Decrypting sw



jvvh5897
08-11-2014, 09:54 PM
Not sure if anyone is interested, but just finished a project to get a tool working to decrypt the sw in some of these openbox models. Works on the f2 and 3, some of the x series too from what a report says.

hondoharry
08-12-2014, 03:33 AM
I got a few of those boxes. What can be done with the decrypted sw?

zelig
08-12-2014, 04:00 AM
Possibly similar to the anonymousx approach to the s9/s10 with his tweaks, maybe somebody will come up with modded firmware.

jvvh5897
08-12-2014, 10:54 PM
Well, you can mod things in the code in a variety of ways. Change remotes, dump RAM contents, modify colors, modify text, modify menus (to an extent). One person thinks that a beep for Q reading is a good thing to have and some boxes do and some do not have that--it might be possible to add it. There is one guy that likes to load other box's files into his and see what works and what does not--he can't load the encrypted ones, but might be able to load ones that he runs through decrypt. Testing is testing--one does what one is interested in.

zelig
08-12-2014, 11:22 PM
One South American hacked firmware is very close to working on the openbox s10, but the tuner doesn't work. Another is hacked but is pal only, not ntsc. My attempts would be with ones like that, possibly comparing decrypted firmware that works with the almost ones. As a matter of fact most euro firmware would be a delight except for the tuner/front panel not working.
My s10 has globo hd x100 firmware loaded, but the front panel doesn't work and the tuner works in reverse; V transponders scan as H and vice versa.

jvvh5897
08-15-2014, 05:04 PM
Tuner not working might be as simple as what I/O line was used to reset the tuner, but it could be that they used different chips in the tuner and some of the code would have to be re-written to make it work. In the past I found that lots of info about tuners could be found from the Linux drivers for tuners that they support. You can compile code for the Ali based boxes with gcc optimized for mips. So, if the tuner routines were found, you might be able to hack the code to call your compiled code from Linux driver info.

I did find in s16 code disassembly where they read the Q and S info, so I might be able to trace back to the routines used to communicate with the tuner and I know the routine to toggle the H/V line from the factory test, so have some idea of how to control I/O lines. And also in the factory test is the routine to set the processor register that turns on the pattern test--I bet the NTSC/PAL option is just a processor register too--maybe just a single bit of one register--so could be a pretty easy fix if enough is known of the processor and the disassembly.

But, maybe first step would be to figure out if the tuners are the same or different--find pics of the insides of boxes and see if you can spot the tuner ID number or request someone pop open the tuner covers and read off the chip ID numbers for the box's files you wish to use and see what you have in your box as well. Learn to disassemble code for your box and find the I/O line control and figure out which are for the tuner. I'm willing to lend a hand with disassembly if you post where to find files that you are interested in--best to start with your box's file.

iq180
08-15-2014, 09:37 PM
S16 tuner has a green sticker on the side.

GST GS4A-30
DVB-S2 TUNER
S4A30 CE293

zelig
08-16-2014, 04:18 PM
Sometimes just the writeup on the receiver specs will mention the tuner type, like sharp 7306, or mention the tuner in the maincode itself. The openbox without any sat signal will show a signal strength of around 45%, the obvious bad firmware will show 35% or less.
I would say maybe using a different io line on the ones that are close to working.

http://wenku.baidu.com/view/7c74850003d8ce2f01662305.html

zelig
08-16-2014, 04:30 PM
There are examples of old s9 firmware that we know how to decrypt, but the receiver fails the hardware check of the security chip on boot and you just get -- on the front panel.
My first project may be to attack that to bypass the hardware check, then see if everything else then works like tuner and front panel. Then we would have a good unencrypted maincode to compare the euro firmware against.

jvvh5897
08-16-2014, 07:19 PM
Well, I took a look inside the old disassembly of s16 code that I did and compared what I see to the Truman code that comes with part of Ali SDK and then to newer disassembly I did for the f series decode--looks like PAL setting might be part of the system configure routine. As part of system configure, the default date is set--in Truman code it was 1/1/2005, in both openbox it was 11/1/2010 if I found the right code in all these--you might look at the EPG date if you start up the box and don't have any signal. The reason that is interesting is because the default video mode is set in system configure too--might mean that all you have to do is find the right instruction in that set to change from PAL to NTSC.

Also inside the two openbox main code, you can find the NIM tuner type w/M3501 and I think both are also using the av2011 chip. Newer Ali chips have the decode chip as part of the processor, so I would think finding M3501 support would be needed for the old box to have any chance of tuner working. The av2011 is the front end chip--the s16 code did have a string for that chip, the f code did not. I have another HD box (not openbox) that has the av2012 chip as front end and a diff decoder chip, but that box is a weird one.

zelig
08-16-2014, 07:55 PM
The sabbat_ota_loader_090720.rar as mentioned on another site has interesting bits of code that may be useful.
I will be away from home for a while so I can't start playing right away.

http://db-pl.2ap.pl/blue/index.php?&direction=0&order=mod&directory=TakieTam

zelig
08-16-2014, 08:05 PM
The euro firmware on the diagnostic screen lets you type in the code 98760, which kicks you into a screen that lets you read/write registers and read/write i2c bus registers, but that feature is disabled on the openbox s9/s10.
I don't know about the s16. If you knew what registers to look at/play with, another interesting feature.

jvvh5897
08-17-2014, 07:33 PM
I picked up http://www.satfix.net/showthread.php?140545-OpenBox-S9-S10-America
to see how the file is encrypted. Seems there is only main sw and no seecode, main sw is encrypted. If you XOR the first 0x10 bytes or so with FF, you get something that looks like it is close to clear code, but not quite. There is 0x1000 bytes following the main code that also has FFs for the first 16 bytes or so. It might be that the array is used to decrypt the lzma compressed code, but not all that sure of how or if that is true. Haven't found the code that would do that in the boot by looking around the same locations that I did in that skybox file--sort of looks like by the time the code gets to that spot, the code would have had to have been decrypted.

I just picked up http://www.satfix.net/showthread.php?119164-s9_s10_s11_s12_OPENBOX-UPDATED-FILE-9-23-12
as the oldest file here to see if it was much different.

jvvh5897
08-19-2014, 07:10 PM
It took a little looking around but I finally think I've found how the s9/s10 files are encrypted. Seems it is just a 0x100 byte table that is used to look up the real bytes to use. Hard part is getting the table--they start by writing the location value into the array, i.e., 1st byte has 0x00 in it, 2nd byte 0x1...last byte 0xff. Then they scramble the first 0x10 values around and then invert the array so that if the file has 0xff as a value, you look at the array position ff and see 0x00 there, value 0x93 gets 0x6c--so just about the value you get if you just XOR with FF or NOT the value, but with a few scrambled bytes here and there. At least that is what I've figured out so far, there is a far more complicated step in mixing up the array after that--still have to get that one right.
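An added example (not jvvh5897's decrypter and not code from the thread) of the table construction described in that post: identity table, a permutation of the first 0x10 entries, then the array reversed so that a file byte indexes straight to its plaintext. The permutation used here is a constructed placeholder, and the "far more complicated" later mixing step is left out because the thread does not describe it; the point is to see why a plain XOR with 0xff gets most bytes right and exactly which cipher values it gets wrong.

```python
# Added example, not the poster's tool. SCRAMBLE is a CONSTRUCTED permutation
# of 0x00..0x0f (swaps 0x03<->0x0a and 0x05<->0x0c); the real one is unknown.

IDENTITY = list(range(0x100))

SCRAMBLE = [0x00, 0x01, 0x02, 0x0a, 0x04, 0x0c, 0x06, 0x07,
            0x08, 0x09, 0x03, 0x0b, 0x05, 0x0d, 0x0e, 0x0f]


def build_table(scramble=SCRAMBLE):
    """Entry i starts out holding i; then the first 0x10 entries are permuted."""
    if sorted(scramble) != list(range(0x10)):
        raise ValueError("scramble must be a permutation of 0x00..0x0f")
    table = list(IDENTITY)
    table[:0x10] = scramble
    return table


def reverse_table(table):
    """Reverse the array: position 0xff now holds table[0] (0x00 when the
    scramble leaves 0 alone), position 0x93 holds table[0x6c] == 0x6c.
    For every untouched entry this is the same as NOT, i.e. 0xff - x."""
    return table[::-1]


def decode(data, lookup):
    """One lookup per byte: the file byte is the index, the value is plaintext."""
    return bytes(lookup[b] for b in data)


def encode(data, lookup):
    """Inverse mapping; only used here to round-trip constructed sample data."""
    enc = {p: c for c, p in enumerate(lookup)}
    return bytes(enc[b] for b in data)


def xor_ff(data):
    """The shortcut noticed earlier in the thread: XOR with 0xff."""
    return bytes(b ^ 0xff for b in data)


def positions_differing_from_not(lookup):
    """Cipher bytes whose lookup is not plain NOT; xor_ff() is wrong exactly there."""
    return [c for c in range(0x100) if lookup[c] != 0xff - c]


if __name__ == "__main__":
    lookup = reverse_table(build_table())
    sample = b"MC: APP Init OK"          # constructed plaintext
    enc = encode(sample, lookup)
    print(decode(enc, lookup))
    print([hex(c) for c in positions_differing_from_not(lookup)])
```

With a scramble that only touches the low 0x10 entries, the reversed table differs from NOT only at cipher values 0xf0..0xff, which is why the first bytes of a file XORed with FF look "close to clear, but not quite".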

zelig
08-20-2014, 12:09 AM
The old s9 firmware used a table in the bootloader section, from the beginning of s9 to around sept 2010, then they changed the encryption method to what you see in the later firmwares for s9/s10.
anonymousx made his own program to decrypt and as a tease it even had tabs for patching the front panel and tuner sections, but he never made the program public.
xor works on the 1st line until you get to the hex 80, that is the same as the unencrypted. A lot of the links to ali disassemblers are from 2 years ago and are dead, so I don't know what a good one would be for attacking the firmware.

jvvh5897
08-20-2014, 05:06 PM
It is a substitution cipher in the newer files--still uses a 0x100 byte array, so I'm guessing the old ones used that simple cipher system too, just hid the array in the newer files. I got it running--posted over at coder's corner of rookies to see how the guys there found it to run.
I used Ida Pro to disassemble the boot and find the code (eventually) but the version of IDA that I have does not do the mips16 in the boot well--I can get something good enough, but the un-disassembled instructions can be a real pain. The main sw is all mips32, so that is not really an issue in trying to mod code there. I can give hints, IDC's for IDA (for boot or main) or just post some of my results if any are interested--even have source code for a simple mips32 disassembler that I found on the web and fixed up so that my lcc-win32 compiler liked it--not great disassembler, but....

zelig
08-20-2014, 07:34 PM
The 1st anonymousx firmware release from dec 2011, just the maincode unencrypted and uncompressed.
Thanks to jvvh5897 for the tool.
It was the 1st firmware with hardware detection bypassed, so it would work on clones and receivers with the -- display on the front panel. I think it was based on the sept 2011 firmware for s10, s10 only.
He later came out with a version for the s9.

jvvh5897
08-21-2014, 06:37 PM
If any are interested in trying to mod the code here are some of the early steps I take:
Disassemble main with base address 0x80000200 as mips32 code. The code only is in the first half or so of the un-packed file, the upper part is data--I usually find the demarcation by finding a string and searching backward for the last addiu--"bd 27" is the byte sequence I search for and that is only the first two bytes of the instruction (you find a negative addiu on the stackpointer at the start of routines in most cases and a positive addiu at the end if there was one at the start). In IDA I have the IDC look for addiu and start disassembling if it finds one. I also have IDC search out strings in the data section, and special case the Unicode strings--Unicode strings are used in most menus and are grouped by language--I find the first one that is usually English and do a special search on it as many routines use the index of the string to tell code what to display. I usually find the "No FAV Channels" string and do some labeling in the routine that uses it--that way I get the basic OSD message display routines labeled--Zoom and Factory test OSD stuff I look for too. I find the MC: APP Init OK message and label the routine that uses it as APP init--you end up finding most of the device init in that routine--like the tuner init. I do a special search for the front end chip routine--it has some specific values so it is easy to find in most cases. By the time you get here, you have enough stuff labeled to look for project specific routines.

I find a routine of interest and mod to dump the stack out the serial port. I might mod to dump RAM out serial port using serial routines found in my labeling.

Anyway that is one way to do it.
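An added example (not jvvh5897's IDC script, and not code from the thread) of the first step in that post: finding the addiu $sp,$sp,imm instructions in a little-endian MIPS32 image and walking back from a string to the last frame-allocating one. The "bd 27" bytes are the top halfword 0x27bd of the instruction (opcode addiu, rs = rt = $sp) stored little-endian; decoding aligned words instead of grepping for the two raw bytes avoids counting data that merely happens to contain them. The image is constructed; the base address 0x80000200 is the one given in the post.

```python
# Added example, not the poster's IDC. SAMPLE is a CONSTRUCTED little-endian
# MIPS32 image: two tiny functions followed by a data area.
import struct

BASE = 0x80000200
ADDIU_SP_HI = 0x27BD   # opcode 001001 (addiu), rs = rt = 29 ($sp)


def addiu_sp(imm):
    """Assemble addiu $sp,$sp,imm as a little-endian word (sample-building helper)."""
    return struct.pack("<I", (ADDIU_SP_HI << 16) | (imm & 0xFFFF))


NOP = b"\x00\x00\x00\x00"
JR_RA = struct.pack("<I", 0x03E00008)   # jr $ra

SAMPLE = (
    addiu_sp(-0x20) + NOP + addiu_sp(0x20) + JR_RA + NOP +   # function 1
    addiu_sp(-0x18) + NOP + addiu_sp(0x18) + JR_RA + NOP +   # function 2
    b"No FAV Channels\x00" +                                 # string named in the post
    b"\xbd\x27\x00\x00"                                      # data that contains "bd 27"
)


def find_sp_adjusts(image, base=BASE):
    """Return (address, imm) for every aligned addiu $sp,$sp,imm. imm is
    sign-extended: negative = prologue (allocate frame), positive = epilogue."""
    hits = []
    for off in range(0, len(image) - 3, 4):
        word = struct.unpack_from("<I", image, off)[0]
        if word >> 16 == ADDIU_SP_HI:
            imm = word & 0xFFFF
            if imm & 0x8000:
                imm -= 0x10000
            hits.append((base + off, imm))
    return hits


def raw_hits(image):
    """Count of the unaligned two-byte pattern, for comparison with find_sp_adjusts()."""
    return image.count(b"\xbd\x27")


def last_prologue_before(image, offset, base=BASE):
    """Walk backward from a file offset (e.g. where a string was found) to the
    nearest frame-allocating addiu: the post's trick for locating the last
    routine before the data area."""
    for addr, imm in reversed(find_sp_adjusts(image[:offset], base)):
        if imm < 0:
            return addr
    return None


if __name__ == "__main__":
    str_off = SAMPLE.find(b"No FAV Channels")
    print(hex(last_prologue_before(SAMPLE, str_off)))
    print(raw_hits(SAMPLE), "raw byte hits vs", len(find_sp_adjusts(SAMPLE)), "decoded")
```

On a real main image the same scan runs over a few megabytes in well under a second; the prologue/epilogue pairing (negative then positive immediate of the same size) is also a quick sanity check that the disassembler's base address and endianness are set correctly.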

zelig
08-21-2014, 09:44 PM
The anonymousx firmware was supposed to be based on the sept 2011 firmware. There were 3 releases that month for openbox and 1 for skybox, which is basically the same thing but with a different boot logo. I compared firmwares but they are way too different just to do a byte by byte comparison. I have ida 5.5.0.925t in the archives but I don't know if that is good enough. Still trying to track down decompilers from buddies on euro forums.

zelig
08-21-2014, 09:49 PM
openbox s9 firmware from 4-4-2011 was the last firmware that did biss encrypted channels on 30w. There was only 1 release for april and the may 5th firmware was the 1st to have the lan manager support but biss stopped working from that release on. The rest of the world never complained so they must have tweaked the biss section to cater to euro providers. That is another side project I would like to look at eventually.

jvvh5897
08-22-2014, 03:47 PM
If your IDA has mipsl on the list of processors, it likely will do just fine. The IDA I use is very old.

I added azbox bravissimo South America to the list of Ali based box's files that can be decrypted.

zelig
08-22-2014, 05:08 PM
I found a book on ida v5.3 in pdf format, I will have to read that. A 4shared site has v6.1 but I don't know if it is hacked or not, a 100meg download.

jvvh5897
08-22-2014, 08:01 PM
Yep, with all the processors that IDA does and all the bells and whistles, it is pretty bloated. I don't think the old one I use was that big, but big enough. The source code and compiled program for just mips32 disassembler are about 40k bytes per--I'm guessing 30k zipped--you might want to pick up compiler like lcc-win32 too so add a few megs for that.

iq180
08-22-2014, 10:37 PM
If your IDA has mipsl on the list of processors, it likely will do just fine. The IDA I use is very old.

I added azbox bravissimo South America to the list of Ali based box's files that can be decrypted.
Have you looked at the Tiger T6 firmware, I hear it can be used on the S16 but part of the code needs to be changed.

zelig
08-22-2014, 11:05 PM
If your IDA has mipsl on the list of processors, it likely will do just fine. The IDA I use is very old.

I added azbox bravissimo South America to the list of Ali based box's files that can be decrypted.
Odd, that firmware I have isn't encrypted, just lzma compressed.
20130417 LED a.2.23755.abs
alitools.zip earlier in that thread was for the ariva 100 and uses the protection ic to decrypt via rs232 cable.

zelig
08-23-2014, 09:07 AM
I downloaded ida 6.1.0110409 but I have to figure out how to set the offsets.

jvvh5897
08-23-2014, 07:29 PM
I just tell IDA that I'm doing a new file, then drag and drop file into the main window. At the popup tell it that the processor is mipsl and click OK. Next window put in 0x80000200 in the ROM (middle) address line and then again in the lowest address line.

I've posted a mips IDC here before, but do have one that I've played with a little more--largely the fixes are simple things, the early ones had most of what really does the most work.

jvvh5897
08-23-2014, 07:31 PM
Have you looked at the Tiger T6 firmware, I hear it can be used on the S16 but part of the code needs to be changed.

If you post a link to a file, I could take a look. But I've never heard of that box so know nothing.

zelig
08-23-2014, 08:59 PM
Tiger actually had a model identical to the s10, I think it was the e100. I played with it on my s10 back in the old days.

ftp://tiger.satsale.net/tiger/FirmWare/

You will have to get your s16 going again.

iq180
08-23-2014, 10:53 PM
If you post a link to a file, I could take a look. But I've never heard of that box so know nothing.
http;//www.tiger-sat.nxx
I know it will load on the S16 as it is but it will kill the S16 if you don't mod it and that is a fact, I have a dead S16 from that firmware.

zelig
08-23-2014, 11:12 PM
The 3602 processor had code built-in to keep the rs232 port working even if the flash was corrupt or blank, I guess 3606 owners aren't so lucky, or the correct loader was never made. I think they relied on the 2.0.0f loader and not the 2.0.0c that had support files that matched the processor (eromclient.abs).

zelig
08-24-2014, 12:42 PM
I found ali sdk v2.0.0.5 in my archives but it is too old to do the 3602,
it only has m3327 m3355 in the processor choices.

jvvh5897
08-24-2014, 07:19 PM
I've found the SDK of some use in figuring out code, but not a lot of help. I've disassembled some of the compiled files for other boxes in the SDK stuff and found some helps there, but not a lot. Generally I just take a file apart and start looking at it, between strings and finding a few utilities you start getting a little info about what is happening and where--work a little more and you start getting some holes filled in. Eventually, you start making wild guesses and trying things. I find dump of stack contents tells you a lot. A dump of RAM helps. You can just use the same routine that sends out info on the serial port to dump stack. Ram dumps take a little more knowledge of how the serial port is used, but is not that hard to get going.

zelig
08-26-2014, 06:18 PM
I found a disassembly of 3601 code in the archives, but it's in html format and is like 60 meg size, which led me to the program disasmips win32, if that would be any help for us.
http://acade.au7.de/disasmips/disasmips.htm

jvvh5897
08-28-2014, 04:16 PM
I don't think passing disassemblies around is a good idea--a few megs of code swell to tens of megs pretty quick. But a list of labels for routines are only a few kbytes. You pick a disassembler, run code through it, then apply labels--that sort of thing can be done by qbasic as easy as with NotePad-like wordeditor, or build C or IDC to do it. Maybe share a few k here and there of commented disassembly, but anyone can run code through a disassembler.

zelig
10-07-2014, 02:18 PM
openbox s9/s10 maincode decrypter v8.7

zelig
11-01-2014, 06:25 PM
I found ali sdk v2.0.0.5 in my archives but it is too old to do the 3602
it only has m3327 m3355 in the processor choices.

v2.0.1.09 only has choices for platform i386 and m3327, I was told it does the 3602.

zelig
11-05-2014, 07:19 PM
You choose platform m3327 and it has another menu choice for chip, which has the 3602.
As part of the compiler process it also dumps a 70meg disassembly. Due to health problems I haven't really played with it yet.

zelig
06-03-2017, 05:00 PM
The pc I was using back then is dead, I have been retrieving stuff off the hard drive.