ishan/JioFiber-Home-Gateway
1
0
Fork 0
mirror of https://github.com/itsyourap/JioFiber-Home-Gateway.git synced 2025-01-21 08:55:41 +00:00
Code Issues Projects Releases Wiki Activity

Initial Commit

Browse Source
This commit is contained in:
Ankan Pal 2024-05-29 16:49:49 +00:00
commit dc24a20e56
16 changed files with 996 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Entware/entware-mips.sh Normal file
View File

@ -0,0 +1,33 @@
echo "Mounting Devices"
mkdir /flash2/entware
mount /dev/sda1 /flash2/entware
cd /flash2/entware
echo ""
echo "Downloading Busybox from bin.entware.net"
mkdir /flash2/entware/bin
wget -O /flash2/entware/bin/busybox http://bin.entware.net/armv7sf-k3.2/installer/chroot/other/mipsel/busybox --no-check-certificate
chmod a+x /flash2/entware/bin/busybox
CHROOT_DIR=/flash2/entware
echo ""
echo "Running Chroot install Script"
# Mount VFS
for dir in dev dev/pts proc sys; do
mkdir -p $CHROOT_DIR/$dir
mount -o bind /$dir $CHROOT_DIR/$dir
sleep 1
done
#Install Busybox
PATH=/bin:/sbin ./bin/busybox chroot . /bin/busybox --install -s
# Make resolv.conf and hosts
mkdir -p $CHROOT_DIR/etc
echo 'nameserver 8.8.8.8' > $CHROOT_DIR/etc/resolv.conf
echo 'nameserver 8.8.4.4' >> $CHROOT_DIR/etc/resolv.conf
echo '127.0.0.1 localhost' > $CHROOT_DIR/etc/hosts
echo "Done! Chroot in with"
echo "PATH=/bin:/sbin $CHROOT_DIR/bin/busybox chroot $CHROOT_DIR /bin/sh"
echo "Run wget http://bin.entware.net/mipselsf-k3.4/installer/generic.sh; mkdir /opt; chmod a+x generic.sh; sh generic.sh; and you will be done."

19
Instructions/Alternate-Way-To-Get-Root-Access-JF-ONT-Home-Gateway.md Normal file
View File

@ -0,0 +1,19 @@
# Alternate way to get root access in JF ONT for newer firmwares with router specific encryption keys
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage. Any wrong step might brick your router. So be aware.*
1. First of all, follow [this guide](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Get-Any-File-From-JF-ONT-Home-Gateway.md) to get the file at `/flash/secure/key.txt` which is the encryption key of your backup config.
2. Go to your router admin page and download a backup of your router settings configuration from Administrator > Maintenance.
3. Decrypt the config (`.enc` file) using the command `openssl aes-128-cbc -d -pass file:key.txt -in input.enc -out output.txt` (Change `input.enc` and `output.txt` respectively to your requirements).
4. Open the decrypted config file.
5. Change the first line of the decrypted config file like this:
```
config.userdb = {} os.execute("/usr/sbin/telnetd"); os.execute("/pfrm2.0/bin/iptables -I fwInBypass -p tcp --dport 23 -m ifgroup --ifgroup-in 0x1/0x1 -j ACCEPT"); os.execute("echo -e \"password\npassword\" | passwd root");
```
6. Ensure there is no line break in the line you just pasted. The whole content should be in a single line and the line should start with `config` otherwise this isn't gonna work.
7. Encrypt the config using the command `openssl aes-128-cbc -pass file:key.txt -in input.txt -out output.enc` (Change `input.txt` and `output.enc` respectively).
8. The output file should have the same name as your actual backed up config file in step 2.
9. Restore the new backup file in Router Admin page at Administrator > Maintenance.
10. Done! Now Telnet into the Router and use username as `root` and password as `password`.

14
Instructions/Decrypt-Router-Configuration-File.md Normal file
View File

@ -0,0 +1,14 @@
# Decrypt Configuration File (Does not work anymore)
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage.*
1. Make sure you have [**openssl**](https://wiki.openssl.org/index.php/Binaries) **installed** or else install it and **add it to environment variable PATH**.
2. Grab the key for your router model from [here](https://github.com/JFC-Group/JF-Customisation/tree/master/EncryptionKeys/).
3. Go to Your **Router WEB-UI Page** (`http://192.168.29.1`) and Sign in as **Admin**. (The default credentials are **`admin : Jiocentrum`**)
4. Go to **Administrator** --> **Maintenance** and click **Backup**.
5. A file (`RSTXXXXXXX_JCXXXXX.enc`) will be downloaded with **`.enc`** extension.
6. Open up **Terminal** or **Command Prompt**.
7. **Decrypt** the downloaded **`.enc`** file using the command
`openssl aes-128-cbc -d -kfile "<path to the key file>" -in "RSTXXXXXXX_JCXXXXX.enc" -out "RSTXXXXXXX_JCXXXXX.txt"`
8. `RSTXXXXXXX_JCXXXXX.txt` contains the decrypted configuration. You might view or edit it at your own risk as your router may get bricked due to incorrect configuration (A hard reset might fix it. Just push the button (inside a hole) behind the router for about 30 seconds)
9. You may also want to encrypt the configuration file after editing it and restore it. Instructions to do so are [here](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Encrypt-Router-Configuration-File.md).

21
Instructions/Disable-TR-069-JF-ONT-Home-Gateway.md Normal file
View File

@ -0,0 +1,21 @@
# Disable TR-069 (Does not work anymore)
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage.*
**NOTE : JioCall/Landline/JioSTB/Firmware Auto Update/Changing WiFi settings from MyJio or JioHome apps won't work if TR-069 is disabled.**
1. First of all, follow [this guide](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Decrypt-Router-Configuration-File.md) to get the router decrypted configuration file `RSTXXXXXXX_JCXXXXX.txt`
2. Open `RSTXXXXXXX_JCXXXXX.txt` with Notepad or other Text Editor.
3. **Find** the line
`config.tr69["ManagementServer"][1]["URL"] = "https://acs.oss.jio.com:8443/ftacs-digest/ACS"`
and **replace** it with
`config.tr69["ManagementServer"][1]["URL"] = "http://127.0.0.1"`
4. **Find** the line
`config.tr69["ManagementServer"][1]["tr69Status"] = "1"`
and **replace** it with
`config.tr69["ManagementServer"][1]["tr69Status"] = "0"`
5. **Find** the line
`config.tr69["ManagementServer"][1]["PeriodicInformEnable"] = "1"`
and **replace** it with
`config.tr69["ManagementServer"][1]["PeriodicInformEnable"] = "0"`
6. Follow [this guide](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Encrypt-Router-Configuration-File.md) to re-encrypt the configuration file and restore it via the router admin panel.

13
Instructions/Enable-FTP-JF-ONT-Home-Gateway.md Normal file
View File

@ -0,0 +1,13 @@
# Enable FTP (Does not work anymore)
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage.*
**NOTE: FTP username will be admin & password will be your admin password in WEB-UI (Router Configuration Page)**
1. First of all, follow [this guide](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Decrypt-Router-Configuration-File.md) to get the router decrypted configuration file `RSTXXXXXXX_JCXXXXX.txt`
2. Open `RSTXXXXXXX_JCXXXXX.txt` with Notepad or other Text Editor
3. **Find** the line
`config.vsftpd["ftpd"][1]["enable"] = "0"`
and **replace** it with
`config.vsftpd["ftpd"][1]["enable"] = "1"`
4. Follow [this guide](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Encrypt-Router-Configuration-File.md) to re-encrypt the configuration file and restore it via the router admin panel.

40
Instructions/Enable-Root-FTP-JF-ONT-Home-Gateway.md Normal file
View File

@ -0,0 +1,40 @@
# Enable FTP Server with `/` as FTP Root
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage. Any wrong step might brick your router. So be aware.*
1. First of all, follow [this guide](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Get-Root-Access-JF-ONT-Home-Gateway.md) to enable root access to your router.
2. Use command `pkill vsftpd` to kill any already running FTP server on your router.
3. Using `vi`, create `/flash/vsftpd.conf` and add these lines:
```
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
listen_port=21
idle_session_timeout=300
max_clients=200
max_per_ip=200
chroot_local_user=YES
ftp_username=root
secure_chroot_dir=/
local_root=/
listen_ipv6=YES
userlist_enable=no
userlist_deny=NO
```
4. Save the file.
5. Use command `vsftpd /flash/vsftpd.conf &` to start the FTP server.
6. Use command `iptables -I fwInBypass -p tcp --dport 21 -m ifgroup --ifgroup-in 0x1/0x1 -j ACCEPT` to enable listening to port 21.
7. Connect your router using FTP client like FileZilla using `root` as username and your root password as the password.
_**P.S. : You can also make a `.sh` script in `/flash/` or `/flash2/` to automate this process.**_

17
Instructions/Encrypt-Router-Configuration-File.md Normal file
View File

@ -0,0 +1,17 @@
# Encrypt Configuration File (Do not use this anymore)
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage.*
**(If you are attempting to get root or change the root password, you need to skip steps 1 to 5).**
1. Copy everything in the text configuration file (`RSTXXXXXXX_JCXXXXX.txt`) till before `config.checksum = "<some random md5 hash>"`.
2. Go to this [MD5 Hash Generator Website](https://passwordsgenerator.net/md5-hash-generator/) and paste it and leave a new line at the end. It should look like ![this](https://i.imgur.com/mAle1mi.png)
3. Click on Generate to get the MD5 hash. Copy it.
4. In your text configuration file (`RSTXXXXXXX_JCXXXXX.txt`) change `config.checksum = "<some random md5 hash>"` to `config.checksum = "<THE MD5 HASH YOU COPIED IN STEP 3>"`.
5. Save the file.
6. Open Terminal or Command Prompt.
7. Use this command to re-encrypt the text configuration file with your respective `server.key` :-
`openssl aes-128-cbc -kfile "<path to the key file>" -in "RSTXXXXXXX_JCXXXXX.txt" -out "RSTXXXXXXX_JCXXXXX_MODIFIED.enc"`
8. In your Router WEB-UI Page (`http://192.168.29.1`), go to `Administrator --> Maintenance`.
9. Select and restore the `RSTXXXXXXX_JCXXXXX_MODIFIED.enc` file that was generated at step 7.
10. If by any chance your router configuration file had incorrect settings, it might reset the whole configuration or also might brick the router. If your router is bricked, a hard reset might fix it. Just push the button (inside a hole) behind the router for about 30 seconds. And after it boots up, restore the original configuration file that you downloaded directly from the Router WEB-UI to get back your original settings.

56
Instructions/Get-Any-File-From-JF-ONT-Home-Gateway.md Normal file
View File

@ -0,0 +1,56 @@
# Way to get any file directly from your Jio Router's Filesystem to your pendrive [Working as of 3rd January 2023]
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage. Any wrong step might brick your router. So be aware.*
## Requirements:-
1. Chrome Browser
2. Postman (or cURL, if you prefer that)
3. A Pendrive or a Portable HDD/SSD that can be plugged into your router
## Notes:-
*Here we are copying `/flash/secure/key.txt` which is the encryption key used to encrypt the router backup configuration to our pendrive.*
*The location of the the pendrive root in the router is `/mnt/vfs/admin/ITSYOURAP/` (Remember to replace `"ITSYOURAP"` with the label of your pendrive)*
## Steps:-
1. Open your router admin page (`http://192.168.29.1`) and login via your admin credentials.
2. After logging in, copy the value of the cookie `TeamF1Login`. You can use the Application tab in Developer options to do so.
3. Go to the Administration > Maintenance Page
4. Press `CTRL + U` (If you are in Chrome Browser) to View Source of the page (Alternatively, you can Inspect Element)
5. Find the Backup/Restore HTML Form. It should look like this:-
```html
<form name="tf1_frmBackupSaveCurrentSettings" method="post" action="?action=backup">
<input type="hidden" name="token" value="sometoken">
```
6. Copy the value of token element from the form. Here it is sometoken.
7. Open up Postman and create a new POST request to `http://192.168.29.1/platform.cgi`
In the headers section, uncheck `Accept` and `Accept-Encoding` header.
Fill up these headers in the request (Use the Bulk Edit option and copy paste these):-
```none
Cookie:TeamF1Login=yourteamf1logincookievalue
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer:http://192.168.29.1/platform.cgi?page=backupRestore.html
```
Change the `TeamF1Login` value with the cookie value you copied in step 2.
Now go to the Body section and check the form-data checkbox. Click on the Bulk Edit option and copy paste these values:
```none
button.usbRestore.statusPage:usbRestore
file:/flash/secure/key.txt /mnt/vfs/admin/ITSYOURAP/ #
token:sometoken
thispage:backupRestore.html
```
Remember to replace `sometoken` with the value of the token you copied earlier. Also replace the first section of the file param with the file you want to copy. (We are copying `/flash/secure/key.txt` in this case)
8. Now Click on the Send button in Postman to send the request.
Within a few seconds, your request gets completed and now you have the requested file in your Pendrive root.
***PS: You can also copy directories using this method. Just change the first section of the file param with the folder location in the router.***

26
Instructions/Get-Root-Access-JF-ONT-Home-Gateway.md Normal file
View File

@ -0,0 +1,26 @@
# Get Root Access (via Telnet)
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage. Any wrong step might brick your router. So be aware.*
1. First of all, follow [this guide](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Decrypt-Router-Configuration-File.md) to get the router decrypted configuration file `RSTXXXXXXX_JCXXXXX.txt`
2. Open `RSTXXXXXXX_JCXXXXX.txt` with Notepad or other Text Editor.
3. The first line of the file should look like : `config.userdb = {}`.
4. Change the first line to :
```
config.userdb = {} os.execute("/usr/sbin/telnetd"); os.execute("/pfrm2.0/bin/iptables -I fwInBypass -p tcp --dport 23 -m ifgroup --ifgroup-in 0x1/0x1 -j ACCEPT"); os.execute("echo -e \"password\npassword\" | passwd root");
```
5. Ensure there is no line break in the line you just pasted. The whole content should be in a single line and the line should start with `config` otherwise this isn't gonna work.
6. Follow **from step 6** mentioned in [this guide](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Encrypt-Router-Configuration-File.md) to re-encrypt the configuration file and restore it via the router admin panel. (You have to skip from step 1 to 5 in that guide otherwise your router may reset or restart and you will not have root).
7. Connect your router via Telnet at port 23 with `root` as user name and `password` as password.
8. For newer firmwares, use command `rm /flash/telnetDisable` to keep Telnet enabled. (Otherwise it will be disabled after some time).
Otherwise, on older firmwares use command `touch /tmp/DEBUG_IMAGE` to keep Telnet enabled. (Otherwise it will be disabled after some time).
**Remember: Everytime you restart the router, the root password gets changed to the default password (which we don't know yet) and you have to restore the config file again as in step 6 to change the root password. Step 8 will keep your telnet enabled across router restarts.**

36
Instructions/Get-dbglogs-JF-ONT-Home-Gateway.md Normal file
View File

@ -0,0 +1,36 @@
# Get Logs (dbglogs) [Doesn't Work Anymore]
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage.*
**NOTE: FTP username will be admin & password will be your admin password in WEB-UI (Router Configuration Page).**
1. Make sure you have [**openssl**](https://wiki.openssl.org/index.php/Binaries) **installed** or else install it and **add it to environment variable PATH**.
2. ~~**Download** and **Extract** the **zip** of your respective firmware from [here](https://github.com/JFC-Group/JF-Customisation/tree/master/Firmwares/)~~
3. ~~Get **`server.key`** file from the Extracted zip at **`/pfrm2.0/etc/server.key`** and Copy it to **`Desktop/JF`**.~~
4. ~~Grab the encryption key for your router model from [here](https://github.com/JFC-Group/JF-Customisation/tree/master/EncryptionKeys/) and Copy it to **`Desktop/JF`** as `server.key`~~
5. Go to Your **Router WEB-UI Page** (`http://192.168.29.1`) and Sign in as **Admin**. (The default credentials are **admin : Jiocentrum**)
6. After you have signed in, change the URL in the address bar from `http://192.168.29.1/platform.cgi` to `http://192.168.29.1/dbglog.cgi`
7. Press Enter and wait a few minutes until a file gets downloaded.
8. Save the downloaded file (**`reliance-dbglog-enc.tgz`**) to **`Desktop/JF`**
9. Open up **Terminal** or **Command Prompt** in **`Desktop/JF`**
10. **Decrypt** the downloaded **.enc** file using the command
`openssl aes-128-cbc -d -kfile "server.key" -in "reliance-dbglog-enc.tgz" -out "reliance-dbglog-dec.tgz"`
11. **Extract** the `reliance-dbglog-dec.tgz` file using **7zip** or use the command `tar -xvf reliance-dbglog-dec.tgz`
12. You will see a lot of files have been extracted to the directory **`Desktop/JF`**. These are the dbglogs.
13. Use [DB Browser for SQLite](https://sqlitebrowser.org/) to open the files with **`.db`** extension.
14. Now experiment with those files on your own.
**The system.db file contains all the configuration data including Wi-Fi passwords, TR-069 Configuration, Router WEB-UI Passwords, and a lot more...**

29
README.md Normal file
View File

@ -0,0 +1,29 @@
# JF-Customisation
This repository contains all the files and instructions to customize your JF ONT Gateway. You can grab your Gateway's firmware from [Firmware](https://github.com/JFC-Group/JF-Customisation/tree/master/Router%20Firmware/) or you can find instructions for miscellaneous customizations from [Instructions](https://github.com/JFC-Group/JF-Customisation/tree/master/Instructions/).
*Special Thanks to [yashrastogi](https://broadbandforum.co/members/yashrastogi.81002/) for getting the [OTA URL of STB](https://broadbandforum.co/threads/jio-stb-jhsd200-ota-link.209956/) and [RealEng1neer](https://github.com/RealEng1neer) for arranging the ONT Firmware Links.*
### Available Instructions :-
1. [Getting Logs (dbglogs) from JF ONT Home Gateway](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Get-dbglogs-JF-ONT-Home-Gateway.md)
2. [Enable FTP on JF ONT Home Gateway](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Enable-FTP-JF-ONT-Home-Gateway.md) *(Might not work, check 5th instruction instead)*
3. [Disable TR-069 on JF ONT Home Gateway](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Disable-TR-069-JF-ONT-Home-Gateway.md) *(Might not work)*
4. [Get Root Access on JF ONT Home Gateway](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Get-Root-Access-JF-ONT-Home-Gateway.md) *(Might not work as JF changed the encryption key in R2.39 update! Please use [this](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Alternate-Way-To-Get-Root-Access-JF-ONT-Home-Gateway.md) instead)*
5. [Enable FTP Server with `/` as FTP Root](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Enable-Root-FTP-JF-ONT-Home-Gateway.md)
6. [Get any file directly from your JF Router's Filesystem to your pendrive](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Get-Any-File-From-JF-ONT-Home-Gateway.md)
7. [Updated and Alternate Way to Get Root in JF ONT Home Gateway](https://github.com/JFC-Group/JF-Customisation/blob/master/Instructions/Alternate-Way-To-Get-Root-Access-JF-ONT-Home-Gateway.md)
8. [Key Guesser for Encrypted Router Configuration file](https://github.com/JFC-Group/JF-Customisation/blob/master/keyguesser.py)
### Others
1. [JF SIP Breakdown](https://github.com/JFC-Group/JF-Customisation/blob/master/Research/SIP.md)
## Disclaimer
*This is Only for educational purposes. No one is responsible for any type of damage.*

456
Research/SIP.md Normal file
View File

@ -0,0 +1,456 @@
# JF SIP Breakdown
**Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage.**
*This is what I know so far about the SIP framework used in JF router and JJoin app to make calls.*
## The Story
Back in 2020, before I came to know about the JF firmware, the first thing I did was to sniff the network packets sent from the JioCall app to the router while registering and calling through the app for the first time. But when I turned on the sniffing app, JioCall was not detecting the router because the sniffing app was using VPN method and thus the local network was not accessible through it.
So I turned on my laptop, installed JioCall on an Android Emulator, turned on Wireshark, and then opened JioCall. Everything was working perfectly. But the requests which the app made to the router was encrypted by self-signed certificate, so I couldn't actually sniff the packets. But I got something useful : **The ports which the SIP Server listens on, which are 8080, 8443 and 7443**.
Next thing I did was to decompile the JioCall apk via [jadx](https://github.com/skylot/jadx) and I found a lot of interesting things. Looking into the code of JioCall app (which was obfuscated of course), I found that it was using [Retrofit](https://square.github.io/retrofit/) for the network requests which means that there must be an interface somewhere which contains all the HTTP links with their request methods and if POST request, then their POST data structures. So, I went through the code and found some interesting links. One of them was : `/request_account`. I opened up my browser and opened `http://192.168.29.1:8080/request_account` and voila, this is what I got as response (actually this is the current response, previously the response was a bit different but the contents were almost the same) :-
```json
{"imsi": "00000XXXXXXXXXX","msisdn": "XXXXXXXXXX","mcc": "405","mnc": "874","mode": "JFV","mac_address": "aa:bb:cc:dd:ee:ff","JTCAutoWhitelist": "true","SelfHelpONTLogs": "true","CentralizedCallBlocking": "true","CentralizedCallWaiting": "true"}
```
Indeed, the `msisdn` key contained my JF landline number. I also tried the other URL paths but none of them worked, perhaps those need an API key to work. Atleast I know that I am heading to the right path.
After an year, in October 2021, I found [this repository](https://github.com/fawazahmed0/Jio-fiber-Modem) where I found JF Firmware. I downloaded the firmware quickly and started to explore its contents. I read the lua codes and came to know how the WEB-UI works and stuff. I discovered the way to [get dbglogs from JF](https://github.com/itsyourap/JF-Home-Gateway/blob/master/Instructions/Get-dbglogs-JF-ONT-Home-Gateway.md) and within November, I discovered the way to decrypt the router settings backup file using the Router keys.
Then I started looking for the VoIP server code (which is called the Juice Server) in the firmware which led me to `/pfrm2.0/etc/voipInit` which further led me to `pfrm2.0/bin/hgw-voice-app` which was, of course, a binary, that cannot be decompiled easily. So, I started dumping the strings present in the binary and I found a reference to `libims.so` library which was present in `/pfrm2.0/lib/`. Dumping the strings in the `libims.so` gave me exactly what I needed.
## Juice Server
The Juice server in JF is responsible for handling all the SIP communications. JJoin app uses its API to make calls using the JF VoIP Landline number.
**Uses Ports :** 8080, 7443, 8443, 5068 (maybe more)
**Useful Links :**
1. `http://192.168.29.1:8080/pcap?start=1` will start recording all packets sent from/to the Juice Server until stopped.
2. `http://192.168.29.1:8080/pcap?stop=1` will stop recording packets.
3. `http://192.168.29.1:8080/logs` will let you download the captured packets in a pcap file along with the complete Juice Log dump (VERY USEFUL).
4. `http://192.168.29.1:8080/request_account` will give you a JSON consisting of your JF Landline Number, MCC, MNC, etc etc.
5. `http://192.168.29.1:8080/request_mac` will give you a JSON with your router's MAC address in it.
There are many more, but the first three are the most important links.
## How JJoin Works
1. First, after opening JJoin for the first time, it will search for the host `jiofiber.local.html` with a DNS Query. If found, JJoin will assume that you are on a JF network. *(This is why using custom DNS providers stops JJoin from working, to tackle this, you can define `jiofiber.local.html` with your router's static IP in your `hosts` file)*
2. After you click on the "Generate OTP" button, your phone sends an API request to the Juice Server in the router. The request is kinda like this :-
```none
https://jiofiber.local.html:8443/?IMEI=&rcs_profile=joyn_blackbird&SMS_port=0&default_sms_app=1&msisdn=&rcs_state=0&vers=0&terminal_vendor=sams&terminal_model=aosp&provisioning_version=2.0&rcs_version=5.1B&device_type=vvm&act_type=volatile&terminal_sw_version=7.1.2&default_vvm_app=0&IMSI=&client_vendor=WITS&client_version=RCSAndrd-5.3&alias=itsyourap&mac_address=aa:bb:cc:dd:ee:ff&nwk_intf=wifi&op_type=add
```
**The most important paramters here are `mac_address`, `nwk_intf` and `op_type`. Others can be ignored to get the same response from the request.**
Let me explain the request and what it does.
The `mac_address` parameter contains a random mac address (it is not a real mac address of any device in your network, it is a random mac generated like as a session key which persists with the current JJoin installation. It might be the real mac address in case of Jio STB).
The `nwk_intf` parameter represents the Network Interface used for the request, it can either be `wifi` (almost everytime) or `eth` (in case of requests from Jio STB).
The `op_type` parameter perhaps represents "option type". It can be `add` or `remove` (maybe more which idk).
The `mac_address` and `op_type` are essential parameters in this request.
So, whenever this request is sent to the Juice Server, the Server first checks the `op_type` parameter. If it is `add` then the server has to add the device (from where the request was initiated) to SIP whitelist (devices in this list are the only devices which are permitted to send or receive SIP requests/responses). The server differentiates between clients (I mean different JJoin apps on different devices) using the `mac_address` parameter which is unique for each JJoin app installation. The Juice server checks if the `mac_address` is already present in the whitelisted devices list. If it is present it replies with a XML data which contains all the SIP configs which is explained later. For now let us assume that our device was not previously whitelisted. An OTP is sent to your JF linked mobile number. The Juice server then responds with a **`200 OK`** status code but without any response data. But the server provides with some important response headers which are
```none
Set-Cookie: WITRCSeConfigCookie=uuuuuuuu-vvvv-xxxx-yyyy-zzzzzzzzzzzz
```
and
```none
x-amn: +91********XX
```
The Cookie called `WITRCSeConfigCookie` will be needed when we want to verify the OTP with the Juice Server next while the `x-amn` header signifies the JF linked mobile number to which the OTP was sent.
3. JJoin tells you that an OTP was sent to your registered mobile number `+91********XX` which is derived from the `x-amn` header from the previous step. You type the OTP and submit it. Now the request is sent to the Juice Server looks like this (assume the OTP is 696969):
```none
https://jiofiber.local.html:8443/?OTP=696969
```
with a required header :
```none
Cookie: WITRCSeConfigCookie=uuuuuuuu-vvvv-xxxx-yyyy-zzzzzzzzzzzz
```
which we have received from the `Set-Cookie` header from the server response in step 2.
4. As soon as the OTP is verified, the Juice Server whitelists the `mac_address` associated with the request with the cookie and replies with an XML body. This XML is the SIP configuration required to make calls using JJoin. Now, as the `mac_address` is verified, you can use it to get the XML configuration anytime using step 2. The response in step 2 will now be the XML data without any further authentication.
The XML Configuration looks like this :
```xml
<?xml version="1.0"?>
<wap-provisioningdoc version="1.1">
<characteristic type="application">
<characteristic type="appauth">
<parm name="authtype" value="Digest" />
<parm name="realm" value="wb.wln.ims.jio.com" />
<parm name="username" value="91XXXXXXXXXX@wb.wln.ims.jio.com" />
<parm name="userpwd" value="<randompassword>" />
</characteristic>
<parm name="appid" value="ap2002" />
<characteristic type="capdiscovery">
<parm name="capdisccommonstack" value="0" />
<parm name="defaultdisc" value="0" />
<characteristic type="ext">
<characteristic type="joyn">
<parm name="lastseenactive" value="0" />
<parm name="msgcapvalidity" value="5" />
</characteristic>
</characteristic>
<parm name="pollingperiod" value="0" />
</characteristic>
<characteristic type="ext">
<parm name="inturlfmt" value="1" />
<parm name="naturlfmt" value="1" />
<parm name="q-value" value="0.5" />
<characteristic type="secondarydevicepar">
<parm name="chat" value="0" />
<parm name="filetransfer" value="0" />
<parm name="geolocpush" value="0" />
<parm name="imageshare" value="0" />
<parm name="sendsms" value="0" />
<parm name="videocall" value="0" />
<parm name="videoshare" value="0" />
<parm name="voicecall" value="0" />
</characteristic>
</characteristic>
<parm name="home_network_domain_name" value="wb.wln.ims.jio.com" />
<characteristic type="icsi_list">
<parm name="icsi_resource_allocation_mode" value="0" />
</characteristic>
<characteristic type="im">
<parm name="autaccept" value="0" />
<parm name="autacceptgroupchat" value="0" />
<parm name="conf-fcty-uri" value="sip:foo@bar" />
<parm name="deferred-msg-func-uri" value="sip:foo@bar" />
<parm name="exploder-uri" value="sip:foo@bar" />
<parm name="firstmessageinvite" value="1" />
<parm name="ftautaccept" value="0" />
<parm name="ftcapalwayson" value="0" />
<parm name="ftstandfwenabled" value="0" />
<parm name="ftthumb" value="0" />
<parm name="groupchatfullstandfwd" value="0" />
<parm name="groupchatonlyfstandfwd" value="0" />
<parm name="imcapalwayson" value="0" />
<parm name="imcapnonrcs" value="0" />
<parm name="imwarniw" value="0" />
<parm name="imwarnsf" value="0" />
<parm name="multimediachat" value="0" />
<parm name="pres-srv-cap" value="0" />
<parm name="smsfallbackauth" value="0" />
<parm name="timeridle" value="180" />
</characteristic>
<characteristic type="ims">
<parm name="to-appref" value="IMS-Settings" />
</characteristic>
<parm name="keep_alive_enabled" value="1" />
<characteristic type="lbo_p-cscf_address">
<parm name="address" value="Jiofiber.local.html:5068" />
<parm name="addresstype" value="IPv6" />
</characteristic>
<parm name="mobility_management_ims_voice_termination" value="0" />
<characteristic type="other">
<parm name="deviceid" value="1" />
<parm name="ipcallbreakout" value="0" />
<parm name="ipcallbreakoutcs" value="0" />
<parm name="rcsipvideocallupgradeattemptearly" value="0" />
<parm name="rcsipvideocallupgradefromcs" value="0" />
<parm name="rcsipvideocallupgradeoncaperror" value="0" />
<characteristic type="transportproto">
<parm name="psmedia" value="MSRP" />
<parm name="psrtmedia" value="RTP" />
<parm name="pssignalling" value="SIPoTLS" />
<parm name="wifimedia" value="MSRP" />
<parm name="wifirtmedia" value="RTP" />
<parm name="wifisignalling" value="SIPoTLS" />
</characteristic>
<parm name="uuid_value" value="00000000-0000-1000-8000-AABBCCDDEEFF" />
</characteristic>
<parm name="pdp_contextoperpref" value="0" />
<parm name="private_user_identity" value="sip:91XXXXXXXXXX@wb.wln.ims.jio.com" />
<characteristic type="public_user_identity_list">
<parm name="public_user_identity" value="sip:+91XXXXXXXXXX@wb.wln.ims.jio.com" />
</characteristic>
<parm name="regretrybasetime" value="5" />
<parm name="regretrymaxtime" value="300" />
<characteristic type="serviceproviderext">
<parm name="ipvideocallbreakout" value="1" />
<characteristic type="joyn">
<characteristic type="messaging">
<parm name="deliverytimeout" value="300" />
<parm name="fthttpcapalwayson" value="0" />
</characteristic>
<characteristic type="ux">
<parm name="breakoutipcalllabel" value="joyn out" />
<parm name="e2eipcalllabel" value="joyn out" />
<parm name="e2evoicecapabilityhandling" value="0" />
<parm name="messagingux" value="0" />
<parm name="onebuttonvideocall" value="0" />
</characteristic>
</characteristic>
<characteristic type="remoteconferencecall">
<parm name="addparticipantmodes" value="2" />
<parm name="createinvincludeparticipants" value="0" />
<parm name="createmodes" value="2" />
<parm name="factory" value="sip:mmtel@conf-factory.wb.wln.ims.jio.com" />
<parm name="maxsize" value="8" />
</characteristic>
<characteristic type="rjil">
<parm name="pnparam" value="com.jio.jiocall" />
<parm name="psoltid" value="+91XXXX" />
</characteristic>
<characteristic type="wae">
<parm name="allowoffline" value="0" />
<parm name="pwd" value="wit$waereport" />
<parm name="url" value="https://103.63.128.133/events" />
<parm name="user" value="witapp" />
<parm name="format" value="json" />
</characteristic>
</characteristic>
<characteristic type="services">
<parm name="allowrcsextensions" value="0" />
<parm name="chatauth" value="0" />
<parm name="ftauth" value="0" />
<parm name="geolocpullauth" value="0" />
<parm name="geolocpushauth" value="0" />
<parm name="groupchatauth" value="0" />
<parm name="isauth" value="0" />
<parm name="presenceprfl" value="0" />
<parm name="rcsipvideocallauth" value="15" />
<parm name="rcsipvoicecallauth" value="15" />
<parm name="standalonemsgauth" value="0" />
<parm name="vsauth" value="0" />
</characteristic>
<parm name="sms_over_ip_networks_indication" value="1" />
<characteristic type="supl">
<parm name="geolocpullopen" value="0" />
<parm name="textmaxlength" value="200" />
</characteristic>
<parm name="timer_t1" value="2000" />
<parm name="timer_t2" value="16000" />
<parm name="timer_t4" value="17000" />
<parm name="voice_domain_preference_e_utran" value="2" />
<parm name="voice_domain_preference_utran" value="2" />
<characteristic type="xdms">
<parm name="enablepnbmanagement" value="0" />
<parm name="enablexdmsubscribe" value="0" />
<parm name="revoketimer" value="0" />
</characteristic>
</characteristic>
<characteristic type="token">
<parm name="token" value="<Some Token>" />
<parm name="validity" value="7776000" />
</characteristic>
<characteristic type="vers">
<parm name="validity" value="5184000" />
<parm name="version" value="34" />
</characteristic>
</wap-provisioningdoc>
```
**We need mainly these parameters :**
1. Under `characteristic` of type `application.appauth` :
`authtype` - Digest Authentication
`realm` - SIP Server Realm (for Jio, you cannot connect directly to it, so you need to have the Juice Server as Proxy),
`username` - SIP Username for authentication,
`userpwd` - SIP Password for authentication
2. Under `characteristic` of type `application.lbo_p-cscf_address`:
`address` - Refers to the SIP Proxy URL which is basically the port 5068 of JF
3. Under `characteristic` of type `application.other`:
`uuid_value` represents the value of `mac_address` parameter, if your `mac_address` parameter was `aa:bb:cc:dd:ee:ff` then the last section of the uuid will be `AABBCCDDEEFF`. The first sections are same for every device under every router as far as I know.
## How SIP (in JJoin and JF) Works
*You can see the pcap yourself if you use the previously provided important links in the [Juice Server section](#juice-server).*
### REGISTER Request
The REGISTER request sent by the SIP client (here, JJoin app) looks like this:
```none
REGISTER sip:wb.wln.ims.jio.com SIP/2.0
Via: SIP/2.0/TLS [<My IPv6 Address>]:42131;branch=z9hG4bK-642413-1---7f3f2b4d23eea124;rkeep=180
Max-Forwards: 70
Contact: <sip:+91XXXXXXXXXX@[<My IPv6 Address>]:42131;pn-prid=<FCM Token provided from JJoin (This parameter is not required)>;pn-param=com.jio.jse;pn-provider=fcm;transport=tls>;+sip.instance="<00000000-0000-1000-8000-AABBCCDDEEFF>";reg-id=1;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;+g.3gpp.iari-ref="urn%3Aurn-7%3A3gpp-application.ims.iari.rcs.jio.eucr";+g.gsma.rcs.telephony="none";q=0.5
To: <sip:+91XXXXXXXXXX@wb.wln.ims.jio.com>
From: <sip:+91XXXXXXXXXX@wb.wln.ims.jio.com>;tag=j6ska8a
Call-ID: _idu1H_8kdsjK9sja..
CSeq: 1 REGISTER
Expires: 86400
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, SUBSCRIBE, UPDATE, PRACK, INFO
Supported: outbound, path, gruu, replaces, timer, norefersub
User-Agent: itsyourap/android RCSAndrd/1.2.4 JUICEJSE/1.4.2.11
Authorization: Digest username="91XXXXXXXXXX@wb.wln.ims.jio.com",realm="wb.wln.ims.jio.com",uri="sip:wb.wln.ims.jio.com",nonce="",response=""
P-Access-Network-Info: GPON;PSAPId=+91XXXX
Content-Length: 0
```
This is the general format of every request sent to the SIP server. This request is sent via the proxy, i.e., Juice Server (look for the parameters in the XML file mentioned previously).
Things that makes Jio's SIP protocol different from others are:
1. **The Contact Header** - The contact header must have the `+sip.instance` parameter with proper value format otherwise you will get *401 Unauthorized* response from the server. The proper format of this parameter is `+sip.instance="<00000000-0000-1000-8000-AABBCCDDEEFF>"` where you have to put the value of uuid got from the XML previously.
Let me be clear, other SIP Server/Clients have their `+sip.instance` parameter format as `+sip.instance="<urn:uuid:ABCABCAB-AABB-CCDD-EEFF-AABBCCAABBCCC>"` - Note the string `urn:uuid:` is present which Jio's Juice Server does not support. (This is why using a third party SIP client like MicroSIP to call through JF isn't gonna work).
2. **The P-Access-Network-Info Header** - Use it on every request.
So, the first time you send the REGISTER request to the SIP server via the Juice Server as proxy, you will get a *401 Unauthorized* response because you haven't provided your credentials yet. The server response is important. Let me show you how it looks like :
```none
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS [<My IPv6 Address>]:42131;branch=z9hG4bK-642413-1---7f3f2b4d23eea124;rkeep=180
To: <sip:+91XXXXXXXXXX@wb.wln.ims.jio.com>;tag=h9sj9ca
From: <sip:+91XXXXXXXXXX@wb.wln.ims.jio.com>;tag=j6ska8a
Call-ID: _idu1H_8kdsjK9sja..
CSeq: 1 REGISTER
User-Agent: JCOW414/JUICEJFV-1.3.24
WWW-Authenticate: Digest nonce="1327324632:a53f5324f3442323cb3242321435b43dca3",algorithm=MD5,realm="wb.wln.ims.jio.com"
Content-Length: 0
```
The headers `WWW-Authenticate` contains the Digest nonce which will be used to verify your identity using your credentials. Refer to [Wikipedia](https://en.wikipedia.org/wiki/Digest_access_authentication) for more information about digest authentication.
According to [Wikipedia](https://en.wikipedia.org/wiki/Digest_access_authentication), we need to prepare a response based on the nonce and our credentials.
The format is:
```none
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:HA2)
```
where
`username` refers to your SIP username found in the XML, here, `91XXXXXXXXXX@wb.wln.ims.jio.com`
`realm` refers to your SIP realm, here, `wb.wln.ims.jio.com`
`password` refers to your SIP password, here `<randompassword>`
`method` refers to the request method, here, `REGISTER`
`digestURI` refers to (idk what) but it is `"sip:" + realm`, here, `sip:wb.wln.ims.jio.com`
`MD5(x)` refers to the MD5 hash of `x`.
After preparing our response, we need to send another REGISTER request with a fulfilled `Authorization` header like this:
```none
REGISTER sip:wb.wln.ims.jio.com SIP/2.0
Via: SIP/2.0/TLS [<My IPv6 Address>]:42131;branch=z9hG4bK-642413-1---7f3f2b4d23eea124;rkeep=180
Max-Forwards: 70
Contact: <sip:+91XXXXXXXXXX@[<My IPv6 Address>]:42131;pn-prid=<FCM Token provided from JJoin (This parameter is not required)>;pn-param=com.jio.jse;pn-provider=fcm;transport=tls>;+sip.instance="<00000000-0000-1000-8000-AABBCCDDEEFF>";reg-id=1;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;+g.3gpp.iari-ref="urn%3Aurn-7%3A3gpp-application.ims.iari.rcs.jio.eucr";+g.gsma.rcs.telephony="none";q=0.5
To: <sip:+91XXXXXXXXXX@wb.wln.ims.jio.com>
From: <sip:+91XXXXXXXXXX@wb.wln.ims.jio.com>;tag=j6ska8a
Call-ID: _idu1H_8kdsjK9sja..
CSeq: 2 REGISTER
Expires: 86400
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, SUBSCRIBE, UPDATE, PRACK, INFO
Supported: outbound, path, gruu, replaces, timer, norefersub
User-Agent: itsyourap/android RCSAndrd/1.2.4 JUICEJSE/1.4.2.11
Authorization: Digest username="91XXXXXXXXXX@wb.wln.ims.jio.com",realm="wb.wln.ims.jio.com",nonce="1327324632:a53f5324f3442323cb3242321435b43dca3",uri="sip:wb.wln.ims.jio.com",response="<Your Auth Response>",algorithm=MD5
P-Access-Network-Info: GPON;PSAPId=+91XXXX
Content-Length: 0
```
Now we get a *200 OK* from the server:
```none
SIP/2.0 200 OK
Via: SIP/2.0/TLS [<My IPv6 Address>]:42131;branch=z9hG4bK-642413-1---7f3f2b4d23eea124;rkeep=180
Require: outbound
Contact: <sip:+91XXXXXXXXXX@[<My IPv6 Address>]:42131;pn-prid=<FCM Token provided from JJoin (This parameter is not required)>;pn-param=com.jio.jse;pn-provider=fcm;transport=tls>;+sip.instance="<00000000-0000-1000-8000-AABBCCDDEEFF>";reg-id=1;video;q=0.5;expires=86399;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";+g.3gpp.iari-ref="urn%3Aurn-7%3A3gpp-application.ims.iari.rcs.jio.eucr";+g.gsma.rcs.telephony="none"
To: <sip:+91XXXXXXXXXX@wb.wln.ims.jio.com>;tag=32ad2f2c
From: <sip:+91XXXXXXXXXX@wb.wln.ims.jio.com>;tag=j6ska8a
Call-ID: _idu1H_8kdsjK9sja..
CSeq: 2 REGISTER
User-Agent: JCOW414/JUICEJFV-1.3.24
Content-Length: 0
```
Thus the REGISTER request is successful.
To call someone, you need to send an INVITE request with SDP data like this:
```none
INVITE sip:<Recipent Mobile Number starting with 0>@wb.wln.ims.jio.com?phone-context=wb.wln.ims.jio.com&user=phone SIP/2.0
Via: SIP/2.0/TLS [<My IPv6 Address>]:43696;rkeep=180;branch=z9hG4bK-<Branch>
Max-Forwards: 70
Contact: <sip:[<My IPv6 Address>]:43696;transport=tls>;+sip.instance="<00000000-0000-1000-8000-AABBCCDDEEFF>";reg-id=1;+g.3gpp.icsi-ref="urn:urn-7:3gpp-service.ims.icsi.mmtel";video;+g.3gpp.iari-ref="urn:urn-7:3gpp-application.ims.iari.rcs.jio.eucr";+g.gsma.rcs.telephony="none";q=0.5
To: <sip:<Recipent Mobile Number starting with 0>@wb.wln.ims.jio.com?phone-context=wb.wln.ims.jio.com&user=phone>
From: <sip:+91<My JF Number>@wb.wln.ims.jio.com>;tag=4cwftvh2
Call-ID: <callid>@<My IPv6 Address>
CSeq: 1 INVITE
Session-Expires: 1800
Min-SE: 90
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, SUBSCRIBE, UPDATE, PRACK, INFO
Content-Type: application/sdp
Supported: outbound, path, gruu, replaces, timer, norefersub, 100rel
User-Agent: JFVoice/1.0
P-Preferred-Identity: <sip:+91<My JF Number>@wb.wln.ims.jio.com>
P-Access-Network-Info: GPON; PSAPId=+91XXXX
Content-Length: 675
v=0
o=Juice 1737281838294729 1737281838294729 IN IP6 <An IPv6 Address>
s=-
c=IN IP6 <An IPv6 Address>
t=0 0
m=audio 52000 RTP/AVP 126 125 124 123 122 121
b=AS:37
b=RS:462
b=RR:1387
a=rtpmap:126 AMR-WB/16000
a=fmtp:126 mode-change-capability=2; max-red=0
a=rtpmap:125 AMR-WB/16000
a=fmtp:125 octet-align=1; mode-change-capability=2; max-red=0
a=rtpmap:124 AMR/8000
a=fmtp:124 mode-change-capability=2; max-red=0
a=rtpmap:123 AMR/8000
a=fmtp:123 octet-align=1; mode-change-capability=2; max-red=0
a=rtpmap:122 telephone-event/16000
a=fmtp:122 0-15
a=rtpmap:121 telephone-event/8000
a=fmtp:121 0-15
a=ptime:20
a=maxptime:240
a=sendrecv
```
The Juice server responds with *100 Trying* which means the call is being connected.
When the recipient picks up the call, we get a *183 Session Progress* from the Juice server along with some SDP data. It does place a call to the number but of course with no audio.
Also you need to send ACK and PRACK requests frequently to keep the call alive. You can read any SIP documentations available on the internet for more info.
Right now, I am stuck at using the RTP. In the INVITE request you can see the request data which is SDP. The `m` parameter gives us the media info which is `RTP/AVP` on port `52000`. Yes you can use any program to create RTP server on that port but the the actual RTP server will be created on the JF side for further communication.The only problem is the audio codec. The audio codec used is `AMR/AMR-WB` which from Android. I don't have the time to look at the whole source code of the audio codec in android repository. You can help me out with this.
I have tried connecting to the RTP server in the Juice Server and I got the audio data but it was AMR-WB encoded. I tried to use some third party programs to get audible audio from the data and one seems to work : [Check this Python Program](https://github.com/Spinlogic/AMR-WB_extractor). This gives me what I need but right now idk how to play the audio in realtime and how to reverse this process so that I can send audio data for the call.
If you do find a way to play the AMR/AMR-WB encoded audio in realtime and record AMR/AMR-WB audio in realtime using the OpenCore AMR library (originally built for Android) in Desktop and use the RTP server to establish communication between the caller and the callee, feel free to open a discussion in this repository.
Until then, this is the dead end.

21
Router Firmware/README.md Normal file
View File

@ -0,0 +1,21 @@
# Instructions
1. The .img and .sig files are the original bundled Release firmware from JF that can be flashed through the WEB-UI.
2. The extracted firmwares are in the zip files respectively.
*We couldn't find the link to the JCO4032 Firmware.*
**WARNING : (THE EXTRACTED FIRMWARE IS FULL OF SYMLINKS, SO BE AWARE).**
## Structure of Firmware OTA Link
For example:-
`http://fota.slv.fxd.jiophone.net/ONT/Arcadyan/JCOW411/ARCNTF1_JCOW411_R2.3.img`
- `Arcadyan` can be replaced with `Sercomm`, etc according to the router.
- Change `JCOW411` with router model
- Change `ARCNTF1_JCOW411_R2.3.img` with router firmware name.
- You can also put `.sig` instead of `.img` to get the signed hash of the firmware.
*Special Thanks to [yashrastogi](https://broadbandforum.co/members/yashrastogi.81002/) for getting the [OTA URL of Jio STB](https://broadbandforum.co/threads/jio-stb-jhsd200-ota-link.209956/) and [RealEng1neer](https://github.com/RealEng1neer) for arranging the ONT Firmware Links.*

56
Router Firmware/checkForAvailableVersions.md Normal file
View File

@ -0,0 +1,56 @@
# Check Available Versions For JF Router Firmwares
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage.*
1. First go to `http://fota.slv.fxd.jiophone.net/` using your PC Browser.
2. Open Developer Tools and Click on the Console option.
3. At the top of the console window (just at the right of Filter box), you will find a spinner named `Custom levels`. Click it and turn off the `Error` checkbox.
4. Copy the script below and paste into the console.
5. In the console, edit the variables `router.manufacturer`, `router.model`, `router.firmwarePrefix`, `currentVersion` and `maxVersion` according to your need.
6. Press Enter in the console which will show the Router Firmware versions along with their URLs.
```js
/*
1. Goto http://fota.slv.fxd.jiophone.net/
2. Replace router options and current and max versions accordingly
3. Run it in browser developer console, to scan for available firmware versions.
*/
function precisionRound(number, precision) {
const factor = Math.pow(10, precision);
return Math.round(number * factor) / factor;
}
function checkFirmwareExists(version, url)
{
var http = new XMLHttpRequest();
http.open('HEAD', url);
http.onreadystatechange = function() {
if (this.readyState === this.DONE) {
if (this.status !== 404){
console.log(`${version} : ${url}`);
}
}
};
http.send();
}
async function loadFirmwares() {
const router = {
manufacturer: "Sercomm", // Replace this with your Router Manufacturer (Sercomm, Skyworth, Arcadyan, etc...)
model: "JCOW414", // Replace this with your Router Model Name (JCOW414, JCOW411, etc...)
firmwarePrefix: "SRCMTF1_JCOW414_R", // Replace this with your Router Firmware Version Prefix (SRCMTF1_JCOW414_R, SKYWTF1_JCOW407_R, ARCNTF1_JCOW411_R, etc...)
};
let currentVersion = 2.3;
const maxVersion = 3;
while (currentVersion < maxVersion) {
const url = `http://fota.slv.fxd.jiophone.net/ONT/${router.manufacturer}/${router.model}/${router.firmwarePrefix}${precisionRound(currentVersion, 2)}.img`;
checkFirmwareExists(precisionRound(currentVersion, 2), url);
currentVersion += 0.01;
}
}
loadFirmwares();
```

71
STB Firmware/checkForAvailableVersions.md Normal file
View File

@ -0,0 +1,71 @@
# Check Available Versions For STB Firmwares
*Disclaimer: - This is Only for educational purposes, No one is responsible for any type of damage.*
1. First go to `http://fota.slv.fxd.jiophone.net/` using your PC Browser.
2. Open Developer Tools and Click on the Console option.
3. At the top of the console window (just at the right of Filter box), you will find a spinner named `Custom levels`. Click it and turn off the `Error` checkbox.
4. Copy the script below and paste into the console.
5. In the console, edit the variables `STB.manufacturer`, `STB.model`, `currentVersion`, `maxVersion` and `increment` according to your need.
6. Press Enter in the console which will show the STB Firmware versions along with their URLs.
```js
/*
Example Link : http://fota.slv.fxd.jiophone.net/STB/Droidlogic/JHSD200/STB-JHSD200-7.4.6.zip
1. Goto http://fota.slv.fxd.jiophone.net/
2. Replace STB options and current and max versions, and increment accordingly (Do not put to much difference between those numbers)
3. Run it in browser developer console, to scan for available firmware versions.
*/
function checkFirmwareExists(version, url) {
const http = new XMLHttpRequest();
http.open('HEAD', url);
http.onreadystatechange = function () {
if (this.readyState === this.DONE) {
if (this.status !== 404) {
console.log(`${version} : ${url}`);
}
}
};
http.send();
}
function loadFirmwares() {
const STB = {
manufacturer: "Droidlogic", // Change this according to your need
model: "JHSD200" // Change this according to your need
};
let currentVersion = "7.0.0"; // Change this according to your need
const increment = "0.0.1" // Change this according to your need
const maxVersion = "8.0.0"; // Keep the difference within 2.0.0.0 otherwise your PC will not have enough bandwidth and resources to check all links
while (compareVersions(currentVersion, maxVersion)) {
const url = `http://fota.slv.fxd.jiophone.net/STB/${STB.manufacturer}/${STB.model}/STB-${STB.model}-${currentVersion}.zip`;
checkFirmwareExists(currentVersion, url);
currentVersion = incrementVersion(currentVersion, increment)
}
}
function compareVersions(ver1, ver2) {
return parseInt(ver1.split(".").join()) < parseInt(ver2.split(".").join());
}
function incrementVersion(ver, increment) {
const splitVer = ver.split(".");
const splitIncrement = increment.split(".");
let carry = 0;
for (let i = (splitVer.length - 1); i >= 0; i--){
splitVer[i] = (parseInt(splitVer[i]) + parseInt(splitIncrement[i]) + carry).toString();
carry = 0;
if ((i !== 0) && splitVer[i] >= 10){
carry = Math.trunc(parseInt(splitVer[i]) / 10);
splitVer[i] = (parseInt(splitVer[i]) % 10).toString();
}
}
return splitVer.join(".");
}
loadFirmwares();
```

88
keyguesser.py Normal file
View File

@ -0,0 +1,88 @@
#!/usr/bin/env python
# This is only for educational purposes. No one is responsible for any type of damage.
__author__ = "itsyourap"
__url__ = "https://github.com/JFC-Group/JF-Customisation"
"""
This script tries to guess and identify the encryption key used to encrypt
the JioFiber config file downloaded from the router's admin page
Works for newer firmwares like R2.49 for JCOW414
Modify this script variables accordingly before using this script
Remember to run this script from the same directory where your downloaded
encrypted config file is stored
Usage: keyguesser.py
"""
from itertools import permutations
import subprocess
#############################################################################################################
# Modify these variables accordingly before using this script #
#############################################################################################################
inFileName = "RSXXXXXXXXXXX_JCOW414.enc" # Full name of the encrypted config backup file #
outFileName = "RSXXXXXXXXXXX_JCOW414.txt" # Name of output file if the decryption is successful #
routerSerial = "RSXXXXXXXXXXX" # Your Router's Serial Number #
routerSsid = "XXXXX" # Default Router SSID without the 'JioFiber-' prefix #
#############################################################################################################
#############################################################################################################
# All of the above information might be found written on the back of the router box. #
# The router SSID does NOT mean the current SSID of your router #
# The router SSID is the DEFAULT SSID of your router, e.g., "JioFiber-Alpha" #
# You have to just take the "Alpha" part in the above routerSsid variable #
#############################################################################################################
def tryToDecrypt(hexKey):
p = subprocess.Popen(["openssl", "aes-128-cbc", "-d", "-pass", "pass:{}".format(hexKey),
"-in", inFileName, "-out", outFileName], stderr=subprocess.PIPE, stdout=subprocess.PIPE)
output, error = p.communicate()
output = output.decode()
returnCode = p.returncode
if (returnCode == 0):
print("Success : {}".format(hexKey))
exit()
else:
print("Failed!")
print()
def tryKey(key):
p = subprocess.Popen(["openssl", 'enc', "-aes-128-cbc", "-k", key,
"-P", "-nosalt"], stderr=subprocess.PIPE, stdout=subprocess.PIPE)
output, error = p.communicate()
output = output.decode()
startIndex = output.find("key=") + len("key=")
endIndex = output.find("\n", startIndex)
hexKey = output[startIndex:endIndex]
print("Trying Key : {}".format(key))
tryToDecrypt(hexKey)
keyStrings = ["1n0NaZQnC9oxcfwf", "us4AQiJAgbj0Fmxq", "NTqK8Ps5iFke8zrp", "bfqerloC15y79WQZ",
"9gNzEbuDjtyT9Pyc", "uuphsZuO92AZW5GJ", "qdySWmmvYKdBcO53", "Q7ODauKsxUAUtbR7",
"Kohgiem4joochei3", "6f1D27JyLm70GUUu", "zuFbKywMhJjVEhk3", "6uMrt5ricsD1ABDh",
"iPjZ8bYm6s3uGYVf", "QGwaPHx2K1rNDTmL", "fJ7OeRF2TvqKdR30"]
def useCombination(keyIndex):
x = [routerSerial, keyStrings[keyIndex], routerSsid]
perms = []
for i in range(1, len(x)+1):
for c in permutations(x, i):
perms.append("".join(c))
for i in range(0, len(perms)):
raw = perms[i]
tryKey(raw)
if (__name__ == "__main__"):
for i in range(0, len(keyStrings)):
useCombination(i)