UF896 - Qualcomm MSM8916 LTE router ~384MiB RAM/2.4GiB flash, Android: OpenWrt?

UPDATE:
Shorting D+ and Ground from the USB) alllowed me to start EDL to upload the Loaders. lsusb shows the device at this point in QLD mode

Bus 004 Device 017: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

hackerbox-xx1@hackerboxmint:~/Downloads/edl/Loaders/qualcomm/factory/msm8916$ edl --loader 007050e100000000_8ecf3eaa03f772e2_fhprg_peek.bin
Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Using loader 007050e100000000_8ecf3eaa03f772e2_fhprg_peek.bin ...
main - Waiting for the device
.....main - Device detected :)
sahara - Protocol version: 2, Version supported: 1
main - Mode detected: sahara
sahara - 
------------------------
HWID:              0x007050e100000000 (MSM_ID:0x007050e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected:      "MSM8916"
PK_HASH:           0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial:            0x07e9c289

sahara - Protocol version: 2, Version supported: 1
sahara - Uploading loader 007050e100000000_8ecf3eaa03f772e2_fhprg_peek.bin ...
sahara - 32-Bit mode detected.
sahara - Firehose mode detected, uploading...
sahara - Loader successfully uploaded.
hackerbox-xx1@hackerboxmint:~/Downloads/edl/Loaders/qualcomm/factory/msm8916$ 

But, the second command to flash the partition table performed by @SpeedPat "edl w gpt gpt_main0.bin" didn't work for me. Any suggestions? Here the output:

hackerbox-xx1@hackerboxmint:~/Downloads/edl$ edl w gpt gpt_main0.bin
Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: firehose
main - Trying to connect to firehose loader ...
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/edlclient/Library/firehose.py", line 1152, in connect
    self.get_supported_functions()
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/edlclient/Library/firehose.py", line 1029, in get_supported_functions
    info = self.cmd_nop()
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/edlclient/Library/firehose.py", line 342, in cmd_nop
    self.debug(resp.hex())
AttributeError: 'response' object has no attribute 'hex'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/edl", line 4, in <module>
    __import__('pkg_resources').run_script('edlclient==3.60', 'edl')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 667, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1463, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/EGG-INFO/scripts/edl", line 391, in <module>
    base.run()
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/EGG-INFO/scripts/edl", line 385, in run
    if fh.connect(sahara):
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/edlclient/Library/firehose_client.py", line 73, in connect
    self.firehose.connect()
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/edlclient/Library/firehose.py", line 1154, in connect
    self.get_supported_functions()
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/edlclient/Library/firehose.py", line 1029, in get_supported_functions
    info = self.cmd_nop()
  File "/usr/local/lib/python3.8/dist-packages/edlclient-3.60-py3.8.egg/edlclient/Library/firehose.py", line 342, in cmd_nop
    self.debug(resp.hex())
AttributeError: 'response' object has no attribute 'hex'
hackerbox-xx1@hackerboxmint:~/Downloads/edl$ 

Hello, I found a hub specially designed for openstick,

H4uvfcuX2Cak7YRtq5Q9i6FnTRIj05ln0F2vcw6i1920×1120 166 KB

Maybe someone can order and check it

Hello, can someone tell me how to connect an 4g external antenna to this modem and what is the name of this connector

You can't, it's just a Murata SWD/ SWF/ SWG/ SWH/ SWJ (depending on the exact dimensions) test point, used during factory calibration - but not capable for a permanent connection (it's not a locking connector, nor does it disconnect the internal antenna). Also keep in mind that regulatory requirements for phone networks and their frequencies are even stricter than they already are for WLAN, modifying that will make it lose its certification.

Thanks for the answer

I'm not sure of the dimensions, but MS156 (the u.FL) analogue is locking, and connectors, as well as pigtails for that one are readily available, in two versions: the normal test connector, that towers over the PCB, and a hack on u.FL connector by sellers on Aliexpress.

Hi, thanks for the tip, did you mean this cable

Screenshot_2828×534 186 KB

Exactly. But they will fit only the MS156, not any of the smaller variants.

Also, an addendum: MS156 is a pass-through connector with internal disconnect switch, to avoid any impedance mismatches, when a probe (or external antenna) is connected. This is why it requires the spring-loaded pin at the tip.

After backing up the EMMC, baseband and Qualcomm blobs, I tried installing the Debian image on the openstick repository
Once done flashing the appropriate boot image and transplanting the blobs, everything works just fine, and the SIM APN gets recognized automatically.

Hello @reefbrallis , can you elaborate on this ?
How did you backup blobs and put them back ?

Regards,
Fabien

In the meantime I found the answer to my question in the comments.

To dump the whole flash using this edl tool(https://github.com/bkerler/edl). In case you brick it.

$ adb reboot edl
$ edl rl dumps --skip=userdata --genxml
or
$ edl rf flash.bin

To flash back on the openstick

$ edl qfil rawprogram0.xml patch0.xml .

I have also an UFI001C and replayed as indicated here:

Modem is well detected

root@openstick:/# nmcli c
NAME                UUID                                  TYPE      DEVICE 
USB                 89be98d0-f5e6-4432-ae40-caf8693164de  ethernet  usb0   
Wired connection 1  e07c048d-9efa-30fa-9b3a-ed744eb30e34  ethernet  --     
modem               ead26b9f-2b9e-44dd-87d0-3e9cb826bf88  gsm       --   

also

root@openstick:/# mmcli -L
    /org/freedesktop/ModemManager1/Modem/0 [1] 0

However it seems the SIM card is not powered up:

root@openstick:/# mmcli -m 0
  -----------------------------------
  General  |                    path: /org/freedesktop/ModemManager1/Modem/0
           |               device id: 6e2290d10230978b4ab0ad4aeb613c54d70f3f2d
  -----------------------------------
  Hardware |            manufacturer: 1
           |                   model: 0
           |       firmware revision: MPSS.DPM.2.0.2.c1-00178-M8936FAAAANUZM-1D  1  [Nov 04 2016 02:00:00]
           |          carrier config: Commercial-CSFB-SS-CMCC
           | carrier config revision: 02011866
           |            h/w revision: 10000
           |               supported: gsm-umts, lte
           |                 current: gsm-umts, lte
           |            equipment id: 000000000000000
  -----------------------------------
  System   |                  device: qcom-soc
           |                 drivers: qcom-q6v5-mss, bam-dmux
           |                  plugin: qcom-soc
           |            primary port: wwan0qmi0
           |                   ports: wwan0 (net), wwan0at0 (at), wwan0qmi0 (qmi), wwan1 (net), 
           |                          wwan2 (net), wwan3 (net), wwan4 (net), wwan5 (net), wwan6 (net), 
           |                          wwan7 (net)
  -----------------------------------
  Status   |                   state: failed
           |           failed reason: sim-missing
           |             **power state: off**
           |          signal quality: 0% (cached)
  -----------------------------------
  Modes    |               supported: allowed: 3g; preferred: none
           |                          allowed: 4g; preferred: none
           |                          allowed: 3g, 4g; preferred: 4g
           |                          allowed: 3g, 4g; preferred: 3g
           |                 current: allowed: any; preferred: none
  -----------------------------------
  Bands    |               supported: utran-1, utran-5, utran-8, eutran-1, eutran-3, eutran-5, 
           |                          eutran-8, eutran-38, eutran-39, eutran-40, eutran-41
  -----------------------------------
  IP       |               supported: ipv4, ipv6, ipv4v6

I have found @sorine was mentioning a potential swap of GPIO here: UF896 - Qualcomm MSM8916 LTE router ~384MiB RAM/2.4GiB flash, Android: OpenWrt? - #128 by sorine but this was for the other openstick UF896.
Moreover this is for the Openwrt build that was never able to detect my modem when built.

So I have 2 tracks, one finding the Debian source tree and try to swap GPIO to make the SIM powered up, or second one more complex (at least it seems) to fix the modem detection issue and hoping that the GPIO are in the right order or trying to solve it.

Do some experts here have other advises ?

EDIT1: In fact the modem is well detecting a few seconds after booting.
It then stop working after this error seen in syslog:

[   38.833175] qcom-q6v5-mss 4080000.remoteproc: fatal error received: sys_m.c:603:THIS IS INTENTIONAL RESET, NO RAMDUMP EXPECTED, smp2p write ret = 
[   38.833314] remoteproc remoteproc1: crash detected in 4080000.remoteproc: type fatal error
[   38.847751] remoteproc remoteproc1: handling crash #1 in 4080000.remoteproc
[   40.636760] qcom-wcnss-pil a204000.remoteproc: unexpected response to sysmon event
[   40.636799] remoteproc remoteproc1: stopped remote processor 4080000.remoteproc
[   40.645836] qcom-wcnss-pil a204000.remoteproc: unexpected response to sysmon event
[   40.697259] qcom-q6v5-mss 4080000.remoteproc: MBA booted without debug policy, loading mpss
[   41.332011] remoteproc remoteproc1: remote processor 4080000.remoteproc is now up

however the last line seems to indicate it is up again.
Maybe the modem driver qcom-q6v5 embedded into https://github.com/OpenStick/OpenStick is buggy ?

any update, my board is UZ801,

My UZ801 still in fastboot mode, how can I reboot to normal. I unplug and replug to PC but it still in fastboot mode. Please help!

Hello !
have you tried?

fastboot reboot

Thank you! I try and work fine, I install openwrt but I can get back to stock rom.

Good to know !
How did you managed to install openwrt ?
On my new devices UZ801 I am unable to launch ADB, nor FASTBOOT, and so not able to flash openwrt.

adb devices return nothing, only EDL is working by connecting USB pin 1 and 2 to enter this mode.

I recommend do not install openwrt, only 3G work when install openwrt on UZ801, 4G not work. If you really want install Openwrt on UZ801, use adb connect with port 7628 not default port.

Can someone make another dump of the stock firmware of the UF896 v1.1 using EDL

edl rl dumps --skip=userdata --genxml

Screwed up, and it won't boot any more. The dump from @Capt.Insano doesn't seem to work and is missing the patch0.xml

Thanks !

Hi,

You should go there :

Once up and running, please tell whether the LTE is working as expected
for you.
I have not managed to get something workable yet.
Thanks

Thanks so much.

That worked. I have a functioning stick again. Now back to breaking it again