Editing Talk:QA Flagging

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= From Superslim DEX with Serial 1 =
----
 
 
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo
<pre>
<pre>
0x14 = 00 27
/*
* Based on glevands product mode toogle
* PsiCoLeO 2011
*/
 
/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
 
#include <stdio.h>
#include <string.h>
#include <unistd.h>
 
#include <psl1ght/lv2/net.h>
 
#include <lv2_syscall.h>
#include <udp_printf.h>
 
#define UPDATE_MGR_PACKET_ID_READ_EPROM    0x600b
#define UPDATE_MGR_PACKET_ID_WRITE_EPROM  0x600c
#define EPROM_QA_FLAG_OFFSET        0x48c0a
#define EPROM_QA_Token_OFFSET        0x48D3E
 
/*
* Set your encrypted token
* Calculated with Slynk Tokenator
*/
static uint8_t qa_token[0x50] =
{
  0xF6, 0x58, 0xDB, 0xAC, 0x63, 0xEB, 0x47, 0x99, 0xE2, 0x63,
  0xC0, 0x10, 0x66, 0x42, 0x3D, 0xF7, 0x34, 0x29, 0x90, 0x61,
  0x23, 0xED, 0x89, 0xEC, 0x21, 0x9E, 0xE2, 0x8B, 0x83, 0xF9,
  0x87, 0x2F, 0x32, 0x50, 0xEC, 0xC3, 0xD0, 0x3D, 0xEA, 0x6E,
  0x14, 0xE0, 0x81, 0xA2, 0x67, 0xCE, 0x86, 0xF7, 0x7A, 0xFE,
  0xDF, 0x11, 0xAB, 0x39, 0xE1, 0xCE, 0x57, 0x06, 0x42, 0xC0,
  0x2B, 0xB2, 0x3F, 0x49, 0x04, 0xC7, 0xE7, 0x58, 0x70, 0x19,
  0x6A, 0xF1, 0xE4, 0x94, 0x32, 0x36, 0x61, 0xB0, 0xA6, 0xB5,
};
 
 
/*
* main
*/
int main(int argc, char **argv)
{
  uint8_t value;
  int result;
  int n;
 
  netInitialize();
 
  udp_printf_init();
 
  PRINTF("%s:%d: start\n", __func__, __LINE__);
 
  result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_READ_EPROM,
    EPROM_QA_FLAG_OFFSET, (uint64_t) &value, 0, 0, 0, 0);
  if (result) {
    PRINTF("%s:%d: lv1_ss_update_mgr_if(READ_EPROM) failed (0x%08x)\n",
      __func__, __LINE__, result);
    goto done;
  }
 
  PRINTF("%s:%d: current qa flag mode 0x%02x\n", __func__, __LINE__, value);


BDP CONTROL - Checked by appldr, isoldr.
  if (value == 0xff) {
    /* enable */


0x1 DEH_DEBUG_DISABLE +
    PRINTF("%s:%d: enabling qa flag mode\n", __func__, __LINE__);
0x2 DEX_DEBUG_DISABLE +
0x4 ALL_DEBUG_DISABLE +
0x20 CEX_BOOT_ENABLE
= 0x27


0x16 = 00 3F
    value = 0x0;


CONNECT_CONTROL - Checked by appldr, isoldr.
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  } else {
    /* disable */


0x1 DEH_DEBUG_DISABLE +
    PRINTF("%s:%d: disabling qa flag mode\n", __func__, __LINE__);
0x2 DEX_DEBUG_DISABLE +
0x4 ALL_DEBUG_DISABLE +
0x8 DEH_BOOT_ENABLE +
0x10 DEX_BOOT_ENABLE +
0x20 CEX_BOOT_ENABLE


= 0x3F
    value = 0xff;


0x33 = 03
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  }


0x33 byte(51) 0x1 QA_FLAG_ALLOW_NON_QA +
  PRINTF("%s:%d: end\n", __func__, __LINE__);
0x33 byte(51) 0x2 QA_FLAG_FORCE_UPDATE


= 0x03
  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);
</pre>
 
  /* Setting the QA token */
  for ( n=0 ; n<80 ; n++ )
  {
    PRINTF("Setting QA token bit\n");


----
    value = qa_token[n];


== Debug output ==
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_Token_OFFSET+n, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
  }


The qa flag has some options to enable some debug output.
  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);


Does anybody know or has an idea about:
done:


*In real life how does /sony/ retrieve the debug information? do they use proDG?
  udp_printf_deinit();
**So does it open the required ports to connect using prodg?


  netDeinitialize();


  return 0;
}
</pre>


if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D
it "should" work.. but I havent tested it.. it is already too late for me :S  ~~PsiCoLeo


----
----
Line 66: Line 161:
  index3: 0x42 (L3 0x02 + dpad_down 0x40)  
  index3: 0x42 (L3 0x02 + dpad_down 0x40)  


* Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
* Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade)
* undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented)
 
QA-Flag:
* 0x01 : Minimum
* 0x02 : Advanced
* 0x03 : undocumented2
----
----


Line 81: Line 169:
sys_init_osd.self checks QA-seed/token
sys_init_osd.self checks QA-seed/token


== Debug output ==


----
The qa flag has some options to enable some debug output.
another token generator (compile together with f0f tools)
<pre>#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>


#include "tools.h"
Does anybody know or has an idea about:
#include "aes.h"
#include "sha1.h"


static u8 *token_encrypted = NULL;
*In real life how does /sony/ retrieve the debug information? do they use proDG?
 
**So does it open the required ports to connect using prodg?
static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};
 
static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};
 
static FILE *out = NULL;
 
 
 
int main(int argc, char *argv[])
{
u8 tmp[0x50];
if (argc != 3)
fail("usage: gen_qa encrypted_dummy_token.bin out.bin");
 
token_encrypted = mmap_file(argv[1]);
 
//decrypt
aes256cbc(key, iv, token_encrypted, 0x50, tmp);
 
//set qa
memset(tmp+0x2f,0x02,1);
 
//recalc digest
sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);
 
//encrypt
aes256cbc_enc(key, iv, tmp, 0x50, tmp);
 
out = fopen(argv[2], "w+");
fwrite(tmp, 0x50, 1, out);
 
fclose(out);
 
return 0;
}
</pre>
 
----
==changes in HV==
sysmgr_ss.fself runs in process 10 instead of 9. <s>its quite different compared to retail proc 9</s>.<br>
you can extract the processes in your hv dump with this python script:<br>
http://git.dashhacks.com/hvdev/hv-tools/blobs/master/hv_proc_extract.py
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)