diff --git a/CUSTOM-SERVER-CONFIGURATION.md b/CUSTOM-SERVER-CONFIGURATION.md
new file mode 100644
index 000000000..d3152b2da
--- /dev/null
+++ b/CUSTOM-SERVER-CONFIGURATION.md
@@ -0,0 +1,607 @@
+# 🌐 RR3 Custom Server Configuration - Complete Guide
+
+**Problem:** Someone is concerned about SSL/certificate validation AND hardcoded server URLs  
+**Reality:** They're absolutely right - this is the real challenge!  
+**Solution:** Multiple Smali + XML modifications required to redirect game to custom servers
+
+---
+
+## ⚠️ IMPORTANT CORRECTION
+
+**My previous SSL-CERTIFICATE-BYPASS.md was INCOMPLETE!**
+
+While SSL validation is indeed disabled for basic TrustManager checks, **the real challenge is:**
+
+1. **Hardcoded server URLs** in compiled bytecode
+2. **Native code** (libRealRacing3.so) that handles network communication
+3. **Configuration passing** from Java → Native layer
+
+The person questioning Part 3 was **100% correct**! ✅
+
+---
+
+## 🔍 The Real Technical Reality
+
+### What We Found
+
+#### 1. Hardcoded EA Server URLs (In Java/Smali)
+
+**File:** `smali_classes2/com/ea/nimble/SynergyEnvironmentImpl.smali`
+
+```smali
+# Line 19
+.field private static final SYNERGY_INT_SERVER_URL:Ljava/lang/String; = "https://director-int.sn.eamobile.com"
+
+# Line 21
+.field private static final SYNERGY_LIVE_SERVER_URL:Ljava/lang/String; = "https://syn-dir.sn.eamobile.com"
+
+# Line 23
+.field private static final SYNERGY_STAGE_SERVER_URL:Ljava/lang/String; = "https://director-stage.sn.eamobile.com"
+```
+
+**These are COMPILED INTO THE BYTECODE** - not in a config file!
+
+---
+
+#### 2. Server Environment Configuration (In XML)
+
+**File:** `res/values/strings.xml`
+
+**Line 137:**
+```xml
+<string name="cc_server_env">live</string>
+```
+
+**This selects which hardcoded URL to use:**
+- `"live"` → Uses `syn-dir.sn.eamobile.com`
+- `"stage"` → Uses `director-stage.sn.eamobile.com`
+- `"int"` → Uses `director-int.sn.eamobile.com`
+
+**Line 350-353 (Nimble API Keys):**
+```xml
+<string name="nimble_api_key_live">1cd0dfa4-c34c-4b0a-b444-aca954c96d50</string>
+<string name="nimble_api_key_stage">aea852db-02b4-42f1-8a4a-7c167953b46e</string>
+<string name="nimble_api_secret_live">4757e3d6-bb9e-4766-92bd-fd6a9e97eca6</string>
+<string name="nimble_api_secret_stage">76ec9d8a-fbb1-448d-99d0-27f5ddcd664a</string>
+```
+
+**These authenticate with EA's Nimble SDK backend.**
+
+---
+
+#### 3. Native Code Integration
+
+**Java HTTP wrapper:** `com/firemint/realracing/Http.smali`
+
+**Native callback methods (Lines 119-129):**
+```smali
+.method private native completeCallback(J)V
+.end method
+
+.method private native dataCallback(J[BI)V
+.end method
+
+.method private native errorCallback(J)V
+.end method
+
+.method private native headerCallback(JI)V
+.end method
+```
+
+**Key Point:** 
+- Java code makes HTTP requests
+- Results are passed to **native C++ code** via JNI callbacks
+- Native code (`libRealRacing3.so`) processes responses
+
+**This means:**
+- URL comes from Java (we can change)
+- SSL verification happens in Java (already bypassed)
+- **BUT** native code validates responses and might check domain/data format
+
+---
+
+## 🛠️ How to Redirect to Custom Server
+
+### Method 1: Change Hardcoded URL (Recommended)
+
+**Modify:** `smali_classes2/com/ea/nimble/SynergyEnvironmentImpl.smali`
+
+**Original (Line 21):**
+```smali
+.field private static final SYNERGY_LIVE_SERVER_URL:Ljava/lang/String; = "https://syn-dir.sn.eamobile.com"
+```
+
+**Modified:**
+```smali
+.field private static final SYNERGY_LIVE_SERVER_URL:Ljava/lang/String; = "https://your-custom-server.com:5555"
+```
+
+**Also change Line 19 (int) and Line 23 (stage) to the same URL for consistency.**
+
+---
+
+### Method 2: Add Custom Environment Option
+
+**Option A: Add to strings.xml**
+
+**File:** `res/values/strings.xml`
+
+**Add new entry:**
+```xml
+<string name="cc_server_env">custom</string>
+<string name="cc_custom_server_url">https://your-server.com:5555</string>
+```
+
+**Then modify SynergyEnvironmentImpl to read custom URL.**
+
+**Option B: Use existing "int" environment**
+
+**Simpler approach - just change the "int" URL:**
+
+```smali
+# Change line 19
+.field private static final SYNERGY_INT_SERVER_URL:Ljava/lang/String; = "https://your-server.com:5555"
+```
+
+**Then in strings.xml:**
+```xml
+<string name="cc_server_env">int</string>
+```
+
+---
+
+### Method 3: Network Injection (Advanced)
+
+**If you can't modify APK bytecode**, intercept at OS level:
+
+#### DNS Spoofing
+```bash
+# /etc/hosts on rooted Android
+127.0.0.1 syn-dir.sn.eamobile.com
+127.0.0.1 director-int.sn.eamobile.com
+127.0.0.1 director-stage.sn.eamobile.com
+```
+
+**Run local proxy on 127.0.0.1 to forward to your server.**
+
+#### VPN Tunnel
+```bash
+# Use VPN app to redirect EA domains to custom server
+# Tools: Packet Tunnel, NetGuard, AdGuard (with custom DNS rules)
+```
+
+**Note:** This still requires SSL bypass since certificate won't match!
+
+---
+
+## 🔒 SSL Certificate Reality Check
+
+### What I Got Wrong Before
+
+**My previous doc said:**
+> "SSL validation is disabled, custom servers work out-of-the-box"
+
+**What I SHOULD have said:**
+> "SSL validation bypasses certificate expiry checks, BUT you still need to handle domain mismatches and native code expectations"
+
+### The Truth About SSL in RR3
+
+#### Java Layer SSL (What We Analyzed)
+
+**Http.smali Line 179:**
+```smali
+sget-object v0, Lorg/apache/http/conn/ssl/SSLSocketFactory;->ALLOW_ALL_HOSTNAME_VERIFIER:Lorg/apache/http/conn/ssl/X509HostnameVerifier;
+invoke-static {v0}, Ljavax/net/ssl/HttpsURLConnection;->setDefaultHostnameVerifier(Ljavax/net/ssl/HostnameVerifier;)V
+```
+
+**This line is CRITICAL:**
+- `ALLOW_ALL_HOSTNAME_VERIFIER` - Disables hostname verification!
+- This means Java layer accepts ANY domain (e.g., your-server.com instead of ea.com)
+- ✅ **Good news for custom servers!**
+
+**Http$1.smali (TrustManager):**
+```smali
+.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
+    return-void  # Does nothing = accepts all certificates
+.end method
+```
+
+**Result:**
+- ✅ Java layer accepts self-signed certificates
+- ✅ Java layer accepts wrong domain names
+- ✅ Java layer doesn't pin certificates
+
+---
+
+#### Native Layer SSL (Unknown Territory)
+
+**What we DON'T know:**
+- Does `libRealRacing3.so` perform additional SSL validation?
+- Does native code check response signatures?
+- Does native code validate server responses format?
+
+**What we CAN'T easily check:**
+- Native library is compiled C++ (not decompilable to readable code)
+- Would need reverse engineering tools (IDA Pro, Ghidra)
+- Or runtime testing with custom server
+
+---
+
+## 🧪 Testing Strategy
+
+### Phase 1: Java Layer Only
+
+**Goal:** Confirm URL redirection works
+
+**Steps:**
+1. Modify `SYNERGY_LIVE_SERVER_URL` to point to your server
+2. Rebuild APK, sign, install
+3. Monitor network traffic: `adb logcat | grep -i "http"`
+4. Check if game connects to your server
+
+**Expected Result:**
+- ✅ Game makes HTTP requests to your server
+- ❓ Native code might reject responses
+
+---
+
+### Phase 2: Response Validation
+
+**Goal:** Determine what responses native code expects
+
+**Steps:**
+1. Set up proxy (mitmproxy, Charles, Burp Suite)
+2. Intercept EA's server responses (if still accessible)
+3. Document response format, headers, JSON structure
+4. Replicate exact format on custom server
+
+**Key Things Native Code Might Check:**
+- Response HTTP status codes
+- JSON structure/schema
+- Cryptographic signatures (HMAC, JWT)
+- Response headers (X-EA-*, EAM-*)
+- Timing/sequence of responses
+
+---
+
+### Phase 3: Native Code Validation
+
+**Goal:** Bypass/understand native checks
+
+**Options:**
+
+#### A. Frida Hooking (Advanced)
+```javascript
+// Hook native callback functions
+Interceptor.attach(Module.findExportByName("libRealRacing3.so", "Java_com_firemint_realracing_Http_dataCallback"), {
+    onEnter: function(args) {
+        console.log("Native callback called with data:", args[2]);
+    }
+});
+```
+
+#### B. Runtime Analysis
+```bash
+# Use strace to monitor native system calls
+adb shell
+strace -f -p $(pidof com.ea.games.r3_row) -e trace=network
+```
+
+#### C. Library Patching (Nuclear Option)
+- Decompile `libRealRacing3.so` with Ghidra
+- Find SSL validation functions
+- Patch to always return success
+- Recompile library
+
+**Warning:** This is VERY complex and error-prone!
+
+---
+
+## 📋 Complete Modification Checklist
+
+### Required Changes for Custom Server
+
+#### 1. Server URL Redirection
+
+**Files to modify:**
+
+```
+✅ smali_classes2/com/ea/nimble/SynergyEnvironmentImpl.smali
+   - Line 19: SYNERGY_INT_SERVER_URL
+   - Line 21: SYNERGY_LIVE_SERVER_URL
+   - Line 23: SYNERGY_STAGE_SERVER_URL
+   
+❓ res/values/strings.xml
+   - Line 137: cc_server_env (set to "live" or "custom")
+```
+
+---
+
+#### 2. SSL/TLS Configuration
+
+**Already bypassed by default:**
+
+```
+✅ smali_classes2/com/firemint/realracing/Http.smali
+   - Line 179: ALLOW_ALL_HOSTNAME_VERIFIER (already set)
+   
+✅ smali_classes2/com/firemint/realracing/Http$1.smali
+   - Line 38-40: checkServerTrusted (empty method)
+   
+✅ smali_classes2/com/firemonkeys/cloudcellapi/HttpRequest.smali
+   - Line 47: m_bSSLCheck = false (disabled)
+```
+
+**No changes needed here!** ✅
+
+---
+
+#### 3. API Key Configuration (Optional)
+
+**If your server validates Nimble API keys:**
+
+```
+❓ res/values/strings.xml
+   - Line 350: nimble_api_key_live (change to your key)
+   - Line 352: nimble_api_secret_live (change to your secret)
+```
+
+**If your server ignores API keys, skip this.**
+
+---
+
+## 🎯 Simplified Build Script
+
+```powershell
+# RR3-Custom-Server.ps1 - Automated URL replacement
+
+param(
+    [string]$ServerURL = "https://your-server.com:5555"
+)
+
+# Decompile APK
+apktool d realracing3.apk -o rr3-custom
+
+# Replace server URLs
+$smaliFile = "rr3-custom\smali_classes2\com\ea\nimble\SynergyEnvironmentImpl.smali"
+(Get-Content $smaliFile) `
+    -replace 'https://syn-dir\.sn\.eamobile\.com', $ServerURL `
+    -replace 'https://director-int\.sn\.eamobile\.com', $ServerURL `
+    -replace 'https://director-stage\.sn\.eamobile\.com', $ServerURL `
+    | Set-Content $smaliFile
+
+Write-Host "✅ Server URLs updated to: $ServerURL"
+
+# Rebuild APK
+apktool b rr3-custom -o rr3-custom-server.apk
+
+# Align & Sign
+zipalign -f -P 16 -v 16 rr3-custom-server.apk rr3-aligned.apk
+java -jar uber-apk-signer.jar --apks rr3-aligned.apk
+
+Write-Host "✅ APK built: rr3-aligned-signed.apk"
+```
+
+**Usage:**
+```bash
+.\RR3-Custom-Server.ps1 -ServerURL "https://rr3.mydomain.com:5555"
+```
+
+---
+
+## 🧩 What Your Custom Server Needs
+
+### Minimum Requirements
+
+#### 1. Match EA's API Endpoints
+
+**Director API (Primary):**
+```
+GET  /director/api/android/getDirectionByPackage
+POST /synergy/api/user/login
+POST /synergy/api/user/register
+GET  /synergy/api/game/config
+POST /synergy/api/game/saveProgress
+```
+
+**Content API (Assets):**
+```
+GET /content/api/manifest
+GET /content/api/assets/{path}
+```
+
+---
+
+#### 2. Replicate Response Format
+
+**Example: getDirectionByPackage response:**
+```json
+{
+  "appUpgrade": 0,
+  "serverURL": {
+    "synergy.product": "https://your-server.com:5555",
+    "synergy.user": "https://your-server.com:5555",
+    "synergy.tracking": "https://your-server.com:5555"
+  },
+  "version": "14.0.1",
+  "minimumVersion": "14.0.0"
+}
+```
+
+**Key Points:**
+- `appUpgrade: 0` - Bypass killswitch
+- `serverURL` object contains secondary endpoints
+- If native code validates JSON structure, match it exactly!
+
+---
+
+#### 3. Handle Authentication Headers
+
+**RR3 sends these headers:**
+```http
+EAM-SESSION: <session-token>
+EAM-USER-ID: <user-id>
+EA-SELL-ID: <device-id>
+SDK-VERSION: <nimble-version>
+X-EA-GAME: RealRacing3
+X-EA-PLATFORM: Android
+```
+
+**Your server should:**
+1. Accept these headers (don't reject unknown headers)
+2. Validate session tokens if implementing auth
+3. Return appropriate JSON responses
+
+---
+
+## ⚠️ Known Challenges
+
+### Challenge 1: Native Code Validation
+
+**Risk:** Native code rejects responses from custom server
+
+**Symptoms:**
+- APK connects to your server (visible in logs)
+- No error messages
+- Game stuck at loading screen
+- Native code silently fails
+
+**Solution:**
+- Test with exact EA response format
+- Monitor native callbacks with Frida
+- May require native library patching
+
+---
+
+### Challenge 2: Cryptographic Signatures
+
+**Risk:** Responses might be signed with EA's private key
+
+**Evidence:**
+- Nimble SDK has crypto capabilities
+- API keys/secrets exist in config
+- Native code could validate HMAC signatures
+
+**Solution:**
+- Try without signatures first (might not be enforced)
+- If required, remove signature validation from native code
+- Or generate valid signatures (if algorithm is known)
+
+---
+
+### Challenge 3: Asset Downloads
+
+**Risk:** Assets have MD5 checksums that must match
+
+**File:** `AssetsController.cs` already handles this:
+```csharp
+// Calculate MD5 on upload
+using var md5 = MD5.Create();
+var hash = md5.ComputeHash(fileStream);
+asset.MD5Hash = BitConverter.ToString(hash).Replace("-", "").ToLower();
+```
+
+**Your manifest MUST return matching MD5s or game rejects files!** ✅
+
+---
+
+## 🎓 Learning from Discord Community
+
+### What We Know Works (Community Reports)
+
+**From Discord "airplane mode trick":**
+1. Users start game normally
+2. Enable airplane mode during loading screen
+3. Game switches to "offline mode"
+4. Progression works locally
+
+**This proves:**
+- ✅ Game has offline capability
+- ✅ Native code doesn't REQUIRE server validation for gameplay
+- ✅ Server is primarily for cloud saves and multiplayer
+
+---
+
+### What Needs Testing
+
+**Questions for community:**
+1. Has anyone successfully redirected to custom server?
+2. What responses does native code expect?
+3. Are there signature validations?
+4. Does changing URL work without native code changes?
+
+---
+
+## 📚 Related Documentation
+
+- **KILLSWITCH-REMOVAL-TECHNICAL.md** - Bypass appUpgrade check
+- **SSL-CERTIFICATE-BYPASS.md** - Java layer SSL bypass (INCOMPLETE, read this doc instead)
+- **GETTING-STARTED.md** - General APK building guide
+- **RR3-ULTIMATE-EDITION-COMPLETE.md** - Complete v14 build process
+
+---
+
+## 🙏 Credits & Corrections
+
+**Original Analysis:** Copilot CLI (me)  
+**Correction Provided By:** Discord community member (thank you!)  
+**Finding:** Part 3 of SSL analysis was incomplete - native code and hardcoded URLs are the real challenge
+
+**This document supersedes SSL-CERTIFICATE-BYPASS.md for custom server setup.**
+
+---
+
+## 🚀 Next Steps
+
+### For Community Members
+
+**If you're testing custom servers:**
+
+1. ✅ **Easy:** Change hardcoded URLs in Smali
+2. ✅ **Easy:** Build and sign APK
+3. ✅ **Easy:** Install and test connection
+4. ❓ **Unknown:** Test if native code accepts responses
+5. ❓ **Unknown:** Debug response format issues
+6. ❓ **Hard:** Patch native code if validation fails
+
+**Share your findings on Discord!**
+
+---
+
+### For Server Developers
+
+**Your server should:**
+
+1. ✅ **Must:** Match EA's endpoint paths
+2. ✅ **Must:** Return valid JSON with correct structure
+3. ✅ **Must:** Calculate MD5 hashes for assets
+4. ❓ **Maybe:** Handle authentication headers
+5. ❓ **Maybe:** Sign responses (if native code checks)
+
+**ASP.NET Core server template already implements 1-3!** ✅
+
+---
+
+## 📞 Community Support
+
+**Questions? Testing results?**
+
+Share on Discord: Project-Real-Resurrection-3
+
+**Found what responses work?**
+- Document JSON structure
+- Share HTTP traffic captures
+- Test different response formats
+
+**Got custom server working?**
+- Write detailed steps
+- Share server code
+- Help others replicate
+
+---
+
+**Last Updated:** February 20, 2026  
+**Status:** ⚠️ Theoretical - Requires community testing  
+**Priority:** High - This is the real challenge for custom servers!
+
+🏎️💨 **Let's figure this out together!**