You posed this a while back Tobi. I recently acquired the Wolverine data 8mm machine which uses the same chip. Connected the console and got the same startup message but cannot switch to the command mode. Did you just hit the ">" key? I actually noticed the switch CMD prompt when I initially connected the TX line to The TX line. It same on a few times but nothing after that (obviously the lines were connected wrong). Maybe it is some sort of escape sequence? Any ideas?Edit 4: Also have a look at GoPrawn forums: https://www.goprawn.com/forum/novatek-cams
I finally got something interesting to play with after I got a bit "bored" (well not really bored but it wasn't that exciting anymore) with Ambarella A2-A7 chipsets. A fancy SG96650GC which is based on Novatek NT96650 from @niko - thanks again
The first thing I did after receiving the camera was disassembling it (well ok, I mounted it in the car before to test it) and soldering some wires to it to get access to the terminal and see the kernel messages
I didn't think that it would be that easy but it indeed worked:
It even features a little "shell"
I don't know where this will go at the moment, maybe the same path as Ambarella or maybe somewhere completely else. I'll try to obtain information about the firmware and memory layout through the shell, maybe I am able to find something interesting.
The firmware probably consists of two sections, regarding this debug output:
PL is probably payload, it starts within the range of section 01 but is much bigger. No idea what that means, yet.Code:
[LOAD-FW] Total Sections = 2 Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD) PL_begin Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD) PL_end
Will update this thread as soon as I discover something interesting.
There are multiple consoles:
CMD console, EXAM console and eCos console
cmd console - switch key: ">": module based console for debugging
exam console - switch key: "$": ? not implemented in SG dc
ecos console- switch key: "#": probably console of eCos for WiFi support (https://en.wikipedia.org/wiki/ECos ) not implemented in SG dc
Bootloader is permanent - atleast it cant be flashed using firmware binaries. Maybe it can be updated via USB.
It loads the firmware binary to 0x80000000 and executes it (...to be continued)
Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
Sooo.. Are these cameras unbrickable? The bootloader cant be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)
Edit3 (for disassembling):
Architecture: MIPS32 24KEc
Memory load address: 0x80000000