From an 8-dollar stick to a Debian server — the reproducible way
Back up, flash, connect. Backup first, courage second.
Five steps. Each leads to its matching detail section — no dead ends.
Before anything gets written: how do you enter each mode, how does the host PC see the device, and what is it for?
| Mode | How to enter | Host PC sees | Purpose |
|---|---|---|---|
| ADB (stock Android) |
Boot stock Android → connect via Wi-Fi to http://192.168.100.1 (login admin) → enable ADB at /usbdebug.html → re-plug the stick |
adb devices lists the device |
Initial recon & backups while Android is still running |
| Fastboot (bootloader) |
adb reboot bootloader from a running ADB |
fastboot devices |
Write individual partitions, the actual Debian flash (./flash.sh) |
| EDL 9008 (Emergency Download) |
adb reboot edl (or from Fastboot: fastboot oem reboot-edl) |
USB device 05c6:9008 („Qualcomm HS-USB QDLoader 9008“) |
Full read/write access to the eMMC + rescue of bricked devices |
# Bjoern Kerler's EDL client (tools/edl) + firehose loader EDL=tools/edl/edl LOADER=tools/edl/edlclient/prog_emmc_firehose_8916.mbn # Detect device / read the partition table edl printgpt
From „all at once“ to the surgical single shot. Store the files safely — they are your return ticket.
# Full dump of all partitions into one file (~3.7 GB) edl rf uz801-stock.bin
# Read the boot partition individually python edl r boot boot.img
These are the pieces you'll need later for a working modem.
# Back up all partitions individually — produces modem.bin, modemst1.bin, # modemst2.bin, fsg.bin, fsc.bin … + rawprogram0.xml: edl rl uz801_stock --genxml # Critical NV partitions (IMEI/calibration): modemst1, modemst2, fsg, fsc
Offset = start sector (sector size 512 bytes), size converted from size_in_KB — both verbatim from the autogenerated rawprogram0.xml. The XML has no flags column. „Purpose“ is a standard MSM8916 description (not from a repo comment).
| Name | Offset | Size | Flags | Purpose |
|---|---|---|---|---|
| modem | 65536 | 64 MB | — | Modem firmware (NON-HLOS) |
| sbl1 | 196608 | 512 KB | — | Secondary Bootloader (SBL1) |
| sbl1bak | 197632 | 512 KB | — | SBL1 backup |
| aboot | 198656 | 1 MB | — | Android/LK bootloader (aboot) |
| abootbak | 200704 | 1 MB | — | aboot backup |
| rpm | 202752 | 512 KB | — | Resource Power Manager firmware |
| rpmbak | 203776 | 512 KB | — | RPM backup |
| tz | 204800 | 512 KB | — | TrustZone (Secure World) |
| tzbak | 205824 | 512 KB | — | TrustZone backup |
| hyp | 206848 | 512 KB | — | Hypervisor |
| hypbak | 207872 | 512 KB | — | Hypervisor backup |
| pad | 208896 | 1 MB | — | Padding/reserve |
| modemst1 | 210944 | 1.5 MB | — | Modem NV storage 1 (IMEI/calibration) |
| modemst2 | 214016 | 1.5 MB | — | Modem NV storage 2 |
| misc | 217088 | 1 MB | — | Boot-mode flags (misc) |
| fsc | 219136 | 1 KB | — | Modem FS cookie |
| ssd | 219138 | 8 KB | — | Secure storage (SSD) |
| splash | 219154 | 10 MB | — | Boot logo |
| DDR | 262144 | 32 KB | — | DDR training data |
| fsg | 262208 | 1.5 MB | — | Modem filesystem (NV/provisioning) |
| sec | 265280 | 16 KB | — | Security/fuse data |
| boot | 265312 | 16 MB | — | Kernel + ramdisk (boot image, DTB appended) |
| system | 298080 | 800 MB | — | Root filesystem (Android system / Debian rootfs) |
| persist | 1936480 | 32 MB | — | Persistent sensor/calibration data |
| cache | 2002016 | 128 MB | — | Cache |
| recovery | 2264160 | 16 MB | — | Recovery image |
| oem | 2296928 | 10 MB | — | OEM partition |
| userdata | 2317408 | ≈2.47 GB | — | User data (largest partition) |
/lib/firmwareWhere most people get stuck: without the right firmware files the modem won't register under Linux.
From stock Android: pull /firmware/image/ (Android 4.4.4) via ADB — alternatively from the backed-up modem partition (modem.bin) of the EDL backup.
# 58 firmware files (stock dump): # modem.* – 22 (modem.mdt + modem.b00 … baseband DSP) # wcnss.* – 9 (Wi-Fi/Bluetooth, WCN3620) # cmnlib.* – 5 (Common Library) # keymaste.* – 5 (Keymaster) # isdbtmm.* – 5 (ISDB-T Multimedia) # playread.* – 5 (PlayReady DRM) # widevine.* – 5 (Widevine DRM) # modem_pr – 1 # mba.mbn – 1 (Modem Boot Authenticator)
Both drop the same files into /lib/firmware/. Way A is easiest while stock Android still runs; Way B only needs the EDL backup.
Way A — from stock Android (ADB)
# Android running, ADB active — pull the firmware folder: adb pull /firmware/image/ firmware-backup/image/ # install on the Debian stick: sudo cp firmware-backup/image/* /lib/firmware/ sudo systemctl restart ModemManager
Way B — from the backed-up modem partition
# modem partition from the EDL backup (see 0x01): edl r modem modem.img --memory=emmc # mount the image read-only via loopback and copy the firmware: mkdir -p modem_mnt sudo mount -o loop,ro modem.img modem_mnt sudo cp modem_mnt/image/* /lib/firmware/ sudo umount modem_mnt
Note: adjust the exact target path / file layout (e.g. an image/ subfolder) to your setup — the install step was only prose in the repo; the source files are verbatim.
/lib/firmware → the modem won't register. On top of that the Q6/remoteproc does an intentional reset ~30 s after boot (ModemManager loses the QMI port); fix: modem-fix.service restarts ModemManager after 45 s (since v6.0).
Only once the backup is in place. Flashing runs in Fastboot mode — flash.sh first backs up the NV partitions internally, then writes the bootloader, rootfs and boot.
# In Fastboot mode (see 0x00). Download, unzip and flash the OpenStick release: wget https://download.wvthoog.nl/projects/security/openstick/openstick-uz801-v3.0.zip cd OpenStick/flash/ ./flash.sh
Device tree (DTB) used: the DT is appended to the kernel zImage inside boot.img — no separate DTB file is flashed. Custom kernel builds compile msm8916-uz801-v3.dtb or msm8916-handsome-openstick-uz801.dtb. (There is no fy-mf800.dtb — fy-mf800 is just a photo folder.)
Plug in the stick, log in, enable LTE.
ssh user@192.168.200.1 # USB (RNDIS), default ssh user@192.168.100.1 # Wi-Fi AP (SSID 4G-UFI-XX, PSK 1234567890) # Default user password: 1
# NetworkManager ships a prepared "lte" profile: sudo nmcli connection modify lte gsm.apn <your_apn> sudo nmcli connection up lte # check: sudo mmcli -m 0 ip a show wwan0 # optional, if a SIM PIN is set: sudo nmcli connection modify lte gsm.pin <your_pin>
If the stick no longer boots: enter EDL (0x00) and write the backup back.
# Full restore (write the backup back): edl wf uz801-stock.bin # or individually, e.g. boot: edl w boot boot.img # Restore modem NV from this stick's originals (preserves IMEI): edl w modemst1 uz801_stock/modemst1.bin edl w modemst2 uz801_stock/modemst2.bin edl w fsg uz801_stock/fsg.bin edl w fsc uz801_stock/fsc.bin edl reset
"The EDL backup before your first flash isn't a recommendation, it's the precondition." — everyone who has ever bricked a stick