powkiddy x16 SoC droid clone?

godkingofcanada

Senior Member
Nov 13, 2013
1,000
454
Anyone seen these handheld retro units from China? Gba, gb, gbc, nes, snes, Sega, psx, cps1+2.

I'm trying to locate firmware. Factory or otherwise, trying to figure out what this is running.
 

Attachments

  • IMG_20181218_130547.jpg
    252.7 KB · Views: 257

mforce2

Senior Member
Feb 14, 2009
74
40
I contacted technical support about that old thread. If you know some admins maybe we can also ask them.
I just got the Powkiddy J6 and it has some similar SOC, the Actions ATS3603 and it runs on uCOS.
I opened a development thread for it with my findings so far here: https://boards.dingoonity.org/other-game-systems/powkiddy-j6-development-only-thread/
I would really have needed some resources from the old thread though.
Especially useful would have been some documentation. Does anyone have that ?
 
  • Like
Reactions: ThegreatHAMbino
Feb 11, 2021
13
2
I think a guy named Omar and Kikione? helped figure a few things out. It's hard to remember back, I really hope the issue can be resolved..
 

erexx

New member
Mar 15, 2021
2
0
3 pages but page 2 is lost.
Page 2 seems to be the most important. :(

Page 1 - http://web.archive.org/web/20201203...rs.com/t/powkiddy-x16-7-retro-arcade.3880966/

Page 2 - lost

Page 3 - https://web.archive.org/web/2020120.../t/powkiddy-x16-7-retro-arcade.3880966/page-3

Firmware update - Looks like the result of the lost thread without details.

Tool created to mod res files.
 
Last edited:

o-marshmallow

Senior Member
Feb 26, 2011
78
5
@ThegreatHAMbino Waw, you still remember my name :LOL:
@erexx Hello guys, I haven't connected to XDA for a while, I didn't even know that the old thread was down. Well, I reached the point where I was able to modify a firmware a user posted. This firmware was the one with bubbles on the screen (NOT the PSP-like one). Looking at my archives, I've found back the modified FW I made:

The only modification done is when you plug the tablet to the PC, it will also mount the system partition, not only user partition, letting you see all the binaries used inside. Both partitions will be writable! Interestingly, the binaries are not stripped, so all the debug symbols are still there.

You'll need the powkiddy flasher program and ADFU drivers to install it. The name of the program is "Actions PAD Product Tools", you'll be able to find this on Google.



Another interesting finding I've made is that if you open the console, on the motherboard itself, there is a test point to the UART TX pin:
45976bb6-2c2c-4935-941f-1f8bb321d27c.jpeg

By soldering a cable there and connecting it to a USB TTL module or an Arduino, you'll be able to get messages from the system (GND can be taken from the SD card slot case).

I could modify one of the binaries by hand, i.e. by modifying the binary code, to print out a message on the UART when executing it. However, I was not able to rebuild a binary from scratch with an SDK I found online (which was for a similar device as stated in the archive you've found).


Note: Multiple members of the former thread and I have tested the modified firmware and reported it working. Still, I am not responsible for any potential damage it could cause to your device.

EDIT:
The Powkiddy RES editor will let you modify the RES file you'll find in the system partition. Thanks to this, you'll be able to modify the icon images. The icon titles can be modified by editing the ".desktop" files.

EDIT2: Just found the following link online which SEEMS to be the original firmware:
It also includes the Action Pad software for flashing the boards.
 
Last edited:
Feb 11, 2021
13
2
Yeah man there was a lot of good info there, name just kind of stuck lol. Thanks again for re-explaining your findings. I found the debugger too going through my drive. Rebuilding the binaries can only be done with the proper sdk then? How hard would it be to say start from scratch and build an operating system for the device? Tracking down an sdk for such a device when considering all the rebranding proves to be next to impossible..
 
Last edited:

o-marshmallow

Senior Member
Feb 26, 2011
78
5
@ThegreatHAMbino The debugger ? Have you tried it so far ? :oops:
I was only able to find documentation about a USB debugger but was never able to find the executable.
As I said, the SDK I found before is very similar to the one of the Powkiddy. I am sure there were only a few tweaks to do before getting it to work: I compared the compiled code file from the SDK binary and the one embedded in the Powkiddy and they are similar: same format (ELF), same sections, same start entry address, same address for OS functions, but still, whenever I tried to execute this bin on the Powkiddy, I got a kernel panic (I could see it on the serial), I never understood where the problem was. If only I could find back the link to the SDK...

Another solution is to ask Powkiddy themselves for an SDK. I did it 2 or 3 times but didn't get an answer. If multiple people do this, they may reply. The HW is pretty good honestly, but the SW is really bad. I was thinking about changing the OS, trying to port Linux on it for example but that would take a lot of time: we don't have a proper debugger, nor a JTAG interface, we only have a Serial interface, that's tricky.

EDIT: FOUND IT!
The last one is the SDK I was talking about
 
  • Like
Reactions: ThegreatHAMbino
Feb 11, 2021
13
2
Sadly no, I haven't had a chance to really play around with it yet. It's from the old posts as well, another member had made a little headway iirc around p.15-19 and dropped the download link. It seems like all the information about the Actions chipsets is scattered in the wind. I believe the hardware is a lot more capable than what the software is allowing for. The price point encourages the modding/homebrew aspect but with its lackluster performance out of the box it just doesn't stand out enough to be taken seriously. I'll try to put together a folder of what I've come across so far in the next couple days as a means to help further in the project.
 
  • Like
Reactions: o-marshmallow

mforce2

Senior Member
Feb 14, 2009
74
40
Thanks guys for all the info you posted here.
I have Powkiddy J6 which is quite similar to this and I was hoping to do a bit of hacking on it because I really like the hardware and for the price paid it's cheap enough to play with. I am sure it can do more with the right software and it even has an IPS display.
I couldn't really find a firmware for the Powkiddy J6 so I am going to try and read the one that's currently on it. The other way would be to place a binary on the SD card that I can get it to execute and have that one dump the firmware but that's probably a bit more tricky.
 
  • Like
Reactions: ThegreatHAMbino

Billy_Blaze

New member
Jun 2, 2021
1
1
Oklahoma City
I recently ordered a Powkiddy X16 and it should arrive sometime this week. Once development (hopefully) starts, if you guys need someone to help test firmwares I’d like to help when needed. I agree that the hardware is more than likely being hampered by mediocre software. If a proper firmware can be written then this could turn into a great budget emulation handheld. You guys have my support. 👍👍
 
  • Like
Reactions: ThegreatHAMbino
Feb 11, 2021
13
2
Sorry for the delay guys, I'll post a few things later after work. I have a pdf of the chipset. The debug tool, and a few other odds and ends like the actions tablet tools. Look for an update today..
 
  • Like
Reactions: Billy_Blaze

mforce2

Senior Member
Feb 14, 2009
74
40
How did you modify the firmware ? I mean what tools did you use to unpack it and pack it ? Also I was wondering what exactly did you modify on the file system.

Thanks a lot.

In the meantime I'm working on creating some software to run on the Powkiddy J6 and I imagine that with some small modifications it could also run on the X16. I'd have to check the X16 .app file to figure out but I'm not sure how to unpack the firmware.
 
  • Like
Reactions: ThegreatHAMbino
Feb 11, 2021
13
2
Here you go guys, this is what I've come across/salvaged so far... Hopefully with the debug tool we can get some sort of development going. I do believe the last pdf also has a section that talks about making apps for this software in particular. Hope this helps..
 

Attachments

  • Debug.zip
    87.2 KB · Views: 3
  • Firmware.zip
    125.5 MB · Views: 1
  • ATJ227X_Datasheet_V1.0_101126.pdf
    2.4 MB · Views: 3
  • ACTIONS IH FW Burning Tool_V2.01.03.zip
    25.6 MB · Views: 1
  • ACTIONS Pad Product Tool_V1.01.02.zip
    27.3 MB · Views: 1
  • US212A 应用程序设计指南.pdf
    8.3 MB · Views: 9

mforce2

Senior Member
Feb 14, 2009
74
40
I'm not sure if it's of any interest but I dug through the firmware of the Powkiddy X16 that o-marshmallow posted. Still not sure how he unpacked it but I used this tool: https://github.com/Rockbox/rockbox/tree/master/utils/atj2137/atjboottool
It can decrypt the firmware which results in an .afi file. It wasn't able to unpack this .afi but Actions was quite clever and it's just an SQLite file.

Using a tool like this: https://sqlitebrowser.org you can go to the table called FileTable and you see the files, the file itself being stored as a blob (the SQLite browser allows you to export the blob to a file).
I was curious so I started digging and found the library for the PS1 emulation: "libp1.so". It's based on PCSX-Reloaded, most likely an old version of it.
It's based on PCSX-Reloaded, probably an older version of it (and not the one from here: https://github.com/iCatButler/pcsxr ) but with some Actions modifications around it.

Also in the database there's a table called "VER" which for this Q700 Firmware.fw is "1.1.10.120301". Interesting with this is that my Powkiddy J6 has firmware version ( according to Advanced Settings ) "1.1.10.200605". This means these 2 could be quite similar and I plan to investigate more to see if I find the ADFU commands to dump the firmware.

If anyone knows how to use ADFU to dump the firmware from the device please let me know.
 
  • Like
Reactions: ThegreatHAMbino
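The unpacking step described in the post above (a decrypted .afi opened as SQLite, files stored as blobs in FileTable, a version string in VER), as an added example that is not part of the original thread or of atjboottool. The column names, the single-column VER layout and the sample database are constructed assumptions, so the columns are discovered from the schema rather than hard-coded, and stored names are reduced to a base name because firmware contents are untrusted input.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_afi(path):
    """Create a constructed stand-in for a decrypted .afi (assumed column names)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE FileTable (FileName TEXT, FileData BLOB)")
    con.execute("CREATE TABLE VER (Version TEXT)")
    con.executemany(
        "INSERT INTO FileTable VALUES (?, ?)",
        [
            ("emulator.app", b"\x7fELF" + bytes(12)),
            ("libp1.so", b"\x7fELF" + bytes(28)),
            ("../../escape.bin", b"constructed hostile name"),
        ],
    )
    con.execute("INSERT INTO VER VALUES ('1.1.10.120301')")
    con.commit()
    con.close()


def pick_columns(con, table):
    """Find the first text-like and first BLOB column instead of guessing names."""
    name_col = blob_col = None
    for _cid, col, ctype, *_rest in con.execute(f'PRAGMA table_info("{table}")'):
        ctype = (ctype or "").upper()
        if blob_col is None and "BLOB" in ctype:
            blob_col = col
        elif name_col is None and ("TEXT" in ctype or "CHAR" in ctype):
            name_col = col
    if not (name_col and blob_col):
        raise ValueError(f"{table}: no name/blob column pair found")
    return name_col, blob_col


def safe_target(out_dir, stored_name, index):
    """Keep only the base name so an entry cannot write outside out_dir."""
    base = os.path.basename(str(stored_name).replace("\\", "/"))
    if base in ("", ".", ".."):
        base = f"entry_{index}.bin"
    return os.path.join(out_dir, base)


def extract_afi(afi_path, out_dir):
    """Write every FileTable blob to out_dir; return (version, {name: size})."""
    with open(afi_path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            raise ValueError("not an SQLite database; decrypt the firmware first")
    # Open read-only so inspection can never alter the image under analysis.
    con = sqlite3.connect(Path(afi_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = {row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        if "FileTable" not in tables:
            raise ValueError("FileTable missing")
        name_col, blob_col = pick_columns(con, "FileTable")
        version = None
        if "VER" in tables:
            row = con.execute("SELECT * FROM VER LIMIT 1").fetchone()
            version = row[0] if row else None
        os.makedirs(out_dir, exist_ok=True)
        written = {}
        query = f'SELECT "{name_col}", "{blob_col}" FROM FileTable'
        for index, (name, blob) in enumerate(con.execute(query)):
            target = safe_target(out_dir, name, index)
            with open(target, "wb") as out:
                out.write(blob or b"")
            written[os.path.basename(target)] = len(blob or b"")
        return version, written
    finally:
        con.close()


def demo():
    """Build the constructed sample, extract it, and report what landed on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        afi = os.path.join(tmp, "sample.afi")
        build_sample_afi(afi)
        out_dir = os.path.join(tmp, "out")
        version, written = extract_afi(afi, out_dir)
        return version, written, sorted(os.listdir(out_dir))


if __name__ == "__main__":
    print(demo())
```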

mforce2

Senior Member
Feb 14, 2009
74
40
I'm back with more useful (or useless to some) information from looking at the Q700 Firmware.fw files.
I was very curious what types of emulators are used, it's unlikely that Actions developed their own emulators, right? Well, as it turns out it's all open source stuff so here's what they use.

libp1.so - Playstation 1 emulator - based on PCSX-Reloaded - github search for "Failed to initialise cpu68k module"
libm1.so - Sega Genesis (Mega Drive) emulator - based on Generator - github: https://github.com/mirror/pcsxr/network ("Error Opening CDR Plugin")
libf1.so - NES emulator - based on fakeNES - github search for "Konami VRC6V + ExSound" (old version) , newer here: https://github.com/d4ddi0/fakenes
libgb1.so - GameBoyColor emulator - gnuboy based - github search for "bind esc quit"
libsfc.so - SNES ( or SFC ) emulator - Snes9X based - SDL version: https://github.com/domaemon/snes9x-sdl ( also libretro seems to have it)
libsg1.so - Capcom CPS1 emulator - NJEMU based - https://github.com/phoe-nix/NJEMU
libsg2.so - NeoGeo emulator - probably MAME based - https://github.com/crazii/mame4allds
libsg3.so - MAME emulator - MAME based - https://github.com/mamedev/historic-mame/blob/master/src/mame/machine/cps2crpt.c
libg1.so - GBA emulator - some custom job, has Chinglish text ( my favorite "open gba rom is error!\n" )

Good news is that it should be quite clear where the open source code is integrated with the Actions stuff and how so it's possible to update the emulators based on newer open source versions ( either of these or other emulators ). That's not to say it will necessarily be easy but it's doable.
 
  • Like
Reactions: ThegreatHAMbino
Feb 11, 2021
13
2
I actually wondered about this myself. As the x series went on there were small improvements made to the emulation (mainly Snes and Gen/Md) all while the same chipsets/hardware were being used despite the model. That being said with how locked down the UI/software was, I thought they had to be using closed source emulators. The one thing that still makes me wonder though is that any rom can be launched in any section. .NES files launched under the gba section and so forth. Why would this be based off your findings?..
 
Last edited:

mforce2

Senior Member
Feb 14, 2009
74
40
The emulators are all in common. There's an emulator app called ... emulator.app which uses some emulator lib that doesn't actually do much and then also these different libs that I mentioned above.
In the emulator.app of the Powkiddy X6 at least there's this function:
judge_gametype_byname(char *name)
which looks at the file extension I assume and based on this decides what type of game it is. For the .bin extension though it seems to look at something else also.
Once it determines this it assigns the gametype global variable a value ( 1 is NES , 6 is PS1 and there's like 7 numbers all till 10 ). There's some other variables I think to detect if it supports this emulator and what type of library it needs.
Then still in the emulator.app there's the function that loads the right emulator based on gametype and it loads one of the libs I mentioned above.
All of these libs have a common interface from what I can tell , probably something like save game, pause game, exit game and the emulator app transfers control to the appropriate lib ( based on gametype ) which then does its thing as it needs to.

I'm not sure what improvements are made to these emulation libraries, most seem to rely on quite old code even on the X16 which is quite a new device. In theory they could synchronize with the upstream emulator code but sometimes upstream is abandoned or semi-abandoned. Also depending on how much they needed to modify the emulator to fit into their framework it might not be trivial to pick up the newer changes especially if it diverged quite a bit.

There's also the question of the license , most of these emulators are licensed under GPL or LGPL so there's the obligation to publish the source code but I'm not sure there's any way to enforce this, especially in China. We could try though. Getting the source code to the emulators could allow either to synchronize them with upstream or to completely replace the emulation core while keeping only the interfaces.

Hope that answers your question :)
 
  • Like
Reactions: ThegreatHAMbino

mforce2

Senior Member
Feb 14, 2009
74
40
Also in the .app file I've found these strings
Powkiddy X16: /cygdrive/h/Mr_huang_work/ATJ2279B/ch7968_v1/usdk227c/case_tp/apps/desktop/emulator
Powkiddy J6:/cygdrive/e/Mr_hunag_work/ATS3603_UCOS/CD3670_nor_card_st/usdk227c/case_tp/apps/desktop/

Whoever this Mr is it seems he's very productive but sometimes misspells his name :) . We need to find him. As can be seen the SDKs used are very similar. Unfortunately I cannot locate this SDK , usdk227c.
 
  • Like
Reactions: ThegreatHAMbino

Top Liked Posts

  • 2
    Hello @mforce2 and @ThegreatHAMbino !

    You just gave a lot of info, I had never found the PDF explaining the whole dev process before, I wish you were here a few years ago when we started the first thread :LOL:
    There are still some issues because we don't have the toolchain they are using (SDE). SDE has been replaced and I was not able to find it back.

    Regarding the modified firmware, I did the same steps as you did: I used the atjboottool you found, it gave me an SQL database. I guess it's the role of the flasher to go through the tables and flash the files one by one to the NAND flash. Anyway, I checked all the tables with a classic SQL database explorer, then I checked the configuration files (txt), and there was a single flag called "mount system partition = 0" or something like that. My goal was to find the bit in the encrypted firmware in order to modify it. The fact is the encryption used by ATJ is quite simple, each byte is encoded by using a XOR with a specific value, the good thing is each byte is encoded independently. This means that changing encrypted byte X will not affect byte X+1 encryption/decryption.

    Anyway, after understanding this, and after finding the byte to modify, it was quite simple, so I used a hex editor (dhex on linux) to modify directly the encrypted firmware.

    I hope it was not too confusing :ROFLMAO:

    I haven't tried modifying/adding a whole file to the SQL database and re-encrypting it. In that case, we'd need to write an ATJEncryptTool as I couldn't find one
    Yeah, got that , thanks a lot. Well in the meantime I kinda figured it out, all except the modify the bit in the encrypted firmware, that didn't occur to me. I guess based on the decrypt software we could write one that does the encryption back.

    I also sent you an email ( because I didn't know if you'll be back around here ) telling that I've found the SDE and looking at the debug symbols in the files it's the same version of SDE gcc that was used to build the binaries on my Powkiddy J6.
    Both the Powkiddy J6 and the X16 were built under cygwin by this mysterious Mr Huang, we really need to find him.
    Anyway the SDE is here: https://drive.google.com/file/d/1HWbOy6a19PbnGPQ_crRHC-a6Y-O7P1Em/view?usp=sharing
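The property described in the post above (each byte XORed independently, so one encrypted byte can be changed without disturbing its neighbours), as an added example that is not part of the original thread. The keystream, the sample configuration text and the HMAC check are constructed for illustration: the real ATJ values are not reproduced, and the page does not say whether the format carries any integrity check.

```python
import hashlib
import hmac


def keystream(length, seed=b"constructed-demo-seed"):
    """Stand-in per-byte XOR values; not the real ATJ key material."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data, ks):
    """Encrypts and decrypts: every byte is XORed with its own keystream byte."""
    return bytes(d ^ k for d, k in zip(data, ks))


def patch_ciphertext(ciphertext, offset, old_plain, new_plain):
    """Rewrite known plaintext in place without knowing the key.

    c' = c ^ old ^ new decrypts to (p ^ k ^ old ^ new) ^ k = new when p == old.
    """
    if len(old_plain) != len(new_plain):
        raise ValueError("an in-place patch must keep the length")
    patched = bytearray(ciphertext)
    for i, (old, new) in enumerate(zip(old_plain, new_plain)):
        patched[offset + i] ^= old ^ new
    return bytes(patched)


def changed_offsets(a, b):
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def tag(image, mac_key):
    """Keyed integrity tag over the whole image (illustrative addition)."""
    return hmac.new(mac_key, image, hashlib.sha256).digest()


def demo():
    # Constructed configuration text; the flag wording follows the post.
    plain = b"lang = en\nmount system partition = 0\nvolume = 5\n"
    ks = keystream(len(plain))
    encrypted = xor_bytes(plain, ks)

    flag = b"mount system partition = 0"
    offset = plain.index(flag) + len(flag) - 1  # position of the '0'
    patched = patch_ciphertext(encrypted, offset, b"0", b"1")
    decrypted = xor_bytes(patched, ks)

    # XOR alone gives no integrity; a tag computed at build time would
    # no longer match the edited image.
    mac_key = b"constructed-mac-key"
    shipped_tag = tag(encrypted, mac_key)
    return {
        "offset": offset,
        "cipher_diff": changed_offsets(encrypted, patched),
        "plain_diff": changed_offsets(plain, decrypted),
        "decrypted": decrypted,
        "tag_ok_original": hmac.compare_digest(shipped_tag, tag(encrypted, mac_key)),
        "tag_ok_patched": hmac.compare_digest(shipped_tag, tag(patched, mac_key)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```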
    1
    I'll help out anyway I can. That's really why that first thread was so crucial because that's where the debugger and development pdf came from. I really appreciate the feedback and help you've given so far. Wasn't there for the first thread, but I'll damn sure be there for the second one 😆
    I'm not sure the debugger is doing much unfortunately. I couldn't get it to work myself but it mostly seems to show the contents or something ....
    I did find in some Actions SDK the other part of the debugger, what it's supposed to talk to.
    Hang around , we might get somewhere with this thread too.
    All these Actions devices seem to share the same SDK, the functions are the ones here: https://github.com/uli/actsemi/blob/master/libactsemi/actsemi.c

    They're all exactly the same addresses.
    2
    Hello
    I'm new here. I'm sorry, but I don't speak English, so I'm using Google Translate. On the topic:
    I also have the Powkiddy X16 console and found a firmware. I haven't tried it yet.
    Here is a link:
    https://techtoytinker.com/powkiddy-x16-handheld
    1
    Haven't had any luck finding the firmware. Their site afaik cannot be translated bc it uses images instead of text. I am trying to contact a Chinese friend with some tech knowledge to see if he can find out more in the site, or in the social network used in China (Weibo). I'll keep you posted.