I messed around with Wi-Fi sniffing with a friend, and we found out a couple of basic things. Song and picture transfers are done with WPA encryption, so we weren't able to analyze that traffic - and no one probably will be able to until someone modifies the Zune's firmware to not do file transfers with WPA, or until the WPA key is figured out. And, assuming that Microsoft is using a complex key (which they surely are), cracking it is probably unfeasible. But all Zunes must be using the same key, and maybe it's possible to analyze the contents of the hard drive or firmware to derive it.
We were able to capture and edit packets that the Zune broadcasts to populate the "Community list", and re-send them from our computers. So, I captured the packet he was sending, edited both his user name and the song he was listening to, turned off his Zune, and sent the modified packet to my Zune. And, easy as that, apparently the user "Bill Gates" was listening to "Abcdefghijlkmnop."
Edit: I just read the thread on Zuneboards, and holy God Mys Videl is arrogant. And wrong, as far as I can tell. A Google search for "implied MAC address" yielded NO relevant search results, and it's very clear from sniffing the Wi-Fi traffic that it has a MAC address.
Edit 2: More developments. My friend and I have basically broken down the Zune broadcast packet:
0x0000 50 00 A2 00 00 17 FA 00-2E EF 00 17 FA 03 B2 CF P...............
0x0010 AA 08 A1 C6 87 B4 30 02-DE 1F BF 00 00 00 00 00 ......0.........
0x0020 64 00 32 00 00 00 01 08-82 84 8B 96 8C 98 B0 12 d.2.............
0x0030 03 01 0B 2A 01 02 32 04-24 48 60 6C 06 02 0A 00 ...*..2.$H`l....
0x0040 DD 9E 00 50 F2 06 25 12-53 F5 02 00 00 00 70 01 ...P..%.S.....p.
0x0050 92 00 70 64 68 61 72 74-00 00 00 00 00 00 00 00 ..pdhart........
0x0060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x0070 00 00 11 05 00 02 B2 CF-03 0A 00 17 FA 03 B2 CF ................
0x0080 39 31 2E 37 00 65 65 64-20 59 6F 75 20 42 6C 61 91.7.eed You Bla
0x0090 63 6B 20 45 6D 70 65 72-6F 72 21 20 27 30 39 2D ck Emperor! '09-
0x00A0 31 35 2D 30 30 20 28 50-61 72 74 20 4F 6E 65 29 15-00 (Part One)
0x00B0 27 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 '...............
0x00C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0x00D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
(Positions below are given as the row offset followed by the byte column within that 16-byte row, counting from 1.)
0x0000 05-10 is the destination MAC address
0x0000 11-16 is the source MAC address
0x0050 03 through 0x0070 02 is the Zune name (31 characters). A hex value of 00 signals the end of the name; any remaining data within this range is ignored.
0x0070 06 is the status flag (00: simple, 01: song, 02: radio, 03: video, 04: pictures, 05: basic, 06: busy, 07+: offline) *
0x0070 11-16 is a repeat of the source MAC address
0x0080 01 through 0x00D0 16 is the title. A hex value of 00 signals the end of the title; any remaining data is ignored.
* These flags determine what is shown to nearby Zune users in the 'Community.' When set to 00, it just shows [title]. When set to 01, 'listening to [title]'. When set to 02, 'listening to radio [title] FM'. When set to 03, 'watching [title]'. When set to 04, 'Viewing Pictures'. When set to 05, it just says 'Online' for when online status is set to basic. When set to 06, 'Busy'. When set to 07 or above, 'Offline'.
In the above example, a Zune with the MAC address 00:17:FA:00:2E:EF is receiving the packet sent by a Zune with MAC address 00:17:FA:03:B2:CF. The Zune name for the sender is 'pdhart' and the receiving Zune displays pdhart's status as 'listening to radio 91.7 FM'. The "eed You Black Emperor..." is left over from what song pdhart was listening to before. New titles are inserted over the old ones. Because it is preceded by the hex value 00, "eed You Black Emperor..." is ignored.
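As an added example (my own code, not from the original post), here is a small Python parser that applies the layout above to the captured dump: it pulls out both MAC addresses, the NUL-terminated name and title, and the status flag, and renders the line a nearby Zune would show. The absolute byte offsets in the comments are my conversion of the post's row/column positions; the check that the embedded MAC copy matches the header source MAC is my addition, a cheap sanity test when reviewing captures.

```python
import re

# The post's own capture, re-typed with the ASCII column dropped (constructed input).
ZUNE_DUMP = """
0x0000 50 00 A2 00 00 17 FA 00-2E EF 00 17 FA 03 B2 CF
0x0010 AA 08 A1 C6 87 B4 30 02-DE 1F BF 00 00 00 00 00
0x0020 64 00 32 00 00 00 01 08-82 84 8B 96 8C 98 B0 12
0x0030 03 01 0B 2A 01 02 32 04-24 48 60 6C 06 02 0A 00
0x0040 DD 9E 00 50 F2 06 25 12-53 F5 02 00 00 00 70 01
0x0050 92 00 70 64 68 61 72 74-00 00 00 00 00 00 00 00
0x0060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
0x0070 00 00 11 05 00 02 B2 CF-03 0A 00 17 FA 03 B2 CF
0x0080 39 31 2E 37 00 65 65 64-20 59 6F 75 20 42 6C 61
0x0090 63 6B 20 45 6D 70 65 72-6F 72 21 20 27 30 39 2D
0x00A0 31 35 2D 30 30 20 28 50-61 72 74 20 4F 6E 65 29
0x00B0 27 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
0x00C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
0x00D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
"""

# Status flag -> what a nearby Zune displays, per the table in the post.
STATUS = {0: "{title}", 1: "listening to {title}", 2: "listening to radio {title} FM",
          3: "watching {title}", 4: "Viewing Pictures", 5: "Online", 6: "Busy"}

def dump_to_bytes(dump):
    """Convert 'offset XX XX ... XX-XX ...' dump rows into raw frame bytes."""
    rows = (row.split(" ", 1)[1] for row in dump.strip().splitlines())
    return bytes(int(t, 16) for row in rows for t in re.split(r"[ -]", row))

def cstr(buf):
    """Text up to the first 0x00; bytes after it are stale and ignored."""
    return buf.split(b"\x00", 1)[0].decode("ascii", "replace")

def mac(buf):
    return ":".join(f"{b:02X}" for b in buf)

def parse_zune_beacon(frame):
    # Offsets are the post's 1-based row/column positions converted to absolute bytes.
    f = {
        "dst": mac(frame[0x04:0x0A]),          # row 0x0000, cols 5-10
        "src": mac(frame[0x0A:0x10]),          # row 0x0000, cols 11-16
        "name": cstr(frame[0x52:0x72]),        # row 0x0050 col 3 .. row 0x0070 col 2
        "status": frame[0x75],                 # row 0x0070, col 6
        "src_repeat": mac(frame[0x7A:0x80]),   # row 0x0070, cols 11-16
        "title": cstr(frame[0x80:0xE0]),       # row 0x0080 col 1 .. row 0x00D0 col 16
    }
    f["display"] = STATUS.get(f["status"], "Offline").format(title=f["title"])
    # Header source MAC and the embedded copy should agree; a mismatch is worth a look.
    f["mac_consistent"] = f["src"] == f["src_repeat"]
    return f
```

Running `parse_zune_beacon(dump_to_bytes(ZUNE_DUMP))` on the capture gives name 'pdhart', status 2 and display 'listening to radio 91.7 FM', matching what the post describes.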