The goal is to unlock the Home Hub 2.0A using a Linux PC and a parallel port, then configure the device to work as a VoIP phone only through an existing connection. This information is available in other places (in fact the first half is mostly a reproduction of PsiDoc's excellent JTAG tutorial). I can't take credit for any of this, but because it took me a couple of days to find some of the Linux specific and VoIP information I thought it would be worth putting together a brief tutorial. It is very likely that any used hub will be running 8.1.H.U, and as there is no known software exploit, we will need to use a JTAG interface.
While this guide contains Linux instructions, the same procedures (with the exception of compiling BRJTAG) will be applicable to Windows users.
Step 1 - Build a JTAG interface
We build a cable from the PC parallel port to the Home Hub. The diagram below shows which pins to use on the PC side. 2 of them are ground and should be connected together and the others should be connected through 100 Ohm resistors as shown here: http://www.psidoc.com/articles/hh1/jtag.gif
This image shows a neat way to build the plug on the PC side using heat shrink sleeving if you have some: http://www.psidoc.com/articles/hh2/jtag25waylptend.jpg
These 2 pictures show the location on the HH board to connect to: http://www.psidoc.com/articles/hh2/hh2pcb.jpg http://www.psidoc.com/articles/hh2/homehub2_jtag.jpg
I would recommend using the finest wire you can find to solder to the HH board. Once the connections have been made, you can put a blob of hot glue over the wires to make sure they don't tear off. You can then connect these wires to the main part of the cable. I actually glued a small socket to the HH board so I could plug in the JTAG any time. High res photo of one of my (not very neat) first attempts here. I damaged one of the pads, and put the socket in a stupid place, but you get the idea: http://nutty.tk/HH.jpg
Thanks to PsiDoc for the images. His original post on this can be found here: http://www.psidoc.com/showthread.php...ick-Guide-quot
Step 2 - Obtain BRJTAG
My usual JTAG tool is URJTAG, but after several tests, I found that this does not appear to be able to read the flash chip (Spansion S29GL128N) in the HH. Therefore to flash the device, we will be using BRJTAG. The latest version is available here: http://www.hackchina.com/en/cont/109250
If you are using Windows, this will probably work out of the box, but to compile under Linux we need to make 2 changes to brjtag.c.
First, we delete the line that defines that we're building for Windows:
Code:
#define WINDOWS_VERSION
Second, we need to fix a bug that causes a buffer overflow in brjtag on Linux (this bug appears in all versions so I have no idea why it's never been fixed). Search for:
Replace it with
Finally, run "make" to build the tool.
You will also need to temporarily disable Linux's line printer (lp) driver, as this is likely to hog the parallel port. Run the following before trying to use BRJTAG:
Step 3 - Back up your existing firmware
The flash memory on the device extends from 0x1e000000 to 0x1f000000 (16MB). There are 2 areas we are interested in, and I would recommend backing up both of them:
0x1e000000 - 0x1e040000 (length 0x0040000) - This contains the bootloader and your hub's settings including the default root password and probably the MAC address, so it's best to look after it (I accidentally erased mine without backing it up and now have a hub that doesn't match the details printed on its case).
0x1e040000 - 0x1f000000 (length 0x0FC0000) - This contains the remainder of the firmware. We will be overwriting this with our new firmware but it's probably wise to back up the original firmware.
To make these backups, we run the following commands. I hope they're fairly self explanatory. The second will take quite some time.
Code:
./brjtag -backup:custom /window:1E000000 /start:1E000000 /length:0040000 /fc:88
./brjtag -backup:custom /window:1E000000 /start:1E040000 /length:0FC0000 /fc:88
To make these work, you will need to enter the command ready to go, then reset your HH, wait approx 3 seconds, then execute the command. The device will only respond during the period between being reset and the software starting. It may take a couple of attempts.
You will then have 2 CUSTOM.BIN files (each with a timestamp). Keep them somewhere safe.
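Before flashing anything in Step 4, it is worth checking that the two dumps are actually the size brjtag was asked for and are not blank (a dump taken outside the short post-reset window can come back as all 0xFF or all 0x00). The script below is an added example, not part of the original post or of BRJTAG; it assumes the two CUSTOM.BIN files have been renamed to whatever paths you pass in, and takes lengths in the same hex form used on the brjtag command line.

```shell
#!/bin/sh
# Added example: sanity-check JTAG flash dumps before flashing (not from the original post).
# Flash layout as described in Step 3 (hex, same form as brjtag's /start and /length).
FLASH_BASE=0x1E000000
FLASH_END=0x1F000000

# hex2dec HEXSTRING : accept "0040000", "0x0040000" or "1E000000"; always parse as hex
# (a bare leading zero would otherwise be read as octal by the shell).
hex2dec() {
    printf '%d\n' "$(( 0x${1#0x} ))"
}

# layout_ok START1 LEN1 START2 LEN2 : the two regions must exactly tile the 16MB flash.
layout_ok() {
    s1=$(hex2dec "$1"); l1=$(hex2dec "$2"); s2=$(hex2dec "$3"); l2=$(hex2dec "$4")
    [ "$s1" -eq "$(hex2dec $FLASH_BASE)" ] &&
    [ "$(( s1 + l1 ))" -eq "$s2" ] &&
    [ "$(( s2 + l2 ))" -eq "$(hex2dec $FLASH_END)" ]
}

# verify_dump FILE EXPECTED_LENGTH_HEX : 0 if FILE is exactly that many bytes and is
# not an all-0xFF / all-0x00 blank read; prints a SHA-256 digest to keep with the backup.
verify_dump() {
    file=$1
    expected=$(hex2dec "$2")
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(wc -c < "$file" | tr -d ' ')
    if [ "$actual" -ne "$expected" ]; then
        echo "$file: $actual bytes, expected $expected (truncated or over-read dump)" >&2
        return 1
    fi
    # Count bytes that are neither 0xFF nor 0x00; zero means the read almost certainly failed.
    nonblank=$(LC_ALL=C tr -d '\377\000' < "$file" | wc -c | tr -d ' ')
    if [ "$nonblank" -eq 0 ]; then
        echo "$file: every byte is 0xFF or 0x00, JTAG read probably failed" >&2
        return 1
    fi
    sha256sum "$file"
}

# Usage with the ranges from Step 3 (file names are placeholders):
#   layout_ok 1E000000 0040000 1E040000 0FC0000 && \
#   verify_dump bootloader.bin 0040000 && verify_dump firmware.bin 0FC0000
```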
Step 4 - Flash the unlocked firmware
Thanks to PsiDoc, we have a ready-made unlocked firmware. This is near identical to the original firmware, but allows telnet access, allows custom ISPs to be used, and disables BT's remote updates. The zipped firmware is attached to this post. It was originally posted by PsiDoc but was in a Windows self extracting EXE here: http://www.psidoc.com/showthread.php...ick-quot-files
Put the extracted CUSTOM.BIN in your BRJTAG directory and run the following to flash the firmware, again resetting the device a couple of seconds before pressing enter.
Code:
./brjtag -flash:custom /window:1E000000 /start:1E040000 /length:0FC0000 /fc:88
Note the start location is set to only overwrite the portion of the firmware after the bootloader / config.
When this has finished, if you're lucky and have done everything right, you should have an unlocked hub. Press reset and see if it boots.
Step 5 - Logging into the unlocked hub
Plug into the HH and browse to http://192.168.1.254 - log in with the default password and check everything is working. After that, you can telnet to 192.168.1.254. Log in with username guru and password guru. You will get a nice CLI. It is worth noting at this point that the backspace key will probably not work. If it doesn't, you can press ctrl-h instead.
I would recommend that you first create a new root user:
Code:
user add name charlie password mynewpassword role root
Disconnect and log back in with your new user. Finally, delete the default account:
Code:
user delete name guru
Step 6 - Configuring the network interfaces
I wanted to connect my hub to an existing network with a static IP, so I ran the following to set up a new address and disable the DHCP server. I also disabled WIFI, which I have no use for.
Code:
ip ipadd intf LocalNetwork addr 192.168.0.254 netmask 255.255.255.0
dhcp server config state disabled
wireless ifconfig state=disabled
config save filename user
Sometimes, the 'config save' command seems to crash for me. When this happens I have to reboot the hub and start configuring again. Not a huge problem.
Reboot the device, plug it into your existing network and see if you can still telnet to it. At this point you may wish to delete some of its old IP addresses:
Then, for each address you don't want, run the following. Make sure to leave 127.0.0.1 and the address you just added.
Code:
ip ipdelete addr 192.168.1.254
Finally, add the configuration needed to route through your existing router (192.168.0.1 in this example):
Code:
ip rtadd dst 0.0.0.0 gateway 192.168.0.1 intf LocalNetwork
dns client dnsadd addr 192.168.0.1
dns server config WANDownSpoofing=disabled
dns server route add dns 192.168.0.1 intf LocalNetwork
system config defaultconnection LocalNetwork
voice config intf LocalNetwork
When you're done, save the changes again:
Code:
config save filename user
Step 7 - Configuring the VoIP
We're going to configure the hub phones to connect to our VoIP provider. I have tested this with http://dial9.co.uk and everything seems to work perfectly.
First, add a VoIP account:
Code:
voice profile add
URI = charlie-home (your username)
[username] =charlie-home (your username again)
[password] = (I hope you know what to enter here)
[displayname] = Charlie (enter anything you like here)
[voiceport] = COMMON (use the up key to select COMMON)
[abbr] = (leave this blank)
[enable] = enabled (use the up key to select enabled)
[directorynumber] = (leave this blank)
Then we configure the VoIP server settings:
Code:
voice sip config primproxyaddr=sip.dial9.co.uk
voice sip config primregaddr=sip.dial9.co.uk
voice sip config notifier_addr=sip.dial9.co.uk
config save filename user
Wait a while and if you're lucky, VoIP will connect. Register a Hub Phone with your HH and you should be able to make calls. I am using my HH behind a new Sky router and did not need to set up any port forwards to make this work. Other routers, SIP servers, or having multiple SIP devices on your network may cause problems with NAT, but I didn't have any trouble with this.