September 03 2010 21:07:31
Hacking the BT Home Hub V1.0 and 1.5 PROPERLY

Introduction:

The BT Home Hub was declared half hackable in the case of the version 1 and "unhackable" in the case of the version 1.5. This of course is a complete pile of tosh! If a router has a JTAG port then the firmware can be downloaded, analysed and manipulated, either to accept a different firmware from a model which is electronically identical or similar, or to be hacked in itself. All that is required is a little ingenuity and experimentation.

What is JTAG:
Have a look here for a brief explanation of how the JTAG system works: http://www.fpga4fun.com/JTAG2.html


Ok so how do we hack the allegedly unhackable?
Relatively simply actually. The explanation is below.

Version 1.0
We patch the bootloader, or to give it its technical name the CFE, to change the identity of the Home Hub so that we can load a firmware from the later version of the Speedtouch 7G CANT-A model and get almost full functionality from the router.

Version 1.5
In the case of the 1.5 version it also has extra locks in the CFE which stop us from using a different firmware. How do we get around these? Again a simple solution is to hand: we use the CFE from the version 1.0! Use a patched version 1.0 CFE and we're in business!

After flashing the CFE we then need to update the firmware in the normal kernel mode way. If you don't know how to get into kernel mode by now then I really think the rest of this may be a little beyond you, so please go and do some reading up.

Required Files:
Download the files required from the Download Section
Password for the file: www.psidoc.com

The files in the archive are:
brjtag.exe - The JTAG read / write tool
command.txt - The command list for brjtag.exe
custom.bin - Patched version 1.0 CFE ready to flash
giveio.sys - Parallel port driver for the JTAG tool
loaddrv.exe - Tool for enabling the giveio.sys
readme.doc - This how-to, but it will probably differ from this version.
Builds folder - The folder with the upgraded firmware that will be used after flashing the CFE via JTAG
UpgradeST folder - Speedtouch Updater tools for upgrading the firmware.

Disclaimer:
1: Flashing your router with anything other than standard BT firmware will invalidate your warranty and if done incorrectly may cause your router to cease functioning. If you are unsure in any way then don't do it.
2: The firmware(s), CFE and this method, whilst tested are provided as is with no warranty or liability on behalf of the author or the owner(s) of psidoc.com.
3: Just to repeat: If you are unsure in any way then don't do it!

Preparation of the hardware:

JTAG.

We need to read out the CFE (bootloader) of the router and edit it so that we can make the new firmware boot. For this we need to build a JTAG flasher cable. The following diagram is a standard unbuffered JTAG cable which will suffice. Note: for this type of cable keep the length to no more than 6” (15cm).
It’s also worth mentioning here that the PC parallel port is the 25-pin D male that connects directly to the back of the PC, not the 36-pin Centronics like on the end of a printer cable.
The cheapest and easiest way of getting the resistors in place is to simply solder them in line as shown in the picture.


Excellent hi res picture courtesy of Tony 2 Shoes on the forum

Connections on the mainboard:
Solder the relevant cables to the mainboard as shown below.

JTAG pin-assignment:
Parallel Port - Signal - Connection
-----------------------------------
13 ------- TDO ------- TP32
2 --------- TDI ------- TP33
4 --------- TMS ------- TP34
3 --------- TCK ------- TP35
20 ------ ground ----- PCB Ground
25 ------ ground


The pictures below show the test points and their location on the board. Note the ground line in the 2nd photo is the one with the multiple wires soldered to it.
And here kindly donated by Wakaru from The Scream forums is a very nice close up of the test points.
Many thanks for allowing me to use the picture. My photographic skills suck!

Preparation of the software:

1. The folder (flash) this readme is in should be in the root of your C: drive. If it’s not there already, move it now.
2. One of the files in this folder is called “giveio.sys”. Copy this file to c:\windows\system32\drivers\ (this is for Windows XP; the location on other systems may be different).
3. Open a command prompt (Click Start; Run; type “cmd” & press enter)
4. Change to the “flash” directory [C:\flash] by typing cd c:\flash
5. Run loaddrv.exe (type loaddrv.exe – press enter)
6. In the window which opens, complete the location of the “giveio.sys” file (c:\windows\system32\drivers\giveio.sys)
7. Click on “Install” (This only needs to be done ONCE)
8. Click on Start (This needs to be done ONCE after every reboot)
9. Close the window.
Now you’re good to test out the cable:

Testing the cable & communication with the router:
1. Type “brjtag -probeonly /window:1F400000” - DON'T press enter yet!
2. Switch on the router – wait 4 seconds – NOW press enter.

The output should be something like this:


===============================================

Broadcom EJTAG Debrick Utility v1.6r-hugebird

===============================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***

- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... ... Done
Clearing Watchdog ... Done

Loading CPU Configuration Code ... Skipped

Probing Flash at (Probe Address: 0x1F400000) ...
Matching Flash Chip (VenID:DevID = 017e : 1000)

*** Found a Spansion S29GL064MR4 BotB (8MB) Flash Chip ***

- Flash Chip Window Start .... : 1f800000
- Flash Chip Window Length ... : 00800000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000



*** REQUESTED OPERATION IS COMPLETE ***



Now turn off the router.

It may take a couple of attempts to get the timing right when to hit enter but you’ll get there. If it errors out unable to find a CPU then check your connections both ends of the cable.
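A quick way to sanity-check a captured probe log before trusting the cable is to decode the chip ID and flash window it reports. This is an added example, not part of the original how-to or the brjtag tool: it parses the lines of the probe output shown above (embedded here as a constructed sample), decodes the 32-bit JTAG IDCODE into its version/part/manufacturer fields, and flags anything that does not match the BCM6348 and the 8MB Spansion flash the Home Hub should report.

```python
import re

# Constructed sample: the lines that matter from the brjtag probe output above.
PROBE_LOG = """\
CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***
Matching Flash Chip (VenID:DevID = 017e : 1000)
*** Found a Spansion S29GL064MR4 BotB (8MB) Flash Chip ***
- Flash Chip Window Start .... : 1f800000
- Flash Chip Window Length ... : 00800000
"""

def parse_probe(log):
    """Extract the chip ID and flash window from a brjtag -probeonly log."""
    m = re.search(r"CPU Chip ID: ([01]{32}) \(([0-9A-Fa-f]{8})\)", log)
    if not m:
        raise ValueError("no CPU Chip ID line: no CPU was found, check the cable")
    bits, hexid = m.groups()
    idcode = int(hexid, 16)
    if int(bits, 2) != idcode:
        raise ValueError("binary and hex chip ID disagree: garbled capture")
    flash = re.search(r"VenID:DevID = ([0-9a-fA-F]+) : ([0-9a-fA-F]+)", log)
    start = re.search(r"Window Start[ .]*: ([0-9a-fA-F]{8})", log)
    length = re.search(r"Window Length[ .]*: ([0-9a-fA-F]{8})", log)
    return {
        "idcode": idcode,
        # JTAG IDCODE layout: version[31:28] part[27:12] manufacturer[11:1] 1[0]
        "part": (idcode >> 12) & 0xFFFF,
        "manufacturer": (idcode >> 1) & 0x7FF,
        "idcode_lsb": idcode & 1,
        "flash_vendor": int(flash.group(1), 16) >> 8 if flash else None,
        "flash_start": int(start.group(1), 16) if start else None,
        "flash_len": int(length.group(1), 16) if length else None,
    }

def check_probe(info):
    """Return a list of problems; an empty list means the probe looks like a Home Hub."""
    problems = []
    if info["idcode_lsb"] != 1:
        problems.append("IDCODE bit 0 must be 1: the JTAG chain is not shifting cleanly")
    if info["part"] != 0x6348:
        problems.append("part number %#06x is not the BCM6348" % info["part"])
    if info["manufacturer"] != 0x0BF:   # JEDEC manufacturer code for Broadcom
        problems.append("manufacturer %#05x is not Broadcom" % info["manufacturer"])
    if info["flash_vendor"] != 0x01:    # JEDEC manufacturer code for AMD/Spansion
        problems.append("flash vendor is not Spansion")
    if info["flash_len"] != 8 * 1024 * 1024:
        problems.append("flash window is not 8MB")
    return problems
```

A probe that errors out before printing a chip ID raises straight away, which is the "check your connections" case from the text.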

Backing up the CFE:
1: Type “brjtag -backup:custom /window:1F400000 /start:1F400000 /length:0040000” into the dos window
2: Switch on the router – wait 4 seconds – press enter.
3: Wait until the backup has finished (less than 1 minute); you will notice a custom.bin file has been created in the flash folder. This is your backup of your CFE.
4: Turn off the router
5: Repeat steps 1 – 3 again.
6: Type “comp” in the dos window and press enter. You will be asked for File 1: type in the name of the 1st backup and press enter. You will be asked for File 2: type in the name of the 2nd backup and press enter. If there are no differences then all is good. If the 2 files are different then delete them and try again until you get 2 identical backups. It may also be an idea to shorten the JTAG cable.
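The two-backup comparison above is the only check between a flaky cable and a bad CFE going into the flash, so it is worth doing more thoroughly than "comp" does. This is an added example, not part of the original how-to: it compares two dumps of the 0x40000-byte CFE region, reports the first differing offset and how many bytes differ, and also catches a dump that is the wrong size or entirely blank (all 0xFF or all 0x00), which a plain comparison of two equally-bad dumps would pass.

```python
import hashlib

# Bytes requested by "/length:0040000" in the backup command above.
CFE_LEN = 0x40000

def compare_dumps(first, second, expected_len=CFE_LEN):
    """Compare two JTAG dumps of the same CFE region, like the "comp" step,
    but also report where they differ and whether the dump looks empty."""
    result = {
        "length_ok": len(first) == expected_len and len(second) == expected_len,
        "identical": first == second,
        "first_diff": None,
        "diff_count": 0,
        # An all-0xFF or all-0x00 dump means the read never reached the flash.
        "blank": len(set(first)) <= 1,
        "sha256": hashlib.sha256(first).hexdigest() if first == second else None,
    }
    if not result["identical"]:
        n = min(len(first), len(second))
        diffs = [i for i in range(n) if first[i] != second[i]]
        diffs += list(range(n, max(len(first), len(second))))  # tail of the longer dump
        result["first_diff"] = diffs[0] if diffs else None
        result["diff_count"] = len(diffs)
    return result

def verdict(result):
    """Turn the comparison into the same decision the instructions above describe."""
    if result["blank"]:
        return "dump is blank: check the cable and the /window and /start addresses"
    if not result["length_ok"]:
        return "dump is the wrong size: re-run the backup"
    if result["identical"]:
        return "backups match (sha256 %s): safe to keep" % result["sha256"]
    return "backups differ at offset %#x (%d bytes): delete both, shorten the cable, retry" % (
        result["first_diff"], result["diff_count"])

if __name__ == "__main__":
    # Usage: python compare_cfe.py first.bin second.bin
    import sys
    a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    print(verdict(compare_dumps(a, b)))
```

Keep the matching sha256 with the backup; it lets you confirm later that the copy you restore is the one you verified.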

Flashing the CFE:
1: Type “brjtag -flash:custom /window:1F400000 /start:1F400000 /length:0040000 /bypass /forcealign” into the dos window
2: Switch on the router – wait 4 seconds – press enter.
3: Wait until the flashing has finished. (You’ll see some scary stuff about erasing memory blocks etc. and flashing; just wait till it’s done, and yes, the last 50% does flash quickly!) It should take approx. 100 - 150 seconds depending on your PC.
4: Turn off the router.

Loading the New Firmware

Note: If you have BT firmware 6.2.2.6 flashed to the router it will actually still boot; if you are running a newer version of the BT firmware (6.2.6.A and on) it’ll see it as an illegal build and terminate halfway through booting.
1: Force kernel mode by pressing and holding the Wifi button and powering on the router.
2: Reflash as you normally would using the Speedtouch Updater in the UpgradeST folder.
3: Allow it to do its thing and set up as you normally would.

Note: 3 firmwares are supplied.
1: 7.4.1.7 (ZZGKAA7.417.bin) The last firmware available for the cant-a. Works well for me.
2: 6.2.29.2 (ZZGQAA6.2T2.bin) Earlier firmware but very quick. Again works well.
3: 6.2.2.6 (6226_bant-z_Live.bin) BT firmware 6.2.2.6 Dunno why you’d want it but it’s there!