Reversing Novatek NT966xx firmware.

    Managed to compile a command line tool capable of packing/unpacking the firmware files used by Novatek based cams. Now I can see another possible way of hacking NT based products with SPI NOR flash contents modifications.
    Last edited by nutsey; 06-15-2016, 08:32 PM.

  • #2
    Here is the command line tool for unpacking Novatek FW .bin files: https://drive.google.com/file/d/0B4t...ew?usp=sharing
    This tool works with firmware files containing one packed file. You'll have to split the file if more than one FW is combined into it.
    Password for archive is "GoPrawn.com".

    Based on BFC tool from BCL package by Marcus Geelnard.
    Last edited by nutsey; 01-08-2017, 06:50 PM.



    • #3
      WinXP driver for older Novatek devices.


      • Parffilm
        No. I have only an F68 with a black screen after an unsuccessful upgrade.

      • nutsey
        You can try flashing this dump (F68 and SOOCOO C30 are VERY similar inside): https://drive.google.com/file/d/0B4t...ZIYVNDRVE/view
        But you'll need to desolder flash IC and upload dump image into it with a USB SPI programmer.

      • Parffilm
        May I write in the section for Russian?

    • #4
      I'm glad to have a dump of a Novatek 660 firmware (thanx regzno and MSW users from 4pda):
      https://drive.google.com/file/d/0B4t...ew?usp=sharing

      Dumped from an MX 25L3206E flash chip. Should work with the IMX078 equipped Elephone Explorer Pro, SOOCOO C30 V1.0, Discovery Adventures DS300 and one of the SJ8000 compatibles.
      Last edited by nutsey; 06-22-2016, 08:14 PM.



      • Pruikki
        What to do with this? Any programs to open it up?
        I have a half-broken SJ8000 to test hacking on.
        What do you think?
        Last edited by Pruikki; 07-05-2016, 05:27 PM.

      • nutsey
        You need a SPI programmer and basic soldering skills to flash this dump into proper SOC8 IC chip.

    • #5
      So... not possible then. Need some real modding. Well, damn.
      thank you sir!

      Would Ambarella A9 with Xiaomi Yi 2 be possible to edit (bitrates), in theory? What do you think?

      thanks!



      • nutsey
        A9 has limited script functionality but it's possible to patch a FW to add this feature.

    • #6
      Hi there.

      nutsey how can I pack fw back?



      • #7
        Novatek chips support both packed and non-packed firmware files so there is no need to pack it back.



        • kotysoft
          So, in theory, I just have to rename it to FIRMWARE.bin, copy it to SD and it will update as usual? Did you already try it?

        • kotysoft
          0903 nanoQ dashcam (Novatek 96655) is just ignoring the unpacked firmware.bin.

        • nutsey
          I suppose the boot loader compares the checksum and doesn't let it be flashed.

      • #8
        http://imgur.com/a/54zdC

        This doesn't look like Novatek!
        It says "SPCA6330M-HHM11"



        • #9
          @AntiVirGear Yep.



          • #10
            DENOVA script for unpacking Novatek NT96650/NT96660-series SoC firmware. See readme.txt.

            https://drive.google.com/file/d/0B4t...ew?usp=sharing



            • #11
              Here is a very interesting SoC model list from a recently unpacked FW for the NT96660 chip:
              • NT96660
              • NT96663
              • NT96665
              • NT96668
              • NT96665YI
              • NT96668YI
              • NT96660YI
              • NT96022YI
              • NT96663YI



              • #12
                Hi, I have a SJCAM M10 (Novatek 96650). It freezes on the logo at startup. I tried all FW and loader bin files but they did not fix it. Can you help me?



                • nutsey
                  What was the cause for this camera behaviour?

              • #13
                I don't know, maybe a wrong FW.



                • #14
                  Originally posted by nutsey:
                  DENOVA script for unpacking Novatek NT96650/NT96660-series SoC firmware. See readme.txt.

                  https://drive.google.com/file/d/0B4t...ew?usp=sharing
                  Hi there,
                  Good to see someone made progress while I lost interest in it. I have holidays now and some spare time and would love to get back into it. Tried downloading your unpacker; unfortunately gdrive thinks it is infected and prevents any downloads. Could you mirror it somewhere?

                  EDIT: Ok, managed to get the file through a 3rd party Google Drive application. It's basically a wrapper for bfc, right?
                  Last edited by Tobi@s; 12-27-2016, 01:10 PM.



                  • Tobi@s
                    There are many bricked NTK devices? Didn't know that. I'm trying to flash firmwares with random bits flipped but the loader won't accept them due to checksum fail. Even changing some zero bytes in the header before the checksum results in an invalid firmware, so I assume all bytes except the ones of the checksum are used to calculate it.

                    "NPT
                    Loader B40SB Start ...

                    655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27

                    RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRNonComp

                    FW check fail"

                  • nutsey
                    There are some dead bricked NTKs, not 'so many' indeed. My mistake.
                    Here is an example: 660 based Soocoo C30 and its clones were switched to the V2 hardware revision at once (they had to use different SPI memory chips, twice the capacity), so when you try to flash the older V1 hardware with a firmware intended for the newer version the cam gets bricked. I mean the problem was not in the loader checking the checksum, but in not comparing the FW file with the hardware present.

                  • Tobi@s
                    Oh I see. I get it now. But same applies to ambarella firmwares afaik.

                    Seems like the checksum is only a WORD, or the higher bytes are a constant: 55 aa.
                    Checked some firmwares from different cameras and this seems to be the same for every firmware:
                    SJ9000: 55 aa 38 f7
                    SJ9000: 55 aa 70 73
                    SG DC: 55 aa ca e8
                    SG DC: 55 aa 58 9b
                    Last edited by Tobi@s; 12-27-2016, 09:00 PM.

                • #15
                  @Tobi@s Great results, thanx a lot for your efforts!

                  A little addition to this:
                  Code:
                  //algorithm: short chksm; little endian
                  //        init: chksm=?;
                  //        for every byte in firmware binary except checksum address at 0x6c,0x6d,0x6e,0x6f
                  //            evenb: chksm-=<BYTE>
                  //            oddb:  chksm-=<BYTE>*0x100
                  //        done
                  Offsets of skipped bytes for the 2nd FW partition (if any) are 0x46c-f

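As an added worked example (not code from the thread, nor the DENOVA tool), here is nutsey's #15 checksum algorithm in Python, combined with the "55 aa" marker layout Tobi@s reported for bytes 0x6c..0x6f. The init value 0x1234 and the filler image are constructed assumptions; recover_init shows how the unknown init would be derived from a known-good dump, and verify shows why a single flipped bit is rejected.

```python
# Added example: Novatek FW checksum as described in the thread, on a constructed image.
CHK_OFF = 0x6C          # checksum field 0x6c..0x6f (thread: 0x46c..0x46f for a 2nd partition)
MARKER = b"\x55\xaa"    # constant high half observed by Tobi@s; the 16-bit sum follows it


def word_sum(fw: bytes, chk_off: int = CHK_OFF) -> int:
    """Accumulate bytes as in the pseudocode: even offsets count as <BYTE>, odd
    offsets as <BYTE>*0x100 (a little-endian 16-bit word sum), skipping the
    four checksum bytes. Result reduced modulo 2**16 ('short chksm')."""
    acc = 0
    for i, b in enumerate(fw):
        if chk_off <= i < chk_off + 4:
            continue
        acc += b if i % 2 == 0 else b << 8
    return acc & 0xFFFF


def novatek_checksum(fw: bytes, init: int, chk_off: int = CHK_OFF) -> int:
    """chksm = init - sum(...) mod 2**16; 'init' is the value the thread leaves as '?'."""
    return (init - word_sum(fw, chk_off)) & 0xFFFF


def stored_checksum(fw: bytes, chk_off: int = CHK_OFF):
    """Split the 4-byte field into the 2-byte marker and the little-endian 16-bit value."""
    return fw[chk_off:chk_off + 2], int.from_bytes(fw[chk_off + 2:chk_off + 4], "little")


def recover_init(fw: bytes, chk_off: int = CHK_OFF) -> int:
    """Derive the unknown init from a known-good image: init = stored + sum (mod 2**16)."""
    _, stored = stored_checksum(fw, chk_off)
    return (stored + word_sum(fw, chk_off)) & 0xFFFF


def verify(fw: bytes, init: int, chk_off: int = CHK_OFF) -> bool:
    """True when the marker is intact and the recomputed checksum matches the stored one."""
    marker, stored = stored_checksum(fw, chk_off)
    return marker == MARKER and novatek_checksum(fw, init, chk_off) == stored


def make_sample_image(init: int, size: int = 0x100, chk_off: int = CHK_OFF) -> bytes:
    """Constructed stand-in for a firmware image (NOT a real dump) carrying a valid field."""
    img = bytearray((i * 7 + 3) & 0xFF for i in range(size))
    img[chk_off:chk_off + 2] = MARKER
    img[chk_off + 2:chk_off + 4] = novatek_checksum(bytes(img), init, chk_off).to_bytes(2, "little")
    return bytes(img)


if __name__ == "__main__":
    INIT = 0x1234  # assumed; a real init must be recovered from a known-good dump
    good = make_sample_image(INIT)
    print("valid:", verify(good, INIT), "recovered init: 0x%04x" % recover_init(good))
    damaged = bytearray(good); damaged[0x10] ^= 0x01   # one flipped bit, as in Tobi@s's test
    print("valid after flip:", verify(bytes(damaged), INIT))
```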
