  1. #31
    Newbie
    Join Date
    Aug 2012
    Posts
    17

    @kcmconnect:

    You do not mention what the version/release of your original firmware was before your attempted upgrade. But please note that the filename of the firmware on the Ericsson site indicates it is a Release 12.
    I know that both Bell Canada and Rogers sold W35s which use firmware which is Release 13. Bell Canada did issue an updated firmware which can be found here:

    How to update the software on my Ericsson W35 Turbo Hub

    I have read a number of other reports by individuals who attempted upgrades with the firmware from the Ericsson site. They reported similar results to you. No one, to the best of my knowledge, ever posted instructions for recovering their W35 from that state. If someone has, in fact, recovered from an attempted upgrade with the R12 Ericsson firmware, please post your recommendations here on how to recover and regain control/use of the W35.
    Last edited by westofanywhere; 31st October, 2012 at 12:48 AM. Reason: spelling and other corrections

  2. #32
    Newbie
    Join Date
    Oct 2012
    Posts
    3

    Recover W35

    I have confirmed that it was at V13 previous to the failed upgrade. I have tried the Metasploit method; however, it appears as though the SMB share is not write accessible with the default user. Does anyone have an idea of a user that would gain me write access to the share? Here is my console output:

    [*] Connecting to the server...
    [*] Trying to mount writeable share '0041541b-'...
    [*] Trying to link 'rooted' to the root filesystem...
    [-] Auxiliary failed: Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=50 WordCount=0)
    [-] Call stack:
    [-] C:/metasploit/apps/pro/msf3/lib/rex/proto/smb/client.rb:215:in `smb_recv_parse'
    [-] C:/metasploit/apps/pro/msf3/lib/rex/proto/smb/client.rb:1621:in `trans2'
    [-] C:/metasploit/apps/pro/msf3/lib/rex/proto/smb/client.rb:1742:in `symlink'
    [-] C:/metasploit/apps/pro/msf3/modules/auxiliary/admin/smb/samba_symlink_traversal.rb:67:in `run'
    [*] Auxiliary module execution completed
    msf auxiliary(samba_symlink_traversal) >


    I am confident that with the hashes I might get somewhere. Otherwise I'm open to other options as well.

    What's the possibility of a TTL / RS232 interface or JTAG? I noticed that there are pogo pads (5 of them) on the back side of the router daughter board. There is a cutout on the front of the unit to allow access to these pogo pads with the router board installed, which leads me to believe they are for debug / diagnostic purposes. The unit does not POST without the router board installed.

    I have taken basic readings and have come up with the following values:

    1 2 3 4 5

    pad 1 = 3.3v
    pad 2 = GND
    pad 3 = 3.3v
    pad 4 = GND
    pad 5 = 0.3V

    Anyone care to take a guess?

  3. #33
    Newbie
    Join Date
    Nov 2012
    Posts
    2

    Debranding the W35

    Getting the "root" password is the main aspect. Getting the manual too is another.

  4. #34
    Newbie
    Join Date
    Nov 2012
    Posts
    2

    Firmware update on W35

    Is there a way to update or flash the firmware via CLI mode or let the device fetch a compatible firmware from an FTP site? I am out of luck here.

  5. #35
    Newbie
    Join Date
    Aug 2012
    Posts
    17

    @abeiku12 & others:

    As you mentioned, getting the root password and gaining access to the CLI is the key.
    I was just reading the W3x Administrators Guide, and it describes various ways of updating the firmware, as well as ways of recovering from an unsuccessful update attempt. To quote that document:
    "The Ericsson W3x runs Linux OS. The flash file system is formatted as two partitions, each capable of holding a complete software image. If a software update process should get interrupted, e.g. power failure during the update process, there is always a last known good firmware image to boot from.
    Software updates can be performed either manually using the FTP or HTTP(s) protocols, or automatically using TR-069 (CWMP)."

    Of course, CLI access seems to be required in order to perform the recovery.

    Also mentioned is that a software update can be done via CLI commands from a file on a USB stick:
    "Manual software updates is supported from FTP or HTTP(s) servers using the swinst command. The swinst command can also get the image file from the local file system. The local file system includes whatever is mounted as USB storage. For example, the software image can be put on a USB memory stick which then is inserted into the Ericsson W3x."

    So, for those of you who have the problem of recovering from an unsuccessful "upgrade" using the R12 firmware release currently available from the Ericsson site, I would first try to get into the CLI using the published default username/password combinations to see if you can get CLI access:
    "The factory default settings for the unit define .... user IDs:
    root with initial password feb.07
    operator with initial password -cpeps"

    This may be a "long shot", but according to the Administrators Guide, applicable to the R12 release. So, try it and see what happens. The Administrators Guide .pdf is available earlier in this thread as a download.

    The information relating to updating firmware from the CLI, etc., can be found in the "Management Tools" chapter beginning on page 90.

    So, give it a try. Let us know if it works.

    Good Luck!

    westofanywhere
    Last edited by westofanywhere; 4th November, 2012 at 02:17 PM. Reason: corrections and additions

  6. #36
    Newbie
    Join Date
    Nov 2012
    Posts
    1

    Qs

    Hi all, is the root password the same for all devices?

    Has anyone cracked the posted password provided?

    Also, anyone figured out how to de-brick a W35?

    Thx!

  7. #37
    Newbie
    Join Date
    Aug 2012
    Posts
    17

    I doubt that the root password would be the same for W35s from different carriers. That would sort of defeat the purpose of basic security for the device. But until we actually have those passwords available, we won't know.

    No one has yet admitted to, or boasted of, successfully cracking the password file posted earlier in this thread.

    I have not seen any directions for debricking the W35. If anyone knows how, we hope they would share their knowledge.

    westofanywhere

  8. #38
    Newbie
    Join Date
    Aug 2012
    Posts
    17

    "Debrand" = "jailbroken"? Possible consequences

    @All:

    We have been discussing the "debranding" of the Ericsson W35. Attention has been primarily directed at obtaining root access to the Linux/Busybox OS which the W35 uses. But do we understand and accept the consequences of success here?

    Recently I received a report on mobile phone malware from Sophos, a security organization, at the following URL:

    http://www.sophos.com/en-us/medialib...oes_Mobile.pdf

    As I read this report, I could not help but think of the consequences of "debranding" the W35. I had cause to reflect on several issues relating to malware and device security which were mentioned in this report:

    1. Many older mobile devices will not receive firmware updates issued by their vendors. As a result, functional, security and other problems which are currently known in the existing firmwares will likely never be resolved.

    The W35 now appears to be such a "dormant" device. The vendor is not issuing firmware updates, and has not for some time. I suspect that without vendor (Ericsson) support no carrier who has provided the W35 to its customers will have the ability to develop independently a firmware update. Given the changes in technology over time there would seem to be little incentive as well to develop or issue any updates.

    2. "Unlocked" and/or "jailbroken" mobile devices can represent potential security risks to the networks (LAN) to which they connect. The user/owner of the mobile device is now responsible for the mobile device security, and how well will this be done, and what security "policies" will the owner/user follow? As well, jailbroken mobile devices are significantly more prone to being affected by malware.

    The Sophos report concludes that jailbroken mobile devices (in this case primarily smart phones) should not be allowed on corporate networks as they represent a security risk and a significant risk as being hosts for malware.

    Now, how does this apply to us, who are dealing with the W35?

    So, ask yourself these questions: if we get to know the root password for the W35, will we be responsible holders of this information, and put our own strong security in place?

    Can we correct the known security problems which exist in the current Linux firmware on the device?

    Could we possibly create and issue firmware updates containing the required corrections as and when we successfully develop and test them?

    The W35 CLI seems like it has quite a few powerful capabilities, the exercise of which could negatively affect the cell network to which the W35 connects. Once we know the root password, will we be able to exercise our new-found powers correctly and responsibly, and not affect negatively either the cell network, or other customers on the cell network?

    As for malware, well, could there be malware infections possible for a jailbroken W35?

    westofanywhere
    Last edited by westofanywhere; 1st December, 2012 at 04:30 PM. Reason: Corrections and additions

  9. #39
    Newbie
    Join Date
    Dec 2012
    Posts
    3

    Quote: Originally posted by westofanywhere
    The W35 runs Linux. As you might expect, there is a functionally rich set of CLI tools to set up, configure and determine the status of the W35. Included in these tools are configuration functions which set up the country, operator and cellular functionality for the device.

    The key is that you need cli access as user "operator" or "root" via telnet or ssh2 to perform these functions. I should point out as well that the W35 cli functionality is documented in the W35 System Admin Guide, which used to be available from the Ericsson FWT website. I don't know where it can be obtained now, but I do have a .pdf copy of this document on my PC.

    You should also be aware that both the Rogers W35 RocketHub and the Bell W35 TurboHub originally ran the same R13A version of the W35 firmware dated Oct 16, 2009. Bell eventually issued a firmware update R13B dated Nov 18, 2010.

    The W35 System Admin Guide of which I have a copy is for the R12 release of the W35 firmware.

    So, the long and the short of it is, that if you can figure out how to access linux on the W35 as root, you will likely be able to configure the device to the full extent of its capabilities. And yes, the W35 System Admin Guide does mention that there are three different versions of the W35: "There are different models of the Ericsson W35 available each supporting different combinations of frequency bands; 850/1900/2100 MHz, 900/1900/2100 MHz and 2100 MHz only." I have not yet determined how you can tell which variant is which, other than by using it. Could it be that the device has hardware differences to accommodate those three variants?



    westofanywhere

    Has telnet access been disabled in these W35 units, i.e. telnet in using root@192.168, etc.?

  10. #40
    Newbie
    Join Date
    Aug 2012
    Posts
    17

    Telnet is enabled, but we do not know the root password and hence any login attempts are unsuccessful.

    westofanywhere

  11. #41
    Newbie
    Join Date
    Dec 2012
    Posts
    3

    R13A version of the W35 firmware dated Oct 16, 2009. Bell eventually issued a firmware update R13B dated Nov 18, 2010.

    The original OEM firmware admin manual specified a root password of 'feb.07' I believe; if the upgrades hold true to the same pattern, one might try 'oct.09' and/or 'nov.10' possibly. I haven't got the unit handy to try right now but intend to try that.

    When I got the unlock code from the original ISP, at a cost of $50, they would not just give me the code; I had to be online, viewing the WebGui control page of the W35 on the "enter the code" page. While on that page I was put on hold many times with little or no explanation, and during one discussion they asked for the new ISP company name, which is not req'd from my privacy perspective; when I objected to giving that info out they then just insisted on knowing the region it will operate in. This appears to be related to the customizing of the frequencies and band options, and it appears on unlocking that as soon as it was unlocked, the databases were locked so that any use of the machine was rendered impossible without the root password.

    It struck me as odd that they insist on having it online and active before they would just give me a code to write down and use myself. I suspect there was some form of tftp taking place transparent to me and that was the reason for the question about regions of use/ISP.

    It is a little like buying a car from mfr #1, and two years later trading it in on one from mfr #2, but needing a technical release to do so; mfr #1 disables the ECM module so that the trade-in value at mfr #2 is gone, out of spite for you following the free enterprise theory of competition and going elsewhere.

    Rogers was the original ISP.

    I subsequently did a firmware reinstall to the mfr's original download package, and the db is still locked and the root password did not get changed with the Ericsson firmware install, it appears.
    Last edited by Flaggmann; 8th December, 2012 at 04:21 PM. Reason: update info

  12. #42
    Newbie
    Join Date
    Aug 2012
    Posts
    17

    @Flaggmann:

    I just tried your suggestion on my W35. Using "oct.09" did not work as root password. Several other variants of that theme failed as well.

    I remember trying that some months ago, and having it fail. Actually, it makes sense that an ISP would not make their root password for the device quite so obvious.

    You state: "...and it appears on unlocking that as soon as it was unlocked, the databases were locked so that any use of the machine was rendered impossible without the root password." I'm not sure what you mean by that. Would you mind explaining?

    You also wrote:

    "It struck me as odd that they insist on having it online and active before they would just give me a code to write down and use myself. I suspect there was some form of tftp taking place transparent to me and that was the reason for the question about regions of use/ISP."

    The requirement to have the device online could be for a number of reasons I can think of, including so they could access the device to confirm device parameter settings, or to change them as required.

    Certainly, the device settings would need to reflect the geographic location in which it is to be used as cell networks differ from continent to continent and amongst carriers.

    In general the whole concept of "ownership" of technological devices is being redefined to mean "right to use", with the selling company retaining rights of ownership of the "intellectual property" which is at the heart of the device.

    You make reference to the automotive world. Today, our automobiles depend on a quite sophisticated computer, as you mention, the ECM. There has been ongoing a major dispute over who has the right to use the diagnostic and monitoring capabilities of the ECM. The automotive companies wanted to hold onto the rights to use the ECM capabilities so that we would need to go to one of their dealers to have problems diagnosed and repaired.

    So, it would appear that the owner of the automobile has the "right to use". But beyond that access to the technology is again controlled by the manufacturer as much as possible.

    I do not expect the equivalent of a DD-WRT or tomato firmware for the W35 to appear anytime soon, if only because the W35 connects to the cell networks owned by the carriers, rather than the less complex and benign SOHO LAN environments.

    westofanywhere

  13. #43
    Newbie
    Join Date
    Jan 2013
    Posts
    3

    Hello everyone. I am new on this forum. I have read the FAQ, but if I am making any mistake please forgive me. Since I didn't do my research properly before, I am now in the same trouble as Kobiss and Kcmconnect, so is there someone who has come up with a solution on how to recover from a bad firmware upgrade, following the last westofanywhere suggestion on 3rd November, 2012? I've worked on it my way and nothing good came out, but I am not the best at it. So if someone has something that we didn't try yet, please tell us.

    Thank you all for that precious information.

  14. #44
    Newbie
    Join Date
    Jan 2013
    Posts
    3

    I am at a dead end now. I've tried to log in with telnet and SSH but nothing works. I tried all the user IDs and passwords I've found in the administrator guide and that didn't work.
    Has anyone been through this before? Someone please help me.
    Anything can help.
    Thank you
    rickwr88

  15. #45
    Newbie
    Join Date
    Jun 2010
    Posts
    1

    Debranding Ericsson W35

    For me, I managed to secure a root password from a friend in Ghana, but after unlocking the Ericsson W35 using the Telnet commands it is unlocked and detects other operators, but the problem is that I cannot change the APN of the main ISP, which is ZAIN or AIRTEL from Ghana.
    I even upgraded the W35 firmware, which is 12C of April 2009, from the Ericsson website, which went successfully, but note that when upgrading the firmware you need to have a lot of patience as this may take up to 5 to 15 minutes, so you don't need to be in too much of a hurry.
    My problem is how I can change the APN from INTERNET to another network's APN.

 

 