06-01-2012 12:04 PM
just revisiting this thread - nice to see the discussion is still somewhat alive here - wondering if codemonk or others have any updates or new info to share...?
06-01-2012 09:37 PM
@tmiktliu:
this thread began over a year ago. It had a burst of postings late last year. And since then, nothing. More to the point, there have been no postings by anyone discussing their experiences with the actual Rogers W35 unlocking process.
So, pending more postings by those who have actual experience with the unlocking of the W35, our questions remain unanswered. At this point, I personally do not have anything to contribute as my W35 is not unlocked.
I know from reading the W35 System Admin Guide that the device is quite powerful, and has many, many commands available at the command line interface (CLI) level which are not available in the Rogers web-based management interface. You would need to know how to log into the CLI at root level to access these commands.
I agree that it would be interesting to experiment with the CLI commands. It would also require a lot of technical knowledge to understand the consequences of changing the parameters to which these commands allow access. This would seem to be a case of "a little knowledge is dangerous....".
The Ericsson W35 seems to be a quite capable and powerful device. Ericsson extensively described those capabilities in the documentation which they provided online for some time in the past. But for us, the owners of the Rogers W35 variant, these capabilities are not accessible unless Rogers provides us with root access to the CLI.
To this point, no one (including Rogers) has revealed the secret to accessing the W35 CLI as root. If someone knows otherwise, please inform us here.
Thanks in advance for your assistance in this.
skinorth
06-18-2012 05:52 PM
thanks Skinorth. You're right it's got a lot of hidden functionality.
I get it that Rogers doesn't want 10,000 people breaking the device and calling them to fix it. But I'm not buying that this would actually happen.
There is (as you probably know) a CLI command to show the WAN status, which I believe includes the signal information in dBm for the three strongest cells that the device is currently using for connection. Totally harmless from a brick-the-device perspective. And it would be extremely helpful to me when placing / adjusting my external antenna, or just monitoring service levels or trying a different antenna, etc. Unfortunately, I can't even use an "operator" account to run simple status commands like this one. What harm would it do?
They don't have to go to this extreme.
It's too bad this cool gadget will likely become landfill at some point, for no good reason other than someone else holds the keys to its real functionality.
08-01-2012 10:54 AM
Hello from across the pond, I have a couple of these Rogers branded W35s. They came with the operator unlock codes, which are a 10 number/character sequence. So great, I thought, I can use them in the UK (bought from a UK eBayer). However, after entering the unlock code there is still no option to change the area from North America to Europe; it is greyed out. I have even purchased a Rogers SIM card in a vain attempt to get the phone working. I'm not that fussed about 3G as we have satellite broadband. I just wanted a GSM unit with an external aerial to connect as a house phone. If anyone could forward me the admin guide then I could try my operator code & see if I can get inside it with the CLI.
FYI I have attempted to flash with the file on ericssonw35.com but it fails at 81% done. Also it appears that these are not sim locked, another forum user has removed his card & used unlocker to find it is not locked. So just software operator lock. However the original ericsson w35 appears to unlock with a sim code generated by a huawei calculator.
Brian.
08-01-2012 03:37 PM
@BrianM:
I have a .pdf copy of the admin guide, so send me a PM with your email, and I can send it to you as an attachment. It used to be available from the Ericsson FWT website, but that seems now to be history.
I am quite interested in your comments here, on the unlocking of the W35. The device is quite functional at the CLI level, but much of that is not accessible through the web-based management interface.
Also, be careful what you do with firmware "updates". The firmware available on the Ericsson site is in fact an older version than what is on the stock Rogers W35. Do not try to update with that. Others have come to grief doing that.
There is an alternate version of the firmware available for the Bell Canada version of the W35. You can get it here:
It may be something you want to look at.
Let me know how things work out.
skinorth
08-01-2012 05:27 PM
Hi, thanks for the info. The file from Bell is a different size than the one on ericssonw35, maybe this is why it fails at 81% as it is looking for a bigger file. I had wanted to virginize the unit to open the locked state of the 'roaming' so I could set it to Europe. I will try the Bell file but would like to see how to access via the CLI first. I will PM you now. Thanks again, Brian.
08-01-2012 06:59 PM - edited 08-01-2012 07:08 PM
@BrianM:
the file size could be an issue, but would you not expect firmware download file sizes to be different in any case? As updates and/or functionality is added or changed, it seems inevitable that a firmware file would be a different size, if only slightly.
I wonder if a more significant factor is the version relationship between the updates. It has been mentioned before, but I think I should point out that the firmware file on the Ericsson website is in fact an older version than the one running on the Rogers RocketHub. Rogers has never issued an update for the W35 firmware.
Bell Canada on the other hand (they call their version the TurboHub) did get Ericsson to produce a firmware update to resolve certain well-published problems with random Internet disconnects experienced by their customers when using the Bell Canada TurboHub.
Here is the version information for the firmware on my stock Rogers RocketHub:
CXC 172 7031 R13A (Oct 16 2009)
Curiously, the version information on the original firmware for the stock Bell Canada TurboHub is identical to that used on the Rogers RocketHub.
The version information for the Bell firmware after the Bell update is applied to the TurboHub is:
CXC 172 7031 R13B (Nov 18 2010)
The above version information was obtained from the Bell website detailing the firmware update process for their TurboHub:
I know that a W35 running the Bell version of the firmware can successfully run when connected to the Rogers cellular network, when an appropriate Rogers-supplied SIM is inserted. I have seen it done. Which leads me to speculate that the Bell firmware update could in fact be applied to a Rogers-supplied W35 and the device would work successfully.
In fact, I wonder if in fact the Bell updated firmware would not work better than the stock Rogers RocketHub firmware. The Bell update after all is more than a year newer than the Rogers version, and Ericsson must have found at least some issues to correct or improve during that time. It is simple human nature to have included them in the updated firmware.
If I remember correctly, the firmware file available directly from the Ericsson website is actually version R12. I have seen a number of reports that trying to "upgrade" using that particular file will make the web management interface unusable, and result in what is possibly a crippled if not bricked W35. So, do not use that update.
Instead, obtain the updated firmware from the Bell Canada website mentioned above.
skinorth
08-28-2012 07:50 PM
@skinorth
I am currently with Bell and have a w35. Our 2 yr contract has ended and a work associate has offered me a rogers rocket-hub sim card if I assume the remainder of his contract. When I plug in the rogers sim, the device boots up but an unlock code is required by the firmware. Despite the fact that I was assured by the Bell rep that the w35 was not locked when I bought it 2 years ago, as is the case with Rogers, Bell claims that there is no unlock code available for these devices. I have been working in the electronics field for 30 years so I know this is a crock. I paid good money for this modem so I have the right to choose who will be my service provider.
You stated in a previous post that a friend of yours has a Bell Hub running a Rogers sim. I'm not interested in full access to the cli, I just want to run on the Rogers network. What secret incantation did your friend use? Do I need to go back to the original Bell firmware to make this work?
Thanks,
Bryan.
08-28-2012 09:53 PM
@bpiotto:
it is my assumption that the vendor-specific W35 models (specifically the Bell and Rogers variants) have each been configured to access a specific cell network. This was done for both the Bell and Rogers W35 units. This configuration is done by using the W35 cli commands to set the unit up for either the Bell or the Rogers cellular network. Thus the W35 is not really locked; it is preconfigured for each network. You can "unlock" the unit only if you are able to access the cli as root. As we do not know how to do this, the unit is locked to the cellular network for which it was originally configured.
If you need to use the W35 on a different cellular network, you can do this only by accessing the cli, and inputting the required commands. At this point, I have not heard of anyone getting cli access to the W35. I would strongly suspect that both Bell and Rogers know how to gain root access to the W35. They simply are not interested in revealing this information.
So, yes, you "own" the W35, but you do not really have full access to the functionality of the unit. Until someone out there figures out what the "magic incantation" is that will give you cli access, you may well be stuck with your current situation. In my opinion, cli access is mandatory if you wish to reconfigure your W35 to access a different cellular network.
Check out the following URL for some more discussion on this:
http://www.digital-kaos.co.uk/forums/f53/debrand-e
skinorth
09-19-2012 11:50 AM
I was previously in contact with somebody who I think unlocked the w35 by finding the root password. He gave instructions but they were over my head. Here are some details. Mail me if you guys get anywhere.
There are two steps:
1. Get Linux password hash file from router.
2. Decrypt root password from that file.
Loaded Metasploit framework (which can be downloaded separately) and used an exploit called Samba symlink directory traversal exploit.
This will create a share that can browse root. The password file is /etc/passwd; send it to me to compare, maybe same password but different hash.
Use brute force or John the Ripper; settings needed are alpha/numeric upper and lower case and 8 chars.
Do your own research for step one, but the hashes I found are (if you want to try to crack them):
root:$1$nYodaTKk$OtBVMRwxNBDaKA8CuDQ0d1:0:0:root:/
root:$1$2r/Mh5I/$2pFAc6ilZ8Ea14LwwS1yI1:0:0:root:/
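Added example, not part of the original thread or any poster's code: the entries quoted above carry `$1$` (MD5-crypt) hashes directly in `/etc/passwd`, a file every local account can read. The audit below parses passwd-format text and flags hashes stored outside a shadow file, weak crypt schemes, and empty password fields. The account names and hash strings in `SAMPLE` are constructed placeholders.

```python
# Audit passwd-format text for exposed or weak password hashes.
SCHEMES = {  # crypt(3) scheme id -> (name, weak?)
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}

def classify(field):
    """Return (scheme, weak) for a password field, or None if nothing is exposed."""
    if field in ("x", "*", "!", "!!"):
        return None                      # shadowed or locked account
    if field == "":
        return ("empty", True)           # login without any password
    body = field.lstrip("!")             # a leading "!" marks a locked hash
    if body.startswith("$"):
        return SCHEMES.get(body.split("$")[1], ("unknown", True))
    if len(body) == 13:
        return ("descrypt", True)        # legacy DES crypt, 13 characters
    return ("unknown", True)

def audit(passwd_text):
    """Return a list of (line_number, user, message) findings."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue                     # blank or malformed line
        user, pw, uid = fields[0], fields[1], fields[2]
        result = classify(pw)
        if result is None:
            continue
        scheme, weak = result
        if scheme == "empty":
            msg = "empty password field"
        else:
            msg = f"{scheme} hash stored in world-readable passwd file"
            if weak:
                msg += " (weak scheme)"
        if uid == "0":
            msg += " [uid 0]"
        findings.append((lineno, user, msg))
    return findings

# Constructed sample input; hash values are placeholders, not real hashes.
SAMPLE = """\
root:$1$SALTSALT$PLACEHOLDERHASHVALUE00:0:0:root:/root:/bin/sh
operator:x:500:500:operator:/home/operator:/bin/sh
guest::501:501:guest:/tmp:/bin/false
backup:$6$SALTSALT$PLACEHOLDERHASH:502:502::/var/backup:/bin/false
"""

if __name__ == "__main__":
    for lineno, user, msg in audit(SAMPLE):
        print(f"line {lineno}: {user}: {msg}")
```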
