UF896 - Qualcomm MSM8916 LTE router ~384MiB RAM/2.4GiB flash, Android: OpenWrt?

LTE connection drops after approximately five minutes

Does anybody have a hint? This happens regardless of whether I configure the connection using /etc/config/network or by invoking mmcli -m 0 --simple-connect=..... It is also annoying that ifconfig always shows zero transferred bytes even if something has been downloaded. The last messages from logread with "mmcli -G DEBUG" are:

Tue Mar 21 07:27:15 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic indication (translated)... <<<<<< QMUX: <<<<<<   length  = 16 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 2 <<<<<< QMI: <<<<<<   flags       = "indication" <<<<<<   transaction = 40 <<<<<<   tlv_length  = 4 <<<<<<   message     = "Event Report" (0x0001) <<<<<< TLV: <<<<<<   type       = "Dormancy Status" (0x18) <<<<<<   length     = 1 <<<<<<   value      = 01 <<<<<<   translated = traffic-channel-dormant
Tue Mar 21 07:27:15 2023 daemon.debug [2789]: <debug> [modem0/bearer1] got QMI WDS event report
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 29 <<<<<<   data   = 01:1C:00:80:01:02:04:29:00:01:00:10:00:28:04:00:04:00:00:00:22:02:00:01:00:1F:01:00:02
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic indication (translated)... <<<<<< QMUX: <<<<<<   length  = 28 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 2 <<<<<< QMI: <<<<<<   flags       = "indication" <<<<<<   transaction = 41 <<<<<<   tlv_length  = 16 <<<<<<   message     = "Event Report" (0x0001) <<<<<< TLV: <<<<<<   type       = "Data Call Address Family" (0x28) <<<<<<   length     = 4 <<<<<<   value      = 04:00:00:00 <<<<<<   translated = ipv4 <<<<<< TLV: <<<<<<   type       = "Data Call Type" (0x22) <<<<<<   length     = 2 <<<<<<   value      = 01:00 <<<<<<   translated = [ data_call_type = 'embedded' tethered_call_type = 'non-tethered' ] <<<<<< TLV: <<<<<<   type       = "Data Call Status" (0x1f) <<<<<<   length     = 1 <<<<<<   value      = 02 <<<<<<   translated = terminated
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 34 <<<<<<   data   = 01:21:00:80:01:02:04:2A:00:22:00:15:00:01:02:00:01:00:10:02:00:01:00:11:04:00:00:00:00:00:12:01:00:04
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic indication (translated)... <<<<<< QMUX: <<<<<<   length  = 33 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 2 <<<<<< QMI: <<<<<<   flags       = "indication" <<<<<<   transaction = 42 <<<<<<   tlv_length  = 21 <<<<<<   message     = "Packet Service Status" (0x0022) <<<<<< TLV: <<<<<<   type       = "Connection Status" (0x01) <<<<<<   length     = 2 <<<<<<   value      = 01:00 <<<<<<   translated = [ status = 'disconnected' reconfiguration_required = 'no' ] <<<<<< TLV: <<<<<<   type       = "Call End Reason" (0x10) <<<<<<   length     = 2 <<<<<<   value      = 01:00 <<<<<<   translated = generic-unspecified <<<<<< TLV: <<<<<<   type       = "Verbose Call End Reason" (0x11) <<<<<<   length     = 4 <<<<<<   value      = 00:00:00:00 <<<<<<   translated = [ type = '(null)' reason = '0' ] <<<<<< TLV: <<<<<<   type       = "IP Family" (0x12) <<<<<<   length     = 1 <<<<<<   value      = 04 <<<<<<   translated = ipv4
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 34 <<<<<<   data   = 01:21:00:80:01:01:04:04:00:22:00:15:00:01:02:00:01:00:10:02:00:01:00:11:04:00:00:00:00:00:12:01:00:04
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic indication (translated)... <<<<<< QMUX: <<<<<<   length  = 33 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 1 <<<<<< QMI: <<<<<<   flags       = "indication" <<<<<<   transaction = 4 <<<<<<   tlv_length  = 21 <<<<<<   message     = "Packet Service Status" (0x0022) <<<<<< TLV: <<<<<<   type       = "Connection Status" (0x01) <<<<<<   length     = 2 <<<<<<   value      = 01:00 <<<<<<   translated = [ status = 'disconnected' reconfiguration_required = 'no' ] <<<<<< TLV: <<<<<<   type       = "Call End Reason" (0x10) <<<<<<   length     = 2 <<<<<<   value      = 01:00 <<<<<<   translated = generic-unspecified <<<<<< TLV: <<<<<<   type       = "Verbose Call End Reason" (0x11) <<<<<<   length     = 4 <<<<<<   value      = 00:00:00:00 <<<<<<   translated = [ type = '(null)' reason = '0' ] <<<<<< TLV: <<<<<<   type       = "IP Family" (0x12) <<<<<<   length     = 1 <<<<<<   value      = 04 <<<<<<   translated = ipv4
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: <debug> [modem0/bearer1] got QMI WDS event report
Tue Mar 21 07:27:24 2023 daemon.info [2789]: <info>  [modem0/bearer1] verbose call end reason (0,0): [(null)] (null)
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Sent message... <<<<<< RAW: <<<<<<   length = 61 <<<<<<   data   = 01:3C:00:00:01:02:00:0E:00:01:00:30:00:1E:01:00:00:1C:01:00:00:1B:01:00:00:1A:01:00:00:19:01:00:00:18:01:00:00:17:01:00:00:15:01:00:00:14:01:00:00:13:01:00:00:12:01:00:00:10:01:00:00
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Sent generic request (translated)... <<<<<< QMUX: <<<<<<   length  = 60 <<<<<<   flags   = 0x00 <<<<<<   service = "wds" <<<<<<   client  = 2 <<<<<< QMI: <<<<<<   flags       = "none" <<<<<<   transaction = 14 <<<<<<   tlv_length  = 48 <<<<<<   message     = "Set Event Report" (0x0001) <<<<<< TLV: <<<<<<   type       = "Extended Data Bearer Technology" (0x1e) <<<<<<   length     = 1 <<<<<<   value      = 00 <<<<<<   translated = no <<<<<< TLV: <<<<<<   type       = "Limited Data System Status" (0x1c) <<<<<<   length     = 1 <<<<<<   value      = 00 <<<<<<   translated = no <<<<<< TLV: <<<<<<   type       = "Uplink Flow Control" (0x1b) <<<<<<   length     = 1 <<<<<<   value      = 00 <<<<<<   translated = no <<<<<< TLV: <<<<<<   type       = "Data Systems" (0x1a) <<<<<<   length     = 1 <<<<<<   value      = 00 <<<<<<   translated = no <<<<<< TLV: <<<<<<   type       = "EVDO PM Change" (0x19) <<<<<<   length     = 1 <<<<<<   value      = 00 <<<<<<   translated = no <<
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: <debug> [modem0/wwan0/net] port now disconnected
Tue Mar 21 07:27:24 2023 daemon.info [2789]: <info>  [modem0] state changed (connected -> registered)
Tue Mar 21 07:27:24 2023 daemon.info [2789]: <info>  [modem0/bearer1] connection #1 finished: duration 266s, tx: 4916 bytes, rx: 700 bytes
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 36 <<<<<<   data   = 01:23:00:80:01:02:04:2B:00:01:00:17:00:24:14:00:00:02:00:00:80:00:00:00:00:00:00:01:00:00:00:00:00:00:00:00
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic indication (translated)... <<<<<< QMUX: <<<<<<   length  = 35 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 2 <<<<<< QMI: <<<<<<   flags       = "indication" <<<<<<   transaction = 43 <<<<<<   tlv_length  = 23 <<<<<<   message     = "Event Report" (0x0001) <<<<<< TLV: <<<<<<   type       = "Data Systems" (0x24) <<<<<<   length     = 20 <<<<<<   value      = 00:02:00:00:80:00:00:00:00:00:00:01:00:00:00:00:00:00:00:00 <<<<<<   translated = [ preferred_network_type = '3gpp' networks = '{ [0] = '[ network_type = '3gpp' rat_mask = '32768' so_mask = '0' ] ' [1] = '[ network_type = '3gpp2' rat_mask = '0' so_mask = '0' ] '}' ]
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 20 <<<<<<   data   = 01:13:00:80:01:02:04:2C:00:01:00:07:00:20:04:00:00:00:00:00
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic indication (translated)... <<<<<< QMUX: <<<<<<   length  = 19 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 2 <<<<<< QMI: <<<<<<   flags       = "indication" <<<<<<   transaction = 44 <<<<<<   tlv_length  = 7 <<<<<<   message     = "Event Report" (0x0001) <<<<<< TLV: <<<<<<   type       = "Preferred Data System" (0x20) <<<<<<   length     = 4 <<<<<<   value      = 00:00:00:00 <<<<<<   translated = unknown
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 36 <<<<<<   data   = 01:23:00:80:01:01:04:05:00:01:00:17:00:24:14:00:00:02:00:00:80:00:00:00:00:00:00:01:00:00:00:00:00:00:00:00
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic indication (translated)... <<<<<< QMUX: <<<<<<   length  = 35 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 1 <<<<<< QMI: <<<<<<   flags       = "indication" <<<<<<   transaction = 5 <<<<<<   tlv_length  = 23 <<<<<<   message     = "Event Report" (0x0001) <<<<<< TLV: <<<<<<   type       = "Data Systems" (0x24) <<<<<<   length     = 20 <<<<<<   value      = 00:02:00:00:80:00:00:00:00:00:00:01:00:00:00:00:00:00:00:00 <<<<<<   translated = [ preferred_network_type = '3gpp' networks = '{ [0] = '[ network_type = '3gpp' rat_mask = '32768' so_mask = '0' ] ' [1] = '[ network_type = '3gpp2' rat_mask = '0' so_mask = '0' ] '}' ]
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 20 <<<<<<   data   = 01:13:00:80:01:02:02:0E:00:01:00:07:00:02:04:00:00:00:00:00
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic response (translated)... <<<<<< QMUX: <<<<<<   length  = 19 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 2 <<<<<< QMI: <<<<<<   flags       = "response" <<<<<<   transaction = 14 <<<<<<   tlv_length  = 7 <<<<<<   message     = "Set Event Report" (0x0001) <<<<<< TLV: <<<<<<   type       = "Result" (0x02) <<<<<<   length     = 4 <<<<<<   value      = 00:00:00:00 <<<<<<   translated = SUCCESS
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: <debug> [modem0] data systems update, preferred network: 3gpp
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Sent message... <<<<<< RAW: <<<<<<   length = 13 <<<<<<   data   = 01:0C:00:00:01:01:00:0A:00:85:00:00:00
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Sent generic request (translated)... <<<<<< QMUX: <<<<<<   length  = 12 <<<<<<   flags   = 0x00 <<<<<<   service = "wds" <<<<<<   client  = 1 <<<<<< QMI: <<<<<<   flags       = "none" <<<<<<   transaction = 10 <<<<<<   tlv_length  = 0 <<<<<<   message     = "Get LTE Attach Parameters" (0x0085)
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 20 <<<<<<   data   = 01:13:00:80:01:01:02:0A:00:85:00:07:00:02:04:00:01:00:4A:00
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic response (translated)... <<<<<< QMUX: <<<<<<   length  = 19 <<<<<<   flags   = 0x80 <<<<<<   service = "wds" <<<<<<   client  = 1 <<<<<< QMI: <<<<<<   flags       = "response" <<<<<<   transaction = 10 <<<<<<   tlv_length  = 7 <<<<<<   message     = "Get LTE Attach Parameters" (0x0085) <<<<<< TLV: <<<<<<   type       = "Result" (0x02) <<<<<<   length     = 4 <<<<<<   value      = 01:00:4A:00 <<<<<<   translated = FAILURE: InformationUnavailable
Tue Mar 21 07:27:24 2023 daemon.debug [2789]: <debug> [modem0] couldn't load initial default bearer properties: Couldn't get LTE attach parameters: QMI protocol error (74): 'InformationUnavailable'
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: [/dev/rpmsg0] Received message... <<<<<< RAW: <<<<<<   length = 34 <<<<<<   data   = 01:21:00:80:03:01:04:08:00:24:00:15:00:01:06:00:00:02:01:00:01:00:11:01:00:00:22:05:00:00:02:00:00:00
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: [/dev/rpmsg0] Received generic indication (translated)... <<<<<< QMUX: <<<<<<   length  = 33 <<<<<<   flags   = 0x80 <<<<<<   service = "nas" <<<<<<   client  = 1 <<<<<< QMI: <<<<<<   flags       = "indication" <<<<<<   transaction = 8 <<<<<<   tlv_length  = 21 <<<<<<   message     = "Serving System" (0x0024) <<<<<< TLV: <<<<<<   type       = "Serving System" (0x01) <<<<<<   length     = 6 <<<<<<   value      = 00:02:01:00:01:00 <<<<<<   translated = [ registration_state = 'not-registered' cs_attach_state = 'detached' ps_attach_state = 'attached' selected_network = 'unknown' radio_interfaces = '{ [0] = 'none '}' ] <<<<<< TLV: <<<<<<   type       = "Data Service Capability" (0x11) <<<<<<   length     = 1 <<<<<<   value      = 00 <<<<<<   translated = {} <<<<<< TLV: <<<<<<   type       = "Detailed Service Status" (0x22) <<<<<<   length     = 5 <<<<<<   value      = 00:02:00:00:00 <<<<<<   translated = [ status = 'none' capability = 'ps' hdr_status = 'none' hdr_hybrid = 'no' forbidde
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: <debug> [modem0] no 3GPP info given...
Tue Mar 21 07:27:40 2023 daemon.info [2789]: <info>  [modem0] 3GPP registration state changed (home -> unknown)
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: <debug> [modem0] consolidated registration state: cs 'unknown', ps 'unknown', eps 'unknown', 5gs 'unknown' --> 'unknown'
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: <debug> [modem0] 3GPP location updated (MCCMNC: '<none>', location area code: 'FFFE', tracking area code: '008CE8', cell ID: '00EE2E1B')
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: <debug> [modem0/bearer0] bearer not allowed to connect, not registered in 3GPP network
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: <debug> [modem0/bearer1] bearer not allowed to connect, not registered in 3GPP network
Tue Mar 21 07:27:40 2023 daemon.info [2789]: <info>  [modem0] state changed (registered -> enabled)
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: <debug> [modem0] access technology changed (lte -> unknown)
Tue Mar 21 07:27:40 2023 daemon.debug [2789]: <debug> [modem0] 3GPP location updated (MCCMNC: '<none>', location area code: '0000', tracking area code: '000000', cell ID: '00000000')
Tue Mar 21 07:27:40 2023 daemon.warn [2789]: <warn>  [modem0] couldn't load operator code: Current operator MCC/MNC is still unknown
Tue Mar 21 07:27:40 2023 daemon.warn [2789]: <warn>  [modem0] couldn't load operator name: Current operator id is still unknown
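
Added example, not part of any post in this thread and not ModemManager or libqmi code: a small Python decoder for the RAW dumps in the log above. It checks every length field before reading, so a truncated or malformed frame is rejected instead of mis-decoded, and it picks out the frames in this log that explain the drop. The function names, the returned dictionaries and the selection made in `drop_cause` are choices made for this example; field names and values are the ones shown in the translated log lines.

```python
import re
import struct

# Names are limited to those shown in the translated log lines on this page.
SERVICES = {0x01: "wds", 0x03: "nas"}
KINDS = {0x00: "request", 0x02: "response", 0x04: "indication"}
MESSAGES = {("wds", 0x0001): "Event Report",  # "Set Event Report" as a request
            ("wds", 0x0022): "Packet Service Status",
            ("wds", 0x0085): "Get LTE Attach Parameters",
            ("nas", 0x0024): "Serving System"}
QMI_ERRORS = {74: "InformationUnavailable"}
RAW_RE = re.compile(r"data\s+=\s+((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})")

# Three RAW dumps copied from the log in the first post (prefixes trimmed).
SAMPLE_LOG = """\
data   = 01:1C:00:80:01:02:04:29:00:01:00:10:00:28:04:00:04:00:00:00:22:02:00:01:00:1F:01:00:02
data   = 01:21:00:80:01:02:04:2A:00:22:00:15:00:01:02:00:01:00:10:02:00:01:00:11:04:00:00:00:00:00:12:01:00:04
data   = 01:13:00:80:01:01:02:0A:00:85:00:07:00:02:04:00:01:00:4A:00
"""

class QmiFrameError(ValueError):
    """Raised when a dump does not hold one well-formed QMUX frame."""

def parse_qmux(hexdump):
    """Decode one colon-separated RAW dump into header fields and TLVs."""
    try:
        raw = bytes(int(b, 16) for b in hexdump.strip().split(":"))
    except ValueError:
        raise QmiFrameError("not a colon-separated hex dump") from None
    if len(raw) < 13:
        raise QmiFrameError("shorter than the QMUX and QMI headers")
    marker, qmux_len, _ctl, service, client = struct.unpack_from("<BHBBB", raw)
    if marker != 0x01 or qmux_len != len(raw) - 1:  # length skips the marker
        raise QmiFrameError("bad frame marker or QMUX length")
    if service == 0x00:
        raise QmiFrameError("CTL frames use a shorter header, not handled")
    flags, txn, msg_id, tlv_len = struct.unpack_from("<BHHH", raw, 6)
    body = raw[13:]
    if tlv_len != len(body):
        raise QmiFrameError("tlv_length disagrees with the dump size")
    tlvs, off = {}, 0
    while off < len(body):
        if len(body) - off < 3:
            raise QmiFrameError("truncated TLV header")
        t, length = struct.unpack_from("<BH", body, off)
        off += 3
        if length > len(body) - off:      # never read past the frame
            raise QmiFrameError(f"TLV 0x{t:02x} overruns the frame")
        tlvs[t] = body[off:off + length]
        off += length
    svc = SERVICES.get(service, f"0x{service:02x}")
    return {"service": svc, "client": client, "transaction": txn,
            "kind": KINDS.get(flags, f"0x{flags:02x}"), "tlvs": tlvs,
            "message": MESSAGES.get((svc, msg_id), f"0x{msg_id:04x}")}

def drop_cause(frame):
    """Return the fields that explain a dropped data call, else None."""
    tlvs, kind, msg = frame["tlvs"], frame["kind"], frame["message"]
    result = tlvs.get(0x02, b"")          # Result TLV: status, error code
    if kind == "response" and len(result) == 4:
        status, error = struct.unpack("<HH", result)
        if status:
            return {"event": "request-failed", "message": msg,
                    "error": QMI_ERRORS.get(error, error)}
    if kind == "indication" and msg == "Event Report":
        if tlvs.get(0x1F) == b"\x02":     # Data Call Status = terminated
            return {"event": "data-call-terminated"}
    if kind == "indication" and msg == "Packet Service Status":
        conn, end = tlvs.get(0x01, b""), tlvs.get(0x10, b"")
        if len(conn) == 2 and conn[0] == 1 and len(end) == 2:
            return {"event": "disconnected",  # 1 = generic-unspecified here
                    "call_end_reason": struct.unpack("<H", end)[0]}

def scan(log_text):
    """Return (transaction, cause) for each frame that explains a drop."""
    events = []
    for match in RAW_RE.finditer(log_text):
        try:
            frame = parse_qmux(match.group(1))
        except QmiFrameError:
            continue                      # skip dumps cut short by the logger
        if drop_cause(frame):
            events.append((frame["transaction"], drop_cause(frame)))
    return events
```

Feeding it the full `logread` output gives the transaction numbers to look up in the translated lines, in the order the modem reported them.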

Did you find out what to do with that?

I've got debian running and networkmanager shows the modem but ModemManager does not... I'm stuck at the moment. I'm wondering whether I need to flash the baseband, but I'm not even sure how to do that. I would assume that modemst1 and modemst2 are the basebands... and those are backed up in the base/flash.sh script and then flashed back again... so then baseband should be unchanged from oem.

I would actually prefer using OpenWrt on the stick, but from what I've gathered from this thread, the modem is not working but is on Debian. So I guess it's not a driver issue but a matter of tinkering?

With OpenStick-debian I had to extract the firmware according to https://github.com/OpenStick/OpenStick/issues/33#issuecomment-1309835024 and copy the files to /lib/firmware. This changed state=sim card missing to connected.

If you select the correct model in openwrt the firmware files are already included.

But both variants have the problem that LTE gets disconnected after five minutes. The original firmware was more stable (1 week).

Thanks for the reply. I have extracted the firmware from the edl backup but modemmanager doesn't even recognize my modem:

# nmcli c
NAME      UUID                                  TYPE      DEVICE 
USB       024ae1c4-35d3-48ea-b543-79b220de0102  ethernet  usb0    
modem     50adff5d-c0b9-4330-ab41-de9b888b0397  gsm       --     

root@openstick:/# mmcli -L
No modems were found
root@openstick:/# mmcli -m 0
error: couldn't find modem
root@openstick:/# ls -l /lib/firmware
total 43128
-rw-r--r-- 1 root root   230272 Mar 21  2023 mba.mbn
-rw-r--r-- 1 root root     1012 Mar 21  2023 modem.b00
-rw-r--r-- 1 root root     7400 Mar 21  2023 modem.b01
-rw-r--r-- 1 root root     4212 Mar 21  2023 modem.b02
-rw-r--r-- 1 root root     5376 Mar 21  2023 modem.b03
-rw-r--r-- 1 root root   205152 Mar 21  2023 modem.b04
-rw-r--r-- 1 root root  3398848 Mar 21  2023 modem.b05
-rw-r--r-- 1 root root  3099238 Mar 21  2023 modem.b06
-rw-r--r-- 1 root root   342860 Mar 21  2023 modem.b07
-rw-r--r-- 1 root root   175904 Mar 21  2023 modem.b08
-rw-r--r-- 1 root root    44864 Mar 21  2023 modem.b10
-rw-r--r-- 1 root root   130024 Mar 21  2023 modem.b15
-rw-r--r-- 1 root root   765160 Mar 21  2023 modem.b16
-rw-r--r-- 1 root root 12823120 Mar 21  2023 modem.b17
-rw-r--r-- 1 root root   663520 Mar 21  2023 modem.b18
-rw-r--r-- 1 root root  6174048 Mar 21  2023 modem.b19
-rw-r--r-- 1 root root  2738780 Mar 21  2023 modem.b20
-rw-r--r-- 1 root root    76784 Mar 21  2023 modem.b23
-rw-r--r-- 1 root root   395612 Mar 21  2023 modem.b24
-rw-r--r-- 1 root root  7983104 Mar 21  2023 modem.b25
-rw-r--r-- 1 root root   128288 Mar 21  2023 modem.b27
-rw-r--r-- 1 root root  1048576 Mar 21  2023 modem.b28
-rw-r--r-- 1 root root     8412 Mar 21  2023 modem.mdt
drwxr-xr-x 3 root root     4096 Mar 21  2023 qcom
-rw-r--r-- 1 root root      436 Mar 21  2023 wcnss.b00
-rw-r--r-- 1 root root     6824 Mar 21  2023 wcnss.b01
-rw-r--r-- 1 root root    13064 Mar 21  2023 wcnss.b02
-rw-r--r-- 1 root root    61440 Mar 21  2023 wcnss.b04
-rw-r--r-- 1 root root  2860948 Mar 21  2023 wcnss.b06
-rw-r--r-- 1 root root       52 Mar 21  2023 wcnss.b09
-rw-r--r-- 1 root root   655360 Mar 21  2023 wcnss.b10
-rw-r--r-- 1 root root    43304 Mar 21  2023 wcnss.b11
-rw-r--r-- 1 root root     7260 Mar 21  2023 wcnss.mdt
drwxr-xr-x 3 root root     4096 Mar 21  2023 wlan

On first try I copied the files into the firmware directory and noticed that my firmware had fewer files and was missing a few of the .b##, so some of the files were not overwritten... So on my second attempt I cleared the directory and started clean, except I left the two directories qcom and wlan intact. That had no effect.

Am I missing a driver?

This firmware and driver magic is over my head. But your result is interesting. I also had some missing files in my first dump. A second dump was identical to https://github.com/kirdesde/qcom-firmware/blob/main/uf896-modem.bin and contains more files.

Got a few other firmware archives and pushed to the stick... No change... tried upgrading debian to bookworm since mobian has no repo for bullseye and that bricked the stick... my second stick. :smile:
I think I'll call it for now... Hopefully we will get information on how to reset it into EDL mode when we get a totally unresponsive device, like I have.

I assume you already tried to short the pins shown here while plugging. My device sometimes woke up in edl or fastboot mode.

Yeah I tried shorting them with a paper clip and plugging in. Does nothing. The pins seem to be covered with a thin film, I scraped that off... still no go. The SoC warms up but there is no response through the USB... Doesn't show up in lsusb, no messages in dmesg, EDL doesn't find it.

I wonder if this will fix the modem/sim problem that some are having:
https://lore.kernel.org/all/tencent_7036BCA256055D05F8C49D86DF7F0E2D1A05@qq.com/

1 Like

Good news (UPDATE: but not so good - see WARNING). If you had same problem as I:

  • Brick your UZ801;
  • Can't put in EDL mode shorting USB + GNB anymore;
  • Not happy with Debian in UZ801 V2.1 (4G modem not working)
  • Couldn't use Miko Service Tool to write or backup eMMC firmware;
  • Couldn't use Qualcomm Premium Tool to write or backup eMMC firmware;
  • Get UZ801 stuck in fastboot;
  • Realized that you need to learn much more before playing with linux and WRT;
  • Just want to have your limited, but functional 4G LTE Modem UZ801_V2.1 working again;
  • Have recovered your UZ801 but it doesn't have an IMEI anymore (can't connect to cellphone network);

Follow this:

:exclamation: WARNING :exclamation:
I found out that I can't connect to network 3g 4g in Latin America. The copy of firmware below is probably configured to base-band China (I will get another UZ801 and make another .bin for LATIN AMERICA soon). But everything else works, like com ports, adb mode and modem web interface.

Data extracted using Miracle Box:

  Manufacturer : Qualcomm Technology
  Model : UZ801
  Imei  : 863993062*****
  Android Version : 4.4.4
  Platform : msm8916
  Release Tags : test-keys
  Network Type : Unknown
  Ril-Imp : Qualcomm RIL 1.0
  Region : CN
  Hardware : qcom
  Baseband : N958St_Z85_CN_JSXPH1IDN1H213

1- Get the stock firmware of UZ801_V2.1 (or even uz801_v2.1_openwrt.zip or uz801_v2.1_debian.zip), unzip it and put in a pendrive:

https://github.com/Mio-sha512/openstick-stuff/releases thanks a lot Mr. Mio-sha512

2- If you're using Windows (like me) download the Linux ready-to-use LIVE DVD from:

https://github.com/bkerler/edl (thanks a lot! [Bjoern Kerler] bkerler)

3- Burn and put your liveDVD to run

User: user, Password: user (based on Ubuntu 22.04 LTS)

4- plug your pen-drive with the firmware and open a terminal on the liveDVD running system

5- in the terminal, go to the folder where the firmware is. Now you should do ls and see the uz801_v2.1_stock.bin file listed.

6- With your UZ801 already disassembled, short the two EDL pins (you'll need to solder a wire or make it in a way that it stays shorted during the whole process)

My uz801 doesn't have this nice EM shield on the board.

EDL connector PINs to short together (put in EDL MODE)

7- plug 4G LTE dongle UZ801 and wait few seconds

8- run in terminal: edl wf uz801_v2.1_stock.bin to write to firmware.

9- If everything goes right, you should see a nice and slow progress bar going on in the terminal screen.

10- After finished, remove the UZ801 and remove the short circuit on the EDL pins.

11- plug your revived UZ801 on your PC (I am using Windows 7 for this purpose)

12 - Now it should run normally (192.168.100.1) via RNDIS or wifi. :upside_down_face:

13- Now, let's recover the IMEI that, in my case, was gone! Just put UZ801 in debug mode:

http://192.168.100.1/usbdebug.html (just enter this page and it will activate some com ports)

14 - If you have the Qualcomm drivers correctly set, you should now see something like this:

and

15 - Use TERATERM (in my case COM21 / 9600bps) to connect to the modem. Send AT ... you will receive OK. If you send AT+CGSN and didn't receive +CGSN:863993999999999 (your IMEI), it's time to repair it.

The correct IMEI is in a tag on the case of your UZ801. DO NOT CHANGE IT. IT'S ILLEGAL! If your IMEI is shown, you're already good to go. In my case, the IMEI was missing.

16 - To repair IMEI, download and install **Qualcomm_Smartphone_Write_IMEI_Tool_v1.01** (you can find it on the internet).

16.1- Open it and choose the Diagnostic port (COM22 in my case).

16.2- Click in WRITE and you should see PASS after seconds.

16.3- Replug your UZ801 and open TERATERM again (or Putty) using modem port (COM21 in my case).

17 - Repeat step 15. When you send AT+CGSN you should see your IMEI.

18 - Replug. That's it. Enjoy.

Now you can brick it again and recover as many times as you want! :crazy_face:

7 Likes

Hi,

I have a device with a Qualcomm MSM8916 CPU.
I flashed it the first time with OpenStick + Debian and it worked well, except the SIM card was faulty.
I wrote another image to it and now my device is wrong.
I tried to reflash with the original image but I got these errors:

/home/qualcomm/base-generic/base# ./flash.sh
Erasing 'boot' OKAY [ 0.032s]
Finished. Total time: 0.039s
Sending 'aboot' (280 KB) OKAY [ 0.013s]
Writing 'aboot' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Rebooting OKAY [ 0.004s]
Finished. Total time: 0.205s
FAILED (remote: 'unknown command')
fastboot: error: Command failed
FAILED (remote: 'unknown command')
fastboot: error: Command failed
FAILED (remote: 'unknown command')
fastboot: error: Command failed
FAILED (remote: 'unknown command')
fastboot: error: Command failed
Erasing 'boot' OKAY [ 0.026s]
Finished. Total time: 0.032s
Rebooting into bootloader OKAY [ 0.005s]
Finished. Total time: 0.205s
Sending 'partition' (33 KB) OKAY [ 0.005s]
Writing 'partition' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'hyp' (12 KB) OKAY [ 0.004s]
Writing 'hyp' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'rpm' (512 KB) OKAY [ 0.021s]
Writing 'rpm' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'sbl1' (512 KB) OKAY [ 0.020s]
Writing 'sbl1' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'tz' (591 KB) OKAY [ 0.022s]
Writing 'tz' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'fsc' (1 KB) OKAY [ 0.004s]
Writing 'fsc' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'fsg' (1536 KB) OKAY [ 0.052s]
Writing 'fsg' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'modemst1' (1536 KB) OKAY [ 0.052s]
Writing 'modemst1' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'modemst2' (1536 KB) OKAY [ 0.052s]
Writing 'modemst2' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'aboot' (280 KB) OKAY [ 0.013s]
Writing 'aboot' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Sending 'cdt' (0 KB) OKAY [ 0.004s]
Writing 'cdt' FAILED (remote: 'unknown reason')
fastboot: error: Command failed
Erasing 'boot' OKAY [ 0.026s]
Finished. Total time: 0.032s
Erasing 'rootfs' OKAY [ 0.314s]
Finished. Total time: 0.321s
Rebooting OKAY [ 0.004s]
Finished. Total time: 0.154s
all done please flash your os!

How can I solve this?
Thanks

Tony

I'm sharing a dump of the partitions of a newly unboxed 4G LTE stick for anyone who needs them.

The command I used to create the dump:

$ edl rl <directory> --genxml

You can then use this command to write the partitions:

$ edl qfil rawprogram0.xml -- <directory>

https://drive.google.com/drive/folders/1jpgJBAm_OSHKrXNlf-z8BdmIAbo2jpsG?usp=share_link

2 Likes

Hey guys, I've been reading this post for the last few days and I think it's all pretty advanced here. The @extrowerk blog cites Jean Baudrillard and it's amazing, but here was the part about having to solder 3 pins on a board to access recovery mode. So I found a MacGyver in my town who did this spot weld and I was able to flash it via EDL, so I appreciate all the knowledge shared here.

Hi tv743, have you managed to make a .bin so that you can connect to 3g/4g in LA? I'm in France and I still have issues getting connected to the carriers we have here. Thanks in advance for your response on this matter.

Hi. I read the thread and tried things but still cannot use the modem on UF896_v1.1. The modem is in power off state; I tried to turn it off and on with qmicli and later mmcli -e and -r, and nothing. Any progress out there?

I managed to connect using 4G. I replaced the firmware with the original one, obtained from https://github.com/mbahmodin/UF896_V1.1-EMMC-Dump. The problems now are:
1.- On boot the SIM appears in fail. Executing this removes the fail and it connects automatically.
systemctl stop ModemManager
qmicli -d /dev/wwan0qmi0 --uim-sim-power-off=1
qmicli -d /dev/wwan0qmi0 --uim-sim-power-on=1
systemctl start ModemManager
2.- After some time working it fails and I cannot find a way to put it in working mode again. The only way is to reboot.

Situation with UF896_v1.1

1 Like

Thanks for your great work.. But I don't know how to bring LTE to work again on UF896.. I tried OpenWrt and Debian too.. I tried to add the UF896 patch from lore.kernel.. Sadly, no success at all.

UF896 working great on Debian without problem on wifi speed.. Only Modem not work.. With LXDE-Core , Tigervncserver and clash is working perfectly.. Ram average in 152 - 225MB use..

Please help me bring back the Modem online for UF896 Sir..

Thanks for sharing.. Please, can you explain how to apply this patch on Debian UF896 without compiling a new image.. I don't understand how to apply it.. Or a tutorial on how to apply a patch in Debian..

I will prepare detailed instructions for what I did in the next days.

2 Likes

I'm still waiting Sir.. Bring my modem online again.. OpenWrt or Debian.. Thanks for your attention Sir..

If anyone has a boot.img JZ02V1 for Debian.. Please share, I need that for a wifi speed solution.. On OpenWrt wifi download speed is limited to 5Mbps.. but on Debian it is normal.. Thanks to everyone for the help...