Editing Talk:QA Flagging

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 14: Line 14:
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo
<pre>
/*
* Based on glevands product mode toogle
* PsiCoLeO 2011
*/


----
/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/


#include <stdio.h>
#include <string.h>
#include <unistd.h>


Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
#include <psl1ght/lv2/net.h>
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
[http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]


----
#include <lv2_syscall.h>
#include <udp_printf.h>


#define UPDATE_MGR_PACKET_ID_READ_EPROM    0x600b
#define UPDATE_MGR_PACKET_ID_WRITE_EPROM  0x600c
#define EPROM_QA_FLAG_OFFSET        0x48c0a
#define EPROM_QA_Token_OFFSET        0x48D3E


button combo: L2+R2+L1+R1+L3+dpad_down
/*
  index0: 0x00
  * Set your encrypted token
  index1: 0x00
  * Calculated with Slynk Tokenator
  index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08)
  */
index3: 0x42 (L3 0x02 + dpad_down 0x40)
static uint8_t qa_token[0x50] =
{
  0xF6, 0x58, 0xDB, 0xAC, 0x63, 0xEB, 0x47, 0x99, 0xE2, 0x63,
  0xC0, 0x10, 0x66, 0x42, 0x3D, 0xF7, 0x34, 0x29, 0x90, 0x61,
  0x23, 0xED, 0x89, 0xEC, 0x21, 0x9E, 0xE2, 0x8B, 0x83, 0xF9,
  0x87, 0x2F, 0x32, 0x50, 0xEC, 0xC3, 0xD0, 0x3D, 0xEA, 0x6E,
  0x14, 0xE0, 0x81, 0xA2, 0x67, 0xCE, 0x86, 0xF7, 0x7A, 0xFE,
  0xDF, 0x11, 0xAB, 0x39, 0xE1, 0xCE, 0x57, 0x06, 0x42, 0xC0,
  0x2B, 0xB2, 0x3F, 0x49, 0x04, 0xC7, 0xE7, 0x58, 0x70, 0x19,
  0x6A, 0xF1, 0xE4, 0x94, 0x32, 0x36, 0x61, 0xB0, 0xA6, 0xB5,
};


* Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
* Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade)
* undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented)


QA-Flag:
/*
* 0x01 : Minimum
* main
* 0x02 : Advanced
*/
* 0x03 : undocumented2
int main(int argc, char **argv)
----
{
  uint8_t value;
  int result;
  int n;


  netInitialize();


vsh.self checks pad combo
  udp_printf_init();


sys_init_osd.self checks QA-seed/token
  PRINTF("%s:%d: start\n", __func__, __LINE__);


  result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_READ_EPROM,
    EPROM_QA_FLAG_OFFSET, (uint64_t) &value, 0, 0, 0, 0);
  if (result) {
    PRINTF("%s:%d: lv1_ss_update_mgr_if(READ_EPROM) failed (0x%08x)\n",
      __func__, __LINE__, result);
    goto done;
  }


----
  PRINTF("%s:%d: current qa flag mode 0x%02x\n", __func__, __LINE__, value);
another token generator (compile together with f0f tools)
<pre>#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>


#include "tools.h"
  if (value == 0xff) {
#include "aes.h"
    /* enable */
#include "sha1.h"


static u8 *token_encrypted = NULL;
    PRINTF("%s:%d: enabling qa flag mode\n", __func__, __LINE__);


static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
    value = 0x0;
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};


static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  } else {
    /* disable */


static FILE *out = NULL;
    PRINTF("%s:%d: disabling qa flag mode\n", __func__, __LINE__);


    value = 0xff;


    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  }


int main(int argc, char *argv[])
  PRINTF("%s:%d: end\n", __func__, __LINE__);
{
u8 tmp[0x50];
if (argc != 3)
fail("usage: gen_qa encrypted_dummy_token.bin out.bin");


token_encrypted = mmap_file(argv[1]);
  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);
 
  /* Setting the QA token */
  for ( n=0 ; n<80 ; n++ )
  {
    PRINTF("Setting QA token bit\n");


//decrypt
    value = qa_token[n];
aes256cbc(key, iv, token_encrypted, 0x50, tmp);


//set qa
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
memset(tmp+0x2f,0x02,1);
      EPROM_QA_Token_OFFSET+n, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
  }


//recalc digest
  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);
sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);


//encrypt
done:
aes256cbc_enc(key, iv, tmp, 0x50, tmp);


out = fopen(argv[2], "w+");
  udp_printf_deinit();
fwrite(tmp, 0x50, 1, out);


fclose(out);
  netDeinitialize();


return 0;
  return 0;
}
}
</pre>
</pre>


----
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
[http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]
----
button combo: L2+R2+L1+R1+L3+dpad_down
index0: 0x00
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08)
index3: 0x42 (L3 0x02 + dpad_down 0x40)
Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
----
----
==changes in HV==
 
sysmgr_ss.fself runs in process 10 instead of 9. <s>its quite different compared to retail proc 9</s>.<br>
 
you can extract the processes in your hv dump with this python script:<br>
vsh.self checks pad combo
http://git.dashhacks.com/hvdev/hv-tools/blobs/master/hv_proc_extract.py
 
sys_init_osd.self checks QA-seed/token
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/ps3/Talk:QA_Flagging"