Saturday, April 14, 2007

Zune Hacking

What I know:

Zune boot process:
i.MX31L (its on-chip boot code) loads Eboot.bin from flash ROM into protected on-CPU memory
Strips the VeriSign certificate and uses the on-CPU public key to recover the signed SHA-1 hash of the image (RSA signature verification: "decrypting" the hash with the public key)
Computes SHA-1 of the loaded image and compares it to the recovered hash
If equal, Eboot loads NK.bin from the system partition of the HD
If not, loads Recovery.bin*1, whose only functionality is to connect (sync?) to a PC and reload valid firmware.
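The check described above, as an added model (not Zune or Freescale code): a signed container is hashed, the signature is "decrypted" with the public key, the two digests are compared, and the result picks the next stage. The container layout (magic, length, body, raw RSA signature), the toy unpadded RSA keypair generated from a fixed seed, and the sample firmware body are all constructed for the example; the real i.MX31L key sizes, certificate handling and image format are not assumed here.

```python
"""Model of a hash-and-signature checked boot stage with a recovery fallback."""
import hashlib
import random
import struct

# --- toy RSA (textbook, unpadded; illustrative only, NOT the Zune scheme) ----
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; adequate for a seeded toy key."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(rng: random.Random, bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def make_keypair(seed: int = 7, bits: int = 96):
    """Return (n, e, d). Two 96-bit primes give a modulus wider than a 160-bit SHA-1 digest."""
    rng = random.Random(seed)  # deterministic: constructed demo key, not a real key
    e = 65537
    while True:
        p, q = _gen_prime(rng, bits), _gen_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


# --- constructed image container: magic | body length | body | signature ----
MAGIC = b"ZIMG"                    # assumed magic, not a real Zune value
HEADER = struct.Struct(">4sI")     # magic, big-endian body length


def build_image(body: bytes, n: int, d: int) -> bytes:
    """Vendor side: hash the body and sign the SHA-1 digest with the private key."""
    h = int.from_bytes(hashlib.sha1(body).digest(), "big")
    sig = pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return HEADER.pack(MAGIC, len(body)) + body + sig


def verify_image(blob: bytes, n: int, e: int) -> bool:
    """Device side: recover the signed digest with the public key and compare it
    with a fresh SHA-1 of the loaded body. Any malformed container fails closed."""
    sig_len = (n.bit_length() + 7) // 8
    if len(blob) < HEADER.size + sig_len:
        return False
    magic, body_len = HEADER.unpack_from(blob)
    if magic != MAGIC or HEADER.size + body_len + sig_len != len(blob):
        return False
    body = blob[HEADER.size:HEADER.size + body_len]
    sig = int.from_bytes(blob[HEADER.size + body_len:], "big")
    if sig >= n:
        return False
    recovered = pow(sig, e, n)  # "decrypt" the signature with the public key
    actual = int.from_bytes(hashlib.sha1(body).digest(), "big")
    return recovered == actual


def boot(eboot_blob: bytes, n: int, e: int) -> str:
    """Return the next stage the boot code hands off to after checking Eboot."""
    return "NK.bin" if verify_image(eboot_blob, n, e) else "Recovery.bin"


if __name__ == "__main__":
    n, e, d = make_keypair()
    good = build_image(b"EBOOT firmware body (constructed sample)", n, d)
    tampered = good[:HEADER.size] + b"X" + good[HEADER.size + 1:]  # flip one body byte
    print(boot(good, n, e))        # NK.bin
    print(boot(tampered, n, e))    # Recovery.bin
```

The same `verify_image` check is what a device-side "verify before writing" update path would run on the incoming blob; if the device instead writes first and relies on the boot-time check, a bad image costs a trip through Recovery.bin rather than a refused update.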

Update Process:
I'm not clear if any verification happens when updating or not. Does the PC side check? The device? Both? Does the device verify before writing updates, or let the boot-time check catch unauthenticated code?


Notes:

*1: I'm not clear on what gets loaded from where. Eboot is on the flash ROM. But where is Recovery.bin? One reference has it in ROM, the other says hard drive.

References:

Hardware info from
http://www.bunniestudios.com/wordpress/?p=131
http://forums.rockbox.org/index.php?topic=6848.0

Info on the i.MX31L (the security features PDF is especially recommended)
http://www.freescale.com/webapp/sps/site/overview.jsp?nodeId=02XPgQ821729733642&tid=WMSG200506VANITYIMX31

Info on boot process and hard drive
http://zunerama.com/forum/index.php?&topic=1273.0
http://www.zuney.net/zune-hacks-mods/258-bad-news-firmware-hacking.html