BT HomeHub 3.0B

NEWSFLASH (JANUARY 2014):

Following the sad closure of http://psidoc.com, all members of the BT Home Hub OpenWrt community are now encouraged to join the ongoing development efforts, concentrated on the Home Hub 2B, at http://openwrt.ebilan.co.uk.

Supported Versions

| Version/Model | Launch Date | S/N | OpenWrt Version Supported | Model Specific Notes |
|---|---|---|---|---|
| Type-B | ~2010 | - | support possible, but not supported yet | Broadcom BCM63xx |

Although they share identical cases, the HomeHub 3.0b has totally different hardware from the BT HomeHub 3.0a and the BT Business Hub 3.0.

For identification purposes, the white boilerplate on the base of the device gives the model number. The DC input sockets of the HH3.0a and the BT Business 3.0a, and of the HH3.0b, also differ in diameter.

NOTE: Anything not included in model specific notes, or where a short comment couldn't be included on the notes.

OEM source code available at: http://bt.custhelp.com/app/answers/detail/a_id/35298/~/bt-home-hub%2C-bt-voyager-and-connected-devices-gpl-code

Hardware Highlights

| SoC | Ram | Flash | Network | USB | Serial | JTag |
|---|---|---|---|---|---|---|
| Broadcom BCM6361 | 64MiB | 32MiB | 4 x 1 | Yes | No | ? |

Manufacturer's site: http://www.shop.bt.com/products/bt-business-hub-3-80QC.html

Forum: http://forum.kitz.co.uk/index.php/topic,10161.0.html

Specific values you need

Bootloader tftp server IPv4 address: FILL-IN
Bootloader MAC address (special): FILL-IN
Firmware tftp image: Latest OpenWrt release (NOTE: Name must contain "tftp")
TFTP Transfer Window: FILL-IN seconds
TFTP Window Start: approximately FILL-IN seconds after power on
TFTP Client Required IP Address: FILL-IN

FIXME

Basic configuration

Basic configuration: after flashing, proceed with this.
Set up your Internet connection, configure wireless, configure the USB port, etc.

Specific Configuration

Interfaces

The default network configuration is:

| Interface Name | Description | Default configuration |
|---|---|---|
| br-lan | LAN & WiFi | 192.168.1.1/24 |
| vlan0 (eth0.0) | LAN ports (1 to 4) | None |
| vlan1 (eth0.1) | WAN port | DHCP |
| wl0 | WiFi | Disabled |

Failsafe mode

Buttons

See hardware.button for how to use and configure the hardware button(s).

The BT HomeHub 3.0b has four buttons. They are Reset, Power, Restart and Secure Easy Setup.

| BUTTON | Event |
|---|---|
| Reset | reset |
| Secure Easy Setup | ses |
| Power | Toggle |
| Restart | |

FIXME

Hardware

Info

Instruction set: MIPS
Vendor: Broadcom
Bootloader: CFE
System-On-Chip: Broadcom BCM6361
CPU @Frq: MIPS 32Kc @400MHz
Flash size: 32 MiB
Flash Chip: STMicroelectronics NAND256W3ABN6
RAM size: 64 MiB
RAM Chip: Hynix H5PS5162FFR-S6C
Wireless No1: SoC-integrated: Broadcom BCM6361 w/ 2x2 MIMO for 2.4GHz 802.11b/g/n
Switch: Broadcom BCM6361 (Gigabit), Broadcom B50612E x 2
Modem: ADSL2+
USB: Yes 1 x 2.0
Serial: No
JTAG: No

Photos

Model Number

Front:

Photo of front of the casing https://upload.wikimedia.org/wikipedia/en/1/10/Front_view_of_BT_Home_Hub_3.jpg

Back:

Photo of back of the casing http://www.techdigest.tv/home-hub-3-mid.jpg

Opening the case

Note: This will void your warranty!

  • To remove the cover do a/b/c

Main PCB

Photo of PCB https://wikidevi.com/w/images/a/a1/Bthh3b_board_top.jpg

Photo of Back of PCB https://wikidevi.com/w/images/d/dd/Bthh3b_board_bot.jpg

Photo of SOC https://wikidevi.com/w/images/4/4c/Bthh3b_cc.jpg

Photo of PHYs https://wikidevi.com/w/images/6/66/Bthh3b_phy.jpg

Mods

Two U.FL (mini-coax) connectors can be found on the PCB, for a possible external antenna mod.

Notes

There is a successful root-prompt hack that exploits UPnP (thanks Zach; see the end of the kitz post).

Boot process: CFE runs as a two-part boot process. A pre-boot loader based on CFE code seems to run from the first sector of flash (it seems to have been copied to 0x80000000) and then loads cferam.000 from the jffs2 rootfs. The jffs2 is signed in some way; if the signature does not match, cferam refuses to start Linux and reportedly goes into a firmware update mode.

No serial port or jtag connector has been identified.

Unanswered questions: How does the first sector of flash get to 0x80000000? (Presumably something is present at bfc00000, a pre-pre-boot loader?)

What username and password can be used to access the CLI (the executable is available in the .bin)?

Can we modify cferam.000? Has anyone else seen such a two-step CFE boot process?

Zack's (zcutlip) exploit

Requires a firmware version earlier than V100R001C01B036SP03_L_B

http://forum.kitz.co.uk/index.php?topic=10161.msg234358#msg234358

Bootlogs

OEM Firmware Dump

$ ls -l
total 32768
-rw-r--r-- 1 asbokid asbokid 33554432 Jul 17 22:53 hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin
$ md5sum hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin
0e1364cf226f3078d1371e633968b985  hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin
$ xxd -s $((0x4000)) -l 256 hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin
0004000: 6e88 b7e4 99d1 3e51 f8de edcf 5398 001d  n.....>Q....S...
0004010: 2687 ce64 98a3 793e 36fb 919a 11eb 5945  &..d..y>6.....YE
0004020: 9450 69f3 ef80 dc0e a3fa c50f 5900 b00b  .Pi.........Y...
0004030: f1e8 7d0b 0676 aefb d11b deaf 1876 42ae  ..}..v.......vB.
0004040: ab49 657c 6dba 5344 d571 af42 6551 596a  .Ie|m.SD.q.BeQYj
0004050: 8ecc 277d 3d51 2f0c 8e88 c434 568d 0109  ..'}=Q/....4V...
0004060: a97a c1ee 3a95 f59b 3eff e0e6 17da b28c  .z..:...>.......
0004070: 74dd 93f0 c3ce c288 87d5 06cc 76e4 2828  t...........v.((
0004080: 0001 5898 00b9 c014 0001 486f 6d65 4875  ..X.......HomeHu
0004090: 6233 5631 3030 5230 3031 4330 3142 3033  b3V100R001C01B03
00040a0: 3153 5030 395f 4c5f 425f 7432 3031 312d  1SP09_L_B_t2011-
00040b0: 3036 2d30 315f 3232 3a33 3900 0000 0000  06-01_22:39.....
00040c0: 3132 3137 3333 3332 0000 2d35 3937 3135  12173332..-59715
00040d0: 3931 3139 3100 0000 3000 0000 0000 0000  91191...0.......
00040e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00040f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
$ dd if=hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin of=jffs2_be skip=$((0x8000)) count=12173332 bs=1
12173332+0 records in
12173332+0 records out
12173332 bytes (12 MB) copied, 25.1295 s, 484 kB/s
$ sudo jffs2dump --bigendian jffs2_be --endianconvert=jffs2_le
Wrong bitmask at 0x00b9c000, 0x3113
Wrong bitmask at 0x00b9c004, 0x0000
Wrong bitmask at 0x00b9c008, 0x0000
Wrong bitmask at 0x00b9c00c, 0x0000
Wrong bitmask at 0x00b9c010, 0x0000
$ file jffs2_le
jffs2_le: Linux jffs2 filesystem data little endian
$ sudo modprobe mtdblock
$ sudo modprobe mtdram total_size=300000
$ sudo dd if=./jffs2_le of=/dev/mtdblock0
23776+1 records in
23776+1 records out
12173332 bytes (12 MB) copied, 0.0913846 s, 133 MB/s
$ sudo mount -t jffs2 /dev/mtdblock0 /mnt/
$ cd /mnt
$ ls -l
total 1359
dr-xr-xr-x 2 root 1101 0 Jun 1 2011 bin
drwxrwxrwx 3 root root 0 Jun 1 2011 BTAgent
-rw-r--r-- 1 root root 187416 Jun 1 2011 cferam.000
drwxrwx--- 2 root 1102 0 Jun 1 2011 config
drwxr-xr-x 3 root root 0 Jun 1 2011 dev
dr-xr-xr-- 8 root 1102 0 May 31 2011 etc
drwxrwxrwx 5 root root 0 Jun 1 2011 lib
lrwxrwxrwx 1 root 1101 11 Jun 1 2011 linuxrc -> bin/busybox
drwxr-xr-x 2 root root 0 Jun 1 2011 mnt
drwxr-xr-x 2 root root 0 Jun 1 2011 proc
dr-xr-xr-x 2 root 1101 0 Jun 1 2011 sbin
drwxr-xr-x 2 root root 0 Jun 1 2011 tmp
dr-xr-xr-x 3 root 1101 0 Jun 1 2011 usr
drwxrwx--- 2 root 1102 0 Jun 1 2011 var
-rw-r--r-- 1 root root 1202746 Jun 1 2011 vmlinux.lz
$ tree -s /mnt/
/mnt/
├── [ 0] bin
│   ├── [ 24884] acs_cli
│   ├── [ 90824] acsd
│   ├── [ 11328] arpsender
│   ├── [ 7] ash -> busybox
│   ├── [ 81384] bcmupnp
│   ├── [ 28096] brctl
│   ├── [ 249280] busybox
│   ├── [ 7] cat -> busybox
│   ├── [ 7] chgrp -> busybox
│   ├── [ 7] chmod -> busybox
│   ├── [ 7] chown -> busybox
│   ├── [ 89739] cli
│   ├── [ 707988] cms
│   ├── [ 3] console -> cli
│   ├── [ 7] cp -> busybox
│   ├── [ 68376] cwmp
│   ├── [ 7] date -> busybox
│   ├── [ 36424] ddnsc
│   ├── [ 27752] dhcpc
│   ├── [ 59748] dhcpr
│   ├── [ 65988] dhcps
│   ├── [ 39084] dns
│   ├── [ 10984] dsldiagd
│   ├── [ 48296] eapd
│   ├── [ 64324] ebtables
│   ├── [ 7] echo -> busybox
│   ├── [ 37716] equipcmd
│   ├── [ 18192] ethcmd
│   ├── [ 51864] ethswctl
│   ├── [ 7] false -> busybox
│   ├── [ 10608] fapctl
│   ├── [ 8920] fcctl
│   ├── [ 7] gunzip -> busybox
│   ├── [ 7] gzip -> busybox
│   ├── [ 39568] igmpproxy
│   ├── [ 199728] ip
│   ├── [ 20816] ipcheck
│   ├── [ 25156] ipp
│   ├── [ 198888] iptables
│   ├── [ 7] kill -> busybox
│   ├── [ 3832] klog
│   ├── [ 56424] lld2d
│   ├── [ 7] ln -> busybox
│   ├── [ 20968] log
│   ├── [ 7] ls -> busybox
│   ├── [ 54096] mic
│   ├── [ 17824] MidServer
│   ├── [ 7392] mirror
│   ├── [ 7] mkdir -> busybox
│   ├── [ 7] mknod -> busybox
│   ├── [ 7] mount -> busybox
│   ├── [ 7] mv -> busybox
│   ├── [ 56860] nas
│   ├── [ 10] nas4not -> ../bin/nas
│   ├── [ 7] netstat -> busybox
│   ├── [ 916196] nmbd
│   ├── [ 46960] ntfs-3g
│   ├── [ 3768] nvram
│   ├── [ 7] ping -> busybox
│   ├── [ 214140] pppc
│   ├── [ 7] ps -> busybox
│   ├── [ 10788] pwrcmd
│   ├── [ 570592] racoon
│   ├── [ 80240] ripd
│   ├── [ 7] rm -> busybox
│   ├── [ 5228] rsaEnfile
│   ├── [ 30904] scp
│   ├── [ 90560] setkey
│   ├── [ 7] sh -> busybox
│   ├── [ 188444] siproxd
│   ├── [ 7] sleep -> busybox
│   ├── [ 2174532] smbd
│   ├── [ 67056] smbpasswd
│   ├── [ 20900] sntp
│   ├── [ 5800] spuctl
│   ├── [ 133556] sshd
│   ├── [ 961] startbsp
│   ├── [ 2370] swapdev
│   ├── [ 7] tar -> busybox
│   ├── [ 234544] tc
│   ├── [ 5944] telnetd
│   ├── [ 4264] tops
│   ├── [ 7948] tr111
│   ├── [ 7] umount -> busybox
│   ├── [ 37440] upg
│   ├── [ 108816] upnp
│   ├── [ 50548] urlfilterd
│   ├── [ 16704] usbmount
│   ├── [ 111868] web
│   ├── [ 5] wl -> wlctl
│   ├── [ 58795] wlancmd
│   ├── [ 2172] wlctl
│   ├── [ 196844] wps_monitor
│   ├── [ 59760] xdslcmd
│   ├── [ 29932] xtmcmd
│   ├── [ 7] zcat -> busybox
│   └── [ 71860] zebra
├── [ 0] BTAgent
│   └── [ 0] ro
│       ├── [ 10079] btagent
│       ├── [ 732] btagent.conf
│       ├── [ 187] btagentstart.sh
│       ├── [ 1659] copy_hh3
│       ├── [ 4936] libparseplugins.so
│       ├── [ 5588] libplugin.so
│       ├── [ 5248] libplugins.so
│       ├── [ 6812] libsourceplugins.so
│       ├── [ 7620] libtcp.so
│       ├── [ 5192] libtransportplugins.so
│       ├── [ 0] plugin_parse
│       │   └── [ 14072] libxml.so
│       ├── [ 0] plugin_source
│       │   ├── [ 8964] libbtagent.so
│       │   ├── [ 11724] libfwm.so
│       │   ├── [ 4044] libhuawei.so
│       │   ├── [ 11444] liblogger.so
│       │   └── [ 7260] libprobe.so
│       ├── [ 0] plugin_transport
│       │   └── [ 51424] libsec.so
│       ├── [ 286] publickeys.dat
│       └── [ 17] RWPath
├── [ 187416] cferam.000
├── [ 0] config
├── [ 0] dev
│   ├── [ 0] console
│   ├── [ 9] fuse -> /var/fuse
│   ├── [ 0] misc
│   │   └── [ 9] fuse -> /var/fuse
│   └── [ 0] null
├── [ 0] etc
│   ├── [ 0] adsl
│   │   └── [ 525344] adsl_phy.bin
│   ├── [ 227136] defaultcfg.xml
│   ├── [ 23] dhcps2.leases -> /var/dhcp/dhcps/leasesF
│   ├── [ 22] dhcps.conf -> /var/dhcp/dhcps/config
│   ├── [ 22] dhcps.leases -> /var/dhcp/dhcps/leases
│   ├── [ 1317] ethertypes
│   ├── [ 34] fstab
│   ├── [ 198] group
│   ├── [ 458] handy_dss_key
│   ├── [ 427] handy_rsa_key
│   ├── [ 2836] hurlwebidx
│   ├── [ 1431932] hurlwebimg
│   ├── [ 71] inetd.conf
│   ├── [ 0] init.d
│   │   └── [ 3660] rcS
│   ├── [ 105] inittab
│   ├── [ 0] jffs.img
│   ├── [ 20] lmhosts
│   ├── [ 9] mtab -> /var/mtab
│   ├── [ 507] passwd
│   ├── [ 51] printers.ini
│   ├── [ 133] profile
│   ├── [ 132] radius.conf
│   ├── [ 20] resolv.conf -> /var/dns/resolv.conf
│   ├── [ 0] rlog
│   │   ├── [ 344] rlog1
│   │   ├── [ 344] rlog2
│   │   └── [ 344] rlog3
│   ├── [ 1005] root.crt
│   ├── [ 1147] root.pem
│   ├── [ 426] rsa_host_key
│   ├── [ 10] samba -> /var/samba
│   ├── [ 2993] servercert.crt
│   ├── [ 1119] servercert.pem
│   ├── [ 963] server.key
│   ├── [ 951] serverkey.pem
│   ├── [ 1995] services
│   ├── [ 33044] share.map
│   ├── [ 0] ssh
│   │   └── [ 614] authorized_keys
│   ├── [ 11] sysmsg -> /var/sysmsg
│   ├── [ 7] TZ -> /var/TZ
│   ├── [ 0] upnp
│   │   ├── [ 5124] DevCfg.xml
│   │   ├── [ 6362] DevInfo.xml
│   │   ├── [ 619] IGDInfoScpd.xml
│   │   ├── [ 2773] LANEthernetCfg.xml
│   │   ├── [ 517] LANSec.xml
│   │   ├── [ 1749] WanCommonIfc1.xml
│   │   ├── [ 1867] WANDslDiag.xml
│   │   ├── [ 11799] WanDslIfCfg.xml
│   │   ├── [ 3152] WanEthInterCfg.xml
│   │   ├── [ 608] WanEthLinkCfg.xml
│   │   ├── [ 11593] WanIpConn.xml
│   │   ├── [ 11426] WanPppConn.xml
│   │   └── [ 18803] WLANCfg.xml
│   ├── [ 6785] webidx
│   ├── [ 1428438] webimg
│   ├── [ 0] wlan
│   │   ├── [ 448] bcm43112_map.bin
│   │   ├── [ 448] bcm4313_map.bin
│   │   ├── [ 448] bcm4321_map.bin
│   │   ├── [ 448] bcm43222_map.bin
│   │   ├── [ 448] bcm43224_map.bin
│   │   ├── [ 448] bcm43225_map.bin
│   │   ├── [ 448] bcm43226_map.bin
│   │   ├── [ 448] bcm4322_map.bin
│   │   ├── [ 448] bcm4331_map.bin
│   │   ├── [ 448] bcm6362_map.bin
│   │   └── [ 89] nvram_params
│   ├── [ 7358] wrt54g.large.ico
│   ├── [ 3262] wrt54g.small.ico
│   └── [ 2100] wsc_config_1a_ap.txt
├── [ 0] lib
│   ├── [ 0] codepages
│   ├── [ 0] extra
│   │   ├── [ 341048] adsldd.ko
│   │   ├── [ 145388] bcm_enet.ko
│   │   ├── [ 136388] bcmfap.ko
│   │   ├── [ 91168] bcmvlan.ko
│   │   ├── [ 83344] bcmxtmcfg.ko
│   │   ├── [ 3852] otp.ko
│   │   ├── [ 10704] p8021ag.ko
│   │   ├── [ 38956] pktflow.ko
│   │   ├── [ 8948] pwrmngtd.ko
│   │   └── [ 3089688] wl.ko
│   ├── [ 0] kernel
│   │   ├── [ 0] crypto
│   │   │   ├── [ 5356] ecb.ko
│   │   │   └── [ 6908] pcbc.ko
│   │   └── [ 0] drivers
│   │       ├── [ 0] scsi
│   │       │   └── [ 2168] scsi_wait_scan.ko
│   │       ├── [ 0] usb
│   │       │   └── [ 0] storage
│   │       │       └── [ 77204] usb-storage.ko
│   │       └── [ 0] watchdog
│   │           └── [ 8796] bcmdog.ko
│   ├── [ 20700] ld-uClibc.so.0
│   ├── [ 58008] libatputil.so
│   ├── [ 13068] libbhalapi.so
│   ├── [ 167140] libcfmapi.so
│   ├── [ 18] libcrypto_openssl.so -> libcrypto.so.0.9.8
│   ├── [ 131836] libcrypto.so
│   ├── [ 18] libcrypto.so.0.9.7 -> libcrypto.so.0.9.8
│   ├── [ 1433876] libcrypto.so.0.9.8
│   ├── [ 10420] libcrypt.so.0
│   ├── [ 364392] libc.so.0
│   ├── [ 4820] libdhcpoptionsapi.so
│   ├── [ 4944] libdhcpstackapi.so
│   ├── [ 8304] libdl.so.0
│   ├── [ 54272] libethswctl.so
│   ├── [ 3648] libfcctl.so
│   ├── [ 174632] libgcc_s.so.1
│   ├── [ 2404] libgplutil.so
│   ├── [ 46216] libhttpapi.so
│   ├── [ 17] libiconv.so -> libiconv.so.2.5.0
│   ├── [ 17] libiconv.so.2 -> libiconv.so.2.5.0
│   ├── [ 297288] libiconv.so.2.5.0
│   ├── [ 15592] libMidClient.so
│   ├── [ 18476] libmsgapi.so
│   ├── [ 98056] libm.so.0
│   ├── [ 917] libnsl.so.0
│   ├── [ 410992] libntfs-3g.so.73
│   ├── [ 8048] libnvram.so
│   ├── [ 71628] libpthread.so.0
│   ├── [ 917] libresolv.so.0
│   ├── [ 18940] librsa.so
│   ├── [ 3348] librt.so.0
│   ├── [ 15] libssl_openssl.so -> libssl.so.0.9.8
│   ├── [ 12] libssl.so -> libcrypto.so
│   ├── [ 15] libssl.so.0.9.7 -> libssl.so.0.9.8
│   ├── [ 268464] libssl.so.0.9.8
│   ├── [ 14840] libstuncapir.so
│   ├── [ 11160] libthread_db.so.1
│   ├── [ 3948] libutil.so.0
│   ├── [ 95548] libwlbcmcrypto.so
│   ├── [ 60688] libwlbcmshared.so
│   ├── [ 344884] libwlctl.so
│   ├── [ 51304] libwps.so
│   ├── [ 25624] libxmlapi.so
│   ├── [ 78420] libz.so
│   └── [ 7] libz.so.1 -> libz.so
├── [ 11] linuxrc -> bin/busybox
├── [ 0] mnt
├── [ 0] proc
├── [ 0] sbin
│   ├── [ 14] arp -> ../bin/busybox
│   ├── [ 14] flash_eraseall -> ../bin/busybox
│   ├── [ 14] ifconfig -> ../bin/busybox
│   ├── [ 14] init -> ../bin/busybox
│   ├── [ 14] insmod -> ../bin/busybox
│   ├── [ 14] reboot -> ../bin/busybox
│   ├── [ 14] rmmod -> ../bin/busybox
│   ├── [ 14] route -> ../bin/busybox
│   ├── [ 14] smuxctl -> ../bin/busybox
│   ├── [ 14] vconfig -> ../bin/busybox
│   ├── [ 14] watchdog -> ../bin/busybox
│   └── [ 14] zcip -> ../bin/busybox
├── [ 0] tmp
├── [ 0] usr
│   └── [ 0] bin
│       ├── [ 17] [ -> ../../bin/busybox
│       ├── [ 17] [[ -> ../../bin/busybox
│       ├── [ 161909] dbclient
│       ├── [ 17] ftpget -> ../../bin/busybox
│       ├── [ 17] ftpput -> ../../bin/busybox
│       ├── [ 17] killall -> ../../bin/busybox
│       ├── [ 17] renice -> ../../bin/busybox
│       ├── [ 17] test -> ../../bin/busybox
│       ├── [ 17] top -> ../../bin/busybox
│       └── [ 17] wget -> ../../bin/busybox
├── [ 0] var
└── [ 1202746] vmlinux.lz

33 directories, 273 files
$
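The header inspection and `dd` carve from the session above, done in one pass with consistency checks, as an added example that is not part of the original wiki page. The field layout (big-endian length at 0x4084, version string at 0x408a, ASCII length at 0x40c0) is inferred from the hexdump and is an assumption; `parse_header`, `carve_jffs2` and `make_sample_dump` are hypothetical names, and the sample dump is constructed.

```python
import struct

HDR_OFF = 0x4080              # header position seen in the xxd output above
FS_OFF = 0x8000               # JFFS2 start: the skip= value passed to dd above
JFFS2_MAGIC_BE = b"\x19\x85"  # JFFS2 node magic 0x1985 in big-endian byte order

def parse_header(dump):
    """Decode the header; field meanings are inferred from the hexdump (assumption)."""
    hdr = dump[HDR_OFF:HDR_OFF + 0x4a]
    if len(hdr) < 0x4a:
        raise ValueError("dump too short to hold the header")
    _word0, length, _half = struct.unpack(">IIH", hdr[:10])
    version = hdr[0x0a:0x40].split(b"\0", 1)[0].decode("ascii", "replace")
    ascii_len = hdr[0x40:0x4a].split(b"\0", 1)[0]
    # The length appears twice (binary and ASCII); a mismatch means a bad dump
    # or a different header layout than the one assumed here.
    if not ascii_len.isdigit() or int(ascii_len) != length:
        raise ValueError("binary and ASCII length fields disagree")
    return {"version": version, "length": length}

def carve_jffs2(dump):
    """Return (header, image bytes) after bounds and magic checks."""
    hdr = parse_header(dump)
    end = FS_OFF + hdr["length"]
    if end > len(dump):
        raise ValueError("length field runs past the end of the dump")
    image = dump[FS_OFF:end]
    if image[:2] != JFFS2_MAGIC_BE:
        raise ValueError("no big-endian JFFS2 node at 0x8000")
    return hdr, image

def make_sample_dump(fs_len=64, version=b"HomeHub3-CONSTRUCTED"):
    """Constructed stand-in for a real dump, laid out like the hexdump above."""
    dump = bytearray(b"\xff" * (FS_OFF + fs_len + 32))
    hdr = struct.pack(">IIH", 0x00015898, fs_len, 1) + version
    hdr = hdr.ljust(0x40, b"\0") + str(fs_len).encode().ljust(0x0a, b"\0")
    dump[HDR_OFF:HDR_OFF + len(hdr)] = hdr
    dump[FS_OFF:FS_OFF + fs_len] = JFFS2_MAGIC_BE + b"\0" * (fs_len - 2)
    return bytes(dump)

if __name__ == "__main__":
    header, image = carve_jffs2(make_sample_dump())
    print(header, len(image))
```

The carved length still includes the 20 bytes from 0x00b9c000 onward that jffs2dump reports as "Wrong bitmask", and the image still has to be endian-converted with jffs2dump before mounting.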

OpenWrt bootlog

PUT HERE YOUR BOOTLOG


toh/bt/homehub.3.0b.txt · Last modified: 2015/01/14 20:02 by mrpromaster