Novatek (NT9665X) firmware studies

Yup, it's the same algorithm.
Conclusion: FullComp firmwares have a second checksum in the BCL header at position 0x04. Algorithm is the same one as for Novatek firmware images.

Updated algorithm:
Code:
uint16_t calc_checksum(uint16_t data[], uint32_t length, uint32_t skip_at, uint16_t startval) {
  uint32_t pos = 0;
  uint16_t checksum = 0;
  while(pos < length) {
    if(pos * 2 == skip_at) {
      checksum += pos;
    } else {
      checksum += pos + data[pos];         
    }
    pos++;
  }   
  return startval + (~checksum & 0xFFFF) + 1;
}

Attachment: checksum calculator for win32 and linux64
Usage:
./checksum filename
./checksum filename [start val] (for non standard checksum start values)
It will automatically detect FullComp firmwares and skip 0x04 for calculation, as well as NonComp (skips 0x6e in this case)
 

Attachments

  • checksum.zip
    25.8 KB · Views: 16
Seems like everything is "cracked" for simple firmwares with one partition:
I was able to unpack, modify and repack a SG firmware. Proof of concept high bitrate firmware (30mbits):
bitrate.png

I'm not sharing the patched firmware binary, since I'm not sure what @jokiin thinks about this.

What I did in detail:
1. unpacked partially compressed binary (compressed@0x000b0000)
2. updated filesize in raw firmware image at 0x68
2.1 changed Bin_Ctrl Flag from 1 to 0 (seems to be responsible for partial compression)
3. updated checksum at 0x6e (using my checksum calculator)
4. _fully_ repacked the image using a patched bcl version (will share soon)
5. calculated the checksum again for packed binary and put it at 0x04
6. flashed it and it works.

Maybe (only maybe) one day there will be a GUI tool like AFT for novatek. For now I'm focusing on command line tools.

checksum calculator v0.4: https://syncandshare.lrz.de/dl/fiUZtiJLeuGnpx2wF9eGuwAs/checksum-v04.zip
-removed entry point check
 
Last edited:
It's always amazed me how you make this look so easy @Tobi@s - amazing work :)
 
To be honest Novatek has been really frustrating until now. Thats why I lost interest in it half a year ago. But after seeing other people also tried it and the post from @nutsey regarding the discovery of the checksum location I started again.
All of this was a lot of guess work, but here we are. I'm excited to see where this might go or end :D
 
Yeah its a geek level way past me, so i just sit on the side line and clap my hands.
 
No problem, I wont. Users should also be aware that they are voidung their warranty using any of the tools here and flashing the result.
If the S/N of SG cameras is not incremental I could offer you that users are required to enter their serial number into a form (before using any of the tools) which stores it in a db to make it easier to check if the firmware has been altered on a device in case of a return.
 
No problem, I wont. Users should also be aware that they are voidung their warranty using any of the tools here and flashing the result.
If the S/N of SG cameras is not incremental I could offer you that users are required to enter their serial number into a form (before using any of the tools) which stores it in a db to make it easier to check if the firmware has been altered on a device in case of a return.

serial numbers are unique but too easy for someone to just supply a false number I think, wouldn't want them affecting someone else's warranty, as the product stands now it's pretty much impossible to brick and can always be rolled back to previous firmware, if people are modding the firmware though I don't know for sure if that will still be the case, needs more investigation

I'm not against the idea of modding as such, just need to see the possible implications first
 
It is like overclocking computers, when you set forth on that path, you better realize that the day after tomorrow you may have toasted your hardware and might need to go buy a new CPU and motherbord.
So if you are not ready to buy the same hardware several times you better stay off modding / overclocking.

And i see amping up bitrates as overclocking of cameras.
 
It is like overclocking computers, when you set forth on that path, you better realize that the day after tomorrow you may have toasted your hardware and might need to go buy a new CPU and motherbord.
So if you are not ready to buy the same hardware several times you better stay off modding / overclocking.

And i see amping up bitrates as overclocking of cameras.

depends what types of mods people are doing, I see people on Ambarella winding bitrates up to ridiculous levels just because they can, this is pretty likely going to lead to problems one way or another, heat, file handling issues etc, if anything has a permanent effect like excessive bitrate and heat might then that becomes an issue, realistically just winding up the bitrate doesn't achieve much and it's the equivalent of script kiddies where they don't really know what they're doing but do it anyway

on the other hand look at some of the work @Falsificator has been doing with firmware, he's looking at image adjustments etc to get better performance, that's useful and can lead to bigger and better things
 
Yeah there is lots of good things to be done in there too, i like the tweaking of the OV4689 sensor for better low light performance.
I wouldn't mind a low light updated x camera firmware.

But sadly i am afraid most people will just jump strait to higher bitrates as the other stuff need a more dedicated approach.

I remember when i first got on the internet, almost daily i had script kiddies port scanning my IP and what not, but it died off after a while.
 
Hello!!
Lord, did not come across on the firmware NT96658?
WH.161026.00
presented China to me this
Well it is very convenient for the mirror !!
Get a copy of the firmware is possible only through programming.
Wrote that:
1080p 60 fps
in fact
1080p 30 fps
Bitrate 11.
That would fix.
I look forward to making you !!!!
 
China without lies - not China !! :D
 
Regarding multi-image binaries:
The problem with the 2nd (most of the thime the eCos) partition was its weird header:
CODEINFO is still at 0x2f but everything else has an offset of 1KB. Therefore the checksum calculation also didn't work with this partition..
But I've found a way to bypass this inner checksum: The checksum inside BCL compressed partitions is not used for verifying the file. Only the outer checksum (inside the bcl header) is checked.
What that means: We can modify any novatek firmware partitions without recalculating the checksum. All we need to to is to compress the partition using bfc and then calculate the checksum for the compressed file.

Edit: Bootloader behavior after flashing a 'checksum bypass' image is a bit strange, see this video:

 
Last edited:
Hello!

I have a NT96655 DVR and everything works fine, except it turns on Wi-Fi every time it is turned on and I don't need this feature. I haven't found an option to disable this (firmware wh.161026.00), so I need to manually switch Wi-Fi off each time or just drive with it turned on.

Tobi@s, would it be theoretically possible to edit the firmware to make Wi-Fi don't turn on by default in the future, what do you think?

jokiin, maybe you know - would the DVR work (boot and record video normally) with Wi-Fi PCB removed (it is a separate PCB)? Or it would fail to boot at all? If it would work, I may just unsolder it from the main PCB as last resort.

Thanks in advance!
 
It could be possible. But I don't know how wifi is controlled in novatek (ambarella uses a linux kernel for this) so thats all I can say about it...
 
jokiin, maybe you know - would the DVR work (boot and record video normally) with Wi-Fi PCB removed (it is a separate PCB)? Or it would fail to boot at all? If it would work, I may just unsolder it from the main PCB as last resort.

it might work if the WiFi PCB is disconnected, depends on the firmware I guess
 
Lord, how to make the backup of the firmware?
Is there a command as for ambarella?
firmfl gen 5 bst bld pri rom dsp d:\backup.bin
 
It should work with the command "mem dumpcode"
But: you have to get access to the shell which is impossible without hardware modifications
 
Back
Top