Firmware Files

The following Information was taken from xda-developers forum:

The Zune uses the B000FF file format for its firmware. It is used by Windows CE devices to write to flash memory. It saves space by skipping empty areas.

There is a tutorial on how to use the tools at the bottom.

File Format

struct BIN_HEADER {
char[7] Signature;      // B000FF\n signature   
DWORD ImageStart;    // Image Start
DWORD ImageLength; // Image Length
};

Binary Block

struct BIN_BLOCK {
DWORD Address; // Address where the block should be flashed
DWORD Size; // Size of the block that is being flashed
DWORD Checksum; // Checksum (CRC32) of the block data
};

[[TODO]]: Rewrite the text below:

How it works

The file starts with the header structure, followed by N number of block structures each one followed by the respective data of the block. A block with Address / Size / Checksum set to 0 is a termination block and marks the end of the file.

Note that some blocks can be missing and depending on the bootloader the region could be left untouched or erased (erased bytes could have any value, it depends on the type of memory (NAND erased bytes have FF value) and on the bootloader).

How to check the integrity of a B000FF file

Read the header, read the first block and check that its address equals ImageStart, check that the termination block is present and check that the last block before the termination block address equals the sum of ImageStart + ImageLength.

How to convert a B000FF file to an absolute binary format file (NB0)

Allocate an empty file with the size of ImageLength and write each of the blocks' data inside at the absolute file position of Block Address - ImageStart.

The missing blocks are usually empty areas (or at least that's what are in the files generated by Microsoft tools) that could be ignored by the bootloader or erased (with the bytes values depending on the memory type and on the bootloader code) but in case you encounter them make sure you investigate what those missing belong to, it could be a fancy way for the manufacturer to leave some areas reserved for the phone or bootloader and should be left untouched when re-creating the file.

Available tools for working with BIN files

  • CVRTBIN/VIEWBIN to convert the file to a "ROM" file (ABX/NB0/ROM memory image, call it how you want)
  • OSNBTOOL (suggested, because it lets you figure out what is in the file) that can do the following operating:
    • split (-sp): finds the OS.NB inside the BIN and saves the OS.NB and the unrecognized data that comes before and after it
    • generate BIN (-2bin): converts a file to the BIN format and has two important switches, one to set the start address of the data and one to tell it to not write the header (so that you can example append other BIN data in front of it)
    • fix BIN header (-fixbinheader) scans the BIN file and adjusts the imagestart and imagelength according to the content

Extracting content

  1. Get the start and the length of the Image
    $ viewbin.exe nk.bin

    ViewBin... NK.bin
Image Start = 0x00014000, length = 0x00B7A4E4
            Start address = 0x00023F10

    Note down the Image Start and the length

  2. Convert the .bin file to a absolute .nb0 file
    $ cvrtbin -r -a IMAGE_START -w 32 -l LENGTH nk.bin
    Replace IMAGE_START and LENGTH with the values from the last step.

  3. Finnaly dump the contents of the rom
    $ dumprom.exe -d dump -v -5 nk.nb0

    Warning

    The folder specifies with -d must exist before executing the command.

These steps can be repeated with the other files as well.

Dumprom.exe source code

https://nah6.com/~itsme/cvs-xdadevtools/dumprom/

🗺️ File Types