Novatek (NT9665X) firmware studies

OP
OP
Tobi@s

Tobi@s

Well-Known Member
App Developer
Joined
Nov 12, 2013
Messages
1,370
Likes
835
Location
Bavaria
Country
Germany
Dash Cam
some
Now it's getting even more interesting:
Example:
Original binary:
Code:
003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00 [1e]00 00 00 ................ //ORIGINAL VALUE: 1e
003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
003cf350 38 04 00 00[3c]00 00 00 00 28 23 00 00 00 00 00 8...<....(#..... //ORIGINAL VALUE: 3c
003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Failed/invalid binary, only one value modified, results in new checksum:
Code:
003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00 1e 00 00 00 ................
003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
003cf350 38 04 00 00[1e]00 00 00 00 28 23 00 00 00 00 00 8...<....(#..... //ORIGINAL VALUE: 3c
003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Valid modified binary, two values exchanged, therefore still the same checksum
Code:
003cf2e0 01 00 00 00 00 09 00 00 10 05 00 00[3c]00 00 00 ................ //ORIGINAL VALUE: 1e, exchanged with 3c
003cf2f0 00 48 26 00 00 00 00 00 06 00 00 00 00 00 00 00 .H&.............
003cf300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf310 00 00 00 00 01 00 00 00 80 07 00 00 38 04 00 00 ........€...8...
003cf320 60 00 00 00 00 48 26 00 00 00 00 00 06 00 00 00 `....H&.........
003cf330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003cf340 00 00 00 00 00 00 00 00 01 00 00 00 80 07 00 00 ............€...
003cf350 38 04 00 00[1e]00 00 00 00 28 23 00 00 00 00 00 8...<....(#..... //ORIGINAL VALUE: 3c, exchanged with 1e
003cf360 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Conclusion: NT9666X uses even more checksums for different parts/areas of code (but probably still the same algorithm)
Next task is to find these new checksums.......
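Why the image with two exchanged values is still accepted while the single-value change fails, as an added example (not code from this thread, ntkcalc or bfc). It assumes a plain 16-bit word sum as a stand-in for the per-region checksum, whose real algorithm is not shown here, and contrasts it with CRC-32; the zero-filled buffer is constructed around the offsets and values from the dumps above.

```python
import struct
import zlib

# Offsets and values come from the hex dumps in the post; the zero-filled
# buffer around them is constructed sample data, not real firmware.
BASE = 0x003CF2E0
OFF_A = 0x003CF2EC - BASE  # holds 0x1e in the original image
OFF_B = 0x003CF354 - BASE  # holds 0x3c in the original image


def build_sample() -> bytes:
    """Constructed 0x90-byte region carrying the two values from the post."""
    buf = bytearray(0x90)
    struct.pack_into("<I", buf, OFF_A, 0x1E)
    struct.pack_into("<I", buf, OFF_B, 0x3C)
    return bytes(buf)


def patch(data: bytes, off: int, value: int) -> bytes:
    """Return a copy of data with one little-endian DWORD overwritten."""
    out = bytearray(data)
    struct.pack_into("<I", out, off, value)
    return bytes(out)


def sum16(data: bytes) -> int:
    """Assumed stand-in: sum of little-endian 16-bit words, modulo 2**16."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def crc32(data: bytes) -> int:
    """Order-sensitive reference checksum for comparison."""
    return zlib.crc32(data)


def compare(checksum) -> dict:
    """Does each modified image still match the original's checksum?"""
    original = build_sample()
    single = patch(original, OFF_B, 0x1E)   # the "failed/invalid" image
    swapped = patch(single, OFF_A, 0x3C)    # the "valid modified" image
    ref = checksum(original)
    return {"single": checksum(single) == ref,
            "swapped": checksum(swapped) == ref}


if __name__ == "__main__":
    for name, fn in (("sum16", sum16), ("crc32", crc32)):
        print(name, compare(fn))
```

A sum-style checksum is blind to any rearrangement of equal-width words inside the region it covers, so it catches accidental corruption but not a deliberate edit; CRC-32 rejects both modified images.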
 
Tobi@s
Tobi@s!!
I did everything, but through the files - ntkautomator.cmd, ntkcalc-v051.exe, bfc-v01.exe!
COMPRESS OR DECOMPRESS FIRMWARE(D/С)
Got - FIRMWARE_decomp.bin = 5583 kb
I changed the data to the addresses.
Got - FIRMWARE_decomp_comp.bin = 2954 kb
How to verify I do not know!

Check for yourself.
https://yadi.sk/d/8sRbUE743JBpRR
What do you mean exactly?
decomp = decompressed, therefore the file has to be larger
comp = compressed, therefore it is smaller?
 
Tobi@s
But how can you explain it was working with one bitrate value changed? :)
Good question. Maybe it's just a specific area of code that's protected with another checksum. The working single value modification was at a lower offset than the failed one.
 

vvs49

Active Member
Joined
Jan 8, 2015
Messages
109
Likes
29
Country
Ukraine
Tobi@s
You watched my attachment, did I manage to change the data?
So hard to understand posts by an interpreter ... :cry:
 
Tobi@s
It should be ok if you used ntkautomator.cmd from @Alfsoft


You can always unbrick the camera by doing the update procedure with an original firmware
 
Tobi@s
I was able to resolve the FW CHECK FAIL issue:
upload_2017-5-17_16-49-15.png

The final bcl compressed binary has to be divisible by 4. The bootloader probably checks if filesize%4==0 respectively only reads DWORDS

Will soon update the bcl library to comply with the loader check...

This "new check" is definitely backward compatible (nt9665X) so it shouldn't be an issue for future releases :)

Edit: Changes are live: http://git.p-mc.eu/Tobi/bcl_for_ntk/
 

vvs49
Tobi
There is a processor NT96660, did not get through cmd, throws an error. - ???
1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin) - throws an error
Needed .NET Framework, №? It is worth Net 4.5
Can you succeed?
There MP4 - for viewing, the original.
There bitrate ~, need to make a constant at the maximum - 24000 (C05D)
Addresses in the file search.
https://yadi.sk/d/fXWpjAf13JGVDm

It seems that it's already decompiled and when they are stitching, it will compile.
There, too, strange, separately the file = 3.88, as soon as the folder is put, became = 3,99.
Compiled received 3.88 .... !!! ???
st.jpg
 

Tobi@s
That's no problem. The final filesize can differ because the compressed file size depends on the "content" of the binary. Changing some bytes can result in smaller or bigger final files.


I have no idea why bfc crashed for you.. Maybe try compiling bfc.exe from source http://git.p-mc.eu/Tobi/bcl_for_ntk
 
Tobi@s
This one is not compatible with bfc, yet.

The firmware you attached contains two compressed partitions. The first one at 0x00000000 and the second one at 0x002c5a44.

At the moment BFC only supports one single partition per firmware binary. Two or more are not possible right now. I will try to fix this soon, but this will still take a while.
 

vvs49
I will try to fix this soon, but this will still take a while.
Excellent news.
And very interesting.
Thank you!!

I checked to your addresses, yes everything is OK
Everything is decompiled / compiled!!

Gentlemen, is there an opportunity to walk through the firmware on a step-by-step basis?
We install the STOP command in the firmware and run the firmware on the DVR and determine where the stop is?

Waiting for another DVR without wifi on the same hardware.
I want to compare the firmware, determine how to include the wifi by the button, not by default.
OK
 
vvs49
Waiting for another DVR without wifi on the same hardware.
I got a DVR !!
The seller turned out to be a crook.
Slipped the old stuff - NT96223FG and sensor 9712
Opened the argument, but I'm not the only one and lose everything !!
Surprisingly, Ali covers the scammers !!

Tell me how to open the firmware, I want to increase the bitrate and sell.
I post the full firmware.
Thank you.
https://yadi.sk/d/XhdIgTQt3JtYJ9
 

vvs49
no matter what you do it's not going to improve
OK, for parts and in the trash! :D
Here's the data
Video #0
ID : 0
Format : JPEG
Codec ID : MJPG
Duration : 10 s 0 ms
Bit rate : 17.9 Mb/s
Width : 1 280 pixels
Height : 720 pixels
Display aspect ratio : 16:9
Frame rate : 30.000 FPS

This is not its firmware, the chip was empty!
I had a firmware from another on this processor !!

I can not enter the menu, the selection button does not work.
Why was the chip empty?
The programmer failed -?
 
vvs49
All probably on vacation? :(
I would like to understand how it is regulated here:
Brightness
Contrast
Sharpness
Where are the excerpts data.
 
Tobi@s
More or less, I'm still developing the novatek resource editor (sounds/fonts/bitmaps) but was unable to make any progress for weeks since I'm busy with university exams again.
 

vvs49
While with the firmware - ??, made switching wifi hardware.
In ~ 10 seconds. switching.
The operation of the buttons is not affected.
The Wifi network - naturally disappears.
ROi.jpg
So installed.
1 (1).JPG
1 (3).JPG

Suddenly, smoke reg, and burned plume from the button.
Defect found, it's burned chip timer !!
It is necessary to feed from 5 volts (Imax = 5 ma), instead of 12 (max = 17 ma), it was blown up in the region of 1, 8 output.
Let's correct it - it's easy.
 
vvs49
Has altered, will be so.
n5V.jpg
In car, the voltage jumps reach more than 14 volts.
So the chip burnt out.
I protected the car in the Dvd player, but I did not think for the video registrar, so I got it !!
HERE
P. S.
Already for a week I skate, everything is fine.
ACC completely feed from 5 volts !!
 