
Zune


nimdae:
Going back to the xbox buffer overflow vs gigabeat s possibility, the xbox overflow exploited a flaw that exists in intel processors. Had Microsoft not changed hardware at the last minute, the flaw would not have existed in the xbox. The xbox, xbox360, and I'm sure the gigabeat s/zune use a trusted computing model, so without cracking the signature, it would be very difficult to otherwise compromise the security put in place. That is not to say that it would be impossible. However, you can't use intel cpu exploits anymore ;)

If it does in fact use a trusted computing model, then simply signing a custom firmware with a valid or specific certificate may not be enough. I don't think we'll see rockbox/linux on the zune/gigabeat s for some time, especially considering I don't even think we've seen linux on the xbox360 yet (don't be fooled by the nifty hacked screensaver someone made...if it's even that much).

As far as extracting and cracking the certificate in order to sign a firmware...this borders on poor ethics. I would be afraid that it would be possible for the "wrong" people to use it for other purposes, as I'm sure it would be particularly useful to exploit the wifi sharing.

zune-online.com:
I broke the linux-zune story on my site, but I really can't tell if there is something real there or not.

How can we check if the Zune really has the security features on the Freescale processor enabled? For example, checking the firmware file for a signature could be a first step. The firmware version v1.0 is on the Zune CD. There are also v1.1 and the current v1.2 versions, which are harder to get because they are automatically downloaded and installed on the Zune.

EDIT: you can download the v1.2 Zune firmware from here:
http://download.xboxlive.com:3074/content/firmware/Zune01020434.cab

ptw419:

--- Quote ---Going back to the xbox buffer overflow vs gigabeat s possibility, the xbox overflow exploited a flaw that exists in intel processors. Had Microsoft not changed hardware at the last minute, the flaw would not have existed in the xbox. The xbox, xbox360, and I'm sure the gigabeat s/zune use a trusted computing model, so without cracking the signature, it would be very difficult to otherwise compromise the security put in place. That is not to say that it would be impossible. However, you can't use intel cpu exploits anymore

If it does in fact use a trusted computing model, then simply signing a custom firmware with a valid or specific certificate may not be enough. I don't think we'll see rockbox/linux on the zune/gigabeat s for some time, especially considering I don't even think we've seen linux on the xbox360 yet (don't be fooled by the nifty hacked screensaver someone made...if it's even that much).

As far as extracting and cracking the certificate in order to sign a firmware...this borders on poor ethics. I would be afraid that it would be possible for the "wrong" people to use it for other purposes, as I'm sure it would be particularly useful to exploit the wifi sharing.

--- End quote ---

Hmmm... That's very interesting about the Intel exploit. That I didn't know. Nice to know though ;). I do also agree about ripping the signature regarding questionable ethics. I don't even know if it is even legal. Good point on both counts.


--- Quote ---How can we check if Zune really has enabled the security features on the freescale processor? For example checking the firmware file for a signature, it could be a first step. The firmware version v1.0 is on the Zune CD. There are also v1.1 and the current v1.2 versions which are harder to get because they are automatically downloaded and installed on Zune.

--- End quote ---

I'm more than sure that these features are enabled. I've talked to a couple of people who have tried to substitute the firmware files (nk.bin) and only got an error message asking to update the firmware to the original firmware (this happens when recovery.bin is executed, I think). This seems to confirm the fact that the i.MX processors verify the firmware images before boot (if enabled). Another point is that if you look at the firmware images (both eboot.bin and nk.bin) in a disassembler or a hex editor you can see the method names and error messages that are internal to the system's firmware image verification. Not only that, you can also see a VeriSign certificate, supporting the argument that the images are signed. One last point: security is inherent to the Freescale i.MX processor series. It is literally built into the processor and surrounding architecture. If all these security checks are there for use, why wouldn't Microsoft want to use them?

qables:
Well, for all experiments and DIY (Do It Yourself) you can find and buy a Zune dock connector here:
http://www.qables.com/index.php?main_page=product_info&products_id=593

Rgds

andrew:
hmm... I recognize the filename in that Zune firmware package. NK.bin is the name of the output file for a Windows CE build :) If you run it through strings (or look at it in Notepad) you see some very interesting text:

W i n d o w s   C E   K e r n e l   f o r   A R M   ( T h u m b   E n a b l e d )   B u i l t   o n   D e c     6   2 0 0 6   a t   1 6 : 4 2 : 0 1

So it really does run Windows CE :P

Some debugging file names
E:\pyxis\v1.2\platform\pyxis\target\ARMV4I\retail\kern.pdb
E:\pyxis\v1.2\platform\pyxis\target\ARMV4I\retail\ipu_base.pdb
E:\pyxis\v1.2\public\cebase\cesysgen\oak\target\ARMV4I\retail\waveapi.pdb
E:\pyxis\v1.2\public\cebase\cesysgen\oak\target\ARMV4I\retail\mspart.pdb

Some more random interesting strings
O E M I n i t S e c u r e C l o c k S t a t u s _ P h a s e 2 :   S e c u r e   C l o c k   I s   V a l i d
O E M I n i t S e c u r e C l o c k S t a t u s _ P h a s e 2:   S e c u r e   C l o c k   I s   L o s t
M S - P C M
M i c r o s o f t   P C M   C o n v e r t e r - C o p y r i g h t   ( c )   1 9 9 2 - 2 0 0 3   M i c r o s o f t   C o r p o r a t i o n    
 C o n v e r t s   f r e q u e n c y   a n d   b i t s   p e r   s a m p l e   o f   P C M   a u d i o   d a t a .  

There looks to be some wave files in it:
  1996-02-27  RIFF¦  WAVEfmt

A power management DLL:
PMC_PM.dll PmDevicePowerNotify PmGetDevicePower PmGetSystemPowerState PmInit PmNotify PmPowerHandler PmRegisterPowerRelationship PmReleasePowerRelationship PmReleasePowerRequirement PmRequestPowerNotifications PmSetDevicePower PmSetPowerRequirement PmSetSystemPowerState PmStopPowerNotifications

Yay, windows directories:
\ W i n d o w s \ S y s t e m \ % s . w a v     \ W i n d o w s \ % s . w a v   \ W i n d o w s \ S y s t e m \ % s     \ W i n d o w s \ % s   % s . w a v

Maybe we can run some code on this thing :P
S Y S T E M \ K E R N E L   I n j e c t D L L

What is an XIP...
P a g i n g   i n   f r o m   u n c o m p r e s s e d   R / O   p a g e   f r o m   X I P   m o d u l e   - -   s h o u l d ' v e   n e v e r   h a p p e n e d

L o a d O 3 2   F A I L E D :   X I P   c o d e   s e c t i o n   n o t   p a g e   a l i g n e d ,   o 3 2 _ d a t a p t r   =   % 8 . 8 l x ,   o 3 2 _ r e a l a d d r   =   % 8 . 8 l x

E R R O R !   X I P   r e g i o n   s p a n   a c c r o s s   d i s c o n t i g i o u s   m e m o r y ! ! !   S y s t e m   H a l t e d !

Does anyone know of a Windows CE device simulator that we might be able to get this device image ("NK.bin") to run in (maybe with a little coaxing)?

Hopefully that provides some insight into how the Zune runs internally; too bad that it isn't available in Canada yet.
-Andrew
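The hand `strings` session andrew walks through above, and the "check the firmware file for a signature" first step zune-online.com asked about earlier in the thread, as one script. This is an added example for this thread, not code from the Rockbox project or from any poster. The spaced-out text in the post ("W i n d o w s   C E ...") is what a UTF-16LE string looks like when Notepad renders each NUL byte as a space; the script decodes those runs properly. `SAMPLE_IMAGE` is constructed here as a stand-in for NK.bin: it reuses two strings quoted in the thread plus a fabricated DER certificate header, and contains nothing from a real Zune image. The function names are this example's own.

```python
"""Extract printable strings and flag DER certificate candidates in a firmware blob.

Added example for the thread, not Rockbox code.  SAMPLE_IMAGE and FAKE_CERT are
constructed stand-ins for NK.bin and an embedded signing certificate.
"""
import re
from typing import Dict, List, Optional, Tuple

MIN_LEN = 8  # shortest run worth reporting (same as GNU strings' -n default is 4; 8 cuts noise)

# A real X.509 certificate is a DER SEQUENCE whose first element is another
# SEQUENCE (tbsCertificate).  Both are normally longer than 255 bytes, so each
# starts with tag 0x30 followed by the two-byte long-form length prefix 0x82.
FAKE_CERT = (
    b"\x30\x82\x01\x0c"        # Certificate SEQUENCE, 268 bytes follow
    + b"\x30\x82\x01\x00"      # tbsCertificate SEQUENCE, 256 bytes follow
    + b"\xa0\x03\x02\x01\x02"  # [0] EXPLICIT version: v3
    + b"\x00" * 251            # rest of tbsCertificate (constructed filler)
    + b"\x00" * 8              # signatureAlgorithm + signature (constructed filler)
)

SAMPLE_IMAGE = (
    bytes(range(16))  # non-printable header bytes (constructed)
    # debug path quoted in the thread, stored as plain ASCII
    + b"E:\\pyxis\\v1.2\\platform\\pyxis\\target\\ARMV4I\\retail\\kern.pdb\x00"
    + b"\x90" * 7
    # build banner quoted in the thread, stored as UTF-16LE like CE kernel strings
    + "Windows CE Kernel for ARM (Thumb Enabled)".encode("utf-16-le")
    + b"\x00\x00"
    + b"\xff" * 5
    + FAKE_CERT
    + b"\x00" * 20
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def ascii_strings(data: bytes) -> List[str]:
    """Runs of >= MIN_LEN printable ASCII bytes (what `strings` prints by default)."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]


def utf16le_strings(data: bytes) -> List[str]:
    """Runs of >= MIN_LEN printable UTF-16LE code units (what `strings -el` prints)."""
    return [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]


def der_certificate_candidates(data: bytes) -> List[Tuple[int, int]]:
    """(offset, total_length) of byte runs shaped like a DER X.509 certificate.

    Heuristic only: a hit means "carve this out and feed it to a real DER
    parser", not "this is a valid certificate".
    """
    hits = []
    pos = data.find(b"\x30\x82")
    while pos != -1:
        outer_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        inner = data[pos + 4:pos + 8]
        inner_len = int.from_bytes(inner[2:4], "big") if len(inner) == 4 else 0
        total = 4 + outer_len
        # nested SEQUENCE, nested length smaller than the outer one, and the
        # whole declared object fits inside the blob
        if (inner[:2] == b"\x30\x82" and inner_len < outer_len
                and pos + total <= len(data)):
            hits.append((pos, total))
        pos = data.find(b"\x30\x82", pos + 1)
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Summarise what a manual strings/hex-editor session would reveal."""
    wide = utf16le_strings(data)
    banner: Optional[str] = next(
        (s for s in wide if s.startswith("Windows CE Kernel")), None)
    return {
        "ascii": ascii_strings(data),
        "utf16le": wide,
        "ce_banner": banner,
        "cert_candidates": der_certificate_candidates(data),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_IMAGE).items():
        print(f"{key}: {value}")
```

Run it against a real image with `triage(open("NK.bin", "rb").read())`. A `0x30 0x82` hit only says "something certificate-shaped lives here"; carve those bytes out and confirm with a proper DER parser before drawing conclusions. And even a genuine certificate in the image only shows that the loader has the material to verify signatures, not that verification is enforced at boot; the firmware-substitution behaviour ptw419 describes is the kind of evidence that speaks to enforcement. The "XIP" in andrew's error strings is Windows CE's execute-in-place mechanism, where modules run directly from ROM/flash rather than being paged into RAM, which is why the kernel treats a page-in from an XIP region as a fatal condition.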
