View Full Version : Zune HD ROM Dump


Da_G
25th September 2009, 10:53 PM
Here we go!

3 Relevant partitions on the Zune HD:

ZBoot (http://hotfile.com/dl/13482450/9ff0b57/ZuneHD-stuff-zboot.rar.html)
NK (http://hotfile.com/dl/13481855/8f967ea/ZuneHD-stuff.rar.html)
EXT (http://hotfile.com/dl/13482387/5fc543b/ZuneHD-stuff-ext.rar.html)

(there's actually a 4th partition, but it's a recovery partition for NK to facilitate fail-safe updating)

Enjoy :)

(a note: some files appear to be damaged, it's my first time dumping a CE 7/Zune HD ROM :P)
(another note: thanks to nd4spd for getting the rom update to me, i don't have a zune hd :))

fards
25th September 2009, 11:07 PM
wow I'll take a look.

Anything usable?

Da_G
25th September 2009, 11:16 PM
These executables are designed for CE 7 and more than likely will not work at all on CE 5 (although things coded for .NET might)

Really, you tell me, though, I haven't actually tried :)

bedoig
25th September 2009, 11:50 PM
Awesome! Subscribed...

fb401
25th September 2009, 11:50 PM
Wait...so you're telling me it might be possible to create custom roms on the zune hd?!?! i need them to come out with a 128 gb model asap then...

votum
26th September 2009, 12:36 AM
WOW....they were trying to dump a zune rom for years.... so this means the protection on the zune HD is not nearly as strong as the regular zune...this is good news indeed...Mine is on backorder still =x

votum
26th September 2009, 12:38 AM
Another quick Q, did you dump that yourself or find it somewhere?

setix
26th September 2009, 01:55 AM
been trying to find this for a few weeks :)
looking forward to see what can be done!

are the keyboard files in a format that we can use on windows mobile phones?

ND4SPD
26th September 2009, 03:13 AM
Another quick Q, did you dump that yourself or find it somewhere?

Actually, all I did was reset my Zune HD in recovery mode and plugged it in. When the Zune Software detected it, it downloaded the ROM from MS. When I was defragging my computer a few days earlier, I happened to find the folder where it saved all of the Firmware Updates. So I just looked in that folder and found the FirmwareUpdate.cab that had the .bin files in it.

setix
26th September 2009, 10:12 PM
after messing around with it, looks like nothing can really be recmoded to make dll files. it may need another way to rec mod than in the vk.

Blackwheel
26th September 2009, 10:12 PM
So does this mean that the Zune HD will be unlocked shortly?! :eek:

benko286
26th September 2009, 10:38 PM
So does this mean that the Zune HD will be unlocked shortly?! :eek:
and does this mean that we will have Zune GUI on winmo devices :D?

setix
26th September 2009, 11:55 PM
and does this mean that we will have Zune GUI on winmo devices :D?

That could take some time, but once we are able to read the files, i will try to work on a keyboard

Blackwheel
26th September 2009, 11:58 PM
That could take some time, but once we are able to read the files, i will try to work on a keyboard

How about unlocking the Zune HD? Or is that a completely different animal?

Somebody please sticky this thread immediately. This can only lead to great things! :D

butterdori
27th September 2009, 06:53 AM
How about unlocking the Zune HD? Or is that a completely different animal?

Somebody please sticky this thread immediately. This can only lead to great things! :D

Err.. forgive my ignorance.. but is Zune HD locked?

In what way?

koikaze
27th September 2009, 02:48 PM
I think what he means by unlocking is to unlock for ROM modification and development.

hairchrm
29th September 2009, 02:07 AM
When I was defragging my computer a few days earlier, I happened to find the folder where it saved all of the Firmware Updates. So I just looked in that folder and found the FirmwareUpdate.cab that had the .bin files in it.


The ROM is saved in a .cab file to %HOMEPATH%\AppData\Local\Microsoft\Zune\Firmware Updates

7-Zip or another unzipping software can extract it out into the 4 .bin files, ext.bin, nk.bin, recovery.bin, and zboot.bin.

I have not yet succeeded in breaking it down into DLLs, it seems like there are multiple DLLs compiled into one .bin file.

Interestingly enough, some of the plaintext I saw in the recovery file was associated with camera/photography code (do a ctrl-f for "autofocus" or "lens" in the recovery.bin file in wordpad). However, I'm guessing it is the remnants of WinCE code, not for the Zune HD (or a successor?). It still begs the question of why it would be included in the recovery code though...

Hope that someone can use this for something...

ND4SPD
29th September 2009, 02:15 AM
The ROM is saved in a .cab file to %HOMEPATH%\AppData\Local\Microsoft\Zune\Firmware Updates

7-Zip or another unzipping software can extract it out into the 4 .bin files, ext.bin, nk.bin, recovery.bin, and zboot.bin.

I have not yet succeeded in breaking it down into DLLs, it seems like there are multiple DLLs compiled into one .bin file.

Interestingly enough, some of the plaintext I saw in the recovery file was associated with camera/photography code (do a ctrl-f for "autofocus" or "lens" in the recovery.bin file in wordpad). However, I'm guessing it is the remnants of WinCE code, not for the Zune HD (or a successor?). It still begs the question of why it would be included in the recovery code though...

Hope that someone can use this for something...

To break it down, you need to use cvrtbin.exe to convert it to the .nb0 format. Once you have that, as Da_G pointed out to me, you can use Xipport.exe's dump xip function to dump whichever converted file. Unfortunately, xipport has an error on the last file, so I'm going to try to fix that this evening.

You can also view the files in Da_G's first post :D
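
Added example, not part of any post in this thread: a Python version of the .bin to .nb0 flattening step that cvrtbin.exe is used for above, assuming the firmware .bin files follow the standard Windows CE B000FF record layout. The function names, the size cap, the zero fill for gaps and the sample image are constructed for illustration.

```python
import struct

B000FF_MAGIC = b"B000FF\n"   # 7-byte signature of a Windows CE .bin image
MAX_IMAGE = 1 << 29          # assumed sanity cap (512 MiB) on the flat image size


class BinFormatError(ValueError):
    """The input does not follow the B000FF record layout."""


def parse_b000ff(blob):
    """Return (image_start, image_length, entry_point, records).

    records is a list of (address, data, checksum_ok) tuples.
    """
    if not blob.startswith(B000FF_MAGIC):
        raise BinFormatError("missing B000FF signature")
    pos = len(B000FF_MAGIC)
    if len(blob) < pos + 8:
        raise BinFormatError("truncated image header")
    image_start, image_length = struct.unpack_from("<II", blob, pos)
    pos += 8

    records = []
    while True:
        if len(blob) < pos + 12:
            raise BinFormatError("no terminating record before end of file")
        address, length, checksum = struct.unpack_from("<III", blob, pos)
        pos += 12
        if address == 0 and checksum == 0:
            # Terminating record: its length field holds the entry point.
            return image_start, image_length, length, records
        data = blob[pos:pos + length]
        if len(data) != length:
            raise BinFormatError("record at 0x%08X is truncated" % address)
        pos += length
        # The record checksum is the 32-bit sum of the data bytes.
        ok = (sum(data) & 0xFFFFFFFF) == checksum
        records.append((address, data, ok))


def to_nb0(blob):
    """Flatten the records into one image; gaps between records are zero-filled."""
    image_start, image_length, _entry, records = parse_b000ff(blob)
    if image_length > MAX_IMAGE:
        raise BinFormatError("declared image length is implausibly large")
    flat = bytearray(image_length)
    for address, data, checksum_ok in records:
        if not checksum_ok:
            raise BinFormatError("checksum mismatch in record at 0x%08X" % address)
        offset = address - image_start
        if offset < 0 or offset + len(data) > image_length:
            raise BinFormatError("record at 0x%08X lies outside the image" % address)
        flat[offset:offset + len(data)] = data
    return bytes(flat)


def build_sample_bin():
    """Constructed two-record image, not taken from any real firmware."""
    def record(address, data):
        return struct.pack("<III", address, len(data), sum(data) & 0xFFFFFFFF) + data

    start = 0x80001000
    body = record(start, b"\xAA" * 8) + record(start + 0x10, b"\x01\x02\x03\x04")
    terminator = struct.pack("<III", 0, start, 0)
    return B000FF_MAGIC + struct.pack("<II", start, 0x14) + body + terminator


if __name__ == "__main__":
    sample = build_sample_bin()
    start, length, entry, records = parse_b000ff(sample)
    print("start=0x%08X length=0x%X entry=0x%08X records=%d"
          % (start, length, entry, len(records)))
    print(to_nb0(sample).hex())
```

A checksum failure or a missing terminating record is reported as an error rather than producing a silently damaged image.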

hairchrm
29th September 2009, 02:18 AM
To break it down, you need to use cvrtbin.exe to convert it to the .nb0 format. Once you have that, as Da_G pointed out to me, you can use Xipport.exe's dump xip function to dump whichever converted file. Unfortunately, xipport has an error on the last file, so I'm going to try to fix that this evening.

You can also view the files in Da_G's first post :D

Ahh... haha, I thought he linked to the raw .bin files and I figured that it would be easier to grab them from your own computer than download them. Whoooops!

pidsw
29th September 2009, 06:35 PM
I am curious, has anyone dissected the Zune HD Hardware? I wonder what extra hardware got left behind that is not currently activated (and possibly not licensed). The core chipset can handle all of the common peripherals that you might find in a WM7 class phone chassis.
At the very least you should be able to see the sort of antenna and amps in there.

The Imageupdate system clearly works, so one approach to updating it (unlocking and/or removing security) is to use the imageupdate system (on device or from your desktop, or possibly OTA). Although you would need to know a good bit about the NK and zloader for wm7. WM7 is a more streamlined, efficient design, but - unfortunately - there is a lot more in the kernel which makes updating individual bits more difficult without a full link.
It is a little bit more like the X360 design in this sense.
I believe that imageupdate is only known to the end users as the engine for Windows Phone Update or - previously - FOTA (firmware over the air)

As Da_g mentioned, this is the first commercial device (to my knowledge) to use WCE7/WM7 (in general, WM is just a big OAK on WCE)

What certs are in the full CAB?

votum
30th September 2009, 01:23 AM
Here are a few links to Zune teardowns:

http://hackaday.com/2009/09/16/zune-hd-teardown/
http://blogs.zdnet.com/hardware/?p=5476

Doesn't look like any unregistered hardware, but the Tegra processor is sex for sure. I am leaving to Iraq in November and desperately hope there is going to be an HTC phone with android and a Tegra in it when I come home :D

ND4SPD
30th September 2009, 03:10 AM
I am curious, has anyone dissected the Zune HD Hardware? I wonder what extra hardware got left behind that is not currently activated (and possibly not licensed). The core chipset can handle all of the common peripherals that you might find in a WM7 class phone chassis.
At the very least you should be able to see the sort of antenna and amps in there.

The Imageupdate system clearly works, so one approach to updating it (unlocking and/or removing security) is to use the imageupdate system (on device or from your desktop, or possibly OTA). Although you would need to know a good bit about the NK and zloader for wm7. WM7 is a more streamlined, efficient design, but - unfortunately - there is a lot more in the kernel which makes updating individual bits more difficult without a full link.
It is a little bit more like the X360 design in this sense.
I believe that imageupdate is only known to the end users as the engine for Windows Phone Update or - previously - FOTA (firmware over the air)

As Da_g mentioned, this is the first commercial device (to my knowledge) to use WCE7/WM7 (in general, WM is just a big OAK on WCE)

What certs are in the full CAB?

I thought that WinCE doesn't support IMGFS? In the dump, there's supposed to be a file called zuneroots.p7b but since Xipport couldn't dump the last file, the file is 0 bytes. There is also a sysroots.p7b, but that seems to be malformed - there is font copyright information in it. I think that once Xipport can be patched or redesigned to handle the file system, we can get a better idea of the certs.

EDIT: There are other certs referenced in some of the files like the .zcp files

Blackwheel
1st October 2009, 05:55 AM
So do you guys think it will eventually be possible to put Windows mobile 6.5 or 7 onto the Zune HD? Or put the Zune's rom on another device?

Blackwheel
4th October 2009, 06:31 AM
So any progress on this stuff?

ElCondor
4th October 2009, 02:35 PM
Donation of 60 euros for the one who successfully ports the whole Zune UI to WM!

Blackwheel
4th October 2009, 11:32 PM
Donation of 60 euros for the one who successfully ports the whole Zune UI to WM!

Then take that "Zune/ WM 6.5 hybrid" OS and find a way to put it on the Zune HD. This would be INSANE!!! AH! :eek:

ElCondor
5th October 2009, 09:33 AM
Then take that "Zune/ WM 6.5 hybrid" OS and find a way to put it on the Zune HD. This would be INSANE!!! AH! :eek:

Hehe but I haven't got a Zune HD;)
But I like the interface very much!

koikaze
6th October 2009, 05:13 AM
my ZuneHD comes this week, I'm so psyched! I can't wait to see what you guys can do with these resources on either the ZuneHD or WinMo phones!

Blackwheel
7th October 2009, 02:13 AM
Is anybody actually working on this stuff? It's kinda discouraging when the thread drops to page 4 in less than 24 hours. :(

ND4SPD
7th October 2009, 03:11 AM
Donation of 60 euros for the one who successfully ports the whole Zune UI to WM!

Might want to put your money away then :p I think it is highly unlikely considering the Zune runs CE7 and WinMo 6.0/6.1/6.5/6.5.1 are based off of CE5.2.

Rather, we should try getting WM7 running on the Zune HD! :D

ElCondor
7th October 2009, 02:14 PM
Might want to put your money away then :p I think it is highly unlikely considering the Zune runs CE7 and WinMo 6.0/6.1/6.5/6.5.1 are based off of CE5.2.

Rather, we should try getting WM7 running on the Zune HD! :D

Lol! but WM7 also runs CE7, doesn't it?
I just like the interface of the Zune HD but well... indeed hardly doable.
WM7 would be a donation of 100 euros!:D:p

acidhax
7th October 2009, 03:34 PM
WM7 will most likely have Zune media abilities anyway... much like the iPhone and iPod.

t0mmyr
8th October 2009, 09:30 AM
someone needs to sticky this thread asap....it would be great if we can pull some stuff off the zuneHD for our winmo devices :)

ElCondor
8th October 2009, 09:10 PM
Just to try, I cooked the d3d.dll into a rom. But no difference in speed.
But indeed, it should be stickied. If some good devs are working on this, I am sure they will get somethin' done!

Blackwheel
9th October 2009, 04:58 AM
Just to try, I cooked the d3d.dll into a rom. But no difference in speed.
But indeed, it should be stickied. If some good devs are working on this, I am sure they will get somethin' done!

So, anybody with some sticky power want to help us out?

silentP
9th October 2009, 05:54 AM
So, anybody with some sticky power want to help us out?

Not gonna happen. Per http://forum.xda-developers.com/showthread.php?t=567408 and mod timmymarsh, "There will be no stickies in D&H, so please don't ask. Go to the Wiki and put your sticky there"

ElCondor
9th October 2009, 07:17 PM
Not gonna happen. Per http://forum.xda-developers.com/showthread.php?t=567408 and mod timmymarsh, "There will be no stickies in D&H, so please don't ask. Go to the Wiki and put your sticky there"

Okay, but if we put it in the wiki, no one will see it because nearly nobody really reads the wiki.
I guess we have no chance. Maybe if Da_G can help a little by linking to this thread in his "latest wm 6.5 releases" thread.
It would be really cool if we could have some Zune software on our WM devices.

Solar257
10th October 2009, 09:13 AM
Aside from what Da_G said, how can one tell that the Zune HD is running Windows CE 7?

asbestos
10th October 2009, 03:42 PM
How about a plain install of CE7 on it? It would be neat to see if you could install CE apps on it :)

ElCondor
10th October 2009, 05:08 PM
Theoretically, it could be possible to fully port CE7. Because the kernel is included in the package. Still think it will not be possible though.
Maybe if we can get the best developers around here to work on the project, but next question is: on what device are we going to do it?

Da_G
10th October 2009, 07:35 PM
There's another thread floating around here re: porting CE7/WM7 to current devices, look for recent posts by user no2chem.

But to sum it up, the kernel consists of 2 parts, the MSFT supplied bits and the OEM supplied bits. For any existing device that does not currently come with a CE7/WM7 kernel (all of the shipped devices) - the OEM bits need to be coded from ground up. And/or disassembled, isolated, and ported purely in a binary manner (asm code)

Option 1 is nearly impossible without source, and option 2 requires a monumental amount of work that would need to be largely duplicated for every device targeted.

This is not like porting a WM 6.x kernel (which are all based on CE 5.2 and so do not have this issue because the majority of the code remains the same and thus usable)

12aon
10th October 2009, 08:05 PM
There's another thread floating around here re: porting CE7/WM7 to current devices, look for recent posts by user no2chem.

But to sum it up, the kernel consists of 2 parts, the MSFT supplied bits and the OEM supplied bits. For any existing device that does not currently come with a CE7/WM7 kernel (all of the shipped devices) - the OEM bits need to be coded from ground up. And/or disassembled, isolated, and ported purely in a binary manner (asm code)

Option 1 is nearly impossible without source, and option 2 requires a monumental amount of work that would need to be largely duplicated for every device targeted.

This is not like porting a WM 6.x kernel (which are all based on CE 5.2 and so do not have this issue because the majority of the code remains the same and thus usable)

You mean this one?

http://forum.xda-developers.com/showthread.php?p=4655594

Da_G
10th October 2009, 08:28 PM
Yep, that's the one :)

Oops, it was about CE6, but the gist of it remains the same!

bieza
10th October 2009, 08:58 PM
Hey,

i got a question. I'm from Germany and I want a Zune HD. But my problem is that I'm using Napster (music download with DRM) and somebody told me that the Zune HD is only compatible to US DRM services. Is there a way to play other drm music???

ElCondor
10th October 2009, 10:15 PM
There's another thread floating around here re: porting CE7/WM7 to current devices, look for recent posts by user no2chem.

But to sum it up, the kernel consists of 2 parts, the MSFT supplied bits and the OEM supplied bits. For any existing device that does not currently come with a CE7/WM7 kernel (all of the shipped devices) - the OEM bits need to be coded from ground up. And/or disassembled, isolated, and ported purely in a binary manner (asm code)

Option 1 is nearly impossible without source, and option 2 requires a monumental amount of work that would need to be largely duplicated for every device targeted.

This is not like porting a WM 6.x kernel (which are all based on CE 5.2 and so do not have this issue because the majority of the code remains the same and thus usable)

Okay. thanks for your explanation! So it would take too much time to port...
Is it harder to port CE7 than linux?
BTW Da_G, I was wondering, how do you get all those windows builds?

aeroflyluby
10th October 2009, 10:45 PM
Also it won't be bad to try to port ce7 into himalaya!
Let's give it a try, I really like my himalaya not booting :D

Blackwheel
11th October 2009, 07:00 AM
So how about the zune hd device itself ? Does the rom reveal anything about security handshakes, etc.?

Solar257
11th October 2009, 11:29 AM
Hey,

i got a question. I'm from Germany and I want a Zune HD. But my problem is that I'm using Napster (music download with DRM) and somebody told me that the Zune HD is only compatible to US DRM services. Is there a way to play other drm music???


You'd have to switch from Napster to Zune Pass if you wanted to use a subscription service with a Zune HD. One plus is that through windows media player, you can sync Zune Pass songs to other WMA-DRM capable (a.k.a. napster capable) devices. And since you're in Germany you'd have to make a US based Live account so you could access the Marketplace.

@Da_G
I'm still curious, how does one go about showing that the Zune HD is running a build of WCE6/WM7? I read the above link talking about the splitting of kernel and sorta understand what it's talking about with respect to the differences in kernel architecture. But when I look through the posted files, other than the zegoe fonts and some of the device pictures (both super cool by themselves), I can't see anything indicating that the executables are designed for CE6 or any version of CE. What should I look at/for? I'm interested in this and don't know anything about ROM dumps. -- Following these instructions (http://www.t-hack.com/wiki/index.php/NK.BIN_toolset) I was able to dump the recovery bin (a personal first :D - Thanks ND4SPD).

@hairchrm
As for the references to a camera, one of Tegra's 8 cores is an image processing core with support for up to a 12 mp camera. Perhaps that's where it's leading in another device? Also, where did you see that camera reference in recovery.bin? I opened it in wordpad and couldn't find 'lens' or 'autofocus.'

TFGBD
12th October 2009, 08:51 PM
WOW....they were trying to dump a zune rom for years.... so this means the protection on the zune HD is not nearly as strong as the regular zune...this is good news indeed...Mine is on backorder still =x

It means no such thing. You could always easily dump the Zune roms with dumprom and other tools. It's like any other Windows CE 5.0 device. Convert to nb0 and dump. The protection is in the device's bootloader and hardware itself and so far nobody has been able to crack it. (to my knowledge) You can cook a custom ROM for it today but it's not going to be of much use if the device rejects it. If breaking its security was that easy the original Zune would have had Opera Mobile running on it years ago.


Despite the presence of an app store, something tells me this device may be as locked down as all the other Zunes. I hope it isn't the case but looking at the previous generations doesn't give me much hope. Even the current generation Zunes have a few apps but all must be signed by MS using a private key and are installed from some encrypted cab format. Now you may point to the new XNA SDK for the Zune HD and think this gives us hope but again it means nothing. The last generation Zunes had this too and it's a heavily sandboxed .NET Compact Framework environment with no access to the internal OS whatsoever. I hear Microsoft actually forces a reboot on exit of applications as one more way to prevent attempts to access the underlying OS.

The Zune is strange. For a company that is so well known for its supposed security holes, it's funny they finally created something that still hasn't been cracked in over 3 years.
But interestingly enough, there is a picture from the FCC of an HD running the Windows CE Explorer shell. Of course, it's likely MS just gave the FCC a less crippled version for testing purposes. And even if the retail versions do have an explorer in rom that can be accessed, that doesn't mean it will be able to execute unsigned applications.

FCC Zune HD: http://www.engadget.com/2009/08/10/zune-hd-hits-fcc-in-prolific-photo-shoot-16gb-and-32gb-capaciti/

About dumping it: Unless MS added IMGFS support to the core OS in version 7, taking modules from this device will be much more tedious than a WM5+ Pocket PC. It's not impossible but plain Windows CE still uses mostly the same BIN image format as WM2003 did and so most of the modules will have their relocation information stripped when dumped. It will be a tedious process to restore the relocs of every dll you want to use from its rom. (unless I haven't been paying attention and someone wrote some to automatically add missing reloc info to stripped dlls) And even then, it's very possible the media player app/shell uses a lot of Tegra GPU specific features. Of course, I could be wrong. I have yet to even look at a ROM dump of the thing. Is it even confirmed that it runs CE7? If so, that's wild MS would ship a beta OS. Do the dumped modules report a 7.0 OS/subsystem version?

hairchrm
14th October 2009, 05:14 AM
@hairchrm
As for the references to a camera, one of Tegra's 8 cores is an image processing core with support for up to a 12 mp camera. Perhaps that's where it's leading in another device? Also, where did you see that camera reference in recovery.bin? I opened it in wordpad and couldn't find 'lens' or 'autofocus.'


Your explanation for the camera makes sense.

I didn't actually dump the rom from the zune hd, I actually grabbed the rom on the computer as the update, and then extracted it out into pieces.

See this old post for how I did it, and then try searching in wordpad-

http://forum.xda-developers.com/showpost.php?p=4627614&postcount=17

Some of the lines-

--------------------------------------------
# Lens shading data
lensShading.leftPatchWidth = 642;
lensShading.centerPatchWidth = 1296;
--------------------------------------------

.....

--------------------------------------------
# Continuous autofocus setup
af.cont.positionsMap = { 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120 };
--------------------------------------------

There are more, but that gives the general idea that they are present.

TFGBD
14th October 2009, 09:42 AM
Are you guys sure this is even CE 7? I was finally able to download and have a look at these dumps and to my shock depends.exe reported that every file had a 6.0 WinCE subsystem(OS) version. Do you really think MS would leave the OS version of the generated system libraries at 6.0 even if this were a beta 7.0 kernel? Being based on 6.0r3 would really make more sense. The Tegra currently only supports CE 5.0 and 6.0 and it really doesn't sound wise for MS to ship a potentially buggy and unproven beta OS with drivers designed for another kernel in a retail device. Most of the other Tegra devices that ship will have either CE 5.0 or 6.0. Of course, I don't mind being proven wrong.
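
Added example, not part of any post in this thread: the subsystem-version check discussed above (the value depends.exe displays), read directly from a dumped module's PE header in Python. The function names and the sample header bytes are constructed for illustration; the sample is built with a Windows CE subsystem and version 6.0 only to mirror what the post reports.

```python
import os
import struct

SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 9: "WINDOWS_CE_GUI"}
MACHINES = {0x014C: "I386", 0x01C0: "ARM", 0x01C2: "THUMB", 0x8664: "AMD64"}


def pe_subsystem_info(data):
    """Return machine, subsystem and subsystem version of a PE image.

    Returns None when the bytes are not a usable PE file, which is what a
    truncated or badly reassembled module from a ROM dump looks like.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    # The Subsystem field occupies bytes 68..69 of the optional header.
    if opt_size < 70 or opt + 70 > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    major, minor = struct.unpack_from("<HH", data, opt + 48)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "subsystem_version": (major, minor),
    }


def scan_dump(root):
    """Walk a directory of dumped modules and collect (path, info) pairs."""
    results = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".dll", ".exe")):
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    # The headers sit at the start of the file; 4 KiB is enough.
                    results.append((path, pe_subsystem_info(handle.read(4096))))
    return results


def build_sample_pe(machine, subsystem, major, minor):
    """Constructed header-only PE32 image, not taken from any real firmware."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<HH", opt, 48, major, minor)    # subsystem version
    struct.pack_into("<H", opt, 68, subsystem)        # subsystem
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(pe_subsystem_info(build_sample_pe(0x01C0, 9, 6, 0)))
```

Modules for which `pe_subsystem_info` returns None are worth a second look before drawing conclusions from the rest of the dump.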

Blackwheel
15th October 2009, 06:26 AM
It is just frustrating to have such powerful hardware tied down like this. Just please tell me one thing. Is it possible, or will it ever be possible to get Windows Mobile 7 onto the Zune HD?

chota_shivaji
15th October 2009, 03:46 PM
Aside from what Da_G said, how can one tell that the Zune HD is running Windows CE 7?
- I guess ZuneHD runs on Windows CE 6.0 and not Windows CE 7.0.
- Also it seems that WinCE 7.0 is not officially out yet !!

TFGBD
6th November 2009, 12:11 PM
It is just frustrating to have such powerful hardware tied down like this. Just please tell me one thing. Is it possible, or will it ever be possible to get Windows Mobile 7 onto the Zune HD?

As with anything, I'm sure it's not impossible. Though, it depends how locked down it is. If it's anything like the previous generation Zunes, I wouldn't hold my breath. But if it's popular enough, just the fact that so many people own one may lead to more people attempting to crack the thing. Or, maybe MS will just open it up completely as time goes on like Apple did.

Blackwheel
7th November 2009, 07:28 PM
As with anything, I'm sure it's not impossible. Though, it depends how locked down it is. If it's anything like the previous generation Zunes, I wouldn't hold my breath. But if it's popular enough, just the fact that so many people own one may lead to more people attempting to crack the thing. Or, maybe MS will just open it up completely as time goes on like Apple did.

Apple didn't open up their players did they? You still have to use itunes for that stuff correct?

adp9626
7th November 2009, 10:44 PM
Donation of 60 euros for the one who successfully ports the whole Zune UI to WM!

I just need the music function to work on WM 6.5 using the Zune HD interface.

ElCondor
8th November 2009, 01:20 PM
I just need the music function to work on WM 6.5 using the Zune HD interface.

Hehe yeah it's very cool. But well I think waiting for WM7 is a better option.

AL_CAPONE_X3
8th November 2009, 01:24 PM
this would be great news if we can make roms for the zune hd.

i currently have the 120gb zune

hairchrm
11th November 2009, 02:05 AM
after messing around with it, looks like nothing can really be recmoded to make dll files. it may need another way to rec mod than in the vk.

I've had the exact same problem... recmod fails with odd errors, like "Error! ProcessCase0: bit 5 is zero!" I was not able to find any documentation of that error anywhere, so I'm lost as to what that means. I'm specifically looking at the zkeyboard.dll folder, as currently the Zune SDK does not allow keyboard access and I was hoping to take a peek at that, but apparently all zune specific dlls fail, while more standard dlls (coredll.dll, quartz.dll) succeed. Has anybody had any luck in assembling anything?

ND4SPD, did you ever succeed in fixing the error xipport gave you on the last file, mentioned a while back?

ND4SPD
11th November 2009, 02:16 AM
ND4SPD, did you ever succeed in fixing the error xipport gave you on the last file, mentioned a while back?

I never tried fixing the error; i didn't get any time to do so. however, xipport.exe didn't have any errors when I dumped the 4.3 ROM Update that just released.

i'll see if I can take some time tomorrow to get Xipport to dump the modules without splitting them up into the S000x parts.

btw, I'm afraid I might have implanted the idea in Da_G's head that the Zune is based on CE 7. I was getting excited, hoping we could get winmo7 on the zune hd, which is based on ce7. It makes more sense that it's based on CE 6 production code rather than a beta CE 7 kernel.

hairchrm
11th November 2009, 03:02 AM
i'll see if I can take some time tomorrow to get Xipport to dump the modules without splitting them up into the S000x parts.

btw, I'm afraid I might have implanted the idea in Da_G's head that the Zune is based on CE 7. I was getting excited, hoping we could get winmo7 on the zune hd, which is based on ce7. It makes more sense that it's based on CE 6 production code rather than a beta CE 7 kernel.

Wow, that would be awesome. If you get them to stay together, will you post them up here or pm me with them? And explain the process you followed also?

Yes... well there was a lot of confusion in general about what it ran. At least now we're pretty certain about what it runs.

ND4SPD
11th November 2009, 11:03 PM
Wow, that would be awesome. If you get them to stay together, will you post them up here or pm me with them? And explain the process you followed also?

Yes... well there was a lot of confusion in general about what it ran. At least now we're pretty certain about what it runs.

I started looking around the code, which is a bit jumbled. So instead of trying to decipher all of the code, I just tried recmod on the new 4.3 rom stuff. It works without any errors. If anyone wants me to post it up here, I'll do so. I'm way too lazy to recmod everything.

hairchrm
12th November 2009, 12:09 AM
I just tried recmod on the new 4.3 rom stuff. It works without any errors. If anyone wants me to post it up here, I'll do so. I'm way too lazy to recmod everything.

Wow... everything recmods on the new rom? That's odd.... I would love it if you could post it up here. I'm most interested in the zkeyboard.dll module, but I think that all of the z____.dll s are ZuneHD specific, so any/all of those would be really cool to have. Thanks for putting your time into this!

ND4SPD
12th November 2009, 03:21 AM
Wow... everything recmods on the new rom? That's odd.... I would love it if you could post it up here. I'm most interested in the zkeyboard.dll module, but I think that all of the z____.dll s are ZuneHD specific, so any/all of those would be really cool to have. Thanks for putting your time into this!

Looks like I was too hasty with my tests. Right before I uploaded, I realized that some "recmodded" dlls were only 1KB when their component S000x parts were larger. Guess there isn't an easy way out of this. Gonna have to decipher Xipport.

hairchrm
12th November 2009, 05:58 AM
Looks like I was too hasty with my tests. Right before I uploaded, I realized that some "recmodded" dlls were only 1KB when their component S000x parts were larger. Guess there isn't an easy way out of this. Gonna have to decipher Xipport.

Ahhhh... well thanks for trying. So what do you think this means? Does the Zune use a different format for its binary files or something that recmod does not handle? And do you think that there will be any success on the xipport side?

EDIT: ND4SPD- Can you check what error you're getting when you recmod? Are you getting the same "Error! ProcessCase0: bit 5 is zero!" error as I am? And do you know what makes recmod throw that error?

EDIT2- I fixed it and was able to dump the ext, nk, and recovery partitions as fully compiled everything. After I made the .nb0s I just used dumprom, and it spit them all out completely whole. No recmod involved. If you want them, I can post them, but since I was the only one asking for them, I don't want to waste time uploading them if nobody wants them.

Blackwheel
13th November 2009, 03:49 AM
Ahhhh... well thanks for trying. So what do you think this means? Does the Zune use a different format for its binary files or something that recmod does not handle? And do you think that there will be any success on the xipport side?

EDIT: ND4SPD- Can you check what error you're getting when you recmod? Are you getting the same "Error! ProcessCase0: bit 5 is zero!" error as I am? And do you know what makes recmod throw that error?

EDIT2- I fixed it and was able to dump the ext, nk, and recovery partitions as fully compiled everything. After I made the .nb0s I just used dumprom, and it spit them all out completely whole. No recmod involved. If you want them, I can post them, but since I was the only one asking for them, I don't want to waste time uploading them if nobody wants them.

Please upload kind sir. Thanks :p

drownage
13th November 2009, 04:49 AM
wait rom dump... total mb only around 21mb... something's not right maybe?

hairchrm
13th November 2009, 05:35 AM
Please upload kind sir. Thanks :p

Done-

http://www.megaupload.com/?d=OTZZFT3Y

Sorry for hosting it on such a horrid site that makes you wait before you can download but hey, it works, right?

wait rom dump... total mb only around 21mb... something's not right maybe?

Yeah, that's not quite right. My compressed one is around 30, so you missed something. What were the steps you followed? unpack the cab, cvrtbin to a nb0, and then dumprom?


On a separate note.... I have essentially no experience with WinCE stuff, so I'm a little confused... maybe someone can help me out here. All of the resources seemed uncorrupted (eg bmps, ini files, etc. would all open fine), but whenever I try to look at a dll or exe with the Dependency Walker or ms visual studio, it claims that the dll is invalid ("At least one module was corrupted or unrecognizable to Dependency Walker, but still appeared to be a Windows module." and "Could not find the section that owns the Import Directory.") Do WinCE dlls have a different format or something that Win32 stuff can't read? Or am I doing something wrong? Has anybody else had any luck with anything similar?

Shutout5591
13th November 2009, 07:04 AM
I am very pleased at the work you have done thus far!

I will give my input here and say I can confirm none of the files are .Net executables, despite windows CE being able to have .net framework.

Does anybody know what the .gem files are?

Also, all Zune apps are downloaded in .zcp container format. I have looked at an example in a hex editor, and it had lots of blank padded space, as well as repetitive patterns. I am looking into writing a decompiler for this. From another forum I belong to:
http://www.zuneboards.com/forums/zune-hacks-mods/39035-loophole-microsoft-games.html#post357137

I hope this helps. This project is very interesting!

ND4SPD
13th November 2009, 10:16 PM
I am very pleased at the work you have done thus far!

I will give my input here and say I can confirm none of the files are .Net executables, despite windows CE being able to have .net framework.

Does anybody know what the .gem files are?

Also, all Zune apps are downloaded in .zcp container format. I have looked at an example in a hex editor, and it had lots of blank padded space, as well as repetitive patterns. I am looking into writing a decompiler for this. From another forum I belong to:
http://www.zuneboards.com/forums/zune-hacks-mods/39035-loophole-microsoft-games.html#post357137

I hope this helps. This project is very interesting!

.gem files are apparently vector graphic files. I don't have Corel, but you should be able to open those files with it.

Blackwheel
8th December 2009, 03:17 AM
Any progress?

hairchrm
8th December 2009, 04:26 AM
Any progress?

Hehe... no. Not really. At least not on my side. I've attempted a few things...

First of all, I still cannot get anything to recognize the WinCE modules taken from the firmware. They are valid files, I am positive, since images and other files were uncorrupted, but I just don't have enough experience I guess, because no utility that I have can explore them properly... If anybody has experience with WinCE development, this would be a great time for you to speak up...

Second, I attempted to see if I could explore the driver for the Zune to see if I could get access to the lower-level usb stuff to (eventually, in the distant future) modify the firmware. Once again, I failed quite miserably. The driver is a COM object, so I was able to dig around a little, but again, I'm just not experienced enough with driver development to be able to communicate with the device... and that's skirting around the fact that eventually I (or someone) would need to find the private key that's in the Zune software/driver (probably by disassembly or some other hackery) in order to make any communications at all possible. And, needless to say, usb communication with the device is crucial if anybody ever plans on placing full WinCE or WinMo on the device.

So in the end, no. And as far as I've checked on other forums, they have made no progress either. However I am interested in hearing if anybody else has made any progress....

MrNetrix
11th January 2010, 01:24 AM
wait rom dump... total mb only around 21mb... something's not right maybe?
Dump ext.bin as well.

Done-

http://www.megaupload.com/?d=OTZZFT3Y

Sorry for hosting it on such a horrid site that makes you wait before you can download but hey, it works, right?



Yeah, that's not quite right. My compressed one is around 30, so you missed something. What were the steps you followed? unpack the cab, cvrtbin to a nb0, and then dumprom?


On a separate note.... I have essentially no experience with WinCE stuff, so I'm a little confused... maybe someone can help me out here. All of the resources seemed uncorrupted (eg bmps, ini files, etc. would all open fine), but whenever I try to look at a dll or exe with the Dependency Walker or ms visual studio, it claims that the dll is invalid ("At least one module was corrupted or unrecognizable to Dependency Walker, but still appeared to be a Windows module." and "Could not find the section that owns the Import Directory.") Do WinCE dlls have a different format or something that Win32 stuff can't read? Or am I doing something wrong? Has anybody else had any luck with anything similar?
When you dump the ROM, make sure you do it like this: dumprom.exe -d dump -v -5 nk.nb0

hairchrm
11th January 2010, 06:04 AM
Dump ext.bin as well.


When you dump the ROM, make sure you do it like this: dumprom.exe -d dump -v -5 nk.nb0

You're awesome. :) It works perfectly... amazing.

MrNetrix
12th January 2010, 06:19 AM
You're awesome. :) It works perfectly... amazing.
Of course it does. You can use Dependency Walker to see the exported methods in the libraries. If XNA allowed p/invoke, those methods could be called.

hairchrm
12th January 2010, 04:53 PM
Of course it does. You can use Dependency Walker to see the exported methods in the libraries. If XNA allowed p/invoke, those methods could be called.

Right, I knew that Dependency Walker would let me see that, I just forgot to use the -5 flag, which created the dlls incorrectly.

Yes, I also noticed that XNA does not allow p/invoke... I think it gives a security exception iirc... which is too bad. It would have been nice to be able to call these methods from an XNA program on the Zune...

Shutout5591
6th February 2010, 07:27 AM
Right, I knew that Dependency Walker would let me see that, I just forgot to use the -5 flag, which created the dlls incorrectly.

Yes, I also noticed that XNA does not allow p/invoke... I think it gives a security exception iirc... which is too bad. It would have been nice to be able to call these methods from an XNA program on the Zune...

Can you upload the latest rom dump with the dumprom fix?

Thanks

Also - does anybody have a copy of the 3.3 firmware cabinet file?

hairchrm
6th February 2010, 07:57 AM
Can you upload the latest rom dump with the dumprom fix?

Thanks

Also - does anybody have a copy of the 3.3 firmware cabinet file?

Uhhh.... Zune software no longer keeps the firmware saved in the location I mentioned earlier (%HOMEPATH%\AppData\Local\Microsoft\Zune\Firmware Updates) in this thread. I don't know if that means that the Zune software deletes it after it restores the device, or if they have moved the location. I can check later if I recover my device, and if so maybe I can upload it. But use my old rom dump (which is 100% valid and will compile into modules with that fix) or get it off of your own computer (if you have a zune hd) first.

However, I think that you have misunderstood the posts before this. The dumprom "fix" just allows someone to compile the rom into dlls/modules. It doesn't change the rom, only fixes the problem which I had earlier, which was that dumprom (which does not actually dump the rom of the device) gave corrupted dlls. If you're asking for the actual dlls, I don't know if I can legally post those up, as those are getting a lot closer to the actual Microsoft code than just posting up a rom that they allow anyone to download to restore their zune device. If you're asking for the rom, find it on your computer (if you own a zune hd) or download the old one I posted a few pages back.

Shutout5591
6th February 2010, 05:26 PM
Uhhh.... Zune software no longer keeps the firmware saved in the location I mentioned earlier (%HOMEPATH%\AppData\Local\Microsoft\Zune\Firmware Updates) in this thread. I don't know if that means that the Zune software deletes it after it restores the device, or if they have moved the location. I can check later if I recover my device, and if so maybe I can upload it. But use my old rom dump (which is 100% valid and will compile into modules with that fix) or get it off of your own computer (if you have a zune hd) first.

However, I think that you have misunderstood the posts before this. The dumprom "fix" just allows someone to compile the rom into dlls/modules. It doesn't change the rom, only fixes the problem which I had earlier, which was that dumprom (which does not actually dump the rom of the device) gave corrupted dlls. If you're asking for the actual dlls, I don't know if I can legally post those up, as those are getting a lot closer to the actual Microsoft code than just posting up a rom that they allow anyone to download to restore their zune device. If you're asking for the rom, find it on your computer (if you own a zune hd) or download the old one I posted a few pages back.

Yea, I noticed the firmware files are not locally saved anymore...

The only upload I saw here was the one with the dlls, tff, files - the one that had been dumped by each .bin file.

Can you upload the 4.3 firmware somewhere? Or pm me? I only have a Zune 30...

Can you PM me the correctly dumped files. I have a moderate background in reversing, and I want to see about my 2 cents.

RustyGrom
7th March 2010, 05:11 AM
Yea, I noticed the firmware files are not locally saved anymore...

The only upload I saw here was the one with the dlls, tff, files - the one that had been dumped by each .bin file.

Can you upload the 4.3 firmware somewhere? Or pm me? I only have a Zune 30...

Can you PM me the correctly dumped files. I have a moderate background in reversing, and I want to see about my 2 cents.

Here's the dumped firmware (organized by bin). http://rapidshare.com/files/353174529/ZuneFirmware4.3Dump.zip.html

I went through some of the files and looked at the resources, strings, etc and here's what I figured out...

Gemstone.exe seems to be the main shell and there’s several .gem files that contain the data for the UI. Although within there, I believe they’ve borrowed some from the Xbox 360. There’s a xuidll.dll that seems to be almost directly from the Xbox 360. This is what actually does the Direct3D rendering of the various objects.

VALUE "CompanyName", "Microsoft Corporation"
VALUE "FileDescription", "Xbox UI Runtime"
VALUE "FileVersion", "2.0.5200.0"
VALUE "InternalName", "XUIDLL"

Also of note is how applications function. The leaked WP7 docs note that each app runs in its own “isolated sandbox”. This is how the Zune HD functions as well. Each application is packaged into a “zcp” file which (as someone else in this thread said) seems to be some sort of almost VHD file format. Then when the app loads, it basically mounts that ZCP file and everything runs within that (zctfs.dll). The app is only allowed to read/write to that file. Although it doesn’t seem like XNA game studio apps get packaged into this (unless the Zune builds a new file and packages everything?).

domineus
7th March 2010, 03:41 PM
anything useful for ce 5.2 platforms? anything at all even sounds or some images?

RustyGrom
8th March 2010, 01:56 AM
anything useful for ce 5.2 platforms? anything at all even sounds or some images?
There's a boot screen, some other 'please wait' style stuff, the 'Zegoe' (a modified version of Segoe) fonts, but not much else.

jagan2
8th March 2010, 02:17 AM
Just out of curiosity wanted to know if we can port the ui of zune to windows mobile, common xda can do anything we have the dump of zune and microsoft created wp7 series with the zune concept why we cant atleast something that we can extract from zune and merge with windows mobile?

hairchrm
8th March 2010, 03:51 AM
Although it doesn’t seem like XNA game studio apps get packaged into this (unless the Zune builds a new file and packages everything?).

I was under the impression that .zcp files are essentially .ccgame files, which one can create in XNA Game Studio by selecting "Package as XNA Creator's Club Game". Correct me if I'm wrong?

RustyGrom
8th March 2010, 04:51 AM
I was under the impression that .zcp files are essentially .ccgame files, which one can create in XNA Game Studio by selecting "Package as XNA Creator's Club Game". Correct me if I'm wrong?
That's possible. Although FWIW I tried renaming a zcp to .ccgame and opening it (which should work) and it failed just saying it wasn't a valid package. Of course they could still be essentially the same but just a bit different.

Geniusdog254
8th March 2010, 05:09 AM
There's a boot screen, some other 'please wait' style stuff, the 'Zegoe' (a modified version of Segoe) fonts, but not much else.

Where is the boot screen stuff? I found the fonts, and the disable TV out image, but no boot screen or other images. I'm primarily interested in some of the music interface images (play, shuffle & the like) and the boot screen. They are all simple enough to make in PS, but having them will be MUCH easier.

RustyGrom
8th March 2010, 05:28 AM
Where is the boot screen stuff? I found the fonts, and the disable TV out image, but no boot screen or other images. I'm primarily interested in some of the music interface images (play, shuffle & the like) and the boot screen. They are all simple enough to make in PS, but having them will be MUCH easier.
The boot image is just a simple bitmap embedded in zsplash.exe. They just manipulate it to make it look/animate the way it does. I haven't seen any of the rest. I'm guessing most of the UI stuff is embedded in the .gem files. Figure out how to unpack them and you should be able to get to what you're looking for.
http://img8.imageshack.us/img8/2487/zsplash.png

Geniusdog254
8th March 2010, 05:35 AM
The boot image is just a simple bitmap embedded in zsplash.exe. They just manipulate it to make it look/animate the way it does. I haven't seen any of the rest. I'm guessing most of the UI stuff is embedded in the .gem files. Figure out how to unpack them and you should be able to get to what you're looking for.
http://img8.imageshack.us/img8/2487/zsplash.png

Ah ok I looked there but 7zip didn't want to show me any real data, just compressed images inside the exe (.text .data .data1 .data2 [data-1] [data-2] to be specific). How did you open them?

RustyGrom
8th March 2010, 05:37 AM
Ah ok I looked there but 7zip didn't want to show me any real data, just compressed images inside the exe (.text .data .data1 .data2 [data-1] [data-2] to be specific). How did you open them?
Resource Hacker (free windows app).

hairchrm
8th March 2010, 05:59 AM
That's possible. Although FWIW I tried renaming a zcp to .ccgame and opening it (which should work) and it failed just saying it wasn't a valid package. Of course they could still be essentially the same but just a bit different.

I might be wrong... I'm beginning to doubt myself now. http://74.125.155.132/search?q=cache:X8hMkEHu0dAJ:www.zuneboards.com/forums/zune-hacks-mods/39035-loophole-microsoft-games.html+zune+zcp&cd=1&hl=en&ct=clnk&gl=us has some interesting information about the zcp format, see post 4.

RustyGrom
9th March 2010, 01:21 AM
I might be wrong... I'm beginning to doubt myself now. http://74.125.155.132/search?q=cache:X8hMkEHu0dAJ:www.zuneboards.com/forums/zune-hacks-mods/39035-loophole-microsoft-games.html+zune+zcp&cd=1&hl=en&ct=clnk&gl=us has some interesting information about the zcp format, see post 4.
I think that may be what I read. A few of the dll's (just judging from their exports, etc) seem to agree with that.

Shutout5591
10th March 2010, 01:22 PM
I think that may be what I read. A few of the dll's (just judging from their exports, etc) seem to agree with that.

Yea, that link is correct, it's from my original Zune community. The important info is here:



Here's a primer on what .zcp files are all about:

a) .zcp files have nothing to do with Zortech, even though they apparently have the same file extension.
b) A .zcp file is like a mini-filesystem that can be mounted and accessed on the Zune. They're kinda like .iso images, but writable as well.
c) Everything in XNA is stored in containers. There's 3 types of containers: game containers, runtime containers, and storage containers. All three are stored on the Zune itself as .zcp files.
d) Runtime containers include the XNA runtime files and are identified by a particular runtime token.
e) Game containers store everything deployed along with a game and specify the runtime container needed by the game, which is automatically loaded when the game is started.
f) Storage containers are what games use for storing data, and have to be manually loaded through code in the game.
g) The built-in Zune games are both signed and encrypted, making them near-impossible to modify and difficult to even analyze.
h) The integrated runtime, which is deployed along with the games, is not encrypted, but it is signed. It isn't much different from the ordinary runtime that's deployed automatically along with user-created Zune games.
i) The built-in games and integrated runtime are not deployed through the same method that user-created games are: they're dumped straight onto the Zune.


RustyGrom - Thanks for the Firmware dump, I'm going to see what I can do.

EDIT: RustyGrom - are you sure those are correctly dumped. They all say not a valid win 32 program for me, and my resource hacker doesn't find anything with them...

RustyGrom
12th March 2010, 04:50 AM
Yea, that link is correct, it's from my original Zune community. The important info is here:



RustyGrom - Thanks for the Firmware dump, I'm going to see what I can do.

EDIT: RustyGrom - are you sure those are correctly dumped. They all say not a valid win 32 program for me, and my resource hacker doesn't find anything with them...
I think it is but I wouldn't say I'm 100% certain. Some of the binaries have resources, most don't. I've opened all of them with Dependency Walker and a few with IDA pro and neither reported issues.
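An added example, not part of any post in this thread: a small PE header check that separates "the dump is corrupt" from "the module is valid but built for another platform", and shows whether a resource viewer has anything to find. It assumes the dumped modules are standard PE images; the field offsets and constants come from the PE/COFF specification, and `build_sample` produces constructed headers, not Zune files.

```python
import struct

# Constants from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0x01C2: "ARM Thumb"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console", 9: "Windows CE GUI"}


def inspect_pe(data: bytes) -> dict:
    """Report target CPU, subsystem and resource-directory presence of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: Machine is first, SizeOfOptionalHeader is the sixth field.
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    if opt_size < 96 or opt + opt_size > len(data):
        raise ValueError("optional header missing or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    dirs = opt + (96 if magic == 0x10B else 112)  # start of the data directories
    has_resources = False
    if dirs + 24 <= opt + opt_size:
        (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
        rva, size = struct.unpack_from("<II", data, dirs + 2 * 8)  # entry 2 = resources
        has_resources = ndirs > 2 and rva != 0 and size != 0
    name = MACHINES.get(machine, hex(machine))
    return {
        "machine": name,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "has_resources": has_resources,
        # A desktop loader refuses images for another CPU or the CE subsystem,
        # even when the file itself is intact.
        "desktop_loadable": name in ("x86", "x64") and subsystem in (2, 3),
    }


def build_sample(machine: int, subsystem: int, rsrc=(0, 0)) -> bytes:
    """Constructed minimal PE32 header (no sections), for demonstration only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, *rsrc)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed inputs: an ARM/CE module with resources and one without.
    for label, blob in (("with .rsrc", build_sample(0x01C2, 9, (0x5000, 0x400))),
                        ("no .rsrc", build_sample(0x01C2, 9))):
        print(label, inspect_pe(blob))
```

To check a real module, pass `open(path, "rb").read()` to `inspect_pe`; a file that raises `ValueError` is damaged or not a PE image at all.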

Shutout5591
19th April 2010, 02:52 AM
It looks like the Zunes have been hacked!

zuneboards.com/forums/zune-news/50442-zune-hd-hacked-well-previous-zune-models.html

hairchrm
19th April 2010, 03:44 AM
It looks like the Zunes have been hacked!

zuneboards.com/forums/zune-news/50442-zune-hd-hacked-well-previous-zune-models.html

"Hacked" should be used loosely. Really, it's just an exploit of the way the zune is implementing the .net compact framework that allows arbitrary code execution. Is it great, and do I think the team did a great job? Yes, of course. But don't get your hopes up quite yet... Hopefully someone can take this exploit and do something really great with it that really opens up the platform... but until then, it's really just a first step.

MrNetrix
22nd May 2010, 04:24 AM
"Hacked" should be used loosely. Really, it's just an exploit of the way the zune is implementing the .net compact framework that allows arbitrary code execution. Is it great, and do I think the team did a great job? Yes, of course. But don't get your hopes up quite yet... Hopefully someone can take this exploit and do something really great with it that really opens up the platform... but until then, it's really just a first step.
Yeah. The firmware is too secure. No firmware is allowed to run unless it is signed.

Also, to get a better quality dump, use the Visual Studio command prompt.