BT HomeHub3 – rooting
# Downgrade firmware to exploitable OpenRG version 4.7.5.1.83.8.57
# Available from google or direct from BT (HUB3A_4.7.5.1.83.8.57_prod.exe)
http://192.168.1.254/firmware_upgrade

# Set a new admin password on the HomeHub3A web interface now
http://192.168.1.254

# Create a USB key with a Samba directory traversal exploit
# - dd ext3.img to your USB key
# - Plug the USB key into the HomeHub3A
# (MD5 (ext3.img) = 859324f7d69fd618d6a63049766e9f52)

# Enable access to the CLI
# - Use the symlink to traverse to the root dir on the HomeHub3A,
#   hooking a telnet daemon into the Samba service
smbclient -U admin '\\192.168.1.254\USB1'
lcd /tmp
mget smb.conf
mget utelnetd
cd sys\etc
mput smb.conf
mput utelnetd
exit

# - Mount the share as the admin user to start the telnet daemon
smb:\\admin@192.168.1.254\USB1

# Log in to the newly started telnet service and start the SSH CLI
telnet 192.168.1.254 4002
ssh_cli

# Enable SSH for the admin user
conf set /admin/user/0/permissions/ssh 1

# Don't drop SSH or SNMP packets from WIFI or LAN to the HomeHub
conf set fw/policy/0/chain/fw_br0_in/rule/0/enabled 0
conf set fw/policy/0/chain/fw_br1_in/rule/0/enabled 0

# Save the configuration
conf reconf 1

# (Optional)
# - Allow SSH access from the WAN port (internet)
conf set ssh/remote_access 1

# - Allow use of homehub with other ISPs
conf set persistent/bt/domain_locking/enabled 0

# - Disable the BT Agent (An IPSEC remote access tool?)
conf set bt/bt_agent/enabled 0
conf set fw/rule/remote_access/2/action drop

# - Disable SAAF
conf set bt/saaf/enabled 0

# - Allow inbound ping packets to the HomeHub from WAN port (internet)
conf set fw/rule/remote_access/1/action accept_conn

# - Disable UPNP
conf set upnp/igd/enabled 0
conf set upnp/tr064/enabled 0

# - Disable openwifi (btfon?)
conf set bt/openwifi/1/enabled 0

# - Set NTP servers
conf set admin/tod/server/0/name 0.uk.pool.ntp.org
conf set admin/tod/server/1/name 1.uk.pool.ntp.org
conf set admin/tod/server/2/name 2.uk.pool.ntp.org

# - Don't email klog to jungo.com
conf set klog/email/enabled 0

# - Set the Samba workgroup and Samba hostname to something else
conf set fs/workgroup WORKGROUP
conf set fs/hostname lust

# - Set the system's vhostname to something else and delete an alternate BT one
conf set dns/vhostname/0/hostname lust
conf del dns/vhostname/1

# - Save the configuration
conf reconf 1
Hello Inkhornne
Many thanks for your posts. Is there any way that one could have static ARP to try and get Wake on LAN to work properly? It seems the router clears its ARP cache after a few mins and WOL packets don’t get passed on. Something similar to below?
arpadd intf=LocalNetwork ip=192.168.1.?? hwaddr=6c:f0:??:??:??:??
The ip is your PC you want to wake and the hwaddr is the MAC address of that PC’s network card.
Can this be added in the configuration?
Thanks for your help.
Thanks for that. Is there a problem with the ext3.img file though? If I write that image to a USB stick, I can’t read it in Windows, and the Home Hub 3 router says “(File type not supported)”. I should be able to see files and folders right?
I’ve tried 3 different USB sticks, two versions of DiskImage, and also dd, but I’ve never been able to read anything off the USB stick afterwards.
The version of ext3.img I have is 33,208,222 bytes, and MD5 checksum 859324F7D69FD618D6A63049766E9F52.
Thanks in advance for any help. Mark
The ext3.img is fine, I confirm for you:
MD5 (ext3.img) = 859324f7d69fd618d6a63049766e9f52
Don’t worry about not being able to view files and folders on the USB key after writing the image,
the rest of the process will still work if you have downgraded the firmware initially.
Thanks for that, and sorry for the delay. I’m up and running now having run into the following problems:
writing to the physical drive instead of the disk from DiskImage
possibly two bad USB sticks, both very old (I bought a new one)
assuming that I’d be able to read the image in Windows (it worked in Ubuntu)
At some point, I had to start using 192.168.1.254/usb2 instead of usb1. I have no idea why.
I also had a problem when I was telnetting to the router that the smb.conf somehow kept getting overwritten after maybe a minute or two, so that I couldn’t get a connection. I tried and failed a few times to connect to the router with kitty, and changing directories didn’t help, but somehow I did finally get a telnet connection.
Thanks again!