Hacking the (allegedly) Unhackable. BT HomeHub 2.0A UNLOCKED.

[PsiDOC]

This is just a pre-release announcement as I am polishing the hack to include FTP and hopefully telnet access on the HH2.0A. I have come up against a minor setback in the shape of my monitor died but should have the parts here tomorrow to repair it. Sadly my laptop does not have a printer port to work with.
Anyway here's a proof piccy My Demon connection. Ip address to validate (it's ok I am on a dynamic IP) and connected via WIFI.

Yes it does require soldering as it's a JTAG job. No simple flash n go method I'm sorry - That is unless anyone knows someone who can create a Linux-Go bli image? If so PM me.
There's more to come from this.

Psi

[jmpr]

hi
can you tell me please when are you going to place the whole hacking proccedure?
thanks

[PsiDOC]

When I have finished the hack and it all works as it should.
Timescale? Less than 2 weeks hopefully.

Psi

[Memfis]

unless anyone knows someone who can create a Linux-Go bli image? If so PM me.
Psi

Originally Posted by PsiDOC

isn't a bli image just a block level image of a file system?

[PsiDOC]

I was led to believe a .bli a JFFS which contains all of the file systems which is encrypted.

Psi

[tbaby]

Brilliant .. Just waiting for your next post and hack my little bt black box in the corner . Please post the procedure .

[tbaby]

Any updates ?

[ian.morgan]

I'm an amateur with all this, but I'm excitedly waiting to hear too

Just thought I'd give some encouragement that your work is much appreciated !

[PsiDOC]

Not yet.
I killed the HH2 and not revivied it yet as it'll take 6+ hours to jtag the wholeflash back in so not had time. Will see what happens at the weekend.

Psi

[PsiDOC]

*** Development Stopped ***
My HomeHub 2 is dead. The flash rom is getting serious write verify errors which means it is pooched.
Without a working HH2 to work with obviously I cannot continue.

Sorry all.
Psi

[unlokia]

*** Development Stopped ***
My HomeHub 2 is dead. The flash rom is getting serious write verify errors which means it is pooched.
Without a working HH2 to work with obviously I cannot continue.

Sorry all.
Psi

Originally Posted by PsiDOC

Gutted

"wah wah wah WAHHHHHH!" :P

[PsiDOC]

I'm back!
After being donated a new home hub that sadly turned out to be a 2.0B (niether use nor ornament!).
I have repaired the bricked 2.0A and we're running again!
I can now safely say we're almost there.
I have an unlock solution and telnet running.

Code:

Username : admin
Password : *********
------------------------------------------------------------------------

                             ______  BT Home Hub 2.0A
                         ___/_____/\
                        /         /\\  8.1.H.G
                  _____/__       /  \\
                _/       /\_____/___ \  Copyright (c) 1999-2009, THOMSON
               //       /  \       /\ \
       _______//_______/    \     / _\/______
      /      / \       \    /    / /        /\
   __/      /   \       \  /    / /        / _\__
  / /      /     \_______\/    / /        / /   /\
 /_/______/___________________/ /________/ /___/  \
 \ \      \    ___________    \ \        \ \   \  /
  \_\      \  /          /\    \ \        \ \___\/
     \      \/          /  \    \ \        \  /
      \_____/          /    \    \ \________\/
           /__________/      \    \  /
           \   _____  \      /_____\/
            \ /    /\  \    /___\/
             /____/  \  \  /
             \    \  /___\/
              \____\/

------------------------------------------------------------------------

{admin}=>

Telnet is a must on these as the web gui is so limited.
I want to check out a few things like non BT VOIP and DYDNS etc before I continue so bear with me.

I will be making the unlock as simple as possible, as I did the the V1 and 1.5 with no editing files required. It will be a JTAG job I'm afraid as I don't know how to create a flashable linux BootP image, and it will take up to 8 hours to backup your existing flash and then reflash the new OS which will be supplied.

Am hoping to get this all done by Christmas as a little christmas present to those that want it.

Nadolig Llawen all

Psi

[ian.morgan]

Great News !

Looking forward to seeing the results. Is it possible to provide a sneak preview of the JTAG part, so I can get a competent mate to do this in advance?
(If I attempt it with my soldering skills, I'll kill it for sure).

If you haven't time, no worries

Great work.

Ian.

[tbaby]

What a great news .. Looking forward to the christmas present

very nice work indeed. any ntfs support ?

[PsiDOC]

NTFS Support?
If you mean for the USB drive then no. That area of the flash is untouched.
Psi

ok, what about native ext2 or 3 support does it have that? im thinking it would be a nice replacement for my dying nslu2. well once some firmware is released in the future ofc

do you have any tutorials on how to make a jtag cable with an old printer cable (would it work)? ive seen in x scene theres people making them for the x360 im wondering if it would be the same principle with this

[PsiDOC]

Fat 32 only I'm afraid. That's as it comes from the Thomson.
RE: The Jtag cable yes the printer cable method will work and works well. Have a look at the 2nd to last and last page of the Home Hub V1 hacking page. One of the members here used a cut down printer cable. Same principle as the one on X-Scene (I am a member there as well).

PsiDOC

[PsiDOC]

As promised I have a christmas present to you all. I have completed the Home Hub 2.0A hack tutorial.
It does require soldering and will take somewhere in the reigion of 6 - 8 hours to complete with your PC being tied up for a lot of the time during flashing.
If you have any questions please post them in the forum over on the site.
It's still in it's first incarnation and please if you see any discrepancies let me know on the site.
Link below:
http://www.psidoc.com/articles.php?article_id=2

Nadolig Llawen a Blwyddyn Newydd Dda
(Merry Christmas and a Happy New Year)
Here's hoping 2010 is good for you all.
Psi

thanks for opening the door
now the fun begins

[mrzetec]

I really was thrilled when I found this solution. I have searched high and low for a way to make my homehub2.0 work with sky broadband.
I followed the guide to the letter, and I tried it on an xp and windows 7 machine. It failed on both because the brtag program cannot see the router. I am hoping this is a parallel port setup error in BIOS. Can anyone help?

[PsiDOC]

Try all 3 settings in the bios and see what works for you.
Personally I have never had to change form the EPP/ECP setting an all the machines I have used for flashing, although I have seen reports of changing to EPP that have worked.
Of course check your connections are in the right places as well - I have made that mistake myself!
Also remember to keep the length of the cable as short as possible. Maximum 6 - 8"
Remember do NOT flash until you get 2 good dumps that compare correctly. 1 misprogrammed byte in the flash and you have a bricked router.

Psi

[mrzetec]

Ok, I have tried again on another router (same firmware) and used two other PCs. I tried all BIOS settings for the printer port. I kept my cables down to 100mm, I am confident in my soldering and the second router was brand new. Still the same problem where the JTAG software implies that a cable is unplugged!
I have the right router version, both routers still work, but although I am really determined I can't see the problem.

[PsiDOC]

In that case there's something so blatantly wrong you're not seeing it.
Only thing I can think of is your connections.
On the JTAG drawing remember they go:

13 -------- TDO ------ J9 Pin 3
2 --------- TDI ------- J9 Pin 2
4 --------- TMS ------ J9 Pin 5
3 --------- TCK ------ J9 Pin 6
20 ------ ground ----- PCB Ground
25 ------ ground

TMS and TCK are both highlighted as it is easy to get them the wrong way round

Just a thought.
Psi

[mrzetec]

Attempt3: Embarrassingly I used bad info for the pin arrangement (my connector has no labels) and after a check with another pinout site I found a much better parallel illustration.
So now after going through the motions again the mod still does not work BUT I do get responses that seem to make sense.
After typing brjtag '-probeonly /window:1E000000' I get:



After typing 'brjtag -backup:custom /window:1E000000 /start:1E000000 /length:1000000' I get:

Then, the command window just seems busy; I can not type in it but the cursor flashes, nothing seems to be happening.

So, closer but not there yet........

the backup of the flash usually takes around 4-5? hours. i set it off in the morning and went out n had a few beers by the time i come back it was done

[PsiDOC]

@ Mr. Zetec.
Finally you're getting somewhere! Now try the settings in the Bios. Set it to ECP first then try again. Then EPP, etc etc. I am sure that ECP will work, but I have read of circumstances where using bi-directional has cured the issue.

@ Sandvage.
4 - 5 hours to backup? It's usually between 1 and 2 hours if using the parallel port in ECP mode and 2 - 3 in any other mode.

Regards,
Psi

[mrzetec]

@ PsiDoc,
Thanks for the hint. However, after trying ECP DMA0, ECP DMA1, ECP DMA3, NORMAL, BIDIRECTIONAL, EPP and trying every variation of port address I still have the same problem.
When brjtag reaches the halt processor stage nothing happens; the cursor just flashes and I am unable to type further commands.
I left it running all night and when I checked 9 hours later nothing had changed.
So, looking at PsiDOC's example brjtag results, (and my results posted above) I see that my results begin to differ on the IMPCODE line onwards. I am stuck, I know nothing about this utility and I am completely new to this kind of flashing. For now I will keep on looking for an answer, but I would be massively grateful to anyone that can help me further...
I really want to loose my sky router and get my far better HomeHub2 re-instated.

@ Mr. Zetec.
4 - 5 hours to backup? It's usually between 1 and 2 hours if using the parallel port in ECP mode and 2 - 3 in any other mode.

Regards,
Psi

Originally Posted by PsiDOC

i take it its due to the lengh of my cable im using.. its about a meter and a bit long. i dont think the dumps im getting from it are even matching though. my own fault for using such a long cable though once i do ill up you the 8.1.H.J firmwares if you still havent got them

[PsiDOC]

In that case yes it's due to your cable.
6" or less you want to aim for.
Thanks for the firmware offer, which I'll accept gladly.

@Mr.zetec. I'm afraid there's still something silly going on with your setup. Do you have a Parallel port scanner or a Zip drive or something? Seems like something is grabbing the parallel port. Without going through your setup I am not quite sure what to suggest next.
Regards,

Psi