#31
@ Psi,
I am using nothing but a very basic Windows XP machine in order to eliminate possible complications coming from unnecessary ancillaries. I have tried on other machines and I get the exact same result. As a last resort I bought another HomeHub2 from Ebay which I should get in a week. Again as I watch brjtag run it looks like it is waiting for more responses from the router which it does not get. It identifies the chip type, but after that the responses are not the same as your example. Brjtag does not appear to hang, it just looks busy, and does not finish running.
#32
Ok. I am not sure what to suggest now. How about your ground wire? You can actually ground pins 20 through to 25 by linking them together. Have never seen anyone that had to do this, however I have never seen the problem you have before.
There is definitely something wrong connection wise. Check the resistance of your 4 resistors on the 25 pin D connection and your soldering of them? Again a thought off the top of my head.
Psi
#33
@Psi,
Resistors are 100R (brown-black-brown-gold) carbon film 0.25w. Just like the photo in your guide I have joined pins 20 and 25 and connected to the pcb ground. Are you talking about grounding pins 20 THROUGH 25? (inclusive)
#36
@ Mr. Zetec. Yay! I knew it had to be something connection wise. Let us know how you go. And remember 2 comparable backups before flashing!
@btsimonh. Hi mate. Followed your work with the 1.5 on modem-help. Kernel appears to be 2.6.8.1. Check PM for the extracted rootfs tarball.
Psi
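The "2 comparable backups before flashing" check advised in the post above, as an added example that is not part of the original thread or of brjtag: it compares two raw dump files and lists the offset ranges where they disagree. The file names, the helper names and the constant-fill heuristic are assumptions made for this illustration.

```python
import hashlib
import sys

def diff_ranges(a, b, max_ranges=16):
    """Half-open (start, end) offset ranges where the two dumps differ."""
    ranges, start = [], None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
            if len(ranges) >= max_ranges:  # enough to show the reads are unreliable
                return ranges
    if start is not None:
        ranges.append((start, n))
    return ranges

def check_backups(a, b):
    """Compare two raw flash dumps and decide whether they can be trusted."""
    report = {
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "same_size": len(a) == len(b),
        "diff_ranges": diff_ranges(a, b),
        # Heuristic (assumption): a dump made of one repeated byte, e.g. all
        # 0xFF, means nothing real was read even if both copies match.
        "constant_fill": [len(set(d)) <= 1 for d in (a, b)],
    }
    report["usable"] = (report["same_size"] and not report["diff_ranges"]
                        and not any(report["constant_fill"]))
    return report

if __name__ == "__main__":
    if len(sys.argv) == 3:  # pass the two backup files you saved (names are yours)
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            first, second = f1.read(), f2.read()
    else:  # constructed sample: the second read has 4 corrupted bytes
        first = bytes(range(256)) * 4
        second = first[:100] + b"\x00" * 4 + first[104:]
    result = check_backups(first, second)
    for start, end in result["diff_ranges"]:
        print(f"differs at 0x{start:08X}-0x{end - 1:08X}")
    print("sha256:", *result["sha256"])
    print("usable" if result["usable"] else "NOT usable: re-check wiring and re-read")
```

Differences that move between reads point at the cable or grounding rather than at the flash contents.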
#37
Got the 2 comparable backups ok. Flashed ok. Router now accepts my sky.com account BUT when I click on connect it fails to connect to the net and the orange light does not go blue.
I don't know where you want me to enter guru ID Psi, I can't seem to find where to use this account. Again I am stuck, but surely this is the last hurdle! I have to ask you all for more help on where I go from here (below)
#38
YAY! Now we're cooking. It's been an uphill struggle but we got there!
Ok your Sky username and password you use for your email are different from the ones in the router. That's why you cannot log in. I suggest you have a look at the forum here for info on extracting the username and password from your router. The GURU are for logging via FTP and telnet if you so feel inclined.
Psi
#39
At last! I am using my HubPhones and browsing on my HomeHub2. I have a 1TB disk connected to the usb port of the hub and it is accessible via my home network.
Thank you very much Psi, I would never have guessed what the problem was with Sky's login!
#40
@Psi
Thanks! What did you do to enable FTP and telnet? I took a quick look at the filesystem, and the unit has the same run of samba_conf if it exists in the /dl folder, so if we can ftp into that folder, then you can do the same hack to get root telnet access. (see samba in etc/init.d)

The kernel is the same version as the V1/V1.5 - there is a relatively easy to create linux build environment based on the open source of the speedport router. I've used this to create kernel modules for the V1 and V1.5.

There is quite a lot of stuff about updates... this bears some investigation, as it may be a way in; the executable 'flasher' contains references to the compression used in BLI files (why did I not notice this in V1/V1.5), and so may help at least in decrypting, but the files are SHA-1 protected, so we may not be able to create one (although SHA-1 is now considered 'broken', it's still actually practically impossible to break; but the application may contain some instability/hole to accept incorrect files - worth investigation).

Now I'll have to dig out my borrowed V2 and try some stuff! Thanks again for your persistence...
s
#41
@Mr zetec.
Have come up against the sky routers before. Had to extract passwords off them for a few of the lads in work. Good to see you're all up and running. I think we can chalk that up as a result.

@btsimonh, Have a read on this thread on modem-help. It details how I enabled Telnet and FTP. I am a step ahead of you with regards to scripting as I can now confirm that running scripts from a samba.conf file in the /dl directory now works. I added the command to the samba script in the /etc/init.d directory. Did you spot my schoolboy error on the samba script? I forgot to chmod it from 644 to 755 so in the first release samba was broken. I upped the fixed firmware yesterday. I have tested it with the utelnetd binary and the "doit" script chained off the samba.conf and it works fine. You just need a USB drive in the port to trigger the samba start and run the samba.conf script.
Psi
Last edited by PsiDOC; 04-January-2010 at 22:23.
#42
@psidoc:
Do you have a BT connection? I'd love to know if remote support can be run as Alex describes; if it can, then you can get to the CLI interface, and can probably make the changes described mostly through the CLI.. including the root user hack - as per the V1.0/v1.5.

Is there such a thing as an ADSL simulator? Can we connect two hubs together?

Other thoughts I had were to somehow route the telnet port using the firewall configuration through the web interface - but I don't think this will work as there is no WAN connection in my configuration.
s
#43
@btsimonh
No. I am with Demon. The HomeHub 2.0 does not have remote assistance in the GUI. Also the default MLPUser only has a lan basic user and lan administrator. No login for Wan Side remote access. Also the firewall had been configged to block telnet from WAN and LAN. So that's that idea scuppered. They really did lock this one down tighter than a drum so I'm afraid it's a JTAG job, unless you know how to create a flashable linux BLI image? ADSL Simulator? Never heard of one to be honest.
Psi
#44
I've got a security specialist at work... just had a look through the v1 image I ftped off the v1 hub, and flasher is not there (although for some reason I remember the name) so this may be the first time we've seen the flasher program. If we can find out how it operates, then we may find a method of creating a firmware file... but the check is SHA-1, which is for all practical purposes uncrackable... however, if anyone has some ideas, he will. (it's his v2 hub I'm borrowing anyway!!).

It is possible that we could truly hack 'flasher' to flash images which don't obey the SHA-1 check - this should be simple for someone who understands mips asm... then once jtag modified to add the new flasher, we should be able to upgrade how we like (if we could create a basic BLI file with invalid SHA-1 coded key - the flasher utility give some clues to the 'mute' compression - understanding this alone would help).

Other thoughts: The v2 has some open ports - mbus is one? but the mbus spec contains security methods. The USB seems to be allocated an IP address... firewall config may provide routing to it if we are very lucky, but I doubt it.
s
#45
@ Psi,
Well, after a few days both of the routers I flashed are still stable and I will never miss my Sky router. The HomeHub 2.0 I bought from Ebay arrived, and with two modded hubs under my belt I got stuck in to do the same with the third. Then problems, the third router is a year newer and although the firmware has the same revision number I have hit a major snag. Basically see below for the response I get when I try to flash!

The third router has a differently branded flash chip like so:

Technical/Catalog Information: M29W128GL70N6E
Vendor: Numonyx/ST Micro
Category: Integrated Circuits (ICs)
Memory Type: FLASH
Memory Size: 128M (16Mx8, 8Mx16)
Speed: 70ns
Interface: Parallel
Package / Case: 56-TSOP
Packaging: Tray
Voltage - Supply: 2.7 V ~ 3.6 V
Operating Temperature: -40°C ~ 85°C
Format - Memory: FLASH
Lead Free Status: Lead Free
RoHS Status: RoHS Compliant
Other Names: M29W128GL70N6E

Each time I run brjtag I get errors relating to unrecognised flash memory. Is there anything I can do????
#46
OK don't panic!
It's just BT have changed the flash chip in yours and it's not supported by V1.6 of the BRJtag software. It is however supported by version 1.8c. See here:

Although before you flash ANYTHING I'd like to see the results you get from doing a brjtag -probeonly with no "/window" command and then if you get sense from it a look at what brjtag -backup:cfe (again with no "/window" command) produces.

Reason why I need these is the /window command dictates the start point of the flash for the brjtag software. The default ones (no /window command) for both the HH1 and HH2 were wrong. So if this one is wrong as well then we'll need to work out the /window start location.
Psi
#47
Have uploaded the BRJtag software to my site:
It's available here: http://www.psidoc.com/infusions/pro_...load.php?did=5
Can you please let me know either via PM here or via PM on psidoc.com what results you get. Thanks.
Psi
#49
YAY! That's looking good and the address window looks ok.
Can you email me a copy of the cfe that you backed up? I want to check it to make sure it's ok. Then you should be good to flash. Will pm you my email.
Psi
#51
Hmmm the backup is ok. Wonder why the command errored out.
OK try this:

brjtag -probeonly /window:1D000000

if that doesn't work try

brjtag -probeonly /window:1F000000

Let me know if one of them gives you the proper result. I have a gut feeling it'll be the /window:1D000000 one that works.
Psi
Last edited by PsiDOC; 09-January-2010 at 20:57.
#53
Well done Psi,
BRJTAG v1.7 (a step backward from v1.8) is stable and more compatible with the ST flash chip. The backups worked and so did the flash, using your tutorial to the letter. Excellent work mate!
#55
I have a mac book but it runs Windows 7 via bootcamp. Could I use that along with this...
http://www.usbnow.co.uk/p1221/Targus...duct_info.html to hack the homehub 2.0 ?
#59
Flashed my homehub and all seemed to go well (had two identical backups, and uploaded the 81HJ version OK). But upon rebooting the router, it never gets past the flashing 'upgrading' light. Have I corrupted its firmware?
#60
Tried flashing again, and all OK.
But having trouble getting VOIP to work. Can you confirm that this hack enables non BT VOIP? Have used telnet following the guide at http://www.josephn.net/bt_home_hub_and_voip, entering:

voice profile add
SIP_URI = nnnnnnn
[username] =
[password] = ********
[password] = ********
[display name] = (whatever you want as your name)
voiceport = COMMON
[abbr] =

and,

voice sip config primproxyaddr=nat.plus.net:5082
voice sip config primregaddr=sip.plus.net
voice sip config notifier_addr=sip.plus.net
config save filename=user

But the telephony settings page on the HH2 shows 'Service temporarily unavailable'. Any thoughts?