A Broadband and ADSL forum. BroadbanterBanter

Welcome to BroadbanterBanter.

You are currently viewing as a guest which gives you limited access to view most discussions and other FREE features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today.

Go Back   Home » BroadbanterBanter forum » Newsgroup Discussions » uk.telecom.broadband (UK broadband)
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

Hacking the BT Home Hub 5a (was Routers)



 
 
Thread Tools Display Modes
  #1  
Old March 6th 19, 11:56 PM posted to uk.telecom.broadband,uk.telecom.mobile
Java Jive
external usenet poster
 
Posts: 463
Default Hacking the BT Home Hub 5a (was Routers)

I've now acquired a second of these and successfully hacked it also, as
a backup for the first. Given that the original thread got very long
and convoluted, I thought I'd try and summarise in one, albeit long,
post how to hack successfully a BT Home Hub 5a (BTHH5a), put an OpenWRT
image on it, get a Huawei E3372s working with it, and add a public WiFi
network.

A) Physical Stage

Requires:
USB to Serial 3.3V TTL cable
Small soldering iron to work at a level of fine detail
Solder
4 different coloured lengths of very thin insulated flex, say
whiTe Transmit
Red Receive
Blue Boot short
Green Ground

Optional:
Veroboard (or equivalent) - 70 x 32mm, 2.54mm pitch
4 x pins for above
Female 4-way SIL connector, 2.54mm pitch to connect to above
4 x 1mm dia x 2-3mm len self-tapping screws
Hand drill with approx 1mm drill bit
Means of safely making a hole around 12mm in diameter
Hacksaw to trim Veroboard
Smooth file, for example a warding file, to clean up edges
Hand lens to check your soldering work.

1) Remove the label from its holder at the middle top of the back, and
put it aside out of harm's way for now.

2) Remove the back of the clam-type casing with a pen-knife blade,
flat-bladed screw-driver, or similar. Noting that at the middle of the
top the join between the two halves is between the two grills - in
other words slightly back from the front rim - starting there, and
pushing the tool far enough in to separate the two halves well before
levering it over to push them apart - don't over force it or you'll
break the plastic clips - work out to each top-corner, then down each
side, finally each bottom corner, then it should just come apart. There
is a video he
https://www.youtube.com/watch?v=XhE_QpLFvpM

If you aren't planning to mount permanent connections to the PCB, you
can skip the following and go to step 13.

3) Unscrew the two self-tapping screws holding the PCB to the back of
the casing, and remove the PCB. Put it aside out of harm's way for now.

4) Examine the inside of the back at the top, just behind the label slot
on the outside. Note that there are four convenient little protruding
cylinders roughly behind each corner of the label slot. You are going
to cut out a piece of Veroboard the same size as the removable label and
mount it on the inside using these cylinders as mounting points. Also,
you will drill or otherwise make in the middle of the label slot a hole
about 12mm in diameter to allow four pins to be accessible without
having to open up the casing again. Hopefully the result will look
something like this:
http://www.macfh.co.uk/Temp/20190216_071340.jpg

5) Begin by getting a hand-drill with around a 1mm bit, or whatever size
will just fit snugly inside each of those four protruding cylinders, and
drill through to the outside. Later, these will each take a
self-tapping screw.

6) Prepare the Veroboard. Preferably, you want the copper strips going
horizontally, that is parallel to the longest edge. With hacksaw and
file, cut out and smooth the edges of a piece to cover these four
mounting points - the removable label makes a convenient template for
the size.

7) Being careful not to allow the new holes you are about to make to be
be pushed off centre by existing holes in the Veroboard, drill four
holes to match the positions of the above cylinders/mounting points.

8) From the coppered side of the Veroboard, insert four standard
Veroboard/Breadboard pins in a vertical line, one in each of four
successive copper-strip rows, so that as a whole they're as near to the
centre point of the four mounting holes as possible.

9) Mark out on the inside of the back casing where the four pins will be
- they should be as near as possible to the middle of the label slot.
Drill - if drilling work stepwise outwards with increasing drill bit
sizes, to avoid breaking the plastic - or otherwise cut a hole that
will be large enough to allow access to the pins when the Veroboard is
mounted inside the casing, preferably with no pin being closer than
about 2mm from the edge of the hole, so about 12mm diameter should be
adequate - a plug such as the following should be able to be connected
to the pins:

https://www.ebay.co.uk/itm/4-Pin-Dup...K/272536936185

10) Decide on the order for the pins - if you have existing kit that
your USB-Serial cable is sometimes used on, it obviously makes sense to
wire this header the same as that; apart from that, put Boot next to
GND. Feed the ends of the four corresponding coloured insulated cables
from the coppered side of the Veroboard, up to the uncoppered and back
down the next hole to the coppered side, so that the board will act as a
cable grip, and the end of each finally comes out one hole away from its
pin. Strip the ends, twist them, and solder them to the pins. Gently
feed any slack back through the 'cable-grip'.

11) With the self-tapping screws mount the Veroboard with the pins
sticking out through the large hole in the centre of the label holder,
and the cables hanging down inside. If the screws protrude beyond the
surface of the back into the label holder, level them off with a file.

12) Either now, or after the next step, replace and mount the PCB, being
careful to align the sockets with the holes in the casing, and bringing
out the cables around the edge of it for soldering to the back of the PCB.

13) As per the instructions and annotated photos on this page ...
https://openwrt.org/toh/bt/homehub_v5a
.... solder the ends of the cables to their corresponding attachment
points. As the scale of the work is very small, you are advised to
check the results with a hand lens or magnifier, if you have one.

14) Attach your USB-Serial cable (MUST be 3.3v TTL) to the pins or the
ends of the cables and plug it into your PC. Run Putty or other such
serial console program and open a connection window for the connection
via the USB-Serial lead to the HH5a. Connect a LAN port of the HH5a to
a PC, connect the router to the mains, and power it up. If you see log
output in the serial console program, then all should be good. Power
down the router.

15) Switch off the router, and leaving the other three serial
connections intact, with a bent paperclip or similar short Boot to GND
while switching on the router. If the boot log stops at UART, you're
good to go, otherwise you've erred and will have to revisit the steps
above to find your error.

B) Firmware Stage

You need to be running a TFTP server on the PC connected to the HH5a,
and have the chosen first boot image described on the above linked page
within the server's root directory.

16) Taking up the instructions on the OpenWRT BT Home Hub 5a page linked
above, at the 'UART' wait, load one of the specified *.asc files into
Notepad or equivalent, select all of it, copy this selection into the
clipboard, and then paste it into the Serial console window. You should
see a succession of stars as the data is read slowly into memory, until
eventually the code is run and finally a prompt appears.

17) Now follow the linked OpenWRT page to complete upgrading the firware
to OpenWRT. Once done, you should be able to do without the serial
cable and replace the front of the router.

C) Huawei E3372s USB 4G stick

!!!IMPORTANT!!! Note that the Huawei E3372s (serial) and Huawei E3372h
(hilink) models are *differently configured* versions of the *same*
hardware (in other words their firmware differs). The notes below refer
to the 's' (serial) models. Do not try to apply them to the 'h'
(hilink) models.

18) Using Putty or other equivalent serial console program, log in to
the router's serial console at ...
192.168.1.1
.... and run the following command:

opkg update && opkg install chat comgt comgt-ncm kmod-usb-net
kmod-usb-net-cdc-ncm kmod-usb-net-huawei-cdc-ncm kmod-usb-serial
kmod-usb-serial-option kmod-usb-serial-wwan kmod-usb-wdm luci-proto-3g
luci-proto-ncm usb-modeswitch wwan && reboot; exit

The above is meant to be all on one line but will be broken up by most
newsgroup software, so you will likely have to reassemble it. For
clarity the commands given a
opkg update
opkg install
chat
comgt
comgt-ncm
kmod-usb-net
kmod-usb-net-cdc-ncm
kmod-usb-net-huawei-cdc-ncm
kmod-usb-serial
kmod-usb-serial-option
kmod-usb-serial-wwan
kmod-usb-wdm luci-proto-3g
luci-proto-ncm
usb-modeswitch
wwan
reboot
exit

19) When the router comes back up, in a browser, enter as the address ...
192.168.1.1
.... and via the ribbon menu at the top, navigate to Network, Interfaces.

20) Click 'Add new interface' and enter the following settings, any
others not mentioned can be left on their default setting ...

General Setup
Protocol: NCM
Modem device: /dev/cdc/wdm0 or /dev/ttyUSB0
APN: Mobile suppliers' recommendation
PIN: If there's one set on your SIM
Advanced Settings
Bring up on boot: Yes
Use built-in IPv6: Yes
Firewall Settings
Firewall Zone: Add this interface to 'wan'

.... then click 'Save & Apply'. If the USB stick was not plugged in at
last boot, plug it in now and choose System, Reboot from the ribbon
menu. In fact you may have to reboot anyway.

Hopefully on reboot the new USB interface should come up working.

If not, here is the relevant section of my /etc/config/network file:

config interface 'WAN_USB'
option proto 'ncm'
option device '/dev/cdc-wdm0'
option pdptype 'IP'
option apn 'goto.virginmobile.uk'
option pincode 'xxxx'
option ipv6 'auto'

.... and here is Andy Burns' from the recent long convoluted thread ...

config interface 'LTE'
option ifname 'wwan0'
option proto 'ncm'
option mode 'auto'
option apn '3internet'
option ipv6 'auto'
option delegate '0'
option skipinit '1'
option peerdns '0'
option device '/dev/ttyUSB0'
option pdptype 'IP'
option auto '0'

You may also find the following has some useful information:
https://openwrt.org/docs/guide-user/...netoverusb_ncm

There are also other methods of using USB dongles linked from the top of
that page - ppp, qmi & mbim, rndis.

D) An extra public WiFi SSID to allow guests to access the internet
without being able to access your LAN. This is described here ...

https://openwrt.org/docs/guide-user/...n-webinterface

.... but note that you may have to go round some steps twice to fill-in
cross-references to other sections, once they have been created.

Remaining Problems:

:-( I never got multi-wan failover to work. Seemingly however I
configured it, if both the ADSL and the USB interfaces were enabled
together, I always ended up on the slow speeds of the ADSL interface.

:-( Exactly as was happening with DHCP clients beyond a client-bridge
(now fixed), PCs being booted via a W9x DOS environment for imaging
using Ghost hang at the DHCP stage. Only a problem on the old Dell
Latitude D600 XP laptop, because for some reason or other it can't see
the D: partition to save images to, but now it can't be imaged via the
network either, so now it must be imaged to a large enough USB stick,
which flogs the stick and takes ages.
  #2  
Old March 9th 19, 01:14 AM posted to uk.telecom.broadband,uk.telecom.mobile
Graham.[_3_]
external usenet poster
 
Posts: 306
Default Hacking the BT Home Hub 5a (was Routers)


Sorry Charles, largely TLR, but you have prompted me to obtain a HH5
A to play around with, and I've just ordered one from Ebay for 8GBP
delivered.

I'm a new Plusnet fibre customer and I'm rather disappointed with the
features of their device as received. As it's the only VDSL capable
router I have I don't want to mess with it just yet.

Some time ago I put OpenWRT on a TP-LINK TL-WR741ND which I got free
from "Sam Knows" as part of their "Whitebox" project, after three
years of supplying them with data I reckoned it was now mine to flash
back to a router, and I successfully did it with Open WRT "Gargoyle"

It's not got a DSL modem, but it makes a very good 2.4MHz wirless
repeater & client bridge.

I'll use the same USB serial cable.



--
Graham.

%Profound_observation%
  #3  
Old March 9th 19, 10:42 AM posted to uk.telecom.broadband,uk.telecom.mobile
Java Jive
external usenet poster
 
Posts: 463
Default Hacking the BT Home Hub 5a (was Routers)

For Graham's benefit, though hopefully it's obvious enough what I meant
to say ...

On 06/03/2019 23:56, Java Jive wrote:

2)*** Remove the back of the clam-type casing


Should read ...

2) Remove the front of the clam-type casing
  #5  
Old March 10th 19, 12:05 AM posted to uk.telecom.broadband,uk.telecom.mobile
Michael Chare[_2_]
external usenet poster
 
Posts: 56
Default Hacking the BT Home Hub 5a (was Routers)

On 06/03/2019 23:56, Java Jive wrote:
I've now acquired a second of these and successfully hacked it also, as
a backup for the first.* Given that the original thread got very long
and convoluted, I thought I'd try and summarise in one, albeit long,
post how to hack successfully a BT Home Hub 5a (BTHH5a), put an OpenWRT
image on it, get a Huawei E3372s working with it, and add a public WiFi
network.


I failed at my first attempt as the wire I attached ripped the circuit
copper of the circuit board when I accidentally knocked it. Where did
you get your very thin wires from?

--
Michael Chare
  #6  
Old March 10th 19, 02:38 PM posted to uk.telecom.broadband,uk.telecom.mobile
Java Jive
external usenet poster
 
Posts: 463
Default Hacking the BT Home Hub 5a (was Routers)

On 10/03/2019 00:05, Michael Chare wrote:

I failed at my first attempt as the wire I attached ripped the circuit
copper of the circuit board when I accidentally knocked it.* Where did
you get your very thin wires from?


Yes, others have mentioned this danger as well, so I deliberately chose
to use flex rather than solid core, and for good measure the thinnest I
could find, which was ...

For the first I chose flex which in a former existence in a vinyl record
turntable deck had connected the cartridge holder on the end of the
playing arm to a connecting block on the underside of the deck.
However, as with so many record decks, it hummed, so I rewired the
playing arm with shielded cable, which did indeed remove the hum. There
was actually enough flex there to do both routers, but having got the
first working, I didn't want to hack it about again, so ...

For the second I used cable that previously in an old tape-recorder had
connected the recording/playback head to the PCB, which for the same
reason I had similarly rewired.

In both cases I kept the old cables all these years, as it happened long
after their original hardware had gone to the great scrapyard in the
sky, in a bits 'n' bobs of cables drawer, because I'm mean like that :-)

Until recently you used to be able to get the very thin shielded cable I
used as replacements from Maplin, from which you could've extracted the
cores, but they too have gone to the great scrapyard in the sky. If,
like me, you have kept all your old audio DIN cables used with old audio
kit, eg Grundig tape-recorders, which consisted of 2 (cheap) or 4 (full
spec) cores, which IIRC were individually screened and very thin, you
could remove the outer insulation and the shielding and use the cores.
Failing that, strip the cores out of a cheap new one - for example, I
would imagine the cores in this are pretty thin:

https://www.amazon.co.uk/kenable-Pho.../dp/B00M0FXR8A
  #7  
Old March 10th 19, 05:06 PM posted to uk.telecom.broadband,uk.telecom.mobile
Graham J[_3_]
external usenet poster
 
Posts: 54
Default Hacking the BT Home Hub 5a (was Routers)

Java Jive wrote:
On 10/03/2019 00:05, Michael Chare wrote:

I failed at my first attempt as the wire I attached ripped the circuit
copper of the circuit board when I accidentally knocked it.* Where did
you get your very thin wires from?


Yes, others have mentioned this danger as well, so I deliberately chose
to use flex rather than solid core, and for good measure the thinnest I
could find, which was ...


In a previous existence I used to design and build computer interface
cards and the like, generally using surface-mount components. When I
needed to make modifications I found the wire used for wire-wrap (30 AWG
solid) was good, and the wrapping tool had a special blade in its body
for stripping the insulation. If there was a need for flexibility I
stripped apart some ribbon cable - the sort once used for IDE disk
drives and the like.


--
Graham J
 




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
BT Hub Phone & Home Hub - is it SIP? Locked? B. Wright uk.telecom.voip (UK VOIP) 3 September 3rd 08 05:41 PM
Hacking BT Hub SBS uk.telecom.voip (UK VOIP) 6 January 30th 08 05:46 PM
'hacking' a Sky router /Tx2 uk.telecom.broadband (UK broadband) 24 December 7th 07 09:00 AM
Broadband hacking NoSpam uk.telecom.broadband (UK broadband) 3 August 18th 04 10:55 AM
Security and hacking - Basic Knowledge Webmaster uk.telecom.broadband (UK broadband) 9 October 21st 03 09:09 AM


All times are GMT +1. The time now is 05:45 AM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.Content Relevant URLs by vBSEO 2.4.0
Copyright 2004-2019 BroadbanterBanter.
The comments are property of their posters.