Saturday, April 14, 2007

Zune Hacking

What I know:

Zune boot process:
imx31L loads Eboot.bin from ROM into protected on-CPU memory
Strips the Verisign certificate, then uses the public key held on the CPU to recover the signed SHA-1 hash of the image from its signature (the "decrypt with the public key" step of RSA verification)
Computes the SHA-1 of the loaded image and compares it to the recovered hash
If equal, Eboot loads NK.bin from the system partition of the HD
If not, loads Recovery.bin*1, whose only function is to connect (sync?) to a PC and reload valid firmware

Update Process:
I'm not clear whether any verification happens when updating or not. Does the PC side check? The device? Both? Does the device verify before writing updates, or let the boot-time check catch unauthenticated code?
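To make the boot-time check above concrete, and to show what "verify before writing" would look like on the update path, here is a small model of both. This is an added example, not Zune, Microsoft or imx31L code: it uses textbook RSA over a raw SHA-1 digest with a constructed toy key (the Mersenne primes 2^89-1 and 2^107-1), assumes a blob layout of image bytes followed by the signature, and skips the certificate parsing the real bootloader does. The function names (`verify_image`, `next_stage`, `apply_update`) and the sample image are invented for the example.

```python
"""Toy model of the boot-time image check described above (added example; not
Zune or Microsoft code). Textbook RSA over a raw SHA-1 digest, with a tiny key
and no padding: enough to show the control flow, not a real verifier."""
import hashlib
import hmac

# Constructed toy key. p and q are the Mersenne primes 2^89-1 and 2^107-1, so
# n is 196 bits: wide enough to hold a raw 160-bit SHA-1 digest. Nothing here
# is the Zune's real key; a real one would be 1024+ bits with PKCS#1 padding.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: signer only, never on the device
SIG_LEN = (N.bit_length() + 7) // 8    # 25 bytes for this toy modulus


def sha1_int(data: bytes) -> int:
    """SHA-1 digest of data as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign_image(image: bytes, d: int = D) -> bytes:
    """Signer side (hypothetical): 'encrypt' the SHA-1 digest with the private exponent."""
    return pow(sha1_int(image), d, N).to_bytes(SIG_LEN, "big")


def package(image: bytes) -> bytes:
    """Blob layout assumed for the example: image bytes followed by the signature.
    (The real firmware wraps the signature in a certificate; that parsing is skipped.)"""
    return image + sign_image(image)


def verify_image(blob: bytes, e: int = E, n: int = N) -> bool:
    """Boot-ROM side: split off the signature, recover the signed digest with the
    public key, hash the image, and compare in constant time."""
    if len(blob) <= SIG_LEN:
        return False                   # nothing to check: no image, or no signature
    image, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False                   # not a valid signature value for this key
    recovered = pow(s, e, n)           # the "decrypt with the public key" step
    expected = sha1_int(image)
    # Compare fixed-width encodings so a forged signature that recovers to an
    # oversized integer fails cleanly instead of raising.
    return hmac.compare_digest(recovered.to_bytes(SIG_LEN, "big"),
                               expected.to_bytes(SIG_LEN, "big"))


def next_stage(blob: bytes) -> str:
    """The boot decision the post describes: good signature -> NK.bin, else Recovery.bin."""
    return "NK.bin" if verify_image(blob) else "Recovery.bin"


def apply_update(candidate: bytes, installed: bytes) -> bytes:
    """One answer to the update question: verify before writing, so a bad update
    never reaches the system partition and the device keeps the installed image."""
    return candidate if verify_image(candidate) else installed


if __name__ == "__main__":
    good = package(b"constructed NK.bin stand-in")      # constructed sample image
    bad = bytearray(good)
    bad[0] ^= 0x01                                       # flip one bit of the image
    print(next_stage(good))                              # NK.bin
    print(next_stage(bytes(bad)))                        # Recovery.bin
    print(apply_update(bytes(bad), good) == good)        # True: tampered update rejected
```

The point the model makes about the update question: if the device only checks at boot, a bad write still lands on the system partition and the device falls into recovery; if it checks before writing (as `apply_update` does), the installed image is never touched. Which of the two the Zune does is exactly what the post leaves open.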


*1: I'm not clear on what gets loaded from where. Eboot is in the flash ROM. But where is Recovery.bin? One reference has it in ROM, the other puts it on the hard drive.


Hardware info from

Info on the imx31L (the security features PDF is especially recommended)

Info on boot process and hard drive