FWIW (in case someone has an open ticket with OBi, and wants to send some addtional info), I took a look at the traffic on the wire (well, actually the logs).
It appears that the new firmware is responding to the first unauthenticated registration request with the expect 401 (not authenticated), asking for authentication with an interesting WWW-Authenticate string of the form:
WWW-Authenticate: Digest algorithm=MD5,nonce="37b7b4ad3BCEF40E",opaque="f66fc17e4fff9789",realm="pnn.obihai.com",nonce="5E7F538C",response="5E7F538C5E7F538C5E7F538C5E7F538C"
The old firmware replies with:
WWW-Authenticate: Digest algorithm=MD5,nonce="7fdddb54F4FF4579",opaque="5aafd8f577bcdc0d",realm="pnn.obihai.com"
Note that the new firmware is sending two nonces (which it really should not), along with a response value (which should not exist) which is just the second nonce value repeated 4 times. It would appear my SIP phone is replying using the second nonce value (which is arguably correct (use the last value, based on Postel's law))), but I am guessing the OBi is calculating the values with the first.
Anyway, I see a bug.