
Friday, January 19, 2007

RSA patch for Motorola Flash Neptune LTE2 phones
Well! Good day everybody. This is another milestone for Moto modders. A trick has been found to bypass the CG1 RSA check on Flash Neptune LTE2 phones. Bypassing the CG1 RSA check lets us modify the CG1 flash, which opens endless possibilities for modders. Random has developed a tool, "RandomRSA2", that patches code groups CG1, CG7 and CG18 so as to patch the RSA check. Confirmed working on V360, L7, L6 and V3i.

Warning: not for newbies; don't try this if you are not an experienced modder.
Warning: it seems that this RSA patch does not work on phones with the 09.02 bootloader.

Steps to patch RSA:

1. Download and install RandomRSA2.

2. Split the firmware/monsterpack using RandomSHX or SHXCodec.

3. Open CG1, CG7 and CG18 in RandomRSA2, then click the "patch RSA" button.

4. Make whatever changes you want in CG1, such as replacing the hellomoto splash picture, changing the firmware version, changing the system sounds, or replacing the bootscreen picture.

5. Use RandomSHX or SHXCodec to replace the modified CG1, CG7 and CG18 in the shx file, and compile a new shx MP.

6. Flash the new shx using RSD Lite.

RandomRSA2: [4shared]
RandomSHX: [4shared]
SHXCodec: [4shared]

6:42 AM, January 19, 2007 Jerry said...

So some dumb noob question. What is RSA on a Motorola phone? Does it just prevent modders from hacking the firmware (CG1)? And this new patch will allow us to make hacks now?

Also, does "Neptune LTE2 phones" just refer to a family of Motorola phones of some sort?


11:05 AM, January 19, 2007 Anonymous said...

Yuet, I know this is off this subject, but I was wondering how you put custom start up & shut down & flip open & close sounds.


1:18 AM, January 20, 2007 Yuet said...

jerry, RSA on a Moto phone is the signature that is used to verify the firmware (CG1) or PDS (CG6). This trick will bypass the checking of the RSA signature of CG1, so we can hack CG1. LTE2 is a type of flash ROM used in a family of Moto phones. Older phones have Neptune LTE flash ROM.

babyhuye, for custom startup/shutdown sounds, you can find the guide in this post. for flip open/close sounds, you need to install MediaViewer. Detail at this post.

5:07 AM, January 21, 2007 Anonymous said...

Yo Yuet!

Ok, so here I am flashing/flexing/modding DRMs/seem editing/changing it to an L7 and what happens? She lays down on me. V360, 08.A0 bootloader, doesn't do anything until you remove the battery; then it will light up the keypad for 2 seconds when you press the power button, but only once. I took a guess at putting it into program mode and flashed with a MP of some sort and it did nothing to help. I bought a new flex ribbon cable because I thought that might be worn out. Still no help. It won't go into bootloader, won't display anything, just flashes a little after you remove the battery! Tell me Yuet, have I bricked it or is there a way to revive this soldier? Thanks a million for all you do bro. TroY

11:23 AM, January 21, 2007 Yuet said...

blayze420, what did you do to get your phone into such a state? Try this: switch it off, then press and hold the * and # keys, then power on your phone to go into bootloader mode. (If you can't switch it off, remove the battery, then hold the # and * keys, then put the battery back.) If you can get there, connect your phone and flash a MP using RSD Lite again. You may also want to try using a different USB port. Good luck!

12:04 PM, January 21, 2007 blayze420 said...

I did that and assume it was in bootloader mode because RSD showed connected. So I flashed it with what I had handy, which I think was the Kaiser-v2ok MP. It went through the whole process and said PASS at the end. Keep in mind I cannot see the display at this time because I thought my flex cable was bad. When I got my flex cable and installed it, I still had no display. I believe I can get it into bootloader mode by removing the battery then holding #-* and so on. At that point is there some factory firmware or something that might bring this puppy out of its coma? And have you ever dealt much with the MPx220? I got one I need unlocked from Cingular. Onward thru the Fog! TroY

4:39 PM, January 21, 2007 Yuet said...

TroY, what does RSD Lite detect about your phone? "flash neptune LTE2" or "blank neptune LTE2"? Please try to flash to the 56R firmware.

I don't know anything about mpx220.

2:13 PM, January 22, 2007 UGunit89 said...

Successfully removed RSA on ABR and B7R, and heard they removed it on AER.
Also on B7R I was able to get iTunes and MediaViewer working. But I'm still trying to see if there is a way to enable ringtones from TransFlash.


5:57 PM, January 22, 2007 Yuet said...

UGunit, wow!! you rock. How did you get iTunes/MV on B7R? I haven't had time to dig into it yet.

1:37 PM, January 23, 2007 Ugunit89 said...

Hey Yuet, thanks for the compliment. To get iTunes to work on B7R I followed the procedure to patch the RSA. Then I used this guide on running signed and unsigned CORElets.

The steps are:
Open CG1 in a hex editor.
1. Find the following string:
B5 FF B0 91 20 00 90 05 90 04 27 0F 1C 1C 22 0C
Replace with:
B5 FF B0 91 20 00 E0 10 90 04 27 0F 1C 1C 22 0C

2. Find (specific to B7R; only the last byte changes, DD to DE):
B5 F0 1C 0F 1C 06 1C 14 1C 10 49 4C B0 85 F0 01 FC 56 1C 05 D1 04 48 37 30 4C F7 BD F8 0C E0 DD
Modify the string to:
B5 F0 1C 0F 1C 06 1C 14 1C 10 49 4C B0 85 F0 01 FC 56 1C 05 D1 04 48 37 30 4C F7 BD F8 0C E0 DE

3. Find:
B5 70 25 00 00 6B 18 1A 78 52 2A 01 D0 09 2A 02
Replace with:
20 01 47 70 00 6B 18 1A 78 52 2A 01 D0 09 2A 02

4. Find:
20 00 22 02 00 41 5C 6B 2B 05 D1 00 54 6A
Replace with:
35 01 22 03 00 41 5C 6B 2B 04 DA 00 54 6A

5. Save the changes, generate a reflash and install it using RSD Lite.

Now after that, install iTunes/MediaViewer, but make sure that they are signed.

Have Fun Modding
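A defender-side integrity check, added here as an example and not part of the post, of RandomRSA2 or of any other tool named above: it scans a CG1 image for the four original/patched byte pairs from the guide and reports the state of each site, and its byte diff also recovers which byte was bold in step 2 (DD to DE). The image it runs on is a constructed sample, not a real CG1.

```python
from typing import Dict, List, Tuple

# Find/replace pairs exactly as posted above (bytes.fromhex ignores the spaces).
PATCH_SITES: Dict[str, Tuple[bytes, bytes]] = {
    "site1_rsa": (
        bytes.fromhex("B5 FF B0 91 20 00 90 05 90 04 27 0F 1C 1C 22 0C"),
        bytes.fromhex("B5 FF B0 91 20 00 E0 10 90 04 27 0F 1C 1C 22 0C"),
    ),
    "site2_b7r": (
        bytes.fromhex("B5 F0 1C 0F 1C 06 1C 14 1C 10 49 4C B0 85 F0 01 "
                      "FC 56 1C 05 D1 04 48 37 30 4C F7 BD F8 0C E0 DD"),
        bytes.fromhex("B5 F0 1C 0F 1C 06 1C 14 1C 10 49 4C B0 85 F0 01 "
                      "FC 56 1C 05 D1 04 48 37 30 4C F7 BD F8 0C E0 DE"),
    ),
    "site3": (
        bytes.fromhex("B5 70 25 00 00 6B 18 1A 78 52 2A 01 D0 09 2A 02"),
        bytes.fromhex("20 01 47 70 00 6B 18 1A 78 52 2A 01 D0 09 2A 02"),
    ),
    "site4": (
        bytes.fromhex("20 00 22 02 00 41 5C 6B 2B 05 D1 00 54 6A"),
        bytes.fromhex("35 01 22 03 00 41 5C 6B 2B 04 DA 00 54 6A"),
    ),
}

def changed_bytes(name: str) -> List[Tuple[int, int, int]]:
    """(offset, original byte, patched byte) for every byte the patch alters."""
    original, patched = PATCH_SITES[name]
    return [(i, o, p) for i, (o, p) in enumerate(zip(original, patched)) if o != p]

def classify_site(image: bytes, name: str) -> str:
    """'original', 'patched', 'absent', or 'ambiguous' (a pattern seen more than once)."""
    original, patched = PATCH_SITES[name]
    counts = (image.count(original), image.count(patched))
    if counts == (1, 0):
        return "original"
    if counts == (0, 1):
        return "patched"
    if counts == (0, 0):
        return "absent"
    return "ambiguous"

def audit(image: bytes) -> Dict[str, str]:
    """Classify every site; any 'patched' entry means the CG1 check was tampered with."""
    return {name: classify_site(image, name) for name in PATCH_SITES}

# Constructed sample, not a real CG1: site 1 untouched, site 2 already patched.
SAMPLE_IMAGE = (b"\x00" * 64 + PATCH_SITES["site1_rsa"][0] + b"\xff" * 32
                + PATCH_SITES["site2_b7r"][1] + b"\x00" * 64)

if __name__ == "__main__":
    for site, state in audit(SAMPLE_IMAGE).items():
        print(f"{site:10s} {state:10s} changed={changed_bytes(site)}")
```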


6:44 PM, January 23, 2007 Yuet said...

UGunit, thanks for the info. I also found such info before you replied, and I am testing it on another firmware (0fr). The result of the first test is a bricked phone. :) Trying a 2nd test.

2:55 AM, January 24, 2007 Anonymous said...

Yuet, could it be possible to add a new video player to play full screen and to fast forward? Or at least to open photos in full screen?

8:43 AM, January 24, 2007 UGunit89 said...

Success! I got access to the filesystem and iTunes running on 0fr. If you are using SHXCodec try using RandomSHX; it will take longer though. But if you do use RandomSHX make sure you use a full MP (lang pack included).
Hope it helps.

P.S. I didn't know that 0fr has picture styles, that's something that's new to me. Hope your trials are going well with v3.1.
Oh, and I'm still looking for a way to enable ringtones from TF.


8:45 AM, January 24, 2007 UGunit89 said...

One problem though. I can't seem to access iTunes from shortcuts. But it autostarts when I don't have my TF card in.


2:27 PM, January 24, 2007 Yuet said...

UGunit, I can remove the RSA check on 0fr (even without the langpack in the MP), but not disable the midlet permission check. I don't quite understand why the LP must be included. Anyway, continuing testing...

6:10 PM, January 24, 2007 Yuet said...

UGunit, what do you mean by "picture styles" in 0fr? what options do you see?

8:42 PM, January 24, 2007 Yuet said...

UGunit, finally I got the patched CG1 flashed successfully. Is this patch for corelets only? I tried PhoneManager, but still get no access to the file system, and it seems there is no way to start iTunes. :) More work needs to be done.

9:08 PM, January 24, 2007 Yuet said...

And how do you start MediaViewer? It shows me "please wait" forever after I select the iTunes shortcut.

8:22 AM, January 25, 2007 Ugunit89 said...

Yuet, you are right, I just checked PhoneManager and wasn't able to get it working. But for some reason Dictaphone works; I don't know why for now, but I will also do more tests. Also iTunes started by itself when I took the TF card out and restarted the phone, but after I exited it I couldn't access it by shortcuts. I kept getting Please Wait... also. And the picture style is under the camera menu when you are taking a picture. You can change the style to black & white, antique and so on.
Hope you figure something out.


11:06 AM, January 25, 2007 Yuet said...

UGunit, thanks for replying. I think Dictaphone works even when CG1 is not hacked. Can you start MediaViewer? I thought that styles are for video recording only. Are you sure you get it when taking photos?

11:07 AM, January 25, 2007 UGunit89 said...

I found an alternative method for permission. First upload this file into /a/mobile/certs/root/x509/kjava

Then start the application that needs permission, and just exit it. Then select that app, click the menu button and go to permissions. Set all the permissions you need to never ask and the app will run with permission.

Hope it helps, now all we have to do is find out what is wrong with itunes.


2:29 PM, January 27, 2007 UGunit89 said...

Yuet, you are right about Dictaphone, but did you try the above method for 0fr?
I haven't tried to start MV.

Oh and I'm pretty sure about the image styles


12:18 AM, January 29, 2007 Yuet said...

UGunit, yes, tried on 0fr, work very well. Thanks for the tip. Where did you get the 0fr firmware? I want to find out how the image styles works.

12:25 PM, January 30, 2007 UGunit89 said...

I'm glad to hear that it worked. Also, I'm using the 0fr firmware and flex from Yuet v3.


10:36 PM, January 30, 2007 Yuet said...

UGunit, thanks, I figure out the image styles. I am about to release v3.1, just some finishing touch.

9:53 AM, January 31, 2007 UGunit89 said...

I wish you the best of luck and hope to figure out this itunes thing.


4:52 PM, February 01, 2007 said...

does this mean that for those of us that accidentally installed the locked t-mobile monster pack in the beginning.....that after running this patch, we can go back to the cingular monster packs if we want to?

For ex.

"R4517_G_08.C4.32R_LP0939_DRM0101_JPJAVA_G_08_L7_0 6_03_01R_SE1111AXXB7129_1FF.sbf"

^That pack came straight out of hell and once i installed it i have never been able to successfully flash to any other pack. I really dislike this one and would like to go back to the cingular MP but it will flash successfully then the phone will just stay stuck in bootloader mode...

Is this the cure?

and if not, is there a cure for this problem?

10:12 PM, February 01, 2007 Yuet said...

I am not sure whether this trick works for R4517 firmware. Even if it works, this trick is not for removing sticky firmware. I am not familiar with the Cingular L7 (R4517), so I can't give any advice. I think no advice is better than bad advice.

6:53 PM, February 03, 2007 Max said...

Hey Yuet,
Somebody managed to deactivate RSA on the AER firmware.
I do not arrive there.

12:24 PM, February 05, 2007 Lord Dizzy said...

Is there a program to easily let me edit CG1? I mean to change those system sounds and startup splash screen like SHXcodec does for DRM?
BTW, keep up the good work Yuet, as you've done by now.

4:25 PM, February 05, 2007 Yuet said...

max, I heard somebody had success with AER, the procedure is same, but I didn't try it myself.

lord dizzy, there are some programs like Splash Replacer and System Sound Changer. I will write some guides on these topics.

4:49 PM, February 09, 2007 ayanamist said...

yuet, can you make a Yuet 2.1 MP including the RSA removing hack? I have tried many times and many ways to remove the RSA signature of B7R but all fail. Thanks

6:00 PM, February 09, 2007 Yuet said...

yeah, will do.

6:00 PM, February 13, 2007 e0r-stickied said...

Has anyone been able to RSA patch e0r? Or change system sounds by editing CG1 or any other way? I have tried custom sounds... that doesn't work. After attempting to RSA patch the CG1 I opened CG1 in System Sounds Changer and it says no sounds found :(

Anyone? All I want to do is KILL the low battery alert... not worried about other sounds...

7:15 AM, February 14, 2007 envi said...

ABR firmware... RSA is possible, right?
I want to edit system sounds... I tried custom sounds but that doesn't work...
I don't know if I'm doing this right but this is what I'm doing:

1. Split SMGs from SHX
2. Use RandomRSA2
3. Open System Sounds Changer... and open cg1.smg, and then wait a few mins and it tells me no sounds found...?

Did the RSA patch not work?

7:57 AM, February 15, 2007 Ugunit89 said...

Hey Yuet good news. They found a way to get itunes icon with the RSA hack.
Maybe this can help with v3 and other mps.
Also I tried this on B7R and it works.


1:23 PM, February 15, 2007 Yuet said...

yes, I saw it. will try to put in the MPs.

e0r-stickied/envi, I will try the System Sound Changer and let you know later.

8:25 PM, February 20, 2007 Anonymous said...

Yuet, I have split the firmware/monsterpack using SHXCodec but I cannot press the "patch RSA" button. Please help, here's a screenshot.

12:38 AM, February 21, 2007 Yuet said...

What firmware were you trying to patch? One of my MPs?

11:36 AM, February 21, 2007 Anonymous said...

Yeah, i'm trying to patch one of your monster packs. The 3.1.

11:32 PM, February 21, 2007 Yuet said...

I have already patched the RSA in v3.1. That's why you couldn't patch it again. :-)

7:47 PM, February 22, 2007 Anonymous said...

Well is there any way which i can set my own hellomoto screen and change system sounds then?

12:35 AM, February 23, 2007 Yuet said...

Yes, but they are long guides. I will post the guides when I have the time.

1:09 PM, February 23, 2007 Anonymous said...

Well, unfortunately I don't have time. I need to do this as quickly as possible while I still have this free time on hand.

Please don't take this the wrong way. I acknowledge the time and effort you put into "modding"; it's just that I really need to know how to do this beforehand, because then I will have no time to do it and go in depth. So I will ask you nicely if you could at least post me a link to some relevant info on doing this. It doesn't have to be your guide, though I do find your guides the best and easiest to follow.

Anyway, regardless, thanks for your past help and future commitments to modding.

9:32 PM, February 24, 2007 d3mon said...

Hey Yuet,

I did that guide with your Yuet Mod v4.0 (for AER) and when RSD Lite v2.7 did a checksum it gave an error.

Critical error 84

I did a re-flash with your original version of the MP and then it worked again.
Is it possible to make the AER MP compatible with iTunes or MediaViewer?

My bootloader is 09.02.

And is it possible to flash to another flash, like 56R or something? I have a 56R flash on my computer but I don't know whether I'll mess up my phone if I flash the 56R firmware.

Thanks, d3mon

10:24 PM, February 24, 2007 Yuet said...

d3mon, you have to stay with AER, unless you get rid of it first. RSA patch is not working on 09.02 bootloader.

2:24 AM, March 02, 2007 10nutz_413x said...

Yeah, so I followed the steps to remove the welcome and hellomoto picture (the boot picture), and I arrived at the RSA patch... and I found out that this won't work on bootloader 09.02... well, I've got this type of bootloader... did I hit a dead end? Is there no way to change those pictures, or is there another way?
PS: it's possible that I understood wrong... if I did, please explain to me ;)

1:39 PM, March 02, 2007 Yuet said...

unfortunately your understanding is correct. no way out yet until we find the rsa patch for the 09.02 bootloader.

2:27 AM, March 11, 2007 Pela said...

I tried to split the firmware/monsterpack using RandomSHX. It seems to be ok, it was my first try, but the result was:
Extracted BIN:
And I don't know if this is ok, because I can't find the CG1, CG7 and CG18 files that I need to use with RandomRSA2.
I tried to split using SHXCoDec_266 but some messages appear telling me: "Error loading MIDAS.DDL" so I could not use it anyway... If someone could help me... THX

7:19 PM, March 11, 2007 Yuet said...

pela, they should be the files with numbers 2, 6 & 8. It is better to rename your file to a meaningful name before splitting it.

2:52 PM, April 17, 2007 Marcos said...

Doesn't SmartClip remove the RSA lock, or just patch it?

Before having access to SmartClip, I had removed RSA-locks from V360, V3, and L7 without knowing what RSA was. That was in February 2007.

4:01 PM, April 17, 2007 Yuet said...

When you said "removed RSA-locks from V360, V3, and L7", what exactly do you mean? What's the lock you were talking about, and how did you remove it?

2:59 AM, May 20, 2007 Anonymous said...

About the RSA... i understand you can change the firmware's name? let's just say you turn your phone on in bootloader mode... it will say for example

Boot Loader
SW Version: R4531_G_08.B7.ABR

OK to Program
Connect USB
Data Cable

but i want it to say

Boot Loader
SW Version: HEFE's MP v1.0

OK to Program
Connect USB
Data Cable

for example.... how can i do that? pls i'm desperate....

Thanks in advance

4:11 PM, May 20, 2007 Yuet said...

First you must remove the RSA protection in your firmware. To change the FW name, open the CG1 binary file in a hex editor, search for the firmware name, then replace the original FW name. After that recompile the MP. The new FW name must not be longer than the original one and should not have spaces. Instead, it should be separated by underscores "_", such as HEFE_MP_v1.0
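The rename described above, carried out as a length-preserving byte replacement that enforces the two constraints given (not longer than the original, no spaces); this is an added example, not a tool from the post, and both the NUL padding of the shortened name and the restriction to letters, digits, "_" and "." are this example's own assumptions. The CG1 image is a constructed sample containing the firmware name from the previous comment.

```python
import re


def rename_firmware(cg1: bytes, old_name: str, new_name: str) -> bytes:
    """Return a copy of cg1 with old_name replaced in place; raise on any violation."""
    if len(new_name) > len(old_name):
        raise ValueError("new name must not be longer than the original")
    if " " in new_name:
        raise ValueError("use underscores instead of spaces, e.g. HEFE_MP_v1.0")
    # Assumption of this example: restrict the name to plain ASCII identifier characters.
    if not re.fullmatch(r"[A-Za-z0-9_.]+", new_name):
        raise ValueError("only letters, digits, '_' and '.' are allowed")
    old = old_name.encode("ascii")
    hits = cg1.count(old)
    if hits != 1:
        raise ValueError(f"expected exactly one occurrence of the name, found {hits}")
    # Assumption: the name is a NUL-terminated C string, so padding the shorter
    # name with NUL bytes keeps every later byte at its original offset.
    new = new_name.encode("ascii").ljust(len(old), b"\x00")
    patched = cg1.replace(old, new)
    assert len(patched) == len(cg1)  # the image size must never change
    return patched


# Constructed sample, not a real CG1: the name from the comment above, between filler bytes.
SAMPLE_CG1 = b"\xff" * 16 + b"R4531_G_08.B7.ABR\x00" + b"\xff" * 16

if __name__ == "__main__":
    out = rename_firmware(SAMPLE_CG1, "R4531_G_08.B7.ABR", "HEFE_MP_v1.0")
    print(out[16:34])
```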

3:58 AM, May 21, 2007 Anonymous said...

Thanks a million, Yuet

3:30 AM, June 10, 2007 Anonymous said...

Hi Yuet, I have an L7 with BL: 09.02, Firm: 4513_G_08.B7.DER_RB, and I want to know if it's possible to patch the RSA with your method. Will the phone then be ready for the iTunes icon?


PS: Sorry for my English.


5:04 PM, June 12, 2007 Yuet said...

Gus, no, the patch is not working with 09.02 phone.

9:05 AM, August 08, 2007 Anonymous said...

two things Yuet,
1) Can I use it for a V360 with Wolf MP1.2 F&B3 to remove RSA? If so, do I tick the checkbox for L2TE or just normal remove RSA? Can I use a normal jpg or gif file for the start up/boot and shutdown screen? I just want a nice pic that will take 1 sec, not forever.

2) Since F&B3 is a trial, is F&B2 fully free? If so, are you able to give me a link if possible? As if my phone screws up past the 30-day trial I'm kinda in a hard spot, as most would be.

7:11 PM, August 18, 2007 Phreakn said...

Hey Yuet, I have got Wolf MP working, and I'd say I've got this P2K stuff to intermediate level now; however the Phone Manager app says access denied. Some people have posted similar experiences; however I'm wondering if using F&B3 for my V360 to remove RSA with the LTE2 method will make PhoneManager work? If not, some say edit mma_ucp, but some things are not clear; could you give an answer for this? I basically want to have a powerful admin-like file browser that allows you to send skins etc. via Bluetooth or browse without the PC. Thanks again.

8:37 PM, August 15, 2008 fitra said...

Hello Yuet...
Where could I get a Moto RAZR V3i monsterpack?