#62
> Proper result

Can't be having ol' BT breaking GPL licensing now, can we!? lol So now all we need are some budding firmware builders to take the challenge of creating an open firmware for the HomeHub. *cough* 7G *cough* I successfully managed to downgrade the HomeHub to an older f/w (I forget which version), so now I can access everything again. I can see this being a VERY nice piece of kit ONCE it has been opened up; I say ONCE because I know it will be done eventually.
#63
Method for getting Super User access in 6.2.2.6 – 19/01/2007

It appears that BT have tried to lock down the BTHH in this new firmware version by changing the permissions on the configuration backup/restore/user management functions, thus thwarting attempts to manipulate user accounts in the CLI and the method of editing a backup config offline, then restoring it to alter user roles. In fact the GUI pages are still there but not accessible to the Admin user with the default Administrator privileges. However, the 'tech' user, intended for BT customer support use, does have the necessary access...

1. Point your browser at http://192.168.1.254/cgi/b/ras/ and enable remote assistance.
2. Open another browser instance and go to the Remote Assistance URL provided by the hub (note: by default the tech support user is only allowed to log in to the GUI from the Internet IP).
3. Accept the BT SSL certificate, and log in with the username 'tech' and the password provided by the hub in step 1.
4. In the browser's address bar, append /cgi/b/bandr/ to the URL and press go.
5. Now you should see the Backup and Restore page.
6. You can now follow AL's procedure (from step 5) to modify the config offline: http://www.homehubblog.com/getting-root-the-easy-way/

Better luck next time BT!

Last edited by netrat; 19-January-2007 at 16:28.
#64
Don't know if this will help, but I found a site with a link to what they say is the boot loader output: http://mikenelis.net/bthomehub/bootlog.txt
#65
> Method for getting Super User access in 6.2.2.6 – 19/01/2007

I've actually put mine back in the box, due to not being able to 'rip it apart' anymore... Will have to rig it up again, and try some more.
#66
Is this the way to overcome the problem with the latest firmware? Has anyone actually managed to change the login username and password and use it with an ISP other than BT??
#67
Has anyone managed to reconfigure this HomeHub just as a router? I'm not really interested in the built-in modem as I have an external one. However, I'd like to use it as a wireless router. Any suggestions?
#68
> Has anyone managed to reconfigure this HomeHub just as a router? I'm not really interested in the built-in modem as I have an external one. However, I'd like to use it as a wireless router. Any suggestions?

If you need to do some IP routing between interfaces then a little configuration is needed. I used these commands to set up a new IP subnet on eth2 to use as a DMZ LAN...

```
:eth bridge ifdetach brname=bridge intf=ethport2
:eth bridge ifdelete brname=bridge intf=ethport2
:eth bridge add brname=bridge2
:eth bridge ifadd brname=bridge2 intf=ethport2
:eth bridge ifconfig brname=bridge2 intf=ethport2 dest=ethif2 portstate=forwarding vlan=default
:eth bridge ifattach brname=bridge2 intf=ethport2
:ip ifadd intf=DMZ dest=bridge2
:ip ifconfig intf=DMZ status=up group=dmz
:ip ipadd intf=DMZ addr=192.168.0.254/24 addroute=enabled
:ip ifattach intf=DMZ
```
#69
Hey guys, sorry to keep going on about this, but has anyone managed to get the voice over LAN working? I've tried:

> For voice over LAN, try this: telnet to the hub, go to voice, config and change intf to LAN.

Any other ideas?
#70
Just seen this: http://www.theregister.co.uk/2007/01..._breaking_gpl/

This should crank up the pressure on BT to comply with the GPL fully. -Pete
#71
Olozzj, I must admit, I've tried to look for this elusive alternative firmware, but have come up empty-handed. I have an idea; I know where I can get a Home Hub "hot, hot, hot" (if you know what I mean), so maybe if I got a BT engineer out to unlock it (yes, I would have to pay for his/her time), I could send the device to a member of TS! for them to copy and distribute the firmware. The only problem is, how do I get a BT engineer to unlock it without checking the serial codes / product id no.s?
#72
Hi guys, found this link to a site containing a load of Speedtouch firmware; not had time to look at them yet: http://m8s-rates.com/speedtouch/routers/
#73
Olozzj, check your history.
#74
History is cleared every time I close Opera.

PS TKNo, it isn't a Speedtouch. It is from the Speedtouch brand made by Thomson, but isn't a Speedtouch.
#75
> History is cleared every time I close Opera.

(Wasn't this clarified earlier in the thread, the HomeHub being based on / a clone of the Speedtouch 7G?)

Edit: More to the point, why would you want to extract the boot loader from the Speedtouch firmware, and then load the BT locked firmware??

Last edited by studioeng; 29-January-2007 at 12:51. Reason: addition to post
#76
OK, so I've got myself in a little muddle. To confirm my last few posts:

The BT Home Hub will not work with any Speedtouch firmware. It is made by the Thomson Speedtouch brand, but is not based on any other model. And yes, for those who haven't yet realised, I was thinking of a way to get the Home Hub unlocked when I came across the idea to extract the boot loader from a different firmware. Well, this would work and would successfully allow you to reload the device with the BT locked firmware again. Sorry, it's dangerous for me to think on Monday mornings as I come up with the most ridiculous ideas.
#77
Well, not heard anything from you guys in a while; any more news on the hacking of the HomeHub??

I was going to give those firmwares TKNo posted a try, but Olozzj ruined that by saying they won't work. It wastes too much space while it's locked to BT, since I have no other use for it.
#78
Hi Mat, I've been given one of these lubberly looking boxes by a friend & hope to get it working on my mother's TalkTalk connection. I'm sure the hardware IS the same as the 7G & I reckon I know a way of flashing it... any chance of posting the firmware somewhere & I'll report back if I work it out??
#79
Londonmadness, the Home Hub hasn't been cracked yet, so there's no chance anyone on this forum can help you!

To everyone that's working on unlocking the Home Hub: I've tried all ways to get back to the page on the BT web site where you can pay to get the Home Hub unlocked, but can't find it. It doesn't really matter now anyway, as I've contacted BT once again about this mysterious page, and got an e-mail back from a member of the support team saying she wasn't sure where I'd been to get that page, but it is possible to have the Home Hub unlocked remotely by a BT technician for a fee of £45. I was told to phone up BT for more information about this. There's only one small problem with unlocking the Home Hub this way though; you've got to have BT Broadband active on your line.
#80
Just had a very painful 30 mins on the phone with BT Broadband dept who said "there must be a problem with the hub if it is not remembering your settings", to which I replied "it is remembering all my settings except my ADSL user name as it does not end with @btinternet.com". They said "we do NOT lock our hardware as we know and understand that people will change providers". AAARRRGGGGHHHHHH!!!

I then said "please can we just unlock it" and she said again "we do not lock it down - there must be a problem with it". I then said "there is no problem with it, just the software". I then said that there are lots of people talking about BT lock down on the internet and she just replied and said "she can't help me". How do I get to speak to someone about unlocking it!!!!??? AAAARRRGGGHHHH!!! Not giving up yet....
#81
You should've asked to speak to an Engineer in the technical dept. and told them you've been put through to them to unlock the Home Hub. They'll have no problem with that.
#82
For BT to unlock the Home Hub, you must be an existing customer of BT and have an active BT Internet subscription on your phone line. In theory, now that BT have bought PlusNet, you are a BT Internet customer. The only difference is you'll still be running through PlusNet's infrastructure, which shouldn't make any difference now the BT Engineers have had a snoop through it.

Some random bits of information for y'all.

/nmon/linux_appl.exe is the core of the router. It provides FTP, DNS, DHCP, webserver, telnet & pretty much every other major feature of the hub.

You can view a list of allowed realms via telnet by executing:

```
ppp simlock
```

These realms are stored in /archive/ZZJMAA6.11R/active/slock.txt (but I reckon you guys knew that anyway). (Based on 6.1.1.R firmware.)

If you look in /archive/ZZJMAA6.11R/active/security.cfg.gz, and scroll down to the line beginning with "gfirewall", it is possible to build a fairly complete list of commands and their params executable via telnet. (Although some seem to have been removed, and some may be missing.)

g = group
c = command
o = param

JFFS2 and SquashFS have been used on the router, but I cannot as yet determine how many partitions there are, and where they are mounted. However, it would make sense for /dl & /var to be JFFS2 as SquashFS is read-only.

It may be necessary to reverse engineer the BLI2 format in order to unlock the home hub. Although an engineer does it remotely, it is very possible to upgrade the firmware via telnet, so this can't be ruled out as the way that it is done.

The following commands may (or may not) give you some interesting stuff to play with...

```
mbus client register
mbus listtypes expand=enabled
mbus client exec cmd=getparamvalues
mbus client exec cmd=getparamattributes
```

And that is all of the crap I have accumulated so far.
#83
Hi Guys,

Is there any way of finding out what commands are available if you telnet in, then type debug > exec (the expert command console)? Surely there is some way here to remove the lock; I can't see BT having an 'unlocked' firmware, as people who have their hub unlocked could just extract the firmware from that and post it for us to use. So they must remove the 'simlock' somehow via telnet.
#84
We need to take the FTP dump given here: http://www.bitcount.net/files/611R.tar.gz

And the GPL code released by BT here: http://www.btyahoo.com/broadband/adh...s/gplcode.html

And find out how their own little app works, extract ALL the commands that are used in that home application, then see if there is anything useful to use. I really can't see BT flashing the home remotely; I can't see it working. We need to find out all the hidden commands, like simlock above was pointed out. How was that discovered?
#85
> And find out how their own little app works, extract ALL the commands that are used in that home application, then see if there is anything useful to use.

The problem is, the tag parser (responsible for parsing config files and telnet commands) is essentially a scripting engine, meaning it isn't just a case of finding the relevant list of allowed commands. You have to find the initial list of commands, then figure out how the tag parser stores them, links them together to form command trees and parameters, then figure out how it validates & executes them. Without a debug board this is pretty damn difficult.

See the telnet cmd software menu and you will see that it is very possible to flash remotely. Possibly more aggro than just a series of commands, but also more difficult to unlock.

> We need to find out all the hidden commands, like simlock above was pointed out.

```
DIR
cd /archive
GET ZZJMAA6.11R
exit FTP
```

Run an extraction script against ZZJMAA6.11R. It's in PHP, but I can post it if you are interested.

```
cp ZZJMAA6.11R_EXT/active/security.cfg.gz ./
gzip -d security.cfg.gz
```

Run a formatting script against security.cfg. Again, in PHP, but I can post it if you are interested.

The security.cfg file is responsible for defining default roles and permissions required to execute most (if not all) actions available. It also happens to list parameters available to the commands. I will attach the full list of commands when I get home as I'm at work atm.
#86
zero-x and I found some additional hidden commands tonight (actually, zero-x found them, I just played with them):

```
:debug dmesg
:mlp interaction
:mlp zones
```

interaction is interesting because it gives you a full list of commands, their parameters and their "scores". I think these scores are irrelevant if you are SuperUser / root as they just seem to be permission restrictions. Try one of these...

```
:mlp interaction list type=file verbose=all
:mlp interaction list type=cgi verbose=all
:mlp interaction list type=mdap verbose=all
:mlp interaction list type=cli verbose=all
:mlp interaction list type=ftp verbose=all
```

The last one is a bit lame though. It still won't let you write anywhere but /dl (or at least we never got it to). BTW, when this router says CLI, it means the managed one available via telnet and not a "real" shell.

In addition (but totally useless) you can execute some of these commands through FTP!!! Telnet in to ftp as admin; on Windows, execute:

```
literal SITE debug dmesg
```

On nix... I'm not sure, I think it might be "quote" instead of "literal". Of course, this last bit could just be a side effect of me messing with the interaction stuff too much.

Finally, I've done a Wireshark capture of the recovery tool in action. In short, it does next to no validation on the BLI files (so there isn't much hope of reversing the BLI format from that) and acts as a pretty BOOTP/TFTP server that will nicely back up your configs for you... The process goes a little like this.

That means that if we do figure out BLI then we can use this tool to get it on the hub. My theory is that the hub is bouncing it due to the checksum (when you modify it to say BAT-Z instead of BANT-7). Still need the checksum offset and calculation algorithms to test it tho.
#87
Some more things found were (from :debug exec commands):

```
Execute a 'Trace & Debug' command. For qualified personnel only.
dmesg
Show the Linux kernel messages. For qualifies personnel only.
Quoted 'Trace & Debug' command string
Execute a 'Trace & Debug' command. For qualified personnel only.
Switch to 'Trace & Debug' prompt. For qualified personnel only.
Switch to Linux shell. For qualified personnel only.
alg vpn
ip dt
ip lt
ip ct
ip +t
ip -t
sea bstats
sea istats
sea pstats
sea clear
sea sq
eth stats
eth clear
eth trace
eth tlen
sachem get_config
sachem get_state
sachem activate_performance
sachem deactivate_performance
sachem get_data
sachem do
tdsl LOVTest
tdsl LOVTestL1
tdsl LOVTestL2
tdsl LCLTest
tdsl custoData barometer
tdsl getData all
atm otrace
atm sxt
atm stt
atm svt
atm tvc
atm tlen
atml stats
atml pstats
atml gstats
atml istats
atml dstats
atml clear
pptp ctrace
pptp dtrace
dbg spt
dbg rvt
dbg fvt
dbg spo
dbg cpuload
err stats
edm ctrl
edm sit
edm situation
edm start
edm stop
edm otherrxf
edm getli
edm ss
edm setstats
edm rs
edm resetstats
edm gs
edm getstats
edm sa
edm setaddr
mdap trace
mdap search
voip trace
voip ss
vdsp fxooffhook
vdsp tracecodec
vdsp hci
voip info
vdsp info
voip siploglevel
voip addfilter
voip delfilter
usbhost devs
usbhost pos
wld spool
wld ssrom
wld wlifdata
wld poolinfo
wld macevents
wld cmacevents
kru st
=====================DISCLAIMER=================== ===
Access to expert commands is intended for qualified
personnel only.
==================END=OF=DISCLAIMER=============== ===
```

It's all a bit messy as I've taken it from the code directly (the strings were NUL-separated, shown as ^@, with ^M line ends). The interesting one would be "kru st", purely because it killed my router for a bit until I rebooted. This command cannot be found anywhere else on the net; I've searched some of the other commands and came up with a list from someone else relating to the old Speedtouches. They can also be found here: http://members.lycos.nl/epias/st510/text/510cli.txt
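Added example (not from the thread or from the hub's firmware): a small Python triage script that does what the post above did by hand, turning cat -v style caret notation (^@ for NUL, ^M for CR) back into bytes, splitting the NUL-separated string table, and separating short "group sub" command tokens from help text so the debug commands can be inventoried per subsystem. SAMPLE is constructed from a few of the strings above, and COMMAND_RE is an assumed heuristic, not the firmware's real grammar.

```python
import re
from collections import defaultdict

# Constructed sample in the same cat -v caret notation the post uses:
# ^@ is a NUL byte, ^M is a carriage return.
SAMPLE = (
    "^@^@^@^@Execute a 'Trace & Debug' command. For qualified personnel only."
    "^@^@^@^@dmesg^@^@^@Show the Linux kernel messages.^@^@^@"
    "sea bstats^@^@sea istats^@^@eth stats^@^@^@kru st^@^@^M"
)

# Assumed heuristic: a command is 1-3 short tokens starting with a lowercase
# word ("dmesg", "sea bstats", "tdsl custoData barometer", "ip +t"); help
# text starts with a capital and contains punctuation, so it fails the match.
COMMAND_RE = re.compile(r"^[a-z]+(?: [A-Za-z_+\-]+){0,2}$")


def caret_to_bytes(text):
    """Undo cat -v caret notation: ^@ -> 0x00, ^M -> 0x0d, ^? -> 0x7f, etc."""
    def ctrl(m):
        return chr(ord(m.group(1)) ^ 0x40)
    return re.sub(r"\^([@A-Z\[\\\]^_?])", ctrl, text).encode("latin-1")


def null_separated_strings(data, min_len=2):
    """Split a NUL-separated string table, dropping empty entries and the
    stray CR fragments that surround the firmware's disclaimer banner."""
    out = []
    for chunk in data.split(b"\x00"):
        s = chunk.decode("latin-1").strip("\r\n ")
        if len(s) >= min_len and s.isprintable():
            out.append(s)
    return out


def classify(strings):
    """Separate command tokens from help text and group commands by their
    first word (the CLI subsystem: sea, eth, edm, ...)."""
    commands, help_text = defaultdict(list), []
    for s in strings:
        if COMMAND_RE.match(s):
            commands[s.split(" ", 1)[0]].append(s)
        else:
            help_text.append(s)
    return dict(commands), help_text


def triage(caret_text):
    """Full pipeline: pasted caret-notation dump -> (commands by group, help text)."""
    return classify(null_separated_strings(caret_to_bytes(caret_text)))


if __name__ == "__main__":
    cmds, helps = triage(SAMPLE)
    for group, entries in sorted(cmds.items()):
        print(f"{group:8s} {', '.join(entries)}")
    print(f"{len(helps)} help strings")
```

Feed it the raw dump instead of SAMPLE (or the bytes of the firmware string table directly, skipping caret_to_bytes) to get the grouped inventory rather than the flat list.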
#88
I have 2 of the white home hubs sat here, one not being used. Anyone know of a way to get them to talk to each other to extend the range of my connection? Failing that, what would be my best bet, as when the hub is downstairs I get no connection upstairs and vice versa!
#89
What channel is the hub on, m8? By default I think it is 1; change it to 12 and the wireless range is usually better.
#90
> I have 2 of the white home hubs sat here, one not being used. Anyone know of a way to get them to talk to each other to extend the range of my connection? Failing that, what would be my best bet, as when the hub is downstairs I get no connection upstairs and vice versa!