Hacking the BT Home Hub V2.0A via software

Introduction:
The BT Home Hub 2.0A was until now only hackable by JTAG. This, however, has all changed thanks to the efforts of forum member btsimonh. This is his method. He pioneered it on his own, and all credit and HUGE thanks go out to him.
The root hack that we use initially was developed by Surreliz3 over on modem-help.co.uk when the owner of the site, Alex, threw down the challenge.

Disclaimer:

1: Flashing your router with anything other than standard BT firmware will really, really definitely invalidate your warranty and, if done incorrectly, may cause your router to cease functioning. If you are unsure in any way then don't do it.
2: The firmware supplied, this method and all files, whilst tested, are provided as is with no warranty or liability on behalf of the author or the owner(s) of psidoc.com.

3: Just to repeat: If you are unsure in any way then don't do it!

Preparation:
This hack requires the use of 2 USB drives: 1 to help with the root hack, the other to hold the flash files.
Downloading the files:
Download the files from here: http://www.psidoc.com/showthread.php...re-flash-files and extract them to your HDD.
Password for the Archive = www.psidoc.com

Preparing the root hack drive:
In the folder FlashWithoutJTAG_btsimonh_v1 there is a disk image writer called DiskImage_1_6_WinAll.exe.
Insert your stick into your windows machine.
Run DiskImage as administrator.
Select the physical disk representing the USB stick. BE CAREFUL - YOU COULD DESTROY YOUR WINDOWS HD!
Select 'sysroot.sqsh' (remember to select 'All files', not just disk images, in the open dialog).
Hit start. It should complete very quickly.
USB Prepared!

Step 1 The Root Hack - Courtesy of Surrealiz3 from modem-help.co.uk:
Connect your PC to the Home Hub using an ethernet cable - NEVER TRY THIS WIRELESSLY! Make sure it is assigned an IP address.
Insert the USB drive we just prepared into the home hub and wait a few seconds.
In Windows Explorer, type \\192.168.1.253 into the address bar. You should see 'Disk_a' appear.
Navigate to \\192.168.1.253\Disk_a\sys\rw\dl\ and copy / paste in the utelnetd file from the FlashWithoutJTAG_btsimonh_v1 folder on your HDD.
Navigate to \\192.168.1.253\Disk_a\sys\rw\etc\ and DELETE the smb.conf file. Now copy / paste in the smb.conf file from the FlashWithoutJTAG_btsimonh_v1 folder on your HDD.
Close the Windows Explorer window.
Open a new Windows Explorer window and type \\192.168.1.253\Disk_yyy in the address bar. If it errors out, try \\192.168.1.253\Disk_a (it's a Windows thing - don't panic!).
The router will have launched utelnetd in the background on port 4002.
Click Start >> Run and type in telnet 192.168.1.253 4002. You should be greeted by a telnet prompt with full root privileges.
Hello Houston... WE HAVE ROOT!

Step 2: Flashing the new filesystem.
Take the other USB stick, and copy the v2reflash folder onto it.
Remove the first USB stick from the Homehub and insert the second.
It's worth noting here that some have tried a single USB stick with 2-3 partitions, with the root hack on one partition and the v2reflash files on another; however, it freezes at one of the commands later on, so don't! Use 2 separate USB sticks.

1: In the telnet window type:
mount
The output should be identical to the one below:

What we are interested in is this line: /dev/sda1 on /var/usbmount/sda1 type vfat (rw,sync,noatime,nodiratime,fmask=0000,dmask=0000)

If it says /sdb1 instead of /sda1, pull the USB drive out of the hub, wait 5 seconds and pop it back in, then run the mount command again; you will get the drive mounted as /sda1.

2: The first thing we need to do is back up your original firmware. This is done by typing the command below into the telnet window. The command copies a full flash backup to your USB stick and calls it backup.bin.
cat /dev/mtdblock5 > /var/usbmount/sda1/backup.bin

3: In the telnet window type:
cd /var/usbmount/sda1/v2reflash then ls -l
The output should match the image below with the exception of 2 files: the flash_createextended and flash_newrootfs files are not required and are not included, so their absence can be safely ignored.

What we have done here is simply check we have all the files in the right place.

4: In the telnet window type:
./startpivot
You will get a double check to confirm before anything happens. Press ENTER to continue or CTRL and C to cancel.
The output should match the image below.

This is where some Linux magic is performed. Basically, a new file system is made in memory and we switch to it so that the flash ROM can be accessed, and the files on the USB stick are copied to the /sbin directory on the router.
At this point the telnet window will disconnect - don't panic, this is expected. Wait till you see "Connection Lost to Host" and close the telnet window.

5: Telnet back in on port 4003: click Start >> Run and type in telnet 192.168.1.253 4003, as per the image below.

And we should be back in business.

6: In the new Telnet window type:
unmount
The output should match the picture below.

At this stage we're just cleaning up a little more so we have plenty of space to work with.

Note: It's worth mentioning here that so far NO changes have been made to the Home Hub in any way whatsoever, so if you are not happy in any way you can unplug it and it will reboot as if nothing has ever happened.
The next step, however, will erase and reflash the Home Hub. It takes approx 3-4 minutes, so please DO NOT POWER OFF THE ROUTER TILL THIS PART IS COMPLETED.
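Before you reach the irreversible step, it is worth making the two checks from items 1 and 2 of Step 2 mechanical rather than eyeball work: confirm which mount point the USB stick actually got (the /sda1 vs /sdb1 case), and confirm that backup.bin really is a byte-for-byte copy of the flash before anything is erased. The shell below is an added example written for this write-up; it is not part of the original post or of btsimonh's v2reflash files. It assumes BusyBox-style mount output as quoted above and a cksum binary (present in BusyBox and coreutils). The mount output samples are constructed, and the demonstration copies a temporary file rather than /dev/mtdblock5, so it runs safely on any Linux box.

```shell
#!/bin/sh
# Added example, not part of the original post or the v2reflash files.
# Helpers for the checks in Step 2: locating the USB stick from `mount`
# output (item 1) and confirming the flash backup is intact (item 2).
# Assumes BusyBox-style `mount` output and a `cksum` binary.

# find_usb_mount: read `mount` output on stdin and print the mount point of
# the first vfat filesystem under /var/usbmount. Returns 1 if none is mounted.
find_usb_mount() {
    mp=$(awk '$5 == "vfat" && $3 ~ "^/var/usbmount/" { print $3; exit }')
    [ -n "$mp" ] || return 1
    printf '%s\n' "$mp"
}

# is_expected_mount: true only for the /sda1 mount point that the later
# commands in the post hard-code; anything else means re-seat the stick.
is_expected_mount() {
    [ "$1" = "/var/usbmount/sda1" ]
}

# check_backup SRC DST: compare CRC and byte count of source and copy.
# Prints "crc size" of the copy and returns 0 on a match, 1 otherwise.
check_backup() {
    src_sum=$(cksum < "$1") || return 1
    dst_sum=$(cksum < "$2") || return 1
    [ "$src_sum" = "$dst_sum" ] || return 1
    printf '%s\n' "$dst_sum"
}

# backup_flash SRC DST: copy SRC to DST with cat, exactly as the post does
# for /dev/mtdblock5, then verify the copy with check_backup.
backup_flash() {
    cat "$1" > "$2" || return 1
    check_backup "$1" "$2"
}

# Constructed sample of the mount output the post describes (not captured
# from a real hub); the vfat line is the one quoted in the post.
SAMPLE_MOUNT='rootfs on / type rootfs (rw)
proc on /proc type proc (rw)
/dev/sda1 on /var/usbmount/sda1 type vfat (rw,sync,noatime,nodiratime,fmask=0000,dmask=0000)'

# Same constructed sample with the stick enumerated as sdb1, the case the
# post tells you to fix by pulling and re-inserting the stick.
SAMPLE_MOUNT_SDB='rootfs on / type rootfs (rw)
/dev/sdb1 on /var/usbmount/sdb1 type vfat (rw,sync,noatime,nodiratime,fmask=0000,dmask=0000)'

# Stand-alone demonstration against the constructed data and a temp file
# standing in for /dev/mtdblock5.
main() {
    mp=$(printf '%s\n' "$SAMPLE_MOUNT" | find_usb_mount) || { echo "no USB stick mounted"; return 1; }
    if is_expected_mount "$mp"; then
        echo "USB stick mounted at $mp"
    else
        echo "USB stick mounted at $mp - re-seat it until it comes up as /var/usbmount/sda1"
    fi
    tmp=$(mktemp -d)
    printf 'constructed flash image contents' > "$tmp/mtdblock5"
    if backup_flash "$tmp/mtdblock5" "$tmp/backup.bin" > /dev/null; then
        echo "backup.bin verified against source"
    else
        echo "backup.bin does NOT match source - do not flash"
    fi
    rm -rf "$tmp"
}

main "$@"
```

On the hub itself you would feed the real mount output (mount | find_usb_mount) and point backup_flash at /dev/mtdblock5 and "$mp/backup.bin"; if check_backup ever fails, repeat the backup before going anywhere near step 7.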

7: In the new Telnet window type:
flash_allfrom40000
You will get a double check to confirm before anything happens. Press ENTER to flash or CTRL and C to cancel.
Now... sit on your hands and do nothing! Just watch the telnet window for the next 3-4 minutes. The output should be like this:

When you see the directories in blue that confirms the flash has been successful.
Congratulations, you have softmodded your HH2.