Hackable $20 Modem Combines LTE And Pi Zero W2 Power

The modem in question plugged into a black powerbank.

[extrowerk] tells us about a new hacker-friendly device – a $20 LTE modem stick with a quadcore CPU and WiFi, capable of running fully-featured Linux distributions. This discovery hinges on a mountain of work by a Chinese hacker [HandsomeYingYan], who’s figured out this stick runs Android, hacked its bootloader, tweaked a Linux kernel for it and created a Debian distribution for the stick – calling this the OpenStick project. [extrowerk]’s writeup translates the [HandsomeYingYan]’s tutorial for us and makes a few more useful notes. With this writeup in hand, we have unlocked a whole new SBC to use in our projects – at a surprisingly low price!

At times when even the simplest Pi Zero is unobtainium (yet again!), this is a wonderful find. For a bit over the price of a Zero 2W, you get a computer with a similar CPU (4-core 1GHz A53-based Qualcomm MSM8916), same amount of RAM, 4GB storage, WiFi – and an LTE modem. You can stick this one into a powerbank or a wallwart and run it at a remote location, make it into a home automation hub, or perhaps, process some CPU-intensive tasks in a small footprint. You can even get them with a microSD slot for extra storage – or perhaps, even extra GPIOs? You’re not getting a soldering-friendly GPIO header, but it has a few LEDs and, apparently, a UART header, so it’s not all bad. As [extrowerk] points out, this is basically a mobile phone in a stick form factor, but without the display and the battery.

The modem with its cover taken off, showing the chips on its board.Now, there’s caveats. [extrowerk] points out that you should buy the modem with the appropriate LTE bands for your country – and that’s not the only thing to watch out for. A friend of ours recently obtained a visually identical modem; when we got news of this hack, she disassembled it for us – finding out that it was equipped with a far more limited CPU, the MDM9600. That is an LTE modem chip, and its functions are limited to performing USB 4G stick duty with some basic WiFi features. Judging by a popular mobile device reverse-engineering forum’s investigations (Russian, translated), looks like the earlier versions of this modem came with the way more limited MDM9600 SoC, not able to run Linux like the stick we’re interested in does. If you like this modem and understandably want to procure a few, see if you can make sure you’ll get MSM8916 and not the MDM9600.

Days of using WiFi routers to power our robots are long gone since the advent of Raspberry Pi, but we still remember them fondly, and we’re glad to see a router stick with the Pi Zero 2W oomph. We’ve been hacking at such sticks for over half a decade now, most of them OpenWRT-based, some as small as an SD card reader. Now, when SBCs are hard to procure, this could be a perfect fit for one of your next projects.

Update: in the comments below, people have found a few links where you should be able to get one of these modems with the right CPU. Also, [Joe] has started investigating the onboard components!

183 thoughts on “Hackable $20 Modem Combines LTE And Pi Zero W2 Power

    1. some of the listings on fleabay do indictate ‘qualcomm 9600’ or ‘qualcomm 8916’, so I recommend doing a search with descriptions included to find those listings.

          1. I’ve picked up a pair from a different seller. They’re listed.. confusingly, and I’m guessing they ship whatever’s on hand. Both the ones I got from https://www.aliexpress.com/item/1005004198680336.html are 8916s (according to the splash page on the router ui) with one sim, GPS detected as 0 lat and long, and the ability to switch to a second, non obvious sim card. Haven’t tried reflashing them cause I actually need them to be 4G APs for a bit

      1. I’m still a little new to hardware hacking so I have to ask, with having a full Linux distro on this, could it reverse SSH tunnel to my home setup so I can link to it from the house regardless of the sim card it’s using?

          1. Thanks for the reply.

            My home broadband has a dynamic ip, but SSH into my router and VNC of my pi Zero work fine using NoIP DDNS service.

            A reverse tunnel would work just the same as with a fixed IP?

          2. As long as your DDNS works well and you use the DDNS domain name instead of the IP when creating the tunnel, it oughta work! One thing though – I’d look into something like a Wireguard connection instead of SSH for a tunnel, not only it’s more featureful, it’s also more reliable wrt autoconnects and unreliable links, in my experience.

      2. Thank you very much for the article and your url.
        I ordered two sticks from your url 2 weeks ago and received the devices already today.
        I can confirm your instructions worked without any problems and both devices have debian installed now :)
        I’m a bit concerned about the mirror “http://mirrors.163.com/debian/” used in /etc/apt/sources.list, and http://repo.mobian-project.org/ used in /etc/apt/sources.list.d/mobian.list, because both don’t look official. I guess they contain patches for the hardware somewhere, but imho it would feel much better if both repos would only contain the patched packages and not override all official ones.

    2. It is striking that everyone involved has seen fit to detail every aspect of the project *except* the most essential bit: a reliable way to get hold of the stick in question… it’s probably safest to regard this as non-repeatable until there’s a source for it, just like all of those nifty-looking software projects whose only documentation is a Youtube video.

        1. Isn’t that perfect? We’re looking for the MSM8916. Who here even cares about the sim? It seems to me that we’re in this to make an affordable sbc, not a phone or modem.

      1. My sticks just arrived! I can confirm that the black sticks really are MSM8916 as advertised. It took them 2 weeks to arrive to me here in Arizona from China. Now to get hacking…

  1. Why does an LTE modem have an Android distribution on it? What’s it doing? Why is the processor this powerful?

    Is this just a bigger processor swapped in because the smaller ones became unobtainable? Or is this thing MITMing all your LTE comms?

    1. Stingray on a fob, for 3rd world intelligence services on a budget.

      Someone with deep cell network knowledge should implement a stingray on this thing. If the NSA can snoop us, we should be able to snoop them. Fair’s fair. Goose, gander etc.

      Might need a linear to work, but good news, Alibaba has cheap linears.

    2. TL;DR: using Android is easier and cheaper than spinning up their own distro because it already handles 95% of the stuff they’d need to implement if they did it from scratch

      Android was just the cheapest and easiest option to go with when deciding on what to run on the thing. Think about it, android already has all the drivers and utilities for setting up an LTE connection and handling network routing (hotspot). All the manufacturer has to do is rip out all the gui bits, throw in a couple of auto configuration scripts for stuff like a wifi AP, a web interface for additional configuration (APNs, sms, etc.) and boom you have an LTE hotspot. As for why it’s so powerful, the main chip is a SOC meant to power whole android phones and tablets it’s not just a modem. I wouldn’t be surprised the chips in these are inexpensive QC rejects from Qualcomm

      1. Exactly this. I’ve seen medical devices that had to call home, and they came with a locked-down Motorola smart phone that had the android UI disabled. Literally powers on with Motorola & the carrier logos, then shows the most simple text UI reminiscent of fastboot / recovery mode that shows signal strength and IMEI. No user-interactive controls beyond power off.

  2. I feel silly but I can’t find what the guy bought in specific. Rather just the class of device bought.

    That said, I am reminded of a hocky puck sized Wifi/LTE modem my aunt had about a decade back, andrealized if I could run a ‘normal’ linux on it and if there is on device storage it’d make a decent little hobby box.

  3. Can the USB port on this be configured to not only power the device, but to be a host to another USB device? If so, adding a small USB hub would allow you to use multiple devices with this.

    1. By default, the usb port would be a gadget or device port, rather than a host.

      That said, since many phones support OTG, that may also be the case here, and it might be possible to have the dongle be a host with an appropriate adapter and internal programming.

      Note that an OTG cable has the ID pin to allow the device to recognise that it should enter OTG mode and assume the host role, while these devices only have a USB A connector which omits the ID pin. Hence the requirement to programmatically enter host mode. Also, you would need the hub to source power to the dongle as well as any other devices connected to it.

      1. I just bought a [female USB to female micro-USB adapter](https://www.aliexpress.com/item/1005003139375815.html?spm=a2g0o.order_list.0.0.74441802T46tA4) to convert the male USB of the stick to female microUSB. From this point it is like a phone.
        Then i bought a [microUSB hub](https://www.aliexpress.com/item/1005002547500579.html?spm=a2g0o.order_list.0.0.74441802T46tA4) which provides 2 USB-A port and elt me power the whole stuff through a microUSB port.
        I am waiting those to arrive, will report back.

  4. Not sure how $20 is a good deal, 6 years ago I bought 3 Moto Es for $20 each, those have the same chipset, twice as much RAM, and include a battery and screen. They even held up to a few years of cryptocurrency mining, something that would burn out cheap ZTEs after a few months to a year. Once mining wasn’t profitable anymore, I now have those Moto Es waiting for use in some other project.

    1. I just bought a moto g4 play XT1601 (as is- couldn’t read sim cards) as well as several of these 4G LTE MSM8916 sticks to see if I can get openstick running on both instances of MSM8916 (the moto g4 play has MSM 8916 and 2GB DDR3 RAM). The 4G LTE sticks on Alibaba were $12 with free shipping and the as-is g4 play was $13 with free shipping. Same cost, but more ram and a working screen. I’m just curious what I can do with it.

  5. Pis are highly sought after because they have a vast developer network, receive regular updates, and are designed for DIY. Taking any ARM SBC with similar chips and trying to replicate a Pi just turns it into a Linux box that can’t install kernel updates.

    It’s just not the same thing, and the pricing of Pis reflects that more than just supply chain issues. We know there are plenty of cheap chips out there, but there’s only one brand of ARM SBCs that gives you the flexibility and support as if you were building a home PC. There is just no competitor for that ecosystem yet.

  6. It seems that this chipset has some additional functionality built in: Adreno 306 graphics, Bluetooth, GNSS (GPS, GLONASS, BeiDou).

    On this dongle, the GNSS probably doesn’t have an antenna, but I wonder if Bluetooth shares the WiFi antenna?

    Not being a Linux guru, let me ask a possibly dumb question. Could you use the Adreno as if there were a display connected, but instead, view the output on VNC? I know you can do this on a computer with a physical display connected. That way, you wouldn’t be limited to only running text programs.

    BTW, I ordered two similar looking dongles from Amazon for $23 each (two days, instead of two weeks). They showed as having a uSD slot, so hopefully they have the correct chipset. Wrong LTE bands for the US, but I don’t care.

      1. I think it’s ironic that one of you is called Lucifer, the father of lies, and the other is called tryhrth which looks like truth.

        Anyway, I’ve seen it for as low as $12 on aliexpress. ctrl + f my name for a link to what I found

  7. I did something like that once.
    I have a Huawei LTE router, on digging I found out that it runs Android.
    Adb is accessible via network and running “adb shell” returns a root terminal.
    I have Disable unnecessary services (VoIP + SIP, VPN etc) to save memory.
    Then I have mounted an Adguard Server and with a HDD through the USB port a torrent download server (Transmission WebRPC).
    Those modifications had no impact on performance and were more than enough.
    The characteristics were CPU Hisilicon x2 1Gz, 512MB RAM, 1Gb Flash (only 128Mb accessible, the rest of the partitions are system and read only).

  8. My Amazon order arrived today. I have Debian installed on one of the two devices that I ordered. I did have a problem with fastboot on Win10, but found the answer here: https://beebom.com/fastboot-not-detecting-device-windows-10/

    I am currently having a problem with installing nano. I am getting name resolution errors. I’ll have to brush up on my Linux. I haven’t done anything with it in several years, and all of the configuration stuff I used to know has changed.

    Here is a link to what I bought. Note that despite the description and picture, it has no TF slot. There are several vendors selling the same thing, at least one for $2 less. Look for the picture of the guy with glasses, holding it next to his head.


    Looking at the circuit board, I see pads for a UART, an antenna (which one?) and other stuff. For later investigation…

    1. nicely done, thank you for writing your experience up and sharing it with us! some notes:

      The bottom side shows where the missing TF socket should be, next to a reset button.

      That is not a TF socket footprint, it’s a footprint for a small DFN-8 chip – in fact, there’s two of these, as you’ve noticed. I wonder what’s that for – I’ll have to wait until I can get one of your modems. However, if it’s a flash chip and happens to use SPI, we could absolutely mod a microSD card slot on there, just that it’d be lower-speed, perhaps.

      I’ll have to see how a SIM is interfaced to a phone, but this sound suspiciously like the signals used by I2C, except for Reset.

      Certainly not – in fact, SIM interfaces are more UART-like.

      The two FB pads with arrows are obviously for Up/Down buttons.

      ..hope so, but what makes you think that?

      One may be for Bluetooth. I’ll find this out later, when I try to enable Bluetooth.

      the Bluetooth support circuitry might not even be wired up to the chip, I’m afraid =( that said, there’s hope, of course!

      The UART and SPI things absolutely could use a test! My guess is that SPI would be quite usable from Linux, and UART always tends to be – unless it’s some comms channel between two chips on the board or something.

      1. I was going by the picture that showed a TF socket, and assumed that was what the footprint was for. It looks like you know more about that than I do. Also about SIMs.

        As for the buttons, I found some documentation for a development board that uses the Snapdragon 410. It talks about reassigning buttons. That is just some of the additional documentation that I need to read through. I’ll update the web page later.

        I haven’t tried Bluetooth yet. I assume it uses the same antenna as Wifi, though.

        The UART is next on my list of hardware to investigate. I2C and SPI will be later.

        For further discussion, it might be best for you to email me (take the username and domain in the URL of the web page). Any information about these dongles will be added to my web page as we learn new things.

    2. I noticed in your OpenStick investigations that you had two pads labeled Vi & Gnd and crossed them out. I believe these are antenna pads.

      In your photos you have the plastic tip with black tape still installed on your board but in Mizsei Zoltán’s photos he’s removed the plastic tip. If you notice in Mizsei Zoltán’s photos where the plastic tip would be, you can see two pads similar to the one you marked up however one is populated with a connector. That connector interfaces to the black tape on the plastic tip which is actually a metallic tape antenna.

      Curiously, if you inspect the plastic tip you’ll see there’s actually two contact pads and one lines up with the unpopulated pad on the board. So it appears there are actually 4 antenna pads on the board but only one is populated.

  9. To save others from making the same mistake I did, you need to configure the WiFi on the dongle as a client, with no SSID. Then use “Activate” to connect to your home WiFi router. Select your SSID, then you will be prompted for a password. Finally, your dongle will be connected to the internet.

    But now, when I try to do an apt-get update, I’m getting various errors. I can ping google.com and others, so I know that the internet is finally working.

  10. I think I have the same one. I opened it and it has a chip marked as “PM8916”. When I log in to the router page, there is a “upgrade” option which accepts an “apk” file and in windows the device name is “Android”. But I cannot connect via ADB. The router IP is “” and if I try to connect by running “adb connect” it says connection refused. Anyone has any idea?

    1. That PM8916 chip is the Power Management IC (PMIC). That is the same one I have. However, the default IP you have is different. I have, which is the same as documented by Extrowerk. So, without unsoldering the metal shield to look for the MSM8916, I don’t know how to confirm that you have the correct LTE dongle.

      I followed Extrowerk’s instructions, and managed to flash Linux. If that isn’t working for you, perhaps you don’t have the correct dongle.

      1. I tried to change the change the ip address to “” just to test if it works. The modem stopped working at all. So I opened it, long pressed the power button and everything was reset. So it works now.
        Although my device doesn’t normally show up on “adb devices” list, when I do a factory reset, it briefly shows up in “recovery” mode. So I am guessing a valid android device is in there, but the system has developer mode turned off so it doesn’t normally shows up in “adb devices” list.

    2. > adb connect”

      I have *nowhere* documented a step like this.
      Stop reinventing the wheel and causing headache for yourself while doing so, just follow the simple step-by-step guide i have published.

      1. I tried to connect via network because normally “adb devices” doesn’t show my modem on the list. It might not be the exact device you guys have. Or the software version is different which doesn’t have ADB connections enabled. Since the modem upgrade page accepts an apk file, I will try to upload a modified apk file and open a reverse shell. I will update here if I succeed.

    1. I’m not sure what you have in mind, but Debian is what is already running on the thing. The Chinese blog site documents what the guy did to figure out how to flash a bootloader and Debian. I used Google Translate, and it did a decent job on most of the page. A few small sections of text were left in Chinese, but i copied/pasted them to get them translated.

  11. Has anyone had luck actually using the LTE modem after flashing this? I had a stick that detected the SIM just fine before flashing. After flashing it shows the sim as not being inserted:

    root@openstick:/# mmcli -m 0
    General | path: /org/freedesktop/ModemManager1/Modem/0
    | device id: 1ec3156c870d523e616cee0ef4dcf0676f78xxxx
    Hardware | manufacturer: 1
    | model: 0
    | firmware revision: MPSS.DPM.2.0.2.c1-00178-M8936FAAAANUZM-1D 1 [Nov 04 2016 02:00:00]
    | carrier config: ROW_Generic_3GPP
    | carrier config revision: 02010801
    | h/w revision: 10000
    | supported: gsm-umts, lte
    | cdma-evdo, lte
    | lte
    | cdma-evdo, gsm-umts, lte
    | current: gsm-umts, lte
    | equipment id: 86176603523xxxx
    System | device: qcom-soc
    | drivers: qcom-q6v5-mss, bam-dmux
    | plugin: qcom-soc
    | primary port: wwan0qmi0
    | ports: wwan0 (net), wwan0at0 (at), wwan0qmi0 (qmi), wwan1 (net),
    | wwan2 (net), wwan3 (net), wwan4 (net), wwan5 (net), wwan6 (net),
    | wwan7 (net)
    Status | state: failed
    | failed reason: sim-missing
    | power state: off
    | signal quality: 0% (cached)
    Modes | supported: allowed: 2g; preferred: none
    | allowed: 3g; preferred: none
    | allowed: 2g, 3g; preferred: 3g
    | allowed: 2g, 3g; preferred: 2g
    | allowed: 2g, 4g; preferred: 4g
    | allowed: 2g, 4g; preferred: 2g
    | allowed: 3g, 4g; preferred: 4g
    | allowed: 3g, 4g; preferred: 3g
    | allowed: 2g, 3g, 4g; preferred: 4g
    | allowed: 2g, 3g, 4g; preferred: 3g
    | allowed: 2g, 3g, 4g; preferred: 2g
    | current: allowed: any; preferred: none
    Bands | supported: egsm, dcs, pcs, g850, utran-1, utran-5, utran-8, eutran-1,
    | eutran-3, eutran-5, eutran-8, cdma-bc0
    IP | supported: ipv4, ipv6, ipv4v6

    anyone have a tip as to what might be wrong?

    1. It’s possibly down to a switch contact that is no longer mapped or has been remapped after flashing.

      I’ve setup a stupid number of RUT955 routers, the newer versions have a little metal plate on the side of the SIM tray that bridges a set of contacts, even with a sim inserted RUT955 refuses to accept there is a SIM present if this contact is not made.

      Could be something deeper but this is all I can think of at the moment.

        1. Thanks for the info, I’m still a finding new commands each day to get the info I want.

          I’m about to order a 2nd one of these, I’ve been holding off on flashing till the modem issue has been dealt with, once my 2nd is on the way I’ll flash the first one.

          1. I’ve not progressed further than using one as it is out of the box so far.

            Not currently sure where I’ve put them but if I find them I’ll try pull the drivers for you, could be quite a while though.

    2. Just had another read of the OP Chinese post on this device, it says….

      “Supports 4G wireless network cards whose silkscreens start with UFI001B, UFI001C, SP970, and UZ801.”

      a little lower dowm there is a table giving the GPOI for the LEDs for each of the above pcb silkscreen.

      Mine silkscreen is UF896_V1.1 so for the time being at least I’ll not have the LTE when I flash mine.

      1. Nop, been there.
        Modem will stuck in connecting mode
        > wwan0qmi0 gsm connecting (prepare) modem
        with this error:
        Jul 13 17:42:49 openstick ModemManager[330]: [modem0] couldn’t enable interface: ‘Couldn’t set operating mode: QMI protocol error (52): ‘DeviceNotReady”

        I also tried other images from OpenStick and finally bricked dongle with boot-uz801.img

      2. I have the same device UF886 and I want to send/recieve sms.
        So first I have now backed up my flash and dumped dmesg, config.gz and extracted several dtb..
        I would like to know where I can see in the plain android the gpio mapping or see a file where/which gpio is toggled if the sim is inserted as obviously this is why openstick will not work with sms.

        If I could send/recieve sms programmatically I would be fine with the stock android, too – as it’s so rooted. I can add and remove what I want now already. Thou a clean make flash all would be nice.

    3. I was seeing the same “sim-missing” failed status in ModemManager after flashing Debian.

      To get it working again, I took the white plastic casing off, removed the thin metal covering the SIM slot (had to gently pry it off a little after cutting the solder on both sides with a razor blade) and then (I know) taping the SIM card down making sure the 6 pins were in contact with the slot.

      Worked like a charm after that. My guess is that the pins on the SIM slot just weren’t making full contact with the SIM card before.

      1. Hi Richard, what is the silkscreen of your PCB?

        I think mine is one of the types that have been found to have LTE issue after flashing, as stock both of mine have worked fine.

    4. I have the same issue. Modems with firmware name beginning with MPSS are reported to not working properly with LTE on debian. I ordered two sticks, one with MPSS and the other one with UZ801 and the last one is working flawlessly.

  12. I don’t think that the SIM is enabled after flashing Linux. In the device tree, both UARTs are defined,but one is disabled. The enabled UART is assigned as a console during boot (solder wires onto RX, TX and GND).

    Either UART can be assigned to function as a SIM interface (UIM as Qualcom calls it). In device tree, sim_sel and sim_en are defined, but disabled.

    I’m trying to get the disabled UART enabled, to use as a second serial port. See what I have found on my web page.

  13. I may be a bit dim, but I can’t get either of the 2 devices I bought (which according to their web interfaces are the correct chipset) to show up with adb. I’m assuming they aren’t set up for usb debugging and I can’t see anything on either (totally different) web interface to set it up. nmap doens’t show any services on the usb0: interface it stands up either.

    The devices shows up as 65MB storage device (both) and expose something of a filesystem.

    Is there a file somewhere I need to edit to set up debugging?

    Nothing anywhere obvious (to me at least) like /boot, although I don’t see a kernel anywhere so I’m assuming I only have *some* of the filesystem.


    1. I followed Extrowerk’s instructions and was able to flash both of mine. If that doesn’t work for you, then perhaps you don’t have the correct ones.

      The other thing you can try is to press the “reset” switch just after plugging it in. That is supposed to put the device into flashboot mode. I didn’t need to do this, but was told that this works.

      1. Thanks for the reply Joe. Extrowerks instructions rely on debug being enabled, which unfortunately isn’t the case …

        Dmesg and lsusb report the correct chipset and an Android device and the chips are labeled as such (and that’s never wrong, right?…..) so I’m *fairly* confident I’ve not been ripped.

        Was wondering about the resets. The build quality is a bit crap so they are metal dome type switches rather than an actual hardware switch so it’ll be tricky, but doable. The timing will be critical as the boot process takes a bit of time and appears slightly different for both devices. The layout of both boards is slightly different as well. One has the I/O points on the edge, the other does not.

        I guess the next step is digging out the uart tools. Anyone have luck with that?

        1. I had the same issue. I was able to get past that.
          – Open the casing, there should be a switch. Plug in your device, wait a few moments till it turns on.
          – Run this command in the terminal -> adb wait-for-any-recovery && adb reboot bootloader
          – Press and hold switch, the lights will change color/flicker a few times. Let go of the switch and after a few moments your device should go to bootloader mode. From there you can resume the process mentioned in Extrowerks article.

  14. Awesome Nazmul. Thanks for that. Just have to futz with the damn tape and dome to make the switch work.

    Maybe if I’d read *all* the previous comments properly, I’d have seen you went through similar grief…

    .. Noob move on my part. But to be fair, I’ve been a lurker for years and this is the first post I’ve ever commented on, so …

  15. I have now looked at several web pages that tell you how to make a device tree overlay. However, the syntax on some is different than others, so I’m not sure which is correct. I’d appreciate it if someone more knowledgeable would look at what I have and tell me what I’m doing wrong.

    There is no separate dtb file, so I created a dts using this command “dtc -I fs /sys/firmware/devicetree/base”. The file is too large to post, so here is a Dropbox link:


    This is the overlay that I created:


    As you can see in the full device tree, the serial port that I am dealing with is already defined, but disabled. I just want to enable it. Optionally, setting the alias would be good, as the enabled serial port has one.

    When I compile the overlay with “dtc -O dtb -o serial2.dtbo -@ serial2.dts”, I get the following error:

    Error: serial2.dts:8.20-21 syntax error

    FATAL ERROR: Unable to parse input tree

  16. This is a great little linux device. Unfortunately I accidently removed network-manager and now I have no access to it anymore via adb or network/usb. has anyone successfully used the reset button to get it into fastboot/recovery? I am having no luck so far.

    1. Did you try ssh’ing into it? Also, there is a serial console running. Solder wires for tx, rx, gnd. Use 115,200, n, 8, 1. Failing all of that, look above for Nazmul’s instructions. See my web page for more info.

    2. I bricked mine, but managed to boot into EDL mode (pressing the reset button while plugging it into USB). From there it’s possible to reflash a stock image and afterwards debian again… If you’re interested I can help you with that.

        1. If you hold the button and connect it, it starts up in QDL/EDL mode and you can read and write its flash using this tool: https://github.com/bkerler/edl – it’s written in python so I think you can also install it using pip. Here you can find a “stock” firmware in the UFIOO1C_MB_V01_JZ_ROM subdir: https://drive.google.com/drive/folders/1UT6yQoI-s5d02pTQJj9MCErYoF6Juzc9
          The command I used was “edl qfil rawprogram0.xml patch0.xml .”
          Good luck!

          1. Should the device show up in ‘lsusb’ or ‘Device Manager’ while in this edl mode?
            Mine does not. it appears to be dead, no LED’s ever any more. no usb devices enumerating. I pressed the button on the PCB while plugging it in, held it for varying lengths of time before releasing it, no luck so far.
            My device is the same as the one in the pictures on the first post of this thread.

          2. Hmm when I plug mine in while holding the button, LEDs are not doing anything.
            However, lsusb shows this line: “ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)” which is how I found out about QDL mode in the first place…

          3. to answer @jockl I was first in the same situation as you, nothing in the shell as well.
            After retrying unplug plug again by maintaining reset button pressed and then unpressed, and relaunching the command indicated “edl qfil rawprogram0.xml patch0.xml .” from inside the Roms directory, I was able to see lot of logs in shell indicating flashing.
            However no led blinking, so I suppose Led blinking is only when the Openstick is on its own

  17. I was super excited to see this awesome hack and found a promising one that I purchased from alibaba; the primary chip checks out – MSM8916; pictures for reference https://snipboard.io/EMeKF7.jpg , https://snipboard.io/9ExrwU.jpg

    But the challenge is, I’m not able to get an adb connection to it. The device is pingable and UI is accessible on, now here’s something new – there is no “upgrade” function in the UI either and after a bit of tinkering, found it is running a Eclipse Jetty webserver, rather than I what I can guess the others are running – an android app.

    On connecting to USB, it lists as a RNDIS device, disconnects and reconnects again in a few seconds
    [Aug20 15:04] usb 3-8.1.4: new high-speed USB device number 41 using xhci_hcd
    [ +0.101530] usb 3-8.1.4: New USB device found, idVendor=05c6, idProduct=f00e, bcdDevice=ff.ff
    [ +0.000010] usb 3-8.1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [ +0.000003] usb 3-8.1.4: Product: Android
    [ +0.000002] usb 3-8.1.4: Manufacturer: Android
    [ +0.000002] usb 3-8.1.4: SerialNumber: 0123456789ABCDEF
    [ +0.006808] rndis_host 3-8.1.4:1.0 usb0: register ‘rndis_host’ at usb-0000:00:14.0-8.1.4, RNDIS device, ce:12:d8:cd:30:e0
    [ +8.630068] usb 3-8.1.4: USB disconnect, device number 41
    [ +0.000192] rndis_host 3-8.1.4:1.0 usb0: unregister ‘rndis_host’ usb-0000:00:14.0-8.1.4, RNDIS device
    [ +0.257230] usb 3-8.1.4: new high-speed USB device number 42 using xhci_hcd
    [ +0.100923] usb 3-8.1.4: New USB device found, idVendor=05c6, idProduct=f00e, bcdDevice=ff.ff
    [ +0.000009] usb 3-8.1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [ +0.000004] usb 3-8.1.4: Product: Android
    [ +0.000002] usb 3-8.1.4: Manufacturer: Android
    [ +0.000002] usb 3-8.1.4: SerialNumber: 0123456789ABCDEF
    [ +0.004680] rndis_host 3-8.1.4:1.0 usb0: register ‘rndis_host’ at usb-0000:00:14.0-8.1.4, RNDIS device, 3e:d1:02:cf:1d:75

    I’m a noob and perhaps I’m missing something very obvious – any insights?

  18. Been running mine stock for a couple of days, works fine as its built, I’ve done a port scan using “pingtools” from my phone and the following 3 ports show with stock firmware.

    Tried to SSH into 53 using ‘admin’ and ‘root’ as user name but it just hangs.

    I’m hoping there is a way to poke at it while stock to figure out what’s different between stock and Linux for the modem “no sim” issue.

  19. I got mine from https://amzn.eu/d/6UEapVO and https://amzn.eu/d/6QXY1tJ they both are labeled with UFI_003_MB_V02 and I also have issues with 4G, but at least SIM and GSM seem to work on stock android. That’s why I rooted the device for further debugging… The app “Qct Modem Capabilities” shows lte bands B1, B3, B5 and B8 are supported. In case anyone is interested in an easy way to root stock android:


    adb push SR5-SuperSU-v2.82-SR5-20171001224502.zip /sdcard

    adb reboot bootloader

    fastboot boot twrp-3.1.1-0-seed.img

    #wait some time until adb is up

    adb shell

    twrp install /sdcard/SR5-SuperSU-v2.82-SR5-20171001224502.zip


    you can access the gui with some adb screenshot tool like


    1. Hi, so after rooting, the GUI or “phones menu” screen is available on the PC?

      Does this mean that if we only need to run a Android APK it can be installed this way?

      1. Hi!

        Root is not needed for that – just adb :)
        You can see a qualcomm boot animation and a GUI for the chinese webserver app.
        The top button takes you to settings menu.
        First things I did were setting the language to english and turning off the display lock.
        After that I installed apks for a launcher, sms and calls (no GUI needed for that)

        After rooting you can do some interesting stuff
        like getting band infos of your modem,
        change the IMEI or even unlock all bands.

        I unlocked all the bands and changed the IMEI (android showed a different IMEI than a sticker on the device, and I could not change the IMEI via webserver) but, as was to be expected, I am still not able to use 4G :/

        If you wanna try it, check xda developers for some qualcomm tools (i.e. QPST, DFS, IMEI Changer, etc) and how to use them.
        Maybe there’s a dialer code or another way to get into qualcomm diag mode, but I used root and did it like this:

        adb shell
        su #if you rooted like me you probably have to confirm via GUI once
        setprop sys.usb.config diag,adb

  20. I just got two in…Both appear to be exactly the same based off layout and information on the boards.

    Got one working fine, the other never gets picked up by ADB.

    Tried a bunch of the button/reboot suggestions, just can’t get it to work…The stock firmware is fine (Although sadly I didn’t get the right LTE band so it’s worthless for me at stock).

    But hey, got one to mess with…Pretty slick for $18

  21. anyone know how to change the imei on this modem? my LTE network won’t connect cause the IMEI is not registered in my country, need to change the imei to fix that. using “fastboot oem writeimei ” I don’t have any result.

    1. there is another kind of red that have branded like Telkomsel 4g LTE https://i.imgur.com/C5S6G88.jpeg , I have those and no adb, but I was able to boot to fastboot by holding the reset/switch button long enough, the pcb marking is SP970-B-V3, more detail below your comment. basically it is a gacha buying this modem, we have to ensure the right model by asking the seller agan and again until it is clear.

      1. Dude, can I have your email or any other contact? I have a WiFi dongle with Hardware: SP970-A-V9 and Firmware: M8916_MD.B14.APE04/BP010. The web admin page ( can not read or send sms (i think because broken interface). I only just want to read sms programmatically such as Gammu or any other tools. The PCB you have can it read/sens sms?

  22. my other modem with old firmware don’t enable adb by default, but I can enter fastboot mode by pressing the reset button long enough until all the led is not blinking (all led color turn on).
    the device firmware and hardware info from web interface:
    Firmware version: M8916_MD.B01.AP007/BP001
    Hardware version: SP970_HW_V1
    Internal storage: 2.25 GB/2.37 GB
    lsusb result
    Bus 005 Device 007: ID 05c6:f000 Qualcomm, Inc. TA-1004 [Nokia 8]
    lsusb when in fastboot mode
    Bus 005 Device 009: ID 18d1:d00d Google Inc. Xiaomi Mi/Redmi 2 (fastboot)

    the marking of the pcb is SP970-B-V3, all module are shielded can not get any information on anymore

    1. nice that it worked out for you! may I ask, which bands your provider uses? I’m still trying to get 4G to work with a telephonica prepaid card in germany and already changed the IMEI to a valid one…

      1. The modem itself support only this according to my vendor that sell this modem. Our biggest provider Telkomsel use this modem and rebrand it with their name and sell it here so it is legit information.

        Support 2G, 3G, 4G 1800 MHz 2300MHZ
        FDD BAND 1/3/5
        TDD BAND 40

  23. I discovered a new thing. To enable adb on this SP970_HW_V1, I have to enter this strange url. if your modem UI setting is on and the DHCP ip range is on and have the SP970 version, you can try this.

    after entering those url on web browser I was immediately able to se devices under adb. when adb is detected the lsusb tell that this is a nexus device
    Bus 005 Device 004: ID 18d1:d002 Google Inc. Nexus 4 (debug)

    I found this trick from https://github.com/peasca/SP970_Patcher

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.