Editing QA Flagging

Latest revision Your text
Line 1: Line 1:
{{Wikify}}
= QA Flag =
= QA Flag =
A QA flag is a value set in [[SC EEPROM]] at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.
A QA flag is a value set in [[SC EEPROM]] at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.


= QA Token =
= QA Token =
A QA token is an 80 byte value that determines amount of functionality on your console.
A QA token is a 80 byte value that determines amount of functionality on your console.
It is signed with a 20 byte SHA1 key then encrypted using AES256CBC. Please see the [[keys]] page.
It is signed with a 20 byte SHA1 key then encrypted using AES256CBC. Please see the [[keys]] page.


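Review bot: "signed with a 20 byte SHA1 key", carried on both sides of this hunk, does not say whether the 20 bytes are the key or the digest. The layout table lists a 0x14-byte digest and the 3.6x section calls it "the HMAC hash of the previous parts", so the sentence should name the construction (an HMAC with SHA-1 over the preceding fields, then AES-256-CBC encryption) and state which length it is quoting. The opening paragraph's "decrypted, this gets passed" is a comma splice worth splitting while the section is being touched.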
Line 10: Line 9:


<pre>
<pre>
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x22, 0x33,
 
0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB,
00000000  00 00 00 01 00 11 22 33 44 55 66 77 88 99 AA BB
0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x00, 0x00, 0x00,
00000010  CC DD EE FF 00 00 00 00 00 00 00 00 00 00 00 00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00000030  00 00 00 00 00 00 00 00 00 00 00 00 19 4A 4B BA
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00000040  15 97 AE 71 36 CC B6 65 7F C3 B5 3F 49 22 2F B1
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x19, 0x4A, 0x4B, 0xBA,
0x15, 0x97, 0xAE, 0x71, 0x36, 0xCC, 0xB6, 0x65,
0x7F, 0xC3, 0xB5, 0x3F, 0x49, 0x22, 0x2F, 0xB1
</pre>
</pre>


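Review bot: the dump has no caption saying that it shows the plaintext token layout with a placeholder IDPS (00 11 22 ... FF) rather than a real console's token. Both renderings hold the same 80 bytes; the offset-annotated form is the easier one to check against the layout table (version at 0x00, IDPS at 0x04, digest starting at 0x3C), so keep that form and add a one-line caption.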
Line 23: Line 25:
! Address !! Length !! Value !! Description
! Address !! Length !! Value !! Description
|-
|-
| 0x00 || 0x4 || 0x01 || QA-Flag Version
| 0x00 || 0x4 || 0x01 || Unknown (Static)
|-
| 0x04 || 0x10 || 0x00112233445566778899AABBCCDDEEFF || [[IDPS]]
|-
|-
| 0x14 || 0x20 || 0x00 || [[#Token Flags|Token Flags]]
| 0x04 || 0x14 || 0x112233445566778899AABBCCDDEEFF || [[IDPS]]
|-
|-
| 0x34 || 0x8 || 0x00 || padding
| 0x14 || 0x3C || 0x00 || [[#Token Flags|Token Flags]]
|-
|-
| 0x3C || 0x14 || 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 || digest
| 0x3C || 0x80 || 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 || digest
|}
|}


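Review bot: the Length column on the side that lists 0x14 for the IDPS, 0x3C for Token Flags and 0x80 for the digest cannot describe an 80-byte (0x50) token; those values look like end offsets or typos, while the other side's 0x4 + 0x10 + 0x20 + 0x8 + 0x14 adds up to exactly 0x50 and matches the dump. Two values need fixing whichever side is kept: the digest is written as 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1, which is 19 bytes and drops the B5 that the dump shows between C3 and 3F, and the IDPS written without its leading 00 is 15 bytes rather than 16.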
Line 39: Line 39:


== Token Flags ==
== Token Flags ==
The flags are a 32 (0x20) bytes value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.
The flags are a 40 byte value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.
 
<pre>
{|class="wikitable"
QA_FLAG_ALLOW_NON_QA = byte 0x33, bit 0
|-
QA_FLAG_FORCE_UPDATE = byte 0x33, bit 1
! Location !! Value (Binary OR assigned) !! Description
QA_FLAG_EXAM_API_ENABLE = byte 0x27, bit 0
|-
QA_FLAG_QA_MODE_ENABLE = byte 0x27, bit 2
| 0x14 byte(21) || 2 bytes || BDP CONTROL - Checked by appldr, isoldr.
</pre>
0x1 DEH_DEBUG_DISABLE<br>
0x2 DEX_DEBUG_DISABLE<br>
0x4 ALL_DEBUG_DISABLE<br>
0x8 DEH_BOOT_ENABLE<br>
0x10 DEX_BOOT_ENABLE<br>
0x20 CEX_BOOT_ENABLE<br>
0x40 ARCADE_BOOT_ENABLE
|-
| 0x16 byte(23) || 2 bytes || CONNECT_CONTROL - Checked by appldr, isoldr.
0x1 DEH_DEBUG_DISABLE<br>
0x2 DEX_DEBUG_DISABLE <br>
0x4 ALL_DEBUG_DISABLE<br>
0x8 DEH_BOOT_ENABLE <br>
0x10 DEX_BOOT_ENABLE <br>
0x20 CEX_BOOT_ENABLE <br>
0x40 ARCADE_BOOT_ENABLE<br>
|-
| 0x24 byte(36) || 0x1 / 0x2 / 0x4 / 0x8 || QA_FLAG_RESERVED_FOR_VSH
|-
| 0x24 byte(36) || 0x1 || QA_FLAG_RESERVED_FOR_VSH0
|-
| 0x24 byte(36) || 0x2 || QA_FLAG_RESERVED_FOR_VSH1
|-
| 0x24 byte(36) || 0x4 || QA_FLAG_RESERVED_FOR_VSH2
|-
| 0x24 byte(36) || 0x8 || QA_FLAG_RESERVED_FOR_VSH3
|-
| 0x27 byte(39) || 0x1 ||  QA_FLAG_EXAM_API_ENABLE
|-
| 0x27 byte(39) || 0x2 ||  QA_FLAG_QA_MODE_ENABLE
|-
| 0x2B byte(43) || 0x1 || System Debug (lv1ldr decrypts token and send it to lv0, lv0 sets sys.ac.sd repo node)
|-
| 0x2B byte(43) || 0x2 || LV2 System App Debug
|-
| 0x2C byte(44) || 0x9 || Advanced Token Flag!!
|-
| 0x2F byte(47) || 0x1 / 0x2 / 0x3 / 0x4 ||  QA-Token-Flag: (0x01 : Minimum) (0x02 : Advanced) (0x03 : undocumented)
|-
| 0x2F byte(47) || 0x1 || QA_FLAG_SPECIAL_I
it allows isoldr(and may be other loaders) to use second key_table
|-
| 0x2F byte(47) || 0x2 || QA_FLAG_ALLOW_TEST_APP
|-
| 0x2F byte(47) || 0x4 || QA_FLAG_ALLOW_REMOTE_SPAWN
internal mode(QA flag minimum or advanced): Allows lv2_kernel.self to run sys_init_osd.self, liblv2.sprx and sys_init_osd.self to run vsh.self and sys_audio.self from /app_home/
|-
| 0x33 byte(51) || 0x1 || QA_FLAG_ALLOW_NON_QA
special execution mode: Allows sys_init_osd.self to run either 2nd_image_writer.self or cellftp.self (copy_script.txt), setmonitor.self (monitor.conf) and lv2diag2.self to run from /dev_usb000/
<!-- there's also a 2nd way to launch lv2diag2.self and a way to launch /app_home/uinit_app.elf instead of sys_agent.self ???-->
|-
| 0x33 byte(51) || 0x2 || QA_FLAG_FORCE_UPDATE
updates to any firmware, ignoring version checks
|}


= Setting QA Flag & Token with Linux =
= Setting QA Flag & Token =


== Prerequisites ==
==Prerequisites==
*First you need to have linux installed on your PS3, you can have grafs kernel or glevands rework
*First you need to have linux installed on your PS3, you can have grafs kernel or glevands rework


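Review bot: QA_FLAG_QA_MODE_ENABLE is given as "byte 0x27, bit 2" in the preformatted list but as value 0x2 in the table row for 0x27; bit 2 is mask 0x4 and mask 0x2 is bit 1, so one of the two is wrong and the page should settle on either bit numbers or masks. The decimal in the Location column is also inconsistent: 0x14 byte(21) and 0x16 byte(23) are off by one, while 0x24 byte(36) through 0x33 byte(51) are exact conversions. On the size sentence, 32 (0x20) bytes is the figure that agrees with a flags field running from 0x14 to 0x33, the highest flag byte listed.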
Line 118: Line 64:
  Type it into my app in the format I provided, click the button, and run that command. Should work.  
  Type it into my app in the format I provided, click the button, and run that command. Should work.  
  [http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
  [http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[https://mega.co.nz/#!ogMSUADB!WF274UWZDKIszA-5hwkTPgfVL5FOq8KuZ_k52o82564 Tokenator mirror(with src included)]
  [http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]
  [http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]


== Procedure ==
==Procedure==


=== Getting the info ===
===Getting the info===
First you need your IDPS. Obtain this using ps3dm_aim.
First you need you IDPS
 
the easyest way is using graf aim


<pre>
<pre>
# ./ps3dm_aim /dev/ps3dmproxy get_dev_id
./ps3dm_aim /dev/ps3dmproxy get_dev_id
</pre>
</pre>


Write it down and load it using Slynk's Tokenator app.
Write it down and load it on the Tokenator app
 
It will give you the command you should use in linux + your encrypted token
 
something like this


It will give you the command you should use in linux + your encrypted token. The tool should output something like this:
<pre>
<pre>
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
</pre>
</pre>


=== Setting the flag ===
===Setting the flag===


<pre>
<pre>
./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00
ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00
</pre>
</pre>
(you may skip this step, because UM set_token takes care of it)


=== Setting the token ===
===Setting the token===
Just copy paste the command you got from tokenator
Just copy paste the command you got from tokenator
<pre>
<pre>
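Review bot: the write_eprom step writes 0x00 to 0x48C0A without saying whether 0x00 is the enabled or the disabled value, and the intro only says "when this flag is set"; state the meaning of the byte next to the command, and keep the remark that set_token already takes care of it so readers do not write the EEPROM twice. The command prefix should also be uniform: this step appears both with and without ./, and get_dev_id appears with and without a leading # prompt. For the Tokenator downloads, a published SHA-256 next to each mirror would let readers confirm that a mirror matches the original archive.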
Line 151: Line 100:
'''Congrats now you ps3 is QA flagged'''
'''Congrats now you ps3 is QA flagged'''
'''Reboot'''
'''Reboot'''
===Getting the QA flag menu===
Set yoursef on network settings and press the weired combo
<pre>
L2+R2+L1+R1+L3(this means pressing you left analog stick)+dpad_down
</pre>


=== Getting the QA flag menu ===
Now you will be able to see the QA menu
Set your cursor '''on''' (not ''in'') Network Settings and press the key combo (all at the same time): {{dpadd}} + {{padl1}} + {{padl2}} + {{padr1}} + {{padr2}} + {{padl3}}


You should see Edy Viewer, Debug Settings, and Install Package Files if done correctly.
This token allow
 
= Setting QA Flag & Token with Grafs Payload =
You can follow this tutorial to set the flag and token and then get the menu with the combo needed
[http://www.ps3devwiki.com/index.php?title=Graf%27s_PSGroove_Payload#Setting_QA_Mode GrafPayload]
 
= GameOS app to QA flag =
 
== Glevand's QA flagging tools ==
 
[http://wiki.gitbrew.org/index.php/QA_Flagging_Tools QA_Flagging_Tools]:
*Source : git://git.gitbrew.org/ps3/otheros-utils/qa_flag.git
*Prebuild packages :
http://store.brewology.com/ahomebrew.php?brewid=214
 
**[http://gitbrew.org/~glevand/ps3/pkgs/qa_flag.pkg qa_flag.pkg] // (mirror:[http://www.multiupload.com/P5Q2R5R1YG qa_flag.pkg (69.92 KB)]) (to enable QA)
**[http://gitbrew.org/~glevand/ps3/pkgs/qa_flag_extra.pkg qa_flag_extra.pkg] // (mirror:[http://psx-scene.com/forums/attachments/f177/37188d1345489767-help-finding-qa-flag-extra-qa_flag_extra.pkg qa_flag_extra.pkg (69.98 KB)]) (to enable QA with downgrade)
**[http://gitbrew.org/~glevand/ps3/pkgs/reset_qa_flag.pkg reset_qa_flag.pkg] // (mirrors: [http://www.multiupload.com/VEUMEDINGU] [http://www.multiupload.nl/QGB1Z6W5U9]) (to reset the QA flags back to default - virtually ''never'' needed, there is '''''no benefit removing it''''')
**[http://gitbrew.org/~glevand/ps3/pkgs/get_token_seed.pkg get_token_seed.pkg] // (mirror:[http://www.multiupload.com/G8GBEIABKT get_token_seed.pkg (59.73 KB)])
**[http://gitbrew.org/~glevand/ps3/pkgs/get_applicable_version.pkg get_applicable_version.pkg] // (mirror:[http://www.multiupload.com/GXERV38F5A get_applicable_version.pkg (69.3 KB)])  (to get the low/high version lock via Debug UDP)
 
== Alternative ==
 
This is a work in progress, it should already work, but feel free to review the code and improve it
 
[http://pastie.org/2105541 source]
[http://pastie.org/2105567 Makefile]
 
based on [http://git.gitbrew.org/ps3/?p=otheros-utils/product_mode_toggle.git;a=tree;hb=312c21d8ee297e0225ca2495aeefef5cd07d034b Product Mode Toogle]
 
== Toggle QA - rebug.me ==
qa-toggle.pkg
CRC-16: 032F
CRC-32 (Ethernet and PKZIP): D0DC4C0F
SHA-1: 9B5C215E50B4DEC02E6171B0252A977DD599E3BA
SHA-256: 845BCE0134A6DF6CF1966F2D4D4F8380DEF121ACA7AB1FA022B73A8F5E9FEEA3
SHA-384: A791A022F879C972CDBD85A26AF32FDAEF25D32FA28CA47F55AFFAA471EACD1EC6D2761CD4E0E92D93F11A7002AAC281
SHA-512:  D3CA8DC93019181B0FD30B9618264F5C5CB8559F7AF1A4C2353AB5DBFD8B2FD4AD0EA63E2140E73F63D57E2252FB7DEAC53FA2B36919B703A477540D08C13EF9
MD-2: 5262E62B55CE972F5E58A13657B4143E
MD-4: D6C9A681F0605C6AACBC61EDB7D43DD5
MD-5: FB11BEC5A0DDE6600BAEE0CC36742D54
 
Needs mmap114 lv1 patch + lv2 peek&poke MFW 3.41 or 3.55 (all other patches are done on the fly, when needed) - 3.15 will NOT work (blackscreen lock)
 
This is compatible with Kmeaw CFW and {{RogeroFirmware}}.
 
http://rebug.me/?p=1358 / backup/mirror : [http://www.mediafire.com/download/jjb74lyoe4irzn8/toggle_qa.pkg toggle_qa.pkg (94.22 KB)]
 
other mirrors:
* {{google|FB11BEC5A0DDE6600BAEE0CC36742D54}}


=QA Flags Features=
=QA Flags Features=
{{QA Flag Features}}
===Debug Menu settings not in Retail/CEX QA===
{{Debug Menu settings not in Retail/CEX QA}}
==Install Package Files==
Will install all package files found on the root of the USB stick sequentially in alphabetical order until an installation of a package is aborted or fails for any reason.  It will work only with properly signed packages.  Unlike the Install Package File function in the Game menu the .pkg extension name is not case sensitive.
Option present in FW 1.02 and above.
As on DEX/DECH Stations is already a "Install Package Files" function, no new icon is added, but the ability to install retail packages via the "game column" "Install Package Files".
=On 3.6x Firmwares=
As we know Sony has <strike>taken QA Flag away</strike> changed the Auth for QA-flag on 3.6x Firmwares. Until someone changes it to work with the new method (which doesnt work on the old), your QA Flag will not work on 3.6x.
From 3.60 Sony added a new step in the authentication process in the [[Iso module]]  "spu_token_processor.self".
This new step is a digital signature verification using ECDSA ("Elliptic Curve Digital Signature Algorithm").
The old token, the IDPS taked from the machine, the version of the Token (1), the array of flags, and the HMAC hash of the previous parts, remains valid as such.
No key (AES, HMAC) were changed in the new module.
However, after the decryption of the token, [[IDPS]] and verification of the machine with which it has the token performs a digital signature verification of all encrypted token (0x50 bytes).
This performs a SHA-1 hash of the entire token (like Sony performed at the time of the digital signature) and passes to check the signature, if it validates the token is considered authentic and returned both encrypted as decrypted (this with the hash hmac set to 0), as happened in 3.56 and lower.
In the event that the digital signature fails, consider that the token is not valid, as would happen if the token decryption fails, or any of your previous checks (HMAC computed with token bearing the token, the [[IDPS]] , ...).
In this case it will return an empty buffer (instead of the decrypted token) and one with a token prepared but without any active flag, or indeed with any digital signature, as happened in 3.56 and lower.
In short it is not possible to put a machine QA in firmware 3.60 and higher unless you are patching the module (thus only work in that customized firmware), or getting a whole token and a valid digital signature for.
Given that the token varies by the [[IDPS]] to prevent universal token exists, only the IDPS should know that token, and change the [[IDPS]] of section one of [[Flash#EID0_-_Section_0|EID0]] (which is what the [[Iso module]] checks), but this could have unintended consequences in some cases.
= QA Downgrading =
Crossreference: [http://portal.gitbrew.org/wikibrew/PS3:Downgrade gitbrew.org PS3:Downgrade] <br />
== Notes ==
These tools COULD format your ps3. (which means Any and ALL psn / downloaded data could be erased)
note: several people noted that they did not suffer from dataloss even after several downgrades, but its good measure to backup before downgrading (esp. ACT.DAT which DO get erased)
== Tools Needed ==
*[http://git.gitbrew.org/~glevand/public/CFW355-OTHEROS++-SPECIAL.PUP CFW355-OTHEROS++-SPECIAL.PUP] // (mirror:[http://www.multiupload.com/UITB9EY84F CFW355-OTHEROS++-SPECIAL.PUP (170.64 MB)] / http://www.mirrorcreator.com/files/TTL1FPNF/CFW355-OTHEROS__-SPECIAL.PUP_links) - QA Flag CFW with SS patches, Can be used to downgrade your ps3 from 3.55 to lower firmwares.
**[http://gitbrew.org/~glevand/ps3/pkgs/qa_flag_extra.pkg qa_flag_extra.pkg] // (mirror:[http://www.multiupload.com/KAGDSQ9QG9 qa_flag_extra.pkg (69.98 KB)]) (to enable QA with downgrade)
*Firmware you want to downgrade to. (3.41, 3.15)
== Installation Process ==
1. Install CFW355-OTHEROS++-SPECIAL.pup (Doesn't matter what version you are. 3.55 and lower ONLY.)
2. Install qa_flag_extra.pkg
3. Run qa_flag (It will show up as this, that is fine)
4. If you hear the beeps, continue. If you do not hear beeping, come to irc.
5. Reboot
6. Go into recovery menu and Update your ps3 with the firmware that you want (3.15, 3.41 etc)
7. have it install
And now you're done. You just successfully downgraded your ps3.
==User Submitted Videos==
http://www.youtube.com/watch?v=ZLk3dq944-s - QA Downgrade
== Known Issues with QA flag / QA downgrades ==
=== act.dat (PSN activation) gets deleted ===
Make sure you backup the file before enabling QA-extra flag and downgrade. There have been reports of ACT.DAT ("home/000000XX/exdata/act.dat") get's deleted. So make sure to backup that entire folder before flagging/downgrading.
* http://rebug.me/xreg-plus-v1-0/
* http://www.maxconsole.com/maxcon_forums/threads/270400-Restore-act-dat-Homebrew-to-help-with-copying-your-PSN-activation-files!
= Useful links =
* https://rmscrypt.wordpress.com/


==Token seed byte 48=0x02==
===Edy viewer===
Payment service in japan
more info [http://manuals.playstation.net/document/en/ps3/current/settings/edyviewer.html Edy viewer]
===Debug Settings===
{|class="wikitable"
|-
! Setting !! Value !! Description
|-
| DTCP-IP || on-off||
|-
| ATRAC || on/off ||
|-
| WMA || on/off ||
|-
| NP Enviroment || enviroment||
|-
| Fake Free Space (for CEX)|| on/off ||
|-
| Fake Limit Size || X MB ||
|-
| NP Debug || on/off ||
|-
| NPDRM Debug || on/off ||
|-
| Edy Debug || on/off ||
|-
| Nav-only NP || on/off ||
|-
| Cdda Server || Production/? ||
|-
| Crash Report || on/off ||
|-
| Crash reporter Status || Ready/Busy/Never be calles ||
|-
| VSH Crash Dump Generator || on/off ||
|-
| System Update Debug || on/off ||
|-
| Information Board QA Server || on/off ||
|-
| Format Marlin Personal Data || ? ||
|-
| PlaystationRStore Ad Clock || on/off ||
|-
| Geo Filtering for PlaystationRStore || ? ||
|-
| Remove Game License || ? ||
|-
| Home Debug || on/off ||
|-
| Delete Trophy Personal Data || ? ||
|-
| GameUpdate Impose Test || on/off ||
|-
| Network Emulation Setting || on/off ||
|-
| Auto-Off Debug || on/off ||
|-
| NAT Traversal Information || on/off ||
|-
| Internet Browser Debug || on/off ||
|-
| SMSS REsult Output || on/off ||
|-
| Adhoc SSID Prefix || PSP/? ||
|-
| Disc Auto-Start at System Startup || ||
|-
| 3D Video Output || Automatic/On ||
|-
| Fake NP SNS Throttle || Off (60 sec)/ On (0,10,120,2600,closed)||
|-
| Debug for HDD Exchange Utility || ||
|-
| Push Console Binding || on/off||
|-
| Automatic Download || on/off ||
|-
| Motion Controller Calibration Result || ||
|}


{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
===Install Package Files===
Will install the first package it finds on the root of the USB stick
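Review bot: the "other mirrors" entry for qa-toggle.pkg searches by the MD-5 value, and MD5 (like the CRC, MD-2, MD-4 and SHA-1 lines above it) is not collision resistant, so a file found that way should be checked against the SHA-256 line before it is installed; say so next to the mirror link and consider trimming the list to SHA-256. In the same hunk the Install Package Files text exists in two versions that contradict each other ("all package files ... sequentially in alphabetical order" versus "the first package it finds"); keep one and tie it to a firmware version.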