Photograph of BT voyager 205 router

The "Other Voyager Router" page.


The main page started getting a lot of non-205 action, particularly folk looking for ways to unlock the BT Voyager 2091 router to use with another ISP. Then it turns out that BT are adding this "capability" to other routers in their range. We know the 220, 210, and 2500 have been similarly nobbled, and perhaps others.

Here is a place, then, to share what we know so far. As we learn things, I will endeavour to put the information up here where you can easily get at it. Please note, I do not personally offer support or advice for these routers, simply provide a space where efforts to understand and hack these beasts can be coordinated. And a place to grab the hacked firmwares, of course.

What we know so far..

BT has started putting ISP-Locks on their routers. For a company that claims to be evironmentally friendly, this surely-criminal practice aims to create a mountain hardware that's soul function will be to pollute the environment. Our grandchildren will not thanks us.

While these devices are highly capable, they will be superceded, and unless we can bypass this insane "feature", discarding these perfectly functional units wil be the only option.

The BT Voyager 205 is not locked to any particular ISP, and when I eventually upgrade it, I will either pass it on to someone who needs it, or perhaps investigate turning the thing into an effects pedal. Hmm. What about the others..

210V ISP Unlocked!

The BT Voyager 210 has been cracked!
An unlocked firmware is available..

Check out the archive for an unlocked firmware.

The original email..
I added "_BB" to a file cfe-voyager210_roi-v301z_a2pb018c1
I downloaded from

http://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update

I calculated CRC32 on bytes 0-235 and put it in 4 bytes 236-239
I am using voyager 210 with non BT ISP !!!!!!!!!!
it is also uploaded to your blog ftp !!!!!!!

host it and let's see feedback from ppl with 210 !!!!!!!!!
please keep my name private !!!!!!!
And there you have it. If it works, or doesn't, leave feedback, below.

220V ISP Unlocked!

The BT Voyager 220 has been cracked!
An unlocked firmware is available..

An unlocked firmware is available in the archive. There's also a copy of the original Pre-Lock v1.6 firmware, courtesy of Mark Eldon, which should take your 220V back to a time when BT had a clue. As well as firmwares for the 220, there's also this cute JavaScript hack..

Big thanks and full credits go to C1 (lost1e (at) hotmail (dot) com) for the following, extremely cute hack. In his own words, roughly..

I just bypassed the domainLock on a new BT voyager [220V] that I was trying to get working on Eclipse for a friend.

No need to mess about with firmware or process lists, the solution really is incredibly simple thanks to a little JavaScript magic :)

1. Navigate (using Internet Explorer, FireFox is untested) to this URL:
http://192.168.1.1/connect.html (replace IP with whatever your voyager is)
The purpose of this is to make the connect page the only frame - other frames screw up the JavaScript below.

2. Open Notepad, and type in the following text exactly as it appears:
javascript:function C1() { if (domainLock == 1) { domainLock = 0; } } C1();
(the above must be all on 1 line).

3. You will notice that the connect page in your router refreshes every 10-20 seconds or so. After the next refresh, immediately copy and paste the text in step 2 into the URL bar of Internet Explorer and hit ENTER.

4. It will seem to you like nothing has happened - but now just enter (or preferably paste) your new ISP details in and hit connect - no more annoying "unsupported broadband service" message smilie for :D You must do all of this before the next refresh happens - so have everything ready in notepad for quick pasting.

IMPORTANT NOTE: This worked for me *AFTER* I had actually set up my new ISP (Eclipse) in the router's Telnet CLI - you will have to do this first. WAN settings are always VPI:0 VCI:38 PPPoATM, VCMUX encapsulation, and most other stuff can be left as default except your new ISP details. The above 4 steps simply allow you to CONNECT with your new ISP details AFTER the details are saved in the router.

This new hack has been confirmed to work with the Voyager 220V. But not other ISP-locked BT Voyager routers like the Voyager 210. If you have such a device, feel free to give it a try and leave feedback below!

Note: even the older Voyager 220 is still locked into BT's VOIP service, and at the time of writing, no way to unlock this aspect of its functionality is known. If you know better, please get down to the commment form!

BT Voyager 2091 UNLOCKED!

The BT Voyager 2091 has been cracked!
An unlocked firmware is available..

Apart from a rare and early release, all versions of the BT Voyager 2091 are "ISP-Locked", that is, BT has locked it so you can't use them with another ISP. More recently, 2091 users have unlocked it..

Extra big packet of Jube Jubes to Alessio for figuring out how to turn a Dynalink 1050W firmware into a working BT Voyager 2091 firmware (with a little help from SkayaWiki ), in his own words..

Hi,
I tried to put the Dynalink 1050W <http://www.dynalink.com.au/firmware.htm?prod=RTA1025W> firmware in my BT voyager 2091 Wireless router - they both use the BCM6348 Chipset (check the brochure http://www.dynalink.com.au/modemsadsl_cur.htm?prod=RTA1025W).

I did this pretty much what I found on http://skaya.enix.org/wiki/FirmwareFormat:

From the Voyager2091 - cfe-voyager2091_btr-v301m-a2pb018c1 I took from the very beginning of the file

36 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 56 32 30 39 31 5F 42 42 00 00 00 00 00 00 00 00 31 00

and copied into cfe-rta1025wnz-v328q_a2pb01. The first section of the firmware contains data about the vendor: now the Dynalink 1050w "sounds" like a Voyager 2091.

In the modified Dynalink 1050W firmware, I was not keen on touching the following section which contains size/address of loader/rootfs (this could make your router unusable!)
I calculated the checksum with flipped bits:

bytes 236-239: contains the checksum from byte 0 to byte 255 - the checksum is 43 6C F1 22

byte 216-219: contains the checksum from byte 256 to the end of file - the checksum is 82 12 7F 96

Then I saved the firmware and uploaded to the Voyager via web interface, the upload went fine and the Voyager rebooted, it went up without any problem.

Alessio is on BT himself, so Paulo whipped out his copy of XVI32, did the dirty with the two firmwares files, and successfully connected his 2091 to AOL. The rest, as they say, is history. *g*

Check out the Useful links section below for the file you need. Then follow this simple procedure (adapted from Dan's comment)..



2500V ISP Unlocked!

The BT Voyager 2500 has been cracked!
An unlocked firmware is available..

A firmware in the archive (untested). I have a few of these kicking around. If anyone has problems with any of the firmwares, leave a comment below, and I'll track down one of the others.

Voyager GPL Firmware..

Part of that many Voyager firmwares is GPL, and publicly available; we have recently aquired this. At this early stage, not much hacking as been done. If you want to download the firmware and have a crack at it yourself, the releases (as shipped for free on CD from BT) are available here..

Before you ask a question..

If you have a BT Voyager 205 router, try the main page . This is for the other routers. Feel free to ask questions, give advice, drop information, etc..


previous comments (fourty seven pages)   show all comments

colin - 13.02.08 5:45 am

Hi,
Can someone tell me how to unlock my bt voyager 2500v to work with any isp
Many thanks
Col


ryooda - 19.02.08 1:12 pm

col, check out the main page. It's up there!

Mike, maybe it has a bridge mode you could use.

MArtin, Lucas - is the vpi/vci setting correct?

Great page, thanks!!


digitaldazz - 25.02.08 1:46 am

Hi Cor,

I hope you can help me, I am trying to update the unlocked firmware on my 2091 which has the 1025w firmware on. I have obtained the updated firware and am trying to calculate the checksums as described in the process. but the first checksum area includes both checksums.

how does this work?

I am using xvi32 to calculate the blocks of checksums.
but cant seem to get it right?

Cheers



steve - 26.02.08 8:17 pm

Hi all, Just want to say Thankx. The firmware you cracked for the voyager2091 worked sweet as a nut!. You are a STAR!!.


MacMic - 26.02.08 11:11 pm

I'm new here and very impressed by the clever stuff I'm seeing. I don't know whether my question is too easy or too hard (or maybe just off-topic!).

I have just had my dead Voyager 205 replaced by a 210. The downside for me is that I used to use the Ethernet connection for a wireless transmitter and the USB connection to a (non-wireless) Mac. Reading the specs, I see that BT only have a USB driver for Windows not Mac. Any suggestions for an easy work-around?

Thanks for any help,

MacMic


cor - 28.02.08 11:09 am

digitaldazz, dunno dude, I never did do a lot of actual firmware hacking, I was more at the blowing-them-up end of things. Perhaps Alessio or someone might know, though. If you haven't cracked it yet, and want to send me your mail addy, I could pass it along, or just prod a few peeps, perhaps.

MacMic, add a switch, maybe; plug everything into that. You know, life would probably be a lot easier for you if you splashed out on a proper wireless-enabled router, or better yet, used something like (the wonderful and totally free) IPCop, and a regular broadband modem.

IPCop works like a router, only better, and because it's a real puter, you can plug *anything* into it; Wi-Fi dongles, whatever you like, expanding and customizing it your exact requirements; of course, it works right out of the box, too, just like a black-box router. An old laptop (even one with a broken screen) and an IPCop CD, is all you need.

Mike, it's always good to see another IPCop user. But now you have too much functionality. What you really need is a plain old modem, not some funky router. ryooda is right, a bridge mode (if the 190 has one) would make the router act like "just a modem", which is exactly what you need. This..

http://www.voyager.bt.com/wired_routers/voyager_190/downloads/BT%20Voyager%20190%20product%20specifications.pdf

seems to suggest its doable.

;o) Cor


MacMic - 28.02.08 11:35 pm

Thanks for the response, Cor. I'm getting a switch for now and will maybe try something more advanced later.

I had thought that since there already seems to be a Linux driver for the 210, maybe for the Mac OS X Unix system there would be something similar around.

Thanks,

MacMic


cor - 29.02.08 9:40 am

BT's OSX support is almost non-existant these days, except where the modems is manufactured by others (i.e. Thomson). I guess they expect if you are advanced enough to be using an OSX-capable Mac, you'll also be using Ethernet or WiFi.

I tend to agree, USB is for keyboards and cameras!

;o) Cor


digitaldazz - 29.02.08 5:51 pm

Thanks Cor, but I managed to create a new firmware for the 2091 with the latest 1025w firmware. The checksum description in the how to is a bit wrong. If your interested it should be written;

Bytes 0 to 236 are the file header of which bytes 216 to 219 are the checksum for the data part which
is at bytes 256 to EOF. To calculate the checksum, first you must make the CRC32 of bytes 256 to EOF,
you'll get something like 3A63B72E - convert it to binary, flip the bits then convert back to hex.

CRC32 3A63B72E 00111010011000111011011100101110
flipped C59C48D1 11000101100111000100100011010001

Using some hex editor like Hex Workshop, over type bytes 216, 217, 218, 219(This doesnt change so you can skip this first checksum!). Next make a CRC32 of bytes
0 to 235 and use the same bit flipping method as above. Then over type bytes 236, 237, 238, 239. Once you have
done this and saved the firmware image, you are ready to flash your router.

Cheers

Dazz

PS if you want a copy of the 3.30j firmware just email!


cor - 03.03.08 2:15 pm

Good work, Dazz! Of course I want a copy! I'll mail you.

About the how-to; are you certain that the instructions aren't correct for the older versions of the firmware? In other words, things may have changed, internally.

In that case, I'll put up both sets of instructions. However, if you (or anyone) know that the old version is definitely wrong; for old and new firmwares, I'll remove it, and put up only yours.

Anyways, nice one!

;o) Cor


el es - 17.03.08 12:11 am

Just have successfully... bricked (?) my 2091 :( It only lights up the wireless led (green) the DSL (green) and power (red) and stays so. Reset button does not work. Could it be because of uploading the firmware via wireless ? I don't think so, anyway, the router has said just before rebooting, that the firmware was received correctly... and just didn't show up again. Reset to factory defaults (holding the reset button for up to 30s) does nothing. Only three lights are lit and that's the end of story.

Or is it ?


next comments (1 page)

Posting here is disabled at this time.

Welcome to corz.org!

If something isn't working, I'm probably improving it, try again in a minute. If it's still not working, please mail me!