Zune hard drive and boot-up details

None of what follows is new, this is just my 'lab notebook', posted here for my own benefit, and maybe other zune modders.

I've taken apart my zune, per the guide at rapidrepair.com. With some adapters, I can mount the zune hard drive in my choice of OS. The device has two FAT32 partitions, one for media, and the other a 'system' partition of ~150 Mb. The sys partition (shows up with label 'TFAT' in Explorer) contains:
nk.bin, eboot.bin, recovery.bin, pmcver.dat. and pmcstore.edb, which is a database of the user settings (radio presets, theme, etc.)
The media partition contains: drmstore.dat, MediaLibrary.edb, MediaLibrary_thumbs.edb, devcert.dat, and a directory for your content.

With direct access to the system files, I tried the following. First, power on zune with no hard drive connected. The Zune logo appears, and then a graphic of a zune, a yellow circle with the number 5 (a status code, I assume), and "Contact Support" printed in three languages. Using the XVI32 hex editor, I changed a single bit in eboot.bin. Put the hard drive back in. The results: Zune logo, progress bar with status code 3 and "Please Wait". The device appears to restart (screen blanks briefly) and we see status code 1, "Connect Zune to your PC".

I shut it off, and put the hard drive back in my pc. The system partition was blank. So I copied the original files back over to it. Now it works like new. I did the same procedure three times with each bin file, and with the same results. The second trial, I switched the zune off the moment I saw the "Please wait" screen. It had already wiped the partition. The last time, I left nk.bin broken and changed recovery. Why I did this is explained below.


My assumption of how things go:

1. The CPU loads a copy of eboot from the flash ROM, checks it for errors, and runs it. (This is probably when the zune logo first appears)

2. Eboot checks the system partition for errors. If everything's fine, it loads nk.bin from the hard drive and boot proceeds normally. (I'm guessing this is the progress bar)

3. If Eboot finds a problem (signatures don't match), it wipes the system partition and reboots Recovery.bin from flash ROM. I'm not sure how this happens, but the Recovery file on the hard drive is not loaded at reboot (or it wouldn't have rebooted in experiment 3)

4. Recovery looks for zune pc software and reloads the OS (I haven't tried the 'approved' way of doing this, copying the files back seems to work fine)


Further directions:

I know a little bit more about the boot process now, but there are still lots of questions. My next attempts will be at corrupting the edb databases - I'm not sure if anything beyond the bin files is checked or not.