Zune Hacker Challenge #1 - win some Zune wear!

[Zunerama Ed.]

Today we launch Zunerama's first Zune Hacker Challenge.

The first person to post a solution to the challenge below, will win our warm accolades, AND a Zune T-Shirt. I'll post a pic of the shirt soon... it's an official shirt, in Zune brown/orange, and is a somewhat rare pre-release item.

So here's the challenge:

Give me step-by-step instructions on how to extract the entire Zune Marketplace catalog into a file.

I don't need the content - just the album/artist/track info. So the file would essentially contain a list of all the content in ZMP.

From what I understand, if you have Zune software installed, the ZMP catalog is downloaded and is hidden somewhere on your local PC.

The question is, where? and how to extract that info?

This challenge will remain open until I get a winner, or choose to admit defeat. Good  luck hackerz!!

[pulse]

Looking through the marketplace DLL i found this:


                    val HttpPrefix = s 'http://store.'
                    val HttpsPrefix = s 'https://secure.'   
                    val MachineName = s 'zune.net'
                    val RetailerId = s 'ZUNE'


So the software is getting the marketplace off a site called store.zune.net - but i couldn't find a way to get to it yet....

[ronaldmonster]

Found a couple things in this area in a Zune file called "wlphonecv"

C:\WINDOWS\system32\DRVSTORE\wlphonecv_8800C151E3BB9442F62327FF05F053BF5567B318

; Installation inf for devices supporting Windows Live Phone interface
;
; Copyright (c) Microsoft Corporation.
;

[Version]
Signature="$WINDOWS NT$"
Class=USB
ClassGUID={36FC9E60-C465-11CF-8056-444553540000}
provider=%MSFTMSN%
LayoutFile=layout.inf
DriverVer=10/11/2006,1.2.0.6
CatalogFile="WLPhoneCV.cat"

Intresting no?

[Marshillboy]

How about this:

The marketplace SITE is xml file is here:

C:\Documents and Settings\[Username]\Local Settings\Application Data\Microsoft\Zune\site.xml
[Username] represents your windows login name

The actual catalog, however is here:

C:\Documents and Settings\[Username]\Local Settings\Application Data\Microsoft\Zune\Zune\en-us\Catalog.wmdb
Again, [Username] represents your windows login name

Now for the actual site (not local):

Using the an HTTP Debugging Proxy, I found the Zune marketplace url (and some others). Here it is (may need to be viewed in IE).

http://store.zune.net/switch/?section=home&page=main&version=1.2.5511.0

Update: How to navigate

Mouse your cursor over the link you want to click on
Look in the bottom left hand corner
You will see something like:

javascript:nav('/playlist/64861');

Note: It will either be playlist, artist, or album

Once you have that, enter it in here:

http://store.zune.net/switch/?section=*****&page=*****&id=*****&listType=1&viewParams=&version=1.2.5511.0

Read this carefully:

Replace the first five stars with the PLURAL word you got from the javascript function (I.E. Playlists, artists, or albums)

Replace the NEXT five stars with the SINGULAR word (I.E. playlist, artist, or album)

Replace the final five stars with the number in the javascript (this can be anything, artist and playlist numbers are 5 stars long, and album numbers are 6)

Congratulations, through this tedious process you have navigated a single link in the Zune marketplace!

Update 2: More urls!

Zune Marketplace page (.xml same one found in my "Zune marketplace site xml on your PC")
http://store.zune.net/sitewide/xml/config/site.jhtml?version=1.2.5511.0

Active Download Page: http://store.zune.net/switch/?section=downloads&page=manager&id=5&listType=0&viewParams=&version=1.2.5511.0

Zune library xml download:
http://store.zune.net/sitewide/dataservices/catalog/index.jhtml?catalogVersion=1245&schema=102&locale=409&version=1.2.5511.0

CSS:
http://store.zune.net/sitewide/css/common.css

Cookie manager (.js):
http://store.zune.net/sitewide/js/cookie_manager.js

libraries_light.jhtml:
http://store.zune.net/sitewide/js/libraries_light.jhtml

edgetime (?):
http://store.zune.net/sitewide/xml/config/esitime.jhtml

[Zunerama Ed.]

Thank you! That is something, to see the ZMP using a browser and that link - - bypassing Zune software!! Interesting...

I'm going to tinker with the Catalog.wmdb and see if I can extract the info in that Catalog. I presume (from the size of the file) that this is the entire ZMP catalog... i.e. not just a catalog of what's on your local PC.

(I need to find a utility that will let me read the .wmdb file.)

Thanks very much!!!

[harlemS]

I'm going to try notepad plus or maybe a web development tool like dreamweaver or expression. we may be able to use those to view it in a enviroment we can understand or at last notice any patterns in the coding.

[AK Water]

I couldn't figure out how to open a wmdb file either.  I guess it stands for Windows Media Database.  But searching on Google, I couldn't figure out any thing about how to open or extract it. 

[thenumberdevil]

The wmdb file does not work by itself. You need the database index file as well ...

C:\Documents and Settings\[Username]\Local Settings\Application Data\Microsoft\Zune\Zune\en-us\Catalog.wmdb.idx

The presence of .wmdb and .idx together points to a Microsoft Access or SQL database ...

ZuneSP.dll has interfaces that deal with "WMD" types ... __WMDRIGHTS,  __WMDMDDATETIME and __WMDMID and some interfaces

[thenumberdevil]

The Catalog.wmdb and Catalog.wmdb.idx files are most likely encrypted ...

[Marshillboy]

The Catalog.wmdb and Catalog.wmdb.idx files are most likely encrypted ...

Can't say I'd be very suprised if that was the case...

[Zunerama Ed.]

Yes, I've been checking a computer forensics forum to see if they have info on how to peek into those wmdb files (as used by WMP 11, anyway), and they appear to be stumped. Hmmm....

[masterbeta]

why may i ask would you want to do this?

it's encrypted

[Zunerama Ed.]

It's part of a larger research project.

I want to do a statistically-valid test of Zune wireless sharing - - one that is more comprehensive than the limited tests that I've run earlier.

The idea is, to generate a random sampling from the Zune Marketplace catalog. This would be done by generating a set number of random integers between 1 and roughly 3 million, then using those integers to select random songs from ZMP. The extracted list of songs would provide a simple (large) list from which I would choose the songs based on the generated random numbers.

The result of this would be a statistically-valid conclusion about the percentage of ZMP songs that are sharable wirelessly, bounded by a specific confidence interval. i.e. "we can say with 95% confidence that xx% of ZMP songs are sharable wirelessly, plus or minus xx%".
 

[jerry800]

How can i view system files that are hidden in Vista, because i can't access them i want to give this a try. Appdata folder won't appear because it is hidden. I think i know how but not quite sure anyone know.

[Vipralion]

Thus far I've been able to export WMP11's wmdb file into an xml format.

Next up, getting this same method to work on Zune's wmdb file. Anyone know how to use an executable to target a different file? lol