Novatek (NT9665X) firmware studies

Tobi@s

#1
Edit 4: Also have a look at GoPrawn forums: https://www.goprawn.com/forum/novatek-cams

Hello,
I finally got something interesting to play with after I got a bit "bored" (well not really bored but it wasn't that exciting anymore) with Ambarella A2-A7 chipsets. A fancy SG96650GC which is based on Novatek NT96650 from @niko - thanks again ;)

The first thing I did after receiving the camera was disassembling it (well ok, I mounted it in the car before to test it) and soldering some wires to it to get access to the terminal and see the kernel messages :D
sg96650gc-board-bp.jpg

I didn't think that it would be that easy but it indeed worked:
upload_2016-4-17_20-33-3.png

It even features a little "shell" :)
upload_2016-4-17_20-34-15.png

I don't know where this will go at the moment, maybe the same path as Ambarella or maybe somewhere completely else. I'll try to obtain information about the firmware and memory layout through the shell, maybe I am able to find something interesting.

The firmware probably consists of two sections, regarding this debug output:
Code:
[LOAD-FW]
Total Sections = 2
   Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD)
PL_begin
   Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD)
PL_end

PL is probably payload, it starts within the range of section 01 but is much bigger. No idea what that means, yet.

Will update this thread as soon as I discover something interesting.

Edit1:
There are multiple consoles:
CMD console, EXAM console and eCos console
cmd console - switch key: ">": module based console for debugging
exam console - switch key: "$": ? not implemented in SG dc
ecos console - switch key: "#": probably console of eCos for WiFi support (https://en.wikipedia.org/wiki/ECos) not implemented in SG dc

Edit2:
Theory:
Bootloader is permanent - at least it can't be flashed using firmware binaries. Maybe it can be updated via USB.
It loads the firmware binary to 0x80000000 and executes it (...to be continued)
Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
Sooo.. Are these cameras unbrickable? The bootloader can't be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)

Edit3 (for disassembling):
Architecture: MIPS32 24KEc
Memory load address: 0x80000000

Cheers
Tobi
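
An added example, not part of the original post: a Python sketch that parses the [LOAD-FW] debug output quoted above, checks each Size against its Range, and reports where Section-02 overlaps Section-01. The function names are hypothetical, and `file_offset` assumes the image is loaded flat at the 0x80000000 load address given in Edit3.

```python
import re

# Constructed sample: the [LOAD-FW] debug output quoted in the post above.
LOAD_FW_LOG = """\
[LOAD-FW]
Total Sections = 2
   Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD)
PL_begin
   Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD)
PL_end
"""

SECTION_RE = re.compile(
    r"Section-(\d+):\s*Range\[0x([0-9A-Fa-f]+)~0x([0-9A-Fa-f]+)\]\s*Size=0x([0-9A-Fa-f]+)")
LOAD_BASE = 0x80000000  # load address stated in the post (Edit3)

def parse_sections(log):
    """Return [(index, start, end, size)] after checking the log against itself."""
    sections = [(int(i), int(s, 16), int(e, 16), int(z, 16))
                for i, s, e, z in SECTION_RE.findall(log)]
    declared = re.search(r"Total Sections\s*=\s*(\d+)", log)
    if declared and int(declared.group(1)) != len(sections):
        raise ValueError("section count does not match 'Total Sections'")
    for idx, start, end, size in sections:
        if end - start != size:
            raise ValueError(f"Section-{idx:02d}: Size does not equal end - start")
    return sections

def overlaps(sections):
    """Return (idx_a, idx_b, overlap_start, overlap_len) for neighbouring ranges that overlap."""
    found = []
    ordered = sorted(sections, key=lambda s: s[1])
    for a, b in zip(ordered, ordered[1:]):
        if b[1] < a[2]:
            found.append((a[0], b[0], b[1], min(a[2], b[2]) - b[1]))
    return found

def file_offset(vaddr, sections):
    """Map a virtual address to an offset in a flat image at LOAD_BASE (assumption)."""
    if not any(start <= vaddr < end for _, start, end, _ in sections):
        raise ValueError(f"0x{vaddr:08X} is outside every loaded section")
    return vaddr - LOAD_BASE

if __name__ == "__main__":
    secs = parse_sections(LOAD_FW_LOG)
    for a, b, start, length in overlaps(secs):
        print(f"Section-{a:02d}/Section-{b:02d} overlap at 0x{start:08X}, {length} bytes")
```

On the quoted log this reports a 0xE10-byte overlap starting at 0x800AF1F0, the PL start address.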
 

lacibaci

#2
Can you give us more details about where to tap in and terminal settings?
 

jokiin

#4
Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
Sooo.. Are these cameras unbrickable? The bootloader can't be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)
pretty much, the bootloader is separate to the firmware always
 
Tobi@s

#5
pretty much, the bootloader is separate to the firmware always
Good to know, so I can "safely" try to modify the firmware. Unfortunately the bootloader is not really chatty so I can't get information about what's wrong with invalid firmwares like Ambarella's update program did.

Failed fw update:
Code:
NPT
Loader B40SB Start ...

655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27

RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRNonComp

FW check fail

Successful fw update:
Code:
NPT
Loader B40SB Start ...

655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27

RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRNonComp

Ud FW
eeeeeeeeeeeeeeeeEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEeeeeeeeeWWWW[10621 'W' omitted]WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWR
RFlsh
R
PL
RCPU/OCP/APB = 432/432/80 Mhz, DMA = 372 Mhz
Clk verify PASS
 

jokiin

#6
if the incorrect firmware is applied the correct one will generally be able to be reinstalled no problem, start messing with the bootloader though and it can be a problem
 
Tobi@s

#8
Alright, messing with the bootloader probably requires JTAGging the dashcam (I have no idea about that kind of debugging so that's not even a choice :D) since there seems to be no other way to access it. Right now I'm dumping the memory, maybe I'll find something interesting in there. But this will take some time.
 

jokiin

#10
Any news? By the way bootloader can update itself from the memory card.
yes it is also updated from memory card, if you get the bootloader wrong though you will have something you cannot recover, there is no process to restore by connecting to PC and using software like there is with some other solutions
 

nutsey

#11
there is no process to restore by connecting to PC and using software
A Novatek cam with broken loader turns into direct usb mode, but we don't have any drivers for it as well as no working flashing tool (I suppose it should be fresh version of EasyUSB writer) available at the moment.
 

nutsey

#13
But there is an outdated driver and its INF says:
Code:
; Installation inf for the Novatek nt9x series USB Bulk IO for CameraTest Board
 

jokiin

#14
Might relate to the webcam function, not sure, there's no software for loading firmware to dead boards like there is for Ambarella so it doesn't much matter really
 

thegamut

#17
But there is an outdated driver and its INF says:
Code:
; Installation inf for the Novatek nt9x series USB Bulk IO for CameraTest Board

BulkIO is for writing flash. There IS a tool... we just don't have it. Trust, it's not "for the webcam". Reach out to Novatek and some manufacturers, tell them you bricked your cam and it's in "Firmware Update Device" mode. Someone should have a solution.

EasyUSB goes to v4.5, maybe it could be edited to correct the reason it doesn't work? Has anyone tried it? Obv I don't have this camera or I would be making attempts. Otherwise you can live with finding the checksum for the firmware 2nd portion and editing that.
 

thegamut

#19
Eh, not always. I got the phoenix flash image from the maker (my camera was actually jacked). Ordered a PCB with BT interface from another factory as 1PC... why so much pessimism? Sometimes they are cool, sometimes they are not.
 

jokiin

#20
Novatek won't give you anything, most of the brands you see in the market have no engineering capability in house and no access to anything that would help you out of this situation either. It's not pessimism, just the reality of the situation
 
