Ahoj,
I have a device which seems to have nice specs for OpenWRT (ca. 384 MiB of RAM, ca. 2.4 GiB of flash) and it is a tiny 3G/4G-WiFi-USB-Router: In the form factor of a USB stick, it holds a cellular modem, a WiFi device, LAN-via-USB, and the SoC which seems to be a Qualcomm MSM8916, 4 core ARM Cortex A53 (→ seems to be Linux mainline kernel compatible).
Those devices are available fairly cheap (I paid ca. 13 EUR via aliexpress). They would make nice travel-routers (since they don't have a built-in battery they are smaller and there are no issues with taking dangerous goods to some places): "just plug into some USB power supply and go".
The device runs Android, has a very limited web interface (you can only set ESSID, WiFi encryption, and cellular mode, and there is a field to set IMEI. Not even a SIM PIN can be set; if the SIM requires a PIN the device just shows "SIM PIN required" but does not offer any option to set it).
When plugged in via USB, it is accessible via `adb`, but no root access. It is also possible to reboot it into fastboot mode and into Qualcomm's EDL mode.
I have no knowledge or experience with Android internals and with Qualcomm and ARM based devices in general.
It seems to run firmware which is from 2016 or before, and the Linux kernel seems to be 3.10.28. I suspect it should be possible to get root due to bugs, like the kernel bugs "dirtycow" and "dirtypipe" and maybe others. And maybe also fastboot or EDL might enable direct flashing (though I could not get any storage information by using the `edl` executable when the device was in EDL mode).
If anyone is interested to find a way to get OpenWRT running on those devices, I would donate my device and I would offer a bounty of 200 EUR in case of success.
If anyone has ideas on how I could "open up" the software of the device (combined with de-bricking instructions in case I brick it) I am also glad, and of course I can provide more information from the device if specifically asked what information is needed.
I don't know if → this project might be helpful; there someone has made a custom, as-open-as-possible, firmware for an (Android?) based Quectel E25-G cellular modem with Qualcomm MDM9607, → here is more information about that modem.
Following, I provide the information I have gathered from the device:
Information by looking at the hardware:
Chips:
The following is printed on the chips:
Qualcomm-Chip PM8918 (maybe power management):
QUALCOMM
PM8918
001
BGSU717
• E352002
Smaller chip beside the PM8918, WCN3620 (seems to have to do something with wireless and being from Qualcomm, documentation I have found: → "WCN3620 Wireless Connectivity IC Device Specification", → "WCN3620 Wireless Connectivity IC Design Guidelines"):
WCN3620
OVV
7R47835
BD45005
•06
On the other side of the circuit board:
Not-so-small square chip beside the (unused) coaxial antenna connector (probably a GSM/GPRS/EDGE cellular network signal amplifier by Skyworks, → summary PDF):
•
77916-21
3582480.1
1641 MX
Rectangular chip beside (probably a UMTS/LTE amplifier by Skyworks, → summary PDF):
•
77643-11
625413.1P
1546 MX
Small rectangular chip somewhat in the middle of the PCB (probably an RF transceiver):
QUALCOMM
WTR4905
1VV
TGT44800
AE60701
• 45
(The writing is so tiny that I am not really sure if I have read everything correctly. Especially, I am not completely sure with `TGT44800` (`TGT` could also be `TCT` and `44800` could also be `44900`) and the last `45` (could also be `4S`).)
Big chip beside the USB port (probably the flash chip):
SKhynix
H9TP32A4G0CC
PRKGM 5904A
• 2MXQT663Q4
Next big chip (probably the SoC, → seems to be Linux mainline kernel compatible, → information, ARM Cortex A53 quad core 64bit):
QUALCOMM
MSM8916
1VV
AUR60306
• N E161400
Information from PC-side:
`dmesg` when plugged into computer:
`dmesg` output after attaching the router to USB:
usb 1-2: new high-speed USB device number 73 using xhci_hcd
usb 1-2: New USB device found, idVendor=05c6, idProduct=9091, bcdDevice=ff.ff
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-2: Product: Android
usb 1-2: Manufacturer: Android
usb 1-2: SerialNumber: 1234567890ABCDEF
usb 1-2: USB disconnect, device number 73
usb 1-2: new high-speed USB device number 74 using xhci_hcd
usb 1-2: New USB device found, idVendor=05c6, idProduct=9024, bcdDevice=ff.ff
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-2: Product: Android
usb 1-2: Manufacturer: Android
usb 1-2: SerialNumber: 1234567890ABCDEF
rndis_host 1-2:1.0 usb0: register 'rndis_host' at usb-0000:00:15.0-2, RNDIS device, ca:0c:2e:c0:4c:bc
`lsusb` when plugged into computer:
Output of `lsusb -vvv -d 05c6:9024`:
Bus 001 Device 074: ID 05c6:9024 Qualcomm, Inc. Android
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x05c6 Qualcomm, Inc.
idProduct 0x9024
bcdDevice ff.ff
iManufacturer 1 Android
iProduct 2 Android
iSerial 3 1234567890ABCDEF
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0062
bNumInterfaces 3
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 500mA
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 0
bInterfaceCount 2
bFunctionClass 224 Wireless
bFunctionSubClass 1 Radio Frequency
bFunctionProtocol 3 RNDIS
iFunction 9 RNDIS
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 3 RNDIS
iInterface 7 RNDIS Communications Control
** UNRECOGNIZED: 05 24 00 10 01
** UNRECOGNIZED: 05 24 01 00 01
** UNRECOGNIZED: 04 24 02 00
** UNRECOGNIZED: 05 24 06 00 01
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 9
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 8 RNDIS Ethernet Data
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 66
bInterfaceProtocol 1
iInterface 4 ADB Interface
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 1
Device Status: 0x0000
(Bus Powered)
`adb devices` information:
Output of `adb devices -l`:
List of devices attached
1234567890ABCDEF device usb:1-2 product:msm8916_32_512 model:msm8916_32_512 device:msm8916_32_512 transport_id:2
`dmesg` when rebooting to fastboot:
After an `adb reboot-bootloader`, output of `dmesg`:
usb 1-2: USB disconnect, device number 76
rndis_host 1-2:1.0 usb0: unregister 'rndis_host' usb-0000:00:15.0-2, RNDIS device
usb 1-2: new high-speed USB device number 77 using xhci_hcd
usb 1-2: New USB device found, idVendor=18d1, idProduct=d00d, bcdDevice= 1.00
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-2: Product: Android
usb 1-2: Manufacturer: Google
usb 1-2: SerialNumber: 8a221a8
`lsusb` when rebooting to fastboot:
After an `adb reboot-bootloader`, output of `lsusb -vvv -d 18d1:d00d`:
Bus 001 Device 077: ID 18d1:d00d Google Inc. Xiaomi Mi/Redmi 2 (fastboot)
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x18d1 Google Inc.
idProduct 0xd00d Xiaomi Mi/Redmi 2 (fastboot)
bcdDevice 1.00
iManufacturer 1 Google
iProduct 2 Android
iSerial 3 8a221a8
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0020
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 256mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 66
bInterfaceProtocol 3
iInterface 4 fastboot
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Device Status: 0x0000
(Bus Powered)
`fastboot devices` information:
After an `adb reboot-bootloader`, output of `fastboot devices -l`:
8a221a8 fastboot usb:1-2
`dmesg` when rebooting to EDL mode:
After an `adb reboot edl`, output of `dmesg`:
usb 1-2: USB disconnect, device number 78
usb 1-2: new high-speed USB device number 79 using xhci_hcd
usb 1-2: New USB device found, idVendor=05c6, idProduct=9024, bcdDevice=ff.ff
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-2: Product: Android
usb 1-2: Manufacturer: Android
usb 1-2: SerialNumber: 1234567890ABCDEF
rndis_host 1-2:1.0 usb0: register 'rndis_host' at usb-0000:00:15.0-2, RNDIS device, 8e:ba:ce:c7:aa:a1
usb 1-2: USB disconnect, device number 79
rndis_host 1-2:1.0 usb0: unregister 'rndis_host' usb-0000:00:15.0-2, RNDIS device
usb 1-2: new high-speed USB device number 80 using xhci_hcd
usb 1-2: New USB device found, idVendor=05c6, idProduct=9008, bcdDevice= 0.00
usb 1-2: New USB device strings: Mfr=0, Product=2, SerialNumber=0
usb 1-2: Product: QHSUSB__BULK
usbcore: registered new interface driver qcserial
usbserial: USB Serial support registered for Qualcomm USB modem
qcserial 1-2:1.0: Qualcomm USB modem converter detected
usb 1-2: Qualcomm USB modem converter now attached to ttyUSB0
`lsusb` when rebooting to EDL mode:
After an `adb reboot edl`, output of `lsusb -vvv -d 05c6:9008`:
Bus 001 Device 080: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x05c6 Qualcomm, Inc.
idProduct 0x9008 Gobi Wireless Modem (QDL mode)
bcdDevice 0.00
iManufacturer 0
iProduct 2 QHSUSB__BULK
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0020
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 2mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Status: 0x0000
(Bus Powered)
`edl`:
After an `adb reboot edl`, output of `edl` [1]:
Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
sahara - Protocol version: 2.1
main - Mode detected: sahara
sahara -
------------------------
HWID: 0x007050e100000000 (MSM_ID:0x007050e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected: "MSM8916"
PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial: 0x1baae92c
sahara - Possibly unfused device detected, so any loader should be fine...
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/cyanogen/007050e100000000_4614048173062ae4_fhprg_peek.bin
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/cyanogen/007050e100000000_4e3eefa63a67eb7a_fhprg_peek.bin
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/cyanogen/007050e100000000_d36c6073c9c2cb1c_fhprg_peek.bin
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/lenovo_motorola/007050e100000000_99c8c13e374c34d8_fhprg_peek.bin
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/longcheer/007050e100000000_3022817d373fd7f9_fhprg_peek.bin
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/lyf/007050e100000000_394a2e47cf830150_fhprg_peek.bin
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/qualcomm/factory/msm8916/007050e100000000_8ecf3eaa03f772e2_fhprg_peek.bin
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/xiaomi/007050e100000000_278448179ac756a1_fhprg_peek.bin
sahara - Possible loader available: /usr/lib/python3.10/site-packages/edlclient/../Loaders/xiaomi/007050e100000000_50838757eab7c632_fhprg_peek_wt88047.bin
sahara - Trying loader: /usr/lib/python3.10/site-packages/edlclient/../Loaders/cyanogen/007050e100000000_4614048173062ae4_fhprg_peek.bin
sahara - Protocol version: 2.1
sahara - Uploading loader /usr/lib/python3.10/site-packages/edlclient/../Loaders/cyanogen/007050e100000000_4614048173062ae4_fhprg_peek.bin ...
sahara - 32-Bit mode detected.
sahara - Firehose mode detected, uploading...
sahara - Loader successfully uploaded.
[1] edl: https://github.com/bkerler/edl
Information from inside the router's OS:
`/proc/cpuinfo`:
`cat /proc/cpuinfo` from a shell on the Android system:
processor : 0
model name : ARMv7 Processor rev 0 (v7l)
BogoMIPS : 38.40
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 0
processor : 1
model name : ARMv7 Processor rev 0 (v7l)
BogoMIPS : 38.40
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 0
processor : 2
model name : ARMv7 Processor rev 0 (v7l)
BogoMIPS : 38.40
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 0
processor : 3
model name : ARMv7 Processor rev 0 (v7l)
BogoMIPS : 38.40
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 0
Hardware : Qualcomm Technologies, Inc MSM8916
Revision : 0000
Serial : 0000000000000000
Processor : ARMv7 Processor rev 0 (v7l)
`/proc/meminfo`:
`cat /proc/meminfo` from a shell on the Android system:
MemTotal: 390392 kB
MemFree: 19024 kB
Buffers: 5348 kB
Cached: 170048 kB
SwapCached: 0 kB
Active: 88636 kB
Inactive: 167740 kB
Active(anon): 76004 kB
Inactive(anon): 5912 kB
Active(file): 12632 kB
Inactive(file): 161828 kB
Unevictable: 624 kB
Mlocked: 0 kB
SwapTotal: 196604 kB
SwapFree: 196604 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 81628 kB
Mapped: 55196 kB
Shmem: 312 kB
Slab: 35936 kB
SReclaimable: 17112 kB
SUnreclaim: 18824 kB
KernelStack: 4112 kB
PageTables: 3584 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 391800 kB
Committed_AS: 2951208 kB
VmallocTotal: 499712 kB
VmallocUsed: 41216 kB
VmallocChunk: 328732 kB
`/proc/devices`:
`cat /proc/devices` from a shell on the Android system:
Character devices:
1 mem
256 msm_rng
2 pty
3 ttyp
4 /dev/vc/0
4 tty
5 /dev/tty
5 /dev/console
5 /dev/ptmx
7 vcs
10 misc
13 input
21 sg
29 fb
81 video4linux
86 ch
89 i2c
108 ppp
116 alsa
128 ptm
136 pts
166 ttyACM
180 usb
188 ttyUSB
189 usb_device
216 rfcomm
235 vm_bms
236 avtimer
237 ttyGS
238 ccid_bridge
239 usbmon
240 usb_ext_chg
241 uio
242 qseecom
243 kgsl
244 smdpkt
245 dia
246 smd
247 subsys
248 voice_svc
249 bsg
250 battery_data
251 media
252 rtc
253 msm_sps
254 msm_thermal_query
Block devices:
1 ramdisk
259 blkext
7 loop
8 sd
65 sd
66 sd
67 sd
68 sd
69 sd
70 sd
71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd
179 mmc
253 zram
254 device-mapper
`df`:
`df` from a shell on the Android system:
Filesystem Size Used Free Blksize
/dev 190.6M 128.0K 190.5M 4096
/sys/fs/cgroup 190.6M 12.0K 190.6M 4096
/mnt/asec 190.6M 0.0K 190.6M 4096
/mnt/obb 190.6M 0.0K 190.6M 4096
/system 387.4M 283.4M 104.1M 4096
/data 2.4G 6.6M 2.4G 4096
/cache 122.0M 44.0K 121.9M 4096
/persist 27.5M 84.0K 27.4M 4096
/firmware 64.0M 50.3M 13.6M 16384
/mnt/shell/emulated 2.4G 6.6M 2.4G 4096
/storage/emulated/legacy 2.4G 6.6M 2.4G 4096
`dmesg`:
`dmesg` cannot be run on the device:
klogctl: Operation not permitted
`getprop`:
Output of `getprop` from a shell on the Android system:
This is a large file (ca. 11 KiB/ 312 lines), too large for this forum. You can download it from → here.
`dumpsys`:
Output of `dumpsys` from a shell on the Android system:
This is a large file (ca. 598 KiB/ 11342 lines), too large for this forum. You can download it from → here.
`logcat`:
Output of `logcat` from a shell on the Android system (terminated after messages seem to repeat):
This is a large file (ca. 285 KiB/ 3810 lines), too large for this forum. You can download it from → here.
kernel configuration `/proc/config.gz`:
Output of the `gunzip`-ed `/proc/config.gz` from the Android system:
This is a large file (ca. 96 KiB/ 3620 lines), too large for this forum. You can download it from → here.
Regards!