Novatek (NT9665X) firmware studies

jokiin

For mini0903 there was a higher bitrate version where WiFi was disabled; maybe there are some clues in those firmwares.
 
Tobi@s

The disassembly states that there is a file called setwifi.txt on the SD card.
Maybe it can be used to disable WiFi directly or disable it with an invalid configuration.
 

vvs49

Created the file setwifi.txt by reference.
But it just stopped the WiFi; it does not switch to video mode. :(
 

SlimLively

Dear friends, please explain. Is it possible for an ordinary home user to restore an NT 96655bg jooy Novatek jooy A1 1624ds 96655bg dash cam? After purchase, brand new, it behaved as shown at the link.
The seller sent a firmware and said to put the firmware file on the card. After 2 minutes the indicators went out and that was it; the device does not respond and does not turn on now. Can I do anything? There is no picture when connected to AV.
 
Tobi@s

Do you have access to the old firmware? Try flashing another one
 

SlimLively

No access. Now it does not turn on and there is no indicator light. The chip is NT96655GB 1624-DS KWHR6/8.
 
Tobi@s

You still could try to reflash the same firmware. But I'd recommend to contact the reseller and ask for another firmware file.
 

SlimLively

"You still could try to reflash the same firmware. But I'd recommend to contact the reseller and ask for another firmware file."
After flashing, the device does not respond and the lamp does not blink. There is also no signal on AV....
 

vvs49

Gentlemen!
To which processor family does Novatek belong?
Of all the samples in IDA, I arrived at the MIPS architecture.
Isn't it?
 

vvs49

"If it would work, I may just unsolder it from the main PCB as last resort."
AndreyN!!
Did you solve the problem?
I am also trying to solve it programmatically!!
In the extreme case - a relay with a delay and a click on the button on the s-video!

If you unbind the wifi board, the DVR does not work.

Gentlemen, I'm interested!
Who writes the program to these devices, the Chinese?
I cannot find these programmers, even in China! (y)
They are ghosts!! :D
 

Tobi@s

Novatek seems to have changed something in NT96663 since I'm unable to create a valid modified firmware image..
 
Tobi@s

"Can you share any NT96663 firmware?"
Ok, it's not completely broken. But it's also very very weird:

Used firmware is from Mini 0906: http://www.mini0906.com/firmware/FIRMWARE-20170504.zip

It works (valid modified firmware) with these steps:
1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
2. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
3. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
4. Flash the firmware -> flash OK
-> Therefore BFC is still working

It also works when doing this:
1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
2. Modify at 0x003cf38c from 00 00 19 00 to 00 10 27 00
3. Validate out.bin with ntkcalc (ntkcalc.exe -cw out.bin)
4. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
5. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
6. Flash the firmware -> flash OK
-> ntkcalc also still works (checksum algorithm was not modified)

Now the weird part:
1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
2a. Modify at 0x003cf38c from 00 00 19 00 to 00 10 27 00
2b. Modify at 0x003cf52c from 00 88 13 00 to 00 94 11 00
3. Validate out.bin with ntkcalc (ntkcalc.exe -cw out.bin)
4. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
5. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
6. Flash the firmware -> Bootloader fw update procedure fails: FW CHECK FAIL

So modifying at a specific address results in an invalid firmware?! I have no idea what's happening there at the moment...
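An added example (not part of the original post, and not code from bfc or ntkcalc): a guarded patcher that applies the two byte edits from the steps above to a decompressed image only when the expected original bytes are present, and builds one candidate per patch subset (A only, B only, A+B) so the edit that triggers FW CHECK FAIL can be isolated. The labels A and B and the zero-filled sample image are constructed here; checksum and repacking are still left to ntkcalc and bfc.

```python
import hashlib
from itertools import combinations

# Offsets/bytes exactly as quoted in the post; "A"/"B" label steps 2a and 2b.
PATCHES = {
    "A": (0x003CF38C, bytes.fromhex("00001900"), bytes.fromhex("00102700")),
    "B": (0x003CF52C, bytes.fromhex("00881300"), bytes.fromhex("00941100")),
}

def apply_patches(image, names):
    """Return a patched copy; refuse if the expected original bytes are absent."""
    buf = bytearray(image)
    for name in names:
        offset, old, new = PATCHES[name]
        found = bytes(buf[offset:offset + len(old)])
        if found != old:
            raise ValueError(f"patch {name} @ {offset:#x}: want {old.hex()}, got {found.hex()}")
        buf[offset:offset + len(new)] = new
    return bytes(buf)

def diff_offsets(a, b):
    """Offsets at which two equal-length images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def bisect_variants(image):
    """One candidate per non-empty patch subset, to isolate a failing edit."""
    out = {}
    for r in range(1, len(PATCHES) + 1):
        for names in combinations(sorted(PATCHES), r):
            patched = apply_patches(image, names)
            out["+".join(names)] = {
                "sha256": hashlib.sha256(patched).hexdigest(),
                "changed": diff_offsets(image, patched),
                "image": patched,
            }
    return out

def make_sample_image():
    """Constructed stand-in for out.bin: zeros plus the original bytes."""
    buf = bytearray(0x3D0000)
    for offset, old, _new in PATCHES.values():
        buf[offset:offset + len(old)] = old
    return bytes(buf)

if __name__ == "__main__":
    for label, v in bisect_variants(make_sample_image()).items():
        print(label, [hex(o) for o in v["changed"]], v["sha256"][:16])
```

Each variant would then go through ntkcalc -cw and bfc c lz as in the steps above. The byte guard stops a patch written for one firmware build from being applied to a different one, and the recorded hash ties each flash result to the exact image tested.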

vvs49

Tobi@s!!
I did everything, but through the files - ntkautomator.cmd, ntkcalc-v051.exe, bfc-v01.exe!
COMPRESS OR DECOMPRESS FIRMWARE(D/С)
Got - FIRMWARE_decomp.bin = 5583 kb
I changed the data to the addresses.
Got - FIRMWARE_decomp_comp.bin = 2954 kb
How to verify I do not know!

Check for yourself.
https://yadi.sk/d/8sRbUE743JBpRR
 