V3i





How to remove RSA protection

Motorola uses RSA to protect code group 1 (CG1), which contains the firmware for the phone.   Now that the RSA protection can be defeated, many things on the phone can be altered.   For example, you can change your splash screen image to anything you want, and run signed and unsigned CORElets.





I want to say thank you and mention as many of the people involved in this as I can, because without their work, none of us would be able to do this.

I followed the instructions posted here at ModMyMoto.   "Kirklestat" is the author of this particular guide which was adapted from a guide written by "Archy" (in Russian), which can be found here http://forum.motofan.ru/index.php?showtopic=94215 at the Motofan forum.

These instructions not only work on the L7, but also on the L6, V3i, and V360.

The first thing you must do is decide whether you want to alter a monster pack that you already have on your computer, or backup your phone and alter that monster pack.   I decided to backup my phone in its current condition, with all the mods and everything else I like already in place.

Start Flash & Backup 3.   Keep in mind, you must have the full version of this program.   If you have not registered your version, then it will not create a complete backup for you and these instructions will not work.

Go to the "Active phone profile:" drop down box and select your phone.   Click the "Read Data" tab just below and to the left.   Go to the bottom of the code group list and check the "Select all" box.   Go to the "Backup format:" drop down box and select "SHX (S-Records file)".   Then click the "Read data" button at the bottom right.






You will get a status screen for each code group as it backs up the data.




When it finished backing up my phone, it left a file called "2007-01-21_234004.shx" in my backups folder in my Flash & Backup 3 program folder.   You might want to rename your monster pack to something a bit more descriptive so you can keep track of what that file really is.

Now that we have a monster pack to work with, start Random SHX Toolkit.   This will be used to take the monster pack shx file we just saved, and break it down into its constituent code groups.   Click the button "Extract BIN files from SHX".




You will then get a pop up window to navigate to where your monster pack file is.   Once you find it, select it and click "Open".




You'll get a status bar while it extracts the files and then you'll get a pop up window when it's done.   Click "OK".




Now go back to where your monster pack file was and you'll see a new folder called "Extracted Bin".   Open this folder and you'll see all the files that make up a monster pack.

The first file (and I'm only referring to the last character and extension of the file names; the previous characters will be different for everyone) is an .lst file.   This contains information on all the other files in this folder along with their addresses.   It serves as a checklist for the Random SHX program so that it can recompile these files back into a single monster pack file (shx).   The rest of the files in order are:

0.bin   This is the header.
1.bin   This is the RAMdlr.
2.bin   This is the CG1, or code group 1.   This is the firmware of the phone, and the file we will be editing.
3.bin   This is the CG2, or code group 2.   This is the flex.
4.bin   This is the CG3, or code group 3.   This is the DSP firmware.
5.bin   This is the CG4, or code group 4.   This is the language pack.
6.bin   This is the CG7, or code group 7.   This is the digital signature.
7.bin   This is the CG15, or code group 15.   This is the DRM.
8.bin   This is the CG18, or code group 18.   This is another digital signature.




Start Simple RSA LTE2 Remover.   You can get the program here.   In the text box by #2, make sure you enter "11F80000".






Now click the button "..." next to the "CG1:" text box.




You will then get a pop up window to navigate to where your 2.bin file is.   Once you find it, select it and click "Open".




Now click the button "..." next to the "CG7" text box.




You will then get a pop up window to navigate to where your 6.bin file is.   Once you find it, select it and click "Open".




Now click the button "..." next to the "CG18" text box.




You will then get a pop up window to navigate to where your 8.bin file is.   Once you find it, select it and click "Open".



Your program screen should now look like this:




Now click this button (which is below the "CG18" text box):




At this point the RSA is now removed.   You can now close the Simple RSA LTE2 Remover program.

Once you have applied RSA-patched firmware to your phone, be careful before flashing a language pack or a DRM (or even a font if you are really paranoid): split the shx file first and check that there is no CG7 included in it.   Some of these files will have a CG7 combined with them.   If a CG7 is present, remove it and recompile the file with only the code group you want to flash.
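
The CG7 check described above can also be done by reading the S-record text directly. The following is an added example, not part of the original guide or of any tool it names: it verifies each record's checksum and lists the address regions the file would write. It assumes the .shx file is a standard Motorola S-record text file; the sample records and the CG7 start address are constructed placeholders, since this guide does not give code group addresses.

```python
ADDR_BYTES = {"1": 2, "2": 3, "3": 4}  # address width of S1/S2/S3 data records
# Constructed sample records (not taken from any real firmware image).
SAMPLE = [
    "S0030000FC",              # header record
    "S30910000000DEADBEEFAE",  # 4 data bytes at 0x10000000
    "S3091000000401020304D8",  # 4 data bytes at 0x10000004 (contiguous)
    "S30720000000AA55D9",      # 2 data bytes at 0x20000000 (separate region)
    "S70500000000FA",          # termination record
]
CG7_START_PLACEHOLDER = 0x20000000  # assumption: substitute your phone's CG7 start


def parse_record(line):
    """Return (address, data) for a data record, None for any other record type."""
    line = line.strip()
    if len(line) < 4 or line[0] != "S":
        raise ValueError(f"not an S-record: {line!r}")
    raw = bytes.fromhex(line[2:])  # byte count, address, data, checksum
    if raw[0] != len(raw) - 1:
        raise ValueError(f"byte count mismatch: {line!r}")
    if (sum(raw) & 0xFF) != 0xFF:  # checksum is the ones' complement of the sum
        raise ValueError(f"bad checksum: {line!r}")
    width = ADDR_BYTES.get(line[1])
    if width is None:
        return None  # header (S0), count (S5/S6) or termination (S7-S9)
    return int.from_bytes(raw[1:1 + width], "big"), raw[1 + width:-1]


def regions(lines):
    """Merge data records into sorted (start, end) ranges; end is exclusive."""
    records = filter(None, (parse_record(l) for l in lines if l.strip()))
    merged = []
    for start, end in sorted((a, a + len(d)) for a, d in records if d):
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [tuple(m) for m in merged]


def contains(lines, address):
    """True if any data record writes to `address`."""
    return any(start <= address < end for start, end in regions(lines))


if __name__ == "__main__":
    for start, end in regions(SAMPLE):
        print(f"{start:08X}-{end - 1:08X}")
    print("CG7 present:", contains(SAMPLE, CG7_START_PLACEHOLDER))
```

To check a real file, pass its lines (for example `open(path).read().splitlines()`) to `regions` and compare the listed ranges with the code group you intend to flash.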

If you want to continue with modifying the splash screen, then click here to go to the next step.   Otherwise, perform the following steps to create a monster pack with no RSA.

Now we have to recompile all the .bin files into a monster pack so we can flash the phone.   Start Random SHX Toolkit again.   Now click the "Create SHX file from BINs" button.







The open pop up window will appear.   Navigate back to your extracted bin folder and click on the only file that should appear.   This is the .lst file.   Select it and click "Open".




It will take some time to recompile.   The new shx file will be saved in the extracted bin folder.   In my case the new monster pack is called "2007-01-21_234004.shx".   Not too helpful.   You may want to rename this something like RSA removed monster pack so you know what it is.




Start RSD Lite and click the "..." button after your phone is recognized.   This will make the open file dialog box appear.   In this picture I have already renamed my file "2007-01-21_234004.shx" to "RSA removed L7.shx".





The flashing process failed, because of a checksum error (which I understand is common with a non RSA monster pack), but my phone restarted and it worked just fine.   At this point you have a phone with its RSA removed.





Change the start up splash screen

The Motorola splash screen is the first image displayed when turning on the phone.   Besides the default image (on the left), there is an alternate image (on the right), which can be used by going to seem "004a_0001" at offset "1C0" and setting it to "01".



Now if you want to use any image you want as a splash screen, continue reading...



How to replace the splash screen image


We're going to change the splash screen, or as some call it the boot screen.   This is the very first image that is displayed when turning on the phone.   Now that we can remove RSA protection from the phone, we can finally swap out the HelloMoto or the Welcome screen with any image we want.

My instructions come from the guide that Kirklestat made right here.   You will need the Motorola Boot Screen Replacer program which is available right here.

Now go to the folder where you downloaded the Motorola Boot Screen Replacer program.   You might want to put the image that you want to swap out in this folder.   Your image must be a bmp.




Now double click the "offset.ini" file so you can edit it in notepad.   Depending on what firmware you have, you must enter the following data into the .ini file exactly as it appears here:

[L7 R4513...ABR]
Hellomoto=534443 - you can also try "5345A3"
Welcome=52043D - not yet confirmed.


[L7 R4513...ACR]
Hellomoto=534767
Welcome=520601
If you select this for your flash type and the image is not centered on the screen, do not proceed!


[L7 R4513...DCR]
Hellomoto=539BB7
Welcome=525A51
If you select this for your flash type and the image is not centered on the screen, do not proceed!


[L7 R4513...DER]
Hellomoto=539C37
Welcome=525AD1
If you select this for your flash type and the image is not centered on the screen, do not proceed!


[L7 R4517...1ER]
Hellomoto=53A5BF
Welcome=526459
Perform this at your own risk!


When you are done, don't forget to save the file.



If you do not see your firmware listed then you will have to use the Samsung Flash Imager program here.

Start the Samsung Flash Imager.   Since everything in this program displays in gibberish, I'll describe what button you need to push to get through this.   You'll see this screen first, just click the button on the lower left to close it.




Here is the program screen.






Now click on the "Oaee" menu and select the first item in the list with the word flash in it.   You are going to find your 2.bin file at this point.




Locate your 2.bin file, select it and click the "Open" button.




Enter the values "176" and "220" in these two boxes manually.   The up and down arrows won't raise the numbers that high.




Go to this drop down box and select the last option "16bpp".




You will now see a mess of color on both screens.




Now use that group of eight buttons to find your HelloMoto or Welcome splash screen.   You only need to do this if you do not know the hex address for your splash screen(s) for your particular firmware.

The first pair of buttons skip hex addresses quickly.   The left button goes down in value and the right button goes up in value.

The second pair of buttons moves any displayed image (in both windows) up and down.

The third pair of buttons moves any displayed image (in both windows) left and right.

The fourth pair of buttons change hex addresses one digit at a time.   The left button goes down in value, and the right button goes up in value.




I clicked the upper right button (since it skips addresses the quickest) until I got to hex address "53E580", which is where I first saw the HelloMoto image.




I then clicked the lower left button, which reversed the color palette that I saw.




Now align the image so that its top left corner (which has an alignment pixel) is in the top left corner of the window it appears in.   You know you have it aligned correctly when you put the single green pixel in the top left corner on the big screen.   It may not look it, but it will display correctly on the phone.




Here's a close up of that alignment pixel.




Now that you've done this, make a note of the hex address.   You'll need this later.   In this case, the HelloMoto screen is at hex address "539BB7".   Remember this address is only for the "DCR" firmware.   I tried to find the address for the Welcome splash screen, but didn't see the alignment pixel.   If you are using the Welcome screen, you could just do the seem edit to set this back to the HelloMoto splash screen.   To do this download seem "004a_0001" and at offset "1C0" change the setting to "00".

Once you have your address(es), just close the program from the top right corner of the screen.   Don't click any other buttons!


Start the Motorola boot screen replacer program.   Make sure you check the radio button at the very top for "Change image in firmware".   Also be sure to check the radio button for "176x220".






Click the folder icon by the number 1 text box and look for your 2.bin file.




Go to the number 2 text box and choose your phone profile.




You should now see your current splash screen displayed on the right.




Click the "Load from file..." button and find your replacement splash screen image.




Click "Save flash" and you will get a confirmation pop up saying "OK!" so click the "OK" button and close the program.



Start Random SHX Toolkit to recompile your bins into an shx and reflash your shx.   I used Flash & Backup 3.   I like this method because, with a compiled shx, you can flash just the CG1, which won't take as long.   I named my file something unique so that I always know what mods I've done to the monster pack.




If you flash with Flash & Backup 3, your phone will most likely display "CRITICAL ERROR 84" very briefly.   Don't worry, that's just a checksum error.   In a few seconds your phone should beep and restart and work fine.   This happened to me too a few times.

You could also use RSD Lite to put on your new monster pack.   The only difference is that you can't select which code groups you want to flash; you'll just have to flash the whole thing.





This ends the "mods 3" section of this tutorial.


