Now I have here a "UFI6735W_V1.1" (→ this exact offer), a seemingly similar device but powered by a MediaTek MT6735V with probably 2 GB flash and 128 MiB RAM which seems to run some form of Android 6.0. It has a SIM card slot, a microSD slot, it provides wireless LAN, and via USB it provides direct ethernet.
Would be interesting if there are any options to put a custom operating system, preferably an OpenWrt based one, on the router.
The → MediaTek MT6735 seems not to have any usable mainline Linux kernel support as of Linux 5.11 (and I don't assume that much has changed), so one has to live with whatever kernel is there from the vendor.
Behaviour:
It's web interface is chinese onlycan be set to English at the login page, it's WLAN IP is 192.168.100.1, it's USB LAN IP is 192.168.101.1. The webinterface allows changing the WLAN's ESSID, encryption, and to specify the SIM card's PIN and set the APN. Also some SIM card SMS and adress book management, and the possibility for firmware upgrade.
When I connect the device to the computer, it first registeres as "MT65xx Preloader" (0e8d:2000) for about 1 second and provides a serial port to the host (/dev/ttyACM0). That serial port continuosly spills out READY (without newlines) until the boot continues.
In the next step it registeres as "Cyrus Technology CS 24" (0e8d:2008) for several seconds. This provides a MTP interface, but mtpfs could not make a sensible connection.
Finally, it registers as "4G_LTE" (0e8d:2004), which provides a CDC Ethernet device.
ADB connection was not possible for me; neither directly via USB (adb devices -l returns nothing), nor via network (adb connect 192.168.100.1 (connect via WLAN) and adb connect 192.168.101.1 (connect via USB LAN) both return failed to connect to '192.168.100.1:5555': Connection refused. Of course, the network connection itself works.)
The stock firmware seems to support VPN, VPN-types called "PPTP PSK" and "L2tp/IPSec PSK".
Photographs:
Technical information:
`dmesg` output after attaching the device to USB (*click* to open):
[125673.657985] usb 1-2: new high-speed USB device number 122 using xhci_hcd
[125673.839202] usb 1-2: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[125673.839216] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[125673.839219] usb 1-2: Product: MT65xx Preloader
[125673.839221] usb 1-2: Manufacturer: MediaTek
[125673.862561] cdc_acm 1-2:1.0: Zero length descriptor references
[125673.862590] cdc_acm: probe of 1-2:1.0 failed with error -22
[125673.942875] cdc_acm 1-2:1.1: ttyACM0: USB ACM device
[125676.490738] usb 1-2: USB disconnect, device number 122
[125686.908199] usb 1-2: new high-speed USB device number 123 using xhci_hcd
[125687.092364] usb 1-2: New USB device found, idVendor=0e8d, idProduct=2008, bcdDevice=ff.ff
[125687.092376] usb 1-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[125687.092379] usb 1-2: Product: 4G_LTE
[125687.092381] usb 1-2: Manufacturer: MediaTek
[125687.092383] usb 1-2: SerialNumber: 0123456789ABCDEF
[125731.488163] usb 1-2: USB disconnect, device number 123
[125731.938251] usb 1-2: new high-speed USB device number 124 using xhci_hcd
[125732.119260] usb 1-2: New USB device found, idVendor=0e8d, idProduct=2004, bcdDevice=ff.ff
[125732.119272] usb 1-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[125732.119274] usb 1-2: Product: 4G_LTE
[125732.119277] usb 1-2: Manufacturer: MediaTek
[125732.119278] usb 1-2: SerialNumber: 0123456789ABCDEF
[125732.124894] rndis_host 1-2:1.0 usb0: register 'rndis_host' at usb-0000:00:15.0-2, RNDIS device, f6:6a:e9:ce:07:1b
(Note that at first there is a "MT65xx Preloader" with a serial port, which after ca. 1 second get's removed again and is replaced by a "4G_LTE", which in turn after some seconds gets removed and replaced by another "4G_LTE".)
Output of `lsusb -vvv -d 0e8d:2000` (the first device that the stick appears as, only for about one second) (*click* to open):
Bus 001 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 2 Communications
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0e8d MediaTek Inc.
idProduct 0x2000 MT65xx Preloader
bcdDevice 1.00
iManufacturer 1 MediaTek
iProduct 2 MT65xx Preloader
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0046
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 3 USB CDC ACM for preloader
bmAttributes 0xc0
Self Powered
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 4 CDC ACM Data Interface
Endpoint Descriptor:
bLength 8
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 8
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 5 CDC ACM Communication Interface
CDC Header:
bcdCDC 1.10
CDC ACM:
bmCapabilities 0x0f
connection notifications
sends break
line coding and serial state
get/set/clear comm features
CDC Union:
bMasterInterface 1
bSlaveInterface 0
CDC Call Management:
bmCapabilities 0x03
call management
use DataInterface
bDataInterface 0
Endpoint Descriptor:
bLength 8
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 16
Device Status: 0x0001
Self Powered
Output of `lsusb -vvv -d 0e8d:2008` (the second device that the stick appears as, for several seconds) (*click* to open):
Bus 001 Device 015: ID 0e8d:2008 MediaTek Inc. Cyrus Technology CS 24
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0e8d MediaTek Inc.
idProduct 0x2008 Cyrus Technology CS 24
bcdDevice ff.ff
iManufacturer 2 MediaTek
iProduct 3 4G_LTE
iSerial 4 0123456789ABCDEF
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0027
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xc0
Self Powered
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 0
iInterface 17 MTP
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x001c 1x 28 bytes
bInterval 6
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 1
Device Status: 0x0001
Self Powered
Output of `lsusb -vvv -d 0e8d:2004` (the final device that the stick appears as) (*click* to open):
Bus 001 Device 124: ID 0e8d:2004 MediaTek Inc. 4G_LTE
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 224 Wireless
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0e8d MediaTek Inc.
idProduct 0x2004
bcdDevice ff.ff
iManufacturer 2 MediaTek
iProduct 3 4G_LTE
iSerial 4 0123456789ABCDEF
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x004b
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xc0
Self Powered
MaxPower 500mA
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 0
bInterfaceCount 2
bFunctionClass 224 Wireless
bFunctionSubClass 1 Radio Frequency
bFunctionProtocol 3 RNDIS
iFunction 19 RNDIS
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 3 RNDIS
iInterface 17 RNDIS Communications Control
** UNRECOGNIZED: 05 24 00 10 01
** UNRECOGNIZED: 05 24 01 00 01
** UNRECOGNIZED: 04 24 02 00
** UNRECOGNIZED: 05 24 06 00 01
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 9
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 18 RNDIS Ethernet Data
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 224 Wireless
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 1
Device Status: 0x0001
Self Powered
Output from `/dev/ttyACM0` for the short time it is present during the boot of the stick (*click* to open):
READYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADY
From inside the webinterface, I get the following system information (*click* to open):
软件版本: 4G_LTE_5M_H07_C03_MV2.247
ROM版本: Android 6.0
WLAN MAC地址: [censored by author]
IMEI1: [censored by author]
IMEI2: 000000000000000
ICCID1: [censored by author]
ICCID2: [censored by author]
which → machine-translates to
Software Version: 4G_LTE_5M_H07_C03_MV2.247
ROM version: Android 6.0
WLAN MAC address: [censored by author]
IMEI1: [censored by author]
IMEI2: 000000000000000
ICCID1: [censored by author]
ICCID2: [censored by author]
NMAP TCP + UDP + service discovery + OS discovery scan (*click* to open):
nmap -oN nmap.tcp-and-udp.log -sS -sU -p0-65535,U:0-65535 -r -sV --version-all -O --osscan-guess -d -vv --max-os-tries 5 192.168.101.1:
WARNING: Duplicate port number(s) specified. Are you alert enough to be using Nmap? Have some coffee or Jolt(tm).
# Nmap 7.92 scan initiated Wed Nov 2 11:01:34 2022 as: nmap -oN nmap.tcp-and-udp.log -sS -sU -p0-65535,U:0-65535 -r -sV --version-all -O --osscan-guess -d -vv --max-os-tries 5 192.168.101.1
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
[...]
Not shown: 65532 closed udp ports (port-unreach), 65530 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 64 dnsmasq 2.51
80/tcp open http syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
8443/tcp open ssl/https-alt syn-ack ttl 64
8989/tcp open sunwebadmins? syn-ack ttl 64
9876/tcp open sd? syn-ack ttl 64
53/udp open domain udp-response ttl 64 dnsmasq 2.51
67/udp open dhcps? udp-response ttl 64
8979/udp open|filtered unknown no-response
49361/udp open|filtered unknown no-response
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
[...]
Uptime guess: 0.805 days (since Wed Nov 2 10:04:26 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-os-db nmap-payloads nmap-service-probes nmap-services.
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 3 05:23:42 2022 -- 1 IP address (1 host up) scanned in 66128.09 seconds
↑ Removed service discovery fingerprints since too much data for this forum. Full log: → Here.
NMAP IP protocols scan (*click* to open):
nmap -oN nmap.protocolscan.log -p 0-255 -sO --osscan-guess --reason -d -vv 192.168.101.1:
# Nmap 7.92 scan initiated Wed Nov 2 10:56:28 2022 as: nmap -oN nmap.protocolscan.log -p 0-255 -sO --osscan-guess --reason -d -vv 192.168.101.1
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Packet capture filter (device usb0): arp and arp[18:4] = 0x9E541A78 and arp[22:2] = 0x5CD9
Packet capture filter (device usb0): dst host 192.168.101.4 and (icmp or icmp6 or (src host 192.168.101.1))
Increasing send delay for 192.168.101.1 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.101.1 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.101.1 from 40 to 80 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 192.168.101.1 from 640 to 1000 due to 11 out of 12 dropped probes since last increase.
Nmap scan report for 192.168.101.1
Host is up, received arp-response (0.00054s latency).
Scanned at 2022-11-02 10:56:28 CET for 299s
Not shown: 245 closed n/a protocols (proto-unreach)
PROTOCOL STATE SERVICE REASON
1 open icmp echo-reply ttl 64
2 open|filtered igmp no-response
4 open|filtered ipv4 no-response
6 open tcp proto-response ttl 64
17 open udp port-unreach ttl 64
41 open|filtered ipv6 no-response
50 open|filtered esp no-response
51 open|filtered ah no-response
103 open|filtered pim no-response
108 open|filtered ipcomp no-response
136 open|filtered udplite no-response
MAC Address: 0E:B8:01:41:C2:91 (Unknown)
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-protocols.
# Nmap done at Wed Nov 2 11:01:27 2022 -- 1 IP address (1 host up) scanned in 299.42 seconds
The following chips could be identified on the board, with the following writings on them (*click* to open):
Mediatek IC "MT6735V" (SoC with LTE modem, → Postmarket OS has a page about it, CPU: 4x GHz ARM Cortex-A53, GPU: ARM Mali-T720 MP2):
MEDIATEK
ARM
MT6735V
1547-WMAHHTH
BTTCF001
•
Samsung IC "KMN9X000RM-B209" (Probably 2GiB Flash memory and 128 MiB RAM):
SAMSUNG 443
KMN9X000RM-B209
• S2R8HAN7C
Mediatek IC "MT6625LN" (maybe wireless LAN chip??):
MEDIATEK
MT6625LN
1717-AJCJL
BAP0W683
ACMQP07Y
•
Skyworks IC "Skyworks 77643-11" (maybe UMTS/ LTE amplifier):
•
77643-11
305003 1P
1529 MX
Mediatek IC "MT6169V" (RF transciever):
MEDIATEK
MT6169V
1541-AMAH
BTP34M21
•
Unknown IC "418":
418
•
On the other side of the PCB:
Mediatek IC "MT6328V" (Power Management IC, → datasheet):
MEDIATEK
MT6328V
1613-AEAH
D6023160
•
Unknown IC "120903":
120903
629695
H Y
•
