Question powkiddy x16 SoC droid clone?


godkingofcanada

Senior Member
Nov 13, 2013
1,008
460
Anyone seen these handheld retro units from China? Gba, gb, gbc, nes, snes, Sega, psx, cps1+2.

I'm trying to locate firmware. Factory or otherwise, trying to figure out what this is running.
 


JohnnySJ

Senior Member
Apr 4, 2012
72
14
LG V20
OnePlus 7T Pro McLaren
Anyone seen these handheld retro units from China? Gba, gb, gbc, nes, snes, Sega, psx, cps1+2.

I'm trying to locate firmware. Factory or otherwise, trying to figure out what this is running.

Hello,

I bought one, and after watching a few videos I wrote in the comments of a YouTuber who's pretty knowledgeable about these kinds of units. He told me that it runs some kind of Linux, and that several similar units are hacked and flashed with a distro that, while IMO still very dated, runs a lot better and truly shows the potential of the device. The distro is called OpenDingux, if I'm not mistaken. Here is the link to the video. Hopefully this helps. I would love to have the device with a better OS. https://youtu.be/izKA3_rtDD0

EDIT:

I also found the forum for the OS used to improve these devices:
https://boards.dingoonity.org
 

godkingofcanada

Plus, there has to be a way. They flashed it at the factory. I opened it up looking to see if maybe there was an internal SD, but no. It's a flash memory. And I don't think I saw two. So it must be partitioned to keep us out. Maybe I can find a tool to unpartition it or locate the hidden partition.
 

JohnnySJ

I am definitely not at your technical skill level, but does that mean it actually comes with an SD that has been specifically partitioned to be seen by that OS? Is it removable? Maybe inside a Linux distro you can see the contents or the partition table. Also, you mentioned "flash"; that's a term I normally hear for Android. So does this unit probably have a bootloader of some sort?
 

JohnnySJ

OK. I saw your other post, it answered my questions. As I am nowhere near your technical skill level, I can help by doing some research; maybe I can find the firmware files. If they intended to update the device at some point, then there must be a repo somewhere with the OG firmware...


Found their website:
http://www.powkiddygame.com

Now I'll do some digging and try to find the firmware...
 

JohnnySJ

Haven't had any luck finding the firmware. Their site AFAIK cannot be translated bc it uses images instead of text. I am trying to contact a Chinese friend with some tech knowledge to see if he can find out more on the site, or on the social network used in China (Weibo). I'll keep you posted.
 

legumbre19

New member
Mar 14, 2019
1
0
Haven't had any luck finding the firmware. Their site AFAIK cannot be translated bc it uses images instead of text. I am trying to contact a Chinese friend with some tech knowledge to see if he can find out more on the site, or on the social network used in China (Weibo). I'll keep you posted.


I have this model too. There is no information about this console.

I have seen that if you press the power button + vol-, the computer recognizes it as an ADF device, and it is possible that it enters flash mode?
 

ooMoo

Senior Member
Apr 23, 2012
262
68
Is there a way of changing what games appear on the home screens? I just got one for £30 and am trying to set it up with games my son will like.
 

JohnnySJ

No news about this device?
There is another thread here with more up to date information, including a newer firmware. Here is the link:

https://xdaforums.com/general/off-topic/powkiddy-x16-7-retro-arcade-t3880966/page4#post79818633


Has anybody got further with this? I need the Powkiddy X18 firmware and I'm stuck, can't find it anywhere.

Was it a typo? Do you mean the X16?
If so, like I mentioned, there's another thread here in XDA with a link to a newer firmware. Here is the link:
https://xdaforums.com/general/off-topic/powkiddy-x16-7-retro-arcade-t3880966/page4#post79818633
 

godkingofcanada

The other threads on this seem to have vanished; I have the firmware download linked on techtoytinker.com

I was digging into this device more today. Despite seeing the internal memory, I'm not convinced we are 100% in yet. The emulators seem to launch from ./emulator but we can't see that folder. I do however have a theory it might be possible to add an emulator to the G drive, as it now pops up on PC, and write a script that points there. There is a lib folder on G, and on other devices like this putting libs in there is detected at launch, so that's something at least.
 
Feb 11, 2021
16
2
The other threads on this seem to have vanished; I have the firmware download linked on techtoytinker.com

I was digging into this device more today. Despite seeing the internal memory, I'm not convinced we are 100% in yet. The emulators seem to launch from ./emulator but we can't see that folder. I do however have a theory it might be possible to add an emulator to the G drive, as it now pops up on PC, and write a script that points there. There is a lib folder on G, and on other devices like this putting libs in there is detected at launch, so that's something at least.
Please keep us posted, it's a shame that those old posts disappeared because there was a lot of good info there. Have you tried reading the flash with binwalk? Kind of something similar to what they did with the game+watch handheld. Might be a good place to start.. or was that what you meant when you mentioned the dev boards/ps4 hacking?..
 
Feb 11, 2021
16
2
The other threads on this seem to have vanished; I have the firmware download linked on techtoytinker.com

I was digging into this device more today. Despite seeing the internal memory, I'm not convinced we are 100% in yet. The emulators seem to launch from ./emulator but we can't see that folder. I do however have a theory it might be possible to add an emulator to the G drive, as it now pops up on PC, and write a script that points there. There is a lib folder on G, and on other devices like this putting libs in there is detected at launch, so that's something at least.
I'm new here to posting but have been here a few times looking at the old x16 post. I have an x12 model so I've been digging around trying to find any information I can in regards to the hacking/homebrew scene. Not a bad device for the money but definitely has its shortcomings.
 

Top Liked Posts

  • 2
    Hello @mforce2 and @ThegreatHAMbino !

    You just gave a lot of info. I had never found the PDF explaining the whole dev process before; I wish you were here a few years ago when we started the first thread :LOL:
    There are still some issues because we don't have the toolchain they are using (SDE). SDE has been replaced and I was not able to find it back.

    Regarding the modified firmware, I did it step by step as you did: I used the atjboottool you found, and it gave me an SQL database. I guess it's the role of the flasher to go through the tables and flash the files one by one to the NAND flash. Anyway, I checked all the tables with a classic SQL database explorer, then I checked the configuration files (txt), and there was a single flag called "mount system partition = 0" or something like that. My goal was to find the bit in the encrypted firmware in order to modify it. The fact is the encryption used by ATJ is quite simple: each byte is encoded by using a XOR with a specific value, and the good thing is each byte is encoded independently. This means that changing encrypted byte X will not affect byte X+1 encryption/decryption.

    Anyway, after understanding this, and after finding the byte to modify, it was quite simple, so I used a hex editor (dhex on Linux) to modify the encrypted firmware directly.

    I hope it was not too confusing :ROFLMAO:

    I haven't tried modifying/adding a whole file to the SQL database and re-encrypting it. In that case, we'd need to write an ATJEncryptTool as I couldn't find one
    Yeah, got that, thanks a lot. Well, in the meantime I kinda figured it out, all except modifying the bit in the encrypted firmware; that didn't occur to me. I guess based on the decrypt software we could write one that does the encryption back.

    I also sent you an email ( because I didn't know if you'll be back around here ) telling that I've found the SDE and looking at the debug symbols in the files it's the same version of SDE gcc that was used to build the binaries on my Powkiddy J6.
    Both the Powkiddy J6 and the X16 were built under Cygwin by this mysterious Mr Huang; we really need to find him.
    Anyway the SDE is here: https://drive.google.com/file/d/1HWbOy6a19PbnGPQ_crRHC-a6Y-O7P1Em/view?usp=sharing
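
The per-byte XOR behaviour described in the post above means the scheme provides no integrity protection: anyone who knows one plaintext byte can rewrite it in the ciphertext without the key, and only a separate integrity tag would detect that. The following is an added example, not code from the thread or from any vendor tool; the key stream, the config text and the MAC key are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed config text; not taken from any real firmware image.
PLAIN = b"mount_system_partition = 0\nusb_mode = msc\n"
MAC_KEY = b"constructed-mac-key"  # hypothetical key for the integrity check


def keystream(n, seed=b"constructed-demo-seed"):
    """Stand-in for the vendor's per-byte XOR values (assumed, not the real ones)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_bytes(data, ks):
    """Encrypt or decrypt: each byte is XORed with its own key byte."""
    return bytes(d ^ k for d, k in zip(data, ks))


def patch_byte(cipher, offset, old_plain, new_plain):
    """Change one plaintext byte by editing only the ciphertext.

    c = old ^ k, so c ^ old ^ new = new ^ k: the key byte is never needed.
    """
    patched = bytearray(cipher)
    patched[offset] ^= old_plain ^ new_plain
    return bytes(patched)


def tag(cipher):
    """Integrity tag a verifier could keep alongside the image."""
    return hmac.new(MAC_KEY, cipher, hashlib.sha256).digest()


def demo():
    ks = keystream(len(PLAIN))
    cipher = xor_bytes(PLAIN, ks)
    offset = PLAIN.index(b"= 0") + 2  # position of the '0' flag
    patched = patch_byte(cipher, offset, ord("0"), ord("1"))
    changed = [i for i, (a, b) in enumerate(zip(cipher, patched)) if a != b]
    tag_still_valid = hmac.compare_digest(tag(cipher), tag(patched))
    return xor_bytes(patched, ks), changed, tag_still_valid


if __name__ == "__main__":
    print(demo())
```

Exactly one ciphertext byte differs after the patch, the decrypted flag reads 1, and the HMAC over the image no longer matches.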
    2
    In the meantime I've made some discoveries of my own.

    1. There's no Python script as I thought initially. The Actions Pad Tools does indeed support flashing using Python scripts, but at least for the Q700 firmware (where Q700 = X16) this is not how the update is done.
    2. Instead there's some sort of state machine as far as I can tell, and it's mostly all in this Production.dll
    3. SQLite3 is statically linked inside Production.dll and queries are run from the functions inside this DLL


    Now for the interesting part. I've generated a text file , here: https://drive.google.com/file/d/1LSeQ4VLt3gwJQPyMkF6t3tgaUNdQ6lvM/view?usp=sharing

    with all or almost all of the SQL queries that are run during the update in the sequence that they're called in. I think this speaks a lot about what's actually being done.

    It also seems there are some functions defined in the SQL database under tables like ExSymbol and FuncSpec. These functions then use binaries like hwsc09.bin (found in FileTable) to perform operations.

    It also seems there is indeed some encryption :
    'select count(*) from sqlite_master where type=',27h,'table',27h,' ' 'and name=',27h,'ENCRYPT_EN',27h,0

    'select NumberA from ENCRYPT_EN ;',

    In the Q700 update this 'ENCRYPT_EN' is set to 1.

    The sequence itself of the update is.

    1. Check if ADFU and if not switch to ADFU mode
    2. Open Connection ( using winusb.dll )
    3. Use ADFU write from Hardware60u.dll to upload the ADFU binary to the device, adec09_1.bin
    4. Run various commands using CHardware::ExtCommand

    The problem with using the Q700 firmware upgrade file to update the Powkiddy J6 is that it gets stuck and gives an error in the flashing software. It's not bad since I don't want it to mess up my J6, which is not compatible for sure because of the NOR SPI vs NAND.

    Last query after which the failure happens is:

    debug1456:10C657F9 aSelectFilename_10 db 'select FileName from NAND_ID where NumberB = 909717587 ;',0

    I assume that 909717587 is the ID of the NOR flash on the J6 while the Q700 firmware only knows about 2 IDs :

    858796102 and 858801747.

    It all fails here and that's the end of the SQLite3 queries.


    If you have the time I really suggest browsing the text file with the queries, it tells quite a good story and better than I can in words.
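
The queries quoted in the post above can be replayed against an unpacked firmware database to see, before any flashing tool is run, whether the image is marked encrypted and whether it has an entry for a given flash ID. This is an added example, not code from the thread or from Production.dll; the three IDs come from the post, while the table layout, column types and FileName values are assumptions built into a constructed in-memory sample.

```python
import sqlite3

# IDs quoted in the post; everything else in the sample DB is assumed.
KNOWN_IDS = (858796102, 858801747)
J6_ID = 909717587


def build_sample_db():
    """Constructed stand-in for the database produced by unpacking an image."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ENCRYPT_EN (NumberA INTEGER);
        INSERT INTO ENCRYPT_EN VALUES (1);
        CREATE TABLE NAND_ID (NumberB INTEGER, FileName TEXT);
        INSERT INTO NAND_ID VALUES (858796102, 'placeholder_a.bin');
        INSERT INTO NAND_ID VALUES (858801747, 'placeholder_b.bin');
    """)
    return db


def table_exists(db, name):
    row = db.execute(
        "select count(*) from sqlite_master where type='table' and name=?",
        (name,)).fetchone()
    return row[0] > 0


def encryption_enabled(db):
    # A missing table is treated as "not encrypted" (assumption).
    if not table_exists(db, "ENCRYPT_EN"):
        return False
    row = db.execute("select NumberA from ENCRYPT_EN").fetchone()
    return bool(row and row[0])


def flash_file_for(db, flash_id):
    """Same lookup as the last query in the post; None means no entry."""
    row = db.execute("select FileName from NAND_ID where NumberB = ?",
                     (flash_id,)).fetchone()
    return row[0] if row else None


def preflight(db, flash_id):
    """Summarise what the image declares for one flash ID."""
    ids = [r[0] for r in
           db.execute("select NumberB from NAND_ID order by NumberB")]
    return {"encrypted": encryption_enabled(db),
            "known_ids": ids,
            "flash_file": flash_file_for(db, flash_id)}
```

With the sample data, `preflight(build_sample_db(), J6_ID)` reports no matching file, which corresponds to the point where the poster saw the queries stop.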
    2
    @ThegreatHAMbino Wow, you still remember my name :LOL:
    @erexx Hello guys, I haven't connected to XDA for a while, I didn't even know that the old thread was down. Well, I reached the point where I was able to modify a firmware a user posted. This firmware was the one with bubbles on the screen (NOT the PSP-like one). Looking at my archives, I've found back the modified FW I made:

    The only modification done is that when you plug the tablet into the PC, it will also mount the system partition, not only the user partition, letting you see all the binaries used inside. Both partitions will be writable! Interestingly, the binaries are not stripped, so all the debug symbols are still there.

    You'll need the powkiddy flasher program and ADFU drivers to install it. The name of the program is "Actions PAD Product Tools", you'll be able to find this on Google.



    Another interesting finding I've made is that if you open the console, on the motherboard itself, there is a test point for the UART TX pin. By soldering a cable there and connecting it to a USB TTL module or an Arduino, you'll be able to get messages from the system (GND can be taken from the SD card slot case).

    I could modify one of the binaries by hand, i.e. by modifying the binary code, to print out a message on the UART when executing it. However, I was not able to rebuild a binary from scratch with an SDK I found online (which was for a similar device as stated in the archive you've found)


    Note: Multiple members of the former thread and I have tested the modified firmware and reported it working. Still, I am not responsible for any potential damage it could cause to your device.

    EDIT:
    The Powkiddy RES editor will let you modify the RES file you'll find in the system partition. Thanks to this, you'll be able to modify the icon images. The icon titles can be modified by editing the ".desktop" files

    EDIT2: Just found the following link online which SEEMS to be the original firmware:
    It also includes the Action Pad software for flashing the boards.
    2
    This script that is used is really weird,

    FUNCS_AHEAD( )
    {
    BYTE UPG_TOOL = 1 , MAKER_TOOL = 2 ;
    BYTE SCODE = 1 , SCODE_BAK = 2 ;
    __RunFunc("LFI" , "TOOL_TYPE" , UPG_TOOL , "SCODE_TYPE" , SCODE_BAK);
    __ReleaseFunc("LFI");
    __RunFunc("LFI" , "TOOL_TYPE" , UPG_TOOL , "SCODE_TYPE" , SCODE);
    __ReleaseFunc("LFI");
    __RunFunc("HideDisk");
    __ReleaseFunc("HideDisk");
    };

    And these __keywords are then defined in the production DLL ... the functions are then expanded from what I can tell and it becomes recursive.
    The above extract seems like the main upgrade instructions.
    2
    Hello
    I am new here. I'm sorry, but I don't speak English, so I am using Google Translate. On topic:
    I also have the Powkiddy X16 console and found a firmware. I haven't tried it yet.
    Here is a link:
    https://techtoytinker.com/powkiddy-x16-handheld