Novatek (NT9665X) firmware studies

Discussion in 'Firmware Modifications' started by Tobi@s, Apr 17, 2016.

  1. Tobi@s

    Tobi@s Well-Known Member App Developer

    Hello,
    I finally got something interesting to play with after I got a bit "bored" (well not really bored but it wasn't that exciting anymore) with Ambarella A2-A7 chipsets. A fancy SG96650GC which is based on Novatek NT96650 from @niko - thanks again ;)

    The first thing I did after receiving the camera was disassembling it (well ok, I mounted it in the car before to test it) and soldering some wires to it to get access to the terminal and see the kernel messages :D
    [Attachment: sg96650gc-board-bp.jpg]

    I didn't think that it would be that easy but it indeed worked:
    [Attachment: upload_2016-4-17_20-33-3.png]

    It even features a little "shell" :)
    [Attachment: upload_2016-4-17_20-34-15.png]

    I don't know where this will go at the moment, maybe the same path as Ambarella or maybe somewhere else completely. I'll try to obtain information about the firmware and memory layout through the shell, maybe I am able to find something interesting.

    The firmware probably consists of two sections, regarding this debug output:
    Code:
    [LOAD-FW]
    Total Sections = 2
       Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD)
    PL_begin
       Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD)
    PL_end

    PL is probably payload, it starts within the range of section 01 but is much bigger. No idea what that means, yet.

    Will update this thread as soon as I discover something interesting.

    Edit1:
    There are multiple consoles:
    CMD console, EXAM console and eCos console
    cmd console - switch key: ">": module based console for debugging
    exam console - switch key: "$": ? not implemented in SG dc
    ecos console - switch key: "#": probably console of eCos for WiFi support (https://en.wikipedia.org/wiki/ECos) not implemented in SG dc

    Edit2:
    Theory:
    Bootloader is permanent - at least it can't be flashed using firmware binaries. Maybe it can be updated via USB.
    It loads the firmware binary to 0x80000000 and executes it (...to be continued)
    Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
    Sooo.. Are these cameras unbrickable? The bootloader can't be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)

    Edit3 (for disassembling):
    Architecture: MIPS32 24KEc
    Memory load address: 0x80000000

    Cheers
    Tobi
     
    Last edited: Apr 21, 2016
    za rulem, reverend, kamkar1 and 4 others like this.
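
    Added example (not part of the original post, and not Novatek or forum code): a small Python parser for the [LOAD-FW] output quoted above that checks each Size against its Range and measures how far Section-02 reaches into Section-01. It assumes the Range end address is exclusive, which matches the sizes printed on the page, and `offset` is simply the start address minus the load address from Edit3; whether that corresponds to an offset in the firmware file is an assumption.

```python
import re

# Loader debug output quoted in the first post (copied verbatim).
LOAD_FW_LOG = """\
[LOAD-FW]
Total Sections = 2
   Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD)
PL_begin
   Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD)
PL_end
"""
LOAD_BASE = 0x80000000  # memory load address given in Edit3
SECTION_RE = re.compile(
    r"Section-(\d+):\s*Range\[0x([0-9A-Fa-f]+)~0x([0-9A-Fa-f]+)\]\s*Size=0x([0-9A-Fa-f]+)")


def parse_sections(log):
    """Return one dict per section; raise ValueError if the log is inconsistent."""
    sections = []
    for m in SECTION_RE.finditer(log):
        idx = int(m.group(1))
        start, end, size = (int(g, 16) for g in m.groups()[1:])
        if end - start != size:  # assumes the end address is exclusive
            raise ValueError(f"section {idx}: Size does not match Range")
        sections.append({"index": idx, "start": start, "end": end,
                         "size": size, "offset": start - LOAD_BASE})
    total = re.search(r"Total Sections\s*=\s*(\d+)", log)
    if total and int(total.group(1)) != len(sections):
        raise ValueError("section count does not match 'Total Sections'")
    return sections


def overlaps(sections):
    """Return (index_a, index_b, overlap_start, overlap_bytes) per overlapping pair."""
    found = []
    ordered = sorted(sections, key=lambda s: s["start"])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b["start"] < a["end"]:
                found.append((a["index"], b["index"], b["start"],
                              min(a["end"], b["end"]) - b["start"]))
    return found


if __name__ == "__main__":
    secs = parse_sections(LOAD_FW_LOG)
    for s in secs:
        print(f"Section-{s['index']:02d} start={s['start']:#010x} offset={s['offset']:#x}")
    for a, b, addr, n in overlaps(secs):
        print(f"Section-{a:02d}/Section-{b:02d} overlap: {n:#x} bytes at {addr:#010x}")
```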
  2. lacibaci

    lacibaci Well-Known Member

    Can you give us more details about where to tap in and terminal settings?
     
  3. Tobi@s

    Tobi@s Well-Known Member App Developer

    Uhm can you be more specific? What do you mean with "tap in"?
     
  4. jokiin

    jokiin Well-Known Member Manufacturer

    pretty much, the bootloader is separate to the firmware always
     
    Tobi@s likes this.
  5. Tobi@s

    Tobi@s Well-Known Member App Developer

    Good to know, so I can "safely" try to modify the firmware. Unfortunately the bootloader is not really chatty so I can't get information about what's wrong with invalid firmwares like Ambarella's update program did.

    Failed fw update:
    Code:
    NPT
    Loader B40SB Start ...
    
    655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27
    
    RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRNonComp
    
    FW check fail

    Successful fw update:
    Code:
    NPT
    Loader B40SB Start ...
    
    655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27
    
    RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRNonComp
    
    Ud FW
    eeeeeeeeeeeeeeeeEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEeeeeeeeeWWWW[10621 'W' omitted]WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWR
    RFlsh
    R
    PL
    RCPU/OCP/APB = 432/432/80 Mhz, DMA = 372 Mhz
    Clk verify PASS
    
     
    Last edited: Apr 23, 2016
    za rulem and Falsificator like this.
  6. jokiin

    jokiin Well-Known Member Manufacturer

    if the incorrect firmware is applied the correct one will generally be able to be reinstalled no problem, start messing with the bootloader though and it can be a problem
     
  7. reverend

    reverend Well-Known Member

    Nice Bus Pirate ;)
     
    Tobi@s likes this.
  8. Tobi@s

    Tobi@s Well-Known Member App Developer

    Alright, messing with the bootloader probably requires to JTAG the dashcam (I have no idea about that kind of debugging so that's not even a choice :D) since there seems to be no other way to access it. Right now I'm dumping the memory, maybe I'll find something interesting in there. But this will take some time.
     
    za rulem and thancam like this.
  9. nutsey

    nutsey Active Member

    Any news? By the way bootloader can update itself from the memory card.
     
  10. jokiin

    jokiin Well-Known Member Manufacturer

    yes it is also updated from memory card, if you get the bootloader wrong though you will have something you cannot recover, there is no process to restore by connecting to PC and using software like there is with some other solutions
     
  11. nutsey

    nutsey Active Member

    A Novatek cam with broken loader turns into direct usb mode, but we don't have any drivers for it as well as no working flashing tool (I suppose it should be fresh version of EasyUSB writer) available at the moment.
     
  12. jokiin

    jokiin Well-Known Member Manufacturer

    there is no software for this
     
  13. nutsey

    nutsey Active Member

    But there is an outdated driver and its INF says:
    Code:
    ; Installation inf for the Novatek nt9x series USB Bulk IO for CameraTest Board
    
     
  14. jokiin

    jokiin Well-Known Member Manufacturer

    Might relate to the webcam function, not sure, there's no software for loading firmware to dead boards like there is for Ambarella so it doesn't much matter really
     
  15. burak altunbas

    burak altunbas New Member

    Device Manager finds "Novatek 98700 USB Firmware Update Device", but how can I update?
     
  16. jokiin

    jokiin Well-Known Member Manufacturer

    no idea
     
  17. thegamut

    thegamut Active Member

    BulkIO is for writing flash. There IS a tool... we just don't have it. Trust, it's not "for the webcam". Reach out to Novatek and some manufacturers, tell them you bricked your cam and it's in "Firmware Update Device" mode. Someone should have a solution.

    EasyUSB goes to v4.5, maybe it could be edited to correct the reason it doesn't work? Has anyone tried it? Obv I don't have this camera or I would be making attempts. Otherwise you can live with finding the checksum for the firmware 2nd portion and editing that.
     
  18. jokiin

    jokiin Well-Known Member Manufacturer

    at best they will tell you to return the camera
     
  19. thegamut

    thegamut Active Member

    Eh, not always. I got the phoenix flash image from the maker (my camera was actually jacked). Ordered a PCB with BT interface from another factory as 1PC... why so much pessimism? Sometimes they are cool, sometimes they are not.
     
  20. jokiin

    jokiin Well-Known Member Manufacturer

    Novatek won't give you anything, most of the brands you see in the market have no engineering capability in house and no access to anything that would help you out of this situation either. it's not pessimism, just the reality of the situation
     