Exploits

There are a few known exploits for the Zune HD, each with varying capabilities. So far, no exploits have been discovered that allow for custom firmware or persistent modifications.

OpenZDK

OpenZDK contains the earliest known exploit for the Zune, leveraging a bug in the shell to obtain arbitrary code execution within the app sandbox. This allows for the development of Zune apps that are not limited by XNA Framework or .NET Compact Framework 3.5.

Zuneslayer

Zuneslayer by Argonaut CUB3D is a suite of exploits for various Zune models, two of which target the HD.

Kernel

This is an exploit for firmware 4.5 built on OpenZDK to gain native code execution at the kernel level. It cannot be used to dump the full bootROM. When launched using the typical XNA loader, it cannot be used to read encrypted apps or DRM-protected media.

Browser

This is an exploit of the Zune's JScript engine based on CVE-2019-1367. It can be used to launch other programs from outside the app sandbox and is a suitable alternative to the official XNA loader. Programs launched using this technique can read encrypted apps and DRM-protected media.

By default, the exploit loads whatever file is located at \\Flash2\payload.exe. The \\Flash2 directory is normally inaccessible, but the Zuneslayer kernel exploit provides sufficient permissions to write files there. The browser exploit can be chained with the kernel exploit as follows:

  1. Use the zuneslayer_kernel template to create the payload you wish to run with kernel permissions.
  2. Install the kernel exploit app as you would any other OpenZDK app.
  3. Open the kernel exploit app. If you used the template, it will automatically copy nativeapp to \\Flash2\payload.exe.
  4. Serve index.html from a machine accessible to the Zune HD, for example by running an Apache web server on a machine on the same local network.
  5. Visit the hosted page from the Zune HD browser and follow the on-screen instructions.
  6. For applications that require reading DRM-protected content, the Zune must be restarted before the required permissions are granted.

Fusée Gelée

It is believed that the Tegra APX 2600 used in the Zune HD is vulnerable to an attack similar to CVE-2018-6242, also known as Fusée Gelée. Theoretically, an attacker with physical access to a Zune in Tegra Recovery Mode (RCM) could execute arbitrary code as the root of trust.

This exploit has yet to be carried out on a Zune, since getting an HD into RCM is tricky. Any of the following conditions may trigger RCM as observed on other Tegra processors¹:

  1. If the processor fails to find a valid Boot Control Table (BCT) + bootloader on its boot media
  2. If processor straps are pulled to a particular value e.g. by holding a button combination
  3. If the processor is rebooted after a particular value is written into a power management controller scratch register.

One Argonaut was able to intentionally enter RCM by desoldering the bootROM flash chip, which triggers the third condition. During the Zune's lifetime, other users reported their HDs suddenly entering RCM and appearing to Windows as "APX"², though the cause is unknown.