Guide: "RSA Removal for Dummies" and more

[overgrownmoose]

Well, I promised poetic_folly a nice guide with screenshots and here it is. Cheers! :beerchug:

This should be attempted by advanced users only. If you're new to modding don't come crying to me if you brick your phone. In fact I (or anyone at ModMyMoto) won't be responsible for ANYONE bricking their phone when attempting this. That being said, it's actually very easy to do as long as you follow the screenshots and instructions.

RSA Protection has been successfully removed from R479, R47A, and R4441D phones.
This particular guide is confirmed to work with:
R4441D_G_08.01.03R (me)
R4441D_G_08.02.05R (ArcherIV)

This has been comfirmed not working with bootloader OA.52

Programs I'm using:
Flash&Backup 3.0.058
Random's LTE2 RSA Remover
XVI32 (hex editor)

Let's dive on in!

1. Extracting the files to patch off of your phone.

Open Flash&Backup (I'll call this F&B from now on)
We need to create a backup of the files CG1, CG3, CG7, and CG18.
Plug your phone in and refer to the screenshot and instructions below.



1: Make sure you have all of the same boxes checked that I do.
2: Set backup format to SMG as shown
3: Click "Read Data"

NOTES: If you click on Settings in F&B, you can set the path to save your files. If you are using the free unregistered F&B, leave it open, you're going to use it again later.




2. Removing RSA Protection

Now we need to use Random's RSA Remover to get rid of the RSA Protection.

NOTE: Before you perform any modification, you should back up the unmodified files you just extracted in case something goes wrong.

Open Random's LTE2 RSA Remover.



1: It is VERY important that you have that value in that box
2: Press the "..." button and browse to wherever you saved CGs 1, 7, and 18, respectively and click open.
3: Click that button. It will appear that nothing happened (no popup window or anything). If you press the button again it will say the files cannot be patched. That's normal. Close the program.



3. Enabling the running of signed and unsigned CORElets

This next step is totally optional, but is required if you want to run iTunes or any other CORElets. It is also the "hardest" (it's still easy, just not as easy).

Open XVI32 and open your CG1.smg file.



Go to Search and click Find.

Write the following information in the Hex String box(1) and click OK:
B5 FF B0 91 20 00 90 05 90 04 27 0F 1C 1C 22 0C

The Search window will close and you will see a box highlighted in the background. (I highlighted the string we searched for in yellow) Click on any of the boxes and simply type to replace the information in it. You need to replace that string of bytes with:
B5 FF B0 91 20 00 E0 10 90 04 27 0F 1C 1C 22 0C (it is only neccesary to change the bytes that are different)

Do the same process for all of the following strings:

String: B5 F0 1C 0F 1C 06 1C 14 1C 10 49 4C B0 85 F0 01 FC 66 1C 05 D1 04 48 37 30 4C F7 BB F9 C4 E0 DD (For this string you will probably need to only search for the first half, because SOME OF THE BYTES WILL DIFFER. You ONLY NEED TO CHANGE THE LAST 2 BYTES THAT I HAVE BOLDED)
Replace with: B5 F0 1C 0F 1C 06 1C 14 1C 10 49 4C B0 85 F0 01 FC 66 1C 05 D1 04 48 37 30 4C F7 BB F9 C4 E0 DE

Find: B5 70 25 00 00 6B 18 1A 78 52 2A 01 D0 09 2A 02
Replace With: 20 01 47 70 00 6B 18 1A 78 52 2A 01 D0 09 2A 02

Find: 20 00 22 02 00 41 5C 6B 2B 05 D1 00 54 6A
Replace with: 35 01 22 03 00 41 5C 6B 2B 04 DA 00 54 6A

After you replace the specified strings, save the file and close XVI32.




4. Compiling a modified SHX file to flash.

Switch back to F&B3 and go to Firmware




Click Select RAMDLD (1) and browse to your F&B3 directory (standard is C:/Program Files/Random's Developments/Flash&Backup 3) then open the "Loaders" folder. Choose the file "V3i (0A40).ldr" and click open.
A box will then open asking you for a starting address. Enter 03FC8000 and click OK.
Click on Add (#2 in previous screenshot), navigate to the CG file you want (you'll need to add all of them) and you will get a box that looks like:



Use the previous screenshot to determine the starting address (the "start addr" column in #3) for the CG you chose when you clicked add. Make sure in the Code Group list you pick the CG that corresponds to the CG you loaded up.

Do this process for all CGs. Verify that your screen looks like my first screenshot for this section. Click "Save As" and name it whatever you want and save it where-ever you want. In the drop down box below the name, make sure it is set to save as an SHX file.


5. Flash the SHX with RSD Lite and you're done.

Later I may add an iTunes how-to and a bootscreen image replacement how-to (I actually haven't done this myself yet)

Thanks go to:
Random, for his RSA Remover program and F&B3, Supshow @ MotoX for his guide, and the smart-clip team for discovering how to remove RSA Protection.

Installing iTunes:
You must first remove the RSA per the instructions above (must have performed step 3). I have successfully tested this with iTunes Revolution and Vassio iTunes.

What you need: (you can find these in the download section)
MotoMidMan (under programs)
iTunes of your choice. (under Java Apps)

Open MotoMidMan and connect your phone.

Click Install, then go to "JAD file (recommended). Browse to the directory where you dowloaded iTunes and select the iTunes.jad file.


Go to "More", "Attributes". Then make sure the options "CORElet" and "Signed" are checked.

Then highlight iTunes and click the "Access" button in the bottom left corner and click "Enable". Restart your phone and you should have working iTunes without a song limit.

Whenever iTunes starts, play the beginning of 1 song (2 or 3 secs is sufficient) before you close it. Otherwise, you won't be able to reopen iTunes later. Sometimes you may experience a phone restart prior to iTunes finishing loading. This is because the iTunes programs are not optimized for the V3i. Just keep going, it will work eventually (it's restarted 2 or 3 times to me before)

[kirklestat]

nice share!

[adriangatillo]

well i´m sorry i´m still a noob but whats the deal with removing that freaking rsa??? okay lets supose i remove RSA FROM my r479 ??? then? whats new??

[overgrownmoose]

You can install hacked iTunes, you can change your "Hellomoto" bootloader image, and you can run R47A software on an R479 phone, just to name a few. Eventually we will be able to do other things with new software. Plus, it's just cool to be able to say "Hey man, I took the RSA Protection off of my V3i :cool23:"

[blake .l]

I followed the above instructions and my phone still works:corkysm21: but how can I tell if ive removed the RSA??

[kirklestat]

if you successfully flashed a patched MP to your phone and your phone boots then RSA is removed.

[blake .l]

I guess I must have done it right then.... I followed the above instructions and my phone still works... now I just need to figure out how to change the moto boot screen. I tried to do the bootloader downgrade like some of the tutorials say but I never could get it to downgrade the bootloader keeps giving error at 81% and says fail in rsd. I can open up the flip and it says criticle error??

[overgrownmoose]

I'm gonna get to work on a bootloader screen change tutorial pretty soon (gotta do it myself first though, lol). I'm also gonna do an install iTunes guide (very simple). Im just gonna tack them on to the end of this tutorial, so check back in a day or two.

[Kyle Matthews]

Great work moose man!

[overgrownmoose]

Thanks poetic!

[blake .l]

I'm gonna get to work on a bootloader screen change tutorial pretty soon (gotta do it myself first though, lol). I'm also gonna do an install iTunes guide (very simple). Im just gonna tack them on to the end of this tutorial, so check back in a day or two.

Thanks for the reply moose... Will check back soon.

[sstroud]

@blake

here is the guide for changing the Hellomoto screen

http://www.modmymoto.com/forums/showthread.php?t=7878

it actually points you to the L7 guide. the only difference is the hex address for Hellomoto and Welcome. at the end i posted the location for Hellomoto in R49A....A1R

[jpeel]

If you have ermoved the RSA from a phone allowing you to install a modified flash file, does that mean you could try to flash flex files from other phones that have the same hardware?

[blake .l]

@blake

here is the guide for changing the Hellomoto screen

http://www.modmymoto.com/forums/showthread.php?t=7878

it actually points you to the L7 guide. the only difference is the hex address for Hellomoto and Welcome. at the end i posted the location for Hellomoto in R49A....A1R

sstroud... Thanks for the link... Was wondering I've been told I was stuck with the HELLOMOTO screen since the bootloader cant be downgraded on the V3i w/itunes... Is this correct?? Can I still follow this guide??

[Archer]

Lovely guide. You're a genius. Confirmed to work with R4441D_G_08.02.05R too. Just done it

Stickied!!!!!!!!