05 December, 2008

Changes in Ericsson W25 11B firmware

I have not checked it very thoroughly, but Ericsson has changed a lot of the programs used in the Ericsson W25 router.

I have mentioned before that wget has disappeared. The time setting from the network is now fixed; it stays up and running even after connecting to and disconnecting from the Internet.

Another change is that the DNS and DHCP services were changed to a program called DNS relay; you can find its description here. If you want your domain handled with it, simply put the following line in your /etc/dhcpdoptions.conf file:

domain=your.domain

Another new tool is xl2tpd (which is not an Excel to PDF converter :-), which is the tunneling (e.g. IPsec) handling part. A description of a similar program can be found here.

14 comments:

Anonymous said...

Hello Laco,
I have a W25, but it is operator locked so I cannot access it via telnet. My only access is "user" through the web interface. Do you know of any way to unlock this box?

Lacó said...

There are at least two ways to get root access to the W25 and none of them is easy.

The first one is if you manage to convince your operator that you need this password and they give it to you.

The second one is more technical and I have not tried to do it, but I think that it can work.

You need to do the following steps:
1) Get access to the RedBoot boot loader of the device. This is easy on one hand and very difficult on the other. When the device boots up, the bootloader gets the address 192.168.1.1 and you can connect to the boot loader with a simple telnet session on port 9000 (if I remember well). There you have one second to press Ctrl-C to skip booting and get to the RedBoot menu. (This is very challenging; I have never managed to reach this.)
2) When you are at the RedBoot prompt you should dump the rw filesystem from the flash.
3) The rwfs is a jffs2 type filesystem, from here you should extract the running.cdb file and in the file you can find the password.

Anonymous said...

hello,

I also tried to unsquash the filesystem with a friend, but it's a special unsquash-lzma Version 3.0 that needs modifications.

Before getting one of them, can you post all the command lines the Ericsson has?

Another strange thing:
I grepped wanfw (GSM stack firmware)
and there are strings like:

ps_tcptimer.c
ps_tcpshell.c

Is there an IP to access the GSM stack shell?
Normally there is only serial /dev/modem ...

Can you verify it ?

Thanks ;)
Fred.

Lacó said...

Here is a list of available commands on the Ericsson W25: http://networkingathome.blogspot.com/2008/05/available-linux-commands-in-ericsson.html

It is valid for version 9 (if I remember correctly), in version 11 they have removed some commands (e.g. wget and ssh) and added some new ones.

I am not familiar with the GSM modem SW at all. What I saw in earlier versions of the W25 was that they had 3 USB serial connections to the GSM module; these were used to send commands to the modem, and a ppp connection is used for the internet traffic.

In the gsm firmware there can be an IP stack implemented, because it may be needed for the communication over the radio network or because it is needed for handling the ppp connection.

Anonymous said...

Thanks Laco..

I saw the commands, it's interesting.
I'm a bit familiar with GSM modems.

What version of firmware do you have?

The Ericsson W25 uses the MSM6280 Qualcomm chipset and they bought this from Sierra Wireless.
Sometimes vendors give a GSM trace serial device.

Filesystem :

Due to the difficulties with unsquashfs on rootfs.squashfs, maybe we can extract the rootfs filesystem directly from the Ericsson command line:

+ we need to know how the NAND memory is structured, like: "cat /proc/mtd"

+ try to use the dd utility to dump the root filesystem, saving it on a USB disk. Afterwards we can reconstruct rootfs.squashfs using our version.

dmesg would be appreciated ;) Of course, don't forget to remove your personal parameters.

;)
Thanks.
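The partition-map step from the comment above, as an added example that is not part of the original thread: it parses `cat /proc/mtd` output, derives the block device and block count for a whole-partition read, and checks a dump's length against the partition size. The sample text, partition names and sizes are constructed; only `kernel_A` and the use of mtdblock2 as root are names that appear on this page.

```python
import re

# Constructed sample of `cat /proc/mtd` output. Names and sizes are
# illustrative, not read from a real W25.
SAMPLE_PROC_MTD = """dev:    size   erasesize  name
mtd0: 00040000 00020000 "RedBoot"
mtd1: 00200000 00020000 "kernel_A"
mtd2: 00a00000 00020000 "rootfs_A"
mtd3: 00400000 00020000 "rwfs"
"""

LINE_RE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"$')


def parse_proc_mtd(text):
    """Parse /proc/mtd text into a list of partition dicts (sizes in bytes)."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # header line or blank
        dev, size, erase, name = m.groups()
        parts.append({"dev": dev, "name": name,
                      "size": int(size, 16), "erasesize": int(erase, 16)})
    return parts


def dump_plan(part):
    """Block device, block size and block count for a whole-partition read."""
    if part["size"] % part["erasesize"]:
        raise ValueError("partition size is not a multiple of the erase size")
    return ("/dev/mtdblock" + part["dev"][3:], part["erasesize"],
            part["size"] // part["erasesize"])


def check_dump(part, dump_len):
    """Classify a dump file by comparing its length with the partition size."""
    if dump_len == part["size"]:
        return "complete"
    return "truncated" if dump_len < part["size"] else "oversized"


if __name__ == "__main__":
    for p in parse_proc_mtd(SAMPLE_PROC_MTD):
        dev, bs, count = dump_plan(p)
        print(f'{p["name"]:10} {p["size"]:>9} bytes  {dev} bs={bs} count={count}')
```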

Lacó said...

If you send me a disposable email address I will send you what you need.

Andreas Schütz said...

Hello Lacó

I've just bought a W25 but I have a problem: it is locked - the SIM card has to be of a particular mobile telecom. Do you have any tips to unlock the W25? Or do I need to get the root password as you have shown in your previous comment?

Thanks

Andreas - Brazil

Lacó said...

I do not know exactly how the Network Lock is implemented. If it is implemented in the router part, then probably after getting root access you can hack it out.

If it is in the UMTS modem part, then the root password may not help you.

Feri said...

How to get root access to W25:

1) Get RedBoot prompt via serial console (I have not tried the
2) Load and execute kernel with one extra parameter. After the boot process you will get a root prompt.
   RedBoot> fis load kernel_A
   RedBoot> exec -c "console=ttyS0,115200 root=/dev/mtdblock2 init=/bin/sh" 0x00040000
3) At the root prompt run the init script. You will get back the root prompt.
   / # /etc/init.d/rc.sysinit
4) Now you can do whatever you want, e.g. clear the root pwd:
   vi /etc/passwd
   delete the encrypted password.
5) / # exit; reboot

Enjoy!
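An audit for the two traces the procedure above leaves, as an added example that is not part of the original comment: a kernel command line whose init= points at a shell, and an account with an empty password field. The passwd and shadow samples are constructed; the command line is the one quoted in the comment.

```python
SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash", "/bin/busybox"}

# Kernel command line as quoted in the comment above.
SAMPLE_CMDLINE = "console=ttyS0,115200 root=/dev/mtdblock2 init=/bin/sh"

# Constructed passwd/shadow contents; the hash is a placeholder.
SAMPLE_PASSWD = ("root::0:0:root:/root:/bin/sh\n"
                 "user:x:500:500::/home/user:/bin/sh\n")
SAMPLE_SHADOW = "user:$1$constructed$placeholderhash:14000:0:99999:7:::\n"


def audit_cmdline(cmdline):
    """Return init=/rdinit= parameters that replace init with a shell."""
    hits = []
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if sep and key in ("init", "rdinit") and value in SHELLS:
            hits.append(token)
    return hits


def empty_password_accounts(passwd_text, shadow_text=""):
    """Return account names whose effective password field is empty."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    empty = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # comment or malformed entry
        name, pw = fields[0], fields[1]
        if pw == "x" and name in shadow:
            pw = shadow[name]  # the real field lives in the shadow file
        if pw == "":
            empty.append(name)
    return empty


if __name__ == "__main__":
    # On a live system, read /proc/cmdline and /etc/passwd instead.
    print("init override:", audit_cmdline(SAMPLE_CMDLINE))
    print("empty passwords:", empty_password_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
```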

markus said...

Is there anyone who got it working? If yes, how???

Lacó said...

I have not tried it, because I have no access to the serial port. (I think that you have to do some soldering to get it to work on the W25.)

I could get access to the boot loader over the network (I have described how in a previous post), and probably it is possible to do some similar magic from there as well.

Marie said...

Hi.. Hope someone can Help me. I just bought the W25 and I want to Play Online With Xbox 360. The xbox is giving me an error that I need to change the MTU setting on my modem to 1394. I don't have any idea how to change it... Any ideas?

alex said...

Hi Laco!

I've managed to get into the Redboot menu on my W21 over telnet. The trick was just to use standard Windows telnet. None of the others like SecureCRT, Tera Term or PuTTY worked for me. It's this CTRL-C combo that seems to be the problem in all these terminals.

Anyhow, I've got some difficulties to execute this whole thing. One of the posts describes how to mount the image over the serial port, over telnet, this should look a bit different, I think. Plus, whenever I exec something in Redboot, the box just freezes.

Can you tell me what to use instead of 'exec -c "console=ttyS0,115200 root=/dev/mtdblock2 init=/bin/sh" 0x00040000' when I'm connected over telnet?

Would be cool!

Thanks in advance, cheers
alex

Anonymous said...

Photo and pinout on W25 console port
http://i52.tinypic.com/29dtun4.jpg
J4 connector, unpopulated
5 - TP5: Txd (output)
4 - : GND
1 - TP6: RxD (input)
For accessing the console you need
- to solder pins onto connector pads
- 3.3V TTL logic/ RS232 converter, like MAX232, or
- USB/serial TTL level converter, e.g. FTDI FT232R