Make your own free website on Tripod.com


Unlocking BT 2Wire 2700HGV Business Hub (wireless router)

 

Contents > BT v5.29 firmware:

 

 

 


BT Provisioning Server Settings

Last updated: 29 Aug 2010 (Editing using FireFox 'Action' fix added)

 

This is Simon’s method for changing the provisioning server information on hubs running v5 firmware to protect against unwanted upgrades, and to enable enhanced services.

 

Considerations:

A 2Wire BT2700HGV running v5 firmware optimised using the following method together with appropriate adjustments to the wireless power, as described elsewhere, is a match for any wireless ADSL router on the market today.

 

v5 firmware can be amended to allow wireless power levels to be adjusted.

v6 firmware does not at the time of writing allow wireless power levels to be adjusted.

v5 firmware is bug free.

v6 firmware features some bugs reported elsewhere which makes it undesirable for most users nevertheless BT continue to roll out automatic upgrades to v6 irrespective of the user's ISP.

Some users have employed DNS poisoning to stop upgrades to v6, this has not always been successful.

Some v5 hubs don’t have enhanced services enabled, namely Firewall Monitor, Access Controls and Content Screening.

 

Applicable hardware:

BT2700HGV routers (BT Business Hub v2.0), hardware version: 2701-100589-005, dual SSID models:

Assembly numbers:

4201-003003-007
  4201-003003-008

This should also apply to single SSID BT2700HGV routers if they are running v5 firmware though this is untested:

Assembly numbers:

4200-003003-004
  4200-003003-005
  4200-003003-006
  4201-003003-006

 

Applicable firmware versions:

5.29.107.12 - fully functional BT firmware though features obsolete provisioning information. It does not feature the enhanced services, namely Firewall Monitor, Access Controls and Content Screening.

 

5.29.107.19 - fully functional BT firmware though features obsolete provisioning information*. Many units have enhanced services enabled though a v5.29.107.19 hub set up from scratch today would probably not feature enhanced services due to the obsolete provisioning information.

 *It is possible that some active v5.29.107.19 hubs have updated provisioning information and may be vulnerable to being upgraded to v6 firmware.

 

5.29.117.6 - the definitive BT v5 firmware fully functional BT firmware, features current provisioning information so enables the enhanced services upon set up though is very vulnerable to being automatically upgraded to v6 firmware.

 

 

Why change the ACS URL?

The ACS URL is the internet address of the hub’s main provisioning server, this can be found in Home/MDC > Provisioning Info > Server Set configuration. The image below features the generic 2Wire ACS URL which is the default in some other non-BT v5 firmwares such as the Singtel 5.29.117.3 firmware.

 

Editor's update ( Sep 09)  By changing the ACS URL to https://gw-5-29-117.cwmp.cms.2wire.com the following can be achieved:

v5.29.107.12 - Enhanced services can be enabled making this previously less desirable firmware version comparable with v5.29.117.6, if the ACS URL is changed to https://gw-5-29-117.cwmp.cms.2wire.com

v5.29.107.19 - v6 firmware upgrades can be blocked. Enhanced services cannot be enabled using the 2wire.com server if the firmware has been previously automatically updated to use the BT motive.com servers.

v5.29.117.6 - v6 firmware upgrades can be blocked.  Note that Enhanced services was/is only appears to be installable from BT motive.com servers.  Enhanced services cannot be enabled using the 2wire.com server.

 

 

Editor's addition (1 Sep 09):  We have no evidence to suggest that changing the ACS URL on a hub with v5.29.107.12 from https://cwmp.cms.smehomehubrms.bt.com to any BT  motive.com server will encourage the hub to upgrade to v6 firmware.

 

If you want to block all upgrades, change the ACS URL to 10.0.0.0.   Note that you may observe more warnings in the Detailed Logs.

 

 

BT have removed the ability to edit the RPC URL parameters in their locked v5 firmware.   These instructions can be used to temporarily re-instate the missing options in the MDC to enable the values to be edited.

 

USE AT YOUR OWN RISK!

 

 

 

 

                   

 

                   

 

 

 

                   

 

 

 

           

 

 

 

NOTE: The ACS URL change will be maintained after a reboot or power off though will need to be reapplied after a factory reset.   

                           

 

 


Editing using FireFox

(New 29 Aug 2010)

 

AndrewR wrote to advise he used FireFox instead of Opera to edit the ACS URL, but he encountered the error "Firefox can't find the file at /xslt".  His solution was to search for the word 'action' and amend the URL as shown below:

 

Amended HTML source containing full IP address of the router:

 

 

 


Default RPC URLs

Firmware acs_url Key code
SingTel v5.29.117.3 Recovery https://gw-5-29-117.cwmp.cms.2wire.com  
BT v5.29.107.12 Recovery https://cwmp.cms.smehomehubrms.bt.com (Note A)
BT v5.29.107.19 Official (Single SSID) https://cwmp.cms.smehomehubrms.bt.com  (Note 3)  
BT v5.29.107.19 Official (Dual SSID) https://cwmp.cms.smehomehubrms.bt.com 

*motive.com (Note 4 & 6)

528Y-27G4-A222-22BJ-B22V (Note B, C)

?

BT v5.29.117.6 Official (Dual SSID) https://pbthdm.bt.motive.com/cwmpWeb/CPEMgt

https://pbthdmw2.bt.motive.com/cwmpWeb/CPEMgt

*motive.com

52AN-2374-WHE2-22AZ-B27S (Note B)

528Y-27G4-A222-22BJ-B22V (Note C)

528Y-2374-A222-22BJ-B2QA

Use to Block firmware upgrades 10.0.0.0  

All 2Wire hubs use the same   css_url:        css://css.cms.2wire.com:3428

 

Note 1: Firmwares marked as 'Official' in the above table are for hubs which have this firmware either pre-installed at the factory, or was due to a previous automated firmware upgrade from BT servers.

Note 2: Firmwares marked as 'Recovery' in the above table are for hubs where a Firmware Recovery file has been manually installed.  I believe these firmwares were intended for use with Single SSID hubs but have been subsequently found to be compatible with later Dual SSID hubs.

Note 3: BT v5.29.107.19 appears to be the last official automated upgrade release for Single SSID hubs.  The firmware release was originally configured to use the provisioning servers at 'smehomehubrms.bt.com'.  It is unclear whether or not BT subsequently updated this firmware to use the newer servers at bt.motive.com prior to apparently withdrawing the old provisioning servers at cwmp.cms.smehomehubrms.bt.com.

Note 4: Alan possesses a spare Dual SSID hub with official BT v5.29.107.19 firmware installed (ser. no. 4207*).  He advised it is rarely connected to his ADSL line, so it has never undergone any BT automatic upgrades.  The ACL URL of this hub is 'https://cwmp.cms.smehomehubrms.bt.com'.   I bought a 'used' Dual SSID hub with same firmware (with earlier ser. no. 1607*) in 2008, but the ACL URL contained *.motive.com' - the same hub was later automatically upgraded to BT v5.29.117.6.  This suggests BT may have deployed a minor update in late 2007 or early 2008 to change the ACS URL to use the new motive.com servers.

Note 5: We believe the provisioning server 'https://cwmp.cms.smehomehubrms.bt.com' appears to be no longer active since mid 2008.

Note 6: Majority of these hubs should have been upgraded to v5.29.117.6.  But I am aware of late 2007 made hubs with v5.29.107.19 to exist on the BT business broadband network which have not been upgraded.

Note A: info supplied by Simon

Note B: info supplied by Alan.  Spare rarely used BT v5.29.107.19 (ser. no. 1207*) hub.  Actively used BT v5.29.117.6 (ser. no. 4207*) hubs.

Note C: info supplied by Andrew.  Sealed brand new/unused: BT v5.29.107.19 (ser. no. 3407*), BT v5.29.117.6 (ser. no. 9108*) hubs.

Thank you to all those who have contributed information to date.  It has become clear ACS URL may possibly be linked to the key code too.  There is initial evidence to suggest BT updated the ACS URLs on earlier active hubs prior to decommissioning the old servers.

 

 


Test results:

Using BT v5.29.107.12 Recovery firmware:  Simon changed the ACS URL to poll current BT Provisioning servers.  The Detailed logs returned various events including: “failed to build or validate cert chain”.

Using SingTel v5.29.117.3 Recovery firmware:   When I changed the ACS URL to '10.0.0.0', the event 'cwmd:  httpc_req_set_url parse error / badformat" repeatedly appearing in the Detailed Logs.  The 'Check for Upgrades' button on the 'home' page now fails to return a result whereas it previously reported v5.29.117.3 was the latest version.

Using BT v5.29.107.12 Recovery firmware:  Simon also reports the same results as 'Alan', but added '....the hub was connecting with the BT provisioning server, though indicating that no upgrade was due. The user certificate error could perhaps be due to the BT roll out strategy.'

(16 Mar 09)  Using BT v5.29.117.6 firmware:  In an attempt to block the BT v6 upgrade on newly acquired 4201-003003-008 hubs, a number of readers including Alan, Simon and Andrew have started testing the ACS URL change, pointing to 10.0.0.0. 

(20 Mar 09)  This is an unexpected result using BT v5.29.107.12 Recovery firmware:  Philips reports he successfully installed/enabled Enhanced Services onto his 4201-003003.008 hub.  Firmware history of his hub was  BT v5.29.117.6 (factory) > Singtel v5.29.117.3 > BT v5.29.107.12.   He changed the ACS URL to 'https://gw-5-29-117.cwmp.cms.2wire.com' and was using BT key code: 528Y-27G4-A222-22BJ-B22V.  

(24 Mar 09): Barry reports success with his 4201-003003-006 (HW version: 2701-100588-005) Single SSID hub using the ACS URL 'https://gw-5-29-117.cwmp.cms.2wire.com'.

(24 Mar 09): Using BT v5.29.107.12 Recovery firmware:  IDnet user, 'Alan', applied the 'https://pbthdm.bt.motive.com/cwmpWeb/CPEMgt' to the ACS URL last week.  Today, he has noticed his hub has Enhanced Services installed.  Using BT key code: 528Y-2374-A222-22BJ-B2QA.  The Detailed Logs continues to report this event 'cwmd: failed to build or validate cert-chain: depth=0, error=unable to get local issuer certificate'. 

(12 Apr 09):  Simon has been testing his Dual SSID hub with BT v5.29.117.6 pointing to 'https://gw-5-29-117.cwmp.cms.2wire.com' with no reported ill-effects.  Enhanced Services was previously installed by initially allowing the hub to connect briefly to 'https://pbthdmw2.bt.motive.com/cwmpweb/CPEmgt' server.

(11 May 09): Jon reports he is unable to install Enhanced Services on his newly acquired Dual SSID hub with BT v5.29.117.6 firmware when configured to use  'https://gw-5-29-117.cwmp.cms.2wire.com' server.  The hub has never been allowed to contact a BT provisioning server.  It appears Enhanced services may perhaps only be installable from BT motive.com servers.   Messages reported in the logs when attempting to connect to the 2wire.com server:

WRN 2009-05-09T07:58:55+01:00 cwmd: authentication has already been tried once and we still don't get in
WRN 2009-05-09T07:58:55+01:00 cwmd: session failed...

(14 May 09): Daniel reports he had no difficulties installing Enhanced Services on a Dual SSID hub (Assy no. 4201-003003-008) he had downgraded to BT v5.29.107.12 and ACS URL pointing to 'https://gw-5-29-117.cwmp.cms.2wire.com' .  He used Google Chrome to edit the HTML source code.

(18 May 09):  Leigh reports no difficulties installing Enhanced Services on a Single SSID hub (Assy no. 4201-003003-006) when using BT v5.29.107.12 firmware and and ACS URL pointing to 'https://gw-5-29-117.cwmp.cms.2wire.com'.

(1 Sep 09):  John reports his hub with v5.29.107.19 firmware reports similar messages by Jon on 11 May 09 when configured to use  'https://gw-5-29-117.cwmp.cms.2wire.com' server:

WRN 2009-08-31T18:47:08+01:00 cwmd: authentication has already been tried once and we still don't get in
WRN 2009-08-31T18:47:08+01:00 cwmd: session failed...

The hub already had Enhanced Services installed and previously used the BT provisioning server https://pbthdm2.bt.motive.com/cwmpweb/CPEmgt.

(30 Sep 09): Myself and JohnC have successfully installed BT v5.29.107.19 recovery firmware on Dual SSID hub (Assy no. 4201-003003-007) and enabled Enhanced Services by changing the ACS URL to use 'https://gw-5-29-117.cwmp.cms.2wire.com' server. 

 

 


Previous Page: Setting up the 2700HGV (BT v5.x firmware)             Next Page: Adjusting Wireless Power Levels on BT v5.x firmwares

Use 'Back' button to return to previous page or click here to return to main menu