September 03 2010 21:06:02
Hacking the BT Home Hub V2.0A

Introduction:
The BT Home Hub 2.0A was declared "unhackable" by some "experts" and the rest took their word for it. They lied to you!
If a router has a JTAG port then the firmware can be downloaded, analysed and manipulated to either accept a different firmware from a model which is electronically identical or similar, or hacked in itself. All that is required is a little ingenuity and experimentation.

This hack requires the use of a JTAG connection to the router. That means opening it up and soldering 5 wires to the mainboard. Be warned this WILL invalidate your warranty!

What is JTAG:
Have a look here for a brief explanation of how the JTAG system works: http://www.fpga4fun.com/JTAG2.html

Ok so how do we hack the allegedly unhackable?
This hack involves replacing the Linux operating system (the RootFS) with one that has a more relaxed outlook on life than BT would like. For the inquisitive amongst you, it is a genuine 8.1.H.J BT firmware that has had the restrictions for ISP, Telnet and FTP removed by myself.

Required Files:
Download the files required from the Download Section
If prompted the password for the file is: www.psidoc.com

The files in the archive are:
brjtag.exe - The JTAG read / write tool
command.txt - The command list for brjtag.exe
giveio.sys - Parallel port driver for the JTAG tool
loaddrv.exe - Tool for enabling the giveio.sys
Any Other Firmware Folder - Flash this custom.bin if you have any firmware other than 8.1.H.J
81HJ Folder - Flash this custom.bin if you have firmware 8.1.H.J

Disclaimer:
1: Opening your Router up will invalidate your warranty.
2: Soldering wires to your router will definitely invalidate your warranty.
3: Flashing your router with anything other than standard BT firmware will really, really definitely invalidate your warranty and, if done incorrectly, may cause your router to cease functioning. If you are unsure in any way then don't do it.
4: The firmware(s) supplied, and this method, whilst tested are provided as is with no warranty or liability on behalf of the author or the owner(s) of psidoc.com.

5: Just to repeat: If you are unsure in any way then don't do it!


Firmware Version:
You will need to know the firmware version of your router before you commence. So please login to your router and make a note of it. Hint: it's at the bottom of almost every page!
Preparation of the hardware:
JTAG.
We need to flash a new RootFS operating system to the router. For this we need to build a JTAG flasher cable. The following diagram is a standard unbuffered JTAG cable which will suffice. Note: for this type of cable keep the length to no more than 6” (15cm)
It’s also worth mentioning here that the PC parallel port is the 25-pin D male that connects directly to the back of the PC, not the 36-pin Centronics like on the end of a printer cable.

The cheapest and easiest way of getting the resistors in place is to simply solder them in line as shown in the picture.

Excellent hi-res picture courtesy of Tony 2 Shoes on the forum.

Connections on the mainboard:
Solder the relevant cables to the mainboard as shown below.

JTAG pin-assignment:
Parallel Port - Signal - Connection
-----------------------------------
13 ------- TDO ------- J9 Pin 3
2 --------- TDI ------- J9 Pin 2
4 --------- TMS ------- J9 Pin 5
3 --------- TCK ------- J9 Pin 6
20 ------ ground ----- PCB Ground
25 ------ ground


The pictures below show the test points and their location on the board.

Preparation of the software:
1. The folder (flash2) this readme is in should be in the root of your C: drive. If it’s not there already, move it now.
2. One of the files in this folder is called “giveio.sys”. Copy this file to c:\windows\system32\drivers\ (this is for Windows XP; the location on other systems may be different).
3. Open a command prompt (Click Start; Run; type “cmd” & press enter).
4. Change to the “flash” directory [C:\flash2] by typing cd c:\flash2
5. Run loaddrv.exe (type loaddrv.exe – press enter).
6. In the window which opens, complete the location of the “giveio.sys” file (c:\windows\system32\drivers\giveio.sys).
7. Click on “Install” (This only needs to be done ONCE).
8. Click on Start (This needs to be done ONCE after every reboot).
9. Close the window.
Now you’re good to test out the cable:

Testing the cable & communication with the router:
1. If you have not got one open, then open a command prompt (Click Start; Run; type “cmd” & press enter).
2. If not already there, change to the “flash” directory [C:\flash2] by typing cd c:\flash2
3. Type “brjtag -probeonly /window:1E000000” - DON'T press enter yet!
4. Switch on the router – wait 4 seconds – NOW press enter.

The output should be something like this:


===============================================
Broadcom EJTAG Debrick Utility v1.6r-hugebird
===============================================

Probing bus ... Done

Instruction Length set to 5

CPU running under BIG endian

CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom BCM6358 Rev 1 CPU chip ***

- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Probing Flash at (Probe Address: 0x1e000000) ...
Matching Flash Chip (VenID:DevID = 017e : 2101)

*** Found a Spansion S29GL128N/P Uni (16MB) Flash Chip ***

- Flash Chip Window Start .... : 1e000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000



*** REQUESTED OPERATION IS COMPLETE ***



Now turn off the router.

It may take a couple of attempts to get the timing right for when to hit enter, but you’ll get there. If it errors out unable to find a CPU, then check your connections at both ends of the cable.
If it all looks good then you're ready to back up your flash.

Backing up the flash:
1. If you have not got one open, then open a command prompt (Click Start; Run; type “cmd” & press enter).
2. If not already there, change to the “flash” directory [C:\flash2] by typing cd c:\flash2
3. Type “brjtag -backup:custom /window:1E000000 /start:1E000000 /length:1000000” into the DOS window.
4. Switch on the router – wait 4 seconds – press enter.
5. Wait until the backup has finished (This will take a couple of hours!). You will notice a custom.bin file has been created in the flash folder. This is your backup of your entire flash.
The output on screen should be something like this:

C:\flash2>brjtag -backup:custom /window:1E000000 /start:1E000000 /length:1000000

===============================================
Broadcom EJTAG Debrick Utility v1.6r-hugebird
===============================================

Probing bus ... Done

Instruction Length set to 5

CPU running under BIG endian

CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom BCM6358 Rev 1 CPU chip ***

- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Probing Flash at (Probe Address: 0x1e000000) ...
Matching Flash Chip (VenID:DevID = 017e : 2101)

*** Found a Spansion S29GL128N/P Uni (16MB) Flash Chip ***

- Flash Chip Window Start .... : 1e000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 1e000000
- Selected Area Length ....... : 01000000

*** You Selected to Backup the CUSTOM.BIN ***

=========================
Backup Routine Started
=========================

Saving CUSTOM.BIN.SAVED_20091119_175326 to Disk...
Done (CUSTOM.BIN.SAVED_20091119_175326 saved to Disk OK)

bytes written: 16777216
=========================
Backup Routine Complete
=========================
elapsed time: 5594 seconds


6. Turn off the router.
7. Repeat steps 1 – 3 again to take a second backup.
8. Type “comp” in the DOS window and press enter. You will be asked for File 1: type in the name of the 1st backup and press enter. You will be asked for File 2: type in the name of the 2nd backup and press enter. If there are no differences then all is good. If the 2 files are different then delete them and try again until you get 2 identical backups. It may also be an idea to shorten the JTAG cable.

Flashing the New RootFS
All the firmware versions are different and are arranged in the flash differently. This meant I had to go for a standardised version, so I took the latest firmware, Version 8.1.H.J, and used that to modify. Those with routers that are not on version 8.1.H.J: don't panic! You're getting an upgrade!
If you have a router with version 8.1.H.J. then read the next section. If you have any other firmware version then please skip the next section and go to the section entitled: Flashing the New RootFS if you have any other firmware Version.
Warning! If you flash the wrong firmware file YOU WILL BRICK THE ROUTER!

Flashing the New RootFS if you have firmware Version 8.1.H.J. already:
1. Copy the custom.bin file from the 81HJ folder into the main flash2 folder.
2. If you have not got one open, then open a command prompt (Click Start; Run; type “cmd” & press enter).
3. If not already there, change to the “flash” directory [C:\flash2] by typing cd c:\flash2
4. Type “brjtag -flash:custom /window:1E000000 /start:1E420000 /length:05E0000 /bypass /forcealign” into the DOS window.
5. Switch on the router – wait 4 seconds – press enter.
6. Wait until the flashing has finished. Should take between 2 and 3 hours depending on your PC.
The output on your PC should look like this:

C:\flash2>brjtag -flash:custom /window:1E000000 /start:1E420000 /length:05E0000 /bypass /forcealign

===============================================
Broadcom EJTAG Debrick Utility v1.6r-hugebird
===============================================

Probing bus ... Done

Instruction Length set to 5

CPU running under BIG endian

CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom BCM6358 Rev 1 CPU chip ***

- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Probing Flash at (Probe Address: 0x1e000000) ...
Matching Flash Chip (VenID:DevID = 017e : 2101)

*** Found a Spansion S29GL128N/P Uni (16MB) Flash Chip ***

- Flash Chip Window Start .... : 1e000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 1e420000
- Selected Area Length ....... : 005e0000

*** You Selected to Flash the CUSTOM.BIN ***

=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 47

Erasing block: 34 (addr = 1e420000)...Done
Erasing block: 35 (addr = 1e440000)...Done
Erasing block: 36 (addr = 1e460000)...Done

*** Erasing blocks count up until ***

Erasing block: 80 (addr = 1e9e0000)...Done

Entered Unlock Bypass mode->

Loading CUSTOM.BIN to Flash Memory...
Done (CUSTOM.BIN loaded into Flash Memory OK)

=========================
Flashing Routine Complete
=========================
elapsed time: 7685 seconds


*** REQUESTED OPERATION IS COMPLETE ***


7. Turn off the router.

Flashing the New RootFS if you have any other firmware Version:
1. Copy the custom.bin file from the Any Other Firmware folder into the main flash2 folder.
2. If you have not got one open, then open a command prompt (Click Start; Run; type “cmd” & press enter).
3. If not already there, change to the “flash” directory [C:\flash2] by typing cd c:\flash2
4. Type “brjtag -flash:custom /window:1E000000 /start:1E040000 /length:0FC0000 /bypass /forcealign” into the DOS window.
5. Switch on the router – wait 4 seconds – press enter.
6. Wait until the flashing has finished. Should take between 3 and 4 hours depending on your PC.
The output on your PC should look like this:

C:\flash2>brjtag -flash:custom /window:1E000000 /start:1E040000 /length:0FC0000 /bypass /forcealign
===============================================
Broadcom EJTAG Debrick Utility v1.6r-hugebird
===============================================

Probing bus ... Done

Instruction Length set to 5

CPU running under BIG endian

CPU Chip ID: 00000110001101011000000101111111 (0635817F)
*** Found a Broadcom BCM6358 Rev 1 CPU chip ***

- EJTAG IMPCODE ....... : 00000000100000011000100100000100 (00818904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS16 MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Probing Flash at (Probe Address: 0x1e000000) ...
Matching Flash Chip (VenID:DevID = 017e : 2101)

*** Found a Spansion S29GL128N/P Uni (16MB) Flash Chip ***

- Flash Chip Window Start .... : 1e000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 1e040000
- Selected Area Length ....... : 00FC0000

*** You Selected to Flash the CUSTOM.BIN ***

=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 126

Erasing block: 3 (addr = 1e040000)...Done
Erasing block: 4 (addr = 1e060000)...Done
Erasing block: 5 (addr = 1e080000)...Done

*** Erasing blocks count up until ***

Erasing block: 128 (addr = 1eFD0000)...Done

Entered Unlock Bypass mode->

Loading CUSTOM.BIN to Flash Memory...
Done (CUSTOM.BIN loaded into Flash Memory OK)

=========================
Flashing Routine Complete
=========================
elapsed time: 8767 seconds


*** REQUESTED OPERATION IS COMPLETE ***


7. Turn off the router.
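A small pre-flight checker for the two flash commands above and for the step 8 "comp" check in the backup section, added here as an example; it is not one of the files in the flash2 archive and not PsiDOC's code. The window, block and length values are the ones the brjtag output on this page reports (16 MiB Spansion S29GL128N, /window:1E000000); the function names and the "81HJ"/"other" layout labels are my own, and the erase-block arithmetic is generalised so it can be checked against any /start:/length: pair, not just the two used here.

```python
FLASH_WINDOW = 0x1E000000   # /window: value used in every brjtag command above
FLASH_SIZE = 0x1000000      # 16 MiB, as the probe reports for the S29GL128N
BLOCK = 0x20000             # 128 KiB erase block; the brjtag log numbers blocks from 1
# /start: and /length: from the two flash commands on the page (labels are mine)
LAYOUTS = {"81HJ": (0x1E420000, 0x5E0000), "other": (0x1E040000, 0xFC0000)}


def erase_plan(start, length):
    """Return (first_block, last_block, block_count) for a /start:/length: pair,
    numbered as the brjtag log numbers them, or raise if the range is unsafe."""
    if start % BLOCK or length % BLOCK or length == 0:
        raise ValueError("start and length must be whole 128 KiB blocks")
    if start < FLASH_WINDOW or start + length > FLASH_WINDOW + FLASH_SIZE:
        raise ValueError("range falls outside the 16 MiB flash window")
    first = (start - FLASH_WINDOW) // BLOCK + 1
    count = length // BLOCK
    return first, first + count - 1, count


def image_fits(image_size, layout):
    """True when custom.bin is exactly as long as the /length: for that layout."""
    return image_size == LAYOUTS[layout][1]


def differing_blocks(dump_a, dump_b):
    """Step 8 check: 1-based block numbers where two full-flash backups differ.
    Takes the dump contents as bytes so it can be exercised without files."""
    if len(dump_a) != FLASH_SIZE or len(dump_b) != FLASH_SIZE:
        raise ValueError("each backup must be exactly 16777216 bytes")
    return [off // BLOCK + 1 for off in range(0, FLASH_SIZE, BLOCK)
            if dump_a[off:off + BLOCK] != dump_b[off:off + BLOCK]]


def compare_backup_files(path_a, path_b):
    """Wrapper over differing_blocks for two CUSTOM.BIN.SAVED_* files on disk."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return differing_blocks(fa.read(), fb.read())


if __name__ == "__main__":
    for name, (start, length) in LAYOUTS.items():
        first, last, count = erase_plan(start, length)
        print(f"{name}: erase blocks {first}..{last} ({count} blocks)")
    # Constructed demo: two all-zero 16 MiB dumps with one byte flipped in block 6,
    # the kind of single-bit glitch a too-long unbuffered JTAG cable produces
    good = bytes(FLASH_SIZE)
    bad = bytearray(good)
    bad[5 * BLOCK + 3] ^= 0xFF
    print("blocks that differ:", differing_blocks(good, bad))  # [6]
```

Run on the page's two layouts it reports blocks 34..80 (47 blocks) and 3..128 (126 blocks), matching the "Total Blocks to Erase" lines in the logs above; a non-empty result from compare_backup_files means the two backups are not identical and should be discarded, exactly as step 8 says.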

Final Steps:
Now reboot the router and log in. You will be asked for the Admin Password from the sticker on the back, as usual.
Then reset to defaults.
Log in again and enter the Admin Password again.
Now you can set up your non-BT username and password, FTP into the router and use telnet on 192.168.1.254.

You're really good to go.

Notes:
In this firmware I have set up a default root account with the username: guru, password: guru. You can use this for telnet and FTP.
I strongly recommend you change this login via telnet immediately.

Automatic updates have been switched off as default so there is no chance of BT doing a sneaky auto update on your router to wipe out all your hard work!

Have Fun
PsiDOC