User Tools

Site Tools


BT HomeHub 3.0b


Following the sad closure of, all members of the BT Home Hub Openwrt community are now encouraged to join in ongoing development efforts, concentrated on the Home Hub 2B, at

Although sharing identical cases, the HomeHub 3.0b has totally different hardware to the BT HomeHub 3.0a and the BT Business Hub 3.0.

The HH3.0b is based on the Broadcom BCM6361 SoC solution, whereas the HH3.0a and the BH3.0 are both driven by the Lantiq ARX168 SoC.

For identification purposes, the white boilerplate on the base of the device distinguishes the model number. The HH3.0a and the BT Business 3.0a, and the HH3.0b also have DC input sockets with a different diameter.

There is a successful root prompt hack by exploiting upnp (thanks Zach, end of kitz post).

Boot process: The CFE is run from a two part boot process. A pre-boot loader based on CFE code seems to run from the first sector of flash, (seems to have been copied to 0x80000000), which then loads cferam.000 from the jffs2 rootfs. The jffs2 is signed in some way, and if this signature is mismatched, then the cferam refuses to start linux, but reportedly goes into a firmware update mode.

No serial port or jtag connector has been identified.

unanswered questions: How does the first sector of flash get to 0x80000000 (assume something is present at bfc00000?, a pre-pre-boot loader?)

What username and pwd can be used to access the cli (exe available in .bin)?

Can we modify cferam.000? Has anyone else seen such a two-step cfe boot process?


toh/bt/homehub.3.0b.txt · Last modified: 2014/02/02 15:57 by benm