
Thread: Decrypting sw

#16 (jvvh5897)

    It is a substitution cipher in the newer files--still uses a 0x100 byte array, so I'm guessing the old ones used that simple cipher system too, just hid the array in the newer files. I got it running--posted over at coder's corner of rookies to see how the guys there found it to run.
    I used Ida Pro to disassemble the boot and find the code (eventually) but the version of IDA that I have does not do the mips16 in the boot well--I can get something good enough, but the un-disassembled instructions can be a real pain. The main sw is all mips32, so that is not really an issue in trying to mod code there. I can give hints, IDC's for IDA (for boot or main) or just post some of my results if any are interested--even have source code for a simple mips32 disassembler that I found on the web and fixed up so that my lcc-win32 compiler liked it--not great disassembler, but....

#17 (zelig)

    The 1st anonymousx firmware release from Dec 2011, just the maincode unencrypted and uncompressed.
    Thanks to jvvh5897 for the tool.
    It was the 1st firmware with hardware detection bypassed, so it would work on clones and receivers with the -- display on the front panel. I think it was based on the Sept 2011 firmware for s10, s10 only.
    He later came out with a version for the s9.

  3. The Following User Says Thank You to zelig For This Useful Post:


#18 (jvvh5897)

    If any are interested in trying to mod the code here are some of the early steps I take:
    Disassemble main with base address 0x80000200 as mips32 code. The code is only in the first half or so of the un-packed file; the upper part is data--I usually find the demarcation by finding a string and searching backward for the last addiu. "bd 27" is the byte sequence I search for, and that is only the first two bytes of the instruction (you find a negative addiu on the stack pointer at the start of routines in most cases and a positive addiu at the end if there was one at the start). In IDA I have the IDC look for addiu and start disassembling if it finds one. I also have the IDC search out strings in the data section, and special-case the Unicode strings--Unicode strings are used in most menus and are grouped by language--I find the first one that is usually English and do a special search on it, as many routines use the index of the string to tell code what to display. I usually find the "No FAV Channels" string and do some labeling in the routine that uses it--that way I get the basic OSD message display routines labeled--Zoom and Factory test OSD stuff I look for too. I find the MC: APP Init OK message and label the routine that uses it as APP init--you end up finding most of the device init in that routine--like the tuner init. I do a special search for the front end chip routine--it has some specific values so it is easy to find in most cases. By the time you get here, you have enough stuff labeled to look for project specific routines.

    I find a routine of interest and mod to dump the stack out the serial port. I might mod to dump RAM out serial port using serial routines found in my labeling.

    Anyway that is one way to do it.

  5. The Following User Says Thank You to jvvh5897 For This Useful Post:
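As an added example (not code from the thread or from jvvh5897's IDC), the "bd 27" heuristic above in Python: scan a little-endian MIPS32 image for `addiu $sp,$sp,imm`, pair prologues with epilogues, take the last hit as the code/data boundary, and pull the printable strings used for labeling. The sample image is constructed here; the base address 0x80000200 is the one the post uses.

```python
import struct

# Little-endian MIPS32: "addiu $sp, $sp, imm" has upper halfword 0x27BD, i.e. the
# "bd 27" byte pair from the post. A negative immediate opens a stack frame
# (prologue); the matching positive one closes it (epilogue).
ADDIU_SP_HI = 0x27BD
BASE = 0x80000200  # load address the thread uses for the main firmware

def scan_addiu_sp(blob, base=BASE):
    """Return (address, signed immediate) for each word-aligned addiu $sp,$sp,imm."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        word = struct.unpack_from('<I', blob, off)[0]
        if word >> 16 == ADDIU_SP_HI:
            imm = struct.unpack_from('<h', blob, off)[0]  # low halfword, sign-extended
            hits.append((base + off, imm))
    return hits

def estimate_code_end(blob, base=BASE):
    """Address just past the last addiu $sp: the rough code/data boundary
    behind the 'search backward for the last bd 27' trick. None if no hit."""
    hits = scan_addiu_sp(blob, base)
    return hits[-1][0] + 4 if hits else None

def pair_prologues(hits):
    """Pair each negative immediate with the next positive one of equal size,
    giving candidate (function_start, epilogue_addr) ranges."""
    ranges, pending = [], []
    for addr, imm in hits:
        if imm < 0:
            pending.append((addr, imm))
        elif pending and pending[-1][1] == -imm:
            ranges.append((pending.pop()[0], addr))
    return ranges

def find_ascii_strings(blob, base=BASE, min_len=4):
    """Printable-ASCII runs, e.g. the OSD messages the post uses as labels."""
    out, start = [], None
    for i, b in enumerate(blob + b'\0'):
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                out.append((base + start, blob[start:i].decode('ascii')))
            start = None
    return out

def build_sample_image():
    """Constructed image: one tiny function, then two strings named in the post."""
    w = lambda v: struct.pack('<I', v)
    code = (w(0x27BDFFE0) + w(0xAFBF001C) + w(0x00000000)  # addiu sp,-0x20; sw ra; nop
            + w(0x8FBF001C) + w(0x27BD0020) + w(0x03E00008) + w(0))  # lw ra; addiu sp,+0x20; jr ra; nop
    return code + b'No FAV Channels\0' + b'MC: APP Init OK\0'
```

Real images will also contain "bd 27" inside data by coincidence, so treat the boundary as a starting point to confirm in the disassembler, as the post does.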


#19 (zelig)

    The anonymousx firmware was supposed to be based on the Sept 2011 firmware. There were 3 releases that month for openbox and 1 for skybox, which is basically the same thing but with a different boot logo. I compared firmwares but they are way too different just to do a byte by byte comparison. I have ida 5.5.0.925t in the archives but I don't know if that is good enough. Still trying to track down decompilers from buddies on euro forums.

#20 (zelig)

    Openbox s9 firmware from 4-4-2011 was the last firmware that did biss encrypted channels on 30w. There was only 1 release for April and the May 5th firmware was the 1st to have the lan manager support, but biss stopped working from that release on. The rest of the world never complained, so they must have tweaked the biss section to cater to euro providers. That is another side project I would like to look at eventually.

#21 (jvvh5897)

    If your IDA has mipsl on the list of processors, it likely will do just fine. The IDA I use is very old.

    I added azbox bravissimo South America to the list of Ali based boxes' files that can be decrypted.

#22 (zelig)

    I found a book on ida v5.3 in pdf format, I will have to read that. A 4shared site has v6.1 but I don't know if it is hacked or not.
    A 100meg download.

#23 (jvvh5897)

    Yep, with all the processors that IDA does and all the bells and whistles, it is pretty bloated. I don't think the old one I use was that big, but big enough. The source code and compiled program for just the mips32 disassembler are about 40k bytes each--I'm guessing 30k zipped--you might want to pick up a compiler like lcc-win32 too, so add a few megs for that.

#24 (iq180)

    Quote Originally Posted by jvvh5897
    If your IDA has mipsl on the list of processors, it likely will do just fine. The IDA I use is very old.

    I added azbox bravissimo South America to the list of Ali based boxes' files that can be decrypted.
    Have you looked at the Tiger T6 firmware? I hear it can be used on the S16 but part of the code needs to be changed.

#25 (zelig)

    Quote Originally Posted by jvvh5897
    If your IDA has mipsl on the list of processors, it likely will do just fine. The IDA I use is very old.

    I added azbox bravissimo South America to the list of Ali based boxes' files that can be decrypted.
    Odd, the firmware I have isn't encrypted, just lzma compressed.
    20130417 LED a.2.23755.abs
    alitools.zip earlier in that thread was for the ariva 100 and uses the protection ic to decrypt via rs232 cable.

#26 (zelig)

    I downloaded ida 6.1.0110409 but I have to figure out how to set the offsets.

#27 (jvvh5897)

    I just tell IDA that I'm doing a new file, then drag and drop the file into the main window. At the popup tell it that the processor is mipsl and click OK. In the next window put 0x80000200 in the ROM (middle) address line and then again in the lowest address line.

    I've posted a mips IDC here before, but do have one that I've played with a little more--largely the fixes are simple things, the early ones had most of what really does the most work.

  15. The Following User Says Thank You to jvvh5897 For This Useful Post:


#28 (jvvh5897)

    Quote Originally Posted by iq180
    Have you looked at the Tiger T6 firmware? I hear it can be used on the S16 but part of the code needs to be changed.
    If you post a link to a file, I could take a look. But I've never heard of that box, so I know nothing.

#29 (zelig)

    Tiger actually had a model identical to the s10, I think it was the e100. I played with it on my s10 back in the old days.

    ftp://tiger.satsale.net/tiger/FirmWare/

    You will have to get your s16 going again.

#30 (iq180)

    Quote Originally Posted by jvvh5897
    If you post a link to a file, I could take a look. But I've never heard of that box, so I know nothing.
    http;//www.tiger-sat.nxx
    I know it will load on the S16 as it is, but it will kill the S16 if you don't mod it, and that is a fact. I have a dead S16 from that firmware.
