Verizon MiFi 8800L hot spot mods, hacking, pwd needed

Search This thread

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
I run my hot spots 24/7 and they overcharge the batteries and puff up.
Verizon already did one recall on the Franklin "Ellipse".
I do a direct USB powering since many devices won't run without a battery.
The photo show the one for the MiFi 8800L with a diode, a 51k ID resistor and a 100k thermistor resistor.
It works fine, but I still wasn't happy with how warm the device got even without a battery.
So I threw away the back plate, broke the glass/touch panel off the bezel and removed the OLED display.
Now the tin covers on the processor get direct access to air and it runs a lot cooler.
It seems to work fine.

Still, I wanted to be able to run "top" and make sure that it's not thrashing too badly without the OLED and the I²C touch panel.
I plugged the MiFi into Windows 10 and identified a single HID interface with a 4 byte input record and a 4 byte output record.
I tried to read the input record, nothing was coming out.
So I wrote my 4 bytes of zeroes (in Windows that makes it 5 bytes since you have to add an unused record ID).
Code:
memset(report, 0, 5);
WriteFile(hid, report, 5, &n, NULL);
And lo and behold, the MiFi reset and came back with 7 interfaces, including the original HID.
One of the interfaces was a CDC serial that came up as a virtual com port (VCP).
Code:
mifi login: admin
Password:
Login incorrect
Any idea what the password could be?
 

Attachments

  • hotspot.jpg
    hotspot.jpg
    99 KB · Views: 121
  • hotspot2.jpg
    hotspot2.jpg
    102.9 KB · Views: 112
  • Like
Reactions: maddmenz

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
I added a 40mm square heatsink. Now it runs even cooler. I cut away some of the top cover so that you can still plug in the LCD if you need to.

If you're thinking this is all pointless: In marginal areas a hot unit decreases the S/NR. I've often stuck my old Jet Pack in the freezer when nothing else would get me a connection.
 

Attachments

  • hotspot5.jpg
    hotspot5.jpg
    134.6 KB · Views: 49

pcoplen

New member
Nov 25, 2021
4
0
So I believe the password is listed in the device settings. On mine its under advanced settings on the screen.
I want to get more outta mine and am trying to put custom firmware on it.
 

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
I'm not sure if you mean the regular WiFi or administration logon password. I've tried those. I don't know what the login itself is either. I've tried root and admin. Can you give me a screenshot of that password using the regular web interface? (Ok, with the password blacked out.)

In other news, I discovered that the network manual selection allows me to select AT&T or Telekom (since I paid full price for the unit). It may not have all the right bands, but I think that I'll try test drive one of them since the Verizon tower here is horribly overloaded. That's 8 kb/sec download during prime time.
 

pcoplen

New member
Nov 25, 2021
4
0
I got mine second hand and dont have a data plan currently but its the verizon one.
 

Attachments

  • IMG_2458.jpg
    IMG_2458.jpg
    1.8 MB · Views: 63

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
No, that's the regular Administrator password. It doesn't work here:
Code:
mifi login: Admin
Password:
Login incorrect
mifi login: admin
Password:
Login incorrect
mifi login: root
Password:
Login incorrect
mifi login: user
Password:
Login incorrect
mifi login:
This is on the virtual com port coming over the USB cable, not the front screen or the web access.
 

pcoplen

New member
Nov 25, 2021
4
0
how are you accessing this com port when i boot and enable usb connection it doesnt appear in windows
 

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
That's the whole point of that memset/WriteFile stuff at the top. I've never had to resend that so I don't know if that's a permanent enable. It did disconnect and reconnect when I did it, so I think that it's real. If you're not showing the same as I see now, that confirms it.
Do you have UsbView.exe? It's here: https://www.ftdichip.com/Support/Utilities.htm#MicrosoftUSBView
This is the what I have (trimmed down to the essentials). Is your "Total Length 0x136" the same as me? Do you see 7 interfaces?
Code:
Device Descriptor:
idVendor:           0x1410
idProduct:          0xB023
bcdDevice:          0x0318

Configuration Descriptor:
wTotalLength:       0x0136
bNumInterfaces:       0x07

Interface Descriptor:
bInterfaceNumber:     0x00
0x0409: "RNDIS Communications Control"

Interface Descriptor:
bInterfaceNumber:     0x01
0x0409: "RNDIS Ethernet Data"

Interface Descriptor:
bInterfaceNumber:     0x02
(Something custom)

Interface Descriptor:
bInterfaceNumber:     0x03
(Something custom)

Interface Descriptor:
bInterfaceNumber:     0x0C
0x0409: "CDC Abstract Control Model (ACM)"

Interface Descriptor:
bInterfaceNumber:     0x0D
0x0409: "CDC ACM Data"

Interface Descriptor:
bInterfaceNumber:     0x0E
0x0409: "HID Interface"
(You get extra credit for noticing that the interface numbers are not contiguous! (0, 1), 2, 3, (12, 13), 14. That breaks some Linux libs.)

Edit: Oh! My 8800 was originally 1410/b010, then when I did the HID thing it turned into 1410/b023. I just looked at my code.
So this is a Qualcomm processor, so apparently this is a Qualcomm DIAG port. I still can't find a password, but I strongly suspect that "root" is the (only useful) user.
 
Last edited:

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
Ok, so I managed to reset it back to "Normal", a/k/a 1410/b010
I see that in this mode there is only one interface, that HID.
So I wrote a little utility:
Code:
C:\>mifilink /?
MiFi Configuration Utility
mifilink <cmd>
cmd = normal, diag

C:\>mifilink
Found MiFi 8000/8800 (normal mode)

C:\>mifilink diag
Found MiFi 8000/8800 (normal mode)
Sending Diag (0) ok

C:\>mifilink
Could not find any MiFi devices

C:\>mifilink
Found MiFi 8000/8800 (DIAG mode)
When it couldn't find anything that was because it was rebooting. I put that in there to demonstrate that the utility knows that. Without a command it just shows what it sees.

Note: This is not a zip file. Don't unzip it, just rename it mifilink.exe
 

Attachments

  • mifilink.zip
    99 KB · Views: 60

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
I had a question on how I was powering this. Just to clarify:

I'm using a USB cable that I cut up. Normally the color code is to be trusted, but check with a voltmeter if you have it.
Black is ground, green is D+ (unused), white is D- (unused), red is Vbus i.e. +5V.
The photo in the OP shows it all.
From the bottom is the ground connection to black.
Then the 100k resistor for the thermistor to ground (to make the device think that the temperature is reasonable).
Then the 51k resistor to ground to fake the device out to thinking that a battery is connected.
Then the 1 Amp diode (like a 1N4001 to 1N4007) to drop the voltage down a bit to make life easier for the device.
The banded end (i.e. the cathode) goes to the contact, the plain end (i.e. the anode goes to the red wire.

If you don't like murdering your device you could take a block of something (wood, plastic) and put four contacts on it.
Then you could leave your device unmodified. I've made some blocks for cell phones that I have for testing.

Here's a Moto E6 that I was trying to get into EDL mode. The plug has one resistor in it for thermistor.
 

Attachments

  • hardway.jpg
    hardway.jpg
    824.6 KB · Views: 35

pcoplen

New member
Nov 25, 2021
4
0
I had a question on how I was powering this. Just to clarify:

I'm using a USB cable that I cut up. Normally the color code is to be trusted, but check with a voltmeter if you have it.
Black is ground, green is D+ (unused), white is D- (unused), red is Vbus i.e. +5V.
The photo in the OP shows it all.
From the bottom is the ground connection to black.
Then the 100k resistor for the thermistor to ground (to make the device think that the temperature is reasonable).
Then the 51k resistor to ground to fake the device out to thinking that a battery is connected.
Then the 1 Amp diode (like a 1N4001 to 1N4007) to drop the voltage down a bit to make life easier for the device.
The banded end (i.e. the cathode) goes to the contact, the plain end (i.e. the anode goes to the red wire.

If you don't like murdering your device you could take a block of something (wood, plastic) and put four contacts on it.
Then you could leave your device unmodified. I've made some blocks for cell phones that I have for testing.

Here's a Moto E6 that I was trying to get into EDL mode. The plug has one resistor in it for thermistor.
So I would recommend something slightly different, use a tp4056 to charger the battery, they don’t get very hot and it bypasses the internal charger and usb c port. So you could use that for data still.
 

maddmenz

New member
Oct 16, 2010
1
0
I had a question on how I was powering this. Just to clarify:

I'm using a USB cable that I cut up. Normally the color code is to be trusted, but check with a voltmeter if you have it.
Black is ground, green is D+ (unused), white is D- (unused), red is Vbus i.e. +5V.
The photo in the OP shows it all.
From the bottom is the ground connection to black.
Then the 100k resistor for the thermistor to ground (to make the device think that the temperature is reasonable).
Then the 51k resistor to ground to fake the device out to thinking that a battery is connected.
Then the 1 Amp diode (like a 1N4001 to 1N4007) to drop the voltage down a bit to make life easier for the device.
The banded end (i.e. the cathode) goes to the contact, the plain end (i.e. the anode goes to the red wire.

If you don't like murdering your device you could take a block of something (wood, plastic) and put four contacts on it.
Then you could leave your device unmodified. I've made some blocks for cell phones that I have for testing.

Here's a Moto E6 that I was trying to get into EDL mode. The plug has one resistor in it for thermistor.
Thanks for this. it worked like a charm. This was the best solution for me even after trying two of Netgear's LTE Modems and Modem/Router. Those devices frequently lost connection to Verizon. Neither Verizon nor Netgear could help me.
 

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
There was a question on firmware updatting the 8000/8800
I tried a bit to find EDL test points on my 8800. Since this is my main connection that was in use I didn't try too hard at the time.
I had an Orbic Speed that I got under warranty and don't use so I could attack it at my leisure.
I found the EDL test points. It uses Red Hat Linux. Since I'm more Android and don't need to do anything I dropped the matter there.
This is all related here: https://forum.xda-developers.com/t/...-firmware-flash-kajeet.4334899/#post-86616269

(My main device, an Onyx Boox Poke3 ereader is also modified with a reed switch as I do a lot of slinging partitions around.)
 

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
You need active power coming in on the battery terminal. If you just want to just use the USB port you can jumper from the USB through a diode to the battery in. Of course you still need the two resistors. There is a test point near the USB connector where you can pick off power. I don't have a photo off-hand.
 

mjg59

Member
Nov 23, 2010
6
7
There was a question on firmware updatting the 8000/8800
I tried a bit to find EDL test points on my 8800. Since this is my main connection that was in use I didn't try too hard at the time.
I had an Orbic Speed that I got under warranty and don't use so I could attack it at my leisure.
I found the EDL test points. It uses Red Hat Linux. Since I'm more Android and don't need to do anything I dropped the matter there.
This is all related here: https://forum.xda-developers.com/t/...-firmware-flash-kajeet.4334899/#post-86616269

(My main device, an Onyx Boox Poke3 ereader is also modified with a reed switch as I do a lot of slinging partitions around.)

There's three test pads on upper right of the 8800 board (the same side as the battery). Shorting the left pad to the middle pad and plugging in a USB cable results in it booting in EDL mode.
 
  • Like
Reactions: Renate

mjg59

Member
Nov 23, 2010
6
7
There's three test pads on upper right of the 8800 board (the same side as the battery). Shorting the left pad to the middle pad and plugging in a USB cable results in it booting in EDL mode.
Unfortunately there doesn't seem to be a publicly available loader that'll work here
 

stealthrt

Senior Member
Sep 28, 2011
69
6
I had a question on how I was powering this. Just to clarify:

I'm using a USB cable that I cut up. Normally the color code is to be trusted, but check with a voltmeter if you have it.
Black is ground, green is D+ (unused), white is D- (unused), red is Vbus i.e. +5V.
The photo in the OP shows it all.
From the bottom is the ground connection to black.
Then the 100k resistor for the thermistor to ground (to make the device think that the temperature is reasonable).
Then the 51k resistor to ground to fake the device out to thinking that a battery is connected.
Then the 1 Amp diode (like a 1N4001 to 1N4007) to drop the voltage down a bit to make life easier for the device.
The banded end (i.e. the cathode) goes to the contact, the plain end (i.e. the anode goes to the red wire.

If you don't like murdering your device you could take a block of something (wood, plastic) and put four contacts on it.
Then you could leave your device unmodified. I've made some blocks for cell phones that I have for testing.

Here's a Moto E6 that I was trying to get into EDL mode. The plug has one resistor in it for thermistor.
Can you power an SSD via the USB-C (for file sharing feature 8800L) still with doing the power where the battery would be going? Or do I need to send 5v down the USB-C wire since the battery input would be ~3.3v?

So I would recommend something slightly different, use a tp4056 to charger the battery, they don’t get very hot and it bypasses the internal charger and usb c port. So you could use that for data still.
Would you care to share how the tp4056 would hook up to the charging pin? This sounds like the way I would need to go in order to power an SSD via USB-C port.
 

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,253
1,445
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
Can you power an SSD via the USB-C (for file sharing feature 8800L) still with doing the power where the battery would be going? Or do I need to send 5v down the USB-C wire since the battery input would be ~3.3v?
The device has a boost converter to take battery power and boost it to 5V for the Type C when you are using a flash drive.
You don't need to do anything.
If you did route 5V to the Type C yourself it would say, "Oh, I'm connected to a charger, of course there is no flash drive."

I can plug in a flash drive, there is 5V supplied to it, it's takes 70mA or so.
It is enabled on the MiFi Share setting page.
I can't find it on my Windows machine. Maybe because I disabled so much of that net sharing.

If you really wanted to keep the battery, yes, you could throw in a TP4056 charger board and have it charge your battery.
Would you care to share how the tp4056 would hook up to the charging pin?
Just connect the two battery pads on the PCB to the + and - of the battery.

I tried the EDL, the test points are as stated, "Left" in the instructions means towards the middle of the device.
Code:
HWID: 0007d0e100000000
Hash: 62b4a62f72d6c323
I couldn't find a loader either.

As I've said before I think this device runs hot.
That's why I cannibalized it and added a heatsink.
Maybe this thing was tested at an ambient temperature of 20°C (68°F) but it just runs away at higher temperatures.
At 38°C (100°F) ambient temperature even with a heatsink this thing is a nuclear reactor.
I had a little 12V 40mm fan. I plugged it into 5V and that's enough to keep this thing cool when it gets hot.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    There was a question on firmware updatting the 8000/8800
    I tried a bit to find EDL test points on my 8800. Since this is my main connection that was in use I didn't try too hard at the time.
    I had an Orbic Speed that I got under warranty and don't use so I could attack it at my leisure.
    I found the EDL test points. It uses Red Hat Linux. Since I'm more Android and don't need to do anything I dropped the matter there.
    This is all related here: https://forum.xda-developers.com/t/...-firmware-flash-kajeet.4334899/#post-86616269

    (My main device, an Onyx Boox Poke3 ereader is also modified with a reed switch as I do a lot of slinging partitions around.)

    There's three test pads on upper right of the 8800 board (the same side as the battery). Shorting the left pad to the middle pad and plugging in a USB cable results in it booting in EDL mode.
  • 2
    I had a question on how I was powering this. Just to clarify:

    I'm using a USB cable that I cut up. Normally the color code is to be trusted, but check with a voltmeter if you have it.
    Black is ground, green is D+ (unused), white is D- (unused), red is Vbus i.e. +5V.
    The photo in the OP shows it all.
    From the bottom is the ground connection to black.
    Then the 100k resistor for the thermistor to ground (to make the device think that the temperature is reasonable).
    Then the 51k resistor to ground to fake the device out to thinking that a battery is connected.
    Then the 1 Amp diode (like a 1N4001 to 1N4007) to drop the voltage down a bit to make life easier for the device.
    The banded end (i.e. the cathode) goes to the contact, the plain end (i.e. the anode goes to the red wire.

    If you don't like murdering your device you could take a block of something (wood, plastic) and put four contacts on it.
    Then you could leave your device unmodified. I've made some blocks for cell phones that I have for testing.

    Here's a Moto E6 that I was trying to get into EDL mode. The plug has one resistor in it for thermistor.
    1
    I run my hot spots 24/7 and they overcharge the batteries and puff up.
    Verizon already did one recall on the Franklin "Ellipse".
    I do a direct USB powering since many devices won't run without a battery.
    The photo show the one for the MiFi 8800L with a diode, a 51k ID resistor and a 100k thermistor resistor.
    It works fine, but I still wasn't happy with how warm the device got even without a battery.
    So I threw away the back plate, broke the glass/touch panel off the bezel and removed the OLED display.
    Now the tin covers on the processor get direct access to air and it runs a lot cooler.
    It seems to work fine.

    Still, I wanted to be able to run "top" and make sure that it's not thrashing too badly without the OLED and the I²C touch panel.
    I plugged the MiFi into Windows 10 and identified a single HID interface with a 4 byte input record and a 4 byte output record.
    I tried to read the input record, nothing was coming out.
    So I wrote my 4 bytes of zeroes (in Windows that makes it 5 bytes since you have to add an unused record ID).
    Code:
    memset(report, 0, 5);
    WriteFile(hid, report, 5, &n, NULL);
    And lo and behold, the MiFi reset and came back with 7 interfaces, including the original HID.
    One of the interfaces was a CDC serial that came up as a virtual com port (VCP).
    Code:
    mifi login: admin
    Password:
    Login incorrect
    Any idea what the password could be?
    1
    There was a question on firmware updatting the 8000/8800
    I tried a bit to find EDL test points on my 8800. Since this is my main connection that was in use I didn't try too hard at the time.
    I had an Orbic Speed that I got under warranty and don't use so I could attack it at my leisure.
    I found the EDL test points. It uses Red Hat Linux. Since I'm more Android and don't need to do anything I dropped the matter there.
    This is all related here: https://forum.xda-developers.com/t/...-firmware-flash-kajeet.4334899/#post-86616269

    (My main device, an Onyx Boox Poke3 ereader is also modified with a reed switch as I do a lot of slinging partitions around.)

    There's three test pads on upper right of the 8800 board (the same side as the battery). Shorting the left pad to the middle pad and plugging in a USB cable results in it booting in EDL mode.