R479 > R47A
The manual is being published here at MotoX under author's permission.
For advanced users only! Use this at your own risk!
Author of the manual: GandjaFuzz (motofan.ru).
Translation: yours truly.
What we need: R47A firmware and my patches.
1) Preparing the firmware
2) Flashing the modified firmware
3) Change PDS component seems
1) *First we remove RSA (detailed information can be found in this thread.
*Apply the "RUN_PHONE" patch to the CG1 (in SMG format). The software will indicate that it has overwritten 32 bytes after patching. If you see this message, you did it the right way.
*We now have to enable an ability to write PDS component seems to phone. THE CODE WILL VARY DEPENDING ON FIRMWARE VERSION!
Here is an example (the code in your particular case may look different):
Find the following string in CG 1

Code:
00 00 00 00  00 00 00 00 00 AB 00 0When you find it you will see a similar code (example is based on R47A...D8.A1R, log taken from ID)

Code:
ROM:100BA010  10 0D 64 8B 00 00 00 00  00 00 00 00 00 AB 00 00  dЛ.........л..
ROM:100BA020  10 0D 64 8B 00 00 00 00  00 00 00 00 02 30 00 00  dЛ........0..
ROM:100BA030  10 0D 64 8B 00 00 00 00  00 00 00 00 02 31 00 00  dЛ........1..
ROM:100BA040  10 0D 64 8B 00 00 00 00  00 00 00 00 03 5A 00 00  dЛ........Z..
ROM:100BA050  10 0D 64 F7 00 00 00 00  00 00 00 00 03 5B 00 00  dў........[..
ROM:100BA060  10 0D 64 F7 00 00 00 00  00 00 00 00 03 59 00 00  dў........Y..
ROM:100BA070  10 0D 64 F7 00 00 00 00  00 00 00 00 03 5C 00 00  dў........\..
ROM:100BA080  10 0D 64 F7 00 00 00 00  00 00 00 00 03 71 00 00  dў........q..
ROM:100BA090  10 0D 64 F7 00 00 00 00  00 00 00 00 01 C1 00 00  dў........
+..
ROM:100BA0A0  10 0D 63 DB 00 00 00 00  00 00 00 00 01 BB 00 00  c-........
¬..
ROM:100BA0B0  10 0D 64 8B 10 0D 64 39  00 00 00 00 02 9C 00 00  dЛd9....Ь..lets view the first line of the code

Code:
10 0D 64 8B 00 00 00 00  00 00 00 00 00 AB 00 00The first 4 bytes - 10 0D 64 8B - represent a link to the function that allows us writing the seem 00 AB
Same for the other lines, i.e. the code indicates that I can overwrite seems
00 AB, 02 30, 02 31, 03 5A..., while the remaining seems cannot be overwritten...
To enable seem writing we edit the code, i.e. change the link from "disable write" to "enable write": 10 0D 64 F7 - to - 10 0D 64 8B. Same for the remaining seems, including seem 01 BB.
When done editing the code should look like this:

Code:
ROM:100BA010  10 0D 64 8B 00 00 00 00  00 00 00 00 00 AB 00 00  dЛ.........л..
ROM:100BA020  10 0D 64 8B 00 00 00 00  00 00 00 00 02 30 00 00  dЛ........0..
ROM:100BA030  10 0D 64 8B 00 00 00 00  00 00 00 00 02 31 00 00  dЛ........1..
ROM:100BA040  10 0D 64 8B 00 00 00 00  00 00 00 00 03 5A 00 00  dЛ........Z..
ROM:100BA050  10 0D 64 8B 00 00 00 00  00 00 00 00 03 5B 00 00  dў........[..
ROM:100BA060  10 0D 64 8B 00 00 00 00  00 00 00 00 03 59 00 00  dў........Y..
ROM:100BA070  10 0D 64 8B 00 00 00 00  00 00 00 00 03 5C 00 00  dў........\..
ROM:100BA080  10 0D 64 8B 00 00 00 00  00 00 00 00 03 71 00 00  dў........q..
ROM:100BA090  10 0D 64 8B 00 00 00 00  00 00 00 00 01 C1 00 00  dў........
+..
ROM:100BA0A0  10 0D 63 8B 00 00 00 00  00 00 00 00 01 BB 00 00  c-........
¬..
ROM:100BA0B0  10 0D 64 8B 10 0D 64 39  00 00 00 00 02 9C 00 00  dЛd9....Ь..We now can overwrite seems.
Once again, this is only an example for firmware version R47A...D8.A1R, the code will look different for other versions, i.e. links to "disable write" and "enable write" functions will be different.
We have successfully patched CG 1 and can now generate a reflash.
2) Flash the SHX file with RSD Lite.
3) The phone starts and we replace the two seems (download link for the seems is below) with P2K Manager of other P2K program.
YOU NOW HAVE A FULL-FLEDGED V3i iTunes PHONE.
P.S. The "RUN_PHONE" patch can be also used for unbricking the phones: just insert a PDS sample, add the bootloader, apply patch to CG 1, remove RSA, and flash the file.
P.P.S. APPLYING THE PATCH IS A MUST WHEN YOU INSTALL ANY DIFFERENT FIRMWARE VERSION, OTHERWISE YOUR PHONE WILL BE BRICKED!
P.P.P.S. Seem replacement procedure is needed only once in order to modify PDS.
P.P.P.P.S. I would like to thank the following testers Supshow and Shen. Special thanks to our guru Vilko for stimulating me to enhance my knowledge!!!

RUN_PHONE patch
Seems for iTunes


[disclaimer: This manual is NOT to be published outside of MotoX! The manual is being published here at MotoX under author's permission.]
__________________