Before you can dump the Zune firmware, you need to obtain the firmware files in the first place. The Zune software checks for firmware updates by downloading a file named
zuneprod.xml. The URL to this file changes with each Zune software version, but it generally follows the format
http://resources.zune.net/firmware/vX_Y/zuneprod.xml, where X and Y comprise the software's version number, plus or minus a few increments.
For quick reference, the latest firmware packages are located at:
|Pavo||HD16, HD32, HD64||4.5||http://resources.zune.net/firmware/v4_5/ChopakaProduction04.05.0109.cab|
|Scorpius||SD4, SD8, SD16||3.3||http://resources.zune.net/firmware/v3_3/scorpius03300039.cab|
These firmware packages contain the following files:
|eboot.bin||Draco, Keel, Scorpius||CE image||Bootloader for MX.31/32 devices|
|ext.bin||Pavo||CE image||Additional firmware image for Pavo (contains higher-level components)|
|games.cab||Draco, Keel, Scorpius||.cab file||Contains signed .zcp containers for bundled Zune 3.x games|
|nk.bin||Draco, Keel, Pavo, Scorpius||CE image||Primary firmware image (core files only on Pavo)|
|recovery.bin||Draco, Keel, Pavo, Scorpius||CE image||Firmware recovery mode|
|xldr.bin||Scorpius||CE image||Initial program loader for Scorpius|
|zboot.bin||Pavo||CE image||Bootloader for Tegra devices|
Generally nk.bin and ext.bin (if applicable) are of the greatest interest.
As the Zune is built on Windows CE, the format of its firmware images is quasi-standard. Fortunately, this means that there are a number of Microsoft and non-Microsoft tools for dealing with them. The following three utilities are needed to access the contents of the Zune firmware:
These tools are all part of a convenient bundle available on the T-hack wiki. Once you've extracted the files you need, follow these steps to dump their contents:
cdto the directory containing your firmware image files. Do not use PowerShell - doing so will result in unexplained spurious corruption of the dumped files (e.g. incorrect executable headers).
\path\to\viewbin <imagename>.binto display header information from the image.
\path\to\dumprom -d <dir> -v -5 <imagename>.nb0to dump the contents of the firmware image
The directory you created should now contain all the files from the image you just dumped, suitable for analysis with anything that supports Windows CE ARM binaries (dumpbin, IDA, etc.).