QA Flagging: Difference between revisions
(Added list of features for the "known" token) |
m (→Prerequisites) |
||
Line 54: | Line 54: | ||
If you are using glevand´s kernel you will have to first enable the require module | If you are using glevand´s kernel you will have to first enable the require module | ||
modprobe ps3dmproxy | |||
modprobe ps3dmproxy | |||
*Then you will have to have the latest ps3dm-utils you can get from [http://git.gitbrew.org/ps3/ gitbrew] or here you have a precompiled [http://www.multiupload.com/CVN3Y9QBQX ps3dm_um] [http://www.multiupload.com/FQNWIBBIOB ps3dm_aim] | *Then you will have to have the latest ps3dm-utils you can get from [http://git.gitbrew.org/ps3/ gitbrew] or here you have a precompiled [http://www.multiupload.com/CVN3Y9QBQX ps3dm_um] [http://www.multiupload.com/FQNWIBBIOB ps3dm_aim] | ||
Line 62: | Line 60: | ||
and you will need Slynk tools | and you will need Slynk tools | ||
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. | Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. | ||
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). | I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). | ||
Type it into my app in the format I provided, click the button, and run that command. Should work. | Type it into my app in the format I provided, click the button, and run that command. Should work. | ||
Tokenator.7z (26.42 KB) | [http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)] | ||
Slynk | [http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk] | ||
==Procedure== | ==Procedure== |
Revision as of 08:51, 22 June 2011
QA Flag
A QA flag is a value set in SC EEPROM at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.
QA Token
A QA token is a 80 byte value that determines amount of functionality on your console. It is signed with a 20 byte SHA1 key then encrypted using AES256CBC. Please see the keys page.
Unencrypted Token Structure
0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x4A, 0x4B, 0xBA, 0x15, 0x97, 0xAE, 0x71, 0x36, 0xCC, 0xB6, 0x65, 0x7F, 0xC3, 0xB5, 0x3F, 0x49, 0x22, 0x2F, 0xB1
Address | Length | Value | Description |
---|---|---|---|
0x00 | 0x4 | 0x01 | Unknown (Static) |
0x04 | 0x14 | 0x112233445566778899AABBCCDDEEFF | IDPS |
0x14 | 0x3C | 0x00 | Token Flags |
0x3C | 0x80 | 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 | digest |
Encrypted Token
The entire token is then encrypted with AES256CBC. You will find the keys on the keys page. This is then stored on SC EEPROM at 0x48D3E
Token Flags
The flags are a 40 byte value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.
QA_FLAG_ALLOW_NON_QA = byte 0x33, bit 0 QA_FLAG_FORCE_UPDATE = byte 0x33, bit 1 QA_FLAG_EXAM_API_ENABLE = byte 0x27, bit 0 QA_FLAG_QA_MODE_ENABLE = byte 0x27, bit 2
Setting QA Flag & Token
Prerequisites
- First you need to have linux installed on your PS3, you can have grafs kernel or glevands rework
If you are using glevand´s kernel you will have to first enable the require module
modprobe ps3dmproxy
- Then you will have to have the latest ps3dm-utils you can get from gitbrew or here you have a precompiled ps3dm_um ps3dm_aim
and you will need Slynk tools
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). Type it into my app in the format I provided, click the button, and run that command. Should work. Tokenator.7z (26.42 KB) Slynk
Procedure
Getting the info
First you need you IDPS
the easyest way is using graf aim
./ps3dm_aim /dev/ps3dmproxy get_dev_id
Write it down and load it on the Tokenator app
It will give you the command you should use in linux + your encrypted token
something like this
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
Setting the flag
ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00
Setting the token
Just copy paste the command you got from tokenator
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
Congrats now you ps3 is QA flagged Reboot
Set yoursef on network settings and press the weired combo
L2+R2+L1+R1+L3(this means pressing you left analog stick)+dpad_down
Now you will be able to see the QA menu
This token allow
QA Flags Features
Token seed byte 48=0x02
Edy viewer
Payment service in japan more info Edy viewer
Debug Settings
Setting | Value | Description |
---|---|---|
DTCP-IP | on-off | |
ATRAC | on/off | |
WMA | on/off | |
NP Enviroment | enviroment | |
Fake Free Space (for CEX) | on/off | |
Fake Limit Size | X MB | |
NP Debug | on/off | |
NPDRM Debug | on/off | |
Edy Debug | on/off | |
Nav-only NP | on/off | |
Cdda Server | Production/? | |
Crash Report | on/off | |
Crash reporter Status | Ready/Busy/Never be calles | |
VSH Crash Dump Generator | on/off | |
System Update Debug | on/off | |
Information Board QA Server | on/off | |
Format Marlin Personal Data | ? | |
PlaystationRStore Ad Clock | on/off | |
Geo Filtering for PlaystationRStore | ? | |
Remove Game License | ? | |
Home Debug | on/off | |
Delete Trophy Personal Data | ? | |
GameUpdate Impose Test | on/off | |
Network Emulation Setting | on/off | |
Auto-Off Debug | on/off | |
NAT Traversal Information | on/off | |
Internet Browser Debug | on/off | |
SMSS REsult Output | on/off | |
Adhoc SSID Prefix | PSP/? | |
Disc Auto-Start at System Startup | ||
3D Video Output | Automatic/On | |
Fake NP SNS Throttle | Off (60 sec)/ On (0,10,120,2600,closed) | |
Debug for HDD Exchange Utility | ||
Push Console Binding | on/off | |
Automatic Download | on/off | |
Motion Controller Calibration Result |
Install Package Files
Will install the first package it finds on the root of the USB stick