Commit c76fdad

Add known Zune HD exploits
1 parent f8c7c64 commit c76fdad

1 file changed

+26
-0
lines changed

@@ -0,0 +1,26 @@
1+
# Exploits
2+
3+
There are a few known exploits for the Zune HD, each with varying capabilities. So far, no exploits have been discovered that allow for custom firmware or persistent modifications.
4+
5+
## OpenZDK
6+
[OpenZDK](../Apps/OpenZDK/index.md) contains the earliest known exploit for the Zune, leveraging a bug in the shell to obtain arbitrary code execution within the app sandbox. This allows for the development of Zune apps that are not limited by XNA Framework or .NET Compact Framework 3.5.
7+
8+
## Zuneslayer
9+
[Zuneslayer](https://github.com/CUB3D/zuneslayer/) by Argonaut [CUB3D](https://github.com/CUB3D) is a suite of exploits for various Zune models, two of which target the HD.
10+
11+
### Kernel
12+
This is an exploit for firmware 4.5 built on [OpenZDK](../Apps/OpenZDK/index.md) to gain native code execution at the kernel level. It cannot be used to dump the full bootROM. When launched using the typical [XNA](../Apps/XNA%20Framework/index.md) loader, it cannot be used to read encrypted apps or DRM-protected media.
13+
14+
### Browser
15+
This is an exploit of the Zune's JScript engine based on [CVE-2019-1367](https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-1367.html). It can be used to launch other programs from outside the [app sandbox](../Apps/XNA%20Framework/XNA%20Apps.md) and is a suitable alternative to the offical XNA loader. Programs launch using this technique can read encrypted apps and DRM-protected media.
16+
17+
## Fusée Gelée
18+
It is believed that the Tegra APX 2600 used in the Zune HD is vulnerable to an attack similar to CVE-2018-6242, also known as [Fusée Gelée](https://switch.hacks.guide/fusee_gelee.html). Theoretically, an attacker with physical access to a Zune in Tegra Recovery Mode (RCM) could execute arbitrary code as the root of trust.
19+
20+
This exploit has yet to be carried out on a Zune, since getting an HD into RCM is tricky. Any of the following conditions may trigger RCM as observed on other Tegra processors[¹](https://switch.hacks.guide/fusee_gelee.html#vulnerability-details):
21+
22+
1. If the processor fails to find a valid Boot Control Table (BCT) + bootloader on its boot media
23+
2. If processor straps are pulled to a particular value e.g. by holding a button combination
24+
3. If the processor is rebooted after a particular value is written into a power management controller scratch register.
25+
26+
One Argonaut was able to intentionally enter RCM by desoldering the bootROM flash chip, which triggers condition 3. Other users during Zune's lifetime reported their HDs suddenly entering RCM and appearing to Windows as "APX"[²](https://learn.microsoft.com/en-us/answers/questions/2504208/looking-for-apx-drivers), though no cause is known.
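Review bot: the last paragraph of this hunk (line 26) says desoldering the boot flash chip "triggers condition 3", but by the list just above, an absent or unreadable flash is condition 1 (the processor fails to find a valid BCT + bootloader on its boot media); condition 3 is the PMC scratch-register path, which removing a chip cannot set. Suggest "which triggers condition 1". In the same sentence, "bootROM flash chip" conflates the on-die bootROM (the code that implements RCM and cannot be desoldered) with the external boot media the bootROM reads; "boot flash chip" matches the BCT wording used in condition 1. Also on line 15: "offical" should be "official", and "Programs launch using this technique can read" should be "Programs launched using this technique can read".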
