
Thread: BTHomeHub2 Default Router Algorithm

  1. #1
    Just burned his ISO
    Join Date
    May 2010
    Posts
    2

    BTHomeHub2 Default Router Algorithm

    Hi folks - first post!

    I have been following previous work conducted by several forum members exposing the default network key algorithms of various routers (i.e. Sky V1/V2, BTHomeHub V1, Tiscali etc).

    I have recently noticed that the BTHomeHub2 is becoming increasingly popular here in the UK and would like to try and secure some interest to assist in reverse engineering the algorithm in this baby. With such a large consumer base, any potential security defects should be explored in order to raise awareness of any exploitable problems.

    If anyone has done any work on this, is willing to contribute, or has any decent suggestions then please reply!

    Wikipedia info:-

    At the time of writing there are 2 versions of the BT Home Hub 2.0: the A and the B model. The hardware contained within the HomeHub v2.0A was manufactured by Thomson Speedtouch, who bought up Inventel and all their hardware and software rights. This model is electronically identical to the Thomson Speedtouch TG797n.

    The hardware contained within the HomeHub v2.0B was manufactured by Siemens's Gigaset division in Germany. The middleware was developed by Jungo, a subsidiary of NDS, and is based on their openRG product. The product is very similar to the smartBox sold by Orange Israel.

    Also, source code can be found at http://www.btyahoo.com/broadband/adh...s/gplcode.html which has been released under the GNU public licence. Hopefully someone has the expertise to pick through this and find the algorithm steps to encode SSID and network key.
    Last edited by rusty13; 05-03-2010 at 06:51 PM. Reason: Added additional information

  2. #2
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    1

    Re: BTHomeHub2 Default Router Algorithm

    I would also like to see something worked out here.

    I can provide a few BTHomeHub2 Mac addresses along with Serial/Default WPA keys.

    Searching the forum also displays a few.

  3. #3
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    3

    Re: BTHomeHub2 Default Router Algorithm

    Hey wilsey
    I am working on this algorithm, how could you provide those ESSIDs with MACs and default keys?

    I have about 6 of them, we can exchange if you want

    Thanks

  4. #4
    Just burned his ISO
    Join Date
    Aug 2010
    Posts
    1

    Re: BTHomeHub2 Default Router Algorithm

    I would also be very interested to find out how the default key is generated for the home hub 2.0. Had tried many different combinations of encoding and hashing the serial, mac and different variations of both.

    I have 2 genuine box details if anyone would like to exchange please PM me.

    It seems all the keys I have seen do not contain any zeros or ones. I built a random generator of a restricted set of hexadecimal values to concatenate millions of keys piped through to Pyrit, using the power of an Nvidia GTX 295 GPU. I have been able to match my own default keys by fixing the format of the last five, if it was a letter or a number.

    I keep thinking it has to be something obvious, as I have noticed default keys from hubs manufactured around the same time to be very similar in format where the last 5 characters are concerned.

    Would be good to see others ideas on this.

  5. #5
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    24

    Re: BTHomeHub2 Default Router Algorithm

    Hello ALL

    This link might help you. I know it's not ver 2 but still something might pop up

    I have started working on it already. Can also provide you with a few MACs, S/Ns and SSIDs if required
    Last edited by pi4r0n; 12-16-2010 at 10:44 PM.

  6. #6
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    3

    Re: BTHomeHub2 Default Router Algorithm

    Hey what is wrong, so long and no one yet was able to crack the algorithm of BTHv2?

    Now we have full access to all the files on router etc.


    Maybe there is a way of using the router to generate the password itself by changing the serial number in the firmware?

    If that would be possible then we could generate rainbow tables of all default passwords not knowing the algorithm

  7. #7
    Just burned his ISO
    Join Date
    May 2010
    Posts
    2

    Re: BTHomeHub2 Default Router Algorithm

    Originally Posted by extreme:
    Hey what is wrong, so long and no one yet was able to crack the algorithm of BTHv2?

    Now we have full access to all the files on router etc.


    Maybe there is a way of using the router to generate the password itself by changing the serial number in the firmware?

    If that would be possible then we could generate rainbow tables of all default passwords not knowing the algorithm
    Any progress here folks? Does anyone have a BThomehub to try the above suggestion?

  8. #8
    Just burned their ISO
    Join Date
    Oct 2010
    Posts
    14

    Re: BTHomeHub2 Default Router Algorithm

    This was achieved for the first BTHomeHub routers

    http://www.gnucitizen.org/blog/defau...e-hub-routers/

    Someone even created a web frontend for doing it

    http://www.md5this.com/speedtoucher/speedtouchIT.html

    but it doesn't work for BTHomeHub2
    bearing in mind this router has probably the largest share in the UK of all routers, it should make it worth the time to backcode

    watching the thread

  9. #9
    Member
    Join Date
    Jun 2008
    Posts
    50

    Re: BTHomeHub2 Default Router Algorithm

    Had a quick look and it looks like the install.sh makes a wget to http://jpkg.jungo.com/jpkg/jpkg . This file is encrypted by the looks of it (someone else have a look). I suspect this configures the WPA key.

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Posts
    33

    Re: BTHomeHub2 Default Router Algorithm

    This would be quite interesting for me too. I also have 2 BTHomeHub2 routers, I can supply default serial numbers and WPA keys too if anyone is interested
