In this thread I will explain how to do modifications to the firmware of your K2.
I will try to keep it as simple as possible, but you will still need at least a minimum of computer experience to be successful.
But before I start...
Disclaimer:
I am not responsible for any damage you do to your device. Although I am quite confident that it is nearly impossible to damage the K2 by modifying the firmware, I cannot guarantee it.
So everything you do, you do at your own risk. And please remember, that installing a modified firmware can void your warranty.
This thread is separated into four sections.
Basics: Here I will list the necessary tools and explain some things you should know to understand what I am talking about.
How to make the firmware editable / Uncompressing the firmware: Here I will explain the necessary steps to uncompress the firmware, so we can edit it.
How to make the (modified) firmware installable / Compressing the firmware: Here I will explain the necessary steps to re-compress the modified firmware, so we can install it to the K2.
How to do modifications: Here I will explain how to do each modification. What settings can be changed, how you can find them in the firmware and what values are valid.
Just reported as spam, again😴
@innovv, do your best to avoid spam.
It seems that the forum is visited more by spammers than by serious visitors. So much spam is not good advertising for you.
Instead of searching all addresses for those settings, which can be changed by the app, I will now focus on finding those values, which can't be set. Like saturation, sharpness, etc.
Unless someone needs to know the address for a specific setting.
Added Motion Detection and Video Contrast to the list of settings.
Gosh, you've done a good job.
I am excited to get started with this myself.
Maybe if the weather here is too bad to ride a motorbike, I can also learn more about it.
4. How to do the modifications
In this section I will list all settings which I have discovered so far. For each one, I will provide:
- the original default value (as it is saved in the firmware)
- the offset where to find the setting in the V0.70 firmware.
- a search pattern for the setting
- the allowed value range
Why a search pattern? Because the offset for a setting differs from firmware to firmware. In V0.57 the sampling rate is at 4f68c0, but in V0.70 it is at 4f7a98.
So you would need some kind of pattern to search for it in future firmware releases.
Some words about the settings which can also be changed via the App (e.g. the Wifi Timer):
Changing them by modifying the firmware will only change the default value of this setting.
You can still change them via the App and the K2 will still save them.
Remember that any value is in hex and little endian encoded (see Basics).
Audio Volume
Default value : 08000000 (=8)
Offset : 0da300
search pattern : 08000000 14000000 03000000 58440000
Allowed value range : 0 - ff (decimal 0 - 255)
Audio Sampling Rate
Default value : 007d0000 (=32000)
Offset : 4f7a98
search pattern : 00000000 01000000 007D0000 02000000
Allowed value range : Did not check all values. 48000 kHz works. (80BB0000)
Video Brightness
Default value : 06000424 (=6)
Offset : 1d4b08
Search pattern : 06000424 F80044AC 05000424
Allowed value range : 00000424 - 0c000424 (00 (lighter) => 0c (darker))
Comment : This is an Assembler instruction. You are only allowed to change the first byte (default 06). Otherwise the firmware may not work.
Video Contrast
Default value : 32000324 (=50)
Offset : 1d54d0
Search pattern : 32000324 A80103AE (pattern may not work on all firmwares)
Allowed value range : 00000324 - 64000324 (00 (lighter) => 0c (darker))
Comment : This is an Assembler instruction. You are only allowed to change the first byte (default 32). Otherwise the firmware may not work.
Wifi Mode
Default value : 2c0340ac
Offset : 1d4b1c
Search pattern : 2C0340AC 400140AC 380140AC
Allowed value range : 2c0340ac = AP Mode (default), 2c0343ac = STA Mode
Comment : This is an Assembler instruction. You are only allowed to use the two options for AP or STA Mode. Otherwise the firmware may not work.
Wifi SSID
Default value : 494E4E4F 56565F4B 325F0000 (String "INNOVV_K2_")
Offset : 4f6e38
Search pattern : Search for String "INNOVV_K2_". The first occurrence is the string you are looking for.
Allowed value range : Anything you want, except special characters like $, % or German umlauts. Max length is 32 characters.
Comment : In AP Mode, the K2 will automatically add the last four digits of the serial number to the SSID. In STA Mode, the SSID will be what you enter here.
Wifi Password
Default value : 31323334 35363738 (String "12345678")
Offset : 4f6e78
Search pattern : 31323334 35363738 00000000 00000000 00000000 00000000 00000000 31323334 35363738 This will find two passwords. The first one is the correct one.
Allowed value range : Anything you want, except special characters like $, % or German umlauts. Max length is 26 characters.
Wifi Timer
Default value : 02000324 (= 2 => Wifi Timer off)
Offset : 1d54e0
Search pattern : 02000324 8C0303AE 080202AE
Allowed value range : 00000324 - 02000324
Comment : This is an Assembler instruction. You are only allowed to change the first byte (default 02). Otherwise the firmware may not work.
Motion Detection
Default value : 700100ae (= 0 => Motion Detection off)
Offset : 1d5488
Search pattern : 700100AE 580100AE
Allowed value range : 700100ae = Motion Detection off (default), 700102ae = on
Comment : This is an Assembler instruction. You are only allowed to use the two options for on or off. Otherwise the firmware may not work.
more to come
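As an added example (not part of the original post and not code from any INNOVV tool), here is one way to apply the search patterns listed above to an unpacked .rbn image in Python. The table layout, the function names and the uniqueness check are assumptions of this example; for Audio Sampling Rate only the two values named above are accepted.

```python
import struct

# Patterns, field positions and ranges are taken from the list above.
# The table layout and function names are assumptions made for this example.
# Fields: (search pattern, byte offset of the value inside the pattern,
#          number of bytes that may be changed, allowed values)
SETTINGS = {
    "audio_volume": ("08000000 14000000 03000000 58440000", 0, 4, range(0x00, 0x100)),
    "audio_sampling_rate": ("00000000 01000000 007D0000 02000000", 8, 4, (32000, 48000)),
    "video_brightness": ("06000424 F80044AC 05000424", 0, 1, range(0x00, 0x0D)),
    "wifi_timer": ("02000324 8C0303AE 080202AE", 0, 1, range(0x00, 0x03)),
}


def find_setting(image: bytes, name: str) -> int:
    """Return the file offset of the setting's value, located by its search pattern."""
    pattern_hex, field, _, _ = SETTINGS[name]
    pattern = bytes.fromhex(pattern_hex)
    first = image.find(pattern)
    if first < 0:
        raise LookupError(f"{name}: pattern not found in this firmware")
    if image.find(pattern, first + 1) >= 0:
        # Added safety check: an ambiguous match means the pattern is too weak here.
        raise LookupError(f"{name}: pattern matches more than once")
    return first + field


def patch_setting(image: bytes, name: str, value: int) -> bytes:
    """Return a copy of the image with one setting changed; the input is untouched."""
    _, _, width, allowed = SETTINGS[name]
    if value not in allowed:
        raise ValueError(f"{name}: {value} is outside the documented range")
    offset = find_setting(image, name)
    # Little endian: least significant byte first. For the one-byte settings only
    # the first byte of the instruction is replaced, the other three stay as-is.
    encoded = struct.pack("<I", value)[:width]
    return image[:offset] + encoded + image[offset + width:]


if __name__ == "__main__":
    # Constructed sample image: 0xFF filler with two of the patterns embedded.
    demo = bytearray(b"\xff" * 0x300)
    demo[0x40:0x50] = bytes.fromhex(SETTINGS["audio_volume"][0])
    demo[0x200:0x20C] = bytes.fromhex(SETTINGS["video_brightness"][0])
    patched = patch_setting(bytes(demo), "audio_volume", 12)
    print(hex(find_setting(bytes(demo), "audio_volume")), patched[0x40:0x44].hex())
```

Locate the setting in the unmodified image first: once a value is patched, its own search pattern no longer matches.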
3. Compressing the firmware / How to make the (modified) firmware installable
Start the ntkTool
Click "Open" at the "Pack firmware" option on the right side and select the modified firmware.
After that, simply click the "Run" button below.
The Tool will calculate the checksums and compress the file, which takes some seconds. The compressed firmware will be saved with a .bcl extension. So if your uncompressed firmware is "K2@00000000.rbn", you will get a "K2@00000000.bcl".
If your firmware is a One-Partition firmware, you are done now. Simply rename the .bcl file to "K2.bin" and flash it to your K2.
If your firmware is a Two-Partition firmware, you have to do some more steps. So read on.
Two-Partition firmware only
We now have to concatenate the newly compressed firmware file and the second partition, we saved before uncompressing the firmware.
The easiest way to do this is by command shell.
So open up command.com (Windows) or Terminal (MacOS/Linux) in the folder where your firmware files are.
Then type the following command.
Windows:
copy /b <your modified compressed firmware> + part-1.bin <name-of-the-finished-firmware>
For example
copy /b K2@00000000.bcl + part-1.bin K2-modified.bin
Linux/MacOS:
cat <your modified compressed firmware> part-1.bin > <name-of-the-finished-firmware>
For example
cat K2@00000000.bcl part-1.bin > K2-modified.bin
That was easy. Now to the tricky part. As the part of the firmware we modified now may have a slightly different size, we need to check the offset of the second partition and adjust it, if necessary.
Open the K2-modified.bin in your Hex Editor
Search for the string "BCL1". You should find it two times. Right at the beginning at Offset 0 and somewhere around Offset 2B3110. The latter one is what we are searching for.
Mark the "B" and write down its exact offset. In the screenshot, it is 2B 31 10.
Now move up 12 bytes. There you will find the old offset, but in reverse order. In the screenshot, this is 11 31 2B 00. Reading backwards, this is (00) 2B 31 11.
If the old and new offset do not match (which they don't here), you have to adjust it. So in this example, we would have to change the "11 31 2B 00" to "10 31 2B 00".
Save the file and we are done. We can now rename the file to K2.bin and flash it to the K2.
2. Uncompressing the firmware / How to make the firmware editable.
The firmware file is compressed, like a zip file. So before doing any modifications, we have to uncompress it. But before doing this, we first have to check what type of firmware file we've got. For reasons I don't know, the firmware file sometimes consists of two partitions and sometimes only of one partition.
This is important to check, because the tool we will use to compress/uncompress the firmware cannot handle multi-partition files.
Luckily, the types are easy to distinguish by their size.
Filesize = 2,8 MB => One Partition
Filesize = 4 MB => Two Partitions
If the firmware file only contains one partition, step over to "Uncompressing the firmware".
If the firmware consists of two partitions, we have to do some more steps to cut off the second partition to append it back later.
So head on.
Two-Partition Firmware only
Open the firmware file in your hex editor
Search for the string "BCL1". You should find it two times. Right at the beginning at Offset 0 and somewhere around Offset 2B3110. The latter one is what you are searching for. Here is the second partition we want to cut off.
Mark the first byte which makes the "B". Now move up 40 bytes and you are right at the beginning of the second partition. Cut off all above this point and save the remaining file as "part-1.bin". For better explanation, here is a screenshot of the V57 firmware.
We have now saved the second partition and can go on uncompressing the firmware.
Uncompressing the firmware
Start the ntkTool
Click the "Load firmware" on the left and select your firmware file.
Now click "Unpack" to uncompress the firmware. If your firmware consists of two partitions, you will see them both here. Ignore the lower one (partition-1) and simply unpack the upper one (partition-0).
The tool will save the uncompressed firmware as <original filename>@00000000.rbn. Like K2@00000000.rbn
That's the file we are going to modify.
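The cut described above for Two-Partition firmware, together with the concatenation and offset correction from section 3, as an added Python example that is not part of the original posts. It assumes "move up" means toward lower file offsets; the function names are made up for this example, and the constructed sample reproduces the 11 31 2B 00 to 10 31 2B 00 correction.

```python
import struct

MAGIC = b"BCL1"
PART_START_BEFORE_MAGIC = 40  # partition 1 begins 40 bytes before its "BCL1"
POINTER_BEFORE_MAGIC = 12     # the stored offset sits 12 bytes before it


def second_magic(image: bytes) -> int:
    """Offset of the second "BCL1"; the first one must be at offset 0."""
    if not image.startswith(MAGIC):
        raise ValueError('image does not start with "BCL1"')
    pos = image.find(MAGIC, len(MAGIC))
    if pos < PART_START_BEFORE_MAGIC:
        raise ValueError('no usable second "BCL1": not a Two-Partition file')
    return pos


def split_firmware(image: bytes):
    """Return (partition 0, contents of part-1.bin)."""
    cut = second_magic(image) - PART_START_BEFORE_MAGIC
    return image[:cut], image[cut:]


def stored_offset(image: bytes) -> int:
    """Read the little-endian offset stored 12 bytes before the second "BCL1"."""
    return struct.unpack_from("<I", image, second_magic(image) - POINTER_BEFORE_MAGIC)[0]


def join_firmware(packed_part0: bytes, part1: bytes) -> bytes:
    """Concatenate like `cat`, then make the stored offset match the real one."""
    image = bytearray(packed_part0 + part1)
    # Computed from the length, so a stray "BCL1" in compressed data cannot mislead it.
    magic_at = len(packed_part0) + PART_START_BEFORE_MAGIC
    if image[magic_at:magic_at + 4] != MAGIC:
        raise ValueError('part-1.bin has no "BCL1" at byte 40')
    struct.pack_into("<I", image, magic_at - POINTER_BEFORE_MAGIC, magic_at)
    return bytes(image)


if __name__ == "__main__":
    # Constructed sample: filler partition 0, and a part-1.bin whose stored
    # offset is stale (11 31 2B 00), as in the post's example.
    part0 = MAGIC + b"\xaa" * (0x2B3110 - 40 - 4)
    part1 = bytes(28) + bytes.fromhex("11312b00") + bytes(8) + MAGIC + b"\x55" * 64
    fixed = join_firmware(part0, part1)
    print(hex(stored_offset(fixed)))
```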
1. Basics
To modify the firmware of the K2, you will need some tools.
NtkTool (for compressing/uncompressing the firmware file). You can get it here. This tool requires Java to run. There are also two command line tools for packing/unpacking and Checksum calculation on this page (Windows/Linux), but in this guide I will only refer to the GUI based tool, because I think most of you will prefer this tool. Just because it is easier to use.
A Hex Editor There are several free Hex Editors for Windows, MacOS or Linux in the net. For example: Windows => https://mh-nexus.de/en/hxd/ MacOS => https://sourceforge.net/projects/hexedit/ Linux => https://sourceforge.net/projects/wxhexeditor/ (should also be available in the repository of your Linux distribution)
A Calculator which is able to convert hex > decimal and vice versa. You can switch the Windows Calculator into a different mode, where it can do this. Don't know if the Apple Calculator can do the same.
Now some basic stuff you should know to understand what I am talking about and what you will see when editing the firmware.
Byte
This is a unit of digital information. Without going into details, when using a hex editor you should know that a byte is always represented by two digits.
Hexadecimal
When using a hex editor, the bytes are shown as hexadecimal values. Like 4a, fe, 0c and so on. See also https://en.wikipedia.org/wiki/Hexadecimal
So if you, for example, want to change the volume from 8 to 12, you would have to enter 0c, as this is the hexadecimal representation of the 12.
Offset
An offset indicates the distance of an address, originating from another address. In our case, from the beginning of the file. Your Hex Editor will show you the offset.
DWord
This simply means four bytes. Any instruction is four bytes long and so are most of the data fields. Even if the value is small enough to fit into one byte, the firmware still uses four bytes.
Little Endian Encoding
The firmware uses something that is called little endian encoding. This means that the least significant value is stored first. Or in other words, bytes are written in reverse order.
This is important to know when changing values within the firmware. So here are some examples.
10 decimal = 0a hex. Expanded to four bytes, this would be 00 00 00 0a. As the least significant byte has to be written first, this changes to 0a 00 00 00
1920 decimal = 07 80 hex. Expanded to four bytes, this would be 00 00 07 80. The firmware will store it as 80 07 00 00
240570 decimal = 03 ab ba hex. Expanded to four bytes, this would be 00 03 ab ba. The firmware will store it as ba ab 03 00