Close
0%
0%

Turning a LTE router into a versatile hacking tool

JioFi, a compact LTE router, I aim to transform it into a versatile hacking tool. Leveraging its USB and Wi-Fi hotspot capabilities

shashankx86shashankx86
Following
Liked Like project

Just one more thing

To make the experience fit your profile, pick a username and tell us what interests you.

Pick an awesome username
hackaday.io/
Your profile's URL: hackaday.io/username. Max 25 alphanumeric characters.
Pick a few interests
Projects that share your interests
People that share your interests

We found and based on your interests.

Choose more interests.

OK, I'm done! Skip
Public Chat
Similar projects worth following
681 views
2 comments
7 followers
View Gallery
Public Chat
Update:
I Fu*ked up,
sbl got corrupted then stuck in edl
after recovering sbl, it crashes at boot
then tried to do in edl manually
shorted wrong pad
its now ded :(
if anyone reading this and have spare JioFi 3 and willing to give it to me
shoot me at mail shashankspis20@gmail.com

JioFi 3 (JMR540 & JMR541) a compact LTE router, the goal is to archive its full potential as a versatile hacking tool. With its built-in USB and Wi-Fi hotspot features, the primary objective is to manipulate the firmware, enabling it to accept custom binary extensions, which can be conveniently loaded through an SD card.

By introducing these custom binary extensions, the JioFi router can gain a wide array of capabilities, including USB ducking for keystroke injection, packet sniffing, and various other functions, the possibility is endless.

Device Model JMR540 & JMR541
CPU <Unknown>
CPU Architecture armv7
OS Android (stripped)
Kernel little-endian
Kernel Version 3.18.20


Firmware:

.
└── .
    ├── boot.img -> Android bootimg, kernel, page size: 2048, cmdline (noinitrd  rw console=ttyHSL0,115200,n8 androidboot.hardware=qcom ehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=)
    ├── cache.img -> ISO-8859 text, with very long lines (65536), with no line terminators
    ├── efs2.img -> empty
    ├── fota.img -> ISO-8859 text, with very long lines (65536), with no line terminators
    ├── foxusr.img -> UBI image, version 1
    ├── fwinfo.img -> data
    ├── misc.img -> ISO-8859 text, with very long lines (65536), with no line terminators
    ├── modem_bak.img -> UBI image, version 1
    ├── modem.img -> UBI image, version 1
    ├── recoveryfs.img -> UBI image, version 1
    ├── recovery.img -> Android bootimg, kernel, page size: 2048, cmdline (noinitrd  rw console=ttyHSL0,115200,n8 androidboot.hardware=qcom ehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=)
    ├── sbl.img -> empty
    ├── scrub.img -> ISO-8859 text, with very long lines (65536), with no line terminators
    ├── sec.img -> data
    ├── system.img -> UBI image, version 1
    └── system_unlocked.img -> UBI image, version 1 (the one I am modding)

Download Full Firmware at https://github.com/ExtendedFi/JMR540_Firmware

system_unlocked.img

The Image which I will be modifying

x-raw-disk-image - 38.69 MB - 09/25/2023 at 17:08

Download

  • 1 × JMR540 JMR540 & JMR541 are identical

  • 1
    Step 1: Unpack & Repack

    Prerequisite

    • ubireader
    • mkfs.ubifs and ubinize (search how to install them)

    Step 1.1: Unpack system_unlocked.img

    ubireader_extract_images system_unlocked.img -o system_u
cd ./system_u/system_unlocked.img/

    Now you will get a file with a .ubifs extension.
    In my case, it's "img-35657280_vol-rootfs.ubifs"

    Step 1.2: Unpack ubifs

    ubireader_extract_files -k -o ./rootfs img-35657280_vol-rootfs.ubifs

    You will now have a folder named "rootfs" containing all system files.

    Step 1.3: <Modify Firmware>

    Step 1.4: Repack .ubifs

    mkfs.ubifs -m 2048 -e 126976 -c 1073 -x lzo -f 8 -k r5 -p 1 -l 5 -F -r ./rootfs/ rootfs.ubivol

    Set up the config.ini file:

    touch config.ini
echo "[rootfs-volume]
mode=ubi
image=rootfs.ubivol
vol_id=0
vol_size=27807744
vol_type=dynamic
vol_name=rootfs" > config.ini

    Change the "vol_size" value when the firmware is modified. Keep it as is unless you encounter size-related errors.

    If you do encounter size-related errors, the error will have the 'vol_size' that needs to be set.

    Step 1.5: Repack img

    ubinize -p 131072 -m 2048 -o system_m.img ./config.ini

    You will now have the modified firmware (system_m.img) ready to be flashed using fastboot.

    Step 1.6: Flash using fastboot

    How to Boot in Fastboot:

    • Remove battery from JioFi 3
    • Locate reset pin hole button
    • Lay down JioFi 3
    • Use Paper Clip / SIM Ejector Tool to press button inside (using sharp object is not recommended)
    • Keep pressing button down and insert USB cable
    • Release button as soon as all the LEDs in Display turns RED. This means device is in boot loader mode
    fastboot erase system && fastboot flash system system_m.img && fastboot reboot

View all instructions

Enjoy this project?

Share

Discussions

drcyberg wrote 12/30/2023 at 07:32 point

Hi!

gamil? :-)

  Are you sure? yes | no

shashankx86 wrote 02/13/2024 at 12:17 point

shashankspis20@gmail.com

  Are you sure? yes | no

Similar Projects

Talking analog clock on a Tron disc
Project Owner Contributor

Tron Identity Disc upgrade.3

dan-rogahnDan Rogahn

aka how I reflashed the UEFI after I've bricked it
Project Owner Contributor

Asus T100TA resurrection

darthllamahdarth_llamah

Run Windows 7 from a VHD on a NVME Drive
Project Owner Contributor

NVME Win7 VHD

stanislas-bertrandStanislas Bertrand

An API for medical ultrasound usb probes
Project Owner Contributor

pyusbus: a python lib for ultrasound usb probes

kelu124kelu124

Does this project spark your interest?

Become a member to follow this project and never miss any updates

Going up?

About Us Contact Hackaday.io Give Feedback Terms of Use Privacy Policy Hackaday API

© 2024 Hackaday

Yes, delete it Cancel

Report project as inappropriate

You are about to report the project "Turning a LTE router into a versatile hacking tool", please tell us the reason.

Send message

Your application has been submitted.

Remove Member

Are you sure you want to remove yourself as a member for this project?

Project owner will be notified upon removal.