Editing Talk:QA Flagging

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
----
----


== Debug output ==


The qa flag has some options to enable some debug output.
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo
<pre>
/*
* Based on glevands product mode toogle
* PsiCoLeO 2011
*/


Does anybody know or has an idea about:
/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/


*In real life how does /sony/ retrieve the debug information? do they use proDG?
#include <stdio.h>
**So does it open the required ports to connect using prodg?
#include <string.h>
#include <unistd.h>


#include <psl1ght/lv2/net.h>


#include <lv2_syscall.h>
#include <udp_printf.h>
#define UPDATE_MGR_PACKET_ID_READ_EPROM    0x600b
#define UPDATE_MGR_PACKET_ID_WRITE_EPROM  0x600c
#define EPROM_QA_FLAG_OFFSET        0x48c0a
#define EPROM_QA_Token_OFFSET        0x48D3E
/*
* Set your encrypted token
* Calculated with Slynk Tokenator
*/
static uint8_t qa_token[0x50] =
{
  0xF6, 0x58, 0xDB, 0xAC, 0x63, 0xEB, 0x47, 0x99, 0xE2, 0x63,
  0xC0, 0x10, 0x66, 0x42, 0x3D, 0xF7, 0x34, 0x29, 0x90, 0x61,
  0x23, 0xED, 0x89, 0xEC, 0x21, 0x9E, 0xE2, 0x8B, 0x83, 0xF9,
  0x87, 0x2F, 0x32, 0x50, 0xEC, 0xC3, 0xD0, 0x3D, 0xEA, 0x6E,
  0x14, 0xE0, 0x81, 0xA2, 0x67, 0xCE, 0x86, 0xF7, 0x7A, 0xFE,
  0xDF, 0x11, 0xAB, 0x39, 0xE1, 0xCE, 0x57, 0x06, 0x42, 0xC0,
  0x2B, 0xB2, 0x3F, 0x49, 0x04, 0xC7, 0xE7, 0x58, 0x70, 0x19,
  0x6A, 0xF1, 0xE4, 0x94, 0x32, 0x36, 0x61, 0xB0, 0xA6, 0xB5,
};


if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo


----
/*
* main
*/
int main(int argc, char **argv)
{
  uint8_t value;
  int result;
  int n;


  netInitialize();


Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
  udp_printf_init();
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
[http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]


----
  PRINTF("%s:%d: start\n", __func__, __LINE__);


  result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_READ_EPROM,
    EPROM_QA_FLAG_OFFSET, (uint64_t) &value, 0, 0, 0, 0);
  if (result) {
    PRINTF("%s:%d: lv1_ss_update_mgr_if(READ_EPROM) failed (0x%08x)\n",
      __func__, __LINE__, result);
    goto done;
  }


button combo: L2+R2+L1+R1+L3+dpad_down
  PRINTF("%s:%d: current qa flag mode 0x%02x\n", __func__, __LINE__, value);
index0: 0x00
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08)
index3: 0x42 (L3 0x02 + dpad_down 0x40)  


* Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
  if (value == 0xff) {
* Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade)
    /* enable */
* undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented)


QA-Flag:
    PRINTF("%s:%d: enabling qa flag mode\n", __func__, __LINE__);
* 0x01 : Minimum
* 0x02 : Advanced
* 0x03 : undocumented2
----


    value = 0x0;


vsh.self checks pad combo
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  } else {
    /* disable */


sys_init_osd.self checks QA-seed/token
    PRINTF("%s:%d: disabling qa flag mode\n", __func__, __LINE__);


    value = 0xff;


----
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
another token generator (compile together with f0f tools)
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
<pre>#include <sys/types.h>
    if (result) {
#include <sys/mman.h>
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
#include <stdio.h>
        __func__, __LINE__, result);
#include <fcntl.h>
      goto done;
#include <unistd.h>
    }
#include <sys/stat.h>
  }
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>


#include "tools.h"
  PRINTF("%s:%d: end\n", __func__, __LINE__);
#include "aes.h"
#include "sha1.h"


static u8 *token_encrypted = NULL;
  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);
 
  /* Setting the QA token */
  for ( n=0 ; n<80 ; n++ )
  {
    PRINTF("Setting QA token bit\n");


static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
    value = qa_token[n];
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};


static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_Token_OFFSET+n, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
  }


static FILE *out = NULL;
  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);


done:


  udp_printf_deinit();


int main(int argc, char *argv[])
  netDeinitialize();
{
u8 tmp[0x50];
if (argc != 3)
fail("usage: gen_qa encrypted_dummy_token.bin out.bin");


token_encrypted = mmap_file(argv[1]);
  return 0;
}
</pre>


//decrypt
aes256cbc(key, iv, token_encrypted, 0x50, tmp);


//set qa
----
memset(tmp+0x2f,0x02,1);


//recalc digest
sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);


//encrypt
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
aes256cbc_enc(key, iv, tmp, 0x50, tmp);
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
[http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]


out = fopen(argv[2], "w+");
----
fwrite(tmp, 0x50, 1, out);


fclose(out);


return 0;
button combo: L2+R2+L1+R1+L3+dpad_down
}
index0: 0x00
</pre>
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08)
index3: 0x42 (L3 0x02 + dpad_down 0x40)


Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
----
----
==changes in HV==
 
sysmgr_ss.fself runs in process 10 instead of 9. <s>its quite different compared to retail proc 9</s>.<br>
 
you can extract the processes in your hv dump with this python script:<br>
vsh.self checks pad combo
http://git.dashhacks.com/hvdev/hv-tools/blobs/master/hv_proc_extract.py
 
sys_init_osd.self checks QA-seed/token
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/ps3/Talk:QA_Flagging"