Hello Again!
Next up is the BT Home Hub v2* Type A home ADSL Wireless Router by Thomson/Technicolor (more info at OpenWRT wiki). Again, this router accepts only BT-specific/approved domain names in the DSL username and must be 'unlocked' to be used with other ISPs. Such 'unlocking' (thanks to btsimonh and Surreliz3) also allows more configuration options, though firmware upgrade options might become limited. As with the BTHH v1 & v1.5, this router can be 'unlocked' via the JTAG method, but there is also the relatively easier software method, provided the firmware version currently on the BTHHv2A is lower than version 8.1.H.U.
Unlock:
I 'unlocked' mine via the software method a long time ago so I won't be able to post screenshots of the process (have yet to try the jtag method on one with newer firmware that I also happen to have), but, here is the process as described on the now defunct psidoc.com website (the links may no longer work for downloads ... you may get the files here):
"How to hack - or unlock your home hub 2.0A via software.
Hacking the BT Home Hub V2.0A via software
Introduction:
The BT Home Hub 2.0A was until now only hackable by JTAG. This, however, has all changed thanks to the efforts of forum member btsimonh. This is his method. He pioneered it on his own and all credit and HUGE thanks go out to him.
The root hack that we use initially was developed by Surreliz3 over on modem-help.co.uk when the owner of the site - Alex - threw down the challenge.
Disclaimer:
1: Flashing your router with anything other than standard BT firmware will really really definitely invalidate your warranty and if done incorrectly may cause your router to cease functioning. If you are unsure in any way then don't do it.
2: The firmware supplied and this method and all files, whilst tested are provided as is with no warranty or liability on behalf of the author or the owner(s) of psidoc.com.
3: Just to repeat: If you are unsure in any way then don't do it!
Preparation:
This hack requires the use of 2 USB drives, 1 to help with the root hack, the other to hold the flash files.
Downloading the files:
Download the files from here: http://www.psidoc.com/showthread.php...re-flash-files and extract to your HDD
Password for the Archive = www.psidoc.com
Preparing the root hack drive:
In the folder FlashWithoutJTAG_btsimonh_v1 there is a disk image writer called DiskImage_1_6_WinAll.exe.
Insert your stick into your windows machine.
Run DiskImage as administrator.
Select the physical disk representing the USB stick. BE CAREFUL - YOU COULD DESTROY YOUR WINDOWS HD!
Select 'sysroot.sqsh' (Remember to select all files not just disk images in the open dialog)
Hit start. It should complete very quickly.
USB Prepared!
Step 1 The Root Hack - Courtesy of Surrealiz3 from modem-help.co.uk:
Connect your PC to the Homehub using an ethernet cable - NEVER TRY THIS WIRELESSLY! Make sure it is assigned an IP address.
Insert the USB drive we just prepared into the home hub and wait a few seconds.
In Windows Explorer, type \\192.168.1.253 into the address bar. You should get 'Disk_a' appear.
Navigate to \\192.168.1.253\Disk_a\sys\rw\dl\ and copy / paste in the utelnetd file from the FlashWithoutJTAG_btsimonh_v1 folder on your HDD.
Navigate to \\192.168.1.253\Disk_a\sys\rw\etc\ and DELETE the smb.conf file. Now copy / paste in the smb.conf file from the FlashWithoutJTAG_btsimonh_v1 folder on your HDD.
Close the Windows Explorer window.
Open a new Windows Explorer window and type \\192.168.1.253\Disk_yyy in the address bar. If it errors out try \\192.168.1.253\Disk_a (It's a windows thing - don't panic!)
The router will have launched utelnetd in the background on port 4002
Click start >> run and type in Telnet 192.168.1.253 4002; you should be greeted by a telnet prompt with full root privileges.
Hello Houston... WE HAVE ROOT!
Step 2: Flashing the new filesystem.
Take the other USB stick, and copy the v2reflash folder onto it.
Remove the first USB stick from the Homehub and insert the second.
It's worthwhile noting here. Some have tried with a 2-3 partition USB stick with the root hack on 1 partition and the V2reflash files on another however it freezes at one of the commands later on so don't! Use 2 separate USB sticks.
1: In the telnet window type:
mount
The output should be identical to the one below:
what we are interested in is this line: /dev/sda1 on /var/usbmount/sda1 type vfat (rw,sync,noatime,nodiratime,fmask=0000,dmask=0000)
If it says /sdb1 instead of /sda1 pull the USB drive out of the hub, wait 5 seconds and pop it back in then do the mount command again you will get the drive mounted as /sda1
2: First thing we need to do is Backup your original firmware. This is done by typing the command below into the telnet window: The command copies a full flash backup to your USB stick and calls it backup.bin.
cat /dev/mtdblock5 > /var/usbmount/sda1/backup.bin
3: In the telnet window type:
cd /var/usbmount/sda1/v2reflash then ls -l
The output should match the image below with the exception of 2 files. The flash_createextended and flash_newrootfs files are not required and are not included so their absence can be safely ignored.
What we have done here is simply check we have all the files in the right place.
4: In the telnet window type:
./startpivot
You will get a double check to confirm before anything happens. Press ENTER to continue or CTRL and C to cancel.
The output should match the image below.
This is where some linux magic is performed. Basically what happens is a new file system is made in memory and we switch to it so as the flash rom can be accessed and the files on the USB stick are copied to the /sbin directory on the router.
At this point the Telnet window will disconnect - don't panic this is expected. Wait till you see "Connection Lost to Host" and close the telnet window.
5: Telnet back in on port 4003 by Click start >> run and type in Telnet 192.168.1.253 4003 as per the image below.
And we should be back in business.
6: In the new Telnet window type:
unmount
The output should match the picture below.
At this stage we're just cleaning up a little more so we have plenty of space to work with.
Note: It's worthwhile mentioning here that so far NO changes have been made to the HomeHub in any way whatsoever, so if you are not happy in anyway you can unplug it and it will reboot as if nothing has ever happened.
The next step however will erase and reflash the home hub. It takes approx 3 - 4 minutes. So please DO NOT POWER OFF THE ROUTER TILL THIS PART IS COMPLETED.
7: In the new Telnet window type:
flash_allfrom40000
You will get a double check to confirm before anything happens. Press ENTER to flash or CTRL and C to cancel.
Now... Sit on your hands and do nothing! Just watch the telnet window for the next 3 -4 minutes. The output should be like this:
When you see the directories in blue that confirms the flash has been successful.
Congratulations you have softmodded your HH2.
We'll now configure the HH2A. The process is quite similar to the one for HHv1 and HHv1.5 shown earlier so the description(s) might be shorter:
Screenshots for Configuration via Thomson/SpeedTouch Configuration Wizard:
- After resetting the hub, login via user password on the back of the hub
- Run the Configuration Wizard (might have to use the Compatibility Troubleshooter)
- Use the username "admin" and the default password on the back of the hub
- Copy the Template file to the Desktop for Editing (Basic PPP in this case)
- Edit via gVIM or Notepad++
- Now configure as per choice and as per ISP provided settings (PTCL in this case)
(Might change username from Administrator to admin as before)
- We'll use Telnet to configure some more settings (Optional)
- Manually changing the DNS Server
- Disable CWMP just in case
- Increasing LCP Echo Tolerance helps with ISP PTCL's connection
- You may reconnect the PPP interface (Internet) with ifattach under ppp menu but I have skipped it for now
- You may have to manually connect using the Connect button under the Internet menu
- Success!
Note that not all settings may apply but the important ones (connection details) are usually applied without any problems via the Wizard!
Also, by adding the HH2A to the different template files as shown above, the hub can be configured differently such as a wireless router!
Configuration via CLI:
The connection can be configured via the CLI as well (ISP PTCL's Copper Config in this case):
- Assuming we have telnet access to the Thomson CLI with appropriate user privileges:
Optional: You may delete all current interfaces for the PPPoA ... in reverse order of creation as below
Note: You may also use the 'menu'! Also TAB works for autofill!
Phonebook entry and ATM config
1. atm phonebook add name=RtPPPoE_ph addr=0.103 (replace with your VPI.VCI)
2. atm ifadd intf=RtPPPoE_atm
3. atm ifconfig intf=RtPPPoE_atm dest=RtPPPoE_ph ulp=mac
4. atm ifattach intf=RtPPPoE_atm
Ethernet bridge (PPPoEoA)
5. eth ifadd intf=RtPPPoE_eth
6. eth ifconfig intf=RtPPPoE_eth dest=RtPPPoE_atm
7. eth ifattach intf=RtPPPoE_eth
PPP
8. ppp ifadd intf=RtPPPoE
9. ppp rtadd intf=RtPPPoE dst=0.0.0.0/0
10. ppp ifconfig intf=RtPPPoE dest=RtPPPoE_eth user=dslusername password=dslpassword
NAT enabled before attaching
11. nat ifconfig intf=RtPPPoE translation=enabled
12. ppp ifattach intf=RtPPPoE
Don't forget to save
13. saveall
(Typos excepted)
Source: Thomson/SpeedTouch CLI configuration Manual(s)
Hub phone:
Warning: DECT v6 that operates on 1900 MHz Frequency Band designed for US is banned in Pakistan as the 1900 MHz band is being used by cellular operators (who paid license fee for this band) and DECT v6 can cause interference in this band! The public notice by PTA can be read here!
Caution: VoIP is prohibited by PTA on 'data' networks (though enforcement depends upon the ISP) without permission in Pakistan due to 'illegal' gateway exchanges! For VoIP configuration outside Pakistan (or with required permissions), kindly refer to the User Manual and your VoIP provider for configuration details like the ones provided for SpeedTouch 780WL (similar to BTHH) by 'voiptalk' here!. In case of BT HH2, one would have to use the CLI via telnet access to configure the same settings!
Fortunately, the BT HH Phones are not DECT 6.0 and can be used here as simple cordless phones! By default, calls can be made by dialling '5' before the desired number.
In the case of the BT Home Hub 2 (also a DECT base-station), we have the (matching) BT Hub Phone 2.1 cordless phone (originally used for BT's Broadband Talk service). Here are some pictures of the phone:
--------------------------------------------------
Your email?
My id is ahmedfarazch
and I use gmail
Sadly, this process did not work for me - Probably because the latest firmware is on the Hub (8.1.H.U).
I used a USB stick with DiskImage and Sysroot.sqsh as instructed, and it was fine. I put the USB stick in the HomeHub USB port (Homehub V2.0A).
When I tried accessing '192.168.1.254\Disk_a\sys\rw\dl\', it just gave me a 404 not found error.
That's as far as I got.
Hello!
Yes, the software unlock method won't work on the latest firmware. The JTAG method should work but not everyone is comfortable doing it.
Regards,
Ahmed
Hi,
Thanks for the guide but am stuck with Configuration Wizard steps..... the pictures you share are different than the screens coming up... am not seeing any screen with option to choose "reconfigure my thomson gateway".. please guide
am using setup_wizard_r8_mh_v1.17
Hello!
You are welcome!
If you are facing problems with the configuration wizard (the upgrade wizard looks similar so kindly check again), perhaps you could try the r7 version and if that doesn't work either, then you may use the CLI to configure it!
You may send your screenshots to my email!
My id is ahmedfarazch
and I use Gmail
Regards,
Ahmed
Thanks a lot Ahmed for your guide, can you please put the modified template file to download, cause mine isn't recognized and didn't really understand what to modify in.
Thanks a lot :)
You are welcome! I have attached one template file that is the most commonly used one for ADSL connections here! If you need one for other connection type(s), then let me know and I'll add it to the zipped file as well (kindly unzip before using). Hope this helps!
Regards,
Ahmed
Hi sir
i want ask you is that flash does work on Type B too or just A
sir i have 2 Type A but when i burn the file to the usb and i attached it the Disk_a doesn't appear also the computer show the Usb as damaged and i should format it so what is the solution ?? Thank you
Hello!
I'll be adding the method for unlocking BT Home Hub 2 Type B soon enough! It is relatively easier to unlock BT Home Hub 2 Type B!
Unfortunately for some BT Home Hub 2 Type A routers with newer firmware, the usb method does not work and only hope is jtag to unlock! These can be used as Access Points though!
Regards,
Ahmed
when i write sysroot.sqsh to Usb ! the usb doesn't open in the windows also when a attached the usb in router and i do the command to access the Disk_a doesn't show
Hello Again!
You need to check in case of BTHH2 Type A:
- Firmware version
- USB Disk Image ... write to physical disk ... after writing disk would become un-readable by windows as it's in 'linux' format ... just make sure to write properly and with caution to select the proper disk
Hope this helps!
Regards,
Ahmed
Salam ahmed !! Thank you very much for your efforts !
unfortunately like you said my type A is in the last version of firmware!
so i will wait the type B method !
i hope that you will upload it soon i really want to unlock it i'm hopeless without wifi router ! and i want ask you please if it possible to show me how to unlock the type B this week i will appreciate it very much ! and if not possible i will wait.
sorry for bothering you Ahmed !
And upon you be peace and the mercy of Allah
Hi!
Sorry for the delay, but, the post will be uploaded soon. Meanwhile, you may go through all the necessary files uploaded here!
Hope this helps!
Regards,
Ahmed
Hello Ahmed,
I need some help regarding unlocking BT Hub 3.0 9 (Type B) to work with PTCL Broadband and I cannot find any related posts on the internet for BT hub 3.0 type B. I hope you can help me in this area.
Thanks
Hello!
For the Home Hub 3 Type B, the method to get root access was made public by "zcutlip" (Zach) ... informative thread here ... but things didn't go further probably as the BTHH4(r) was launched.
I think I have one as well and would take another look at it sometime!
Regards,
Ahmed
Yes! but I think there is not a proper solution found for unlocking HH3.0B that's why I wanted to discuss with you that if you can start experimenting on this device and find a way to unlock it.
Thanks
that link is no more available.. can u plz help me get those files from somewhere else?
Hello!
You may get the files here!
Regards,
Ahmed
sir plz unlock my hh3 type A i have 4 gb flash nt a 32 mb
AoA Fraz bhai, I have BT HH3 Type A and B, please help with how to unlock it. Where do I get a 32 MB flash drive from? I am not able to unlock it, please help.
Hello!
I'll try to upload the video showing me doing the unlock of BTHH3A soon (probably a couple of days from now).
Meanwhile, you can try with the 4GB Flash drive as the 32MB is only a suggestion meaning that even an old drive can be used.
(In the video, I'll try to use a larger drive as well)
Best of luck!
Regards,
Ahmed
Hello Again!
The BT Home Hub 3.0 Type A Unlock video can be viewed here!
Thanks for your patience!
Regards,
Ahmed
hi dear,
please help me for bt home hub type A, i want to configure on Ptcl Dsl,
Hello!
First, we need to know the firmware version on the BTHH2A! If the version is lower than 8.1.H.U, then, the software unlock method might work!
As far as configuration for ptcl is concerned, one needs to know
- VPI/VCI: Copper (VPI/VCI 0/103) or ONU/FTTC/Fiber (VPI/VCI 8/81)
- Connection type: PPPoE LLC
- Username for dsl
- Password for dsl
(this info can be provided by helpline)
All of these can be configured via the Thomson Configuration Wizard as shown above!
Hope this helps!
Regards,
Ahmed
dear need help firmware upgrade page access error showing
and my BT HHv2A (Software version 8.1.H.J (Type A)) so help me what to do..
Hello!
For the HH2A, the lower firmware version is desired for unlocking. If yours has 8.1.H.J then you can unlock it easily. But, if it has newer firmware you can't unlock it via software method unless someone finds a way to downgrade the firmware via the Thomson utility. In that case, jtag is needed.
Regards,
Ahmed
i tried these methods on home hub 2A and Home hub 2B overall all thing r fine but i am stuck on that point when i run this file DiskImage_1_6_WinAll.exe. and after that for write image when i select image file sysroot.sqsh' for A type its give me error not i am not able to make usb to unlock the file . i this there is some problem Plz can u help me in this i have both router home hub 2A and home hub 2B
Hello!
You can try to follow the steps as shown in the video here from the 2 min 10 sec mark!
I hope this helps!
Regards,
Ahmed
Hello Ahmed,
Thanks for these instructions, I'm not particularly computer literate but as my TalkTalk fibre router has been causing connection issues I thought I'd try one of the two V2.0 Type A BT Home Hubs I have.
I managed to get to the stage where I now have Disk_a1 (not Disk_a strangely) in 192.168.1.253. In Disk_a1 the dl folder already contained the utelnetd file, is this correct as I would have assumed the instructions would have said to delete it before copy/pasting the file from the HDD? I deleted the smb.conf file in Disk_a1 and copy/pasted the smb.conf from my HDD. I then typed \\192.168.1.253\Disk_yyy and Disk_yyy appeared showing sub folder sys but when I typed Telnet 192.168.1.253 4002 in Start>>Run I get a message saying it's not recognised.
Any advice would be greatly appreciated!
Regards, Simon.
Hi!
You are welcome. As far as the files are concerned, they can be overwritten safely. In fact, any changes made before the 'new' firmware has been written to the flash can be reversed just by restarting the router (Caution: Any interruption during the writing process such as a restart can brick the router).
Moving on to the 'Telnet' issue, it's most likely that you don't have a telnet client installed. WindowsOS has a telnet client but it's not installed by default and has to be installed afterwards depending upon the version. Like, for Win 7, one can follow the process outlined here!. There are telnet client utilities available from different developers also like PuTTY and KiTTY.
I hope this helps! Maybe you have figured this out already as it's been some days since you first put up the question and I just found out about it now. In any case, do let us know if you were able to unlock the router!
Regards,
Ahmed
hello. where can i find files to unlock bt hub 2.0A? link here doesn't work anymore
Hello,
I prefer modify the backup file bthub2.bin but it's an encrypted file, so how can we find the encryption key since it's possible now (the wpa crack) at the: http://192.168.1.253/sys_backup.lp?be=1&l0=2&l1=5&l2=3 . so we can unlock it properly :) , and i think we have to go in this way :b .
Best regards .
Hi there. I am trying this on a hh2a firmware 8.1.h.j, I can get all the way till the disk becomes from a to yyy, ready for Telnet. But I cannot connect with telnet as there appears to be no port 4002 open on 192.168.1.253 when I check with Fing app. Any advice to try?
Hello!
Usually it takes a while for the Telnet daemon to run ... try browsing some folders in the network location ... though it is not necessary for hh2a, but, it might help to create a new windows (local) administrator account with the same username and password as that of the hub!
Hope this helps!
Regards,
ahmedfarazch
Hi Ahmed. I seem to have the same issue, root hack works with the USB, i can browse to the SMB folder and copy in the telnet daemon and SMB.conf files. The folder changes from Disk_a to Disk_yyy but does not seem to start up the telnet client. Do you have any suggestions? Thankyou.
Hi, just to update you. Rather than using the smb.conf provided in the zip, I edited the original one by adding the root preexec command, and editing the disk_a to disk_yyy. This did the trick! It had to however backup to "sda" rather than "sda1", but apart from that everything worked ok. Thank you.
Hello!
Thank you very much for providing the solution. This shall help tremendously for anyone in a similar situation.
Regards,
Ahmed
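
The root hack in Step 1 and the smb.conf edit described in the last comment both depend on two Samba conditions: a writable share that reaches the directory holding smb.conf, and a 'root preexec' hook, which smbd runs as root when the share is opened. As an added example (not part of the original post or the psidoc files), this Python audit flags both conditions in an smb.conf; the sample configs, paths and hook command are constructed placeholders.

```python
import posixpath
import re

# Samba parameters that run a command on share connect/disconnect ("exec" = "preexec").
EXEC_HOOKS = {"preexec", "exec", "postexec", "rootpreexec", "rootpostexec"}
ROOT_HOOKS = {"rootpreexec", "rootpostexec"}
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_param: value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def is_writable(params):
    """Shares default to read-only; writable/writeable/write ok invert that."""
    for key in ("writable", "writeable", "writeok"):
        if key in params:
            return params[key].lower() in TRUE
    return "readonly" in params and params["readonly"].lower() not in TRUE

def covers(share_path, target_dir):
    """True if target_dir is the share root or lies beneath it."""
    root = posixpath.normpath(share_path).rstrip("/") + "/"
    return (posixpath.normpath(target_dir) + "/").startswith(root)

def audit(text, config_dir):
    """Return (severity, share, message) findings for one smb.conf."""
    findings = []
    for share, params in parse_smb_conf(text).items():
        for key in sorted(EXEC_HOOKS.intersection(params)):
            sev = "HIGH" if key in ROOT_HOOKS else "MEDIUM"
            findings.append((sev, share, f"{key} runs: {params[key]}"))
        path = params.get("path", "")
        if path and is_writable(params) and covers(path, config_dir):
            findings.append(("HIGH", share, f"writable share exposes {config_dir}"))
    return findings

# Constructed samples: share names, paths and the hook command are placeholders.
WEAK = """[Disk_yyy]
   path = /mnt/example
   read only = no
   Root PreExec = /mnt/example/placeholder-hook
"""
HARDENED = """[Disk_a]
   path = /mnt/example/media
   read only = yes
"""
if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf, "/mnt/example/sys/rw/etc"))
```

The path check is purely lexical, so a share that reaches the config directory through a symlink or a second mount still needs a manual look.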