In order to do this modification, you must have first removed the RSA from a monster pack. If you haven't done this yet then go to the very top of this page and follow the RSA removal instructions there.
There are some seems that control some functions that Motorola does not want anyone to alter. Normally we can download a seem and edit it to activate or deactivate a particular feature. Once we upload the edited seem back to the phone, it has been reprogrammed to do what we want. Well Motorola didn't want some things to be changed (like swapping out the HelloMoto splash screen for a custom image, or running unsigned CORElets, or increasing your iTunes song limit from 50 to 100 songs, etc.). That has now changed. I'm sure over time more and more discoveries will be made by some very smart, and dedicated people (in Russia most likely).
First open your CG1(the 2.bin file from your extracted bin folder) with XVI32. Next click on the "Search" menu and look for this hex string "00 00 00 00 00 00 00 00 00 AB 00".
Here's what the hex string looks like in context:
All the code that we will edit is in this same small section of the screen. You won't have to scroll beyond these lines I'm showing.
Now let's look at the four bytes of data preceeding this hex string. I'm talking about the code "10 0D 64 8B" which I've outlined in green.
Note that this code outlined in green will vary depending on the firmware version of the monster pack that you are editing. In this example I am editing "R47A_G_08.D8.A1R" firmware.
As a comparison, I also decompiled the "R47A_G_08.D8.3CR" firmware and when searching for the same text string "00 00 00 00 00 00 00 00 00 AB 00", the four bytes of code preceeding it had changed to "10 0D 66 73". The hex string is always the same, just the four bytes preceeding it is what you have to be looking for. Adapt the following instructions accordingly.
Ok, so think of this section of code "10 0D 64 8B" as a key that allows us to overwrite the data in an unprotected seem. Look again at the hex string outlined in blue for the code "00 AB". That's actually a seem name in there.
If you look at this screen full of code long enough, you should see a pattern emerge. I'm outlining in green every occurrence of that "key" that allows a seem to be overwritten. Every one of those green boxes has a 2 byte code, following that is a string of 0s with the name of a seem inside of it. So, in this example, seem "00AB_0001", seem "0230_0001", seem "0231_0001", and seem "035a_0001" can all be overwritten, they are all unlocked seems.
There are some other keys which are locking the seems they control. I'm outlining these keys in red. See the slight difference in the code between an unlocked seem and a locked seem?
To unlock the seems so they can be overwritten, merely change the keys in red to match the keys in green. In this case simply change some keys' last byte from "F7" to "8B", for other keys you must change their last two bytes from "63 DB" to "64 8B" and so on.
Got it? When you are done changing all the keys to an unlocked state, it should look like this:
Save the file when you are done. You have now modified your CG1. Now it's time to recompile your monster pack from earlier that had its RSA removed. Hopefully you have already put your CG1 back into the extracted bin folder it was in at the beginning of these instructions. Start Random SHX Toolkit. Click the "Create SHX file from BINs" button.
It will take a while to compile and when it finishes it will save the shx into your extracted bin folder. You might want to rename your file to something more descriptive before you flash it, just so you can keep track of that file.
Start RSD Lite and flash the file.
It failed the flash, but it did work on the phone. It failed because of a checksum error, not a big deal and it can be fixed. So now I have a V3i with the RSA removed and the CG1 modified to allow seem overwrites in critical areas.
If you ever flash new firmware to your phone you must repeat the process of breaking down the monster pack into code groups, removing the RSA from the three code groups, and then enabling seem overwriting ability. If you don't you may damage your phone.
Now it's time for the final step: modifying a single seem to allow for 100 songs on iTunes. I want to say thanks to "imit8" at the MotoX forums, he reported on more simplified instructions to make this mod work on the "R47A" phone.
Start P2KMan and download seem "0371_0001". There are two 32s in this seem and not much else.
Change both the 32s to 64s. Don't forget to save the file.
I then used P2Kman to upload the seem. If you didn't unlock the seems correctly earlier, P2Kman will not upload the seem, and the program will appear to hang.
I restarted my phone and iTunes now displayed the ability to play 100 songs! Here's the before and after images of my "About" menu in iTunes.
Here's iTunes uploading the songs. I checked to make sure it really played all 100 songs and it did!
Credits to Mark of Mark World.
07-09-2007, 11:18 AM
too bad..
Linear Mode
