Zune HD on the PC

[uaktags]

hey guys...got the zif connector and my zune...trying to take out the hd now
i'll fill in as i go

[Nurta]

cool, are you able to jump onto the IRC

[uaktags]

idk...give me the link and we'll see

[Nurta]

irc://irc.webchat.org:7000/Zuneboards

[uaktags]

downloading an irc client...but so far it only recognizes the diskdrive, but its not accessible yet

[Nurta]

You have got it connected to the PC and it isn't plug and play?

[Nurta]

w007, we have successfully downgraded the firmware using this method.

Which means we (should) have a hard mod that allows us to load a custom firmware to some degree

[uaktags]

well heres what we got thus far (the whole irc log should come tomorrow?).
As nurta said, we've been able to switch out the firmwares with our method utilizing the Zif connector. What we suspect now is that we should be able to, at some point, use our own custom firmware. Only thing is we get stopped by what seems to be a 3 step process. Step one shows a picture of a Zune and a loading graphic, with a message box stating "Please Wait". Then theres step 2 (we'll get into in a moment), and step 3 which again says "Please wait" but with a larger picture of a zune and a loading graphic. Now heres the theory i've come up with. Step 1 checks to see that there IS a firmware to load on the zune, if that basic step is accomplished, on comes step2. Step 2 checks to see if it's a legit firmware, if so it goes to step 3 and you'll never see step 2 appear, if not then step 2 has a picture of a zune and a computer with the message "Please connect your zune and restore device firmware". Then step 3 has 1 of 2 outcomes...If you manage to make it here with an illegitmate firmware, the Please wait is getting ready to reboot the zune and delete the firmware. If you pass step 2 legitimately, then Please wait will then load up the main menu screen

so
Step1 checks for A firmware
Step2 checks if firmware is legit
Step3 loads firmware/crashes if bad

least thats what i think thus far, until we find out more, this is all we can guess.

[Marshillboy]

Interesting...Good work! Care to upload some of the contents/screenshots/file list/anything you found via the zif connector?

[lpxxfaintxx]

Did you try the font thing yet? xD

[Nurta]

ledzepp should have come in with the log...

uak did upload a couple of files, but they were in the log, I don't remember the URLs, uak might maybe

OK, the problem we have so far is that it still needs MS' sig or something. zepp made up a modified version of nk.bin with a different font, but it rejects it.

So the only thing currently we can try is modifying the files on there. Especially the edb files on there, that probably correspond to databases.


This still has potential, since we can return once again to buffer overflows and try modify the "databases" but to do that we need the software to do it Ana, you seem to have some experience with this, even though I haven't seen you post in here yet...

Also, could someone else try and make up a modified nk.bin file (and maybe mess with eboot somehow?) since zepp was coming up with some problems, maybe collingall or berdon? Keep it as similar as possible.

[lpxxfaintxx]

Hrm, I thought the font would be already in the device, and not in the firmware... I was thinking just "drag and drop" the font into the font directory. LOL, guess not.

[Nurta]

Quote:

Originally Posted by lpxxfaintxx

Hrm, I thought the font would be already in the device,

it is in the device, but it is packaged in nk.bin

ZunePet's postings on it we acaccurate after all, in that it is not decompiled by the Zune, it simply leaves everything wrapped up other than media and the bg and stuff.


A couple ideas:
get a 3x3 song from the HD and see if it has any actual drm to it or if that is managed by the device
overflow in the db
continue modifying the nk and trying to get it to boot
really **** with things and see if it recovers
delete the bg image/replace it with other image types/replace it with overflow images
mess with that xml document that zepp said shouldn't do anything
randomly put porn throughout the drive and see what happens
get the White Screen of Death back

[lpxxfaintxx]

What would happen if we loaded the Toshiba Gigabeat S firmware on it? Maybe it has the same signature as Microsoft's...

[Nurta]

Quote:

Originally Posted by lpxxfaintxx

What would happen if we loaded the Toshiba Gigabeat S firmware on it? Maybe it has the same signature as Microsoft's...

don't work

[LedZepp]

Im really sorry guys, there was a power outage in my neighborhood in the middle of the night. Lost everything i had on my computer that wasnt saved, including the log.

http://uaktechnology.com/localdiskzune.zip
http://uaktechnology.com/tfat.zip


those are the files that uak had given us, we had tried to put gigabeat fw on but it rejected it. Same with my modified nk.bin. Like nurta said we need more time to screw around with it. I should be getting my usb enclosure pretty soon(tomorrow or monday) so i will be able to do it too.

[uaktags]

"white screen of death" that nurta is refering to is something that i came across but may actually be done by others. What happened was while i was hooking my zune back up the battery wire was Fed and then when i finally got it to hook correctly and the zune logo to not keep flashing, what popped up for only a mere second was a White screen that resembled the old Blue Screen of Death, but had like jibberish all written in it. then it flashed away, i've been trying to recreate my mistake (all i kno is it came after having put the HD cord in the wrong way then the right way, then realized that the battery wasn't connected correctly becuz the logo was flashing..then when i fixed that, the popup came up) and since i havne't been able to recreate it, i haven't been able to get a pic/vid of it for nurta.

The TFAT file holds the firmware and the Local Disk holds the content folder (with all my music and stuff in it) and a few little files

Now my question is, anyone got any bricked Zunes. Broken ones, fed up ones, anything? i want to cross reference these hds..and see how different the data is on them thats stored (if i load up 3 completely wiped out hds) and start then from scratch with a 1.4 fw...then go in and look at the data it stores, whats different. maybe find our secret

[Nurta]

Yeah, one other thing I think we should try for is the 1.0 firmware, which might give us something useful.

For this we need a brand new Zune though.

[lpxxfaintxx]

What about the ones that you guys won (by cheating ) on Club Live?

[uaktags]

ok..so we need brokens and brandnews...lol...we sure that we cant find the fw on a ms site?