Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[GigabitEthernet]

I would be interested SecTSys.

[SecTSys]

Send me the details of the address in a pm and i will have that sent to you next week arobert

[SecTSys]

This may be a silly question, but is there a way to disable PPoE on this device?  I'd like to assign an address either statically or with DHCP to the WAN port.

Thanks

In order to disable the PPoE on the hh3 - we have to get into the firmware i believe and would have to do that via telnet!

If you want to assign an address to the HH3 you can do this manually in the options available.

(From Default)

1. In Browser go to 192.168.1.254 and log into your router.
2. Enter advanced settings
3. Click "Home Network"
4. Select sub menu "IP Addresses"
5. Select the bottom option  (Radial button) "Configure Manually"

This will enable you to change the IP address that you use as a default gateway and the subnet mask as well as the IP address range that is assigned to devices that connect up to it.

I hope this helps

[asbokid]

I saw your post on the BT hub 3.0 nand dump using a sm/xD card reader. Can I ask where you did buy that spesific modell?  Thanks for posting all the info and pictures, it helps me on my project!:)

Hi toffit,

The Genesys Logic GL827 card reader?   It was 99p from ebay. The seller is in sunny Smethwick, iirc.  Anywhere near you?

modified USB reader for SM/XD cards (Genesys Logic GL827 controller)  (click to enlarge)

That card reader is not however the best choice for NAND hacking since it needs modifying.  It is hardwired for xD-Picture cards. The GL827 controller uses (active low) lines to detect a xD-Picture and a SmartMedia card (signals XD_CDZ on pin 1 and SM_CDZ on pin 2.  So these need swapping.  See GL827 Datasheet here [1] )

The GL827 also handles automatically the Error Correction Code specified in the xD and SM card standards.  However, the embedded device (BT Home Hub or whatever), will almost certainly use a different ECC algorithm in its own NAND driver. So while the GL827 is fine for dumping the NAND contents, it is probably no good for re-flashing new data into the NAND (since there is no control over the ECC contents).

Currently, just experimenting with a different (obsolete) card reader for NAND hacking - the Olympus MAUSB-10.

Olympus MAUSB-10
(click for full size)


Olympus MAUSB-10
(click for full size)


Olympus MAUSB-10
(click for full size)

The MAUSB-10 is based on the 'Alauda' NAND controller IC, believed to be from RATOC Systems of Japan.

RG85550 a.k.a Alauda' NAND controller
(click for full size)

Daniel Drake discovered that the Alauda IC supports raw access to the whole NAND page [2]. Allowing arbitrary data to be written to the main area and the spare (out of band) area used for ECC.  Which makes it a much more useful NAND controller.  Potentially putting it in the same category as a $2000 commercial NAND flash programmer. [3]

Daniel's Linux kernel device driver for the Alauda is broken today (and no longer maintained) but cory1492 has generously released his ported code that runs in userspace using the libusb library.  It works well in both Linux and BillyGatesWare.  [4]

Once this is working as intended (testing at the moment with another board) it can be documented properly.

cheers, a

[1] http://www.genesyslogic.com/manage/upfile/12021817731.pdf
[2] http://www.reactivated.net/weblog/archives/2005/08/alauda-mausb-10/
[3] http://www.xeltek.com/Nand-Flash-Programming/
[4] http://www.xboxhacker.org/index.php?topic=15596

[GigabitEthernet]

Send me the details of the address in a pm and i will have that sent to you next week arobert

Actually, I just realised this router cannot be unlocked so it won't be much use to me. Sorry for wasting your time .

[SecTSys]

Send me the details of the address in a pm and i will have that sent to you next week arobert

Actually, I just realised this router cannot be unlocked so it won't be much use to me. Sorry for wasting your time .

No worries.

[toffit]

Hi toffit,

The Genesys Logic GL827 card reader?   It was 99p from ebay. The seller is in sunny Smethwick, iirc.  Anywhere near you?

[.....]

Thank you so much:) No, im not from London. I will try it out and see if I can get it to work(if I can find it). I only need a dump for this time, but I will follow your progress on the new reader/writer board when you get time to document it.

[SecTSys]

Just a curiosity - Anyone made any progress?

[burakkucat]

Just a curiosity - Anyone made any progress?

No.    It's a right stubborn device, the HH3.0B. 

[jaydubya]

Hi all,

I've got one of these and dismantled it last night to see what it had inside. Just wondering if anyone has investigated the 4 JTx holes in the board (JT3-6) - I can't see mention of them anywhere. Could they be waiting for JTAG connectors to be soldered in?

[edit] In fact - having looked at the pictures earlier on - I have a different Homehub 3B than shown - mine appears to be a different variant of the HH 3B board - it's marked BTHUB3 VER.A. Definitely a B though as the layout is pretty similar otherwise. I noticed the one in the pics is a VER D - so maybe they refined the design and removed the JT connectors.

I took some pics last night and have attached one of either side of the board, and JT3-6.

[SecTSys]

ok so how many versions of the HH3.0 B Board are there?

[burakkucat]

As jaydubya's photograph shows, a type "A" board. Both Asbokid's and my HH3.0B devices are type "D" boards. So applying minimalistic logic, there must be (at least) types "B" & "C" boards out there, somewhere . . . 

I nearly forgot -- Welcome to the Kitz forum, JW. 

[SecTSys]

Oh Great - so in regards to the Exploitation of the HH3 B then it looks like that if it is successful on one board it may not be on another, and now when the time comes i may need to open up my router and find out if the hacks are applicable!

[snadge]

just want to thank everyone for their hard work at cracking these routers...you guys rock!!



welcome to forum new members SS and JW

[SecTSys]

Er, just to let people know - My HH3.0 Type B i had "In Stock" is not in stock and has been sent to someone about a week ago.

In the mean time however i do have 2 HH3 Type A's Available. one used, but reset to default
The other Brand new and still in the box!