Talk:QA Flagging: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(added a discussion about the debug output)
 
(5 intermediate revisions by 3 users not shown)
Line 14: Line 14:
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo
<pre>
/*
* Based on glevands product mode toogle
* PsiCoLeO 2011
*/


/*
----
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/


#include <stdio.h>
#include <string.h>
#include <unistd.h>


#include <psl1ght/lv2/net.h>
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
[http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]


#include <lv2_syscall.h>
----
#include <udp_printf.h>


#define UPDATE_MGR_PACKET_ID_READ_EPROM    0x600b
#define UPDATE_MGR_PACKET_ID_WRITE_EPROM  0x600c
#define EPROM_QA_FLAG_OFFSET        0x48c0a
#define EPROM_QA_Token_OFFSET        0x48D3E


/*
button combo: L2+R2+L1+R1+L3+dpad_down
  * Set your encrypted token
  index0: 0x00
  * Calculated with Slynk Tokenator
  index1: 0x00
  */
  index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08)
static uint8_t qa_token[0x50] =
index3: 0x42 (L3 0x02 + dpad_down 0x40)
{
  0xF6, 0x58, 0xDB, 0xAC, 0x63, 0xEB, 0x47, 0x99, 0xE2, 0x63,
  0xC0, 0x10, 0x66, 0x42, 0x3D, 0xF7, 0x34, 0x29, 0x90, 0x61,
  0x23, 0xED, 0x89, 0xEC, 0x21, 0x9E, 0xE2, 0x8B, 0x83, 0xF9,
  0x87, 0x2F, 0x32, 0x50, 0xEC, 0xC3, 0xD0, 0x3D, 0xEA, 0x6E,
  0x14, 0xE0, 0x81, 0xA2, 0x67, 0xCE, 0x86, 0xF7, 0x7A, 0xFE,
  0xDF, 0x11, 0xAB, 0x39, 0xE1, 0xCE, 0x57, 0x06, 0x42, 0xC0,
  0x2B, 0xB2, 0x3F, 0x49, 0x04, 0xC7, 0xE7, 0x58, 0x70, 0x19,
  0x6A, 0xF1, 0xE4, 0x94, 0x32, 0x36, 0x61, 0xB0, 0xA6, 0xB5,
};


* Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
* Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade)
* undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented)


/*
QA-Flag:
* main
* 0x01 : Minimum
*/
* 0x02 : Advanced
int main(int argc, char **argv)
* 0x03 : undocumented2
{
----
  uint8_t value;
  int result;
  int n;


  netInitialize();


  udp_printf_init();
vsh.self checks pad combo


  PRINTF("%s:%d: start\n", __func__, __LINE__);
sys_init_osd.self checks QA-seed/token


  result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_READ_EPROM,
    EPROM_QA_FLAG_OFFSET, (uint64_t) &value, 0, 0, 0, 0);
  if (result) {
    PRINTF("%s:%d: lv1_ss_update_mgr_if(READ_EPROM) failed (0x%08x)\n",
      __func__, __LINE__, result);
    goto done;
  }


  PRINTF("%s:%d: current qa flag mode 0x%02x\n", __func__, __LINE__, value);
----
another token generator (compile together with f0f tools)
<pre>#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>


  if (value == 0xff) {
#include "tools.h"
    /* enable */
#include "aes.h"
#include "sha1.h"


    PRINTF("%s:%d: enabling qa flag mode\n", __func__, __LINE__);
static u8 *token_encrypted = NULL;


    value = 0x0;
static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};


    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  } else {
    /* disable */


    PRINTF("%s:%d: disabling qa flag mode\n", __func__, __LINE__);
static FILE *out = NULL;


    value = 0xff;


    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  }


  PRINTF("%s:%d: end\n", __func__, __LINE__);
int main(int argc, char *argv[])
{
u8 tmp[0x50];
if (argc != 3)
fail("usage: gen_qa encrypted_dummy_token.bin out.bin");


  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);
token_encrypted = mmap_file(argv[1]);
 
  /* Setting the QA token */
  for ( n=0 ; n<80 ; n++ )
  {
    PRINTF("Setting QA token bit\n");


    value = qa_token[n];
//decrypt
aes256cbc(key, iv, token_encrypted, 0x50, tmp);


    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
//set qa
      EPROM_QA_Token_OFFSET+n, value, 0, 0, 0, 0);
memset(tmp+0x2f,0x02,1);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
  }


  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);
//recalc digest
sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);


done:
//encrypt
aes256cbc_enc(key, iv, tmp, 0x50, tmp);


  udp_printf_deinit();
out = fopen(argv[2], "w+");
fwrite(tmp, 0x50, 1, out);


  netDeinitialize();
fclose(out);


  return 0;
return 0;
}
}
</pre>
</pre>


----
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
[http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]
----
button combo: L2+R2+L1+R1+L3+dpad_down
index0: 0x00
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08)
index3: 0x42 (L3 0x02 + dpad_down 0x40)
Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
----
----
 
==changes in HV==
 
sysmgr_ss.fself runs in process 10 instead of 9. <s>its quite different compared to retail proc 9</s>.<br>
vsh.self checks pad combo
you can extract the processes in your hv dump with this python script:<br>
 
http://git.dashhacks.com/hvdev/hv-tools/blobs/master/hv_proc_extract.py
sys_init_osd.self checks QA-seed/token

Latest revision as of 21:50, 27 June 2011

Debug output[edit source]

The qa flag has some options to enable some debug output.

Does anybody know or has an idea about:

  • In real life how does /sony/ retrieve the debug information? do they use proDG?
    • So does it open the required ports to connect using prodg?


if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D it "should" work.. but I havent tested it.. it is already too late for me :S ~~PsiCoLeo 


Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work. 
Tokenator.7z (26.42 KB)
Slynk


button combo: L2+R2+L1+R1+L3+dpad_down 

index0: 0x00
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08) 
index3: 0x42 (L3 0x02 + dpad_down 0x40)
  • Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
  • Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade)
  • undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented)

QA-Flag:

  • 0x01 : Minimum
  • 0x02 : Advanced
  • 0x03 : undocumented2


vsh.self checks pad combo

sys_init_osd.self checks QA-seed/token


another token generator (compile together with f0f tools) 

#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>

#include "tools.h"
#include "aes.h"
#include "sha1.h"

static u8 *token_encrypted = NULL;

static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};

static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};

static FILE *out = NULL;



int main(int argc, char *argv[])
{
	u8 tmp[0x50];
	if (argc != 3)
		fail("usage: gen_qa encrypted_dummy_token.bin out.bin");

	token_encrypted = mmap_file(argv[1]);

	//decrypt
	aes256cbc(key, iv, token_encrypted, 0x50, tmp);

	//set qa
	memset(tmp+0x2f,0x02,1);

	//recalc digest
	sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);

	//encrypt
	aes256cbc_enc(key, iv, tmp, 0x50, tmp);

	out = fopen(argv[2], "w+");
	fwrite(tmp, 0x50, 1, out);

	fclose(out);

	return 0;
}

changes in HV[edit source]

sysmgr_ss.fself runs in process 10 instead of 9. its quite different compared to retail proc 9.
you can extract the processes in your hv dump with this python script:
http://git.dashhacks.com/hvdev/hv-tools/blobs/master/hv_proc_extract.py

Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Talk:QA_Flagging&oldid=2403"