Novatek (NT9665X) firmware studies

Discussion in 'Firmware Modifications' started by Tobi@s, Apr 17, 2016.

  1. Tobi@s

    Tobi@s Well-Known Member App Developer

    Messages:
    1,353
    Likes Received:
    804
    Location:
    Bavaria
    Country:
    Germany
    Dash Cam:
    some
    Now it's getting even more interesting:
    Example:
    Original binary:
    Code:
    003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00 [1e]00 00 00 ................ //ORIGINAL VALUE: 1e
    003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
    003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
    003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
    003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
    003cf350 38 04 00 00[3c]00 00 00 00 28 23 00 00 00 00 00 8...<....(#..... //ORIGINAL VALUE: 3c
    003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    Failed/invalid binary, only one value modified, results in new checksum:
    Code:
    003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00 1e 00 00 00 ................
    003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
    003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
    003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
    003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
    003cf350 38 04 00 00[1e]00 00 00 00 28 23 00 00 00 00 00 8........(#..... //ORIGINAL VALUE: 3c
    003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    Valid modified binary, two values exchanged, therefore still the same checksum
    Code:
    003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00[3c]00 00 00 ............<... //ORIGINAL VALUE: 1e, exchanged with 3c
    003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
    003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
    003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
    003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
    003cf350 38 04 00 00[1e]00 00 00 00 28 23 00 00 00 00 00 8........(#..... //ORIGINAL VALUE: 3c, exchanged with 1e
    003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    Conclusion: NT9666X uses even more checksums for different parts/areas of code (but probably still the same algorithm)
    Next task is to find these new checksums.......
     
    Falsificator likes this.
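An added example, not code from the thread or from bcl_for_ntk: it rebuilds the dump rows quoted in the post above as a constructed buffer and applies the two modifications described there. The 16-bit additive checksum is an assumption used as a model (the thread does not name the algorithm), and CRC-32 is included only for comparison; `additive_sum16`, `patch` and `detects` are hypothetical helper names.

```python
import struct
import zlib

# Constructed sample: the nine dump rows 0x3cf2e0-0x3cf36f quoted in the post,
# rebuilt as a stand-alone 144-byte buffer.
BASE = 0x3CF2E0
ROWS = [
    "01 00 00 00 00 09 00 00 10 05 00 00 1e 00 00 00",
    "00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00",
    "60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00",
    "38 04 00 00 3c 00 00 00 00 28 23 00 00 00 00 00",
    "06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
]
ORIGINAL = bytes.fromhex(" ".join(ROWS))


def additive_sum16(data):
    """Assumed checksum model: little-endian 16-bit words summed modulo 2**16."""
    words = struct.unpack("<%dH" % (len(data) // 2), data)
    return sum(words) & 0xFFFF


def patch(image, changes):
    """Return a copy of image with {absolute_offset: new_byte} applied."""
    buf = bytearray(image)
    for offset, value in changes.items():
        buf[offset - BASE] = value
    return bytes(buf)


# The two modified images described in the post.
SINGLE = patch(ORIGINAL, {0x3CF354: 0x1E})                   # one value changed
SWAPPED = patch(ORIGINAL, {0x3CF2EC: 0x3C, 0x3CF354: 0x1E})  # two values exchanged


def detects(modified):
    """Report which integrity check notices that modified differs from ORIGINAL."""
    return {
        "sum16": additive_sum16(modified) != additive_sum16(ORIGINAL),
        "crc32": zlib.crc32(modified) != zlib.crc32(ORIGINAL),
    }


if __name__ == "__main__":
    for name, image in (("single edit", SINGLE), ("swap", SWAPPED)):
        print(name, detects(image))
```

Under this model the exchange of two aligned values leaves the sum untouched, while a position-dependent check such as CRC-32 flags both modified images.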
  2. Tobi@s

    Tobi@s Well-Known Member App Developer

    What do you mean exactly?
    decomp = decompressed, therefore the file has to be larger
    comp = compressed, therefore it is smaller?
     
  3. vvs49

    vvs49 Member

    Messages:
    75
    Likes Received:
    11
    Country:
    Ukraine
    Check, I put it ready, it's hard to understand through an interpreter !! :)

    I realized that the data does not change?
     
    Last edited: May 15, 2017
  4. nutsey

    nutsey Active Member

    Messages:
    288
    Likes Received:
    124
    Country:
    Turkey
    But how can you explain it was working with one bitrate value changed? :)
     
  5. Tobi@s

    Tobi@s Well-Known Member App Developer

    Good question. Maybe it's just a specific area of code that's protected with another checksum. The working single value modification was at a lower offset than the failed one.
     
  6. vvs49

    vvs49 Member

    Tobi@s
    You watched my attachment, did I manage to change the data?
    So hard to understand posts by an interpreter ... :cry:
     
  7. Tobi@s

    Tobi@s Well-Known Member App Developer

    It should be ok if you used ntkautomator.cmd from @Alfsoft


    You can always unbrick the camera by doing the update procedure with an original firmware
     
  8. Tobi@s

    Tobi@s Well-Known Member App Developer

    I was able to resolve the FW CHECK FAIL issue:

    The final bcl compressed binary has to be divisible by 4. The bootloader probably checks if filesize%4==0, or rather only reads DWORDs.

    Will soon update the bcl library to comply with the loader check...

    This "new check" is definitely backward compatible (nt9665X) so it shouldn't be an issue for future releases :)

    Edit: Changes are live: http://git.p-mc.eu/Tobi/bcl_for_ntk/
     
    Last edited: May 17, 2017
  9. vvs49

    vvs49 Member

    Tobi
    There is a processor NT96660, did not get through cmd, throws an error. - ???
    1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin) - throws an error
    Needed .NET Framework, №? It is worth Net 4.5
    Can you succeed?
    There MP4 - for viewing, the original.
    There bitrate ~, need to make a constant at the maximum - 24000 (C05D)
    Addresses in the file search.
    https://yadi.sk/d/fXWpjAf13JGVDm

    It seems that it's already decompiled and when they are stitching, it will compile.
    There, too, strange, separately the file = 3.88, as soon as the folder is put, became = 3,99.
    Compiled received 3.88 .... !!! ???
    Last edited: May 18, 2017
  10. Tobi@s

    Tobi@s Well-Known Member App Developer

    That's no problem. The final filesize can differ because the compressed file size depends on the "content" of the binary. Changing some bytes can result in smaller or bigger final files.


    I have no idea why bfc crashed for you.. Maybe try compiling bfc.exe from source http://git.p-mc.eu/Tobi/bcl_for_ntk
     
  11. vvs49

    vvs49 Member

    Ok!
    I will try.
    And you haven't tried?
    I'm curious how you have, what to compare.
     
  12. Tobi@s

    Tobi@s Well-Known Member App Developer

    This one is not compatible with bfc, yet.

    The firmware you attached contains two compressed partitions. The first one at 0x00000000 and the second one at 0x002c5a44.

    At the moment BFC only supports one single partition per firmware binary. Two or more are not possible right now. I will try to fix this soon, but this will still take a while.
     
    Falsificator likes this.
  13. vvs49

    vvs49 Member

    Excellent news.
    And very interesting.
    Thank you!!

    I checked to your addresses, yes everything is OK
    Everything is decompiled / compiled!!

    Gentlemen, is there an opportunity to walk through the firmware on a step-by-step basis?
    We install the STOP command in the firmware and run the firmware on the DVR and determine where the stop is?

    Waiting for another DVR without wifi on the same hardware.
    I want to compare the firmware, determine how to include the wifi by the button, not by default.
    OK
     
    Last edited: May 20, 2017
  14. vvs49

    vvs49 Member

    I got a DVR !!
    The seller turned out to be a crook.
    Slipped the old stuff - NT96223FG and sensor 9712
    Opened the argument, but I'm not the only one and lose everything !!
    Surprisingly, Ali covers the scammers !!

    Tell me how to open the firmware, I want to increase the bitrate and sell.
    I post the full firmware.
    Thank you.
    https://yadi.sk/d/XhdIgTQt3JtYJ9
     
  15. jokiin

    jokiin Well-Known Member Manufacturer

    Messages:
    36,965
    Likes Received:
    18,894
    Location:
    Shenzhen, China - Sydney, Australia
    Country:
    China
    Dash Cam:
    Too many ¯\_(ツ)_/¯
    don't waste your time, it's 720p, no matter what you do it's not going to improve
     
    Tobi@s likes this.
  16. vvs49

    vvs49 Member

    OK, for parts and in the trash! :D
    Here's the data
    Video #0
    ID : 0
    Format : JPEG
    Codec ID : MJPG
    Duration : 10 s 0 ms
    Bit rate : 17.9 Mb/s
    Width : 1 280 pixels
    Height : 720 pixels
    Display aspect ratio : 16:9
    Frame rate : 30.000 FPS

    This is not its firmware, the chip was empty!
    I had a firmware from another on this processor !!

    I can not enter the menu, the selection button does not work.
    Why was the chip empty?
    The programmer failed -?
     
    Last edited: Jun 7, 2017
    Tobi@s likes this.
  17. vvs49

    vvs49 Member

    All probably on vacation? :(
    I would like to understand how it is regulated here:
    Brightness
    Contrast
    Sharpness
    Where are the excerpts data.
     
  18. Tobi@s

    Tobi@s Well-Known Member App Developer

    More or less, I'm still developing the novatek resource editor (sounds/fonts/bitmaps) but was unable to make any progress for weeks since I'm busy with university exams again.
     
    Falsificator and kamkar1 like this.
  19. vvs49

    vvs49 Member

    While with the firmware - ??, made switching wifi hardware.
    In ~ 10 seconds. switching.
    The operation of the buttons is not affected.
    The Wifi network - naturally disappears.
    So installed.


    Suddenly, smoke reg, and burned plume from the button.
    Defect found, it's burned chip timer !!
    It is necessary to feed from 5 volts (Imax = 5 ma), instead of 12 (max = 17 ma), it was blown up in the region of 1, 8 output.
    Let's correct it - it's easy.
     
    Last edited: Jul 18, 2017
    nutsey and Tobi@s like this.
  20. vvs49

    vvs49 Member

    Has altered, will be so.
    In car, the voltage jumps reach more than 14 volts.
    So the chip burnt out.
    I protected the car in the Dvd player, but I did not think for the video registrar, so I got it !!
    HERE
    P. S.
    Already for a week I skate, everything is fine.
    ACC completely feed from 5 volts !!
     
    Last edited: Aug 12, 2017