How to get root access on my LTE Stick

No idea if this the right forum, but did somewhere know how can i root my LTE USB Stick ?
I have bay at ebay a some noname USB LTE stick. It called "4G LTE Wifi Modem" but no idea how is the Vendor.
It use use RNDIS for connecting with my Router.
On the Stick running an Android system.
I have acces via ADB but no root access

adb root

says:

adbd can not run as root because of error password

How is this related to OpenWrt?

1 Like

I want to connect my Openwrt router with this 4G LTE stick
I want this as backup for my fiber connection.
My problem is that the stick can not much, it makes a privat IPv4 subnet and connet to the internet.
So i have only a double NAT IPv4 internet

One of my hope is that a Openwrt firmware exist for this stick, another question is how managed other peoble this problem or have somewhere try to root a LTE Stick and can tell there experience

They're seldom or never rooted, and you're usually CGNATed no matter what.

What does lsusb say about it?

1 Like
lsusb -s 001:042 -v

Bus 001 Device 042: ID 05c6:90b4 Android Android
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x05c6 
  idProduct          0x90b4 
  bcdDevice           ff.ff
  iManufacturer           1 Android
  iProduct                2 Android
  iSerial                 3 3a2df27
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0093
    bNumInterfaces          4
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Association:
      bLength                 8
      bDescriptorType        11
      bFirstInterface         0
      bInterfaceCount         2
      bFunctionClass        224 
      bFunctionSubClass       1 
      bFunctionProtocol       3 
      iFunction               9 RNDIS
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass       224 
      bInterfaceSubClass      1 
      bInterfaceProtocol      3 
      iInterface              7 RNDIS Communications Control
      ** UNRECOGNIZED:  05 24 00 10 01
      ** UNRECOGNIZED:  05 24 01 00 01
      ** UNRECOGNIZED:  04 24 02 00
      ** UNRECOGNIZED:  05 24 06 00 01
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval               9
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              8 RNDIS Ethernet Data
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
      ** UNRECOGNIZED:  05 24 00 10 01
      ** UNRECOGNIZED:  05 24 01 00 00
      ** UNRECOGNIZED:  04 24 02 02
      ** UNRECOGNIZED:  05 24 06 00 00
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x000a  1x 10 bytes
        bInterval               9
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        3
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 
      bInterfaceSubClass     66 
      bInterfaceProtocol      1 
      iInterface              4 ADB Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x85  EP 5 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  bNumConfigurations      1
can't get debug descriptor: Resource temporarily unavailable
Device Status:     0x0000
  (Bus Powered)

Of course normally have Android no root access,
But i hope that possibility exist where i can do it.
How is the normal way to get root access ?

Of course i have an CGNAT on LTE but now i have two NATs because i can not add a route on the stick for this reason on my Router must be a second NAT.
The second problem is i want IPv6, on my LTE Stick i get a IPv6 address, but the privat subnet on the stick are IPv4 only.

Each manufacturer can do different things with respect to enabling or restricting the ability to root an Android device. Since you don't know who manufactured that device, you may find it difficult (or impossible) to get specific guidance for how to do it on that unit. You may want to find Android specific forums that discuss LTE sticks and other such devices. This forum just doesn't focus that stuff, so you're not likely to get the right audience here.

The truth is, if you have CGNAT, double NAT beyond that probably doesn't honestly matter. You don't have a public IP, but extra NAT layers shouldn't interfere in the vast majority of cases

If your stick only gives you IPv4, you're pretty much out of luck (unless you can root it, and even if you can, you may or may not have the ability to enable IPv6). But are you positive that your ISP provides proper IPv6?

You may be best served by getting a LTE stick that either has root access to begin with, or that you can find documentation about how to gain access. Working with no-name hardware often leads to this type of thing -- you typically have to accept what they give you and you may not be able to hack it all that easily for advanced features.

2 Likes

There isn't much you can change on this modem.

It is a Qualcomm based modem, possibly a Meig from the idV (05c6) but I can't find any reference to the idP so the brand is unknown.

It has 4 interfaces on it. Two for RNDIS and 1 for ADB. The other looks very much like an interface for a serial driver so it could be the AT Command port.

But none of the OpenWrt serial drivers have support for this modem so, unless you can get a patched driver, it is useless.

This modem will only use RNDIS unless there is some command that can change to something else. And it is doubtful you'll ever find a AT Command manual for it.

As pointed out above, unless you get a Public IP from your ISP you are going to have a NAT as you have to go through their network to the Internet. And few ISP give out Public IPs these days.

So the extra NAT from the modem is of no concern.

You are stuck with the modem as is and there is no way to "root" it into something else.

1 Like

I get a public IPv6 with /64 on the internet interface
But on the LAN interface and on the usb0 interface on the PC i get only a link-local IP
IPv6 is activated but forwarding is "2" (what is the meaning of 2 instead 1)

2 for RNDIS ? I have only one network device (usb0)
Where dit you know that there is a serial interface ?

I have open the device:

What will be happen when i connect rx tx and gnd to an URT Serial converter ?

Give it a shot and find out.

BTW, you may be able to use the wifi MAC address to identify the vendor. Depending on the situation, it may just be the chipset vendor and not the device manufacturer, but you can try that.

But as has been stated here, especially with an unidentified/generic type LTE device, you're really not going to have much luck getting info here -- this just isn't a forum for those products.

It has RNDIS Ethernet Data and RNDIS Communication Control interfaces. This is normal for modems to have multiple interfaces for the protocol being used. This is from the lsusb command you posted.

The Interface Descriptor after the RNDIS Ethernet Data interface has the same information you find in other modems with a serial interface.

You may be able to get to the command line that way just like a router.

You have to remember that the modem is using a chip that is very similar to those used in a phone and it is running Android firmware. Unless you are familiar with working with Android you'll still not be able to do much.

The Vid and Pid identify it as a Fibocom Qualcomm HS-USB Modem 90B4 based on the Qualcomm MDM9600 / MDM9610 chipset. This forum has more on it.

https://4pda.to/forum/index.php?showtopic=849043&st=1560