SIM Card Compatibility on Unifi LTE Backup Pro
Disclaimer: This post is meant to be educational. I’m not a telecom expert, and I’m not sure if there are negative consequences of not using an AT&T SIM in the USA. I’m just here to learn about telecom and binaries.
Attributions
The Problem
The Unifi-LTE-Backup-Pro allows users to insert their own SIM card into the device. Unfortunately, users are carrier-locked into using AT&T SIM cards. The Sierra Wireless RC7611 modem chip the LTE router uses doesn’t appear to be locked to a fixed carrier. Ubiquiti is a bit unclear about what’s possible and what’s not on this hardware. This post is meant to document what the LTE router is compatible and incompatible with.
Gathering Information
AT-Commands
AT commands are a standard set of text commands that most cellular modems accept.
RC76xx AT-Command Reference Manual: https://www.bipom.com/documents/sierra/AirPrime%20-%20RC76xx%20-%20AT%20Command%20Reference%20Guide%20-%20Rev4.0.pdf
If we SSH into the LTE router, we can issue AT commands to glean some valuable info. The modem in our LTE-Backup-Pro is exposed at /dev/ttyUSB2. To read AT-command output, run cat < /dev/ttyUSB2 after SSH-ing into the LTE router; in a separate SSH session, send a command with echo "ATI" > /dev/ttyUSB2. You should receive output similar to the following (the redactions are my own):
root@U-LTE-Pro:~# cat < /dev/ttyUSB2
ATI
Manufacturer: Sierra Wireless, Incorporated
Model: RC7611
Revision: SWI9X07H_00.08.20.00 d73df7 jenkins 2021/10/14 00:48:45
IMEI: [REDACTED]
IMEI SV: 18
FSN: [REDACTED]
+GCAP: +CGSM
OK
This printout confirms that the device uses an RC7611 modem chip and suggests it is running generic (non-carrier-specific) firmware, although the ATI output alone is not conclusive on that point.
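As an added example (not part of the original post), here is a small Python helper that parses an AT response such as the ATI output above into its fields and final result code. The sample text is constructed from the output above with the IMEI and FSN left as placeholders. The at_query function writes to /dev/ttyUSB2 the same way the echo and cat commands do and assumes the tty is already usable in line mode, as the post's workflow implies; it is an assumption of this example, not something the post documents.

```python
"""Parse the response of a Sierra Wireless modem to an AT command.

Added example, not code from the original post. The ATI text below is
constructed from the output shown in the post, with IMEI/FSN placeholders.
"""
import os
import select

# Constructed sample: the ATI output from the post, IMEI/FSN kept as placeholders.
SAMPLE_ATI = """ATI
Manufacturer: Sierra Wireless, Incorporated
Model: RC7611
Revision: SWI9X07H_00.08.20.00 d73df7 jenkins 2021/10/14 00:48:45
IMEI: [REDACTED]
IMEI SV: 18
FSN: [REDACTED]
+GCAP: +CGSM
OK
"""

FINAL_RESULT_CODES = ("OK", "ERROR")


def parse_at_response(raw, command=None):
    """Split an AT response into (fields, result).

    fields: dict built from 'Key: value' lines, e.g. {'Model': 'RC7611'}.
    result: final result code ('OK', 'ERROR', '+CME ERROR: ...'), or None if
            the response was cut off before a final result code arrived.
    """
    fields = {}
    result = None
    for line in raw.splitlines():
        line = line.strip()
        if not line or (command and line.upper() == command.upper()):
            continue  # blank line, or the modem echoing the command we sent
        if (line in FINAL_RESULT_CODES or line.startswith("+CME ERROR")
                or line.startswith("+CMS ERROR")):
            result = line
            break
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields, result


def describe_modem(raw):
    """Summarise ATI output: vendor, model, firmware revision, completion."""
    fields, result = parse_at_response(raw, command="ATI")
    return {
        "manufacturer": fields.get("Manufacturer"),
        "model": fields.get("Model"),
        "revision": fields.get("Revision"),
        "imei_sv": fields.get("IMEI SV"),
        "ok": result == "OK",
    }


def at_query(command, tty="/dev/ttyUSB2", timeout=3.0):
    """Send one AT command to the modem tty and return the raw response text.

    ASSUMPTION: like the post's echo/cat workflow, this relies on the tty
    already being configured for line-mode use. Not exercised offline.
    """
    fd = os.open(tty, os.O_RDWR | os.O_NOCTTY)
    try:
        os.write(fd, (command + "\r").encode())
        chunks = []
        while True:
            ready, _, _ = select.select([fd], [], [], timeout)
            if not ready:
                break  # nothing more within the timeout; return what we have
            data = os.read(fd, 4096)
            if not data:
                break
            chunks.append(data)
            text = b"".join(chunks).decode(errors="replace")
            if parse_at_response(text, command)[1] is not None:
                return text  # final result code seen, response is complete
        return b"".join(chunks).decode(errors="replace")
    finally:
        os.close(fd)


if __name__ == "__main__":
    print(describe_modem(SAMPLE_ATI))
```

Running the block offline prints the parsed summary of the sample; on the router itself, describe_modem(at_query("ATI")) gives the same structure from the live modem.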
uiwwand
What is this binary?
The U-LTE-Backup-Pro runs a watchdog script that starts/checks/bounces the binary /usr/bin/uiwwand.
root@U-LTE-Pro:~# ps w | grep "watch"
1403 root 1248 S {modem_watchdog.} /bin/sh /etc/ltecfg/modem_watchdog.sh
13578 root 1264 R sh /usr/etc/syswrapper.sh ssh-trace-cmd -c ps w | grep "watch" -n 4 -i
13580 root 1208 S grep watch
If we grep the /usr/bin/uiwwand binary for "SIM", we find a number of SIM-related strings:
root@U-LTE-Pro:~# grep "SIM" /usr/bin/uiwwand
EVENT_SIM_READY
EVENT_SIM_REMOVED
STATE_SIM_ACTIVATION
SIM card removed
AUTO-SIM
uim: PIN '%s' is eligible to be verified for SIM with ICCID %s
uim: PIN '%s' was detected as incorrect previously for SIM with ICCID %s, refusing to verify
uim: PIN '%s' is eligible to be verified for SIM with ICCID %s (PIN1 retries = 3)
Incompatible SIM (MCC: %d, MNC: %d)
SIM powered off
SIM powered on
MNC length from SIM: %d
MCC %d, MNC %d from SIM
SIM data read successfully
SIM data could not be read
AUTO-SIM
ULTE-Pro-US: Canada SIM detected: mcc=%i mnc=%i (PRI=%s)
ULTE-Pro-US: %s'AT&T (US)' SIM detected:mcc=%i mnc=%i (PRI=%s)
ULTE-Pro-US: SIM is incompatible
Skip enable_autoconnect() because the SIM card is not compatible
Skip seq_set_profile() because the SIM card is not compatible
This binary is clearly important and SIM-related. We notice from the strings that the code should work with all Canadian SIMs, but only AT&T SIMs in the US.
SCP the binary
The U-LTE-Backup-Pro runs some sort of read-only RamFS Linux OS. To SCP files on and off the device, you need to run scp in legacy (SCP-protocol) mode, since SFTP is not available, e.g.:
scp -O root@192.168.0.123:/usr/bin/uiwwand .
Reading the manual
If we look through the manual, the RC7611 can load either carrier-specific profiles or AUTO-SIM, which selects a profile based on the carrier of the inserted SIM.
Studying the binary printouts
The code uses the MCC (mobile country code) and MNC (mobile network code) to determine the country and carrier of the SIM card. The logic checks whether the MCC is Canadian (302, or 0x12e in hex). If the MCC is Canadian, it will load the AUTO-SIM profile. If the MCC is NOT Canadian, the code assumes the MCC is American and checks whether the MNC belongs to AT&T. If the MNC doesn’t belong to AT&T, the code will error out. It’s not clear why Unifi will not allow the AUTO-SIM profile to be loaded in the United States. In any case, it would appear that the AT&T SIM restriction is only a software check and not a hardware incompatibility. Canadian SIMs don’t appear to have any carrier restrictions.
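To make that decision logic concrete, here is a small Python model of it. This is an added example written for this post, not code from uiwwand or from Ubiquiti: it splits an IMSI into MCC and MNC using the MNC length the SIM reports (what the "MNC length from SIM" string above refers to) and then applies the Canada/AT&T rule exactly as described. The AT&T MNC set is an assumption for illustration, since the real list compiled into the binary is not visible in the strings output, and the sample IMSIs are constructed (public PLMN prefixes followed by dummy subscriber digits).

```python
"""Model of the SIM-compatibility decision described in the post.

Added example, not code from uiwwand or Ubiquiti. It reproduces the check as
the post describes it: MCC 302 (Canada) -> AUTO-SIM profile; any other MCC is
treated as US and accepted only if the MNC is an AT&T MNC; otherwise the SIM
is reported incompatible and profile setup is skipped.
"""

CANADA_MCC = 302        # 0x12e, the constant loaded into v0 in the post

# ASSUMPTION: illustrative AT&T (US) MNCs. The real list compiled into
# uiwwand is not visible in the post's strings output.
ATT_US_MNCS = {410, 150, 280}


def split_imsi(imsi, mnc_length):
    """Split an IMSI into (mcc, mnc) given the MNC length (2 or 3 digits).

    The MNC length comes from the SIM itself (its administrative data file),
    which is what the 'MNC length from SIM: %d' string refers to.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6-15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    mcc = int(imsi[:3])
    mnc = int(imsi[3:3 + mnc_length])
    return mcc, mnc


def classify_sim(mcc, mnc):
    """Return the profile choice uiwwand would make, per the post.

    'AUTO-SIM'     -> Canadian MCC; the modem picks the profile from the SIM
    'AT&T (US)'    -> non-Canadian MCC with an AT&T MNC
    'incompatible' -> anything else (enable_autoconnect/seq_set_profile skipped)
    """
    if mcc == CANADA_MCC:
        return "AUTO-SIM"          # MNC is not consulted at all for Canada
    # A non-Canadian MCC is simply assumed to be US; the MCC value itself
    # is not compared against 310, only the MNC is checked.
    if mnc in ATT_US_MNCS:
        return "AT&T (US)"
    return "incompatible"


def check_sim(imsi, mnc_length):
    """Combine both steps and return a log-style summary dict."""
    mcc, mnc = split_imsi(imsi, mnc_length)
    return {"mcc": mcc, "mnc": mnc, "profile": classify_sim(mcc, mnc)}


if __name__ == "__main__":
    # Constructed IMSIs: public MCC/MNC prefixes, dummy subscriber digits.
    samples = (
        ("302720123456789", 3),   # Canadian MCC -> AUTO-SIM regardless of MNC
        ("310410123456789", 3),   # US MCC with an (assumed) AT&T MNC
        ("310260123456789", 3),   # US MCC, non-AT&T MNC -> incompatible
        ("234150123456789", 2),   # non-Canadian, non-US MCC -> incompatible
    )
    for imsi, mnc_len in samples:
        print(imsi, check_sim(imsi, mnc_len))
```

The last sample illustrates the consequence of the "assume US if not Canadian" shortcut: a SIM from any third country falls through to the AT&T MNC test and is rejected even though the modem's AUTO-SIM mode could in principle have handled it.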
Notice what would happen if uiwwand could be made to think the SIM card is Canadian. From u/MrNerdHair’s Reddit post, we see that the check comes down to two instructions, which disassemble to the following:
24 02 01 2e li v0,0x12e // Load 302 into v0
14 62 00 04 bne v1,v0,PC+4 // If v1 != 302 (v0), branch to PC+4, else execute next instruction
As the post points out, changing the bytes 14 62 00 04 -> 14 62 00 01 will cause the bne’s jump to go to PC+1, which essentially makes the bne a nop.