
Unlocking BT Home Hub V2.0A

Unlock your BT Home Hub 2A with two USB sticks for use on most ADSL ISPs
By 28/01/11 [Last Edited by Joseph 24/03/11]
This tutorial is for the BT Home Hub V2.0A. For the BT Home Hub V1.0 or Virgin Media Customers, see the box below, labelled Other Home Hubs/Configurations.

At last, we can now unlock the BT Home Hub V2.0A for use on most UK ADSL ISPs without any hardware hacks! Many thanks to PsiDOC and btsimonh for the know-how! The unlock process takes advantage of a loophole left by the developers, which allows an executable to be run on the Home Hub when a special trick is performed with the Samba configuration. This allows us to run a Telnet server on the Home Hub to gain full root access. From there, in essence, we can run another executable to write the flash memory with an image of our choosing.

NOTE: This process is risky and no responsibility is taken for any damage caused to your Hub! Do this at your own risk!


Other Home Hub Unlocking Configurations

Before you continue, please check from this list that you are using the right tutorial:

Virgin Media & BT Home Hub 2 Customers: See this page: BT Home Hub V2.0 with Virgin Media NEW!
Virgin Media & BT Home Hub 1.0 Customers: See this page: BT Home Hub V1.0 Ethernet Router
BT Home Hub V2 users: See this page: Unlocking BT Home Hub V2.0A NEW!
BT Home Hub V1.0 users: See this page: Unlocking BT Home Hub V1.0

Requirements

  • Two USB flash drives. Ensure all your data is backed up, as one will be totally reformatted!
  • The files, which can be downloaded from here.
  • A Telnet client. Versions of Windows before Windows Vista include one by default. Windows Vista/7/2008 users: see this page on how to get it back.

Preparing USB Stick 1

First of all, download the self-extracting archive from above, open it, and extract the contents (you will be prompted for a password, see below).



Next, locate the disk image utility DiskImage_1_6_WinAll.exe and launch it. Ensure your first USB stick is plugged in. Select the Physical Disk corresponding to your USB stick, NOT the drive letter (you can get a fair idea of which Physical Disk is your USB stick by looking at the size). Ensure you select the correct disk, or you could overwrite your Windows disk, or any other disk you have connected, which will delete everything on it.



Next to the Source File text box, click Browse, and locate sysroot.sqsh. Now click Start. The process will finish almost instantly, and you can then close the disk image utility.

Getting Root

Now, ensure the Home Hub is connected via Ethernet, NOT wireless. Ensure you have obtained an IP address from the Hub and not another router. Insert the prepared USB stick into the Home Hub (the USB port is around the back on the right hand side). Open the command prompt, and type:

explorer \\192.168.1.253\Disk_a\sys\rw\dl

Copy and paste utelnetd from the FlashWithoutJTAG_btsimonh_v1 folder you extracted earlier into the folder on the Home Hub.

Now navigate to \\192.168.1.253\Disk_a\sys\rw\etc\, and copy and paste smb.conf from the same FlashWithoutJTAG_btsimonh_v1 folder you extracted earlier, this time overwriting the existing file.

Close the Windows Explorer window, and then go to the command prompt again, and type:

explorer \\192.168.1.253\Disk_yyy

If that fails, try:

explorer \\192.168.1.253\Disk_a

Although you won't see anything happen, the Home Hub has now magically executed the utelnetd telnet daemon in the background! From the command prompt again, type:

telnet 192.168.1.253 4002

We now have root!
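
Seen from the defending side, the loophole used above comes down to an smb.conf that can be overwritten through a writable share, combined with Samba's ability to run a command when a share is accessed. The following audit script is an added example, not part of the original tutorial or of the FlashWithoutJTAG_btsimonh_v1 package; it assumes the mechanism is one of Samba's standard command-running parameters, and the mount point /mnt/usb, the share names and the "helper" binary are hypothetical.

```python
import posixpath
# Real Samba parameters that make smbd run a command ("exec" is a synonym of "preexec").
EXEC_PARAMS = {"preexec", "exec", "root preexec", "postexec", "root postexec", "magic script"}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
# Constructed input, not the smb.conf from the download; /mnt/usb and "helper" are hypothetical.
CONF_PATH = "/mnt/usb/sys/rw/etc/smb.conf"
SAMPLE = """
[usbdisk]
   path = /mnt/usb
   read only = no
[hook]
   path = /tmp
   Root  PreExec = /mnt/usb/sys/rw/dl/helper %S
"""

def parse_smb_conf(text):
    shares, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            # Samba ignores case and spacing inside parameter names.
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def is_writable(p):
    # Shares are read-only unless "read only = no" or a "writable" synonym says otherwise.
    return (p.get("read only", "yes").lower() in FALSE or
            any(p.get(k, "no").lower() in TRUE for k in ("writable", "writeable", "write ok")))

def covers(share_path, target):
    # True when target lies inside the directory tree exported at share_path.
    base = posixpath.normpath(share_path).rstrip("/") + "/"
    return posixpath.normpath(target).startswith(base)

def audit(text, conf_path):
    shares = parse_smb_conf(text)
    writable = {n: p["path"] for n, p in shares.items() if "path" in p and is_writable(p)}
    findings = [(n, "config-writable", d) for n, d in writable.items() if covers(d, conf_path)]
    for name, params in shares.items():
        for key in sorted(EXEC_PARAMS & params.keys()):
            cmd = (params[key].split() or [""])[0]
            hit = any(covers(d, cmd) for d in writable.values())
            findings.append((name, "exec-from-writable-share" if hit else "exec-directive", f"{key} = {params[key]}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE, CONF_PATH), sep="\n")
```

A firmware that keeps smb.conf outside every exported tree, and exports removable media read-only or without command-running parameters, produces no findings.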

Writing the Filesystem

You will now need your other USB stick. I didn't have much luck when it was formatted in FAT, so ensure it is formatted in FAT32. Copy the v2reflash folder from the FlashWithoutJTAG_btsimonh_v1 folder, to the USB stick. Now unplug the first USB stick, and insert the second into the Home Hub. Wait a few seconds, then type into the telnet window:

mount

You should see something like the following. The USB stick should mount as either /dev/sda or /dev/sda1. If it mounts as /dev/sdb1, then remove the USB stick, reinsert it and retry mounting.



The next step is to back up the firmware on your BT Home Hub, just in case anything goes horribly wrong. Enter the following command, replacing /var/usbmount/sda with /var/usbmount/sda1 if your USB stick mounted as sda1:

cat /dev/mtdblock5 > /var/usbmount/sda/backup.bin

That should complete after 10 or so seconds. Next, check the files on the USB stick. The screenshot below shows the backup and the file listing. The files shown to you on your Hub should match the screenshot, except for flash_createextended and flash_newrootfs, which can be safely ignored if they're missing.



Next, enter the following, and press Enter when prompted. Your connection to the Home Hub will drop after this has completed:

./startpivot



Reconnect to the Hub by typing into the Command Prompt:

telnet 192.168.1.253 4003

When connected, type in:

unmount



Now, we're on the last stage, the flashing. This is the only step so far that'll actually make changes to your Hub, so this is the last chance to back out now! It will take about 3-4 minutes and YOU MUST NOT DISCONNECT THE POWER. When you're sure, type:

flash_allfrom40000



Hopefully done!
