Novatek (NT9665X) firmware studies

carpeDiem

New Member
Joined
Feb 9, 2019
Messages
2
Reaction score
0
Country
United States
Edit 4: Also have a look at GoPrawn forums: https://www.goprawn.com/forum/novatek-cams

Hello,
I finally got something interesting to play with after I got a bit "bored" (well not really bored but it wasn't that exciting anymore) with Ambarella A2-A7 chipsets. A fancy SG96650GC which is based on Novatek NT96650 from @niko - thanks again ;)

The first thing I did after receiving the camera was disassembling it (well ok, I mounted it in the car before to test it) and soldering some wires to it to get access to the terminal and see the kernel messages :D

I didn't think that it would be that easy but it indeed worked:

It even features a little "shell" :)

I don't know where this will go at the moment, maybe the same path as Ambarella or maybe somewhere completely else. I'll try to obtain information about the firmware and memory layout through the shell, maybe I am able to find something interesting.

The firmware probably consists of two sections, regarding this debug output:
Code:
[LOAD-FW]
Total Sections = 2
   Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD)
PL_begin
   Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD)
PL_end
PL is probably payload, it starts within the range of section 01 but is much bigger. No idea what that means, yet.

Will update this thread as soon as I discover something interesting.

Edit1:
There are multiple consoles:
CMD console, EXAM console and eCos console
cmd console - switch key: ">": module based console for debugging
exam console - switch key: "$": ? not implemented in SG dc
ecos console- switch key: "#": probably console of eCos for WiFi support (https://en.wikipedia.org/wiki/ECos ) not implemented in SG dc

Edit2:
Theory:
Bootloader is permanent - atleast it cant be flashed using firmware binaries. Maybe it can be updated via USB.
It loads the firmware binary to 0x80000000 and executes it (...to be continued)
Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
Sooo.. Are these cameras unbrickable? The bootloader cant be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)

Edit3 (for disassembling):
Architecture: MIPS32 24KEc
Memory load address: 0x80000000

Cheers
Tobi
You posed this a while back Tobi. I recently acquired the Wolverine data 8mm machine which uses the same chip. Connected the console and got the same startup message but cannot switch to the command mode. Did you just hit the ">" key? I actually noticed the switch CMD prompt when I initially connected the TX line to The TX line. It same on a few times but nothing after that (obviously the lines were connected wrong). Maybe it is some sort of escape sequence? Any ideas?
 
OP
Tobi@s

Tobi@s

Well-Known Member
App Developer
Joined
Nov 12, 2013
Messages
1,372
Reaction score
839
Location
Bavaria
Country
Germany
Dash Cam
some
you need to press enter afterwards. But not all of the console types are implemented.
 

carpeDiem

New Member
Joined
Feb 9, 2019
Messages
2
Reaction score
0
Country
United States
Thanks Tobi. I tried that but it did not work. Guess Wolverine turned off cmd console.
 

holender

New Member
Joined
Sep 11, 2019
Messages
2
Reaction score
1
Location
London
Country
United Kingdom
Hello all members :)

I'm very new at this forum, and I know that forum is dedicated for dash cams. But looks that you guys here are my last resort :oops:

I bought night vision scope brand PARD model NV-007 with camera recorder. Chip Genius detected as "Novatekn vt-DSC". After searching by VID (0603) and PID (8611) this website says that chip is "NTK96550 based camera".
My camera has menu in English, French, and some other languages, but not Czech which I would like to have. My friend has a unit with Czech language, which I don't have. I wrote to a producer 3 weeks ago, then I reiterate my email, but without any response until today. Czech distributor said that he will not provide me file with Czech language update., because I should buy camera from his distribution.

I know from UK distributor that the file with a firmware/update should be written on SD card, then should be put into the camera, then camera should be turned on, and bootloader will change the system - to the new firmware. If the firmware has Czech language, I would have Czech language in the camera menu.

So my questions are:
1. If I dig up a firmware from my friend unit (this one with a Czech language) - can I just write dug up file(s) on SD card, then I will be able to update my unit as described above? I mean - if I dug up the firmware from my friend's device, would it be the same as an update file to write on SD card.
2. If the answer for above is yes, how to "dig up" my friend's firmware? Dear @jokiin, you think only the way as @Tobi@s says?

(
if you can find someone that has the same camera as yours you may be able to backup their firmware to create a new firmware for yours
But: you have to get access to the shell which is impossible without hardware modifications
access to shell via uart is required.
 

Top