Unlocking BT Home Hub V1 *Upgrade at your own risk*

Bt just released the gpl code
link

Seems that the bootloader is missing,
and that the most of the code are generic/unaltered gpl versions of the original.

Proper result

Can't be having ol' BT breaking GPL Licencing now can we!? lol

So now all we need are some budding firmware builders to take the challenge of creating an open firmware for the HomeHub. *cough* 7G *cough*

I successfully managed to downgrade the HomeHub to an older f/w (I forget which version), so now I can access everything again.

I can see this being a VERY nice peice of kitt; ONCE it has been opened up, I say ONCE cause I know it will be done eventually.

Method for getting Super User access in 6.2.2.6 – 19/01/2007

It appears that BT have tried to lock down the BTHH in this new firmware version by changing the permissions on the configuration backup/restore/user management functions, thus thwarting attempts to manipulate user accounts in the CLI and the method of editing a backup config offline, then restoring it to alter user roles. In fact the GUI pages are still there but not accessible to the Admin user with the default Administrator privileges. However, the ‘tech’ user, intended for BT customer support use, does have the necessary access…


1. Point your browser at http://192.168.1.254/cgi/b/ras/ and enable remote assistance.
2. Open another browser instance and go to the Remote Assistance URL provided by the hub (note: by default the tech support user is only allowed to login from the Internet IP, to the GUI.)
3. Accept the BT SSL certificate, and login with the username ‘tech’ and password provided by the hub in step 1
4. In the brower's address bar append the URL with /cgi/b/bandr/ and press go
5. Now you should see the Backup and Restore page.
6. You can now follow AL’s procedure (from step 5.) to modify the config offline: http://www.homehubblog.com/getting-root-the-easy-way/

Better luck next time BT!

Dont if this will help but i found a site with a link to what they
say is the boot loader output
http://mikenelis.net/bthomehub/bootlog.txt

Method for getting Super User access in 6.2.2.6 – 19/01/2007

It appears that BT have tried to lock down the BTHH in this new firmware version by changing the permissions on the configuration backup/restore/user management functions, thus thwarting attempts to manipulate user accounts in the CLI and the method of editing a backup config offline, then restoring it to alter user roles. In fact the GUI pages are still there but not accessible to the Admin user with the default Administrator privileges. However, the ‘tech’ user, intended for BT customer support use, does have the necessary access…


1. Point your browser at http://192.168.1.254/cgi/b/ras/ and enable remote assistance.
2. Open another browser instance and go to the Remote Assistance URL provided by the hub (note: by default the tech support user is only allowed to login from the Internet IP, to the GUI.)
3. Accept the BT SSL certificate, and login with the username ‘tech’ and password provided by the hub in step 1
4. In the brower's address bar append the URL with /cgi/b/bandr/ and press go
5. Now you should see the Backup and Restore page.
6. You can now follow AL’s procedure (from step 5.) to modify the config offline: http://www.homehubblog.com/getting-root-the-easy-way/

Better luck next time BT!

Originally Posted by netrat

Is this the way to overcome the problem with the lastest firmware? Has anyone actually managed to change the login username and password and use it with an ISP other than BT??

I've actually put mine back in the box, due to not being able to 'rip it apart' anymore... Will have to rig it up again, and try some more.

Is this the way to overcome the problem with the lastest firmware? Has anyone actually managed to change the login username and password and use it with an ISP other than BT??

I've actually put mine back in the box, due to not being able to 'rip it apart' anymore... Will have to rig it up again, and try some more.

Originally Posted by studioeng

Nope, the BT PPP username check appears to be hardcoded into the app.

Has anone managed to reconfigure this HomeHub just as a router. I'm not really interested in the built in modem as I have an external one. However I'd like to use it as a wireless router, any suggestions?

Has anone managed to reconfigure this HomeHub just as a router. I'm not really interested in the built in modem as I have an external one. However I'd like to use it as a wireless router, any suggestions?

Originally Posted by Guest

To use the HH as a wireless access point should just be a matter of connecting your existing LAN to one of the ethernet ports.

If you need to do some IP routing between interfaces then a little configuration is needed. I used these commands to set up a new IP subnet on eth2 to use as DMZ LAN...

:eth bridge ifdetach brname=bridge intf=ethport2
:eth bridge ifdelete brname=bridge intf=ethport2
:eth bridge add brname=bridge2
:eth bridge ifadd brname=bridge2 intf=ethport2
:eth bridge ifconfig brname=bridge2 intf=ethport2 dest=ethif2 portstate=forwarding vlan=default
:eth bridge ifattach brname=bridge2 intf=ethport2


:ip ifadd intf=DMZ dest=bridge2
:ip ifconfig intf=DMZ status=up group=dmz
:ip ipadd intf=DMZ addr=192.168.0.254/24 addroute=enabled
:ip ifattach intf DMZ

Hey guys sorry to keep goin on about this but anyone managed to get the voice over LAN working. Ive tried

For voice over LAN, try this: telnet to the hub, go to voice, config and change intf to LAN.

Originally Posted by tentonine

but still no luck.

Any other ideas?

Just seen this:

http://www.theregister.co.uk/2007/01..._breaking_gpl/

This should crank up the pressure on BT to comply with the GPL fully.

-Pete

Olozzj, I must admit, I've tried to look for this elusive alternative firmware, but have come up empty handed.

Originally Posted by studioeng

It's available somewhere on the BT.com web site, as i have seen it with my own two eyes. I should've bookmarked the page or wrote the url down, but it is of no relevance to me, and at the time i was at work and my boss was walking in my direction so i thought i'd best look like i was doing work lol. Sorry guys. I do know it's somewhere on that site tho.

I have an idea; i know where i can get a Home Hub "hot, hot, hot" (if you know what i mean), so maybe if i got BT engineer out to unlock it, yes i would have to pay for his/her time, i could send the device to a member of TS! for them to copy and distribute the firmware. The only problem is, how do i get a BT engineer to unlock it without checking the serial codes / product id no.s?

Hi guys found this link to a site containing a load of Speedtouch Firmware not had time to look at them yet

http://m8s-rates.com/speedtouch/routers/

Olozzj, check your history.

Olozzj, check your history.

Originally Posted by fraser-a-2007

history is cleared everytime i close opera.

PS TKNo, isn't a speedtouch. It is from the speedtouch brand made by Thomson, but isn't a speedtouch.

download one of the speedtouch firmwares, then extract the boot loader from it and use the free firmware on the BT.com web site to load!!!

history is cleared everytime i close opera.

PS TKNo, isn't a speedtouch. It is from the speedtouch brand made by Thomson, but isn't a speedtouch.

Originally Posted by Olozzj

So the Speedtouch 7G firmware will not work with the BT HomeHub??
(Wasnt this clarified earlier in the thread, the HomeHub being based/a clone of the Speedtouch 7G)

download one of the speedtouch firmwares, then extract the boot loader from it and use the free firmware on the BT.com web site to load!!!

Originally Posted by Olozzj

I didn't think it was a Speedtouch!?

Edit: More to the point, why would you want to extract the boot loader from the Speedtouch firmware, and then load the BT locked firmware??

OK, so i've got myself in a little muddle. To confirm my last few posts:

The BT Home Hub will not work with any speedtouch firmware. It is made by the Thomson speedtouch brand, but is not based on any other model.

And yes, for those who haven't yet realised, i was thinking of a way to get the Home Hub unlocked when i came accross the idea to extract the boot loader from a different firmware. Well this would work and would sucessfully allow you to reload the device with the BT locked firmware again
Sorry, it's dangerous for me to think on Monday mornings as i come up with the most redicuous ideas

Well, not heard anything from you guys in awhile; any more news on the hacking of the HomeHub ??

I was going to give those firmwares TKNo posted a try, but after Olozzj ruined that by saying they won't work , I put it back in it's box... Again!!1

Wastes too much space while it's locked to BT; since I have no other use for it.

Hi Mat, I've been given one of these lubberly looking boxes by a friend & hope to get it working on my mother's TalkTalk connection. I'm sure the hardware IS the same as the 7G & I reckon I know a way of flashing it... any chance of posting the firmware somewhere & i'll report back if I work it out??

]-[

Originally Posted by hunta2097

hi there i have one of these could you please help me unlock it.

hi there i have one of these could you please help me unlock it.

Originally Posted by londonmadness

Londonmadness, the Home Hub hasn't been cracked yet, so there's no chance anyone on this forum can help you!

To everyone that's working on unlocking the Home Hub:
I've tried all ways to get back to the page on the BT web site where you can pay to get the Home Hub unlocked, but can't find it. It doesn't really matter now anyway, as i've contacted BT once again about this mysterious page, and got an e-mail back from a member of the support team saying she wasn't sure on where i'd been to get that page, but it is possible to have the Home Hub unlocked remotely by a BT technician for a fee of £45. I was told to phone up BT for more information about this. There's only one small problem with unlocking the Home Hub this way though; you've got to have BT Broadband active on your line.

Just had a very painful 30 mins on the phone with BT Broadband dept who said "there must be a problem with the hub if it is not remembering your settings" to which I replied "it is remebering all my settings except my ADSL user name as it does not end with @btinternet.com". They said "we do NOT lock our hardware as we know and understand that people will change providers". AAARRRGGGGHHHHHH!!!

I then said "please can we just unlock it" and she said again "we do not lock it down - there must be a problem with it". I then said "there is no problem with it, just the software". I then said that there are lots of people talking about BT lock down on the internet and she just replied and said "she can't help me".

How do I get to speak to someone about unlocking it!!!!???

AAAARRRGGGHHHH!!!

Not giving up yet....

You should've asked to speak to an Engineer in the technical dept. and told them you've been put through to them to unlock th Home Hub. They'll have no problem with that.

For BT to unlock the Home Hub, you must be an existing customer of BT and have an active BT Internet subscription on your phone line. In theory, now that BT have bought PlusNet, you are a BT Internet customer. The only difference is you'll still be running through PlusNet's infrastructure, which shouldn't make any difference now the BT Engineers have had a snoop through it.

Give it a go, it's worth a try.

Originally Posted by Olozzj

The reason that you must be a BTInternet customer is because they remote in to the router over the internet. Therefore, you would need to be connected to the net in order for them to unlock it.

Some random bits of information for y'all.

/nmon/linux_appl.exe is the core of the router. It provides FTP, DNS, DHCP, Webserv, telnet & pretty much every other major feature of the hub.

You can view a list of allowed realms via telnet by executing:

ppp simlock

These realms are stored in /archive/ZZJMAA6.11R/active/slock.txt (but I reckon you guys knew that anyway )
(based on 6.1.1.R firmware)

If you look in /archive/ZZJMAA6.11R/active/security.cfg.gz, and scroll down to the line beginning with "gfirewall", it is possible to build a fairly complete list of commands and their params executable via telnet. (Although some seem to have been removed, and some may be missing)

g = group
c = command
o = param

JFSS2 and SquashFS have been used on the router, but I can not as yet determine how may partitions there are, and where they are mounted. However, it would make sense for /dl & /var to be JFFS2 as SquashFS is readonly.

It may be necessary to reverse engineer the BLI2 format in order to unlock the home hub. Although an engineer does it remotely, it is very possible to upgrade the firmware via telnet, so this can't be ruled out as the way that it is done.

The following commands may (or may not) give you some interesting stuff to play with...

mbus client register
mbus listtypes expand=enabled
mbus client exec cmd=getparamvalues
mbus client exec cmd=getparamattributes

And that is all of the crap I have accumulated so far

Hi Guys,

Is there any way of finding out what commands are available if you telnet then type debug > exec (the expert command console).

Surely there is some way here to remove the lock, i cant see BT having a 'unlocked' firmware as people who have there hub unlocked could just extract the firmware from that and post it for us to use.

So they must remove the 'simlock' some how via telnet.

We need to take the FTP dump given here: http://www.bitcount.net/files/611R.tar.gz

And the GPL code released by BT here: http://www.btyahoo.com/broadband/adh...s/gplcode.html

And find out how there own little app works, extract ALL the commands thats used in that home application then see if there is anything useful to use.

I really cant see BT flashing the home remotely, i cant see it working. We need to find out all the hidden commands like simlock above was pointed out.

How was that discovered?

And find out how there own little app works, extract ALL the commands thats used in that home application then see if there is anything useful to use.

Originally Posted by zero-x

Their 'little app' is 7MB of MIPS opcodes with dynamic references
The problem is, the tag parser (responsible for parsing config files and telnet commands) is essentially a scripting engine, meaning it isn't just a case of finding the relevant list of allowed commands. You have to find the initial list of commands, then figure out how the tag parser stores them, links them together to form command trees and parameters, then figure out how it validates & executes them. Without a debug board this is pretty damn difficult.

I really cant see BT flashing the home remotely, i cant see it working.

Originally Posted by zero-x

See telnet cmd

software menu

and you will see that it is very possible to flash remotely. Possibly more agro than just a series of commands, but also more difficult to unlock.

We need to find out all the hidden commands like simlock above was pointed out.

How was that discovered?

Originally Posted by zero-x

FTP to router
DIR
cd /archive
GET ZZJMAA6.11R
exit FTP
Run an extraction script against ZZJMAA6.11R. Its in PHP, but I can post it if you are interested.
cp ZZJMAA6.11R_EXT/active/security.cfg.gz ./
gzip -d security.cfg.gz
Run a formatting script against security.cfg. Again, in PHP but I can post if you are interested.

The security.cfg file is responsible for defining default roles and permissions required to execute most (if not all) actions available.
It also happens to list parameters available to the commands.

I will attach the full list of commands when I get home as I'm at work atm.

zero-x and I found some additional hidden commands tonight (actually, zero-x found them, I just played with them)



:debug dmesg
:mlp interaction
:mlp zones

interactions is interesting because it gives you a full list of commands, their parameters and their "scores" . I think these scores are irrelevant if you are SuperUser / root as they just seem to be permission restrictions.

try one of these...
:mlp interaction list type=file verbose=all
:mlp interaction list type=cgi verbose=all
:mlp interaction list type=mdap verbose=all
:mlp interaction list type=cli verbose=all
:mlp interaction list type=ftp verbose=all

The last one is a bit lame though. It still won't let you write to anywhere but /dl (or at least we never got it to).

BTW, when this router says CLI, it means the managed one available via telnet and not a "real" shell.

In addition (but totally useless) you can execute some of these commands through FTP!!!

telnet in to ftp as admin
on windows, execute:
literal SITE debug dmesg
on nix ... I'm not sure, I think it might be "quote" instead of "literal".

Of course, this last bit could just be a side effect of me messing with the interaction stuffs too much

Finally, I've done a wireshark capture of the recovery tool in action.
In short, it does next to no validation on the BLI files (so there isn't much hope of reversing the BLI format from that) and acts as a pretty BOOTP/TFTP server that will nicely backup your configs for you...

The process goes a little like this.

• Open BT Recovery tool
• Tool makes a request to hub to check if is a HH (not quite sure how it got the address... possibly browse master?)
• HH responds with a load of info on itself including services it offers (mostly visible in mbus)
• Tool executes some CLI commands via MDAP (language checks, list of config files, etc)
• Tool makes MDAP requests to download you config files files
• HH sends config files to tool
• Tool sends "software update" CLI command via MDAP
• HH reboots in to BOOTP mode
• Tool responds to HH BOOTP request
• HH downloads BLI by TFTP (run by recovery tool)
• HH verifies image, flashes itself & reboots
• Tool executes CLI commands to restore user config via MDAP
• Config files written to HH
• The end

That means that if we do figure out BLI then we can use this tool to get it on the hub.
My theory is that the hub is bouncing it due to the checksum (when you modify it to say BAT-Z instead of BANT-7).
Still need the checksum offset and calculation algorithms to test it tho

Some more things found were:

:debug exec commands

^@^@^@^@Execute a 'Trace & Debug' command. For qualified personnel only.^@^@^@^@dmesg^@^@^@Show the Linux kernel messages. For qualifies personnel only.^@^@^@Quoted 'Trace & Debug' command string^@^@^@Execute a 'Trace & Debug' command. For qualified personnel only.^@^@^@Switch to 'Trace & Debug' prompt. For qualified personnel only.^@Switch to Linux shell. For qualified personnel only.^@^@^@^@alg vpn^@ip dt^@^@^@ip lt^@^@^@ip ct^@^@^@ip +t^@^@^@ip -t^@^@^@sea bstats^@^@sea istats^@^@sea pstats^@^@sea clear^@^@^@sea sq^@^@eth stats^@^@^@eth clear^@^@^@eth trace^@^@^@eth tlen^@^@^@^@sachem get_config^@^@^@sachem get_state^@^@^@^@sachem activate_performance^@sachem deactivate_performance^@^@^@sachem get_data^@sachem do^@^@^@tdsl LOVTest^@^@^@^@tdsl LOVTestL1^@^@tdsl LOVTestL2^@^@tdsl LCLTest^@^@^@^@tdsl custoData barometer^@^@^@^@tdsl getData all^@^@^@^@atm otrace^@^@atm sxt^@atm stt^@atm svt^@atm tvc^@atm tlen^@^@^@^@atml stats^@^@atml pstats^@atml gstats^@atml istats^@atml dstats^@atml clear^@^@pptp ctrace^@pptp dtrace^@dbg spt^@dbg rvt^@dbg fvt^@dbg spo^@dbg cpuload^@err stats^@^@^@edm ctrl ^@^@^@edm sit^@edm situation^@^@^@edm start^@^@^@edm stop^@^@^@^@edm otherrxf^@^@^@^@edm getli^@^@^@edm ss^@^@edm setstats^@^@^@^@edm rs^@^@edm resetstats^@^@edm gs^@^@edm getstats^@^@^@^@edm sa^@^@edm setaddr^@mdap trace^@^@mdap search^@voip trace^@^@voip ss^@vdsp fxooffhook^@vdsp tracecodec^@vdsp hci^@^@^@^@voip info^@^@^@vdsp info^@^@^@voip siploglevel^@^@^@^@voip addfilter^@^@voip delfilter^@^@usbhost devs^@^@^@^@usbhost pos^@wld spool^@^@^@wld ssrom^@^@^@wld wlifdata^@^@^@^@wld poolinfo^@^@^@^@wld macevents^@^@^@wld cmacevents^@^@kru st^@^@^M
=====================DISCLAIMER=================== ===^M
Access to expert commands is intended for qualified ^M
personnel only. ^M
==================END=OF=DISCLAIMER=============== ===^M

Its all abit messy as ive taken if from the code directly, the interesting one would be "kru st" purely because it killed my router for a bit until i rebooted.

This command cannot be found anywhere else on the net, ive searched some of the other commands and came up with a list from someone else relating to the old speedtouches.

They can also be found here: http://members.lycos.nl/epias/st510/text/510cli.txt

I have 2 of the white home hubs sat here. one not being used. Anyone know of a way to get them to talk to each other to extend the range of my connection? Failing that what would be my best bet as when the hub is downstairs i get no connection upstairs and vice versa!

What channel is the hub on m8 - by default I think it is 1 - change it to 12 and the wireless range is usually better

I have 2 of the white home hubs sat here. one not being used. Anyone know of a way to get them to talk to each other to extend the range of my connection? Failing that what would be my best bet as when the hub is downstairs i get no connection upstairs and vice versa!

Originally Posted by slapdash

Don't know anyone brave enough to get a second of these , but have you tried bridging them with WDS. You would then have to change the the IP address and turn off dhcp,default route & dnsServer on the second.