diff --git a/.gitignore b/.gitignore
index 70a6543..f819816 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,5 @@ build/
 dist/
 tmp/
 *.spec
-.idea/
\ No newline at end of file
+.idea/
+certs/
\ No newline at end of file
diff --git a/README.md b/README.md
index 49cd88a..975ba2b 100644
--- a/README.md
+++ b/README.md
@@ -20,9 +20,54 @@ Due to the nature of this hack, you'll have to :
 - generate a new certificate authority (CA) for the proxy
 - trust or patch the CA on clients and/or apps that will connect to your Plex server
 
-### 1. Generate a new Certificate Authority (CA)
+### 1. Generate a new Certificate Authority (CA) and proxy certificate
 
-in writing...
+```bash
+# Generate a root CA
+openssl genrsa -out plexhackCA.key 4096
+# Create a self-signed root CA certificate
+openssl req -x509 -new -nodes -key plexhackCA.key -sha256 -days 3650 -out plexhackCA.crt -subj "/C=US/ST=Unknown/L=Unknown/O=Unknown/CN=PlexHackCA"
+  
+# Generate private key for proxy
+openssl genrsa -out plexhackproxy.key 2048
+  
+# Create a config file for the proxy certificate (SANs)
+cat > plexhacksan.cnf <<EOL
+[req]
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+prompt             = no
+
+[req_distinguished_name]
+C  = US
+ST = Unknown
+L  = Unknown
+O  = Unknown
+CN = plex.tv
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = plex.tv
+DNS.2 = clients.plex.tv
+EOL
+
+# Create a certificate signing request (CSR) using the SAN config
+openssl req -new -key plexhackproxy.key -out plexhackproxy.csr -config plexhacksan.cnf
+
+# Sign the CSR with your root CA to create the proxy certificate
+openssl x509 -req -in plexhackproxy.csr -CA plexhackCA.crt -CAkey plexhackCA.key -CAcreateserial -out plexhackproxy.crt -days 825 -sha256 -extfile plexhacksan.cnf -extensions req_ext
+```
+
+Now you should have two files `plexhackproxy.crt` and `plexhackproxy.key` that you will use in your reverse proxy.
+You should also have the `plexhackCA.crt` file that you will need to trust on your clients.
+
+> [!IMPORTANT]
+> You will need to trust the `plexhackCA.crt` certificate on every device that
+> will connect to your Plex server (i.e. mobile, desktop, smart TV...).
+> How to do this depends on the device and OS, you will need to search for instructions
+> specific to your device.
 
 ### 2. Setup reverse proxy
 
@@ -32,8 +77,8 @@ In my case I'm using Traefik, so here is an example configuration :
 tls:
   certificates:
     # use certificates generated in step 1
-    - certFile: /etc/traefik/ssl/custom/plexfakeclients.crt
-      keyFile: /etc/traefik/ssl/custom/plexfakeclients.key
+    - certFile: /etc/traefik/ssl/custom/plexhackproxy.crt
+      keyFile: /etc/traefik/ssl/custom/plexhackproxy.key
 
 http:
   routers:
@@ -129,3 +174,65 @@ Now if you try to go to `https://clients.plex.tv/api/hack` you should see a JSON
 If you see the Plex "Oops, 404" page then something is wrong with your redirection or proxy.
 
 ## Patch PlexAmp
+
+>[!IMPORTANT]
+> You'll need to have the official PlexAmp app installed on your device for this to work.
+
+You can use ADB to extract the APK from your device:
+```bash
+# Execute this from the root of the cloned repo
+# Also make sure you have adb installed and your device connected
+mkdir extracted_apks && cd extracted_apks
+for apk in $(adb shell pm path tv.plex.labs.plexamp | sed 's/package://'); do
+    adb pull "$apk" .
+done
+```
+>[!NOTE]
+> You might be able to download the APK from some websites but it's safer to extract it from your own device.
+
+You'll end up with something like this in the `extracted_apks` folder:
+```
+.
+├── base.apk
+├── split_config.arm64_v8a.apk
+├── split_config.de.apk
+├── split_config.fr.apk
+├── split_config.it.apk
+└── split_config.xxxhdpi.apk
+```
+
+Then you need to patch the `cacert.pem` file inside the `base.apk` to add the `plexhackCA.crt` certificate generated in step 1 and re-sign all the APKs.  
+_This might sound harder than it is, just follow these steps_:
+
+```bash
+# 1. Extract the existing cacert.pem from base.apk
+unzip base.apk assets/cacert.pem -d tmp/
+
+# 2. Append your custom CA cert
+cat ../certs/plexhackCA.crt >> tmp/assets/cacert.pem
+
+# 3. Replace the file inside base.apk (no compression)
+zip -r -0 base.apk tmp/assets/cacert.pem
+
+# 4. Remove existing signatures from ALL APKs (base + splits)
+for f in base.apk split_config.*.apk; do
+    zip -d "$f" 'META-INF/*'
+done
+
+# 5. Generate a keystore if you don’t already have one
+mkdir -p ../keystores
+# This will prompt you for some info, you can put whatever you want here and enter "yes" at the end
+# WARNING: Take note of the password you enter here as you'll need it to sign the APKs
+keytool -genkey -v -keystore ../keystores/plexamphack.keystore -alias plexamphack -keyalg RSA -keysize 2048 -validity 10000
+
+# 6. Sign ALL APKs with the same key
+for f in base.apk split_config.*.apk; do
+    apksigner sign --ks ../keystores/plexamphack.keystore "$f"
+done
+```
+
+You can now install the modified APK on your Android device.
+```bash
+# Make sure to uninstall the official PlexAmp app first
+adb install-multiple base.apk split_config.*.apk
+```
\ No newline at end of file