Edit 4: Also have a look at GoPrawn forums: https://www.goprawn.com/forum/novatek-cams
Hello,
I finally got something interesting to play with after I got a bit "bored" (well not really bored but it wasn't that exciting anymore) with Ambarella A2-A7 chipsets. A fancy SG96650GC which is based on Novatek NT96650 from @niko - thanks again
The first thing I did after receiving the camera was disassembling it (well ok, I mounted it in the car before to test it) and soldering some wires to it to get access to the terminal and see the kernel messages
I didn't think that it would be that easy but it indeed worked:
It even features a little "shell"
I don't know where this will go at the moment, maybe the same path as Ambarella or maybe somewhere completely else. I'll try to obtain information about the firmware and memory layout through the shell, maybe I am able to find something interesting.
The firmware probably consists of two sections, regarding this debug output:
PL is probably payload, it starts within the range of section 01 but is much bigger. No idea what that means, yet.
Will update this thread as soon as I discover something interesting.
Edit1:
There are multiple consoles:
CMD console, EXAM console and eCos console
cmd console - switch key: ">": module based console for debugging
exam console - switch key: "$": ? not implemented in SG dc
ecos console- switch key: "#": probably console of eCos for WiFi support (https://en.wikipedia.org/wiki/ECos ) not implemented in SG dc
Edit2:
Theory:
Bootloader is permanent - atleast it cant be flashed using firmware binaries. Maybe it can be updated via USB.
It loads the firmware binary to 0x80000000 and executes it (...to be continued)
Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
Sooo.. Are these cameras unbrickable? The bootloader cant be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)
Edit3 (for disassembling):
Architecture: MIPS32 24KEc
Memory load address: 0x80000000
Cheers
Tobi
Hello,
I finally got something interesting to play with after I got a bit "bored" (well not really bored but it wasn't that exciting anymore) with Ambarella A2-A7 chipsets. A fancy SG96650GC which is based on Novatek NT96650 from @niko - thanks again
The first thing I did after receiving the camera was disassembling it (well ok, I mounted it in the car before to test it) and soldering some wires to it to get access to the terminal and see the kernel messages
I didn't think that it would be that easy but it indeed worked:
It even features a little "shell"
I don't know where this will go at the moment, maybe the same path as Ambarella or maybe somewhere completely else. I'll try to obtain information about the firmware and memory layout through the shell, maybe I am able to find something interesting.
The firmware probably consists of two sections, regarding this debug output:
Code:
[LOAD-FW]
Total Sections = 2
Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD)
PL_begin
Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD)
PL_end
Will update this thread as soon as I discover something interesting.
Edit1:
There are multiple consoles:
CMD console, EXAM console and eCos console
cmd console - switch key: ">": module based console for debugging
exam console - switch key: "$": ? not implemented in SG dc
ecos console- switch key: "#": probably console of eCos for WiFi support (https://en.wikipedia.org/wiki/ECos ) not implemented in SG dc
Edit2:
Theory:
Bootloader is permanent - atleast it cant be flashed using firmware binaries. Maybe it can be updated via USB.
It loads the firmware binary to 0x80000000 and executes it (...to be continued)
Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
Sooo.. Are these cameras unbrickable? The bootloader cant be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)
Edit3 (for disassembling):
Architecture: MIPS32 24KEc
Memory load address: 0x80000000
Cheers
Tobi
Last edited: