Talk:QA Flagging: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
|||
| (13 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
= From Superslim DEX with Serial 1 = | |||
<pre> | |||
0x14 = 00 27 | |||
BDP CONTROL - Checked by appldr, isoldr. | |||
0x1 DEH_DEBUG_DISABLE + | |||
0x2 DEX_DEBUG_DISABLE + | |||
0x4 ALL_DEBUG_DISABLE + | |||
0x20 CEX_BOOT_ENABLE | |||
= 0x27 | |||
0x16 = 00 3F | |||
CONNECT_CONTROL - Checked by appldr, isoldr. | |||
0x1 DEH_DEBUG_DISABLE + | |||
0x2 DEX_DEBUG_DISABLE + | |||
0x4 ALL_DEBUG_DISABLE + | |||
0x8 DEH_BOOT_ENABLE + | |||
0x10 DEX_BOOT_ENABLE + | |||
0x20 CEX_BOOT_ENABLE | |||
= 0x3F | |||
0x33 = 03 | |||
0x33 byte(51) 0x1 QA_FLAG_ALLOW_NON_QA + | |||
0x33 byte(51) 0x2 QA_FLAG_FORCE_UPDATE | |||
= 0x03 | |||
</pre> | |||
---- | |||
== Debug output == | |||
The qa flag has some options to enable some debug output. | |||
Does anybody know or has an idea about: | |||
*In real life how does /sony/ retrieve the debug information? do they use proDG? | |||
**So does it open the required ports to connect using prodg? | |||
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D | |||
it "should" work.. but I havent tested it.. it is already too late for me :S ~~PsiCoLeo | |||
---- | |||
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. | Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. | ||
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). | I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). | ||
| Line 13: | Line 65: | ||
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08) | index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08) | ||
index3: 0x42 (L3 0x02 + dpad_down 0x40) | index3: 0x42 (L3 0x02 + dpad_down 0x40) | ||
* Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set. | |||
* Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade) | |||
* undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented) | |||
QA-Flag: | |||
* 0x01 : Minimum | |||
* 0x02 : Advanced | |||
* 0x03 : undocumented2 | |||
---- | |||
vsh.self checks pad combo | |||
sys_init_osd.self checks QA-seed/token | |||
---- | ---- | ||
another token generator (compile together with f0f tools) | |||
<pre>#include <sys/types.h> | |||
#include <sys/mman.h> | |||
#include <stdio.h> | |||
#include <fcntl.h> | |||
#include <unistd.h> | |||
#include <sys/stat.h> | |||
#include <string.h> | |||
#include <stdarg.h> | |||
#include <stdlib.h> | |||
#include <zlib.h> | |||
#include <dirent.h> | |||
#include "tools.h" | |||
#include "aes.h" | |||
#include "sha1.h" | |||
static u8 *token_encrypted = NULL; | |||
static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED}; | |||
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E}; | |||
static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A}; | |||
static FILE *out = NULL; | |||
int main(int argc, char *argv[]) | |||
{ | |||
u8 tmp[0x50]; | |||
if (argc != 3) | |||
fail("usage: gen_qa encrypted_dummy_token.bin out.bin"); | |||
token_encrypted = mmap_file(argv[1]); | |||
//decrypt | |||
aes256cbc(key, iv, token_encrypted, 0x50, tmp); | |||
//set qa | |||
memset(tmp+0x2f,0x02,1); | |||
//recalc digest | |||
sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c); | |||
//encrypt | |||
aes256cbc_enc(key, iv, tmp, 0x50, tmp); | |||
out = fopen(argv[2], "w+"); | |||
fwrite(tmp, 0x50, 1, out); | |||
fclose(out); | |||
return 0; | |||
} | |||
</pre> | |||
---- | |||
==changes in HV== | |||
sysmgr_ss.fself runs in process 10 instead of 9. <s>its quite different compared to retail proc 9</s>.<br> | |||
you can extract the processes in your hv dump with this python script:<br> | |||
http://git.dashhacks.com/hvdev/hv-tools/blobs/master/hv_proc_extract.py | |||
Latest revision as of 00:47, 15 May 2024
From Superslim DEX with Serial 1[edit source]
0x14 = 00 27 BDP CONTROL - Checked by appldr, isoldr. 0x1 DEH_DEBUG_DISABLE + 0x2 DEX_DEBUG_DISABLE + 0x4 ALL_DEBUG_DISABLE + 0x20 CEX_BOOT_ENABLE = 0x27 0x16 = 00 3F CONNECT_CONTROL - Checked by appldr, isoldr. 0x1 DEH_DEBUG_DISABLE + 0x2 DEX_DEBUG_DISABLE + 0x4 ALL_DEBUG_DISABLE + 0x8 DEH_BOOT_ENABLE + 0x10 DEX_BOOT_ENABLE + 0x20 CEX_BOOT_ENABLE = 0x3F 0x33 = 03 0x33 byte(51) 0x1 QA_FLAG_ALLOW_NON_QA + 0x33 byte(51) 0x2 QA_FLAG_FORCE_UPDATE = 0x03
Debug output[edit source]
The qa flag has some options to enable some debug output.
Does anybody know or has an idea about:
- In real life how does /sony/ retrieve the debug information? do they use proDG?
- So does it open the required ports to connect using prodg?
if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D it "should" work.. but I havent tested it.. it is already too late for me :S ~~PsiCoLeo
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). Type it into my app in the format I provided, click the button, and run that command. Should work. Tokenator.7z (26.42 KB) Slynk
button combo: L2+R2+L1+R1+L3+dpad_down
index0: 0x00 index1: 0x00 index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08) index3: 0x42 (L3 0x02 + dpad_down 0x40)
- Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.
- Special execution mode is at offset 0x33 within the decrypted token/flag array (0x01 : allows firmare downgrade)
- undocumented1 is at offset 0x27 within the decrypted token/flag array (0x02 : undocumented)
QA-Flag:
- 0x01 : Minimum
- 0x02 : Advanced
- 0x03 : undocumented2
vsh.self checks pad combo
sys_init_osd.self checks QA-seed/token
another token generator (compile together with f0f tools)
#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>
#include "tools.h"
#include "aes.h"
#include "sha1.h"
static u8 *token_encrypted = NULL;
static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};
static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};
static FILE *out = NULL;
int main(int argc, char *argv[])
{
u8 tmp[0x50];
if (argc != 3)
fail("usage: gen_qa encrypted_dummy_token.bin out.bin");
token_encrypted = mmap_file(argv[1]);
//decrypt
aes256cbc(key, iv, token_encrypted, 0x50, tmp);
//set qa
memset(tmp+0x2f,0x02,1);
//recalc digest
sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);
//encrypt
aes256cbc_enc(key, iv, tmp, 0x50, tmp);
out = fopen(argv[2], "w+");
fwrite(tmp, 0x50, 1, out);
fclose(out);
return 0;
}
changes in HV[edit source]
sysmgr_ss.fself runs in process 10 instead of 9. its quite different compared to retail proc 9.
you can extract the processes in your hv dump with this python script:
http://git.dashhacks.com/hvdev/hv-tools/blobs/master/hv_proc_extract.py