Novatek (NT9665X) firmware studies

Tobi@s

Edit 4: Also have a look at GoPrawn forums: https://www.goprawn.com/forum/novatek-cams

Hello,
I finally got something interesting to play with after I got a bit "bored" (well not really bored but it wasn't that exciting anymore) with Ambarella A2-A7 chipsets. A fancy SG96650GC which is based on Novatek NT96650 from @niko - thanks again ;)

The first thing I did after receiving the camera was disassembling it (well ok, I mounted it in the car before to test it) and soldering some wires to it to get access to the terminal and see the kernel messages :D
[Image: sg96650gc-board-bp.jpg]

I didn't think that it would be that easy but it indeed worked:
[Image: upload_2016-4-17_20-33-3.png]

It even features a little "shell" :)
[Image: upload_2016-4-17_20-34-15.png]

I don't know where this will go at the moment, maybe the same path as Ambarella or maybe somewhere completely else. I'll try to obtain information about the firmware and memory layout through the shell, maybe I am able to find something interesting.

The firmware probably consists of two sections, regarding this debug output:
Code:
[LOAD-FW]
Total Sections = 2
   Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD)
PL_begin
   Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD)
PL_end
PL is probably payload, it starts within the range of section 01 but is much bigger. No idea what that means, yet.

Will update this thread as soon as I discover something interesting.

Edit1:
There are multiple consoles:
CMD console, EXAM console and eCos console
cmd console - switch key: ">": module based console for debugging
exam console - switch key: "$": ? not implemented in SG dc
ecos console - switch key: "#": probably console of eCos for WiFi support (https://en.wikipedia.org/wiki/ECos), not implemented in SG dc

Edit2:
Theory:
Bootloader is permanent - at least it can't be flashed using firmware binaries. Maybe it can be updated via USB.
It loads the firmware binary to 0x80000000 and executes it (...to be continued)
Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
Sooo.. Are these cameras unbrickable? The bootloader can't be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)

Edit3 (for disassembling):
Architecture: MIPS32 24KEc
Memory load address: 0x80000000

Cheers
Tobi
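
The [LOAD-FW] dump from the post above, parsed and checked, as an added example that is not part of the original post. It verifies each `Size` against its range, quantifies the overlap between the two sections, and maps start addresses to image offsets under the post's theory that the binary is loaded flat at 0x80000000 (an assumption, as are the function names).

```python
import re

# Debug output copied from the post above.
LOAD_FW_LOG = """\
[LOAD-FW]
Total Sections = 2
   Section-01: Range[0x80000000~0x800B0000] Size=0x000B0000 (LOAD)
PL_begin
   Section-02: Range[0x800AF1F0~0x803C9910] Size=0x0031A720 (LOAD)
PL_end
"""
LOAD_BASE = 0x80000000  # "Memory load address" from Edit3

SECTION_RE = re.compile(
    r"Section-(\d+):\s*Range\[0x([0-9A-Fa-f]+)~0x([0-9A-Fa-f]+)\]\s*Size=0x([0-9A-Fa-f]+)")
TOTAL_RE = re.compile(r"Total Sections\s*=\s*(\d+)")


def parse_sections(log):
    """Return (declared section count, list of section dicts)."""
    total = TOTAL_RE.search(log)
    sections = []
    for m in SECTION_RE.finditer(log):
        start, end, size = (int(m.group(i), 16) for i in (2, 3, 4))
        sections.append({
            "index": int(m.group(1)), "start": start, "end": end, "size": size,
            "size_ok": end - start == size,   # range treated as [start, end)
            "image_offset": start - LOAD_BASE,  # assumes a flat load at LOAD_BASE
        })
    return (int(total.group(1)) if total else None), sections


def overlaps(sections):
    """Return (index_a, index_b, lo, hi) for each pair sharing addresses."""
    found = []
    ordered = sorted(sections, key=lambda s: s["start"])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            lo, hi = max(a["start"], b["start"]), min(a["end"], b["end"])
            if lo < hi:
                found.append((a["index"], b["index"], lo, hi))
    return found


if __name__ == "__main__":
    total, secs = parse_sections(LOAD_FW_LOG)
    for s in secs:
        print(f"section {s['index']}: offset 0x{s['image_offset']:X} size_ok={s['size_ok']}")
    for a, b, lo, hi in overlaps(secs):
        print(f"sections {a}/{b} overlap 0x{lo:08X}-0x{hi:08X} ({hi - lo} bytes)")
```
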
 
Can you give us more details about where to tap in and terminal settings?
 
Can you give us more details about where to tap in and terminal settings?
Uhm can you be more specific? What do you mean with "tap in"?
 
Confirmed: https://dashcamtalk.com/cams/mobius/Novatek NT96650.pdf page 10 "On-chip Boot Strap Loader"
Sooo.. Are these cameras unbrickable? The bootloader can't be overwritten so it will always start. Bootloader also is responsible for firmware updates. After flashing a corrupted image the camera would still boot into the bootloader (and could start the update procedure again?)

pretty much, the bootloader is separate to the firmware always
 
pretty much, the bootloader is separate to the firmware always
Good to know, so I can "safely" try to modify the firmware. Unfortunately the bootloader is not really chatty so I can't get information about what's wrong with invalid firmwares like Ambarella's update program did.

Failed fw update:
Code:
NPT
Loader B40SB Start ...

655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27

RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRNonComp

FW check fail

Successful fw update:
Code:
NPT
Loader B40SB Start ...

655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27

RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRNonComp

Ud FW
eeeeeeeeeeeeeeeeEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEeeeeeeeeWWWW[10621 'W' omitted]WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWR
RFlsh
R
PL
RCPU/OCP/APB = 432/432/80 Mhz, DMA = 372 Mhz
Clk verify PASS
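
A way to summarize captured loader output like the two logs above, as an added example that is not part of the original post. It collapses the progress-letter runs and classifies the outcome from the markers those logs show ("FW check fail", "Ud FW", "Clk verify PASS"); the sample logs are constructed by shortening the runs, and the "incomplete" outcome and the function name are assumptions.

```python
import re
from itertools import groupby

# Constructed samples: the two logs from the post with the progress runs shortened.
HEADER = "NPT\nLoader B40SB Start ...\n\n655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27\n\n"
FAILED_LOG = HEADER + "RRRRRRRRNonComp\n\nFW check fail\n"
UPDATED_LOG = (HEADER + "RRRRRRRRNonComp\n\nUd FW\neeeeEEEEEEeeWWWWWWWWR\nRFlsh\nR\nPL\n"
               "RCPU/OCP/APB = 432/432/80 Mhz, DMA = 372 Mhz\nClk verify PASS\n")

# A line that starts with a run of the progress letters seen in the logs.
PROGRESS_RE = re.compile(r"^([ReEW]{4,})(.*)$")
LOADER_RE = re.compile(r"^Loader (\S+) Start")


def summarize(log):
    """Return loader id, collapsed progress runs, text markers and outcome."""
    info = {"loader": None, "runs": [], "markers": [], "outcome": "unknown"}
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        loader = LOADER_RE.match(line)
        progress = PROGRESS_RE.match(line)
        if loader:
            info["loader"] = loader.group(1)
        elif progress:
            # Collapse "eeeeEEEE..." into [("e", 4), ("E", 4), ...].
            info["runs"] += [(c, len(list(g))) for c, g in groupby(progress.group(1))]
            if progress.group(2):  # text glued to the run, e.g. "NonComp"
                info["markers"].append(progress.group(2))
        else:
            info["markers"].append(line)
    marks = info["markers"]
    if "FW check fail" in marks:
        info["outcome"] = "rejected"
    elif "Ud FW" in marks:
        # Assumption: an update that never reaches the clock check was cut short.
        info["outcome"] = "updated" if "Clk verify PASS" in marks else "incomplete"
    return info


if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("updated", UPDATED_LOG)):
        s = summarize(log)
        print(name, s["loader"], s["outcome"], s["runs"])
```
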
 
if the incorrect firmware is applied the correct one will generally be able to be reinstalled no problem, start messing with the bootloader though and it can be a problem
 
Nice Bus Pirate ;)
 
Alright, messing with the bootloader probably requires to jtag the dashcam (I have no idea about that kind of debugging so that's not even a choice :D) since there seems to be no other way to access it. Right now I'm dumping the memory, maybe I'll find something interesting in there. But this will take some time
 
Any news? By the way bootloader can update itself from the memory card.

yes it is also updated from memory card, if you get the bootloader wrong though you will have something you cannot recover, there is no process to restore by connecting to PC and using software like there is with some other solutions
 
there is no process to restore by connecting to PC and using software
A Novatek cam with broken loader turns into direct usb mode, but we don't have any drivers for it as well as no working flashing tool (I suppose it should be fresh version of EasyUSB writer) available at the moment.
 
A Novatek cam with broken loader turns into direct usb mode, but we don't have any drivers for it as well as no working flashing tool (I suppose it should be fresh version of EasyUSB writer) available at the moment.

there is no software for this
 
But there is an outdated driver and its INF says:
Code:
; Installation inf for the Novatek nt9x series USB Bulk IO for CameraTest Board
 
Might relate to the webcam function, not sure, there's no software for loading firmware to dead boards like there is for Ambarella so it doesn't much matter really
 
device manager find Novatek 98700 USB Firmware Update Device but how can Update
 
But there is an outdated driver and its INF says:
Code:
; Installation inf for the Novatek nt9x series USB Bulk IO for CameraTest Board

BulkIO is for writing flash. There IS a tool... we just don't have it. Trust, it's not "for the webcam". Reach out to novatek and some manufacturers, tell them you bricked your cam and it's in "Firmware Update Device" mode. Someone should have a solution.

EasyUSB goes to v4.5, maybe it could be edited to correct the reason it doesn't work? Has anyone tried it? Obv I don't have this camera or I would be making attempts. Otherwise you can live with finding the checksum for the firmware 2nd portion and editing that.
 
Eh, not always. I got the phoenix flash image from the maker (my camera was actually jacked). Ordered a PCB with BT interface from another factory as 1PC... why so much pessimism? Sometimes they are cool, sometimes they are not.
 
Novatek won't give you anything, most of the brands you see in the market have no engineering capability in house and no access to anything that would help you out of this situation either. it's not pessimism, just the reality of the situation
 