QA Flagging
This article is marked for rewrite/restructuring in proper wiki format. You can help PS3 Developer wiki by editing it. |
QA Flag
A QA flag is a value set in SC EEPROM at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.
QA Token
A QA token is an 80 byte value that determines amount of functionality on your console. It is signed with a 20 byte SHA1 key then encrypted using AES256CBC. Please see the keys page.
Unencrypted Token Structure
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 00 00 00 01 00 11 22 33 44 55 66 77 88 99 AA BB 00000010 CC DD EE FF 00 00 00 00 00 00 00 00 00 00 00 00 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000030 00 00 00 00 00 00 00 00 00 00 00 00 19 4A 4B BA 00000040 15 97 AE 71 36 CC B6 65 7F C3 B5 3F 49 22 2F B1
Address | Length | Value | Description |
---|---|---|---|
0x00 | 0x4 | 0x01 | QA-Flag Version |
0x04 | 0x14 | 0x112233445566778899AABBCCDDEEFF | IDPS |
0x14 | 0x20 | 0x00 | Token Flags |
0x34 | 0x8 | 0x00 | padding |
0x3C | 0x50 | 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 | digest |
Encrypted Token
The entire token is then encrypted with AES256CBC. You will find the keys on the keys page. This is then stored on SC EEPROM at 0x48D3E
Token Flags
The flags are a 32 (0x20) bytes value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.
Location | Value (Binary OR assigned) | Description |
---|---|---|
0x24 byte(36) | 0x1 / 0x4 | |
0x27 byte(39) | 0x1 | QA_FLAG_EXAM_API_ENABLE |
0x27 byte(39) | 0x2 | QA_FLAG_QA_MODE_ENABLE |
0x2C byte(44) | 0x9 | Advanced Token Flag!! |
0x2F byte(47) | 0x1 / 0x2 / 0x3 | QA-Token-Flag: (0x01 : Minimum) (0x02 : Advanced) (0x03 : undocumented) |
0x2F byte(47) | 0x4 | checked by lv2_kernel.self and sys_init_osd.self maybe allows sys_init_osd.self to run from /app_home |
0x2F byte(47) | flag 0x4 | if ((byte0x2F & 0x4) != 0) internal mode(QA flag minimum or advanced) allows sys_init_osd.self to run vsh.self from /app_home |
0x33 byte(51) | !0 | special execution mode |
0x33 byte(51) | 0x1 | QA_FLAG_ALLOW_NON_QA |
0x33 byte(51) | 0x2 | QA_FLAG_FORCE_UPDATE |
Setting QA Flag & Token with Linux
Prerequisites
- First you need to have linux installed on your PS3, you can have grafs kernel or glevands rework
If you are using glevand´s kernel you will have to first enable the require module
modprobe ps3dmproxy
- Then you will have to have the latest ps3dm-utils you can get from gitbrew or here you have a precompiled ps3dm_um ps3dm_aim
and you will need Slynk tools
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). Type it into my app in the format I provided, click the button, and run that command. Should work. Tokenator.7z (26.42 KB) Tokenator mirror(with src included) Slynk
Procedure
Getting the info
First you need your IDPS. Obtain this using ps3dm_aim.
# ./ps3dm_aim /dev/ps3dmproxy get_dev_id
Write it down and load it using Slynk's Tokenator app.
It will give you the command you should use in linux + your encrypted token. The tool should output something like this:
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
Setting the flag
./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00
(you may skip this step, because UM set_token takes care of it)
Setting the token
Just copy paste the command you got from tokenator
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
Congrats now you ps3 is QA flagged Reboot
Set your cursor on (not in) Network Settings and press the key combo (all at the same time): + + + + +
You should see Edy Viewer, Debug Settings, and Install Package Files if done correctly.
Setting QA Flag & Token with Grafs Payload
You can follow this tutorial to set the flag and token and then get the menu with the combo needed GrafPayload
GameOS app to QA flag
Glevand's QA flagging tools
- Prebuild packages :
http://store.brewology.com/ahomebrew.php?brewid=214
- qa_flag.pkg // (mirror:qa_flag.pkg (69.92 KB)) (to enable QA)
- qa_flag_extra.pkg // (mirror:qa_flag_extra.pkg (69.98 KB)) (to enable QA with downgrade)
- reset_qa_flag.pkg // (mirrors: [1] [2]) (to reset the QA flags back to default - virtually never needed, there is no benefit removing it)
- get_token_seed.pkg // (mirror:get_token_seed.pkg (59.73 KB))
- get_applicable_version.pkg // (mirror:get_applicable_version.pkg (69.3 KB)) (to get the low/high version lock via Debug UDP)
Alternative
This is a work in progress, it should already work, but feel free to review the code and improve it
based on Product Mode Toogle
Toggle QA - rebug.me
qa-toggle.pkg
CRC-16: 032F CRC-32 (Ethernet and PKZIP): D0DC4C0F SHA-1: 9B5C215E50B4DEC02E6171B0252A977DD599E3BA SHA-256: 845BCE0134A6DF6CF1966F2D4D4F8380DEF121ACA7AB1FA022B73A8F5E9FEEA3 SHA-384: A791A022F879C972CDBD85A26AF32FDAEF25D32FA28CA47F55AFFAA471EACD1EC6D2761CD4E0E92D93F11A7002AAC281 SHA-512: D3CA8DC93019181B0FD30B9618264F5C5CB8559F7AF1A4C2353AB5DBFD8B2FD4AD0EA63E2140E73F63D57E2252FB7DEAC53FA2B36919B703A477540D08C13EF9 MD-2: 5262E62B55CE972F5E58A13657B4143E MD-4: D6C9A681F0605C6AACBC61EDB7D43DD5 MD-5: FB11BEC5A0DDE6600BAEE0CC36742D54
Needs mmap114 lv1 patch + lv2 peek&poke MFW 3.41 or 3.55 (all other patches are done on the fly, when needed) - 3.15 will NOT work (blackscreen lock)
This is compatible with Kmeaw CFW and Rogero V3.7 (mirror / MD5:8f8166b25d6bed891f292c77de5c4b28)
for noFSM, use 9.99 downgrader instead: MD5:b67747f529d047d63151786544a58b50 .
http://rebug.me/?p=1358 / backup/mirror : toggle_qa.pkg (94.22 KB)
other mirrors:
QA Flags Features
Edy viewer
Payment service in japan
more info Edy viewer
Option not present in FW 1.02/1.10/1.11/1.30/1.31/1.32, only added since FW 1.50 and higher.
Debug Settings (CEX/DEX)
There are different Debug Settings (in English) for different firmware versions. For example: FW 3.55 has more options than FW 3.41 & 3.15, below versions have even less. Some Debug settings are only available in older versions.
Setting | Product Code | Description | 3.50 - 3.55 |
3.40 - 3.42 |
3.21 - 3.30 |
3.10 - 3.15 |
3.00 - 3.01 |
2.80 | 2.70 - 2.76 |
2.60 | 2.50 - 2.53 |
2.40 - 2.43 |
2.30 - 2.36 |
2.20 | 2.10 - 2.17 |
1.92 - 1.94 |
1.90 | 1.80 - 1.82 |
1.60 - 1.70 |
1.50 - 1.54 |
1.02 - 1.32 |
Remarks |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
DTCP-IP | CEX | Digital Transmission Content Protection over Internet Protocol, a specification for copy protection of copyrighted content that is transferred over digital interfaces in home networks that adhere to IP. Allows you to turn it on or off for PS3.
|
Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | OFF only? |
ATRAC | CEX | Adaptive TRansform Acoustic Coding is a family of proprietary audio compression algorithms developed by Sony. Allows you to enable or disable ATRAC playback for your PS3 system.
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | - |
WMA | CEX | Windows Media Audio is an audio data compression technology developed by Microsoft. Allows you to enable or disable WMA playback for your PS3 system.
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | - |
Analog Output Expansion Feature | CEX |
|
N | N | N | N | N | N | N | Y | Y | N | N | N | N | N | N | N | N | N | N | - |
NP Environment | CEX DEX | Allows you to change which environment your PS3 connects. See Environments
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | - |
Fake Free Space (for CEX) | CEX DEX | Fake the amount of free space on the HDD, in "Fake Limit Size" function.
|
Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Fake Limit Size | CEX DEX | Set the amount of free space on the HDD in MB when the "Fake Free Space" function is activated.
|
Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
NP Debug | CEX DEX | When an application is started, Playstation Network information related to that application is displayed.
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | - |
NPDRM Debug | CEX DEX | Set and test the access rights to an application that use drm protection.
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | - |
Edy Debug | CEX | Edy is a payment service in Japan, allows you to enable or disable debugging for Edy Viewer.
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | - |
Nav-only NP | CEX |
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | - |
Cdda Server | CEX |
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | - |
Auto download | CEX |
|
N | N | N | N | N | N | N | N | N | Y | Y | Y | Y | Y | N | N | N | N | N | - |
SSMSS Server | CEX |
|
N | N | N | N | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | - |
Crash Report | CEX DEX | When the console crashes, a report can be sent to Sony servers.
|
Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Crash reporter Status | CEX |
|
Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
VSH Crash Dump Generator | CEX |
|
Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
System Update Debug | CEX | Allows you to enable or disable system update debug, which lets you to downgrade with official Sony update manager. Also allows easy firmware switching by storing a PS3UPDAT.PUP (can be renamed) in /dev_hdd0/updater/01, then another in /dev_hdd0/updater/02 etc. Then go to "System Update" > "Update via Hard Disk" and select the update to install. Maximum is 20 versions to be listed in XMB, even when more are stored by using e.g. ftp. Lowest version that can be copied to updaterfolder on harddisk is 2.70 (no limit when using e.g. ftp, although versions below 2.70 cannot be used for reinstallment).
|
Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | - |
Information Board QA Server | CEX |
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | - |
Format Marlin Personal Data | CEX | This appears to be related to Marlin DRM possibly for multimedia use. -> (Format : Yes / No) |
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | - |
PlayStation Store Ad Clock | CEX DEX | Change the clock time of the ★ Title Store Preview (Store).
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | - |
Geo Filtering for PlayStation Store | CEX DEX |
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | - |
Remove Game License | CEX | -> (Remove : Yes / No) | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | - |
Home Debug | CEX |
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | - |
Delete Trophy Personal Data | CEX | Allows you to delete all your PS3 trophies personal data. -> (Delete : Yes / No) |
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | - |
GameUpdate Impose Test | CEX DEX | The application will simulate a fake patch in order to test how the application will react when a patch is found.
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | - |
Network Emulation Setting | CEX DEX | Emulate the network in order to test how the application will react with networks troubles.
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | - |
Network Emulation Status | CEX DEX | Show information of the Network Emulation Setting function. This information is also showed when selecting an option in Network Emulation Setting function. -> (Outputs status screen) Option number : Off Packet loss : (% send), (% receive) Packet loss duration (ms) Packet pass duration (ms) Packet delay time (ms) Packet delay jitter (ms) Packet out of order (%) Packet out of order delay (ms) Packet duplication (%) Bandwidth limitation (bps) Packet size limitation (min bytes) Packet size limitation (max bytes) Policy pattern (0x0000000000000000) |
Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | - |
Auto-Off Debug | CEX |
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | - |
WLAN Device | CEX DEX | Activate/deactivate the wireless LAN device.
|
Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
NAT Traversal Information | CEX DEX | NAT traversal techniques are typically required for client-to-client networking applications, especially peer-to-peer and Voice-over-IP (VoIP) deployments. -> (Outputs status screen) UPnP Status : Unavailable / Available UPnP Port Number : - UPnP External Address : - Stun Status : Unsucceeded / Succeeded NAT Type : Type1 / Type2 / Type3 Mapped Address : (Internet IP Address) Mapping Policy : Endpoint Independant Port Preservation : true / false Delta: 0 Port Opened : true / false |
Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | - |
Internet Browser Debug | CEX | When on is selected press triangle over the internet browser icon for extra options. (the WebKit option causes the console to reboot)
|
Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | - |
SMSS Result Output | CEX |
|
Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Adhoc SSID Prefix | CEX DEX | Set the prefix name of the Ad-hoc SSID’s. The default value is set for PSP devices.
|
Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Disc Auto-Start at System Startup | CEX DEX | Start the disc automatically when the system is turned on.
|
Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
3D Video Output | CEX DEX | Set the video output to 3D.
|
Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Fake NP SNS Throttle | CEX DEX | Fake a throttling (a delay between information sends) into the social network service.
|
Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Debug for HDD Exchange Utility | CEX | Clone your HDD straight to USB HDD, NO QA Token needed -> (HDD Exchange Utility) |
Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Fake Plus | CEX DEX | Fake the activation of PlayStation Plus.
|
Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Push Console Binding | CEX |
|
Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Automatic Download | CEX | Set automatic download on or off, on scheduled time (game updates, system software updates, and selected movies).
|
Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Motion Controller Calibration Result | CEX | Shows lastest results from motion controller calibration.
|
Y | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
VideoEditor Delete Preset BGM | CEX | -> (Delete : Yes / No) | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | - |
Setting | Product Code | Description | 3.50 - 3.55 |
3.40 - 3.42 |
3.21 - 3.30 |
3.10 - 3.15 |
3.00 - 3.01 |
2.80 | 2.70 - 2.76 |
2.60 | 2.50 - 2.53 |
2.40 - 2.43 |
2.30 - 2.36 |
2.20 | 2.10 - 2.17 |
1.92 - 1.94 |
1.90 | 1.80 - 1.82 |
1.60 - 1.70 |
1.50 - 1.54 |
1.02 - 1.32 |
Remarks |
Note: In older firmware versions (e.g. 1.02) it is not in a seperate debug menu, but rendered in XMB menu as System Settings extra options.
Debug Menu settings not in Retail/CEX QA
Setting | Product Code | Description | Remarks |
---|---|---|---|
O Button Behavior | DEX | Switch the assignment of the “O” button to “X” button (like for japans games/region settings).
|
- |
Game Type (Debugger) | DEX | Set the game type of an application when this one is started from the debugger (usually, this information is read from PARAM.SFO).
|
- |
Game Output Resolution (Debugger) | DEX | Set the game output resolution of an application when this one is started from the debugger (usually, this information is read from PARAM.SFO).
|
- |
Game Output Sound (Debugger) | DEX | Set game output sound of an application when this one is started from the debugger (usually, this information is read from PARAM.SFO).
|
- |
BGM Player (Debugger) | DEX | Set the activation of BGM playback when an application is started from the debugger (usually, this information is read from PARAM.SFO).
|
- |
GameContentUtil Boot Path (Debugger) | DEX | Change the game content boot path when an application is started from the debugger.
|
- |
GameContentUtil dirName (Debugger) | DEX | Change the game content directory when an application is started from the debugger in release mode. | - |
GameContentUtil Boot Path (/app_home/PS3_GAME/) | DEX | Change the game content boot path when an application is started from /app_home/PS3_GAME/.
|
- |
Region Settings | DEX | Change the console settings (system language, time, date, etc…) depending on which region are selected.
|
- |
Fake Other Region | DEX | Fake the license area of the console (SCEE for Europe, SCEA for America, etc…) to Other.
|
- |
HDCP | DEX | High-bandwidth Digital Content Protection (HDCP) is a form of digital copy protection developed by Intel Corporation to prevent copying of digital audio and video content as it travels across High-Definition Multimedia Interface
|
- |
Display HDD Free Space | DEX | Display the hard drive free space on the menu screen while an application is running. | - |
Fake Save Data Owner | DEX | Allows use of save data from other users and displays a warning message at every load/save during the game. Once a save data has been saved with this features activated, that save couldn’t be read with this function deactivated.
|
- |
Format System Cache | DEX | Format the system cache area.
|
- |
Release Check Mode | DEX | Check if /app_home is used in the application.
|
- |
Exception Handler | DEX | Handle PPU exceptions in order to debug an application.
|
- |
NPDRM Clock Debug | DEX | Activate/deactivate the validity period of an application that use drm protection.
|
- |
Service ID | DEX | Edit the Service ID of the content to access it on the Store. Example : AB0000-ABCD12345_00 |
- |
MsgDialogUtil Display Errorcode | DEX | Display the error code of an application that uses the cellMsgDialogOpenErrorCode function in the notification window.
|
- |
Format BD Emulator HDD | DEX | Format the external usb device (FAT32) for use it with the BD Emulator Function.
|
- |
Disable ExitGame Timeout | DEX | Disable the forced termination of an application due to a time out.
|
- |
Core Dump | DEX | The Core Dump functions save and configure the output exceptions of applications in order to debug them.
|
- |
PowerOnReset | DEX | The console is automatically turned on when the main power button is turned on.
|
- |
Boot Mode | DEX | Choose which mode to boot the console.
|
- |
Blu-ray Disc Access | DEX | Choose the Blu-ray disc type of access.
|
- |
Transfer Rate Pacing for BD Emulator | DEX | When the BD Emulator function is activated, the transfer rate can be choose between two options.
|
- |
Network Settings for Debug | DEX | Choose different network settings for the debugging than the settings used in usual settings.
|
- |
Connection Status List for Debug | DEX | Show the network information for the debugging. | - |
Connection Settings for Debug (Dual Settings) | DEX | Choose network settings for the debugging. Note : the Network Settings for Debug function have to be set on Dual Settings. |
- |
Pad Auto Detect | DEX | This function allows the console to automatically detect a paddle connected by USB.
|
- |
Initialize Boot Parameters | DEX | Reset boot parameters to their default value.
|
- |
Update Server URL | DEX | Choose the server of firmware updates when selecting [Settings] > [System Update]. Example : http://www.myexampleserver.com/ps3updat.txt Ps3updat.txt example: Dest=82;ImageVersion=FFFFFFFF;SystemVersion=1.0000;CDN_Timeout=30;CDN=http://www.myexampleserver.com/PS3UPDAT.PUP.100.001; |
ps3-updatelist.txt |
Video Upload Debug | DEX | When a video is uploaded on YouTube with the video upload function, the uploaded video is set to private.
|
- |
Wake On LAN | DEX | Wake-on-LAN is an Ethernet computer networking standard that allows a computer to be turned on or woken up by a network message. The message is usually sent by a program executed on another computer on the same local area network.
|
- |
Dummy XMB (in game) Debug | DEX | This function checks how applications react while the XMB in game is used. If the resources debits are not enough, a message will be display in the notification window.
|
- |
Dummy BGM Player Debug | DEX | This function checks how applications react while the BGM Player is used. If the resources debits are not enough, a message will be display in the notification window.
|
- |
MediatedServices: Mediator URL | DEX | Set the mediator URL of Mediated Services. | - |
MediatedServices: Provider Data | DEX | Set the provider data of Mediated Services. | - |
MediatedServices: Notifications | DEX | Activate/deactivate the Mediated Services notifications.
|
- |
Note: credit to DrEB
Install Package Files
Will install all package files found on the root of the USB stick sequentially in alphabetical order until an installation of a package is aborted or fails for any reason. It will work only with properly signed packages. Unlike the Install Package File function in the Game menu the .pkg extension name is not case sensitive.
Option present in FW 1.02 and above.
As on DEX/DECH Stations is already a "Install Package Files" function, no new icon is added, but the ability to install retail packages via the "game column" "Install Package Files".
On 3.6x Firmwares
As we know Sony has taken QA Flag away changed the Auth for QA-flag on 3.6x Firmwares. Until someone changes it to work with the new method (which doesnt work on the old), your QA Flag will not work on 3.6x.
From 3.60 Sony added a new step in the authentication process in the Iso module "spu_token_processor.self". This new step is a digital signature verification using ECDSA ("Elliptic Curve Digital Signature Algorithm"). The old token, the IDPS taked from the machine, the version of the Token (1), the array of flags, and the HMAC hash of the previous parts, remains valid as such. No key (AES, HMAC) were changed in the new module. However, after the decryption of the token, IDPS and verification of the machine with which it has the token performs a digital signature verification of all encrypted token (0x50 bytes). This performs a SHA-1 hash of the entire token (like Sony performed at the time of the digital signature) and passes to check the signature, if it validates the token is considered authentic and returned both encrypted as decrypted (this with the hash hmac set to 0), as happened in 3.56 and lower. In the event that the digital signature fails, consider that the token is not valid, as would happen if the token decryption fails, or any of your previous checks (HMAC computed with token bearing the token, the IDPS , ...). In this case it will return an empty buffer (instead of the decrypted token) and one with a token prepared but without any active flag, or indeed with any digital signature, as happened in 3.56 and lower. In short it is not possible to put a machine QA in firmware 3.60 and higher unless you are patching the module (thus only work in that customized firmware), or getting a whole token and a valid digital signature for. Given that the token varies by the IDPS to prevent universal token exists, only the IDPS should know that token, and change the IDPS of section one of EID0 (which is what the Iso module checks), but this could have unintended consequences in some cases.
QA Downgrading
Crossreference: gitbrew.org PS3:Downgrade
Notes
These tools COULD format your ps3. (which means Any and ALL psn / downloaded data could be erased)
note: several people noted that they did not suffer from dataloss even after several downgrades, but its good measure to backup before downgrading (esp. ACT.DAT which DO get erased)
Tools Needed
- CFW355-OTHEROS++-SPECIAL.PUP // (mirror:CFW355-OTHEROS++-SPECIAL.PUP (170.64 MB) / http://www.mirrorcreator.com/files/TTL1FPNF/CFW355-OTHEROS__-SPECIAL.PUP_links) - QA Flag CFW with SS patches, Can be used to downgrade your ps3 from 3.55 to lower firmwares.
- qa_flag_extra.pkg // (mirror:qa_flag_extra.pkg (69.98 KB)) (to enable QA with downgrade)
- Firmware you want to downgrade to. (3.41, 3.15)
Installation Process
1. Install CFW355-OTHEROS++-SPECIAL.pup (Doesn't matter what version you are. 3.55 and lower ONLY.) 2. Install qa_flag_extra.pkg 3. Run qa_flag (It will show up as this, that is fine) 4. If you hear the beeps, continue. If you do not hear beeping, come to irc. 5. Reboot 6. Go into recovery menu and Update your ps3 with the firmware that you want (3.15, 3.41 etc) 7. have it install
And now you're done. You just successfully downgraded your ps3.
User Submitted Videos
http://www.youtube.com/watch?v=ZLk3dq944-s - QA Downgrade
Known Issues with QA flag / QA downgrades
Act.dat (PSN activation) gets deleted
Make sure you backup the file before enabling QA-extra flag and downgrade. There have been reports of ACT.DAT ("home/000000XX/exdata/act.dat") get's deleted. So make sure to backup that entire folder before flagging/downgrading.
- http://rebug.me/xreg-plus-v1-0/
- http://www.maxconsole.com/maxcon_forums/threads/270400-Restore-act-dat-Homebrew-to-help-with-copying-your-PSN-activation-files!