Increase the "R47A" iTunes song limit to 100 songs

[Russoeternal]

In order to do this modification, you must have first removed the RSA from a monster pack. If you haven't done this yet then go to the very top of this page and follow the RSA removal instructions there.

There are some seems that control some functions that Motorola does not want anyone to alter. Normally we can download a seem and edit it to activate or deactivate a particular feature. Once we upload the edited seem back to the phone, it has been reprogrammed to do what we want. Well Motorola didn't want some things to be changed (like swapping out the HelloMoto splash screen for a custom image, or running unsigned CORElets, or increasing your iTunes song limit from 50 to 100 songs, etc.). That has now changed. I'm sure over time more and more discoveries will be made by some very smart, and dedicated people (in Russia most likely).

First open your CG1(the 2.bin file from your extracted bin folder) with XVI32. Next click on the "Search" menu and look for this hex string "00 00 00 00 00 00 00 00 00 AB 00".

Here's what the hex string looks like in context:



All the code that we will edit is in this same small section of the screen. You won't have to scroll beyond these lines I'm showing.

Now let's look at the four bytes of data preceeding this hex string. I'm talking about the code "10 0D 64 8B" which I've outlined in green.

Note that this code outlined in green will vary depending on the firmware version of the monster pack that you are editing. In this example I am editing "R47A_G_08.D8.A1R" firmware.

As a comparison, I also decompiled the "R47A_G_08.D8.3CR" firmware and when searching for the same text string "00 00 00 00 00 00 00 00 00 AB 00", the four bytes of code preceeding it had changed to "10 0D 66 73". The hex string is always the same, just the four bytes preceeding it is what you have to be looking for. Adapt the following instructions accordingly.

Ok, so think of this section of code "10 0D 64 8B" as a key that allows us to overwrite the data in an unprotected seem. Look again at the hex string outlined in blue for the code "00 AB". That's actually a seem name in there.



If you look at this screen full of code long enough, you should see a pattern emerge. I'm outlining in green every occurrence of that "key" that allows a seem to be overwritten. Every one of those green boxes has a 2 byte code, following that is a string of 0s with the name of a seem inside of it. So, in this example, seem "00AB_0001", seem "0230_0001", seem "0231_0001", and seem "035a_0001" can all be overwritten, they are all unlocked seems.



There are some other keys which are locking the seems they control. I'm outlining these keys in red. See the slight difference in the code between an unlocked seem and a locked seem?



To unlock the seems so they can be overwritten, merely change the keys in red to match the keys in green. In this case simply change some keys' last byte from "F7" to "8B", for other keys you must change their last two bytes from "63 DB" to "64 8B" and so on.

Got it? When you are done changing all the keys to an unlocked state, it should look like this:



Save the file when you are done. You have now modified your CG1. Now it's time to recompile your monster pack from earlier that had its RSA removed. Hopefully you have already put your CG1 back into the extracted bin folder it was in at the beginning of these instructions. Start Random SHX Toolkit. Click the "Create SHX file from BINs" button.



It will take a while to compile and when it finishes it will save the shx into your extracted bin folder. You might want to rename your file to something more descriptive before you flash it, just so you can keep track of that file.



Start RSD Lite and flash the file.



It failed the flash, but it did work on the phone. It failed because of a checksum error, not a big deal and it can be fixed. So now I have a V3i with the RSA removed and the CG1 modified to allow seem overwrites in critical areas.

If you ever flash new firmware to your phone you must repeat the process of breaking down the monster pack into code groups, removing the RSA from the three code groups, and then enabling seem overwriting ability. If you don't you may damage your phone.

Now it's time for the final step: modifying a single seem to allow for 100 songs on iTunes. I want to say thanks to "imit8" at the MotoX forums, he reported on more simplified instructions to make this mod work on the "R47A" phone.

Start P2KMan and download seem "0371_0001". There are two 32s in this seem and not much else.



Change both the 32s to 64s. Don't forget to save the file.



I then used P2Kman to upload the seem. If you didn't unlock the seems correctly earlier, P2Kman will not upload the seem, and the program will appear to hang.



I restarted my phone and iTunes now displayed the ability to play 100 songs! Here's the before and after images of my "About" menu in iTunes.



Here's iTunes uploading the songs. I checked to make sure it really played all 100 songs and it did!



Credits to Mark of Mark World.

[Archer]

Thanks! Yu're getting a pretty good hang at making this stuff huh lol

[dev.meena]

(like swapping out the HelloMoto splash screen for a custom image, or running unsigned CORElets, or increasing your iTunes song limit from 50 to 100 songs, etc.)
are the offset changes suggested by u only for these above said stuff or something newer than those??

[chiragsingh]

I dont mean to be rude or anything.its good to see this guide finally here at M3.this guide has been there at hackthev3i.com for quite sometime.i've even modded the V3i's of my friends using it.BUT good work anyways.it must have taken some time to make the whole guide.

[luciana]

hi i have the v3i cellphone with no itunes ..and the bootloader is 0a52 that means that i can´t have the itunes or what? or maybe another digital player please help me guys i´m new in this and but the way how can i use some skins i don´t know how to install them in my cell. thanks luciana

[Russoeternal]

I dont mean to be rude or anything.its good to see this guide finally here at M3.this guide has been there at hackthev3i.com for quite sometime.i've even modded the V3i's of my friends using it.BUT good work anyways.it must have taken some time to make the whole guide.

Of course MarkWorld = HacktheV3i

hi i have the v3i cellphone with no itunes ..and the bootloader is 0a52 that means that i can´t have the itunes or what? or maybe another digital player please help me guys i´m new in this and but the way how can i use some skins i don´t know how to install them in my cell. thanks luciana

Hmm you can't remove the RSA from your phone too bad..

[Sean]

well he could remove RSA off his fone but he would have to testpoint his fone and flash 0a.30 bootloader then remove rsa off some firmware and put it on

[Russoeternal]

Yes I agree, but is difficult for a newbie...

[DKGbond3]

hi i have the v3i cellphone with no itunes ..and the bootloader is 0a52 that means that i can´t have the itunes or what? or maybe another digital player please help me guys i´m new in this and but the way how can i use some skins i don´t know how to install them in my cell. thanks luciana

just get familiar with M3 and your v3i first....
read the guides here at M3 and try to understand sumthing if you can and start modding your fone only when you become sure taht yoiu can do it...or else...
the fate of your fone:

[Russoeternal]

Yeah that's right you can learn reading the guides

[brijeshpatel612]

everyone want know about modding the motorola v3i

[DKGbond3]

hey can anybody help me...???
i've followed the pr0cedure for rsa removal for my v3i as given jn the v3i guide section...
the flashing process showed fail in rsd lite..but i guess its the checksum rror as many have told me...
now i wnat to install the new versiones(hacked versions) of iTunes...but whenever i do that, after reboot i get INVALID FILE : iTunes...
and i get the confirmation box for deleting the corlet...

can sumbody tell me what's wrong wid my fone...????

[Tommylee567]

I also experience the same dumb thing like it happened for DKGbond3.
Can anyone explain why and how?
It's not only itunes but the rEaL wAlKmAn and itunes revolution doesn't work, but only the itunes 1.0.1f3 worked and it is locked into my phone.
Works great.
MotoMidlets was used to install and then the phone reboots with the error info 'Delete iTunes Revolution?' and i have to erase it.
I took off the RSA protection and also tweaked the iTunes to 100 songs, but no other java applications from this forum i have dloaded has worked.
My S/W is R47A_G_08.D8.85R - RSA taken off
Do u have any ideas why
Thanks

[DKGbond3]

I also experience the same dumb thing like it happened for DKGbond3.
Can anyone explain why and how?
It's not only itunes but the rEaL wAlKmAn and itunes revolution doesn't work, but only the itunes 1.0.1f3 worked and it is locked into my phone.
Works great.
MotoMidlets was used to install and then the phone reboots with the error info 'Delete iTunes Revolution?' and i have to erase it.
I took off the RSA protection and also tweaked the iTunes to 100 songs, but no other java applications from this forum i have dloaded has worked.
My S/W is R47A_G_08.D8.85R - RSA taken off
Do u have any ideas why
Thanks

my problem solved bro..

for RSA removal...check this guide..
surely it'll work...
"RSA Removal for Dummies" and more

any difficulties....just post ur questions...

do 1 thing...
connect ur fone in memory card mode...
delete the iTunesDB file from the tf
install iTunes (any hacked version) again and restart..
after restart, wait for sumtime so the iTunes can load...
then play any song for atleast 3 seconds...
(for playing a song.. you'll have to upload ur songs with desktop iTunes)

and let us know whatever happens...
best of luck
happy modding

[carnage]

SO is there any way for bootloader 0A52 razrs to get 100 song capability ?? guys ??

Please tell me how to replace this 0a52 bootloader ... i aint noob guys .. i just can't find tutorial