Zune

[Genre9mp3]

Here's two other links about the wi-fi module here and here (translated)

and a nice pic:

[[IDC]Dragon]

Here's the source of the above picture, and more high-res photos of the internals:
http://www.bunniestudios.com/wordpress/?p=131
Nice hardware!

[keytotime]

http://en.wikipedia.org/wiki/Zune#Hardware

[zune-online.com]

A) The link was on my site valid for 2-3 days just before the launch and on launch of Zune. It has been removed since. It just points now to Zune.net where anybody with windows and IE (!!) can download, install and use the software (you don't have to own a Zune player).

B) I write an article about CC and Zune now! (How the hell did you know it  )
Based on: http://www.wired.com/news/columns/0,72172-0.html
And don't be so sure it is technically unfeasible...

[laberlaber]

I was reading an article on linux.com about one of the editor's trips to Microsoft and how he got a free Zune.  His response:

So here's the deal: If you want to either install Linux on a Zune or write a utility to make a Zune Linux-compatible, email editors@ostg.com and tell us why we should give this free Zune to you. The person we deem most likely to put it to good use, based on previous development track record and all-around desire, will get this Zune to have, hold, use as a development platform, and otherwise do with as he or she wishes.

All we ask in return is a reasonable description of the hacking effort -- successful or not -- within a reasonable time. Call it 90 days after you receive it. And to keep the "Who gets it?" question from going on forever, we'll close the entry period on December 22 and announce our decision on December 26, the day after Christmas, then mail it out on or about January 2nd, 2007, after the Christmas shipping (and return) rush has died down.

The only limitations we're imposing are:

    * You must be in a country where you can receive postal-mailed packages from the US.
    * If there are customs hassles or duties, you must take care of them at your end.

So go ahead and send those emails. We'll be waiting for them!

I realize that Rockbox isn't being developed to be able to install linux nor to ensure linux compatibility, but frankly I can't think of any better open source community which is better suited to improving the Zune.  Why don't one of the developer's send in a request?

[Bagder]

90 days is reasonable? Man, that is pretty ignorant I'd say.

We got several Sansas back in May. We're now >6 months later and we're a whole bunch of people with such targets and still we don't have a working Rockbox on it. But i guess we're just lame... :-)

[ptw419]

As far as I am aware all work on the Gigabeat S RB port has come to a standstill. The cpu security architecture of the Gigabeat S(and therefore the Zune) prevents any alteration of the bootloader/firmware on the hard drive because these files are hashed using SHA-1 20 bit  and signed/certified by a Verisign certificate/key. Tricking the Zune firmware update program to update w/ a custom firmware file that isn't signed will not work, because the firmware isn't signed, and therefore its not authenticated. It seems to me that more than likely the hardware will have to be reverse engineered much like how the digital signature [attempted] to be cracked on the Xbox in order to capture the signature of the bootloader/firmware. Either that or find someway to capture the signature by reverse engineering through the software. With this signature we can then sign a custom bootloader or firmware file.  That is unless anyone has any other ideas.....

Edited 12-13-06:

 I found out the Xbox digital signature was cracked but never officially released due to legal reasons. Because of this I'm not sure if this method would be legal for the zune/gigabeat s30. Maybe if the digital signature wasn't publicly released? See this page : http://www.xenatera.com/b.../proj/anatak/xboxmod.html

Another way could be to possibly search for any buffer overflow exploits in the current firmware to get some custom code working. This is the way that Xbox Linux is installed on the Xbox. A buffer overflow in the MechAssault game saving ( anyone familiar w/ Xbox modding would be familiar w/ this ) allows custom code to work, and Linux to be installed. One final alternative is flashing Flash ROM w/ a custom ROM, but this wouldn't be for the layman, its  possibly dangerous, and still might not work because of the cpu security mechanisms.

One last note. The reason why I refer to Xbox hacking is because even though the hardware, and security aren't the same between Zune/Gigabeat S and Xbox, the situations are very similar. The methodologies used in cracking the Xbox could be used in cracking the Zune....

[Febs]

90 days is reasonable? Man, that is pretty ignorant I'd say.

We got several Sansas back in May. We're now >6 months later and we're a whole bunch of people with such targets and still we don't have a working Rockbox on it. But i guess we're just lame... :-)

Actually, they ask for "a reasonable description of the hacking effort -- successful or not" within the 90 day period, not an actual working port.  I would think that something similar to the descriptions you've provided of your efforts on the Sansa project would easily fulfill that requirement.

[Bagder]

Actually, they ask for "a reasonable description of the hacking effort -- successful or not" within the 90 day period, not an actual working port.  I would think that something similar to the descriptions you've provided of your efforts on the Sansa project would easily fulfill that requirement.

Right, an unsuccessful attempt could easily be described within 90 days! ;-)

I did mail mr Miller (the author of the article) with some comments and he replied saying this about the time frame: "I'd just like some sort of progress report and assurance that someone has looked at the possibilities by then".

But as I'm not even able to hack the Sansa as much as I'd like, I'll pass this chance to someone else.

[Genre9mp3]

Quotes from the claimed-to-be developer at the Zuneboards Thread

The way to boot it to the zune right now is very complicated, takes some time, and is risky if you don't know how to do it. I won't be releasing this until there is no risk to Zune users when they use Zune Linux. We are looking for graphics people who are willing to make logos and stuff for Zune Linux

The loader to boot a new OS on to your Zune however will not go open source.

I've been holding this out from the public for about two months, that you can ask people like LPX. Why would I release my code to people before it is even stable enough to change a song?

it might be released on my own website but Zune Boards will have exclusive rights to host it and other files to it. Because guess what? I don't care about all these other boards such as Zune Scene and crap.

It sounds like a hoax. I can't find anywhere something a bit technical or specific on how he managed to bypass/crack or whatever the security features of the i.MX31 CPU. Nothing about the encryption of the firmware, nothing about the signature that is required for the Zune to run code. Instead ha asks people to help him out with the... graphics!

I really hope to be proven wrong but this whole thing seems to me like a nice way for people to visit their forums (the claimed-to-be developer is also administering these forums). Time will tell... I wouldn't hold my breath for it though.

[nimdae]

Going back to the xbox buffer overflow vs gigabeat s possibility, the xbox overflow exploited a flaw that exists in intel processors. Had Microsoft not changed hardware at the last minute, the flaw would not have existed in the xbox. The xbox, xbox360, and I'm sure the gigabeat s/zune use a trusted computing model, so without cracking the signature, it would be very difficult to otherwise compromise the security put in place. That is not to say that it would be impossible. However, you can't use intel cpu exploits anymore

If it does in fact use a trusted computing model, then simply signing a custom firmware with a valid or specific certificate may not be enough. I don't think we'll see rockbox/linux on the zune/gigabeat s for some time, especially considering I don't even think we've seen linux on the xbox360 yet (don't be fooled by the nifty hacked screensaver someone made...if it's even that much).

As far as extracting and cracking the certificate in order to sign a firmware...this borders on poor ethics. I would be afraid that it would be possible for the "wrong" people to use it for other purposes, as I'm sure it would be particularly useful to exploit the wifi sharing.

[zune-online.com]

I broke the linux-zune story on my site, but I really can't tell if there is something real there or not.

How can we check if Zune really has enabled the security features on the freescale processor? For example checking the firmware file for a signature, it could be a first step. The firmware version v1.0 is on the Zune CD. There are also v1.1 and the current v1.2 versions which are harder to get because they are automatically downloaded and installed on Zune.

EDIT: you can download the v1.2 Zune firmware from here:
http://download.xboxlive....firmware/Zune01020434.cab

[ptw419]

Going back to the xbox buffer overflow vs gigabeat s possibility, the xbox overflow exploited a flaw that exists in intel processors. Had Microsoft not changed hardware at the last minute, the flaw would not have existed in the xbox. The xbox, xbox360, and I'm sure the gigabeat s/zune use a trusted computing model, so without cracking the signature, it would be very difficult to otherwise compromise the security put in place. That is not to say that it would be impossible. However, you can't use intel cpu exploits anymore

If it does in fact use a trusted computing model, then simply signing a custom firmware with a valid or specific certificate may not be enough. I don't think we'll see rockbox/linux on the zune/gigabeat s for some time, especially considering I don't even think we've seen linux on the xbox360 yet (don't be fooled by the nifty hacked screensaver someone made...if it's even that much).

As far as extracting and cracking the certificate in order to sign a firmware...this borders on poor ethics. I would be afraid that it would be possible for the "wrong" people to use it for other purposes, as I'm sure it would be particularly useful to exploit the wifi sharing.

Hmmm..Thats very interesting about the intel exploit. That I didn't know. Nice to know though . I do also agree about ripping the signature regarding questionable ethics. I don't even know if it is even legal. Good point on both accounts.

How can we check if Zune really has enabled the security features on the freescale processor? For example checking the firmware file for a signature, it could be a first step. The firmware version v1.0 is on the Zune CD. There are also v1.1 and the current v1.2 versions which are harder to get because they are automatically downloaded and installed on Zune.

I'm more than sure that these features are enabled. I've talked to a couple of people who have tried to substitute the firmware files(nk.bin) and only got an error message asking to update the firmware to the original firmware(this happens when recovery.bin is executed i think). This seems to confirm the fact that the i.MX processors verify the firmware images before boot(if enabled). Another point is that if you look at the firmware images(both eboot.bin and nk.bin) in a disassembler or a hex editor you can see the Method names and error messages that are internal when the system verifies the firmware images. Not only that, you can also see a Verisign certificate, supporting the argument that the images are signed. One last point : Security is inherent to the Freescale i.MX processor series. It is literally built into the processor and surrounding architecture. If all these security checks are there for use why wouldn't Microsoft want to use them?

[qables]

Well for all experiments and DIY (Do It Yourself) you can find and buy a Zune dock connector here:
http://www.qables.com/ind...duct_info&products_id=593

Rgds

[andrew]

hmm...I recognize the filename in that Zune firmware package. NK.bin is the name of the output file for a Windows CE build If you run it through strings (or look at it in notepad) you see some very interesting text:

W i n d o w s   C E   K e r n e l   f o r   A R M   ( T h u m b   E n a b l e d )   B u i l t   o n   D e c     6   2 0 0 6   a t   1 6 : 4 2 : 0 1

So it really does run Windows CE

Some debugging file names
E:\pyxis\v1.2\platform\pyxis\target\ARMV4I\retail\kern.pdb
E:\pyxis\v1.2\platform\pyxis\target\ARMV4I\retail\ipu_base.pdb
E:\pyxis\v1.2\public\cebase\cesysgen\oak\target\ARMV4I\retail\waveapi.pdb
E:\pyxis\v1.2\public\cebase\cesysgen\oak\target\ARMV4I\retail\mspart.pdb

Some more random interesting strings
O E M I n i t S e c u r e C l o c k S t a t u s _ P h a s e 2 :   S e c u r e   C l o c k   I s   V a l i d
O E M I n i t S e c u r e C l o c k S t a t u s _ P h a s e 2:   S e c u r e   C l o c k   I s   L o s t
M S - P C M
M i c r o s o f t   P C M   C o n v e r t e r - C o p y r i g h t   ( c )   1 9 9 2 - 2 0 0 3   M i c r o s o f t   C o r p o r a t i o n    
 C o n v e r t s   f r e q u e n c y   a n d   b i t s   p e r   s a m p l e   o f   P C M   a u d i o   d a t a .  

There looks to be some wave files in it:
  1996-02-27  RIFF¦
 WAVEfmt

A power management DLL:
PMC_PM.dll PmDevicePowerNotify PmGetDevicePower PmGetSystemPowerState PmInit PmNotify PmPowerHandler PmRegisterPowerRelationship PmReleasePowerRelationship PmReleasePowerRequirement PmRequestPowerNotifications PmSetDevicePower PmSetPowerRequirement PmSetSystemPowerState PmStopPowerNotifications

Yay, windows directories:
\ W i n d o w s \ S y s t e m \ % s . w a v     \ W i n d o w s \ % s . w a v   \ W i n d o w s \ S y s t e m \ % s     \ W i n d o w s \ % s   % s . w a v

Maybe we can run some code on this thing
S Y S T E M \ K E R N E L   I n j e c t D L L

What is an XIP...
P a g i n g   i n   f r o m   u n c o m p r e s s e d   R / O   p a g e   f r o m   X I P   m o d u l e   - -   s h o u l d ' v e   n e v e r   h a p p e n e d

L o a d O 3 2   F A I L E D :   X I P   c o d e   s e c t i o n   n o t   p a g e   a l i g n e d ,   o 3 2 _ d a t a p t r   =   % 8 . 8 l x ,   o 3 2 _ r e a l a d d r   =   % 8 . 8 l x

E R R O R !   X I P   r e g i o n   s p a n   a c c r o s s   d i s c o n t i g i o u s   m e m o r y ! ! !   S y s t e m   H a l t e d !

Does anyone know of a Windows CE device simulator that we might be able to get this device image ("NK.bin") to run in (maybe with a little coaxing)

Hopefully that provides some insight into how the Zune runs internally, too bad that it isn't available in Canada yet.
-Andrew