Photograph of BT voyager 205 router

The "Other Voyager Router" page.


The main page started getting a lot of non-205 action, particularly folk looking for ways to unlock the BT Voyager 2091 router to use with another ISP. Then it turns out that BT are adding this "capability" to other routers in their range. We know the 220, 210, and 2500 have been similarly nobbled, and perhaps others.

Here is a place, then, to share what we know so far. As we learn things, I will endeavour to put the information up here where you can easily get at it. Please note, I do not personally offer support or advice for these routers, simply provide a space where efforts to understand and hack these beasts can be coordinated. And a place to grab the hacked firmwares, of course.

What we know so far..

BT has started putting ISP-Locks on their routers. For a company that claims to be evironmentally friendly, this surely-criminal practice aims to create a mountain hardware that's soul function will be to pollute the environment. Our grandchildren will not thanks us.

While these devices are highly capable, they will be superceded, and unless we can bypass this insane "feature", discarding these perfectly functional units wil be the only option.

The BT Voyager 205 is not locked to any particular ISP, and when I eventually upgrade it, I will either pass it on to someone who needs it, or perhaps investigate turning the thing into an effects pedal. Hmm. What about the others..

210V ISP Unlocked!

The BT Voyager 210 has been cracked!
An unlocked firmware is available..

Check out the archive for an unlocked firmware.

The original email.. 
I added "_BB" to a file cfe-voyager210_roi-v301z_a2pb018c1
I downloaded from

https://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update

I calculated CRC32 on bytes 0-235 and put it in 4 bytes 236-239
I am using voyager 210 with non BT ISP !!!!!!!!!!
it is also uploaded to your blog ftp !!!!!!!

host it and let's see feedback from ppl with 210 !!!!!!!!!
please keep my name private !!!!!!!
And there you have it. If it works, or doesn't, leave feedback, below.

220V ISP Unlocked!

The BT Voyager 220 has been cracked!
An unlocked firmware is available..

An unlocked firmware is available in the archive. There's also a copy of the original Pre-Lock v1.6 firmware, courtesy of Mark Eldon, which should take your 220V back to a time when BT had a clue. As well as firmwares for the 220, there's also this cute JavaScript hack..

Big thanks and full credits go to C1 (lost1e (at) hotmail (dot) com) for the following, extremely cute hack. In his own words, roughly..

I just bypassed the domainLock on a new BT voyager [220V] that I was trying to get working on Eclipse for a friend.

No need to mess about with firmware or process lists, the solution really is incredibly simple thanks to a little JavaScript magic :)

1. Navigate (using Internet Explorer, FireFox is untested) to this URL:
http://192.168.1.1/connect.html (replace IP with whatever your voyager is)
The purpose of this is to make the connect page the only frame - other frames screw up the JavaScript below.

2. Open Notepad, and type in the following text exactly as it appears:
javascript:function C1() { if (domainLock == 1) { domainLock = 0; } } C1();
(the above must be all on 1 line).

3. You will notice that the connect page in your router refreshes every 10-20 seconds or so. After the next refresh, immediately copy and paste the text in step 2 into the URL bar of Internet Explorer and hit ENTER.

4. It will seem to you like nothing has happened - but now just enter (or preferably paste) your new ISP details in and hit connect - no more annoying "unsupported broadband service" message smilie for :D You must do all of this before the next refresh happens - so have everything ready in notepad for quick pasting.

IMPORTANT NOTE: This worked for me *AFTER* I had actually set up my new ISP (Eclipse) in the router's Telnet CLI - you will have to do this first. WAN settings are always VPI:0 VCI:38 PPPoATM, VCMUX encapsulation, and most other stuff can be left as default except your new ISP details. The above 4 steps simply allow you to CONNECT with your new ISP details AFTER the details are saved in the router.

This new hack has been confirmed to work with the Voyager 220V. But not other ISP-locked BT Voyager routers like the Voyager 210. If you have such a device, feel free to give it a try and leave feedback below!

Note: even the older Voyager 220 is still locked into BT's VOIP service, and at the time of writing, no way to unlock this aspect of its functionality is known. If you know better, please get down to the commment form!

BT Voyager 2091 UNLOCKED!

The BT Voyager 2091 has been cracked!
An unlocked firmware is available..

Apart from a rare and early release, all versions of the BT Voyager 2091 are "ISP-Locked", that is, BT has locked it so you can't use them with another ISP. More recently, 2091 users have unlocked it..

Extra big packet of Jube Jubes to Alessio for figuring out how to turn a Dynalink 1050W firmware into a working BT Voyager 2091 firmware (with a little help from SkayaWiki ), in his own words..

Hi,
I tried to put the Dynalink 1050W <https://www.dynalink.com.au/firmware.htm?prod=RTA1025W> firmware in my BT voyager 2091 Wireless router - they both use the BCM6348 Chipset (check the brochure https://www.dynalink.com.au/modemsadsl_cur.htm?prod=RTA1025W).

I did this pretty much what I found on https://skaya.enix.org/wiki/FirmwareFormat:

From the Voyager2091 - cfe-voyager2091_btr-v301m-a2pb018c1 I took from the very beginning of the file

36 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 56 32 30 39 31 5F 42 42 00 00 00 00 00 00 00 00 31 00

and copied into cfe-rta1025wnz-v328q_a2pb01. The first section of the firmware contains data about the vendor: now the Dynalink 1050w "sounds" like a Voyager 2091.

In the modified Dynalink 1050W firmware, I was not keen on touching the following section which contains size/address of loader/rootfs (this could make your router unusable!)
I calculated the checksum with flipped bits:

bytes 236-239: contains the checksum from byte 0 to byte 255 - the checksum is 43 6C F1 22

byte 216-219: contains the checksum from byte 256 to the end of file - the checksum is 82 12 7F 96

Then I saved the firmware and uploaded to the Voyager via web interface, the upload went fine and the Voyager rebooted, it went up without any problem.

Alessio is on BT himself, so Paulo whipped out his copy of XVI32, did the dirty with the two firmwares files, and successfully connected his 2091 to AOL. The rest, as they say, is history. *g*

Check out the Useful links section below for the file you need. Then follow this simple procedure (adapted from Dan's comment)..



2500V ISP Unlocked!

The BT Voyager 2500 has been cracked!
An unlocked firmware is available..

A firmware in the archive (untested). I have a few of these kicking around. If anyone has problems with any of the firmwares, leave a comment below, and I'll track down one of the others.

Voyager GPL Firmware..

Part of that many Voyager firmwares is GPL, and publicly available; we have recently aquired this. At this early stage, not much hacking as been done. If you want to download the firmware and have a crack at it yourself, the releases (as shipped for free on CD from BT) are available here..

corz.org public archive
collection of useful things
Unlocked BT Voyager 190 Firmware
Want to use your 190 with someone other that AOL. Grab this.
Unlocked BT Voyager 2091 Firmware
Want to use your 2091 with a different ISP? This is what you need.
Unlocked BT Voyager 210 Firmware
Want to use your 210 with a different ISP? Look here!
Unlocked BT Voyager 220 Firmware
Want to use your 220V with a different ISP? You have choices!
Unlocked BT Voyager 2500 Firmware
Want to use your 2500 with a different ISP? I recommend this.
Open WRT
promising open source router firmware.

Before you ask a question..

If you have a BT Voyager 205 router, try the main page . This is for the other routers. Feel free to ask questions, give advice, drop information, etc..

previous comments (twenty four pages)   show all comments

C1 - 09.04.06 9:37 am

I forgot to mention that one needs to input new ISP's username and password in the boxes before the above steps, so this should be step 1 and the above steps should be 2, 3 and 4.

I've just put my 220v on eBay, so if anyone wants me to look at the VOIP lock (if there is one) - you'll have to be quick ;-)

Iko - 09.04.06 11:18 am

Hi guys,
I'm an Italian man and I've some troubles with my Telit AR520 router (CastleNet AR520 router).
Just a few days ago I've discovered that router's control panel is visibel and open to external IP.
All my internet connections're dangerous!
Is someone there who could teach me step to step how I can lock and HIde my control panel to external IP?
You should write to my e-amil address (henrydix@libero.it).
I hope you would excuse me for my bad English!
Thanks to everyone will answer to my question.

Dan - 09.04.06 11:44 am

Hi

Tried latest fix on my Bt Voyager 2901 as posted above by C1 - 09.04.06 3:16 am
Seems to unlock to allow the broadband username and password to be accepted but then only displays a screen saying connecting ..but it never does !

any ideas ?

Cheers

cor - 09.04.06 12:07 pm

Iko, do these two things..

  • change your username/password to something other than the default. here.
    Currently it is admin/password.

    I know. I just logged in. smiley for :ken:

  • set your security level to something! probably "high". (at the moment it is set to "none"). Do that here.

DO THEM NOW!

Sadly, the page to set WAN admin access doesn't exist on the Viking II chipset. I tried to set it up in a telnet session to your router (I better logout now!), but it looks like the feature isn't supported..
$modify mctl access httpwanaccess disable
Error: Feature not supported
$get mctl ?
Command        Description
-------        -----------
access         MCTL Access command
inactivity     MCTL Inactivity command
iplist         MCTL IPLIST command
$get mctl access
Error: Feature not supported
But if you follow the two steps above and you should be just fine.

;o)

ps.. I will now mail you about this.

muz - 09.04.06 4:35 pm

hi - this all looks good for the 205, 2200 series of voyagers, but has anyone managed to unblock the voyager 10v ATA? doesn't have any routing capability but just voice. i've got one but it's tied to BT and would be good to use with other services - have a linksys ATA as well which i got unblocked...

let me know if anyone has any ideas on that.

thx
Marc

C1 - 09.04.06 7:06 pm

A kind soul has just offered via email to send me a 2091 in the post so that I can have a crack at unlocking it. No promises of course, but hopefully not long now ;-)

bloody bt - 10.04.06 12:19 am

hi there, i just got a bt voyager 2091, and currently have blueyonder broadband, how would i go about unlocking the router? do i need 2 connect the router to the pc with the usb lead??

Any help would b great.

Garnt

vof - 10.04.06 12:34 am

C1: Surprised you didn't find the Voice page in the 220V Configuration menu. VOIP is not strictly locked, more tied to BT's Broadband Voice service. If you enable it on that Voice page, you need to input various magic numbers that identify your BT BBV account. Only way apparently of using VOIP with this router.

You may be able to load the SIP config page (voicesipcfg.html, not mentioned in the menu) but it keeps refreshing before I have time to enter all the details. I don't think BT BBV uses SIP.

C1 - 10.04.06 2:08 am

I did find it, didn't realise what it was though, looked like just another one of BT's "value added" (ripoff) services which I have a natural urge to ignore :P

Does anyone have the 220v GPL firmware? I can't be arsed asking them for it, apparently they charge for "cd media and handling fee" - lol.

vof: "voicesipcfg.html" does not exist in the router's firmware. I know this because I've made a lot of progress this evening - managed to break out of the stupid BT "menu" in the telnet CLI and can now read/execute anything in the firmware - and even write to anything in /var/ (which is the only filesystem that is mounted read-write excluding /proc/). I'll post anything interesting that I come up with.

The above findings are great news for 2091 owners, means there are now many different angles of attack for disabling the ridiculous ISP lock smiley for :D

Below this line is just some random data I pulled from my 220v during this evening's hack-a-thon, including such things as the router's CPU benchmark(!), a dir listing of every web page on the router hidden or not, and filesystem information.
----------------------
# /bin/cat /proc/cpuinfo
system type : RTA1052V
processor : 0
cpu model : BCM6348 V0.7
BogoMIPS : 255.59 <--- very slow!!!
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
# /bin/mount
/dev/mtdblock0 on / type cramfs (ro)
/proc on /proc type proc (rw)
ramfs on /var type ramfs (rw)
# /bin/df -h
Filesystem Size Used Available Use% Mounted on
/dev/mtdblock0 1.8M 1.8M 0 100% / <--- LOL!
DIR LISTING OF ROUTER'S WEB SERVER:
BT_45pix_pos.gif accessaccount.html accessremote.html accessremoteerr.html adslc
fg.html advcfg.html asstart.html authfail.html authnumfail.html autoscan.html au
toscanerr.html autoscanstop.html berrun.html berstart.html berstop.html blue_blo
ck_border_top.gif btgui.css colors.css connect.gif connect.html connect_bottom.g
if connect_top.gif connoppp.html conprocess.html constatus.html ddnssetup.html d
elete.gif dhcperr.html dhcpmacflt.html dhcps.html diag.html disconnect.html dnsc
fg.html dotted_divider.gif dotted_line_blue.gif dotted_line_blue_149.gif dotted_
line_blue_270.gif dotted_line_blue_340.gif dotted_line_blue_470.gif dotted_line_
white.gif download.html downloadfail.html downloadfail2.html downloadinfo.html d
ownloadinfo1.html downloadinfo2.html empty.jpg footer.html footer_btm.gif footer
_top.gif help_adslline.html help_system.html index.html info.html infodsl.html i
nfodsl2.html infotracount.html infotracountreset.html ipfilteradd.html ipfilterm
odify.html ipoacfg.html lancfg.html lancfg2.html logofrm.html main.html menuTitl
e.js menuTree.js menu_advanced.html menu_diag.html menu_quickstart.html menu_red
advanced.html menu_status.html menu_system.html modify.gif navbar_footer.gif ntw
kprtcl.html ntwksum.html ntwksum2.html pppoe.html problem.gif problem_small.gif
processing.html psiError.html psiMenu.html psiSame.html pvccfg.html pvccfgerr.ht
ml qoscls.html qoscls2.html qoscls3.html qsvoice.html rebootinfo.html resetroute
r.html restart_now2.gif restorebackup.html restoreinfo.html right.gif routeadd.h
tml scdmz.html scprttrg.html scvrtsrv.html sidebar_curved_footer.gif sidebar_cur
ved_header.gif snmpconfig.html spacer.gif statsadslreset.html stylemain.css tabl
e_footer_large.gif tick.gif tick_small.gif title.gif title_420.gif unnumppp.html
upload.html uploadinfo.html uploadinfo1.html upnpcfg.html util.js v_del.gif v_e
dit.gif v_mtu.gif viewdhcprelist.html viewreiplist.html voicemgcpcfg.html voicem
gcpcfgprocess.html voicemgcpcodec.html voicemgcpcodecprocess.html voicemgcpcon.h
tml voicemgcpprocess.html voicemgcppstn.html voicemgcppstnprocess.html vpivci.ht
ml wancfg.html warn_bg.gif warn_box_bottom.gif welcome.gif

vof - 10.04.06 9:57 pm

C1: Thanks for that. Having been away, you may have missed many of the original posts on the subject of the Voyager 2xxx firmware - particularly in Feb - where a number of these points were mentioned.

It looks as if you may have different (older?) firmware to me. Mine is 2.18.01.12_A2pB016a.d15g. I've listed my webs directory at the end of this post - it includes a few SIP html files. This firmware version is not locked so finding an uploadable file copy of it would be great. The CD which came with my 220V does not include any firmware files at all.

********* If anyone has an uploadable file of Voyager 220V firmware version 2.18.01.12_A2pB016a.d15g, please let us know ***********

255.59 BogoMIPS seems to be the standard BCM6348 V0.7 speed - fast enough I think. (My Linux server runs on an old 450MHz K6/2, nominally 900 BogoMIPS but more than fast enough for that purpose smiley for :D)

The mtdblock0 device holds the compressed read-only filesystem in firmware, hence its 100% usage.

A couple of months ago, I received from BT - free smiley for :eek: - the GPL CD. I sent cor a copy and he has put it up as a torrent here - see the section about third way down this page. I've done some initial firmware build experiments but it needs a lot more work to produce a firmware build that I would have confidence in!

webs contents:
==========
BT_45pix_pos.gif menu_status.html
accessaccount.html menu_system.html
accessremote.html modify.gif
accessremoteerr.html navbar_footer.gif
adslcfg.html navbar_footer2100.gif
advcfg.html navbar_footer240.gif
asstart.html navbar_footeriad.gif
authfail.html ntwkprtcl.html
autoscan.html ntwksum.html
autoscanerr.html ntwksum2.html
autoscanstop.html pppoe.html
berrun.html problem.gif
berstart.html problem_small.gif
berstop.html processing.html
blue_block_border_top.gif psiError.html
btgui.css psiMenu.html
colors.css pvccfg.html
configdefault.html qoscls.html
confirm_cancel_adsl.html qoscls2.html
confirm_cancel_wireless.html qoscls3.html
confirm_chg_dial.html qsvoice.html
confirm_del.html rebootinfo.html
confirm_del_defconf.html resetrouter.html
confirm_del_dhcp.html restart_now.gif
confirm_del_route.html restart_now2.gif
confirm_del_wireless.html restorebackup.html
confirm_restart_voip.html restoreinfo.html
confirm_save_defconf.html right.gif
connect.gif routeadd.html
connect.html scdmz.html
connect_bottom.gif scprttrg.html
connect_top.gif scvrtsrv.html
connoppp.html sidebar_curved_footer.gif
conprocess.html sidebar_curved_header.gif
constatus.html snmpconfig.html
ddnssetup.html spacer.gif
delete.gif statsadslreset.html
dhcperr.html stylemain.css
dhcpmacflt.html table_footer_large.gif
dhcps.html tick.gif
diag.html tick_small.gif
dialplan.html title.gif
dialplan2.html title_420.gif
dialplancalling.html unnumppp.html
disconnect.html upload.html
dnscfg.html uploadinfo.html
dotted_divider.gif uploadinfo1.html
dotted_line_blue.gif upnpcfg.html
dotted_line_blue_149.gif util.js
dotted_line_blue_270.gif v_del.gif
dotted_line_blue_340.gif v_edit.gif
dotted_line_blue_470.gif v_mtu.gif
dotted_line_white.gif viewdhcprelist.html
empty.jpg viewreiplist.html
footer.html voicemgcpcfg.html
footer_btm.gif voicemgcpcfgprocess.html
footer_top.gif voicemgcpcodec.html
help_adslline.html voicemgcpcodecprocess.html
help_system.html voicemgcpcon.html
help_system2100.html voicemgcpprocess.html
index.html voicemgcppstn.html
info.html voicemgcppstnprocess.html
infodsl.html voicesipcfg.html
infodsl2.html voicesipcfgcalling.html
infotracount.html voicesipcfgprocess.html
infotracountreset.html voicesipcodec.html
ipfilteradd.html voicesipcodeccalling.html
ipfiltermodify.html voicesipcodecprocess.html
ipoacfg.html voicesipexten.html
lancfg.html voicesipextencalling.html
lancfg2.html voicesipextenprocess.html
logo_2100.gif voicesippstn.html
logofrm.html voicesippstncalling.html
main.html voicesippstnprocess.html
menu.html vpivci.html
menuBcm.js wancfg.html
menuTitle.js warn_bg.gif
menuTree.js warn_box_bottom.gif
menu_advanced.html welcome.gif
menu_diag.html welcome2100.gif
menu_quickstart.html welcome240.gif
menu_redadvanced.html welcomeiad.gif


h2 - 12.04.06 12:29 pm

i have just tried the NEW 220v unlock hack by C1, it lets me try to log in but after the screen refreshes about 6 times saying connecting it goes back to the connect page.
I have set my log on details in the router.
So we seem to be getting there but still cant connect.




next comments (24 pages)

Posting here is disabled at this time.