theXappy/UZ801-LTE-USB-MODEM

Intro

I bought this "4G LTE USB Dongle WiFi" from AliExpress around 2023.
After playing with it for a while, I decided to document all the quirks/tricks I've learned.
I'm not the first one to research this thing, so some of the links below are to other GH repos by other, smarter people.
SoC seems to be: Qualcomm Snapdragon 410 (MSM8916)
USB Hardware IDs: VID_05C6 PID_90B6
Modem Identifiers (fetched with AT commands):

ATI
Manufacturer: QUALCOMM INCORPORATED
Model: 4094
Revision: UZ801_V01R01B06  1  [Sep 07 2015 23:00:00]
SVN: 01
IMEI: +CGSN:8666800XXXXXXXX
+GCAP: +CGSM,+DS,+ES

AT^SWVER
UZ801_2.0.0

AT^HWVER
Part=206  version=1.0

Table of Contents

🌐 Web App & ADB

  1. Blackbox Web App UI + API Research
  2. Whitebox Web Server via ADB exploration
  3. Replacing the Web Server (or any APK) by abusing test-keys (Part 1) [Part 2] (by adrian-bl)
    • Their device doesn't look the same (+ I had root on by default) but mine also deployed test-keys so the same logic applies.
  4. Persistent ADB over WiFi
    • Usually ADB over WiFi is enabled by first connecting the device via USB and running (on PC) adb tcpip 5555. This won't survive a reboot.
    • Alternatively, you can use (on Android) setprop persist.adb.tcp.port 5555. That one will. Follow with adb connect <device-ip>:5555 on PC to access it.
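
A check for the settings described in items 3 and 4 above, as an added example that is not part of the original repository: it reads `getprop` output and flags an ADB TCP port, missing ADB host authorisation, and a test-keys build. `service.adb.tcp.port` and `ro.adb.secure` are standard Android properties this README does not mention, and the sample property dump is constructed.

```shell
#!/bin/sh
# Added example (not from the repository): flag the ADB-related settings this
# README relies on, given `getprop` output from a device you own.
#   adb shell getprop | audit_getprop

# Constructed sample in the "[key]: [value]" format getprop prints.
SAMPLE_PROPS='[persist.adb.tcp.port]: [5555]
[ro.adb.secure]: [0]
[ro.build.tags]: [test-keys]
[ro.build.version.sdk]: [19]'

# prop_value NAME: print NAME's value from getprop text on stdin (empty if unset).
prop_value() {
    awk -v key="[$1]:" '$1 == key {
        v = $0; sub(/^[^ ]+ \[/, "", v); sub(/\]$/, "", v); print v; exit }'
}

# tcp_enabled VALUE: true when adbd would open a TCP listener for this value.
tcp_enabled() {
    case "$1" in ''|0|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# audit_getprop: read getprop text on stdin, print one FINDING line per issue.
audit_getprop() (
    props=$(tr -d '\r')   # adb shell output may carry CRLF line endings
    get() { printf '%s\n' "$props" | prop_value "$1"; }
    n=0
    for p in persist.adb.tcp.port service.adb.tcp.port; do
        v=$(get "$p")
        if tcp_enabled "$v"; then
            echo "FINDING: $p=$v, ADB is reachable over the network"
            n=$((n + 1))
        fi
    done
    # Assumption: standard adbd behaviour, host-key authorisation only when "1".
    if [ "$(get ro.adb.secure)" != 1 ]; then
        echo "FINDING: ro.adb.secure is not 1, adbd accepts unauthorised hosts"
        n=$((n + 1))
    fi
    case "$(get ro.build.tags)" in
        *test-keys*)
            echo "FINDING: ro.build.tags has test-keys, platform signing key is public"
            n=$((n + 1)) ;;
    esac
    [ "$n" -gt 0 ] || echo "OK: no findings"
)

printf '%s\n' "$SAMPLE_PROPS" | audit_getprop
```

A `persist.adb.tcp.port` finding means the listener comes back after every reboot, while `service.adb.tcp.port` is the runtime value set by `adb tcpip`.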

☎️ Modem

  1. Modem drivers for Windows + AT Commands communication
  2. Sniffing 3G/4G Traffic via QCSuper & Wireshark (by P1sec).
    • Just run the ./qcsuper.py --adb --wireshark-live after enabling ADB (which enables DIAG as well, I think)

📱 Screen Control

  1. Screenshots + Disabling Screen Timeout (by u0d7i)
    • Don't use the screenshots manually, use the next link (adbcontrol) for 2-way interactions.
    • The device is running Android KitKat (4.4.4, SDK 19) so neither scrcpy nor Vysor work.
  2. View & Control Device "Display" via adbcontrol (by AlienWolfX)
  3. Change UI Language to English
    • I tried u0d7i's way and it didn't work for me. Using the Settings app via remote control did.

📶 WiFi

  1. Connecting to a WiFi Network (Client/STA Mode)
    • Switch from hotspot to WiFi client via ADB
  2. Use this device to send Wake-on-LAN packets

🪄 Firmware Backup/Flashing

  1. SuperSU, EDL, FW Dump/Restore, Installing OpenWRT/Debian (by AlienWolfX)
  2. Another EDL Guide, Lots of hardware/software documentations (by u0d7i)
  3. OpenStick: Install Debian and bridge LTE to WiFi/rndis [Repo] (by handsomehacker)

⚡ UART

UART pins are arranged in a row, on the side without the SIM slot.
Mapping, assuming the USB connector points down:

  • Topmost: VCC
  • 2nd from top: GND
  • 2nd from bottom: TX
  • Bottommost: RX

Connect using default parameters in PuTTY except:

  • Session -> Baud Rate: 115200
  • Connection -> Serial -> Flow Control: None

You'll be greeted with a shell; the user is shell and has the following id values:

shell@msm8916_32_512:/ $ id
uid=2000(shell) gid=1007(log) context=u:r:init_shell:s0

In comparison, ADB shell defaults to the root user and these values:

root@msm8916_32_512:/ # id
uid=0(root) gid=0(root) context=u:r:shell:s0

Anyway, using su root from the shell user just switches to root ¯\_(ツ)_/¯.

EDL via USB pins

As mentioned in AlienWolfX's repo, you can enter "EDL mode" by shorting the GND and D+ pins on the USB connector. This has been confirmed on at least two UZ801 v3.2 boards.

About

Research on the 4G (LTE) USB Modem from AliExpress
