Reversing Novatek NT966xx firmware.

  • Reversing Novatek NT966xx firmware.

    Managed to compile a command line tool capable of packing/unpacking the firmware files used by Novatek-based cams. Now I can see another possible way of hacking NT-based products with SPI NOR flash content modifications.
    Last edited by nutsey; 06-15-2016, 09:32 PM.

  • #2
    Here is the command line tool for unpacking Novatek FW .bin files: https://drive.google.com/file/d/0B4t...ew?usp=sharing
    This tool works with firmware files containing one packed file. You'll have to split the file if more than one FW is combined into it.
    Password for archive is "GoPrawn.com".

    Based on BFC tool from BCL package by Marcus Geelnard.
    Last edited by nutsey; 01-08-2017, 07:50 PM.



    • juniornove commented:
      Can someone help me? I put a microSD into my SJCAM M20 with the SJ6 Legend firmware, and the M20 locked up. I tried to put the electronic device of the M20, but it does not recognize it.

    • nutsey commented:
      Did you flash your M20 cam with SJ6 firmware?

  • #3
    WinXP driver for older Novatek devices.
    Attached Files



    • Parffilm commented:
      No. I have only an F68 with a black screen after an unsuccessful upgrade.

    • nutsey commented:
      You can try flashing this dump (F68 and SOOCOO C30 are VERY similar inside): https://drive.google.com/file/d/0B4t...ZIYVNDRVE/view
      But you'll need to desolder flash IC and upload dump image into it with a USB SPI programmer.

    • Parffilm commented:
      May I write in the section/part for Russian?

  • #4
    I'm glad to have a dump of a Novatek 660 firmware (thanx regzno and MSW users from 4pda):
    https://drive.google.com/file/d/0B4t...ew?usp=sharing

    Dumped from MX 25L3206E flash chip. Should work with IMX078 equipped Elephone Explorer Pro, SOOCOO C30 V1.0, Discovery Adventures DS300 and one of SJ8000 compatible.
    Last edited by nutsey; 06-22-2016, 09:14 PM.



    • Pruikki commented:
      What to do with this? Any programs to open it up?
      I have a half-broken SJ8000 to test hacking on.
      What do you think?
      Last edited by Pruikki; 07-05-2016, 06:27 PM.

    • nutsey commented:
      You need an SPI programmer and basic soldering skills to flash this dump into the proper SOC8 IC chip.

  • #5
    So... not possible then. Needs some real modding. Well, damn.
    Thank you, sir!

    Would the Ambarella A9 in the Xiaomi Yi 2 be possible to edit (bitrates), in theory? What do you think?

    thanks!



    • nutsey commented:
      A9 has limited script functionality, but it's possible to patch a FW to add this feature.

  • #6
    Hi there.

    nutsey, how can I pack the FW back?



    • #7
      Novatek chips support both packed and non-packed firmware files so there is no need to pack it back.



      • kotysoft commented:
        So, in theory, I just have to rename it to FIRMWARE.bin, copy it to the SD card and it will update as usual? Did you already try it?

      • kotysoft commented:
        0903 nanoQ dashcam (Novatek 96655) is just ignoring the unpacked firmware.bin.

      • nutsey commented:
        I suppose the boot loader compares the checksum and doesn't let it be flashed.

    • #8
      http://imgur.com/a/54zdC

      This doesn't look like Novatek!
      It says "SPCA6330M-HHM11".



      • #9
        @AntiVirGear Yep.
        [Attached image: i-told-you.jpg]



        • #10
          DENOVA script for unpacking Novatek NT96650/NT96660-series SoC firmware. See readme.txt.

          https://drive.google.com/file/d/0B4t...ew?usp=sharing



          • #11
            Here is a very interesting SoC model list from a recently unpacked FW for the NT96660 chip:
            • NT96660
            • NT96663
            • NT96665
            • NT96668
            • NT96665YI
            • NT96668YI
            • NT96660YI
            • NT96022YI
            • NT96663YI



            • #12
              Hi, I have an SJCAM M10 (Novatek 96650). It freezes on the logo at startup. I tried all FW and loader .bin files, but they did not fix it. Can you help me?



              • nutsey commented:
                What was the cause of this camera behaviour?

            • #13
              I don't know, maybe a wrong FW.



              • #14
                Originally posted by nutsey:
                    DENOVA script for unpacking Novatek NT96650/NT96660-series SoC firmware. See readme.txt.
                    https://drive.google.com/file/d/0B4t...ew?usp=sharing

                Hi there,
                good to see someone made progress while I lost interest in it. I have holidays now and some spare time and would love to get back into it. Tried downloading your unpacker; unfortunately gdrive thinks it is infected and prevents any downloads. Could you mirror it somewhere?

                EDIT: Ok, managed to get the file through a 3rd party Google Drive application. It's basically a wrapper for bfc, right?
                Last edited by Tobi@s; 12-27-2016, 02:10 PM.



                • Tobi@s commented:
                  There are many bricked NTK devices? Didn't know that. I'm trying to flash firmwares with random bits flipped, but the loader won't accept it due to a checksum fail. Even changing some zero bytes in the header before the checksum results in an invalid firmware, so I assume all bytes except the ones from the checksum are used to calculate it.

                  "NPT
                  Loader B40SB Start ...

                  655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27

                  RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRNonComp

                  FW check fail"

                • nutsey commented:
                  There are some dead bricked NTKs, not 'so many' indeed. My mistake.
                  Here is an example: the 660-based Soocoo C30 and its clones were switched to the V2 hardware revision at once (they had to use different SPI memory chips, twice the capacity), so when you try to flash the older V1 hardware with a firmware intended for use with the newer version, the cam gets bricked. I mean the problem was not in the loader checking the checksum, but in not comparing the FW file with the hardware present.

                • Tobi@s commented:
                  Oh I see. I get it now. But the same applies to Ambarella firmwares, afaik.

                  Seems like the checksum is only a WORD, or the higher bytes are a constant: 55 aa.
                  I checked some firmwares from different cameras and this seems to be the same for every firmware:
                  SJ9000: 55 aa 38 f7
                  SJ9000: 55 aa 70 73
                  SG DC: 55 aa ca e8
                  SG DC: 55 aa 58 9b
                  Last edited by Tobi@s; 12-27-2016, 10:00 PM.

              • #15
                @Tobi@s Great results, thanx a lot for your efforts!

                A little addition to this:
                Code:
                    // algorithm: short chksm; little endian
                    //     init: chksm=?;
                    //     for every byte in firmware binary except checksum address at 0x6c,0x6d,0x6e,0x6f
                    //         evenb: chksm -= <BYTE>
                    //         oddb:  chksm -= <BYTE>*0x100
                    //     done
                Offsets of skipped bytes for the 2nd FW partition (if any) are 0x46c-0x46f.
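The checksum routine from the post above and Tobi@s's "55 aa xx xx" observations, written out as an added example so the check can be reproduced and a flashed image verified before it reaches the loader. This is my code, not nutsey's tool, the DENOVA script or anything from Novatek. Assumptions: the init value, which the post leaves as "?", is a parameter (`recover_init()` derives it from an image whose stored checksum is trusted); the split of the 4-byte field into a constant 0x55 0xAA marker plus a little-endian 16-bit checksum is my reading of the byte samples in the thread; the field offsets 0x6c and 0x46c come from the post; the sample image is constructed and not real firmware.

```python
import struct

# Field locations taken from the thread: 0x6c-0x6f in the first FW partition and
# 0x46c-0x46f in the second partition, if the file carries one.
FIRST_PARTITION_FIELD = 0x6C
SECOND_PARTITION_FIELD = 0x46C
FIELD_LEN = 4
# ASSUMPTION (my reading of the "55 aa xx xx" samples, not stated outright in the
# thread): a constant 0x55 0xAA marker followed by the 16-bit checksum, little-endian.
MARKER = b"\x55\xaa"


def word_sum(data: bytes, field_offset: int = FIRST_PARTITION_FIELD) -> int:
    """Sum described in the post: a byte at an even offset counts as the low byte, a
    byte at an odd offset as the high byte (x * 0x100), i.e. the image is summed as
    little-endian 16-bit words, with the 4-byte checksum field skipped."""
    total = 0
    for offset, byte in enumerate(data):
        if field_offset <= offset < field_offset + FIELD_LEN:
            continue
        total += byte if offset % 2 == 0 else byte << 8
    return total & 0xFFFF


def compute_checksum(data: bytes, field_offset: int = FIRST_PARTITION_FIELD, init: int = 0) -> int:
    """chksm = init - word_sum, mod 2^16 (the post subtracts every term from chksm).
    The post leaves the init value unknown ("init: chksm=?"), so it is a parameter."""
    return (init - word_sum(data, field_offset)) & 0xFFFF


def read_checksum_field(data: bytes, field_offset: int = FIRST_PARTITION_FIELD) -> int:
    """Return the stored 16-bit checksum, refusing fields without the 0x55 0xAA marker."""
    if data[field_offset:field_offset + 2] != MARKER:
        raise ValueError("checksum field marker 55 aa not found at 0x%x" % field_offset)
    return struct.unpack_from("<H", data, field_offset + 2)[0]


def write_checksum_field(data: bytearray, value: int, field_offset: int = FIRST_PARTITION_FIELD) -> None:
    """Store marker + little-endian checksum into the field (used to build sample images)."""
    data[field_offset:field_offset + 2] = MARKER
    struct.pack_into("<H", data, field_offset + 2, value & 0xFFFF)


def recover_init(data: bytes, field_offset: int = FIRST_PARTITION_FIELD) -> int:
    """Solve stored = init - sum for init, given an image known to pass the loader check."""
    return (read_checksum_field(data, field_offset) + word_sum(data, field_offset)) & 0xFFFF


def verify_image(data: bytes, field_offset: int = FIRST_PARTITION_FIELD, init: int = 0) -> bool:
    """True when the recomputed checksum equals the stored one: the comparison the
    thread believes is behind the loader's "FW check fail"."""
    return compute_checksum(data, field_offset, init) == read_checksum_field(data, field_offset)


def build_sample_image(size: int = 0x200, field_offset: int = FIRST_PARTITION_FIELD,
                       init: int = 0) -> bytearray:
    """Constructed stand-in for a firmware partition: a deterministic byte pattern
    with a valid checksum field. Not real Novatek firmware."""
    image = bytearray((i * 7 + 0x31) & 0xFF for i in range(size))
    write_checksum_field(image, compute_checksum(bytes(image), field_offset, init), field_offset)
    return image


if __name__ == "__main__":
    good = build_sample_image()
    print("sample image verifies:", verify_image(bytes(good)))
    damaged = bytearray(good)
    damaged[0x100] ^= 0x01  # a single flipped bit outside the field breaks the check
    print("damaged image verifies:", verify_image(bytes(damaged)))
    print("recovered init: 0x%04x" % recover_init(bytes(good)))
```

Running `verify_image()` over a known-good dump before and after any edit reproduces the loader's accept/reject decision offline, and `recover_init()` on an unmodified image pins down the one constant the post does not give; a mismatch between two genuine images there would mean the assumed field layout is wrong, not the image.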
