Kitz ADSL Broadband Information
Pages: 1 2 [3] 4 5 ... 16

Author Topic: BT Home Hub 3.0 - Type B  (Read 204336 times)

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: BT Home Hub 3.0 - Type B
« Reply #30 on: July 19, 2012, 03:23:57 AM »

It turns out that the HH3.0b firmware is not in the usual Broadcom format.  It seems there's an extra (pre-CFE) stage to the bootstrap.

And instead of the CFE having its own space in the flash, it is stored in the root file system itself. And the CFE is much larger than the usual 64kB.

The root file system of the HH3.0b also holds the kernel image whereas, normally, the kernel has its own slot in a Broadcom f/w image.

Finally, the root file system is a JFFS2 rather than a squashfs(-lzma) which is what Broadcom had been using for years.

Not seen that configuration before. All in all, that makes the HH3.0b quite unusual.

EDIT:

In France, a telco called SFR (Société Française de Radiotéléphonie) supplies a device similar to the Home Hub 3.0b.  It is called the NeufBox 6 or NB6.

Like the HH3.0b, the NB6 is also powered by the Broadcom 6361. It is gaining popularity with hackers.   I dusted off my schoolboy French to see what they had discovered about it. (Okay, I used Google Translate!)  [1]

It turns out that the NB6 uses the traditional Broadcom firmware format. [2]  So the HH3.0b remains a peculiarly British affair!

cheers, a

[1] http://translate.google.com/translate?sl=fr&tl=en&u=http://www.neufbox4.org/wiki/index.php?title=Neufbox_6
[2] http://translate.google.com/translate?sl=fr&tl=en&u=http://www.neufbox4.org/wiki/index.php?title=Tuto_Rapido_NB6
« Last Edit: July 19, 2012, 04:21:42 AM by asbokid »

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: BT Home Hub 3.0 - Type B
« Reply #31 on: July 22, 2012, 03:55:07 AM »


A full 32MByte NAND flash dump from a BT Home Hub 3.0b firmware version V100R001C01B031SP09_L_B_t2011-06-01_22_39 is linked below [1]

The HOWTO in the Google Docs folder illustrates mounting and extracting the file systems from that NAND flash dump.

The flash dump contains two root file system images. They are identical JFFS2 images, the master and the slave. Both images contain a MIPS32 kernel, and the CFE bootloader (cferam.000).

There are also two smaller JFFS2 file systems in the dump, and the pre-CFE bootstrap code (times two), as well as the NVRAM area found at the end of the flash.

cheers, a

[1] https://docs.google.com/folder/d/0B6wW18mYskvBMmNQTlhDeG5vT2c/edit
« Last Edit: August 04, 2012, 02:24:24 AM by asbokid »

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: BT Home Hub 3.0 - Type B
« Reply #32 on: July 23, 2012, 10:33:42 AM »

Excellent work.

The layout is very strange and certainly nothing I've ever encountered before. Generally, you want to reduce the number of potential points of failure, not add another one.

If all they are trying to do is prevent it from being unlocked, then it seems to be a rather extreme way of going about it to me.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: BT Home Hub 3.0 - Type B
« Reply #33 on: July 24, 2012, 01:59:26 AM »

Quote
If all they are trying to do is prevent it from being unlocked, then it seems to be a rather extreme way of going about it to me.

Hello HowlingWolf,

It gets worse - if you peruse the extracted root file system of the Home Hub 3.0b [1] you will find, as normal, a file called /etc/defaultcfg.xml.   The file should contain the default MIB configuration for the device.   Normally it is a human-readable XML file.

But not so for the HH3.0b.  Even the device default configuration file is encrypted!

Code:
# ls -ln etc/defaultcfg.xml 
-r-xr-xr-- 1 0 1102 227136 Jun  1  2011 etc/defaultcfg.xml

Code:
# xxd -l 512 etc/defaultcfg.xml
0000000: 7da4 b624 cc2e 72c1 1efe 9617 beb0 31a7  }..$..r.......1.
0000010: 497f 51f2 c65e 06db 5864 01eb a98c ceeb  I.Q..^..Xd......
0000020: 3e6b 7baf 4919 909b 5d65 97cc 5292 6f77  >k{.I...]e..R.ow
0000030: cf06 dfe6 977f 66c5 b8cd de47 ac87 1c33  ......f....G...3
0000040: b2af e7a9 d39e 5246 ccbc 53ec 313c 61a3  ......RF..S.1<a.
0000050: 18fc 13ca e41c a498 0002 2ad2 52b4 eaee  ..........*.R...
0000060: 9ca4 4668 da26 781b 00f3 f13f 2378 bc0c  ..Fh.&x....?#x..
0000070: a764 f125 8466 df8b efb6 9810 a8ff 0dc4  .d.%.f..........
0000080: 4f4d 524a 6a77 4873 6e74 4f38 6c58 4d4f  OMRJjwHsntO8lXMO
0000090: 764b 6b78 6c37 7852 334a 4472 7449 4b41  vKkxl7xR3JDrtIKA
00000a0: 6d59 316d 627a 6d6f 7463 3836 5452 7774  mY1mbzmotc86TRwt
00000b0: 696c 4d47 3248 662b 6975 5955 7a47 346f  ilMG2Hf+iuYUzG4o
00000c0: 3970 3778 344e 446b 6735 746a 7377 3346  9p7x4NDkg5tjsw3F
00000d0: 5242 364b 3147 4837 3244 3167 4d33 3778  RB6K1GH72D1gM37x
00000e0: 5235 3959 6750 5048 4c56 6c43 322b 5569  R59YgPPHLVlC2+Ui
00000f0: 2f76 4b50 3276 4662 6371 794d 3751 3545  /vKP2vFbcqyM7Q5E
0000100: 696b 554e 4868 6c64 6b35 6a78 4157 3434  ikUNHhldk5jxAW44
0000110: 5a59 4635 6a6b 5439 644c 7543 2b4c 4b51  ZYF5jkT9dLuC+LKQ
0000120: 742b 6335 4b45 6c61 3636 4144 422f 4e51  t+c5KEla66ADB/NQ
0000130: 627a 4a31 3534 5350 586b 6657 4862 6d72  bzJ154SPXkfWHbmr
0000140: 7a4b 7761 304e 3342 5149 374a 3576 5937  zKwa0N3BQI7J5vY7
0000150: 6a51 4171 7a4e 5554 6c54 2b49 4649 7053  jQAqzNUTlT+IFIpS
0000160: 6731 6274 4b38 656e 6853 4539 4958 784c  g1btK8enhSE9IXxL
0000170: 7351 4b44 6d61 4e4b 3864 486d 4b4a 7139  sQKDmaNK8dHmKJq9
0000180: 5451 3279 7376 5239 326b 432b 476c 775a  TQ2ysvR92kC+GlwZ
0000190: 734c 4851 386c 4664 5a6e 594d 742b 4173  sLHQ8lFdZnYMt+As
00001a0: 5769 3159 532f 6f4e 664e 446d 316b 7442  Wi1YS/oNfNDm1ktB
00001b0: 4832 6f4b 6b66 6153 436b 5456 6378 5443  H2oKkfaSCkTVcxTC
00001c0: 3243 7a2f 3974 4a79 4a43 6265 4677 4162  2Cz/9tJyJCbeFwAb
00001d0: 5073 4763 7041 524f 4469 4a6c 4468 4846  PsGcpARODiJlDhHF
00001e0: 3559 5078 4a37 7238 7052 632f 702b 676c  5YPxJ7r8pRc/p+gl
00001f0: 484f 3466 4879 5078 4f6b 304e 2f34 4743  HO4fHyPxOk0N/4GC

cheers, a

[1] https://docs.google.com/open?id=0B6wW18mYskvBY2FZalRBUzRwR2M

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: BT Home Hub 3.0 - Type B
« Reply #34 on: July 24, 2012, 04:18:49 PM »

Hi Asbokid,

I haven't got that far yet  :)

I'm in the 'final stretch' of another project which I'm hoping to wrap up within the next couple of days. I'm just taking a break before I start on the final code sections.

One thought does occur. There appears to be two sections. A binary 'header' block and what looks like an old-fashioned uuencoded data block.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: BT Home Hub 3.0 - Type B
« Reply #35 on: August 04, 2012, 02:23:37 AM »

Hi HowlingWolf,

Quote
Hi Asbokid,

I haven't got that far yet  :)

I'm in the 'final stretch' of another project which I'm hoping to wrap up within the next couple of days. I'm just taking a break before I start on the final code sections.

Surely that can wait?! Priorities and all that!

Quote
One thought does occur. There appears to be two sections. A binary 'header' block and what looks like an old-fashioned uuencoded data block.

It's definitely a binary-to-text encoding.  But I fear it is encrypted, too.  Likely those first 128 bytes contain some sort of cryptographic key.

A Unix tool called uudeview was used to try and identify the encoding. The tool can reportedly handle "uuencoding,  xxencoding,  Base64 and BinHex encoding methods". [1]  But alas it still couldn't identify the encoding scheme to the defaultcfg.xml file in the HH3.0b firmware.  :o

Though there are a couple of HTML files to be found in the bootloader section of the HH3.0b firmware image. This HTML reveals that the bootloader has the same facility as the HG612 for flashing in new firmware:

Code:
$ dd if=./hh3.0b_V100R001C01B031SP09_l_B_t2011-06-01_22_39.rawnanddumpeccstripped.bin of=upload.html bs=1 count=$((0x5fa)) skip=$((0x35504))
1530+0 records in
1530+0 records out
1530 bytes (1.5 kB) copied

And that file upload.html contains this:



In the same area of the NAND dump (0x35504 onwards) is another HTML file relating to f/w uploading - mainly to do with failed flashes, etc.

Perhaps someone with a working HH3.0b would check something (it won't do any harm).  By holding in the reset button of the HH3.0b while powering up the device (and keeping it pressed for 10 seconds), that should bring up a web interface on 192.168.1.1.

Once the firmware format is understood, in theory, that web interface would allow the HH3.0b to be reflashed with modified (unlocked) firmware  8)

cheers, a

[1] http://www.fpx.de/fp/Software/UUDeview/Manual-Unix-uudeview.html
« Last Edit: August 04, 2012, 02:27:10 AM by asbokid »
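As an added example (not code from this thread or from any of its posters), the script below takes the xxd listing of etc/defaultcfg.xml from Reply #33 and applies the "two sections" reading from Replies #34 and #35: it locates where the printable text begins, tests which binary-to-text alphabet that text fits, decodes it, and reports the byte entropy of each part. The function names are my own. One detail worth making explicit: uuencode's data alphabet is chr(0x20 + v) for each 6-bit value v, i.e. 0x20..0x60 with no lowercase letters, so a tail full of lowercase cannot be uuencoded, which is consistent with uudeview drawing a blank; it is plain base64. High entropy in the decoded bytes is what you would expect of ciphertext, whereas XML would sit around 4-5 bits per byte and contain '<'.

```python
import base64
import math
import re

# First 512 bytes of etc/defaultcfg.xml, copied from the xxd output posted above.
XXD_DUMP = """\
0000000: 7da4 b624 cc2e 72c1 1efe 9617 beb0 31a7  }..$..r.......1.
0000010: 497f 51f2 c65e 06db 5864 01eb a98c ceeb  I.Q..^..Xd......
0000020: 3e6b 7baf 4919 909b 5d65 97cc 5292 6f77  >k{.I...]e..R.ow
0000030: cf06 dfe6 977f 66c5 b8cd de47 ac87 1c33  ......f....G...3
0000040: b2af e7a9 d39e 5246 ccbc 53ec 313c 61a3  ......RF..S.1<a.
0000050: 18fc 13ca e41c a498 0002 2ad2 52b4 eaee  ..........*.R...
0000060: 9ca4 4668 da26 781b 00f3 f13f 2378 bc0c  ..Fh.&x....?#x..
0000070: a764 f125 8466 df8b efb6 9810 a8ff 0dc4  .d.%.f..........
0000080: 4f4d 524a 6a77 4873 6e74 4f38 6c58 4d4f  OMRJjwHsntO8lXMO
0000090: 764b 6b78 6c37 7852 334a 4472 7449 4b41  vKkxl7xR3JDrtIKA
00000a0: 6d59 316d 627a 6d6f 7463 3836 5452 7774  mY1mbzmotc86TRwt
00000b0: 696c 4d47 3248 662b 6975 5955 7a47 346f  ilMG2Hf+iuYUzG4o
00000c0: 3970 3778 344e 446b 6735 746a 7377 3346  9p7x4NDkg5tjsw3F
00000d0: 5242 364b 3147 4837 3244 3167 4d33 3778  RB6K1GH72D1gM37x
00000e0: 5235 3959 6750 5048 4c56 6c43 322b 5569  R59YgPPHLVlC2+Ui
00000f0: 2f76 4b50 3276 4662 6371 794d 3751 3545  /vKP2vFbcqyM7Q5E
0000100: 696b 554e 4868 6c64 6b35 6a78 4157 3434  ikUNHhldk5jxAW44
0000110: 5a59 4635 6a6b 5439 644c 7543 2b4c 4b51  ZYF5jkT9dLuC+LKQ
0000120: 742b 6335 4b45 6c61 3636 4144 422f 4e51  t+c5KEla66ADB/NQ
0000130: 627a 4a31 3534 5350 586b 6657 4862 6d72  bzJ154SPXkfWHbmr
0000140: 7a4b 7761 304e 3342 5149 374a 3576 5937  zKwa0N3BQI7J5vY7
0000150: 6a51 4171 7a4e 5554 6c54 2b49 4649 7053  jQAqzNUTlT+IFIpS
0000160: 6731 6274 4b38 656e 6853 4539 4958 784c  g1btK8enhSE9IXxL
0000170: 7351 4b44 6d61 4e4b 3864 486d 4b4a 7139  sQKDmaNK8dHmKJq9
0000180: 5451 3279 7376 5239 326b 432b 476c 775a  TQ2ysvR92kC+GlwZ
0000190: 734c 4851 386c 4664 5a6e 594d 742b 4173  sLHQ8lFdZnYMt+As
00001a0: 5769 3159 532f 6f4e 664e 446d 316b 7442  Wi1YS/oNfNDm1ktB
00001b0: 4832 6f4b 6b66 6153 436b 5456 6378 5443  H2oKkfaSCkTVcxTC
00001c0: 3243 7a2f 3974 4a79 4a43 6265 4677 4162  2Cz/9tJyJCbeFwAb
00001d0: 5073 4763 7041 524f 4469 4a6c 4468 4846  PsGcpARODiJlDhHF
00001e0: 3559 5078 4a37 7238 7052 632f 702b 676c  5YPxJ7r8pRc/p+gl
00001f0: 484f 3466 4879 5078 4f6b 304e 2f34 4743  HO4fHyPxOk0N/4GC
"""

_XXD_LINE = re.compile(r"^[0-9a-f]+:((?:\s[0-9a-f]{4}){1,8})")
BASE64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
# uuencode data is chr(0x20 + v) per 6-bit value (with '`' for zero): the
# alphabet is 0x20..0x60 plus newlines and has no lowercase letters at all.
UUENCODE_ALPHABET = frozenset(range(0x20, 0x61)) | {0x0A}

def parse_xxd(dump):
    """Rebuild raw bytes from the hex columns of an xxd listing (ASCII column ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        m = _XXD_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def shannon_entropy(data):
    """Bits per byte: near 8 for ciphertext/compressed data, roughly 4-5 for XML."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_text_offset(data, min_run=32):
    """Offset where the first run of min_run printable ASCII bytes starts, else None."""
    run_start = None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            if run_start is None:
                run_start = i
            if i - run_start + 1 >= min_run:
                return run_start
        else:
            run_start = None
    return None

def classify_alphabet(text):
    """Name the binary-to-text alphabet the bytes fit; base64 is checked first."""
    if all(b in BASE64_ALPHABET for b in text):
        return "base64"
    if all(b in UUENCODE_ALPHABET for b in text):
        return "uuencode"
    return "unknown"

def analyse(blob):
    """Split at the start of the text section and describe both halves."""
    off = find_text_offset(blob)
    off = len(blob) if off is None else off
    header, text = blob[:off], blob[off:]
    report = {"header_len": len(header), "header_entropy": round(shannon_entropy(header), 2),
              "text_alphabet": classify_alphabet(text), "decoded": None, "decoded_entropy": None}
    if report["text_alphabet"] == "base64":
        usable = text[: len(text) // 4 * 4]  # drop a partial final quantum from a truncated dump
        report["decoded"] = base64.b64decode(usable)
        report["decoded_entropy"] = round(shannon_entropy(report["decoded"]), 2)
    return report

if __name__ == "__main__":
    print(analyse(parse_xxd(XXD_DUMP)))
```

On the posted 512 bytes the split lands at offset 0x80, the text section is pure base64 (so the 384 characters decode to 288 bytes), and the header's entropy is well above what structured data produces; run it over the whole 227136-byte file to see whether the base64 section is one continuous blob or is itself framed.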

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #36 on: August 04, 2012, 05:06:26 AM »

Quote
Perhaps someone with a working HH3.0b would check something. (it won't do any harm).  By holding in the reset button of the HH3.0b while powering up the device (and keeping it pressed for 10 seconds), that should bring up a web interface on 192.168.1.1.

b*cat performed some experiments.  ;D

In total, there were five sockets to check. The red one, with the legend "BT Infinity", to which the VDSL2 modem would connect and the four yellow ones, numbered 1 to 4, the last of which has the legend "GigE".

There is the "Reset" microswitch, operated via a hole with a straightened paper-clip and there is the "Reset" button for normal finger operation. Then there is the "Wireless WPS" button, adjacent to the "Reset" button, very convenient to give the device a "two finger salute".

The Ethernet port on my system was configured as 192.168.1.100 and a total of fifteen experiments were carried out by holding the various buttons depressed, allowing the device to power up whilst continuing to hold the buttons depressed for a further 30 seconds. Once the lights had stopped flashing, the 192.168.1.1 address was entered into the browser's address bar.

And the results? Every one was negative.  :( 

It's now time for b*cat to go and find his warm & sleepy spot.   :sleep:
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: BT Home Hub 3.0 - Type B
« Reply #37 on: August 04, 2012, 03:08:23 PM »

Quote
The Ethernet port on my system was configured as 192.168.1.100 and a total of fifteen experiments were carried out by holding the various buttons depressed, allowing the device to power up whilst continuing to hold the buttons depressed for a further 30 seconds. Once the lights had stopped flashing, the 192.168.1.1 address was entered into the browser's address bar.

And the results? Every one was negative.  :( 

It's now time for b*cat to go and find his warm & sleepy spot.   :sleep:

Thank you, burakkucat!  That's a shame and mysterious, too!   

cheers, a

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #38 on: August 04, 2012, 08:05:23 PM »

Yes, I was a little disappointed with that result.  :(

However if you carry on with the good work, I'll be happy to perform any experiments.

Perhaps another close inspection of the PCB may suggest that a jumper would need to be added, for example?  :-\
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: BT Home Hub 3.0 - Type B
« Reply #39 on: August 04, 2012, 08:30:06 PM »

Quote
I'm in the 'final stretch' of another project which I'm hoping to wrap up within the next couple of days. I'm just taking a break before I start on the final code sections.

Surely that can wait?! Priorities and all that!

Nice Try :)

As it happens I'm just putting the finishing touches to it so I should be able to devote some time to this quite soon.

I did briefly try getting to the update page using wget in infinite retry mode - nothing as comprehensive as b*cat - but no success either.

I did get the occasional connection rejected msg instead of no route to host but I'm not sure if that was from the homehub or something else.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: BT Home Hub 3.0 - Type B
« Reply #40 on: August 04, 2012, 09:27:38 PM »

Is it possible that the Acme Labs mini/micro web server in the Broadcom bootloader [1] is listening on a port other than 80? If so, maybe a full TCP port scan would discover the little bugger?!

Back in July, Kitz contributor NewtronStar noted that BT had apparently stopped shipping the HH3.0b. [2]

Tom Espiner of ZDNet reported that there was a problem with the HH3.0b slowing down on the wired side, but strangely not on the wireless side which continued to work okay. [3]

Is there any news on whether the HH3.0b is being supplied once again by Blighty Telecom?

EDIT2:

BT is remotely pushing out a firmware fix (V100R001C01B031SP12) for the Home Hub 3.0b  [4]   Reports on BT's Care in the Community forum are generally positive [5]


cheers, a

[1] http://www.acme.com/software/
[2] http://forum.kitz.co.uk/index.php/topic,11377.msg220021.html#msg220021
[3] http://www.zdnet.com/bt-fixes-bug-that-cut-super-fast-broadband-down-to-super-slow-1mbps-3040155430/
[4] http://www.ispreview.co.uk/index.php/2012/07/bt-infinity-uk-deploy-firmware-fix-for-super-slow-fttc-broadband-bug.html
[5] http://community.bt.com/t5/BT-Infinity/Post-here-when-your-Type-B-updates-to-V100R001C01B031SP12/td-p/580525
« Last Edit: August 04, 2012, 11:19:13 PM by asbokid »

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: BT Home Hub 3.0 - Type B
« Reply #41 on: August 04, 2012, 11:51:23 PM »

Quote
Is it possible that the Acme Labs mini/micro web server in the Broadcom bootloader [1] is listening on a port other than 80? If so, maybe a full TCP port scan would discover the little bugger?!

Hmm... It seems that great minds do think alike  ;)

Quote
Back in July, Kitz contributor NewtronStar noted that BT had apparently stopped shipping the HH3.0b. [2]

Tom Espiner of ZDNet reported that there was a problem with the HH3.0b slowing down on the wired side, but strangely not on the wireless side which continued to work okay. [3]

Is there any news on whether the HH3.0b is being supplied once again by Blighty Telecom?

EDIT2:

BT is remotely pushing out a firmware fix (V100R001C01B031SP12) for the Home Hub 3.0b  [4]   Reports on BT's Care in the Community forum are generally positive [5]

I don't think they actually stopped shipping them as I only got mine quite recently but I could be wrong. I only found out about the slowdown problem a couple of months ago when I started looking for a new isp and from what I read then it seemed to be an acknowledged issue rather than something very recent.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #42 on: August 05, 2012, 01:09:27 AM »

b*cat would be quite happy for HW to stop howling and start testing, then an easily disturbed feline can catch up on some essential sleeping!  :P   :sleep:
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: BT Home Hub 3.0 - Type B
« Reply #43 on: August 06, 2012, 07:29:24 PM »

OW! OW! OW!

Watch what you're doing with those claws!


I dunno...

Next they'll be telling me I shouldn't be scratching OR sniffing at things...

:P
« Last Edit: August 06, 2012, 11:45:50 PM by Howlingwolf »

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #44 on: August 06, 2012, 08:26:56 PM »

Some more testing was performed last night.

The two methods of held "Reset" were used at device power up. ("Paper-clip in hole" method and "Finger on button" method.)

All five sockets that can take an RJ-45 plug were checked. The following nmap command line was thus executed ten times --

Code:
# -sV enables service/version detection; the originally posted -Vs is not an nmap option
nmap -T4 -sV -Pn -p0-65535 192.168.1.1

Absolutely nothing was found.  :(

Now my question. How certain are we that 192.168.1.1 would be the correct IP address?  :-\
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.