QA Flags[edit | edit source]

flagged updater = qa_flags[0] & 0x1
force update = qa_flags[0] & 0x2
int dev, int dev for internal libc, allow init vtrm = qa_flags[0] & 0x4
allow registry access = qa_flags[0] & 0x8
int dev for psm, allow psm debug = qa_flags[0] & 0x10
special i = qa_flags[0] & 0x40

allow ul debugger = qa_flags[1] & 0x1
allow sl debugger = qa_flags[1] & 0x2
beta update test = qa_flags[1] & 0x4

debug menu, debug menu for psm = qa_flags[2] & 0x1
allow ad clock = qa_flags[2] & 0x2
fake finalize = qa_flags[2] & 0x10
psn access trace log = qa_flags[2] & 0x40

debug menu mini = qa_flags[3] & 0x2

any_qaf = qa_flags[0] qa_flags[1] qa_flags[2] qa_flags[3] qa_flags[4] qa_flags[5] qa_flags[6] qa_flags[7] qa_flags[8] qa_flags[9] qa_flags[0xA] qa_flags[0xB] qa_flags[0xC] qa_flags[0xD] qa_flags[0xE] qa_flags[0xF] = 0xFF 

Utoken Flags[edit | edit source]

store mode = utoken_flags[0] & 0x1
data execution = utoken_flags[0] & 0x2
use weakened port restriction = utoken_flags[0] & 0x4
use softwagner = utoken_flags[0] & 0x8
flagged updater = utoken_flags[0] & 0x10
np env switching = utoken_flags[0] & 0x20
save data repair = utoken_flags[0] & 0x40
fake sharefactory = utoken_flags[0] & 0x80

Spoofing Flags[edit | edit source]

• Search for kernel magic in kernel dump
• Set all values before kernel magic (16 in total) to FF
• Set all values after kernel magic (16 in total) to FF
• Open kernel dump in ida pro (use SocraticBliss's kernel loader for this)
• Search for the string "rcmgr" in hex bytes (searching as text is slower)
• Find the xref to the first string (usually intdev)
• Rename All the functions to their respective names
• Patch each function where the condition (word_FFFFFFFFXXXXXXXX & 54) != 0) applies in pseudocode (if the first jump is a jnz, it's the second jz, if the first jump is a jz, it's the second jz as well)
• Note down the patches and spoofs, as well as the name of the rcmgr flags (for example rcmgr_intdev)
• Create a code that escalates privileges, spoofs qa flags and utoken flags and calls sysctl by name of machdep.<name of rcmgr flag>
• Launch payload
• You should have everything unlocked (to use only the ones you want comment or uncomment the sysctlbyname funcs)

v e Reverse Engineering Reverse Engineering Bootprocess  ·  BootLogo  ·  DataBases  ·  Disc Identification/Serialization Data  ·  Files on the PS4  ·  IOCTL  ·  Libraries  ·  Partitions  ·  Syscalls  ·  Kernel Patches  ·  sealedkey / pfsSKKey  ·  VTRM  ·  Bugs & Vulnerabilities  ·  Vulnerabilities  ·  SBL Kernel module  ·  Kernel Devices  ·  Registry  ·  Build Strings  ·  QA Flagging  ·  Strings Dumps & Strings Dumps Flash-Bridge  ·  Flash-Hub  ·  Flash-Main Strings Flash-Bridge/strings  ·  Flash-Hub/strings  ·  Flash-Main/strings Communication USB PS4cam-USB  ·  DS4-USB Bluetooth DS4-BT  ·  Audio-BT Wifi/LAN Online Connections Keys, Commands & Digests Activation AFV  ·  Activation ACF  ·  Bruteforcing  ·  Crypto / DRM  ·  Keys  ·  Fail Keys   ·  Digests  ·  Magics  ·  SMU Hashes  ·  --ee-hook  ·  SoftWareUpdater  ·  DualShock 4 HID Commands Emulation PS1 Emulation  ·  PS1 Classics Emulator Compatibility List  ·  PS2 Emulation  ·  PS2 Classics Emulator Compatibility List  ·  PSP Emulation  ·  PSP Emulator Compatibility List  ·  PS3 Emulation  ·  PS3 Emulator Compatibility List  ·  Sega Saturn Emulation  ·  Sega Saturn Emulator Compatibility List System Modules Dipsw libSceDipsw  ·  libSceLibcInternal  ·  libkernel  ·  libSceNpTrophy  ·  libSceRegMgr  ·  libSceRemoteplay  ·  libSceRtc  ·  libSceSaveData