Skip to main content

BT Home Hub v2 Type A: Info, Unlock & Configuration

Hello Again!







Next up is the BT Home Hub v2* Type A home ADSL Wireless Router by Thomson/Technicolor (more info at OpenWRT wiki). Again, this router accepts only BT specific/approved domain names for username of dsl and must be 'unlocked' to be used with other ISPs. Such 'unlocking' (thanks to btsimonh and Surreliz3) also allows more configuration options, though firmware upgrade options might become limited. As with the BTHH v1 & v1.5, this router can be 'unlocked' via jTAG method but there is also the relatively easier software method provided the firmware version currently on the BTHHv2A is lower than version 8.1.H.U. 

Unlock:


I 'unlocked' mine via the software method a long time ago so I won't be able to post screenshots of the process (have yet to try the jtag method on one with newer firmware that I also happen to have), but, here is the process as described on the now defunct psidoc.com website (the links may no longer work for downloads ... you may get the files here):

(To continue reading, please click on 'Read More')



"

How to hack - or unlock your home hub 2.0A via software.

Hacking the BT Home Hub V2.0A via software

Introduction:
The BT Home Hub 2.0A was until now only hackable by JTAG. This, however has all changed thanks to the efforts of forum member btsimonh. This is his method. He pioneered it on his own and all credit and HUGE thanks got out to him.
The root hack that we use initially was developed by Surreliz3 over on modem-help.co.uk when the owner of the site - Alex - threw down the challenge.

Disclaimer:

1: Flashing your router with anything other that standard BT firmware will really really definately invalidate your warranty and if done incorrectly may cause your router to cease functioning. If you are unsure in any way then don't do it.
2: The firmware supplied and this method and all files, whilst tested are provided as is with no warranty or liability on behalf of the author or the owner(s) of psidoc.com.

3: Just to repeat: If you are unsure in any way then don't do it!

Preparation:
This hack requires the use of 2 USB drives, 1 to help with the root hack, the other to hold the flash files.
Downloading the files:
Download the files from here: http://www.psidoc.com/showthread.php...re-flash-files and extract to your HDD
Password for the Archive = www.psidoc.com

Preparing the root hack drive:
In the folder FlashWithoutJTAG_btsimonh_v1 there is a disk image writer called DiskImage_1_6_WinAll.exe.
Insert your stick into your windows machine.
Run DiskImage as administrator.
Select the physical disk representing the USB stick. BE CAREFUL - YOU COULD DESTROY YOUR WINDOWS HD!
Select 'sysroot.sqsh' (Remember to select all files not just disk images in the open dialog)
Hit start. It should complete very quickly.
USB Prepared!

Step 1 The Root Hack - Courtesy of Surrealiz3 from modem-help.co.uk:
Connect your PC to the Homehub using an ethernet cable - NEVER TRY THIS WIRELESSLY! Make sure it is assigned an IP address.
Insert the USB drive we just prepared into the home hub and wait a few seconds.
In Windows Explorer, type \\192.168.1.253 into the address bar. You should get 'Disk_a' appear.
Navigate to \\192.168.1.253\Disk_a\sys\rw\dl\ and copy / paste in the utelnetd file from the FlashWithoutJTAG_btsimonh_v1 folder on your HDD.
Navigate to \\192.168.1.253\Disk_a\sys\rw\etc\ and DELETE the smb.conf file. Now copy / paste in the smb.conf file from the FlashWithoutJTAG_btsimonh_v1 folder on your HDD.
Close the Windows Explorer window.
Open a new Windows Explorer window and type \\192.168.1.253\Disk_yyy in the address bar. If it errors out try \\192.168.1.253\Disk_a (It's a windows thing - don't panic!)
The router will have launched utelnetd in the background on port 4002
Click start >> run and type in Telnet 192.168.1.253 4002 you should be greeted by a telnet prompt with full root priviledges.
Hello Houston... WE HAVE ROOT!

Step 2: Flashing the new filesystem.
Take the other USB stick, and copy the v2reflash folder onto it.
Remove the first USB stick from the Homehub and insert the second.
It's worthwhile noting here. Some have tried with a 2 -3 partition USB stick with the root hack on 1 partition and the V2reflash files on another however it freezes at one of the commands later on so don't! Use 2 seperate USB sticks.

1: In the telnet window type:
mount
The output should be identical to the one below:

what we are interested in is this line: /dev/sda1 on /var/usbmount/sda1 type vfat (rw,sync,noatime,nodiratime,fmask=0000,dmask=0000)
If it says /sdb1 instead of /sda1 pull the USB drive out of the hub, wait 5 seconds and pop it back in then do the mount command again you will get the drive mounted as /sda1

2: First thing we need to do is Backup your original firmware. This is done by typing the command below into the telnet window: The command copies a full flash backup to your USB stick and calls it backup.bin.
cat /dev/mtdblock5 > /var/usbmount/sda1/backup.bin

3: In the telnet window type:
cd /var/usbmount/sda1/v2reflash then ls -l
The output should match the image below with the exception of 2 filesThe flash_createextended and flash_newrootfs files are not required and are not included so their absence can be safely ignored.

What we have done here is simply check we have all the files in the right place.

4: In the telnet window type:
./startpivot
You will get a double check to confirm before anything happens. Press ENTER to continue or CTRL and C to cancel.
The output should match the image below.

This is where some linux magic is perfomed. Basically what happens is a new file system is made in memory and we switch to it so as the flash rom can be accessed and the files on the USB stick are copied to the /sbin directory on the router.
At this point the Telnet window will disconnect - don't panic this is expected. Wail till you see "Connection Lost to Host" and close the telnet window.

5: Telnet back in on port 4003 by Click start >> run and type in Telnet 192.168.1.253 4003 as per the image below.

And we should be back in business.

6: In the new Telnet window type:
unmount
The output should match the picture below.

At this stage we're just cleaning up a little more so we have plenty of space to work with.

Note: It's worthwhile mentioning here that so far NO changes have been made to the HomeHub in any way whatsoever, so if you are not happy in anyway you can unplug it and it will reboot as if nothing has ever happened.
The next step however will erase and reflash the home hub. It takes approx 3 - 4 minutes. So please DO NOT POWER OFF THE ROUTER TILL THIS PART IS COMPLETED.

7: In the new Telnet window type:
flash_allfrom40000
You will get a double check to confirm before anything happens. Press ENTER to flash or CTRL and C to cancel.
Now... Sit on your hands and do nothing! Just watch the telnet window for the next 3 -4 minutes. The output should be like this:


When you see the directories in blue that confirms the flash has been successful.
Congratulations you have softmodded your HH2.
 "



We'll now configure the HH2A. The process is quite similar to the one for HHv1 and HHv1.5 shown earlier so the description(s) might be shorter:

Screenshots for Configuration via Thomson/SpeedTouch Configuration Wizard:


- After resetting the hub, login via user password on the back of the hub



- Run the Configuration Wizard (might have to use the Compatibility Troubleshooter)










 - Use the username "admin" and the default password on the back of the hub





 - Copy the Template file to the Desktop for Editing (Basic PPP in this case)


- Edit via gVIM or Notepad++








- Now configure as per choice and as per ISP provided settings (PTCL in this case)

(Might change username from Administrator to admin as before)















 - We'll use Telnet to configure some more settings (Optional)





 - Manually changing the DNS Server



- Disable CWMP just in case


 - Increasing LCP Echo Tolerance helps with ISP PTCL's connection




- You may reconnect the PPP interface (Internet) with ifattach under ppp menu but I have skipped it for now

 - You may have to manually connect using the Connect button under the Internet menu


- Success!

Note that not all settings may apply but the important ones (connection details) are usually applied without any problems via the Wizard!


Also, by adding the HH2A to the different template files as shown above, the hub can be configured differently such as a wireless router!


Configuration via CLI:

The connection can be configured via the CLI as well (ISP PTCL's Copper Config in this case):


- Assuming we have telnet access to the Thomson CLI with appropriate user priviledges:

Optional: You may delete all current interfaces for the PPPoA ... in reverse order of creation as below


Note: You may also use the 'menu'! Also TAB works for autofill!


Phonebook entry and ATM config

1. atm phonebook add name=RtPPPoE_ph addr=0.103 (replace with your VPI.VCI)

2. atm ifadd intf=RtPPPoE_atm

3. atm ifconfig intf=RtPPPoE_atm dest=RtPPPoE_ph ulp=mac

4. atm ifattach intf=RtPPPoE_atm


Ethernet bridge (PPPoEoA)

5. eth ifadd intf=RtPPPoE_eth

6. eth ifconfig intf=RtPPPoE_eth dest=RtPPPoE_atm

7. eth ifattach intf=RtPPPoE_eth


PPP

8. ppp ifadd intf=RtPPPoE

9. ppp rtadd intf=RtPPPoE dst=0.0.0.0/0

10. ppp ifconfig intf=RtPPPoE dest=RtPPPoE_eth user=dslusername password=dslpassword


NAT enabled before attaching

11. nat ifconfig intf=RtPPPoE translation=enabled


12. ppp ifattach intf=RtPPPoE


Don't forget to save

13. saveall


(Typos excepted)


Source: Thomson/SpeedTouch CLI configuration Manual(s)



Hub phone:

Warning: DECT v6 that operates on 1900 MHz Frequency Band designed for US is banned in Pakistan as the 1900 MHz band is being used by cellular operators (who paid license fee for this band) and DECT v6 can cause interference in this band! The public notice by PTA can be read here!

Caution: VoIP is prohibited by PTA on 'data' networks (though enforcement depends upon the ISP) without permission in Pakistan due to 'illegal' gateway exchanges! For VoIP configuration outside Pakistan (or with required permissions), kindly refer to the User Manual and your VoIP provider for configuration details like the ones provided for SpeedTouch 780WL (similar to BTHH) by 'voiptalk' here!. In case of BT HH2, one would have to use the CLI via telnet access to configure the same settings!

Fortunately, the BT HH Phones are not DECT 6.0 and can be used here as simple cordless phones! By default, calls can be made by dialling '5' before the desired number.

In the case of the BT Home Hub 2 (also a DECT base-station), we have the (matching) BT Hub Phone 2.1 cordless phone (originally used for BT's Broadband Talk service). Here are some pictures of the phone:



--------------------------------------------------

* There seems to be a newer hardware build of the hub that can be described as v2.1 or rev 2 ... only the pcb layout seems to be different! Some models also have mini pci slot based wifi cards instead of soldered ones!

Update:
Found some photos taken earlier:




Comments

  1. Sadly, this process did not work for me - Probably because the latest firmware is on the Hub (8.1.H.U).

    I used a USB stick with DiskImage and Sysroot.sqsh as instructed, and it was fine. I put the USB stick in the HomeHub USB port (Homehub V2.0A).
    When I tried accessing '192.168.1.254\Disk_a\sys\rw\dl\', it just gave me a 404 not found error.

    That's as far as I got.

    ReplyDelete
    Replies
    1. Hello!

      Yes, the software unlock method won't work on the latest firmware. The JTAG method should work but not everyone is comfortable doing it.


      Regards,
      Ahmed

      Delete
  2. Hi,

    Thanks for the guide put am stuck with Configuration Wizard steps..... the pictures you share are different than the screens coming up... am not seeing any screen with option to choose "reconfigure my thomson gateway".. please guide

    am using setup_wizard_r8_mh_v1.17

    ReplyDelete
    Replies
    1. Hello!

      You are welcome!

      If you are facing problems with the configuration wizard (the upgrade wizard looks similar so kindly check again), perhaps you could try the r7 version and if that doesn't work either, then you may use the CLI to configure it!

      You may send your screenshots to my email!

      My id is ahmedfarazch
      and I use Gmail


      Regards,
      Ahmed

      Delete
  3. Thanks a lot Ahmed for your guide, van you please put the modified template file to download, cause mine isn't recognized and didn't really understand what to modify in.
    Thanks a lot :)

    ReplyDelete
    Replies
    1. You are welcome! I have attached one template file that is the most commonly used one for ADSL connections here! If you need one for other connection type(s), then let me know and I'll add it to the zipped file as well (kindly unzip before using). Hope this helps!

      Regards,
      Ahmed

      Delete
  4. Hi sir
    i want ask you is that flach dose work on Type B too or just A
    sir i have 2 Type A but when i burn the file to the usb and i attached it the Disk_a dosent apear also the computer show the Usb as dommaged and i should format it so what is the solution ?? Thank you

    ReplyDelete
    Replies
    1. Hello!

      I'll be adding the method for unlocking BT Home Hub 2 Type B soon enough! It is relatively easier to unlock BT Home Hub 2 Type B!

      Unfortunately for some BT Home Hub 2 Type A routers with newer firmware, the usb method does not work and only hope is jtag to unlock! These can be used as Access Points though!

      Regards,
      Ahmed

      Delete
  5. when i write sysroot.sqsh to Usb ! the usb dosent open in the windows also when a attached the usb in router and i do the commande to acces the Disk_a dosent show

    ReplyDelete
  6. Hello Again!

    You need to check in case of BTHH2 Type A:
    - Firmware version
    - USB Disk Image ... write to physical disk ... after writing disk would become un-readable by windows as it's in 'linux' format ... just make sure to write properly and with caution to select the proper disk


    Hope this helps!


    Regards,
    Ahmed

    ReplyDelete
  7. Salam ahmed !! Thank you very much for your efforts !
    unfortunately like you said my type A is in the last version of firmware!
    so i will wait the type B methode !
    i hope that you will uploade it soon i really want to unlock it i'm hopless without wifi router ! and i want ask you please if it possible to show me how to unlock the tybe B this week i will appreciate it very much ! and if not possible i will wait.
    sorry for bothering you Ahmed !
    وعليكم السلام ورحمة الله

    ReplyDelete
    Replies
    1. Hi!

      Sorry for the delay, but, the post will be uploaded soon. Meanwhile, you may go through all the necessary files uploaded here!

      Hope this helps!

      Regards,
      Ahmed

      Delete
  8. Hello Ahmed,
    I need some help regarding unlocking BT HUb 3.0 9 (Type B) to work with PTCL Broadband and I cannot find any related posts on the internet for BT hub 3.0 type B. I hope you can help me in this area.

    Thanks

    ReplyDelete
    Replies
    1. Hello!


      For the Home Hub 3 Type B, the method to get root access was made public by "zcutlip" (Zach) ... informative thread here ... but things didn't go further probably as the BTHH4(r) was launched.

      I think I have one as well and would take another look at it sometime!

      Regards,
      Ahmed

      Delete
  9. Yes! but I think there is not a proper solution found for unlocking HH3.0B thats why I wanted to discuss with you that if you can start experimenting on this device and find a way to unlock it.

    Thanks

    ReplyDelete
  10. that link is no more available.. can u plz help me get those files from somewhere else?

    ReplyDelete
  11. sir plz unlock my hh3 type A i have 4 gb flash nt a 32 mb

    ReplyDelete
  12. AoA Fraz bhai i have Bt HH3 type A and B plz help how unlock it 32 mb flash kahan say lain nai ho rha mj say unlock plz help

    ReplyDelete
    Replies
    1. Hello!

      I'll try to upload the video showing me doing the unlock of BTHH3A soon (probably a couple of days from now).

      Meanwhile, you can try with the 4GB Flash drive as the 32MB is only a suggestion meaning that even an old drive can be used.

      (In the video, I'll try to use a larger drive as well)

      Best of luck!

      Regards,
      Ahmed

      Delete
    2. Hello Again!

      The BT Home Hub 3.0 Type A Unlock video can be viewed here!

      Thanks for your patience!

      Regards,
      Ahmed

      Delete
  13. hi dear,

    please help me for bt home hub type A, i want to configure on Ptcl Dsl,

    ReplyDelete
    Replies
    1. Hello!

      First, we need to know the firmware version on the BTHH2A! If the version is lower than 8.1.H.U, then, the software unlock method might work!

      As far as configuration for ptcl is concerned, one needs to know
      - VPI/VCI: Copper (VPI/VCI 0/103) or ONU/FTTC/Fiber (VPI/VCI 8/81)
      - Connection type: PPPoE LLC
      - Username for dsl
      - Password for dsl
      (this info can be provided by helpline)

      All of these can be configured via the Thomson Configuration Wizard as shown above!

      Hope this helps!

      Regards,
      Ahmed

      Delete
  14. dear need help firmware upgrade page access error showing
    and my BT HHv2A (Software version 8.1.H.J (Type A)) so help me what to do..

    ReplyDelete
    Replies
    1. Hello!

      For the HH2A, the lower firmware version is desired for unlocking. If yours has 8.1.H.J then you can unlock it easily. But, if it has newer firmware you can't unlock it via software method unless someone finds a way to downgrade the firmware via the Thomson utility. In that case, jtag is needed.

      Regards,
      Ahmed

      Delete
  15. i tried these methods on home hub 2A and Home hub 2B overall all thing r fine but i am stuck on that point when i run this file DiskImage_1_6_WinAll.exe. and after that for write image when i select image file sysroot.sqsh' for A type its give me error not i am not able to make usb to unlock the file . i this there is some problem Plz can u help me in this i have both router home hub 2A and home hub 2B

    ReplyDelete
    Replies
    1. Hello!

      You can try to follow the steps as shown in the video here from the 2 min 10 sec mark!
      I hope this helps!

      Regards,
      Ahmed

      Delete
  16. Hello Ahmed,

    Thanks for these instructions, I'm not particularly computer literate but as my TalkTalk fibre router has been causing connection issues I thought I'd try one of the two V2.0 Type A BT Home Hubs I have.

    I managed to get to the stage where I now have Disk_a1 (not Disk_a strangely) in 192.168.1.253. In Disk_a1 the dl folder already contained the utelnetd file, is this correct as I would have assumed the instructions would have said to delete it before copy/pasting the file from the HDD? I deleted the smb.conf file in Disk_a1 and copy/pasted the smb.conf from my HDD. I then typed \\192.168.1.253\Disk_yyy and Disk_yyy appeared showing sub folder sys but when I typed Telnet 192.168.1.253 4002 in Start>>Run I get a message saying it's not recognised.

    Any advice would be greatly appreciated!

    Regards, Simon.

    ReplyDelete
    Replies
    1. Hi!

      You are welcome. As far as the files are concerned, they can be overwritten safely. In fact, any changes made before the 'new' firmware has been written to the flash can be reversed just by restarting the router (Caution: Any interruption during the writing process such as a restart can brick the router).

      Moving on to the 'Telnet' issue, it's most likely that you don't have a telnet client installed. WindowsOS has a telnet client but it's not installed by default and has to be installed afterwards depending upon the version. Like, for Win 7, one can follow the process outlined here!. There are telnet client utilities available from different developers also like PuTTY and KiTTY.

      I hope this helps! Maybe you have figured this out already as it's been some days since you first put up the question and I just found out about it now. In any case, do let us know if you were able to unlock the router!

      Regards,
      Ahmed

      Delete
  17. hello. where can i find files to unlock bt hub 2.0A? link here doesn't work anymore

    ReplyDelete
  18. Hello,
    I prefer modify the backup file bthub2.bin but it's an encrypted file , so how can we find the encryption key since it's possible now (the wpa crack)at the : http://192.168.1.253/sys_backup.lp?be=1&l0=2&l1=5&l2=3 . so we can unlock it properly :) , and i think we have to go in this way :b .
    Best regards .

    ReplyDelete
  19. Hi there. I am trying this on a hh2a firmware 8.1.h.j, I can get all the away till the disk becomes from a to yyy, ready for Telnet. But I cannot connect with telnet as there appears to be no port 4002 open on 192.168.1.253 when I check with Fing app . Any advice to try?

    ReplyDelete
    Replies
    1. Hello!


      Usually it takes a while for the Telnet daemon to run ... try browsing some folders in the network location ... though it is not necessary for hh2a, but, it might help to create a new windows (local) administrator account with the same username and password as that of the hub!

      Hope this helps!

      Regards,
      ahmedfarazch

      Delete
    2. Hi Ahmed. I seem to have the same issue, root hack works with the USB, i can browse to the SMB folder and copy in the telnet daemon and SMB.conf files. The folder changes from Disk_a to Disk_yyy but does not seem to start up the telnet client. Do you have any suggestions? Thankyou.

      Delete
    3. Hi, just to update you. Rather than using the smb.conf procided in the zip, i edited the original one by adding the root preexec command, and editing the disk_a to disk_yyy. This did the trick! It had to however backup to "sda" rather than "sda1", but apart from that everything worked ok. Thank you.

      Delete
    4. Hello!


      Thank you very much for providing the solution. This shall help tremendously for anyone in a similar situation.


      Regards,
      Ahmed

      Delete

Post a Comment

Popular posts from this blog

Technicolor TG582n: Info, Configuration and Usage Options

Hi! DANT-T and DANT-1 variants DANT-T and DANT-1 variants The Technicolor TG582n ( quick specs , user guide ) seems to be quite popular with ISPs and can be found in branded, sometimes locked*, form throughout. Fortunately, it works really well once properly configured and it is (usually) easy to unlock by flashing it with an unlocked firmware. One thing to take into consideration is that it comes in two main variants, the DANT-1 and DANT-T, with each variant only accepting it's own firmware (unless you are installing OpenWRT ). Firmware Update: Now, when it comes to flashing the firmware, we need: (Windows 7 is recommended) - Thomson Upgrade Wizard   - User privileges (username and password for user authorized to flash firmware ... for some branded ones we don't need one once router has been reset but for some like O2 we need the user SuperUser with password the Serial Number of router) - (Unlocked/Generic) Firmware for the

PTCL's (newer) Wireless n 150mbps W150D xDSL Router by Tenda Part2

From the hardware point of view, the PTCL/Tenda W150D is not much different from other BCM6328 based routers but the difference surely lies in the software/firmware ... so let's take a look at the gui side of things ... From the start it was apparent that the firmware for PTCL was not 'special/locked' one and just used image replacement replacing Tenda's images/logos with those for PTCL ... anyways it also didn't seem to work well, felt kind of like a beta version of the firmware ... couldn't hold onto some settings ... my long line and difficult stats didn't help either (awaiting conversion from copper to fiber) ... so in desperation I looked at firmware updates for the router on Tenda's website knowing full well that a corrupted/interrupted/slightly-changed firmware update would brick the router with no obvious way to recover as serial & jTAG pinouts are not known (there are some test points ... but lack of interest) and no full flash backup c