BT Home Hub v2 Type A: Info, Unlock & Configuration

Hello Again!

Next up is the BT Home Hub v2* Type A home ADSL Wireless Router by Thomson/Technicolor (more info at OpenWRT wiki). Again, this router accepts only BT specific/approved domain names for username of dsl and must be 'unlocked' to be used with other ISPs. Such 'unlocking' (thanks to btsimonh and Surreliz3) also allows more configuration options, though firmware upgrade options might become limited. As with the BTHH v1 & v1.5, this router can be 'unlocked' via jTAG method but there is also the relatively easier software method provided the firmware version currently on the BTHHv2A is lower than version 8.1.H.U. 

Unlock:

I 'unlocked' mine via the software method a long time ago so I won't be able to post screenshots of the process (have yet to try the jtag method on one with newer firmware that I also happen to have), but, here is the process as described on the now defunct psidoc.com website (the links may no longer work for downloads ... you may get the files here):

(To continue reading, please click on 'Read More')



"

How to hack - or unlock your home hub 2.0A via software.

Hacking the BT Home Hub V2.0A via software

Introduction:
The BT Home Hub 2.0A was until now only hackable by JTAG. This, however has all changed thanks to the efforts of forum member btsimonh. This is his method. He pioneered it on his own and all credit and HUGE thanks got out to him.
The root hack that we use initially was developed by Surreliz3 over on modem-help.co.uk when the owner of the site - Alex - threw down the challenge.

Disclaimer:

1: Flashing your router with anything other that standard BT firmware will really really definately invalidate your warranty and if done incorrectly may cause your router to cease functioning. If you are unsure in any way then don't do it.
2: The firmware supplied and this method and all files, whilst tested are provided as is with no warranty or liability on behalf of the author or the owner(s) of psidoc.com.
3: Just to repeat: If you are unsure in any way then don't do it!

Preparation:
This hack requires the use of 2 USB drives, 1 to help with the root hack, the other to hold the flash files.
Downloading the files:
Download the files from here: http://www.psidoc.com/showthread.php...re-flash-files and extract to your HDD
Password for the Archive = www.psidoc.com

Preparing the root hack drive:
In the folder FlashWithoutJTAG_btsimonh_v1 there is a disk image writer called DiskImage_1_6_WinAll.exe.
Insert your stick into your windows machine.
Run DiskImage as administrator.
Select the physical disk representing the USB stick. BE CAREFUL - YOU COULD DESTROY YOUR WINDOWS HD!
Select 'sysroot.sqsh' (Remember to select all files not just disk images in the open dialog)
Hit start. It should complete very quickly.
USB Prepared!

Step 1 The Root Hack - Courtesy of Surrealiz3 from modem-help.co.uk:
Connect your PC to the Homehub using an ethernet cable - NEVER TRY THIS WIRELESSLY! Make sure it is assigned an IP address.
Insert the USB drive we just prepared into the home hub and wait a few seconds.
In Windows Explorer, type \\192.168.1.253 into the address bar. You should get 'Disk_a' appear.
Navigate to \\192.168.1.253\Disk_a\sys\rw\dl\ and copy / paste in the utelnetd file from the FlashWithoutJTAG_btsimonh_v1 folder on your HDD.
Navigate to \\192.168.1.253\Disk_a\sys\rw\etc\ and DELETE the smb.conf file. Now copy / paste in the smb.conf file from the FlashWithoutJTAG_btsimonh_v1 folder on your HDD.
Close the Windows Explorer window.
Open a new Windows Explorer window and type \\192.168.1.253\Disk_yyy in the address bar. If it errors out try \\192.168.1.253\Disk_a (It's a windows thing - don't panic!)
The router will have launched utelnetd in the background on port 4002
Click start >> run and type in Telnet 192.168.1.253 4002 you should be greeted by a telnet prompt with full root priviledges.
Hello Houston... WE HAVE ROOT!

Step 2: Flashing the new filesystem.
Take the other USB stick, and copy the v2reflash folder onto it.
Remove the first USB stick from the Homehub and insert the second.
It's worthwhile noting here. Some have tried with a 2 -3 partition USB stick with the root hack on 1 partition and the V2reflash files on another however it freezes at one of the commands later on so don't! Use 2 seperate USB sticks.

1: In the telnet window type:
mount
The output should be identical to the one below:

what we are interested in is this line: /dev/sda1 on /var/usbmount/sda1 type vfat (rw,sync,noatime,nodiratime,fmask=0000,dmask=0000)
If it says /sdb1 instead of /sda1 pull the USB drive out of the hub, wait 5 seconds and pop it back in then do the mount command again you will get the drive mounted as /sda1

2: First thing we need to do is Backup your original firmware. This is done by typing the command below into the telnet window: The command copies a full flash backup to your USB stick and calls it backup.bin.
cat /dev/mtdblock5 > /var/usbmount/sda1/backup.bin

3: In the telnet window type:
cd /var/usbmount/sda1/v2reflash then ls -l
The output should match the image below with the exception of 2 files. The flash_createextended and flash_newrootfs files are not required and are not included so their absence can be safely ignored.

What we have done here is simply check we have all the files in the right place.

4: In the telnet window type:
./startpivot
You will get a double check to confirm before anything happens. Press ENTER to continue or CTRL and C to cancel.
The output should match the image below.

This is where some linux magic is perfomed. Basically what happens is a new file system is made in memory and we switch to it so as the flash rom can be accessed and the files on the USB stick are copied to the /sbin directory on the router.
At this point the Telnet window will disconnect - don't panic this is expected. Wail till you see "Connection Lost to Host" and close the telnet window.

5: Telnet back in on port 4003 by Click start >> run and type in Telnet 192.168.1.253 4003 as per the image below.

And we should be back in business.

6: In the new Telnet window type:
unmount
The output should match the picture below.

At this stage we're just cleaning up a little more so we have plenty of space to work with.

Note: It's worthwhile mentioning here that so far NO changes have been made to the HomeHub in any way whatsoever, so if you are not happy in anyway you can unplug it and it will reboot as if nothing has ever happened.
The next step however will erase and reflash the home hub. It takes approx 3 - 4 minutes. So please DO NOT POWER OFF THE ROUTER TILL THIS PART IS COMPLETED.

7: In the new Telnet window type:
flash_allfrom40000
You will get a double check to confirm before anything happens. Press ENTER to flash or CTRL and C to cancel.
Now... Sit on your hands and do nothing! Just watch the telnet window for the next 3 -4 minutes. The output should be like this:


When you see the directories in blue that confirms the flash has been successful.
Congratulations you have softmodded your HH2.

 "



We'll now configure the HH2A. The process is quite similar to the one for HHv1 and HHv1.5 shown earlier so the description(s) might be shorter:

Screenshots for Configuration via Thomson/SpeedTouch Configuration Wizard:

- After resetting the hub, login via user password on the back of the hub

- Run the Configuration Wizard (might have to use the Compatibility Troubleshooter)

 - Use the username "admin" and the default password on the back of the hub

 - Copy the Template file to the Desktop for Editing (Basic PPP in this case)

- Edit via gVIM or Notepad++

- Now configure as per choice and as per ISP provided settings (PTCL in this case)

(Might change username from Administrator to admin as before)

 - We'll use Telnet to configure some more settings (Optional)

 - Manually changing the DNS Server

- Disable CWMP just in case

 - Increasing LCP Echo Tolerance helps with ISP PTCL's connection

- You may reconnect the PPP interface (Internet) with ifattach under ppp menu but I have skipped it for now

 - You may have to manually connect using the Connect button under the Internet menu

- Success!

Note that not all settings may apply but the important ones (connection details) are usually applied without any problems via the Wizard!

Also, by adding the HH2A to the different template files as shown above, the hub can be configured differently such as a wireless router!

Configuration via CLI:

The connection can be configured via the CLI as well (ISP PTCL's Copper Config in this case):

- Assuming we have telnet access to the Thomson CLI with appropriate user priviledges:

Optional: You may delete all current interfaces for the PPPoA ... in reverse order of creation as below

Note: You may also use the 'menu'! Also TAB works for autofill!

Phonebook entry and ATM config

1. atm phonebook add name=RtPPPoE_ph addr=0.103 (replace with your VPI.VCI)

2. atm ifadd intf=RtPPPoE_atm

3. atm ifconfig intf=RtPPPoE_atm dest=RtPPPoE_ph ulp=mac

4. atm ifattach intf=RtPPPoE_atm

Ethernet bridge (PPPoEoA)

5. eth ifadd intf=RtPPPoE_eth

6. eth ifconfig intf=RtPPPoE_eth dest=RtPPPoE_atm

7. eth ifattach intf=RtPPPoE_eth

PPP

8. ppp ifadd intf=RtPPPoE

9. ppp rtadd intf=RtPPPoE dst=0.0.0.0/0

10. ppp ifconfig intf=RtPPPoE dest=RtPPPoE_eth user=dslusername password=dslpassword

NAT enabled before attaching

11. nat ifconfig intf=RtPPPoE translation=enabled

12. ppp ifattach intf=RtPPPoE

Don't forget to save

13. saveall

(Typos excepted)

Source: Thomson/SpeedTouch CLI configuration Manual(s)

Hub phone:

Warning: DECT v6 that operates on 1900 MHz Frequency Band designed for US is banned in Pakistan as the 1900 MHz band is being used by cellular operators (who paid license fee for this band) and DECT v6 can cause interference in this band! The public notice by PTA can be read here!

Caution: VoIP is prohibited by PTA on 'data' networks (though enforcement depends upon the ISP) without permission in Pakistan due to 'illegal' gateway exchanges! For VoIP configuration outside Pakistan (or with required permissions), kindly refer to the User Manual and your VoIP provider for configuration details like the ones provided for SpeedTouch 780WL (similar to BTHH) by 'voiptalk' here!. In case of BT HH2, one would have to use the CLI via telnet access to configure the same settings!

Fortunately, the BT HH Phones are not DECT 6.0 and can be used here as simple cordless phones! By default, calls can be made by dialling '5' before the desired number.

In the case of the BT Home Hub 2 (also a DECT base-station), we have the (matching) BT Hub Phone 2.1 cordless phone (originally used for BT's Broadband Talk service). Here are some pictures of the phone:

--------------------------------------------------

* There seems to be a newer hardware build of the hub that can be described as v2.1 or rev 2 ... only the pcb layout seems to be different! Some models also have mini pci slot based wifi cards instead of soldered ones!

Update:
Found some photos taken earlier: