Managed to compile a command line tool capable of packing/unpacking firmware files used by Novatek based cams. Now I can see another possible way of hacking NT based products by modifying SPI NOR flash contents.
Reversing Novatek NT966xx firmware.
Here is the command line tool for unpacking Novatek FW .bin files: https://drive.google.com/file/d/0B4t...ew?usp=sharing
This tool works with firmware files containing one packed file. You'll have to split your files if it is more than one FW combined into the file.
Password for archive is "GoPrawn.com".
Based on the BFC tool from the BCL package by Marcus Geelnard.
Last edited by nutsey; 01-08-2017, 07:50 PM.
WinXP driver for older Novatek devices.
Attached Files
You can try flashing this dump (F68 and SOOCOO C30 are VERY similar inside): https://drive.google.com/file/d/0B4t...ZIYVNDRVE/view
But you'll need to desolder flash IC and upload dump image into it with a USB SPI programmer.
I'm glad to have a dump of a Novatek 660 firmware (thanx regzno and MSW users from 4pda):
https://drive.google.com/file/d/0B4t...ew?usp=sharing
Dumped from an MX25L3206E flash chip. Should work with the IMX078-equipped Elephone Explorer Pro, SOOCOO C30 V1.0, Discovery Adventures DS300 and one of the SJ8000 compatibles.
Last edited by nutsey; 06-22-2016, 09:14 PM.
So... not possible then. Need some real modding. Well, damn.
Thank you sir!
Would the Ambarella A9 in the Xiaomi Yi 2 be possible to edit (bitrates), in theory? What do you think?
Thanks!
DENOVA script for unpacking Novatek NT96650/NT96660-series SoC firmware. See readme.txt.
https://drive.google.com/file/d/0B4t...ew?usp=sharing
Originally posted by nutsey:
DENOVA script for unpacking Novatek NT96650/NT96660-series SoC firmware. See readme.txt.
https://drive.google.com/file/d/0B4t...ew?usp=sharing
Good to see someone made progress while I lost interest in it. I have holidays now and some spare time and would love to get back into it. Tried downloading your unpacker; unfortunately gdrive thinks it is infected and prevents any downloads. Could you mirror it somewhere?
EDIT: OK, managed to get the file through a 3rd party Google Drive application. It's basically a wrapper for bfc, right?
Last edited by [email protected]; 12-27-2016, 02:10 PM.
I'm on the checksum part right now. I'm starting with finding out which area of the binary is used to calculate it. But it's behaving weird..
Just took me an hour to realize that the DWORD before checksum is the binary filesize haha
There are many bricked NTK devices? Didn't know that. I'm trying to flash firmwares with random bits flipped, but the loader won't accept them due to checksum fail. Even changing some zero bytes in the header before the checksum results in an invalid firmware, so I assume all bytes except the ones of the checksum itself are used to calculate it:
"NPT
Loader B40SB Start ...
655B_DDR3_LV1_3_2048Mb 09/26/2015 09:27:27
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR RRRRRRRRRRRRRRNonComp
FW check fail"
There are some dead bricked NTKs, not 'so many' indeed. My mistake.
Here is an example: the 660 based Soocoo C30 and its clones were switched to the V2 hardware revision at once (they had to use different SPI memory chips, twice the capacity), so when you try to flash the older V1 hardware with a firmware intended for the newer version, the cam gets bricked. I mean the problem was not in checking the checksum with the loader, but in not comparing the FW file with the hardware present.
Oh I see. I get it now. But same applies to ambarella firmwares afaik.
Seems like the checksum is only a WORD, or the higher bytes are a constant: 55 aa.
Checked some firmwares from different cameras and this seems to be the same for every firmware:
SJ9000: 55 aa 38 f7
SJ9000: 55 aa 70 73
SG DC: 55 aa ca e8
SG DC: 55 aa 58 9b
Last edited by [email protected]; 12-27-2016, 10:00 PM.
@[email protected] Great results, thanx a lot for your efforts!
A little addition to this:
Code:
// algorithm: short chksm; little endian
// init: chksm=?;
// for every byte in firmware binary except checksum address at 0x6c,0x6d,0x6e,0x6f
// evenb: chksm-=<BYTE>
// oddb: chksm-=<BYTE>*0x100
// done
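Added example (not code from the thread or from nutsey's tool): a small Python checker that reads the header fields discussed above and applies the posted checksum rule. The field offsets (file size DWORD at 0x68, the 55 aa marker at 0x6c-0x6d, the checksum word at 0x6e-0x6f) and the header length are assumptions drawn from the posts, and since the thread leaves the starting value unknown ("init: chksm=?"), it is a parameter that can be recovered from a known-good image.

```python
import struct

# Header layout inferred from the thread; these offsets are assumptions, not a
# documented Novatek spec. The 16-bit checksum starting value is unknown to the
# thread ("init: chksm=?"), so it is a parameter here.
SIZE_OFFSET = 0x68      # "DWORD before checksum is the binary filesize"
CHECKSUM_OFFSET = 0x6C  # bytes 0x6c..0x6f excluded: 55 aa marker + checksum word
MARKER = b"\x55\xaa"
HEADER_LEN = 0x70       # constructed: just enough room for the fields above


def novatek_checksum(data: bytes, init: int = 0) -> int:
    """Apply the posted rule: subtract even-offset bytes and odd-offset bytes * 0x100,
    skipping the checksum field, keeping 16 bits (little-endian word)."""
    chk = init & 0xFFFF
    for offset, byte in enumerate(data):
        if CHECKSUM_OFFSET <= offset < CHECKSUM_OFFSET + 4:
            continue
        chk = (chk - (byte if offset % 2 == 0 else byte * 0x100)) & 0xFFFF
    return chk


def parse_header(data: bytes) -> dict:
    """Read the assumed header fields: size DWORD, 55 aa marker, stored checksum word."""
    size, = struct.unpack_from("<I", data, SIZE_OFFSET)
    marker = data[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2]
    stored, = struct.unpack_from("<H", data, CHECKSUM_OFFSET + 2)
    return {"size": size, "marker": marker, "stored_checksum": stored}


def implied_init(data: bytes) -> int:
    """Because the rule is linear, a known-good image reveals the starting value:
    stored = init - S and checksum(init=0) = -S, so init = stored - checksum(0)."""
    return (parse_header(data)["stored_checksum"] - novatek_checksum(data, 0)) & 0xFFFF


def verify_image(data: bytes, init: int) -> bool:
    """Integrity check only: a plain checksum says nothing about who built the image."""
    hdr = parse_header(data)
    return (hdr["size"] == len(data) and hdr["marker"] == MARKER
            and hdr["stored_checksum"] == novatek_checksum(data, init))


def build_sample_image(payload: bytes, init: int) -> bytes:
    """Constructed test image (not a real dump): zero header, size, marker, checksum."""
    img = bytearray(HEADER_LEN) + bytearray(payload)
    struct.pack_into("<I", img, SIZE_OFFSET, len(img))
    img[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2] = MARKER
    struct.pack_into("<H", img, CHECKSUM_OFFSET + 2, novatek_checksum(img, init))
    return bytes(img)
```

Running `implied_init` over a real dump whose loader accepts it gives the starting value the thread could not pin down; running `verify_image` before flashing catches the size and checksum mismatches that the loader would otherwise reject.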