
July 4, 2022, 8:05 a.m.

PLDT FX-ID3 1.1.1.22 Openline (Unlock) with Telnet Access Tutorial

WARNING: THIS TUTORIAL IS NOT FOR SALE! IF YOU PAID FOR IT, ASK FOR A REFUND! THIS TUTORIAL AND THE FILES ARE FREE.

DON'T BE A VICTIM! FILES ARE PROPERTY OF R1BNC AND BACKSPACE TEAM!

Disclaimer: I am not responsible if you brick your device! Do the tutorial at your own risk!

This has been tested only on PLDT FX ID3 v1.1.1.22 and LTE Baseband v07

I have made a userscript that enables the telnet functionality of the PLDT FX-ID3 with firmware version 1.1.1.22. You can get it for free. You just need the Tampermonkey extension and the Google Chrome or Firefox browser.

Before Activating Telnet:

$ nmap 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-02 19:24 PST
Nmap scan report for WIFI_ROUTER (192.168.1.1)
Host is up (0.83s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

After using the script:

$ nmap 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-02 20:00 PST
Nmap scan report for WIFI_ROUTER (192.168.1.1)
Host is up (0.83s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Telnet is now activated and does not require credentials!
If you restart the router, telnet will be disabled again.
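
From the network owner's side, the difference between the two scans above is the event to detect: a cleartext, credential-less management service appearing on the gateway. The following is an added example, not part of the original post or the author's userscript; it diffs two nmap port tables and flags newly opened cleartext admin services. The `CLEARTEXT_ADMIN` list and the function names are assumptions made for illustration.

```python
import re

# A port-table row in nmap's normal output, e.g. "23/tcp  open  telnet"
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)[ \t]+(\S+)[ \t]+(\S+)", re.M)

# Cleartext remote-admin services to alert on (an assumed policy list)
CLEARTEXT_ADMIN = {"telnet", "ftp", "tftp", "rlogin", "rsh"}

def open_ports(nmap_text):
    """Return {(port, proto): service} for every row in state 'open'."""
    return {(int(port), proto): service
            for port, proto, state, service in PORT_ROW.findall(nmap_text)
            if state == "open"}

def diff_scans(before, after):
    """Return (newly_opened, newly_closed, alerts) between two scans."""
    b, a = open_ports(before), open_ports(after)
    opened = {k: a[k] for k in a.keys() - b.keys()}
    closed = {k: b[k] for k in b.keys() - a.keys()}
    alerts = sorted(f"{port}/{proto} {svc}"
                    for (port, proto), svc in opened.items()
                    if svc in CLEARTEXT_ADMIN)
    return opened, closed, alerts

# Port tables copied from the two scans of 192.168.1.1 shown above
BEFORE = """\
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
"""
AFTER = """\
Not shown: 996 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
"""

if __name__ == "__main__":
    opened, closed, alerts = diff_scans(BEFORE, AFTER)
    print("newly open:", opened)
    print("newly closed:", closed)
    for a in alerts:
        print("ALERT cleartext admin service exposed:", a)
```

Because the service disappears again on reboot, a single scheduled scan can miss it; comparing each scan against a stored baseline catches the window in which it is open.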

You can now proceed to openline/unlock the modem as shown in a lot of videos on YouTube.
Just do the following:

# serial_test /dev/ttyACM1
AT*MRD_MEP=D

Sample output:


# serial_test /dev/ttyACM1
#################################################
#       Serialtools:                                #
#               input quit to exit.                     #
#################################################

debug: open port ok.
AT+CMGL=1


OK



+EEMUMTSSVC:3, 1, 1, 1,-90, 22, -10, -20, -115, -32768, 1, 1, 1301, 3, 25032, 79838901, 4, 65535, 10562, 60, 0, 0, 1, 64, 64, 64, 1, 0, 2, 255, 65535, -1, 0, 0, 0, 0, 0, 0,0, 0, 1301, 3, -1, -1, 1, 1,28672, 255, 194, 24, 0, 65535, 0, 0, 0

AT*MRD_MEP=D
write 13 chars
AT*MRD_MEP=D


OK

...

I have tested that this works.

More information about the FX ID3.

CPU INFO

# cat /proc/cpuinfo

system type     : Ralink SoC
processor       : 0
cpu model       : MIPS 24Kc V5.0
BogoMIPS        : 386.04
wait instruction    : yes
microsecond timers  : yes
tlb_entries     : 32
extra interrupt vector  : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ff8, 0x0ff8, 0x0e3b, 0x0ff8]
ASEs implemented    : mips16 dsp
shadow register sets    : 1
core            : 0
VCED exceptions     : not available
VCEI exceptions     : not available

Running processes:

# ps
  PID USER       VSZ STAT COMMAND
    1 pldthome  1640 S    init  
    2 pldthome     0 SW   [kthreadd]
    3 pldthome     0 SW   [ksoftirqd/0]
    4 pldthome     0 SW   [kworker/0:0]
    5 pldthome     0 SW   [kworker/u:0]
    6 pldthome     0 SW<  [khelper]
    7 pldthome     0 SW   [sync_supers]
    8 pldthome     0 SW   [bdi-default]
    9 pldthome     0 SW<  [kblockd]
   10 pldthome     0 SW   [khubd]
   11 pldthome     0 SW   [kswapd0]
   12 pldthome     0 SW<  [crypto]
   20 pldthome     0 SW   [mtdblock0]
   21 pldthome     0 SW   [mtdblock1]
   22 pldthome     0 SW   [mtdblock2]
   23 pldthome     0 SW   [mtdblock3]
   24 pldthome     0 SW   [mtdblock4]
   25 pldthome     0 SW   [mtdblock5]
   26 pldthome     0 SW   [mtdblock6]
   27 pldthome     0 SW   [mtdblock7]
   28 pldthome     0 SW   [mtdblock8]
   29 pldthome     0 SW   [mtdblock9]
   30 pldthome     0 SW   [mtdblock10]
   31 pldthome     0 SW   [mtdblock11]
   32 pldthome     0 SW   [mtdblock12]
   33 pldthome     0 SW   [kworker/u:1]
   46 pldthome  1256 S    nvram_daemon 
   50 pldthome  2692 S    goahead 
   58 pldthome  1560 S    gpio A 
   95 pldthome  1640 S    atelIDURM 
  103 pldthome  1640 S    /bin/sh 
  124 pldthome     0 SW   [kworker/0:1]
  732 pldthome  1648 S    /bin/sh 
  792 pldthome     0 SW   [RtmpCmdQTask]
  793 pldthome     0 SW   [RtmpWscTask]
 1140 pldthome  1788 S    ltemanage 
 1681 pldthome  1648 S    udhcpd /etc/udhcpd.conf 
 2120 pldthome  1544 S    WiFiCalibrationAdjust 
 6675 pldthome  1644 S    syslogd -C8 
 6693 pldthome  1636 S    klogd 
 7190 pldthome  1248 S    remoteUpgrade 
 7547 pldthome  1028 S    dnsmasq --user=pldthome --listen-address 192.168.1.1 
18781 pldthome  1640 S    /bin/sh 
28730 pldthome  1640 R    ps 

Hard coded super admin credentials:

advanceLogin
advancePassword
advance
3V0Lu2n@DvAn6E
/advance.asp
...

MTD Partitions:

# cat /proc/mtd

dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00740000 00010000 "Kernel"
mtd5: 00060000 00010000 "Logo"
mtd6: 00010000 00010000 "Config_bak"
mtd7: 00740000 00010000 "BakKernel"
mtd8: 00010000 00010000 "Config2"
mtd9: 00020000 00010000 "Syslog"
mtd10: 00010000 00010000 "Configfile"
mtd11: 00010000 00010000 "Parmeter_voip"
mtd12: 00070000 00010000 "FSMnt"
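
`/proc/mtd` reports sizes only, not offsets. The following added example (not from the original post) parses the table above and derives a flash map, under the assumption that mtd1 to mtd12 are laid out back to back in index order inside the "ALL" device; the function names are illustrative.

```python
import re

# One /proc/mtd row: mtdN: <size hex> <erasesize hex> "<name>"
MTD_ROW = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"', re.M)

def parse_mtd(text):
    """Parse /proc/mtd text into a list of dicts with integer sizes."""
    return [{"index": int(i), "size": int(size, 16),
             "erasesize": int(erase, 16), "name": name}
            for i, size, erase, name in MTD_ROW.findall(text)]

def layout(parts, whole="ALL"):
    """Assign offsets to partitions, ASSUMING they sit back to back in
    index order (/proc/mtd reports sizes only, not offsets).
    Returns (rows, total, unaccounted) with rows = (name, start, end)."""
    total = next(p["size"] for p in parts if p["name"] == whole)
    rows, offset = [], 0
    for p in sorted(parts, key=lambda p: p["index"]):
        if p["name"] == whole:
            continue  # whole-chip alias, not a slice of its own
        if p["size"] % p["erasesize"]:
            raise ValueError(f'{p["name"]} is not erase-block aligned')
        rows.append((p["name"], offset, offset + p["size"]))
        offset += p["size"]
    return rows, total, total - offset

# Table copied from the /proc/mtd output above
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00740000 00010000 "Kernel"
mtd5: 00060000 00010000 "Logo"
mtd6: 00010000 00010000 "Config_bak"
mtd7: 00740000 00010000 "BakKernel"
mtd8: 00010000 00010000 "Config2"
mtd9: 00020000 00010000 "Syslog"
mtd10: 00010000 00010000 "Configfile"
mtd11: 00010000 00010000 "Parmeter_voip"
mtd12: 00070000 00010000 "FSMnt"
"""

if __name__ == "__main__":
    rows, total, unaccounted = layout(parse_mtd(PROC_MTD))
    for name, start, end in rows:
        print(f"{name:<14} 0x{start:07x}-0x{end - 1:07x} {(end - start) // 1024:>5} KiB")
    print(f"flash 0x{total:x} bytes, unaccounted 0x{unaccounted:x}")
```

The twelve partition sizes add up to exactly the 0x01000000 bytes (16 MiB) of "ALL", which is consistent with the contiguous-layout assumption, and it places "BakKernel" at 0x800000, the midpoint of the flash.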

Mount info:

rootfs on / type rootfs (rw)
proc on /proc type proc (rw,relatime)
none on /var type ramfs (rw,relatime)
none on /etc type ramfs (rw,relatime)
none on /tmp type ramfs (rw,relatime)
none on /media type ramfs (rw,relatime)
none on /sys type sysfs (rw,relatime)
none on /dev/pts type devpts (rw,relatime,mode=600)
none on /proc/bus/usb type usbfs (rw,relatime)
mdev on /dev type ramfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)

TR069 https://192.168.1.1/tr069Settings/url_port_setting.asp

Band locking https://192.168.1.1//idu/B28_management.asp

Remote upgrade https://192.168.1.1/adm/remote_upgrade.asp

Firmware upgrade/downgrade https://192.168.1.1/adm/c3d72e5312f946deb63f7f5695fac56c.asp

Full link dump:



Dashboard

FXID3_dashboard.png

Band locking

FXID3_bandlocking.png

APN Editor

FXID3_APN.png

Network Mode

FXID3_netmode.png

Remote Upgrade (FOTA) - Disable this or set the URL to something other than the default value, to avoid upgrades that might prevent us from unlocking/openlining the device.

FXID3_remoteupgrade.png

Change IMEI:

# serial_test /dev/ttyACM1

AT*MRD_IMEI=D
AT*MRD_IMEI=W,0101,01NOV2012,123456789012345

Replace 12345.. with your preferred IMEI. Only use an IMEI that you OWN!

Why change the IMEI? Certain SIMs are only allowed to be used on certain IMEIs, such as the Globe at Home Prepaid SIM and the Smart Rocket SIM.

This post will be updated in the future.
However, the FX ID3 is only a CAT4 LTE device. I do not recommend getting one; just get a CAT6 or CAT7 LTE device for faster data connectivity.

Credits to the Backspace Discord for support!

If you want to use the information on this blog, please do not forget to add CTTO: r1bnc & Backspace.
DO NOT SELL THE SCRIPT!

I also made a YouTube video about this:

Except where otherwise noted, this work is licensed under Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/).