This is for educational purposes only.

Getting root access

This guide explains how to get root access on a JioFiber ONT.

First, fill in the variables at the top of the keyguesser.py script with your own ONT's details and run it:

#############################################################################################################
# Modify these variables accordingly before using this script                                               #
#############################################################################################################
inFileName = "RSXXXXXXXXXXX_JCOW414.enc" # Full name of the encrypted config backup file                    #
outFileName = "RSXXXXXXXXXXX_JCOW414.txt" # Name of output file if the decryption is successful             #
routerSerial = "RSXXXXXXXXXXX" # Your Router's Serial Number                                                #
routerSsid = "XXXXX"  # Default Router SSID without the 'JioFiber-' prefix                                  #
#############################################################################################################

Filesystem

The ONT mainly has two permanent partitions, /flash and /flash2; anything we add to these partitions persists across reboots.

A top level view of the filesystem:

flowchart LR
    A{/}
    A ==>|ubi0:config_data| B(/flash)
    A ==>|ubi1:config_data2| C(/flash2)
    A ==>|/dev/mtdblock11| D(/usr/config/WLan/MAP)
    A ==> E{/dev/sda1}
    E ==> F(/tmp/mnt/vfs/guest/AP)
    E ==> G(/tmp/mnt/vfs/admin)
    E ==> H(/tmp/mnt/vfs/admin/AP)
    E ==> I(/tmp/mnt/vfs/meshadmin/AP)

Some other important files to note:

  • /pfrm2.0/bin/appVersion.lua
  • /pfrm2.0/etc/platformInit
  • /pfrm2.0/etc/pfrm2.0/etc/platformInit2
  • /pfrm2.0/etc/pfrm2.0/etc/platformInit3

Custom init scripts

Telnet and other settings are usually reset when the ONT reboots, so we can put our custom commands in the /flash2/pfrm2.0/etc/customInit script to have them run at every boot.

Note

Make the script executable by running chmod +x /flash2/pfrm2.0/etc/customInit

Below is an example script that I use to enable telnet:

/flash2/pfrm2.0/etc/customInit
#!/bin/sh

# Wait for the system to be ready
sleep 10

# Remove the telnet disable flags (-f: no error if a flag is already absent)
rm -f /flash/telnetDisable
rm -f /flash/telnetDisableACS

# Start telnet and allow it through the firewall
/usr/sbin/telnetd
/pfrm2.0/bin/iptables -I fwInBypass -p tcp --dport 23 -m ifgroup --ifgroup-in 0x1/0x1 -j ACCEPT

# Set the root password (replace rilpass with a password of your own)
echo -e "rilpass\nrilpass" | passwd root

Serial Number and Password

The GPON SN is the serial number of the ONT. It is usually printed on the back of the ONT, but Reliance being Reliance, they've hidden it, and it can only be read via telnet [1].

gponmgr get info

This should give us the following output:

ONU Info:
 ...
 SN:        SCOMXXXXXXXX
 PASSWD:
  ASCII:    XXXXXXXX
  HEX:      XXXXXXXXXXXXXXXXXXXX
 ...

Footnotes

  1. https://broadband.forum/threads/how-to-authenticate-tp-link-ont-bypassing-jiofiber-router.221140/post-1612422