Hackable $20 Modem Combines LTE And Pi Zero W2 Power

The modem in question plugged into a black powerbank.

[extrowerk] tells us about a new hacker-friendly device – a $20 LTE modem stick with a quadcore CPU and WiFi, capable of running fully-featured Linux distributions. This discovery hinges on a mountain of work by a Chinese hacker [HandsomeYingYan], who’s figured out this stick runs Android, hacked its bootloader, tweaked a Linux kernel for it and created a Debian distribution for the stick – calling this the OpenStick project. [extrowerk]’s writeup translates [HandsomeYingYan]’s tutorial for us and makes a few more useful notes. With this writeup in hand, we have unlocked a whole new SBC to use in our projects – at a surprisingly low price!

At times when even the simplest Pi Zero is unobtainium (yet again!), this is a wonderful find. For a bit over the price of a Zero 2W, you get a computer with a similar CPU (4-core 1GHz A53-based Qualcomm MSM8916), same amount of RAM, 4GB storage, WiFi – and an LTE modem. You can stick this one into a powerbank or a wallwart and run it at a remote location, make it into a home automation hub, or perhaps, process some CPU-intensive tasks in a small footprint. You can even get them with a microSD slot for extra storage – or perhaps, even extra GPIOs? You’re not getting a soldering-friendly GPIO header, but it has a few LEDs and, apparently, a UART header, so it’s not all bad. As [extrowerk] points out, this is basically a mobile phone in a stick form factor, but without the display and the battery.

The modem with its cover taken off, showing the chips on its board.

Now, there are caveats. [extrowerk] points out that you should buy the modem with the appropriate LTE bands for your country – and that’s not the only thing to watch out for. A friend of ours recently obtained a visually identical modem; when we got news of this hack, she disassembled it for us – finding out that it was equipped with a far more limited CPU, the MDM9600. That is an LTE modem chip, and its functions are limited to performing USB 4G stick duty with some basic WiFi features. Judging by a popular mobile device reverse-engineering forum’s investigations (Russian, translated), it looks like the earlier versions of this modem came with the way more limited MDM9600 SoC, which is not able to run Linux like the stick we’re interested in does. If you like this modem and understandably want to procure a few, see if you can make sure you’ll get the MSM8916 and not the MDM9600.

Days of using WiFi routers to power our robots are long gone since the advent of Raspberry Pi, but we still remember them fondly, and we’re glad to see a router stick with the Pi Zero 2W oomph. We’ve been hacking at such sticks for over half a decade now, most of them OpenWRT-based, some as small as an SD card reader. Now, when SBCs are hard to procure, this could be a perfect fit for one of your next projects.

Update: in the comments below, people have found a few links where you should be able to get one of these modems with the right CPU. Also, [Joe] has started investigating the onboard components!

83 thoughts on “Hackable $20 Modem Combines LTE And Pi Zero W2 Power”

    1. some of the listings on fleabay do indicate ‘qualcomm 9600’ or ‘qualcomm 8916’, so I recommend doing a search with descriptions included to find those listings.

          1. I’ve picked up a pair from a different seller. They’re listed.. confusingly, and I’m guessing they ship whatever’s on hand. Both the ones I got from https://www.aliexpress.com/item/1005004198680336.html are 8916s (according to the splash page on the router ui) with one sim, GPS detected as 0 lat and long, and the ability to switch to a second, non obvious sim card. Haven’t tried reflashing them cause I actually need them to be 4G APs for a bit

      1. I’m still a little new to hardware hacking so I have to ask, with having a full Linux distro on this, could it reverse SSH tunnel to my home setup so I can link to it from the house regardless of the sim card it’s using?

          1. Thanks for the reply.

            My home broadband has a dynamic ip, but SSH into my router and VNC of my pi Zero work fine using NoIP DDNS service.

            A reverse tunnel would work just the same as with a fixed IP?

          2. As long as your DDNS works well and you use the DDNS domain name instead of the IP when creating the tunnel, it oughta work! One thing though – I’d look into something like a Wireguard connection instead of SSH for a tunnel, not only it’s more featureful, it’s also more reliable wrt autoconnects and unreliable links, in my experience.
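A least-privilege version of the reverse SSH tunnel discussed in the two replies above, as an added example that is not part of the original comments. The host name, account, port and key path are placeholder assumptions, and the `SSH` override is a hypothetical dry-run hook.

```shell
#!/bin/sh
# Added example: least-privilege reverse SSH tunnel, stick -> home server.
# Every value below is a placeholder assumption, not taken from the article.
HOME_HOST="home.example.net"    # DDNS name of the home server
HOME_USER="tunnel"              # unprivileged account on the home server
REMOTE_PORT=2222                # listener opened on the home server's loopback
KEY="/root/.ssh/id_tunnel"      # key used for this tunnel and nothing else

# Line for ~tunnel/.ssh/authorized_keys on the HOME server.
# restrict: no PTY, no agent/X11 forwarding, no forwarding at all;
# port-forwarding + permitlisten: re-allow only this one -R listener;
# command: any attempt to run a command gets /bin/false instead.
authorized_keys_entry() {       # $1 = port, $2 = public key line
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s\n' "$1" "$2"
}
# On the home server, "Match User tunnel" + "AllowTcpForwarding remote" in
# sshd_config additionally blocks -L forwards into the home LAN.

run_ssh() {
    # StrictHostKeyChecking=yes: refuse to connect if the DDNS name ever
    # points at a host whose key is not already in known_hosts.
    # ExitOnForwardFailure=yes: die (and retry) if the listener cannot be bound.
    # SSH can be overridden for a dry run (hypothetical hook).
    "${SSH:-ssh}" -N -T -i "$KEY" \
        -o IdentitiesOnly=yes -o BatchMode=yes \
        -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "localhost:${REMOTE_PORT}:localhost:22" "${HOME_USER}@${HOME_HOST}"
}

next_delay() {                  # $1 = current delay (s), $2 = cap (s)
    d=$(( $1 * 2 ))
    if [ "$d" -gt "$2" ]; then d=$2; fi
    echo "$d"
}

keep_tunnel() {
    delay=5
    while :; do
        started=$(date +%s)
        run_ssh                 # each new ssh process re-resolves the DDNS name
        # a session that lasted over a minute resets the backoff
        if [ $(( $(date +%s) - started )) -ge 60 ]; then delay=5; fi
        sleep "$delay"
        delay=$(next_delay "$delay" 300)
    done
}

# Start the loop only when asked to: sh tunnel.sh run
if [ "${1:-}" = "run" ]; then keep_tunnel; fi
```

With the tunnel up, the stick's own SSH daemon is reachable from the home server at port 2222 on localhost, and the key stored on the stick can do nothing else there.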

    2. It is striking that everyone involved has seen fit to detail every aspect of the project *except* the most essential bit: a reliable way to get hold of the stick in question… it’s probably safest to regard this as non-repeatable until there’s a source for it, just like all of those nifty-looking software projects whose only documentation is a Youtube video.

        1. Isn’t that perfect? We’re looking for the MSM8916. Who here even cares about the sim? It seems to me that we’re in this to make an affordable sbc, not a phone or modem.

  1. Why does an LTE modem have an Android distribution on it? What’s it doing? Why is the processor this powerful?

    Is this just a bigger processor swapped in because the smaller ones became unobtainable? Or is this thing MITMing all your LTE comms?

    1. Stingray on a fob, for 3rd world intelligence services on a budget.

      Someone with deep cell network knowledge should implement a stingray on this thing. If the NSA can snoop us, we should be able to snoop them. Fair’s fair. Goose, gander etc.

      Might need a linear to work, but good news, Alibaba has cheap linears.

    2. TL;DR: using Android is easier and cheaper than spinning up their own distro because it already handles 95% of the stuff they’d need to implement if they did it from scratch

      Android was just the cheapest and easiest option to go with when deciding on what to run on the thing. Think about it, android already has all the drivers and utilities for setting up an LTE connection and handling network routing (hotspot). All the manufacturer has to do is rip out all the gui bits, throw in a couple of auto configuration scripts for stuff like a wifi AP, a web interface for additional configuration (APNs, sms, etc.) and boom you have an LTE hotspot. As for why it’s so powerful, the main chip is a SOC meant to power whole android phones and tablets it’s not just a modem. I wouldn’t be surprised the chips in these are inexpensive QC rejects from Qualcomm

      1. Exactly this. I’ve seen medical devices that had to call home, and they came with a locked-down Motorola smart phone that had the android UI disabled. Literally powers on with Motorola & the carrier logos, then shows the most simple text UI reminiscent of fastboot / recovery mode that shows signal strength and IMEI. No user-interactive controls beyond power off.

  2. I feel silly but I can’t find what the guy bought in specific. Rather just the class of device bought.

    That said, I am reminded of a hockey puck sized Wifi/LTE modem my aunt had about a decade back, and realized if I could run a ‘normal’ linux on it and if there is on device storage it’d make a decent little hobby box.

  3. Can the USB port on this be configured to not only power the device, but to be a host to another USB device? If so, adding a small USB hub would allow you to use multiple devices with this.

    1. By default, the usb port would be a gadget or device port, rather than a host.

      That said, since many phones support OTG, that may also be the case here, and it might be possible to have the dongle be a host with an appropriate adapter and internal programming.

      Note that an OTG cable has the ID pin to allow the device to recognise that it should enter OTG mode and assume the host role, while these devices only have a USB A connector which omits the ID pin. Hence the requirement to programmatically enter host mode. Also, you would need the hub to source power to the dongle as well as any other devices connected to it.

  4. Not sure how $20 is a good deal, 6 years ago I bought 3 Moto Es for $20 each, those have the same chipset, twice as much RAM, and include a battery and screen. They even held up to a few years of cryptocurrency mining, something that would burn out cheap ZTEs after a few months to a year. Once mining wasn’t profitable anymore, I now have those Moto Es waiting for use in some other project.

    1. I just bought a moto g4 play XT1601 (as is- couldn’t read sim cards) as well as several of these 4G LTE MSM8916 sticks to see if I can get openstick running on both instances of MSM8916 (the moto g4 play has MSM 8916 and 2GB DDR3 RAM). The 4G LTE sticks on Alibaba were $12 with free shipping and the as-is g4 play was $13 with free shipping. Same cost, but more ram and a working screen. I’m just curious what I can do with it.

  5. Pis are highly sought after because they have a vast developer network, receive regular updates, and are designed for DIY. Taking any ARM SBC with similar chips and trying to replicate a Pi just turns it into a Linux box that can’t install kernel updates.

    It’s just not the same thing, and the pricing of Pis reflects that more than just supply chain issues. We know there are plenty of cheap chips out there, but there’s only one brand of ARM SBCs that gives you the flexibility and support as if you were building a home PC. There is just no competitor for that ecosystem yet.

  6. It seems that this chipset has some additional functionality built in: Adreno 306 graphics, Bluetooth, GNSS (GPS, GLONASS, BeiDou).

    On this dongle, the GNSS probably doesn’t have an antenna, but I wonder if Bluetooth shares the WiFi antenna?

    Not being a Linux guru, let me ask a possibly dumb question. Could you use the Adreno as if there were a display connected, but instead, view the output on VNC? I know you can do this on a computer with a physical display connected. That way, you wouldn’t be limited to only running text programs.

    BTW, I ordered two similar looking dongles from Amazon for $23 each (two days, instead of two weeks). They showed as having a uSD slot, so hopefully they have the correct chipset. Wrong LTE bands for the US, but I don’t care.

      1. I think it’s ironic that one of you is called Lucifer, the father of lies, and the other is called tryhrth which looks like truth.

        Anyway, I’ve seen it for as low as $12 on aliexpress. ctrl + f my name for a link to what I found

  7. I did something like that once.
    I have a Huawei LTE router, on digging I found out that it runs Android.
    Adb is accessible via network and running “adb shell” returns a root terminal.
    I have disabled unnecessary services (VoIP + SIP, VPN etc) to save memory.
    Then I have mounted an Adguard Server and with a HDD through the USB port a torrent download server (Transmission WebRPC).
    Those modifications had no impact on performance and were more than enough.
    The characteristics were CPU Hisilicon x2 1GHz, 512MB RAM, 1Gb Flash (only 128Mb accessible, the rest of the partitions are system and read only).

  8. My Amazon order arrived today. I have Debian installed on one of the two devices that I ordered. I did have a problem with fastboot on Win10, but found the answer here: https://beebom.com/fastboot-not-detecting-device-windows-10/

    I am currently having a problem with installing nano. I am getting name resolution errors. I’ll have to brush up on my Linux. I haven’t done anything with it in several years, and all of the configuration stuff I used to know has changed.

    Here is a link to what I bought. Note that despite the description and picture, it has no TF slot. There are several vendors selling the same thing, at least one for $2 less. Look for the picture of the guy with glasses, holding it next to his head.

    https://www.amazon.com/dp/B07NY4X5YP/

    Looking at the circuit board, I see pads for a UART, an antenna (which one?) and other stuff. For later investigation…

    1. nicely done, thank you for writing your experience up and sharing it with us! some notes:

      > The bottom side shows where the missing TF socket should be, next to a reset button.

      That is not a TF socket footprint, it’s a footprint for a small DFN-8 chip – in fact, there’s two of these, as you’ve noticed. I wonder what’s that for – I’ll have to wait until I can get one of your modems. However, if it’s a flash chip and happens to use SPI, we could absolutely mod a microSD card slot on there, just that it’d be lower-speed, perhaps.

      > I’ll have to see how a SIM is interfaced to a phone, but this sounds suspiciously like the signals used by I2C, except for Reset.

      Certainly not – in fact, SIM interfaces are more UART-like.

      > The two FB pads with arrows are obviously for Up/Down buttons.

      ..hope so, but what makes you think that?

      > One may be for Bluetooth. I’ll find this out later, when I try to enable Bluetooth.

      the Bluetooth support circuitry might not even be wired up to the chip, I’m afraid =( that said, there’s hope, of course!

      The UART and SPI things absolutely could use a test! My guess is that SPI would be quite usable from Linux, and UART always tends to be – unless it’s some comms channel between two chips on the board or something.

      1. I was going by the picture that showed a TF socket, and assumed that was what the footprint was for. It looks like you know more about that than I do. Also about SIMs.

        As for the buttons, I found some documentation for a development board that uses the Snapdragon 410. It talks about reassigning buttons. That is just some of the additional documentation that I need to read through. I’ll update the web page later.

        I haven’t tried Bluetooth yet. I assume it uses the same antenna as Wifi, though.

        The UART is next on my list of hardware to investigate. I2C and SPI will be later.

        For further discussion, it might be best for you to email me (take the username and domain in the URL of the web page). Any information about these dongles will be added to my web page as we learn new things.

  9. To save others from making the same mistake I did, you need to configure the WiFi on the dongle as a client, with no SSID. Then use “Activate” to connect to your home WiFi router. Select your SSID, then you will be prompted for a password. Finally, your dongle will be connected to the internet.

    But now, when I try to do an apt-get update, I’m getting various errors. I can ping google.com and others, so I know that the internet is finally working.

  10. I think I have the same one. I opened it and it has a chip marked as “PM8916”. When I log in to the router page, there is a “upgrade” option which accepts an “apk” file and in windows the device name is “Android”. But I cannot connect via ADB. The router IP is “192.168.100.1” and if I try to connect by running “adb connect 192.168.100.1” it says connection refused. Anyone has any idea?

    1. That PM8916 chip is the Power Management IC (PMIC). That is the same one I have. However, the default IP you have is different. I have 182.168.68.1, which is the same as documented by Extrowerk. So, without unsoldering the metal shield to look for the MSM8916, I don’t know how to confirm that you have the correct LTE dongle.

      I followed Extrowerk’s instructions, and managed to flash Linux. If that isn’t working for you, perhaps you don’t have the correct dongle.

      1. I tried to change the ip address to “192.168.68.1” just to test if it works. The modem stopped working at all. So I opened it, long pressed the power button and everything was reset. So it works now.
        Although my device doesn’t normally show up on “adb devices” list, when I do a factory reset, it briefly shows up in “recovery” mode. So I am guessing a valid android device is in there, but the system has developer mode turned off so it doesn’t normally show up in “adb devices” list.

    2. > “adb connect 192.168.100.1”

      I have *nowhere* documented a step like this.
      Stop reinventing the wheel and causing headache for yourself while doing so, just follow the simple step-by-step guide I have published.

      1. I tried to connect via network because normally “adb devices” doesn’t show my modem on the list. It might not be the exact device you guys have. Or the software version is different which doesn’t have ADB connections enabled. Since the modem upgrade page accepts an apk file, I will try to upload a modified apk file and open a reverse shell. I will update here if I succeed.

    1. I’m not sure what you have in mind, but Debian is what is already running on the thing. The Chinese blog site documents what the guy did to figure out how to flash a bootloader and Debian. I used Google Translate, and it did a decent job on most of the page. A few small sections of text were left in Chinese, but I copied/pasted them to get them translated.

  11. Has anyone had luck actually using the LTE modem after flashing this? I had a stick that detected the SIM just fine before flashing. After flashing it shows the sim as not being inserted:

    root@openstick:/# mmcli -m 0
    ———————————–
    General | path: /org/freedesktop/ModemManager1/Modem/0
    | device id: 1ec3156c870d523e616cee0ef4dcf0676f78xxxx
    ———————————–
    Hardware | manufacturer: 1
    | model: 0
    | firmware revision: MPSS.DPM.2.0.2.c1-00178-M8936FAAAANUZM-1D 1 [Nov 04 2016 02:00:00]
    | carrier config: ROW_Generic_3GPP
    | carrier config revision: 02010801
    | h/w revision: 10000
    | supported: gsm-umts, lte
    | cdma-evdo, lte
    | lte
    | cdma-evdo, gsm-umts, lte
    | current: gsm-umts, lte
    | equipment id: 86176603523xxxx
    ———————————–
    System | device: qcom-soc
    | drivers: qcom-q6v5-mss, bam-dmux
    | plugin: qcom-soc
    | primary port: wwan0qmi0
    | ports: wwan0 (net), wwan0at0 (at), wwan0qmi0 (qmi), wwan1 (net),
    | wwan2 (net), wwan3 (net), wwan4 (net), wwan5 (net), wwan6 (net),
    | wwan7 (net)
    ———————————–
    Status | state: failed
    | failed reason: sim-missing
    | power state: off
    | signal quality: 0% (cached)
    ———————————–
    Modes | supported: allowed: 2g; preferred: none
    | allowed: 3g; preferred: none
    | allowed: 2g, 3g; preferred: 3g
    | allowed: 2g, 3g; preferred: 2g
    | allowed: 2g, 4g; preferred: 4g
    | allowed: 2g, 4g; preferred: 2g
    | allowed: 3g, 4g; preferred: 4g
    | allowed: 3g, 4g; preferred: 3g
    | allowed: 2g, 3g, 4g; preferred: 4g
    | allowed: 2g, 3g, 4g; preferred: 3g
    | allowed: 2g, 3g, 4g; preferred: 2g
    | current: allowed: any; preferred: none
    ———————————–
    Bands | supported: egsm, dcs, pcs, g850, utran-1, utran-5, utran-8, eutran-1,
    | eutran-3, eutran-5, eutran-8, cdma-bc0
    ———————————–
    IP | supported: ipv4, ipv6, ipv4v6
    root@openstick:/#

    anyone have a tip as to what might be wrong?
