BT Home Hub Hacking

Please respect the license under which this work is made available. (See terms and conditions at the end of the page)

First a disclaimer: You must fully understand the risks involved in carrying out procedures on this page. I am not responsible for anything that may happen to anyone or any property as a result of following instructions on this page. If you're not comfortable with this then don't read any more.

Random information about the BT Home Hub. The version of the hub abused here is 1.5.

Random information about the BT Hub Phone can be found on this page

How to disassemble

To complete this procedure you'll need a Phillips screwdriver, a flat screwdriver and a scalpel. (You can skip the scalpel if you don't care about the label on the back - just rip it off!)

  1. Carefully remove the label on the back covering the screw using a scalpel or something similar. (See this picture)
  2. Undo the screw.
  3. Carefully remove the rubber feet. You can use a flat screwdriver to help lift them away. (See this picture)
  4. Remove the two screws and pull the case apart.
  5. To remove the PCB, lift at the end where the sockets are. It might help to disconnect P8 and P14 antenna connectors.

What's inside?

Inside the hub there's a well populated PCB, a couple of additional antennas and a connection to the hub phone front socket. The picture to the right shows one side of the PCB. The ICs are listed below.

PCB Side A

  1. IC4 = ST 24C64WP - 64-kbit (8-kbyte) serial EEPROM. This may contain the code for the ARM processor on the other side of the board.
  2. IC24 = ST E9726 (not sure what that is)
  3. IC21 = Appears to be an i6420 PWM controller, perhaps used as part of the power supply for the microcontrollers
  4. P8 = Internal antenna connection.
  5. P14 = External antenna connection.
  6. IC27 = Broadcom BCM4318EKFBG WiFi transceiver
  7. IC9 = S29GC064A 64-Mbit (8-Mbyte) flash memory
  8. Main CPU = Broadcom BCM6348KPBG
  9. IC16 = Qimonda HY8395C256160FE-7 - 256-Mbit (32-Mbyte) DRAM
  10. P2 = 3.3V TTL Serial port.
    (Note voltage - never connect directly to a PC serial port!)
    • Pin 1 = GROUND / 0V
    • Pin 2 = RXD (Input)
    • Pin 3 = TXD (Output)
    • Pin 4 = Vcc (3.3V)
    • Baud Rate: 115200bps
    • Other: 8N1 (8-bit, No Parity, 1 stop bit)

PCB Side B

An image is available here

  1. IC2 = NXP PCD80705 ARM7 Microcontroller
  2. IC26 = HCT4066 Quad switch
  3. IC14 = Broadcom 6301KSG ADSL2+ Line driver
  4. IC8 = ALTIMA AC101LKQTG Ethernet transceiver
  5. IC1 = Si3230-FT - I think this is a SLIC for the analog phone port
  6. P3 = Possible JTAG port (see below)

Firmware hacking

The ultimate goal of this project is to allow all users to upload their own firmware to this device without specialised hardware. This *should* be provided for by the GPL, as the Home Hub runs on Linux and uses BusyBox. BT have made available some GPL code, but this does not seem sufficient to actually create a firmware file that can be uploaded to the device. The released code can be found at this URL: http://www.btyahoo.com/broadband/adhoc_pages/gplcode.html. Make up your own mind whether or not they're violating the GPL license by withholding this information... I can't decide.

Firmware bootup (bootlog)

This boot-log was taken from the serial port on P2.

Bootup keypresses: Sending Ctrl+C during this sequence seems to kill the init routine dead, resulting in the main application starting early. Sending it just after the nmon kernel module has loaded results in the application starting with the comment "[ERROR]: An illegal build is trying to run!" (What's illegal about that?!) Sending Ctrl+Q once bootup has completed turns on lots of application-level debugging information. I can't log in at the console with the latest firmware.

JTAG

On the reverse of the board, there is a small 8-pin connector footprint sited directly under the CPU. Googling about indicates this may be a JTAG port (2=TDI=TP33, 3=TDO=TP32, 5=TMS=TP34, 6=TCK=TP35) but I have not tried this yet - it's next! It was indicated that reading the firmware can be accomplished with a strangely named utility and a simple parallel port cable. (See here)

Recovery Mode

Holding down the Wireless Assoc button during power-on for about 5 seconds puts the device into firmware recovery mode. The device will attempt to acquire an IP address, a TFTP filename and a TFTP server address from a BOOTP/DHCP server. If it gets all these things it will download the file and use it. Giving it the .BLI file from BT's recovery zip file results in a firmware upgrade. (Status information is output to the console during the upgrade process.)
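One way to provide the BOOTP/DHCP and TFTP pieces that recovery mode asks for, as an added example that is not from the page: a dnsmasq configuration on a Linux PC wired directly to the hub. The interface name, the addresses and the file name homehub.bli (standing for the .BLI file from BT's recovery zip) are assumptions.

```conf
# dnsmasq configuration (assumed file: /etc/dnsmasq.d/homehub-recovery.conf)
# Listen only on the wired interface connected to the hub (assumed name).
interface=eth0
bind-interfaces
# Hand the hub an address from this pool when it asks via DHCP.
dhcp-range=192.168.1.100,192.168.1.110,1h
# The page says the hub speaks BOOTP/DHCP; pure BOOTP clients only get an
# address if dynamic BOOTP leases are allowed (note: such leases never expire).
bootp-dynamic
# Boot file name and TFTP server address (DHCP options 67 and 66) the hub will use.
dhcp-boot=homehub.bli,,192.168.1.2
# Serve the file over TFTP from this directory; copy the .BLI there first.
enable-tftp
tftp-root=/srv/tftp
# Log the DHCP exchange to syslog so the recovery can be followed from the PC side.
log-dhcp
```

The PC must already hold 192.168.1.2 on eth0 and nothing else on the cable may answer DHCP; the hub's own progress appears on the P2 console as described above.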

Recovery File (.BLI) File Format

I'm not yet sure of the format of this file. Feeding the device a couple of "random" experimental files indicates:

  1. The BLI part at the beginning of the file indicates the file type to the bootloader - providing a file that doesn't begin with BLI (such as a Linux kernel... we should be so lucky, eh?!) results in the download being aborted.
  2. The file appears to have some header information after the initial BLI part. Making a random modification to this header resulted in errors about a "Seal..." *sigh* - is it encrypted, or is this just a checksum?
  3. Modifying a byte somewhere in the middle of the file results in the whole file being downloaded, but it still won't flash.

Interesting forum

This forum, PsiDOC.com, has current information about flashing the hub using JTAG. Also detailed is a software hack for Home Hub version 2. Great work guys!


User comments / feedback

  1. anon says:
    2011-09-04 20:58
    I had a look. 0x0 - 0x2 - BLI - magic for the bootloader. 0x3 - 0x7 - don't know. 0x20 - 0x23 - the version number of the firmware. 0x24 - 0x31 - don't know. It looks like there's a 32 byte header, then the firmware file, which is signed using IPKG2. But I can't find any tools or source to unpack it :( This is on the END of the firmware file as a clue: ipkg2_sign(in=6=6315615[byte], out=1=6315959[byte]) (ipkg2-header=344[byte])
  2. graham says:
    2011-08-10 18:34
    Using a Netgear for all internet use. I'm no longer a BT customer but I use a BT Home Hub 2.0 and the 2.1 hub phones as they were expensive to buy. Problem is the Netgear clashes with the 2.0 hub. DSL and internet go out on the Netgear and the BT hub broadband light flashes orange. Any idea how I can solve the issue? I have disconnected the wireless receiver on the BT hub 2.0 after unscrewing it and disconnecting 2 wires.
  3. Ant says:
    2011-07-18 11:10
    It could, but the hub bootloader only knows how to initialize 8M x 16-bit SDRAM.
  4. Thomas says:
    2011-05-29 20:15
    PS: The SDRAM is a HYB39SC256160FE-7. I couldn't read the text either, but Google was helpful in finding the datasheet. It is a 32 MByte chip (16 x 8M), and I wonder whether it can be replaced with 128 MByte (16 x 32M)...
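Added example, not code from the page or its author: a read-only inspector for a .BLI image that checks the points reported in the "Recovery File (.BLI) File Format" list and in anon's comment above: the BLI magic the bootloader insists on, the 4-byte field at 0x20 the commenter identifies as the firmware version, and the ipkg2_sign trailer, whose sizes should satisfy out = in + header (6315959 = 6315615 + 344 in the quoted trailer). The header layout is the commenter's observation rather than a specification, and the sample image is constructed.

```python
import re

BLI_MAGIC = b"BLI"
# ASCII trailer the reader comment found at the end of the file, e.g.
# "ipkg2_sign(in=6=6315615[byte], out=1=6315959[byte]) (ipkg2-header=344[byte])"
TRAILER_RE = re.compile(
    rb"ipkg2_sign\(in=\d+=(\d+)\[byte\], out=\d+=(\d+)\[byte\]\)"
    rb" \(ipkg2-header=(\d+)\[byte\]\)"
)


def parse_bli(data):
    """Inspect a .BLI recovery image read-only and report what can be checked.

    Assumed layout (from the page and the reader comment, not a published spec):
    'BLI' magic at 0x0, opaque bytes to 0x1f, a 4-byte firmware version at
    0x20-0x23, opaque header bytes to 0x31, then the IPKG2-signed payload
    ending in an ASCII ipkg2_sign(...) trailer.
    """
    if len(data) < 0x32:
        raise ValueError("file too short to hold the BLI header")
    if data[:3] != BLI_MAGIC:
        # The bootloader aborts the download for anything not starting with BLI.
        raise ValueError("bad magic %r, bootloader would abort the download" % data[:3])
    m = TRAILER_RE.search(data[-512:])
    if m is None:
        raise ValueError("no ipkg2_sign trailer at end of file")
    in_len, out_len, hdr_len = (int(g) for g in m.groups())
    return {
        "version_hex": data[0x20:0x24].hex(),  # encoding of this field is unknown
        "ipkg2_in": in_len,
        "ipkg2_out": out_len,
        "ipkg2_header": hdr_len,
        # Signed output should be input plus the IPKG2 header; a mismatch means
        # the image is truncated or the trailer is not what the signer wrote.
        "sizes_consistent": out_len - in_len == hdr_len,
    }


def sample_image():
    """Constructed stand-in for a real .BLI (real files are several MB)."""
    header = BLI_MAGIC + b"\x00" * 0x1d + b"\x01\x05\x00\x00" + b"\x00" * 0x0e
    payload = b"\xff" * 64
    trailer = (b"ipkg2_sign(in=6=6315615[byte], out=1=6315959[byte])"
               b" (ipkg2-header=344[byte])")
    return header + payload + trailer


if __name__ == "__main__":
    print(parse_bli(sample_image()))
```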
