Develop Bugs

How to completely remove certification from rom

Hello,
how can i completely remove certification from rom (wm2005) prior to flashing?
The registry tweak only disables the security prompt.
This is not enough, as some dll's won't load at startup.
I know this has been done with the himalaya roms but how???
Thanks

i would realy appreciate some input here.
Thanks

i will join the in the hunt .

I found a post from maimach
Find in nk.nba bytes:
F0 40 2D E9 08 D0 4D E2 01 70 A0 E1 00 60 A0 E1 7C 41 9F E5
patch their beginning to:
01 00 A0 E3 1E FF 2F E1
and find F0 4F 2D E9 2C D0 4D E2 03 90 A0 E1 02 A0 A0 E1 01 B0 A0 E1 00 50 B0 E1 00 40 A0 E3 0C 40 8D E5
patch to:
01 00 A0 E3 1E FF 2F E1
find F0 43 2D E9 50 D0 4D E2 03 80 A0 E1 02 50 A0 E1 01 60 A0 E1 00 90 A0 E1 38 E1 9F E5
patch to:
01 00 A0 E3 1E FF 2F E1
first is CertVerify function, second is VerifyFile, third is VerifyCab. Only the first patch is necessary.
Click to expand...
Click to collapse
But when my prophet boots, my screen starts to flicker and it just hanngs at the first screen.
Any comments?

mission impossible - editing nk.exe

can someone assist me in changing the nk.exe in a way that allows me to change the deviceid from PU10 to HERM100
i succeded in hexediting the hk.nba from PU10 to HERM with the confirmation that Getdevice data recognize it as HERM
http://wiki.xda-developers.com/index.php?pagename=GetDeviceData
there are 2 places in the nk.nba where the device type is found
00007074h: 48 00 45 00 52 00 4D ; H.E.R.M
00316c74h: 48 00 45 00 52 00 4D ; H.E.R.M
i need to get H.E.R.M.1.0.0 instead (6 bytes to insert)
00007050h: 2C 00 25 00 64 00 2C 00 20 00 4E 00 61 00 6D 00 ; ,.%.d.,. .N.a.m.
00007060h: 65 00 20 00 69 00 73 00 20 00 25 00 73 00 0D 00 ; e. .i.s. .%.s...
00007070h: 0A 00 00 00 48 00 45 00 52 00 4D 00 00 00 00 00 ; ....H.E.R.M.....
00007080h: 4F 45 4D 47 65 74 43 50 4C 44 5F 47 50 49 4F 28 ; OEMGetCPLD_GPIO(
after dumping the rom including the boot XIP i found that the nk.exe contains this data.
the reason to do it is to "help" bbconnect to recognize it as a hermes
anyone can assist me ?

.efs_private directory

When I was messing with BitPim earlier, I tried out the Protocol Analyser and got this:
18:52:09.717 Other CDMA Phone: Listing files in dir: '.efs_private'
18:52:09.717 Other CDMA Phone: sendbrewcommand Data - 20 bytes
<#! phones.p_brew.listfilerequest !#>
00000000 59 0b 00 00 00 00 0d 2e 65 66 73 5f 70 72 69 76 Y.......efs_priv
00000010 61 74 65 00 ate.
18:52:09.765 Other CDMA Phone: brew response Data - 17 bytes
<#! phones.p_brew.listfileresponse !#>
00000000 13 0b 00 00 00 0d 2e 65 66 73 5f 70 72 69 76 61 .......efs_priva
00000010 74 t
18:52:09.765 Other CDMA Phone: Failed to list files in dir .efs_private
18:52:09.780 Other CDMA Phone: Listing subdirs in dir: '.efs_private'
18:52:09.780 Other CDMA Phone: X recurse=0
18:52:09.780 Other CDMA Phone: sendbrewcommand Data - 20 bytes
<#! phones.p_brew.listdirectoryrequest !#>
00000000 59 0a 00 00 00 00 0d 2e 65 66 73 5f 70 72 69 76 Y.......efs_priv
00000010 61 74 65 00 ate.
18:52:09.780 Other CDMA Phone: brew response Data - 17 bytes
<#! phones.p_brew.listdirectoryresponse !#>
00000000 13 0a 00 00 00 0d 2e 65 66 73 5f 70 72 69 76 61 .......efs_priva
00000010 74 t
18:52:09.780 Other CDMA Phone: Failed to list dir .efs_private
18:52:11.015 Other CDMA Phone: Listing files in dir: 'CGPS_ME'
18:52:11.015 Other CDMA Phone: sendbrewcommand Data - 15 bytes
<#! phones.p_brew.listfilerequest !#>
00000000 59 0b 00 00 00 00 08 43 47 50 53 5f 4d 45 00 Y......CGPS_ME.
18:52:11.030 Other CDMA Phone: brew response Data - 47 bytes
<#! phones.p_brew.listfileresponse !#>
00000000 59 0b 00 00 00 00 00 0f 00 01 00 93 1a e0 00 00 Y...............
00000010 6c 00 00 bb 1a e0 00 08 16 43 47 50 53 5f 4d 45 l........CGPS_ME
00000020 2f 43 47 50 53 43 65 6c 6c 44 42 46 69 6c 65 /CGPSCellDBFile
18:52:11.030 Other CDMA Phone: sendbrewcommand Data - 15 bytes
<#! phones.p_brew.listfilerequest !#>
00000000 59 0b 01 00 00 00 08 43 47 50 53 5f 4d 45 00 Y......CGPS_ME.
18:52:11.046 Other CDMA Phone: brew response Data - 55 bytes
<#! phones.p_brew.listfileresponse !#>
00000000 59 0b 00 01 00 00 00 0f 00 01 00 93 1a e0 00 2c Y..............,
00000010 00 00 00 bb 1a e0 00 08 1e 43 47 50 53 5f 4d 45 .........CGPS_ME
00000020 2f 43 47 50 53 43 65 6c 6c 44 42 4f 74 61 50 6f /CGPSCellDBOtaPo
00000030 73 52 65 63 6f 72 64 sRecord
18:52:11.046 Other CDMA Phone: sendbrewcommand Data - 15 bytes
<#! phones.p_brew.listfilerequest !#>
00000000 59 0b 02 00 00 00 08 43 47 50 53 5f 4d 45 00 Y......CGPS_ME.
18:52:11.062 Other CDMA Phone: brew response Data - 47 bytes
<#! phones.p_brew.listfileresponse !#>
00000000 59 0b 00 02 00 00 00 0f 00 01 00 93 1a e0 00 3c Y..............<
00000010 00 00 00 bb 1a e0 00 08 16 43 47 50 53 5f 4d 45 .........CGPS_ME
00000020 2f 67 70 73 6f 66 66 73 65 74 73 2e 62 69 6e /gpsoffsets.bin
18:52:11.062 Other CDMA Phone: sendbrewcommand Data - 15 bytes
<#! phones.p_brew.listfilerequest !#>
00000000 59 0b 03 00 00 00 08 43 47 50 53 5f 4d 45 00 Y......CGPS_ME.
18:52:11.078 Other CDMA Phone: brew response Data - 3 bytes
<#! phones.p_brew.listfileresponse !#>
00000000 59 0b 1c Y..
18:52:11.092 Other CDMA Phone: Listing subdirs in dir: 'CGPS_ME'
18:52:11.092 Other CDMA Phone: X recurse=0
18:52:11.092 Other CDMA Phone: sendbrewcommand Data - 15 bytes
<#! phones.p_brew.listdirectoryrequest !#>
00000000 59 0a 00 00 00 00 08 43 47 50 53 5f 4d 45 00 Y......CGPS_ME.
18:52:11.092 Other CDMA Phone: brew response Data - 3 bytes
<#! phones.p_brew.listdirectoryresponse !#>
00000000 59 0a 1c Y..
18:52:12.953 Other CDMA Phone: Getting file contents 'CGPS_ME/gpsoffsets.bin'
18:52:12.953 Other CDMA Phone: sendbrewcommand Data - 27 bytes
<#! phones.p_brew.readfilerequest !#>
00000000 59 04 00 17 43 47 50 53 5f 4d 45 2f 67 70 73 6f Y...CGPS_ME/gpso
00000010 66 66 73 65 74 73 2e 62 69 6e 00 ffsets.bin.
18:52:12.983 Other CDMA Phone: brew response Data - 71 bytes
<#! phones.p_brew.readfileresponse !#>
00000000 59 04 00 00 00 3c 00 00 00 3c 00 ff ff 38 00 00 Y....<...<...8..
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 .......
Near the beginning of these, it says things about being unable to open up the .efs_private directory, along with its subfolders. If someone were able to open these, we may find something interesting. Hope this helps!

i got interest in:
p_brew.readfileresponse
if brew lets you load things. i can do test like i did with mtp, through raw USB.

I wondered the same thing about the listing of "brew" there. Can't wait to see if John finds anything.
Using BitPim, which (I believe, from my google searches) references QPST content, the .efs_private folder seems to be specific to QPST. If we're seeing an error trying to list that area, it's probably because bitpim is designed to look for some standard folders, which the Kin does not have.

if we had a worthwhile alternative to BitPim, we may be able to see what's in there. And when you said QPST, does that have anything to do with Qualcomm? I was also looking at the configuration settings for the phone's modem, and i think it mentioned that. So this file could contain hardware, storage, and other files that we could use to break through the restrictions on the phone.

Yes, many phones use Qualcomm hardware or functionality, including Verizon ones. Bitpim simply takes advantage of some common functionality between these phones.
Which file did you mean?

Enter S8600 store with your Wave 1 or 2...

Any idea how Kies identify model? It seems not via AT Commands...
Or I am dumb...
AT+DEVCONINFO
I have used portmon to sniff communication...
Maybe it is the name, what Explorer shows?...
So the mass thingie USB driver...
How for instance S8600 answers in Explorer?
Best Regards

May be it?
http://forum.xda-developers.com/showpost.php?p=11286021&postcount=78

amss.bin I have checked... maybe not.
I have tried MANY combinations... maybe I have something not seen.
Maybe much easier.
Little example how bada Version is checked... Attention, high protection...
extreme hardcoded to prevent change...
2 parts needed...
Part 1:
SystemFS\User\OspSys\registry\buildnumber.ini
Part 2:
SystemFS/User/OspSys/registry/systeminfo.ini
Compare with latest Firmware and you know how to prepare your bada 1.x device for bada 3.0 Apps.
Anyway, I'm blind to manage Kies to work as S8600...
Best Regards

Okay, I've found Original Screenshot of S8600...
But I know where this Text String is stored...
But I can remember, I've tried this... and was not enough...
Maybe I'll try again.
Best Regards

It can be usb device description string in USB driver on phone or PC side (if it's PC side, description is paired with certain PID and VID), try to connect phone to linux in kies mode and use lsusb -a (aint sure if it's -a, anyway the thing is to get verbose info about device)

Hi, I think stune reads the same data that the kies when connected to the terminal.
I mean:
STUNE when you start telling us the firmware version terminal model of our product code, even our imei

Not fully correct
There is something in the PC driver that needs to be changed
You can see this in the driver details
Best Regards

Maybe Kies via Wi-Fi easier...
Not tested yet.
Best Regards

Bus reported device description is sent from device during USB enumeration. So model id is stored in Bada USB module. I'm nearly sure it's unicode string.

Maybe my fault...
AT+PROF="Device
Leads to file device.xml...
Will compare Wave 1, 2, 3 device.xml ...
Best Regards
Edit 1...
Code:
<ModelName value="GT-S8500"/>
<BaseModelName value="GT-S8500"/>
<ProjectName value="Lismore"/>
<FriendlyName value="Lismore"/>
<ProductLineup value="HHP"/>
Code:
<ModelName value="Wave 3"/>
<BaseModelName value="GT-S7250"/>
<ProjectName value="Wave3"/>
<FriendlyName value="Wave3"/>
<ProductLineup value="HHP"/>

Kies now shows other Error
Please, maybe someone can post from S8600 under Explorer...
Remember to remove IMEI...
I think this is MTP device... USB blabla portable Device Driver under Device Manager in Windows...
PS...
Text Samsung... in white Background is editable...
Edit 1.
Hmmm... Wave 2 can't edit ... grey colored...
Screenshot from S8600 would be nice.
Thanx in advance.

why do you think AT+DEVCONINFO is wrong? whole infos including imei in one packet

http://forum.xda-developers.com/showpost.php?p=20497198&postcount=15
Because I've found all files and positions to make 1:1 clone... including IMEI...
But this is not working for Kies.
Kies shows Error, that unsupported device is attached.
Best Regards

error it is kind of progress
what about these ones
Code:
Request: m-obex/connection_packet
82 00 23 CB 00 00 00 01 42 00 1B 6D 2D 6F 62 65 78 2F 63 6F 6E 6E 65 63 74 69 6F 6E 5F 70 61 63 6B 65 74
Answer:
A0 00 03
Request: m-obex/security/privacylock
83 00 27 CB 00 00 00 00 42 00 1F 6D 2D 6F 62 65 78 2F 73 65 63 75 72 69 74 79 2F 70 72 69 76 61 63 79 6C 6F 63 6B 00
Answer:
A0 00 12 C3 00 00 00 02 4C 00 05 00 00 49 00 05 00 00
Request: m-obex/fs/privacy_lock
83 00 22 CB 00 00 00 00 42 00 1A 6D 2D 6F 62 65 78 2F 66 73 2F 70 72 69 76 61 63 79 5F 6C 6F 63 6B 00
Answer:
A0 00 0D C3 00 00 00 02 49 00 05 4E 4F *
Request: m-obex/application/count
83 00 27 CB 00 00 00 00 42 00 1C 6D 2D 6F 62 65 78 2F 61 70 70 6C 69 63 61 74 69 6F 6E 2F 63 6F 75 6E 74 00 4C 00 03
Answer:
A0 00 14 C3 00 00 00 04 4C 00 05 00 00 49 00 07 2C 00 00 00
Request: m-obex/system/imsi
83 00 21 CB 00 00 00 00 42 00 16 6D 2D 6F 62 65 78 2F 73 79 73 74 65 6D 2F 69 6D 73 69 00 4C 00 03
Answer: IMSI ;)
A0 00 1F .....
Request: ƒm-obex/system/mnc
83 00 20 CB 00 00 00 00 42 00 15 6D 2D 6F 62 65 78 2F 73 79 73 74 65 6D 2F 6D 6E 63 00 4C 00 03
Answer: 02
A0 00 12 C3 00 00 00 02 4C 00 05 00 00 49 00 05 30 32
Request: ƒm-obex/system/csc
83 00 20 CB 00 00 00 00 42 00 15 6D 2D 6F 62 65 78 2F 73 79 73 74 65 6D 2F 63 73 63 00 4C 00 03
Answer: S8500OXAJID
A0 00 1B C3 00 00 00 0B 4C 00 05 00 00 49 00 0E 53 38 35 30 30 4F 58 41 4A 49 44
Request: m-obex/system/openapiversion
83 00 2B CB 00 00 00 00 42 00 20 6D 2D 6F 62 65 78 2F 73 79 73 74 65 6D 2F 6F 70 65 6E 61 70 69 76 65 72 73 69 6F 6E 00 4C 00 03
Answer: 1.2.0_1009152352_LIS_S8500XXJID_XEO
A0 00 33 C3 00 00 00 23 4C 00 05 00 00 49 00 26 31 2E 32 2E 30 5F 31 30 30 39 31 35 32 33 35 32 5F 4C 49 53 5F 53 38 35 30 30 58 58 4A 49 44 5F 58 45 4F
Request: m-obex/application/getinstallsetting
83 00 33 CB 00 00 00 00 42 00 28 6D 2D 6F 62 65 78 2F 61 70 70 6C 69 63 61 74 69 6F 6E 2F 67 65 74 69 6E 73 74 61 6C 6C 73 65 74 74 69 6E 67 00 4C 00 03
Answer:
A0 00 14 C3 00 00 00 04 4C 00 05 00 00 49 00 07 01 00 00 00
m-obex/system/csc and
m-obex/system/openapiversion ?

Thank you.
m-obex I have no success because also not enough knowledge.
See here:
http://forum.xda-developers.com/showpost.php?p=20954943&postcount=3
Best Regards

I've somewhere correct sequence to start obex on wave. I will post later

Good afternoon if it will not for anything in this case but I found this on apps_compressed:
x40BF86FF 'kDHd:! eNULL: @ STRENGTH'
0x40BF8765 'eNULL:! ANULL: @ STRENGTH'
0x40BF8784:'/../ cx / source / Xsupplicant / src / auth_methods / eapfast / eapfast.c '
0x40BF889C:'/../ cx / source / Xsupplicant / src / auth_methods / eapfast / eapfast_key.c '
0x40BFAE8C '/ www.openssl.org / support / faq.html'
0x40BFB506: '23456789ABCDEF '
0x40BFC610 '] VOHyrkd'
0x40BFD099: '56789.: AbcdefABCDEF '

ferrloz said:
Good afternoon if it will not for anything in this case but I found this on apps_compressed:
x40BF86FF 'kDHd:! eNULL: @ STRENGTH'
0x40BF8765 'eNULL:! ANULL: @ STRENGTH'
0x40BF8784:'/../ cx / source / Xsupplicant / src / auth_methods / eapfast / eapfast.c '
0x40BF889C:'/../ cx / source / Xsupplicant / src / auth_methods / eapfast / eapfast_key.c '
0x40BFAE8C '/ www.openssl.org / support / faq.html'
0x40BFB506: '23456789ABCDEF '
0x40BFC610 '] VOHyrkd'
0x40BFD099: '56789.: AbcdefABCDEF '
Click to expand...
Click to collapse
Umm, sorry, it's not helping anything in that case. FYI there are literally tenths of thousands such char strings in apps_compressed. Good you're looking tho. ;P

Maybe my goal is not clear enough...
Most of us have NO S8600...
But S8600 has few nice NEW Apps.
You can download without attached handset EVERY App you can find via Kies.
BUT not install if attached handset is not valid...
My goal is to make S8500 valid to install S8600 Apps via Kies.
Solution 1 is wait...
Maybe Samsung will offer these Apps like Tintin before Christmas 2012...
Really realistic...
I think minimum 2-3 months not available for S8500/S8530 to be exclusive for S8600...
Solution...
Move your bu ehm brain.
This mission is NOT impossible.
Best Regards

Sorry for them to lose the time, now I will focus more on the subject.
ferrloz thanks.

[WIP] ZuneDB.dat editing - HELP NEEDED !

Hello.
I'm currently investigating the ZundDB.dat file located in \My Documents\Zune on the phone, this because I need to be able to edit the information in it for my new project (izPictureTool) for the purpose of organizing pictures on-device, in stead of syncing with Zune, organizing, and syncing it back.
If this file is understood and a library is built for editing its content, it will also make it possible to add music to the Zune player ON-DEVICE, which has been wanted for some time, it will also make it able to edit the tags for tracks ON-DEVICE.
Is there anyone with any knowledge about this file that could be useful?
The file "type/identifier" or what ever it's called is "ZMDB" which I believe is an acronym for Zune Media DataBase.
Here are the data bound to the picture albums I've synced to my phone, including the information about the pictures. Albumnames in BOLD/ITALIC and filenames in ITALIC.
Code:
4:7B40h: [B][I]4D 69 73 63[/I][/B] 00 00 00 00 14 00 00 4B 00 00 00 00 [B][I]Misc[/I][/B].......K....
4:7B50h: 00 52 6E E1 36 E5 CC 01 32 30 31 32 5F 30 32 00 .Rná6åÌ.2012_02.
4:7B60h: D2 00 00 43 C0 01 00 05 C3 01 00 0B 00 00 00 00 Ò..CÀ...Ã.......
4:7B70h: DD E2 01 00 00 52 6E E1 36 E5 CC 01 [I]43 61 6E 6F[/I] Ýâ...Rná6åÌ.[I]Cano[/I]
4:7B80h: [I]6E 20 50 6F 77 65 72 53 68 6F 74 20 53 58 31 31 n PowerShot SX11 [/I]
4:7B90h: [I]30 20 49 53 2E 6A 70 67[/I] 00 E0 A5 5D 59 00 00 00 [I]0 IS.jpg[/I].à¥]Y...
4:7BA0h: 00 00 00 00 00 00 00 00 00 10 14 01 00 00 00 04 ................
4:7BB0h: 15 80 02 00 00 04 01 82 CB 01 00 00 04 01 83 01 .€.....‚Ë.....ƒ.
4:7BC0h: 00 00 00 04 1E 5C 00 4D 00 79 00 20 00 44 00 6F .....\.M.y. .D.o
4:7BD0h: 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 5C .c.u.m.e.n.t.s.\
4:7BE0h: 00 5A 00 75 00 6E 00 65 00 5C 00 43 00 6F 00 6E .Z.u.n.e.\.C.o.n
4:7BF0h: 00 74 00 65 00 6E 00 74 00 5C 00 30 00 33 00 30 .t.e.n.t.\.0.3.0
4:7C00h: 00 30 00 5C 00 30 00 31 00 5C 00 74 00 68 00 75 .0.\.0.1.\.t.h.u
4:7C10h: 00 6D 00 62 00 73 00 5C 00 63 00 31 00 5F 00 74 .m.b.s.\.c.1._.t
4:7C20h: 00 68 00 75 00 6D 00 62 00 2E 00 6A 00 70 00 67 .h.u.m.b...j.p.g
4:7C30h: 00 00 00 6E 01 8B 00 00 C7 00 00 43 C0 01 00 05 ...n.‹..Ç..CÀ...
4:7C40h: C3 01 00 0B 00 00 00 00 41 20 00 00 80 BF A1 15 Ã.......A ..€¿¡.
4:7C50h: AF EA CC 01 [I]45 6B 65 6E C3 A4 73 73 74 75 67 61[/I] ¯êÌ.[I]Ekenässtuga[/I]
4:7C60h: [I]6E 2E 6A 70 67[/I] 00 F9 AA 2F 62 00 00 00 00 00 00 [I]n.jpg[/I].ùª/b......
4:7C70h: 00 00 00 00 00 00 10 14 01 00 00 00 04 15 DE 00 ..............Þ.
4:7C80h: 00 00 04 01 82 3A 00 00 00 04 01 83 01 00 00 00 ....‚:.....ƒ....
4:7C90h: 04 1E 5C 00 4D 00 79 00 20 00 44 00 6F 00 63 00 ..\.M.y. .D.o.c.
4:7CA0h: 75 00 6D 00 65 00 6E 00 74 00 73 00 5C 00 5A 00 u.m.e.n.t.s.\.Z.
4:7CB0h: 75 00 6E 00 65 00 5C 00 43 00 6F 00 6E 00 74 00 u.n.e.\.C.o.n.t.
4:7CC0h: 65 00 6E 00 74 00 5C 00 30 00 33 00 30 00 30 00 e.n.t.\.0.3.0.0.
4:7CD0h: 5C 00 30 00 31 00 5C 00 74 00 68 00 75 00 6D 00 \.0.1.\.t.h.u.m.
4:7CE0h: 62 00 73 00 5C 00 63 00 32 00 5F 00 74 00 68 00 b.s.\.c.2._.t.h.
4:7CF0h: 75 00 6D 00 62 00 2E 00 6A 00 70 00 67 00 00 00 u.m.b...j.p.g...
4:7D00h: 6E 01 8B 00 14 00 00 4B 00 00 00 00 80 39 2E 04 n.‹....K....€9..
4:7D10h: E3 F5 CA 01 32 30 31 30 5F 30 35 00 BE 00 00 43 ãõÊ.2010_05.¾..C
4:7D20h: C0 01 00 05 C4 01 00 0B 00 00 00 00 92 B0 01 00 À...Ä.......’°..
4:7D30h: 80 39 2E 04 E3 F5 CA 01 [I]56 43 2B 2B 2E 6A 70 67[/I] €9..ãõÊ.[I]VC++.jpg[/I]
4:7D40h: 00 1C E8 26 31 00 00 00 00 00 00 00 00 00 00 00 ..è&1...........
4:7D50h: 00 10 14 01 00 00 00 04 15 92 04 00 00 04 01 82 .........’.....‚
4:7D60h: DC 05 00 00 04 01 83 01 00 00 00 04 1E 5C 00 4D Ü.....ƒ......\.M
4:7D70h: 00 79 00 20 00 44 00 6F 00 63 00 75 00 6D 00 65 .y. .D.o.c.u.m.e
4:7D80h: 00 6E 00 74 00 73 00 5C 00 5A 00 75 00 6E 00 65 .n.t.s.\.Z.u.n.e
4:7D90h: 00 5C 00 43 00 6F 00 6E 00 74 00 65 00 6E 00 74 .\.C.o.n.t.e.n.t
4:7DA0h: 00 5C 00 30 00 33 00 30 00 30 00 5C 00 30 00 31 .\.0.3.0.0.\.0.1
4:7DB0h: 00 5C 00 74 00 68 00 75 00 6D 00 62 00 73 00 5C .\.t.h.u.m.b.s.\
4:7DC0h: 00 63 00 33 00 5F 00 74 00 68 00 75 00 6D 00 62 .c.3._.t.h.u.m.b
4:7DD0h: 00 2E 00 6A 00 70 00 67 00 00 00 6E 01 8B 00 00 ...j.p.g...n.‹..
4:7DE0h: 0C 00 00 45 9F 01 00 05 00 00 00 00 ...EŸ.......
Regards
Izaac

Have you tried using the CE database functions? The typical file extension for old CE databases is .VOL and for the new ones (Embedded Database) it's .EDB, but it doens't have to be those. If it works using either type of DB, that would give an easy and quick programmatic access.
I've already got a test library cooked up that can poke a database volume and figure out what tables it contains. I could try pointing it at this file...

Hello. Yes please do so and tell me what you find
Done some research to find out if it's an old CEDB or a newer EDB but I don't think it is, but I'm not sure thou, at least the first data in the file is ZMDB as you can see down below.
Code:
0000h: [B]5A 4D 44 42[/B] 01 00 00 00 90 4A 03 00 AC 07 00 00 [B]ZMDB[/B]....J..¬...
0010h: 92 00 00 00 C4 42 03 00 80 01 00 00 00 00 00 00 ’...ÄB..€.......
0020h: 5A 4D 65 64 05 00 00 00 D8 01 00 00 1D 04 00 00 ZMed....Ø.......
0030h: 00 00 00 00 4C F4 76 08 5A 41 72 72 00 D0 08 00 ....Lôv.ZArr.Ð..
0040h: 31 00 00 00 40 1F 00 00 D0 07 00 00 5A 41 72 72 [email protected]Ð...ZArr
0050h: 00 E0 04 00 00 00 00 00 A0 0F 00 00 D4 01 01 00 .à......*...Ô...
0060h: 5A 41 72 72 01 E0 04 00 00 00 00 00 A0 0F 00 00 ZArr.à......*...
0070h: 58 40 01 00 5A 41 72 72 02 E0 04 00 00 00 00 00 [email protected]à......
0080h: E8 03 00 00 DC 7E 01 00 5A 41 72 72 03 E0 04 00 è...Ü~..ZArr.à..
Regards
Izaac

ZMDB - Zune Music Database?
ZArr - Zune Artist information or Zune Album art?
Just guessing, no need to answer

As I said before
IzaacJ said:
The file "type/identifier" or what ever it's called is "ZMDB" which I believe is an acronym for Zune Media DataBase.
Click to expand...
Click to collapse
This database stores music, videos and pictures
Regards
Izaac

Sorry, missed it

From other side I think it can be more useful to search API to access that DB inside DLLs?

Yeah, but I doubt there'll be some functions for creating new albums and moving pictures to an other album, but I could be wrong.
Regards
Izaac
EDIT: Found some API calls in zuneapi.dll (requires ossvcs.dll to load in IDA Pro).
MediaApi_AddPhoto
MediaApi_AddPhotoFile
Really not that used to doing this kind of stuff, but I'm learning Didn't find anything related to deleting a picture/album, nor anything about creating an album or moving a picture from an album, but that's easy as adding the picture to the destination album, and deleting it from the previous one, when there are enough information to manage to do that
Regards
Izaac

it's also can be exposed as COM interface for example . . .

Can the DLL be imported via the DLLImport project, i would love to have it imported.