Merge pull request #511 from Tunas1337/uz801

Add UZ801 support

doc/SUMMARY.md

@@ -16,6 +16,7 @@
   - [TP-Link M7350](./tplink-m7350.md)
   - [TP-Link M7310](./tplink-m7310.md)
   - [Tmobile TMOHS1](./tmobile-tmohs1.md)
+  - [UZ801](./uz801.md)
   - [Wingtech CT2MHS01](./wingtech-ct2mhs01.md)
   - [PinePhone and PinePhone Pro](./pinephone.md)
 - [Support, feedback, and community](./support-feedback-community.md)

doc/supported-devices.md

@@ -24,6 +24,7 @@ Rayhunter is confirmed to work on these devices.
 | [Tmobile TMOHS1](./tmobile-tmohs1.md) | Americas |
 | [TP-Link M7310](./tplink-m7310.md) | Africa, Europe, Middle East |
 | [PinePhone and PinePhone Pro](./pinephone.md) | Global |
+| [FY UZ801](./uz801.md) | Asia, Europe |
 
 ## Adding new devices
 Rayhunter was built and tested primarily on the Orbic RC400L mobile hotspot, but the community has been working hard at adding support for other devices. Theoretically, if a device runs a Qualcomm modem and exposes a `/dev/diag` interface, Rayhunter may work on it.

doc/uninstalling.md

@@ -22,3 +22,18 @@ Your device is now Rayhunter-free, and should no longer be in a rooted ADB-enabl
 4. `update-rc.d rayhunter_daemon remove`
 5. (hardware revision v4.0+ only) In `Settings > NAT Settings > Port Triggers` in TP-Link's admin UI, remove any leftover port triggers.
 
+## UZ801
+
+0. (Optional): Back up the qmdl folder with all of the captures:
+`adb pull /data/rayhunter/qmdl .`
+1. Run `adb shell` to get a root shell on the device
+2. Delete the /data/rayhunter folder: `rm -rf /data/rayhunter`
+3. Modify the initmifiservice.sh script to remove the rayhunter 
+startup line:
+```sh
+mount -o remount,rw /system
+busybox vi /system/bin/initmifiservice.sh
+```
+Then type 999G (shift+g), then type dd. Then press the colon key (:) and type wq. Finally, press Enter.
+4. Lastly, run `setprop persist.sys.usb.config rndis`.
+5. Type `reboot` to reboot the device.

doc/uz801.md

@@ -0,0 +1,67 @@
+# UZ801
+
+The UZ801 is a 4G/LTE USB modem which is built on top of a Qualcomm Snapdragon 410 (MSM8916, with MDM8916 modem.) It does not have a screen, but it does have LEDs which can be used to signal the same status as the green/red bar on the Orbic hotspot. It uses a custom Android-based firmware with limited coreutils. More information about this device can be found [here](https://github.com/AlienWolfX/UZ801-USB_MODEM/wiki/Overview)
+
+It is worth noting that even though the Snapdragon 410 is a quad-core SoC, the CPU has only 2 of the cores enabled on the stock Android-based firmware, probably to avoid overheating as they did not exactly engineer any cooling solution. Regardless, even with 2 disabled cores there is plenty of compute overhead. There are 384MB of RAM on the SoC, and 4GB of eMMC in the form of an SK Hynix NAND flash chip located external to the SoC.
+
+Rayhunter has been tested on UZ801 devices with firmware supporting USB debugging backdoor access. It is not certain whether all of the sticks that use this board will be compatible with the automated installer, or even with any alternative manual installation method. Please consider sharing your device's firmware version and hardware information [here](https://github.com/EFForg/rayhunter/discussions/479) to help improve compatibility.
+
+## Where to purchase
+
+There are several option to purchase this device:
+1. AliExpress:
+- [1](https://www.aliexpress.us/item/3256808999940005.html)
+- [2](https://www.aliexpress.us/item/3256809191207903.html)
+- [3](https://www.aliexpress.us/item/3256809191207903.html)
+2. eBay:
+- [1](https://www.ebay.com/itm/394512588226)
+- [2](https://www.ebay.com/itm/195655408253)
+- [3](https://www.ebay.com/itm/116678550086)
+3. Amazon:
+- [1](https://www.amazon.com/150Mbps-Adapter-Network-Lightweight-Portable/dp/B0DQC64ZFS)
+- [2](https://www.amazon.com/Heayzoki-Network-Adapter-Wireless-Connection/dp/B0CG4W31M4)
+## Supported bands
+
+The UZ801 supports various LTE bands depending on the specific hardware revision and carrier customization. Check your device specifications for the exact band support.
+
+The most frequent bands found on these devices are LTE bands 1/3/5/8/20. In the US, this means that Verizon's band 5 towers are the only towers that this device could communicate with in its normal usage as an LTE modem. Research on whether Qualcomm diagnostic tools can be used to write new band support into the NVRAM is pending.
+
+## Installing
+
+With the device fully booted (i.e. beaming a wifi network, blue LED, etc.) and plugged into the computer that is performing the installation, run:
+
+```sh
+./installer uz801
+```
+
+Note: The default IP for UZ801 is typically `192.168.100.1`; if yours differs, use the `--admin-ip` argument to specify it.
+
+## LED modes
+| Rayhunter state  | LED indicator       |
+| ---------------- | ------------------- |
+| Recording        | Green LED solid on  |
+| Paused           | WiFi (blue) LED solid on |
+| Warning Detected | Red LED solid on    |
+
+Note: Unlike the TMOHS1, the UZ801 uses solid LED indicators instead of blinking patterns.
+
+## Obtaining a shell
+The UZ801 supports ADB access after the USB debugging backdoor is activated.
+
+```sh
+adb shell
+```
+
+## Device-specific notes
+
+The UZ801 uses a unique installation process that activates a hidden USB debugging backdoor.
+
+The installation process works as follows:
+1. Activates the USB debugging backdoor via HTTP AJAX request
+2. Waits for device reboot and ADB availability
+3. Uses ADB to install rayhunter files and modify the startup script
+4. Launches rayhunter daemon automatically
+
+- The UZ801 does not symlink busybox for some core system utils, for some reason. Please use `busybox <utility_name>`, e.g. `busybox df -h`.
+- USB debugging must be activated via the web backdoor before ADB access is possible (this is required only once.) The installer does this already.
+- The device uses `/system/bin/initmifiservice.sh` as the main startup script.