How to remove RSA protection

Motorola uses RSA to protect code group 1 (CG1), which contains the firmware for the phone.   Now that the ability to defeat the RSA exists, many things can be altered on the phone.   For example, you can change your splash screen image to anything you want, increase your 50-song iTunes limit to 100 songs, and run signed and unsigned CORElets.





I want to say thank you and mention as many of the people involved in this as I can, because without their work, none of us would be able to do this.

I followed the instructions posted here at ModMyMoto.   "Kirklestat" is the author of this particular guide which was adapted from a guide written by "Archy" (in Russian), which can be found here http://forum.motofan.ru/index.php?showtopic=94215 at the Motofan forum.

These instructions not only work on the V3i, but also on the L6, L7, and V360.

The first thing you must do is decide whether you want to alter a monster pack that you already have on your computer, or backup your phone and alter that monster pack.   I decided to backup my phone in its current condition, with all the mods and everything else I like already in place.

Start Flash & Backup 3.   Keep in mind, you must have the full version of this program.   If you have not registered your version, then it will not create a complete backup for you and these instructions will not work.

Go to the "Active phone profile:" drop down box and select your phone.   Click the "Read Data" tab just below and to the left.   Go to the bottom of the code group list and check the "Select all" box.   Go to the "Backup format:" drop down box and select "SHX (S-Records file)".   Then click the "Read data" button at the bottom right.





You will get a status screen for each code group as it backs up the data.




When it finished backing up my phone, it left a file called "2007-01-21_234004.shx" in my backups folder in my Flash & Backup 3 program folder.   You might want to rename your monster pack to something a bit more descriptive so you can keep track of what that file really is.

Now that we have a monster pack to work with, start Random SHX Toolkit.   This will be used to take the monster pack shx file we just saved and break it down into its constituent code groups.   Click the button "Extract BIN files from SHX".





You will then get a pop up window to navigate to where your monster pack file is.   Once you find it, select it and click "Open".




You'll get a status bar while it extracts the files and then you'll get a pop up window when it's done.   Click "OK".




Now go back to where your monster pack file was and you'll see a new folder called "Extracted Bin".   Open this folder and you'll see all the files that make up a monster pack.

The first file (and I'm only referring to the last character and extension of the file names, the previous characters will be different for everyone) is an .lst file.   This contains information on all the other files in this folder along with their addresses.   It serves as a checklist for the Random SHX program so that it can recompile these files back into a single monster pack file (shx).   The rest of the files in order are:

0.bin   This is the header.
1.bin   This is the RAMdlr.
2.bin   This is the CG1, or code group 1.   This is the firmware of the phone, and the file we will be editing.
3.bin   This is the CG2, or code group 2.   This is the flex.
4.bin   This is the CG3, or code group 3.   This is the DSP firmware.
5.bin   This is the CG4, or code group 4.   This is the language pack.
6.bin   This is the CG7, or code group 7.   This is the digital signature.
7.bin   This is the CG15, or code group 15.   This is the DRM.
8.bin   This is the CG18, or code group 18.   This is another digital signature.




Start Simple RSA LTE2 Remover.   You can get the program here.   In the text box by #2, make sure you enter "12F80000".




Now click the button "..." next to the "CG1:" text box.




You will then get a pop up window to navigate to where your 2.bin file is.   Once you find it, select it and click "Open".




Now click the button "..." next to the "CG7" text box.




You will then get a pop up window to navigate to where your 6.bin file is.   Once you find it, select it and click "Open".




Now click the button "..." next to the "CG18" text box.




You will then get a pop up window to navigate to where your 8.bin file is.   Once you find it, select it and click "Open".






Your program screen should now look like this:




Now click this button (which is below the "CG18" text box):




At this point the RSA is now removed.   You can now close the Simple RSA LTE2 Remover program.

Once you have applied RSA-patched firmware to your phone, be aware that before flashing a language pack or a DRM (or even a font if you are really paranoid), you should split the shx file first and check that there is no CG7 included in it.   Some of these files have a CG7 combined with them.   If a CG7 is present, remove it and recompile the file with only the code group you want to flash.
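One way to see what an .shx file would write before flashing it, as an added example that is not part of the original guide or of any tool it uses: the script verifies each record's checksum and lists the contiguous address regions the file contains, which you can compare against the addresses in the .lst file from a full backup. It assumes .shx files are plain Motorola S-record text; the function names and all sample addresses are constructed for illustration, and this page does not give the address range of CG7.

```python
# Added example: list the address regions an S-record flash file would write.
# Assumption: .shx files are plain Motorola S-record text (S0 header, S1/S2/S3
# data, S7/S8/S9 end). All addresses in SAMPLE are constructed for the demo.

ADDR_BYTES = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "6": 3, "7": 4, "8": 3, "9": 2}
DATA_TYPES = {"1", "2", "3"}


def make_record(rtype, addr, data=b""):
    """Build one S-record line (used only to construct the sample input)."""
    body = addr.to_bytes(ADDR_BYTES[rtype], "big") + data
    count = len(body) + 1                       # +1 for the checksum byte
    checksum = ~(count + sum(body)) & 0xFF      # ones' complement of the low byte
    return "S%s%02X%s%02X" % (rtype, count, body.hex().upper(), checksum)


def parse_record(line):
    """Return (type, address, data); raise ValueError on a malformed record."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or line[1] not in ADDR_BYTES:
        raise ValueError("not an S-record")
    raw = bytes.fromhex(line[2:])               # count, address, data, checksum
    n = ADDR_BYTES[line[1]]
    if raw[0] != len(raw) - 1 or raw[0] < n + 1:
        raise ValueError("bad byte count")
    if (~sum(raw[:-1]) & 0xFF) != raw[-1]:
        raise ValueError("checksum mismatch")
    return line[1], int.from_bytes(raw[1:1 + n], "big"), raw[1 + n:-1]


def scan(text):
    """Return (regions, errors): merged [start, end) data ranges and bad lines."""
    spans, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rtype, addr, data = parse_record(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if rtype in DATA_TYPES and data:
            spans.append((addr, addr + len(data)))
    regions = []
    for start, end in sorted(spans):
        if regions and start <= regions[-1][1]:  # touches or overlaps previous
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((start, end))
    return regions, errors


# Constructed sample: two separate regions plus one record with a broken checksum.
SAMPLE = "\n".join([
    make_record("0", 0, b"constructed"),
    make_record("3", 0x00100000, bytes(range(16))),
    make_record("3", 0x00100010, bytes(range(16))),
    make_record("3", 0x00200000, b"\xAA" * 8),
    make_record("3", 0x00300000, b"\x55" * 8)[:-2] + "00",
    make_record("7", 0),
])

if __name__ == "__main__":
    regions, errors = scan(SAMPLE)
    for start, end in regions:
        print("region 0x%08X-0x%08X (%d bytes)" % (start, end - 1, end - start))
    for lineno, reason in errors:
        print("line %d rejected: %s" % (lineno, reason))
```

A file meant to carry a single code group should show only the region you expect; any extra region or rejected record is a reason not to flash it as is.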

If you want to continue with modifying iTunes, then click here to go to the next step.   Otherwise, perform the following steps to create a monster pack with no RSA.

Now we have to recompile all the .bin files into a monster pack so we can flash the phone.   Start Random SHX Toolkit again.   Now click the "Create SHX file from BINs" button.




The open pop up window will appear.   Navigate back to your extracted bin folder and click on the only file that should appear.   This is the .lst file.   Select it and click "Open".




It will take some time to recompile.   The new shx file will be saved in the extracted bin folder.   In my case the new monster pack is called "2007-01-21_234004.shx".   Not too helpful.   You may want to rename this something like RSA removed monster pack so you know what it is.




Start RSD Lite and click the "..." button after your phone is recognized.   This will make the open file dialog box appear.   In this picture I have already renamed my file "2007-01-21_234004.shx" to "RSA Removed V3i.shx".





The flashing process failed, because of a checksum error (which I understand is common with a non RSA monster pack), but my phone restarted and it worked just fine.   At this point you have a phone with its RSA removed.





Increase the "R47A" iTunes song limit to 100 songs

This mod could almost be called, "How to convert your 'R479' phone into a 'R47A' phone with iTunes."   In my case I already have an "R47A" phone with iTunes and a 50 song limit.   I wanted to raise that song limit to 100.   I did it with these instructions.   You should note, if you do want to convert your phone from "R479" to an "R47A" phone, then you should read the thread in the paragraph below.   I don't have an "R479" phone, so I have no way of personally verifying the information found in this thread, although I'm sure it is technically correct.

First I want to start off by thanking the person known as "GandjaFuzz" at the MotoFan.ru website for creating these instructions.   Then I want to thank the person known as "Supshow" for translating "GandjaFuzz's" instructions from Russian into English and sharing them at the MotoX forums here http://www.motox.info/showthread.php?t=35941.   Hats off to the work of these people for sharing their knowledge with the rest of the community.

In order to do this modification, you must have first removed the RSA from a monster pack. If you haven't done this yet then go to the very top of this page and follow the RSA removal instructions there.


There are some seems that control some functions that Motorola does not want anyone to alter.   Normally we can download a seem and edit it to activate or deactivate a particular feature.   Once we upload the edited seem back to the phone, it has been reprogrammed to do what we want.   Well Motorola didn't want some things to be changed (like swapping out the HelloMoto splash screen for a custom image, or running unsigned CORElets, or increasing your iTunes song limit from 50 to 100 songs, etc.).   That has now changed.   I'm sure over time more and more discoveries will be made by some very smart, and dedicated people (in Russia most likely).

First open your CG1 (the 2.bin file from your extracted bin folder) with XVI32. Next click on the "Search" menu and look for this hex string "00 00 00 00 00 00 00 00 00 AB 00".

Here's what the hex string looks like in context:





All the code that we will edit is in this same small section of the screen.   You won't have to scroll beyond these lines I'm showing.

Now let's look at the four bytes of data preceding this hex string.   I'm talking about the code "10 0D 64 8B" which I've outlined in green.

Note that this code outlined in green will vary depending on the firmware version of the monster pack that you are editing.   In this example I am editing "R47A_G_08.D8.A1R" firmware.  

As a comparison, I also decompiled the "R47A_G_08.D8.3CR" firmware, and when searching for the same hex string "00 00 00 00 00 00 00 00 00 AB 00", the four bytes of code preceding it had changed to "10 0D 66 73".   The hex string is always the same; the four bytes preceding it are what you have to look for.   Adapt the following instructions accordingly.

Ok, so think of this section of code "10 0D 64 8B" as a key that allows us to overwrite the data in an unprotected seem.   Look again at the hex string outlined in blue for the code "00 AB".   That's actually a seem name in there.





If you look at this screen full of code long enough, you should see a pattern emerge.   I'm outlining in green every occurrence of that "key" that allows a seem to be overwritten.   Every one of those green boxes has a 2 byte code, following that is a string of 0s with the name of a seem inside of it.   So, in this example, seem "00AB_0001", seem "0230_0001", seem "0231_0001", and seem "035a_0001" can all be overwritten, they are all unlocked seems.







There are some other keys which are locking the seems they control.   I'm outlining these keys in red.   See the slight difference in the code between an unlocked seem and a locked seem?







To unlock the seems so they can be overwritten, merely change the keys in red to match the keys in green.   In this case simply change some keys' last byte from "F7" to "8B", for other keys you must change their last two bytes from "63 DB" to "64 8B" and so on.

Got it?   When you are done changing all the keys to an unlocked state, it should look like this:





Save the file when you are done.   You have now modified your CG1.   Now it's time to recompile your monster pack from earlier that had its RSA removed.   Hopefully you have already put your CG1 back into the extracted bin folder it was in at the beginning of these instructions.   Start Random SHX Toolkit.   Click the "Create SHX file from BINs" button.







It will take a while to compile and when it finishes it will save the shx into your extracted bin folder.   You might want to rename your file to something more descriptive before you flash it, just so you can keep track of that file.




Start RSD Lite and flash the file.





It failed the flash, but it did work on the phone.   It failed because of a checksum error, not a big deal and it can be fixed.   So now I have a V3i with the RSA removed and the CG1 modified to allow seem overwrites in critical areas.

If you ever flash new firmware to your phone you must repeat the process of breaking down the monster pack into code groups, removing the RSA from the three code groups, and then enabling seem overwriting ability.   If you don't you may damage your phone.


Now it's time for the final step: modifying a single seem to allow for 100 songs on iTunes.   I want to say thanks to "imit8" at the MotoX forums, he reported http://www.motox.info/showthread.php?t=35931&page=3 on more simplified instructions to make this mod work on the "R47A" phone.

Start P2KMan and download seem "0371_0001".   There are two 32s in this seem and not much else.




Change both the 32s to 64s.   Don't forget to save the file.




I then used P2KMan to upload the seem.   If you didn't unlock the seems correctly earlier, P2KMan will not upload the seem, and the program will appear to hang.




I restarted my phone and iTunes now displayed the ability to play 100 songs!   Here's the before and after images of my "About" menu in iTunes.




Here's iTunes uploading the songs.   I checked to make sure it really played all 100 songs and it did!





Change the start up splash screen

For the Motorola splash screen, which is the first image displayed when turning on the phone, (the default image is on the left), there is an alternate image (on the right) which can be used by going to seem "004a_0001" at offset "1C0" and setting it to "01".



Now if you want to use any image you want as a splash screen, continue reading...



How to find & replace the splash screen image.


We're going to change the splash screen, or as some call it the boot screen on the V3i.   This is the very first image that is displayed when turning on the phone.   Now that we can remove RSA protection from the phone, we can finally swap out the HelloMoto or the Welcome screen with any image we want.

My instructions come from the guide that Kirklestat made for the L7 right here.   Those instructions work just fine for the V3i, the only difference being you must determine what the hex address is of your splash screen.   To do that we will need a program called the Samsung Flash Imager.   You can get that right here.   You will also need the Motorola Boot Screen Replacer program which is available right here.

If you already know the hex address(es) for your splash screen(s) then scroll down the page until you see the section for replacing the splash screen image.


Start the Samsung Flash Imager.   Since everything in this program displays in gibberish, I'll describe what button you need to push to get through this.   You'll see this screen first, just click the button on the lower left to close it.




Here is the program screen.




Now click on the "Oaee" menu and select the first item in the list with the word flash in it.   You are going to find your 2.bin file at this point.




Locate your 2.bin file, select it and click the "Open" button.




Go to this drop down box and select the last option "16bpp".




Enter the values "176" and "220" in these two boxes manually.   The up and down arrows won't raise the numbers that high.




I had to go back to the color drop down box and reselect "16bpp" to get the program to display the 2.bin file.   You will now see a mess of color on both screens.




Now use that group of eight buttons to find your HelloMoto or Welcome splash screen.   You only need to do this if you do not know the hex address for your splash screen(s) for your particular firmware.

The first pair of buttons skip hex addresses quickly.   The left button goes down in value and the right button goes up in value.

The second pair of buttons moves any displayed image (in both windows) up and down.

The third pair of buttons moves any displayed image (in both windows) left and right.

The fourth pair of buttons change hex addresses one digit at a time.   The left button goes down in value, and the right button goes up in value.




I clicked the upper right button (since it skips addresses the quickest) until I got to hex address "53E580", which is where I first saw the HelloMoto image.




I then clicked the lower left button, which reversed the color palette that I saw.




Now align the image so that its top left corner (which has an alignment pixel) is in the top left corner of the window it appears in.   You know you have it aligned correctly when you put the single green pixel in the top left corner on the big screen.   It may not look it, but it will display correctly on the phone.




Here's a close up of that alignment pixel.




Now that you've done this, make a note of the hex address.   You'll need this later.   In this case, the HelloMoto screen is at hex address "5355A1".   Remember this address is only for the "A1R" firmware.   I tried to find the address for the Welcome splash screen, but didn't see the alignment pixel.   If you are using the Welcome screen, you could just do the seem edit to set this back to the HelloMoto splash screen.   To do this download seem "004a_0001" and at offset "1C0" change the setting to "00".

Once you have your address(es), just close the program from the top right corner of the screen.   Don't click any other buttons!


Replacing the splash screen image

For this step you will need the Motorola Boot Screen Replacer program which is available right here.   Now go to the folder where you downloaded the Motorola Boot Screen Replacer program.   You might want to put the image that you want to swap out in this folder.   Your image must be a bmp.




Now double click the "offset.ini" file so you can edit it in notepad.   If you have "A1R" firmware, then type exactly what I entered here, if not, then put your firmware code where "A1R" is and put your unique addresses where mine are. In my case, since I didn't care about the Welcome screen I actually left this address blank (the Welcome screen address is here for illustration purposes though).   I just wrote "Welcome=".   Don't forget to save the file.




Start the Motorola boot screen replacer program.   Make sure you check the radio button at the very top for "Change image in firmware".   Also be sure to check the radio button for "176x220".




Click the folder icon by the number 1 text box and look for your 2.bin file.




Go to the number 2 text box and choose your phone profile.




You should now see your current splash screen displayed on the right.




Click the "Load from file..." button and find your replacement splash screen image.






Click "Save flash" and you will get a confirmation pop up saying "OK!" so click the "OK" button and close the program.

Start Random SHX Toolkit to recompile your bins into an shx and reflash your shx.   I used Flash & Backup 3.   I like this method because since you have a compiled shx you can just flash the CG1 which won't take as long.   I named my file something unique so that I always know what mods I've done to the monster pack.




If you flash with Flash & Backup 3, your phone will most likely display "CRITICAL ERROR 84" very briefly.   Don't worry that's just a checksum error.   In a few seconds your phone should beep and restart and work fine.   This happened to me too a few times.

You could also use RSD Lite to put on your new monster pack, the only difference is you can't select what code groups you want to flash, you'll just have to flash the whole thing.




Compile your own DRM icon set

I have this page outside of the mods section because the instructions are so lengthy and overloaded with lots of screen shots. I don't think I'll cover how to create the actual graphics that go into a DRM icon set, but I will show you how to replace images in a DRM set and then recompile and flash them onto your phone.

There are some great looking DRM sets out there being made and in my case I liked elements of several and wanted to combine the best graphics into one DRM.   I used the Duracell battery (which is way cool) from the "Cocktail" DRM made by "DataFanatic".   I used the signal strength graphics from the unnamed DRM by "Supshow" and finally I used the speaker icons (which aren't all customized) from the "Dark" DRM made by "DarkPreacher".   Everything else remains stock.   There is a picture below of what this looks like on my phone and I have a link where you can download this DRM icon set.

These instructions were originally posted by "MotoX" in this thread.   So a big thank you to "MotoX" for figuring this out for all of us!   If you go to that thread you can get a stock DRM file to work with which I'll reference throughout these instructions.

Launch SHX CoDec which you can download here, and click the "Split source SHX file".



Now find the reflash file you got from the thread above and click "Open".



The "CG15" section is already highlighted, so click "Edit".



This window will now open. Click the "Parse" button.



You'll get an information window on the path to your parsed file.





Now pick the graphics you want to replace by scrolling through the list.   In my case I'm going to start replacing the outer battery icons.   I'm only going to show how to replace this one graphic, simply repeat these steps until you are done swapping out all the graphics you want.

Find the graphic you want, here it's image number 329.   Click the "Replace" button.



Now find the graphic you want to take its place and click "Open".



Your new graphic will now appear in the preview window.   I've just swapped out my first graphic.



When you are done swapping out your graphics click on "Save changes".



Make sure you save this file as the same CG15 file you just parsed.   Just don't rename it and you'll be fine. Here is the folder of my original reflash file and all the extra files SHXCoDec made.   There is only one CG15.smg file here.   Make sure yours has this exact same name when you save it.   It should by default.



Here is your save as dialog box again showing the correct file name to be saved.



Launch Random's SHX Toolkit, which you can download here, and click the button labeled "Extract BIN files from SHX".



Now find your original .shx that you split the source on earlier using SHX CoDec and click "Open".



The program will now extract three .bin files and one .lst file and put them into a subfolder called "Extracted Bin" where your .shx file was.



These are the files in that new folder.



Go back to the folder where your original .shx and your newly resaved CG15.smg file are.   You need to rename the CG15.smg file to the same thing as one of the files in the extracted bin folder.   It needs to be renamed to "R479_G_08.B4.34R_CG15_drm_reflash_MOTOX2.bin".   When you've renamed it, put it into the extracted bin folder, which will overwrite the existing file there.

Launch Random's SHX Toolkit and click "Create SHX file from BINs" then find the .lst file in your extracted bin folder, then click "Open".



The program will now make the new .shx and put it into the extracted bin folder.



Launch RSD Lite and flash this .shx.   The flash will fail and give you two important checksums.



If you can't get to the checksums in the RSD Lite program then you need to track down your error log file for this information.   Just go to wherever your RSD Lite program is installed at.   Here is my log file in the folder.



I opened the log file with Notepad.   The critical information to know is underlined in red.   The checksum for your flash file is "0xC5A7", and the checksum of the phone is "0xD72B".



My flash failed because the file had a checksum of "0xC5A7" and the phone's checksum is "0xD72B".   So all we do is change the file checksum to match the phone's checksum.   The file's new checksum will be "0xD72B".

I'm highlighting the file you need to open up with XVI32.   It will be in your extracted bin folder.



Now that you've opened the file go to offset "5A8".   Here I have the value "A7" and in offset "5A9" the value is "C5".   Those are the values from the error log for this file.   This is not a coincidence.



What you need to do now is look at the error for the phone checksum, which in my case is "0xD72B".   Now in offset "5A8" I will enter "2B", and in offset "5A9" I will enter "D7".   All I did here was take the last 4 digits in the checksum, break them into pairs and reverse their order and then enter them into the editor.   Your numbers will most likely be different than mine so consult your error log and just do what I did.

If you get a checksum error that appears to be missing a character like "0x55C" then all you need to do is add a "0" after the "x" and follow the steps above.

Now save the file.
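The checksum edit described above, written as a checked byte patch (an added example, not part of the original guide or of any tool it mentions). It takes the two checksums exactly as the log shows them, zero-pads a short value such as "0x55C", and refuses to write unless the bytes already at the offset match the file checksum from the log. The function names and the sample buffer are constructed; offset "5A8" is the one given in the text for this particular file.

```python
# Added example: replace the stored 16-bit checksum, low byte first, as the
# text describes. SAMPLE_FILE is a constructed buffer, not real firmware.

CHECKSUM_OFFSET = 0x5A8   # offset given in the text; may differ for other files


def checksum_bytes(text):
    """'0xD72B' -> b'\\x2b\\xd7'; a short value like '0x55C' is padded to 055C."""
    digits = text.strip()
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    if not digits:
        raise ValueError("empty checksum")
    digits = digits[-4:].rjust(4, "0")          # last four hex digits, zero-padded
    return int(digits, 16).to_bytes(2, "little")  # pairs stored in reverse order


def patch_checksum(image, file_sum, phone_sum, offset=CHECKSUM_OFFSET):
    """Return a copy of image with the checksum at offset replaced.

    Raises ValueError if the bytes currently at offset are not the file
    checksum reported in the log (wrong file, wrong offset, or already patched).
    """
    old, new = checksum_bytes(file_sum), checksum_bytes(phone_sum)
    if len(image) < offset + 2:
        raise ValueError("file is too short to contain the checksum field")
    current = bytes(image[offset:offset + 2])
    if current != old:
        raise ValueError("expected %s at 0x%X, found %s"
                         % (old.hex(), offset, current.hex()))
    patched = bytearray(image)
    patched[offset:offset + 2] = new
    return bytes(patched)


# Constructed sample: 0x600 zero bytes with checksum 0xC5A7 stored as A7 C5.
SAMPLE_FILE = bytearray(0x600)
SAMPLE_FILE[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2] = b"\xA7\xC5"

if __name__ == "__main__":
    result = patch_checksum(SAMPLE_FILE, "0xC5A7", "0xD72B")
    print(result[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2].hex())
```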



Launch Random's SHX Toolkit and click "Create SHX file from BINs" then find the .lst file in your extracted bin folder, then click "Open".



The program will now make the new .shx and put it into the extracted bin folder.   When it's finished launch RSD Lite and flash your .shx file again.



Here is what my mixed collection of DRMs turned out looking like:



If you want this DRM icon set that I made you can download it here.   I also removed the static and animated Hello Moto graphics (#s 8, 454, 1482 and 1600).   You will however still see the Hello Moto splash screen which no one has figured out how to get rid of yet.

If after flashing you find some icons on your phone are missing then your CG15 file is too big.   You fix this by deleting some graphics you won't mind losing.   There are many unneeded graphics in that CG15 file.   Just make up a 1 pixel by 1 pixel transparent graphic and put this graphic in the place of other graphics.   When you've replaced enough graphics, your flash will work correctly.   I had to do this and I replaced about 15 graphics in the 1900 section.

Here are some of the more common numbers for graphics and their dimensions:

Battery, inner display (22x15)
329 - empty
330 - empty, charging
331 - 1 bar
332 - 1 charging
333 - 2 bars
334 - 2 bars, charging
335 - full
336 - 3 bars, charging

Battery, outer display (14x11)
663 - empty
605 - 1
606 - 2
607 - full

Signal strength, inner display (22x15)
403 - 0 bars
411 - 1 bar
412 - 2 bars
413 - 3 bars
414 - 4 bars
415 - full bars

Signal strength, outer display (19x11)
590 - 0
591 - 1
592 - 2
593 - 3
594 - 4
595 - full

Ring Styles (19x15)
416 - loud
417 - soft
418 - silent
419 - vibe
1569 - vibe then ring
1678 - vibe & ring

The only tips I can pass along on making your own icons are to make sure they have a transparent background unless your icon fills the dimensions that it is allowed to have.   Make sure all your images are .gif files.






This ends the "mods3" section of this tutorial.


