UF896 - Qualcomm MSM8916 LTE router ~384MiB RAM/2.4GiB flash, Android: OpenWrt?

I installed this zip UFI001C.zip and it works good, just updating/installing some packages dont work, and the modem also doesnt work, but so far pretty cool.

I must have misunderstood that from the Google translate version of the page;

does the SIM modem not work at all in OpenWRT?

I would still like to use this stick as a 4G modem but would prefer the security of OpenWrt rather than the default included OS.

Hi, have you still the stock firmware on the stick? If so, can you provide the boot.img?

Reboot to fastboot (adb reboot bootloader) and do:

fastboot oem dump boot && fastboot get_staged boot.bin

I have the same stick but already flashed debian.

I guess the sticks are slightly different regarding gpio pins, leds etc. But if I have the boot.img I can have a look in the dtb.

1 Like

I am running into an issue.

My device is on stock software so far (no changes at all), I have systemwide adb, fastboot and latest fastboot drivers but this happens:

>adb devices
List of devices attached
1234567890ABCDEF        device

>adb reboot bootloader

>fastboot devices
42bbae6c        fastboot

>fastboot oem dump boot && fastboot get_staged boot.bin
...
FAILED (remote: Use 'fastboot oem dump on/off')
finished. total time: 0.010s

>fastboot oem device-info
...
(bootloader)    Device tampered: false
(bootloader)    Device unlocked: false
(bootloader)    Charger screen enabled: true
(bootloader)    Display panel:
OKAY [  0.012s]
finished. total time: 0.013s

I do not understand the "FAILED (remote: Use 'fastboot oem dump on/off'" error and I could not find an answer googling for it.

I tried issuing the following commands but still no success:

>fastboot oem dump on
...
OKAY [  0.007s]
finished. total time: 0.008s

>fastboot oem dump boot && fastboot get_staged boot.bin
...
FAILED (remote: Use 'fastboot oem dump on/off')
finished. total time: 0.007s

Any further advice?

This is weird, as exactly this command works on my stick.

fastboot oem dump boot && fastboot get_staged boot.bin
OKAY [  0.431s]
Finished. Total time: 0.432s
Uploading 'boot.bin'                               OKAY [  2.740s]
Finished. Total time: 2.740s

What gives a:

fastboot oem --help

?

1 Like
>fastboot oem --help
usage: fastboot [ <option> ] <command>

commands:
  update <filename>                        reflash device from update.zip
  flashall                                 flash boot, system, vendor and if found,
                                           recovery
  flash <partition> [ <filename> ]         write a file to a flash partition
  flashing lock                            locks the device. Prevents flashing                                           partitions
  flashing unlock                          unlocks the device. Allows user to                                           flash any partition except the ones                                           that are related to bootloader
  flashing lock_critical                   Prevents flashing bootloader related                                           partitions
  flashing unlock_critical                 Enables flashing bootloader related                                           partitions
  flashing get_unlock_ability              Queries bootloader to see if the                                           device is unlocked
  erase <partition>                        erase a flash partition
  format[:[<fs type>][:[<size>]] <partition> format a flash partition.
                                           Can override the fs type and/or
                                           size the bootloader reports.
  getvar <variable>                        display a bootloader variable
  boot <kernel> [ <ramdisk> ]              download and boot kernel
  flash:raw boot <kernel> [ <ramdisk> ]    create bootimage and flash it
  devices                                  list all connected devices
  continue                                 continue with autoboot
  reboot [bootloader]                      reboot device, optionally into bootloader
  reboot-bootloader                        reboot device into bootloader
  help                                     show this help message

options:
  -w                                       erase userdata and cache (and format
                                           if supported by partition type)
  -u                                       do not first erase partition before
                                           formatting
  -s <specific device>                     specify device serial number
                                           or path to device port
  -l                                       with "devices", lists device paths
  -p <product>                             specify product name
  -c <cmdline>                             override kernel commandline
  -i <vendor id>                           specify a custom USB vendor id
  -b <base_addr>                           specify a custom kernel base address.
                                           default: 0x10000000
  -n <page size>                           specify the nand page size.
                                           default: 2048
  -S <size>[K|M|G]                         automatically sparse files greater
                                           than size.  0 to disable

same output as fastboot --help

hmm, locks like there aren't any oem commands available.

Even more strange....

1 Like

I can issue the following however:

>fastboot oem device-info
                                                   (bootloader)         Device tampered: false
(bootloader)    Device unlocked: false
(bootloader)    Charger screen enabled: true
(bootloader)    Display panel:
OKAY [  0.010s]
Finished. Total time: 0.010s

I have just tried all the above on a linux machine BTW (was previously on Win10) but all results the same.

Do i need to issue a "fastboot oem unlock" command? I could not find reference of that anywhere

yeah you can try fastboot oem unlock

1 Like

Same results after unlock!!

:rage:

$ fastboot oem unlock
OKAY [  0.006s]
Finished. Total time: 0.006s

$ fastboot oem device-info
(bootloader)         Device tampered: false
(bootloader)    Device unlocked: true
(bootloader)    Charger screen enabled: true
(bootloader)    Display panel:
OKAY [  0.008s]
Finished. Total time: 0.008s

$ fastboot oem dump boot && fastboot get_staged boot.bin
FAILED (remote: 'Use 'fastboot oem dump on/off'')
fastboot: error: Command failed

I'm out of ideas :roll_eyes:

1 Like

Thank you so much for your help on this!

I have this board and I was able to flash the generic base and openstick debian image. However, when trying to make my own boot.img+rootfs/system.img, I got into into a "partial boot" state, and semi-bricked.

I also need to figure out how to force this into fastboot mode via lk2nd, or, hopefully something that will put it into EDL mode where I can then reflash it from scratch.

also, since I think you didn't mention it, and to be explicit for the search engines: mine is labeled with UF896_V1.1.

1 Like

Mine says UF896_V1.1 as well. For further digging we would need UART connect.

I mean, there are pads on the PCB, but no markings at all and they are rather small.

Yes, force booting in fastboot or edl mode would be really helpful.

1 Like

As shown on the pics above, mine is labelled UF896_V1.1 also.

My device is currently completely stock (other than issuing a fastboot oem unlock command), I have not installed OpenStick Debian as I am hoping to use this device as a 4G modem but I would rather use OpenWRT to the default firmware.

I am willing to test things from a stock point of view if needed!

1 Like

I fried one that I'd flashed with Debian while trying to force EDL mode.

RE: UART: I can say that when the gold pads are at the "top", the one on the right is UART TX. However, it mostly just showed me constantly entering lk2nd.

There doesn't seem to be:

  1. A way to force EDL on this particular stick. (I've tried bridging D+ and GND and can't get any change in behavior) Other boards supposedly enter EDL if you hold the RESET switch while powering on, but that also doesn't seem to work for me.
  2. The lk2nd is patched to enter recovery/fastboot on certain button presses, but I can't find any way to trigger those buttons on this board. (and like I said, fried one in the process). I suspect these mappings are slightly different per board variant.
1 Like

I also cannot dump boot via fastboot, but one can get into EDL adb reboot edl if you have a functioning stick still. However, I don't have EDL tools available right now so I can't easily dump it. Maybe @Capt.Insano can though.

EDIT: I'm also curious about this internal connector and switch:

The fastboot oem dump commands are actually part of the lk2nd kernel and therefore not available in the stock firmware.

The lk2nd is flashed during the base-generic flash (i believe it's the aboot image)
That means, we need to copy the boot partition via edl first, there 's no other way to get the stock dtb I'm afraid.

Update: maybe there is another way, fastboot can boot images without actually flashing them. So you could try:

fastboot boot aboot.img 

edl tool is no big deal, just clone https://github.com/bkerler/edl.git and follow the readme.

Well this took me longer to achieve than it should! (Advice: Don't bother with windows when trying to do EDL stuff!)

I dumped all the partions from the device here (the edl tool you linked defaults to dumping as .bin files but I also dummed some as .img files)

I hope this is what you were looking for:

GoogleDrive UF896_V1.1 Partition Dumps

2 Likes

Looks to me like a spring-loaded antenna connector.

openstick-plastic-shunt

And yes, high frequency (HF) antennas often look like direct current (DC) short circuits.

Regards!