QA Flagging
QA Flag
A QA flag is a value set in SC EEPROM at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.
QA Token
A QA token is a 80 byte value that determines amount of functionality on your console. It is signed with a 20 byte SHA1 key then encrypted using AES256CBC. Please see the keys page.
Unencrypted Token Structure
0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x4A, 0x4B, 0xBA, 0x15, 0x97, 0xAE, 0x71, 0x36, 0xCC, 0xB6, 0x65, 0x7F, 0xC3, 0xB5, 0x3F, 0x49, 0x22, 0x2F, 0xB1
| Address | Length | Value | Description |
|---|---|---|---|
| 0x00 | 0x4 | 0x01 | Unknown (Static) |
| 0x04 | 0x14 | 0x112233445566778899AABBCCDDEEFF | IDPS |
| 0x14 | 0x3C | 0x00 | Token Flags |
| 0x3C | 0x80 | 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 | digest |
Encrypted Token
The entire token is then encrypted with AES256CBC. You will find the keys on the keys page. This is then stored on SC EEPROM at 0x48D3E
Token Flags
The flags are a 40 byte value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.
| Location | Value (Binary OR assigned) | Description |
|---|---|---|
| 0x27 byte(39) | 0x1 | QA_FLAG_FORCE_UPDATE |
| 0x27 byte(39) | 0x2 | QA_FLAG_QA_MODE_ENABLE |
| 0x2C byte(44) | ? | Advanced Token Flag? |
| 0x2F byte(47) | 0x1/0x2/0x3 | QA-Token-Flag: (0x01 : Minimum) (0x02 : Advanced) (0x03 : undocumented) |
| 0x2F byte(47) | 0x4 | checked by lv2_kernel.self and sys_init_osd.self maybe allows sys_init_osd.self to run from /app_home |
| 0x33 byte(51) | 0x1 | QA_FLAG_ALLOW_NON_QA |
| 0x33 byte(51) | 0x2 | QA_FLAG_FORCE_UPDATE |
Setting QA Flag & Token with Linux
Prerequisites
- First you need to have linux installed on your PS3, you can have grafs kernel or glevands rework
If you are using glevand´s kernel you will have to first enable the require module
modprobe ps3dmproxy
- Then you will have to have the latest ps3dm-utils you can get from gitbrew or here you have a precompiled ps3dm_um ps3dm_aim
and you will need Slynk tools
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). Type it into my app in the format I provided, click the button, and run that command. Should work. Tokenator.7z (26.42 KB) Slynk
Procedure
Getting the info
First you need your IDPS. Obtain this using ps3dm_aim.
# ./ps3dm_aim /dev/ps3dmproxy get_dev_id
Write it down and load it using Slynk's Tokenator app.
It will give you the command you should use in linux + your encrypted token. The tool should output something like this:
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
Setting the flag
./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00
(you may skip this step, because UM set_token takes care of it)
Setting the token
Just copy paste the command you got from tokenator
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
Congrats now you ps3 is QA flagged Reboot
Set your cursor on Network Settings and press the key combo:
L2+R2+L1+R1+L3(this means pressing you left analog stick)+dpad_down
You should see Edy Viewer, Debug Settings, and Install Package Files if done correctly.
Setting QA Flag & Token with Grafs Payload
You can follow this tutorial to set the flag and token and then get the menu with the combo needed GrafPayload
GameOS app to QA flag
Glevand's QA flagging tools
- Prebuild packages :
- qa_flag.pkg (basic QA flag)
- qa_flag_extra.pkg (extra QA flag, e.g. for downgrade in Recovery)
- reset_qa_flag.pkg (resets to non QA-flag)
- get_token_seed.pkg (debug prints the token seed)
- get_applicable_version.pkg (shows min/max FW)
Alternative
This is a work in progress, it should already work, but feel free to review the code and improve it
based on Product Mode Toogle
QA Flags Features
Token seed byte 48=0x02
Edy viewer
Payment service in japan more info Edy viewer
Debug Settings
| Setting | Value | Description |
|---|---|---|
| DTCP-IP | on-off | Digital Transmission Content Protection over Internet Protocol, a specification for copy protection of copyrighted content that is transferred over digital interfaces in home networks that adhere to IP. Allows you to turn it on or off for PS3. |
| ATRAC | on/off | Adaptive TRansform Acoustic Coding is a family of proprietary audio compression algorithms developed by Sony. Allows you to enable or disable ATRAC playback for your PS3 system. |
| WMA | on/off | Windows Media Audio is an audio data compression technology developed by Microsoft. Allows you to enable or disable WMA playback for your PS3 system. |
| NP Enviroment | enviroment | Allows you to change which environment your PS3 connects. Known enviroments are: C1-NP, D2-NP, D2-PMGT, D2-PQA, D2-SPINT, D3-NP, D3-PMGT, D3-PQA, D3-SPINT, D-NP, D-PMGT, D-PQA, D-SPINT, EI-NP, EI-PMGT, EI-PQA, EI-SPINT, HF, HF-NP, HF-PMGT, HF-PQA, HF-SPINT, H-NP, H-PMGT, H-PQA, H-SPINT, MGMT (Management), NP (Retail), PMGT, PQA, PROD-QA (Quality Assurance), Q2, Q2-NP, Q2-PMGT, Q2-PQA, Q2-SPINT, Q-NP, Q-PMGT, Q-PQA, Q-SPINT, RC, RC-NP, R-NP, R-PMGT, R-PQA, R-SPINT, SP-INT (Developer). There might be even more of different environments. See Environments |
| Fake Free Space (for CEX) | on/off | Use with Fake Limit Size to artificially set the free space on the PS3. |
| Fake Limit Size | X MB | Amount of free space left (in MB). |
| NP Debug | on/off | |
| NPDRM Debug | on/off | |
| Edy Debug | on/off | Edy is a payment service in Japan, allows you to enable or disable debugging for Edy Viewer. |
| Nav-only NP | on/off | |
| Cdda Server | Production/Evaluation | |
| Crash Report | on/off | |
| Crash reporter Status | Ready/Busy/Never be called | |
| VSH Crash Dump Generator | on/off | |
| System Update Debug | on/off | Allows you to enable or disable system update debug, which lets you to downgrade with official Sony update manager. |
| Information Board QA Server | on/off | |
| Format Marlin Personal Data | ? | This appears to be related to Marlin DRM possibly for multimedia use. |
| PlaystationRStore Ad Clock | on/off | |
| Geo Filtering for PlaystationRStore | Normal/Always Succeed/Always Fail | |
| Remove Game License | ? | |
| Home Debug | on/off | |
| Delete Trophy Personal Data | ? | |
| GameUpdate Impose Test | on/off | |
| Network Emulation Setting | on/off | |
| Auto-Off Debug | on/off | |
| WLAN Device | on/off | |
| NAT Traversal Information | on/off | |
| Internet Browser Debug | on/off | |
| SMSS Result Output | on/off | |
| Adhoc SSID Prefix | PSP/? | |
| Disc Auto-Start at System Startup | on/off | Allows you to start disc in-drive automatically when you start system on. |
| 3D Video Output | Automatic/On | Allows you to set 3D Video Output automatic or always on. |
| Fake NP SNS Throttle | Off (60 sec)/ On (0,10,120,3600,closed) | |
| Debug for HDD Exchange Utility | ||
| Fake Plus | on/off | |
| Push Console Binding | on/off | |
| Automatic Download | on/off | Set automatic download on or off. There's not info available what this does change. May be automatic system updates! |
| Motion Controller Calibration Result | on/off | Shows lastest results from motion controller calibration. |
| VideoEditor Delete Preset BGM |
Install Package Files
Will install all package files found on the root of the USB stick sequentially in alphabetical order until an installation of a package is aborted or fails for any reason. It will work only with properly signed packages. Unlike the Install Package File function in the Game menu the .pkg extension name is not case sensitive.
On 3.6x Firmwares
As we know Sony has taken QA Flag away changed the Auth for QA-flag on 3.6x Firmwares. Until someone changes it to work with the new method (which doesnt work on the old), your QA Flag will not work on 3.6x.