Photograph of BT voyager 205 router

The "Other Voyager Router" page.


The main page started getting a lot of non-205 action, particularly folk looking for ways to unlock the BT Voyager 2091 router to use with another ISP. Then it turns out that BT are adding this "capability" to other routers in their range. We know the 220, 210, and 2500 have been similarly nobbled, and perhaps others.

Here is a place, then, to share what we know so far. As we learn things, I will endeavour to put the information up here where you can easily get at it. Please note, I do not personally offer support or advice for these routers, simply provide a space where efforts to understand and hack these beasts can be coordinated. And a place to grab the hacked firmwares, of course.

What we know so far..

BT has started putting ISP-Locks on their routers. For a company that claims to be evironmentally friendly, this surely-criminal practice aims to create a mountain hardware that's soul function will be to pollute the environment. Our grandchildren will not thanks us.

While these devices are highly capable, they will be superceded, and unless we can bypass this insane "feature", discarding these perfectly functional units wil be the only option.

The BT Voyager 205 is not locked to any particular ISP, and when I eventually upgrade it, I will either pass it on to someone who needs it, or perhaps investigate turning the thing into an effects pedal. Hmm. What about the others..

210V ISP Unlocked!

The BT Voyager 210 has been cracked!
An unlocked firmware is available..

Check out the archive for an unlocked firmware.

The original email..
I added "_BB" to a file cfe-voyager210_roi-v301z_a2pb018c1
I downloaded from

http://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update

I calculated CRC32 on bytes 0-235 and put it in 4 bytes 236-239
I am using voyager 210 with non BT ISP !!!!!!!!!!
it is also uploaded to your blog ftp !!!!!!!

host it and let's see feedback from ppl with 210 !!!!!!!!!
please keep my name private !!!!!!!
And there you have it. If it works, or doesn't, leave feedback, below.

220V ISP Unlocked!

The BT Voyager 220 has been cracked!
An unlocked firmware is available..

An unlocked firmware is available in the archive. There's also a copy of the original Pre-Lock v1.6 firmware, courtesy of Mark Eldon, which should take your 220V back to a time when BT had a clue. As well as firmwares for the 220, there's also this cute JavaScript hack..

Big thanks and full credits go to C1 (lost1e (at) hotmail (dot) com) for the following, extremely cute hack. In his own words, roughly..

I just bypassed the domainLock on a new BT voyager [220V] that I was trying to get working on Eclipse for a friend.

No need to mess about with firmware or process lists, the solution really is incredibly simple thanks to a little JavaScript magic :)

1. Navigate (using Internet Explorer, FireFox is untested) to this URL:
http://192.168.1.1/connect.html (replace IP with whatever your voyager is)
The purpose of this is to make the connect page the only frame - other frames screw up the JavaScript below.

2. Open Notepad, and type in the following text exactly as it appears:
javascript:function C1() { if (domainLock == 1) { domainLock = 0; } } C1();
(the above must be all on 1 line).

3. You will notice that the connect page in your router refreshes every 10-20 seconds or so. After the next refresh, immediately copy and paste the text in step 2 into the URL bar of Internet Explorer and hit ENTER.

4. It will seem to you like nothing has happened - but now just enter (or preferably paste) your new ISP details in and hit connect - no more annoying "unsupported broadband service" message smilie for :D You must do all of this before the next refresh happens - so have everything ready in notepad for quick pasting.

IMPORTANT NOTE: This worked for me *AFTER* I had actually set up my new ISP (Eclipse) in the router's Telnet CLI - you will have to do this first. WAN settings are always VPI:0 VCI:38 PPPoATM, VCMUX encapsulation, and most other stuff can be left as default except your new ISP details. The above 4 steps simply allow you to CONNECT with your new ISP details AFTER the details are saved in the router.

This new hack has been confirmed to work with the Voyager 220V. But not other ISP-locked BT Voyager routers like the Voyager 210. If you have such a device, feel free to give it a try and leave feedback below!

Note: even the older Voyager 220 is still locked into BT's VOIP service, and at the time of writing, no way to unlock this aspect of its functionality is known. If you know better, please get down to the commment form!

BT Voyager 2091 UNLOCKED!

The BT Voyager 2091 has been cracked!
An unlocked firmware is available..

Apart from a rare and early release, all versions of the BT Voyager 2091 are "ISP-Locked", that is, BT has locked it so you can't use them with another ISP. More recently, 2091 users have unlocked it..

Extra big packet of Jube Jubes to Alessio for figuring out how to turn a Dynalink 1050W firmware into a working BT Voyager 2091 firmware (with a little help from SkayaWiki ), in his own words..

Hi,
I tried to put the Dynalink 1050W <http://www.dynalink.com.au/firmware.htm?prod=RTA1025W> firmware in my BT voyager 2091 Wireless router - they both use the BCM6348 Chipset (check the brochure http://www.dynalink.com.au/modemsadsl_cur.htm?prod=RTA1025W).

I did this pretty much what I found on http://skaya.enix.org/wiki/FirmwareFormat:

From the Voyager2091 - cfe-voyager2091_btr-v301m-a2pb018c1 I took from the very beginning of the file

36 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 56 32 30 39 31 5F 42 42 00 00 00 00 00 00 00 00 31 00

and copied into cfe-rta1025wnz-v328q_a2pb01. The first section of the firmware contains data about the vendor: now the Dynalink 1050w "sounds" like a Voyager 2091.

In the modified Dynalink 1050W firmware, I was not keen on touching the following section which contains size/address of loader/rootfs (this could make your router unusable!)
I calculated the checksum with flipped bits:

bytes 236-239: contains the checksum from byte 0 to byte 255 - the checksum is 43 6C F1 22

byte 216-219: contains the checksum from byte 256 to the end of file - the checksum is 82 12 7F 96

Then I saved the firmware and uploaded to the Voyager via web interface, the upload went fine and the Voyager rebooted, it went up without any problem.

Alessio is on BT himself, so Paulo whipped out his copy of XVI32, did the dirty with the two firmwares files, and successfully connected his 2091 to AOL. The rest, as they say, is history. *g*

Check out the Useful links section below for the file you need. Then follow this simple procedure (adapted from Dan's comment)..



2500V ISP Unlocked!

The BT Voyager 2500 has been cracked!
An unlocked firmware is available..

A firmware in the archive (untested). I have a few of these kicking around. If anyone has problems with any of the firmwares, leave a comment below, and I'll track down one of the others.

Voyager GPL Firmware..

Part of that many Voyager firmwares is GPL, and publicly available; we have recently aquired this. At this early stage, not much hacking as been done. If you want to download the firmware and have a crack at it yourself, the releases (as shipped for free on CD from BT) are available here..

Before you ask a question..

If you have a BT Voyager 205 router, try the main page . This is for the other routers. Feel free to ask questions, give advice, drop information, etc..


return to paged comments
swapmeetpete - 18.11.05 1:24 pm

Anyone know how to unlock the BT Voyager 2091? It looks identical to the 205 but when you try to use it with another ISP you get a message saying 'Unsupported Broadband Service. This device has been supplied as part of a BT service and cannot be used with any other services'.


hohoho ( just make it up you said) - 18.11.05 4:46 pm

swapmeetpete - access is via browser as 205 - http:\\voyager.com and gives the connect page as 205.
Mine says ask isp for details - on my old isp with 205 i used my log on .
Aint done anything more with 2091 - was hoping for a better wireless modem - so me and lad will stick with our wired router, and maybe one day, if we get m/bs with wireless try it out if when its out of warranty and i can apply my heat solution like on the 205 to it.



Sylver123 - 19.11.05 8:22 am

cor, Just upgraded my "BT Broadband" package to "Option 4" with the "BT Voyager 2091" and a "BT Wireless PCI Adapter".

My Connection/delivery/activation date is on the 22/11/05.

I will test the "Voyager 2091" to see if the telnet commands are the same as the ones on the "Voyager 205". Will also make comment about it here.


swapmeetpete - 19.11.05 1:13 pm

re the 2091, got the connect page hohoho, still getting 'Unsupported Broadband Service' as I'm not on BT Broadband, tried putting in username/password before connecting to phone line, still won't let me in. This is going to be fun though!


bigcat - 20.11.05 9:58 pm

How can I get my 2091 to work on a VPN what settings need to be changed?


cor - 22.11.05 10:58 pm

[205 stuff snipped] swapmeetpete, Mort, hohoho, thanks for the Voyager 2091 information, but until someone can verify that 205 telnet commands are in any way useful (I look forward to that, Sylver123), bigcat, I simply have no idea! The tag "Voyager" is BT's own family name for their routers, under the hood they are, so far, altogether different beasts. I don't even know what chipset this thing uses!

;o) Cor



Jim - 03.12.05 1:07 pm

Hi mate,

Any chance you can help me unlock my Voyager 2091 to use with Tiscali? Any help apreciated........

Thanx in advance, Jim


cor - 03.12.05 2:36 pm

nope. I haven't even seen a 2091. If I had one, I might figure it out and do a page like this 205 page. But I don't, and it's unlikely that I ever will. If I needed a wireless router, I'd probably get a WRT54G.

;o) Cor


Jim - 03.12.05 6:30 pm

Guess I'll be standing in the kitchen freezing my watsits off till I suss it out then:( (only place with telephone point, missus dont want me to run an extension cable) It looks exactly the same as the 205, I will just have try every command till I get it done.

Thanx anyway,

Jim


cor - 03.12.05 8:59 pm

Jim, chances are it's just a rebranded *something*. Open a telnet session with the unit and get the system info (try the commands above, they are fairly generic, i.e. get system) try help in the session for help (or just ?)

Once you know what chipset lives inside the thing, you can download the manual for that, which is exactly how we all got a handle on the 205, being a Viking router under the hood. BT are useless when it comes to supplying technical documentation, but other ISP's and manufacturers perform excellently in this respect (thank you solwise!).

Having said that, perhaps BT are improving, God knows they've had enough hassle for this, so there might even be some useful documentation on the CD.

Have you raked about in there?

;o) Cor


Jim - 04.12.05 11:05 pm

Thanx for the suggestions, I couldnt find anything useful in the cd and the get command didnt work, so I got the screwdriver out and managed to find out its a Broadcom BCM6348 chipset. Looked at their website and foundfirmware for it but it seems to be for adifferent implementation of the chipset. Will have a better look tomorrow and see if I can find something useful. The print on the board says its a RTA1032W-D51 but google didnt like that.


Regards, Jim


cor - 05.12.05 5:42 am

Okay, Jim, that's a start, definitely. If it's Broadcom BCM6348 chipset, there's a high chance that it has a similar configuration to the Netgear DG834GT, its support page, with user manuals and all that, is here.

No sign of a CLI manual, or even a CLI, though perhaps everything can be done from the web interface. It may even be possible to upgrade the firmware to something like open wrt. Their forum even has a section especially for it. Hmm. Worth a look, but extreme caution should be excercised if you are considering upgrading its firmware until you know more, much more about the exact specifications of this device.

Perhaps I could offer to do a page for it if BT send me one. Or a rather, a page and free unlimited broadband for a year. Actaually, no, I've had enough of BT, 40GB/month! pffff You can see what they're up from to a mile off.

By the way, Tiscali do an UNLIMITED (with certainly the most intelligent fair usage policy I've ever read) 2MB broadband service for only £17.99/month, which is a good £12 cheaper than my current LIMITED package from BT. Erm.. Bye bye!

One thing's for sure, anyone who's ever doubted the Voyager 205's capabilities, be it for 24/7 operation, or overall capacity, just need to take a look at my latest letter from BT, 135GB in October, and that was me cutting back! smiley for :lol:

All the best peeps, and good luck with the investigations, Jim.

for now..

;o) Cor


Jim - 05.12.05 9:33 pm

Hi Cor,

Thanx for the open wrt link, I feel I might be getting somewhere now. I posted in their forum to see if anyone knows anything about this 2091 and I'm just waiting for a reply now but I get the feeling I might just have to dive in and flash the damned thing with one of the firmwares available on their site as they seem to be all the same for the Broadcom chipsets. Will keep you guys posted anyway.

Thanx for all your help so far.

Jim


cor - 06.12.05 8:53 am

Jim! CAUTION! As far as I know, that chipset has no WiFi capabilities, which will be probably be provided by a second batch of silicon, and this may be completely different from the stuff these firmwares were designed for.

But having said that; if you have a back-up router, and can afford to lose the unit (a bricked router can sometimes be recovered) then boldly go where no man has gone! and report back your findings!

Somehow I'm in the top page for "BT Voyager 2091" at google, so others would doubtless be helped by any success or failure you might have.

May The Force be with you!

;o) Cor


pete - 07.12.05 11:27 pm

Hi Cor and Jim, re the Voyager 2091, these are being issued for a tenner to current subscribers and free to new users to tie them in to their broadband service. Good luck with unlocking this, partly for revenge, but more usefully as a source of cheap wireless routers for all smiley for :ken:


squbel - 20.12.05 3:11 am

Hello everybody!

This site kicks ass! Anyway still no good info about new voyager 2091 - you should really put more effort to "hack" this one - wireless access is much more handy than ethernet.

I'v made some reserch today and thats what i'v found: voyager 2091 is veeeery similar to USR 9106

Maybe flashing voyager with usr firmware will unlock it for other isp? Maybe u will find good configuration values with this manuals provided by USR ?

Manual for 9105(?) (looks same but no wifi):
http://www.paradyne.com/support/manuals/docs/6211-A2-GB23-00.pdf


Commands for 9106:
http://www.usr.co.nz/links/usr9106-reference.doc

USR firmware for 9106 - not tested ! :

http://www.usr.co.nz/support.htm

Hope this will help.


cor - 20.12.05 1:24 pm

squbel, thanks for the info. It may be of some use to the 2091 pioneers. Not to me though, I don't even own a 2091! If someone want to send me one, sure, I'll check it out.

note: I am also desperately seeking your old 205s, in any state whatsoever (preferably bricked), for further experiments in unlocking the flash chip and it's weird 7-pin connector. If anyone can help out with that, mail me!

for now..

;o) Cor


Unclebob - 20.12.05 2:04 pm

Hey everyone

I've got a 2091 with the updated firmware, got the box for free so if there's anyway i can unlock it would definitely be a bonus!

From hunting around i've found that the router can be opened up when using the older firmware, BT obviously sussed the loophole and hence decided to update with the newer firmware. This therfore suggests that the easiest way to unlock the damn thing is to find the older firmware, but as yet i can't find it anywhere. I've tried driverguide etc, and obviously the BT site only has the newer version.

I might try squbel's idea about the USR 9106, but i may hold out for a couple of days and see if i can find the old firmware. I'm presuming it should be simple to install etc....

Great site by the way fella, nice to see someone putting a bit of time and effort into a good cause! ;-)

Cheers

Robbie


BTV - 20.12.05 9:50 pm

I have a BT voyger 2091 and want to use it on a diffrent provider .How do I change the settings to allow this as BT have been a little crafty in stopping you??


Unclebob - 21.12.05 6:12 pm

Hey Guys

The only person i know who has the older firmware version is that guy who was selling the unlock info on Ebay (he pulled the listing cause his method didn't work on the newer firmware). I've sent a message asking him for the firmware version (or maybe he might just send it.......???) so fingers crossed i might have at least a filename within a few days.

Cheers Cor, happy Chrimbo!

Robbie


Father Ted - 21.12.05 6:24 pm

I also have a BT Voyager 2091, and I cannot find anyway of using it with another service provider! It would be great if you guys could figure this out - I've searched the internet and no one has managed it yet.

If you manage it, a free mass and confession for everyone!!! lol

[ this comment was pulled from my ath.cx dev mirror, another few hours and it would have been overwritten, just like it warns in the site notice at the top of all the dev mirror's pages! ;o) ]


Squbel - 24.12.05 1:03 am

Hello again,

I was wrong about this usr 9106 - it is based on older broadcom chip BCM6345

According to Broadcom - BCM6348 (wich is used in voyager 2091) is a BCM6345 that supports ADSL2+.

I've found only this 5 models using BCM6348:

Paradyne 6218
Comtrend CT-536+
Belkin F5D7633
Netgear DG834G
Dynalink RTA1025W

As Jim reported voyager 2091 has "RTA1032W-D51" printed on board - my guess is that Dynalink just ripped
off switch (3 additional Ethernet ports) from RTA1025W and that's how Voyager 2091 is made.

Could someone post here results of the following commands (typed in Voyager 2091 shell) ?

cat /proc/kmsg

cat /proc/cpuinfo

cat /proc/meminfo

I'll be back in UK (and have my v2091 in hands) on 3/01 so I can't post it now.

Cheers,

Squbel


PS. Great site with many firmware tricks for BCM6345 based routers (all file tricks should work on BCM6348 chips as well). Netgear cpuinfo. Comtrend cpuinfo.


cor - 24.12.05 3:06 pm

Och well, variant, it was worth a shot! Now, how about old firmwares for the 2091? smiley for :ken:

Thanks for the info, Squbel, chipset data, links and all! Good work! Certainly, if you guys want to check it all out, report back, I can put up a wee page for this stuff, Google has already linked me with the bloody thing! (And that blessing from Father Ted could come in handy right now, too!)

Clive Long, hi.

1) Yes. In fact, this is the very best way to set things up. A switch is superior to a hub, but a hub should work fine. And if you plan to run any servers or p2p apps, you will definitely want to consider static IP's rather than DHCP assigned addresses.

2) Check the static IP page. You probably just need to tweak the ethernet interface, or perhaps enter a few DNS server entries in your /etc/resolve.conf (or system equivilent)..
nameserver 192.168.1.1
nameserver 194.73.73.94
etc..
or whatever.

If it still doesn't happen, get back here. I'm always glad to help get another Linux box online.

;o) Cor


Lunar Wolf - 25.12.05 9:59 pm

Hi there,
for what is worth BT has just sent me a nice new 2091 to replace my trusty old 205. Nice chaps down at BT homemovers agreed to send me a new wireless one since i was signing up for another year, anyhoo...

I've breifly had a play with it and it lets me 'disconnect' and change the username/paswword. I dunno if you guys who are having problems getting yours to run with other ISP's can do this but if not maybe mine contains an older firmware.

My firmware revision is '2.21.05.08m_A2pB018c1.d16d' is there anyway i can save/backup this firmware to a bin file from the router? I seem to remember the 205 having that facility.

On a side note, anyone know whats new with the 1.8 firmware for the 205? Any bugfixes, performance enhancements, or does it cripple the 205 in anyway (ISP Lock)?


cor - 26.12.05 12:31 pm

Lunar Wolf, yes, the 205 has this functionality. The 2091? Dunno.

Can you other 2091 guys disconnect and change your user/pass?

If not, then we need your firmware, Lunar Wolf! There's gotta be a way to get it out. Feel free to continue coordinatung your efforts right here.
[205 stuff snipped]

for now..

;o) Cor


Unclebob - 26.12.05 2:11 pm

Hey guys

Lunar Wolf, u defo have the older firmware version. From what i heard u simply click a disconnect button on the quickstart screen and it then allows u to enter your own details?....

This seems to be the required firmware version, and yet mine is exactly the same!I can only presume that bt have over written the old firmware version perhaps?????? It should be possible for you to backup the firmware and then what you decide to do with it is up to you.... ;-)


This is really quite strange....

Cheers

Robbie


cor - 26.12.05 3:23 pm

Very interesting, Unclebob. Very interesting indeed!

And when you get that firmware exported, Lunar Wolf, feel free to back it up to my inbox!

for now..

;o) Cor


Lunar Wolf - 26.12.05 9:30 pm

@Unclebob, yes it lets me change the username and password after 'disconnecting' although i don't have access to another ISP's DSL to try anything out.

I've had a look through the routers menu's in a telnet session and can't see any options for saving/exporting/backingUp the firmware.

Tried a google search for the firmware '2.21.05.08m_A2pB018c1.d16d' and turned up nothing. However i then tried a search for '2.21.05.08m' and guess what other router popped up, the 2110 http://www.voyager.bt.com/2110/firmware_update.htm

I think the 2091 is a stripped down 2110, anyone want to have a go at loading up that firmware and see what happens?

If anyone can point me in the direction of any firmware removal tools, maybe the OEM manufacturers website then i'll give that a go.


Lunar Wolf - 27.12.05 12:00 am

okay, i had a bit of a play with the router again and it appears i do not have an older unlocked verion of the router, i tried changing the username to someting not ending in @btbroadband/btinternet/etc and it gave me the popup window stating that the router was for use with BT internet etc. so my apologies for getting your hopes up.

I e-mailed the guy who was selling the Unlock instructions in ebay and sadly he had nothing to help use with either:

"Hi, I removed the listing because this doesn't seem to work for everyone, here is the step by step guide.
Connect the dsl to the router and connect your router to the PC via ethernet.
Open your web browser and type in http://192.168.1.1
You should connect automatically
Now click on Quick Start
Now click DISCONNECT
the option to put your own username and password now appears, enter them and reconnect, thanks"

Looks like the search for an older firmware continues, or maybe someone can extract and edit the existing firmware, anyone know how to hexedit?


cor - 27.12.05 1:00 am

Ahh. dashed again! smiley for :lol: The search continues!

Worry not, Lunar Wolf, all data is useful, failures and mistakes is the best way to learn, and make the triumphs all the more sweet. Keep up the good work!

Okay, 2100 and 2091. What's the connexion?
I feel like Inspector Morse!

;o) Cor


Squbel - 27.12.05 2:00 am

Lunar Wolf said..:
I think the 2091 is a stripped down 2110, anyone want to have a go at loading up that firmware and see what happens?

Lunar Wolf - i believe that you are perfectly right about this! More over i think that Voyager 2110 is the same box as all 5 BCM6348 models listed by me above.

I'm not sure if flashing 2091 with 2110 firmware will remove 'user change' blockade - BT could have locked it as well.

I've compared (using firmware format info) headers of Voyager 2110 and Belkin F5D7633 recent firmware files. They really look pretty compatible.

I'm trying to get Dynalink RTA1025W firmware. If it's similar to Voyager 2110 I'll have a try with flashing my 2091 with it on 3th of Jan.

Regards


Squbel - 05.01.06 2:38 am

I think i'll give up. Tried to flash my Voyager 2091 with 2 different firmwares (Voyager 2110 and Belkin) - not working via http - "The firmware update is failed. The selected file contains an illegal image." I'v tried to modify firmware header but no luck. im not sure about tftpd...

I've tried to analyse http code in /webs/ folder (esp. /webs/connect.html) - it looks like javascript is calling 'conprocess.cgi?' which i can't find - is it encoded in kernel ? httpd? - i'm not a coder or linux guru :)

Tried simply to:

sh
BusyBox v0.60.4 (2005.11.21-02:17+0000) Built-in shell (msh) Enter 'help' for a list of built-in commands.

# pppd -c 0.38.1 -a 0.0.38 -u dupa

Invalid domain = dupa
PPP username is out of valid domains.
PPP: PPP_0_38_1 is standby and ready to connect(PPP connection is not up yet)...
PPP: PPP_0_38_1 Start to connect ...

looks like this lock is really deeply encoded...

even tried to start modding my firmware with tricks given on http://skaya.enix.org/wiki/BroadCom96345 but can't get this damn octify.py script working with my cygwin python...
Wanted to try Debian 31r1 but i can't install it on my amilo 3438 - RAID problem?

Anyway i've no particular reason to unlock this device...

But if i would be really desperate i would order source code from BT (this firmware is GPL) and i would search for domain lock there.


cor - 05.01.06 6:45 pm

Good info, Squbel, especially the GPL part. Are you sure? If so, this is excellent news, because it would mean BT has "done a linksys", and inadvertantly (or perhaps not) made themselves obliged to share the source code for the firmware. More info!

;o) Cor


Squbel - 05.01.06 10:52 pm

http://www.voyager.bt.com/gpl.htm - but probably you have to pay few pounds for "shipping".


cor - 06.01.06 5:01 am

Cheers Squbel! That's outrageous, isn't it? Why don't they just put it up for download? smiley for :roll:

l*rz..

;o) Cor


Tigger - 07.01.06 1:38 pm

Here is a fix to unlock the BT Voyager 2091...... At last

http://www.uk-bug.net/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=10&page=1

I have been unable to try this yet, I someone has time please advise, Thanks


Squbel - 08.01.06 12:15 am

Tigger : I'm afraid it's not going to work with voyager 2091. It's a guide to unlock totally different ADSL router - EN5861


cor - 08.01.06 6:33 am

smiley for :lol: so it is! I haven't even read it yet, just had a brief glance. I'll not be adding it to the useful links anytime soon, then.

Looks like you 2091 guys are gonna be waiting some, yet. Mind you, there may be clues on that page. Did someone say that the 2091 was also a busybox type Linux inside? Perhaps a similar procedure would work here. Hmm.

Anyone care to have a prod about?

;o) Cor


ItsRich - 21.01.06 10:38 pm

anyone out there manage to get hold of the 2091 firmware code from BT? I've emailed them a few times, no response yet.... I'd love to hack the code and use the 2091 as my adsl router (tiscali)

Rich


vof - 23.01.06 1:35 am

Since my last post re Voyager 220V about a month back, I've managed to get through the BT system - having been sent from pillar to post and back - and persuade them to send me a Voyager GPL CDROM. (It came with a Scotland postmark, and without charge smiley for :eek:). Now this may prove interesting for any corzlings with Voyager 2xxx boxes. (These boxes are Askey sourced and use mips32 based Broadcom 63xx parts.)

The CD has 5 files on it:

bcm963xx_2.14L.02_consumer_release.tar.gz (74MB)
bcm963xx_2.18L.01_consumer_release.tar.gz (95MB)
bcm963xx_2.21L.05_consumer_release.tar.gz (77MB)
bcm963xx_3.02L.02V_consumer_release.tar.gz (119MB)

plus a Word doc describing where each open source component came from. I suspect the 4 code packages relate to different BT Voyager products. It would be interesting to know if any of the obvious version numbers match firmware in the other Voyager 2xxx (i.e. 2000/2091/2500/etc) boxes.

I've had a quick look at the 2.18L.01 file the name of which seems to correspond to the first part of my 220V firmware version. This file is so big because they seem to have managed to tar up a large part of the release twice smiley for :lol: but it appears to include the cross-compile toolset plus the Linux kernel plus a set of user apps. The web server scripts in the released firmware have clearly been 'enhanced' by BT but I am hopeful that I may be able to unlock the VOIP features and free the device from BT's Broadband Voice service.

Cor: do you want to make these files available in your site's download area? Let me know if you do and I'll mail you a copy of the CD.

Keep up the good work - and don't overdo it on Wed night smiley for :D
BTW, your scanoramic stuff is amazing!

vof



cor - 23.01.06 1:25 pm

Good work vof!

Yes, I would be delighted to host the files, though being so large, perhaps a torrent might be better! My monthly corz.org bandwidth usage hovers around 90% and growing. smiley for :eek: They do seem very large, even if they did tar some stuff twice smiley for :roll:

Someone on the main page mentioned they'd be keen to get hacking the firmware, too, so getting this "out there" sounds like a very good idea. It will save BT staff many hours dealing with the likes of YOU, for a start! smiley for :lol:

Is the firmware for the 2091 there? That's the one everyone wants to crack, I think, being "locked" into the BT Network. One version that was mentioned was "2.21.05.08m_A2pB018c1.d16d" which looks remarkably similar to one of the above.

Interesting times ahead..

[snipped]
;o) Cor



Manaboutathing - 23.01.06 12:06 pm

Anyone managed to unlock the BT VOYAGER 2091 router to other ISP's ?

Thanks
Raj


cor - 24.01.06 12:03 pm

ItsRich, Manaboutathing, check the advanced page. The firmware should be on its way to me sometime very soon. Then all we'll need are folks willing to hack and pack. Up for it?

I might create a 2091 page so we can coordinate the effort. Though I just know that's asking for trouble.
[snipped]

;o) Cor



ItsRich - 25.01.06 2:53 pm

I'm up for hacking the GPL code and (trying to) unlock it from BT. I can host the files for a while too, if needed.
Cool scanoramic pics


AdamH - 25.01.06 4:34 pm

I've also managed to get hold of the firmware source from BT - I just emailed them at voyager2@bt.com asking for it, with my postal address and they sent it out for free on CD (they did to me anyway!)
It's about 360MB so I won't upload it!
If you don't get your copy any time soon cor, let me know and I'll send you my CD (otherwise I'll put it on the HTTP server I'm running - 256k up could be fun!!)
Adam


digitaldazz - 26.01.06 11:25 am

hi cor,

used your site a number of times when I first got my 205. flashed it with dynalink and had no probs since.

I have now just received a 2091 wireless router and was wondering if you could start a new page/forum for this router because its begging to be hacked. It has the same firmware as the 2100 but when you ftp into it you just get a menu of choices so its not letting me put any nat rules from this site. any ideas?

cheers



digitaldazz - 26.01.06 7:52 pm

hi cor,

this 2091 router uses a BusyBox v0.60.4 shell do u know anything about this?
here is a list of commands the router allows:
?
help
logout
reboot
adsl
atm
brctl
cat
df
dumpcfg
echo
ifconfig
kill
arp
defaultgateway
dhcpserver
dns
lan
passwd
ppp
remoteaccess
restoredefault
route
save
swversion
wan
ping
ps
pwd
sysinfo
tftp
wlctl

cheers!


vof - 27.01.06 3:52 pm

digitaldazz: Busybox is not strictly a shell, more a program which provides a lot of the standard functions needed on a Linux system in a much smaller space than the sum of the original programs. It's creator calls it the Swiss Army Knife of embedded Linux - that is Linux which is used, usually invisibly, as the operating system in a device which often has a limited amount of memory and no disk smiley for :eek:. Google for busybox to learn more.

I suspect you have already discovered that if you type sh at the menu prompt on your 2091, you start the standard shell. If you probe deeper - assuming you are comfortable with command line unix/linux - you will find that much of the guts of the router's work is done, unfortunately, by non-GPL programs from Askey. 'ps ax' is a good command to start with to see exactly which processes are running on your box...

vof


Squbel - 27.01.06 11:39 pm

vof: how can you tell that they r Askey non-GPL apps ?


vof - 28.01.06 12:33 am

Squbel: I have a BT Voyager 220V which offers VOIP via BT's very expensive Broadband Voice service. I also have the GPL source code CD from BT. One of the running programs is 'vodsl' - I can't find any source for it on the CD so I presume BT have built the executable into the firmware. No source->very difficult to hack smiley for :erm:

I suspect cor would prefer this conversation to continue on the advanced hacking page here and leave this area free for pure Viking based stuff (which the BT 2xxx boxes aren't).

I'll post more about BT/Dynalink/Askey/GPL issues over on that page as I discover it.

vof


cor - 28.01.06 1:24 am

Thanks vof! I got that in the mail this morning. I'm a bit tied up just now, but I'll put it somewhere tomorrow, make it available for download, probably one of my local servers, then ItsRich and everyone else can get stuck in.

for now..

;o) Cor

ps.. thanks for mucking in on the main page, I'll scoop up the dregs over the week-end!


cor - 29.01.06 5:39 am

[snipped]
I have the source for the 2091 now (thanks vof) and yes, it's probably best to speak about that on the advanced page. I haven't had a chance to have a good rake about, but from what's been said so far, it looks as though it will be more than a simple case of removing some string, or whatever, essential tools will need to be replaced, and more.

Maybe I should put a page somewhere for the wireless routers, a place to put what's known so far. I don't even have one of the things, this could be weird. smiley for :aargh: By the way, has anyone tried an openwrt distro on the thing?

for now..

;o) Cor


edinclimb - 29.01.06 7:26 pm

Hi i have just got a voyager 220v! I have tried switching the isp, when i input the username and password i get a message saying "usupported broadbad service" and that its basically only bt that can be sed with it. is there any way to hack the router to use another isp - i tried the recommendation on troubleshooting with no help. i need help quickly! im using a usb modem at the mo and its annoying me severly


vof - 29.01.06 10:30 pm

edinclimb: Do you mean use the 220V for another UK broadband ISP or for a non-BT Voice-Over-IP (VOIP) service?

You should have no problems with the first one - I use my 220V and I'm with PlusNet - you do need to enter your correct ISP username and password as given to you by your ISP. If your broadband was working with a previous router, use the same settings! smiley for :D

Now the VOIP side is a different kettle-of-poisson. If you don't sign up for BT's Broadband Voice service (and who can afford it?), you should see the following on your initial configuration screen:

Broadband Voice Status

Status: Broadband Voice registration has failed. You will not be able to make Broadband Voice calls.
Phone 1: Broadband Voice is not connected.
(Authentication failure. Please make sure that your Broadband Voice password is correct.)
Phone 2: Broadband Voice is not connected.
(Authentication failure. You may not have subscribed to a second line.)

Attempts are being made to work out how to modify the settings in a 220V to allow it to work with other VOIP services but there's nothing more to be said at the mo.

In case you've problems with basic configuration of the 220V, here's a very quick run-through:

If you've read anything on this site, you will probably realise that we don't recommend using routers via their USB interfaces. If you are using the 220V thusly, you will need to have installed the USB driver. I connect to my 220V via its ethernet interface so I'm afraid I'm completely in the dark about how a USB connection might affect what follows...

Click on Advanced... in left hand menu.
Click on Advanced... at bottom of page.
Click on Quick Setup in left hand menu.
Set VPI to 0, VCI to 38. Click Next.
Set Protocol to PPPoA, Encapsulation Type to VC MUX. Click Next.
Click on Obtain an IP address automatically, Enable NAT should be checked. Click Next.
Enter your correct ISP username and password. Click on Session established by Always On. Click Next.
Leave LAN side settings and Voice settings at default.
Click on Finish to confirm settings and reboot router.

Let us know how you get on.

BTW, what is the Firmware Version listed on your Status/Overview config page?

vof


edinclimb - 29.01.06 11:10 pm

vof - im using uk online. when i try to enter my ukonline details in the window (enter your username and broadband details) i get the following message "UNSUPPORTED BROADBAND SERVICE - This device has been supplied as part of a BT service and cannot be used with any other services. Please contact BT for further information" - so i did and they said the same "you should be able to use it with another isp". firmware version 2.21.05.07_A2pB018c1.d16d. i cannot upgrade the firmware as i cannot connect to the internet with the 220v. the only reason i got the voyager was so that i could connect it to my airport express via ethernet. im really frustrated that i cant get this to work - im sure there is a simple enough way to overwrite this setting!

Hope this helps and thanks for your reply.

I HATE USB - NO WAY WOULD I BE USING THAT ;o)


ragnorak - 29.01.06 12:44 pm

hi peeps,

just got bt broadband basic package this month, which came with the wireless router for £25 (i thought it was good at the time!)

anyway, i have seen better isps around for the same price, with unlimited caps, so i was wondering if it is possible to unlock the voyager 2091 from bt isp to use with other isps?

i'm guessing this would be done with hacked firmware or patch or something?

cheers,
rag.


vof - 30.01.06 10:42 am

edinclimb: Interesting! Very interesting!! Your 220V has a later firmware version than mine, and your version appears to be the same one as is blocking Voyager 2091 users from use of other ISPs. (BTW, have you seen the other posts on the advanced page containing more info on this topic? That page is probably the preferred page to use for continuing this debate.)

This implies that one approach to unblocking is to downgrade to the 2.18L.01 firmware, at least for the 220V. That's the one I use successfully with PlusNet. It would be interesting to know if the firmware within any version varies according to the Voyager model, or whether the same firmware version file can be uploaded to any 2xxx Voyager.

Does anyone have a file copy of any of these Voyager firmware versions, or know where they can be obtained? (The BT sites don't have any to my knowledge.)

vof


edinclimb - 30.01.06 12:22 pm

vof cheers for the reply - anyone who could get a version of this firmware to me would be much appreciated, i will arrange details with someone as and when to send to me.


edinclimb - 30.01.06 12:26 pm

Hi can anyone help - please see below from the main page forum!

edinclimb - 29.01.06 7:26 pm

Hi i have just got a voyager 220v! I have tried switching the isp, when i input the username and password i get a message saying "usupported broadbad service" and that its basically only bt that can be sed with it. is there any way to hack the router to use another isp - i tried the recommendation on troubleshooting with no help. i need help quickly! im using a usb modem at the mo and its annoying me severly

vof - 29.01.06 10:30 pm

edinclimb: Do you mean use the 220V for another UK broadband ISP or for a non-BT Voice-Over-IP (VOIP) service?

You should have no problems with the first one - I use my 220V and I'm with PlusNet - you do need to enter your correct ISP username and password as given to you by your ISP. If your broadband was working with a previous router, use the same settings!

Now the VOIP side is a different kettle-of-poisson. If you don't sign up for BT's Broadband Voice service (and who can afford it?), you should see the following on your initial configuration screen:

Broadband Voice Status

Status: Broadband Voice registration has failed. You will not be able to make Broadband Voice calls.
Phone 1: Broadband Voice is not connected.
(Authentication failure. Please make sure that your Broadband Voice password is correct.)
Phone 2: Broadband Voice is not connected.
(Authentication failure. You may not have subscribed to a second line.)

Attempts are being made to work out how to modify the settings in a 220V to allow it to work with other VOIP services but there's nothing more to be said at the mo.

In case you've problems with basic configuration of the 220V, here's a very quick run-through:

If you've read anything on this site, you will probably realise that we don't recommend using routers via their USB interfaces. If you are using the 220V thusly, you will need to have installed the USB driver. I connect to my 220V via its ethernet interface so I'm afraid I'm completely in the dark about how a USB connection might affect what follows...

Click on Advanced... in left hand menu.
Click on Advanced... at bottom of page.
Click on Quick Setup in left hand menu.
Set VPI to 0, VCI to 38. Click Next.
Set Protocol to PPPoA, Encapsulation Type to VC MUX. Click Next.
Click on Obtain an IP address automatically, Enable NAT should be checked. Click Next.
Enter your correct ISP username and password. Click on Session established by Always On. Click Next.
Leave LAN side settings and Voice settings at default.
Click on Finish to confirm settings and reboot router.

Let us know how you get on.

BTW, what is the Firmware Version listed on your Status/Overview config page?

vof

edinclimb - 29.01.06 11:10 pm

vof - im using uk online. when i try to enter my ukonline details in the window (enter your username and broadband details) i get the following message "UNSUPPORTED BROADBAND SERVICE - This device has been supplied as part of a BT service and cannot be used with any other services. Please contact BT for further information" - so i did and they said the same "you should be able to use it with another isp". firmware version 2.21.05.07_A2pB018c1.d16d. i cannot upgrade the firmware as i cannot connect to the internet with the 220v. the only reason i got the voyager was so that i could connect it to my airport express via ethernet. im really frustrated that i cant get this to work - im sure there is a simple enough way to overwrite this setting!

Hope this helps and thanks for your reply.

I HATE USB - NO WAY WOULD I BE USING THAT ;o)
vof - 30.01.06 10:42 am

edinclimb: Interesting! Very interesting!! Your 220V has a later firmware version than mine, and your version appears to be the same one as is blocking Voyager 2091 users from use of other ISPs. (BTW, have you seen the other posts on the advanced page containing more info on this topic? That page is probably the preferred page to use for continuing this debate.)

This implies that one approach to unblocking is to downgrade to the 2.18L.01 firmware, at least for the 220V. That's the one I use successfully with PlusNet. It would be interesting to know if the firmware within any version varies according to the Voyager model, or whether the same firmware version file can be uploaded to any 2xxx Voyager.

Does anyone have a file copy of any of these Voyager firmware versions, or know where they can be obtained? (The BT sites don't have any to my knowledge.)

vof

edinclimb - 30.01.06 12:22 pm

vof cheers for the reply - anyone who could get a version of this firmware to me would be much appreciated, i will arrange details with someone as and when to send to me.




edinclimb - 30.01.06 7:21 pm

Does anyone know how to edit the web interface of the browser? i have discovered the following code which is preventing me using other isp details...

//if(modelName == '210' || modelName == '2091'){
if(domainLock == '1'){
if(pppUserNameCheck(pppUserName.value) == true) ;
else {
alert("UNSUPPORTED BROADBAND SERVICE\n\nThis device has been supplied as part of a BT service and cannot be used with any other services.\n\nPlease contact BT for further information.\n");
return;

providing i can acess the guts of the router and change this code it will work! HOORAY - I JUST NEED TO FIND OUT HOW TO DO IT - THIS WOULD MEAN THE 2091 USERS AS VOF SAID WOULD ALSO BE ABLE TO USE IT

Euan


cor - 30.01.06 8:06 pm

Okay, here's the page!

The comments above are culled from the main page (and a couple from the advanced page), I may have missed a few. Hopefully this should make it easier for new non-205 visitors to get up to speed.

From here on in, it's all live.
Have fun!

;o) Cor


vof - 30.01.06 8:20 pm

Well, prompted by my response to edinclimb earlier today, I decided to spend some 'quality time' (as they say) with the GPL firmware, and I think things are looking quite promising.

First of all, I can now clarify some of the things I've said/asked recently:

- It looks as if most (all?) that we need is included in the GPL release packages.

- It is possible to build firmware for a number of products from each release I think. I've managed to rebuild a firmware file for a 96348 based box. The choices available in the 2.18L.01 GPL release are 96345 or 96348 based, and for each of these, an R, GW or GWV version. (Router, Gateway, Gateway with Voice??)

- There are quite a few problemettes to be overcome on the way - I will document them somewhere more appropriate later - but eventually I managed to rebuild the kernel + modules + user apps on a RH9 box (using the supplied cross-build tools).

Some files are apparently missing from the release but this is usually because they are not vital but the makefiles or c sources assume they are there. Some bits are supplied precompiled - no source - but I'm pretty sure we would not need to modify them if all we were looking to do was remove BT tie-ins.

The GPL releases are from Broadcom/Askey and not BT so they include no BT stuff. Thus the result of rebuilding is vanilla firmware without any of the BT blocks built in. I doubt whether BT added anything significant or useful that we would miss.

I won't be rushing to upload the results of any early firmware builds since I depend on my 220V for internet access, and I don't have a copy of my current firmware file to fall back on. We might therefore be looking for boxes to test our results on...smiley for :eek:

While sorting out one of the problemettes, I came upon this site which has put up one of the Broadcom/Askey GPL releases. There may be more, and possibly some with firmware files...smiley for :D let us know if you find any.

vof


vof - 30.01.06 9:26 pm

...or possibly GW=(802.11)g Wireless?


vof - 30.01.06 9:28 pm

...and I think I was wrong about the double packing too - it's just big and there are two .tgz with similar names (consumer, consumer_release).


cor - 30.01.06 10:21 pm

Good work vof!

I think your first explanation of the G/GW/GWV is more likely, but that doesn't mean much.

I haven't spent any quality time with the GPL code, but I may try a few cross-compiles myself. What version are you working with, vof? Is that only for the 220v? And, any more tips for cross-compile success?

While I'm, here, vof, isn't there a way to dump the existing (working) firmware from your 220V? Perhaps with tftp. That would provide a simple solution for latter 220v users.

edinclimb, as far as I know, you can't edit the web interface, only replace it, a la firmware upgrade. However, it might be possible to intercept that (JavaScript?) and return an alternative result.

Hmm. Probably easier to replace it, though.

;o) Cor


edinclimb - 30.01.06 10:41 pm

im quite happy to use my 220v as a "test" router, if you just talk me through what i need to download and do, im pretty clueless at the mo - put it this way ive only recently discovered the joy (if you want to call it that) of terminal.app in mac os. smiley for :lol: give me a shout.


vof - 30.01.06 10:55 pm

cor: I started with 2.18L.01 since that is what I have in my 220V. After unpacking the original file, you get a couple more .tar.gz plus a consumer install script. One of the tar.gz contains all the kernel + user apps stuff, t'other one has a couple of .rpms for the cross-compile bits (they get installed automatically if you have an rpm based distro. (There is a reference to Debian somewhere in the unpacked dir hierarchy.)

As I say, my Linux server is RH9. gcc is 3.2.2-5. The rpms installed and worked without me doing anything special.

The problems I remember/noted were:

- working out how to run the configure scripts, particularly for siproxd and libosip2. There are some READMEs - can't remember exactly what I needed to do.

- no Makefile in siproxd - I used a minimal one with empty all:/install:/dynamic:/clean: targets.

- missing impl2 dirs in ...../net - I used copies of impl1 which is there.

- if you build for a PROFILE other than 96345GW, you hit loads of errors because the precompiled bits are for that PROFILE, and so include the 96345GW string in the file name whereas the Makefiles will be looking for e.g. 96348R if that's the PROFILE you are building (which I was!). I ended up creating what seemed like lots of symlinks for the missing files pointing to the existing 96345GW examples. (All the PROFILES are code compatible so it's just a question of using the code provided, and ignoring the name of the file!)

- there's a syscall.c which #INCLUDES half a dozen header files which it does not need and aren't in the package - I commented them out.

It would probably be better you looking at the next release (2.21L.05?) to see how it differs. Oh, BTW, the kernel in my release is 2.4.17. Assuming that later releases are better/more bugs fixed, I'll probably look next at the most recent of the series.

Have fun!

vof


vof - 30.01.06 11:05 pm

Not found a way of downloading existing f/w. The tftp server in the box says get not supported. This page is relevant but inactive - it may prove useful later.

vof


Squbel - 30.01.06 11:33 pm

Vof: Re: GW - the latter for sure :)

1. edinclimb: You can put your custom files to router with trick mentioned on site I was quoting long time ago:

http://skaya.enix.org/wiki/BroadCom96345

Unfortunately you can't modify content in "/webs/" folder as it is in read only "area".
It's probably possible to dump firmware, unpack and modify files and than upload it again as described @ the same webpage but i don't have enough skill to do so.

You could also find a place in router memory where "domainLock" value is stored and modify it with the two following commands: dumpmem, setmem ;)))

Finally I don't believe that any changes in web interface would solve the problem. I suppose that web interface is only calling "pppd" with proper parameters. As I reported earlier lock is encoded not only in web interface:

"Tried simply to:

sh
BusyBox v0.60.4 (2005.11.21-02:17+0000) Built-in shell (msh) Enter 'help' for a list of built-in commands.

# pppd -c 0.38.1 -a 0.0.38 -u dupa

Invalid domain = dupa
PPP username is out of valid domains.
PPP: PPP_0_38_1 is standby and ready to connect(PPP connection is not up yet)...
PPP: PPP_0_38_1 Start to connect ...

looks like this lock is really deeply encoded..."

Maybe lock is coded in pppd or iptables...

Anyway I'm not able to investigate it, as source of httpd, pppd or iptables is not included in firmware release linked above by vof. I'm not sure if it's the same version that BT is sending to ppl (I haven't received it yet despite I requested it twice).

2. Vof: Even if you are able to compile your own firmware will you still be able to upload it to router?

Quote:
I think i'll give up. Tried to flash my Voyager 2091 with 2 different firmwares (Voyager 2110 and Belkin) - not working via http - "The firmware update is failed. The selected file contains an illegal image." I've tried to modify firmware header but no luck. I'm not sure about tftpd...

tftpd and ftpd source is not included in this customer release as well. No way you can check what exactly it's checking during upload.




vof - 31.01.06 1:25 am

Squbel: I may have misled you in an earlier post. Some of the code is supplied only as precompiled but all the things you mention, ftpd, httpd, tftpd, iptables, are GPL and the source is provided. The block - whever it is - will probably not be found by looking at the GPL source since I suspect it has been added by BT, and what we've got was not produced by BT. It is possible that Broadcom/Askey have put a generic block in the 2.21L.05 release which BT are using but I doubt it.

The router has an upload capability via tftp and all the web interface script sets I've seen provide an upload script too.

As you suggest, building a firmware image is one thing, ensuring it works when uploaded is much more demanding.

vof



vof - 31.01.06 1:48 am

edinclimb: Where did you discover that code fragment that does checks against model types and domainlock? Was it in util.js?

Anyone interested in changing how these other Voyager boxes behave should understand that nearly all the code and data inside them is in a read-only filesystem, so (nearly) all changes have to be made outside the box then rebuild the firmware then upload the new version (tortuous!!).

So, if the 2091 domain lock is indeed in util.js, a file we have the source for, we can only change it by changing our copy of the source file then rebuilding the complete firmware from scratch then uploading it (and it might not work first time so the whole process needs to be repeated again (and again) until it does ...).

Good night all!

vof


Squbel - 31.01.06 11:00 am

vof: It's in the /webs/connect.html

the problem is:

quote:
I've tried to analyse http code in /webs/ folder (esp. /webs/connect.html) - it looks like javascript is calling 'conprocess.cgi?' which i can't find - is it encoded in kernel ? httpd? - i'm not a coder or linux guru :)

util.js looks unimportant for me but I don't know JS smiley for :D

Cheers

I'm glad that you have all the sources - can you put your BT package on some web account ? any freedrive or something ?


vof - 31.01.06 11:00 pm

Squbel: Not sure what you mean by 'BT package'. I haven't got a disk file copy of my existing firmware, i.e. the file you would upload when upgrading firmware - BT seem very cagey about letting them out - I've seen one for the 240 but not for the 220V. Without it, I'm not sure I want to try any experimental firmware on my box cos there would be no way back...

If however you mean the GPL source code packages we've acquired recently, cor is putting them up somewhere on this site I believe at the moment so watch this space (or rather the one at the top of this very page).

conprocess.cgi would seem to be a CGI script on the ISP server which processes the username and password. The code fragment that edinclimb posted seemed to be javascript which was doing a check independent of conprocess.cgi. That, plus the fact that my connect.html also uses conprocess.cgi makes me suspect that this cgi script is not part of the problem.

vof


Squbel - 01.02.06 12:39 pm

Finally I've done it - at least i think so :)

conprocess.cgi is a key.

It has to be local script wich controls connection process and it can bypass bt domain lock.

Following line in your browser will conect you with dupa@tpsa.pl (or any desired login and pass)

command::
http://192.168.1.1/conprocess.cgi?checkNum=5974&pppUserName=dupa@tpsa.pl&pppPassword=yourpassword

# ps
PID TTY Uid Size State Command
1 squbel 1240 S init
2 squbel 0 S [keventd]
3 squbel 0 R [ksoftirqd_CPU0]
4 squbel 0 S [kswapd]
5 squbel 0 S [bdflush]
6 squbel 0 S [kupdated]
7 squbel 0 S [mtdblockd]
13 squbel 1296 S -sh
52 squbel 2768 S cfm
94 squbel 588 S pvc2684d
323 squbel 2768 S sshd
324 squbel 2784 S telnetd
327 squbel 676 S dhcpd
331 squbel 944 S bftpd
332 squbel 1224 S tftpd
403 squbel 2832 S httpd
408 squbel 676 S dproxy
3954 ttyp0 squbel 2800 S telnetd
3971 ttyp0 squbel 1284 S sh -c sh
3972 ttyp0 squbel 1296 S sh
4320 squbel 652 S /bin/igmp ppp_0_38_1
4452 squbel 1224 S pppd -c 0.38.1 -a 0.0.38 -u dupa@tpsa.pl -p
4566 ttyp0 squbel 1236 R ps

I'll post later info how to get your proper "checkNum=" value (have to go back to work now).

Cheers




cor - 01.02.06 1:17 pm

Nice work Squbel! smiley for :D

That's what I meant by..

it might be possible to intercept that (JavaScript?) and return an alternative result.

But really, I wasn't hopeful!
Very cool Indeed, dude!! smiley for :ken:

;o) Cor

ps.. other 2091 owners: when the checksum calculation arrives.. confirmations please!


Squbel - 01.02.06 5:56 pm

So here it is:

1. Open your web browser (make sure you have ticked "Status bar" in "View" menu of your browser)
2. Type in your router address i.e. http://192.168.1.1/ and press enter
3. Click "Advanced" from left menu, then "Advanced" link in main window
4. Choose "Internet" from left menu and login
5. Point your mouse cursor over "Connect" link. DO NOT CLICK on it!
6. Note down your "checkNum" value shown in status bar (i.e. 4373 in case shown on this screenshot)
7. Open another web browser window (DO NOT CLOSE previous one)
8. Put in your Adress bar following line:

http://192.168.1.1/conprocess.cgi?checkNum=****&pppUserName=username@other.provid.er&pppPassword=yourpassword

where:

"****" is your noted "checkNum" value

"username@other.provid.er" is your username provided by ISP other than BT

"yourpassword" should come with your username as well :)

7. Press enter smiley for :D


PS. I would be very grateful if you could confirm this workaround. I'm still with BT :)
PS II. cor: as you can see these "calculations" were really tricky smiley for :lol:



cor - 01.02.06 7:06 pm

Squbel! Blimey! It's Quantum Physics! smiley for :lol:

Dude, if this works for other ISP's, you are a FARKING HERO! smiley for :ken:

I gotta grab that pic and put it somewhere.
Chocolate medal on its way!

;o) Cor


vof - 01.02.06 11:21 pm

Well done Squbel!

I'm curious about the significance of the checkNum value. You said previously conprocess.cgi was a local script file. I've not got a 2091 so could you post the source or appropriate bits from the script here?

vof


vof - 01.02.06 11:40 pm

...and does the checkNum value change over time? If so, what kind of values does it have?


Squbel - 02.02.06 12:56 am

I don't have access to conprocess.cgi or any other cgi script used in web interface - thats why i would like to see source files - mainly custom apps in newest firmware version from BT cd with GPL code. It would be very nice to analyse them. Especially httpd and ftpd.

I can access only sources from /webs/ folder.

So in connect.html you can find:

"(...)
<!-- hide
var randomNum = '<%ejGet(CheckNum)%>';
(...)"

than just after the code posted by edinclimb:

"(...)
var loc = 'conprocess.cgi?';
loc += 'checkNum=' + randomNum + '&';
loc+='pppUserName='+encodeUrl(pppUserName.value);
if(urlError==1) return;
loc+='&pppPassword='+encodeUrl(pppPassword.value);
if(urlError==1) return;
var code = 'window.location.href="/'; // for Mac safari browser compatibility
code += loc + '"';
eval(code);
(...)"

Yes checkNum changes over time - with each action where this value has to be verifyed.
checkNum is in my opinion random number (within a 1-9999 range?) generated by httpd and is used to ensure that command is produced by web interface (not by user like in workaround smiley for :ken: ).

Fortunately there are few places in the web interface where you can read this value in your status bar. I'm only afraid that BT will fix this bug with next firmware rel and this trick will be useless. I'm using firmware version 2.21.05.09_A2pB018c1.d16d




cor - 02.02.06 1:18 pm

Even if they "fix" it smiley for :roll: folk can simply use that firmware version. Do we have a dump of that firmware?

As to the sources: I spent three days (Flash FXP, rather, in the background) trying to upload the sources to my "alternative" web host (where I keep my MP3s and such) but it takes two steps forward for every step back, can only upload about 1MB before needing to reconnect, and if that takes longer than X minutes, the whole upload has to start from scratch. In short; forget that!

So, I've put up a torrent, tracker running on my Slackware box, something I've not done before (ie. hosted a torrent inside Azzy itself) so let me know how it goes..

Grab the torrent here.

;o) Cor


Squbel - 02.02.06 2:01 pm

cor: Thats awesome (torrent) ! Tracker is working perfectly but nobody is seeding at the moment... have you set your port forwarding correctly? smiley for :lol: (just kiddin) :)

I wish someone would report that this unlocking thing is working or not... maybe you could expose it a bit more? Just to make it easier for ppl to find it? Can you link it on your main 205 how to page as a possible unlock? smiley for :D

Re: securing the "proper" current firmware version - I really hope that I'll find relevant cgi scripts in this sources. There is a scritp which is meant to download updated firmware from ISP server - need to find the address, file name and you we could download it and put on your webpage :)

PS II after 26 min still no seed or peer...


cor - 02.02.06 3:14 pm

hmmm.. I've been seeding since I put it up. I opened it on another box and it came up one seed. Weird. I *think* setup the port-forwarding correctly! smiley for :lol:

Do you get an error of any kind?

;o) Cor


Squbel - 02.02.06 3:48 pm

Azerus shows: Tracker status : connection error (timeout)

Tracker url: http://corz.ath.cx:6969/announce

I've tried earlier with bitspirit


cor - 02.02.06 4:48 pm

The only port probe I trust is my own, but sadly it runs on the same box as the tracker! However, the grc thing says no go on 6969. Dunno. I wonder if my ISP.. Hmm. Another day.

Anyways, I created a new torrent, and the tracker is now running on port 46969. grc says it's AOK! Weird.

I've upped it to the same place, so the link (above) is fine, but if you have the old torrent file, trash it and use this one instead.

If that doesn't work, I have an experimental tracker running here at the .org, needs much work, but might be up for the job. We'll see.

Let me know if it's still fecked!
Fingers crossed. smiley for :aargh:

;o) Cor


Squbel - 02.02.06 7:13 pm

It's working perfectly now !!! You are a GENIUS !!!
Only 5 days and i'll have it smiley for :D !


Very nice unlock guide on top smiley for :D - I hope somebody will confirm that it's working :)


cor - 02.02.06 8:41 pm

Yes, the red text sets it off, I think. smiley for :D
I might add some of that on the main page.

w00t! The tracker works! smiley for :D

As for the speed, oops! I forgot about that erm Linux Distribution I had going in the background, now capped, you should get about 15-20Kb/s all the way. I'll seed it for a week or so at that rate or thereabouts, then put it in on a slow burner in the background. Anyone else that wants to do the same is very welcome!

Azzy's built-in tracker. What a cool feature!
That will be used again!

;o) Cor


vof - 02.02.06 11:04 pm

I'm not sure what's going on with the CGI stuff in these boxes. The HTML on my 220V, though it is not locked, has a number of refs to various .cgi files such as conprocess.cgi and disconnect.cgi. I've had a good look through the Linux filestore but I can't find any of these *.cgi. I think they must come from BT but since the GPL packages seem to come from Broadcom, those GPL packages don't include the sources. I guess BT claim a non-GPL licence for their additions. There certainly wasn't any *.cgi in the GPL package I've used. The box is (obviously) running an httpd daemon but finding either a binary or source file for that is also problematic. Busybox does provide some of the daemons, e.g. tftpd, but claims not to offer httpd. Conventionally, CGI files live in cgi-bin but there doesn't appear to be such a dir in the Linux fs either.

Any suggestions cor, squbel?

vof


col - 03.02.06 1:24 pm

Hi,
The fix for the 2091 will not work for me, i have tried a few times.

It just comes back to the login screen and when i connect is says "unsuported broadb....." etc

It has my new login/pass in the box's.

My firmware is 2.21.05.08m_A2pB018c1.d16d if that helps.


Squbel - 03.02.06 4:39 pm

col: that's sad news. It was tried only on 2.21.05.09m version. Can you post your ps list after applying the command? (telnet your router and type ps)


cor - 03.02.06 4:45 pm

Aaarrghh! Strike one! Thanks col.

I don't know how significant the firmware is in this case; they look the same or similar, but I'll let Squbel confirm that.

Three strikes and it's outta here!

;o) Cor

ps.. Squbel, did you get all the source? My internet went down last night (my own fault) before you reached 100%. I notice another leecher today.

[edit]hah! I didn't spot you slipping in there Squbel, bummer eh![/edit]


col - 03.02.06 8:56 pm

Heres the ps list you wanted


Main Menu

1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Reset to Default
12. Save and Reboot
13. Exit
-> ps
PID TTY Uid Size State Command
1 admin 1240 S init
2 admin 0 S keventd
3 admin 0 S ksoftirqd_CPU0
4 admin 0 S kswapd
5 admin 0 S bdflush
6 admin 0 S kupdated
7 admin 0 S mtdblockd
13 admin 1296 S -sh
52 admin 2744 S cfm
94 admin 588 S pvc2684d
319 admin 2744 S sshd
320 admin 2776 S telnetd
326 admin 676 S dhcpd
327 admin 944 S bftpd
328 admin 1224 S tftpd
399 admin 2744 S httpd
404 admin 676 S dproxy
408 admin 1224 S pppd -c 0.38.1 -a 0.0.38 -u zen*****@zen -p
614 ttyp0 admin 2780 S telnetd
649 ttyp1 admin 2788 S telnetd
666 ttyp1 admin 1284 S sh -c ps
667 ttyp1 admin 1236 R ps

Hit <enter> to continue




It remembered my user name, hence the zen***** stared out.


If you want more info let me know.


IMAKECRISPS - 03.02.06 9:18 pm


I have tried this but it did not work.
2.21.05.08m_A2pB018c1.d16d firm ware.

I am with BT but tried to use my Dad's ISP.



What I want to be able to do though is stop the bloody thing disconnecting all the time. Im with BT. Been onto them about 100 times about it randomly cutting off the internet.

They say nothing wrong. some one said something about changing the Tx Power Attenuation as my SNR is only 16.5. But I dont know how to do it.





Thomas - 04.02.06 9:50 am

Hi,

I have just acquired a BT Voyager 210 and when I try to connect to my non BT ISP I get the following message:

Unsupported Broadband service
This device has been supplied as part of a BT service and cannot be used with any other services
Please contact BT for further information

Just wondering if any found a way to unlock modem for use with other ISP.
Much appreciated with any info on how to do this.

Oh Cor I have tried that possible fix for the 2091 and that doesn’t work for my router
Fyi….

My Current firmware version is 2.21.05.08m_A2pB018c1.d16d

Cheers

Thomas



SOLIDSNAKE - 04.02.06 1:21 pm

WHATS UP GUYS NEED SOME ADVICE HERE I WANNA USE THIS 2091 ON A TISCALI DSL LINE YEAH AND PLAY PS2/XBOX ONLINE WILL IT WORK WITHOUT DOING THIS PROCESS...tB ASAP YOUR ONE AND ONLY TRUE HEARTED KILLA TC BOYSSS........................................smiley for :cool:smiley for :cool:smiley for :cool:smiley for :cool:smiley for :cool:smiley for :geek:smiley for :geek:smiley for :geek:smiley for :Dsmiley for :ken:smiley for :Dsmiley for :ken:smiley for :lol:smiley for :lol:smiley for :lol:smiley for :ken:smiley for :ken:smiley for :geek:


cor - 04.02.06 1:51 pm

SOLIDSNAKE, see above.

And please fix the CAPS-lock on your keyboard.

Thanks Thomas and IMAKECRISPS, it looks like workaround 1 is a no-go. Damn!

At the moment, there is no known way to circumvent the ISP-Lock on these Voyager routers, but feel free to grab the GPL source code (link above) and hack away!

IMAKECRISPS, I don't know, nor offer any advice for non-205 routers, but perhaps you could try modify dsl config ? in a telnet session.

;o) Cor


Squbel - 04.02.06 3:25 pm

Col: Thx for your help.

Looks like this command is only capable to run pppd with proper parameters but thats not enough to use another ISP.

I can't work on it properly as I don't have access to other ISP than BT.

I figured out recently that if you kill httpd 1-2 secs after "fix" command my Internet light is not going down. You can try this by typing kill PID (you can get httpd PID number in your ps list before) in simultanous telnet session just after entering "http://192.168.1.1/conprocess.cgi?checkNum=****&pppUserName=username@other.provid.er&pppPassword=yourpassword" in your web browser.
Then give 1 min to your modem and than try google browsing.

I'm not really expecting this to work after your reports but you can always give it another try smiley for :D
If google is still not responding try to unplug router from phone line and reconnect it after 20 secs. Check google browsing after another 2 min.


digitaldazz - 04.02.06 10:51 pm

cor,

managed to get a directory and file list of whats on the 2091 - is this of any use to anyone ?




digitaldazz - 04.02.06 11:13 pm

why is ac97 on the 2091 ?

can it play my mp3's ??

lol


Just - 06.02.06 9:16 pm

Hey guys, I have a couple of spare 220v routers and gave one to my cousin the other day who was stuck with a supplied Speedtouch modem. I entered his account details using the standard 220v web interface and got him connected on Tesco Broadband no problem. I don't know if Tesco is actually BT but it certainly didn't refuse it.

Also, does anyone know if we can use VOIP with anyone else somehow?

Cheers,
Just


vof - 06.02.06 11:51 pm

Just: I have a 220V router which is not locked to BT - it seems as if it is only more recent 220Vs with later firmware versions which have that feature smiley for :erm:

However it is locked to BT's expensive Broadband Voice service and no-one has discovered how to undo it so that the 220V can be used with other VOIP services AFAIK. Let us know if you find anything which may help in this.


vof - 08.02.06 1:25 am

I have an idea for another approach to this ISP lock problem but first I would like to find out the system types that these routers are internally known by.

Would owners of any Voyager 2xxx series routers please post on this page the system type which is displayed if you do the following (or if it does not work what errors you saw):

1. telnet to your router
2. login - default username/password is probably admin/admin
3. Main Menu is displayed
4. Type sh followed by enter after the Main Menu
5. At the # prompt, type cat /proc/cpuinfo followed by enter
6. Post on this page the system type from the first line of the output from the cat command, plus ideally the next three lines as well.
7. Type exit followed by enter, then hit enter again to get back to the Main Menu.

My Voyager 220V has a system type of RTA1052V. I would like to know the system types of Voyager 2091, (1500), 2000, 2100, 2110, 2500 routers.

vof


digitaldazz - 08.02.06 9:03 am

hi vof,

heres mine off a 2091:

# cat /proc/cpuinfo
system type : V2091_BB
processor : 0
cpu model : BCM6348 V0.7
BogoMIPS : 239.20

dazz


Squbel - 08.02.06 5:14 pm

Cor: Can you tell me why did you choose Tiscali? Why not AOL ? Tiscali has this strange Fair Usage Policy.

I think I'll have to change ISP - BT wants me to pay 55£ per month.....
smiley for :lol:


cor - 08.02.06 8:18 pm

digitaldazz, yes, it probably could play MP3's. Even the lowly 205 has some interesting audio-capable hardware. I wasn't joking when I said I was considering its after-life as a guitar effects pedal!

And YES! All info is useful, drop anything you feel is relevant.

vof, my curiosity is peaked!

Come on 20191 users, get your info in here!

I wanna see what's up vof's sleeve! Don't you?

Just, nope, at this time there is no known way to unlock the VoIP functionality for another ISP. By the way, did you say you had a spare 220V? smiley for :D

Squbel, in fact, Tiscali's fair use policy is one of the main reasons I chose them. As I see it, it's one of the most sensible in the industry.

The other is the large amounts of money they are investing in LLU. I'm seriously looking forward to an 8Mb/s link, and Tiscali are serious about delivering it.

AOL is evil, everyone knows that.

;o) Cor


martin - 10.02.06 11:36 am

I have a 2091 router and when I put music cd's into my PC,as I have an Ipod, it tries to access the gracenote database, but the router is preventing the return traffic, how can I resolve this problem?


Mike - 10.02.06 6:11 pm

Help i tried to unlock the voyager 2091 to use with tiscali broadband and it didn't work

Can anyone help me please?



sr4470 - 11.02.06 9:23 pm

Anyone know if I can use a 220V (purchased in december) with other ISPs?


C1 - 13.02.06 10:39 am

I just bypassed the domainLock on a new BT voyager that I was trying to get working on Eclipse for a friend. Not sure of the model, but there's no reason why this should not work on all voyagers.

No need to mess about with firmware or process lists, the solution really is incredibly simple thanks to a little JavaScript magic :)

1. Navigate (using Internet Explorer, FireFox is untested) to this URL:
http://192.168.1.1/connect.html (replace IP with whatever your voyager is)
The purpose of this is to make the connect page the only frame - other frames screw up the JavaScript below.

2. Open Notepad, and type in the following text exactly as it appears:
javascript:function C1() { if (domainLock == 1) { domainLock = 0; } } C1();
(the above must be all on 1 line).

3. You will notice that the connect page in your router refreshes every 10-20 seconds or so. After the next refresh, immediately copy and paste the text in step 2 into the URL bar of Internet Explorer and hit ENTER.

4. It will seem to you like nothing has happened - but now just enter (or preferably paste) your new ISP details in and hit connect - no more annoying "unsupported broadband service" message smiley for :D You must do all of this before the next refresh happens - so have everything ready in notepad for quick pasting.

IMPORTANT NOTE: This worked for me *AFTER* I had actually set up my new ISP (Eclipse) in the router's Telnet CLI - you will have to do this first. WAN settings are always VPI:0 VCI:38 PPPoATM, VCMUX encapsulation, and most other stuff can be left as default except your new ISP details. The above 4 steps simply allow you to CONNECT with your new ISP details AFTER the details are saved in the router.

I'll post a full step by step guide for using the CLI part when I next have access to the router (next week) - feel free to have a try by telnetting to your router's IP (it's WAN settings you want).

- C1 (lost1e (at) hotmail (dot) com)


uncle dave - 13.02.06 10:57 pm

Hi all,

My ISP is telewest.

I was hopeing someone would be able to tell me how i would use a 205 router with this internet connection. I've never used a router before and i'm totaly lost as i can't get it to work! Telewest don't connect a modem to regular telephone socket (as BT braodband would use) to access braodband, they uses cable connection to a modem to recive the braodband.

I hope some computer genious out there can help, as i'm at a loss!!

thanks




cor - 13.02.06 11:19 pm

martin, I don't know the 2091, but I do know that you don't need "incoming" traffic to get data from gracenote. Check your settings.

Nice work C1! I look forward to those telnet instructions. I'll put the whole thing up top for folk to see, when they arrive. cheers! (by the way, I edited your corrections into the first post, pre tags are best for code things, especially if you want to show javascript, all that stuff has to be filtered). You can edit your own most recent comment, too.

uncle dave, you are on the wrong page. At any rate, see the links at the top for the tricks page, what you need is on there; assuming that telewest is an ADSL supplier, and not cable or something.

;o) Cor


Just - 14.02.06 8:39 am

Cor - sure do, you can have it for the P&P to experiment on :)


C1 - 14.02.06 5:03 pm

Cor: hopefully at the weekend I'll get my router back, it's a brand new Voyager 205 that I have loaned to a friend until his other replacement router arrives - he's now happily using it on Eclipse internet via the method above, despite the BT lock ;)

When I get the router back, I'll post up some user-friendly step-by-step instructions on Sunday - I've thought up an even easier way to do this (using more javascript) that doesn't involve using telnet or navigating to any non-standard pages like connect.html.

I'm impressed at the quality and features of this little Voyager 205 (ISP lock aside!) - it may even persuade me to ditch my trusty Cisco 827 ;)


cor - 15.02.06 12:34 pm

C1, are you telling me that BT have started locking the 205 as well???   smiley for :eek:   Please confirm this, and tell me, what firmware version is that? Shouldn't be too hard to bypass with a firmware flash; we have a few versions kicking around now.

A 205 with an ISP lock, really? Yikes!
Maybe we should add something to the 205 page, which this isn't.

Anyways, your right, it's a great wee unit. Apart from perhaps the 512 maximum simultanous connexions which some people find inhibiting. It's easy enough to work with that, though. I find.

Just, use pidgeon post, and you've got a deal! smiley for :lol:

;o) Cor


Squbel - 15.02.06 4:55 pm

C1: this javascript hack is really great - so simple :)) Respect ! :)

I can't confirm that this is working for 100% but it is disabling lock temporarly for sure and allows to change user/pass to non-BT.

I'v tested it with my voyager 2091 today. I typed in non-bt user/pass after entering javascript line and it attepmpted to connect with it. Obviously I couldn't connect as I'm still with BT.

Great work C1 :)!


Martin - 15.02.06 6:38 pm

C1 - I can confirm your method works with my 220v voyager, well done! My annoyance goes out to eBay sellers who are selling these modems by the bucketloads without warning that they wont work on non-bt services and to BT for trying to lock them in the first place!


cor - 15.02.06 7:12 pm

Ahh, this is great news!

For sure, C1's work can definitely be labelled as a "cute hack".
Respect indeed!

Now, for a non-BT using 2091 user to give the final okidokee...

;o) Cor

ps.. Martin, can you confirm that you have successfully connected the 220V to another ISP, and which one?


Martin - 15.02.06 10:21 pm

Very cute hack! and yes I have successfully connected my 220v (I am right now infact) to eclipse!


new to this world! - 16.02.06 1:29 pm

I have a voyager 220V.

How does it differ from the 205V?

How do i get it to re-lease a client's IP Address?
I have tried rebooting but I still can't gain access to the internet. May i also add that this problem occur on the client pc after I uninstalled ZoneLabs security suite.

Also BT recommends a software base firewall in addition to the one on the Voyagerr, what's your opinoin?

Cheerio matesmiley for :lol:


cor - 16.02.06 2:11 pm

Excellent, Martin! I've added the cute hack to the main page (above).

220V Users: All this "*AFTER* I had actually set up my new ISP (Eclipse) in the router's Telnet CLI"; how difficult is that with the 220V? Does it need telnet? Does it need any action at all, in fact? On a 205, nothing needs to be done, you just enter your details, and away you go. C1, were you referring to geographically specific details? The VCI, etc?

I'd love to see the details of what needs to be done before this hack, from a fresh router. Anyone?

And also, confirmation of 205 + ISP lock, which was previously unheard of. Does such a thing really exist? smiley for :eek:

new to this world!, as far as I know, it differs a great deal. It certainly sounds like a peecee problem, as opposed to a router issue.

With a good router, you don't need a local firewall on your puter (assuming the router is correctly setup) but some people run one anyway, to prevent unauthorized out-going connexions (trojans, etc) as well as the many other services these beasts now provide; Bad JavaScript protection, email quarantine, outgoing personal data screening, etc., etc. Really, it's your call.

As to your current issue, try resetting the unit. When the pidgeons arrive with my 220V, I'll play with it and have a better idea of these things, but I'd imagine it has some sort of recessed reset button at the rear somewhere; the 205 certainly does; quite useful at times.

Welcome to our world! smiley for :lol:

;o) Cor


Seamus - 16.02.06 5:05 pm

I tried this with BT Voyager 2091, but with no luck. I believe I setup the Telnet CLI with the correct information, but cannot be sure. It would be great if C1 could post a full step by step guide for using the CLI part, because I think this is where I am falling down

Thanx


ross - 16.02.06 6:17 pm

Im with seamus, ive tryied the hack on my bt2091 it aint working, i ran thru the telnet thingy to but no luck!
Ive phoned BT who said "We dont lock our routers" i said "you have!".
They said "we dont beacause it is against our licence to do that"
oftel gave me a number for Head management complaints who are looking into it and getting back to me, but bacically because i aint a customer anymore they aint too interested and i might need to really get stuck into them!
Ill let you know.


mcfly - 16.02.06 7:29 pm

after reading C1's comments about getting around the javascript block, has anyone tried simply disabling javascript or using a non-js browser to enter details?? unfortunately I dont have my router here to try it but if thats the mothod being used by bt to block other ISP's then surely this would get around the problem... When i try it out myself ill let you know.

[recovered from corz.ath.cx development mirror, posted: 15.02.06 5:39 pm]


cor - 16.02.06 7:40 pm

Good work, ross! pity about the 2091, perhaps something very similar might work, or perhaps it's the underlying configuration that's wrong. C1 is tied up this week, methinks, but I shouldn't think there's any rocket science going on with the ISP config.

Thanks (and Seamus) for trying it out on your 2091's. Perhaps you might like to have a wee fiddle while you're there; mcfly's drop-dead-simple approach does sound highly unlikely, but if I were a 2091 user, I'd sure give it a try!

Remember, it's not a failure, it's simply knowing one more way that definitely doesn't work, and that's if it doesn't! Anyone?

But yes, ross, of course you guys shouldn't have to be dealing with ANY of this! smiley for :aargh:
OFTEL! Good call! I hadn't thought of that! smiley for :cool:

So, we have a working hack for the 220V, and a question mark for the 2091. We're getting there. One thing's for sure, whatever happens, it'll likely happen here!

Thanks all!

;o) Cor


C1 - 17.02.06 12:55 am

All: Apologies I made a mistake in an earlier post - my router is a 220v, NOT a 205! I was so concentrated on hacking the ISP lock on my brand new router, that I didn't take note of which model it was :)

mcfly: Simply blocking JavaScript will not work - trust me I spent hours on this. Most of the URL's in the connection process are made up on the spot using JavaScript, and there's also a unique sequence number which must be present for anything to work at all.

On Sunday (or thereabouts) I'll post a much better method that anyone can do. No need for any telnet/CLI or navigating to strange URL's ;)

ross/seamus: hopefully the new code coming in a couple of days should work with the Voyager 2091 as well (50:50 chance). If it doesn't, then I'll need one of you to e-mail me various bits of data from your router via e-mail - I'll provide specific instructions if/when the time comes. BT must pay for this ISP-locking sin! :)

- C1 (lost1e TA hotmail TOD com).


cor - 17.02.06 10:40 am

C1, great news! and great news!

The prospect of having to deal with a swathe of ISP-locked 205 users was a tad daunting! smiley for :eek: In fact, I saw a 220V in the flesh the other day (though sadly they wouldn't let me take it home!) and it looks *very* similar to a 205, so that would be an easy error to make. You are still our hero! smiley for :cool:

Looking forward to Sunday!*

;o) Cor

references:
mainly because it's the start of my week-end! smiley for :D



Trig - 17.02.06 10:56 am

I've had a 220v for about 3 months. When I got hold of it I didn't know that it could only be used for BT ISP's. After a lot of trial and error I did manage to configure it to use my ISP (Pipex). Most of the commands where available on telnet. If I didn't use the web interface I could configure the connection account, as I wanted. However not all the options are available in telnet.
This was fine until last night. I was having issues where the line would drop out. For some reason I decided to do an online firmware updatesmiley for :ehh:. That was my mistake. It rebooted and I then had a Authentication failure with the ISP. I checked the config with a back up that I had some time ago and it was the same. BT must have put more lock downs somewhere else.

I have the CD the came with the router and there is a firmware on the version 2.18.01.12_A2pB016a.d15g. This was not the version that the router was shipped with. Tried to configure it and didn't work again. I was now desperate. I have searched the web before and found nothing but I tried again (on another machine). Much to my surprise I found this site and C1's amendment. I thought that I would give bit a go. My hat goes off to C1. An excellent "amendment".smiley for :ken:

Having read the other comment I thought that I would re-download the online firmware, get the version and try out C1's code. Now I can't do the online update (This may be a good thing). I have tried to look at the code to find the site that it is going to. Nothing. (Skills not that good)

I think that I will leave it now it is working and hope that the line doesn't drop out any more.

Thanks again C1. I thought that I would have to ditch the 220v and actually buy a router.smiley for :D

Trig:smiley for :lol:


Nu2Routers - 17.02.06 5:30 pm

Hi,

Is the Voyager 210 a cut down 205? Does anyone know where I can get some info on the 210 please?


seamus - 17.02.06 5:48 pm

Cor, gave disabling javascript a go on the 2091, but, unfortunately, it's a no go. The whole Web Interface is just not accessible when you do it. Look forward to C1’s post and see if we can crack it. He seems confident.


snags - 18.02.06 9:04 am

may the firmware from a bt voyager modem that isn't ISP locked may work with the 2091?

or it might have to be edited a bit,so its a mix of the original 2091 firmware, with bits of another router's firmware cut and pasted in.


Worcesternet - 18.02.06 2:19 pm

Does anyone have a driver to allow a BT Voyager 220V to work via a USB connection to an IPCop Linux based router.

I'm using BT Broadband so the ISP lock is not an issue, I just need to get the IPCop box to talk to the Voyager.

Any ideas?

Thanks

Pete


Squbel - 19.02.06 12:58 am

Hi again,

If C1's unlocking trick works properly, Bt may release new V220 and V2091 firmware with better ISP lock soon. Because of that I've decided to track down and save current firmware for V2091. I've done some sniffing with rerouting today with my voyager and look what I've found:

http://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update

<!---Voyager 2091 Files Start--->
VOYAGER2091_BTR#2.21.05.11e_a2#
http://www.voyager.bt.com/firmware_upgrades/cfe-voyager2091_btr-v022105_11e_a2pb018c1#0#
Upgrade to this firmware if you are having issues with your VPN client.#
<!---Voyager 2091 Files End--->

<!---Voyager 2090 Files Start--->
VOYAGER2090#2.21.05.06c_a2#
http://www.voyager.bt.com/firmware_upgrades/cfe-voyager2090-v022105_06c_a2pb018c1#0#
One-click firmware upgrade should work in BT website since this version.#
<!---Voyager 2090 Files End--->

<!---Voyager 220 MGCP Files Start--->
VOYAGER220V_MGCP_BTR#2.21.05.11e#
http://www.voyager.bt.com/firmware_upgrades/cfe-voyager220v_mgcp_btr-v022105_11e_a2pb018c1#0#
Upgrade to this firmware if you are having issues with your VPN client.#
<!---Voyager 220 MGCP Files End--->

<!---Voyager 220 SIP Files Start--->
VOYAGER220V_SIP_BTR#2.21.05.11f#
http://www.voyager.bt.com/firmware_upgrades/cfe-voyager220v_sip_btr-v022105_11f_a2pb018c1#0#
Official BT Broadband Talk Firmware#
<!---Voyager 220 Files End--->

Go grab your firmware backup now! :)

I wonder why they have two different V220 firmwares? One is BT locked VOIP and the other is not?

I want to cross-flash my v2091 with v2090. I'm struggling with proper CRC32 values which are written in bytes 236 to 239. This CRC32 is header checksum (from byte 0 to byte 235). After changing ID tag from "2090" to "V2091_BB" in bytes 44 to 51 I should change header checksum but don't know how to calculate it :(

I know that "the checksums are regular CRC32 checksums, but with all bits flipped". Can anyone help me with this?


Squbel - 19.02.06 10:19 am

Finally I've managed to flip this CRC and flash my voyager with different firmware... I'm running now on backup ADSL modem ;DDD

cfe-voyager2090-v022105_06c_a2pb018c1 is not compatible with v2091 ;D


vof - 20.02.06 12:58 am

Some excellent posts on unlocking these routers while I have been away smiley for :D

I was thinking of suggesting using the closest looking Dynalink firmware in these 2xxx Voyager routers but a lot of what has been discovered recently seems more promising.

Trig: The 2.18.01.12_A2pB016a.d15g 220V firmware you mention is the version my 220V came with - it is not ISP locked but it is locked to BT's Broadband Voice VOIP service. I would suggest that this version is hosted by cor in his download area if you have a firmware file on your CD - my version 1.0 CD does not seem to have any firmware on it, and yours is the first file copy of this firmware version that I've heard of. It is the easiest way to permanently ISP unlock the 220V. Unless you know you need later firmware, I would upgrade your 220V with the version on your CD.

Has anyone else with an unlocked Voyager got a firmware file on the CD that came with it?

C1: I've been trying variations of your javascript trick to see if I can unlock the 220V VOIP feature in the above firmware, so far without success. Any thoughts on this?

Squbel: There are two versions of 220V firmware on the BT Voyager firmware upgrade site because their original VOIP service - Broadband Voice - uses the MGCP protocol whereas their latest VOIP service - Broadband Talk - uses the SIP protocol like most other VOIP providers. I suspect Broadband Voice is effectively obsolete so users need to upgrade to the second firmware version if they use Broadband Talk.



holly - 20.02.06 3:19 pm

I have a BT Voyager210 ADSL Router

I would like to know how I can make a programme on My computer available to My friends.

I know it works in range 9990 to 9998 but shold I disable te NAT manager


ross - 20.02.06 10:35 pm

Ive got a unlocked 220v with firmware 2.18.01.12_A2pB016a.d15g
When i say unlocked i dont know about voip service ( i dont subscribe to it!)
I might be able to dig out the cd if anyone knows were the firmware is located, or if i can "Backup" the settings and publish them!

Happy to help BUT the 220v is my backup and im really trying to get my 2091 unlocked so i can use plusnet on it! Please help???


essexman - 21.02.06 10:39 am

I have not been able to unlock my bt2091 router using the "checkNum" or the "javascript" methods. The firmware version of the router is 2.21.05.08m_A2pB018c1.d16d




Joonz - 22.02.06 2:23 pm

Hi, very useful site this!

Does anybody know if the BT Voyager 2500V is ISP locked?



Tux Warrior - 22.02.06 10:03 pm

Anybody got a voyager 240.

How do we examine the firmware upgrade files.
I can see that my box runs a cut down linux but I can't tell what file system it uses.
Telnet access goes to a restricted shell.
Anyone know if there is another user apart from admin but with unrestricted shell access?





vof - 22.02.06 11:38 pm

Tux Warrior: I've got a 220V which I suspect comes from the same OEM as your 240.

Look here for info about examining structure of the firmware image files.

My root filesystem is mounted ro - I believe it is probably cramfs, somewhere in the firmware held in flash memory - mounted at /dev/mtdblock0, with /var mounted rw in system RAM.

There is only the one very limited shell provided by BusyBox with ususally only a single admin (=root) user.

That's as unrestricted as it gets and is what makes it all so much fun...smiley for :lol:



Tux Warrior - 23.02.06 3:31 am

Thanks vof
This is the only menu I get when I telnet in to my Voyager 240

"Note: If you have problem with Backspace key, please make sure you configure your terminal emulator settings. For instance, from HyperTerminal you would need to use File->Properties->Setting->Back Space key sends.


Main Menu

1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Reset to Default
12. Save and Reboot
13. Exit
->
"
However it did allow me to set sylogd to log remotely and discover this:

Feb 21 20:55:33 voyager.home BCM63XX started: BusyBox v0.60.4 (2005.05.23-11:08+0000)
Feb 21 20:55:33 voyager.home klogd: klogd started: BusyBox v0.60.4 (2005.05.23-11:08+0000)
Feb 21 20:55:33 voyager.home klogd: Flash 2249 with cs0 0x00000017
Feb 21 20:55:33 voyager.home klogd: Total Flash size: 2048K with 35 sectors,nvram start block at 0
Feb 21 20:55:33 voyager.home klogd: Scratch pad is not used for this flash part.
Feb 21 20:55:33 voyager.home klogd: RTA230 prom init
Feb 21 20:55:33 voyager.home klogd: CPU revision is: 00028000
Feb 21 20:55:33 voyager.home klogd: Primary instruction cache 8kb, linesize 16 bytes (2 ways)
Feb 21 20:55:33 voyager.home klogd: Primary data cache 4kb, linesize 16 bytes (2 ways)
Feb 21 20:55:33 voyager.home klogd: Linux version 2.4.17 (wilson@AndrewLinux) (gcc version 3.1) #1 Mon May 23
19:05:27 CST 2005
Feb 21 20:55:33 voyager.home klogd: Determined physical RAM map:
Feb 21 20:55:33 voyager.home klogd: memory: 007c0000 @ 00000000 (usable)
Feb 21 20:55:33 voyager.home klogd: On node 0 totalpages: 1984
Feb 21 20:55:33 voyager.home klogd: zone(0): 1984 pages.
Feb 21 20:55:33 voyager.home klogd: zone(1): 0 pages.
Feb 21 20:55:33 voyager.home klogd: zone(2): 0 pages.
Feb 21 20:55:33 voyager.home klogd: Kernel command line: root=/dev/mtdblock0 ro
Feb 21 20:55:33 voyager.home klogd: bcm_console_setup
Feb 21 20:55:33 voyager.home klogd: Calibrating delay loop... 92.97 BogoMIPS
Feb 21 20:55:33 voyager.home klogd: Memory: 6248k/7936k available (1110k kernel code, 1688k reserved, 76k data
, 44k init, 0k highmem)
Feb 21 20:55:33 voyager.home klogd: Dentry-cache hash table entries: 1024 (order: 1, 8192 bytes)
Feb 21 20:55:33 voyager.home klogd: Inode-cache hash table entries: 512 (order: 0, 4096 bytes)
Feb 21 20:55:33 voyager.home klogd: Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Feb 21 20:55:33 voyager.home klogd: Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Feb 21 20:55:33 voyager.home klogd: Page-cache hash table entries: 2048 (order: 1, 8192 bytes)
Feb 21 20:55:33 voyager.home klogd: Checking for 'wait' instruction... unavailable.
Feb 21 20:55:33 voyager.home klogd: POSIX conformance testing by UNIFIX
Feb 21 20:55:33 voyager.home klogd: Linux NET4.0 for Linux 2.4
Feb 21 20:55:33 voyager.home klogd: Based upon Swansea University Computer Society NET3.039
Feb 21 20:55:33 voyager.home klogd: Initializing RT netlink socket
Feb 21 20:55:33 voyager.home klogd: Starting kswapd
Feb 21 20:55:33 voyager.home klogd: brcmboard: brcm_board_init entry
Feb 21 20:55:33 voyager.home klogd: Module bcm63xx_cons.c v1.1 May 23 2005 19:05:41
Feb 21 20:55:33 voyager.home klogd: block: 64 slots per queue, batch=16
Feb 21 20:55:33 voyager.home klogd: PPP generic driver version 2.4.1
Feb 21 20:55:33 voyager.home klogd: NET4: Linux TCP/IP 1.0 for NET4.0
Feb 21 20:55:33 voyager.home klogd: IP Protocols: ICMP, UDP, TCP, IGMP
Feb 21 20:55:33 voyager.home klogd: IP: routing cache hash table of 512 buckets, 4Kbytes
Feb 21 20:55:33 voyager.home klogd: TCP: Hash tables configured (established 512 bind 1024)
Feb 21 20:55:33 voyager.home klogd: Linux IP multicast router 0.06 plus PIM-SM
Feb 21 20:55:33 voyager.home klogd: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Feb 21 20:55:33 voyager.home klogd: Ebtables v2.0 registeredNET4: Ethernet Bridge 008 for NET4.0
Feb 21 20:55:33 voyager.home klogd: VFS: Mounted root (cramfs filesystem) readonly.
Feb 21 20:55:33 voyager.home klogd: Freeing unused kernel memory: 44k freed
Feb 21 20:55:33 voyager.home klogd: Algorithmics/MIPS FPU Emulator v1.5
Feb 21 20:55:33 voyager.home klogd: atmapi: init_module entry 0xc000d060
Feb 21 20:55:33 voyager.home klogd: blaadd: blaa_detect entry
Feb 21 20:55:33 voyager.home klogd: adsl: adsl_init entry
Feb 21 20:55:33 voyager.home klogd: var 1.0 initialised
Feb 21 20:55:33 voyager.home klogd: Broadcom BCM6345A0 Ethernet Network Device v0.1 May 23 2005 19:08:20 Exter
nal PHY
Feb 21 20:55:33 voyager.home klogd: eth0: MAC Address: 00:90:96:F7:AD:AE
Feb 21 20:55:33 voyager.home klogd: BcmAdsl_Initialize=0xC001F8B8, g_pFnNotifyCallback=0xC0033E9C
Feb 21 20:55:33 voyager.home klogd: AdslCoreHwReset: AdslOemDataAddr = 0xA07E05D0
Feb 21 20:55:33 voyager.home klogd: eth0 Link UP.
Feb 21 20:55:33 voyager.home klogd: ip_conntrack_rtsp v0.01 loading
Feb 21 20:55:33 voyager.home klogd: ip_conntrack_sip v0.01 loading
Feb 21 20:55:33 voyager.home klogd: ip_nat_rtsp v0.01 loading
Feb 21 20:55:33 voyager.home klogd: ip_nat_sip v0.01 loading
Feb 21 20:55:33 voyager.home klogd: ADSL G.994 training
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 started
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 channel analysis
Feb 21 20:55:33 voyager.home klogd: ADSL link down
Feb 21 20:55:33 voyager.home klogd: ADSL G.994 training
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 started
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 channel analysis
Feb 21 20:55:33 voyager.home klogd: ADSL link down
Feb 21 20:55:33 voyager.home klogd: ADSL G.994 training
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 started
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 channel analysis
Feb 21 20:55:33 voyager.home klogd: ADSL link down
Feb 21 20:55:33 voyager.home klogd: ADSL G.994 training
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 started
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 channel analysis
Feb 21 20:55:33 voyager.home klogd: ADSL G.992 message exchange
Feb 21 20:55:33 voyager.home klogd: ADSL link up, fast, us=288, ds=1152
Feb 21 21:05:30 voyager.home klogd: Intrusion -> IN=ppp41 OUT= MAC= SRC=212.174.26.147 DST=82.26.226.252 LEN=6
0 TOS=0x00 PREC=0x00 TTL=54 ID=58365 DF PROTO=TCP SPT=50139 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 21 21:14:39 voyager.home klogd: Intrusion -> IN=ppp41 OUT= MAC= SRC=221.128.155.28 DST=82.26.226.252 LEN=4
8 TOS=0x00 PREC=0x00 TTL=110 ID=48394 DF PROTO=TCP SPT=1068 DPT=4899 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 21:57:09 voyager.home -- MARK --
Feb 21 22:19:57 voyager.home klogd: ADSL link down
Feb 21 22:44:23 voyager.home klogd: Intrusion -> IN=ppp41 OUT= MAC= SRC=82.61.0.62 DST=82.26.226.171 LEN=48 TO
S=0x00 PREC=0x00 TTL=114 ID=1003 DF PROTO=TCP SPT=4400 DPT=4899 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 21 22:57:09 voyager.home -- MARK --
Feb 21 23:18:05 voyager.home syslog: insmod -s -k wl0
Feb 21 23:20:04 voyager.home klogd: Intrusion -> IN=ppp41 OUT= MAC= SRC=82.253.56.9 DST=82.26.226.171 LEN=48 T
OS=0x00 PREC=0x00 TTL=113 ID=30791 DF PROTO=TCP SPT=3359 DPT=6129 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 21 23:34:11 voyager.home syslog: insmod -s -k wl0

Which will be a help.
Cramfs it is then.

More news later after I have had a hack about.



vof - 23.02.06 9:18 am

Tux Warrior: After telnetting in, type sh <return> at the -> prompt to drop into a shell.

Have fun!

¬o<


Katash - 23.02.06 12:33 pm

I'm with BT yahoo! and have a V205 - Have just upgraded to BT Buisiness Broadband because Yahoo! expected me to pay £75 a month for 'excess ussage'
My question is this - Due to the fact they have sent me a new v220, has anyone got the zipb mode to work on this router? - Cant try myself until 28th Feb


Squbel - 23.02.06 5:30 pm

Tux Warrior : is your router locked ? What exactly do you want to hack?

Taking in to account "Feb 21 20:55:33 voyager.home klogd: RTA230 prom init" line your modem is probably comaptible with RTA 230 unit. You can get original firmware @ dynalink site. Password for download is "dynalink".


essexman - 24.02.06 5:21 pm

BT still claim that their Bt2091 Router is not locked.

Ofcom do not want to know, the arguement being that BT supplied the kit for a BT service. However when the customer contributes £25 for the wireless addition to BT Broadband (Option 1&2)and is not told up front that the kit is locked seems to be bad pr for BT.

Has anyone successfully unlocked the latest Bt2091 Router?


vof - 24.02.06 5:25 pm

Trig: In your post of 17.02.06 10:56 am, you said you have the 220V firmware version 2.18.01.12_A2pB016a.d15g on your Voyager CD. Can I ask you to email me a copy of the file so that I have a backup in case my experiments on my 220V screw up. I assume the file is around 3MB in size. If you are prepared to email it, please send it to vince TA jovian TOD co TOD uk (address needs to be unmunged!)

Many thanks,

vof


David Richards - 24.02.06 9:33 pm

I wonder if anyone now has a definitive answer for unlocking the Voyager 2091 wireless router to allow it to be used with another ISP?

Please either post a comment here or email me david@NOSPAMdesigndeal.co.uk

Thanks for any help in advance


David


Tux Warrior - 25.02.06 1:54 am

thanks vof and squbel

The sh tip is just what I wanted.

I only wanted to be able to fine tune what the router already does.

And I thought it might be fun to see what else I could do with it.

Run a terminal server with snort and squid and dansguardian. Use wget to notify the rest of the network when the link is up.

I'm only using the router as a modem replacement. The speedtouch 330 was very poor at keeping the line up. It connects only to my IPCop firewall/router with the rest of the network behind that.

I have a very flakey connection at the limits of a 1meg service, so more log output would be useful to inform BT of the line quality................


vof - 25.02.06 4:55 pm

Tux Warrior: What did you do to get the log output you posted? I presume you configured your 240 to log remotely rather than somehow attach a serial console? In particular, what did you change the Management/System Log/Configure values to? My 220V only produces a handful of klogd log messages according to my remote syslogd - certainly nowhere near as much detail as you posted.


Squbel - 25.02.06 5:36 pm

vof: try

cat /proc/kmsg

or change remote log message level in default router telnet menu.


suresh - 25.02.06 8:52 pm

Hi,
This is suresh from Manchester. I want to know where i can find the public IP address which is assigned by ISP in the voyager router configuration page.
Plz kindly sent the mail as earlier
Thanking u Your's
suresh











vof - 26.02.06 1:24 am

Squbel: cat /proc/kmsg outputs nothing, behaves a bit like a tail -f, needs Ctrl/C to end.

The telnet menu was what I used to configure the system log - messages are being sent to my remote syslogd, just there's not much to them, and none of the really interesting stuff from early startup. That's why I was curious about the exact values Tux Warrior used on his 240 in case I was missing something obvious...

Here's the start of the sort of thing I see (level set to 7 I think):

Feb 24 20:53:23 modem-on-subnet1 BCM63XX started: BusyBox v0.60.4 (2005.05.09-1
1:18+0000)
Feb 24 20:53:23 modem-on-subnet1 klogd: klogd started: BusyBox v0.60.4 (2005.05.
09-11:18+0000)
Feb 24 20:53:23 modem-on-subnet1 klogd:
Feb 24 20:53:23 modem-on-subnet1 klogd: ENDPT: hdspVhdOpen Secondary Connection
VHD success. VHD (0x50) of type: 0x3
Feb 24 20:53:23 modem-on-subnet1 klogd: Change default VBD mode to G711 A-law
Feb 24 20:53:23 modem-on-subnet1 klogd:
Feb 24 20:53:23 modem-on-subnet1 klogd:
Feb 24 20:53:23 modem-on-subnet1 klogd: DEBUG_3341: Register #2, handle 0x51 for
debug
Feb 24 20:53:23 modem-on-subnet1 klogd:
Feb 24 20:53:23 modem-on-subnet1 klogd: ENDPT: HAPI_RM_OPEN_VHD_EVT event VHD (0
x51)
Feb 24 20:53:23 modem-on-subnet1 klogd:
Feb 24 20:53:23 modem-on-subnet1 klogd: ENDPT: hdspVhdOpen Secondary Connection
VHD success. VHD (0x51) of type: 0x3
Feb 24 20:53:23 modem-on-subnet1 klogd: Change default VBD mode to G711 A-law
Feb 24 20:53:23 modem-on-subnet1 klogd: INFO: APM Ring A Frequency Register 6d3

Feb 24 20:53:23 modem-on-subnet1 klogd: INFO: Set0 SLIC I/O Register 2 f00, val

What does display value in System Log configuration do?



Squbel - 26.02.06 2:20 pm

vof: try to cat /proc/kmsg just after router restart - I had similar problem few times. I think that the reason of this is too much messages being logged in kmsg - you can even disconnect your modem from phone socket during restart to reduce your kmsg


murix - 26.02.06 3:39 pm

BT Voyager 205 router. a.k.a. "Globespan Viking" (Globespan is now owned by conexant)
is a SPARC cpu, 2mb flash , 8mb ram, anyone where boot linux 2.4.20 + busybox in BT Voyager 205 ??????????????
who start up reverse engineer on wiki page?







shaun - 27.02.06 7:12 pm

Anyone got any ideas how to unlock voyager 2091 from isp lock??? i`m desperate...


shaun - 27.02.06 7:20 pm

If i don`t find a answer soon! i`ll gladly try tests on it firmware upgrades on it to find a solution. How do i change the firmaware version if i cannot connect the router to download versions.
Can it be upgraded downgraded from a file on the pc??...

Has any one succesfully used the two hacks for the 2091 on this page, if so what version of fimware was it done with???

Someone ou there must have some idea how to do this.. I f===in hate bt,!!!

Someone on the page mention they had exceeded bandwidth with bt by 100 and something gig! i exceeded by using 360gig in december on the 40 gig cap limit...

They informed me in february lol!!! i either changed isp or had to pay an extra 350 quid, if i changed isp they let me off with the excess charges..

Nice of them, but now i`m stuck with a crapy little modem and 2 other pc`s i cant` get on line due to them floggin me a locked router....




TalcumBoy - 27.02.06 8:58 pm

I've just got a BT Voyager 2091 from a friend at work who is on BT. I am on Force 9 and so tried the java script fix above.
After I pasted in the line in the address bar and then my user name and password I got the connecting screen below
an image
This seemed to keep refreshing for a while then went back to the connect screen with my F9 details still in it, so then I pressed connect again and was shown the only for BT users message.
One thing I didn't understand was the paragraph after step 4 about the telnet CLI and how or where to enter those details.

If anyone has further instructions on what to do about the telnet CLI and any other details that need entering to get the damn thing unlocked then please post here.

Thanks.


TalcumBoy - 27.02.06 9:04 pm

hey, where'd the image go?


TalcumBoy - 27.02.06 9:48 pm

OK, I tried the check sum process under other things we've tried above and there is a step missing from the process which is 3. and that is the router username and password which is admin admin. Once that is entered you can get to the screen in the screenshot and check your check num. However I did all that and it just got me to the connecting screen as before.

My F9 user name and password are still saved in the router though and even after a reboot from the web interface it is still saved but after pressing the big red connect button in the quick start screen it still shows the popup UNSUPPORTED BROADBAND SERVICE This router was supplied as part of a BT service and is not for use with any other ISP.

BTW my 2091 firmware version details are:
Firmware Version 2.21.05.08m_A2pB018c1.d16d
Boot Loader Version 1.0.37-21.6.8
Wireless Driver Version 3.91.39.0 (Wireless is enabled)


ross - 27.02.06 10:45 pm

this is the latest from BT head complaints/product manger
If the router was supplied "Free" they are allowed to lock it!
if not supplied free....
then they are not allowed to lock it, and you are entitled to an unlocked one?
I dont know about the upgrade. eg add more money for the wireless option, cause technically you are paying for something????


Squbel - 27.02.06 10:46 pm

TalcumBoy: I think you are doing everything right - but these hacks don't work on 2091.

You can try to combine both techniques and apply "javascript hack" after "checknum trick" or try to fiddle a little with killing the httpd process after. Check all posts on this page (show all comments).

shaun: You can change firmware using image file stored on your hard disk. If you are really desperate you can try to cross-flash your router with firmware designated for another model simillar to v2091. I have to warn you that this is dangerous and can damage your router. I've flashed my v2091 with v2090 firmware and my router is not working anymore - It hangs during boot-up. I would like to try to cross-flash v2091 with following firmwares : v2110 and rta1025w

There are at least 3 ways to flash a router. One is using http interface, another using windows tftp and the last and the best one using telnet and tftpd on your machine. Before you start you need to modify downloaded firmware so it can pass ID tag and CRC checkups during flashing process.

I can post flashing instructions and modified firmwares if you want :) but it's most likely that you will end up with dead router like me smiley for :D


damian elder - 27.02.06 11:32 pm

Just received a 200v as part of our broadband package. Does anyone know how to set it up as modem only (transparent bridging) as we have our own dual wan router which I want to use instead of the 220v as a router? Never used bridging before will the Public WAN IP then be assigned to my wan port of my router or an internal ip of the 220v. as you can tell I’m a shooting the dark lol ;-). any help much appreciated first correct answer gets £10 voucher for amazon.co.uk


Joonz - 27.02.06 11:44 pm

So nobody has any info on the 2500V then?

:-(




Tux Warrior - 28.02.06 2:38 am

vof
I did this:
System Log Menu

1. Configure
2. Show
3. Exit
/ Management/System Log -> 2

System Log Information

Log : enable
Display level : 7
Log level : 7
Option : remote
Server IP address : 192.168.1.2
Server UDP port : 514

Then I grep voyager /var/log/messages|less to view the results on 192.168.1.2
I think the data I got was from a hard reboot.

Damian,
To pass through the router just set the dmz address to your router.
The wan address from ISP is assigned to the ppp adsl connection on the 220v
The 220v probably has a default address of 192.168.1.1 on its ethernet port.
Connect with an ethernet cable and give your router an address on the same network eg 192.168.1.2.
Then on the 220v set the dmz address to pass everything to 192.168.1.2
On my 240 it looks like this:
Virtual Server Configuration

DMZ HostPort Forwarding Dynamic DNS
DMZ Host Help
A DMZ host is a computer on your local network that can be accessed from the Internet regardless of port forwarding and firewall settings.

Those IP packets from the Internet that do NOT belong to any applications configured in the port forwarding table will be:
Discarded
Forwarded to the DMZ host

IP address of DMZ host: 192.168.1.2

Assuming nothing is configured in the port forwarding tables the 220v should appear transparent to your router.

If you are already using the 192.168.1.0 subnet you can set both addresses to be on another subnet say 192.168.200.1 and 192.168.200.2

If you are connecting with USB someone else will have to help.








shaun - 28.02.06 6:29 pm

Dead router! rather have a replacement, unlocked version that is, but if no luck off bt i`ll give it a go!..
Does anyone have a direct telephone number of who to phone to get this thing replaced? i don`t think i got it free! i was originally on a voice router which i payed about 25.00 quid for.
I like the idea of the wireless as they just brought the package out on tv.
So i phoned and said they`d sent the wrong router but still had to pay another 50.00 quid for the wireless 2091 and 1 wireless adapter card. So maybe i`m entitled to an exchange off them.

The thing with bt is everyone that works for them are thick imigrants, that have probably never even seen the homepage of a router.
I phoned 6 times the other day trying to resolve it, i explained i had changed to pipex broadband but still they all told me to input a btbroadband usernames dah!!. check the dsl light is on, uninstall the software from bt, god i had steem coming out my ears!!..






andy - 02.03.06 7:43 am

can anyone tell me how to unlock my btvoyager2091 in plain english?lf you can.


Katash - 02.03.06 7:25 pm

Tux Warrior

In your reply to Damian you reccomended using the DMZ method to bypass his 220's router - Seeing as how you have tried it on your 240 I'll ask you this :-

Will the modem pass a public IP onto the 3rd party router or is it still a 192?

Also by using DMZ, is the 220/240's router completly bypassed or is it just forwarding all data on. The reason I ask is because the 220's max conn and ttl limitations are not great for on-line gaming, If I scan game servers using ASE the modem just hangs for about 20 secs. Am using a 205 at the moment with the max conn & ttl hacks and that works fine but I would like to use my new 220 that BT sent me.

TIA


Spikeeee - 03.03.06 2:56 am

Damian Elder....I have my setup in this configuration. I think its what you are after.

Voyager 220v Internet connection set up using telnet.Bridged mode selected with NAT and QOS disabled.It needs to have DHCP enabled, mine currently has the ip 192.168.1.1 with dhcp set to allocate 192.168.1.3 - 192.168.1.5. Ethernet cable connected from ethernet port(no sh*t) to the Internet port of router.

On my router(Linksys WRV54G) the internet connection is set to PPPOE with my username and password entered. Domain and hostname left as default(Currently Linksys). The Linksys router also has DHCP enabled but using 192.168.50.1 - 192.168.50.25 as its scope.

I cannot see the 220V from my LAN, the only way to do this is to make adirect connection to the Ethernet port. However the router initiates the connection and it doesnt seem to care that its not a BT username.

Ive just ordered BT Talk on 3 month trial to test if I can still use the VOIP functionality of the 220v in this configuration. Update will be posted as and when.

I know this is a brief reply, Im rather new to these forums. I have an in depth understanding of routing protocols and ADSL authentication, however I couldnt create a simple folder using linux!!!!!! If you want further info, or configs, then mail me on
220v at z1net dot co dot uk


Eric Manzie - 03.03.06 12:11 pm

So, since I bought my BT Voyager 2091 for a tenner, it should be unlocked and I can transfer to Tiscali without any hassle!!!

Is this correct??


vof - 04.03.06 12:25 am

cor: links to this page now on ebay listings! See

here

http://cgi.ebay.co.uk/BT-VOYAGER-220V-ADSL-Broadband-Router-SEALED-BRAND-NEW_W0QQitemZ5872771103QQcategoryZ101270QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

(cbparser seems to get constipated with the above url ;>)


Gladio - 05.03.06 3:56 pm

Hi,I've read the posts above,and I've got a Bt Voyager 2091 Wireless too ! My choose was Bt option1,and when I will come back in Italy,I will use my Bt Voyager 2091 with an italian ISP : I'ts possible to unlock it ?


shaun - 07.03.06 2:51 pm

NO! Cannot find a working unlock hack, anybody have any news on the subject????????


Migman - 07.03.06 8:06 pm

Could you please tell me in a little more detail how to use a voyager 220v router not using BT I have read the fix on this page with great interest but not sure exactly how to do it using windows XP many thanks


r33 - 10.03.06 9:36 pm

how do i unlock bt voyager 2500v to use with different isp?



jeevan - 11.03.06 7:59 am

hello sir,

i need BT voyager 220v adsl voice router welcome letter, because i don't have that router username and password, Item no is = 016176,
can u help me,

thank u



Fat Boy - 11.03.06 8:53 am

Hey I Recently Purchased a Bt Voyager 2091 Router with the idea of being able 2 unlock it to my isp 'Wanadoo' i was under the idea that i was able i have tried loadz of different ideas including the javascript one and my only problem that i feel is hindering me from using it is that i am unable 2 connect i can unlock it but it still says Modem not ready to connect :S confused and very pissed off help please smiley for :D


Sean - 13.03.06 10:48 pm

'thick imigrants'???


Ed - 14.03.06 9:44 am

Hi,
anyone knows why the Voyager 240 looses its ARP table when the PC is switched off (S3/STR with Ethernet card still powered) for let say a minute? I'm trying to use WOL in order to switch on my home PC from around the world but without the router ARP table pointing to my LAN the router simply cannot forward the Magic Packet. Instead if I leave my home PC on then I can remotely switch off and back on many times without problem, but I have to do it in less then a minute.

Any help would be very appreciated
Ed


Mike - 15.03.06 12:06 am

How do you enter a command in telnet? I'm trying to get my 220V Voyager to stop disconnecting, and I want to type into telnet the commands you suggest (modify global keepalive etc). When I open a telnet session I type them but it says they're not recognised. Help please!


Antonio - 15.03.06 10:00 am

Hi everyone.

Hi have a BT Voyager 220V and is working ok,
I need some information if is possible to use the Voip fecture with another company?

can anyone help me .

Thanks



Sean - 15.03.06 11:38 am

Just got the equipment for BT Broadband Talk (evening and weekend) package which is free for BT Broadband option 4 exising and new users (so if your an option 4 customer its well worth it - free equipment, free rental, free evening and weekend calls and discounted international calls)

The free piece of kit I got - the voyager 10v plugs into my 2091- I was expecting some smallish device but its actually the same size (or slightly bigger) that the 2091 itself.

Seems to be an interesting device - it can operate in router or bridge mode. In router mode the 10v sits in a differnet subnet(192.168.192.1), it also has its own DHCP server, IP filtering rules, HTTP config and UPnP.

As I also had my PC plugged into it I didnt like my PC in a different subnet so configured it to work in bridge mode. It has 2 telephone ports on the back of it.

I did a quick telent onto it using the standard admin/admin password and was able to do a help to list its commands. It reports its version of firmware and OS its running. I'll post this when I get a chance. I think I'll have a look and see if I can enable the 2nd phone port to work on another VOIP supplier via the telnet interface - this would be sweeeeet smiley for :ken:.

Cheers


Sean - 15.03.06 6:10 pm

unlocking the Voyager 2091: loadz of different ideas

Fat Boy - in my experience it says 'Modem not ready to connect' when the phone line connection is not plugged in. When you say 'i can unlock it' what exactly do you mean? Have you tried anything other than the javascript methods described above to unlock your 2091?

I have tried the ways described above and agree with TalcumBoy in that they don't work for the 2091


Chris - 16.03.06 6:56 pm

if u would like to login to the router to update ur firmware enter the bt speedtest login details , speedtest@speedtest_domain password testing , i done this then searched for updates smiley for :) hope it helps


Recall - 16.03.06 10:24 pm

Hi coz, how ya doing? i finally got myself back up and running with a ethernet modem, except they have given me a Voayager 210. None of the telnet commands work thus far :( However the good thing is it comes secure out of the box! I have a couple of questions though in terms of port forwarding.

I managed to get DHCP disabled and setup a static IP no problem. I just want to know is port forwarding the NAT and IP Filtering the firewall? Cause I forwarded ports and also added the same IP filters. Is this correct way? When I normally probe my ports they come up stealthed on your port check. Therefore I assume I am doing it right?

Also any idea what the maximum connections is for the 210? I cant apply your max connections hacks and have no idea how many to set it to for Torrents?

Thanks in advance!


vof - 17.03.06 12:22 am

Mike: the 220V runs a different OS (Linux actually) to the 205 so the Viking commands from the main page are a foreign language to it...

Antonio: I'm not aware of, nor have I worked out, a way of using the 220V VOIP feature with a non-BT service yet...but if you find anything, post it on this page!smiley for :D


drewish - 18.03.06 3:33 pm

Hi, i have the voyager 2500V and it is loced to bt broadband or yahoo or whichever , both the same.

i was charged 30 quid for this unit aswell and they didnt even ask me if i was on btbroadband and i didnt even order it on a bt account which had btbroadband , i ordered it on a tiscali line !

good job im on btbroadband here though

i also have two voyager 2091 both locked but im not sure how to use telnet , never realy used it for anything other than chat.




Ahmad Rabbani - 18.03.06 10:54 pm

I have a bt line. I am so confused, I have never used bt voyager! what should I do. Will it be easier for me to make full use of it!


Recall - 19.03.06 11:57 am

has anyone got a maximum connections and timeout telnet commands for a voyager 210? router keeps timing out with torrents if i set my connections as high as i did with my 205 :(


stephanjs - 23.03.06 8:41 am

Hi all,smiley for :lol:
I have recently bought a voyager 2500V and discovered that it is locked.

I have tried the "Java" hack which seems to work but the modem times out before completing connection. This means that I have to run the scrip again.smiley for :erm:

Has anyone got any real hacks that will sort these problems out? I notice that most of the effort has been on 2091s. And with the conflicting information flying around it might even be possible that some anyhack bt person is having an input.

I'll keep checking these pages but more users are taking the 2500v now (like me).
I am on PlusNet though, and their techi-peoplesmiley for :eek: are not really interested or able (the one I spoke to did not even know that this modem existed).smiley for :ehh:

Regards to allsmiley for :roll:


AAX - 23.03.06 4:30 pm

I have a Voyager 220 and I'm trying to connect it to my Linksys VPN Router(BEFVP41) and am not having ANY luck. I can surf on the modem fine, but if I try to plug the ethernet into the Linksys internet port, nothing happens. They do not work together. I tried switching the Voyager to Bridge mode but not sure what else I need to do in order to get it working with the Linksys. Any ideas?


jajababa - 23.03.06 6:27 pm

great!

thanks to your resource i've now unblocked SIP functionality on my 220V - suspect i have more to do but a good start - passes REGISTER fir sure, but not sure about NOTIFY/SUBSCRIBE etc yet
smiley for :ken:


stephanjs - 23.03.06 11:02 pm

2500V update:
I have tried the java script and the checksum edit. I have tried them several times but it fails totally.
It goes into the connecting.... and flashes a few times but then times out and returns me to the login/connect screen.
I have tried downloading the two different versions of firmware (09 and 11f) as my version was 08n but in all instances none of the crack hacks worked.smiley for :erm:
I am not a programmer of a hacker just an end user with a little bit of common sense.
Any ideassmiley for :idea: anybody?
Regardssmiley for :eek:


MonkeyMan - 24.03.06 9:00 am

Hi! just tried the javascript hack on my 2091. It does get me past the domain lock issue, the screen changes and says "connecting" and refreshes 4/5 times, still displaying connecting then returns me to the login screen. Status was ready to connect so not a line issue. Any thoughts?


Decksperiment - 25.03.06 8:22 pm

Does anyone ever answer anything here? ?

I never saw the point of asking questions that are never answered..

C'mon admin, get a grip, the more info we receive, the more you'll understand...

Lots of interesting questions, but, like 98% of all bbs etc, no answers.. wtpoint?


drew - 25.03.06 8:54 pm

it's not a bbs. read the page, idiot, then you'll get the point.

all those fools asking the same questions over and over, they didn't read the page either, or they would have known.



vof - 25.03.06 10:20 pm

Decksperiment: I'm not cor, who runs this site, but I can say we do try and answer as fully and as often as we can. (cor does not have a non-205 router and set up this page so that we had somewhere to post.) There are a lot of non-205 Voyager models - I've only got a 220V - so most people have no experience of the model in question. Then of course, even if you own the model, you might not understand enough to be able to contribute... smiley for :lol: If you read the earlier comment pages here, you will see that me and others have been trying hard to work round the blocks that BT have put in place.

jajababa: Tell us more! What have you done? Which firmware version are you using? Is it a standard BT version or from elsewhere? It would be great to test your approach.

AAX: I am using a 220V via a Linksys router (BEFW11S4) quite successfully. I use separate subnets for my LAN (192.168.1.0) and the Linksys WAN<->220V connection (192.168.0.0) and avoid ZIPB/bridge mode, a hangover from my Netgear DM602 (which is a 205 clone on which bridge mode don't work with a separate router). If you search for my posts on the main 205 page, you will find detailed descriptions (if you need them) of how to set it up.


paul - 26.03.06 9:51 am

i posted this on the main page before i knew about this separate forum for non 205. mine is 220v.


hi,

i read the article on getting a static ip address.

what i understand is:

1. you switch dhcp off on the router.
2. allocate an ip address on the same subnet to your machine.
3. use NAT to redirect incoming traffic to your machine.

my question is if for example your address is 192.168.1.3
and you type this in a browser outside your network
(say in an internet cafe) how will this locate your router.?

even if you can get a url for this address by specify bt's nameservers
how will the bt server know which router you are looking for.?

i hope i have mis-understood as i would very much like to be free
to purchase a url of my own choosing but avoid the 5 quid a month fee from bt for a static ip.

cheers paul.


vof - 26.03.06 11:41 am

paul: I think you would like a static IP address on your WAN (internet) interface but what you've described is to do with allocating static IP addresses on your LAN side. That may be useful in some situations but not if it is your variable WAN (i.e. public) IP address which is giving you grief.

If you register (and pay for!) your own domain name and, separately, a dynamic DNS service, you will be able to keep your fixed domain name pointing to your varying public IP address. cor has a page describing how to configure the service on the 205 here. The principles are the same for the 220V but the way you configure the router is different. You need to look at the 220V's Configuration/Virtual Server/Dynamic DNS page.

I don't use Dynamic DNS - I use a static IP from my ISP - but I hope this explanation helps.


Jamie - 26.03.06 4:15 pm

Hi,
Just tried the javascript hack on my Voyager 2091, successfully gets past the "UNSUPPORTED BROADBAND SERVICE" but just refreshes when connecting. I gather I have to somehow put the NTL:Freedom broadband settings into the CLI but can't seem to work out how using Telnet. Will update if I manage to sort it out.
Jamie


nathan - 26.03.06 7:57 pm

hi im curently looking to open up the voip on the 220v i have had a read through on here, however nobody has mentioned the when you go into the router via ssh/telnet, if you type voice show, it will give you the current settings. to reconfigure it should be pretty simple, as if you just type voice it will give you a list of commands to type.

im gunna give it a try and will let you know how i get on.

good luck all.


nathan - 26.03.06 8:05 pm

forgot to mention im using sw version 2.18.01.12_A2pB016a.d15g


vof - 26.03.06 9:58 pm

nathan: When I first read your posts, I thought Hmmm...same firmware version as me yet I can't run those commands. Then I thought about it and wondered whether the commands could be entered at the prompt at the end of the Main Menu - I've always dropped into a standard shell and operated from there. Of course, it worked just like you said!! Nobody had mentioned it cos I suspect nobody else knew! Thanks for the info - I think your post may be a breakthrough.

Now, the bad news. This firmware version is for BT's old and now defunct I think Broadband Voice service which used the MGCP protocol. Most current VOIP systems (except Skype!) use SIP. There is a later SIP version of the firmware which is downloadable from a BT site but I'm scared of uploading it in case it uses the ISP lock which all other recent BT firmware versions seem to do. I don't have a disk file copy of our current firmware version to retreat to if the lock is present. Do you have an uploadable file copy of 2.18.01.12_A2pB016a.d15g which you could send me or post on this site?

The BT MGCP gateway machine - www.bbvservice-jade.bt.com - seems not to exist anymore. I've tried enabling the MGCP voice using the voice command and rebooting but there is no voice process running afterwards and no dial tone on the attached phone.

Keep posting any successes you have and we may yet crack this!

BTW, you have probably also spotted that ? and help list all the available commands of which voice is just the last.


cor - 28.03.06 2:17 am

Decksperiment, I wish I could be more help on this page, but a) like vof says, I don't even own a non-205 router, and b) I barely have enough time to keep up with comments on the main page, let alone this one! I wish I did. I wish this place paid me enough to devote myself entirely to it, but sadly it doesn't, not yet.

"admin", is just me, and I've already given hundreds, probably thousands of hours, for free, maintaining just this wee voyager router area. The main page has almost three thousand comments, a large proportion of them, my answers. Think about it. I didn't ask for the job, but clearly it needs doing, so I do it joyfully.

This page here simply to get the noise off my 205 page - I do well at google smiley for :erm: - and you're on your own! It's simply a space where interested people can exchange ideas about ways to hack and unlock these devices, a place to come to find out if that's yet been done.

The 220V is unlocked now, so it's certainly not been a waste, but loads of people asking "How do I unlock my 2091", again, is just going to get boring. Trust me, as soon as we know, I'll make the time to add that information into the TOP OF THE PAGE!

Unanswered questions probably means no one knows the answer. Posting "Sorry, I don't know" is just silly! Hopefully you get it now.

vof, thank you for your efforts, very much appreciated.

;o) Cor


Decksperiment - 28.03.06 10:31 am

Heh, I always liked a wind up..

Suggestions:

A step by step guide for each modem, each modem having its own page, in lay mans terms, with linx 2 advanced sections for tech heads..

I only just got this 210 modem, trying to run a hotline server or kdx server, but although I can see my server on the trackers, I cannot connect.

Done the port forwarding but to no effect.

Perhaps I should have stuck with my sigma sb4100..

Blueyonder come Bak..

Respekt to adminz here, nae offence n a' that smiley for :evil:


Decksperiment - 28.03.06 10:39 am

As 4 the idiot drew... I never asked a question..




Mikedg - 28.03.06 3:55 pm

hi there i use a voyager 220v modem and I am trying to get edonkey to work but it is staying at the testing firewall bit. I have set what should be a virtual server but still none of my downloads are doing anything or even recognising that many people have the file i'm looking for.
A helping hand would be much appreciated.


Steve - 28.03.06 9:38 pm

I have a voyager 220V router. I have successfully unlocked the ISP and it now works with my ISP Pipex.

However I want to configure the VOIP with another provider other than BT. I currently use sipgate.

I have read Nathens comments above about going into the router via ssh/telnet. What is this and how do I get into it?

I have also read you comments regarding upgrading the software version which will allow the SIP protocol rather than the MGCP. You do not need the original firmware because you can go into your router settings and save a backup of your current configuration and firmware. There is then an option to restore to this saved backup.

Can anyone provide a link to new firmware because I am struggling to find it.


vof - 29.03.06 12:25 am

Steve: Use 'telnet 192.168.1.1' or whatever your router address is to open a telnet window. Enter your username (admin) and password. After the main menu list, enter one of Nathan's commands or 'sh' if you are Unix-aware to drop into a shell.

The save backup copy just saves the configuration data - about 17KB. The firmware is not backed up.

The new firmware versions are *listed* on this BT page.


Decksperiment - 29.03.06 11:55 pm

Okay.. I need heeelp!! Using 210, and trying to run a bog standard Omni server, as well as a hotline one. Got dynip installed, and all runs fine. Hotline appears in trackers, but I cannot connect- 'remote host refused connection'

As for dynip, it finds me okay.. in fact, it points directly to my modem/router admin page (192.168.1.1), instead of my http server(192.168.1.2)!

Obviously this is nae gid ataw.

I did the port forwarding -(modem config pages appears same as 2110) not using usb, connected via 3com pcmcia card into laptop (192.168.1.2), which is used to network to other comp.

Wot the ****?


Zetetic - 31.03.06 3:11 pm

Decksperiment, have you tried accessing the dynip address from outside your network?


welshman - 31.03.06 10:18 pm

Hi all,
I have same problem with Voyager 2091, i found the Java bit works to over come that bit but i need to change my ISP in the Telnet CLI, I have not used Telnet so dont know what to change, any advice on what commands i need to chnage my ISP in CLI ??
I will feedback any thing i do if it works or not.

Many thanks in advance



gemo - 01.04.06 5:11 pm

considering 'madasafish' for broadband BUT can they transmit thru BT Voyager 2000 bought Oct.2003? BT tech. helpline have said YES (1ST.CALL) then NO,then YES again!...HELP


Decksperiment - 01.04.06 5:48 pm

To Zetetik: done that, ftp works, nowt else, cheers for the hint smiley for :)



Recall - 01.04.06 7:42 pm

Decksperiment under security you have to open ports there as well. At least my router kept dying until i did this. Try that and see if it works.


jasonp - 03.04.06 12:28 pm

Just update my 220v firmware from "2.21.05.07_A2pB018c1.d16d" to "2.21.05.07_A2pB018c1.d16d" the javascript hack does not seem to connect to the server now although the pop up box does not appear. Does anyone else have any problems with this firmware version.

Plus how do I get the 220v to update the VOIP to SIP. I know that its possible as its listed on BTs site (->here-<). But it was not listed as a firmware update option when I tried from the router.

I see jajababa seems to have his upgraded to SIP functionality any clues on how you did it...?
jajababa - 23.03.06 6:27 pm

great!

thanks to your resource i've now unblocked SIP functionality on my 220V - suspect i have more to do but a good start - passes REGISTER fir sure, but not sure about NOTIFY/SUBSCRIBE etc yet
smiley for smiley for :ken:




coolcomp - 03.04.06 4:13 pm

I have a Locked Bt Voyager 210 ADSL Router.

I have tried to unlock it with no success, does anyone have any ideas?


Thanks

coolcomp


jasonp - 04.04.06 9:34 am

To answer my own question about updating router to SIP (Std Voip) download the firmware by lookin at This Page goto the relevant firmware and copy the url minus the #0# into the browser address bar.

You then have the firmware and can update your router. This was probably very obvious to everyone else but it was not clear to me.

Here are direct links

cfe-voyager220v_mgcp_btr-v022105_11e_a2pb018c1

cfe-voyager220v_sip_btr-v301n_a2pb018c1

cfe-voyager220v_sip_bbv-v301n_a2pb018c1

Have not yet tested to see if ISP is locked with this though..

Will update when I do


paul - 04.04.06 11:42 am

thanks Vof for your reply last week.
been offline since.

just moved house and from ntl to bt.
received a voyager 220v modem.
telneted in and was presented with this.

Main Menu

1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Reset to Default
12. Save and Reboot
13. Exit
->

Where can I type in the Nat commands etc?

cheers,
paul.



jasonp - 04.04.06 12:00 pm

Paul
I am assuming you are not familiar with telnet.

just type in number for nat (6) then enter, the next menu will appear.

NAT Menu

1. Virtual Server
2. DMZ
3. Exit
/ NAT ->

type 1 then "enter" etc..

basically its a menu system.

If you have direct commands then you can just type them at the main menu and they will work ie type "ifconfig" will give you IP information..


paul - 04.04.06 12:16 pm

thanks for your reply jason,

with the create comamnd from nat recpies - home webserver
i got create: not found
I assumed i cound only input a menu option.

is there a different command for the 220v

cheers,
paul.



jasonp - 04.04.06 12:52 pm

Yeah the commands you are looking at are for "viking based routers" whereas the 220V is Linux based.

So your talking to it in Chinese but it only understands english..

Just follow the menu system and input your required ports for NAT.


paul - 04.04.06 1:05 pm

thanks again jason

but don't i have to set up a firewall rule as described
in the home webserver section i.e.

create ipf rule entry ruleid 808 ifname public dir in act accept transprot eq tcp destport eq num 80 seclevel high medium low

is there any documentation any where on this because i don't
know which menu options to select.

cheers,
paul.


Isaac - 07.04.06 1:04 pm

Worked a treat for my v220! thanks very much


BT Sucks - 08.04.06 4:05 am

Re We have a working ISP unlock

Doesn't work with my 2091- Have given up and bought a D-link wireless. Took 10 mins to install and get up and running.


Dan - 08.04.06 10:22 pm

hi
i have a BT voyager 2091 and want to use with uk based talktalk tried the java stuff as quoted above and looks like its going to work. but how do i do configure my ISP settings as discribed below ?

IMPORTANT NOTE: This worked for me *AFTER* I had actually set up my new ISP (Eclipse) in the router's Telnet CLI - you will have to do this first. WAN settings are always VPI:0 VCI:38 PPPoATM, VCMUX encapsulation, and most other stuff can be left as default except your new ISP details. The above 4 steps simply allow you to CONNECT with your new ISP details AFTER the details are saved in the router.



C1 - 09.04.06 3:16 am

Hi all, been away for a month or two on unexpected business but I'm back now, and I come bearing gifts! Here is a present that 220v owners in particular will enjoy ;-)

NEW 220v unlock hack
javascript:void(basefrm.domainLock = 0);void(basefrm.Conbut());void(alert("Router temporarily unlocked!\nConnection in progress..."))

That baby will just work - no need to mess about in the CLI/telnet, or navigate to strange URL's, or race against the page refresh timer ;-) This is a very safe hack, it doesn't involve any changes to firmware and it won't void your warranty.

Simple usage instructions for everyone:

1. Navigate to your router's homepage (typically http://192.168.1.1/). It should be on the page where you enter in your connection details and press the red 'connect' button.

2. Paste (or type if you have time to waste!) the single line of code above into the URL bar of your web browser - and press ENTER. It is important that the code be all on ONE line, paste it into notepad first if you are not sure.

3. That's it. Enjoy ;-)

2901
----
This might even work on 2091's - someone should try it and let us know. If it doesn't work, then I'll have a go at hacking it - but I'm going to need help from you owners to provide things like page source dumps unless someone is willing to send me a 2091 in the post. I can be contacted via email at lost1e aat hotmail dot com.

220v VOIP
---------
During my experiments I came across many mentions of VOIP, is it also locked or something? If someone tells me where this "feature" is on the 220v's router homepage, I can have a go at unlocking that too - hopefully with a solution as simple as the ISP lock ;-)


cor - 09.04.06 8:54 am

C1 does it again! You da man!

I'll slap that up the top later today, if all goes to plan, and it is Sunday, so that's unlikely!

Nice one, dude! smiley for :)

;o) Cor

ps.. If Santa pulls through (main 205 page), I should have a 2091 myself sometime soon, along with a few other voyager models, so if you like, we can get together, swap data, dumps, etc. Thanks again!

pps.. BT Sucks, why not send you 2091 to C1!


C1 - 09.04.06 9:37 am

I forgot to mention that one needs to input new ISP's username and password in the boxes before the above steps, so this should be step 1 and the above steps should be 2, 3 and 4.

I've just put my 220v on eBay, so if anyone wants me to look at the VOIP lock (if there is one) - you'll have to be quick ;-)


Iko - 09.04.06 11:18 am

Hi guys,
I'm an Italian man and I've some troubles with my Telit AR520 router (CastleNet AR520 router).
Just a few days ago I've discovered that router's control panel is visibel and open to external IP.
All my internet connections're dangerous!
Is someone there who could teach me step to step how I can lock and HIde my control panel to external IP?
You should write to my e-amil address (henrydix@libero.it).
I hope you would excuse me for my bad English!
Thanks to everyone will answer to my question.


Dan - 09.04.06 11:44 am

Hi

Tried latest fix on my Bt Voyager 2901 as posted above by C1 - 09.04.06 3:16 am
Seems to unlock to allow the broadband username and password to be accepted but then only displays a screen saying connecting ..but it never does !

any ideas ?

Cheers


cor - 09.04.06 12:07 pm

Iko, do these two things..

  • change your username/password to something other than the default. here.
    Currently it is admin/password.

    I know. I just logged in. smiley for :ken:

  • set your security level to something! probably "high". (at the moment it is set to "none"). Do that here.

DO THEM NOW!

Sadly, the page to set WAN admin access doesn't exist on the Viking II chipset. I tried to set it up in a telnet session to your router (I better logout now!), but it looks like the feature isn't supported..
$modify mctl access httpwanaccess disable
Error: Feature not supported
$get mctl ?
Command        Description
-------        -----------
access         MCTL Access command
inactivity     MCTL Inactivity command
iplist         MCTL IPLIST command
$get mctl access
Error: Feature not supported
But if you follow the two steps above and you should be just fine.

;o) Cor

ps.. I will now mail you about this.


muz - 09.04.06 4:35 pm

hi - this all looks good for the 205, 2200 series of voyagers, but has anyone managed to unblock the voyager 10v ATA? doesn't have any routing capability but just voice. i've got one but it's tied to BT and would be good to use with other services - have a linksys ATA as well which i got unblocked...

let me know if anyone has any ideas on that.

thx
Marc


C1 - 09.04.06 7:06 pm

A kind soul has just offered via email to send me a 2091 in the post so that I can have a crack at unlocking it. No promises of course, but hopefully not long now ;-)


bloody bt - 10.04.06 12:19 am

hi there, i just got a bt voyager 2091, and currently have blueyonder broadband, how would i go about unlocking the router? do i need 2 connect the router to the pc with the usb lead??

Any help would b great.

Garnt


vof - 10.04.06 12:34 am

C1: Surprised you didn't find the Voice page in the 220V Configuration menu. VOIP is not strictly locked, more tied to BT's Broadband Voice service. If you enable it on that Voice page, you need to input various magic numbers that identify your BT BBV account. Only way apparently of using VOIP with this router.

You may be able to load the SIP config page (voicesipcfg.html, not mentioned in the menu) but it keeps refreshing before I have time to enter all the details. I don't think BT BBV uses SIP.


C1 - 10.04.06 2:08 am

I did find it, didn't realise what it was though, looked like just another one of BT's "value added" (ripoff) services which I have a natural urge to ignore :P

Does anyone have the 220v GPL firmware? I can't be arsed asking them for it, apparently they charge for "cd media and handling fee" - lol.

vof: "voicesipcfg.html" does not exist in the router's firmware. I know this because I've made a lot of progress this evening - managed to break out of the stupid BT "menu" in the telnet CLI and can now read/execute anything in the firmware - and even write to anything in /var/ (which is the only filesystem that is mounted read-write excluding /proc/). I'll post anything interesting that I come up with.

The above findings are great news for 2091 owners, means there are now many different angles of attack for disabling the ridiculous ISP lock smiley for :D

Below this line is just some random data I pulled from my 220v during this evening's hack-a-thon, including such things as the router's CPU benchmark(!), a dir listing of every web page on the router hidden or not, and filesystem information.
----------------------
# /bin/cat /proc/cpuinfo
system type : RTA1052V
processor : 0
cpu model : BCM6348 V0.7
BogoMIPS : 255.59 <--- very slow!!!
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
# /bin/mount
/dev/mtdblock0 on / type cramfs (ro)
/proc on /proc type proc (rw)
ramfs on /var type ramfs (rw)
# /bin/df -h
Filesystem Size Used Available Use% Mounted on
/dev/mtdblock0 1.8M 1.8M 0 100% / <--- LOL!
DIR LISTING OF ROUTER'S WEB SERVER:
BT_45pix_pos.gif accessaccount.html accessremote.html accessremoteerr.html adslc
fg.html advcfg.html asstart.html authfail.html authnumfail.html autoscan.html au
toscanerr.html autoscanstop.html berrun.html berstart.html berstop.html blue_blo
ck_border_top.gif btgui.css colors.css connect.gif connect.html connect_bottom.g
if connect_top.gif connoppp.html conprocess.html constatus.html ddnssetup.html d
elete.gif dhcperr.html dhcpmacflt.html dhcps.html diag.html disconnect.html dnsc
fg.html dotted_divider.gif dotted_line_blue.gif dotted_line_blue_149.gif dotted_
line_blue_270.gif dotted_line_blue_340.gif dotted_line_blue_470.gif dotted_line_
white.gif download.html downloadfail.html downloadfail2.html downloadinfo.html d
ownloadinfo1.html downloadinfo2.html empty.jpg footer.html footer_btm.gif footer
_top.gif help_adslline.html help_system.html index.html info.html infodsl.html i
nfodsl2.html infotracount.html infotracountreset.html ipfilteradd.html ipfilterm
odify.html ipoacfg.html lancfg.html lancfg2.html logofrm.html main.html menuTitl
e.js menuTree.js menu_advanced.html menu_diag.html menu_quickstart.html menu_red
advanced.html menu_status.html menu_system.html modify.gif navbar_footer.gif ntw
kprtcl.html ntwksum.html ntwksum2.html pppoe.html problem.gif problem_small.gif
processing.html psiError.html psiMenu.html psiSame.html pvccfg.html pvccfgerr.ht
ml qoscls.html qoscls2.html qoscls3.html qsvoice.html rebootinfo.html resetroute
r.html restart_now2.gif restorebackup.html restoreinfo.html right.gif routeadd.h
tml scdmz.html scprttrg.html scvrtsrv.html sidebar_curved_footer.gif sidebar_cur
ved_header.gif snmpconfig.html spacer.gif statsadslreset.html stylemain.css tabl
e_footer_large.gif tick.gif tick_small.gif title.gif title_420.gif unnumppp.html
upload.html uploadinfo.html uploadinfo1.html upnpcfg.html util.js v_del.gif v_e
dit.gif v_mtu.gif viewdhcprelist.html viewreiplist.html voicemgcpcfg.html voicem
gcpcfgprocess.html voicemgcpcodec.html voicemgcpcodecprocess.html voicemgcpcon.h
tml voicemgcpprocess.html voicemgcppstn.html voicemgcppstnprocess.html vpivci.ht
ml wancfg.html warn_bg.gif warn_box_bottom.gif welcome.gif


vof - 10.04.06 9:57 pm

C1: Thanks for that. Having been away, you may have missed many of the original posts on the subject of the Voyager 2xxx firmware - particularly in Feb - where a number of these points were mentioned.

It looks as if you may have different (older?) firmware to me. Mine is 2.18.01.12_A2pB016a.d15g. I've listed my webs directory at the end of this post - it includes a few SIP html files. This firmware version is not locked so finding an uploadable file copy of it would be great. The CD which came with my 220V does not include any firmware files at all.

********* If anyone has an uploadable file of Voyager 220V firmware version 2.18.01.12_A2pB016a.d15g, please let us know ***********

255.59 BogoMIPS seems to be the standard BCM6348 V0.7 speed - fast enough I think. (My Linux server runs on an old 450MHz K6/2, nominally 900 BogoMIPS but more than fast enough for that purpose smiley for :D)

The mtdblock0 device holds the compressed read-only filesystem in firmware, hence its 100% usage.

A couple of months ago, I received from BT - free smiley for :eek: - the GPL CD. I sent cor a copy and he has put it up as a torrent here - see the section about third way down this page. I've done some initial firmware build experiments but it needs a lot more work to produce a firmware build that I would have confidence in!

webs contents:
==========
BT_45pix_pos.gif menu_status.html
accessaccount.html menu_system.html
accessremote.html modify.gif
accessremoteerr.html navbar_footer.gif
adslcfg.html navbar_footer2100.gif
advcfg.html navbar_footer240.gif
asstart.html navbar_footeriad.gif
authfail.html ntwkprtcl.html
autoscan.html ntwksum.html
autoscanerr.html ntwksum2.html
autoscanstop.html pppoe.html
berrun.html problem.gif
berstart.html problem_small.gif
berstop.html processing.html
blue_block_border_top.gif psiError.html
btgui.css psiMenu.html
colors.css pvccfg.html
configdefault.html qoscls.html
confirm_cancel_adsl.html qoscls2.html
confirm_cancel_wireless.html qoscls3.html
confirm_chg_dial.html qsvoice.html
confirm_del.html rebootinfo.html
confirm_del_defconf.html resetrouter.html
confirm_del_dhcp.html restart_now.gif
confirm_del_route.html restart_now2.gif
confirm_del_wireless.html restorebackup.html
confirm_restart_voip.html restoreinfo.html
confirm_save_defconf.html right.gif
connect.gif routeadd.html
connect.html scdmz.html
connect_bottom.gif scprttrg.html
connect_top.gif scvrtsrv.html
connoppp.html sidebar_curved_footer.gif
conprocess.html sidebar_curved_header.gif
constatus.html snmpconfig.html
ddnssetup.html spacer.gif
delete.gif statsadslreset.html
dhcperr.html stylemain.css
dhcpmacflt.html table_footer_large.gif
dhcps.html tick.gif
diag.html tick_small.gif
dialplan.html title.gif
dialplan2.html title_420.gif
dialplancalling.html unnumppp.html
disconnect.html upload.html
dnscfg.html uploadinfo.html
dotted_divider.gif uploadinfo1.html
dotted_line_blue.gif upnpcfg.html
dotted_line_blue_149.gif util.js
dotted_line_blue_270.gif v_del.gif
dotted_line_blue_340.gif v_edit.gif
dotted_line_blue_470.gif v_mtu.gif
dotted_line_white.gif viewdhcprelist.html
empty.jpg viewreiplist.html
footer.html voicemgcpcfg.html
footer_btm.gif voicemgcpcfgprocess.html
footer_top.gif voicemgcpcodec.html
help_adslline.html voicemgcpcodecprocess.html
help_system.html voicemgcpcon.html
help_system2100.html voicemgcpprocess.html
index.html voicemgcppstn.html
info.html voicemgcppstnprocess.html
infodsl.html voicesipcfg.html
infodsl2.html voicesipcfgcalling.html
infotracount.html voicesipcfgprocess.html
infotracountreset.html voicesipcodec.html
ipfilteradd.html voicesipcodeccalling.html
ipfiltermodify.html voicesipcodecprocess.html
ipoacfg.html voicesipexten.html
lancfg.html voicesipextencalling.html
lancfg2.html voicesipextenprocess.html
logo_2100.gif voicesippstn.html
logofrm.html voicesippstncalling.html
main.html voicesippstnprocess.html
menu.html vpivci.html
menuBcm.js wancfg.html
menuTitle.js warn_bg.gif
menuTree.js warn_box_bottom.gif
menu_advanced.html welcome.gif
menu_diag.html welcome2100.gif
menu_quickstart.html welcome240.gif
menu_redadvanced.html welcomeiad.gif



h2 - 12.04.06 12:29 pm

i have just tried the NEW 220v unlock hack by C1, it lets me try to log in but after the screen refreshes about 6 times saying connecting it goes back to the connect page.
I have set my log on details in the router.
So we seem to be getting there but still cant connect.





C1 - 12.04.06 5:33 pm

That means you entered your userid or password incorrectly.
I can assure you it does work, I just tried it on both my BT and Eclipse ADSL lines after a complete factory reset of the router - it connected just fine... Although I am using Firefox not Internet Explorer...


Barry - 12.04.06 7:58 pm

Let us know how you get on C1 with your experimenting with the 2091 as im another one unfortunate enough to require an ISP unlock as i use Tiscali BB. Cheers


SCOOBY - 12.04.06 9:42 pm

How did you get on with 2091 hack C1, I am another fed up customer of BT, and want to change ISP. Thanks


stephanjs - 13.04.06 3:54 pm

C1: I have the same problems as h2. The log in details are correct. There is something else preventing it from loggin on to other ISP. I have checked from the other end (the ISP) and there is no indication of an attempt to log on. So, my conclusion is that it may pass a shell but still does not do the actual logging on bit.
I have given up for the moment and will wait until someone else comes up with a working crack or a new firmware.smiley for :eek:


C1 - 13.04.06 7:27 pm

h2/stephanjs: What version of the firmware are you using? You are DEFINITELY using BT Voyager 220v's?

2091 owners: My 2091 arrived just now, many many thanks to our generous benefactor who sent it to me smiley for :) I'll post an update in a few hours, no promises of course!


C1 - 13.04.06 10:55 pm

Right, 3 hours later, this f*cking device is doing my head in.

Made huge progress, got a root shell and coaxed the connection string out of it (which means one can control the whole damn thing without having to use the web interface OR the stupid CLI "menu"). But just when I figured out exactly how to force it into making a PPP connection to a non-BT ISP, it denied me right at the very last hurdle!!!

The firmware for the 220v, 2091 and probably lots of other models is identical, or extremely close to being identical. So flashing a 2091 with an older unlockable 220v firmware will probably work, and vice-versa(!!!). The recent 220v/2091 firmware has a much more robust ISP locking mechanism, it's built right into the pppd binary so it would appear that flashing with a hacked/old firmware is the only way to unlock these devices.

I've tried absolutely everything for the last 3 hours, the pppd binary will not establish a ppp connection if the username is not one of BT's, it's hardcoded right into the binary so it ignores all config files like chap-secrets and psi.xml!

Ways forward: Need to get a hackable pppd binary from an older 220v onto there somehow. Perhaps if it was TFTP'd to the ramdisk in /var/ somehow, then executed from there? The firmware's busybox includes a TFTP client... Failing that, it's new firmware time!

Findings: I'll post my finding here, I'm fortunate enough to have 2 ADSL lines one of which is BT, so I can see what happens when the router makes a successful connection and what happens when it is denied. You can see the warning message in the second one, and the blank name = "" value which should not be blank...

Successful connection to BT ISP:
# pppd -c 0.38.1 -a 0.0.38 -d -u a123456@hg28.btclick.com -p password -f 0 -w 1
500
PPP: PPP_0_38_1 is standby and ready to connect(PPP connection is not up yet)...
PPP: PPP_0_38_1 Start to connect ...
using channel 11
Using interface ppp0_38_1
Connect: ppp_0_38_1 <-->
sent [lcp confreq id=0x1 <mru 1500> <magic 0x8a62e13e>]
rcvd [lcp confreq id=0x0 <auth chap md5> <magic 0x27f3e198>]
sent [lcp confack id=0x0 <auth chap md5> <magic 0x27f3e198>]
sent [lcp confreq id=0x1 <mru 1500> <magic 0x8a62e13e>]
rcvd [lcp confack id=0x1 <mru 1500> <magic 0x8a62e13e>]
sent [lcp echoreq id=0x0 magic=0x8a62e13e]
rcvd [chap challenge id=0xf6 <2ba0c3b5fb068b94d46433ac8be7118a>, name = "ERX19.M
anchester4"]
sent [chap response id=0xf6 <1cd07848f49b51672b2e68a12dfca8ac>, name = "a123456@
hg28.btclick.com"]
rcvd [lcp echorep id=0x0 magic=0x27f3e198]
rcvd [chap success id=0xf6 ""]
sent [ipcp confreq id=0x1 <addr 0.0.0.0> <compress vj 0f 01> <ms-dns1 0.0.0.0> <
ms-dns3 0.0.0.0>]
rcvd [ipcp confrej id=0x1 <compress vj 0f 01>]
sent [ipcp confreq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
rcvd [ipcp confnak id=0x2 <addr 82.123.236.98> <ms-dns1 194.72.0.98> <ms-dns3 19
4.72.9.38>]
sent [ipcp confreq id=0x3 <addr 82.123.236.98> <ms-dns1 194.72.0.98> <ms-dns3 19
4.72.9.38>]
rcvd [ipcp confack id=0x3 <addr 82.123.236.98> <ms-dns1 194.72.0.98> <ms-dns3 19
4.72.9.38>]
rcvd [ipcp confreq id=0x70 <addr 217.47.108.58>]
sent [ipcp confack id=0x70 <addr 217.47.108.58>]
Failed to create /var/fyi/sys/dns: No such file or directory
local  IP address 82.123.236.98
remote IP address 217.47.108.58
primary   DNS address 194.72.0.98
secondary DNS address 194.72.9.38
PPP: PPP0_38_1 Connection Up.


Failed connection to a non-BT ISP (Eclipse):
# pppd -c 0.38.1 -a 0.0.38 -d -u na12345@adsl.eclipse.co.uk -p password -f 0 -w 1500
Invalid domain = [na12345@adsl.eclipse.co.uk]
PPP username is out of valid domains.
PPP: PPP_0_38_1 is standby and ready to connect(PPP connection is not up yet)...
PPP: PPP_0_38_1 Start to connect ...
using channel 16
Using interface ppp0_38_1
Connect: ppp_0_38_1 <-->
sent [lcp confreq id=0x1 <mru 1500> <magic 0x48b6b7cf>]
rcvd [lcp confreq id=0x1 <auth chap md5> <magic 0x8f6c9d57>]
sent [lcp confack id=0x1 <auth chap md5> <magic 0x8f6c9d57>]
rcvd [lcp confreq id=0x2 <auth chap md5> <magic 0x8f6c9d57>]
sent [lcp confack id=0x2 <auth chap md5> <magic 0x8f6c9d57>]
sent [lcp confreq id=0x1 <mru 1500> <magic 0x48b6b7cf>]
rcvd [lcp confack id=0x1 <mru 1500> <magic 0x48b6b7cf>]
sent [lcp echoreq id=0x0 magic=0x48b6b7cf]
rcvd [chap challenge id=0x1 <7915caa978af84c7e0845fa9ae5161b4>, name = "ESR4.Man
chester5"]
sent [chap response id=0x1 <5dd83630bd2c7ff65b8529dc6357e256>, name = ""]
rcvd [lcp echorep id=0x0 magic=0x8f6c9d57]
rcvd [chap failure id=0x1 "Authentication failed"]
Remote message: Authentication failed
CHAP authentication failed
sent [lcp termreq id=0x2 "Failed to authenticate ourselves to peer"]
PPP: Authentication failed.
rcvd [LCP TermReq id=0x3]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x2]
Connection terminated.



Zibri (zibree@gmail.com) - 15.04.06 9:32 pm

Please HELP
I need the voyager.firmware cd with souces...
I downloaded the torrent but it can't even get the tracker..

Please !
Can Anyone write me an email to arrange the download somehow ?

Thanks in advance.



Zibri (zibree@gmail.com) - 15.04.06 9:50 pm

PLEASE HELP ME.


Dan - 17.04.06 1:29 pm

no pressure by any progress on the 2901 ?


C1 - 18.04.06 8:46 am

The 2091 (and more recent 220v's, and the 4-port ethernet version of the 2091) is going to take quite some time before they can be unlocked - I'm talking weeks/months as the firmware itself needs to be modified (see above posts). So watch this space, but don't hold your breath :P


xxxx - 19.04.06 1:38 pm

I have just attempted to install a 220v on my F2S ISP account under XP SP2, I could not get past the user & password screen!!

I went to BT's site and got the USB driver but could not connect at all. It screwed up my previous connection too. Took an hour to get back online with the crappy Sagem 800, then Firefox & OE refused to connect. Got them working now but am a bit reluctant to try again.

Can you help?


xxxx - 19.04.06 1:46 pm

I have just attempted to install a 220v on my F2S ISP account under XP SP2, I could not get past the user & password screen!!

I went to BT's site and got the USB driver but could not connect at all. It screwed up my previous connection too. Took an hour to get back online with the crappy Sagem 800, then Firefox & OE refused to connect. Got them working now but am a bit reluctant to try again.

Can you help?


sb742 - 19.04.06 9:20 pm

Hey has anyone had any joy connecting either the 220V or 2091 (I have both) to a PPPoE LLU ISP that does not use a username and password as such (in my case, Be Unlimited

Many Thanks


skyhorse - 19.04.06 10:41 pm

Hi,

I got a 2091 from ebay, I'm using eclipse ISP. The DSL light never turns on and the web interface says "DSL Link down" . I have complained to the seller but he says this router is locked to BT (I know it is) but I would expect the DSL line to be UP and simply refuse to take my username and password. Before I bug the seller a bit more, is this normal?
I have an usb adsl modem and it works fine, so the line and filters are working ok.


skyhorse - 19.04.06 11:40 pm

can someone supply me with the GPL code for the 2091? I dont have the CD and cant download it from anywhere... I can give you an ftp username and password to upload it to if you can. mail me at : hackingvoyager AT skyhorse DOT org

thanks


skyhorse - 19.04.06 11:47 pm

firmwares: http://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update

I think this is where all routers go to for auto upgrade?

direct link to voyager 2091 firmware from bt: http://www.voyager.bt.com/firmware_upgrades/cfe-voyager2091_btr-v301m_a2pb018c1

please, someone get me the GPL code!!!!!! i wana hack this thing!


vof - 20.04.06 12:42 am

skyhorse: are you saying cor's link to his GPL code torrent at top of this page is broken? Though I provided the copy of the GPL code, I'm not a torrenteer so don't ask me how to make it work smiley for :lol:


skyhorse - 20.04.06 1:01 am

thats right, i cant download using the link above, I can't even get the torren file.

sky


cor - 20.04.06 1:03 am

Oops!

In actual fact, it's not a torrent; I gave up on that, after uploading it over a dozen times (356MB a pop!) and having exactly zero peers seed even 1:1 smiley for :roll: I figured it would be just as well on my workshop ftp server, which it is. Ignore "torrent" in the link, I'll fix that.

The link should be good now, but the server itself may experience periods of inaccessibility due to my current network debuggling, and IPCoP customization.

note: you may even have to use a port (aka "active") connexion sometimes.

"normal" service will resume, soon, ish.

;o) Cor


skyhorse - 20.04.06 10:42 am

Hey, thanks for that, ill try to download it.

Regarding the other bit, which is important: The DSL light never turns on and the web interface says "DSL Link down" . Is this normal when you use another ISP? As far as I could tell, the locking system is in the software only, the DSL lights should pop up still, right?




vof - 20.04.06 1:44 pm

skyhorse: lack of DSL sync light suggests the WAN/DSL i/f of the box is stuffed (though the ethernet LAN side is clearly still working). I don't believe the ISP lock can affect the DSL syncing.

One thing that may be worth checking is the ADSL tab on the Internet configuration page. On my 220V, it is possible to enable/disable the DSL port and the various line modes. All my boxes have ticks except for Seamless Rate Adaptation.


jason - 20.04.06 11:03 pm

hi there,came across your website whilst lookng at the bt voyager 220v online, that is being sent out to me (i live in spain) i have signed up to btbbvoice as iwas told i could use t with any internet service provider,so they sent me a 10v to use in conjunction with my modem router that telefonica sent me (spains equiv to bt) i configured the 10 v online no problem and used it for almost a month over here with no problems,then it started messing around,after resetting it i couldnt get it to configure with my router at all and spent an hour on the phone to bt helpdesk,there answer was that either it was a faulty 10v or the modem wasnt letting me configure for some reason,so they are sending me a 220v modem router voice adaptor all in one,and assured me it should work anywhere in the world as long as i had a broadband connection over a certain speed( i cant remember what it was but i checked it and it was ok.
but after reading your techical chat online am i to gather that it will not necesariliy work over here??
Please can someone help and advise me accordingly
Sorry for my lack of technical jargon.

regards

jason daniels

jasonmdanielsAT gmail dotcom



sport - 23.04.06 1:50 pm

Hi, the temp fix works for me, thanks.
(for 220V on tiscali).

Last week I'm 100% sure i saw a post by C1 for a permanent domainBreaker hack for the 220V, and now it seems to have disappeared.
Would it be possible to add the permanent domainBreaker hack on top of the page right below the temp hack?

Thanks! N



cor - 23.04.06 7:25 pm

jason, I don't know of any reason why it wouldn't work elsewhere, at least, so long as you are with BT.

sport, nothing's been deleted, so what you see is what you get. The 220 hack up the page (in the main body) is "permanent". Is that what you meant?

Any joy with the firmware hacking, skyhorse?

;o) Cor


matix - 24.04.06 12:08 am

Hi anyone know how to pack and unpack the firmware ???
or know of any way i can edit the web pages inside the router cos i think its only 3 lines of code which needs adding.

if anyone has any ideas pm me using hotmail


vof - 24.04.06 12:36 am

sport: you are probably looking for the post from C1 at 09.04.06 3:16 am on an earlier page.

matix: yes, you need a linux system and a fair bit of software development/build knowledge - too much to give simply here.

You may be right about modifying the html but the stumbling block is that it is all in a read-only filesystem smiley for :eek:

Have you read all the comments at the beginning of this page? (You will need to show all comments or earlier pages.) There was quite a lot of discussion about the 220V and 2091 systems in January and February.


sb742 - 24.04.06 7:24 pm

Is it impossible to use the 220V or 2091 with a ADSL2+ ISP that does not use username and passwords?


stevegt - 25.04.06 3:45 pm

Have tried the above on my 220V, doesn't seem to work.

is it possible to telnet the command, and where do I put it?

regards

steve


matix - 25.04.06 5:39 pm

im working on compiling busybox anyone had experience playing with busy box and how did they manage to get it on the router ???

is it as straigt forward as compiling into a bin file and uploading to the router or what ???. i have read what u say in other posts but no one has commented on banging an unmodified version of busybox but im worried bout bricking the router lol anyway here goes nothing please say i can flash the router again after lol

l8rs ill post what i find


Zeff - 25.04.06 7:14 pm

Is there a Work round on the Voyager 210????
ive tried the above one and it dont work.
is there a way to get past the
"UNSUPPORTED BROADBAND SERVICE"

message???

Zeff


vof - 25.04.06 7:43 pm

matix: I don't think you can upload just a new version of busybox - you need to incorporate it into a complete firmware build. The few experiments I have done so far involve investigating rebuilding the complete firmware (and I did not bother with any busybox changes since they are actually some of the easier problems).

Make sure you have a working firmware file to fall back on in case you do brick it (and even then the upload function may not work anymore...)


matix - 26.04.06 12:19 am

Is there a way to decompress or open the firmware so i could build another one i have dissassembled it using hex editors but it does not give the full picture


vof - 26.04.06 10:39 am

matix: this seems to be the site with the most info.


conno - 27.04.06 11:16 pm

Hi i have a bt voyager 2500v wireless ADSL voice router ive tryed all them hacks and none work with this 2500v.
if anyone as hacked it please let me know how to do it smiley for :lol:


joe pineapples - 30.04.06 11:35 am

Hu

tried the above hacks with my 210, but none have worked. Anyone else with a 210 been successful?.

cheers

joe


Julesxp - 30.04.06 10:32 pm

this might be worth a look.....
http://www.voyager.bt.com/gpl.htm
smiley for :lol:


Dan - 01.05.06 10:12 pm

just checking back ... any progress on the 2901 anyone ? Looks like BT have this one :(


XX - 02.05.06 10:23 pm

I have got the two Voyager 220V 's one has a version of the firmware on it that allows you to use on a different ISP with the hack mentioned above the other seems to block this. Does anyone have a link to a version of the previous firmware to upload on the 2nd Voyager to unlock it or have a mechanism to extract the firmware from the unlocked Voyager 220V


vof - 02.05.06 11:37 pm

XX: If you check back through my old comments, you will see I have been asking that very question for some time.....but without any answer.smiley for :eek:

Have you got any of the original 220V installation CDs from BT? If so, have you checked to see if there are any firmware files on those CDs, probably with filenames that start cfe-voyager.....?

I have an original completely ISP-unlocked Voyager 220V but my v1.0 CD does not have any firmware files on it at all.smiley for :aargh:


another mouse - 04.05.06 9:53 pm

Despite BT claiming they only support PPPoA, I set the Voyager 220V up
as PPPoE and guess what! It connects! Some exchanges have kit that is PPPoE
capable. Kenmore (Scotland) was the one in in question which I found odd cos
it's in the sticks. Anyway. If you need PPPoE connectivity, give your ADSL router
a try. Try connecting max 3 times with the PPPoE settings instead of PPPoA
and see if it works :-)


sb742 - 05.05.06 9:01 pm

another mouse

PPPoE worked here too. I got a higher SNR as well, not sure why.


octavian - 06.05.06 10:40 pm

220v SIP firmware upgrade?

Found this -

http://www.voyager.bt.com/firmware_upgrades/cfe-voyager220v_sip_btr-v301n_a2pb018c1

If everyone else has also 'found' it, please don't stomp all over me.

I'm posting the link as I find it before BT remove it.

Can we do anything with it?




vof - 07.05.06 1:31 am

<removes stomping boots and puts on comfy slippers...>

Sorry octavian, that is a known firmware upgrade listed on this BT page.

It supports a later BT VOIP SIP based product (BT Broadband Talk?). Be careful - it may be ISP lockedsmiley for :eek: so you probably don't want it unless you use the Broadband Talk service.


Cassandra - 07.05.06 2:32 am

For anyone masochistic / pedantic enough to want to use the BT Voyager 210's USB connection under Linux, all you need do is add its (0x069a, 0x0318) USB vendor/product IDs to the drivers/usb/net/cdc_subset.c file in the Linux source tree. That's it.

The modem's USB device is just a USB 1.1 network adapter (max theoretical bandwidth of 12 Mbps), which will be completely useless for ADSLv2 when it arrives. So just get a NIC, OK ;-)?

T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 6 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=02(comm.) Sub=00 Prot=00 MxPS=32 #Cfgs= 2
P: Vendor=069a ProdID=0318 Rev= 1.01
S: Manufacturer=ADSL
S: Product=USB Network Interface
S: SerialNumber=xxxxxxxxxxxx
C: #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr= 0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=
E: Ad=85(I) Atr=03(Int.) MxPS= 8 Ivl=100ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=
E: Ad=81(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
C:* #Ifs= 2 Cfg#= 2 Atr=c0 MxPwr= 0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=(none)
E: Ad=85(I) Atr=03(Int.) MxPS= 8 Ivl=64ms
I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_subset
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_subset
E: Ad=81(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms


Cassandra - 08.05.06 6:48 pm

In fact, the Voyager 210's USB port works out-of-the box with Linux's cdc-ether driver.


Zeff - 10.05.06 12:40 pm

Hi, just got a Linksys adsl2MUE router today, and for the life of me is there any way of turning of the NAT firewall?
its messing up me downloads:/

any help would b cool ty.

Zeff


Ace - 10.05.06 11:42 pm

Hello all,

Ive just switched from using my voyager 205 to my voyager 220v, does this tweak still apply and should I add it to my 220v ?

modify nbsize maxipsess 512

Thanks for any help.


Squbel - 11.05.06 12:27 am

C1 : If you want to run custom binaries on your voyager you might need to check some early posts here. I've posted external link with guide to upload and run executables on bcm6345/48 router. If you want to cross flash yor voyager with different firmware - read the same link or ask here - I can post small how to.


vof - 11.05.06 3:27 pm

Ace: No, the 220V is completely different internally - 205 commands are not understood.


Sharpy - 11.05.06 6:34 pm

You Gem!
The java hack worked a treat with a Voyager 220V.

Well done, and many thanks.


Ace - 12.05.06 2:19 am

Ah I see thanks vof smiley for ;)

Im glad I didn't try to add it before asking. Are there any suggested commands to tweak the 220V, anything that was similar as to what was suggested on the 205 ?

Thanks again.


roy - 12.05.06 11:49 am

Tried you commands on a locked Voyager 210. Dont work. Any ideas or suggestions?


vof - 13.05.06 12:47 am

Ace: I don't know of any suggested tweaks, possibly because the 220V runs a more general system, a basic version of Linux actually on a non-Intel architecture (MIPS) processor. The design of Linux means it is sufficiently flexible to be able to cope with most TCP/IP situations, provided the processor has enough 'grunt' and the system has enough memory to work in.


Ace - 13.05.06 4:43 am

Thanks for the info vof, no worries mate and thanks for the help so far smiley for ;)


Yokel - 13.05.06 7:25 pm

Well I've tried the above on my 2091 and nowt seems to work but maybe its me, mines a newish one and always throws up the BT Broadband only warning. It would be great to hear of some one cracking this.


Bonsai - 15.05.06 2:03 pm

>PPPoE worked here too. I got a higher SNR as well, not sure why.<

Does this mean that PPPoE will work with BT DSL in the UK?
I'm asking because we want to use a Cisco Pix501 for a VPN connection. This device supports
only PPPoE.


rpruen - 19.05.06 2:24 pm

Those of you with Voyager 2091 may want to try this.

Apparently PPPoE comes with the upgrade to 'up to 8meg' so if your exchange has that, then you should be able to use PPPoE.

Change your connection to PPPoE and also select realtime VBR with the params as follows...

Peak cell rate 2500
Sustanable cell rate 250 (try changing if you have a better line than me)
Maximum burst rate 1000 (you could try changing this too)

Then click on configuration > Advanced > Internet, then ADSL (top of the main frame) select everything including seemless rate adaption.

I go from 1.9Mb/s to 3.0Mb/s by doing the above, and loose all the drop outs I was getting.

I have a very poor line, but maybe it will help some others.

Richard


Paco - 19.05.06 2:50 pm

Those with a voyager 2091 check this link.http://www.uk-bug.net/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=10&page=1. You can get the adapter needed at http://www.necables.co.uk/nec/.


rory - 19.05.06 9:06 pm

Paco that's for a different router, the "EN5861".


Alessio - 20.05.06 4:09 pm

Hi,
I tried to put the <a href=http://www.dynalink.com.au/firmware.htm?prod=RTA1025W>Dynalink 1050W</a> firmware in my BT voyager 2091 Wireless router - they both use the BCM6348 Chipset (check the brochure http://www.dynalink.com.au/modemsadsl_cur.htm?prod=RTA1025W).

I did this pretty much what I found on http://skaya.enix.org/wiki/FirmwareFormat:

From the Voyager2091 - cfe-voyager2091_btr-v301m-a2pb018c1 I took from the very beginning of the file

36 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 56 32 30 39 31 5F 42 42 00 00 00 00 00 00 00 00 31 00

and copied into cfe-rta1025wnz-v328q_a2pb01. The first section of the firmware contains data about the vendor: now the Dynalink 1050w "sounds" like a Voyager 2091.
In the modified Dynalink 1050W firmware, I was not keen on touching the following section which contains size/address of loader/rootfs (this could make your router unusable!)
I calculated the checksum with flipped bits:

bytes 236-239: contains the checksum from byte 0 to byte 255 - the checksum is 43 6C F1 22

byte 216-219: contains the checksum from byte 256 to the end of file - the checksum is 82 12 7F 96

Then I saved the firmware and uploaded to the Voyager via web interface, the upload went fine and the Voyager rebooted, it went up without any problem. Some info:

# cat /proc/cpuinfo
system type : V2091_BB
processor : 0
cpu model : BCM6348 V0.7
BogoMIPS : 239.20
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available

( this shouldn't have changed)

# cat /proc/version
Linux version 2.6.8.1 (compiled by michaelc) (gcc version 3.4.2) #1 Tue May 2 16:37:07 CST 2006
#

(I think this was 2.4.17 before)

# dmesg
13 C6 43
usb0: Host MAC Address: 00 16 E3 13 C6 44
USB Vendor id=069a, USB Product id=0311
PCI: Setting latency timer of device 0000:00:01.0 to 64
PCI: Enabling device 0000:00:01.0 (0004 -> 0006)
wl: srom not detected, using main memory mapped srom info (wombo board)
eth0 Link UP.
wl0: Broadcom BCM4318 802.11 Wireless Controller 3.91.41.0
pSdramPHY=0xA0FFFFF8, 0xEDEAF76D 0xCBFBDEE7
AdslCoreHwReset: AdslOemDataAddr = 0xA0FFA664
SharedMemAlloc: ptr=0xA0FFFC38 size=936
ADSL G.994 training
disable vlan
ADSL G.992 channel analysis
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (125 buckets, 0 max) - 368 bytes per conntrack
ip_conntrack_pptp version 2.1 loaded
ip_nat_pptp version 2.0 loaded
ip_conntrack_h323: init
ADSL G.994 training
ip_nat_h323: initialize the module!
ip_conntrack_rtsp v0.01 loading
ip_nat_rtsp v0.01 loading
board_ioctl: boot complete!
ADSL G.992 started
ADSL G.992 channel analysis
ADSL link down
ADSL G.994 training
ADSL G.992 started
ADSL link down
ADSL G.994 training
ADSL G.992 channel analysis
ADSL link up, interleaved, us=64, ds=1024



Now I've set emule to work with 200 max connetions and I can still browse the Internet - still testing tho. I am on BT, so I can't tell for sure, but now the router shouldn't be locked to any ISP.

Alessio



Paulo - 20.05.06 9:03 pm

Hey Alessio,

That sounds quite cool really, been trying to do what you said with my 2091 as I'm not on BT but I'm not having any luck uploading it. Think for some reason it's corrupting the file as I try and edit it.

There's no chance you could stick the firmware on megaupload or you send it, is there? I'll gladly test it if you want.

Regards

Paul




Paulo - 20.05.06 10:10 pm

Actually, Ignore my last post. I've edited it using XVI32 and upoaded it without a problem and it works!

Just connected using AOL without any probems!smiley for :cool:

Here's a link to the firmware


2091 done!

P.s. Corz, could you remove my email addy from that last post please?
[ edit: yup, and also edited f/w link to on-site version ;o) ]


cor - 20.05.06 10:40 pm

Done!

And well, knock-me-sideways-with-a-WiFi-antenna! Voyager 2091 DONE!!
Alessio and Paulo, real nice work guys! smiley for :D

/me rubs eyes and reads it again..

2091... connected... AOL... Works!


It's real! smiley for :eek: smiley for :D

My brain is half-comatose, and I gotta sleep real bad, but even in this state I can see this is a major break-through for all the stranded BT Voyager 2091 owners. Excellent stuff.

Let's hear about some other ISPs now, 2091 dudes!
Back soon with more permanent firmware links, etc..

/me bows.

Zzz..

;o) Cor

ps.. I'm just reading your cute hack again, Alessio, very clever! I wonder what the telecom giant's response will be. smiley for :ken:


Paulo - 20.05.06 10:47 pm

Thanks for removing the addy dude!
I'll test Zen tomorrow when I get back to my place... smiley for :D

Paul


cor - 20.05.06 10:55 pm

Excellent, Paulo! It would be great to hear some positive reports from folk using the major ISPs, but to me, this looks like a winner!

By the way, what is XVI32?

;o) Cor

ps. bed now, no really...

2091 cracked! w00t! smiley for :evil:

*ahem*


Paulo - 20.05.06 10:59 pm

XVI32 = Freeware Hex editor!

http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm

Really good program actually... Simple but really effective!

P


digitaldazz - 21.05.06 12:56 am

mint,

good work lads--just what i've been waiting for.

eorks mint - will let u know of any probs but looks spot on. good work . and thanks to cor for this spot on site!!!smiley for :lol:


Alessio - 21.05.06 1:34 pm

Some more infos:

first 256 bytes: header - we know already

00000028 | 20 56 32 30 39 | V209 | ㉖㤰
00000030 | 31 5F 42 42 00 00 00 00 | 1_BB.... | 弱䉂..
00000038 | 00 00 00 00 31 00 32 35 | ....1.25 | ..1㔲
00000040 | 35 32 31 35 38 00 00 00 | 52158... | ㈵㔱8.
00000048 | 33 32 31 37 30 33 31 31 | 32170311 | ㈳㜱㌰ㄱ
00000050 | 36 38 00 00 36 33 39 32 | 68..6392 | 㠶.㌶㈹
00000058 | 38 00 00 00 00 00 33 32 | 8.....32 | 8..㈳
00000060 | 31 37 30 39 36 39 36 30 | 17096960 | 㜱㤰㤶〶
00000068 | 00 00 32 30 36 34 33 38 | ..206438 | .〲㐶㠳
00000070 | 34 00 00 00 33 32 31 39 | 4...3219 | 4.㈳㤱
00000078 | 31 36 31 33 34 34 00 00 | 161344.. | 㘱㌱㐴.
00000080 | 34 32 33 38 34 36 00 00 | 423846.. | ㈴㠳㘴.
00000088 | 00 00 00 00 00 00 00 00 | ........ | ....

(cut)

then there is some padding (?) till we get the CFE code.
Then from 0x0000FAB8 there is the root filesystem (cramfs filesystem):

0000FAB8 | 28 CD 3D 45 00 1F 80 00 | (Í=E..€. | 촨䔽ἀ€
0000FAC0 | 00 00 00 03 00 00 00 00 | ........ | .̀..
0000FAC8 | 43 6F 6D 70 72 65 73 73 | Compress | 潃灭敲獳
0000FAD0 | 65 64 20 52 4F 4D 46 53 | ed ROMFS | 摥删䵏卆
0000FAD8 | E8 8A CB 41 00 00 00 00 | èŠËA.... | 諨䇋..
0000FAE0 | 00 00 01 AB 00 00 01 70 | ...«...p | .ꬁ.瀁
0000FAE8 | 43 6F 6D 70 72 65 73 73 | Compress | 潃灭敲獳
0000FAF0 | 65 64 00 00 00 00 00 00 | ed...... | 摥...
0000FAF8 | 41 FF 00 00 00 00 B4 00 | Aÿ....´. | a..´
0000FB00 | 00 00 00 13 41 ED 01 FA | ....Aí.ú | .ጀ度
0000FB08 | 00 04 10 F4 04 00 00 40 | ...ô...@ | Ѐ.䀀
0000FB10 | 62 69 6E 00 41 ED 00 00 | bin.Aí.. | 楢n.
0000FB18 | 00 03 20 00 04 00 01 44 | .. ....D | ̀ .䐁
0000FB20 | 64 65 76 00 41 ED 01 FA | dev.Aí.ú | 敤v度
0000FB28 | 00 01 CC F4 04 00 02 10 | ..Ìô.... | Ā.ဂ
0000FB30 | 65 74 63 00 41 ED 00 00 | etc.Aí.. | 瑥c.
0000FB38 | 00 00 D4 00 04 00 02 B5 | ..Ô....µ | .Ô.딂
0000FB40 | 6C 69 62 00 A1 FF 00 00 | lib.¡ÿ.. | 楬bᄀ.
0000FB48 | 00 00 0B 00 08 07 15 23 | .......# | ..܈⌕
0000FB50 | 6C 69 6E 75 78 72 63 00 | linuxrc. | 楬畮牸c
0000FB58 | 41 ED 00 00 00 00 00 00 | Aí...... | ...
0000FB60 | 04 00 00 00 6D 6E 74 00 | ....mnt. | ..湭t
0000FB68 | 41 ED 00 00 00 00 00 00 | Aí...... | ...
0000FB70 | 04 00 00 00 70 72 6F 63 | ....proc | ..牰捯
0000FB78 | 41 ED 01 FA 00 00 E8 F4 | Aí.ú..èô | 度.
0000FB80 | 04 00 04 52 73 62 69 6E | ...Rsbin | .刄扳湩
0000FB88 | 41 ED 01 FA 00 00 10 F4 | Aí.ú...ô | 度.
0000FB90 | 04 00 04 8C 75 73 72 00 | ...Œusr. | .谄獵r
0000FB98 | 41 ED 00 00 00 00 00 00 | Aí...... | ...
0000FBA0 | 04 00 00 00 76 61 72 00 | ....var. | ..慶r
0000FBA8 | 41 ED 01 FA 00 0F 44 | Aí.ú..D | 度ༀD

Some of it should make sense (linuxrc/mnt/proc/etc): to mount the rootfs and see what is inside of it:

dd if=cfe-voyager2091_btr-v301m_a2pb018c1 of=rootfs bs=1 skip=64184 (this number is the address - 0x0000FAB8 - in decimal)

then:

alex@localhost tmp# file rootfs
rootfs: Linux Compressed ROM File System data, big endian size 2064384 version #2 sorted_dirs CRC 0xe88acb41, edition 0, 427 blocks, 368 files

(note that the size is the same as declared in the header)

If I try to mount it:

alex@localhost tmp# mount -t cramfs -o loop rootfs /mnt/cramfs/
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
or too many mounted file systems
(could this be the IDE device where you in fact use
ide-scsi so that sr0 or sda or so is needed?)


Apparently you can't mount it because of the architecture - big-endian vs little-endian (http://slackware.osuosl.org/slackware-8.0/docs/linux-2.4.5/filesystems/cramfs.txt) - can anyone give it a go on the right machine? I've not been able to get the source code for the 2091, can someone make it available please?
Cheers
Alessio







Tim - 22.05.06 9:31 am

Does anyone know how to configure the BT Voyager 210 in Bridge mode? I would like my device to act as a basic modem and forward packets directly to a separate router (Netgear RP614v2) whose WAN IP address I would like to give the static IP address my ISP has assigned me.

I've seen this mode described as ZIPB mode on a 205, but the 210 doesn't share the same CLI interface.

Background:

I opted for a BT Voyager 210 from Madasafish as it was free, and I already had a Netgear RP614v2 router and Buffalo Wireless kit from my previous ISP which was a Cable Modem set up (I had to change from NTL following a house move).

Because the 210 is acting as a router, I'm suffering from a dose of double NATting because my Netgear does this as well. The effects of this are certain web sites don't work - for example BT online billing, Ebay sign-on etc only work if I connect via USB (i.e. bypass the Netgear router and its NAT layer).

The Netgear doesn't allow itself to be configured as a simple switch, so one alternative is to get the BT 210 to not act as a router but as a basic modem, just like my old Cable Modem. I have a static IP address from Madasafish, and would like to give this IP address to the WAN settings of the Cable Modem.

I emailed my ISP with the above description, but they replied with a brief note saying that I could change configuration parameters by going to the Advanced menu, but not what settings to change. I get the impression that I'm more likely to get a useful reply from the folk on this site.

Of course I could go out and buy an all-in-one ADSL wireless modem router, but that would be admitting defeat...

Tim.


mart702 - 22.05.06 12:46 pm

good work guys,
i can confirm the new firmware works well
with bulldog

thanks

mart.smiley for :lol:


Cassandra - 22.05.06 10:41 pm

To configure a Voyager 210 for "bridging", you need to delete your existing PPPoA configuration and then replace it with a "Bridging" one using the same VPI and VCI numbers.


Recall - 22.05.06 11:26 pm

is PPPoA or PPPoE better? i have a voyager 210 atm.


Cassandra - 22.05.06 11:50 pm

PPPoA is "better" than PPPoE in that PPPoE adds an extra 8 bytes of overhead to each network packet. However, your ISP determines whether the modem should use PPPoE or PPPoA to connect, and BT requires PPPoA.

Now, you could configure the modem to use "ATM bridging" instead of PPPoA, and then provide your own PPPoE client to "go over" this ATM bridge. This puts the public IP address onto your own PC instead of the modem, as well as all the responsibility for firewalling and NAT. But if none of this makes any sense to you then you should use PPPoA smiley for ;).


vof - 23.05.06 12:53 am

Tim: on my 220V, on the Quick Setup second page (Configure Connection type), 'Bridging' is one of the protocol choices. Does your 210 have a similar page? Another way in is via Internet config page, then Edit your pppoa_0_38 PVC - again it is on the second page which appears after you click on Next.


nic - 23.05.06 8:21 am

I've downloaded the voyager 2091 firmware hack but how do I upload it to the router? I've tried ftp'ing it but it just keeps saying "failed". Once I find out how to do it, do I have to upload both files? All help gratefully received.


Paulo - 23.05.06 9:11 am

If you log into the web based interface and have a dig there's an upgrade feature there, just choose upgrade by file and point it to the firmware on your pc!


Tim - 23.05.06 12:27 pm

Cassandra: The connection options displayed are PPPoA, PPPoE, IPoA and Bridging. There is then a suboption for encapsulation which is currently set to VC MUX but defaults to LLC/SNAP for Bridging.

So if I change this to Bridging with LLC/SNAP the following option allows me to specify the WAN IP address. I can either set this to None, DHCP or type in a value/mask/gateway. My initial reaction is to set this to None - and configure my Router with my assigned, static IP address. If I don't I then get an option to enable/disable NAT so I guess this is the WAN IP address of the router its asking for, which I don't want.

I'm then asked for a LAN IP address - which I assume is so that I can still connect to the device for configuration.

So the last part of my plan is to configure my Netgear router to use PPPoE and give it my static IP address, and to connect with my supplied username and password.

I'll give this a go tonight.


nic - 23.05.06 12:43 pm

Paulo - many thanks - it worked perfectly. Must have been having a senior moment - can't believe I missed the upgrade from PC option.


scooby - 23.05.06 1:52 pm

Hi, My isp is talktalk.net, I still have my BT Voyager 2091 Wireless Modem/Router. I am a computer beginner, can someone supply a idiot's step by step guide on how to unlock the 2091 and set it up to use with TalkTalk Broadband.


Dan - 23.05.06 3:31 pm

Hi,

Just to confirm the 2901 hack works with TalkTalk !

Simple guide (this is what i did )
download firmware from or link above see post Paulo - 20.05.06 10:10 pm
unzip firmware should be 3 files
Connect router up via ethernet
enter 192.168.1.1 in browser
select advanced from menu
bt password is admin admin
select upgrade
selcet from pc to router (top of page)
browse to previously downloaded file (cfe-rta1025wnz-v328q_a2pb021)
select upgrade
do not power off during upgrade
wait a good 5mins
all lights should be green on router
point browesr at 192.168.1.1 again
ensure adsl connected and web page says ready to connect
enter broadband login details
should connect and your away !smiley for :lol:

Thanks to the guys who cracked this one !


SK - 23.05.06 8:18 pm

Great news on cracking the 2091 firmware - I've a few questions hopefully some people can answer.

Apart from removing the ISP lock does the new firmware offer any benefits? Alessio mentioned upping the numebr of connections - is this something that be changed in the new firmware?

Does the router still use the same admin web pages with the new firmware?

Are there a list of commands/manual available for the new firmware?

Is this firmware newer or older than the BT one? I know BT's latest firmware made a fix to the VPN software running through it (more reliable). I wouldnt want to loose this?

Finally has anyone who has flashed it tried reverting to the original BT firmware after the new firmware is loaded (just incase something goes titups.com)

OK so thats a lot of questions and if I dont get any anwsers I'll probably go ahead and put the hacked firmware on it - just for the hell of it.

Thanks,

SK


Cassandra - 23.05.06 9:25 pm

Tim: On my Voyager 210, I have the following:

VPI/VCI: 0/38
Category: UBR
Protocol: Bridge LLC/SNAP

I wasn't given an option to set the WLAN address or use NAT, nor did I expect to be. The bridge is just a dumb two-way street to push Ethernet packets across. The modem's LAN interface is unaffected by all of this, too.

Now that the Voyager is in Bridging mode, you need to configure your router to be a PPPoE client so that you can authenticate a PPP session with BT.



Alessio - 23.05.06 9:32 pm

Hi SK,
this router is just a small linux distribution, to do some tuning (like in the Voyager 205 section) you need access to the small OS behind the scenes.

telnet 192.168.1.1

login; at the menu type in "sh": now the system is yours - some of the parameters you may want to change:

echo some_value > /proc/sys/net/ipv4/ip_conntrack_max ---> # max connections
echo some_value > /proc/sys/net/ipv4/tcp_fin_timeout ---> timeout
echo some_value > /proc/sys/net/ipv4/tcp_keepalive_time ----> keepalive

you can monitor your connections:
cat /proc/net/ip_conntrack

and memory usage:
cat /proc/meminfo

type in "ps" and you'll see what is running on your router.

Dynalink runs a 2.6.* kernel while BT is on 2.4.* - not sure about VPN access.
Alessio




moggie - 23.05.06 11:11 pm

O brilliant brains lurking out there, please regard me as stupid: It helps me underestand. I need to replace a problematic Belkin Pre-N wireless router (connection dropping, speed variabnle from mediochre to nowt) on a 3 PC + server network on BT connect using a Voyager 220v. The Belkin initially refused to deal with the Voyager 220v, because there was too much smart-arseing going on; both wanted to DHCP and NAT etc etc. Belkin advised me that these 2 don't particularly like each other and I ended up on their advice setting the Belkin to be merely an access point.
The desire is to go wired using a Cisco PIX 501 firewall/router which is available. I've nailed it all together with the PC (Pix inside) network on 192.168.1.x and the pix outside (220v) on 192.165.1.1 (220v DHCP off). The 220v internet ip is generated by BT. What do I need to do to stop the 220v doing all its firewalling, Natting etc and just pass the BT generated ip to the PIX outside address so only the PIX does the fancy stuff?


scooby - 23.05.06 11:51 pm

Thanks Dan,
I got the 2091 unlocked, got the 5 green lights, but still cannot get connected to internet. I think I need to configure some of my internet settings for it to let me connect to the internet. As I posted earlier, I am a beginner. Can anyone help.

Thanks to everyone who discovered the crack. Cheeers


Gazza - 24.05.06 1:04 am

Fantastic!!! 2091 unlock works for Tiscali

Well done to all


Paulo - 24.05.06 7:29 am

Scooby, Check the VPI/VCI connections...
If you've got no previous settings in the Router it often changes the settings from 0 / 38 (UK standard) to 0 / 100 if you reset it. Have a quick look under the connections settings and change it back to 38 if it's set to 100.


Scooby - 24.05.06 12:58 pm

Paulo, Thanks for the info, I thought I did change the VPI/VCI settings, but it seems I did'nt. The router is up running and on wireless. Great!

Thanks again to all who makes it all possible.


SOLIDSNAKE - 24.05.06 2:27 pm

Hi can someone help me, i updated the firmware on the 2091 and i get all lights except the internet what do i do, im on bt but i wanted to give this modem to a firend because i have 2 2091s is there anyway you can put the original firmware back on the modem?
Also will the modem i put the firmware on work if i connect it up to tiscali?

Thank you for the help asapppppp!


JorH - 24.05.06 4:32 pm

Does Anyone Know If Ukonline Works With A Bt Voyager 220v Router, Just I Am Going To Buy One ??smiley for :ken:




sb742 - 24.05.06 7:04 pm

Yep this works. And it works very well at that.

Nice work, and thanks. Up with Wanadoo.


Squbel - 24.05.06 9:28 pm

Congratulations Alessio! Great job!

I've tried the same few months ago with wrong firmware version and I've ended up with dead router.


cor - 25.05.06 12:25 am

Alessio, you can get the source from the Useful Links section (as supplied by BT on CD) but it doesn't look to be the whole thing, just the bits that were covered by the GPL.

It's hosted on my workshop server, and the connexion is quite slow, but stick with it, and you'll get the lot. I recently re-enabled the passive connexions on that server, too, so that should make connecting a bit easier. Have fun!

Unfortunately, "Santa" never did come through with the promised box of routers, so I can't help you, moggie. Also the word "Pix" confuses me!

By the way, SK, as far as I know, Linux kernel 2.6 includes built-in support for a range of VPN services, even Microsoft encryption methods, so I would imagine, if anything, VPN support would be improved.

Thanks for the "simple guide", Dan, I'll probably do something with that useful text before it slides off the page.

And thanks for all the reports! It's great to hear that the other ISP's working with the new 2091 firmware, excellent news indeed.

l*rz..

;o) Cor

ps..

JorH, have you tried the javascript hack?




Lee - 25.05.06 1:22 am

I just want to shout out a huge THANKYOU to Alessio, I bought the voyager 2091 on ebay befoire i realised that it was locked to BT and well im now so happy i can use it on my own ISP as i cant get BT in my area anyways you sir are a STAR!!!!


Tim - 25.05.06 8:49 am

Cassandra: Thanks, that helped. Problem was with the router config. Am unable to access Modem config function on configured LAN IP though. Router is on 192.168.0.1, modem on 192.168.0.2. Should it be on a separate subnet?


RJ - 25.05.06 11:54 am

2091 hack........Bloody brilliant........soooooo happy, thankssmiley for :Dsmiley for :Dsmiley for :Dsmiley for :Dsmiley for :Dsmiley for :D


Cassandra - 25.05.06 1:36 pm

Tim:

So to summarise, you have
{Internet} <-ADSL-> [Voyager 210 Modem] <-Ethernet-> [Netgear Router] <-??-> PC

Yes, I can see that you might have trouble accessing the Voyager's Web config page via the router. Don't forget that the router has your public IP address, and that your modem is beyond it. Assuming that the modem and router are connected via an Ethernet cable, I suspect that you're going to have to connect your PC directly to the modem as well via a USB cable in order to configure the modem. And yes, I do think that you'll want to put the modem on a separate subnet to the router so that the PC knows to send modem-config network packets down the USB link.


carnelian - 25.05.06 5:54 pm

**HELP**

The firmware I have downloaded and unzipped is cfe-rta1025wnz-v328q_a2pb021 as above and yet the upgrade fails because "The firmware update is failed. The selected file contains an illegal image."

I'm fairly green as far as far as this kind of thing is concerned, so the idiot proof instructions were great until i hit a brick wall.

Any ideas on how to beat the broadband fascists?

:-)




carnelian - 25.05.06 6:16 pm

ok i give up too easily. i downloaded the firmware via the link above and not from dynalink and it worked. also changed VCI/VPI settings to 0/38 and YAY! it worked.

so many thnks for everyone who contributed above.

:-)


Tim - 25.05.06 8:03 pm

Cassandra: You're quite right. However I can reach the modem via USB by modifying the route metric of the relevant interface. I'm happy now, thanks for your help!

Tim.


scooby - 25.05.06 8:41 pm

SOLIDSNAKE. Not sure if you can put it back to BT firmware. The updated 2091 should work with Tiscali.
1.Did you change the VPI/VCI setting to 0/38 as after the installing the firmware, these settings are 8/35


Trotchk - 26.05.06 2:55 pm

Many thanks for your help, have just switched from BT to Tiscali and was about to bin my 220v. C1's hack dated 09.04.06 worked a treat my 220 is up and running and the Sagem 800 can be chucked in the shed. Thank you, Thank you, Thank you.


Chris - 27.05.06 12:58 pm

I have a voyager 210 router from BT, Does anyone know how to UNLOCK it from BT so I can use it with another ISP
Thankssmiley for :roll:


Jim - 27.05.06 1:08 pm

Hi all,

Someone gave me a BT Voyager 2100 with a broken ADSL port. Not important for me 'cause I use Telepest. Thing is I would like to use it as a bridge or relay from my linksys WRT54GS. Is there anyway of doing this? Looking at the config page or telnet-ing in to it its not obvious how (if it can) be done.

Cheers, Jim


willy - 27.05.06 7:38 pm

NOTE FOR VOYAGER 2091 OWNERS RUNNING ON DYNALINK FIRMWARE:

http://api.home won't work anymore

use http://192.168.1.1


Andy - 27.05.06 7:46 pm

VOYAGER 2500V Any ISP

Hi, ive been wanting the voyager 2500v unlocking for a bit now and havnt come across anything until today, i ordered the 2500v but said i was with another ISP and the router came already unlocked!!!

the firmware version it came with is 3.01k

i have another 2500v that is locked,

any ideas how to copy the opened up firmware?


sb742 - 28.05.06 12:06 pm

"VOYAGER 2500V Any ISP

Hi, ive been wanting the voyager 2500v unlocking for a bit now and havnt come across anything until today, i ordered the 2500v but said i was with another ISP and the router came already unlocked!!!

the firmware version it came with is 3.01k

i have another 2500v that is locked,

any ideas how to copy the opened up firmware?"


--

That would be extremely useful to a lot of people if you could manage it. Stick around on this forum matey, you have a resource there which might produce an unlock for the 2500V.


Skull - 29.05.06 2:29 am

found this link "http://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update" doing a search on google, have d/led 3 files that are updates for the 2500v firmware, how do I find out exactly what ver firmware my new 2500v is running? only detail I have found so far is through router manager which tells me the following

Firmware Version 2.21.05.11g_A2pB018c1.d16d
Boot Loader Version 1.0.37-21.6.9
Wireless Driver Version 3.91.39.0 (Wireless is enabled)
Wireless BSSID 00:11:F5:FC:BB:A7
Ethernet MAC Address 00:11:F5:F7:76:C0





willy - 29.05.06 2:55 pm

just a quick note on voyager 2091 running on dynalink firmware,does it have the same features?
i tried to use wpa2-psk aes, and that didn't work, so i left it on wep (not very secure). it also says that it is adsl2 compatible, but i haven't seen an official bt release for 2091 being adsl2 compatible.

i've set my MTU at 1458, and RWIN at 12762, running on an 8mb bt connection. is this a decent setting?

thanks,
willy


Skull - 29.05.06 10:31 pm

Just had an interesting conversation with bt, they tell me that the 2500v can be used with any ISP, yet an email from their bt voyager helpdesk said the following "Thank you for e-mailing the BT Voyager Helpdesk.

Please accept my apologies for the delay in responding to your query, and any inconvenience that this delay may have had.

The Voyager 2500v router is supplied as part of a business package from BT Broadband, and as such are locked to the BT Business Broadband ISP.

Thank you once again for contacting BT.

Yours sincerely,


BT Voyager Helpdesk
0870 243 3204"

So who's right and whose wrong?



Gladio - 29.05.06 11:44 pm

Hi !
Congratulations for unlock BT 2091 !
I'm a beginner in this kind of things....Please
Can you explain here,in simple words,and feeds,what I must do
for unlock my BT Voyager 2091 ?
Many thanks to you !
Roberto from Italy,in Central London.


not clever - 30.05.06 10:08 am

Hi i have recieved a bt voyager 220v and i done everything possible and at the end it said cannot connect.
I notice that the DSL light flashes but does not stay on is my router at fault or as BT not switch me on.


Rich J - 30.05.06 11:52 am

Ref - BT Voyager 2091 unlocked firmware
Just had to say well done Paulo I cant believe my eyes it works and some nice new features on this firmware as well. Good job i didnt bin the router. A massive thankyou from Myself your a very clever guy.
From one very happy person smiley for :Dsmiley for :Dsmiley for :Dsmiley for :Dsmiley for :D


btsucks - 30.05.06 9:20 pm

Gladio - 29.05.06 11:44 pm

Roberto read post from Dan - 23.05.06 3:31 pm
He gives step by step procedure for applying the 2091 modified software.

If in doubt read BT's instructions for upgrade and substitute your downloaded hacked software and location for theirs.

David F.


redial - 30.05.06 9:39 pm

Hi i used to use a 205 and did the azureus torrent thing, through telnet
now im using 2091 my speed is rubbish on azureus
would this firmware hack solve that or is it just so you can use a diffferent ISP
rather than BT?


cor - 31.05.06 8:11 am

redial, you will need to setup port-forwarding again, regardless of the firmware or ISP.

not clever, is your activation day here, yet?

sb742, can you export that firmware? Please!

Skull, check out sb742's post.

;o) Cor


Skull - 31.05.06 9:49 am

cor Spoke to BT voyager helpline and they tell me that the 2500v is locked to bt and even if you hack the firmware it will reset itself to BT


Skull - 31.05.06 11:29 am

Need to work out whether I can unlock the 2500v before friday as that is the cutoff for my 7 day return, tossing up between returning and getting either a netgerar dg834guk and a voyager 2110


Skull - 31.05.06 8:45 pm

Hi, me again guys sorry if I'm becoming a pain, but could this be the origins of the 2500v? RTA1045G Dynalink ADSL2+ Wireless VoIP Modem Router read about here http://www.dynalink.com.au/news.htm?news=ADSL2


Griff - 01.06.06 3:35 pm

Just like to say a huge thanks to all involved in the Voyager 2091 hack.

Tried it today with Virgin.Net and it worked (Second Time) had to changed the VPI/VCI default of 0,100 to 0,38

Works like a dream.

Thanks a million Guys :o)


vmlemon - 01.06.06 3:57 pm

Just for those interested, the Voyager 205 runs on Mentor Graphics' Nucleus operating system, but the 210 runs on a customised Linux. Not sure about the others, though.


Affamole - 01.06.06 4:43 pm

Hi I have a voyager 210 I also have a safe com 4 port broadband/dsl router, my problem is I can't get the two to talk, at the moment I am force to only allow one machine with access to the internet, I want my bt voyager to work just as a modem and connect it to my router so that all my machine have internet access.

Any help on how to do this will be greatly recieved.

Thank you in advance.


Mike - 01.06.06 5:30 pm

I've bought a Voyager 2091 and want to unlock it work with my Wanadoo/Orange broadband and have downloaded the firmware update files and instructions above. My question is do I have to set it up with BT broadband (using their installation CD & BT broadband account username & password) in order to unlock it or can I do it somehow by connecting it via an ethernet lead to my pc which is already online with my current wanadoo broadband using a usb modem?
thanks


cor - 01.06.06 10:26 pm

No Mike, just plug it in, surf to 192.168.1.1 and go for it. You DEFINITELY do not want to put a BT CD in your computer.

Skull, there's no doubt that the 2500 is a re-badged "something*, and there will doubtless be a way to get it to accept the *somthing*'s firmware, perhaps in a similar way to the 2091. Feel free to have a crack at it!

Sadly, sb742 didn't get back with that unlocked firmware, so at this time, who knows?

As for it reverting to BT. In a word.. bollocks!

Affamole, I don't know much about the 210. Try logging in via telnet and firing up a shell. Scroll back through the comments here for tips and tricks to pull once you are in.

l*rz..

;o) Cor


mikezoe65 - 02.06.06 6:31 am

VOYAGER 2091 unlocked and connecting Ok to Wanadoo BB!
To anyone else about to use a 2091- first thing is to throw away the BT disc!
Thanks a million for firmware and idiot-proof instructions
Mike


Chromefox - 02.06.06 8:42 pm

hi guys im using aol silver now my m8 gave me his old bt voyager 205 but i cant seem to get the thing setup and working any ideas would be very appreciated as im tryin to connect my ps2 online my email is jig20009@aol.com thnx



tony - 02.06.06 11:35 pm

any1 got the bt voyager 2091 firmware old 1 pls smiley for :)


sb742 - 03.06.06 1:42 am

I was quoting another user

I haven't got the unlocked firmware.

I do have a VOYAGER 2500V but I don't use it anymore as I'm now with

Be Unlimted 24 Meg.

They provide a free Speedtouch router (780) and I'm connected at 21000 Kb


jukeboxwizard - 03.06.06 9:49 pm

Howdy howdy all...

I'm new to the idea of hacking your own router...it hadn't really occured to me the any supplier would be soo evil as to "lock ya in"
but hey ho...I guess it was only a matter of time before the idea migrated from mobile phone suppliers etc...

Now with that, I'm interested in the Voyager 2500V
from comments here I see it's one of the locked to BT variety, and apparently also without a cure...

There was one comment that was interesting however, from Andy, in that he somehow managed to obtain an unlocked version of this router from BT, but alas it seems none of the more experienced peers here have taken up the challenge of backing up the firmware from him. Well that is, unless I'm missing something here...

My interest in this particular router lies in it's VOIP features, particularly if it can be used in place of the small gateway type device I currently use, which connects to the pc via USB and to the pstn and allows me to use skype or voipbuster etc with my normal cordless phone. Can it be done ? or is my wish list longer than the feature set of the router, I welcome your comments...



firelinxxx - 03.06.06 11:37 pm

i have tiscali broadband and trying to use BT Voyager a m8 gave me. Spent days with no joy...any help pleazzzzzzzze. I'm such a novice!


Neil - 04.06.06 9:37 am

Hi,

BY Voyager 210

Affamole - I am using an upgraded firmware version 2.18.01.13_a023g1.d15g and will get around the porblem if you can get your hands on, suggest you google it.

Anyone please help - However my only problem is that it wants to sit at Your BT Voyager is ready to connect to broadband. In the advanced settings it is set to connect automatically "always connected" it never used to do this?
Could this be a firmware or ISP issue? Again i'm using wanadoo/orange

Any input would be very much appreciated. smiley for :idea:


Bar - 04.06.06 12:57 pm

does the Voyager 210 support the 205 telnet commands..? tnx


bob2eyes - 04.06.06 3:14 pm

i have a bt voyager 2091 and i downloaded the hacked firmware but it wont upgrade
my firmware is 2.21.05.08m_A2pB018c1.d16d:•


jukeboxwizard - 04.06.06 8:52 pm

just a rambling...I have been looking into the possible origins of the Voyager 2500V from BT, and after much digging about on the net, my conclusions lead me to believe that it may be the new Dynalink RTA1046VW in disguise, or a very close cousin, unfortunately it's not actually out yet from Dynalink so I have no way to confirm my theory. Anyone else got more information on this ?


cor - 05.06.06 10:42 am

sb742, ahh right, so you were! It was Andy who said he had the unlocked 2500.
By the way, there's [quote] tags for that! smiley for ;)
And oh! If you don't need that 2500, you know where to send it! smiley for :D

ANDY! Have you got that firmware exported yet?
If other 2500 users can help with this, please do!


firelinxxx, more details!

Bar, no, not as far as I know, sadly.

bob2eyes, did you follow the instructions to the letter? Try again!

l*rz..

;o) Cor


Bar - 05.06.06 12:21 pm

tnx cor...


bob2eyes - 05.06.06 12:36 pm

when i try upgrading the firmware the screen goes white and does nothing i left it for 10mins and it was still white at the bottom of screen it says done


bob2eyes - 05.06.06 2:04 pm

unzip the firmware
connect the router to the computer via ethernet
in your web browser, go to http://192.168.1.1
select "Advanced" from the menu
then advanced again
system then upgrade
select from pc to router (top of page)
browse to previously unzipped file (cfe-rta1025wnz-v328q_a2pb021)
select "Ugrade"
waited a good 5mins lights on router dont go green

can anyone help no matter how many times i try it they dont all go green

thx



southwestcd - 05.06.06 6:32 pm

Tried the above fix for 220v but got a javascript error of Function domainlock not found(I have the command correct, honest!)
Any suggestions?


Chris - 05.06.06 9:03 pm

Same here, did everything to the book, lights don't all go green, help help help.

Thanks


vmlemon - 05.06.06 10:51 pm

I'm starting work on a site for the Voyager 210. It'll probably have details put into a kind of blog-format, but I'll happily take info when it's up. The URL will be http://210thvoyage.awardspace.com/index.html

I've also found a great deal of info related to this box, just by telneting into it and doing a quick "cat /proc/cpuinfo".


Andy - 06.06.06 12:06 am

Hi

Can anyone help in how to backup the firmware from the Voyager 2500V? the one i have is UNLOCKED and works with any ISP without saying Unsupported Broadband Service

the firmware is 3.01 k as it says on the botton left hand side of the webpage.

Ive tried to simply log in using Ftp but it disconnects me everytime i login with default passwords of admin

If anyone knows how to copy the firmware, please let me know and then i can give you a copy of it

I have the Cd which came with the router but its the bog standard Bt Broadband Talk Cd and doesnt appear to contain any firmware on there.

If someone can tell me how to extract some information from the routers auto update of firmware page, maybe this could help? Im not sure wether doing this will make the device lock to bt broadband though so i havnt tried this.

Comon guys lets crack it!

i want to use this with a different VoIP providor too seen as its using the SIP firmware and not the MGCP one !




jukeboxwizard - 06.06.06 1:38 am

Hey Cor, I'll try...

Andy, I am an electronics engineer, and have a number of years programming/reverse engineering experience behind me on all sorts of stuff, but for slightly different reasons than untangling BT's weird take on the planet. In fact, as I stated up there ^ somewhere, having to hack your own router never occured to me before...so I have never bothered trying. I use DLink routers whenever I can primarily because they are pretty idiot proof and generally work, and I dabble on 'ix boxes with such things as ipcop etc for my own pleasure.
Anyway, I digress, I will be taking delivery of a brand new BT Voyager 2500V next week, just because I can't resist the challenge any longer, and the first thing I will be doing is looking under the hood so to speak...so I'll let you know my results. In the meantime, do not mess with your firmware in anyway or you may lose your unlocked status. Of course, if you hear of a way to save/back-up a copy of your firmware beforehand, let me know smiley for :D

hey sb742, unless I'm mistaken, the BT Voyager 2500V that you have, is adsl2+ capable, so if you unlock it, you can use it on your new BE connection and still be connected at 21mbps...lucky so 'n so.... smiley for ;)


cor - 06.06.06 12:17 pm

Good news, vmlemon, I look forward to seeing it evolve, and then I'll certainly link to you from here. Good luck!

Thanks for getting back here, Andy, your unit is currently the only hope for 2500 users! When you say your firmware is "3.01 k", is that a version number? Anyways, here's hoping we can get that thing cracked. And yes, in the meantime, touch nothing! smiley for :ken:

Thanks, jukeboxwizard! The 2500 looks fairly impressive; it would be good to see it opened up and working with Non-Gestapo ISP's. By the way, I've been using IPCoP as my gateway for a couple of months now; impressive stuff. For me, build-your-own is the way to go for routers. My voyager only gets used for testing ARSE.

southwestcd, perhaps your unit isn't locked to BT, or perhaps it's a later firmware version that uses a different locking system (I can't prevent BT employees visiting this page!). More details would be good.

bob2eyes, you might want to try putting in a fresh BT Firmware first, perhaps a different version, and then try again.

Chris, is that a 2091?

Getting there..

;o) Cor


bob2eyes - 06.06.06 10:29 pm

thanks cor is there anywhere i can get a firmware for the 2091 so i can upgrade 2 the hacked one.....


giles - 06.06.06 10:45 pm

I'm not sure if I can help out in anyway. I have a brand new 2500V and would like to unlock this and use on a onetel/pipex connection. Just found out it's locked and came across this page. Fingers crossed that there are some clever folks here, shout me if you need any help, I'm techy... but not a coder... smiley for :)

Here's hoping!


cor - 07.06.06 10:15 am

bob2eyes, check this page.

giles, feel free to dig into the 2500V and see if you can find a way to export the firmware. All hands on deck!

;o) Cor


bob2eyes - 07.06.06 12:24 pm

i think i,ll give up my 2091 wont upgrade any firmware

thanks 4 all ur help cor


timmytopper - 07.06.06 1:55 pm

Hi just wondering what the upgrade/unlock options were on the 10v box. thanks

Tim


xenaxel - 07.06.06 5:33 pm

does anyone know how to unlock the bt hub (inventel DV4212)


Wonko - 09.06.06 11:46 am

You can telnet the 210 and you get a menu. However, you are not restricted to using that menu. Its a bit like the old menus we used in DOS. IE you get a cursor and you are prompted to type 1 - 5, but you can actually type whatever you want.



jukeboxwizard - 12.06.06 6:43 pm

Ok folks...here's the lowwww down so far on the Voyager 2500V...but first...welcome back Corz.org...I thought BT had smothered ya in legal claims for a moment there smiley for ;)

Ok folks...the BT Voyager 2500V is in fact as I suspected...see earlier post up there ^ somewhere...
It is in fact the spanking new Dynalink RTA1046VW Mark II
complete with all the trinkets and goodies ya can expect from such a combination device like this...
After I have a few cups of coffee and get to wiring in my extension etc...I'll settle down and have a play with it....in the meantime...anyone with the new Dynalink firmware for this router shouldn't have any more lock problems I hope...

rgds


jukeboxwizard - 12.06.06 6:57 pm

actually...on a side note...it makes me wonder if the BT 2091 is in fact the RTA770W...anyone care to comment ?

rgds

p.s. ignore that brain fart...it's more likely the RTA1025W...


DIGITALDAZZ - 12.06.06 10:46 pm

hi all,

just a quick question, as I now have the modded firmware on my 2091 can i update to the original firmware or any updates that come from dynalink?


cheers


Giles - 13.06.06 12:18 am

Surely we don't need to export the old firmware - just need to edit the new one from BT to disable all these stupid lock downs. A link to the new one is posted somewhere in the above thread. Anyone familiar with editing a firmware?

If this is the new Dynalink RTA1046VW Mark II then a link to this firmware will mean that my search (and time) has not been in vain!


Giles - 13.06.06 12:22 am

Anyone that hadn't guessed (and I hadn't mentioned it) this is the new 2500V that I'm talking about.

Welcome back online corz.org!


jukeboxwizard - 13.06.06 7:11 am

Ok folks...I had a quicksie look under the bonnet so to speak and here is what I know so far about the 2500V...it is for sure and certain the new Askey/Dynalink RTA1046VW. Though I'm buggered if I can find out anything much about it from the manufacturers, let alone any support for it.
Major chipset and associated passives in no particular order are as follows:-

BCM6348KPBG - Single chip Adsl2+ controller.
BCM5325EK - Single chip 5 Port ethernet switch using LANKom's SQ-H48W 100baseT magnetics package.

BCM6341KPBG - I assume single chip router solution.
BCM4318 - Single chip Wireless Lan controller.
M12L64164A * 2 - 4mb by 16 3.3v asyncronous sdram - I assume configured as 8mb * 16.
IS61LV6416-10T - 64K * 16 asyncronous sram.
LE9502BTC - Legerity Voslic (Voice Over Subscriber Line Interface)
BCM6301 - 5V adsl2+ line driver chip and associated Linkcom LaL0683 Annex-A adsl2+ transformer.
CP152's * 2 - Tansient voltage protection for slic.
MP1410ES - 2amp DC-DC converter ic, awfully similar to ACT4060 in fact, in any case this one is made by Monolithic Power Semiconductors, but obviously they deny it's existance.
S29GL064M90TFIR4 - Spansion 64K * 16 Flash memory chip, I'm guessing this is where BT hid their dirty linen.

I haven't played with the firmware as yet, not even been in the settings beyond the status, so I have no real comments as yet, save this, I did try testing out the upgrade mechanism and found out that there is indeed a valid firmware upgrade to version 3.01N from BT,
the firmware as it was shipped is version 2.21.05.11G
For those of you mad enough or remotely interested in seeing what this animal actually looks like, I took a few pics for ya, and I will upload them to the public archive. The filename is "Inside the 2500V.rar" and is just shy of 7mb.

I have sent Askey an email asking them for a copy of the firmware, I await their reply, as they obviously don't manufacture this router for Dynalink, or you would think so with the lack of support, it will be interesting to see how they deal with my request. I will also email BT when I get a chance and ask them for a copy of the non-locked version too - we shall see...

I have the equipment and the expertise to remove the flash chip, read/program it and replace it back on board etc, but I see this as pointless due to my firmware being of the locked variety, so if anyone has a knackered one of these 2500V's with the unlocked firmware, contact me and I'll arrange something.

In the meantime I will look into some other ways to pull out the firmware without resorting to a board rework.
Of course, I expect a little help from you guys too smiley for :)


rgds


jukeboxwizard - 13.06.06 7:31 am

Which brings me to another point Cor!!!

can you move that file into the public archive somewhere smiley for :lol:

rgds


cor - 13.06.06 5:06 pm

jukeboxwizard said..
I thought BT had smothered ya in legal claims for a moment there

That was the first thing that crossed my mind, too, jukeboxwizard! smiley for :lol:

So, the 2500 is a re-branded Dynalink RTA1046VW Mark II, excellent news! Hopefully it should only be a matter of time before its firmware can be adapted. (Giles, go for it!)

Hey! I found the file! (I forget about the uploads folder until someone reminds me!) and I've upped the images I got to the "circuit board" folder in the archives. The archive was truncated, strangely, so there's a couple missing (feel free to mail me the others). Also note, I reduced the pics to half size.

Thanks for all the info and images, jukeboxwizard, always appreciated. By the way, I can accept a gigabyte in my email, too, give or take.

DIGITALDAZZ, No, you can't upgrade the 2091 with future Dynalink firmwares, UNLESS you apply a hack similar to the one above. If they release a new firmware, I do hope someone does exactly that!

l*rz..

;o) Cor


patrick - 13.06.06 9:19 pm

Hello Folks -
thank you for the hack unlocking the 2091...
i have been following this site for a long while and sooo pleased there are excellent tech-minded people out there
just one question: i have managed to unlock the 2091, but it seems to refuse to run on wireless...

Any suggestions would be hugely welcome!

thanks
P


AoL_HaTeR - 14.06.06 11:46 am

@southwestcd - your text shows Function domainlock not found ... but you're supposed to be calling function domainLock (according to the text further up).

Check your capitalisation smiley for ;)


jukeboxwizard - 14.06.06 10:09 pm

Hey Cor...all done...check your email...


Alessio - 14.06.06 10:40 pm

Hi guys,
I haven't checked this site for a while, but you're really doing a great job here.

jukeboxwizard,

check this out for some ideas on the firmware- and let us know what's in the 2500 box

Once the 2500 is unlocked (it looks like it won't take long smiley for :D), shall we go for some exotic stuff with these routerz?

Cheers

Alessio


jukeboxwizard - 15.06.06 10:48 am

Ok, just for you Alessio !


Note: If you have problem with Backspace key, please make sure you configure you
r terminal emulator settings. For instance, from HyperTerminal you would need to
use File->Properties->Setting->Back Space key sends.


Main Menu

1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Reset to Default
12. Save and Reboot
13. Exit
-> sh


BusyBox v0.60.4 (2006.02.10-03:26+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# mount
/dev/mtdblock0 on / type cramfs (ro)
/proc on /proc type proc (rw)
ramfs on /var type ramfs (rw)
#
#
# cat /proc/version
Linux version 2.4.17 (michaelc@AskeyBrcmServer) (gcc version 3.1) #1 Fri Feb 10
11:19:28 CST 2006
#
#
# cat /proc/cpuinfo
system type : V2500V_BB
processor : 0
cpu model : BCM6348 V0.7
BogoMIPS : 239.20
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
#
#
# cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 14499840 13828096 671744 0 466944 3747840
Swap: 0 0 0
MemTotal: 14160 kB
MemFree: 656 kB
MemShared: 0 kB
Buffers: 456 kB
Cached: 3660 kB
SwapCached: 0 kB
Active: 1220 kB
Inactive: 6052 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 14160 kB
LowFree: 656 kB
SwapTotal: 0 kB
SwapFree: 0 kB
#
#
# cat /proc/modules
ipt_state 552 2
ipt_mark 364 1
ipt_limit 956 2
ipt_TCPMSS 2524 0 (unused)
ipt_REDIRECT 708 2
ipt_MASQUERADE 1380 1
ipt_MARK 668 8
ipt_LOG 3532 2
ipt_FTOS 972 0 (unused)
ip_nat_tftp 1784 0 (unused)
ip_nat_rtsp 5448 0 (unused)
ip_nat_pptp 1708 0 (unused)
ip_nat_irc 2360 0 (unused)
ip_nat_ipsec 37040 0 (unused)
ip_nat_h323 2672 0 (unused)
ip_nat_ftp 3192 0 (unused)
ip_conntrack_tftp 1676 0 (unused)
ip_conntrack_rtsp 8284 0 (unused)
ip_conntrack_pptp 3260 0 (unused)
ip_conntrack_irc 2828 0 (unused)
ip_conntrack_ipsec 20684 0 (unused)
ip_conntrack_h323 2060 0 (unused)
ip_conntrack_ftp 3932 0 (unused)
iptable_mangle 1900 0 (unused)
iptable_nat 19656 8 ipt_REDIRECT ipt_MASQUERADE ip_nat_tftp ip_nat
_rtsp ip_nat_pptp ip_nat_irc ip_nat_ipsec ip_nat_h323 ip_nat_ftp
ip_conntrack 22880 9 ipt_state ipt_REDIRECT ipt_MASQUERADE ip_nat_t
ftp ip_nat_rtsp ip_nat_irc ip_nat_ipsec ip_nat_h323 ip_nat_ftp ip_conntrack_tftp
ip_conntrack_rtsp ip_conntrack_pptp ip_conntrack_irc ip_conntrack_ipsec ip_conn
track_h323 ip_conntrack_ftp iptable_nat
iptable_filter 1708 0 (unused)
ip_tables 14624 14 ipt_state ipt_mark ipt_limit ipt_TCPMSS ipt_RE
DIRECT ipt_MASQUERADE ipt_MARK ipt_LOG ipt_FTOS iptable_mangle iptable_nat iptab
le_filter
bcm_usb 17920 0
bcm_enet 21208 2
wl 408752 0 (unused)
endpointdd 1080384 0 (unused)
bcmprocfs 14968 0
adsldd 136564 0 (unused)
blaa 8132 0 (unused)
atmapi 51952 0 adsldd blaa
#
#
# cat /proc/pci
PCI devices found:
Bus 0, device 1, function 0:
Class 0280: PCI device 14e4:4318 (rev 2).
IRQ 32.
Non-prefetchable 32 bit memory at 0x8000000 0x8001fff.
#
#
# ps
PID TTY Uid Size State Command
1 admin 2716 S init
2 admin 0 S keventd
3 admin 0 S ksoftirqd_CPU0
4 admin 0 S kswapd
5 admin 0 S bdflush
6 admin 0 S kupdated
7 admin 0 S mtdblockd
13 admin 2772 S -sh
55 admin 2916 S cfm
72 admin 2916 S cfm
98 admin 588 S pvc2684d
325 admin 2916 S sshd
326 admin 2940 S telnetd
329 admin 676 S dhcpd
333 admin 944 S bftpd
334 admin 2700 S tftpd
401 admin 2976 S httpd
403 admin 2712 S vodsl sipstart 3
407 admin 2712 S vodsl sipstart 3
408 admin 2712 S vodsl sipstart 3
409 admin 2712 S vodsl sipstart 3
410 admin 2712 S vodsl sipstart 3
411 admin 2712 S vodsl sipstart 3
419 admin 676 S dproxy
420 admin 2712 S vodsl sipstart 3
421 admin 2712 S vodsl sipstart 3
422 admin 2712 S vodsl sipstart 3
423 admin 2712 S vodsl sipstart 3
431 admin 1224 S pppd -c 0.38.1 -a 0.0.38 -u voyager2500v.u
438 admin 2712 S vodsl sipstart 3
439 admin 2712 S vodsl sipstart 3
440 admin 2712 S vodsl sipstart 3
441 admin 2712 S vodsl sipstart 3
442 admin 2712 S vodsl sipstart 3
756 admin 792 S upnp -L br0 -W ppp_0_38_1 -D
804 admin 3368 S iad
833 admin 3368 S iad
834 admin 3368 S iad
835 admin 3368 S iad
1089 ttyp0 admin 2952 S telnetd
1106 ttyp0 admin 2760 S sh -c sh
1107 ttyp0 admin 2772 S sh
1114 ttyp0 admin 2712 R ps
#
#
#

Bye bye. Have a nice day!!!


I also recieved an email back from Askey, telling me that there are "many" models of this router, and they have have variations in their firmware, suggested that the model number should be RTA1046VW-?? the ?? denoting which firmware should be in it I assume. I have replied to them telling them there is no such ID mark on the router anywhere I can see, and I have included some photos of the board refs and chips etc to see if they can id the router and supply the firmware....the saga continues...


jukeboxwizard - 15.06.06 10:55 am

ok, this is going to sound really dumb....prolly cos they are dumb questions to ask...

Does anyone here know the url for the upgrade page for the 2500V ?
or does anyone know of a way to sniff the ip address etc that the firmware is running off to in order to get the update details ?
I figure if we can spot that, then at least Andy could snag a copy of the latest "unlocked" firmware from BT themselves smiley for :)

I was hoping the ip_conntrack would show up something, but alas no...


rgds


DIBDAB - 15.06.06 12:40 pm

I have just got me a 2500v and a bit confused on how to crack it can some one help please.


bob2eyes - 15.06.06 1:23 pm

can anyone tell me another way to upgrade the firmware for a voyager 2091.
when i upgrade my screen goes white and does nothing and the lights on router dont go green. ive been tryin for ages please help

thnx


Skull - 15.06.06 1:24 pm

jukeboxwizard here is a link I found, http://www.voyager.bt.com/firmware_upgrades/btvoyager-one-click-fw-update, hope it helps


bob2eyes - 15.06.06 1:28 pm

can anyone tell me another way to upgrade the firmware for a voyager 2091.
when i upgrade my screen goes white and does nothing and the lights on router dont go green. ive been tryin for ages please help

thnx


mick - 15.06.06 5:05 pm

can anyone help me with bt2500v


jukeboxwizard - 15.06.06 9:52 pm

Thanks Skull, I got three different files from that link, trouble is I have no idea which is the upgrade for my router, one looks like an older version, the other two look like they could be mine, one lists _BBV the other _BTR anyone got any idea ?

On another note, if Andy is still with us, try using the web interface and clicking the upgrade button, don't upgrade though, click cancel again just in case it locks you in, if it says there is an upgrade available etc, it stands to reason that it's on the BT site somewhere, just need to find where....

Thanks again Skull smiley for :)


pudsam - 15.06.06 11:14 pm

jukeboxwizard,
Of the three files the BBV one is unlocked. I've flashed into the 2500V and connect to Plusnet OK. No luck with the BT Voice connection though.
pudsam


jukeboxwizard - 16.06.06 2:36 am

Thanks Pudsam, I was thinking that it may be that one myself, but really wasn't sure. The BT Voice stuff will require a SIP enabled service, I have the BT Broadband Talk thingy, but as they have failed to email me my number and password etc...I can't activate the damn thing to try it out, I'm sure though that as with all my experiences with BT kit, it will be rock solid quality. I'm curious about whether BT are doing something proprietory with their SIP stuff other than just locking it to their service, I guess it's all in the firmware..so to speak...


neiled - 16.06.06 1:18 pm

Just received my BT 2019 router and wondered 2 things, is there any intrusion detection settings on it as I can't see any and also I still have my 205 which from what I can gather is the better of the two but will I be able to run at 8mb with the 205 ?

Cheers

Neil


Macspeedy - 16.06.06 6:32 pm

Oh wise one !!!! please help I have a BT-Hub DV4212-BT and its gathering dust as im not with the fat cats at BT anymore. Id rather use aol but there modem is very lame being the voyager 105. please please please can you fix it for me to unlock my hub and use my mighty router once again !!!!!smiley for :lol: please ?



jukeboxwizard - 16.06.06 10:01 pm

Howdy all, Askey has finally put this to bed for me...here's the email I received back from them...

"Dear Sir/Madam,

According to the photos that you provide, and the serial number of it,
the exact model of this router should be our model named: RTA1048VW-D51

It is one of our ODM products for British Telecom,
the firmware is also particular made for them,
we are not be authorized and also have no rights to distribute the
firmware separately, please contact with your local dealer or BT directly to find the most suitable firmware for it.

Best Regards,
Askey tech support"


Personally, I think the model number is a typo, I think it's meant to be 1046VW...I don't see any manufacturer deliberately stamping the wrong model number on the main pcb...that coupled with the odm typo....tells me it's just that, a typo...but hey, at least we now know it's an RTA1046VW-D51...
I wonder why Askey didn't offer me a generic firmware though, I suppose it's because the router itself is made under licence as well as the firmware....the fight goes on....


Harry - 17.06.06 12:29 am

I've followed the update for the firmware but still no green light for the DSL or the INTERNET lights. There wasn't any before the upgrade and there still isn't. Though the upgrade seems to have gone ok.
Is this then a hardware problem or am i missing some procedure?


bob2eyes - 17.06.06 9:38 pm

got the bt voyager 2091 firmware working but it wouldnt update using a gforce4 ethernet on board card
on asus motherboards i used another computer and all went well so if anyones having trouble upgrading the firmware try another computer

thx cor gr8 page keep up the good work..






8-)


bob - 13.10.07 3:49 pm

how do i open port 6112 for my warcraft 3 game?


btbaracus - 15.10.07 7:10 am

So how do you people find this sort of technical info out
are you telecom engineers or communications specialists?
it's handy to have this info to hand for future reference
Cheers people keep it up btbaracus[james,london] smiley for :eek:


cor - 15.10.07 2:28 pm

mainly just interested amateurs, though there have been a few specialists guesting on occasion. scroll around these pages, and their comments.

BTW, I have a load of firmwares and stuff I've been sent that need sorting, but no time! I'll maybe just make a dump folder and drop em in, no warantees, etc.

;o) Cor


HackerBob - 18.10.07 7:01 pm

Thanks, purchased a BT locked 2091 from Ebay...locking not mentioned of course! But thanks to your softwear, now free of BT....Thanks a million.
Bob


Talktalk customer - 21.10.07 5:26 pm

Just got given this old 2091 Router from a freind - Previously used the modem sent with talk talk, now i can configure the 2091 Router to operate wirelessly with any ISP - instructions where a doddle to follow.

Thanks (Saved me 80 quid or so buying a new router)

smiley for :D


vof - 22.10.07 10:43 pm

Good to see you - and the site - back! smiley for :cool:


cor - 23.10.07 11:40 am

Right back at ye, vof! smiley for ;)

Talktalk customer, HackerBob , story of my life, m8! smiley for :roll: smiley for :lol:

By the way, if any of you lot run Vista (even if you don't, I guess) I'm looking for beta testers for my new app..

http://corz.org/windows/software/checksum/

Beta version released this very morning. If interested, mail me soon.

l*rz..

;o) Cor


kabatia - 24.10.07 5:37 pm

http://corz.org/.../BT_Voyager_2091_Unlocked_firmware-v1.zip

I used above link to unlock my BT voyager to work on my tiscali broad band.....it works 100%


bozo - 30.10.07 3:37 pm

could someone please email me the firmwares source code if it is under GPL, how can i request it? or where can i download it online?

the link on this page doesn't appear to work.

i'm particularly interested in firmware for the voyager 2110 router.

any advice would be greatly appreciated.

Best Regards

0x7FFFFFFF [at] gmail.com


Geezer - 03.11.07 3:44 pm

Thanks for the great page. I couldnt get the hack to work for the 220. But the firmware unlocked it. Keep up the good work


cor - 06.11.07 1:25 pm

No problem.

Note: I managed to track down the most important of the firmwares that had been stockpiling in my mail archives over the last year, including an original pre-lock v1.6 BT 200V firmware.

This page had a wee update, too.

l*rz..

;o) Cor

sp. bozo, ask BT. If it's GPL, they have to send you a copy for no more than a minimal fee (Post+Handling+materials). I've got a few older GPL firmwares kicking around, even had a torrent going for a while, but I haven't seen anything for the 2110.


musiu - 06.11.07 4:28 pm

Hey,
I just got Voyager 2091 from my sister and trying to make it work with me, i've downloaded the firmware, and when i'm trying to flash it, the router configuration page refreshes and says :
cannot upgrade ...bla bla bla, file contains an illegal image .

Can any1 help me out ?? i would be greatfull


musiu - 06.11.07 4:53 pm

Hey its me again, I dont know why but the problem was the internet browser. The problem occured in OPERA but in IE7 the upgrading process went just fine.
THX the CORZ for all help.


defnotageek - 09.11.07 1:47 pm

I have followed your guidance and changed the VCI to 38 but the ADSL says it is either down, handshaking or training. Is it just a question of waiting or I have missed something obvious? (I have entered the talktalk user name and password supplied)
By the way, thanks for a great site with clear instructions....I will think of it as even better if I get my wireless router to work!


cor - 09.11.07 2:15 pm

And VPI to 0, I presume. Hmm..
What modem are you talking about?

;o) Cor


richnfruity - 12.11.07 12:33 am

for defnotageek
i had probs with talktalk and 2091
went dead after network upgrade
these settings have worked for me

Primary DNS server 62.24.199.13
Secondary DNS server 62.24.199.23
vpi 0 vci 38
mtu 1400


defnotageek - 14.11.07 2:16 pm

thanks for all your comments guys. I have got the router(2091) unlocked but talktalk doesnt recognise the user name and password that I have inputted. I changed it from admin/admin to the ones talktalk gave me but no joy. Any more clues?(I have changed all the settings to the ones recommended on here btw)
cheers


cor - 14.11.07 4:39 pm

You did disconnect the router before trying all this, right?
And your web browser isn't doing magic on the user/pass fields, no?

If yes/no, I'd reset* the thing and start again.

;o) Cor

references:
I mean, with a paper-clip



defbecominageek - 22.11.07 7:31 pm

Cor you legend. Reset the router and tried again and am now connected wirelessly to my unlocked BT router. Saved us a few bob and keeps the lodger happy too.
Keep up the good work,
;-)


jezza - 02.12.07 7:01 pm

I get that same illegal image message when trying to upgrade the firmware - using both Firefox and IE7... any suggestions? Have tried resetting the router etc


r@y - 04.12.07 9:08 pm

Is there a way i can change the MAC adress of my bt voyager 2500v router, we upgraded to a home hub router but when we moved house the router is too far from my room to get a signal so i now want to change the mac adress of the voyager to the same as the home hub so i can use it at the same time

if you have any ideas let me know

st_jimi[at]hotmail.co.uk


cor - 04.12.07 11:43 pm

jezza, clear your cache, and restart your browser, try again.

r@y, even if it were possible, it's probably not something you actually want to do. You can only have one gateway at a time.

Solution: Get a LAN. Wired, Wireless, whatever; but you only need one gateway to the internet. It feeds the LAN, and you are on the LAN. See?

;o) Cor


JamesE - 06.12.07 12:26 pm

I've just loaded my Voyager 210 with the firmware and it's now up and running not locked to BT. Wonderful. Now I can look for an alternative provider. This was a most necessary pre-requisite because the 210 is such a good and easy performer on my home network.


Nicky - 15.12.07 11:30 pm

brilliant! many thanks i can now connect to plusnet no problem. only problem is i cannot get wireless connection to work - does the firmware upgrade change the WEP key? if so is there a way i can reconfigure it? thanks again


Nugget - 18.12.07 1:11 am

After the java trick failed on my spare v220, I tried the newer firmware upgrade, that bricked it. Just as well I didn't use that router normally :P

Any chance of a program/telnet code to force new firmware onto it?


Suttons - 19.12.07 1:38 am

How do u get the 2091 to operate in "BT Turbo" mode for wireless ? I'm using a compatible BT 1055 USB WiFi adapter.

Cheers



martin - 23.12.07 4:33 pm

Solution perfect, but my 2091 is unableto connect to aol. Now is dynalink menu inside, I put login and user name to login screen, and nothing, back tu main menu, also its some wizzard connection and freezing on second page. Any idea ?
thanks guys.
Merry Christmas


banjo - 01.01.08 11:16 am

Please could you tell me if the bt voyager 190 can be used wireless, or gives out any wifi connections. do i need a wep number. or is it safe to use



KB - 04.01.08 8:14 pm

WILL MY BT VOYAGER WIRELESS ROUTER 2091 WORK WITH ANOTHER ISP (TALKTALK)? I BOUGHT IT FROM A RETAIL SHOP AND NOT DIRECTLY FROM BT. ANY ADVICE PLEASE.


Martin - 07.01.08 8:48 pm

Yes. Just do step-by-step how to unlock this simple BT 2091. My working perfect now with Tiscali, and AOL, but AOL is realy the bigest sheet in UK.


john - 12.01.08 4:35 pm

I done everything that was said and i tryed to upload the firmware and it said cannot upload it as it contains an illigal image. please can someone help me please.


hopskip - 13.01.08 7:51 pm

How can I find out the BT Broadband Talk SIP settings on the BT Voyager 2500v?


BlackRussian - 14.01.08 1:58 am

Great fix, thanks guys!

Just bought a second hand 2091 Voyager, the guy hadn't told me it wouldn't work with a non BT line - you saved my bacon!! Brilliant hacking and easy to follow instructions!

Thanks,
BlackRussian


renato - 15.01.08 1:37 pm

hi, how do i know witch is exactly the model of mi router, there are no names or inscriptions, does not have usb or wireless port.


::FrAnTiK:: - 17.01.08 2:29 am

i recently bought a bt voyager 190 modem and understand that i need it unlocked to be able to use it with other isps.
what i need to know is how do i unlock it, i have downloaded the firmware hack from this site but i am sorta stuck now as what to do with it, how do i unlock the modem with this hack, a step by step explanation of the unlocking procedure would be brilliant.
sorry for the noobish question lol!

::FrAnTiK::




mick - 17.01.08 5:27 pm

trying to set an BT voyager 2110 wireless adsl router up to bridge as I need to connect to my office network and it seems i can only do it bridging. had no problems with old Zykel adsl router but only received the 2110 yesterday and cant get it working


Lucas - 22.01.08 5:51 am

Hi there!

I have got same problem as MArtin:

"Solution perfect, but my 2091 is unableto connect to aol. Now is dynalink menu inside, I put login and user name to login screen, and nothing, back tu main menu."

I have tried at least 3 times, did every thing from the begining, reset router few times, set ips, gateway etc. and nothing! can't connect to the aol. it showing me internet connection in 30sec....5sec.... and coming back where my user and pass is.

I have got kwnoladge about computing, network and communication as I'm on Netowrk support course, but can't find solution for this :/

Can any one help? Have any one resolve this problem?

Waiting for help, and thx in advance!


mark - 25.01.08 8:43 pm

Hi. Have just got a 190 uploaded new firmware now unlocked but is there a way of changing the modems mac code ? by useing a programe or telnet ect.
cheerssmiley for :idea:


Mike - 04.02.08 6:46 am

I have uploaded the firmware to my bt 190 modem and I am having problems routing all incoming traffic to my IPCop (firewall) box which it is connected to.

I have disabled uPNP and have setup a port forwarding rule for all traffic on any protocol to be forwarded to this box.

Anytime I try to connect to it I am presented with my modems management page.

If you can help me i would be really grateful

Mike


Si - 06.02.08 6:34 pm

Excellent information, super easy to follow, thanks for giving me the chance to use a piece of hardware that's been lying around, instead of having to bin it.
Cheers
Si


Pookie - 10.02.08 1:35 am

I've been trying to get a bt voyager 220v router to work with my tiscali account. I tried the javascript method, but the quick start menu would just keep coming back to the same menu for login details after going to a connecting... page for a minute or so. Still would not connect to the internet.

So i tried the firmware update. Now the router is continually connecting and disconnecting to my ethernet card. The power light is red all the time, and the phone line light comes on and off without a phone attached (not previously on).
Is the router now 'bricked'/useless?
Can anyone help?


colin - 13.02.08 5:45 am

Hi,
Can someone tell me how to unlock my bt voyager 2500v to work with any isp
Many thanks
Col


ryooda - 19.02.08 1:12 pm

col, check out the main page. It's up there!

Mike, maybe it has a bridge mode you could use.

MArtin, Lucas - is the vpi/vci setting correct?

Great page, thanks!!


digitaldazz - 25.02.08 1:46 am

Hi Cor,

I hope you can help me, I am trying to update the unlocked firmware on my 2091 which has the 1025w firmware on. I have obtained the updated firware and am trying to calculate the checksums as described in the process. but the first checksum area includes both checksums.

how does this work?

I am using xvi32 to calculate the blocks of checksums.
but cant seem to get it right?

Cheers



steve - 26.02.08 8:17 pm

Hi all, Just want to say Thankx. The firmware you cracked for the voyager2091 worked sweet as a nut!. You are a STAR!!.


MacMic - 26.02.08 11:11 pm

I'm new here and very impressed by the clever stuff I'm seeing. I don't know whether my question is too easy or too hard (or maybe just off-topic!).

I have just had my dead Voyager 205 replaced by a 210. The downside for me is that I used to use the Ethernet connection for a wireless transmitter and the USB connection to a (non-wireless) Mac. Reading the specs, I see that BT only have a USB driver for Windows not Mac. Any suggestions for an easy work-around?

Thanks for any help,

MacMic


cor - 28.02.08 11:09 am

digitaldazz, dunno dude, I never did do a lot of actual firmware hacking, I was more at the blowing-them-up end of things. Perhaps Alessio or someone might know, though. If you haven't cracked it yet, and want to send me your mail addy, I could pass it along, or just prod a few peeps, perhaps.

MacMic, add a switch, maybe; plug everything into that. You know, life would probably be a lot easier for you if you splashed out on a proper wireless-enabled router, or better yet, used something like (the wonderful and totally free) IPCop, and a regular broadband modem.

IPCop works like a router, only better, and because it's a real puter, you can plug *anything* into it; Wi-Fi dongles, whatever you like, expanding and customizing it your exact requirements; of course, it works right out of the box, too, just like a black-box router. An old laptop (even one with a broken screen) and an IPCop CD, is all you need.

Mike, it's always good to see another IPCop user. But now you have too much functionality. What you really need is a plain old modem, not some funky router. ryooda is right, a bridge mode (if the 190 has one) would make the router act like "just a modem", which is exactly what you need. This..

http://www.voyager.bt.com/wired_routers/voyager_190/downloads/BT%20Voyager%20190%20product%20specifications.pdf

seems to suggest its doable.

;o) Cor


MacMic - 28.02.08 11:35 pm

Thanks for the response, Cor. I'm getting a switch for now and will maybe try something more advanced later.

I had thought that since there already seems to be a Linux driver for the 210, maybe for the Mac OS X Unix system there would be something similar around.

Thanks,

MacMic


cor - 29.02.08 9:40 am

BT's OSX support is almost non-existant these days, except where the modems is manufactured by others (i.e. Thomson). I guess they expect if you are advanced enough to be using an OSX-capable Mac, you'll also be using Ethernet or WiFi.

I tend to agree, USB is for keyboards and cameras!

;o) Cor


digitaldazz - 29.02.08 5:51 pm

Thanks Cor, but I managed to create a new firmware for the 2091 with the latest 1025w firmware. The checksum description in the how to is a bit wrong. If your interested it should be written;

Bytes 0 to 236 are the file header of which bytes 216 to 219 are the checksum for the data part which
is at bytes 256 to EOF. To calculate the checksum, first you must make the CRC32 of bytes 256 to EOF,
you'll get something like 3A63B72E - convert it to binary, flip the bits then convert back to hex.

CRC32 3A63B72E 00111010011000111011011100101110
flipped C59C48D1 11000101100111000100100011010001

Using some hex editor like Hex Workshop, over type bytes 216, 217, 218, 219(This doesnt change so you can skip this first checksum!). Next make a CRC32 of bytes
0 to 235 and use the same bit flipping method as above. Then over type bytes 236, 237, 238, 239. Once you have
done this and saved the firmware image, you are ready to flash your router.

Cheers

Dazz

PS if you want a copy of the 3.30j firmware just email!


cor - 03.03.08 2:15 pm

Good work, Dazz! Of course I want a copy! I'll mail you.

About the how-to; are you certain that the instructions aren't correct for the older versions of the firmware? In other words, things may have changed, internally.

In that case, I'll put up both sets of instructions. However, if you (or anyone) know that the old version is definitely wrong; for old and new firmwares, I'll remove it, and put up only yours.

Anyways, nice one!

;o) Cor


el es - 17.03.08 12:11 am

Just have successfully... bricked (?) my 2091 :( It only lights up the wireless led (green) the DSL (green) and power (red) and stays so. Reset button does not work. Could it be because of uploading the firmware via wireless ? I don't think so, anyway, the router has said just before rebooting, that the firmware was received correctly... and just didn't show up again. Reset to factory defaults (holding the reset button for up to 30s) does nothing. Only three lights are lit and that's the end of story.

Or is it ?


cor - 17.03.08 3:09 pm

el es, yup, uploading firmware via wireless sounds way too risky to me. As for de-bricking it, dunno if anyone has managed that with a 2091.

Och well..

;o) Cor


Daniel - 21.03.08 5:39 pm

Hi,

How do i use the firmware for the bt voyager 190 ADSL?
Please email me instructions. danielgtrindade@gmail.com


Daniel


Dennis - 22.03.08 3:46 pm

Hi, am trying to unlock my bt voyager 2500v no joy useing your mode any help would be appreciated.
Dennis


paul - 23.03.08 6:21 pm

hi there, im having a problem with a bt voyager 2100, i purchased this off ebay, ive connected to the net fine using the config manager and my username and password, but for some reason i cant change any of the settings in the config manager page 192.168.1.1, its asking me for a user anme and password but wont acept mine. i only want to security enable the router as its currently set to an open network,

any ideas on what the problem is and how to fix it?
much appreciated
paul


rejake2 - 24.03.08 3:57 pm

:A great site smiley for :D


Gregory - 31.03.08 3:13 pm

the firmware for BT Voyager 220v worked a treat alough the first firmware update got erased because the BT Voyager 220v can automatically update it's own firmware so discovered an a cracked firmware update 3.30m not shure whate it is because I havent looked at the router webpage for a while but everything is working fine. Just a nother thing is what are the parmeters id and password for setting up broadband voice so that I can connect my sky box to skyhq via way of the BBV connection.


The Creeper - 05.05.08 3:41 pm

just bought voyager 2110 for £2 off a strange man, having difficulty cracking it open, am on tesco broadband.
any ideas where am going wrong? i changed the vpi/vci to 0,32 from 0,38 username and password are correct but it keeps training then says ready to connect, i hit 'connect' and it cycles round to tell me am ready to connect. bloody thing.

anyone out there got a clue????smiley for :lol:


cor - 06.05.08 1:14 pm

The Creeper, I assume you applied a hacked firmware of some kind. If not, you have no chance. If so, can I have a copy for the archives, please?

;o) Cor


yippee - 06.05.08 4:34 pm

Just unlocked my Voyager 2091!

Much appreciated, good work!

smiley for :D


cor

I don't have the time, nor inclination to remain in this loop.

IPCop, all the way baby!

Thanks for all the comments!

;o) Cor


Posting here is disabled at this time.

Welcome to corz.org!

If something isn't working, I'm probably improving it, try again in a minute. If it's still not working, please mail me!