Quite a few years ago (circa 2005), I was involved in a project that aimed to replace the firmware on inexpensive MP3 players using the Actions ATJ2085 controller chip. Whilst I was researching how these players worked, I ended up flashing incompatible firmware to the device and essentially bricked it.
Preamble
Searching for the firmware for no-name players like mine was practically impossible as almost all players claimed to be made by the same manufacturer: “Wilson Co. Ltd.” and they all bore the same model name: “S1 Mp3 Player”. A guy from Brazil, called Wladston, started a project to try and create an open source alternative firmware that would work on all these players based on the ATJ2085 chip. Whilst the goal was never reached, the site did unite many people with similar players and help thousands of people recover their players to working states after a bad upgrade.
Thanks to the strong community and documentation on the site, I was able to get the player into “recovery mode”, which in the majority of instances involved short circuiting a couple of pins on the player’s memory chip.
Thankfully, a tool developed by a guy who went by the name of wiRe, called S1FWX, allowed me to back up the player’s firmware (partially) before I started messing with other firmware files. Sadly though, a backup with S1FWX is only partial and will not flash back onto a player that’s in recovery mode as it lacks the bootloader files which, apparently, don’t seem to be updated with a regular upgrade.
After a few days of searching, I heard of someone who had a similar player recovering theirs by using a firmware file they found on a Chinese manufacturer’s website. Although it was a different form factor to mine, I was getting quite good at putting my device in recovery mode, and another firmware wasn’t going to hurt it. Their only complaint was that although their player worked, the button configuration was different.
After flashing it, to my amazement, my player powered up. The firmware had quite a different interface, but seemed cleaner and a little faster, and had an added screen dimming function to extend the life of the Area Colour OLED display. The only issue was that, as with the other user, my player’s buttons no longer functioned as labelled.
I continued to use my player with the “new” layout for a couple of days, until I happened to stumble upon a post in the S1MP3 forum from a guy going by the name “timber0001”, claiming he had been able to hack the firmware on multicolour backlit players to force the player to stick to the one colour.
I decided to get in contact with him to see if he could help me hack my player’s button configuration…
The hack
In late October 2005, I posted on the S1MP3 forum a guide on how to fix the player’s button configuration.
With timber0001’s help, we found the player’s hardware configuration was in a file called KY_HARD.DRV. Using S1FWX, I was able to take apart the firmware file from the Chinese manufacturer’s website. Then using an assembly decompiler, we were able to look at the file in more detail. As I was, and still am, no expert on assembly code, I let timber0001 study this file more closely. He was pretty sure that lines starting with “LD A” were references to buttons.
Reprogramming the player’s buttons required a hex editor. A program called 2085RES, found on another Chinese site, was able to edit firmware files directly and save them in a state that would work with the player flashing software. Through trial and error I was able to figure out what each code was telling the player to do. For example “LD A,01H” meant “Play/Pause”.
Eventually, I was able to get my player working with the new firmware with the buttons functioning as labelled.
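The button remap described above comes down to changing the immediate operand of each “LD A” instruction in the extracted driver. The following is an added example, not code from the original post or from S1FWX/2085RES. It assumes the ATJ2085 runs Z80-style machine code, where LD A,n is encoded as the byte 3E followed by n; the sample bytes, the meaning of code 02H and the offset window are constructed for illustration.

```python
# Added example: find Z80 "LD A,n" (bytes 3E nn) in a driver blob and remap
# the immediates that encode button codes. Assumption: Z80-compatible core.
LD_A_IMM = 0x3E  # Z80 opcode for LD A,n

# Constructed sample, not real KY_HARD.DRV contents:
#   CP 10H / JR NZ,+3 / LD A,01H / RET   -> 01H = Play/Pause (from the post)
#   CP 20H / JR NZ,+3 / LD A,02H / RET   -> 02H = hypothetical second button
#   3E 01                                -> data that merely looks like LD A,01H
SAMPLE = bytes.fromhex("fe1020033e01c9" "fe2020033e02c9" "3e01")


def find_ld_a(blob, codes, start, end):
    """Return [(offset, immediate)] for each 3E nn in [start, end) with nn in codes.

    A raw byte scan is not a disassembly: 3E can also occur as data or as the
    operand of another instruction, so the caller limits the scan to the
    routine identified in the disassembler listing.
    """
    hits = []
    end = min(end, len(blob))
    i = start
    while i < end - 1:
        if blob[i] == LD_A_IMM and blob[i + 1] in codes:
            hits.append((i, blob[i + 1]))
            i += 2  # skip the operand byte
        else:
            i += 1
    return hits


def remap_buttons(blob, mapping, start, end):
    """Return a patched copy where each LD A,old in the window becomes LD A,new.

    Only operand bytes change, so file length and all other offsets stay put.
    """
    out = bytearray(blob)
    for offset, old in find_ld_a(blob, set(mapping), start, end):
        out[offset + 1] = mapping[old]
    return bytes(out)


if __name__ == "__main__":
    window = (0, 14)  # constructed: bounds of the key-handling routine
    for off, code in find_ld_a(SAMPLE, {0x01, 0x02}, *window):
        print(f"offset {off:#06x}: LD A,{code:02X}H")
    patched = remap_buttons(SAMPLE, {0x01: 0x02, 0x02: 0x01}, *window)
    print(SAMPLE.hex(" "), "->", patched.hex(" "), sep="\n")
```

Diffing the original and patched bytes before reflashing confirms that only the intended operand bytes changed; the trailing 3E 01 outside the window is left alone.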
Sadly, the player got fried by static electricity a few years later, but I certainly got my money’s worth from it. This certainly wasn’t the last S1MP3 related hack I did, but this one will always stick in my mind as it was the first.
Cheers