Novatek (NT9665X) firmware studies

For the mini0903 there was a higher bitrate version where WiFi was disabled; maybe there are some clues in those firmwares.
 
The disassembly states that there is a file called setwifi.txt on the sdcard
Maybe it can be used to disable WiFi directly or disable it with an invalid configuration.
 
Created the file setwifi.txt by reference.
But it just stopped the WiFi; it does not switch to video mode. :(
 
Dear friends, please explain. Is there a way for an ordinary home user to recover an NT 96655bg jooy NOVATEK jooy A1 1624ds 96655bg dashcam? After purchase, brand new, it behaved as shown at the link.
The seller sent a firmware and said to put the firmware file on the card. After 2 minutes the indicators went out and that was it; the device does not respond and does not turn on now. Can I do anything? When connected to AV there is no image.
 
Do you have access to the old firmware? Try flashing another one
 
No access. Now it does not turn on and there is no light indication. The chip is NT96655GB 1624-DS KWHR6/8
 
You still could try to reflash the same firmware. But I'd recommend to contact the reseller and ask for another firmware file.
 
After flashing, the device does not respond and the lamp does not blink. On AV there is also no signal....
 
Gentlemen!
To which processor family does Novatek belong?
Of all the samples in IDA, I approached the MIPS architecture.
Isn't it?
 
mips24kec 32bit little endian
 
Yes, load address 0x80000000 afaik
 
If it would work, I may just unsolder it from the main PCB as last resort.
AndreyN!!
Did you solve the problem?
Also I try, to solve it programmatically !!
In the extreme case - a relay with a delay and a click on the button on the s-video!

If you unbind the wifi board, the DVR does not work.

Gentlemen, I'm interested!
Who writes the program to these devices, the Chinese?
I can not find, even in China, these programmers! (y)
They are ghosts !! :D
 

Novatek seems to have changed something in NT96663 since I'm unable to create a valid modified firmware image..
 
Can you share any NT96663 firmware?
 
Ok, it's not completely broken. But it's also very very weird:

Used firmware is from Mini 0906: http://www.mini0906.com/firmware/FIRMWARE-20170504.zip

It works (valid modified firmware) with these steps:
1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
2. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
3. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
4. Flash the firmware -> flash OK
-> Therefore BFC is still working

It also works when doing this:
1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
2. Modify at 0x003cf38c from 00 00 19 00 to 00 10 27 00
3. Validate out.bin with ntkcalc (ntkcalc.exe -cw out.bin)
4. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
5. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
6. Flash the firmware -> flash OK
-> ntkcalc also still works (checksum algorithm was not modified)

Now the weird part:
1. Unpack FIRMWARE.bin with bfc (command used: bfc.exe d FIRMWARE.bin out.bin)
2a. Modify at 0x003cf38c from 00 00 19 00 to 00 10 27 00
2b. Modify at 0x003cf52c from 00 88 13 00 to 00 94 11 00
3. Validate out.bin with ntkcalc (ntkcalc.exe -cw out.bin)
4. Repack out.bin -> fw.bin (command used: bfc.exe c lz out.bin fw.bin)
5. Validate fw.bin with ntkcalc (ntkcalc.exe -cw fw.bin)
6. Flash the firmware -> Bootloader fw update procedure fails: FW CHECK FAIL

So modifying at a specific address results in an invalid firmware?! I have no idea what's happening there at the moment...
 
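An added example, not from the thread and not part of bfc or ntkcalc: a Python helper that applies the two byte edits quoted in the post above to a decompressed image only when the original bytes are actually present, and then lists what really changed, so each edit can be tested on its own when tracking down the FW CHECK FAIL. The sample image is constructed filler, and reading each site as a little-endian 32-bit word is an assumption based on the "mips24kec 32bit little endian" reply.

```python
import struct

# (offset, original bytes, replacement bytes) exactly as quoted in the post above.
PATCHES = [
    (0x003CF38C, bytes.fromhex("00001900"), bytes.fromhex("00102700")),
    (0x003CF52C, bytes.fromhex("00881300"), bytes.fromhex("00941100")),
]

class PatchError(ValueError):
    """Raised when a patch cannot be applied safely."""

def le32(raw: bytes) -> int:
    # Assumption: each 4-byte site is one little-endian 32-bit word.
    return struct.unpack("<I", raw)[0]

def apply_patches(image: bytes, patches) -> bytes:
    """Return a patched copy; validate every site before writing any byte."""
    buf = bytearray(image)
    for off, old, new in patches:
        if len(old) != len(new):
            raise PatchError(f"0x{off:08x}: length change would shift the image")
        if off + len(old) > len(buf):
            raise PatchError(f"0x{off:08x}: outside image of {len(buf)} bytes")
        found = bytes(buf[off:off + len(old)])
        if found != old:
            raise PatchError(f"0x{off:08x}: found {found.hex()}, expected {old.hex()}")
    for off, _old, new in patches:
        buf[off:off + len(new)] = new
    return bytes(buf)

def diff_runs(a: bytes, b: bytes):
    """List (offset, bytes_in_a, bytes_in_b) for each contiguous differing run."""
    if len(a) != len(b):
        raise PatchError("images differ in length")
    runs, i, n = [], 0, len(a)
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        j = i
        while j < n and a[j] != b[j]:
            j += 1
        runs.append((i, a[i:j], b[i:j]))
        i = j
    return runs

def make_sample_image() -> bytes:
    # Constructed stand-in for out.bin: zero filler with the original words planted.
    img = bytearray(0x003CF600)
    for off, old, _new in PATCHES:
        img[off:off + len(old)] = old
    return bytes(img)
```

Running `apply_patches` with `PATCHES[:1]` and `PATCHES[1:]` separately gives two images that each carry a single edit, and `diff_runs` against the unmodified out.bin confirms the hex editor touched nothing else before the image goes through bfc and ntkcalc.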
Tobi@s!!
I did everything, but through the files - ntkautomator.cmd, ntkcalc-v051.exe, bfc-v01.exe!
COMPRESS OR DECOMPRESS FIRMWARE(D/С)
Got - FIRMWARE_decomp.bin = 5583 kb
I changed the data to the addresses.
Got - FIRMWARE_decomp_comp.bin = 2954 kb
How to verify I do not know!

Check for yourself.
https://yadi.sk/d/8sRbUE743JBpRR
 