Zune HD ROM Dump

Da_G · Oct 10, 2009

There's another thread floating around here re: porting CE7/WM7 to current devices, look for recent posts by user no2chem.

But to sum it up, the kernel consists of 2 parts, the MSFT supplied bits and the OEM supplied bits. For any existing device that does not currently come with a CE7/WM7 kernel (all of the shipped devices) - the OEM bits need to be coded from ground up. And/or disassembled, isolated, and ported purely in a binary manner (asm code)

Option 1 is nearly impossible without source, and option 2 requires a monumental amount of work that would need to be largely duplicated for every device targetted.

This is not like porting a WM 6.x kernel (which are all based on CE 5.2 and so do not have this issue because the majority of the code remains the same and thus usable)

12aon · Oct 10, 2009

Da_G said:
There's another thread floating around here re: porting CE7/WM7 to current devices, look for recent posts by user no2chem.

But to sum it up, the kernel consists of 2 parts, the MSFT supplied bits and the OEM supplied bits. For any existing device that does not currently come with a CE7/WM7 kernel (all of the shipped devices) - the OEM bits need to be coded from ground up. And/or disassembled, isolated, and ported purely in a binary manner (asm code)

Option 1 is nearly impossible without source, and option 2 requires a monumental amount of work that would need to be largely duplicated for every device targetted.

This is not like porting a WM 6.x kernel (which are all based on CE 5.2 and so do not have this issue because the majority of the code remains the same and thus usable)

You mean this one?

http://xdaforums.com/showthread.php?p=4655594

Da_G · Oct 10, 2009

Yep, that's the one

Oops, it was about CE6, but the gist of it remains the same!

bieza · Oct 10, 2009

Hey,

i got a question. I'm from Germany and I want a Zune HD. But my problem is that I'm using Napster (music download with DRM) and somebody told me that the Zune HD is only compatible to US DRM services. Is there a way to play other drm music???

ElCondor · Oct 10, 2009

Da_G said:
There's another thread floating around here re: porting CE7/WM7 to current devices, look for recent posts by user no2chem.

But to sum it up, the kernel consists of 2 parts, the MSFT supplied bits and the OEM supplied bits. For any existing device that does not currently come with a CE7/WM7 kernel (all of the shipped devices) - the OEM bits need to be coded from ground up. And/or disassembled, isolated, and ported purely in a binary manner (asm code)

Option 1 is nearly impossible without source, and option 2 requires a monumental amount of work that would need to be largely duplicated for every device targetted.

This is not like porting a WM 6.x kernel (which are all based on CE 5.2 and so do not have this issue because the majority of the code remains the same and thus usable)

Okay. thanks for your explanation! So it would take too much time to port...
Is it harder to port CE7 than linux?
BTW Da_G, I was wondering, how do you get all those windows builds?

aeroflyluby · Oct 10, 2009

Also it won't be bad to try to port ce7 into himalaya!
Let give it a try, I really like my himalaya not booting

Blackwheel · Oct 11, 2009

So how about the zune hd device itself ? Does the rom reveal anything about security handshakes, etc.?

Solar257 · Oct 11, 2009

bieza said:
Hey,

i got a question. I'm from Germany and I want a Zune HD. But my problem is that I'm using Napster (music download with DRM) and somebody told me that the Zune HD is only compatible to US DRM services. Is there a way to play other drm music???

You'd have to switch from Napster to Zune Pass if you wanted to use a subscription service with a Zune HD. One plus is that through windows media player, you can sync Zune Pass songs to other WMA-DRM capable (a.k.a. napster capable) devices. And since you're in Germany you'd have to make a US based Live account so you could access the Marketplace.

@Da_G
I'm still curious, how does one go about showing that the Zune HD is running a build of WCE6/WM7? I read the above link talking about the splitting of kernel and sorta understand what it's talking about with respect to the differences in kernel architecture. But when I look through the posted files, other than the zegoe fonts and some of the device pictures (both super cool by themselves) , I can't see anything indicating that the executables are designed for CE6 or any version of CE. What should I look at/for? I'm interested in this and don't know anything about ROM dumps. -- Following these instructions I was able to dump the recovery bin (a personal first

- Thanks ND4SPD).

@hairchrm
As for the references to a camera, one of Tegra's 8 cores is an image processing core with support for up to a 12 mp camera. Perhaps that's where it's leading in another device? Also, where did you see that camera reference in recovery.bin? I opened it in wordpad and couldn't find 'lens' or 'autofocus.'

TFGBD · Oct 12, 2009

votum said:
WOW....they were trying to dump a zune rom for years.... so this means the protection on the zune HD is not nearly as strong as the regular zune...this is good news indeed...Mine is on backorder still =x

It means no such thing. You could always easily dump the Zune roms with dumprom and other tools. It's like any other Windows CE 5.0 device. Convert to nb0 and dump. The protection is in the device's bootloader and hardware itself and so far nobody has been able to crack it. (to my knowledge) You can cook a custom ROM for it today but it's not going to be of much use if the device rejects it. If breaking it's security was that easy the original Zune would have had Opera Mobile running on it years ago.

Despite the presence of an app store, something tells me this device may be as locked down as all the other Zunes. I hope it isn't the case but looking at the previous generations doesn't give me much hope. Even the current generation Zunes have a few apps but all must be signed by MS using a private key and are installed from some encrypted cab format. Now you may point to the new XNA SDK for the Zune HD and think this gives us hope but again it means nothing. The last generation Zunes had this too and it's a heavily sandboxed .NET Compact Framework environment with no access to the internal OS whatsoever. I hear Micosoft actually forces a reboot on exit of applications as one more way to prevent attempts to access the underlying OS.

The Zune is strange. For a company that is so well known for it's supposed security holes, it's funny they finally created something that still hasn't been cracked in over 3 years.
But Interestingly enough, there is a picture from the FCC of an HD running the Windows CE Explorer shell. Of course, it's likely MS just gave the FCC a less crippled version for testing purposes. And even if the retail versions do have an explorer in rom that can be accessed, that doesn't mean it will be able to execute unsigned applications.

FCC Zune HD: http://www.engadget.com/2009/08/10/zune-hd-hits-fcc-in-prolific-photo-shoot-16gb-and-32gb-capaciti/

About dumping it: Unless MS added IMGFS support to the core OS in version 7, taking modules from this device will be much more tedious than a WM5+ Pocket PC. It's not impossible but plain Windows CE still uses mostly the same BIN image format as WM2003 did and so most of the modules will have their relocation information stripped when dumped. It will be a tedious process to restore the relocs of every dll you want to use from it's rom. (unless I haven't been paying attention and someone wrote some to automatically add missing reloc info to stripped dlls) And even then, it's very possible the media player app/shell uses a lot of Tegra GPU specific features. Of course, I could be wrong. I have yet to even look at a ROM dump of the thing. Is it even confirmed that it runs CE7? If so, that's wild MS would ship a beta OS. Do the dumped modules report a 7.0 OS/subsystem version?

hairchrm · Oct 14, 2009

Solar257 said:
@hairchrm
As for the references to a camera, one of Tegra's 8 cores is an image processing core with support for up to a 12 mp camera. Perhaps that's where it's leading in another device? Also, where did you see that camera reference in recovery.bin? I opened it in wordpad and couldn't find 'lens' or 'autofocus.'

Your explanation for the camera makes sense.

I didn't actually dump the rom from the zune hd, I actually grabbed the rom on the computer as the update, and then extracted it out into pieces.

See this old post for how I did it, and then try searching in wordpad-

http://xdaforums.com/showpost.php?p=4627614&postcount=17

Some of the lines-

--------------------------------------------
# Lens shading data
lensShading.leftPatchWidth = 642;
lensShading.centerPatchWidth = 1296;
--------------------------------------------

.....

--------------------------------------------
# Continuous autofocus setup
af.cont.positionsMap = { 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120 };
--------------------------------------------

There are more, but that gives the general idea that they are present.

TFGBD · Oct 14, 2009

Are you guys sure this is even CE 7? I was finally able to download and have a look at these dumps and to my shock depends.exe reported that every file had a 6.0 WinCE subsystem(OS) version. Do you really think MS would leave the OS version of the generated system libraries at 6.0 even if this were a beta 7.0 kernel? Being based on 6.0r3 would really make more sense. The Tegra currently only supports CE 5.0 and 6.0 and it really doesn't sound wise for MS to ship a potentially buggy and unproven beta OS with drivers designed for another kernel in a retail device. Most of the other Tegra devices that ship will have either CE 5.0 or 6.0. Of course, I don't mind being proven wrong.

Blackwheel · Oct 15, 2009

It is just frustrating to have such powerful hardware tied down like this. Just please tell me one thing. Is it possible, or will it ever be possible to get Windows Mobile 7 onto the Zune HD?

chota_shivaji · Oct 15, 2009

Solar257 said:
Aside from what Da_G said, how can one tell that the Zune HD is running Windows CE 7?

- I guess ZuneHD runs on Windows CE 6.0 and not Windows CE 7.0.
- Also it seems that WinCE 7.0 is not officially out yet !!

TFGBD · Nov 6, 2009

Blackwheel said:
It is just frustrating to have such powerful hardware tied down like this. Just please tell me one thing. Is it possible, or will it ever be possible to get Windows Mobile 7 onto the Zune HD?

As with anything, I'm sure it's not impossible. Though, It depends how locked down it is. If it's anything like the previous generation Zunes, I wouldn't hold my breath. But if it's popular enough, just the fact that so many people own one may lead to more people attempting to crack the thing. Or, maybe MS will just open it up completely as time goes on like Apple did.

Blackwheel · Nov 7, 2009

TFGBD said:
As with anything, I'm sure it's not impossible. Though, It depends how locked down it is. If it's anything like the previous generation Zunes, I wouldn't hold my breath. But if it's popular enough, just the fact that so many people own one may lead to more people attempting to crack the thing. Or, maybe MS will just open it up completely as time goes on like Apple did.

Apple didn't open up their players did they? You still have to use itunes for that stuff correct?

adp9626 · Nov 7, 2009

I'll add in another 40

[ElCondor] said:
Donation of 60 euros for the one who succesfully ports the whole Zune UI to WM!

I just need the music function to work on WM 6.5 using the Zune HD interface.

ElCondor · Nov 8, 2009

adp9626 said:
I just need the music function to work on WM 6.5 using the Zune HD interface.

Hehe yeah it's very cool. But well I think waiting for WM7 is a better option.

AL_CAPONE_X3 · Nov 8, 2009

this would be great news if we can make roms for the zune hd.

i currently have the 120gb zune

hairchrm · Nov 11, 2009

setix said:
after messing around with it, looks like nothing can really be recmoded to make dll files. it may need another way to rec mod than in the vk.

I've had the exact same problem... recmod fails with odd errors, like "Error! ProcessCase0: bit 5 is zero!" I was not able to find any documentation of that error anywhere, so I'm lost as to what that means. I'm specifically looking at the zkeyboard.dll folder, as currently the Zune SDK does not allow keyboard access and I was hoping to take a peek at that, but apparently all zune specific dlls fail, while more standard dlls (coredll.dll, quartz.dll) succeed. Has anybody had any luck in assembling anything?

ND4SPD, did you ever succeed in fixing the error xipport gave you on the last file, mentioned a while back?

ND4SPD · Nov 11, 2009

hairchrm said:
ND4SPD, did you ever succeed in fixing the error xipport gave you on the last file, mentioned a while back?

I never tried fixing the error; i didn't get any time to do so. however, xipport.exe didn't have any errors when I dumped the 4.3 ROM Update that just released.

i'll see if I can take some time tomorrow to get Xipportto dump the modules without splitting them up into the S000x parts.

btw, I'm afraid I might have implanted the idea in Da_G's head that the Zune is based on CE 7. I was getting excited, hoping we could get winmo7 on the zune hd, which is based on ce7. It makes more sense that it's based on CE 6 production code rather than a beta CE 7 kernel.

Zune HD ROM Dump

Inactive Senior RD / Moderator Emeritus

Retired Senior Moderator

Inactive Senior RD / Moderator Emeritus

Member

Retired News Writer

Retired Forum Moderator

Member

Senior Member

Senior Member

hairchrm

Guest

Senior Member

Member

Senior Member

Senior Member

Member

Member

Retired News Writer

Senior Member

hairchrm

Guest

Senior Member

Similar threads