How to remove RSA protection

Motorola uses RSA to protect code group 1 (CG1). CG1 contains the firmware for the phone. Now that the ability to defeat the RSA exists, many things can be altered on the phone. For example, you can change your splash screen image to anything you want, and run signed and unsigned CORElets.

I want to say thank you and mention as many of the people involved in this as I can, because without their work, none of us would be able to do this. I followed the instructions posted here at ModMyMoto. "Kirklestat" is the author of this particular guide, which was adapted from a guide written by "Archy" (in Russian), which can be found at http://forum.motofan.ru/index.php?showtopic=94215 on the Motofan forum. These instructions not only work on the L7, but also on the L6, V3i, and V360.

The first thing you must do is decide whether you want to alter a monster pack that you already have on your computer, or back up your phone and alter that monster pack. I decided to back up my phone in its current condition, with all the mods and everything else I like already in place.

Start Flash & Backup 3. Keep in mind, you must have the full version of this program. If you have not registered your version, then it will not create a complete backup for you and these instructions will not work.

Go to the "Active phone profile:" drop down box and select your phone. Click the "Read Data" tab just below and to the left. Go to the bottom of the code group list and check the "Select all" box. Go to the "Backup format:" drop down box and select "SHX (S-Records file)". Then click the "Read data" button at the bottom right.
You will get a status screen for each code group as it backs up the data.
When it finished backing up my phone, it left a file called "2007-01-21_234004.shx" in my backups folder in my Flash & Backup 3 program folder. You might want to rename your monster pack to something a bit more descriptive so you can keep track of what that file really is.

Now that we have a monster pack to work with, start Random SHX Toolkit. This will be used to take the monster pack shx file we just saved and break it down into its constituent code groups. Click the button "Extract BIN files from SHX".
You will then get a pop up window to navigate to where your monster pack file is. Once you find it, select it and click "Open".
You'll get a status bar while it extracts the files and then you'll get a pop up window when it's done. Click "OK".
Now go back to where your monster pack file was and you'll see a new folder called "Extracted Bin". Open this folder and you'll see all the files that make up a monster pack. The first file (and I'm only referring to the last character and extension of the file names, the previous characters will be different for everyone) is an .lst file. This contains information on all the other files in this folder along with their addresses. It serves as a checklist for the Random SHX program so that it can recompile these files back into a single monster pack file (shx). The rest of the files in order are:

0.bin This is the header.
1.bin This is the RAMdlr.
2.bin This is the CG1, or code group 1. This is the firmware of the phone, and the file we will be editing.
3.bin This is the CG2, or code group 2. This is the flex.
4.bin This is the CG3, or code group 3. This is the DSP firmware.
5.bin This is the CG4, or code group 4. This is the language pack.
6.bin This is the CG7, or code group 7. This is the digital signature.
7.bin This is the CG15, or code group 15. This is the DRM.
8.bin This is the CG18, or code group 18. This is another digital signature.
Start Simple RSA LTE2 Remover. You can get the program here. In the text box by #2, make sure you enter "11F80000".
Now click the button "..." next to the "CG1:" text box. You will then get a pop up window to navigate to where your 2.bin file is. Once you find it, select it and click "Open".
Now click the button "..." next to the "CG7" text box. You will then get a pop up window to navigate to where your 6.bin file is. Once you find it, select it and click "Open".
Now click the button "..." next to the "CG18" text box. You will then get a pop up window to navigate to where your 8.bin file is. Once you find it, select it and click "Open".
Your program screen should now look like this:
Now click this button (which is below the "CG18" text box):

At this point the RSA is now removed. You can now close the Simple RSA LTE2 Remover program.

Once you have applied RSA patched firmware to your phone, take care before flashing a language pack or a DRM (or even a font if you are really paranoid): split the shx file first and check that there is no CG7 included in it. Some of these files will have a CG7 combined with them. If a CG7 is present, remove it and recompile the file with only the code group you want to flash.

If you want to continue with modifying the splash screen, then click here to go to the next step. Otherwise, perform the following steps to create a monster pack with no RSA.

Now we have to recompile all the .bin files into a monster pack so we can flash the phone. Start Random SHX Toolkit again. Now click the "Create SHX file from BINs" button.
The open pop up window will appear. Navigate back to your extracted bin folder and click on the only file that should appear. This is the .lst file. Select it and click "Open".
It will take some time to recompile. The new shx file will be saved in the extracted bin folder. In my case the new monster pack is called "2007-01-21_234004.shx". Not too helpful. You may want to rename this something like RSA removed monster pack so you know what it is.
Start RSD Lite and click the "..." button after your phone is recognized. This will make the open file dialog box appear. In this picture I have already renamed my file "2007-01-21_234004.shx" to "RSA removed L7.shx".
The flashing process failed, because of a checksum error (which I understand is
common with a non RSA monster pack), but my phone restarted and it worked just
fine. At this point you have a phone with its RSA removed.
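
The advice above to split an shx file and check what it contains before flashing can also be followed by reading the file directly. The script below is an added example, not part of the original guide or of any tool it names; it assumes the shx is plain Motorola S-record text (as the "SHX (S-Records file)" backup format suggests), and the sample records and addresses are constructed.

```python
ADDR_LEN = {"S1": 2, "S2": 3, "S3": 4}  # address bytes per data record type

def parse_record(line):
    """Return (type, address, data) for one S-record; raise ValueError if bad."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or len(line) % 2:
        raise ValueError("malformed record")
    raw = bytes.fromhex(line[2:])          # count, address, data, checksum
    count, body, checksum = raw[0], raw[1:-1], raw[-1]
    if count != len(raw) - 1:
        raise ValueError("byte count mismatch")
    if (~(count + sum(body)) & 0xFF) != checksum:
        raise ValueError("checksum mismatch")
    n = ADDR_LEN.get(line[:2], 0)          # 0 for S0 header, S5 count, S7-S9 end
    if len(body) < n:
        raise ValueError("record too short for its address")
    addr = int.from_bytes(body[:n], "big") if n else None
    return line[:2], addr, (body[n:] if n else b"")

def regions(text):
    """Merge all data records into sorted (start, end_exclusive) ranges."""
    spans = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            _, addr, data = parse_record(line)
        except ValueError as exc:
            raise ValueError("line %d: %s" % (lineno, exc)) from None
        if data:
            spans.append((addr, addr + len(data)))
    merged = []
    for start, end in sorted(spans):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

# Constructed sample (not from a real phone): two adjacent records, one separate region.
SAMPLE = """S0030000FC
S3091000000001020304DC
S3091000000405060708C8
S30710020000AABB81
S70500000000FA"""

if __name__ == "__main__":
    for start, end in regions(SAMPLE):
        print("%08X-%08X  %d bytes" % (start, end - 1, end - start))
```

Each printed range is one contiguous block of data in the file. Comparing the ranges against the addresses recorded in the .lst file shows which code groups a downloaded shx really carries.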
Change the start up splash screen

The Motorola splash screen is the first image displayed when turning on the phone (the default image is on the left). There is an alternate image (on the right) which can be used by going to seem "004a_0001" at offset "1C0" and setting it to "01".
Now if you want to use any image you want as a splash screen, continue reading...

How to replace the splash screen image

We're going to change the splash screen, or as some call it the boot screen. This is the very first image that is displayed when turning on the phone. Now that we can remove RSA protection from the phone, we can finally swap out the HelloMoto or the Welcome screen with any image we want. My instructions come from the guide that Kirklestat made right here. You will need the Motorola Boot Screen Replacer program which is available right here.

Now go to the folder where you downloaded the Motorola Boot Screen Replacer program. You might want to put the image that you want to swap out in this folder. Your image must be a bmp.
Now double click the "offset.ini" file so you can edit it in notepad. Depending on what firmware you have, you must enter the following data into the .ini file exactly as it appears here:

[L7 R4513...ABR]
Hellomoto=534443 - you can also try "5345A3"
Welcome=52043D - not yet confirmed.

[L7 R4513...ACR]
Hellomoto=534767
Welcome=520601
If you select this for your flash type and the image is not centered on the screen, do not proceed!

[L7 R4513...DCR]
Hellomoto=539BB7
Welcome=525A51
If you select this for your flash type and the image is not centered on the screen, do not proceed!

[L7 R4513...DER]
Hellomoto=539C37
Welcome=525AD1
If you select this for your flash type and the image is not centered on the screen, do not proceed!

[L7 R4517...1ER]
Hellomoto=53A5BF
Welcome=526459
Perform this at your own risk!

When you are done, don't forget to save the file.
If you do not see your firmware listed then you will have to use the Samsung Flash Imager program here. Start the Samsung Flash Imager. Since everything in this program displays in gibberish, I'll describe what button you need to push to get through this. You'll see this screen first, just click the button on the lower left to close it.
Here is the program screen.
Now click on the "Oaee" menu and select the first item in the list with the word flash in it. You are going to find your 2.bin file at this point.
Locate your 2.bin file, select it and click the "Open" button.
Enter the values "176" and "220" in these two boxes manually. The up and down arrows won't raise the numbers that high.
Go to this drop down box and select the last option "16bpp".
You will now see a mess of color on both screens.
Now use that group of eight buttons to find your HelloMoto or Welcome splash screen. You only need to do this if you do not know the hex address for your splash screen(s) for your particular firmware.

The first pair of buttons skip hex addresses quickly. The left button goes down in value and the right button goes up in value.
The second pair of buttons moves any displayed image (in both windows) up and down.
The third pair of buttons moves any displayed image (in both windows) left and right.
The fourth pair of buttons change hex addresses one digit at a time. The left button goes down in value, and the right button goes up in value.
I clicked the upper right button (since it skips addresses the quickest) until I got to hex address "53E580", which is where I first saw the HelloMoto image.
I then clicked the lower left button, which reversed the color palette that I saw.
Now align the image so that its top left corner (which has an alignment pixel) is in the top left corner of the window it appears in. You know you have it aligned correctly when you put the single green pixel in the top left corner on the big screen. It may not look it, but it will display correctly on the phone.
Here's a close up of that alignment pixel.
Now that you've done this, make a note of the hex address. You'll need this later. In this case, the HelloMoto screen is at hex address "539BB7". Remember this address is only for the "DCR" firmware.

I tried to find the address for the Welcome splash screen, but didn't see the alignment pixel. If you are using the Welcome screen, you could just do the seem edit to set this back to the HelloMoto splash screen. To do this, download seem "004a_0001" and at offset "1C0" change the setting to "00".

Once you have your address(es), just close the program from the top right corner of the screen. Don't click any other buttons!

Start the Motorola boot screen replacer program. Make sure you check the radio button at the very top for "Change image in firmware". Also be sure to check the radio button for "176x220".
Click the folder icon by the number 1 text box and look for your 2.bin file.
Go to the number 2 text box and choose your phone profile.
You should now see your current splash screen displayed on the right.
Click the "Load from file..." button and find your replacement splash screen image.
Click "Save flash" and you will get a confirmation pop up saying "OK!", so click the "OK" button and close the program.

Start Random SHX Toolkit to recompile your bins into an shx and reflash your shx. I used Flash & Backup 3. I like this method since, once you have a compiled shx, you can just flash the CG1, which won't take as long. I named my file something unique so that I always know what mods I've done to the monster pack.
If you flash with Flash & Backup 3, your phone will most likely display "CRITICAL ERROR 84" very briefly. Don't worry, that's just a checksum error. In a few seconds your phone should beep and restart and work fine. This happened to me too a few times. You could also use RSD Lite to put on your new monster pack. The only difference is that you can't select what code groups you want to flash; you'll just have to flash the whole thing.