The "Other Voyager Router" page.


The main page started getting a lot of non-205 action, particularly folk looking for ways to unlock the BT Voyager 2091 router to use with another ISP. Then it turns out that BT are adding this "capability" to other routers in their range. We know the 220, 210, and 2500 have been similarly nobbled, and perhaps others.

Here is a place, then, to share what we know so far. As we learn things, I will endeavour to put the information up here where you can easily get at it. Please note, I do not personally offer support or advice for these routers, simply provide a space where efforts to understand and hack these beasts can be coordinated. And a place to grab the hacked firmwares, of course.

What we know so far..

BT has started putting ISP-Locks on their routers. For a company that claims to be environmentally friendly, this surely-criminal practice aims to create a mountain of hardware whose sole function will be to pollute the environment. Our grandchildren will not thank us.

While these devices are highly capable, they will be superseded, and unless we can bypass this insane "feature", discarding these perfectly functional units will be the only option.

The BT Voyager 205 is not locked to any particular ISP, and when I eventually upgrade it, I will either pass it on to someone who needs it, or perhaps investigate turning the thing into an effects pedal. Hmm. What about the others..

210V ISP Unlocked!

The BT Voyager 210 has been cracked!
An unlocked firmware is available..

Check out the archive for an unlocked firmware.

The original email..
I added "_BB" to a file cfe-voyager210_roi-v301z_a2pb018c1
I downloaded from

https://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update

I calculated CRC32 on bytes 0-235 and put it in 4 bytes 236-239
I am using voyager 210 with non BT ISP !!!!!!!!!!
it is also uploaded to your blog ftp !!!!!!!

host it and let's see feedback from ppl with 210 !!!!!!!!!
please keep my name private !!!!!!!
And there you have it. If it works, or doesn't, leave feedback, below.

220V ISP Unlocked!

The BT Voyager 220 has been cracked!
An unlocked firmware is available..

An unlocked firmware is available in the archive. There's also a copy of the original Pre-Lock v1.6 firmware, courtesy of Mark Eldon, which should take your 220V back to a time when BT had a clue. As well as firmwares for the 220, there's also this cute JavaScript hack..

Big thanks and full credits go to C1 (lost1e (at) hotmail (dot) com) for the following, extremely cute hack. In his own words, roughly..

I just bypassed the domainLock on a new BT voyager [220V] that I was trying to get working on Eclipse for a friend.

No need to mess about with firmware or process lists, the solution really is incredibly simple thanks to a little JavaScript magic :)

1. Navigate (using Internet Explorer, FireFox is untested) to this URL:
http://192.168.1.1/connect.html (replace IP with whatever your voyager is)
The purpose of this is to make the connect page the only frame - other frames screw up the JavaScript below.

2. Open Notepad, and type in the following text exactly as it appears:
javascript:function C1() { if (domainLock == 1) { domainLock = 0; } } C1();
(the above must be all on 1 line).

3. You will notice that the connect page in your router refreshes every 10-20 seconds or so. After the next refresh, immediately copy and paste the text in step 2 into the URL bar of Internet Explorer and hit ENTER.

4. It will seem to you like nothing has happened - but now just enter (or preferably paste) your new ISP details in and hit connect - no more annoying "unsupported broadband service" message :D You must do all of this before the next refresh happens - so have everything ready in notepad for quick pasting.

IMPORTANT NOTE: This worked for me *AFTER* I had actually set up my new ISP (Eclipse) in the router's Telnet CLI - you will have to do this first. WAN settings are always VPI:0 VCI:38 PPPoATM, VCMUX encapsulation, and most other stuff can be left as default except your new ISP details. The above 4 steps simply allow you to CONNECT with your new ISP details AFTER the details are saved in the router.

This new hack has been confirmed to work with the Voyager 220V, but not with other ISP-locked BT Voyager routers like the Voyager 210. If you have such a device, feel free to give it a try and leave feedback below!

Note: even the older Voyager 220 is still locked into BT's VOIP service, and at the time of writing, no way to unlock this aspect of its functionality is known. If you know better, please get down to the comment form!

BT Voyager 2091 UNLOCKED!

The BT Voyager 2091 has been cracked!
An unlocked firmware is available..

Apart from a rare and early release, all versions of the BT Voyager 2091 are "ISP-Locked", that is, BT has locked it so you can't use them with another ISP. More recently, 2091 users have unlocked it..

Extra big packet of Jube Jubes to Alessio for figuring out how to turn a Dynalink 1050W firmware into a working BT Voyager 2091 firmware (with a little help from SkayaWiki), in his own words..

Hi,
I tried to put the Dynalink 1050W <https://www.dynalink.com.au/firmware.htm?prod=RTA1025W> firmware in my BT voyager 2091 Wireless router - they both use the BCM6348 Chipset (check the brochure https://www.dynalink.com.au/modemsadsl_cur.htm?prod=RTA1025W).

I did pretty much what I found on https://skaya.enix.org/wiki/FirmwareFormat:

From the Voyager2091 - cfe-voyager2091_btr-v301m-a2pb018c1 I took from the very beginning of the file

36 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 56 32 30 39 31 5F 42 42 00 00 00 00 00 00 00 00 31 00

and copied into cfe-rta1025wnz-v328q_a2pb01. The first section of the firmware contains data about the vendor: now the Dynalink 1050w "sounds" like a Voyager 2091.

In the modified Dynalink 1050W firmware, I was not keen on touching the following section which contains size/address of loader/rootfs (this could make your router unusable!)
I calculated the checksum with flipped bits:

bytes 236-239: contains the checksum from byte 0 to byte 255 - the checksum is 43 6C F1 22

byte 216-219: contains the checksum from byte 256 to the end of file - the checksum is 82 12 7F 96

Then I saved the firmware and uploaded to the Voyager via web interface, the upload went fine and the Voyager rebooted, it went up without any problem.

Alessio is on BT himself, so Paulo whipped out his copy of XVI32, did the dirty with the two firmwares files, and successfully connected his 2091 to AOL. The rest, as they say, is history. *g*
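
Both emails above hinge on the same two header checksums, so here is a way to check them before an image goes anywhere near a router. This Python check is an added example, not code from this page or from any of the contributors; it assumes "flipped bits" means the bitwise complement of the standard CRC-32 stored big-endian, takes the header range 0-235 from the 210 email, and runs against a constructed dummy image rather than a real firmware:

```python
import struct
import zlib

HEADER_LEN = 256      # image data starts at byte 256
IMAGE_CRC_OFF = 216   # bytes 216-219: checksum of byte 256 to end of file
HEADER_CRC_OFF = 236  # bytes 236-239: checksum of bytes 0-235


def flipped_crc32(data: bytes) -> int:
    # Assumption: "flipped bits" = standard CRC-32 with all 32 bits inverted.
    return ~zlib.crc32(data) & 0xFFFFFFFF


def check_image(blob: bytes) -> dict:
    """Recompute both checksums and compare them with the stored values."""
    if len(blob) <= HEADER_LEN:
        raise ValueError("too short: need a 256-byte header plus image data")
    stored_img, = struct.unpack_from(">I", blob, IMAGE_CRC_OFF)
    stored_hdr, = struct.unpack_from(">I", blob, HEADER_CRC_OFF)
    return {
        "image_ok": stored_img == flipped_crc32(blob[HEADER_LEN:]),
        "header_ok": stored_hdr == flipped_crc32(blob[:HEADER_CRC_OFF]),
    }


def build_sample(board_id: bytes = b"V2091_BB") -> bytes:
    """Constructed dummy image (not real firmware) with valid checksums."""
    body = bytes(range(256)) * 4
    hdr = bytearray(HEADER_LEN)
    hdr[44:44 + len(board_id)] = board_id  # offset chosen for this sample
    # The image checksum lives inside bytes 0-235, so it must be written
    # before the header checksum that covers it.
    struct.pack_into(">I", hdr, IMAGE_CRC_OFF, flipped_crc32(body))
    struct.pack_into(">I", hdr, HEADER_CRC_OFF, flipped_crc32(bytes(hdr[:HEADER_CRC_OFF])))
    return bytes(hdr) + body


def flip_byte(blob: bytes, offset: int) -> bytes:
    """Return a copy with one byte altered, to simulate corruption or editing."""
    out = bytearray(blob)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    good = build_sample()
    print("intact       ", check_image(good))
    print("header edited", check_image(flip_byte(good, 44)))
    print("body edited  ", check_image(flip_byte(good, 300)))
```

A CRC only catches changes that were not followed by a recalculation; anyone can recompute it, so a passing result says nothing about who produced the image.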

Check out the Useful links section below for the file you need. Then follow this simple procedure (adapted from Dan's comment)..



2500V ISP Unlocked!

The BT Voyager 2500 has been cracked!
An unlocked firmware is available..

A firmware in the archive (untested). I have a few of these kicking around. If anyone has problems with any of the firmwares, leave a comment below, and I'll track down one of the others.

Voyager GPL Firmware..

Part of many Voyager firmwares is GPL, and publicly available; we have recently acquired this. At this early stage, not much hacking has been done. If you want to download the firmware and have a crack at it yourself, the releases (as shipped for free on CD from BT) are available here..

Before you ask a question..

If you have a BT Voyager 205 router, try the main page. This is for the other routers. Feel free to ask questions, give advice, drop information, etc..


patrick - 13.06.06 9:19 pm

Hello Folks -
thank you for the hack unlocking the 2091...
i have been following this site for a long while and sooo pleased there are excellent tech-minded people out there
just one question: i have managed to unlock the 2091, but it seems to refuse to run on wireless...

Any suggestions would be hugely welcome!

thanks
P


AoL_HaTeR - 14.06.06 11:46 am

@southwestcd - your text shows Function domainlock not found ... but you're supposed to be calling function domainLock (according to the text further up).

Check your capitalisation ;)


jukeboxwizard - 14.06.06 10:09 pm

Hey Cor...all done...check your email...


Alessio - 14.06.06 10:40 pm

Hi guys,
I haven't checked this site for a while, but you're really doing a great job here.

jukeboxwizard,

check this out for some ideas on the firmware- and let us know what's in the 2500 box

Once the 2500 is unlocked (it looks like it won't take long :D), shall we go for some exotic stuff with these routerz?

Cheers

Alessio


jukeboxwizard - 15.06.06 10:48 am

Ok, just for you Alessio !


Note: If you have problem with Backspace key, please make sure you configure your terminal emulator settings. For instance, from HyperTerminal you would need to use File->Properties->Setting->Back Space key sends.


Main Menu

1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Reset to Default
12. Save and Reboot
13. Exit
-> sh


BusyBox v0.60.4 (2006.02.10-03:26+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# mount
/dev/mtdblock0 on / type cramfs (ro)
/proc on /proc type proc (rw)
ramfs on /var type ramfs (rw)
#
#
# cat /proc/version
Linux version 2.4.17 (michaelc@AskeyBrcmServer) (gcc version 3.1) #1 Fri Feb 10 11:19:28 CST 2006
#
#
# cat /proc/cpuinfo
system type : V2500V_BB
processor : 0
cpu model : BCM6348 V0.7
BogoMIPS : 239.20
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
#
#
# cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 14499840 13828096 671744 0 466944 3747840
Swap: 0 0 0
MemTotal: 14160 kB
MemFree: 656 kB
MemShared: 0 kB
Buffers: 456 kB
Cached: 3660 kB
SwapCached: 0 kB
Active: 1220 kB
Inactive: 6052 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 14160 kB
LowFree: 656 kB
SwapTotal: 0 kB
SwapFree: 0 kB
#
#
# cat /proc/modules
ipt_state 552 2
ipt_mark 364 1
ipt_limit 956 2
ipt_TCPMSS 2524 0 (unused)
ipt_REDIRECT 708 2
ipt_MASQUERADE 1380 1
ipt_MARK 668 8
ipt_LOG 3532 2
ipt_FTOS 972 0 (unused)
ip_nat_tftp 1784 0 (unused)
ip_nat_rtsp 5448 0 (unused)
ip_nat_pptp 1708 0 (unused)
ip_nat_irc 2360 0 (unused)
ip_nat_ipsec 37040 0 (unused)
ip_nat_h323 2672 0 (unused)
ip_nat_ftp 3192 0 (unused)
ip_conntrack_tftp 1676 0 (unused)
ip_conntrack_rtsp 8284 0 (unused)
ip_conntrack_pptp 3260 0 (unused)
ip_conntrack_irc 2828 0 (unused)
ip_conntrack_ipsec 20684 0 (unused)
ip_conntrack_h323 2060 0 (unused)
ip_conntrack_ftp 3932 0 (unused)
iptable_mangle 1900 0 (unused)
iptable_nat 19656 8 ipt_REDIRECT ipt_MASQUERADE ip_nat_tftp ip_nat_rtsp ip_nat_pptp ip_nat_irc ip_nat_ipsec ip_nat_h323 ip_nat_ftp
ip_conntrack 22880 9 ipt_state ipt_REDIRECT ipt_MASQUERADE ip_nat_tftp ip_nat_rtsp ip_nat_irc ip_nat_ipsec ip_nat_h323 ip_nat_ftp ip_conntrack_tftp ip_conntrack_rtsp ip_conntrack_pptp ip_conntrack_irc ip_conntrack_ipsec ip_conntrack_h323 ip_conntrack_ftp iptable_nat
iptable_filter 1708 0 (unused)
ip_tables 14624 14 ipt_state ipt_mark ipt_limit ipt_TCPMSS ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_LOG ipt_FTOS iptable_mangle iptable_nat iptable_filter
bcm_usb 17920 0
bcm_enet 21208 2
wl 408752 0 (unused)
endpointdd 1080384 0 (unused)
bcmprocfs 14968 0
adsldd 136564 0 (unused)
blaa 8132 0 (unused)
atmapi 51952 0 adsldd blaa
#
#
# cat /proc/pci
PCI devices found:
Bus 0, device 1, function 0:
Class 0280: PCI device 14e4:4318 (rev 2).
IRQ 32.
Non-prefetchable 32 bit memory at 0x8000000 0x8001fff.
#
#
# ps
PID TTY Uid Size State Command
1 admin 2716 S init
2 admin 0 S keventd
3 admin 0 S ksoftirqd_CPU0
4 admin 0 S kswapd
5 admin 0 S bdflush
6 admin 0 S kupdated
7 admin 0 S mtdblockd
13 admin 2772 S -sh
55 admin 2916 S cfm
72 admin 2916 S cfm
98 admin 588 S pvc2684d
325 admin 2916 S sshd
326 admin 2940 S telnetd
329 admin 676 S dhcpd
333 admin 944 S bftpd
334 admin 2700 S tftpd
401 admin 2976 S httpd
403 admin 2712 S vodsl sipstart 3
407 admin 2712 S vodsl sipstart 3
408 admin 2712 S vodsl sipstart 3
409 admin 2712 S vodsl sipstart 3
410 admin 2712 S vodsl sipstart 3
411 admin 2712 S vodsl sipstart 3
419 admin 676 S dproxy
420 admin 2712 S vodsl sipstart 3
421 admin 2712 S vodsl sipstart 3
422 admin 2712 S vodsl sipstart 3
423 admin 2712 S vodsl sipstart 3
431 admin 1224 S pppd -c 0.38.1 -a 0.0.38 -u voyager2500v.u
438 admin 2712 S vodsl sipstart 3
439 admin 2712 S vodsl sipstart 3
440 admin 2712 S vodsl sipstart 3
441 admin 2712 S vodsl sipstart 3
442 admin 2712 S vodsl sipstart 3
756 admin 792 S upnp -L br0 -W ppp_0_38_1 -D
804 admin 3368 S iad
833 admin 3368 S iad
834 admin 3368 S iad
835 admin 3368 S iad
1089 ttyp0 admin 2952 S telnetd
1106 ttyp0 admin 2760 S sh -c sh
1107 ttyp0 admin 2772 S sh
1114 ttyp0 admin 2712 R ps
#
#
#

Bye bye. Have a nice day!!!


I also received an email back from Askey, telling me that there are "many" models of this router, and they have variations in their firmware, suggested that the model number should be RTA1046VW-?? the ?? denoting which firmware should be in it I assume. I have replied to them telling them there is no such ID mark on the router anywhere I can see, and I have included some photos of the board refs and chips etc to see if they can id the router and supply the firmware....the saga continues...


jukeboxwizard - 15.06.06 10:55 am

ok, this is going to sound really dumb....prolly cos they are dumb questions to ask...

Does anyone here know the url for the upgrade page for the 2500V ?
or does anyone know of a way to sniff the ip address etc that the firmware is running off to in order to get the update details ?
I figure if we can spot that, then at least Andy could snag a copy of the latest "unlocked" firmware from BT themselves :)

I was hoping the ip_conntrack would show up something, but alas no...


rgds


DIBDAB - 15.06.06 12:40 pm

I have just got me a 2500v and a bit confused on how to crack it can some one help please.


bob2eyes - 15.06.06 1:23 pm

can anyone tell me another way to upgrade the firmware for a voyager 2091.
when i upgrade my screen goes white and does nothing and the lights on router dont go green. ive been tryin for ages please help

thnx


Skull - 15.06.06 1:24 pm

jukeboxwizard here is a link I found, http://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update, hope it helps


mick - 15.06.06 5:05 pm

can anyone help me with bt2500v

