Novatek (NT9665X) firmware studies

Discussion in 'Firmware Modifications' started by Tobi@s, Apr 17, 2016.

  1. jokiin

    jokiin Well-Known Member Manufacturer

    For the mini0903 there was a higher bitrate version where WiFi was disabled; maybe there are some clues in those firmwares.
     
  2. Tobi@s

    Tobi@s Well-Known Member App Developer

    The disassembly states that there is a file called setwifi.txt on the SD card.
    Maybe it can be used to disable WiFi directly or disable it with an invalid configuration.
     
  3. vvs49

    vvs49 Member

    There is no such file.
     
  4. Tobi@s

    Tobi@s Well-Known Member App Developer

    Last edited: Mar 18, 2017
  5. Tobi@s

    Tobi@s Well-Known Member App Developer

    Last edited: Mar 18, 2017
    Falsificator likes this.
  6. vvs49

    vvs49 Member

    I created the file setwifi.txt as per the reference.
    But it just stopped the WiFi and does not switch to video mode. :(
     
  7. SlimLively

    SlimLively New Member

    Dear friends, please explain. Is it possible for an ordinary home user to restore an NT 96655bg jooy NOVATEK jooy A1 1624ds 96655bg dash cam? After purchase, brand new, it behaved as shown at the link. The seller sent a firmware and said to put the firmware file on the card. After 2 minutes the indicators went out and that was it; the device now does not respond and does not turn on. Can I do anything? There is no image when connected to AV.
     
  8. Tobi@s

    Tobi@s Well-Known Member App Developer

    Do you have access to the old firmware? Try flashing another one
     
  9. SlimLively

    SlimLively New Member

    No access. Now it does not turn on and there is no indicator light. Chip: NT96655GB 1624-DS KWHR6/8
     
  10. Tobi@s

    Tobi@s Well-Known Member App Developer

    You could still try to reflash the same firmware. But I'd recommend contacting the reseller and asking for another firmware file.
     
  11. SlimLively

    SlimLively New Member

    After flashing, the device does not respond and the lamp does not blink. There is also no signal on AV....
     
  12. vvs49

    vvs49 Member

    Gentlemen!
    To which processor family does Novatek belong?
    Of all the samples in IDA, I settled on the MIPS architecture.
    Is that right?
     
  13. Tobi@s

    Tobi@s Well-Known Member App Developer

    mips24kec 32bit little endian
     
  14. vvs49

    vvs49 Member

    OK!
     

    Attached Files:

    • IDA.jpg (139 KB)
  15. Tobi@s

    Tobi@s Well-Known Member App Developer

    Yes, load address 0x80000000 afaik
     
  16. vvs49

    vvs49 Member

    AndreyN!!
    Did you solve the problem?
    I am also trying to solve it programmatically!!
    In the extreme case: a relay with a delay and a click on the button on the s-video!

    If you unbind the wifi board, the DVR does not work.

    Gentlemen, I'm interested!
    Who writes the program to these devices, the Chinese?
    I can not find, even in China, these programmers! (y)
    They are ghosts !! :D
     

    Last edited: May 10, 2017
  17. Tobi@s

    Tobi@s Well-Known Member App Developer

    Novatek seems to have changed something in NT96663 since I'm unable to create a valid modified firmware image..
     
    nutsey likes this.
  18. nutsey

    nutsey Active Member

    Can you share any NT96663 firmware?
     
  19. Tobi@s

    Tobi@s Well-Known Member App Developer

    Ok, it's not completely broken. But it's also very very weird:

    Used firmware is from Mini 0906: http://www.mini0906.com/firmware/FIRMWARE-20170504.zip

    It works (valid modified firmware) with these steps:
    1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
    2. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
    3. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
    4. Flash the firmware -> flash OK
    -> Therefore BFC is still working

    It also works when doing this:
    1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
    2. Modify at 0x003cf38c from 00 00 19 00 to 00 10 27 00
    3. Validate out.bin with ntkcalc ( ntkcalc.exe -cw out.bin)
    4. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
    5. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
    6. Flash the firmware -> flash OK
    -> ntkcalc also still works (checksum algorithm was not modified)

    Now the weird part:
    1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
    2a. Modify at 0x003cf38c from 00 00 19 00 to 00 10 27 00
    2b. Modify at 0x003cf52c from 00 88 13 00 to 00 94 11 00
    3. Validate out.bin with ntkcalc ( ntkcalc.exe -cw out.bin)
    4. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
    5. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
    6. Flash the firmware -> Bootloader fw update procedure fails: FW CHECK FAIL

    So modifying at a specific address results in an invalid firmware?! I have no idea what's happening there at the moment...
     
    Last edited: May 15, 2017
    nutsey and Falsificator like this.
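
The byte edits in steps 2a and 2b of the post above, as an added example (not part of the original post and not code from bfc or ntkcalc): a patcher that checks the expected old bytes at each offset of the unpacked image before writing anything, and reports each value read as a little-endian integer, matching the little-endian CPU named earlier in the thread. The `apply_patches` and `make_constructed_image` names are hypothetical, and the sample image is constructed; real use would read `out.bin` instead.

```python
# Added example. Offsets and byte values are the ones quoted in the post;
# the image built below is a constructed stand-in for the unpacked out.bin.
PATCHES = [
    # (offset, expected old bytes, new bytes)
    (0x003CF38C, bytes.fromhex("00001900"), bytes.fromhex("00102700")),
    (0x003CF52C, bytes.fromhex("00881300"), bytes.fromhex("00941100")),
]


def apply_patches(image, patches):
    """Return (patched_image, report); write nothing unless every check passes."""
    buf = bytearray(image)
    # Pass 1: validate all patches first so a mismatch leaves no partial edit.
    for off, old, new in patches:
        if len(old) != len(new):
            raise ValueError(f"{off:#010x}: patch would change the image length")
        if off + len(old) > len(buf):
            raise ValueError(f"{off:#010x}: offset is past the end of the image")
        found = bytes(buf[off:off + len(old)])
        if found != old:
            raise ValueError(
                f"{off:#010x}: expected {old.hex(' ')}, found {found.hex(' ')}")
    # Pass 2: write, recording each value as a little-endian unsigned integer.
    report = []
    for off, old, new in patches:
        buf[off:off + len(new)] = new
        report.append((off, int.from_bytes(old, "little"),
                       int.from_bytes(new, "little")))
    return bytes(buf), report


def make_constructed_image(size=0x3D0000):
    """Zero-filled sample image with the two original values in place."""
    buf = bytearray(size)
    for off, old, _new in PATCHES:
        buf[off:off + len(old)] = old
    return bytes(buf)


if __name__ == "__main__":
    patched, report = apply_patches(make_constructed_image(), PATCHES)
    for off, before, after in report:
        print(f"{off:#010x}: {before} -> {after}")
```

Running it a second time on an already patched image fails the old-bytes check, which also catches a firmware build where the offsets have moved.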
  20. vvs49

    vvs49 Member

    Tobi@s!!
    I did everything, but through the files - ntkautomator.cmd, ntkcalc-v051.exe, bfc-v01.exe!
    COMPRESS OR DECOMPRESS FIRMWARE(D/C)
    Got - FIRMWARE_decomp.bin = 5583 kb
    I changed the data at the addresses.
    Got - FIRMWARE_decomp_comp.bin = 2954 kb
    I do not know how to verify it!

    Check for yourself.
    https://yadi.sk/d/8sRbUE743JBpRR
     
    Last edited: May 15, 2017