UF896 - Qualcomm MSM8916 LTE router ~384MiB RAM/2.4GiB flash, Android: OpenWrt?

Im trying to compile Handsomemod version buts a whack-a-mole with errors, but im very new to this kind of stuff

I've added support for the UF896 based on the Handsome repo.

OpenWrt works so far, but the modem isn't working and I'm still struggling to get sysupgrade working.

Maybe I can push the fork later this week.

1 Like

Would be great because I have the UF896 im flashing the 1c version(the version from the chinese link works om my UF896, just no modem) right now lets see how it goes.

EDIT:
it boots, but a few problems with luci, no adb dont know why.

Like this?

And what do i do in EDL mode?

1 Like

Hey! Thanks for the inspiration and blog post! Yes, I think that's trick. If you plug in the device with those pins shorted, hold for 5 seconds and release, you should see the device appear as some Qualcomm device like so:

Bus 001 Device 006: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

This will allow you to use edl-tools (https://github.com/bkerler/edl) to do things like:

  • wipe the boot partition
  • restore from a stock EDL dump (available earlier in this thread)

Both of those are useful in case you mess up userspace and lock yourself out. The build of lk1st available in the OpenStick repos does not properly wire up the reset button, and so there are scenarios where getting into EDL and doing a full recovery is required. It's suspected that this EDL trigger is in the Boot ROM so it should be a very reliable failsafe.

(I did wind up doing this so that I could extract all of the firmware files, which sadly, are spread across multiple Android partitions, including userdata. It was very easy to get the EDL tools setup, though do make sure you clone the git submodules first!)

1 Like

I've pushed my handsome OpenWrt fork to:

This is pretty much WIP.
I've added some installation instructions to the WIP commit.

Feel free to test this and report back.

The LTE modem isn't working though, maybe someone has an idea how to fix this:

[   15.950834] remoteproc remoteproc0: powering up 4080000.remoteproc
[   15.991772] remoteproc remoteproc0: Booting fw image mba.mbn, size 229898
[   16.017704] qcom-wcnss-pil a204000.remoteproc: unexpected response to sysmon event
[   16.047035] qcom-q6v5-mss 4080000.remoteproc: PBL returned unexpected status -284557052
[   16.047924] remoteproc remoteproc0: can't start rproc 4080000.remoteproc: -22
[   16.048093] qcom-wcnss-pil a204000.remoteproc: unexpected response to sysmon event
[   16.048149] remoteproc remoteproc0: Boot failed: -22
3 Likes

UPDATE:

I fixed the modem.

First issue was the extracted sparse modem images. They were somehow corrupt.

I've forked the handsome qcom-firmware repo, added the firmware for the uf896 and updated the qcom-firmware package.

Second issue is, the mmcblk0 partition doesn't contain partlabels, though they are required by eudev to create the /dev/disk/by-partlabel nodes. Those are in turn required by rmtfs.

To fix that, just use gdisk for example and do a fake name change (gdisk "c", use the same name) for one of the partitions (mmcblk0p7 for example, "modemst1")
Then write the partition table with "w", this rewrites the entire partition table incl. partlabels.

Restart eudev (/etc/init.d/udev restart) and check if there are nodes created (ls /dev/disk/by-partlabel)

If so, reboot and rmtfs should now able to start the remoteproc and create the wwan interfaces)

Then edit the wwan network interface in LuCI and add the APN and PAP/CHAP credentials if required.

wwan connection should then work.

I've pushed the changes to my repo.

7 Likes

I'm compiling your repo right now thanks!

I did notice something wonky with the firmware, I was applying the new firmware files and it suddenly connected using mmcl around file .23 and when it finished uploading the files it stopped working, I was going to post but saw your post so even better, glad someone noticed/fixed this.

Now how do I make adbd/usb tethering start on boot using the handsomefeed, i compiled it on and the package are there, but it doesn't start when I boot the device.

adb and usb tethering should work if package openstick-tweaks is selected (that is a default package, so every dependency should already selected)

Both works for me out of the box.

2 Likes

I'd like to use the stick to provide tailscale vpn access to an alternative operating system which doesn't support ts yet, so it would look like this

[ AP ] --)))))-- [ OpenStick running TS ] --)))))) -- [ Laptop ]

Can the OpenStick act as a client and an AP in the same time? If not, can i set it up as a usb-network device to route TailScale'd wlan to the USB heder?

Don't know why, but for me doesnt work (the modem).
Is there any problem for you to share a full emmc backup/build so I can test to see if it works,
Because now the modem dont show up on mmcli, and the backup availabe on this thread dont work on mine even if is UF896 (can only access adb, no wifi), I might have a different version even if it says UF896_V1.1 on the mb.

1 Like

Hi, where can i find your repo or firmware for uf896? Thanks!

1 Like

Do the following:

/etc/init.d/rmtfs stop
rmtfs -P -r -s -v

And post the output of the second command.

root@HandsomeMod:~# rmtfs -P -r -s -v
registering services
[RMTFS] packet; from: 0:4
[RMTFS] open /boot/modem_fs1 => 0 (0:0)
[RMTFS] packet; from: 0:5
[RMTFS] open /boot/modem_fs2 => 1 (0:0)
[RMTFS] packet; from: 0:6
[RMTFS] open /boot/modem_fsg => 2 (0:0)
[RMTFS] packet; from: 0:7
[RMTFS] open /boot/modem_fsc => 3 (0:0)
[RMTFS] packet; from: 0:7
[RMTFS] alloc 0, 917504 => 0x86700000 (0:0)
[RMTFS] packet; from: 0:7
[RMTFS] iovec 0, not forced => (0:0)
[RMTFS]       read 1:1 0x86700200
[RMTFS] packet; from: 0:7
[RMTFS] iovec 1, not forced => (0:0)
[RMTFS]       read 1:1 0x86700200
[RMTFS] packet; from: 0:7
[RMTFS] iovec 2, not forced => (0:0)
[RMTFS]       read 0:1792 0x86700000

dmesg last lines

[   78.017358] remoteproc remoteproc0: stopped remote processor 4080000.remoteproc
[   86.517558] remoteproc remoteproc0: powering up 4080000.remoteproc
[   86.518228] remoteproc remoteproc0: Booting fw image mba.mbn, size 230272
[   86.519044] qcom-wcnss-pil a204000.remoteproc: unexpected response to sysmon event
[   86.578207] qcom-q6v5-mss 4080000.remoteproc: MBA booted without debug policy, loading mpss
[   87.129346] remoteproc remoteproc0: remote processor 4080000.remoteproc is now up
[   89.718328]  remoteproc0:smd-edge: remote side did not enter opening state
[   89.718397] rpmsg rpmsg1: failed to open DATA4
[   90.838450]  remoteproc0:smd-edge: remote side did not enter opening state
[   90.838477] rpmsg rpmsg0: failed to open DATA5_CNTL
[   92.671779] bam-dmux wwan: Channel already open: 0
[   92.671807] bam-dmux wwan: Channel already open: 1
[   92.671819] bam-dmux wwan: Channel already open: 2
[   92.671829] bam-dmux wwan: Channel already open: 3
[   92.671840] bam-dmux wwan: Channel already open: 4
[   92.671849] bam-dmux wwan: Channel already open: 5
[   92.671858] bam-dmux wwan: Channel already open: 6
[   92.671870] bam-dmux wwan: Channel already open: 7

That looks good so far.

I just find a minor issue regarding sysupgrade. Unfortunately the kernel wasn't part of the sysupgrade.

So it maybe possible you are running not the current kernel, can you pull the latest commit, build a new sysupgrade and flash that?

1 Like

I managed to install openwrt on my ufi003 using the image from the above linked by extrowerk, modem work out of the box, the speed on the wifi is worse than in thetering mode. the modem speed is quite good

I also have the one labeled as sp970, it doesn't support modem as ufi003. Also I found Miko is easier to use for flashing and dumping image compared to edl tool. always get error on windows when using edl.

2 Likes

Hi,

i was able to flash the dump to my UF896_V1.1 like:

edl qfil rawprogram0.xml -- <dir_where_the_extracted_images_located>

Technically i supposed to use patch.xml instead of --, but there is no file like that, and it bails out if i omit it from the command line, so i decided to add it.
So using this command i was able to flash everything, i see the progress bars. No error at all.
But after disconnecting and reconnecting the device it boots always in 9008 / edl mode.

What am i doing wrong? Any hints?

Hi

I flashed the partitions one by one.
start edl with the loader first:

$ edl --loader <where you cloned edl to>/Loaders/qualcomm/factory/msm8916/007050e100000000_8ecf3eaa03f772e2_fhprg_peek.bin
Capstone library is missing (optional).
Keystone library is missing (optional).
Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Using loader .../Loaders/qualcomm/factory/msm8916/007050e100000000_8ecf3eaa03f772e2_fhprg_peek.bin ...
main - Waiting for the device
main - Device detected :)
sahara - Protocol version: 2, Version supported: 1
main - Mode detected: sahara
sahara -
------------------------
HWID:              0x007050e100000000 (MSM_ID:0x007050e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected:      "MSM8916"
PK_HASH:           0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial:            0x0281b9b7

sahara - Protocol version: 2, Version supported: 1
sahara - Uploading loader .../Loaders/qualcomm/factory/msm8916/007050e100000000_8ecf3eaa03f772e2_fhprg_peek.bin ...
sahara - 32-Bit mode detected.
sahara - Firehose mode detected, uploading...
sahara - Loader successfully uploaded.

then flash the partition table:

$ edl w gpt gpt_main0.bin
Capstone library is missing (optional).
Keystone library is missing (optional).
Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: firehose
main - Trying to connect to firehose loader ...
firehose_client
firehose_client - [LIB]: No --memory option set, we assume "eMMC" as default ..., if it fails, try using "--memory" with "UFS","NAND" or "spinor" instead !
firehose - TargetName=MSM8916
firehose - MemoryName=eMMC
firehose - Version=1
firehose - Trying to read first storage sector...
firehose - Running configure...
firehose_client - Supported functions:
-----------------
firehose -
Writing to physical partition 0, sector 0, sectors 9
Progress: |██████████████████████████████████████████████████| 100.0% Write (Sector 0x9 of 0x9, ) 2.77 MB/s
Wrote gpt_main0.bin to sector 0.

thats the resulting partition table

$ edl printgpt
Capstone library is missing (optional).
Keystone library is missing (optional).
Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: firehose
main - Trying to connect to firehose loader ...
firehose_client
firehose_client - [LIB]: No --memory option set, we assume "eMMC" as default ..., if it fails, try using "--memory" with "UFS","NAND" or "spinor" instead !
firehose - TargetName=MSM8916
firehose - MemoryName=eMMC
firehose - Version=1
firehose - Trying to read first storage sector...
firehose - Running configure...
firehose_client - Supported functions:
-----------------

Parsing Lun 0:

GPT Table:
-------------
modem:               Offset 0x0000000004000000, Length 0x0000000004000000, Flags 0x1000000000000000, UUID dc4e15fc-e42a-71fa-0882-3499b9b4adba, Type EFI_BASIC_DATA, Active False
sbl1:                Offset 0x0000000008000000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID d3c57708-138c-a6ea-e154-994ba16a083d, Type 0xdea0ba2c, Active False
sbl1bak:             Offset 0x0000000008080000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID c2ff6bfe-471e-933d-3fb4-1c2fd6b2ae06, Type EFI_BASIC_DATA, Active False
aboot:               Offset 0x0000000008100000, Length 0x0000000000100000, Flags 0x0000000000000000, UUID 0bf6fe27-fceb-a12f-e284-0540b0f20877, Type 0x400ffdcd, Active False
abootbak:            Offset 0x0000000008200000, Length 0x0000000000100000, Flags 0x0000000000000000, UUID cd5f88e1-f9ce-e228-68c0-f3443d26d856, Type EFI_BASIC_DATA, Active False
rpm:                 Offset 0x0000000008300000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID 21529019-b5cf-266d-0cc8-1989bd930821, Type 0x98df793, Active False
rpmbak:              Offset 0x0000000008380000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID ab4d62a3-670a-4826-d2e8-dd6538af0d20, Type EFI_BASIC_DATA, Active False
tz:                  Offset 0x0000000008400000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID b0412613-1ee6-0292-531e-ae9c55782664, Type 0xa053aa7f, Active False
tzbak:               Offset 0x0000000008480000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID c51eaf49-d47e-656c-baf7-256c567dceff, Type EFI_BASIC_DATA, Active False
hyp:                 Offset 0x0000000008500000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID ec865428-e35f-d6b2-0c04-77388bb2fd32, Type 0xe1a6a689, Active False
hypbak:              Offset 0x0000000008580000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID 5bfa8c13-ce51-d2bf-fc61-8d5556c296df, Type EFI_BASIC_DATA, Active False
pad:                 Offset 0x0000000008600000, Length 0x0000000000100000, Flags 0x0000000000000000, UUID 34ed95eb-4900-a965-ac12-b0ac9f8ae650, Type EFI_BASIC_DATA, Active False
modemst1:            Offset 0x0000000008700000, Length 0x0000000000180000, Flags 0x0000000000000000, UUID 67cbc733-ba31-8c29-795e-bd702b535a76, Type 0xebbeadaf, Active False
modemst2:            Offset 0x0000000008880000, Length 0x0000000000180000, Flags 0x0000000000000000, UUID 94449988-342d-f8e7-e509-9073dd0f1193, Type 0xa288b1f, Active False
misc:                Offset 0x0000000008a00000, Length 0x0000000000100000, Flags 0x0000000000000000, UUID c07b8a23-7d0e-fa1e-0882-d2700adc49cd, Type 0x20117f86, Active False
fsc:                 Offset 0x0000000008b00000, Length 0x0000000000000400, Flags 0x0000000000000000, UUID 993c8420-e810-1096-dd9c-cfb9e90fb323, Type 0x57b90a16, Active False
ssd:                 Offset 0x0000000008b00400, Length 0x0000000000002000, Flags 0x0000000000000000, UUID 0a891224-ded5-ea1b-c22e-066b547ec7a4, Type 0x2c86e742, Active False
splash:              Offset 0x0000000008b02400, Length 0x0000000000a00000, Flags 0x0000000000000000, UUID 97a96eed-72d8-9b4d-4521-e0298dbd3a77, Type 0x20117f86, Active False
DDR:                 Offset 0x000000000c000000, Length 0x0000000000008000, Flags 0x1000000000000000, UUID e62990de-7a6a-7fca-16b4-2c951ffb960a, Type 0x20a0c19c, Active False
fsg:                 Offset 0x000000000c008000, Length 0x0000000000180000, Flags 0x1000000000000000, UUID bc2ab13b-0ad8-3038-b80e-cb5879baf554, Type 0x638ff8e2, Active False
sec:                 Offset 0x000000000c188000, Length 0x0000000000004000, Flags 0x1000000000000000, UUID 99804ee5-c931-767f-4f2d-43e82e8483b2, Type 0x303e6ac3, Active False
boot:                Offset 0x000000000c18c000, Length 0x0000000001000000, Flags 0x1000000000000000, UUID edaa93b3-5226-2ccd-2d4c-a36919bd6a6d, Type 0x20117f86, Active False
system:              Offset 0x000000000d18c000, Length 0x0000000032000000, Flags 0x1000000000000000, UUID 798c440f-be44-b351-c314-d1f666b26ac3, Type EFI_BASIC_DATA, Active False
persist:             Offset 0x000000003f18c000, Length 0x0000000002000000, Flags 0x1000000000000000, UUID 39643ffb-f379-2ac5-d961-b0ed07a97109, Type EFI_BASIC_DATA, Active False
cache:               Offset 0x000000004118c000, Length 0x0000000008000000, Flags 0x1000000000000000, UUID 89ccb492-ba3c-8c1a-8135-d2266ca9973c, Type EFI_BASIC_DATA, Active False
recovery:            Offset 0x000000004918c000, Length 0x0000000001000000, Flags 0x1000000000000000, UUID 960f546e-22d3-67b0-a3ec-f7a59372e2f3, Type 0x20117f86, Active False
userdata:            Offset 0x000000004a18c000, Length 0x000000009ee6fe00, Flags 0x1000000000000000, UUID 6d7b43d9-e4e4-c93e-7a18-2f7ef2c05864, Type EFI_BASIC_DATA, Active False

Total disk size:0x00000000e9000000, sectors:0x0000000000748000

Flash now the partitions one by one: e.g. modem

$ edl w modem modem.bin

erase userdata and cache, they are not needed.

$ edl e userdata
$ edl e cache

after bootup change to fastboot mode:

$ adb reboot bootloader

and format userdata and cache:

$ fastboot format:ext4 userdata
$ fastboot format:ext4 cache

Just FYI, I got my UF896_V1.1 bricked just by flashing the openstick generic image and leaving it running for a couple of hours. I'm not sure what happened, I didn't even open it up. I tried to get it to boot into edl mode by various tricks mentioned in the forums, but it looks like the stick is dead for good.