BT Home Hub 3.0 Type B
NEWSFLASH (JANUARY 2014):
Following the sad closure of http://psidoc.com, all members of the BT Home Hub Openwrt community are now encouraged to join in ongoing development efforts, concentrated on the Home Hub 2B, at http://openwrt.ebilan.co.uk.
OEM source code available at: http://bt.custhelp.com/app/answers/detail/a_id/35298/~/bt-home-hub%2C-bt-voyager-and-connected-devices-gpl-code
Supported Versions
Not supported
Identification
Although sharing identical cases, the HomeHub 3.0b has totally different hardware to the BT HomeHub 3.0a and the BT Business Hub 3.0.
To identify the device, check the white boilerplate on the base, which shows the model number. The DC input sockets also differ in diameter between the HH3.0a and BT Business 3.0a on the one hand and the HH3.0b on the other.
Hardware Highlights
SoC | Ram | Flash | Network | USB | Serial | JTag |
---|---|---|---|---|---|---|
Broadcom BCM6361 | 64MiB | 32MiB | 4 x 1 | Yes | No | ? |
Manufacturer's site: http://www.shop.bt.com/products/bt-business-hub-3-80QC.html
Specific values you need
Bootloader tftp server IPv4 address | FILL-IN |
Bootloader MAC address (special) | FILL-IN |
Firmware tftp image | Latest OpenWrt release (NOTE: Name must contain “tftp”) |
TFTP Transfer Window | FILL-IN seconds |
TFTP Window Start | approximately FILL-IN seconds after power on |
TFTP Client Required IP Address | FILL-IN |
Basic configuration
→ Basic configuration: after flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.
Specific Configuration
Interfaces
The default network configuration is:
Interface Name | Description | Default configuration |
---|---|---|
br-lan | LAN & WiFi | 192.168.1.1/24 |
vlan0 (eth0.0) | LAN ports (1 to 4) | None |
vlan1 (eth0.1) | WAN port | DHCP |
wl0 | WiFi | Disabled |
Failsafe mode
Buttons
→ hardware.button on how to use and configure the hardware button(s).
The BT HomeHub 3.0b has four buttons. They are Reset, Power, Restart and Secure Easy Setup.
BUTTON | Event |
---|---|
Reset | reset |
Secure Easy Setup | ses |
Power Toggle | |
Restart | |
Hardware
Info
Instruction set | MIPS |
---|---|
Vendor | Broadcom |
bootloader | CFE |
BoardID | 6362hhb3 |
System-On-Chip | Broadcom BCM6361 |
CPU @Frq | MIPS 32Kc @400MHz |
Flash size | 32 MiB |
Flash Chip | STMicroelectronics NAND256W3ABN6 |
RAM size | 64 MiB |
RAM Chip | Hynix H5PS5162FFR-S6C |
Wireless No1 | SoC-integrated: Broadcom BCM6361 w/ 2×2 MIMO for 2.4GHz 802.11b/g/n |
switch | Broadcom BCM6361 (Gigabit) , Broadcom B50612E x 2 |
Modem | ADSL2+ |
USB | Yes 1 x 2.0 |
Serial | No |
JTAG | No |
Photos
Model Number
Front:
Photo of front of the casing https://upload.wikimedia.org/wikipedia/en/1/10/Front_view_of_BT_Home_Hub_3.jpg
Back:
Photo of back of the casing http://www.techdigest.tv/home-hub-3-mid.jpg
Opening the case
Note: This will void your warranty!
- To remove the cover do a/b/c
Main PCB
Photo of PCB https://wikidevi.com/w/images/a/a1/Bthh3b_board_top.jpg
Photo of Back of PCB https://wikidevi.com/w/images/d/dd/Bthh3b_board_bot.jpg
Photo of SOC https://wikidevi.com/w/images/4/4c/Bthh3b_cc.jpg
Photo of PHYs https://wikidevi.com/w/images/6/66/Bthh3b_phy.jpg
Mods
Two U.FL connectors for mini-coax cables can be found on the PCB, for a possible external antenna mod.
Notes
A root prompt has been obtained by exploiting UPnP (thanks Zach; see the end of the kitz post).
Boot process: CFE runs as a two-part boot process. A pre-boot loader based on CFE code seems to run from the first sector of flash (it seems to have been copied to 0x80000000) and then loads cferam.000 from the jffs2 rootfs. The jffs2 is signed in some way; if the signature does not match, cferam refuses to start Linux and reportedly goes into a firmware update mode.
No serial port or jtag connector has been identified.
Unanswered questions:
- How does the first sector of flash get to 0x80000000 (assume something is present at bfc00000, a pre-pre-boot loader)?
- What username and password can be used to access the cli (exe available in .bin)?
- Can we modify cferam.000?
- Has anyone else seen such a two-step CFE boot process?
Under the main NAND flash chip there is a footprint for an SPI flash, which could possibly be used as an alternative boot device if the main flash gets damaged (connected, but untested). These pins are much easier to solder to.
Zack's (zcutlip) exploit
Requires a firmware before V100R001C01B036SP03_L_B
http://forum.kitz.co.uk/index.php?topic=10161.msg234358#msg234358
Bootlogs
OEM Firmware Dump
```
$ ls -l
total 32768
-rw-r--r-- 1 asbokid asbokid 33554432 Jul 17 22:53 hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin
$ md5sum hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin
0e1364cf226f3078d1371e633968b985  hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin
$ xxd -s $((0x4000)) -l 256 hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin
0004000: 6e88 b7e4 99d1 3e51 f8de edcf 5398 001d  n.....>Q....S...
0004010: 2687 ce64 98a3 793e 36fb 919a 11eb 5945  &..d..y>6.....YE
0004020: 9450 69f3 ef80 dc0e a3fa c50f 5900 b00b  .Pi.........Y...
0004030: f1e8 7d0b 0676 aefb d11b deaf 1876 42ae  ..}..v.......vB.
0004040: ab49 657c 6dba 5344 d571 af42 6551 596a  .Ie|m.SD.q.BeQYj
0004050: 8ecc 277d 3d51 2f0c 8e88 c434 568d 0109  ..'}=Q/....4V...
0004060: a97a c1ee 3a95 f59b 3eff e0e6 17da b28c  .z..:...>.......
0004070: 74dd 93f0 c3ce c288 87d5 06cc 76e4 2828  t...........v.((
0004080: 0001 5898 00b9 c014 0001 486f 6d65 4875  ..X.......HomeHu
0004090: 6233 5631 3030 5230 3031 4330 3142 3033  b3V100R001C01B03
00040a0: 3153 5030 395f 4c5f 425f 7432 3031 312d  1SP09_L_B_t2011-
00040b0: 3036 2d30 315f 3232 3a33 3900 0000 0000  06-01_22:39.....
00040c0: 3132 3137 3333 3332 0000 2d35 3937 3135  12173332..-59715
00040d0: 3931 3139 3100 0000 3000 0000 0000 0000  91191...0.......
00040e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00040f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
```
```
$ dd if=hh3.0b.V100R001C01B031SP09_l_B_t2011-06-01_22_39.eccstripped.bin of=jffs2_be skip=$((0x8000)) count=12173332 bs=1
12173332+0 records in
12173332+0 records out
12173332 bytes (12 MB) copied, 25.1295 s, 484 kB/s
$ sudo jffs2dump --bigendian jffs2_be --endianconvert=jffs2_le
Wrong bitmask at 0x00b9c000, 0x3113
Wrong bitmask at 0x00b9c004, 0x0000
Wrong bitmask at 0x00b9c008, 0x0000
Wrong bitmask at 0x00b9c00c, 0x0000
Wrong bitmask at 0x00b9c010, 0x0000
$ file jffs2_le
jffs2_le: Linux jffs2 filesystem data little endian
$ sudo modprobe mtdblock
$ sudo modprobe mtdram total_size=300000
$ sudo dd if=./jffs2_le of=/dev/mtdblock0
23776+1 records in
23776+1 records out
12173332 bytes (12 MB) copied, 0.0913846 s, 133 MB/s
$ sudo mount -t jffs2 /dev/mtdblock0 /mnt/
$ cd /mnt
$ ls -l
total 1359
dr-xr-xr-x 2 root 1101 0 Jun 1 2011 bin
drwxrwxrwx 3 root root 0 Jun 1 2011 BTAgent
-rw-r--r-- 1 root root 187416 Jun 1 2011 cferam.000
drwxrwx--- 2 root 1102 0 Jun 1 2011 config
drwxr-xr-x 3 root root 0 Jun 1 2011 dev
dr-xr-xr-- 8 root 1102 0 May 31 2011 etc
drwxrwxrwx 5 root root 0 Jun 1 2011 lib
lrwxrwxrwx 1 root 1101 11 Jun 1 2011 linuxrc -> bin/busybox
drwxr-xr-x 2 root root 0 Jun 1 2011 mnt
drwxr-xr-x 2 root root 0 Jun 1 2011 proc
dr-xr-xr-x 2 root 1101 0 Jun 1 2011 sbin
drwxr-xr-x 2 root root 0 Jun 1 2011 tmp
dr-xr-xr-x 3 root 1101 0 Jun 1 2011 usr
drwxrwx--- 2 root 1102 0 Jun 1 2011 var
-rw-r--r-- 1 root root 1202746 Jun 1 2011 vmlinux.lz
$ tree -s /mnt/
/mnt/
├── [ 0] bin
│   ├── [ 24884] acs_cli
│   ├── [ 90824] acsd
│   ├── [ 11328] arpsender
│   ├── [ 7] ash -> busybox
│   ├── [ 81384] bcmupnp
│   ├── [ 28096] brctl
│   ├── [ 249280] busybox
│   ├── [ 7] cat -> busybox
│   ├── [ 7] chgrp -> busybox
│   ├── [ 7] chmod -> busybox
│   ├── [ 7] chown -> busybox
│   ├── [ 89739] cli
│   ├── [ 707988] cms
│   ├── [ 3] console -> cli
│   ├── [ 7] cp -> busybox
│   ├── [ 68376] cwmp
│   ├── [ 7] date -> busybox
│   ├── [ 36424] ddnsc
│   ├── [ 27752] dhcpc
│   ├── [ 59748] dhcpr
│   ├── [ 65988] dhcps
│   ├── [ 39084] dns
│   ├── [ 10984] dsldiagd
│   ├── [ 48296] eapd
│   ├── [ 64324] ebtables
│   ├── [ 7] echo -> busybox
│   ├── [ 37716] equipcmd
│   ├── [ 18192] ethcmd
│   ├── [ 51864] ethswctl
│   ├── [ 7] false -> busybox
│   ├── [ 10608] fapctl
│   ├── [ 8920] fcctl
│   ├── [ 7] gunzip -> busybox
│   ├── [ 7] gzip -> busybox
│   ├── [ 39568] igmpproxy
│   ├── [ 199728] ip
│   ├── [ 20816] ipcheck
│   ├── [ 25156] ipp
│   ├── [ 198888] iptables
│   ├── [ 7] kill -> busybox
│   ├── [ 3832] klog
│   ├── [ 56424] lld2d
│   ├── [ 7] ln -> busybox
│   ├── [ 20968] log
│   ├── [ 7] ls -> busybox
│   ├── [ 54096] mic
│   ├── [ 17824] MidServer
│   ├── [ 7392] mirror
│   ├── [ 7] mkdir -> busybox
│   ├── [ 7] mknod -> busybox
│   ├── [ 7] mount -> busybox
│   ├── [ 7] mv -> busybox
│   ├── [ 56860] nas
│   ├── [ 10] nas4not -> ../bin/nas
│   ├── [ 7] netstat -> busybox
│   ├── [ 916196] nmbd
│   ├── [ 46960] ntfs-3g
│   ├── [ 3768] nvram
│   ├── [ 7] ping -> busybox
│   ├── [ 214140] pppc
│   ├── [ 7] ps -> busybox
│   ├── [ 10788] pwrcmd
│   ├── [ 570592] racoon
│   ├── [ 80240] ripd
│   ├── [ 7] rm -> busybox
│   ├── [ 5228] rsaEnfile
│   ├── [ 30904] scp
│   ├── [ 90560] setkey
│   ├── [ 7] sh -> busybox
│   ├── [ 188444] siproxd
│   ├── [ 7] sleep -> busybox
│   ├── [ 2174532] smbd
│   ├── [ 67056] smbpasswd
│   ├── [ 20900] sntp
│   ├── [ 5800] spuctl
│   ├── [ 133556] sshd
│   ├── [ 961] startbsp
│   ├── [ 2370] swapdev
│   ├── [ 7] tar -> busybox
│   ├── [ 234544] tc
│   ├── [ 5944] telnetd
│   ├── [ 4264] tops
│   ├── [ 7948] tr111
│   ├── [ 7] umount -> busybox
│   ├── [ 37440] upg
│   ├── [ 108816] upnp
│   ├── [ 50548] urlfilterd
│   ├── [ 16704] usbmount
│   ├── [ 111868] web
│   ├── [ 5] wl -> wlctl
│   ├── [ 58795] wlancmd
│   ├── [ 2172] wlctl
│   ├── [ 196844] wps_monitor
│   ├── [ 59760] xdslcmd
│   ├── [ 29932] xtmcmd
│   ├── [ 7] zcat -> busybox
│   └── [ 71860] zebra
├── [ 0] BTAgent
│   └── [ 0] ro
│       ├── [ 10079] btagent
│       ├── [ 732] btagent.conf
│       ├── [ 187] btagentstart.sh
│       ├── [ 1659] copy_hh3
│       ├── [ 4936] libparseplugins.so
│       ├── [ 5588] libplugin.so
│       ├── [ 5248] libplugins.so
│       ├── [ 6812] libsourceplugins.so
│       ├── [ 7620] libtcp.so
│       ├── [ 5192] libtransportplugins.so
│       ├── [ 0] plugin_parse
│       │   └── [ 14072] libxml.so
│       ├── [ 0] plugin_source
│       │   ├── [ 8964] libbtagent.so
│       │   ├── [ 11724] libfwm.so
│       │   ├── [ 4044] libhuawei.so
│       │   ├── [ 11444] liblogger.so
│       │   └── [ 7260] libprobe.so
│       ├── [ 0] plugin_transport
│       │   └── [ 51424] libsec.so
│       ├── [ 286] publickeys.dat
│       └── [ 17] RWPath
├── [ 187416] cferam.000
├── [ 0] config
├── [ 0] dev
│   ├── [ 0] console
│   ├── [ 9] fuse -> /var/fuse
│   ├── [ 0] misc
│   │   └── [ 9] fuse -> /var/fuse
│   └── [ 0] null
├── [ 0] etc
│   ├── [ 0] adsl
│   │   └── [ 525344] adsl_phy.bin
│   ├── [ 227136] defaultcfg.xml
│   ├── [ 23] dhcps2.leases -> /var/dhcp/dhcps/leasesF
│   ├── [ 22] dhcps.conf -> /var/dhcp/dhcps/config
│   ├── [ 22] dhcps.leases -> /var/dhcp/dhcps/leases
│   ├── [ 1317] ethertypes
│   ├── [ 34] fstab
│   ├── [ 198] group
│   ├── [ 458] handy_dss_key
│   ├── [ 427] handy_rsa_key
│   ├── [ 2836] hurlwebidx
│   ├── [ 1431932] hurlwebimg
│   ├── [ 71] inetd.conf
│   ├── [ 0] init.d
│   │   └── [ 3660] rcS
│   ├── [ 105] inittab
│   ├── [ 0] jffs.img
│   ├── [ 20] lmhosts
│   ├── [ 9] mtab -> /var/mtab
│   ├── [ 507] passwd
│   ├── [ 51] printers.ini
│   ├── [ 133] profile
│   ├── [ 132] radius.conf
│   ├── [ 20] resolv.conf -> /var/dns/resolv.conf
│   ├── [ 0] rlog
│   │   ├── [ 344] rlog1
│   │   ├── [ 344] rlog2
│   │   └── [ 344] rlog3
│   ├── [ 1005] root.crt
│   ├── [ 1147] root.pem
│   ├── [ 426] rsa_host_key
│   ├── [ 10] samba -> /var/samba
│   ├── [ 2993] servercert.crt
│   ├── [ 1119] servercert.pem
│   ├── [ 963] server.key
│   ├── [ 951] serverkey.pem
│   ├── [ 1995] services
│   ├── [ 33044] share.map
│   ├── [ 0] ssh
│   │   └── [ 614] authorized_keys
│   ├── [ 11] sysmsg -> /var/sysmsg
│   ├── [ 7] TZ -> /var/TZ
│   ├── [ 0] upnp
│   │   ├── [ 5124] DevCfg.xml
│   │   ├── [ 6362] DevInfo.xml
│   │   ├── [ 619] IGDInfoScpd.xml
│   │   ├── [ 2773] LANEthernetCfg.xml
│   │   ├── [ 517] LANSec.xml
│   │   ├── [ 1749] WanCommonIfc1.xml
│   │   ├── [ 1867] WANDslDiag.xml
│   │   ├── [ 11799] WanDslIfCfg.xml
│   │   ├── [ 3152] WanEthInterCfg.xml
│   │   ├── [ 608] WanEthLinkCfg.xml
│   │   ├── [ 11593] WanIpConn.xml
│   │   ├── [ 11426] WanPppConn.xml
│   │   └── [ 18803] WLANCfg.xml
│   ├── [ 6785] webidx
│   ├── [ 1428438] webimg
│   ├── [ 0] wlan
│   │   ├── [ 448] bcm43112_map.bin
│   │   ├── [ 448] bcm4313_map.bin
│   │   ├── [ 448] bcm4321_map.bin
│   │   ├── [ 448] bcm43222_map.bin
│   │   ├── [ 448] bcm43224_map.bin
│   │   ├── [ 448] bcm43225_map.bin
│   │   ├── [ 448] bcm43226_map.bin
│   │   ├── [ 448] bcm4322_map.bin
│   │   ├── [ 448] bcm4331_map.bin
│   │   ├── [ 448] bcm6362_map.bin
│   │   └── [ 89] nvram_params
│   ├── [ 7358] wrt54g.large.ico
│   ├── [ 3262] wrt54g.small.ico
│   └── [ 2100] wsc_config_1a_ap.txt
├── [ 0] lib
│   ├── [ 0] codepages
│   ├── [ 0] extra
│   │   ├── [ 341048] adsldd.ko
│   │   ├── [ 145388] bcm_enet.ko
│   │   ├── [ 136388] bcmfap.ko
│   │   ├── [ 91168] bcmvlan.ko
│   │   ├── [ 83344] bcmxtmcfg.ko
│   │   ├── [ 3852] otp.ko
│   │   ├── [ 10704] p8021ag.ko
│   │   ├── [ 38956] pktflow.ko
│   │   ├── [ 8948] pwrmngtd.ko
│   │   └── [ 3089688] wl.ko
│   ├── [ 0] kernel
│   │   ├── [ 0] crypto
│   │   │   ├── [ 5356] ecb.ko
│   │   │   └── [ 6908] pcbc.ko
│   │   └── [ 0] drivers
│   │       ├── [ 0] scsi
│   │       │   └── [ 2168] scsi_wait_scan.ko
│   │       ├── [ 0] usb
│   │       │   └── [ 0] storage
│   │       │       └── [ 77204] usb-storage.ko
│   │       └── [ 0] watchdog
│   │           └── [ 8796] bcmdog.ko
│   ├── [ 20700] ld-uClibc.so.0
│   ├── [ 58008] libatputil.so
│   ├── [ 13068] libbhalapi.so
│   ├── [ 167140] libcfmapi.so
│   ├── [ 18] libcrypto_openssl.so -> libcrypto.so.0.9.8
│   ├── [ 131836] libcrypto.so
│   ├── [ 18] libcrypto.so.0.9.7 -> libcrypto.so.0.9.8
│   ├── [ 1433876] libcrypto.so.0.9.8
│   ├── [ 10420] libcrypt.so.0
│   ├── [ 364392] libc.so.0
│   ├── [ 4820] libdhcpoptionsapi.so
│   ├── [ 4944] libdhcpstackapi.so
│   ├── [ 8304] libdl.so.0
│   ├── [ 54272] libethswctl.so
│   ├── [ 3648] libfcctl.so
│   ├── [ 174632] libgcc_s.so.1
│   ├── [ 2404] libgplutil.so
│   ├── [ 46216] libhttpapi.so
│   ├── [ 17] libiconv.so -> libiconv.so.2.5.0
│   ├── [ 17] libiconv.so.2 -> libiconv.so.2.5.0
│   ├── [ 297288] libiconv.so.2.5.0
│   ├── [ 15592] libMidClient.so
│   ├── [ 18476] libmsgapi.so
│   ├── [ 98056] libm.so.0
│   ├── [ 917] libnsl.so.0
│   ├── [ 410992] libntfs-3g.so.73
│   ├── [ 8048] libnvram.so
│   ├── [ 71628] libpthread.so.0
│   ├── [ 917] libresolv.so.0
│   ├── [ 18940] librsa.so
│   ├── [ 3348] librt.so.0
│   ├── [ 15] libssl_openssl.so -> libssl.so.0.9.8
│   ├── [ 12] libssl.so -> libcrypto.so
│   ├── [ 15] libssl.so.0.9.7 -> libssl.so.0.9.8
│   ├── [ 268464] libssl.so.0.9.8
│   ├── [ 14840] libstuncapir.so
│   ├── [ 11160] libthread_db.so.1
│   ├── [ 3948] libutil.so.0
│   ├── [ 95548] libwlbcmcrypto.so
│   ├── [ 60688] libwlbcmshared.so
│   ├── [ 344884] libwlctl.so
│   ├── [ 51304] libwps.so
│   ├── [ 25624] libxmlapi.so
│   ├── [ 78420] libz.so
│   └── [ 7] libz.so.1 -> libz.so
├── [ 11] linuxrc -> bin/busybox
├── [ 0] mnt
├── [ 0] proc
├── [ 0] sbin
│   ├── [ 14] arp -> ../bin/busybox
│   ├── [ 14] flash_eraseall -> ../bin/busybox
│   ├── [ 14] ifconfig -> ../bin/busybox
│   ├── [ 14] init -> ../bin/busybox
│   ├── [ 14] insmod -> ../bin/busybox
│   ├── [ 14] reboot -> ../bin/busybox
│   ├── [ 14] rmmod -> ../bin/busybox
│   ├── [ 14] route -> ../bin/busybox
│   ├── [ 14] smuxctl -> ../bin/busybox
│   ├── [ 14] vconfig -> ../bin/busybox
│   ├── [ 14] watchdog -> ../bin/busybox
│   └── [ 14] zcip -> ../bin/busybox
├── [ 0] tmp
├── [ 0] usr
│   └── [ 0] bin
│       ├── [ 17] [ -> ../../bin/busybox
│       ├── [ 17] [[ -> ../../bin/busybox
│       ├── [ 161909] dbclient
│       ├── [ 17] ftpget -> ../../bin/busybox
│       ├── [ 17] ftpput -> ../../bin/busybox
│       ├── [ 17] killall -> ../../bin/busybox
│       ├── [ 17] renice -> ../../bin/busybox
│       ├── [ 17] test -> ../../bin/busybox
│       ├── [ 17] top -> ../../bin/busybox
│       └── [ 17] wget -> ../../bin/busybox
├── [ 0] var
└── [ 1202746] vmlinux.lz

33 directories, 273 files
$
```
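The `count=12173332` passed to `dd` appears twice in the header dumped at 0x4000: as ASCII decimal at 0x40c0 and as the big-endian word 0x00b9c014 at 0x4084. The Python below is an added example, not code from the original page or the OEM; it cross-checks both fields before carving the JFFS2 region. The field offsets are assumptions read off this page's single hexdump, and the sample image is constructed from those bytes plus zero padding.

```python
import struct

HDR_OFF, FS_OFF = 0x4000, 0x8000   # offsets used by the xxd and dd commands above
# Field offsets inside the header, read off the page's one hexdump (assumed layout):
LEN_BE_OFF = 0x84      # big-endian u32, 0x00b9c014 in the dump
NAME_OFF = 0x8A        # NUL-terminated product/version string
LEN_ASCII_OFF = 0xC0   # the same length again, as ASCII decimal

# Bytes 0x4080-0x40df exactly as shown in the hexdump above.
PAGE_HEADER = bytes.fromhex("""
    0001 5898 00b9 c014 0001 486f 6d65 4875 6233 5631 3030 5230 3031 4330 3142 3033
    3153 5030 395f 4c5f 425f 7432 3031 312d 3036 2d30 315f 3232 3a33 3900 0000 0000
    3132 3137 3333 3332 0000 2d35 3937 3135 3931 3139 3100 0000 3000 0000 0000 0000
""")

def cstr(buf, off, maxlen):
    """Return the NUL-terminated ASCII string stored at buf[off:off+maxlen]."""
    return bytes(buf[off:off + maxlen]).split(b"\x00", 1)[0].decode("ascii")

def parse_header(image):
    """Return (version, fs_offset, fs_length); raise ValueError if inconsistent."""
    hdr = image[HDR_OFF:HDR_OFF + 0x100]
    if len(hdr) < 0x100:
        raise ValueError("image too short to hold the header at 0x4000")
    (len_be,) = struct.unpack_from(">I", hdr, LEN_BE_OFF)
    version = cstr(hdr, NAME_OFF, LEN_ASCII_OFF - NAME_OFF)
    len_txt = cstr(hdr, LEN_ASCII_OFF, 10)
    if not len_txt.isdigit() or int(len_txt) != len_be:
        raise ValueError(f"length fields disagree: {len_txt!r} vs {len_be}")
    if FS_OFF + len_be > len(image):
        raise ValueError("declared JFFS2 length runs past the end of the image")
    return version, FS_OFF, len_be

def carve_jffs2(image):
    """Slice out the big-endian JFFS2 region in one step (no dd bs=1 needed)."""
    _, off, length = parse_header(image)
    return image[off:off + length]

def sample_image(size=FS_OFF + 12173332):
    """Constructed test image: zero padding plus the page's header bytes."""
    img = bytearray(size)
    img[HDR_OFF + 0x80:HDR_OFF + 0x80 + len(PAGE_HEADER)] = PAGE_HEADER
    return img

if __name__ == "__main__":
    version, off, length = parse_header(sample_image())
    print(f"{version}: JFFS2 at {off:#x}, {length} bytes")
```

On a real dump, read the file into memory and write the result of `carve_jffs2()` to `jffs2_be`; the `jffs2dump` and mount steps are unchanged.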
OpenWrt bootlog
PUT HERE YOUR BOOTLOG