UFI6735 - MediaTek MT6735 4G/LTE + WiFi + USB-stick-router

Recently here was → a thread about the "UF896", a Qualcomm MSM8916 based LTE+WiFi router in USB-stick-format, where people had success in replacing the stock Android with a custom Debian or OpenWrt-based system.

Now I have here a "UFI6735W_V1.1" (→ this exact offer), a seemingly similar device but powered by a MediaTek MT6735V with probably 2 GB flash and 128 MiB RAM which seems to run some form of Android 6.0. It has a SIM card slot, a microSD slot, it provides wireless LAN, and via USB it provides direct ethernet.

Would be interesting if there are any options to put a custom operating system, preferably an OpenWrt based one, on the router.
The → MediaTek MT6735 seems not to have any usable mainline Linux kernel support as of Linux 5.11 (and I don't assume that much has changed), so one has to live with whatever kernel is there from the vendor.


Behaviour:

It's web interface is chinese onlycan be set to English at the login page, it's WLAN IP is 192.168.100.1, it's USB LAN IP is 192.168.101.1. The webinterface allows changing the WLAN's ESSID, encryption, and to specify the SIM card's PIN and set the APN. Also some SIM card SMS and adress book management, and the possibility for firmware upgrade.

When I connect the device to the computer, it first registeres as "MT65xx Preloader" (0e8d:2000) for about 1 second and provides a serial port to the host (/dev/ttyACM0). That serial port continuosly spills out READY (without newlines) until the boot continues.
In the next step it registeres as "Cyrus Technology CS 24" (0e8d:2008) for several seconds. This provides a MTP interface, but mtpfs could not make a sensible connection.
Finally, it registers as "4G_LTE" (0e8d:2004), which provides a CDC Ethernet device.

ADB connection was not possible for me; neither directly via USB (adb devices -l returns nothing), nor via network (adb connect 192.168.100.1 (connect via WLAN) and adb connect 192.168.101.1 (connect via USB LAN) both return failed to connect to '192.168.100.1:5555': Connection refused. Of course, the network connection itself works.)

The stock firmware seems to support VPN, VPN-types called "PPTP PSK" and "L2tp/IPSec PSK".

Photographs:

Photographs (*click* to open):

02_-_frontside 03_-_backside

Screenshot of webinterface (*click* to open):

Technical information:

`dmesg` output after attaching the device to USB (*click* to open):
[125673.657985] usb 1-2: new high-speed USB device number 122 using xhci_hcd
[125673.839202] usb 1-2: New USB device found, idVendor=0e8d, idProduct=2000, bcdDevice= 1.00
[125673.839216] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[125673.839219] usb 1-2: Product: MT65xx Preloader
[125673.839221] usb 1-2: Manufacturer: MediaTek
[125673.862561] cdc_acm 1-2:1.0: Zero length descriptor references
[125673.862590] cdc_acm: probe of 1-2:1.0 failed with error -22
[125673.942875] cdc_acm 1-2:1.1: ttyACM0: USB ACM device
[125676.490738] usb 1-2: USB disconnect, device number 122
[125686.908199] usb 1-2: new high-speed USB device number 123 using xhci_hcd
[125687.092364] usb 1-2: New USB device found, idVendor=0e8d, idProduct=2008, bcdDevice=ff.ff
[125687.092376] usb 1-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[125687.092379] usb 1-2: Product: 4G_LTE
[125687.092381] usb 1-2: Manufacturer: MediaTek
[125687.092383] usb 1-2: SerialNumber: 0123456789ABCDEF
[125731.488163] usb 1-2: USB disconnect, device number 123
[125731.938251] usb 1-2: new high-speed USB device number 124 using xhci_hcd
[125732.119260] usb 1-2: New USB device found, idVendor=0e8d, idProduct=2004, bcdDevice=ff.ff
[125732.119272] usb 1-2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[125732.119274] usb 1-2: Product: 4G_LTE
[125732.119277] usb 1-2: Manufacturer: MediaTek
[125732.119278] usb 1-2: SerialNumber: 0123456789ABCDEF
[125732.124894] rndis_host 1-2:1.0 usb0: register 'rndis_host' at usb-0000:00:15.0-2, RNDIS device, f6:6a:e9:ce:07:1b

(Note that at first there is a "MT65xx Preloader" with a serial port, which after ca. 1 second get's removed again and is replaced by a "4G_LTE", which in turn after some seconds gets removed and replaced by another "4G_LTE".)

Output of `lsusb -vvv -d 0e8d:2000` (the first device that the stick appears as, only for about one second) (*click* to open):
Bus 001 Device 014: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            2 Communications
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0e8d MediaTek Inc.
  idProduct          0x2000 MT65xx Preloader
  bcdDevice            1.00
  iManufacturer           1 MediaTek
  iProduct                2 MT65xx Preloader
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0046
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          3 USB CDC ACM for preloader
    bmAttributes         0xc0
      Self Powered
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              4 CDC ACM Data Interface
      Endpoint Descriptor:
        bLength                 8
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 8
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass      2 Abstract (modem)
      bInterfaceProtocol      1 AT-commands (v.25ter)
      iInterface              5 CDC ACM Communication Interface
      CDC Header:
        bcdCDC               1.10
      CDC ACM:
        bmCapabilities       0x0f
          connection notifications
          sends break
          line coding and serial state
          get/set/clear comm features
      CDC Union:
        bMasterInterface        1
        bSlaveInterface         0 
      CDC Call Management:
        bmCapabilities       0x03
          call management
          use DataInterface
        bDataInterface          0
      Endpoint Descriptor:
        bLength                 8
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              16
Device Status:     0x0001
  Self Powered
Output of `lsusb -vvv -d 0e8d:2008` (the second device that the stick appears as, for several seconds) (*click* to open):
Bus 001 Device 015: ID 0e8d:2008 MediaTek Inc. Cyrus Technology CS 24
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0e8d MediaTek Inc.
  idProduct          0x2008 Cyrus Technology CS 24
  bcdDevice           ff.ff
  iManufacturer           2 MediaTek
  iProduct                3 4G_LTE
  iSerial                 4 0123456789ABCDEF
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0027
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xc0
      Self Powered
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol      0 
      iInterface             17 MTP
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x001c  1x 28 bytes
        bInterval               6
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0001
  Self Powered
Output of `lsusb -vvv -d 0e8d:2004` (the final device that the stick appears as) (*click* to open):
Bus 001 Device 124: ID 0e8d:2004 MediaTek Inc. 4G_LTE
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          224 Wireless
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0e8d MediaTek Inc.
  idProduct          0x2004 
  bcdDevice           ff.ff
  iManufacturer           2 MediaTek
  iProduct                3 4G_LTE
  iSerial                 4 0123456789ABCDEF
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x004b
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xc0
      Self Powered
    MaxPower              500mA
    Interface Association:
      bLength                 8
      bDescriptorType        11
      bFirstInterface         0
      bInterfaceCount         2
      bFunctionClass        224 Wireless
      bFunctionSubClass       1 Radio Frequency
      bFunctionProtocol       3 RNDIS
      iFunction              19 RNDIS
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass       224 Wireless
      bInterfaceSubClass      1 Radio Frequency
      bInterfaceProtocol      3 RNDIS
      iInterface             17 RNDIS Communications Control
      ** UNRECOGNIZED:  05 24 00 10 01
      ** UNRECOGNIZED:  05 24 01 00 01
      ** UNRECOGNIZED:  04 24 02 00
      ** UNRECOGNIZED:  05 24 06 00 01
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval               9
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface             18 RNDIS Ethernet Data
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass          224 Wireless
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0001
  Self Powered
Output from `/dev/ttyACM0` for the short time it is present during the boot of the stick (*click* to open):
READYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADYREADY
From inside the webinterface, I get the following system information (*click* to open):

软件版本: 4G_LTE_5M_H07_C03_MV2.247
ROM版本: Android 6.0
WLAN MAC地址: [censored by author]
IMEI1: [censored by author]
IMEI2: 000000000000000
ICCID1: [censored by author]
ICCID2: [censored by author]

which → machine-translates to

Software Version: 4G_LTE_5M_H07_C03_MV2.247
ROM version: Android 6.0
WLAN MAC address: [censored by author]
IMEI1: [censored by author]
IMEI2: 000000000000000
ICCID1: [censored by author]
ICCID2: [censored by author]

NMAP TCP + UDP + service discovery + OS discovery scan (*click* to open):

nmap -oN nmap.tcp-and-udp.log -sS -sU -p0-65535,U:0-65535 -r -sV --version-all -O --osscan-guess -d -vv --max-os-tries 5 192.168.101.1:

WARNING: Duplicate port number(s) specified.  Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm).
# Nmap 7.92 scan initiated Wed Nov  2 11:01:34 2022 as: nmap -oN nmap.tcp-and-udp.log -sS -sU -p0-65535,U:0-65535 -r -sV --version-all -O --osscan-guess -d -vv --max-os-tries 5 192.168.101.1
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
[...]
Not shown: 65532 closed udp ports (port-unreach), 65530 closed tcp ports (reset)
PORT      STATE         SERVICE       REASON              VERSION
53/tcp    open          domain        syn-ack ttl 64      dnsmasq 2.51
80/tcp    open          http          syn-ack ttl 64
8080/tcp  open          http-proxy    syn-ack ttl 64
8443/tcp  open          ssl/https-alt syn-ack ttl 64
8989/tcp  open          sunwebadmins? syn-ack ttl 64
9876/tcp  open          sd?           syn-ack ttl 64
53/udp    open          domain        udp-response ttl 64 dnsmasq 2.51
67/udp    open          dhcps?        udp-response ttl 64
8979/udp  open|filtered unknown       no-response
49361/udp open|filtered unknown       no-response
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
[...]

Uptime guess: 0.805 days (since Wed Nov  2 10:04:26 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros

Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-os-db nmap-payloads nmap-service-probes nmap-services.
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov  3 05:23:42 2022 -- 1 IP address (1 host up) scanned in 66128.09 seconds

↑ Removed service discovery fingerprints since too much data for this forum. Full log: → Here.

NMAP IP protocols scan (*click* to open):

nmap -oN nmap.protocolscan.log -p 0-255 -sO --osscan-guess --reason -d -vv 192.168.101.1:

# Nmap 7.92 scan initiated Wed Nov  2 10:56:28 2022 as: nmap -oN nmap.protocolscan.log -p 0-255 -sO --osscan-guess --reason -d -vv 192.168.101.1
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Packet capture filter (device usb0): arp and arp[18:4] = 0x9E541A78 and arp[22:2] = 0x5CD9
Packet capture filter (device usb0): dst host 192.168.101.4 and (icmp or icmp6 or (src host 192.168.101.1))
Increasing send delay for 192.168.101.1 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.101.1 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.101.1 from 40 to 80 due to 11 out of 13 dropped probes since last increase.
Increasing send delay for 192.168.101.1 from 640 to 1000 due to 11 out of 12 dropped probes since last increase.
Nmap scan report for 192.168.101.1
Host is up, received arp-response (0.00054s latency).
Scanned at 2022-11-02 10:56:28 CET for 299s
Not shown: 245 closed n/a protocols (proto-unreach)
PROTOCOL STATE         SERVICE REASON
1        open          icmp    echo-reply ttl 64
2        open|filtered igmp    no-response
4        open|filtered ipv4    no-response
6        open          tcp     proto-response ttl 64
17       open          udp     port-unreach ttl 64
41       open|filtered ipv6    no-response
50       open|filtered esp     no-response
51       open|filtered ah      no-response
103      open|filtered pim     no-response
108      open|filtered ipcomp  no-response
136      open|filtered udplite no-response
MAC Address: 0E:B8:01:41:C2:91 (Unknown)

Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-protocols.
# Nmap done at Wed Nov  2 11:01:27 2022 -- 1 IP address (1 host up) scanned in 299.42 seconds
The following chips could be identified on the board, with the following writings on them (*click* to open):

Mediatek IC "MT6735V" (SoC with LTE modem, → Postmarket OS has a page about it, CPU: 4x GHz ARM Cortex-A53, GPU: ARM Mali-T720 MP2):

  MEDIATEK
       ARM
MT6735V
1547-WMAHHTH
BTTCF001

•

Samsung IC "KMN9X000RM-B209" (Probably 2GiB Flash memory and 128 MiB RAM):

SAMSUNG     443
KMN9X000RM-B209

•  S2R8HAN7C

Mediatek IC "MT6625LN" (maybe wireless LAN chip??):

 MEDIATEK
MT6625LN
1717-AJCJL
BAP0W683
ACMQP07Y
•

Skyworks IC "Skyworks 77643-11" (maybe UMTS/ LTE amplifier):

•


77643-11
305003 1P
1529   MX

Mediatek IC "MT6169V" (RF transciever):

MEDIATEK
 MT6169V
1541-AMAH
BTP34M21

•

Unknown IC "418":

 418
•

On the other side of the PCB:

Mediatek IC "MT6328V" (Power Management IC, → datasheet):

MEDIATEK
MT6328V
1613-AEAH
D6023160

•

Unknown IC "120903":

 120903
 629695
 H   Y

•

Connect from WLAN
1.Enable adb and change web face
http://192.168.100.1/adbWifiDebugForm.do?adb=1
2. adb connect 192.168.100.1
3. Save current web face
adb pull /storage/emulated/0/lrserver/webapps/ROOT.war ROOT.war
4. Download modified web face https://4pda.to/pages/go/?u=https%3A%2F%2Fdisk.yandex.ru%2Fd%2FN_2fLsA_3ui-4w&e=114529136
5. Flash web face to modem
adb push ROOT.war /storage/emulated/0/lrserver/webapps

After reboot, web face EN, RU, CN.
IMEI and TTL, band change, and other tweaks.

Ahoj @sorine,

thanks for your information!

How did you find it out?

Do you have more ressources somewhere for this modem you can link to?

(I corrected "192.168.1.100.1" to "192.168.100.1") This always brings me back to the login interface (I also tried the USB-ethernet connection), and

still reacts with a "Connection refused". What is going wrong? Do I need to do some special things before (like removing the SIM card)?

I made a screenshot of the web interface -- is this similar to yours?

However, I just overlooked that I can change the web interface to English, when I do it in the login screen. (I just overlooked it, because I was not looking for any settings before any login, and so I was looking for settings only after login.)

Btw., the stock firmware seems to support VPN, VPN-types called "PPTP PSK" and "L2tp/IPSec PSK".

I advise you to stop using the modem on the MTK6735. During testing, they showed a times lower download speed compared to devices based on MSM8916. There is no OpenWRT for the modem on MTK. Modify the interface and give it to a neighbor :slight_smile:

First you need to use the modem in the web interest, then turn on adb.

I have 10 Mbit/s which is the maximum which I can get with my contract, and that is more which I got on the UF896.

But I am looking for a MSM8916-based UF896 again.

I have also ordered a → VoCore 2 ultimate, there I could plug in my Huawei E3372s-153, as an alternative almost-even-as-small solution (needs a power cable, though).

What do you mean?
I logged in at http://192.168.100.1/web/login.asp or http://192.168.100.1/cellweb/login.asp, always, and when I open http://192.168.100.1/adbWifiDebugForm.do?adb=1 I just get back to the login page and adb is still not working.

I just get a redirect:

curl 'http://192.168.100.1/adbWifiDebugForm.do?adb=1':

Forum from Russian https://4pda.to/forum/index.php?showtopic=982734&st=500#entry107347095

1 Like