EFForg
documentation on getting into adb mode is a bit lacking
hi there,
I can not seem to get the orbic device into a state where it can be read with "adb devices".
the serial app isnt forcing the issue either.
tried this on osx and ubuntu 24.
i can get it to present as ttyS0 on linux by holding power and reset for about 10 seconds. it then has device ID 05c6:9008.
however opening minicom (dont know what baud settings to use think im 115200, 8,N,1) doesnt do anything with the AT command.
adb devices just shows List of devices attached :
it is an orbic speed RC400L.
the linked page on xdaforums didnt really help me figure out if theres a button combo to do this, or if i need to open it up and ground a pin.
theyre trying to read/write firmware dumps and or possibly examine IMEI. that doesnt seem to be quite what this installer wants to do (copy a couple binaries and configs to the existing partition.)
thanks
to clarify: i had purchased from amazon directly from EFFs press release. i have not updated the firmware yet out of fear an update might block this from being done. just in case thats the problem and that you do expect someone to update it for this to work.
I'm currently wrestling with this as well - I'm digging through this post and this follow up.
I bought the device linked in the readme using bezosbucks. I gave 11 dollars to a billionaire, which makes me sad, and motivates me to root the effing thing.
I'm both following this issue, keeping my hopes up that someone will point out the obvious thing I'm missing, and if/when I get something sorted I'll document and share results here.
What version of the firmware are you on? Stock? Did you update it at all? Wondering if that is the common denominator …
And, my issue was 100% PEBKAC.
I was trying to see if I could use a Raspberry Pi running Ubuntu to manage the install. That failed with an error message related to the serial-ubuntu-latest - theoretically, this should have worked, but practically, it didn't.
When I ran it just now using Ubuntu 24.04 on a laptop, it worked cleanly - the entire install took under 3 minutes.
The Orbic I recieved did not have adb active. The command "adb attach" returned "no dev/emulators found", even though it was connected via usb and functioning as a NIC.
I did the upgrade tool trick and it opened up the adb interface at the same time as the com ports.
Model: RC400L Ver: RC400L_1.2.0_BVZRT
I made a short guide for rooting the Orbic from Windows. https://xdaforums.com/t/resetting-verizon-orbic-speed-rc400l-firmware-flash-kajeet.4334899/page-3#post-89993011
The current version of the README has a section for working on Windows that points to the original post in that thread. It would probably be better to point to your updated writeup, @issacaron - might be worth a pull request to update the link in this section.
Thanks for the tips and fast replies , thank you Isaac for a detailed write up I’ll I’ve that a go.
Can confirm the stock firmware only exposes one QDM serial port at ttyUSB0. I Don’t have the other two ports shown in Isaac’s guide with the stock fw.
So if anyone else is stuck here, see how many serial ports you have listed when it’s plugged in….
On linux, simplified steps might look more like:
- Download the release file for Rayhunter v0.2.5
- Download the android platform tools
- Copy adb into a system path directory like /usr/local/bin/ or ("echo $PATH" to show a list)
- run sudo ./install-linux.sh
Note: Orbic is not plugged in for this example. One of the first things the script tries to do is enable ADB, so it may be worth trying to run.
`justin@Ubuntu-VM:~/release$ sudo ./install-linux.sh [sudo] password for justin: Using adb at /usr/local/bin/adb Force a switch into the debug mode to enable ADB
thread 'main' panicked at serial/src/main.rs:113:5: No Orbic device found`
I'm nearly done with a setup and usage tutorial that does the setup with Linux, and breaks down the moving parts. I'm about 98% done with the text, and need to do a final read through and add some screenshots.
I'm hoping to finish this up today, but realistically with some other things I'm working on it'll be tomorrow
Finished this over lunch: https://www.funnymonkey.com/2025/03/setting-up-rayhunter-from-eff-and-using-rayhunter-in-the-world/
My sense is that the Linux and MacOS process is cleaner than the Windows setup. Once the thing is set up, using it is pretty simple.
Anecdotally, running into the same challenges as @epsilonaurigae.
Ebay-purchased; new-in-box. Model: RC400L Version: ORB400L_V1.1.5_BVZRT
Shipped with a SIM already installed, but the provided SIM showed no connectivity. Swapping in another Verizon SIM at least allows it to see the towers (signal-strength bars + 4G LTE icons in upper left-hand corner).
Watching dmesg, it only seems to recognize it as an rndis device; no adb/other interfaces.
dmesg with USB tethering enabled
[ 9792.643188] usb 1-1: new high-speed USB device number 13 using xhci_hcd
[ 9792.841296] usb 1-1: New USB device found, idVendor=05c6, idProduct=f626, bcdDevice= 3.18
[ 9792.841300] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 9792.841303] usb 1-1: Product: MDM9207-MTP _SN:EEA193BF
[ 9792.841305] usb 1-1: Manufacturer: Android
[ 9792.873331] rndis_host 1-1:1.0 eth0: register 'rndis_host' at usb-0000:02:00.0-1, RNDIS device, 8e:b7:38:01:70:e4
[ 9792.884246] rndis_host 1-1:1.0 enp2s0f0u1: renamed from eth0
[ 9792.905436] IPv4: martian source 192.168.1.112 from 192.168.1.1, on dev enp2s0f0u1
[ 9792.905441] ll header: 00000000: ff ff ff ff ff ff 02 b3 3a 6f d0 79 08 06 00 01
[ 9792.905444] ll header: 00000010: 08 00 06 04 00 01 02 b3 3a 6f d0 79 c0 a8 01 01
[ 9792.905445] ll header: 00000020: 00 00 00 00 00 00 c0 a8 01 70 78 6d 6c 0d 0a 0d
[ 9792.905447] ll header: 00000030: 0a 2c 31 3d 30 31 30 30 2c 32
[ 9793.903808] IPv4: martian source 192.168.1.112 from 192.168.1.1, on dev enp2s0f0u1
[ 9793.903817] ll header: 00000000: ff ff ff ff ff ff 02 b3 3a 6f d0 79 08 06 00 01
[ 9793.903821] ll header: 00000010: 08 00 06 04 00 01 02 b3 3a 6f d0 79 c0 a8 01 01
[ 9793.903824] ll header: 00000020: 00 00 00 00 00 00 c0 a8 01 70 63 72 69 70 74 69
[ 9793.903826] ll header: 00000030: 6f 6e 2e 78 6d 6c 0d 0a 0d 0a
[ 9794.903850] IPv4: martian source 192.168.1.112 from 192.168.1.1, on dev enp2s0f0u1
[ 9794.903859] ll header: 00000000: ff ff ff ff ff ff 02 b3 3a 6f d0 79 08 06 00 01
[ 9794.903862] ll header: 00000010: 08 00 06 04 00 01 02 b3 3a 6f d0 79 c0 a8 01 01
[ 9794.903865] ll header: 00000020: 00 00 00 00 00 00 c0 a8 01 70 00 00 00 00 00 00
[ 9794.903868] ll header: 00000030: 00 00 00 00 00 00 00 00 00 00
[ 9795.667459] IPv4: martian source 192.168.1.112 from 192.168.1.1, on dev enp2s0f0u1
[ 9795.667472] ll header: 00000000: 8e b7 38 01 70 e4 02 b3 3a 6f d0 79 08 00 45 00
[ 9795.667477] ll header: 00000010: 00 30 a1 13 40 00 40 01 15 f8 c0 a8 01 01 c0 a8
[ 9795.667481] ll header: 00000020: 01 70 08 00 fc 9d fb 61 00 00 00 00 00 00 00 00
[ 9795.667484] ll header: 00000030: 00 00 00 00 00 00 00 00 00 00
[ 9795.669083] IPv4: martian source 192.168.1.112 from 192.168.1.1, on dev enp2s0f0u1
[ 9795.669089] ll header: 00000000: 8e b7 38 01 70 e4 02 b3 3a 6f d0 79 08 00 45 c0
[ 9795.669091] ll header: 00000010: 01 51 dd aa 00 00 40 11 17 70 c0 a8 01 01 c0 a8
[ 9795.669094] ll header: 00000020: 01 70 00 43 00 44 01 3d 5b 39 02 01 06 00 82 eb
[ 9795.669096] ll header: 00000030: b0 64 00 01 00 00 00 00 00 00
[ 9795.670296] IPv4: martian source 192.168.1.112 from 192.168.1.1, on dev enp2s0f0u1
[ 9795.670305] ll header: 00000000: 8e b7 38 01 70 e4 02 b3 3a 6f d0 79 08 00 45 c0
[ 9795.670309] ll header: 00000010: 01 51 dd ab 00 00 40 11 17 6f c0 a8 01 01 c0 a8
[ 9795.670311] ll header: 00000020: 01 70 00 43 00 44 01 3d 63 08 02 01 06 00 12 d1
[ 9795.670315] ll header: 00000030: 18 af 00 02 00 00 00 00 00 00
[ 9796.182857] IPv4: martian source 192.168.1.112 from 192.168.1.1, on dev enp2s0f0u1
[ 9796.182864] ll header: 00000000: 8e b7 38 01 70 e4 02 b3 3a 6f d0 79 08 00 45 c0
[ 9796.182866] ll header: 00000010: 01 57 dd b0 00 00 40 11 17 64 c0 a8 01 01 c0 a8
[ 9796.182868] ll header: 00000020: 01 70 00 43 00 44 01 43 8b 18 02 01 06 00 12 d1
[ 9796.182869] ll header: 00000030: 18 af 00 02 00 00 00 00 00 00
dmesg with USB tethering disabled
[10681.026213] usb 1-1: new high-speed USB device number 15 using xhci_hcd
[10681.225314] usb 1-1: New USB device found, idVendor=05c6, idProduct=f626, bcdDevice= 3.18
[10681.225318] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[10681.225321] usb 1-1: Product: MDM9207-MTP _SN:EEA193BF
[10681.225323] usb 1-1: Manufacturer: Android
[10681.257366] rndis_host 1-1:1.0 eth0: register 'rndis_host' at usb-0000:02:00.0-1, RNDIS device, 2a:64:fe:cd:2b:c7
[10681.267842] rndis_host 1-1:1.0 enp2s0f0u1: renamed from eth0
And indeed, running lsusb -v -d 05c6:f626 seems to only show RNDIS interfaces.
lsusb output
❯ lsusb -v -d 05c6:f626
Bus 001 Device 017: ID 05c6:f626 Qualcomm, Inc. MDM9207-MTP _SN:EEA193BF
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 [unknown]
bDeviceSubClass 0 [unknown]
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x05c6 Qualcomm, Inc.
idProduct 0xf626 MDM9207-MTP _SN:EEA193BF
bcdDevice 3.18
iManufacturer 1 Android
iProduct 2 MDM9207-MTP _SN:EEA193BF
iSerial 3
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x004b
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xa0
(Bus Powered)
Remote Wakeup
MaxPower 500mA
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 0
bInterfaceCount 2
bFunctionClass 224 Wireless
bFunctionSubClass 1 Radio Frequency
bFunctionProtocol 3 RNDIS
iFunction 8 RNDIS
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 3 RNDIS
iInterface 6 RNDIS Communications Control
** UNRECOGNIZED: 05 24 00 10 01
** UNRECOGNIZED: 05 24 01 00 01
** UNRECOGNIZED: 04 24 02 00
** UNRECOGNIZED: 05 24 06 00 01
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 9
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 [unknown]
bInterfaceProtocol 0
iInterface 7 RNDIS Ethernet Data
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0 [unknown]
bDeviceSubClass 0 [unknown]
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 1
Device Status: 0x0000
(Bus Powered)
Connecting via WiFi, I can navigate to 192.168.1.1 without issue and see the hotspot's management page. Running nmap on it, port 5555 shows as filtered; attempting to connect adb over the network with adb connect 192.168.1.1:5555 simply times out after a while.
nmap output
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
5555/tcp filtered freeciv
Any thoughts?
zachary,
your device ID is covered in serial/src/main.rs
(if you were to see 9008 , youd probably have the same problem i did/do. wont get a chance to take a second crack at it until this weekend, i havent modified main.rs to add a use case for 05c6 9008, i could try that before the update and submit a patch if it works)
serial/src/main.rs: if let Some(handle) = open_device(context, 0x05c6, 0xf626) { serial/src/main.rs: if let Some(mut handle) = open_device(context, 0x05c6, 0xf601) { serial/src/main.rs: if let Some(mut handle) = open_device(context, 0x05c6, 0xf622) {
try this 1) "watch dmesg |tail -10"
plug in your USB cable, power your device off, hold power and the little black reset button inside the battery door down for 10+ seconds until you see the qualcomm QDM port(s) present in the dmesg it should boot with a black screen instead of the UI
its tricky and you may see TTYUSBX attach/detach
you only got it when they present and stay attached. see if any difference in behavior. if i dont get it perfect i get a pair of attached/detached messages in the dmesg
couple edits for clarity
I think there are a couple competing issues here.
First for @issacaron make sure you have USB tethering enabled, usually when I get the 'no orbic device found' error it's because USB tethering is not enabled. This is a setting in the device UI. If that doesn't do the trick please post the output of the lsusb command.
For @epsilonaurigae and @zacharyweiss the device doesn't have ADB enabled by default. You need to kick it into ADB mode. The easiest way to do this is with the install-linux.sh or install-mac.sh script but you can also do it manually by running serial --root (I have no idea if this works on windows but I beleive it should though you will have to compile it by hand.) If you are on windows you could try installing it from a live ubuntu USB.
Appreciate your detailed response @epsilonaurigae! Likewise @cooperq, thanks for the input.
While I didn't have any luck following the reset button approach (may have just been finicky timing / PEBKAC), and install-linux.sh alone would always yield the thread panic stating "No Orbic device found", I was able to solve it by borrowing a Windows machine, running the Orbic Update Assistant and disconnecting it upon first reboot of the process. After that, bringing it back to my NixOS machine, it happily showed an adb device, and I was able to run install-linux.sh without issue.
the install-linux script is dependent on finding one of the usb addresses in serial.rs which are 05c6:f622 , 05c6:f626, 05c6:f601 . zacharys good there, im not. only know this from a code comment somewhere asking people to notify if we run across different usb IDs, and will come back to this thread to see if i can use install-linux.sh to coax it into ADB mode with a use case for 05c6:9008
thank you,
okay,
so when i had tried this on ubuntu 24.04.01 on a thinkpad it came up as 05c6:9008. coming home for round 2, i plugged it into a different linux system running 24.04.02 and it came up as 05c6:f626.
the scripts worked ,and although ill probably update the firmware it wasnt apparently necessary.
the only other thing I did different here was use git clone for the repo and run rayhunter/tools/install-dev.sh . on the other system I had downloaded the zip file and run ./install-linux.sh
im on
Current Software Version: ORB400L_V1.1.5_BVZRT Current Hardware Version: V1.1
dmesg output
[ 1167.760765] usb 2-1: New USB device found, idVendor=05c6, idProduct=f626, bcdDevice= 3.18
eps@localhost:~/Downloads/rayhunter/tools$ ./install-dev.sh Using adb at /usr/bin/adb Force a switch into the debug mode to enable ADB adb enabled, waiting for reboot... it's alive! waiting for atfwd_daemon to startup... done! ./rootshell: 1 file pushed, 0 skipped. 806.3 MB/s (927624 bytes in 0.001s) uid=0(root) gid=0(root) we have root! ./config.toml.example: 1 file pushed, ...kipped. 2.4 MB/s (389 bytes in 0.000s) ./rayhunter-daemon: 1 file pushed, 0 s...d. 1.6 MB/s (11619420 bytes in 7.048s) ./scripts/rayhunter_daemon: 1 file pus...kipped. 4.2 MB/s (580 bytes in 0.000s) ./scripts/misc-daemon: 1 file pushed, ...ipped. 6.5 MB/s (2302 bytes in 0.000s) waiting for reboot... done! checking for rayhunter server...success! you can access rayhunter at http://localhost:8080
Had some issues getting it rooted, but I'm in now. Here is what I get at this point:
Using adb at /usr/bin/adb
Force a switch into the debug mode to enable ADB
Device already in command mode. Doing nothing...
adb enabled, waiting for reboot... it's alive!
waiting for atfwd_daemon to startup... done!
./rootshell: 1 file pushed, 0 skipped. 1424.5 MB/s (927624 bytes in 0.001s)
uid=0(root) gid=0(root)
we have root!
./config.toml.example: 1 file pushed, ...kipped. 1.3 MB/s (389 bytes in 0.000s)
adb: error: failed to copy './config.toml.example' to '/tmp/config.toml': remote No space left on device
And here is the output of df:
/ $ sshell
sshell-4.3# df -h
Filesystem Size Used Available Use% Mounted on
ubi0:rootfs 66.0M 60.5M 5.6M 92% /
tmpfs 64.0K 4.0K 60.0K 6% /dev
tmpfs 78.7M 20.0K 78.6M 0% /run
tmpfs 78.7M 78.7M 0 100% /var/volatile
tmpfs 78.7M 0 78.7M 0% /media/ram
ubi0:usrfs 214.7M 1.8M 213.0M 1% /data
/dev/ubi3_0 8.9M 324.0K 8.0M 4% /usrdata
/dev/ubi1_0 37.1M 29.9M 7.2M 81% /firmware
ubi0:cachefs 31.2M 232.0K 29.3M 1% /cache
Okay my ADB was not enabled on my RC400L. I found on an XDA post you needed to "send a USB control message of type LIBUSB_REQUEST_TYPE_VENDOR, request 0xa0, a value of 0, and no data."
Link: https://xdaforums.com/t/resetting-verizon-orbic-speed-rc400l-firmware-flash.4334899/
I wrote a quick little python script to do this. You will need to use the libusb-win32 driver from Zadig first. Feel free to use this code below:
import usb.core
import usb.util
# Find your RC400L device
# Replace these with your device's actual VID and PID
VENDOR_ID = 0x05C6 # Example (Should be the RC400L); replace if needed
PRODUCT_ID = 0xf626 # Replace if needed
dev = usb.core.find(idVendor=VENDOR_ID, idProduct=PRODUCT_ID)
if dev is None:
raise ValueError("Device not found. Check VID and PID.")
# Set configuration
dev.set_configuration()
# Send vendor-specific control message
bmRequestType = 0x40 # Host to device, vendor type, device recipient
bRequest = 0xA0 # Your request code
wValue = 0x0000 # Value = 0
wIndex = 0x0000 # Usually 0 unless otherwise specified
print("[*] Sending control message to enable ADB...")
# dev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_or_wLength=[]) # Oops expected data, crashed but worked
dev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, None)
print("[+] ADB should now be enabled.")
@invaliddev403 this is the first thing the installer does: https://github.com/EFForg/rayhunter/blob/3fa583f671d32a8e3f9dce1705d0dd692041412e/installer/src/orbic.rs#L395-L401
@untitaker Thanks! Apologies I missed that. My modem was just being extra stubborn on Windows then.