Talk:QA Flagging

From PS3 Developer wiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Debug output

The qa flag has some options to enable some debug output.

Does anybody know or has an idea about:

  • In real life how does /sony/ retrieve the debug information? do they use proDG?
    • So does it open the required ports to connect using prodg?

if someone is interested on a GameOS app to QA-flag : you can finish this one :D it "should" work.. but I havent tested it.. it is already too late for me :S ~~PsiCoLeo

Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work. 
Tokenator.7z (26.42 KB)

button combo: L2+R2+L1+R1+L3+dpad_down

index0: 0x00
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08) 
index3: 0x42 (L3 0x02 + dpad_down 0x40) 
  • Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
  • Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade)
  • undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented)


  • 0x01 : Minimum
  • 0x02 : Advanced
  • 0x03 : undocumented2

vsh.self checks pad combo

sys_init_osd.self checks QA-seed/token

another token generator (compile together with f0f tools)

#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>

#include "tools.h"
#include "aes.h"
#include "sha1.h"

static u8 *token_encrypted = NULL;

static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};

static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};

static FILE *out = NULL;

int main(int argc, char *argv[])
	u8 tmp[0x50];
	if (argc != 3)
		fail("usage: gen_qa encrypted_dummy_token.bin out.bin");

	token_encrypted = mmap_file(argv[1]);

	aes256cbc(key, iv, token_encrypted, 0x50, tmp);

	//set qa

	//recalc digest
	sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);

	aes256cbc_enc(key, iv, tmp, 0x50, tmp);

	out = fopen(argv[2], "w+");
	fwrite(tmp, 0x50, 1, out);


	return 0;

changes in HV

sysmgr_ss.fself runs in process 10 instead of 9. its quite different compared to retail proc 9.
you can extract the processes in your hv dump with this python script: