#781
Hi all.

Is anybody still playing with the JTAG on this thing? I've just figured it out. Here's the shorter version. I made the modifications to Hairy Dairy Maid's debrick utility that Any No Mouse posted earlier in this thread, connected the JTAG, dumped the bootloader, flashed a CFE bootloader from a Voyager 2091 to it, reset it and nothing happened - it was bricked. Luckily I saved the original bootloader, so I flashed it back, reset, and nothing happened. Gutted. What went wrong?

So I decided to dump the bootloader again so I could compare it with the one I first dumped. The file had changed - I think it's called the endianness, and it was swapped. Like this in a hex editor, first few bytes:

first dump:  C0 BF 00 00 84 03 84 23
second dump: 00 00 C0 BF 84 24 84 03

So I flashed the second dump back, restarted, and it's alive, well, sort of. I get this on the serial port:

Speedtouch initialization sequence started.
BOOTP reason : BFLAG_INV_RI
phy_bcm6348.c - ETHD: external phy is used
Ctrl: BOOTP initiated

I know I've damaged the userfs because at first I thought it was lying about the location it was flashing, so I've been smashing the first bootloader dump here, there and everywhere on the flash. If I try the firmware recovery tool, the tool says "no build images found". If I use a DHCP/TFTP server the hub downloads the image but reboots with the error:

[ERROR] : WRONG PROD-ID or VAR-ID !!!

So I'm assuming I've erased the part that says what board it is.

Be careful if you try to flash yours with JTAG: it seems OK on read and erase but gets a bit dicky on write. I fixed this by soldering one end of a 110 ohm resistor to the TCK JTAG pad where the TCK wire is soldered, and one end of another 110 ohm resistor to the bottom ground pad on P3, positioned vertical to the board so I could touch the free ends together when it's time to write. I didn't actually touch them together and, just like magic, it started to write anyway, so I left it like that.

Also, can anybody dump their whole flash with Hairy Dairy Maid's debrick utility for me so I can continue on my mission? Thanks...
#782
Fruit tool, are you using software or hardware JTAG control?
#783

#784
I've just tried the standard SpeedTouch firmware updater. Here's the output.

Computer interface: NVIDIA nForce Networking Controller
IP address(es): 192.168.1.1/24
Gateway address(es): 0.0.0.0
Device name: SpeedTouch
Serial number:
Mode: Kernel mode
Physical address: 02-90-D0-00-00-00
Firmware version: 6.1.1.22.0
TP version: ?
Board type: 00NT-0
Chip version: 0x1
Bootloader version: 2.0.4
Info: Kernel mode requested by push button. Invalid remote inventory content.
Others: name=SpeedTouch [-device_id=-device_name=SpeedTouch
_board_name=00NT-0
_bootl_flags=80
_bootl_invalid_rip=1
_bootl_request_button=1
_bootloader_version=2.0.4
_build=6.1.1.22.0
_iftype=ETH
_macaddr=02-90-D0-00-00-00
_prod_id=
_variant_id=
_version_bootloader=2.0.4
_version_sea=0x1
mdap_version=1.1
=======================================================

Notice: _board_name=00NT-0 _prod_id= _variant_id=

I think I can make the firmware image match _board_name=00NT-0 (change the BANT-7 or BANT-Z in the firmware), but I have no idea what "_prod_id=" and "_variant_id=" were originally. Any ideas?
#785
Fruit tool, I will have to catch up on the JTAG front as my soldering iron is busted at the moment. As you have a working rig, could you check something for me: if the hash for the default root account is changed to be the same as the admin account, can you log in as root? If not, what if the account details are swapped over, i.e. write the username and hash of the admin account over root, and the hash of the default admin account.

Computer interface: VIA Rhine II Compatible Fast Ethernet Adapter
Obtain an address automatically
IP address(es): 192.168.1.64/24
Gateway address(es): 192.168.1.254
DNS address(es): 192.168.1.254
Device name: BT Home Hub
Serial number: 0717***** (removed for privacy)
Mode: Operational
IP address(es): 192.168.1.254/24 10.0.0.138/24 172.16.1.254/24
Product code: 3614****
Physical address: 00-18-**-**-**-** (removed for privacy)
Firmware version: 6.2.6.C
TP version: 2.0.0
Bootloader version: 2.0.5
Board type: BANT-Z ( QR )
Configuration:
  Configuration modified by CWMP
  UK
  BT
  Routed PPPoA on 0.38
  UK Factory Default
Others: name=SpeedTouch BTHH [0717F****] (removed for privacy)
-device_id=0717F****
-device_name=SpeedTouch BTHH
__sec_modem_access_code=151344**** (removed for privacy)
_board_name=BANT-Z
_board_serial_nbr=0717F**** (removed for privacy)
_bootloader_version=2.0.5
_bthub_board_version=V10
_build=6.2.6.C
_buildname=ZZJMBG6.26C
_buildvariant=BG
_company_id=ALCL
_company_name=THOMSON
_company_url=http://www.thomson.net
_copyright=Copyright (c) 1999-2007, THOMSON
_ethernet=SINGLE
_fia=QR
_fii=6.2.6.12.0
_iftype=ETH
_igdxversion=
_macaddr=00-18-F6-74-**-**
_modem_access_code=774655**** (removed for privacy)
_modemlabel=bcm96348_R622_ADSL_PHY_A2pBT009a2.d18
_oui=0018F6
_physlayertype=POTS
_prl=36143*** (removed for privacy)
_prod_description=DSL Voice Gateway Device
_prod_friendly_name=BT Home Hub
_prod_name=SpeedTouch
_prod_number=BTHH
_prod_serial_nbr=CP0717FHL** (removed for privacy)
_prod_url=http://www.speedtouch.com
_sntppoll_post_sync=60
_sntppoll_pre_sync=3
_ssid1_serial=BTOpenzone
_ssid2_serial=BTFusion-7AFB
_ssid2_serial_postfix=7AFB
_ssid_serial=BTHomeHub-430B
_ssid_serial_postfix=430B
_tpversion=2.0.0
_usb_macaddr=02-18-F6-74-29-**
_variant_friendly_name=STBTHH
_vega_fw_version=1192
_voice_capable=yes
_wepkey2_serial=93c709d***
_wepkey_serial=95a742f***
_wiz_autopopup=0
_wl_version=4.120.25.0
_wpakey2_serial=93c709d***
_wpakey_serial=95a742f***
ant-name=SpeedTouch BTHH
columns=80
conf_cond_encrypt=enabled
conf_date=Configuration modified by CWMP
conf_description=UK Factory Default
conf_provider=BT
conf_region=UK
conf_service=Routed PPPoA on 0.38
conf_tpversion=2.0.0
conf_version=1.5.12
dhcp_config=1 server
dhcp_status=1 server
fusion_icon=Fusion_Handsets
host_setup=auto
ip_list=10.0.0.138;172.16.1.254;192.168.1.254
ip_main=192.168.1.254
ipmask_list=255.255.255.0;255.255.255.0;255.255.255.0
ipmask_main=255.255.255.0
mdap_version=1.2
rows=24
sessiontimeout=600
upgrade_url=http://www.speedtouch.co.uk/upgrade

It doesn't look as though the BT image uses the blank values; however, it looks like you still have some dodgy bytes there, i.e. board_name for instance. You took an image before the changes, so it might be an idea to write it back again.
Last edited by moog; 26-November-2007 at 10:43.
#786
Fruit tool, can you host the original image somewhere and I will switch the endianness over for you? I would have thought the write tool would have a switch for Intel endianness. Also, what's the word length? It looks to be 32 bits, as you seem to have either errors in your post or in the write.

See:
first dump:  C0 BF 00 00 84 03 84 23
second dump: 00 00 C0 BF 84 24 84 03
                            ^^ should be 23 not 24

Weird that it reads one way and writes the other. Not changed any switches in the software, have you?
Last edited by moog; 26-November-2007 at 10:45.
#787
Sorry moog, that 24 is a typo.

And I admit, I was a dunce and didn't back up the whole flash, only the bootloader. The kernel and rootfs seem untouched but the userfs is totally blank. Settings like the board name are stored in NVRAM on some other routers, but the Home Hub has this userfs partition. Is it possible that they're stored here?
#788
I don't know about the userfs as yet; however, you might try reflashing with BT's latest software, if it will be accepted using the kernel boot method. You can always reflash backwards, but at least you will have most of the user settings right. I would think that most of the board individualisation would be in NVRAM, as this should never change. Post up what you've got and once I get time for the JTAG cable I will compare it with mine. I'm busy for the next two nights, so it will be Thursday at the earliest.
#789
eBay has Home Hubs for £10 ish, so it might be a good idea to get an extra one while your investigation proceeds.

As an afterthought, has anyone out there got a trashed Home Hub with the flash still intact that Fruit tool can salvage? Or, if the BT guys listen in, the user area format or an image would be nice.
Last edited by moog; 26-November-2007 at 11:27.
#790
Just reread your "post this page": the board_name is clearly still wrong and this is what is stopping the flash working. I would have thought it would be BANT, not 00NT.
Last edited by moog; 26-November-2007 at 11:40.
#791
Cheers moog.

I have another Home Hub here but I think the flash chip's shot: the CPU registers with JTAG but it cannot find the flash (might be interesting). The circuit boards of the two have slightly different connector pin mounts, one is surface mounted and the other has pins through the board, and one has two antennas, the other has one. Identical every other way though. I have at the moment a dump of the rootfs as it came off the flash and the bootloader in both endiannesses; name a place for me to host them and I'll stick them up if anyone is interested.
#792
It's the image, not the package, you want. There might be problems if you have them both connected to the same ISP at the same time, but if you've got two separate ADSL lines in use at the same time you've got too much time on your hands. Modified some posts from earlier this page, so it might be worth a reread.
#793
As to hosting, I use Rapidshare myself.
#794
Here's the files:
http://rapidshare.com/files/72381630...dumps.rar.html

I have a full working toolchain for Voyager (I already made a JFFS2-based firmware for a Voyager 210 which flashed directly from the web updater), so my plan was to try to mod it to build a firmware for the Home Hub.
#795
Having strange problems getting Rapidshare at the moment.
#796
Here you go moog: http://inaudible.co.uk/temp/bthh-flash-dumps.rar
#797
Thanks Pepsi.

BT seem to be blocking Rapidshare. I did a web search and I am not the only one having this problem, so I rang them up and they cut me off twice. Quality service, that's what I like, with English-speaking technical support agents. So why am I with BT? Not for long now, I can tell you.
#798
Had a quick look and all three seem properly "broken". I'll have to wait until I've got my own cable to be sure, but it doesn't look as though they are encrypted in memory, just reordered. Hopefully once I have seen what it should look like I can unscramble yours. Well, here's hoping.
#799
Thanks Pepsi. BT are not blocking Rapidshare; I've just had a go with the link on the last page and it's working fine. I'm using BT and BT's DNS servers.
#800
Just got back in. Fruit tool, I have reformatted them for easier reading but will still need to make my own cable before I can get the missing info, so I wouldn't suggest using any of the images. They might work, but then again they might trash it completely.

See http://rapidshare.com/files/72498297/hh_Jtag_dumps.rar

If you feel lucky, then a total of 4 flashes, each extracting the image for the next, like you did for the 1st and 2nd, might do it. Word length seems to be 32 bit, so to reformat, read bytes (1,2,3,4) then write bytes (4,3,2,1). The rootfs makes interesting reading, complete with French comments. Can't wait to have a go at 6.2.6c, he he.
Last edited by moog; 26-November-2007 at 21:45.
#801
Well, I will rephrase then, Scoobs: access to Rapidshare is not consistent for me or any of the other people that have posted on the web. Do a search for "bt rapidshare" and you will see what I mean. Probably due to the time I was trying to access, although Rapidshare's IP does change, so they may have a rotating IP range to balance the load.
#802
That WAS an interesting read. Genius, moog.

I can't try anything else out at the moment because the ends of the JTAG are getting frayed and I haven't any solder, so it'll have to wait a day or two. I've thought, though, that it might be a safer bet to dump the bootloader once more and see if it's different from the first two. If it is, then I'll try what you suggested with the 4 flashes.
#803
Four flashes total. You will have to check each time to see if it boots properly, but it does look like all the info is still there. Have you got a serial lead as well? If you have, that's what I'm going to end up with; can't have too many cables hanging out of electronic equipment, I say.

P.S. Did you manage to get the case back together after operating on the guts?
#804
I'm using a BD75232 for the serial converter. I would use a MAX232, but the 75232 can be taken from most motherboards I've seen. It needs +12V, -12V and +5V, but I get this from an old (working) PSU.

As for the case, the first (newer) one didn't go back together very well but the second did (only broke one clip).
#805
Re the case: nice that it is possible to get it back together without duct tape. Just pricing components from RS; god, there is a price difference from the US.

On your console cable, is writing to the console possible? I was going to use this simple circuit I found on http://picprojects.org.uk/projects/simpleSIO/ssio.asp
Last edited by moog; 27-November-2007 at 10:45.
#806
Yeah, I can write to the console. I like that circuit though; it's better than the contraption I've mangled together. I'm using a dedicated 300W ATX supply for one SMD chip about the size of a fingernail.
#807
I've just done dump #3 but it's exactly the same as #1, so I don't think flashing x4 will change anything. I'll just have to wait till a whole flash dump comes along so I can compare it with mine, I think.
#808
Here is the reformatter. I know it's slow, but when I get my cable working I will use a block read rather than a byte-by-byte method.
http://rapidshare.com/files/72780516/shuffle.exe

Usage: shuffle <filename>

It will ask for the word order width; 4 (32 bit) will give the readable output, but I think you want 2 for 16 bit. It will create a file called output.bin in the same directory as the data file, so if you create a shortcut to shuffle in the SendTo folder you can right click > Send To > "Shortcut to shuffle.exe". The SendTo folder is usually C:\Documents and Settings\username\SendTo.

Which version of the bootloader works? If you look at address 1614 it says "decompressing bootloader", so do you have to use shuffle to get it to say that? Also, if you look at 1ff28 you see your product code etc.; these are the details you were missing.

The difference between bootloader 1st and 2nd was a 16 bit reorder, not a 32 bit shuffle, so:

file   bytes   32 bit shuffled   16 bit shuffled   reshuffle32 on 16 output
1st    1234    4321              2143              3412
2nd    3412    2143              4321              1234

The 16 bit shuffle will take bytes 1234 and give 2143, so you should be able to get any combination you want with a combination of reflashes and reshuffles (16 and 32 bits). So, starting with the 1st image, we can see that if we:

1. do a 16 then a 32 bit shuffle, call these f16 and f32 respectively;
2. do a 16 and 32 on f16 and f32, call these f1616, f1632, f3216, f3232;
3. again 16 and 32 on all output files from 2, these called f161616 etc.

1st    f16    f32    f3216   f1632   f321632   f163216   f16321632
1234   2134   4321   3412    4312    2143      3421      1243

You can see that there are going to be 4^4=256 possible combinations, so I think if it doesn't work within the first 4 untested combinations it's worth waiting for a full dump and testing writes to a blank area to see the results. I think we will need the shuffle to just take the byte order, not a major change.
Last edited by moog; 28-November-2007 at 04:13.
#809
Well, I flashed them back, but bad news: the flash chip won't register with JTAG now, not properly anyway.

Here's the flasher if anyone wants it, but don't blame me if you brick your router with it. Read the disclaimer on page 1.
http://rapidshare.com/files/72786173...ag_flasher.rar

I did see in the reformatted dumps that hex 1ff20 to 1ffb6 seems to be the board's identity. Don't know whether it should live there or somewhere else though. Anyway, I'm off to get another BTHH off eBay.
#810
And here it is:
http://rapidshare.com/files/72791130/shuffle2.exe

Type in the byte order, so to get your second dump you would type 3412. There isn't any validation on what you type in, so be careful before flashing it back. I think that if you create a file with just the bytes 01,02,03,04 and write it to a blank bit of RAM, then read it back, the order is what you need to use on the readable version of the dump to get it working again.
Last edited by moog; 28-November-2007 at 04:43.
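The byte-order shuffling moog describes in #808 and #810 (permute each 32-bit word by an order such as 3412, chain 16-bit and 32-bit shuffles, and probe the write path by flashing 01 02 03 04 to a blank area and reading it back), as an added Python example. This is not code from the thread and not moog's shuffle.exe or shuffle2.exe; the function names reorder, compose, inverse, net_order and find_order are the example's own. It assumes the dump's word boundaries are 4-byte aligned from offset 0, and uses as constructed sample input the eight bytes Fruit tool quoted in #781, with the 24 that was later confirmed as a typo for 23. Four bytes have only 24 orderings, so find_order simply tries them all.

```python
"""Byte-order reshuffler for JTAG flash dumps.

Added example, not code from the thread. Reorders every width-byte word of a
dump by an order string such as "3412" (the halfword swap seen between the
first and second bootloader dumps), composes such orders so a chain of
reflashes collapses into one reorder, and brute-forces the order that maps a
written pattern onto what was read back (the "write 01 02 03 04, read it back"
probe).
"""
from functools import reduce
from itertools import permutations

# Constructed sample input: the first eight bytes of the two bootloader dumps
# quoted in post #781, with the "84 24" typo corrected to "84 23".
FIRST_DUMP = bytes.fromhex("C0BF000084038423")
SECOND_DUMP = bytes.fromhex("0000C0BF84238403")


def reorder(data: bytes, order: str) -> bytes:
    """Permute every len(order)-byte word of `data`.

    `order` gives, for each output byte position, the 1-based input byte to
    take: "3412" turns bytes 1 2 3 4 into 3 4 1 2, "2143" swaps bytes within
    each 16-bit half, "4321" reverses a whole 32-bit word.
    """
    width = len(order)
    idx = [int(c) - 1 for c in order]
    if sorted(idx) != list(range(width)):
        raise ValueError(f"order {order!r} is not a permutation of 1..{width}")
    if len(data) % width:
        raise ValueError(f"length {len(data)} is not a multiple of {width}")
    out = bytearray(len(data))
    for base in range(0, len(data), width):
        word = data[base:base + width]
        for i, j in enumerate(idx):
            out[base + i] = word[j]
    return bytes(out)


def compose(first: str, second: str) -> str:
    """Single order equivalent to applying `first`, then `second`."""
    if len(first) != len(second):
        raise ValueError("orders must have the same width")
    return "".join(first[int(c) - 1] for c in second)


def inverse(order: str) -> str:
    """Order that undoes `order`."""
    inv = [""] * len(order)
    for i, c in enumerate(order):
        inv[int(c) - 1] = str(i + 1)
    return "".join(inv)


def net_order(orders, width: int = 4) -> str:
    """Collapse a chain of reorders (e.g. one per reflash) into one order."""
    identity = "".join(str(i + 1) for i in range(width))
    return reduce(compose, orders, identity)


def find_order(src: bytes, dst: bytes, width: int = 4) -> list:
    """Every width-byte order that maps `src` onto `dst`.

    Probe with distinct bytes (01 02 03 04) to get exactly one hit; repeated
    bytes such as 00 00 can leave several orders consistent with the data.
    """
    if len(src) != len(dst) or len(src) % width:
        return []
    hits = []
    for perm in permutations(range(1, width + 1)):
        order = "".join(map(str, perm))
        if reorder(src, order) == dst:
            hits.append(order)
    return hits


if __name__ == "__main__":
    print(find_order(FIRST_DUMP, SECOND_DUMP))   # ['3412']
    print(net_order(["3412", "3412"]))           # 1234: two such writes cancel out
    print(net_order(["3412", "2143"]))           # 4321
    # Recover the readable dump from one that came back halfword-swapped:
    print(reorder(SECOND_DUMP, inverse("3412")) == FIRST_DUMP)   # True
```

Usage: run `find_order(written, read_back)` on the 01 02 03 04 probe to learn what the write path does to each word, then `inverse()` of that order is what to apply to a readable dump before flashing it, and `net_order()` tells you in advance what a chain of reflash-and-reshuffle steps adds up to, so it can be replaced by a single write.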