Welcome to my site! Please Login to start posting!

QA Flag Mega-Thread Updated Daily » What Is QA Flagging

Go down

QA Flag Mega-Thread Updated Daily » What Is QA Flagging

Post by Admin on June 23rd 2011, 8:21 pm

-QA flag is the internal console flag used by Sony, it enables hidden options for retail consoles and debug consoles. It is used for QA centers and the R&D Department, there are 2 levels of QA flags, Minimum and Advanced.

-A QA flag removes all restrictions in your PS3, sort of like a Jailbreak but with developer options, such as the expected downgrade.

-You need to have a QA token, which is randomly generated, and it's specualted that it is generated by the hypervisor. This tolken unlocks the QA menu, but doesn't actually install it. You have to enter a combination on the Sixaxis controller.

Well the method of how to “QA flag” your PS3 was never posted/revealed but since then plenty of hints have been given in attempts for the “scene”, and one of the first steps was to figure out the secret button combo. Well after weeks of people trying and moaning, the man behind the emulators – squarepusher 2 has released/posted information on exactly what that button combo was. Noobs do not try this – the guide below is still a work in progress and QA flag button combo is the icing on the cake.

How to QA Flag your PS3, the button combo:
1. Be on 3.55 OFW (no rebug),
2. Move the PS3 cursor/select “Network Setting“
3. Punch the following button combo with your PS3 controller: L2 + L1 + R1 + R2 + L3 + D-pad Down
4.Thats it, the “Edy Viewer”, “Debug Settings”, “Install Package” Menu will now appear.
Notes and disclaimers:

Install Package is useless and can’t install homebrew at the moment – only signed PKGs (and the first one in root of USB only).
This is not all that is needed to QA flag your PS3, but its a big start for the community – we still need all the pieces to fully QA flag the PS3 and its the scenes job to “figure out the rest”.

Change byte 48 of the token seed to 0×02, hash it, encrypt it, write it to eeprom and flag yourself. Button combo is L1+L2+L3+R1+R2+dpad down. Only works on retail firmware.

By byte 48, I mean the 48th byte. Note that in programming the array of the token seed begins with index 0. So the 48th byte would be seed[47];

this info is more than enough to get someone to make an app.

erk: 0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED
iv: 0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E
hmac: 0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E

*runs away before the lawsuits come flooding in*

hmac to make the 20 byte digest at the end of the token and erk/iv to decrypt/encrypt it with aes256cbc.

2 more steps to go. Need the button combo and what to change in the dummy token.

Linux Tutorial

Step 1) Install OtherOS++, install linux, make sure to enable the ps3 modules when compiling the kernel.

Step 2) Download, and compile the ps3dm utils

Step 3) Download my tokenator

Step 4) Dump your eid by running ./ps3dm_iim /dev/ps3dmproxy get_data 0×0>dump

Step 5) Set your flag by running ./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0×00

Step 6) Open your dump in a hex editor and type in the first 16 bytes into tokenator

Step 7) Run the script it spits out

PS3 Step Restart your ps3. Go to the Network Settings options and press L1 + L2 + L3 + R1 + R2 + D-Pad Down

Have fun. It doesn’t work on rebug yet. There are other flags to set for debug firmwares and rebug is pseudo debug.

QA Flag setup with Grafs Payload
First you have to dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them on eid.c

To do this you can use Hardware_flashing, Linux with graf_chokolo kernel with acces to /dev/ps3nflasha Links_to_precompiled_stuff or using this payload uncommenting dump_dev_flash()
More info in Flash
Once you are set

Use the payloads in the following order uncommenting the required function
Set the QA flag
Calculate the token
Verify token
Set the calculated and verified token in update_mgr_set_token.c
You should use wireshark or tcpdump to capture the responses

QA Flag Features
-Edy Viewer

-install pkg files.

-debug settings are as followed

-NP Environment
-Fake Free Space (for CEX)
-Fake Limit Size
-NP Debug

-NPDRM Debug

-Edy Debug
-Nav-only NP

-Cdda Server

-Crash Report

-Crash reporter Status

-VSH Crash Dump Generator

-System Update Debug
-Information Board QA Server

-Format Marlin Personal Data

-PlaystationRStore Ad Clock

-Geo Filtering for PlaystationRStore

-Remove Game License

-Home Debug

-Delete Trophy Personal Data

-GameUpdate Impose Test

-Network Emulation Setting

-Auto-Off Debug

-WLAN Device

-NAT Traversal Information

-Internet Browser Debug

-SMSS Result Output

-Adhoc SSID Prefix

-Disc Auto-Start at System Startup

-3D Video Output

-Fake NP SNS Throttle

-Debug for HDD Exchange Utility

-Fake Plus

-Push Console Binding

-Automatic Download

-Motion Controller Calibration Result

-VideoEditor Delete Preset BGM

Posts : 394
Points : 55868
Reputation : 8159
Join date : 2011-02-02
Age : 28
Location : Earth

View user profile

Back to top Go down

Back to top

- Similar topics

Permissions in this forum:
You cannot reply to topics in this forum