Unlocking BT HomeHub 5a

Why Do This?

There are various reasons for doing this; the main one is to gain more control over the router, which allows you to add more features.
Features the default firmware does not have: QoS, VPN, DNSCrypt, Dnsmasq, VLANs, DynDNS, live traffic analysis.
All of these can be added with OpenWrt.

What is OpenWrt?

Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with optional package management.

This frees you from the restrictions of the application selection and configuration provided by the vendor and allows you to use packages to customize an embedded device to suit any application.

For developers, OpenWrt provides a framework to build an application without having to create a complete firmware image and distribution around it.

For users, this means the freedom of full customization, allowing the use of an embedded device in ways the vendor never envisioned.

Disclaimer: I have been modding routers, switches & embedded devices for years.
This article is just a writeup & not really meant as a guide. (info is intentionally missing)
I would not recommend anyone try this without previous experience in soldering & hardware modification.

BT HomeHub 5a is only supported by the trunk (testing/dev) build of OpenWrt

HomeHub 5a Spec

Bootloader: U-Boot
SoC: Lantiq Xway VR9 VRX268 PSB 80910 (MIPS 34Kc) v1.2.1
CPU/Speed: 500 MHz
NAND Flash: 128MiB Spansion ML01G100BHI00
RAM: DDR2 128MiB @ 250MHz Samsung
Wireless: Atheros AR9227 b/g/n 2x2 + Qualcomm QCA9880-BR4A a/b/g/n+ac 3x3
Ethernet: 5x 10/100/1000 BASE-TX Ethernet
xDSL: Lantiq XWAY VRX208
    ADSL1/2/2+ (G.992.1/3/5) Annexes A, B, I, J, M, L,
    VDSL1 (G.993.1, T1.424, TS 101 270),
    VDSL2 (G.993.2),
    ITU-T G 998.2 Bonding,
    EFM (IEEE 802.3ah)
USB: 1x USB 2.0

Serial UART

To start with, we need to solder to some SMD pads, which are really small.
To get an idea of how small the points are, here is an image of the full PCB.

[Image: hh5a_internal]

We need to solder to the UART points below the flash memory, R77 & R78, which trace back to SoC VRX268 pins B22 & C23.
U-Boot doesn’t have a bootdelay variable, so we also need to solder to BOOT_SEL2 to enable UART.

Here is a zoomed image of the points after soldering (R77, R78, R45).

[Image: serial_bootsel_solder]

Connect up a serial device to TXD, RXD & GND (R77 is TXD, R78 is RXD, R45 is BOOT_SEL2).
I used a CH340G USB to Serial adapter. It’s also possible to use a Raspberry Pi.

U-Boot

To boot the device over UART, you need to connect BOOT_SEL2 to GND when powering on the device.

You should see this message on powering the device:

ROM VER: 1.1.4
CFG 04
UART

If BOOT_SEL2 is not grounded you will see:

ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK

After you see UART, send the U-Boot ramdisk image over serial (using picocom + cat on Linux).

You should see:

Board: BT Home Hub 5A
SoC:   Lantiq VRX268 v1.2
CPU:   125 MHz
IO:    125 MHz
BUS:   125 MHz
BOOT:  UART
DRAM:  128 MiB
NAND:  128 MiB
Using default environment
In:    Serial
Out:   Serial
Err:   Serial
Net:   ltq-eth
BTHOMEHUBV5A #

Once U-Boot is loaded, upload the OpenWrt install image over TFTP: use tftpboot from U-Boot to download the image to memory, then boot from memory using bootm.

Backup NAND

Before continuing, make sure you back up the current NAND flash memory (128MB) to USB storage or over netcat.

mkdir /mnt/usb
mount /dev/sda1 /mnt/usb
nanddump -f /mnt/usb/hh5a.nanddump /dev/mtd6
dd if=/dev/mtd6 of=/mnt/usb/hh5a.dd

[Image: hh5a_nanddump]

Backup UBI Calibration Data

Create a backup of the calibration data (required for full functionality).

Detach any existing UBI devices

ubidetach -m 4
ubidetach -m 5

Attach UBI & Backup (if errors occur do not continue)

ubiattach -m 5
dd if=/dev/ubi0_3 of=/tmp/hh5a-caldata-backup
cp /tmp/hh5a-caldata-backup /mnt/usb/hh5a-caldata-backup
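
Before running anything that wipes the flash, it is worth confirming that the copies on USB are readable and identical to what was dumped. The following is an added example, not part of the original write-up or of OpenWrt's scripts; the helper names are hypothetical, the file names mirror the commands above, and it assumes sha256sum is available on the device.

```shell
#!/bin/sh
# Added example: confirm the backups are intact before any step that wipes flash.
# File names follow the commands in this write-up; the helper names are hypothetical.

# Print only the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_copy SRC DST: succeed only if both files exist, are non-empty
# and have the same digest (catches a truncated or corrupted USB copy).
verify_copy() {
    [ -s "$1" ] || { echo "FAIL: $1 missing or empty" >&2; return 1; }
    [ -s "$2" ] || { echo "FAIL: $2 missing or empty" >&2; return 1; }
    if [ "$(sha256_of "$1")" != "$(sha256_of "$2")" ]; then
        echo "FAIL: $2 differs from $1" >&2
        return 1
    fi
    echo "OK: $2 matches $1"
}

# record_hashes DIR: write DIR/SHA256SUMS covering every hh5a* backup file and
# re-read the files to check them against it, so the set can be re-verified
# later on another machine with "sha256sum -c SHA256SUMS".
record_hashes() {
    ( cd "$1" && sha256sum hh5a* > SHA256SUMS && sha256sum -c SHA256SUMS >/dev/null )
}

# check_backups WORKDIR USBDIR: gate to run before the install script.
check_backups() {
    verify_copy "$1/hh5a-caldata-backup" "$2/hh5a-caldata-backup" || return 1
    for f in hh5a.nanddump hh5a.dd; do
        [ -s "$2/$f" ] || { echo "FAIL: $2/$f missing or empty" >&2; return 1; }
    done
    record_hashes "$2" || return 1
    echo "Backups verified; hashes recorded in $2/SHA256SUMS"
}

# Run against the paths used above only when asked to: sh verify.sh run
if [ "${1:-}" = "run" ]; then
    check_backups /tmp /mnt/usb
fi
```

Copy SHA256SUMS off the device along with the dumps so the backups can be checked again before they are ever needed for a restore.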

Installing Unlocked U-Boot & OpenWrt

If you are using the installation image provided by OpenWrt, there should be a script to overwrite U-Boot & keep the calibration data.

./hh5a-uboot-install.sh

Read & follow the prompts

This script will wipe your flash and install u-boot on your BT HH5A
WARNING: DO NOT CONTINUE unless you have backups!

Once this has finished, you should have an unlocked U-Boot & are now ready to install an OpenWrt image.

The BT HomeHub 5a is only supported by the trunk (testing/dev) build so you will need to compile from source using the OpenWrt build system or use a custom prebuilt image.

To install an image you need to use sysupgrade.
Build or download an image & copy it to the device, then run sysupgrade to install.

On reboot the device will boot to the UART prompt.

Power cycle the device & you should now see OpenWrt booting.

[Image: openwrt_logo]
