
Author Topic: BT Home Hub 3.0 - Type B  (Read 204640 times)

asbokid

Re: BT Home Hub 3.0 - Type B
« Reply #60 on: August 12, 2012, 03:46:21 AM »

That's excellent, Burakkucat! The results look quite significant ;)

cheers, a

burakkucat

Re: BT Home Hub 3.0 - Type B
« Reply #61 on: August 12, 2012, 06:45:04 PM »

Why, thank you.  :)

I propose, as soon as the time is available, to re-nmap scan port 443 of IP address 192.168.1.254 on both the LAN1 and LAN2 sockets to confirm that I was not mis-seeing things.

As a qualified scientist of many years standing, I appreciate that experimental results are only meaningful when they are reproducible. They are even more significant when they can be reproduced by an independent person. Wolfy, where are you?
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Howlingwolf

Re: BT Home Hub 3.0 - Type B
« Reply #62 on: August 12, 2012, 09:24:42 PM »

Excellent work indeed!

I've just finished up my current dung-heap  erm... I mean project.  :P

Well... This version of it anyway.  ::)

So I can devote some more time to this. I'll start by running the same set of tests.

I do like the idea of running the cfe in qemu but I wouldn't know where to start as I've never used it. I would appreciate it if someone could point me in the direction of a good beginner guide.

burakkucat

Re: BT Home Hub 3.0 - Type B
« Reply #63 on: August 12, 2012, 10:54:57 PM »

I submit another report which focusses on the LAN1 port only.

Whether performing a "factory reset" or a "power-up with reset asserted", the switch was held depressed until the Power light started to flash amber. (This took between 16 and 18 seconds.)

When performing a "power-up with reset asserted" it is essential that an Ethernet cable is connected from the LAN port of the device to the host computer and that the host computer is ready to perform the nmap scan. It is essential that the nmap scan is started within five seconds of both the Power and Wireless lights becoming solid blue. If left without starting the nmap scan, the Power light will revert back to amber, the Wireless light will go out, the Power light will begin to flash amber once again and then, once the device is back to two solid blue lights, the nmap scan will reveal that port 443 has reverted back to its "normal" condition.

I would appreciate independent analysis of the above results. Attached, below, is a log file which shows port 443 is normally "open  ssl/tcpwrapped" but can be found in a "filtered https" state following a "power-up with reset asserted".
« Last Edit: August 12, 2012, 11:04:28 PM by burakkucat »


asbokid

Re: BT Home Hub 3.0 - Type B
« Reply #64 on: August 13, 2012, 02:16:21 AM »

Hmm... thank you for experimenting, burakkucat!
Very interesting and certainly not the expected results  ???

If you've got a spare minute, perhaps you could report the outcome in the following circumstances,

PC attached via LAN1 or LAN2 of the HH3.0b,
HH3.0b booted as normal, and then after a "held-reset"
PC browser visits the following URLs:

https://192.168.1.1   (443/tcp by default)
http://192.168.1.1:37215
https://192.168.1.1:37443

cheers, a

burakkucat

Re: BT Home Hub 3.0 - Type B
« Reply #65 on: August 13, 2012, 03:19:14 AM »

Quote
HH3.0b booted as normal, and then after a "held-reset"

Am I correct in assuming that you would like a "factory reset" performed? Or have I misinterpreted your above direction?  :-\

It will be sometime later today, for b*cat has heard the plaintive call of his bed.  ;)


asbokid

Re: BT Home Hub 3.0 - Type B
« Reply #66 on: August 13, 2012, 03:52:32 AM »

Quote
HH3.0b booted as normal, and then after a "held-reset"
Am I correct in assuming that you would like a "factory reset" performed? Or have I misinterpreted your above direction?  :-\

I meant to say, perhaps you could perform two sets of tests (only when you're in the mood again, of course!)

The first set of tests would be performed after powering up and booting as normal. The second set after powering up while asserting reset.

I must buy another HH3.0b since this one is now in several pieces. Although it's not easy to tell from the Home Hubs listed on eBay whether they are Home Hub 3 Type A or Type B. Sellers don't seem to identify the type.

cheers, a

P.S. To HowlingWolf, [EDIT: see below]  if you don't find it first through Google, I will try and dig out the reports of running CFE under QEMU. It was probably on the openwrt forum.  Someone found that a specific version of CFE  would run in QEMU 'out of the box'. Whereas all(?) other CFE versions refuse (without coercion?) to run at all.   Ideally the whole userspace of the HH3.0b could run in QEMU.  Small inroads were made with that, to get the btagent (TR069) client running on a PC.  A project that is probably worth pursuing for the wider interest.


EDIT: see:  http://huaweihg612hacking.wordpress.com/2011/07/05/mips-emulation-on-the-x86/
« Last Edit: August 19, 2012, 05:51:12 AM by asbokid »

Howlingwolf

Re: BT Home Hub 3.0 - Type B
« Reply #67 on: August 13, 2012, 08:19:46 AM »

Thanks Asbokid

I meant a good beginners' guide to QEMU in general. Thinking about it, MIPS-related would probably be a good idea too.

I did try looking briefly but Google turns up so much crap these days it takes forever to wade through it  >:(

I am going to have another look of course but any help would be appreciated.

burakkucat

Re: BT Home Hub 3.0 - Type B
« Reply #68 on: August 13, 2012, 03:57:39 PM »

Some further experiments have been performed.

(1) The HH3.0B was allowed to power-up in a normal fashion. Attempts to connect were made via the following IP addresses:

https://192.168.1.1   (see image 1a.png, below)
http://192.168.1.1:37215   (see image 1b.png, below)
https://192.168.1.1:37443   (see image 1c.png, below)

(2) The HH3.0B was powered-up with the reset asserted. This condition was held for 20 seconds subsequent to the power-up state, then released. The device was allowed to complete its full "double cycle" of solid amber, flashing amber, solid blue, solid amber, flashing amber and solid blue lights. Attempts to connect were made to the same three IP addresses as above. The results were identical to those obtained in experiment (1), above.

(3) The HH3.0B was powered-up with the reset asserted. This condition was held for 20 seconds subsequent to the power-up state, then released. The device was allowed to complete just the first part of its "double cycle" sequence. That is to say, the tests were performed within 2 to 3 seconds of the first period of solid blue lights. This state had, thus, to be entered three times to perform the three sub-tests for the three IP addresses. Unfortunately the results were, once again, identical to those obtained in experiments (1) and (2), above.

Suggestions, anyone?  :(

My only other comment is that perhaps we should not ignore the USB port on the HH3.0B. :-\


asbokid

Re: BT Home Hub 3.0 - Type B
« Reply #69 on: August 13, 2012, 05:27:08 PM »

Thank you very much Burakkucat, for going to that trouble. I've got you a little reward (see below). It is a pot of fresh Pacific sea cucumbers. An oriental delicacy enjoyed by man and cat alike  :D   Beats a tin of sardines, any day!

http://item.taobao.com/item.htm?id=8810013125

Disappointing results though, but you have eliminated those avenues of attack.  You're right, the USB port could be an option.  Not an option here though, as the HH3.0b is in little bits.

More head-scratching!

cheers, a




burakkucat

Re: BT Home Hub 3.0 - Type B
« Reply #70 on: August 13, 2012, 05:34:45 PM »

Quote
Thank you very much Burakkucat, for going to that trouble. I've got you a little reward (see below). It is a pot of fresh Pacific sea cucumbers. An oriental delicacy enjoyed by man and cat alike  :D   Beats a tin of sardines, any day!

http://item.taobao.com/item.htm?id=8810013125

Yummy!  :yum:  b*cat starts to think about his evening meal.

Quote
More head-scratching!

In return, I have a little gift idea for you -- a nit-comb!


BrianB

Re: BT Home Hub 3.0 - Type B
« Reply #71 on: August 13, 2012, 08:12:46 PM »

Firmware upgrade released July 2012
Sorry if this is the wrong place for this. I have spent several days unsuccessfully searching for the latest firmware for the BT HH3B. As I do not have a BT line the firmware does not upgrade. Having been successful with the HH2, unlocking it, upgrading the firmware etc., I was hoping to be clever with this model but I have now pulled out all my hair going round in circles reading the same old nonsense time and time again. Is there anyone out there who can advise me please? Much appreciated if you can.

burakkucat

Re: BT Home Hub 3.0 - Type B
« Reply #72 on: August 13, 2012, 08:43:10 PM »

Hello Brian,

Are you sure that a Beattie line and service is required to obtain the firmware upgrade for a HH3.0B?

From my limited understanding of how the BTAgent works, it makes an occasional connection to the update server, reports the current status of the modem/router and asks if there is anything to be done. If the server detects that the firmware should be updated, the client software (the BTAgent) allows the server to take control and perform the deed.

For example, I do not have a Beattie line or service. As part of some experiments earlier this year, I had a 2Wire 2700HGV (a.k.a. a type two BT Business Hub, Version 2.0) connected to my line. It eventually (via the BTAgent) made contact with the update server and had its firmware updated from 6.1.x to 6.3.y . . . I would be very surprised if the agent in the HH3.0B acts any differently.  :-\
« Last Edit: December 17, 2012, 11:21:45 PM by burakkucat »


SecTSys

Re: BT Home Hub 3.0 - Type B
« Reply #73 on: August 17, 2012, 03:38:19 AM »

Just a quick thought on this one... Hi, sorry, I am new to the forum btw...

I have got a working (though dismantled) BT HH3 type B available as of tomorrow.

I am a BT customer, and to be honest I get through these routers more regularly than I do hot dinners. They are rubbish but they are free for me. So, in an effort to reduce your costs of purchasing and to hopefully speed up the process of unlocking this router...

Where should I send my old type B routers to? They all work! Though maybe a donation towards the postage would be nice!!!

... JUST A WARNING: I AM NOT A HACKER, CRACKER OR ANYTHING, SO IF WHAT I SAY MAKES NO SENSE, SEND ME BACK TO MY HOLE! ...

Having read through the work you're all doing here, I am quite intrigued; it has gone from the simple to the complicated and back again.

With regards to the USB slot.

The router has got a boot sector and a USB port. I saw the post with the HTML page that looks a promising thing... has anyone tried booting with reset pressed whilst having a bootable USB stick with the software to flash the BT HH 3.0b already on it, using and attempting all the various and prior-mentioned button combos possible?

I would attempt to do this myself, but I wouldn't know what software to begin testing this with...

******************

Something else that I have seen done before, though that was at a convention I attended, is to create a virtual infrastructure that can possibly fool the HH3 into believing that it is connected to the internet: discovering the IP address that the router tries to connect to when looking for a connection to update its firmware, then mimicking that, with instruction to flash the firmware with software that you want (that is compatible and not going to brick it), essentially getting the BTagent in the router to give up its secrets somehow.

The key with this would be to grab the info as it leaves the router and before it gets to the Openreach modem whilst capturing the data; maybe that could reveal something.

I know that this is pretty old school, but what about older methods of revealing things such as "lsof"?

You probably know all this stuff, but I went back over some of the old school techniques. Using something like "netstat -tupac" running in real time whilst having your connection between the Home Hub and the modem might reveal some open ports or even connections that the router attempts to make, what ports and such are being used to do it with and, even more so, at what point in the process the router opens these ports in order to try and obtain this information.

I am certain that if any unlocking of software is to be done, it will be through the USB or from an external source, and the access to ports and other fun things will otherwise be closed off to the internal Ethernet network.

Inappropriate link removed by admin
« Last Edit: August 17, 2012, 07:44:35 AM by roseway »

Howlingwolf

Re: BT Home Hub 3.0 - Type B
« Reply #74 on: August 17, 2012, 02:30:44 PM »

Emulating the update infrastructure wouldn't work as BTAgent uses public key encryption and we only have access to the device key(s).

I did briefly consider 'recording' the update process using Honeywall to grab the update file but it's rather impractical as I've no way of predicting when BTAgent would actually do an update check and decrypting the data stream might prove rather complicated.

At the moment I'm looking into system emulation. It might be possible to determine what we need by actually getting the bootloader/cfe running in an emulator.

First I have to find a suitable emulator of course and there are so bloody many to choose from  :'(

I was looking at QEMU but it doesn't really seem suited to emulating embedded systems and would probably require more patching than I'm capable of. Particularly as I'm not familiar with its internal architecture.

However I've just gotten access to OVP this morning - the one listed on the MIPS Technologies website - which looks promising going by the website blurb.

But I'm sure we're all far too familiar with the difference between marketing nonsense and reality  :(
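Howlingwolf's point above, that a mimicked update server gets nowhere because BTAgent relies on public-key cryptography, rests on the general property of signed firmware updates. The Python below is an added illustration, not code from this thread or from BT's BTAgent: a device that embeds only the vendor's public key accepts an image signed with the vendor's private key, rejects a genuine signature replayed over a different image, and rejects a signature produced by a server that does not hold the private key. The RSA parameters, image bytes and "guessed" exponent are constructed toy values.

```python
import hashlib

# Constructed toy RSA key pair. The primes are far too small for real use;
# a vendor key would be 2048 bits or more, but the arithmetic is identical.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the vendor

# The device only needs to embed the public half.
DEVICE_PUBLIC_KEY = (E, N)

def image_digest(image: bytes) -> int:
    """SHA-256 of the firmware image, reduced into the RSA group (toy scheme)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N

def sign_image(image: bytes, private_exponent: int) -> int:
    """What the genuine update server does: sign the digest with its private key."""
    return pow(image_digest(image), private_exponent, N)

def device_accepts(image: bytes, signature: int, public_key=DEVICE_PUBLIC_KEY) -> bool:
    """What the device does before flashing: recover the signed digest with the
    embedded public key and compare it with the digest of the image received."""
    e, n = public_key
    return pow(signature, e, n) == image_digest(image)

# Constructed sample images (not real firmware).
GENUINE_IMAGE = b"HH3B firmware, vendor build (constructed sample)"
UNLOCKED_IMAGE = b"HH3B firmware, modified build (constructed sample)"

def demo() -> dict:
    """Outcomes for a genuine update, a swapped image, and a spoofed server."""
    genuine_sig = sign_image(GENUINE_IMAGE, D)
    # A spoofed server has no D; the best it can do is pick some other exponent
    # (constructed guess below) or replay a signature issued for another image.
    guessed_exponent = 12345
    return {
        "genuine_accepted": device_accepts(GENUINE_IMAGE, genuine_sig),
        "replayed_sig_rejected": not device_accepts(UNLOCKED_IMAGE, genuine_sig),
        "forged_sig_rejected": not device_accepts(
            UNLOCKED_IMAGE, sign_image(UNLOCKED_IMAGE, guessed_exponent)),
    }

if __name__ == "__main__":
    print(demo())
```

The same check is what makes a captured update stream of limited use without the private key: the device's decision depends on the signature verifying under the embedded public key, not on where the image came from.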