QA Flagging

From PS4 Developer wiki

QA Flags

flagged updater = qa_flags[0] & 0x1
force update = qa_flags[0] & 0x2
int dev, int dev for internal libc, allow init vtrm = qa_flags[0] & 0x4
allow registry access = qa_flags[0] & 0x8
int dev for psm, allow psm debug = qa_flags[0] & 0x10
special i = qa_flags[0] & 0x40

allow ul debugger = qa_flags[1] & 0x1
allow sl debugger = qa_flags[1] & 0x2
beta update test = qa_flags[1] & 0x4

debug menu, debug menu for psm = qa_flags[2] & 0x1
allow ad clock = qa_flags[2] & 0x2
fake finalize = qa_flags[2] & 0x10
psn access trace log = qa_flags[2] & 0x40

debug menu mini = qa_flags[3] & 0x2

any_qaf = qa_flags[0] | qa_flags[1] | qa_flags[2] | qa_flags[3] | qa_flags[4] | qa_flags[5] | qa_flags[6] | qa_flags[7] | qa_flags[8] | qa_flags[9] | qa_flags[0xA] | qa_flags[0xB] | qa_flags[0xC] | qa_flags[0xD] | qa_flags[0xE] | qa_flags[0xF]  (= 0xFF when every one of the 16 bytes is 0xFF)

Utoken Flags

store mode = utoken_flags[0] & 0x1
data execution = utoken_flags[0] & 0x2
use weakened port restriction = utoken_flags[0] & 0x4
use softwagner = utoken_flags[0] & 0x8
flagged updater = utoken_flags[0] & 0x10
np env switching = utoken_flags[0] & 0x20
save data repair = utoken_flags[0] & 0x40
fake sharefactory = utoken_flags[0] & 0x80
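The two tables above are bit fields over byte arrays. The following decoder is an added example, not code from the PS4 Developer wiki or from any Sony tooling: it transcribes the QA Flags and Utoken Flags bit assignments listed on this page, computes any_qaf as the OR over the 16 qa_flags bytes, and reports bits that are set but not named by either table, which is the kind of check you want when reviewing a dump to see whether the flag block is still in its clean (all-zero) state. The sample byte arrays are constructed for illustration.

```python
# Added example (not code from the PS4 Developer wiki): decode qa_flags and
# utoken_flags byte arrays into the flag names the page lists. The bit
# assignments are transcribed from the page; the sample byte arrays below are
# constructed for illustration.

QA_FLAGS_LEN = 16  # the page ORs qa_flags[0] .. qa_flags[0xF]

# (byte index, mask, name) as given in the page's QA Flags table
QA_FLAG_BITS = [
    (0, 0x01, "flagged updater"),
    (0, 0x02, "force update"),
    (0, 0x04, "int dev / int dev for internal libc / allow init vtrm"),
    (0, 0x08, "allow registry access"),
    (0, 0x10, "int dev for psm / allow psm debug"),
    (0, 0x40, "special i"),
    (1, 0x01, "allow ul debugger"),
    (1, 0x02, "allow sl debugger"),
    (1, 0x04, "beta update test"),
    (2, 0x01, "debug menu / debug menu for psm"),
    (2, 0x02, "allow ad clock"),
    (2, 0x10, "fake finalize"),
    (2, 0x40, "psn access trace log"),
    (3, 0x02, "debug menu mini"),
]

# (byte index, mask, name) as given in the page's Utoken Flags table
UTOKEN_FLAG_BITS = [
    (0, 0x01, "store mode"),
    (0, 0x02, "data execution"),
    (0, 0x04, "use weakened port restriction"),
    (0, 0x08, "use softwagner"),
    (0, 0x10, "flagged updater"),
    (0, 0x20, "np env switching"),
    (0, 0x40, "save data repair"),
    (0, 0x80, "fake sharefactory"),
]


def decode_flags(raw, table):
    """Return the names of every documented flag whose bit is set in raw."""
    return [name for index, mask, name in table
            if index < len(raw) and raw[index] & mask]


def any_qaf(raw):
    """Bitwise OR of the 16 qa_flags bytes, as the page defines any_qaf.

    A non-zero result means at least one QA flag is set; a clean block is
    all zeros and yields 0.
    """
    if len(raw) < QA_FLAGS_LEN:
        raise ValueError("qa_flags must be at least %d bytes" % QA_FLAGS_LEN)
    acc = 0
    for b in raw[:QA_FLAGS_LEN]:
        acc |= b
    return acc


def undocumented_bits(raw, table, length):
    """Map byte index -> bits set in raw that the table does not describe.

    Useful when reviewing a dump: a block where every byte reads 0xFF sets
    many bits the page never names, which is worth flagging in review.
    """
    documented = [0] * length
    for index, mask, _ in table:
        documented[index] |= mask
    return {i: raw[i] & ~documented[i] & 0xFF
            for i in range(min(length, len(raw)))
            if raw[i] & ~documented[i] & 0xFF}


if __name__ == "__main__":
    # Constructed sample: a few QA bits set, the remaining bytes clean
    sample_qa = bytes([0x09, 0x03, 0x00, 0x02]) + bytes(12)
    print(decode_flags(sample_qa, QA_FLAG_BITS))
    print(hex(any_qaf(sample_qa)))
    # A block of all 0xFF: every undocumented bit lights up
    print(undocumented_bits(bytes([0xFF] * QA_FLAGS_LEN), QA_FLAG_BITS, QA_FLAGS_LEN))
```

The page only names bits in qa_flags[0..3], so `undocumented_bits` treats bytes 4 through 15 as entirely undocumented; if you learn the meaning of further bits, extend the tables rather than the logic.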

Spoofing Flags

  • Search for kernel magic in kernel dump
  • Set all values before kernel magic (16 in total) to FF
  • Set all values after kernel magic (16 in total) to FF
  • Open the kernel dump in IDA Pro (use SocraticBliss's kernel loader for this)
  • Search for the string "rcmgr" in hex bytes (searching as text is slower)
  • Find the xref to the first string (usually intdev)
  • Rename all the functions to their respective names
  • Patch each function where the condition ((word_FFFFFFFFXXXXXXXX & 54) != 0) applies in the pseudocode (if the first jump is a jnz, it's the second jz; if the first jump is a jz, it's the second jz as well)
  • Note down the patches and spoofs, as well as the name of the rcmgr flags (for example rcmgr_intdev)
  • Write code that escalates privileges, spoofs the qa flags and utoken flags, and calls sysctl by name for machdep.<name of rcmgr flag>
  • Launch payload
  • You should have everything unlocked (to enable only the ones you want, comment out or uncomment the corresponding sysctlbyname calls)