Home > Uncategorized > BT HomeHub3 – rooting

BT HomeHub3 – rooting

# Downgrade firmware to exploitable OpenRG version
Available from google or direct from BT (HUB3A_4.‎)

# Set a new admin password on the HomeHub3A web interface now

# Create a USB key with a Samba directory traversal exploit
dd ext3.img to your USB key
Plug the USB key into the HomeHub3A (MD5 (ext3.img) = 859324f7d69fd618d6a63049766e9f52)

# Enable access to the CLI
# - Use the symlink to traverse to the root dir on the HomeHub3A,
#   hooking a telnet daemon into the Samba service

smbclient -U admin '\\\USB1'
lcd /tmp
mget smb.conf
mget utelnetd
cd sys\etc
mput smb.conf
mput utelnetd
# - Mount the share as the admin user to start the telnet daemon

# Log in to the newly started telnet service and start the SSH CLI
telnet 4002

# Enable SSH for the admin user
conf set /admin/user/0/permissions/ssh 1
# Dont drop SSH or SNMP packets from WIFI or LAN to the HomeHub
conf set fw/policy/0/chain/fw_br0_in/rule/0/enabled 0
conf set fw/policy/0/chain/fw_br1_in/rule/0/enabled 0
# Save the configuration
conf reconf 1

# (Optional)
# - Allow SSH access from the WAN port (internet)
conf set ssh/remote_access 1
# - Allow use of homehub with other ISPs
conf set persistent/bt/domain_locking/enabled 0
# - Disable the BT Agent (An IPSEC remote access tool?)
conf set bt/bt_agent/enabled 0
conf set fw/rule/remote_access/2/action drop
# - Disable SAAF
conf set bt/saaf/enabled 0
# - Allow inbound ping packets to the HomeHub from WAN port (internet)
conf set fw/rule/remote_access/1/action accept_conn
# - Disable UPNP
conf set upnp/igd/enabled 0
conf set upnp/tr064/enabled 0
# - Disable openwifi (btfon?)
conf set bt/openwifi/1/enabled 0
# - Set NTP servers
conf set admin/tod/server/0/name 0.uk.pool.ntp.org
conf set admin/tod/server/1/name 1.uk.pool.ntp.org
conf set admin/tod/server/2/name 2.uk.pool.ntp.org
# - Dont email klog to jungo.com
conf set klog/email/enabled 0
# - Set the Samba workgroup and Samba hostname to something else
conf set fs/workgroup WORKGROUP
conf set fs/hostname lust
# - Set the systems vhostname to something else and delete an alternate BT one
conf set dns/vhostname/0/hostname lust
conf del dns/vhostname/1
# - Save the configuration
conf reconf 1
Tags: , ,
  1. peter
    September 16, 2013 at 23:40

    Hello Inkhornne

    Many thanks for your posts. Is there anyway that one could have static ARP to try and get Wake on LAN to work properly? It seems the router clears it’s ARP cache after a few mins and WOL packets don’t get passed on. Something similar to below?

    arpadd intf=LocalNetwork ip=192.168.1.?? hwaddr=6c:f0:??:??:??:??

    The ip is your PC you want to wake and the hwaddr is the MAC address of that PC’s network card.

    Can this be added in the configuration?

    Thanks for your help.

  2. July 12, 2016 at 16:41

    Thanks for that. Is there a problem with the ext3.img file though? If I write that image to a USB stick, I can’t read it in Windows, and the Home Hub 3 router says “(File type not supported)”. I should be able to see files and folders right?

    I’ve tried 3 different USB sticks, two versions of DiskImage, and also dd, but I’ve never been able to read anything off the USB stick afterwards.

    The version of ext3.img I have is 33,208,222 bytes, and MD5 checksum 859324F7D69FD618D6A63049766E9F52.

    Thanks in advance for any help. Mark

    • July 14, 2016 at 09:54

      The ext3.img is fine, I confirm for you:
      MD5 (ext3.img) = 859324f7d69fd618d6a63049766e9f52

      Don’t worry about not being able to view files and folders on the USB key after writing the image,
      the rest of the process will still work if you have downgraded the firmware initially.

      • July 30, 2016 at 02:22

        Thanks for that, and sorry for the delay. I’m up and running now having run into the following problems:

        writing to the physical drive instead of the disk from DiskImage
        possibly two bad USB sticks, both very old (I bought a new one)
        assuming that I’d be able to read the image in Windows (it worked in Ubuntu)
        At some point, I had to start using instead of usb1. I have no idea why.
        I also had a problem when I was telneting to the router that the smb.conf somehow kept getting overwritten after maybe a minute or two, so that I couldn’t get a connection. I tried and failed a few times to connect to the router with kitty, and changing directories didn’t help, but somehow I did finally get a telnet connection.

        Thanks again!

  1. April 2, 2015 at 23:46

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: