BT HomeHub 1.0 and 1.5
White or black boxes given away with a bt broadband subscription. It comes in two versions The V1 and the V1.5. The first noticeable difference between the two versions is the shape and size. Under the cover they are identical apart from a slight pcb revision, addition of 5 extra red led's and two extra buttons on the V1.5.
There are other routers based on the same board as the homehub V1. Known to me are: speedtouch 7g and Aolbox. There may be more.
The homehub includes ADSL2+, 802.11b/g wireless, host and slave USB ports, 2 wired ethernet ports, DECT, FXS & FXO ports and VOIP functionality.
Hardware Highlights
| CPU | Ram | Flash | Ethernet | USB | Wireless | Serial | JTag | VOIP | FXS |
|---|---|---|---|---|---|---|---|---|---|
| Broadcom BCM96348@256MHz | 32MB | 8MB | 2 | Yes | yes | Yes | Yes | yes | yes |
Hardware Details
| CPU: Broadcom BCM6348@256MHz |
| RAM: Qimonda HYB39SC256160FE-7, 8Mbitx16bit, 32MByte, 133MHz |
| Flash: Spansion S29GL064A11TFIR4, 64Mbit, 8MByte, Pointless bottom boot (see below) |
| Wireless: BCM4318 802.11b/g, using seperate radio amplifier and diversity switch via pci |
| Ext. ethernet: Altima AC101 MII PHY |
| DECT: Philips/NXP PCD80705 Baseband DECT processor via spi |
| Slic: Silicon Labs si3230 ProSLIC |
Flash Layout
Based on FIrmware 6.2.2.6
| 0x00000000-0x0003FFFF Space allocated for bootloader - includes board parameters (serial number, Board type, MAC address, etc) |
| 0x00040000-0x000FFFFF JFFS2 User partition |
| 0x00100000-0x0010000F Firmware version magic |
| 0x00100010-0x001AFFFF Linux Kernel |
| 0x001B0000-0x007FFFFF Squashfs root fs |
It is somewhat different from the usual Broadcom layout. Probably due to the fact that this board does not use the CFE bootloader but uses a proprietory loader instead who's origins are unknown. This supplied bootloader is useless. I went through Tens of bootloaders before i come across a redboot loader from the inventel livebox and modified it to work with the homehub. Now i have recently discovered that this very same bootloader from the livebox is used in the Aolbox wich has a board identical to the homehub but uses different RAM memory thus the Aolbox/livebox and homehub bootloaders are not directly interchangeable.
Flash Details
You can access the flash via jtag at 1f400000 provided the homehub bootloader is running. If the loader is not running ie, bad flash you can access bootloader at 1fc00000+. The The flash chip is actually mapped at 1f800000-1fffffff while the mips boot address is 1fc00000 (half way through the physical flash address). The hub bootloader actally remaps the 4MB at 1fc00000 back before the physical start of the flash. Eg, actual 1f800000-1fffffff # copy 1fc00000-1fffffff to 1f400000 # now the flash lives at 1f400000-1fbfffff.
Photos
There are plenty of pictures of the homehub on the internet so i wont fill this space with its cover on.
| HomeHub V1 | HomeHub V1.5 |
|---|---|
| Top view | Top view |
 |
 |
| This one has had its led wiring changed to suit the Speedtouch 7G firmware | Note the extra 2 buttons and their position and the shape of the board. The led's are now on the other side too. |
| Bottom view | Bottom view |
 |
 |
| Note changes to the led type. They are now tri colour (green+red=orange). I have fitted it with a crude jtag connector. |
Tags
toh/bt/homehub_v1.txt · Last modified: 2013/05/29 12:36 by danitool
This text is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.