Visit our new site - The source for all your Motorola ROKR E2 modding needs

Home arrow Tutorials arrow How to patch E1 fullflash to E398
How to patch E1 fullflash to E398
Monday, 27 February 2006

A great tutorial for creating ROKR E1 full flash and to patch it to work on E398. Posted by Yrovi in this thread

Creating Fullflash for E1

1. Using flashbackup, make custom range backup of this address: 10040000-12000000. This will create backup of almost everything sans BL and PDS. Since it is not full 32 MB in size, FB will refuse to make fullflash out of it. You need a hex editor to add empty 256 KB at the beginning of the file to expand its size to 32 MB.

2. Open the bin backup in xvi32. Make sure the cursor is at the beginning of the file. In edit > insert string:
   - Insert: Hex string
   - Value: 00
   - Insert times: hexadecimal, value: 40000
3. Save it, e.g: "proper size full backup.bin"

4. Use the file to generate E790/E1 ROKR fullflash from flashbackup

Patching E1 fullflash for E398

I won't write detailed step by step here, as this is intended for people who are familiar with modding.

1. Split E1 fullflash with shxcodec.

2. Edit CG1 and CG18 smg with hex editor.

Replace the original values at this offsets with these values:

At the beginning part (this is CG0):
Offsets: hexadec.
0: 11 
1: FE 
2: 00 
3: 00 
B0: FF 
B1: FF 
B2: FF 
C4: 11 
C5: FE 
C6: 00 
C7: 00 

Motorola E398

The middle part:

  • Locate this hex values: 396BE59FC000. You should find it in the middle part of CG1
  • Right above it you should see quite a few of this hex pattern: 47 78 46 C0
  • Replace the fifth of that pattern (counting from the bottom up from current location) with 20 01 47 70
  • Save it as different file with .smg extention.

Motorola E398

Replace the first 16 bytes with these values:
Offsets: hexadec.
0: E5
1: 9F
2: 10
3: 04
4: E5
5: 91
6: 10
7: 00
8: E1
9: 2F
B: 11
C: 10
D: 04
E: 00
F: 00

Save it.

Replace the original cg1 and 18 with the patched ones in shxcodec, compile it to a nex shx, and there, your patched firmware

Things to consider before flashing:

Some version of shxcodec (can't remember which ones) incorrectly written wrong address of codegroups in the ramdownloader. Split your patched MP and compare its ramdownloader with other ramdownloader that has similiar cg structure and make sure there are no difference in codegroups addresses. To check them manually:

codegroup, memory address, offsets in file:
3, 10040000-1007FFFF, 110-117
1, 10080000-10CFFFFF, 100-107
15, 10D00000-10F3FFFF, 170-177
4, 10F40000-110FFFFF, 118-11F
2, 11100000-11F5FFFF, 108-10F
7, 11F80000-11F90000, 130-137
18, 11FE0000-11FE07FF, 188-18F

Hope that helps.

Last Updated ( Sunday, 25 June 2006 )
< Prev   Next >
© 2005 – 2024 Motorola E398 Modders