MTPZ: Handshake Packets

05 Apr 2011 - zune - mtpz

In the previous post, I presented a USB session between the Windows Zune software and my Zune 8GB device. As I noted, the entire USB session conformed to the MTP protocol, in that it could be neatly and correctly split into a list of MTP packets. Well, I wrote a little Python script that took the USB data being sent back and forth and formatted it neatly into the MTP packets seen below, which makes it easier to understand this handshake.

MTP packets exist in the following format:

  • 32-bit length of the entire packet
  • 16-bit type of the packet (i.e: Command, Data, Response, and Event)
  • 16-bit opcode (e.g: PTP_OC_OpenSession)
  • 32-bit transaction number
  • variable-size payload

The transaction number allows you to see the relationship between the inbound and outbound packets.

Outbound MTP packets:

Length Type Command Transaction Data
0x10Command (1)0x1002: PTP_OC_OpenSession0View
0x0CCommand (1)0x1001: PTP_OC_GetDeviceInfo1
0x10Command (1)0x1016: PTP_OC_SetDevicePropValue2View
0x63Data (2)0x1016: PTP_OC_SetDevicePropValue2View
0x10Command (1)0x1014: PTP_OC_GetDevicePropDesc3View
0x10Command (1)0x1014: PTP_OC_GetDevicePropDesc4View
0x10Command (1)0x9801: PTP_OC_MTP_GetObjectPropsSupported5View
0x14Command (1)0x9802: PTP_OC_MTP_GetObjectPropDesc6View
0x0CCommand (1)0x1004: PTP_OC_GetStorageIDs7
0x10Command (1)0x1005: PTP_OC_GetStorageInfo8View
0x0CCommand (1)0x9216: PTP_OC_MTP_WMDRMPD_EndTrustedAppSession9
0x0CCommand (1)0x9216: PTP_OC_MTP_WMDRMPD_EndTrustedAppSession10
0x0CCommand (1)0x9216: PTP_OC_MTP_WMDRMPD_EndTrustedAppSession11
0x0CCommand (1)0x9212: PTP_OC_MTP_WMDRMPD_SendWMDRMPDAppRequest12
0x31DData (2)0x9212: PTP_OC_MTP_WMDRMPD_SendWMDRMPDAppRequest12View
0x0CCommand (1)0x9213: PTP_OC_MTP_WMDRMPD_GetWMDRMPDAppResponse13
0x0CCommand (1)0x9212: PTP_OC_MTP_WMDRMPD_SendWMDRMPDAppRequest14
0x20Data (2)0x9212: PTP_OC_MTP_WMDRMPD_SendWMDRMPDAppRequest14View
0x10Command (1)0x1005: PTP_OC_GetStorageInfo15View
0x10Command (1)0x1014: PTP_OC_GetDevicePropDesc16View
0x10Command (1)0x1015: PTP_OC_GetDevicePropValue17View
0x10Command (1)0x1015: PTP_OC_GetDevicePropValue18View
0x10Command (1)0x1014: PTP_OC_GetDevicePropDesc19View
0x10Command (1)0x1015: PTP_OC_GetDevicePropValue20View
0x1CCommand (1)0x9104: PTP_OC_MTP_WMDRMPD_GetSyncList21View
0x10Command (1)0x1014: PTP_OC_GetDevicePropDesc22View
0x10Command (1)0x1014: PTP_OC_GetDevicePropDesc23View
0x10Command (1)0x1014: PTP_OC_GetDevicePropDesc24View
0x10Command (1)0x1014: PTP_OC_GetDevicePropDesc25View

Inbound MTP packets:

Length Type Command Transaction Data
0x0CResponse (3)0x2001: PTP_RC_OK0
0x345Data (2)0x1001: PTP_OC_GetDeviceInfo1View
0x0CResponse (3)0x2001: PTP_RC_OK1
0x0CResponse (3)0x2001: PTP_RC_OK2
0x0CResponse (3)0x200A: PTP_RC_DevicePropNotSupported3
0x1EData (2)0x1014: PTP_OC_GetDevicePropDesc4View
0x0CResponse (3)0x2001: PTP_RC_OK4
0x6AData (2)0x9801: PTP_OC_MTP_GetObjectPropsSupported5View
0x0CResponse (3)0x2001: PTP_RC_OK5
0x1EData (2)0x9802: PTP_OC_MTP_GetObjectPropDesc6View
0x0CResponse (3)0x2001: PTP_RC_OK6
0x14Data (2)0x1004: PTP_OC_GetStorageIDs7View
0x0CResponse (3)0x2001: PTP_RC_OK7
0x8CData (2)0x1005: PTP_OC_GetStorageInfo8View
0x0CResponse (3)0x2001: PTP_RC_OK8
0x0CResponse (3)0x2001: PTP_RC_OK9
0x0CResponse (3)0x2001: PTP_RC_OK10
0x0CResponse (3)0x2001: PTP_RC_OK11
0x10Response (3)0x2001: PTP_RC_OK12View
0x3D4Data (2)0x9213: PTP_OC_MTP_WMDRMPD_GetWMDRMPDAppResponse13View
0x0CResponse (3)0x2001: PTP_RC_OK13
0x10Response (3)0x2001: PTP_RC_OK14View
0x18Event (4)0x400C: PTP_EC_StorageInfoChanged0View
0x8CData (2)0x1005: PTP_OC_GetStorageInfo15View
0x0CResponse (3)0x2001: PTP_RC_OK15
0x1CData (2)0x1014: PTP_OC_GetDevicePropDesc16View
0x0CResponse (3)0x2001: PTP_RC_OK16
0x1604Data (2)0x1015: PTP_OC_GetDevicePropValue17View
0x0CResponse (3)0x2001: PTP_RC_OK17
0xCCData (2)0x1015: PTP_OC_GetDevicePropValue18View
0x0CResponse (3)0x2001: PTP_RC_OK18
0x1CData (2)0x1014: PTP_OC_GetDevicePropDesc19View
0x0CResponse (3)0x2001: PTP_RC_OK19
0xCCData (2)0x1015: PTP_OC_GetDevicePropValue20View
0x0CResponse (3)0x2001: PTP_RC_OK20
0x10Response (3)0xA101: PTP_RC_CANON_BATTERY_LOW21View
0x14Data (2)0x1014: PTP_OC_GetDevicePropDesc22View
0x0CResponse (3)0x2001: PTP_RC_OK22
0x64Data (2)0x1014: PTP_OC_GetDevicePropDesc23View
0x0CResponse (3)0x2001: PTP_RC_OK23
0x1AData (2)0x1014: PTP_OC_GetDevicePropDesc24View
0x0CResponse (3)0x2001: PTP_RC_OK24
0x62Data (2)0x1014: PTP_OC_GetDevicePropDesc25View
0x0CResponse (3)0x2001: PTP_RC_OK25

So where do we start?

Probably at the first packet. Quickly scanning through, you can see that the software first opens a session with the Zune which replies with PTP_RC_OK (success). Then, at transaction 2 (PTP_OC_SetDevicePropValue), the software sends its driver string, +Windows/6.1.7600 MTPZClassDriver/4.7.965.0, to which the Zune states that it does not support that property. Somewhat bizarre.

Skipping over a bit, the interesting packets start at transaction 9, PTP_OC_MTP_WMDRMPD_EndTrustedAppSession. This command is repeated two more times (I’m no doctor, but this seems like Obsessive Compulsive Disorder). Then, at transaction 12, comes our PTP_OC_MTP_WMDRMPD_SendWMDRMPDAppRequest which has a large data payload. As I mentioned in the previous post, this seems to be the first step of the handshake, containing two constant certificates appended with some generated data.

As I also mentioned previously, the software waits until the Zune sends a handshake response before continuing. This is seen at transaction 13, PTP_OC_MTP_WMDRMPD_GetWMDRMPDAppResponse, to which the Zune generates a PTP_OC_MTP_WMDRMPD_GetWMDRMPDAppResponse packet with a large data payload. This is the second step of the handshake. The software receives this response and presumably does some sort of verification.

Next, the software sends another PTP_OC_MTP_WMDRMPD_SendWMDRMPDAppRequest as transaction 14 with a relatively small payload. This is the last step of the handshake. I would assume that the Zune verifies this response and unlocks itself for synchronization (perhaps the cause of the PTP_EC_StorageInfoChanged event).

Cool beans, what now?

Now I have to figure out how these payloads are generated, which is clearly going to be the difficult part of this project.

Stay tuned.

blog comments powered by Disqus