Photograph of BT voyager 205 router

The "Other Voyager Router" page.


The main page started getting a lot of non-205 action, particularly folk looking for ways to unlock the BT Voyager 2091 router to use with another ISP. Then it turns out that BT are adding this "capability" to other routers in their range. We know the 220, 210, and 2500 have been similarly nobbled, and perhaps others.

Here is a place, then, to share what we know so far. As we learn things, I will endeavour to put the information up here where you can easily get at it. Please note, I do not personally offer support or advice for these routers, simply provide a space where efforts to understand and hack these beasts can be coordinated. And a place to grab the hacked firmwares, of course.

What we know so far..

BT has started putting ISP-Locks on their routers. For a company that claims to be environmentally friendly, this surely-criminal practice aims to create a mountain of hardware whose sole function will be to pollute the environment. Our grandchildren will not thank us.

While these devices are highly capable, they will be superseded, and unless we can bypass this insane "feature", discarding these perfectly functional units will be the only option.

The BT Voyager 205 is not locked to any particular ISP, and when I eventually upgrade it, I will either pass it on to someone who needs it, or perhaps investigate turning the thing into an effects pedal. Hmm. What about the others..

210V ISP Unlocked!

The BT Voyager 210 has been cracked!
An unlocked firmware is available..

Check out the archive for an unlocked firmware.

The original email..
I added "_BB" to a file cfe-voyager210_roi-v301z_a2pb018c1
I downloaded from

https://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update

I calculated CRC32 on bytes 0-235 and put it in 4 bytes 236-239
I am using voyager 210 with non BT ISP !!!!!!!!!!
it is also uploaded to your blog ftp !!!!!!!

host it and let's see feedback from ppl with 210 !!!!!!!!!
please keep my name private !!!!!!!
And there you have it. If it works, or doesn't, leave feedback, below.

220V ISP Unlocked!

The BT Voyager 220 has been cracked!
An unlocked firmware is available..

An unlocked firmware is available in the archive. There's also a copy of the original Pre-Lock v1.6 firmware, courtesy of Mark Eldon, which should take your 220V back to a time when BT had a clue. As well as firmwares for the 220, there's also this cute JavaScript hack..

Big thanks and full credits go to C1 (lost1e (at) hotmail (dot) com) for the following, extremely cute hack. In his own words, roughly..

I just bypassed the domainLock on a new BT voyager [220V] that I was trying to get working on Eclipse for a friend.

No need to mess about with firmware or process lists, the solution really is incredibly simple thanks to a little JavaScript magic :)

1. Navigate (using Internet Explorer, FireFox is untested) to this URL:
http://192.168.1.1/connect.html (replace IP with whatever your voyager is)
The purpose of this is to make the connect page the only frame - other frames screw up the JavaScript below.

2. Open Notepad, and type in the following text exactly as it appears:
javascript:function C1() { if (domainLock == 1) { domainLock = 0; } } C1();
(the above must be all on 1 line).

3. You will notice that the connect page in your router refreshes every 10-20 seconds or so. After the next refresh, immediately copy and paste the text in step 2 into the URL bar of Internet Explorer and hit ENTER.

4. It will seem to you like nothing has happened - but now just enter (or preferably paste) your new ISP details in and hit connect - no more annoying "unsupported broadband service" message :D You must do all of this before the next refresh happens - so have everything ready in notepad for quick pasting.

IMPORTANT NOTE: This worked for me *AFTER* I had actually set up my new ISP (Eclipse) in the router's Telnet CLI - you will have to do this first. WAN settings are always VPI:0 VCI:38 PPPoATM, VCMUX encapsulation, and most other stuff can be left as default except your new ISP details. The above 4 steps simply allow you to CONNECT with your new ISP details AFTER the details are saved in the router.

This new hack has been confirmed to work with the Voyager 220V, but not with other ISP-locked BT Voyager routers like the Voyager 210. If you have such a device, feel free to give it a try and leave feedback below!

Note: even the older Voyager 220 is still locked into BT's VOIP service, and at the time of writing, no way to unlock this aspect of its functionality is known. If you know better, please get down to the comment form!

BT Voyager 2091 UNLOCKED!

The BT Voyager 2091 has been cracked!
An unlocked firmware is available..

Apart from a rare and early release, all versions of the BT Voyager 2091 are "ISP-Locked", that is, BT has locked it so you can't use them with another ISP. More recently, 2091 users have unlocked it..

Extra big packet of Jube Jubes to Alessio for figuring out how to turn a Dynalink 1050W firmware into a working BT Voyager 2091 firmware (with a little help from SkayaWiki), in his own words..

Hi,
I tried to put the Dynalink 1050W <https://www.dynalink.com.au/firmware.htm?prod=RTA1025W> firmware in my BT voyager 2091 Wireless router - they both use the BCM6348 Chipset (check the brochure https://www.dynalink.com.au/modemsadsl_cur.htm?prod=RTA1025W).

I did pretty much what I found on https://skaya.enix.org/wiki/FirmwareFormat:

From the Voyager2091 - cfe-voyager2091_btr-v301m-a2pb018c1 I took from the very beginning of the file

36 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 56 32 30 39 31 5F 42 42 00 00 00 00 00 00 00 00 31 00

and copied into cfe-rta1025wnz-v328q_a2pb01. The first section of the firmware contains data about the vendor: now the Dynalink 1050w "sounds" like a Voyager 2091.

In the modified Dynalink 1050W firmware, I was not keen on touching the following section which contains size/address of loader/rootfs (this could make your router unusable!)
I calculated the checksum with flipped bits:

bytes 236-239: contains the checksum from byte 0 to byte 255 - the checksum is 43 6C F1 22

byte 216-219: contains the checksum from byte 256 to the end of file - the checksum is 82 12 7F 96

Then I saved the firmware and uploaded to the Voyager via web interface, the upload went fine and the Voyager rebooted, it went up without any problem.

Alessio is on BT himself, so Paulo whipped out his copy of XVI32, did the dirty with the two firmwares files, and successfully connected his 2091 to AOL. The rest, as they say, is history. *g*
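
The header and body checksums described in the two emails above (the 210 one and Alessio's), as an added example that is not from the original page or its contributors: a checker that reports whether a firmware file's 256-byte header is self-consistent before it goes anywhere near the upload form. Assumptions: the header checksum covers bytes 0-235 as the 210 email states, "flipped bits" means the complement of standard CRC32, values are stored big-endian, and the board ID sits at offset 44 as in the quoted hex dump; `check_image` and `build_sample` are names made up here.

```python
import struct
import zlib

TAG_LEN = 256        # header length; the body checksum starts at byte 256
IMG_CRC_OFF = 216    # bytes 216-219: checksum of byte 256 to end of file
HDR_CRC_OFF = 236    # bytes 236-239: checksum of header bytes 0-235
BOARD_ID_OFF = 44    # assumed: where "V2091_BB" sits in the quoted hex dump


def tag_crc(data: bytes) -> int:
    # Assumption: "flipped bits" = bitwise complement of the standard CRC32.
    return ~zlib.crc32(data) & 0xFFFFFFFF


def check_image(image: bytes) -> dict:
    """Report the board ID and whether each stored checksum matches the file."""
    if len(image) <= TAG_LEN:
        raise ValueError("file is not longer than its 256-byte header")
    tag, body = image[:TAG_LEN], image[TAG_LEN:]
    hdr_crc, = struct.unpack_from(">I", tag, HDR_CRC_OFF)  # assumed big-endian
    img_crc, = struct.unpack_from(">I", tag, IMG_CRC_OFF)
    board = tag[BOARD_ID_OFF:BOARD_ID_OFF + 16].split(b"\0")[0]
    return {
        "board_id": board.decode("ascii", "replace"),
        "header_ok": hdr_crc == tag_crc(tag[:HDR_CRC_OFF]),
        "body_ok": img_crc == tag_crc(body),
    }


def build_sample(board_id: bytes, body: bytes) -> bytes:
    """Constructed stand-in for a firmware file: zeroed header, ID, checksums."""
    tag = bytearray(TAG_LEN)
    tag[BOARD_ID_OFF:BOARD_ID_OFF + len(board_id)] = board_id
    # Body checksum first: it lies inside the range the header checksum covers.
    struct.pack_into(">I", tag, IMG_CRC_OFF, tag_crc(body))
    struct.pack_into(">I", tag, HDR_CRC_OFF, tag_crc(bytes(tag[:HDR_CRC_OFF])))
    return bytes(tag) + body


if __name__ == "__main__":
    good = build_sample(b"V2091_BB", b"\x5a" * 1024)   # constructed, not real firmware
    print(check_image(good))
    damaged = bytearray(good)
    damaged[300] ^= 0x01                                # one flipped bit in the body
    print(check_image(bytes(damaged)))
```

Both checksums are unkeyed, so they catch a corrupted download or a half-finished hex edit but say nothing about who produced the file; that is why a recomputed CRC was all the router's upload page asked for.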

Check out the Useful links section below for the file you need. Then follow this simple procedure (adapted from Dan's comment)..



2500V ISP Unlocked!

The BT Voyager 2500 has been cracked!
An unlocked firmware is available..

A firmware in the archive (untested). I have a few of these kicking around. If anyone has problems with any of the firmwares, leave a comment below, and I'll track down one of the others.

Voyager GPL Firmware..

Part of many Voyager firmwares is GPL, and publicly available; we have recently acquired this. At this early stage, not much hacking has been done. If you want to download the firmware and have a crack at it yourself, the releases (as shipped for free on CD from BT) are available here..

Before you ask a question..

If you have a BT Voyager 205 router, try the main page. This is for the other routers. Feel free to ask questions, give advice, drop information, etc..



h2 - 12.04.06 12:29 pm

I have just tried the NEW 220v unlock hack by C1, it lets me try to log in but after the screen refreshes about 6 times saying connecting it goes back to the connect page.
I have set my log on details in the router.
So we seem to be getting there but still can't connect.





C1 - 12.04.06 5:33 pm

That means you entered your userid or password incorrectly.
I can assure you it does work, I just tried it on both my BT and Eclipse ADSL lines after a complete factory reset of the router - it connected just fine... Although I am using Firefox not Internet Explorer...


Barry - 12.04.06 7:58 pm

Let us know how you get on C1 with your experimenting with the 2091 as I'm another one unfortunate enough to require an ISP unlock as I use Tiscali BB. Cheers


SCOOBY - 12.04.06 9:42 pm

How did you get on with 2091 hack C1, I am another fed up customer of BT, and want to change ISP. Thanks


stephanjs - 13.04.06 3:54 pm

C1: I have the same problems as h2. The log in details are correct. There is something else preventing it from logging on to other ISP. I have checked from the other end (the ISP) and there is no indication of an attempt to log on. So, my conclusion is that it may pass a shell but still does not do the actual logging on bit.
I have given up for the moment and will wait until someone else comes up with a working crack or a new firmware. :eek:


C1 - 13.04.06 7:27 pm

h2/stephanjs: What version of the firmware are you using? You are DEFINITELY using BT Voyager 220v's?

2091 owners: My 2091 arrived just now, many many thanks to our generous benefactor who sent it to me :) I'll post an update in a few hours, no promises of course!


C1 - 13.04.06 10:55 pm

Right, 3 hours later, this f*cking device is doing my head in.

Made huge progress, got a root shell and coaxed the connection string out of it (which means one can control the whole damn thing without having to use the web interface OR the stupid CLI "menu"). But just when I figured out exactly how to force it into making a PPP connection to a non-BT ISP, it denied me right at the very last hurdle!!!

The firmware for the 220v, 2091 and probably lots of other models is identical, or extremely close to being identical. So flashing a 2091 with an older unlockable 220v firmware will probably work, and vice-versa(!!!). The recent 220v/2091 firmware has a much more robust ISP locking mechanism, it's built right into the pppd binary so it would appear that flashing with a hacked/old firmware is the only way to unlock these devices.

I've tried absolutely everything for the last 3 hours, the pppd binary will not establish a ppp connection if the username is not one of BT's, it's hardcoded right into the binary so it ignores all config files like chap-secrets and psi.xml!

Ways forward: Need to get a hackable pppd binary from an older 220v onto there somehow. Perhaps if it was TFTP'd to the ramdisk in /var/ somehow, then executed from there? The firmware's busybox includes a TFTP client... Failing that, it's new firmware time!

Findings: I'll post my finding here, I'm fortunate enough to have 2 ADSL lines one of which is BT, so I can see what happens when the router makes a successful connection and what happens when it is denied. You can see the warning message in the second one, and the blank name = "" value which should not be blank...

Successful connection to BT ISP:
# pppd -c 0.38.1 -a 0.0.38 -d -u a123456@hg28.btclick.com -p password -f 0 -w 1
500
PPP: PPP_0_38_1 is standby and ready to connect(PPP connection is not up yet)...
PPP: PPP_0_38_1 Start to connect ...
using channel 11
Using interface ppp0_38_1
Connect: ppp_0_38_1 <-->
sent [lcp confreq id=0x1 <mru 1500> <magic 0x8a62e13e>]
rcvd [lcp confreq id=0x0 <auth chap md5> <magic 0x27f3e198>]
sent [lcp confack id=0x0 <auth chap md5> <magic 0x27f3e198>]
sent [lcp confreq id=0x1 <mru 1500> <magic 0x8a62e13e>]
rcvd [lcp confack id=0x1 <mru 1500> <magic 0x8a62e13e>]
sent [lcp echoreq id=0x0 magic=0x8a62e13e]
rcvd [chap challenge id=0xf6 <2ba0c3b5fb068b94d46433ac8be7118a>, name = "ERX19.M
anchester4"]
sent [chap response id=0xf6 <1cd07848f49b51672b2e68a12dfca8ac>, name = "a123456@
hg28.btclick.com"]
rcvd [lcp echorep id=0x0 magic=0x27f3e198]
rcvd [chap success id=0xf6 ""]
sent [ipcp confreq id=0x1 <addr 0.0.0.0> <compress vj 0f 01> <ms-dns1 0.0.0.0> <
ms-dns3 0.0.0.0>]
rcvd [ipcp confrej id=0x1 <compress vj 0f 01>]
sent [ipcp confreq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
rcvd [ipcp confnak id=0x2 <addr 82.123.236.98> <ms-dns1 194.72.0.98> <ms-dns3 19
4.72.9.38>]
sent [ipcp confreq id=0x3 <addr 82.123.236.98> <ms-dns1 194.72.0.98> <ms-dns3 19
4.72.9.38>]
rcvd [ipcp confack id=0x3 <addr 82.123.236.98> <ms-dns1 194.72.0.98> <ms-dns3 19
4.72.9.38>]
rcvd [ipcp confreq id=0x70 <addr 217.47.108.58>]
sent [ipcp confack id=0x70 <addr 217.47.108.58>]
Failed to create /var/fyi/sys/dns: No such file or directory
local  IP address 82.123.236.98
remote IP address 217.47.108.58
primary   DNS address 194.72.0.98
secondary DNS address 194.72.9.38
PPP: PPP0_38_1 Connection Up.


Failed connection to a non-BT ISP (Eclipse):
# pppd -c 0.38.1 -a 0.0.38 -d -u na12345@adsl.eclipse.co.uk -p password -f 0 -w 1500
Invalid domain = [na12345@adsl.eclipse.co.uk]
PPP username is out of valid domains.
PPP: PPP_0_38_1 is standby and ready to connect(PPP connection is not up yet)...
PPP: PPP_0_38_1 Start to connect ...
using channel 16
Using interface ppp0_38_1
Connect: ppp_0_38_1 <-->
sent [lcp confreq id=0x1 <mru 1500> <magic 0x48b6b7cf>]
rcvd [lcp confreq id=0x1 <auth chap md5> <magic 0x8f6c9d57>]
sent [lcp confack id=0x1 <auth chap md5> <magic 0x8f6c9d57>]
rcvd [lcp confreq id=0x2 <auth chap md5> <magic 0x8f6c9d57>]
sent [lcp confack id=0x2 <auth chap md5> <magic 0x8f6c9d57>]
sent [lcp confreq id=0x1 <mru 1500> <magic 0x48b6b7cf>]
rcvd [lcp confack id=0x1 <mru 1500> <magic 0x48b6b7cf>]
sent [lcp echoreq id=0x0 magic=0x48b6b7cf]
rcvd [chap challenge id=0x1 <7915caa978af84c7e0845fa9ae5161b4>, name = "ESR4.Man
chester5"]
sent [chap response id=0x1 <5dd83630bd2c7ff65b8529dc6357e256>, name = ""]
rcvd [lcp echorep id=0x0 magic=0x8f6c9d57]
rcvd [chap failure id=0x1 "Authentication failed"]
Remote message: Authentication failed
CHAP authentication failed
sent [lcp termreq id=0x2 "Failed to authenticate ourselves to peer"]
PPP: Authentication failed.
rcvd [LCP TermReq id=0x3]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x2]
Connection terminated.
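
The two captures in the comment above differ in exactly the places C1 points at: the local "Invalid domain" warning and the empty name in the CHAP response. As an added example (not C1's code, and not part of the original thread), this parser rejoins the packets the terminal wrapped at 80 columns and pulls those fields out of a pppd debug capture; the function names and the `locked_out` flag are made up here.

```python
import re

# Lines excerpted from the two captures above, keeping the terminal's 80-column wrap.
FAILED = '''Invalid domain = [na12345@adsl.eclipse.co.uk]
rcvd [chap challenge id=0x1 <7915caa978af84c7e0845fa9ae5161b4>, name = "ESR4.Man
chester5"]
sent [chap response id=0x1 <5dd83630bd2c7ff65b8529dc6357e256>, name = ""]
rcvd [chap failure id=0x1 "Authentication failed"]
'''
OK = '''rcvd [chap challenge id=0xf6 <2ba0c3b5fb068b94d46433ac8be7118a>, name = "ERX19.M
anchester4"]
sent [chap response id=0xf6 <1cd07848f49b51672b2e68a12dfca8ac>, name = "a123456@
hg28.btclick.com"]
rcvd [chap success id=0xf6 ""]
'''


def unwrap(text):
    """Rejoin 'sent [...]' / 'rcvd [...]' packets that were split across lines."""
    out, pending = [], None
    for line in text.splitlines():
        if pending is not None:
            pending += line
            if line.rstrip().endswith("]"):
                out.append(pending)
                pending = None
        elif re.match(r"(sent|rcvd) \[", line) and not line.rstrip().endswith("]"):
            pending = line
        else:
            out.append(line)
    return out + ([pending] if pending is not None else [])


def analyze(text):
    """Summarise one pppd debug capture: local rejection, CHAP names, outcome."""
    r = {"rejected_user": None, "peer": None, "response_name": None, "outcome": None}
    for line in unwrap(text):
        if m := re.match(r"Invalid domain = \[(.*)\]", line):
            r["rejected_user"] = m.group(1)
        elif m := re.match(r"(?:sent|rcvd) \[chap (\w+) ", line):
            name = re.search(r'name = "([^"]*)"', line)
            if m.group(1) == "challenge" and name:
                r["peer"] = name.group(1)
            elif m.group(1) == "response" and name:
                r["response_name"] = name.group(1)
            elif m.group(1) in ("success", "failure"):
                r["outcome"] = m.group(1)
    # Signature of the failed capture: username rejected locally, then an empty CHAP name.
    r["locked_out"] = r["rejected_user"] is not None and r["response_name"] == ""
    return r
```

Calling `analyze(FAILED)` and `analyze(OK)` gives the side-by-side view: the ISP's authentication failure in the first is a consequence of the router sending no username at all, not of a wrong password.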



Zibri (zibree@gmail.com) - 15.04.06 9:32 pm

Please HELP
I need the voyager.firmware cd with sources...
I downloaded the torrent but it can't even get the tracker..

Please !
Can Anyone write me an email to arrange the download somehow ?

Thanks in advance.



Zibri (zibree@gmail.com) - 15.04.06 9:50 pm

PLEASE HELP ME.


Dan - 17.04.06 1:29 pm

no pressure but any progress on the 2901 ?


C1 - 18.04.06 8:46 am

The 2091 (and more recent 220v's, and the 4-port ethernet version of the 2091) is going to take quite some time before they can be unlocked - I'm talking weeks/months as the firmware itself needs to be modified (see above posts). So watch this space, but don't hold your breath :P

