OpenWrt Forum Archive

Topic: BT HomeHub 3 A

The content of this topic has been archived between 17 Apr 2018 and 7 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello all,

I have ability to upload openWRT to BT HomeHub 3 version A (ARX186), but when I start openWRT it is braked on initialization of ttyLQT0-1. After initialization of UART and switching from eraly0 to ttyLQT0-1 it is show noise on the serial port. Do you have any ideas of right IRQs for UART initialization on Lantiq ARX168  processor ?

thank you.

(Last edited by Tormal on 8 May 2012, 16:44)

I have tried add support of BT Home Hub 3 version A to openWRT. I have modified uboot-lantiq package to add compilation u-boot.asc for that router with nand memory and able upload via com port to that router. After that I can upload openwrt image via tftp and tried to start. But I have some problems with kernel:

I still have problem described above, but I am avoid it but kernel command line: bootargs=keep_bootcon ignore_loglevel.

Currently I have another problem with init process start up. Kernel entering into free_initmem which execute platform depended code. And under that code kernel have a hangs. I have modified that routine to print memory addresses:

void free_init_pages(const char *what, unsigned long begin, unsigned long end)
<------>unsigned long pfn;
<------>printk(KERN_INFO "Freeing %s:  %x - %x\n", what, (int)phys_to_virt(PFN_PHYS(PFN_UP(begin))), (int)phys_to_virt(PFN_PHYS(PFN_DOWN(end))));
<------>for (pfn = PFN_UP(begin); pfn < PFN_DOWN(end); pfn++) {
<------><------>struct page *page = pfn_to_page(pfn);
<------><------>void *addr = phys_to_virt(PFN_PHYS(pfn));
<------><------>printk(KERN_INFO "Freeing %s:  %x page\n", what, (int)phys_to_virt(PFN_PHYS(pfn)));
<------><------>memset(addr, POISON_FREE_INITMEM, PAGE_SIZE);
<------>printk(KERN_INFO "Freeing %s: %ldk freed\n", what, (end - begin) >> 10);

I have added printk(KERN_INFO in cycle and before it.  And I have follow result now:

[    0.972000] Call free_initmem function
[    0.972000] Freeing unused kernel memory:  802eb000 - 808b4000
[    0.976000] Freeing unused kernel memory:  802eb000 page
[    0.976000] Freeing unused kernel memory:  802ec000 page
[    0.976000] Freeing unused kernel memory:  802ed000 page
[    0.980000] Freeing unused kernel memory:  802ee000 page
[    0.980000] Freeing unused kernel memory:  802ef000 page
[    0.984000] Freeing unused kernel memory:  802f0000 page
[    0.984000] Freeing unused kernel memory:  802f1000 page
[    0.988000] Freeing unused kernel memory:  802f2000 page
[    0.988000] Freeing unused kernel memory:  802f3000 page

After  802f3000 kernel print "early" and hangs.

Do you have any ideas about that ?

(Last edited by Tormal on 1 Apr 2012, 22:33)


could you post your uboot changes and serial port location?




I add images with serial port location on wiki page. But I am not understand best way how to I can share my patches for uboot-lantiq package for supporting that router.

(Last edited by Tormal on 10 Apr 2012, 11:14)

Amazing discovery, Tormal!  Thank you for sharing the info.

Would you mind clarifying the connections you illustrate in your wiki photos [1] please..

In your third photo (p3070007_small.jpg) [2]  there are four wires shown..

From left to right..

a grey wire with black heatshrink to pin #3 of SOT-89 (marked BCR)
a grey wire to solder pad that is CPU-side of unpopulated R69
a grey wire emerging from yellow heatshrink from other side of PCB
a loose red wire from other side of PCB.

What is their purpose?

cheers, a

[2] … _small.jpg

(Last edited by asbokid on 18 Apr 2012, 06:05)

From left to right..

a grey wire with black heatshrink to pin #3 of SOT-89 (marked BCR) - Power for ttl-usb converter 3.3V

a grey wire to solder pad that is CPU-side of unpopulated R69 - that wire on the air. I have used it for connect config pin to ground. That is enable UART booting mode. For upload u-boot.asc

a grey wire emerging from yellow heatshrink from other side of PCB  - that wire is TX from second image.

a loose red wire from other side of PCB. - that is ground for ttl-usb converter.

Thanks for the info, Tormal.

UART connection established:

ROM VER: 1.1.3                                                                                                           
CFG 04                                                                                                                   
ROM VER: 1.1.3                                                                                                           
CFG 04                                                                                                                   
ROM VER: 1.1.3                                                                                                           
CFG 04                                                                                                                   
ROM VER: 1.1.3                                                                                                           
CFG 04                                                                                                                   
ROM VER: 1.1.3                                                                                                           
CFG 04                                                                                                                   
ROM VER: 1.1.3                                                                                                           
CFG 04                                                                                                                   

Where can we find the u-boot.asc file?  Is it a generic one?

cheers, a

Tormal wrote:

For install openwrt to that router, that is not needed. Please see follow:


I would like to backup the flash contents first (it is a BT Business Hub 3.0 - same hardware as the HH3.0a but seems to have higher sync speed).  It is not clear why, so maybe exploring the original flash contents would explain.

cheers, a


You can use … SH-Unlock*,

to get console for openrg.
After that you can simple use dd option to make flash image on usb drive:

dd if=/dev/mtd0 of=<patch to usb drive>/mtd0

The mtd0 file  should be created on usb. They size should be 32MB !!!!! This is dump of current flash

Hi Tormal,

Unfortunately, the Samba exploit won't work on the Business Hub 3.0 (BH3.0)

It has been patched in the official BT/OpenRG firmware (Version for the BH3.0.

Do you have the .conf file for u-boot-lantiq to create a working RAM bootloader image for this ARX168 board please?  It is exactly the same board as the HH3.0a.

I guess the MMIO register settings for the ARX168 you reversed from the original NAND bootloader image?  Clever stuff :-)

cheers, a

Heh, thanks Tormal.

When I got back to looking at it, the UART ports on the two Hubs I was playing with had died :-(  Completely dead.  However, both boards  still boot okay, so it looks like it's only the UART ports.   Hmm.. it's a surprise because I used a reliable PL2303 USB-UART bridge. In fact, I used a different bridge-cable for each board, so it can't be the cable.

I'm 99% sure the soldering on both boards was (and still is) okay.  So maybe there should have been series resistors on the output gates to limit the current.   Maybe that is why btsimonh reported several other bricked boards?  Not a fault with the soldering as such, perhaps the gates just burned out?!

cheers, a

As I remember, that converter support two modes 5 and 3.3. Please be sure that you use 3.3 V mode.

Also on my converter I have problem with using serial port if I install cable in computer while router is off.
So may be this help for you:

1. Detach usb cable from computer usb port.
2. Turn on router.
3. Attach usb cable to computer port
4. Try use serial port terminal.

Any tips on appropriate equipment and the technique for soldering to the tiny points on the PCB?

I've soldered before but nothing as tricky as this appears to be.

@j8soot: my experience is: the smaller it gets, the more generous I have to be with the flux. This way I've been soldering already some smd chips (down to tssop packages) with a regular 15 or 20 W soldering iron.

Thanks MBS.

For now I tried with an old HH2.0B and I successfully soldered the serial wires (the solder pads are big so it was easy to do) and now I have it running OpenWRT.

I only know the basics of soldering and while it works I probably don't do it the best way. I have looked for videos showing how to solder onto tiny pads like is required to add the serial wires to the HH3.0A but I haven't been able to find any yet. I will need to practice on tiny pads first but I also must buy more solder and a couple of other things so will do that soon.

Because I only know the basics I would appreciate a list of tools and materials used and a brief step by step list of what to do to attach a wire to a tiny pad using flux and solder.

I'm using some flux gel, that's very easy to apply. When soldering wires to pads, remove 0,5-1,0 mm of the isolation of the wire, apply some flux on that wire end and heat it up on the solder iron with a bit of solder added until it turns silver. Then put some flux on the pad, a bit solder on the tip of your solder iron, hold the wire on the pad and press with the tip of the solder iron on it for 2-3 seconds.
Just don't get too much solder on your tip (a thin film is fine, but no drops) and use plenty of flux.

I'll make sure to also buy flux gel and practice it. Thanks again MBS.

I finally received everything and have soldered the serial and it is working.

I used kapton tape to align the wires and with a small magnifying glass I soldered the wires to the pads. I still don't think I managed it like a soldering pro and the wires I used weren't as small as I probably should have used but I did take my time and was careful. At first I attempted to solder to the pad next to the white component but I think it was impossible because it did not have solder on it so I tried the pad above which did have solder on it and it worked.

The flux gel was a big part of my success so thanks again MBS!

Also for me the pad above R21 is RX and the pad above R39 is TX which is the opposite of what is labelled in the picture.

To backup the flash before installing OpenWRT:

1. Gain SSH access
2. Do the command 'system shell'

# dd if=/dev/mtdblock0 of=/mnt/<path>/mtdblock0.bin

For me the path is fs/B and when I do the above:

/ # dd if=/dev/mtdblock0 of=/mnt/fs/B/mtdblock0.bin
65536+0 records in
65536+0 records out
/ #

Is this correct?

And if I wanted to flash back to the backup how do I manipulate the backup image to be able to flash it using u-boot?


It looks like not correct command for nand flash dump. Please use follow:

dd if=/dev/mtd0 of=<patch to usb drive>/mtd0.bin

size of mtd0.bin should be 32Mb.

For returning  original firmware you can use u-boot nand write command

Thanks for the help Tormal.

The mtd0.bin and mtdblock0.bin are 32Mb however they do not contain identical data.

/ # dd if=/dev/mtd0 of=/mnt/fs/B/mtd0.bin
65536+0 records in
65536+0 records out
/ # ls /mnt/fs/B -l -h
-rwxrwxrwx    1 admin    root        32.0M Jan  1 01:07 mtd0.bin
-rwxrwxrwx    1 admin    root        32.0M Jan  1 00:04 mtdblock0.bin
/ #

They contain the same data until 01A38000 where mtd0.bin has 0xFF from 01A38000 to 01A3BFFF and the data after this appears to be what is stored from 01A38000 in mtdblock0.bin which appears to repeat in both images from 01A3C000. I did not compare further.

I will keep the mtd0.bin and investigate writing it using u-boot.

I have another Home Hub 3A and I've attached a serial to it but I can't break into u-boot. All I get from the serial is:

ROM VER: 1.1.3
CFG 06

ROM VER: 1.1.3
CFG 06
MC_DC15 0x0000014a
MC_DC21 0x00001542
MC_DC22 0x00001717
MC_DC24 0x00000068
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa3ffffff
DDR check ok... start booting...

I'm thinking perhaps I read some instructions somewhere on how to do it but I can't find it now.

What do I need to do to access u-boot from the serial?

Do you have shell access into openrg ?

If have you need remove silent from u-boot settings.

you need run follow commands under ssl_cle interface:

bootldr silent verbose
conf reconf 1

After that bootloader should be able to break.

Thanks Tormal, that was it.

Do you know anything about the BT GPL source for the HH3A?

Is it available and is it possible to use it to build a flashable image?