A couple of months ago, I purchased this 4G LTE USB Dongle from Shopee for around 300+ PHP. Out of curiosity, I searched the internet to see if there was a way to modify the horrible web UI of the device. Here are some images of the device along with the board and it's chips.
The device heart of the dongle is a MSM8916 which is running a stripped-down version of Android 4.4.4 KitKat, the android setup restricts the use of the additional two CPU cores. I believe this is to prevent the device from overheating.
The web UI is so poorly designed that simply changing the URL and calling main.html
will take you to the main page:
Before doing anything to your USB dongle, you must first enable ADB (if it's not already enabled) by accessing this URL: http://192.168.100.1/usbdebug.html.
You need to have:
If you are using Windows, you must install the following:
On Windows, you might encounter this error: NotImplementedError: Operation not supported or unimplemented on this platform
. One way to fix this is by uninstalling the QDLoader 9008 Driver and replacing it with Zadig WinUSB⁽¹⁾.
To enable EDL mode on your device, execute the following command:
adb reboot edl
Alternatively, for a more hands-on approach, you can short the D+ and GND on the USB before connecting it to your computer. Once the device is in EDL mode, execute the following commands to create a backup:
python3 edl rf {your_filename}.bin
To restore simply run:
python3 edl wf {your_filename}.bin
You can then use tools such as PowerISO to view the different partitions of the image.
To gain root access, you need to install SuperSU on the USB dongle. Ensure you have the following files:
After obtaining the necessary files, open a new terminal and execute the following commands:
adb push SR5-SuperSU-v2.82-SR5-20171001224502.zip /sdcard
adb reboot bootloader
fastboot boot twrp-3.1.1-0-seed.img
The device may take some time to restart adb. Please be patient. Once adb is up and running again, proceed with the following commands:
adb shell
twrp install /sdcard/SR5-SuperSU-v2.82-SR5-20171001224502.zip
reboot
As the device is running Android, we can see the display as if it has a screen using a tool named adbcontrol.
Steps:
extract adbcontrol.zip
cd adbcontrol
modify config.properties by pointing to the appropriate directories
java -jar adbcontrol.jar
Note:
adbCommand = {LOCATION_OF_ADB_EXE}
localImageFilePath = {LOCATION_ON_YOUR_HOST_MACHINE}
Thanks to this wonderful and well written guide from here we can now modify the web ui
First and foremost we need to identify the correct apk file some version of this dongle comes with the Jetty2m.apk and MifiService.apk in my case I have the MifiService.apk which was located in /system/priv-app/MifiService.apk
I then pull the packed using adb pull /system/priv-app/MifiService.apk
to get the apk package here are some of the steps from the instructions above:
Fetch test-keys:
git clone https://android.googlesource.com/platform/build
cd build/target/product/security/
openssl pkcs8 -inform DER -nocrypt -in platform.pk8 -out platform.pem
openssl pkcs12 -export -in platform.x509.pem -inkey platform.pem -out platform.p12 -password pass:android -name testkey
keytool -importkeystore -deststorepass android -destkeystore platform.keystore -srckeystore platform.p12 -srcstoretype PKCS12 -srcstorepass android
mv platform.keystore {YOUR_WORK_DIR}
Decompile apk:
java -jar apktool.jar d {APP_NAME}.apk -o {APP_NAME}
You can then start to customization under the assets folder
[!NOTE]
Don't forget to change theversionCode
andversionName
in the apktool.yml
Recompile apkn(If asked for a passphrase type android
):
java -jar apktool.jar b -o unsigned.apk {APP_NAME}
Zipalign:
zipalign -v 4 unsigned.apk aligned.apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ./platform.keystore aligned.apk testkey
Install apk:
adb install -r aligned.apk
To install openwrt on the device you will need
fsc.bin, fsg.bin modemst1.bin, modemst2.bin from your backup
Steps
adb shell reboot edl
python3 edl wf {OPENWRT FILE}
python3 edl reset
adb reboot-bootloader
fastboot oem reboot-edl
python3 edl w fsc fsc.bin
python3 edl w fsg fsg.bin
python3 edl w modemst1 modemst1.bin
python3 edl w modemst2 modemst2.bin
python3 edl reset
wget https://download.wvthoog.nlopenstick-uz801-v3.0.zip
../flash.sh
; for Windows, run ./flash.bat
.For more information visit Wim van 't Hoog blog
Below, I’ve provided a stock dump of my firmware (Philippines version). Please note that flashing this firmware is at your own risk. The board number for this dump is FY_UZ801_V3.2. You might also need to replace the modem firmware with yours for it to work in your region.
In case you bricked your device and cannot access EDL just short the pins below
This project references the following resources:
Wim van 't Hoog - For Debian Kernel build and instructions.
ddscentral - For Debian build and instructions.
postmarketOS - Instructions and Board pinout image
edl - Primary tool for dumping the Original firmware
adrian-bl - Instruction for modifying Web UI
These resources have been instrumental in the creation of this project.
This repository is open-sourced software licensed under the MIT license.
Copyright AlienWolfX 2024