Unlocking BT Home Hub V1 *Upgrade at your own risk*

@djkprojects: Presumably you've tried to login with the root account you set up? ..though this account may have gone since you subsequently uploaded a user.ini file.

One workaround might be to edit the user.ini file on your computer, section [ mlpuser.ini ]. Put in a line, e.g.

add name=Administrator password=_CYP_d41d8cd98f00b204e9800998ecf8427e role=Administrator hash2=a2e279ed6671666bed7738338c8c849f defuser=enabled

(the password is blank here, so later you can leave the browsers' password input box empty)

Then you could make use of 6.2.2.6's firmware auth bypass exploit to upload user.ini, by visiting:

http://bthomehub.home/cgi/b/bandr/fjgfgfgh or

http://192.168.1.254/cgi/b/bandr/fjgfgfgh

Once uploaded, you should be able to log in. This, in theory, should work, though I haven't tested this.

[dezza]

oh dear oh dear. bang goes my confidence in the HH hacking community

i'm writing to you via a home hub, with bt firmware 6.2.2.6, over an ISP known as Be*.

in other words, an unlocked home hub *with* bt firmware; something all but one single post on the internets suggested was impossible

ok, so it only works with ethoa / ipoa connections (and probably unauthenticated pppoa) but it still means a hell of a lot of people can get a very cheap adsl2+ router to work for them. afaik a lot of people on llu connections should be good to go.


the method? download the following user.ini, EDIT THE 0*101 VALUE under phone.ini to reflect your isp's vci/vpi, save and rename the file to just "user.ini" (may not need to, but just incase) and restore it to the home hub:

http://www.inaudible.co.uk/temp/st7g...HoA%20user.ini

for all noobs reading, you need to do the script subsystem method below to enable root user, then log in to the web config and browse to advanced > system > backup. if you dont see it, you'll need to clear the previous logged in user (i just cleared my browaser cache / authenticated sessions) and next time enter the root user name and password when entering the advanced bit.

http://homehubhacks.co.uk/index.php?n=HowTo.GetRoot


And rejoice at your newly unlcoked isp independent Home Hub for all ETHoA and IPoA networks (bethere.co.uk being one, and currently the cheapest unlimited isp in the uk, £14 pm ).

The above currently gives you an ETHoA connection for dynamicly assigned IPs. Static IPs should be trivial to add, but don't ask me how just yet... Line stats are avilable on the Status > ADSL Line > Details page, though Internet Connection stats are no longer available (it would only say "ethoa" and uptime anyway).

All I need to do now is get voip working... oh what fun that'll be. And... unless the hub phone is meant to stay blank, i think i broke it either by droppage or wrong batteries... ho hum...


If anyone's wondering, I figured it all out after finding an ethoa template for the 7G via the speedtouch.de forums and ipstore.us site. After verifying it worked fine on the 7G, and dumping both the 7G pppoa and 7G ethoa user.inis and comparing the two to figure out what the difference was (not much, just atm.ini, eth.ini, ppp.ini, ip.ini and dhcc.ini)



Last but not least, thanks to those who got me this far, most importantly the elusive Malcolm Herring who through this one post: http://www.broadbandbanter.co.uk/318...ub-not-bt.html
was the only person to give me hope it was possible. guess you don't need to email me after all... ipstore.us for getting the original ethoa template re-uploaded, and the-scream.co.uk, homehubhack.co.uk, homehubblog.com and all the rest of you hhhackers £7.50! cheapest adsl2+ voip router ever...


EDIT: voip via phone works as per the usual sip hack (though without bridging): http://www.voipfoneuserforum.com/about2756.html
still can't test the hubphone but i'll assume it's fine unless it's own firmware is hardcoded to bt talk.
now i've just gotta test to find out which firmware version records stats for landline, which at least one probably does but no one seems to have a clue about... nuthin new there

Originally Posted by pepsi_max2k

I know this post is over a year old, but I have just been trying to get these instructions to work and I still can't seem to do it right.

I've managed to restore the new configuration file, but after it's done that, it asks for a username and password, and this is where I get stuck. I've tried all possible combinations and none work.

Does anyone have any idea of how I can get back into the router once the new config file has been put on?

Thanks

Opening http://www.inaudible.co.uk/temp/st7g...HoA%20user.ini , I see there is the section:

[ mlpuser.ini ]
add name=root password=_CYP_21232f297a57a5a743894a0e4a801fc3 role=root hash2=7e57751d84b1460a9b3d7cc4c6a6f5ee descr=root

As you can see there is only one account, the root account...so you can only login with this.
The password is encoded - but visiting http://md5.rednoize.com seems to decode it - try the username "root" with the password "admin".

[dezza]

Opening http://www.inaudible.co.uk/temp/st7g...HoA%20user.ini , I see there is the section:

[ mlpuser.ini ]
add name=root password=_CYP_21232f297a57a5a743894a0e4a801fc3 role=root hash2=7e57751d84b1460a9b3d7cc4c6a6f5ee descr=root

As you can see there is only one account, the root account...so you can only login with this.
The password is encoded - but visiting http://md5.rednoize.com seems to decode it - try the username "root" with the password "admin".

Originally Posted by Jabba

Thanks Jabba
Great - exactly what I was looking for

[hesham2004]

I know this post is over a year old, but I have just been trying to get these instructions to work and I still can't seem to do it right.

I've managed to restore the new configuration file, but after it's done that, it asks for a username and password, and this is where I get stuck. I've tried all possible combinations and none work.

Does anyone have any idea of how I can get back into the router once the new config file has been put on?

Thanks

Originally Posted by dezza

try to use Firefox instead of IE , with Administrator ( User name ) & blank P.W

[PsiDOC]

Hi all. Question and answer time.

1) Presumably the computer that one's using to flash the CFE _may_ need its BIOS parallel port mode (e.g. EPP) changing in order for this procedure to work? (may be worth mentioning in your document?)

Originally Posted by Jabba

Have never had to do that personally. I have used 4 or more different machines for Jtagging with the same software. All with the parallel port set to the standard ECP/EPP mode and all have worked fine. Maybe a bit on JTAG ports and how they work might be an idea. - Thanks for that.

2) It might be nice to include some images and/or text for how to remove the plastic case without breaking it.

Originally Posted by Jabba

There are a few guides on the net on how to do this. Here's a good one!
http://www.jarviser.co.uk/jarviser/hubinside.html

3) Is there any alternative way of attaching the JTAG cable to the PCB other than soldering on direct, given that it's only a temporary connection that's required? I don't know whether I trust myself not to make a mess of it and end up breaking the hub completely.

Originally Posted by Jabba

Sadly no. Soldering to the test points is the best and easiest option, If you look between the test points we are connecting to there is a place for a solder on socket with 8 - 10 connections on it. I guess they but that there for development - If you can find the socket you still have to solder it on though so we're back at square 1. Practice is the key with soldering. Also use a fine tip and keep it clean.

4) With the newer 7.4.1.7 firmware, have you identified any functionality that does not work as expected? Presumably you've tested the VOIP, wireless etc etc.

Originally Posted by Jabba

Yes all tested. I am using a HH1.5 on 7.4.1.7 as my connection. Everything works as it should except for the FXO (Landline) passthrough to the hub phone.

5) The wires attached to the PCB look, from the second PCB image, like there are three wires (4,6,8) going to the TPx locations and four wires (1,3,5,7) going to the ground line. Is this correct? (Have the images been resized?..the pin out diagram looks quite small and isn't easy to see)

Originally Posted by Jabba

That picture I pinched - I know shame on me! Actually if you look there are 4 wires going to the test points - you missed wire 2 as it looks like it is going to earth with the rest but it isn't. Also you can get away with 1 earth wire not 4. I only run 1 earth wire and never have had problems, however the JTAG puritans prefer each signal wire to be spaced with an earth wire so for political correctness I demonstrated it that way.
The pinout diagram I am not quite sure what you mean? I can see the test point numbers easily??

6) This is probably a dumb question, and may well have been explored before .... in order to avoid the JTAG procedure, is there any way to hack the 7.4.1.7 CANT firmware so that it's accepted by the hub regardless of the CFE? (presumably you'd still end up in a situation like with the 6.1.9.6 firmware where the VOIP functionality won't allow DECT phones to be registered?)

Originally Posted by Jabba

That isn't a dumb question. The only dumb question is the one you have not asked. In all speedtouch firmwares 6.2.A.xx onwards they put in a check system that looks at the bootloader idents when the firmware is booting. If it finds an incorrect ident it halts with the Message "Illegal Firmware Build" on the console port. So even if we were to patch the header so it would load it wouldn't run without changing the ident in the CFE.

HTH.
Psi

[Jabba]

@Psi: Thanks for your replies , I'll give it a go once I've sourced some resistors and built the cable. Just to clarify it was this image that I found tricky to see. though obviously things may look very different depending on your monitor/resolution. It looks like its been downsized and consequently the text is a little blurred.

[richy]

I have successfully flashed my HH v1.0 to SpeedTouch 7G 6.1.9.6, I am using a Three dongle and have ICS activated on the connection, but when trying to connection to the internet with my iPhone through WiFi it doesn't work!

Can anyone help? Should I b using a differennt fw? Please post here or PM me thanks!

[PsiDOC]

@Psi: Thanks for your replies , I'll give it a go once I've sourced some resistors and built the cable. Just to clarify it was this image that I found tricky to see. though obviously things may look very different depending on your monitor/resolution. It looks like its been downsized and consequently the text is a little blurred.

Originally Posted by Jabba

AH I see. here ya go.



Psi

[Jabba]

@PSI: Thanks, that's better!

I have a BT home hub v1.0 but i cannot for the life of me unlock it.

I have reset the router to its factory defaults. That means the username is 'admin' and the password is the hubs serial number.

I downloaded the flash utility and the older firmware.

The router is detected fine and I am prompted to entre the username and password.

This takes me to a screen where I can choose a *.bin file. so I chose the old firmware.

when I click next is warns me that this is downgrade to so I checked the box to say thats fine.

The problem is that the firmware does not flash. First it tries to backup the old details then fails at 15% saying that 'authentication failed' and that i should go back or restart the program and enter the username and password.

What is going on here?

[PsiDOC]

Flash it in kernel mode.

[faizy]

bro PSI ... i want to know that if u tried the JTAG hack on the V1 hub and if after changing the firmware to speedtouch ... does the hub phone work with VoIP and Landline ? .. also does the landline work thru the phone port on the back of the HUB ? ..

[PsiDOC]

No it doesn't work and to be honest it's a bit like closing the door after the horse has bolted as the firmware is in already in place and only half there. Reason for that is because there are 2 parts to the flash for the Speedtouch 6.1.9.6 firmware you can edit the main header to load the main part it but the sub header remains as the original and hence isn't flashed as it sees it as a wrong firmware

After some feedback on this from brave souls that have done the JTAG mod detailed on my page I can quite safely say the the landline works straight off I can only guess the reason it did not work for me was because of some dodgy phone wiring in my house that has now been replaced.

In short the JTAG hack detailed on http://www.psidoc.com/homehub is a fully working solution.
This includes the Hub Phone and the Rear Phone port on both FXS (VOIP) and FXO (landline).

Psi

[faizy]

you da man PSI ! ... ill try this out on the hub im using .. its unlocked using the old method ...

[sarahjones1975]

Thought I'd report back and let you all know that I have managed to get the home hub working with my cable internet connection (which many people here said couldn't be done). I have connected the modem to the 'wan' port at the back of the hub, the other ethernet port serves as a lan port, wireless works, voip works (via ring capacitor with normal phone), USB ports work with my USB drive too! Didn't bother with the FXO as I do not have a phone line. Finally I can put this cheap bit of crap to some use.

PS: One of my hubs has the older firmware 6.1.1.M or is it R, can't remember now. This firmware allows you to edit the VOIP settings such as username, sip server, sip port etc in the web interface. Has anyone used this firmware and can comment on it's stability?

Hi Guyz.
i got a Bt home hub and i could successfully unblock it by downgrading the firmware to the speedtouch 7G firmware version 6.1.something

anyways

i can configure the router now but i can't find the advanced configuration options, like the WAN configuration that i could put a static IP and Gatewate for the WAN interface..

All i can do it to set to set the service to bridged but i want it to be bridged LLC. where i can find these options ?

i will appreciate it if anyone helped me

Thank you guys

I have been looking for help till i found some help may be useful but i still need your help:

i have seen that there is something called TEMPLATES that could be added to the speedtouch

so could anyone help with finding me the right template for 7G that allow me to set static IP for WAN and change the type of Encapsulation ????

and when i ftped the router, i couldn't paste any file inside, so i need help about how to add templates to the the 7G

Thank you very much

[knickerless]

I am having trouble with unlocking my BT Home Hub - when I run the upgradeSt program it detects the hopme hub as Speedtouch BTHH and when I enter the login and password as admin - it just goes into a loop - presumably because it rejects the password - I have even tried the password with a capital A.
ANy ideas?

Nick

[PsiDOC]

Flash it in kernel mode. No need for passwords then.

[knickerless]

I am sorry I thought I had asked a fairly straight forward question. Your answer means nothing to me and does not help at all.
If you like to explain further - it would be appreciated.
You may reply direct to me by email if you like.

[PsiDOC]

Research is the key.
Google can be a great help!
Also the search function is good to.

[Smalz]

hi all could any 1 plz help iv flash the hh with the 7g firm were all is well apart from the sead things but i cant get my head round the dsl droping when the house phone rings, iv try the dubble filtring changing filters evn geting my isp 2 do a line check all is well, .................... i like the ider of keeping it as bt firm were but cant under stand how 2 do it that way untill some brite spark puts a pack 2 make gether and makes it easy fore us not so clever 1s ges im stuck ..thax any help will be gr8t full

[xnlopez]

Thanks jarviser, hiddenvision, psidoc and all other great members that have given so much useful information about the HH.

I have a question (sorry if it has already been answered... didnt see it though)

I want to use an internet service that comes via the TV cable (Switzerland, Cablecom) and I have a HH V1.0 that I was given by a friend from the UK. The cable company offers for free a dumb "modem" which connects via coaxial to the TV cable and has ONE ethernet cable port. That's all. My question is:

Can I use the HH as a router, DHCP server, Wireless access point, and Analog Telephone Adapter and NOT use the ADSL interface, by connecting via ETH1 or ETH2 to the Cablecom dumb modem?

Can I do this using the BT firmware?

Thanks.

Hey there,

We Have a BT HUB (white)
Firmware 6.2.6.H

We got up to accessing the https:// blah, blah, blah root.

The light for the wireless went from yellow to green.

We could not do the recovery from the https:// since we asked for a further password which we could not get through (we tried the bt_test user one).

It seems we are almost there.

I downloaded the BT Recovery software.

What else to I need it now?

Thanks jarviser, hiddenvision, psidoc and all other great members that have given so much useful information about the HH.

I have a question (sorry if it has already been answered... didnt see it though)

I want to use an internet service that comes via the TV cable (Switzerland, Cablecom) and I have a HH V1.0 that I was given by a friend from the UK. The cable company offers for free a dumb "modem" which connects via coaxial to the TV cable and has ONE ethernet cable port. That's all. My question is:

Can I use the HH as a router, DHCP server, Wireless access point, and Analog Telephone Adapter and NOT use the ADSL interface, by connecting via ETH1 or ETH2 to the Cablecom dumb modem?

Can I do this using the BT firmware?

Thanks.

Originally Posted by xnlopez

Yes, in most of the times, you just need to connect your cable modem(dumb) to a Yellow port of the HH, (Ethernet output) as an input and using it as Wireless Router, in case you couldn't connect to the wireless, you may need to press the Rest point with a tiny pen and hold it for a few seconds to reset the Hub, the using the Key provided as default on the lable or in the setting.
Good Luck!

Hi just flashed my home hub v1.0 the normal way (no jtag.... yet) and am wondering wether I can use my hub phone yet.

Thanks