Page 1 of 3 (results 1 to 15 of 39)

Thread: Decrypting sw

  #1 Decrypting sw

    Not sure if anyone is interested, but just finished a project to get a tool working to decrypt the sw in some of these openbox models. Works on the f2 and 3, some of the x series too from what a report says.

  #2

    I got a few of those boxes. What can be done with the decrypted sw?

  #3

    Possibly similar to the anonymousx approach to the s9/s10 with his tweaks; maybe somebody will come up with modded firmware.

  #4

    Well, you can mod things in the code in a variety of ways. Change remotes, dump RAM contents, modify colors, modify text, modify menus (to an extent). One person thinks that a beep for Q reading is a good thing to have and some boxes do and some do not have that--it might be possible to add it. There is one guy that likes to load other box's files into his and see what works and what does not--he can't load the encrypted ones, but might be able to load ones that he runs through decrypt. Testing is testing--one does what one is interested in.

  #5

    One South American hacked firmware is very close to working on the Openbox s10, but the tuner doesn't work. Another is hacked but is PAL only, not NTSC. My attempts would be with ones like that, possibly comparing decrypted firmware that works with the almost-working ones. As a matter of fact, most Euro firmware would be a delight except for the tuner/front panel not working.
    My s10 has Globo HD X100 firmware loaded, but the front panel doesn't work and the tuner works in reverse: V transponders scan as H and vice versa.
    Last edited by zelig; 08-12-2014 at 11:24 PM.

  #6

    Tuner not working might be as simple as which I/O line was used to reset the tuner, but it could be that they used different chips in the tuner and some of the code would have to be rewritten to make it work. In the past I found that lots of info about tuners could be found from the Linux drivers for tuners that they support. You can compile code for the Ali based boxes with gcc optimized for MIPS. So, if the tuner routines were found, you might be able to hack the code to call your compiled code from Linux driver info.

    I did find in s16 code disassembly where they read the Q and S info, so I might be able to trace back to the routines used to communicate with the tuner, and I know the routine to toggle the H/V line from the factory test, so I have some idea of how to control I/O lines. And also in the factory test is the routine to set the processor register that turns on the pattern test--I bet the NTSC/PAL option is just a processor register too--maybe just a single bit of one register--so it could be a pretty easy fix if enough is known of the processor and the disassembly.

    But, maybe first step would be to figure out if the tuners are the same or different--find pics of the insides of boxes and see if you can spot the tuner ID number or request someone pop open the tuner covers and read off the chip ID numbers for the box's files you wish to use and see what you have in your box as well. Learn to disassemble code for your box and find the I/O line control and figure out which are for the tuner. I'm willing to lend a hand with disassembly if you post where to find files that you are interested in--best to start with your box's file.
    Last edited by jvvh5897; 08-15-2014 at 05:09 PM.

  #7

    S16 tuner has a green sticker on the side.

    GST GS4A-30
    DVB-S2 TUNER
    S4A30 CE293

  #8

    Sometimes just the writeup on the receiver specs will mention the tuner type, like Sharp 7306, or the tuner is mentioned in the maincode itself. The Openbox without any sat signal will show a signal strength of around 45%; the obviously bad firmware will show 35% or less.
    I would say maybe using a different I/O line on the ones that are close to working.
    http://wenku.baidu.com/view/7c74850003d8ce2f01662305.html

  #9

    There are examples of old s9 firmware that we know how to decrypt, but the receiver fails the hardware check of the security chip on boot and you just get -- on the front panel.
    My first project may be to attack that to bypass the hardware check, then see if everything else then works, like tuner and front panel. Then we would have a good unencrypted maincode to compare the Euro firmware against.

  #10

    Well, I took a look inside the old disassembly of s16 code that I did and compared what I see to the Truman code that comes with part of Ali SDK and then to newer disassembly I did for the f series decode--looks like PAL setting might be part of the system configure routine. As part of system configure, the default date is set--in Truman code it was 1/1/2005, in both openbox it was 11/1/2010 if I found the right code in all these--you might look at the EPG date if you start up the box and don't have any signal. The reason that is interesting is because the default video mode is set in system configure too--might mean that all you have to do is find the right instruction in that set to change from PAL to NTSC.

    Also inside the two openbox main code, you can find the NIM tuner type w/M3501 and I think both are also using the av2011 chip. Newer Ali chips have the decode chip as part of the processor, so I would think finding M3501 support would be needed for the old box to have any chance of tuner working. The av2011 is the front end chip--the s16 code did have a string for that chip, the f code did not. I have another HD box (not openbox) that has the av2012 chip as front end and a diff decoder chip, but that box is a weird one.

  #11

    The sabbat_ota_loader_090720.rar as mentioned on another site has interesting bits of code that may be useful.
    I will be away from home for a while, so I can't start playing right away.
    http://db-pl.2ap.pl/blue/index.php?&direction=0&order=mod&directory=TakieTam

  #12

    The Euro firmware on the diagnostic screen lets you type in the code 98760, which kicks you into a screen that lets you read/write registers and read/write I2C bus registers, but that feature is disabled on the Openbox s9/s10.
    I don't know about the s16. If you knew what registers to look at/play with, that would be another interesting feature.

  #13

    I picked up http://www.satfix.net/showthread.php...S9-S10-America
    to see how the file is encrypted. Seems there is only main sw and no seecode, main sw is encrypted. If you XOR the first 0x10 bytes or so with FF, you get something that looks like it is close to clear code, but not quite. There is 0x1000 bytes following the main code that also has FFs for the first 16 bytes or so. It might be that the array is used to decrypt the lzma compressed code, but not all that sure of how or if that is true. Haven't found the code that would do that in the boot by looking around the same locations that I did in that skybox file--sort of looks like by the time the code gets to that spot, the code would have had to have been decrypted.

    I just picked up http://www.satfix.net/showthread.php...D-FILE-9-23-12
    as the oldest file here to see if it was much different.
    Last edited by jvvh5897; 08-17-2014 at 07:35 PM.

  #14

    It took a little looking around but I finally think I've found how the s9/s10 files are encrypted. Seems it is just a 0x100-byte table that is used to look up the real bytes to use. Hard part is getting the table--they start by writing the location value into the array, i.e., 1st byte has 0x00 in it, 2nd byte 0x01 ... last byte 0xff. Then they scramble the first 0x10 values around and then invert the array so that if the file has 0xff as a value, you look at the array position ff and see 0x00 there, value 0x93 gets 0x6c--so just about the value you get if you just XOR with FF or NOT the value, but with a few scrambled bytes here and there. At least that is what I've figured out so far; there is a far more complicated step in mixing up the array after that--still have to get that one right.
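As an added example (not code from the thread or from any tool mentioned in it), here is a Python model of the table scheme described in #14 together with the "XOR with FF looks almost clear" observation from #13. The order of the scrambled first 0x10 slots and the meaning of "invert" are assumptions: the thread does not give the real permutation, so a constructed placeholder is used and "invert" is modelled as complementing each entry. The point for a defender is that a fixed 256-entry substitution table carries no key, so it is obfuscation rather than encryption, and a handful of known bytes expose exactly which slots deviate from a plain NOT.

```python
# Added example, not code from the thread: a model of the byte-substitution
# scheme described for the s9/s10 main code (identity table, first 0x10 slots
# scrambled, then inverted) plus the "XOR with FF is almost clear" check.

TABLE_SIZE = 0x100

# Constructed placeholder: the thread only says the first 0x10 values are
# scrambled; the real order is unknown, so this permutation is an assumption.
PLACEHOLDER_SCRAMBLE = [0x0B, 0x03, 0x0E, 0x00, 0x07, 0x0A, 0x01, 0x0D,
                        0x05, 0x0F, 0x02, 0x08, 0x04, 0x0C, 0x09, 0x06]

# Constructed sample plaintext; bytes 0xF0-0xFF land in the scrambled slots.
SAMPLE_PLAIN = b"\x00\x01MAINCODE\xff\xf0"

def build_table(scramble=PLACEHOLDER_SCRAMBLE):
    """Identity table, scramble of the first 0x10 slots, then 'inversion'."""
    table = list(range(TABLE_SIZE))        # 1st byte 0x00, 2nd 0x01 ... 0xff
    table[:0x10] = scramble                # scramble the first 0x10 values
    # "Invert" is modelled as complementing each entry (assumption): position
    # 0xff then holds 0x00 and position 0x93 holds 0x6c, as the post says.
    table = [v ^ 0xFF for v in table]
    assert sorted(table) == list(range(TABLE_SIZE)), "table is not a permutation"
    return table

def decode(cipher, table):
    """File byte is the index; the table entry is the real byte."""
    return bytes(table[c] for c in cipher)

def encode(plain, table):
    """Inverse lookup, so a round trip can be checked on known input."""
    inverse = [0] * TABLE_SIZE
    for idx, val in enumerate(table):
        inverse[val] = idx
    return bytes(inverse[p] for p in plain)

def slots_differing_from_not(table):
    """Input bytes for which the table is not just NOT (the scrambled slots)."""
    return [c for c in range(TABLE_SIZE) if table[c] != (c ^ 0xFF)]

def xor_ff_mismatches(cipher, plain):
    """Offsets where a plain XOR-with-FF of the file disagrees with the truth."""
    return [i for i, (c, p) in enumerate(zip(cipher, plain)) if (c ^ 0xFF) != p]

if __name__ == "__main__":
    t = build_table()
    c = encode(SAMPLE_PLAIN, t)
    print("scrambled slots:", [hex(s) for s in slots_differing_from_not(t)])
    print("XOR FF wrong at offsets:", xor_ff_mismatches(c, SAMPLE_PLAIN))
    print("table decode round-trips:", decode(c, t) == SAMPLE_PLAIN)
```

Running it shows that XOR with FF recovers every byte except those whose file value falls in the 16 scrambled slots, which is the pattern the post describes.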

  #15

    The old s9 firmware used a table in the bootloader section, from the beginning of s9 to around Sept 2010; then they changed the encryption method to what you see in the later firmwares for s9/s10.
    anonymousx made his own program to decrypt, and as a tease it even had tabs for patching the front panel and tuner sections, but he never made the program public.
    XOR works on the 1st line until you get to the hex 80, which is the same as the unencrypted. A lot of the links to Ali disassemblers are from 2 years ago and are dead, so I don't know what a good one would be for attacking the firmware.

