BT Home Hub Hacking - Hub Phone

On the hub side, the DECT radios appear to be a standalone sub-system driven by a separate microcontroller with hooks into code running on the main CPU. I may look into this stuff after the main board has been cracked open. As a side note, pressing the wireless assoc button appears to send random junk to the serial port - this is probably the same stuff sent to the phone over the charger serial link.

Inside the Hub Phone

Hub phone processor is similar to the ARM processor within the Hub so I guess we know the function of that processor now! Components of interest:

  1. DECT radio.
  2. A port of some sort. Pads and holes for some sort of plug?
  3. A similar port - perhaps JTAG? Connects to pins 1-5 of uC
  4. NXP PCD80721HL/B ARM Microcontroller
  5. EEPROM programming port. 1 = GND, 2 = Vbatt, 3=SDA, 4=SCL
  6. ATMEL 24C128N EEPROM. (I guess used for identity and perhaps NV settings - only 16k!)
  7. (I forgot this one in the pic - it's the small IC just north of the microcontroller) - ATMEL 45DB041D - 4-mbit DataFlash

Test Mode

To access test mode, hold down the top left "-" key whilst powering up the handset. The words "TEST MODE" will appear on the display. To access test mode functions, press a number. I'm not sure what most of them do:

  • 1 Causes the phone to display "TBR 6." This might have something to do with DECT testing. TBR 6 is the RF air interface test. OK key seems to lock the handset. Batteries removed and we're back online!
  • 2 Causes the phone to display "TBR 10." This might be related to DECT acoustic telephony test.
  • 3 Causes the phone to display "LOAD FLASH." Sounds interesting... This completely locks the device!
  • 5 Phone displays "CLEAR SUB?" Pressing OK here clears the DECT registration information from the phone and causes a reboot.
  • 6 Phone displays "SEL SLOT" Pressing a number here causes my handset to display "SLOT: 2"
  • 7 Phone screen dims slightly but nothing obvious displayed. Pressing OK seems to exit the testmode.
  • 0 Phone displays software version.
  • # Phone displays "Translation Items" Pressing OK quits test mode.