TheMotoGuides
- Motorola modding taken to the limits.
How to remove RSA protection and increase iTunes to 100 songs
by Pacificamark adapted from instructions by Kirklestat, Archy, Supshow and imit8
First we are going to remove the RSA protection from the phone's firmware and then
we will unprotect a seem which needs to be overwritten to allow iTunes
to play 100 songs. These instructions were written for the R47A V3i.
RSA is the signature scheme Motorola uses to protect code group 1 (CG1). CG1 contains
the firmware for the phone. Now that a way to defeat the RSA check exists,
many things can be altered on the phone. For example, you can change
your splash screen image to anything you want, increase your 50-song iTunes
limit to 100 songs, and run signed and unsigned CORElets.
I followed the instructions posted
here at ModMyMoto.
Kirklestat is the author of this particular guide which was adapted from a
guide written by "Archy" (in Russian), which can be found
here at Motofan.
The first thing you must do is decide whether you want to alter a monster pack
that you already have on your computer, or if you want to make a monster pack
backup of your phone and alter that. I decided to backup my phone in its
current condition, with all the mods and everything else I like already in place.
Start Flash & Backup 3. Keep in mind, you must have the full version
of this program. If you have not registered your version, then it will
not create a complete backup for you and these instructions will not work.
Go to the "Active phone profile:" drop down box and select your phone.
Click the "Read Data" tab just below and to the left. Go to the bottom of
the code group list and check the "Select all" box. Go to the "Backup
format:" drop down box and select "SHX (S-Records file)". Then click the
"Read data" button at the bottom right.
You will get a status screen for each code group as it backs up the data.
When it finished backing up my phone, it left a file called "2007-01-21_234004.shx" in my
backups folder in my Flash & Backup 3 program folder. You might want
to rename your monster pack to something a bit more descriptive so you can keep
track of what that file really is.
Now that we have a monster pack to work with, start Random SHX Toolkit.
This will be used to take the monster pack shx file we just saved, and break it
down into its constituent code groups. Click the button "Extract BIN
files from SHX".
You will then get a pop up window to navigate to where your monster pack file is.
Once you find it, select it and click "Open".
You'll get a status bar while it extracts the files and then you'll get a pop up
window when it's done. Click "OK".
Now go back to where your monster pack file was and you'll see a new folder
called "Extracted Bin". Open this folder and you'll see all the files
that make up a monster pack.
The first file (I'm referring only to the last character and extension of the
file names; the preceding characters will be different for everyone) is an .lst file.
This contains information on all the other files in this folder along with
their addresses. It serves as a checklist for the Random SHX program so that
it can recompile these files back into a single monster pack file (shx). The
rest of the files, in order, are:
0.bin  This is the header.
1.bin  This is the RAMdlr.
2.bin  This is the CG1, or code group 1. This is the firmware of the phone, and the file we will be editing.
3.bin  This is the CG2, or code group 2. This is the flex.
4.bin  This is the CG3, or code group 3. This is the DSP firmware.
5.bin  This is the CG4, or code group 4. This is the language pack.
6.bin  This is the CG7, or code group 7. This is the digital signature.
7.bin  This is the CG15, or code group 15. This is the DRM.
8.bin  This is the CG18, or code group 18. This is another digital signature.
Start Simple RSA LTE2 Remover. In the text box by #2, make sure you enter
"12F80000".
Now click the button "..." next to the "CG1:" text box.
You will then get a pop up window to navigate to where your 2.bin file is.
Once you find it, select it and click "Open".
Now click the button "..." next to the "CG7" text box.
You will then get a pop up window to navigate to where your 6.bin file is.
Once you find it, select it and click "Open".
Now click the button "..." next to the "CG18" text box.
You will then get a pop up window to navigate to where your 8.bin file is.
Once you find it, select it and click "Open".
Your program screen should now look like this:
Now click this button (which is below the "CG18" text box):
At this point the RSA is now removed. You can now close the Simple RSA
LTE2 Remover program.
If you want to continue with modifying iTunes, then skip down a
few paragraphs where I discuss modifying iTunes. Otherwise do the
next steps in order to create a monster pack with just the RSA removed.
Now we have to recompile all the .bin files into a monster pack so we can flash
the phone. Start Random SHX Toolkit again. Now click the "Create SHX file
from BINs" button.
The Open dialog will appear. Navigate back to your Extracted Bin
folder and click on the only file that should appear. This is the .lst
file. Select it and click "Open".
It will take some time to recompile. The new shx file will be saved in the
extracted bin folder. In my case the new monster pack is called
"2007-01-21_234004.shx". Not too helpful. You may want to rename
this something like RSA removed monster pack so you know what it is.
Start RSD Lite and click the "..." button after your phone is recognized.
This will make the open file dialog box appear. In this picture I have already
renamed my file "2007-01-21_234004.shx" to "RSA Removed V3i.shx".
The flashing process failed because of a checksum error (which I understand is
common with a non-RSA monster pack), but my phone restarted and it worked just
fine. At this point you have a phone with its RSA removed.
Modifying iTunes
Now it's time to modify iTunes to play 100 songs. First I want to start
off by thanking the person known as "GandjaFuzz" at the MotoFan.ru website for
creating these instructions. Then I want to thank the person known as
"Supshow" for translating "GandjaFuzz's" instructions from
Russian into English and sharing them at the MotoX forums in
this thread.
Hats off to the work of these people for sharing their knowledge with the
rest of the community.
In my case I already have an "R47A" phone with iTunes and a 50 song limit.
You should note, if you want to convert your phone from "R479" to an "R47A"
phone which can run iTunes, then you should read the thread in the paragraph
above.
In order to do this modification, you must have first removed the RSA from a monster
pack.
There are some seems that control some functions that Motorola does not want
anyone to alter. Normally we can download a seem and edit it to activate
or deactivate a particular feature. Once we upload the edited seem back to
the phone, it has been reprogrammed to do what we want. Well, Motorola didn't
want some things to be changed (like swapping out the HelloMoto splash screen for a
custom image, or running unsigned CORElets, or increasing your iTunes song limit
from 50 to 100 songs, etc.). That has now changed. I'm sure over time
more and more discoveries will be made by some very smart, and dedicated people
(in Russia most likely).
First open your CG1 (the 2.bin file from your extracted bin folder) with XVI32.
Next click on the "Search" menu and have the program look for this hex string
"00 00 00 00 00 00 00 00 00 AB 00".
Here's what the hex string looks like in context:
All the code that we will edit is in this same small section of the screen.
You won't have to scroll beyond these lines I'm showing.
Now let's look at the four bytes of data preceding this hex string. I'm
talking about the code "10 0D 64 8B" which I've outlined in green.
Note that this code outlined in green will vary depending on the firmware
version of the monster pack that you are editing. In this example I am
editing "R47A_G_08.D8.A1R" firmware.
As a comparison, I also decompiled the "R47A_G_08.D8.3CR" firmware, and when
searching for the same hex string "00 00 00 00 00 00 00 00 00 AB 00", the four
bytes of code preceding it had changed to "10 0D 66 73". The hex string
is always the same; just the four bytes preceding it are what you have to
look for. Adapt the following instructions accordingly.
Ok, so think of this section of code "10 0D 64 8B" as a key that allows us to
overwrite the data in an unprotected seem. Look again at the hex string
outlined in blue for the code "00 AB". That's actually a seem name in there.
If you look at this screen full of code long enough, you should see a pattern
emerge. I'm outlining in green every occurrence of that "key" that allows a
seem to be overwritten. Every one of those green boxes has a 2 byte code
(which is actually a seem name) following it after a string of 0s. So, in
this example, seem "00AB_0001", seem "0230_0001", seem "0231_0001", and seem
"035a_0001" can all be overwritten, they are all unlocked seems.
There are some other keys which are locking the seems they control. I'm
outlining these keys in red. See the slight difference in the code between
an unlocked seem and a locked seem?
To unlock the seems so they can be overwritten, merely change the keys in red to
match the keys in green. In this case simply change some keys' last byte
from "F7" to "8B", for other keys you must change their last two bytes from
"63 DB" to "64 8B" and so on.
Got it? When you are done changing all the keys to an unlocked state, it
should look like this:
Save the file when you are done. You have now modified your CG1. Now
it's time to recompile your monster pack from earlier that had its RSA removed.
Hopefully you have already put your CG1 back into the extracted bin folder
it was in at the beginning of these instructions. Start Random SHX Toolkit.
Click the "Create SHX file from BINs" button.
It will take a while to compile and when it finishes it will save the shx into your
extracted bin folder. You might want to rename your file to something more
descriptive before you flash it, just so you can keep track of that file.
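Before you flash, it is worth confirming that the hex editor changed only the bytes you meant to change: a stray keystroke in XVI32 is invisible to the eye, and a broken CG1 is how phones get damaged. Here is an added Python example (not from this guide or from any tool it names) that compares the edited 2.bin against an untouched copy and lists every run of changed bytes, flagging anything beyond the number and size of edits you intended. The two images in it are constructed stand-ins, and the file names in the comments are hypothetical.

```python
"""Audit a hand-edited firmware image by diffing it against the untouched copy.

Added example, not part of the original guide. It assumes you kept a copy of
the original 2.bin (e.g. '2.bin.orig', a hypothetical name) before editing.
"""
from typing import List, Tuple

Run = Tuple[int, bytes, bytes]  # (offset, original bytes, edited bytes)


def diff_runs(original: bytes, edited: bytes) -> List[Run]:
    """Return every maximal run of bytes that differ between the two images.

    A hex-editor overwrite keeps the image the same length. An insertion or
    deletion shifts every later address and would break the code group, so a
    length mismatch is reported as an error instead of being diffed.
    """
    if len(original) != len(edited):
        raise ValueError(
            f"length changed from {len(original)} to {len(edited)} bytes; "
            "the edit inserted or deleted data instead of overwriting it")
    runs: List[Run] = []
    i, n = 0, len(original)
    while i < n:
        if original[i] == edited[i]:
            i += 1
            continue
        j = i
        while j < n and original[j] != edited[j]:
            j += 1  # extend the run while bytes keep differing
        runs.append((i, original[i:j], edited[i:j]))
        i = j
    return runs


def audit(original: bytes, edited: bytes, max_runs: int, max_run_len: int = 2) -> List[str]:
    """Return human-readable problems; an empty list means the edit looks as intended.

    max_runs is the number of separate keys you edited; max_run_len is the
    longest overwrite you made (the guide's edits are one or two bytes).
    """
    problems: List[str] = []
    runs = diff_runs(original, edited)
    if not runs:
        problems.append("no bytes changed: the edit was not saved")
    if len(runs) > max_runs:
        problems.append(f"{len(runs)} changed runs, expected at most {max_runs}")
    for off, old, _new in runs:
        if len(old) > max_run_len:
            problems.append(
                f"run at 0x{off:08X} changes {len(old)} bytes, expected at most {max_run_len}")
    return problems


def format_runs(runs: List[Run]) -> List[str]:
    """One printable line per run: offset, old bytes, new bytes."""
    return [f"0x{off:08X}: {old.hex(' ').upper()} -> {new.hex(' ').upper()}"
            for off, old, new in runs]


def audit_files(original_path: str, edited_path: str, max_runs: int,
                max_run_len: int = 2) -> List[str]:
    """Same check on files, e.g. audit_files('2.bin.orig', '2.bin', max_runs=4)."""
    with open(original_path, "rb") as fh:
        original = fh.read()
    with open(edited_path, "rb") as fh:
        edited = fh.read()
    return audit(original, edited, max_runs, max_run_len)


# Constructed stand-ins for the untouched and edited 2.bin: a one-byte
# overwrite at offset 5 and a two-byte overwrite at offset 20.
ORIGINAL = bytes(range(32))
_edited = bytearray(ORIGINAL)
_edited[5] = 0x8B
_edited[20:22] = b"\x64\x8B"
EDITED = bytes(_edited)

if __name__ == "__main__":
    for line in format_runs(diff_runs(ORIGINAL, EDITED)):
        print(line)
    print("problems:", audit(ORIGINAL, EDITED, max_runs=2) or "none")
```

Every line it prints should be one of the keys you edited, with the one- or two-byte length you expected, and nothing else; if the length check fails outright, the editor was in insert mode rather than overwrite mode and the file should not be flashed.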
Start RSD Lite and flash the file.
It failed the flash, but it did work on the phone. It failed because of a checksum error;
not a big deal, and it can be fixed. So now I have a V3i with the RSA removed
and the CG1 modified to allow seem overwrites in critical areas.
If you ever flash new firmware to your phone you must repeat the process of
breaking down the monster pack into code groups, removing the RSA from the three
code groups, and then enabling seem overwriting ability. If you don't, you
may damage your phone.
Now it's time for the final step: modifying a single seem to allow for 100 songs
on iTunes. I want to say thanks to "imit8" at the MotoX forums; he
reported here
simplified instructions that make this mod work on the "R47A" phone
instead of on the "R479" phone.
Start P2KMan and download seem "0371_0001". There are two 32s in this
seem and not much else.
Change both the 32s to 64s. Don't forget to save the file.
I then used P2Kman to upload the seem. If you didn't unlock the seems
correctly earlier, P2Kman will not upload the seem, and the program will appear to
hang.
I restarted my phone and iTunes now displayed the ability to play 100 songs!
Here's the before and after images of my "About" menu in iTunes.
Here's iTunes uploading the songs. I checked to make sure it really played
all 100 songs and it did!