Editing Talk:QA Flagging

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= From Superslim DEX with Serial 1 =
button combo: L1 L2 R1 R2 Dpad_down L3
<pre>
0x14 = 00 27
 
BDP CONTROL - Checked by appldr, isoldr.
 
0x1 DEH_DEBUG_DISABLE +
0x2 DEX_DEBUG_DISABLE +
0x4 ALL_DEBUG_DISABLE +
0x20 CEX_BOOT_ENABLE
= 0x27
 
0x16 = 00 3F
 
CONNECT_CONTROL - Checked by appldr, isoldr.
 
0x1 DEH_DEBUG_DISABLE +
0x2 DEX_DEBUG_DISABLE +
0x4 ALL_DEBUG_DISABLE +
0x8 DEH_BOOT_ENABLE +
0x10 DEX_BOOT_ENABLE +
0x20 CEX_BOOT_ENABLE
 
= 0x3F
 
0x33 = 03
 
0x33 byte(51) 0x1 QA_FLAG_ALLOW_NON_QA +
0x33 byte(51) 0x2 QA_FLAG_FORCE_UPDATE
 
= 0x03
</pre>
 
----
 
== Debug output ==
 
The qa flag has some options to enable some debug output.
 
Does anybody know or has an idea about:
 
*In real life how does /sony/ retrieve the debug information? do they use proDG?
**So does it open the required ports to connect using prodg?
 
 
 
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo
 
----
 
 
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
[http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]
 
----
 
 
button combo: L2+R2+L1+R1+L3+dpad_down
index0: 0x00
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08)
index3: 0x42 (L3 0x02 + dpad_down 0x40)
 
* Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
* Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade)
* undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented)
 
QA-Flag:
* 0x01 : Minimum
* 0x02 : Advanced
* 0x03 : undocumented2
----
 
 
vsh.self checks pad combo
 
sys_init_osd.self checks QA-seed/token




----
----
another token generator (compile together with f0f tools)
<pre>#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>
#include "tools.h"
#include "aes.h"
#include "sha1.h"
static u8 *token_encrypted = NULL;
static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};
static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};
static FILE *out = NULL;
int main(int argc, char *argv[])
{
u8 tmp[0x50];
if (argc != 3)
fail("usage: gen_qa encrypted_dummy_token.bin out.bin");
token_encrypted = mmap_file(argv[1]);
//decrypt
aes256cbc(key, iv, token_encrypted, 0x50, tmp);
//set qa
memset(tmp+0x2f,0x02,1);
//recalc digest
sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);
//encrypt
aes256cbc_enc(key, iv, tmp, 0x50, tmp);
out = fopen(argv[2], "w+");
fwrite(tmp, 0x50, 1, out);


fclose(out);


return 0;
sys_init_osd checks QA-seed/token
}
</pre>
 
----
==changes in HV==
sysmgr_ss.fself runs in process 10 instead of 9. <s>its quite different compared to retail proc 9</s>.<br>
you can extract the processes in your hv dump with this python script:<br>
http://git.dashhacks.com/hvdev/hv-tools/blobs/master/hv_proc_extract.py
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)