Tinkering with Zune 4.0, enabling the unfinished “Radio”

PETA would be proud...

Back on the 17th, I posted a quick registry hack for those that wanted to force certain Zune software features on or off. One of my readers inquired, however, about Radio features that seemed to exist but were disabled. Double-checking my previous research, there was nothing available to enable anything related to Radio, so I had to dig deeper.

Before you see Zune’s cute UI, the software has to jump through a number of hoops beforehand. Some of these hoops involve asking the Zune Gods (pictured to the right) if certain features are enabled or disabled. This inquiry is made by calling a special function called IsFeatureEnabled, implemented by a special object returned from Zune’s native (as opposed to managed) library. (This function is one of many that are described by an interface called IFeatureEnablement.)

Why is this important?

While it is true that most of the Zune features were implemented with an “ignore the Gods” override, this isn’t true for the unfinished Radio feature. This feature was marked as permanently disabled, hiding unfinished/unstable code from the public.

Re-enabling this feature isn’t exactly easy.

At first, I was inclined to simply disassemble all the managed code into IL, edit, and re-assemble. This turned into a nightmare involving digital signatures, Steven Sinofsky, and embedded native code (which cannot be disassembled properly). My second idea, writing a loader that patched the relevant code at runtime, fell flat too, due to my inexperience with the whole managed/native mishmash environment. Growing tired, I simply resorted to old school patching-on-disk of the Zune native library.

Zune Function Location 0.1 output

First, I wrote a utility to identify what I needed to patch. Static analysis is fun, but not that fun. The Zune Function Locator utility (pictured above) may have a corny name but it does its job. (I plan on further expanding the tool’s capabilities, hence the generic name.) It will locate, within Zune’s native library (ZuneNativeLib.dll), where the IsFeatureEnabled function starts.

Err… why do we care?

Well, as I mentioned before, this function asks the Zune Gods if a feature is enabled or disabled. It returns the “answer” to the Zune software, controlling whether or not the user sees the feature. We’ll need to rewrite this function’s logic to always return “can haz”.

XVI32 Hex Editor w/ ZuneNativeLib.dll open

Second, I opened the library in a disassembler to provide a machine code listing of what’s going on here. The contents weren’t really relevant – I was going to rewrite it.

Third, I opened the library in trusty ol’ XVI32, jumped to the offset my tool spat out earlier, moved a few bytes in and… mashed the keyboard, inputting a bunch of random characters.

No, not really.

I typed in the hexadecimal characters for several assembly opcodes that ensured the feature was always considered enabled. The actual x64 code for this is below:

xor rax, rax
inc rax
mov [r8], al
dec rax
pop rdi
retn

(The x86 code is very similar, therefore I won’t spend two hours trying to format it properly in Windows Live Writer.)
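To make it clear why those six instructions amount to “can haz”, here is a small interpreter for exactly that listing. It is an added example, not the author’s tool or any Zune code. It assumes (my inference, not stated on the page) the Windows x64 calling convention, where the first integer arguments arrive in rcx, rdx and r8, so the byte written through r8 lands in a caller-supplied out-pointer, and that the 0 left in rax is read by the caller as S_OK. The `pop rdi` is taken to balance a `push rdi` from the original prologue that the patch left in place, which is why the simulated stack holds a saved rdi value.

```python
"""Tiny interpreter for the six-instruction x64 stub from the post.

Added example (not from the original page). Assumptions, labelled here:
- Win64 ABI: r8 is the third integer argument, taken to be a pointer to
  the feature's enabled/disabled out-parameter.
- rax == 0 on return is treated as S_OK (an HRESULT), so the caller sees
  "call succeeded, feature enabled".
- The original prologue's `push rdi` is still in front of the patch, so
  `pop rdi` restores the caller's rdi from the stack.
"""

STUB = """
xor rax, rax
inc rax
mov [r8], al
dec rax
pop rdi
retn
"""

MASK64 = (1 << 64) - 1


def run_stub(listing=STUB, out_ptr=0x1000, saved_rdi=0, stack_top=0x7FF0):
    """Execute the listing over a toy register file and byte memory.

    Returns the observable effects: the HRESULT in rax, the byte written
    to the out-pointer, the restored rdi, and whether `retn` was reached.
    """
    # constructed starting state: rax holds leftover garbage, r8 points
    # at the out-parameter, rsp points at the saved rdi pushed by the prologue
    regs = {"rax": 0xDEADBEEFCAFEF00D, "rdi": 0, "r8": out_ptr, "rsp": stack_top}
    mem = {}  # byte-addressed memory, little-endian like the real thing
    for i in range(8):
        mem[stack_top + i] = (saved_rdi >> (8 * i)) & 0xFF
    mem[out_ptr] = 0xAA  # uninitialised out-parameter before the call

    returned = False
    for line in listing.strip().splitlines():
        op, _, args = line.strip().partition(" ")
        ops = [a.strip() for a in args.split(",")] if args else []
        if op == "xor":                       # xor rax, rax -> rax = 0
            regs[ops[0]] ^= regs[ops[1]]
        elif op == "inc":                     # rax = 1
            regs[ops[0]] = (regs[ops[0]] + 1) & MASK64
        elif op == "dec":                     # rax = 0 again (S_OK)
            regs[ops[0]] = (regs[ops[0]] - 1) & MASK64
        elif op == "mov" and ops == ["[r8]", "al"]:
            mem[regs["r8"]] = regs["rax"] & 0xFF   # *pEnabled = 1 (one byte)
        elif op == "pop":                     # restore caller's rdi
            val = 0
            for i in range(8):
                val |= mem[regs["rsp"] + i] << (8 * i)
            regs[ops[0]] = val
            regs["rsp"] += 8
        elif op == "retn":
            returned = True
            break
        else:
            raise ValueError(f"unsupported instruction in stub: {line!r}")

    return {
        "hresult": regs["rax"],
        "enabled": mem[out_ptr],
        "rdi": regs["rdi"],
        "returned": returned,
    }


if __name__ == "__main__":
    print(run_stub(saved_rdi=0x1122334455667788))
```

Whatever feature id the caller passes in, the stub never looks at it: the only inputs that matter are r8 (where to write the answer) and the saved rdi on the stack. That is exactly why a single patched function flips every gated feature, Radio included, and also why such a patch is easy to spot in a binary diff of the signed library.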

Fourth, I saved everything and fired up Zune. Crossing my fingers, the UI appeared and lo and behold the Radio feature appeared.

Zune interface, new Radio feature

As mentioned earlier, the Radio feature is very unpolished and unstable. The baked-in stations don’t play or display station graphics, but I’m willing to bet the folks at Zunerama will have it tamed in a few days.

All the resources I used are available for download from either here or the internet. Enjoy your private tinkering, but remember: I’m not responsible if your entire Zune music collection is replaced with Katy Perry albums. Also keep in mind the patched library may inhibit proper servicing (i.e. updating) by Microsoft. YMMV.

Download: Zune Function Locator 0.1 [x86/x64] // Raw patching instructions