QA Flagging: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(→‎Token Flags: -> this flag is confirmed existing on a token dumped from a proto ps3 DECH-H2000)
 
(77 intermediate revisions by 16 users not shown)
Line 1: Line 1:
[[Category:Software]]
{{Wikify}}
= QA Flag =
= QA Flag =
A QA flag is a value set in [[SC EEPROM]] at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.
A QA flag is a value set in [[SC EEPROM]] at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.
Line 10: Line 10:


<pre>
<pre>
0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x22, 0x33,
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB,
 
0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x00, 0x00, 0x00,
00000000  00 00 00 01 00 11 22 33 44 55 66 77 88 99 AA BB
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00000010  CC DD EE FF 00 00 00 00 00 00 00 00 00 00 00 00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00000030  00 00 00 00 00 00 00 00 00 00 00 00 19 4A 4B BA
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
00000040  15 97 AE 71 36 CC B6 65 7F C3 B5 3F 49 22 2F B1
0x00, 0x00, 0x00, 0x00, 0x19, 0x4A, 0x4B, 0xBA,
0x15, 0x97, 0xAE, 0x71, 0x36, 0xCC, 0xB6, 0x65,
0x7F, 0xC3, 0xB5, 0x3F, 0x49, 0x22, 0x2F, 0xB1
</pre>
</pre>


Line 26: Line 23:
! Address !! Length !! Value !! Description
! Address !! Length !! Value !! Description
|-
|-
| 0x00 || 0x4 || 0x01 || Unknown (Static)
| 0x00 || 0x4 || 0x01 || QA-Flag Version
|-
|-
| 0x04 || 0x14 || 0x112233445566778899AABBCCDDEEFF || [[IDPS]]
| 0x04 || 0x10 || 0x00112233445566778899AABBCCDDEEFF || [[IDPS]]
|-
|-
| 0x14 || 0x3C || 0x00 || [[#Token Flags|Token Flags]]
| 0x14 || 0x20 || 0x00 || [[#Token Flags|Token Flags]]
|-
|-
| 0x3C || 0x80 || 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 || digest
| 0x34 || 0x8 || 0x00 || padding
|-
| 0x3C || 0x14 || 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 || digest
|}
|}


Line 40: Line 39:


== Token Flags ==
== Token Flags ==
The flags are a 40 byte value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.
The flags are a 32 (0x20) bytes value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.


{|class="wikitable"
{|class="wikitable"
|-
|-
! Location !! Value (Binary OR assigned) !! Description
! Location !! Value (Binary OR assigned) !! Description
|-
| 0x14 byte(21) || 2 bytes || BDP CONTROL - Checked by appldr, isoldr.
0x1 DEH_DEBUG_DISABLE<br>
0x2 DEX_DEBUG_DISABLE<br>
0x4 ALL_DEBUG_DISABLE<br>
0x8 DEH_BOOT_ENABLE<br>
0x10 DEX_BOOT_ENABLE<br>
0x20 CEX_BOOT_ENABLE<br>
0x40 ARCADE_BOOT_ENABLE
|-
| 0x16 byte(23) || 2 bytes || CONNECT_CONTROL - Checked by appldr, isoldr.
0x1 DEH_DEBUG_DISABLE<br>
0x2 DEX_DEBUG_DISABLE <br>
0x4 ALL_DEBUG_DISABLE<br>
0x8 DEH_BOOT_ENABLE <br>
0x10 DEX_BOOT_ENABLE <br>
0x20 CEX_BOOT_ENABLE <br>
0x40 ARCADE_BOOT_ENABLE<br>
|-
| 0x24 byte(36) || 0x1 / 0x2 / 0x4 / 0x8 || QA_FLAG_RESERVED_FOR_VSH
|-
| 0x24 byte(36) || 0x1 || QA_FLAG_RESERVED_FOR_VSH0
|-
| 0x24 byte(36) || 0x2 || QA_FLAG_RESERVED_FOR_VSH1
|-
| 0x24 byte(36) || 0x4 || QA_FLAG_RESERVED_FOR_VSH2
|-
| 0x24 byte(36) || 0x8 || QA_FLAG_RESERVED_FOR_VSH3
|-
|-
| 0x27 byte(39) || 0x1 ||  QA_FLAG_EXAM_API_ENABLE
| 0x27 byte(39) || 0x1 ||  QA_FLAG_EXAM_API_ENABLE
|-
|-
| 0x27 byte(39) || 0x2 ||  QA_FLAG_QA_MODE_ENABLE
| 0x27 byte(39) || 0x2 ||  QA_FLAG_QA_MODE_ENABLE
|-
| 0x2B byte(43) || 0x1 || System Debug (lv1ldr decrypts token and send it to lv0, lv0 sets sys.ac.sd repo node)
|-
| 0x2B byte(43) || 0x2 || LV2 System App Debug
|-
|-
| 0x2C byte(44) || 0x9 || Advanced Token Flag!!
| 0x2C byte(44) || 0x9 || Advanced Token Flag!!
|-
|-
| 0x2F byte(47) || 0x1/0x2/0x3 ||  QA-Token-Flag: (0x01 : Minimum) (0x02 : Advanced) (0x03 : undocumented)  
| 0x2F byte(47) || 0x1 / 0x2 / 0x3 / 0x4 ||  QA-Token-Flag: (0x01 : Minimum) (0x02 : Advanced) (0x03 : undocumented)  
|-
|-
| 0x2F byte(47) || 0x4 || checked by lv2_kernel.self and sys_init_osd.self maybe allows sys_init_osd.self to run from /app_home
| 0x2F byte(47) || 0x1 || QA_FLAG_SPECIAL_I
it allows isoldr(and may be other loaders) to use second key_table
|-
|-
| 0x33 byte(51) || 0x1 || QA_FLAG_ALLOW_NON_QA
| 0x2F byte(47) || 0x2 || QA_FLAG_ALLOW_TEST_APP
|-
| 0x2F byte(47) || 0x4 || QA_FLAG_ALLOW_REMOTE_SPAWN
internal mode(QA flag minimum or advanced): Allows lv2_kernel.self to run sys_init_osd.self, liblv2.sprx and sys_init_osd.self to run vsh.self and sys_audio.self from /app_home/
|-
| 0x33 byte(51) || 0x1 || QA_FLAG_ALLOW_NON_QA  
special execution mode: Allows sys_init_osd.self to run either 2nd_image_writer.self or cellftp.self (copy_script.txt), setmonitor.self (monitor.conf) and lv2diag2.self to run from /dev_usb000/
<!-- there's also a 2nd way to launch lv2diag2.self and a way to launch /app_home/uinit_app.elf instead of sys_agent.self ???-->
|-
|-
| 0x33 byte(51) || 0x2 || QA_FLAG_FORCE_UPDATE
| 0x33 byte(51) || 0x2 || QA_FLAG_FORCE_UPDATE
updates to any firmware, ignoring version checks
|}
|}


Line 78: Line 118:
  Type it into my app in the format I provided, click the button, and run that command. Should work.  
  Type it into my app in the format I provided, click the button, and run that command. Should work.  
  [http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
  [http://www.multiupload.com/N3365C67ZT Tokenator.7z (26.42 KB)]
[https://mega.co.nz/#!ogMSUADB!WF274UWZDKIszA-5hwkTPgfVL5FOq8KuZ_k52o82564 Tokenator mirror(with src included)]
  [http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]
  [http://psx-scene.com/forums/f149/qa-flags-discussion-86504/index92.html#post842118 Slynk]


Line 112: Line 153:


=== Getting the QA flag menu ===
=== Getting the QA flag menu ===
Set your cursor on Network Settings and press the key combo:
Set your cursor '''on''' (not ''in'') Network Settings and press the key combo (all at the same time): {{dpadd}} + {{padl1}} + {{padl2}} + {{padr1}} + {{padr2}} + {{padl3}}
<pre>
L1+L2+L3+R1+R2 + dpad_down
</pre>


You should see Edy Viewer, Debug Settings, and Install Package Files if done correctly.
You should see Edy Viewer, Debug Settings, and Install Package Files if done correctly.
Line 132: Line 170:
*Prebuild packages :
*Prebuild packages :
**[http://gitbrew.org/~glevand/ps3/pkgs/qa_flag.pkg qa_flag.pkg] (basic QA flag)
http://store.brewology.com/ahomebrew.php?brewid=214
**[http://gitbrew.org/~glevand/ps3/pkgs/qa_flag_extra.pkg qa_flag_extra.pkg] (extra QA flag, e.g. for downgrade in Recovery)
 
**[http://gitbrew.org/~glevand/ps3/pkgs/reset_qa_flag.pkg reset_qa_flag.pkg] (resets to non QA-flag)
**[http://gitbrew.org/~glevand/ps3/pkgs/qa_flag.pkg qa_flag.pkg] // (mirror:[http://www.multiupload.com/P5Q2R5R1YG qa_flag.pkg (69.92 KB)]) (to enable QA)
**[http://gitbrew.org/~glevand/ps3/pkgs/get_token_seed.pkg get_token_seed.pkg] (debug prints the token seed)
**[http://gitbrew.org/~glevand/ps3/pkgs/qa_flag_extra.pkg qa_flag_extra.pkg] // (mirror:[http://psx-scene.com/forums/attachments/f177/37188d1345489767-help-finding-qa-flag-extra-qa_flag_extra.pkg qa_flag_extra.pkg (69.98 KB)]) (to enable QA with downgrade)
**[http://gitbrew.org/~glevand/ps3/pkgs/get_applicable_version.pkg get_applicable_version.pkg] (sends min/max FW over UDP)
**[http://gitbrew.org/~glevand/ps3/pkgs/reset_qa_flag.pkg reset_qa_flag.pkg] // (mirrors: [http://www.multiupload.com/VEUMEDINGU] [http://www.multiupload.nl/QGB1Z6W5U9]) (to reset the QA flags back to default - virtually ''never'' needed, there is '''''no benefit removing it''''')
**[http://gitbrew.org/~glevand/ps3/pkgs/get_token_seed.pkg get_token_seed.pkg] // (mirror:[http://www.multiupload.com/G8GBEIABKT get_token_seed.pkg (59.73 KB)])
**[http://gitbrew.org/~glevand/ps3/pkgs/get_applicable_version.pkg get_applicable_version.pkg] // (mirror:[http://www.multiupload.com/GXERV38F5A get_applicable_version.pkg (69.3 KB)])  (to get the low/high version lock via Debug UDP)


== Alternative ==
== Alternative ==
Line 147: Line 187:
based on [http://git.gitbrew.org/ps3/?p=otheros-utils/product_mode_toggle.git;a=tree;hb=312c21d8ee297e0225ca2495aeefef5cd07d034b Product Mode Toogle]
based on [http://git.gitbrew.org/ps3/?p=otheros-utils/product_mode_toggle.git;a=tree;hb=312c21d8ee297e0225ca2495aeefef5cd07d034b Product Mode Toogle]


== Toggle QA - rebug.me ==
qa-toggle.pkg
CRC-16: 032F
CRC-32 (Ethernet and PKZIP): D0DC4C0F
SHA-1: 9B5C215E50B4DEC02E6171B0252A977DD599E3BA
SHA-256: 845BCE0134A6DF6CF1966F2D4D4F8380DEF121ACA7AB1FA022B73A8F5E9FEEA3
SHA-384: A791A022F879C972CDBD85A26AF32FDAEF25D32FA28CA47F55AFFAA471EACD1EC6D2761CD4E0E92D93F11A7002AAC281
SHA-512:  D3CA8DC93019181B0FD30B9618264F5C5CB8559F7AF1A4C2353AB5DBFD8B2FD4AD0EA63E2140E73F63D57E2252FB7DEAC53FA2B36919B703A477540D08C13EF9
MD-2: 5262E62B55CE972F5E58A13657B4143E
MD-4: D6C9A681F0605C6AACBC61EDB7D43DD5
MD-5: FB11BEC5A0DDE6600BAEE0CC36742D54
Needs mmap114 lv1 patch + lv2 peek&poke MFW 3.41 or 3.55 (all other patches are done on the fly, when needed) - 3.15 will NOT work (blackscreen lock)
This is compatible with Kmeaw CFW and {{RogeroFirmware}}.
http://rebug.me/?p=1358 / backup/mirror : [http://www.mediafire.com/download/jjb74lyoe4irzn8/toggle_qa.pkg toggle_qa.pkg (94.22 KB)]
other mirrors:
* {{google|FB11BEC5A0DDE6600BAEE0CC36742D54}}


=QA Flags Features=
=QA Flags Features=
{{QA Flag Features}}


==Token seed byte 48=0x02==
===Debug Menu settings not in Retail/CEX QA===
===Edy viewer===
{{Debug Menu settings not in Retail/CEX QA}}
Payment service in japan
more info [http://manuals.playstation.net/document/en/ps3/current/settings/edyviewer.html Edy viewer]
===Debug Settings===


It seems that there are different Debug Settings for different Versions.  
==Install Package Files==
For example: FW 3.55 seems to have other/more Options than FW 3.41
Will install all package files found on the root of the USB stick sequentially in alphabetical order until an installation of a package is aborted or fails for any reason.  It will work only with properly signed packages. Unlike the Install Package File function in the Game menu the .pkg extension name is not case sensitive.


{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable sortable" style="border:1px solid #999; border-collapse: collapse;"
Option present in FW 1.02 and above.
|- bgcolor="#cccccc"
! Setting !! Value !! Description
|-
| DTCP-IP || on-off|| '''D'''igital '''T'''ransmission '''C'''ontent '''P'''rotection over '''I'''nternet '''P'''rotocol, a specification for copy protection of copyrighted content that is transferred over digital interfaces in home networks that adhere to IP. Allows you to turn it on or off for PS3.
|-
| ATRAC || on/off || '''A'''daptive '''TR'''ansform '''A'''coustic '''C'''oding is a family of proprietary audio compression algorithms developed by Sony. Allows you to enable or disable ATRAC playback for your PS3 system.
|-
| WMA || on/off || '''W'''indows '''M'''edia '''A'''udio is an audio data compression technology developed by Microsoft. Allows you to enable or disable WMA playback for your PS3 system.
|-
| NP Enviroment || enviroment|| Allows you to change which environment your PS3 connects. Known enviroments are: C1-NP, D2-NP, D2-PMGT, D2-PQA, D2-SPINT, D3-NP, D3-PMGT, D3-PQA, D3-SPINT, D-NP, D-PMGT, D-PQA, D-SPINT, EI-NP, EI-PMGT, EI-PQA, EI-SPINT, HF, HF-NP, HF-PMGT, HF-PQA, HF-SPINT, H-NP, H-PMGT, H-PQA, H-SPINT, MGMT (Management), NP (Retail), PMGT, PQA, PROD-QA (Quality Assurance), Q2, Q2-NP, Q2-PMGT, Q2-PQA, Q2-SPINT, Q-NP, Q-PMGT, Q-PQA, Q-SPINT, RC, RC-NP, R-NP, R-PMGT, R-PQA, R-SPINT, SP-INT (Developer). There might be even more of different environments. See [[Environments]]
|-
| Fake Free Space (for CEX)|| on/off || Use with Fake Limit Size to artificially set the free space on the PS3.
|-
| Fake Limit Size || X MB || Amount of free space left (in MB).
|-
| NP Debug || on/off ||
|-
| NPDRM Debug || off/No Entitlement(80029513)/ Deactivated(80029514)/ Unexpected Error ||
|-
| Edy Debug || on/off || Edy is a payment service in Japan, allows you to enable or disable debugging for Edy Viewer.
|-
| Nav-only NP || on/off ||
|-
| Cdda Server || Production/Evaluation ||
|-
| Crash Report || on/off ||
|-
| Crash reporter Status || Ready/Busy/Never be called ||
|-
| VSH Crash Dump Generator || on/off ||
|-
| System Update Debug || on/off || Allows you to enable or disable system update debug, which lets you to downgrade with official Sony update manager.
|-
| Information Board QA Server || on/off ||
|-
| Format Marlin Personal Data || ? || This appears to be related to Marlin DRM possibly for multimedia use.
|-
| PlayStation(R)Store Ad Clock || on/off ||
|-
| Geo Filtering for PlayStation(R)Store || Normal/Always Succeed/Always Fail ||
|-
| Remove Game License || ? ||
|-
| Home Debug || on/off ||
|-
| Delete Trophy Personal Data || ? ||
|-
| GameUpdate Impose Test || on/off ||
|-
| Network Emulation Setting || off/Option 1/Option 2/Option 3 ||
|-
| Network Emulation Status || ? ||
|-
| Auto-Off Debug || on/off ||
|-
| WLAN Device || on/off ||
|-
| NAT Traversal Information || ? ||
|-
| Internet Browser Debug || on/off ||
|-
| SMSS Result Output || on/off ||
|-
| Adhoc SSID Prefix || PSP/? ||
|-
| Disc Auto-Start at System Startup || on/off || Allows you to start disc in-drive automatically when you start system on.
|-
| 3D Video Output || Automatic/On || Allows you to set 3D Video Output automatic or always on.
|-
| Fake NP SNS Throttle || Off (60 sec)/ On (0,10,120,3600,closed)||
|-
| Debug for HDD Exchange Utility || ||
|-
| Fake Plus || on/off ||
|-
| Push Console Binding || on/off||
|-
| Automatic Download || on/off || Set automatic download on or off. There's not info available what this does change. '''May be automatic system updates!'''
|-
| Motion Controller Calibration Result || on/off || Shows lastest results from motion controller calibration.
|-
| VideoEditor Delete Preset BGM ||  ||
|}


===Install Package Files===
As on DEX/DECH Stations is already a "Install Package Files" function, no new icon is added, but the ability to install retail packages via the "game column" "Install Package Files".
Will install all package files found on the root of the USB stick sequentially in alphabetical order until an installation of a package is aborted or fails for any reason.  It will work only with properly signed packages.  Unlike the Install Package File function in the Game menu the .pkg extension name is not case sensitive.


=On 3.6x Firmwares=
=On 3.6x Firmwares=
As we know Sony has <strike>taken QA Flag away</strike> changed the Auth for QA-flag on 3.6x Firmwares. Until someone changes it to work with the new method (which doesnt work on the old), your QA Flag will not work on 3.6x.
As we know Sony has <strike>taken QA Flag away</strike> changed the Auth for QA-flag on 3.6x Firmwares. Until someone changes it to work with the new method (which doesnt work on the old), your QA Flag will not work on 3.6x.
From 3.60 Sony added a new step in the authentication process in the [[Iso module]]  "spu_token_processor.self".
This new step is a digital signature verification using ECDSA ("Elliptic Curve Digital Signature Algorithm").
The old token, the IDPS taked from the machine, the version of the Token (1), the array of flags, and the HMAC hash of the previous parts, remains valid as such.
No key (AES, HMAC) were changed in the new module.
However, after the decryption of the token, [[IDPS]] and verification of the machine with which it has the token performs a digital signature verification of all encrypted token (0x50 bytes).
This performs a SHA-1 hash of the entire token (like Sony performed at the time of the digital signature) and passes to check the signature, if it validates the token is considered authentic and returned both encrypted as decrypted (this with the hash hmac set to 0), as happened in 3.56 and lower.
In the event that the digital signature fails, consider that the token is not valid, as would happen if the token decryption fails, or any of your previous checks (HMAC computed with token bearing the token, the [[IDPS]] , ...).
In this case it will return an empty buffer (instead of the decrypted token) and one with a token prepared but without any active flag, or indeed with any digital signature, as happened in 3.56 and lower.
In short it is not possible to put a machine QA in firmware 3.60 and higher unless you are patching the module (thus only work in that customized firmware), or getting a whole token and a valid digital signature for.
Given that the token varies by the [[IDPS]] to prevent universal token exists, only the IDPS should know that token, and change the [[IDPS]] of section one of [[Flash#EID0_-_Section_0|EID0]] (which is what the [[Iso module]] checks), but this could have unintended consequences in some cases.


= QA Downgrading =
= QA Downgrading =
Crossreference: [http://portal.gitbrew.org/wikibrew/PS3:Downgrade gitbrew.org PS3:Downgrade] <br />


== Notes ==
== Notes ==
These tools COULD format your ps3. (which means Any and ALL psn / downloaded data could be erased)
These tools COULD format your ps3. (which means Any and ALL psn / downloaded data could be erased)


note: several people noted that they did not suffer from dataloss even after several downgrades, but its good measure to backup before downgrading {esp. ACT.DAT which DO get erased)
note: several people noted that they did not suffer from dataloss even after several downgrades, but its good measure to backup before downgrading (esp. ACT.DAT which DO get erased)


== Tools Needed ==
== Tools Needed ==
*http://git.gitbrew.org/~glevand/public/CFW355-OTHEROS++-SPECIAL.PUP
*[http://git.gitbrew.org/~glevand/public/CFW355-OTHEROS++-SPECIAL.PUP CFW355-OTHEROS++-SPECIAL.PUP] // (mirror:[http://www.multiupload.com/UITB9EY84F CFW355-OTHEROS++-SPECIAL.PUP (170.64 MB)] / http://www.mirrorcreator.com/files/TTL1FPNF/CFW355-OTHEROS__-SPECIAL.PUP_links) - QA Flag CFW with SS patches, Can be used to downgrade your ps3 from 3.55 to lower firmwares.
*http://git.gitbrew.org/~glevand/public/qa_flag_extra.pkg
**[http://gitbrew.org/~glevand/ps3/pkgs/qa_flag_extra.pkg qa_flag_extra.pkg] // (mirror:[http://www.multiupload.com/KAGDSQ9QG9 qa_flag_extra.pkg (69.98 KB)]) (to enable QA with downgrade)
 
*Firmware you want to downgrade to. (3.41, 3.15)
*Firmware you want to downgrade to. (3.41, 3.15)


Line 277: Line 264:
== Known Issues with QA flag / QA downgrades ==
== Known Issues with QA flag / QA downgrades ==


=== Act.dat (PSN activation) gets deleted ===
=== act.dat (PSN activation) gets deleted ===
Make sure you backup the file before enabling QA-extra flag and downgrade. There have been reports of ACT.DAT ("home/000000XX/exdata/act.dat") get's deleted. So make sure to backup that entire folder before flagging/downgrading.
Make sure you backup the file before enabling QA-extra flag and downgrade. There have been reports of ACT.DAT ("home/000000XX/exdata/act.dat") get's deleted. So make sure to backup that entire folder before flagging/downgrading.
* http://rebug.me/xreg-plus-v1-0/
* http://www.maxconsole.com/maxcon_forums/threads/270400-Restore-act-dat-Homebrew-to-help-with-copying-your-PSN-activation-files!
= Useful links =
* https://rmscrypt.wordpress.com/
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>

Latest revision as of 15:48, 19 January 2023

QA Flag[edit | edit source]

A QA flag is a value set in SC EEPROM at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.

QA Token[edit | edit source]

A QA token is an 80 byte value that determines amount of functionality on your console. It is signed with a 20 byte SHA1 key then encrypted using AES256CBC. Please see the keys page.

Unencrypted Token Structure[edit | edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 00 00 01 00 11 22 33 44 55 66 77 88 99 AA BB
00000010  CC DD EE FF 00 00 00 00 00 00 00 00 00 00 00 00
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030  00 00 00 00 00 00 00 00 00 00 00 00 19 4A 4B BA
00000040  15 97 AE 71 36 CC B6 65 7F C3 B5 3F 49 22 2F B1
Address Length Value Description
0x00 0x4 0x01 QA-Flag Version
0x04 0x10 0x00112233445566778899AABBCCDDEEFF IDPS
0x14 0x20 0x00 Token Flags
0x34 0x8 0x00 padding
0x3C 0x14 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 digest

Encrypted Token[edit | edit source]

The entire token is then encrypted with AES256CBC. You will find the keys on the keys page. This is then stored on SC EEPROM at 0x48D3E

Token Flags[edit | edit source]

The flags are a 32 (0x20) bytes value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.

Location Value (Binary OR assigned) Description
0x14 byte(21) 2 bytes BDP CONTROL - Checked by appldr, isoldr.

0x1 DEH_DEBUG_DISABLE
0x2 DEX_DEBUG_DISABLE
0x4 ALL_DEBUG_DISABLE
0x8 DEH_BOOT_ENABLE
0x10 DEX_BOOT_ENABLE
0x20 CEX_BOOT_ENABLE
0x40 ARCADE_BOOT_ENABLE

0x16 byte(23) 2 bytes CONNECT_CONTROL - Checked by appldr, isoldr.

0x1 DEH_DEBUG_DISABLE
0x2 DEX_DEBUG_DISABLE
0x4 ALL_DEBUG_DISABLE
0x8 DEH_BOOT_ENABLE
0x10 DEX_BOOT_ENABLE
0x20 CEX_BOOT_ENABLE
0x40 ARCADE_BOOT_ENABLE

0x24 byte(36) 0x1 / 0x2 / 0x4 / 0x8 QA_FLAG_RESERVED_FOR_VSH
0x24 byte(36) 0x1 QA_FLAG_RESERVED_FOR_VSH0
0x24 byte(36) 0x2 QA_FLAG_RESERVED_FOR_VSH1
0x24 byte(36) 0x4 QA_FLAG_RESERVED_FOR_VSH2
0x24 byte(36) 0x8 QA_FLAG_RESERVED_FOR_VSH3
0x27 byte(39) 0x1 QA_FLAG_EXAM_API_ENABLE
0x27 byte(39) 0x2 QA_FLAG_QA_MODE_ENABLE
0x2B byte(43) 0x1 System Debug (lv1ldr decrypts token and send it to lv0, lv0 sets sys.ac.sd repo node)
0x2B byte(43) 0x2 LV2 System App Debug
0x2C byte(44) 0x9 Advanced Token Flag!!
0x2F byte(47) 0x1 / 0x2 / 0x3 / 0x4 QA-Token-Flag: (0x01 : Minimum) (0x02 : Advanced) (0x03 : undocumented)
0x2F byte(47) 0x1 QA_FLAG_SPECIAL_I

it allows isoldr(and may be other loaders) to use second key_table

0x2F byte(47) 0x2 QA_FLAG_ALLOW_TEST_APP
0x2F byte(47) 0x4 QA_FLAG_ALLOW_REMOTE_SPAWN

internal mode(QA flag minimum or advanced): Allows lv2_kernel.self to run sys_init_osd.self, liblv2.sprx and sys_init_osd.self to run vsh.self and sys_audio.self from /app_home/

0x33 byte(51) 0x1 QA_FLAG_ALLOW_NON_QA

special execution mode: Allows sys_init_osd.self to run either 2nd_image_writer.self or cellftp.self (copy_script.txt), setmonitor.self (monitor.conf) and lv2diag2.self to run from /dev_usb000/

0x33 byte(51) 0x2 QA_FLAG_FORCE_UPDATE

updates to any firmware, ignoring version checks

Setting QA Flag & Token with Linux[edit | edit source]

Prerequisites[edit | edit source]

  • First you need to have linux installed on your PS3, you can have grafs kernel or glevands rework

If you are using glevand´s kernel you will have to first enable the require module

modprobe ps3dmproxy
  • Then you will have to have the latest ps3dm-utils you can get from gitbrew or here you have a precompiled ps3dm_um ps3dm_aim

and you will need Slynk tools

Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work. 
Tokenator.7z (26.42 KB)
Tokenator mirror(with src included)
Slynk

Procedure[edit | edit source]

Getting the info[edit | edit source]

First you need your IDPS. Obtain this using ps3dm_aim.

# ./ps3dm_aim /dev/ps3dmproxy get_dev_id

Write it down and load it using Slynk's Tokenator app.

It will give you the command you should use in linux + your encrypted token. The tool should output something like this:

./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...

Setting the flag[edit | edit source]

./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00

(you may skip this step, because UM set_token takes care of it)

Setting the token[edit | edit source]

Just copy paste the command you got from tokenator

./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...

Congrats now you ps3 is QA flagged Reboot

Getting the QA flag menu[edit | edit source]

Set your cursor on (not in) Network Settings and press the key combo (all at the same time): D-Pad DOWN Button + Dualshock L1 button + Dualshock L2 button + Dualshock R1 button + Dualshock R2 button + Dualshock L3 button

You should see Edy Viewer, Debug Settings, and Install Package Files if done correctly.

Setting QA Flag & Token with Grafs Payload[edit | edit source]

You can follow this tutorial to set the flag and token and then get the menu with the combo needed GrafPayload

GameOS app to QA flag[edit | edit source]

Glevand's QA flagging tools[edit | edit source]

QA_Flagging_Tools:

  • Prebuild packages :

http://store.brewology.com/ahomebrew.php?brewid=214

Alternative[edit | edit source]

This is a work in progress, it should already work, but feel free to review the code and improve it

source Makefile

based on Product Mode Toogle

Toggle QA - rebug.me[edit | edit source]

qa-toggle.pkg

CRC-16: 032F
CRC-32 (Ethernet and PKZIP): D0DC4C0F
SHA-1: 9B5C215E50B4DEC02E6171B0252A977DD599E3BA
SHA-256: 845BCE0134A6DF6CF1966F2D4D4F8380DEF121ACA7AB1FA022B73A8F5E9FEEA3
SHA-384: A791A022F879C972CDBD85A26AF32FDAEF25D32FA28CA47F55AFFAA471EACD1EC6D2761CD4E0E92D93F11A7002AAC281
SHA-512:  D3CA8DC93019181B0FD30B9618264F5C5CB8559F7AF1A4C2353AB5DBFD8B2FD4AD0EA63E2140E73F63D57E2252FB7DEAC53FA2B36919B703A477540D08C13EF9
MD-2: 5262E62B55CE972F5E58A13657B4143E
MD-4: D6C9A681F0605C6AACBC61EDB7D43DD5
MD-5: FB11BEC5A0DDE6600BAEE0CC36742D54

Needs mmap114 lv1 patch + lv2 peek&poke MFW 3.41 or 3.55 (all other patches are done on the fly, when needed) - 3.15 will NOT work (blackscreen lock)

This is compatible with Kmeaw CFW and Rogero V3.7 (mirror / MD5:8f8166b25d6bed891f292c77de5c4b28)

for noFSM, use 9.99 downgrader instead: MD5:b67747f529d047d63151786544a58b50 .

http://rebug.me/?p=1358 / backup/mirror : toggle_qa.pkg (94.22 KB)

other mirrors:

QA Flags Features[edit | edit source]

Edy viewer[edit source]

Payment service in japan
more info Edy viewer

Option not present in FW 1.02/1.10/1.11/1.30/1.31/1.32, only added since FW 1.50 and higher.

Debug Settings (CEX/DEX)[edit source]

There are different Debug Settings (in English) for different firmware versions. For example: FW 3.55 has more options than FW 3.41 & 3.15, below versions have even less. Some Debug settings are only available in older versions.

Setting Product Code Description 3.50
-
3.55
3.40
-
3.42
3.21
-
3.30
3.10
-
3.15
3.00
-
3.01
2.80 2.70
-
2.76
2.60 2.50
-
2.53
2.40
-
2.43
2.30
-
2.36
2.20 2.10
-
2.17
1.92
-
1.94
1.90 1.80
-
1.82
1.60
-
1.70
1.50
-
1.54
1.02
-
1.32
Remarks
DTCP-IP  CEX  Digital Transmission Content Protection over Internet Protocol, a specification for copy protection of copyrighted content that is transferred over digital interfaces in home networks that adhere to IP. Allows you to turn it on or off for PS3.
  • Off :
  • On :
Y Y Y Y Y N N N N N N N N N N N N N N OFF only?
ATRAC  CEX  Adaptive TRansform Acoustic Coding is a family of proprietary audio compression algorithms developed by Sony. Allows you to enable or disable ATRAC playback for your PS3 system.
  • Off :
  • On :
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N N N N -
WMA  CEX  Windows Media Audio is an audio data compression technology developed by Microsoft. Allows you to enable or disable WMA playback for your PS3 system.
  • Off :
  • On :
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N N N N -
Analog Output Expansion Feature  CEX 
  • Menu Off :
  • Off :
  • On :
N N N N N N N Y Y N N N N N N N N N N -
NP Environment  CEX   DEX  Allows you to change which environment your PS3 connects. See Environments
  • NP
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y -
Fake Free Space (for CEX)  CEX   DEX  Fake the amount of free space on the HDD, in "Fake Limit Size" function.
  • Off : deactivate Fake Free Space function.
  • On : activate Fake Free Space function.
  • On (Ignored in NP Trophy): activate Fake Free Space function except for trophy functions.
Y Y Y Y Y Y N N N N N N N N N N N N N -
Fake Limit Size  CEX   DEX  Set the amount of free space on the HDD in MB when the "Fake Free Space" function is activated.
  • _ MB
Y Y Y Y Y Y N N N N N N N N N N N N N -
NP Debug  CEX   DEX  When an application is started, Playstation Network information related to that application is displayed.
  • Off : deactivate the NP Debug function.
  • On : activate the NP Debug function.
Y Y Y Y Y Y Y Y Y Y Y Y Y N N N N N N -
NPDRM Debug  CEX   DEX  Set and test the access rights to an application that use drm protection.
  • Off : deactivate the NPDRM Debug function.
  • No Entitlement (80029513) : return 80029513 error.
  • Deactivated (80029514) : return 80029514 error.
  • Unexpected Error : return unexpected error.
Y Y Y Y Y Y Y Y Y Y N N N N N N N N N -
Edy Debug  CEX  Edy is a payment service in Japan, allows you to enable or disable debugging for Edy Viewer.
  • Off :
  • On :
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N -
Nav-only NP  CEX 
  • Off :
  • On :
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N N -
Cdda Server  CEX 
  • Production :
  • Evaluation :
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N N N -
Auto download  CEX 
  • Off :
  • On :
May be automatic system updates!
N N N N N N N N N Y Y Y Y Y N N N N N -
SSMSS Server  CEX 
  • Production Server :
  • Test Server :
  • Development Server :
N N N N Y Y Y Y N N N N N N N N N N N -
Crash Report  CEX   DEX  When the console crashes, a report can be sent to Sony servers.
  • Off : deactivate the Crash Report function.
  • On : activate the Crash Report function.
Y Y Y Y N N N N N N N N N N N N N N N -
Crash reporter Status  CEX 
  • Ready :
  • Busy :
  • Never be called :
Y Y Y Y N N N N N N N N N N N N N N N -
VSH Crash Dump Generator  CEX 
  • Off :
  • On :
Y Y Y Y N N N N N N N N N N N N N N N -
System Update Debug  CEX  Allows you to enable or disable system update debug, which lets you to downgrade with official Sony update manager. Also allows easy firmware switching by storing a PS3UPDAT.PUP (can be renamed) in /dev_hdd0/updater/01, then another in /dev_hdd0/updater/02 etc. Then go to "System Update" > "Update via Hard Disk" and select the update to install.
Maximum is 20 versions to be listed in XMB, even when more are stored by using e.g. ftp.
Lowest version that can be copied to updaterfolder on harddisk is 2.70 (no limit when using e.g. ftp, although versions below 2.70 cannot be used for reinstallment).
  • Off :
  • On :
Y Y Y Y Y Y Y N N N N N N N N N N N N -
Information Board QA Server  CEX 
  • Off :
  • On :
Y Y Y Y Y Y Y Y Y Y Y Y Y N N N N N N -
Format Marlin Personal Data  CEX  This appears to be related to Marlin DRM possibly for multimedia use.
-> (Format : Yes / No)
Y Y Y Y Y Y Y Y Y Y N N N N N N N N N -
PlayStation Store Ad Clock  CEX   DEX  Change the clock time of the ★ Title Store Preview (Store).
  • Off : the PlayStation Store Ad Clock function is deactivated.
  • On : the PlayStation Store Ad Clock function is activated.
Y Y Y Y Y Y Y Y Y Y Y N N N N N N N N -
Geo Filtering for PlayStation Store  CEX   DEX 
  • Normal :
  • Always Succeed :
  • Always Fail :
Y Y Y Y Y Y Y Y Y Y N N N N N N N N N -
Remove Game License  CEX  -> (Remove : Yes / No) Y Y Y Y Y Y Y Y Y Y Y N N N N N N N N -
Home Debug  CEX 
  • Off :
  • On :
Y Y Y Y Y Y Y Y Y Y Y Y N N N N N N N -
Delete Trophy Personal Data  CEX  Allows you to delete all your PS3 trophies personal data.
-> (Delete : Yes / No)
Y Y Y Y Y Y Y Y Y Y N N N N N N N N N -
GameUpdate Impose Test  CEX   DEX  The application will simulate a fake patch in order to test how the application will react when a patch is found.
  • Off : deactivate the GameUpdate Impose Test function.
  • On : activate the GameUpdate Impose Test function.
Y Y Y Y Y Y Y Y Y N N N N N N N N N N -
Network Emulation Setting  CEX   DEX  Emulate the network in order to test how the application will react with networks troubles.
  • Off : the Network Emulation Setting function is deactivated.
  • Option 1 : the Network Emulation Setting function is activated (packet delay time : 100ms).
  • Option 2 : the Network Emulation Setting function is activated (bandwitch limitation : 132072 bps).
  • Option 3 : the Network Emulation Setting function is activated (send packet loss : 5%).
Y Y Y Y Y Y Y Y Y N N N N N N N N N N -
Network Emulation Status  CEX   DEX  Show information of the Network Emulation Setting function. This information is also showed when selecting an option in Network Emulation Setting function.
-> (Outputs status screen)
Option number : Off
Packet loss : (% send), (% receive)
Packet loss duration (ms)
Packet pass duration (ms)
Packet delay time (ms)
Packet delay jitter (ms)
Packet out of order (%)
Packet out of order delay (ms)
Packet duplication  (%)
Bandwidth limitation (bps)
Packet size limitation (min bytes)
Packet size limitation (max bytes)
Policy pattern (0x0000000000000000)
Y Y Y Y Y Y Y Y Y N N N N N N N N N N -
Auto-Off Debug  CEX 
  • Off :
  • On :
Y Y Y Y Y Y Y Y Y N N N N N N N N N N -
WLAN Device  CEX   DEX  Activate/deactivate the wireless LAN device.
  • Off : deactivate the wireless LAN device.
  • On : activate the wireless LAN device.
Note : the wireless LAN device have to be not in use to deactivate it.
Y N N N N N N N N N N N N N N N N N N -
NAT Traversal Information  CEX   DEX  NAT traversal techniques are typically required for client-to-client networking applications, especially peer-to-peer and Voice-over-IP (VoIP) deployments.
-> (Outputs status screen)
UPnP Status : Unavailable / Available
UPnP Port Number : -
UPnP External Address : -
Stun Status : Unsucceeded / Succeeded
NAT Type : Type1 / Type2 / Type3
Mapped Address : (Internet IP Address)
Mapping Policy : Endpoint Independant
Port Preservation : true / false
Delta: 0
Port Opened : true / false
Y Y Y Y Y Y Y N N N N N N N N N N N N -
Internet Browser Debug  CEX  When on is selected press triangle over the internet browser icon for extra options. (the WebKit option causes the console to reboot)
  • Off :
  • On :
Y Y Y Y Y Y Y N N N N N N N N N N N N -
SMSS Result Output  CEX 
  • Off :
  • On :
Y Y Y Y Y N N N N N N N N N N N N N N -
Adhoc SSID Prefix  CEX   DEX  Set the prefix name of the Ad-hoc SSID’s. The default value is set for PSP devices.
  • PSP :
3 chars (Latin) max?
Y Y Y Y Y N N N N N N N N N N N N N N -
Disc Auto-Start at System Startup  CEX   DEX  Start the disc automatically when the system is turned on.
  • Off : deactivate the Disc Auto-Start at System Startup function.
  • On : activate the Disc Auto-Start at System Startup function.
Note : [System Settings] > [Disc Auto-Start] have to be turned on too.
Y Y Y Y Y N N N N N N N N N N N N N N -
3D Video Output  CEX   DEX  Set the video output to 3D.
  • Automatic : video output settings are automatically set.
  • On : force the 3D video output.
Y Y Y N N N N N N N N N N N N N N N N -
Fake NP SNS Throttle  CEX   DEX  Fake a throttling (a delay between information sends) into the social network service.
  • Off (60 sec) : the Fake NP SNS Throttle function is deactivated, the throttling is set to 60 seconds.
  • On (0 sec) : the Fake NP SNS Throttle function is activated, the throttling is set to 0 seconds.
  • On (10 sec) : the Fake NP SNS Throttle function is activated, the throttling is set to 10 seconds.
  • On (120 sec) : the Fake NP SNS Throttle function is activated, the throttling is set to 120 seconds.
  • On (3600 sec) : the Fake NP SNS Throttle function is activated, the throttling is set to 3600 seconds.
  • On (Throttle Closed) : the Fake NP SNS Throttle function is activated, the throttling is deactivated.
Y Y Y N N N N N N N N N N N N N N N N -
Debug for HDD Exchange Utility  CEX  Clone your HDD straight to USB HDD, NO QA Token needed
-> (HDD Exchange Utility)
Y Y Y N N N N N N N N N N N N N N N N -
Fake Plus  CEX   DEX  Fake the activation of PlayStation Plus.
  • Off : the Fake Plus function is deactivated.
  • On : the Fake Plus function is activated.
Y N N N N N N N N N N N N N N N N N N -
Push Console Binding  CEX 
  • Off :
  • On :
Y Y N N N N N N N N N N N N N N N N N -
Automatic Download  CEX  Set automatic download on or off, on scheduled time (game updates, system software updates, and selected movies).
  • Off :
  • On :
May be automatic system updates!
Y Y N N N N N N N N N N N N N N N N N -
Motion Controller Calibration Result  CEX  Shows lastest results from motion controller calibration.
  • Off :
  • On :
Y Y N N N N N N N N N N N N N N N N N -
VideoEditor Delete Preset BGM  CEX  -> (Delete : Yes / No) Y N N N N N N N N N N N N N N N N N N -
Setting Product Code Description 3.50
-
3.55
3.40
-
3.42
3.21
-
3.30
3.10
-
3.15
3.00
-
3.01
2.80 2.70
-
2.76
2.60 2.50
-
2.53
2.40
-
2.43
2.30
-
2.36
2.20 2.10
-
2.17
1.92
-
1.94
1.90 1.80
-
1.82
1.60
-
1.70
1.50
-
1.54
1.02
-
1.32
Remarks

Note: In older firmware versions (e.g. 1.02) it is not in a seperate debug menu, but rendered in XMB menu as System Settings extra options.

Debug Menu settings not in Retail/CEX QA[edit | edit source]

Setting Product Code Description Remarks
O Button Behavior  DEX  Switch the assignment of the “O” button to “X” button (like for japans games/region settings).
  • Enter : assign the “Enter” function to “O” button
  • Back : assign the “Enter” function to “X” button.
-
Game Type (Debugger)  DEX  Set the game type of an application when this one is started from the debugger (usually, this information is read from PARAM.SFO).
  • Disc Boot Game : use application like a game disc.
  • HDD Boot Game : use application like a HDD boot game.
  • Patch : use application installed as a game patch.
  • PARAM.SFO : use the param.sfo directly from the application.
-
Game Output Resolution (Debugger)  DEX  Set the game output resolution of an application when this one is started from the debugger (usually, this information is read from PARAM.SFO).
  • 480 (4:3)
  • 480 (16:9)
  • 576 (4:3)
  • 576 (16:9)
  • 720
  • 960 x 1080
  • 1280 x 1080
  • 1440 x 1080
  • 1600 x 1080
  • 1920 x 1080
-
Game Output Sound (Debugger)  DEX  Set game output sound of an application when this one is started from the debugger (usually, this information is read from PARAM.SFO).
  • Maximum Number of Channels Set on [ Sound Settings ] > [ Audio Output Settings ]
  • 2 ch
  • 2 ch (Downmix: 5.1 ch -> 2 ch)
  • 2 ch (Downmix: 7.1 ch -> 2 ch)
  • 5.1 ch
  • 5.1 ch (Downmix: 7.1 ch -> 5.1 ch)
  • 7.1 ch
  • Dolby Digital
  • Dolby Digital (Downmix: 7.1 ch -> 5.1 ch)
  • DTS
  • DTS (Downmix: 7.1 ch -> 5.1 ch)
-
BGM Player (Debugger)  DEX  Set the activation of BGM playback when an application is started from the debugger (usually, this information is read from PARAM.SFO).
  • Off : deactivate the BGM Player.
  • On : activate the BGM Player.
-
GameContentUtil Boot Path (Debugger)  DEX  Change the game content boot path when an application is started from the debugger.
  • For Development : return the real path where the application is started.
  • For Release : return the path from GameContentUtil dirName (Debugger) setting.
-
GameContentUtil dirName (Debugger)  DEX  Change the game content directory when an application is started from the debugger in release mode. -
GameContentUtil Boot Path (/app_home/PS3_GAME/)  DEX  Change the game content boot path when an application is started from /app_home/PS3_GAME/.
  • For Development : return the real path where the application is started.
  • For Release : return the path from the PARAM.SFO settings.
-
Region Settings  DEX  Change the console settings (system language, time, date, etc…) depending on which region are selected.
  • Japan
  • North America
  • Oceania
  • UK
  • Europe
  • Korea
  • Southeast Asia
  • Taiwan
  • Russia
  • China
  • Mexico
  • Hong Kong
-
Fake Other Region  DEX  Fake the license area of the console (SCEE for Europe, SCEA for America, etc…) to Other.
  • Off : the Fake Other Region setting is deactivated.
  • On : the license area is set to Other.
Note : Setting on that option is not saved after a console reboot.
-
HDCP  DEX  High-bandwidth Digital Content Protection (HDCP) is a form of digital copy protection developed by Intel Corporation to prevent copying of digital audio and video content as it travels across High-Definition Multimedia Interface
  • Off : the HDCP protection is deactivated.
  • On : the HDCP protection is activated
-
Display HDD Free Space  DEX  Display the hard drive free space on the menu screen while an application is running. -
Fake Save Data Owner  DEX  Allows use of save data from other users and displays a warning message at every load/save during the game. Once a save data has been saved with this features activated, that save couldn’t be read with this function deactivated.
  • Off : deactivate the Fake Save Data Owner function.
  • On : activate the Fake Save Data Owner function.
-
Format System Cache  DEX  Format the system cache area.
  • Yes : format the system cache.
  • No : cancel the system cache format.
-
Release Check Mode  DEX  Check if /app_home is used in the application.
  • Development Mode : the application can used /app_home.
  • Release Mode : the application can’t use /app_home.
-
Exception Handler  DEX  Handle PPU exceptions in order to debug an application.
  • Off : deactivate the exception handling.
  • On : activate the exception handling.
-
NPDRM Clock Debug  DEX  Activate/deactivate the validity period of an application that use drm protection.
  • Off : deactivate the NPDRM Clock Debug function.
  • On : activate the NPDRM Clock Debug function.
-
Service ID  DEX  Edit the Service ID of the content to access it on the Store.
Example : AB0000-ABCD12345_00
-
MsgDialogUtil Display Errorcode  DEX  Display the error code of an application that uses the cellMsgDialogOpenErrorCode function in the notification window.
  • Off : deactivate the MsgDialogUtil Display Errorcode function.
  • On : activate the MsgDialogUtil Display Errorcode function.
-
Format BD Emulator HDD  DEX  Format the external usb device (FAT32) for use it with the BD Emulator Function.
  • Quick Format : Make a quick device format.
  • Full Format : Make a full device format.
-
Disable ExitGame Timeout  DEX  Disable the forced termination of an application due to a time out.
  • Off : do not disable the ExitGame Timeout function.
  • On : disable the ExitGame Timeout function.
-
Core Dump  DEX  The Core Dump functions save and configure the output exceptions of applications in order to debug them.
  • Copy : Copy a core file.
  • Delete : Delete a core file.
  • Option :
    • [Option] > [★ Trigger Option]
      • Disable PPU exception detection : PPU exception are not includes in the core file.
      • Disable SPU exception detection : SPU exception are not includes in the core file.
      • Disable RSX exception detection : RSX exception are not includes in the core file.
      • Disable Foot Switch detection : the foot switch detection is deactivated.
    • [★ Corefile Generation Option]
      • Disable Memory Dump : the memory dump is not include in the core file.
    • [★ Execution Control Option]
      • Enable restart process and core dump function after core dumped : After a core file dumped, the process will restart and the core dump function activated.
      • Off : deactivate the core dump function.
      • On (Save to /app_home) : activate the core dump function and save the core file to /app_home.
      • On (Save to /dev_ms) : activate the core dump function and save the core file to /dev_ms.
      • On (Save to /dev_usb) : activate the core dump function and save the core file to /dev_usb.
      • On (Save to /dev_hdd0) : activate the core dump function and save the core file to /dev_hdd0.
-
PowerOnReset  DEX  The console is automatically turned on when the main power button is turned on.
  • Off : deactivate the PowerOnReset function.
  • On : activate the PowerOnReset function.
-
Boot Mode  DEX  Choose which mode to boot the console.
  • Debugger Mode : boot on the debugger, for debugging purpose.
  • System Software Mode : boot on system software mode, for developing purpose.
  • Release Mode : boot on release mode, the same than retail console, for finals tests purpose.
-
Blu-ray Disc Access  DEX  Choose the Blu-ray disc type of access.
  • BD Emulator (DEV) : Use the internal hdd for the BD-Emulator. (Reference Tools only)
  • BD Emulator (USB) : use an usb hdd formatted for the BD-Emulator.
  • BD Drive : use the Blu-Ray Disc drive.
-
Transfer Rate Pacing for BD Emulator  DEX  When the BD Emulator function is activated, the transfer rate can be choose between two options.
  • HDD Native : maximum transfer rate.
  • Equiv. to BD Drive : same transfer rate than the BD Drive.
-
Network Settings for Debug  DEX  Choose different network settings for the debugging than the settings used in usual settings.
  • Single Settings : use the same network settings for debugging than settings used in [Settings] > [Network Settings].
  • Dual Settings : use two different network settings.
-
Connection Status List for Debug  DEX  Show the network information for the debugging. -
Connection Settings for Debug (Dual Settings)  DEX  Choose network settings for the debugging.
Note : the Network Settings for Debug function have to be set on Dual Settings.
-
Pad Auto Detect  DEX  This function allows the console to automatically detect a paddle connected by USB.
  • Off : deactivate the Pad Auto Detect function.
  • On : activate the Pad Auto Detect function.
-
Initialize Boot Parameters  DEX  Reset boot parameters to their default value.
  • Yes : reset boot parameters.
  • No : do not reset boot parameters.
-
Update Server URL  DEX  Choose the server of firmware updates when selecting [Settings] > [System Update].
Example : http://www.myexampleserver.com/ps3updat.txt
Ps3updat.txt example:
Dest=82;ImageVersion=FFFFFFFF;SystemVersion=1.0000;CDN_Timeout=30;CDN=http://www.myexampleserver.com/PS3UPDAT.PUP.100.001;
Dest=82;ImageVersion=FFFFFFFF;SystemVersion=2.0000;CDN_Timeout=30;CDN=http://www.myexampleserver.com/PS3UPDAT.PUP.200.001;
ps3-updatelist.txt
Video Upload Debug  DEX  When a video is uploaded on YouTube with the video upload function, the uploaded video is set to private.
  • Off : the Video Upload Debug function is deactivated.
  • On : the Video Upload Debug function is activated.
-
Wake On LAN  DEX  Wake-on-LAN is an Ethernet computer networking standard that allows a computer to be turned on or woken up by a network message. The message is usually sent by a program executed on another computer on the same local area network.
  • Off : deactivate the Wake On Lan function.
  • On : activate the Wake On Lan function, the console can be turned on by a network message.
-
Dummy XMB (in game) Debug  DEX  This function checks how applications react while the XMB in game is used. If the resources debits are not enough, a message will be display in the notification window.
  • Off : the Dummy XMB (in game) Debug function is deactivated.
  • On : the Dummy XMB (in game) Debug function is activated.
-
Dummy BGM Player Debug  DEX  This function checks how applications react while the BGM Player is used. If the resources debits are not enough, a message will be display in the notification window.
  • Off : the Dummy BGM Player Debug function is deactivated.
  • On : the Dummy BGM Player) Debug function is activated.
-
MediatedServices: Mediator URL  DEX  Set the mediator URL of Mediated Services. -
MediatedServices: Provider Data  DEX  Set the provider data of Mediated Services. -
MediatedServices: Notifications  DEX  Activate/deactivate the Mediated Services notifications.
  • Off : the MediatedServices Notifications function is deactivated.
  • On : the MediatedServices Notifications function is activated.
-

Note: credit to DrEB

Install Package Files[edit | edit source]

Will install all package files found on the root of the USB stick sequentially in alphabetical order until an installation of a package is aborted or fails for any reason. It will work only with properly signed packages. Unlike the Install Package File function in the Game menu the .pkg extension name is not case sensitive.

Option present in FW 1.02 and above.

As on DEX/DECH Stations is already a "Install Package Files" function, no new icon is added, but the ability to install retail packages via the "game column" "Install Package Files".

On 3.6x Firmwares[edit | edit source]

As we know Sony has taken QA Flag away changed the Auth for QA-flag on 3.6x Firmwares. Until someone changes it to work with the new method (which doesnt work on the old), your QA Flag will not work on 3.6x.

From 3.60 Sony added a new step in the authentication process in the Iso module "spu_token_processor.self". This new step is a digital signature verification using ECDSA ("Elliptic Curve Digital Signature Algorithm"). The old token, the IDPS taked from the machine, the version of the Token (1), the array of flags, and the HMAC hash of the previous parts, remains valid as such. No key (AES, HMAC) were changed in the new module. However, after the decryption of the token, IDPS and verification of the machine with which it has the token performs a digital signature verification of all encrypted token (0x50 bytes). This performs a SHA-1 hash of the entire token (like Sony performed at the time of the digital signature) and passes to check the signature, if it validates the token is considered authentic and returned both encrypted as decrypted (this with the hash hmac set to 0), as happened in 3.56 and lower. In the event that the digital signature fails, consider that the token is not valid, as would happen if the token decryption fails, or any of your previous checks (HMAC computed with token bearing the token, the IDPS , ...). In this case it will return an empty buffer (instead of the decrypted token) and one with a token prepared but without any active flag, or indeed with any digital signature, as happened in 3.56 and lower. In short it is not possible to put a machine QA in firmware 3.60 and higher unless you are patching the module (thus only work in that customized firmware), or getting a whole token and a valid digital signature for. Given that the token varies by the IDPS to prevent universal token exists, only the IDPS should know that token, and change the IDPS of section one of EID0 (which is what the Iso module checks), but this could have unintended consequences in some cases.

QA Downgrading[edit | edit source]

Crossreference: gitbrew.org PS3:Downgrade

Notes[edit | edit source]

These tools COULD format your ps3. (which means Any and ALL psn / downloaded data could be erased)

note: several people noted that they did not suffer from dataloss even after several downgrades, but its good measure to backup before downgrading (esp. ACT.DAT which DO get erased)

Tools Needed[edit | edit source]

  • Firmware you want to downgrade to. (3.41, 3.15)

Installation Process[edit | edit source]

1. Install CFW355-OTHEROS++-SPECIAL.pup (Doesn't matter what version you are. 3.55 and lower ONLY.)
2. Install qa_flag_extra.pkg 
3. Run qa_flag (It will show up as this, that is fine)
4. If you hear the beeps, continue. If you do not hear beeping, come to irc.
5. Reboot
6. Go into recovery menu and Update your ps3 with the firmware that you want (3.15, 3.41 etc)
7. have it install

And now you're done. You just successfully downgraded your ps3.

User Submitted Videos[edit | edit source]

http://www.youtube.com/watch?v=ZLk3dq944-s - QA Downgrade

Known Issues with QA flag / QA downgrades[edit | edit source]

act.dat (PSN activation) gets deleted[edit | edit source]

Make sure you backup the file before enabling QA-extra flag and downgrade. There have been reports of ACT.DAT ("home/000000XX/exdata/act.dat") get's deleted. So make sure to backup that entire folder before flagging/downgrading.

Useful links[edit | edit source]