Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

UZ801

The UZ801 is a 4G/LTE USB modem which is built on top of a Qualcomm Snapdragon 410 (MSM8916, with MDM8916 modem.) It does not have a screen, but it does have LEDs which can be used to signal the same status as the green/red bar on the Orbic hotspot. It uses a custom Android-based firmware with limited coreutils. More information about this device can be found here

It is worth noting that even though the Snapdragon 410 is a quad-core SoC, the CPU has only 2 of the cores enabled on the stock Android-based firmware, probably to avoid overheating as they did not exactly engineer any cooling solution. Regardless, even with 2 disabled cores there is plenty of compute overhead. There are 384MB of RAM on the SoC, and 4GB of eMMC in the form of an SK Hynix NAND flash chip located external to the SoC.

Rayhunter has been tested on UZ801 devices with firmware supporting USB debugging backdoor access. It is not certain whether all of the sticks that use this board will be compatible with the automated installer, or even with any alternative manual installation method. Please consider sharing your device's firmware version and hardware information here to help improve compatibility.

Where to purchase

There are several option to purchase this device:

  1. AliExpress:
  1. eBay:
  1. Amazon:

Supported bands

The UZ801 supports various LTE bands depending on the specific hardware revision and carrier customization. Check your device specifications for the exact band support.

The most frequent bands found on these devices are LTE bands 1/3/5/8/20. In the US, this means that Verizon's band 5 towers are the only towers that this device could communicate with in its normal usage as an LTE modem. Research on whether Qualcomm diagnostic tools can be used to write new band support into the NVRAM is pending.

Installing

With the device fully booted (i.e. beaming a wifi network, blue LED, etc.) and plugged into the computer that is performing the installation, run:

./installer uz801

Note: The default IP for UZ801 is typically 192.168.100.1; if yours differs, use the --admin-ip argument to specify it.

LED modes

Rayhunter stateLED indicator
RecordingGreen LED solid on
PausedWiFi (blue) LED solid on
Warning DetectedRed LED solid on

Note: Unlike the TMOHS1, the UZ801 uses solid LED indicators instead of blinking patterns.

Obtaining a shell

The UZ801 supports ADB access after the USB debugging backdoor is activated.

adb shell

Device-specific notes

The UZ801 uses a unique installation process that activates a hidden USB debugging backdoor.

The installation process works as follows:

  1. Activates the USB debugging backdoor via HTTP AJAX request
  2. Waits for device reboot and ADB availability
  3. Uses ADB to install rayhunter files and modify the startup script
  4. Launches rayhunter daemon automatically
  • The UZ801 does not symlink busybox for some core system utils, for some reason. Please use busybox <utility_name>, e.g. busybox df -h.
  • USB debugging must be activated via the web backdoor before ADB access is possible (this is required only once.) The installer does this already.
  • The device uses /system/bin/initmifiservice.sh as the main startup script.