 | RSA patch for motorola flash neptune LTE2 phones |
Warning: not for newbies, don't try if you are not experienced modders.
Warning: It seems that this RSA patch does not work on phones with 09.02 bootloader.
Steps to patch RSA:
1. download & install RandomRSA2;
2. split firmware/monsterpack using RandomSHX or SHXCodec;
3. open CG1, CG7 and CG18 in RandomRSA2, then click "patch RSA" button;
4. (do whatever change you want in CG1, such as replace hellomoto splash picture, change firmware version, change system sounds, etc)
- replace bootscreen picture
5. use RandomSHX or Shxcodec to replace modified CG1, CG7, CG18 in the shx file, and compile a new shx MP.
6. flash the new shx using RSD Lite.
Download:
RandomRSA2: [4shared]
RandomSHX: [4shared]
SHXCodec: [4shared]
| Sponsors links: |
60 comments:
Post a Comment or Discuss in forum
So some dumb noob question. What is RSA on a Motorola phone? Does it just prevent modders from hacking the firmware (CG1)? And this new patch will allow us to make hacks now?
Also, does Neptune LTE2 phones just refer to a family of Motorola phones of some sort?
Thanks...
Yuet i know this is off this subjuct, but i was wondering how u put custom start up & shut down & flip open & close sounds.
thanx,
babyhuye
jerry, RSA on a moto phone is the signature that used to verify the firmware (CG1) or PDS (CG6). This trick will bypass the checking of RSA signature of CG1, so we can hack CG1. LTE2 is a type of flash rom used in a family of moto phones. Older phones have Neptune LTE flash rom.
babyhuye, for custom startup/shutdown sounds, you can find the guide in this post. for flip open/close sounds, you need to install MediaViewer. Detail at this post.
Yo Yuet!
Ok, so here i am flashing/flexing/modding DRM's/seem editing/changing it to a L7 and what happens? she lays down on me. V360, 08.A0 bootloader, dosent do anything until you remove the battery then it will light up keypad for 2 seconds when you press the power button, but only once. i took a guess at putting it into program mode and flashed with a MP of somesort and it did nothing to help. i bought a new flex ribbon cable because i thought that might be worn out. still no help. It won't go into bootloader, won't display anything just flash a lil after u remove battery!, Tell me Yuet, have i bricked it or is there a way to revive this soldier? thank a million for all you do bro. TroY
blayze420, what did you do to make ur phone in such state? Try this. switch it off, then press and hold * and # keys then power on your phone to go into bootloader mode. (if you can't switch if off, remove the battery, then hold the # and * keys, then put back the battery.) If you can get there, connect your phone and flash a MP using rsdlite again. you may also want to try using different USB port. Good luck!
i did that and assume it was in bootloader mode cause rsd showed connected. so i flashed it with what i had handy which i think was the Kaiser-v2ok Mp. it went thru the whole process and said PASS at the end. keep in mind i cannot see the display at this time cause i thought my flex cable was bad. when i got my flex cable and installed it, i still had no display. I believe i can get it into bootloader mode by removing batt then holding #-* and so on. at that point is there some factory firmware or sumn that might bring this puppie outta its coma? and have you ever dealt much with the mpx220? i got one i need unlocked from cingular. Onward thru the Fog! TroY
TroY, what do RSDLite detect about your phone? "flash neptune LTE2" or "blank neptune LTE2"? Please try to flash to 56R firmware.
I don't know anything about mpx220.
Succesfully removed RSA on ABR, B7R, and heard they removed it on AER.
Also on B7R I was able to get iTunes and Mediaviewer working. But I'm still trying to see if there is a way to enable ringtones from transflash.
UGunit
UGunit, wow!! you rock. How did you get iTunes/MV on B7R? I haven't had time to dig into it yet.
Hey Yuet, thanks for the compliment. To get itunes to work on B7R I followed the procedures to patch the RSA. Then I used this guide on Running signed and unsigned CORElets
The steps are:
Open CG1 in hex editor.
1. Find the following string:
B5 FF B0 91 20 00 90 05 90 04 27 0F 1C 1C 22 0C
replace with:
B5 FF B0 91 20 00 E0 10 90 04 27 0F 1C 1C 22 0C
2. Find(specific for B7R)(Change bold):
B5 F0 1C 0F 1C 06 1C 14 1C 10 49 4C B0 85 F0 01 FC 56 1C 05 D1 04 48 37 30 4C F7 BD F8 0C E0 DD
Modify the string:
B5 F0 1C 0F 1C 06 1C 14 1C 10 49 4C B0 85 F0 01 FC 56 1C 05 D1 04 48 37 30 4C F7 BD F8 0C E0 DE
3. Find:
B5 70 25 00 00 6B 18 1A 78 52 2A 01 D0 09 2A 02
Replace with:
20 01 47 70 00 6B 18 1A 78 52 2A 01 D0 09 2A 02
4. Find:
20 00 22 02 00 41 5C 6B 2B 05 D1 00 54 6A
Replace with:
35 01 22 03 00 41 5C 6B 2B 04 DA 00 54 6A
5. Save changes, generate reflash and install using RSD Lite.
Now after that install itunes/mediaviewer but make sure that they are signed
Have Fun Modding
UGunit
UGunit, thanks for the info. I also found such info before u replied, and I am testing it on anohter firmware (0fr). the result of first test is a bricked phone. :) trying 2nd test.
Yuet could it be possible to add a new video player to play full screen and to fast forward?or at least to open photos in full screen?
Success I got acess to the filesystem and itunes running on 0fr. If you are using Shxcodec try using randomshx, it will take longer though. But if you do use randomshx make sure you use a full mp(lang pack included).
Hope it Helps
P.S. I didn't know that 0fr has picture styles, thats somethiong thats new to me. Hope your trials are going good with v3.1.
Oh and I'm still looking for a way to enable ringtones from TF
UGunit
One problem though. i can't seem to access itunes from shortcuts. But it autostarts when I dont have my TF card in.
UGunit
UGunit, I can remove RSA check on 0fr (even without langpack in the MP), but not disable midlet permission check. Not quite understand why LP must be included. Anyway, continue testing...
UGunit, what do you mean by "picture styles" in 0fr? what options do you see?
UGunit, finally I get the patched CG1 flashed successfully. Is this patch for corelet only? I tried PhoneManager, but still get no access to the file system. and it seems no way to start iTunes. :) more job need to be done.
and how do u start mediaviewer? it shows me "please wait" forever after I select the iTunes shortcut.
Yuet, you are right I just checked phonemanager and wasn't able to get it working. But for some reason dictaphone works, I don't know why for now but I will also do more tests. Also itunes started by itself when I took the TF card out and restated the phone, but after I exited it I couldn't access it by shortcuts. I kept getting Please Wait... also. And the picture style under the camera menu when you are taking a picture. You can change stlye to black & white antique and so on.
Hope you figure something out.
UGunit
UGunit, thanks for replying. I think dictaphone works even when CG1 is not hacked. Can you start Mediaviewer? I thought that styles are for video recording only. are u sure you get it when taking photo?
I found an alternative method for permission. First upload this file into /a/mobile/certs/root/x509/kjava
http://savefile.com/files/439541
Then start the application that needs permissiom. And just exit it. Then select that app and click the menu button and go to permissions. Set all the permissions you need to never ask and the app will run with permission.
Hope it helps, now all we have to do is find out what is wrong with itunes.
UGunit
Yuet you are right about dictaphone, but did you try the above method for 0fr.
I havent tried to start MV.
Oh and I'm pretty sure about the image styles
UGunit
UGunit, yes, tried on 0fr, work very well. Thanks for the tip. Where did you get the 0fr firmware? I want to find out how the image styles works.
im glad to hear that it worked. Also Im using the 0fr firmware and flex from yuet v3.
UGunit
UGunit, thanks, I figure out the image styles. I am about to release v3.1, just some finishing touch.
I wish you the best of luck and hope to figure out this itunes thing.
UGunit
does this mean that for those of us that accidentally installed the locked t-mobile monster pack in the beginning.....that after running this patch, we can go back to the cingular monster packs if we want to?
For ex.
"R4517_G_08.C4.32R_LP0939_DRM0101_JPJAVA_G_08_L7_0 6_03_01R_SE1111AXXB7129_1FF.sbf"
^That pack came straight out of hell and once i installed it i have never been able to successfully flash to any other pack. I really dislike this one and would like to go back to the cingular MP but it will flash successfully then the phone will just stay stuck in bootloader mode...
Is this the cure?
and if not, is there a cure for this problem?
Edit/Delete Message
I am not sure whether this trick works for R4517 firmware. Even it works, this trick is not for removing sticky firmware. I am not familiar with cingular L7 (R4517), so I can't give any advice. I think no advice is better than bad advice.
He Yuet
Somebody managed to deactivate RSA on a firm AER.
I do not arrive there.
Hello!
Is there a program to easily let me edit CG1? I mean to change those system sounds and startup splash screen like SHXcodec does for DRM?
BTW, keep up the good work Yuet, as you've done by now.
max, I heard somebody had success with AER, the procedure is same, but I didn't try it myself.
lord dizzy, there are some program like Splash Replacer, system sound changer. I will write some guides on these topics.
yuet, can you make a Yuet 2.1 MP including RSA removing hack? i have tried many times and many ways to remove RSA signature of B7R but all fail.thanks
yeah, will do.
Has anyone been able to RSA patch e0r? or change system sounds editing CG1 or any other way? I have tryed custom sounds.. that doesnt work. Once attempting to RSA Patch the CG1 I opened CG1 in system sounds changer and it says no sounds found :(
Anyone? all i wana do is KILL the low battery alert... not worried about other sounds...
Yuet,
ABR firmware... RSA is possible right?
I wana edit system sounds... i tryed custom sounds but that doesnt work...
I dont kno if im doing this right but this is what im doing:
1. Split SMG's from SHX
2. Use RandomRSA2
3. Open system sounds changer... and open cg1.smg and then wait few mins and tells me no sounds found...?
Did the RSA patch not work?
Hey Yuet good news. They found a way to get itunes icon with the RSA hack.
Maybe this can help with v3 and other mps.
Also I tries this on B7R and it works
http://www.modmymoto.com/forums/showthread.php?t=10830
UGunit
yes, I saw it. will try to put in the MPs.
e0r-stickied/envi, I will try the system sound changer and let u know later.
Yuet, i have split firmware/monsterpack using SHXCodec but i cannot press the "patch RSA" button. Please help, heres a screenshot.
http://img74.imageshack.us/img74/7814/rsalte2errorci9.png
What firmware were u trying to patch? one of my MPs?
Yeah, i'm trying to patch one of your monster packs. The 3.1.
I have already patched rsa in v3.1. there's why you couldn't patch it again. :-)
Well is there any way which i can set my own hellomoto screen and change system sounds then?
yes, but they are long guides. I wil post the guides when I have the time.
Well unfortunately i dont have time. I need to do this as quick as possible while i still have this free time on hand.
Please dont take this in the wrong way. I acknoledge the time and effort you put into "modding" its just that i really need to know how to do this before hand. Cause then i will have no time to do it and go in depth. SO i will ask you nicely if you could at least post me a link to some relevant info on doing this. Doest have to be your guide, though i do find you guides the best and easiest to follow.
ANywayz reqardless, thanks with your past help and future comitments on modding.
Hey Yuet,
I did that guide with your Yuet Mod v.4.0 (for AER) and when RSD Lite v2.7 did a checksum it was an error.
Critical error 84
I did a re-flash with your original version of the MP and then it worked again.
Is it possible to make the AER MP compatible with iTunes or MediaViewer?
My bootloader is 09.02.
And is it possible to flash to an another flash, like 56R or something. I got an 56R flash on my computer but I don't know if I mess up my phone if im flashing the 56R firm.
Thanks, d3mon
d3mon, you have to stay with AER, unless you get rid of it first. RSA patch is not working on 09.02 bootloader.
Yeah so i followed the steps to remove the welcome and hellomoto picture(the boot picture), and i arrived here...to RSA patch...and i find out that this won't work on bootloader 09.02...well i've got this type of bootloader...did i hit a dead end?...is there no way to change those picture or there is another way?
PS: it's possible that i understood wrong...if i did, pls explain to me ;)
TNX
unfortunately your understanding is correct. no way out yet until we find the rsa patch for the 09.02 bootloader.
I tryed to split the firmware/monsterpack using RandomSHX, It seems to be ok, It was my first try, but the resuld was:
Extracted BIN:
2007-03-10_034606.lst
2007-03-10_0346060.bin
2007-03-10_0346061.bin
2007-03-10_0346062.bin
2007-03-10_0346063.bin
2007-03-10_0346064.bin
2007-03-10_0346065.bin
2007-03-10_0346066.bin
2007-03-10_0346067.bin
2007-03-10_0346068.bin
And I don´t know if this is ok, because I can´t find the CG1, CG7 y CG18 file that I need to use with RandomRSA2.
I tryed to split using SHXCoDec_266 but some mesegges aperars telling me: "Error loading MIDAS.DDL" so I could not use it anyway... If someone could help me... THX
pela, they should be the files with number 2, 6 & 8. It is better that you rename your file to a meaningful name before split it.
Doesn't SmartClip remove the RSA lock, or just patch it?
Before having access to SmartClip, I had removed RSA-locks from V360, V3, and L7 without knowing what RSA was. That was in February 2007.
when you said "removed RSA-locks from V360, V3, and L7". What do u exactly mean? What's the lock you were talking and how did you remove it?
About the RSA... i understand you can change the firmware's name? let's just say you turn your phone on in bootloader mode... it will say for example
Boot Loader
08.A0.
SW Version: R4531_G_08.B7.ABR
OK to Program
Connect USB
Data Cable
but i want it to say
Boot Loader
08.A0.
SW Version: HEFE's MP v1.0
OK to Program
Connect USB
Data Cable
for example.... how can i do that? pls i'm desperate....
10x in advance
HEFE
first you must remove the RSA protection in your firmware. to change FW name, open CG1 binary file in hex editor, search for the firmware name, then replace the original FW name. after that recompile the MP. The new FW name must not longer than the original one and should not have space. Instead, it should be sperate by underscore "_". such as HEFE_MP_v1.0
10x a million yuet
HEFE
Hi Yuet, i have a L7 with BL:09.02 Firm:4513_G_08.B7.DER_RB, and i want to know if it's possible patch the RSA, with your method. The phone will be ready to put Itunes icon?
Thanks!
PD:Sorry the english.
Gus
Gus, no, the patch is not working with 09.02 phone.
two things Yuet,
1) Can I use for v360 with Wolf MP1.2 F&B3 to remove RSA? If so do I tick checkbox for L2TE or just normal remove RSA? Can I use a normal jpg or gif file for the start up/boot and shutdown screen? I just want a nice pic that will take 1sec not forever.
2)Since F&B3 is trial is F&B2 fully free? If so are you able to give me a link if possible? As if my phone screw up past 30day etc trial I'm kinda in a hard spot as most would be.
Hey Yuet, I have got Wolf MP working, got this p2k as intermediate level now i would say, however for Phone Manager app, says access denied. Some people have posted some similar experiences however i'm wondering if using fb3 for my v360 to remove RSA lte2 method will make PhoneMan work? if not some say edit mma_ucp but some things are not clear, could you make an answer for this? I basically want to have a powerful admin like, file browser that allows you to send skins etc via bluetooth or browse without the pc. Thanks again.
hello yuet...
where could I get moto razr v3i monsterpack??
Post a Comment or Discuss in forum