Dumping the Zune firmware

Before you can dump the Zune firmware, you need to obtain the firmware files in the first place. The Zune software checks for firmware updates by downloading a file named zuneprod.xml. The URL to this file changes with each Zune software version, but it generally follows the format http://resources.zune.net/firmware/vX_Y/zuneprod.xml, where X and Y comprise the software's version number, plus or minus a few increments.

For quick reference, the latest firmware packages are located at:

These firmware packages contain the following files:

File          Included with                 Type       Purpose
eboot.bin     Draco, Keel, Scorpius         CE image   Bootloader for MX.31/32 devices
ext.bin       Pavo                          CE image   Additional firmware image for Pavo (contains higher-level components)
games.cab     Draco, Keel, Scorpius         .cab file  Contains signed .zcp containers for bundled Zune 3.x games
nk.bin        Draco, Keel, Pavo, Scorpius   CE image   Primary firmware image (core files only on Pavo)
recovery.bin  Draco, Keel, Pavo, Scorpius   CE image   Firmware recovery mode
xldr.bin      Scorpius                      CE image   Initial program loader for Scorpius
zboot.bin     Pavo                          CE image   Bootloader for Tegra devices

Generally nk.bin and ext.bin (if applicable) are of the greatest interest.

As the Zune is built on Windows CE, the format of its firmware images is quasi-standard. Fortunately, this means that there are a number of Microsoft and non-Microsoft tools for dealing with them. The following three utilities are needed to access the contents of the Zune firmware:

  • viewbin.exe: Displays the offset values needed for cvrtbin.exe
  • cvrtbin.exe: Converts a .bin file into a .nb0 file for dumprom.exe
  • dumprom.exe: Extracts the contents of a .nb0 file into the specified directory

These tools are all part of a convenient bundle available on the T-hack wiki. Once you've extracted the files you need, follow these steps to dump their contents:

  1. Open a command prompt and cd to the directory containing your firmware image files. Do not use PowerShell - doing so will result in unexplained spurious corruption of the dumped files (e.g. incorrect executable headers).
  2. Run \path\to\viewbin <imagename>.bin to display header information from the image.
  3. Run \path\to\cvrtbin -r -a <start> -w 32 -l <length> <imagename>.bin using the start and length values produced by viewbin.exe, as shown in the screenshot below. These values are different for each firmware image, and will differ from the example here.
  4. Create a directory to house the dumped files.
  5. Run \path\to\dumprom -d <dir> -v -5 <imagename>.nb0 to dump the contents of the firmware image

The directory you created should now contain all the files from the image you just dumped, suitable for analysis with anything that supports Windows CE ARM binaries (dumpbin, IDA, etc.).
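What steps 2 and 3 operate on, as an added Python example (not code from this wiki or from the tools themselves): it reads the image start and length from the header, verifies each record's checksum, and flattens the records into a .nb0-style buffer. It assumes the standard Windows CE B000FF record layout, which Zune images may not follow exactly; the function names, the size cap and the sample image are constructed for illustration.

```python
import struct

SIGNATURE = b"B000FF\n"          # 7-byte magic of a standard Windows CE .bin image
MAX_IMAGE = 256 * 1024 * 1024    # arbitrary sanity cap (assumption) before allocating


def parse_ce_bin(blob):
    """Return (image_start, image_length, entry_point, records) for a .bin blob."""
    if len(blob) < 15 or blob[:7] != SIGNATURE:
        raise ValueError("not a B000FF image or header truncated")
    image_start, image_length = struct.unpack_from("<II", blob, 7)
    offset, records, entry_point = 15, [], None
    while offset + 12 <= len(blob):
        addr, length, checksum = struct.unpack_from("<III", blob, offset)
        offset += 12
        if addr == 0 and checksum == 0:   # terminating record: length field holds entry point
            entry_point = length
            break
        data = blob[offset:offset + length]
        if len(data) != length:
            raise ValueError("record at 0x%08x is truncated" % addr)
        if sum(data) & 0xFFFFFFFF != checksum:   # checksum = 32-bit sum of data bytes
            raise ValueError("checksum mismatch in record at 0x%08x" % addr)
        if addr < image_start or addr + length > image_start + image_length:
            raise ValueError("record at 0x%08x lies outside the image" % addr)
        records.append((addr, data))
        offset += length
    if entry_point is None:
        raise ValueError("no terminating record found")
    return image_start, image_length, entry_point, records


def flatten_to_nb0(blob):
    """Place each record at (address - image_start); gaps stay zero-filled."""
    image_start, image_length, _, records = parse_ce_bin(blob)
    if image_length > MAX_IMAGE:
        raise ValueError("declared image length exceeds sanity cap")
    flat = bytearray(image_length)
    for addr, data in records:
        flat[addr - image_start:addr - image_start + len(data)] = data
    return bytes(flat)


def build_sample():
    """Constructed two-record image for demonstration; not real Zune firmware."""
    recs = [(0x80001000, b"\x01\x02\x03\x04"), (0x80001010, b"ZUNE")]
    body = b"".join(struct.pack("<III", a, len(d), sum(d)) + d for a, d in recs)
    header = SIGNATURE + struct.pack("<II", 0x80001000, 0x20)
    return header + body + struct.pack("<III", 0, 0x80001000, 0)
```

A checksum or bounds failure here is a quick way to tell a corrupted or non-standard image apart from a tool problem before running dumprom.exe.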

development/firmware_dump.txt · Last modified: 2010-04-16 04:33 by itsnotabigtruck
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported