Dumping the Zune firmware
Before you can dump the Zune firmware, you need to obtain the firmware files in the first place. The Zune software checks for firmware updates by downloading a file named zuneprod.xml. The URL to this file changes with each Zune software version, but it generally follows the format http://resources.zune.net/firmware/vX_Y/zuneprod.xml, where X and Y comprise the software's version number, plus or minus a few increments.
For quick reference, the latest firmware packages are located at:
| Models | Version | URL | |
|---|---|---|---|
| Pavo | HD16, HD32, HD64 | 4.5 | http://resources.zune.net/firmware/v4_5/ChopakaProduction04.05.0109.cab |
| Keel | SD30 | 3.3 | http://resources.zune.net/firmware/v3_3/Keel03300039.cab |
| Scorpius | SD4, SD8, SD16 | 3.3 | http://resources.zune.net/firmware/v3_3/scorpius03300039.cab |
| Draco | SD80, SD120 | 3.3 | http://resources.zune.net/firmware/v3_3/draco03300039.cab |
These firmware packages contain the following files:
| Included with | Type | Purpose | |
|---|---|---|---|
| eboot.bin | Draco, Keel, Scorpius | CE image | Bootloader for MX.31/32 devices |
| ext.bin | Pavo | CE image | Additional firmware image for Pavo (contains higher-level components) |
| games.cab | Draco, Keel, Scorpius | .cab file | Contains signed .zcp containers for bundled Zune 3.x games |
| nk.bin | Draco, Keel, Pavo, Scorpius | CE image | Primary firmware image (core files only on Pavo) |
| recovery.bin | Draco, Keel, Pavo, Scorpius | CE image | Firmware recovery mode |
| xldr.bin | Scorpius | CE image | Initial program loader for Scorpius |
| zboot.bin | Pavo | CE image | Bootloader for Tegra devices |
Generally nk.bin and ext.bin (if applicable) are of the greatest interest.
As the Zune is built on Windows CE, the format of its firmware images is quasi-standard. Fortunately, this means that there are a number of Microsoft and non-Microsoft tools for dealing with them. The following three utilities are needed to access the contents of the Zune firmware:
- viewbin.exe: Displays the offset values needed for cvrtbin.exe
- cvrtbin.exe: Converts a .bin file into a .nb0 file for dumprom.exe
- dumprom.exe: Extracts the contents of a .nb0 file into the specified directory
These tools are all part of a convenient bundle available on the T-hack wiki. Once you've extracted the files you need, follow these steps to dump their contents:
- Open a command prompt and
cdto the directory containing your firmware image files. Do not use PowerShell - doing so will result in unexplained spurious corruption of the dumped files (e.g. incorrect executable headers). - Run
\path\to\viewbin <imagename>.binto display header information from the image. - Run
\path\to\cvrtbin -r -a <start> -w 32 -l <length> <imagename>.binusing the start and length values produced byviewbin.exe, as shown in the screenshot below. These values are different for each firmware image, and will differ from the example here.
- Create a directory to house the dumped files
- Run
\path\to\dumprom -d <dir> -v -5 <imagename>.nb0to dump the contents of the firmware image
The directory you created should now contain all the files from the image you just dumped, suitable for analysis with anything that supports Windows CE ARM binaries (dumpbin, IDA, etc.).
