Novatek (NT9665X) firmware studies

Now it's getting even more interesting:
Example:
Original binary:
Code:
003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00 [1e]00 00 00 ................ //ORIGINAL VALUE: 1e
003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
003cf350 38 04 00 00[3c]00 00 00 00 28 23 00 00 00 00 00 8...<....(#..... //ORIGINAL VALUE: 3c
003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Failed/invalid binary, only one value modified, results in new checksum:
Code:
003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00 1e 00 00 00 ................
003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
003cf350 38 04 00 00[1e]00 00 00 00 28 23 00 00 00 00 00 8........(#..... //ORIGINAL VALUE: 3c
003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Valid modified binary, two values exchanged, therefore still the same checksum
Code:
003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00[3c]00 00 00 ............<... //ORIGINAL VALUE: 1e, exchanged with 3c
003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
003cf350 38 04 00 00[1e]00 00 00 00 28 23 00 00 00 00 00 8........(#..... //ORIGINAL VALUE: 3c, exchanged with 1e
003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Conclusion: NT9666X uses even more checksums for different parts/areas of code (but probably still the same algorithm)
Next task is to find these new checksums.......
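
The observation in the post above (one changed value is rejected, two exchanged values are accepted) is what any order-independent checksum produces. The sketch below is an added example, not code from the thread or from Novatek: the real algorithm is not given on this page, so the 16-bit word sum and the dword XOR are assumptions, and CRC32 is included only as a position-sensitive contrast.

```python
import struct
import zlib

# Constructed sample: the two dump rows holding the bracketed values
# (0x003cf2e0 and 0x003cf350), joined; the rows between them are left out.
ORIGINAL = bytes.fromhex(
    "01000000" "00090000" "10050000" "1e000000"
    "38040000" "3c000000" "00282300" "00000000"
)
OFF_A, OFF_B = 12, 20  # positions of the 0x1e and 0x3c dwords in the sample


def word_sum16(data: bytes) -> int:
    """Assumed algorithm: sum of little-endian 16-bit words, modulo 2**16."""
    words = struct.unpack("<%dH" % (len(data) // 2), data)
    return sum(words) & 0xFFFF


def xor32(data: bytes) -> int:
    """Another order-independent check: XOR of little-endian dwords."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", data):
        acc ^= dword
    return acc


def patch(data: bytes, offset: int, value: int) -> bytes:
    """Return a copy with one little-endian dword replaced."""
    return data[:offset] + struct.pack("<I", value) + data[offset + 4:]


def survives(candidate: bytes) -> dict:
    """For each check, report whether candidate still matches ORIGINAL."""
    checks = {"sum16": word_sum16, "xor32": xor32, "crc32": zlib.crc32}
    return {name: fn(candidate) == fn(ORIGINAL) for name, fn in checks.items()}


SINGLE = patch(ORIGINAL, OFF_B, 0x1E)                       # one value changed
SWAPPED = patch(patch(ORIGINAL, OFF_A, 0x3C), OFF_B, 0x1E)  # values exchanged

if __name__ == "__main__":
    print("single change:", survives(SINGLE))
    print("swapped      :", survives(SWAPPED))
```

A sum or XOR catches accidental corruption but not rearranged content, which is why it cannot serve as an integrity control for firmware; a CRC or a cryptographic hash flags both cases.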
 
Tobi@s!!
I did everything, but through the files - ntkautomator.cmd, ntkcalc-v051.exe, bfc-v01.exe!
COMPRESS OR DECOMPRESS FIRMWARE(D/С)
Got - FIRMWARE_decomp.bin = 5583 kb
I changed the data to the addresses.
Got - FIRMWARE_decomp_comp.bin = 2954 kb
How to verify I do not know!

Check for yourself.
https://yadi.sk/d/8sRbUE743JBpRR
What do you mean exactly?
decomp = decompressed, therefore the file has to be larger
comp = compressed, therefore it is smaller?
 
What do you mean exactly?
Check, I put it ready, it's hard to understand through an interpreter !! :)

I realized that the data does not change?
 
But how can you explain it was working with one bitrate value changed? :)
Good question. Maybe it's just a specific area of code that's protected with another checksum. The working single value modification was at a lower offset than the failed one.
 
Tobi@s
You watched my attachment, did I manage to change the data?
So hard to understand posts by an interpreter ... :cry:
 
It should be ok if you used ntkautomator.cmd from @Alfsoft


You can always unbrick the camera by doing the update procedure with an original firmware
 
I was able to resolve the FW CHECK FAIL issue:

The final bcl compressed binary has to be divisible by 4. The bootloader probably checks if filesize%4==0 respectively only reads DWORDS

Will soon update the bcl library to comply with the loader check...

This "new check" is definitely backward compatible (nt9665X) so it shouldn't be an issue for future releases :)

Edit: Changes are live: http://git.p-mc.eu/Tobi/bcl_for_ntk/
 
Tobi
There is a processor NT96660, did not get through cmd, throws an error. - ???
1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin) - throws an error
Needed .NET Framework, №? It is worth Net 4.5
Can you succeed?
There MP4 - for viewing, the original.
There bitrate ~, need to make a constant at the maximum - 24000 (C05D)
Addresses in the file search.
https://yadi.sk/d/fXWpjAf13JGVDm

It seems that it's already decompiled and when they are stitching, it will compile.
There, too, strange, separately the file = 3.88, as soon as the folder is put, became = 3,99.
Compiled received 3.88 .... !!! ???
 

That's no problem. The final filesize can differ because the compressed file size depends on the "content" of the binary. Changing some bytes can result in smaller or bigger final files.


I have no idea why bfc crashed for you. Maybe try compiling bfc.exe from source http://git.p-mc.eu/Tobi/bcl_for_ntk
 
This one is not compatible with bfc, yet.

The firmware you attached contains two compressed partitions. The first one at 0x00000000 and the second one at 0x002c5a44.

At the moment BFC only supports one single partition per firmware binary. Two or more are not possible right now. I will try to fix this soon, but this will still take a while.
 
I will try to fix this soon, but this will still take a while.
Excellent news.
And very interesting.
Thank you!!

I checked to your addresses, yes everything is OK
Everything is decompiled / compiled!!

Gentlemen, is there an opportunity to walk through the firmware on a step-by-step basis?
We install the STOP command in the firmware and run the firmware on the DVR and determine where the stop is?

Waiting for another DVR without wifi on the same hardware.
I want to compare the firmware, determine how to include the wifi by the button, not by default.
OK
 
Waiting for another DVR without wifi on the same hardware.
I got a DVR !!
The seller turned out to be a crook.
Slipped the old stuff - NT96223FG and sensor 9712
Opened the argument, but I'm not the only one and lose everything !!
Surprisingly, Ali covers the scammers !!

Tell me how to open the firmware, I want to increase the bitrate and sell.
I post the full firmware.
Thank you.
https://yadi.sk/d/XhdIgTQt3JtYJ9
 
no matter what you do it's not going to improve
OK, for parts and in the trash! :D
Here's the data
Video #0
ID : 0
Format : JPEG
Codec ID : MJPG
Duration : 10 s 0 ms
Bit rate : 17.9 Mb/s
Width : 1 280 pixels
Height : 720 pixels
Display aspect ratio : 16:9
Frame rate : 30.000 FPS

This is not its firmware, the chip was empty!
I had a firmware from another on this processor !!

I can not enter the menu, the selection button does not work.
Why was the chip empty?
The programmer failed -?
 
All probably on vacation? :(
I would like to understand how it is regulated here:
Brightness
Contrast
Sharpness
Where are the excerpts data.
 
More or less, I'm still developing the novatek resource editor (sounds/fonts/bitmaps) but was unable to make any progress for weeks since I'm busy with university exams again.
 
Just found out that if I modify firmware resolutions list by only making difference in bitrate values (1920x1080@30 at 20 Mbit/s and 1920x1080@30 at 10 Mbit/s) then when I select first mode in smartphone app's settings, it selects second mode (10 Mbit/s). Is it an application bug (I use Lercenker, Okcam) or a standard firmware behavior?
P. S. These modes are named identically in an app: "1920x1080 30P".
 
Probably an application bug
 