Installing Rayhunter on Orbic Hotspot


Rayhunter Project

Several months back I saw an article from the Electronic Frontier Foundation that talked about using cheap mobile hotspots to detect cellphone-intercepting Stingrays. Although I have no use for such a device, I thought it was a cool project. The hardware only cost me $11 on eBay. It seemed like a simple enough project, but I ran into some issues when trying to patch the device from my M2 MacBook, so I thought I’d share what I did to get around the issues. Hopefully it helps someone else in the same situation.


Installing EFF’s Rayhunter on an Orbic Mobile Hotspot

Here’s a step-by-step of how I got EFF’s Rayhunter working on an Orbic Speed RC400L (Verizon) 4G LTE mobile hotspot, including all the weird quirks I had to fix.


Prerequisites

  • An Orbic Speed RC400L 4G LTE hotspot
  • platform-tools (ADB binaries).
  • Rayhunter binaries from EFF: github.com/EFForg/rayhunter.
  • A host machine running macOS (in my case, Apple Silicon).

Enabling ADB

  1. Power on the hotspot and plug it into USB.
  2. Ensure ADB is enabled on the device:
    ./platform-tools/adb devices
    

    You should see a real device listed (e.g. b258a7ae).

  3. If multiple devices show up (like an emulator), use:
    ./platform-tools/adb -s b258a7ae ...
    

    for every command.

  4. I updated the install.sh script to lock ADB to that serial using:
    export ADB=(./platform-tools/adb -s b258a7ae)
    

    And used "${ADB[@]}" to avoid errors like:

    ./platform-tools/adb -s b258a7ae: No such file or directory
    

Patching install.sh

The original install.sh assumes ADB is globally accessible and doesn’t handle multiple devices. I made these changes:

  • Defined ADB with arguments as an array:
    export ADB=(./platform-tools/adb -s b258a7ae)
    
  • Replaced all calls to "$ADB" with "${ADB[@]}".
  • Wrapped critical commands (like checking for atfwd_daemon) in timeout logic so the script doesn’t hang forever.

Example change:

wait_for_atfwd_daemon() {
    echo -n "waiting for atfwd_daemon to startup..."
    for i in {1..60}; do
        if _adb_shell pgrep atfwd_daemon > /dev/null 2>&1; then
            echo " found!"
            return
        fi
        sleep 1
    done
    echo " timeout waiting for atfwd_daemon"
    exit 1
}
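
The patch above hard-codes the serial b258a7ae. As an added example (not part of the original post or of Rayhunter's install.sh), the serial can instead be derived from `adb devices` output, failing when no authorized hardware device or more than one is attached. The function names, the `ADB_BIN` variable and the sample output are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from Rayhunter's install.sh.

# Constructed `adb devices` output: an emulator, an unauthorized phone
# (made-up serial), and the hotspot serial used in the post.
sample_devices() {
    printf 'List of devices attached\n'
    printf 'emulator-5554\tdevice\n'
    printf '0a1b2c3d\tunauthorized\n'
    printf 'b258a7ae\tdevice\n'
}

# Read `adb devices` output on stdin and print the serial of the single
# non-emulator entry in the "device" state (online and authorized).
# Exit status: 0 = exactly one match, 1 = none, 2 = more than one.
pick_adb_serial() {
    awk '
        $1 ~ /^emulator-/         { next }
        NF >= 2 && $2 == "device" { n++; serial = $1 }
        END {
            if (n == 1) print serial
            exit (n == 1 ? 0 : (n > 1 ? 2 : 1))
        }
    '
}

# Run adb against one serial. ADB_BIN is an assumed variable naming the adb
# binary; the serial is passed as its own quoted argument, so nothing is
# word-split into a bogus command path.
adb_for() {
    serial=$1; shift
    "${ADB_BIN:-./platform-tools/adb}" -s "$serial" "$@"
}

# Hypothetical install step: refuse to continue unless the target is unambiguous.
forward_rayhunter_port() {
    serial=$("${ADB_BIN:-./platform-tools/adb}" devices | pick_adb_serial) || {
        echo "expected exactly one authorized hardware device" >&2
        return 1
    }
    adb_for "$serial" forward tcp:8080 tcp:8080
}

# Offline demo on the constructed sample.
sample_devices | pick_adb_serial
```

Refusing to run when the match is ambiguous keeps the install from pushing a root shell binary to the wrong attached device.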

Deploying Rayhunter

Once patched, the install went like this:

./install.sh

The script:

  • Pushed the rootshell binary to /data/local/tmp/
  • Waited for atfwd_daemon to come online
  • Installed and forwarded the Rayhunter server
  • Set up TCP port forwarding with:
    ./platform-tools/adb -s b258a7ae forward tcp:8080 tcp:8080
    

Then, from the host machine, I accessed the Rayhunter web UI at:

http://localhost:8080

Testing Rayhunter (Manually)

Here’s the test_rayhunter() function I used:

test_rayhunter() {
    URL="http://localhost:8080"
    # Forward the device's port 8080 to the host so curl can reach the web UI.
    "${ADB[@]}" forward tcp:8080 tcp:8080 > /dev/null
    echo -n "checking for rayhunter server..."

    # SECONDS is a bash built-in counter; resetting it gives a 30-second budget.
    SECONDS=0
    while (( SECONDS < 30 )); do
        if curl -L --fail-with-body "$URL" -o /dev/null -s; then
            echo "success!"
            echo "you can access rayhunter at $URL"
            return
        fi
        sleep 1
    done
    echo "timeout reached! failed to reach rayhunter url $URL, something went wrong :("
    return 1  # report the timeout to the caller
}

Pro Tips

  • If ADB gets stuck on “more than one device/emulator,” kill the emulator:
    adb -s emulator-XXXX emu kill
    
  • You can always forcibly reset:
    adb kill-server && adb start-server
    
  • Make sure pgrep works on the device; if not, use a ps | grep fallback.