QA Flagging: Difference between revisions
No edit summary |
mNo edit summary |
||
Line 207: | Line 207: | ||
Will install the first (only the first) package it finds on the root of the USB stick, it will work only with properly signed packages. | Will install the first (only the first) package it finds on the root of the USB stick, it will work only with properly signed packages. | ||
='''On 3. | ='''On 3.6x Firmwares'''= | ||
As we know Sony has taken QA Flag away on 3. | As we know Sony has <strike>taken QA Flag away</strike> changed the Auth for QA-flag on 3.6x Firmwares. Until someone changes it to work with the new method (which doesnt work on the old), your QA Flag will not work on 3.6x. |
Revision as of 19:37, 25 June 2011
QA Flag
A QA flag is a value set in SC EEPROM at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.
QA Token
A QA token is a 80 byte value that determines amount of functionality on your console. It is signed with a 20 byte SHA1 key then encrypted using AES256CBC. Please see the keys page.
Unencrypted Token Structure
0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x4A, 0x4B, 0xBA, 0x15, 0x97, 0xAE, 0x71, 0x36, 0xCC, 0xB6, 0x65, 0x7F, 0xC3, 0xB5, 0x3F, 0x49, 0x22, 0x2F, 0xB1
Address | Length | Value | Description |
---|---|---|---|
0x00 | 0x4 | 0x01 | Unknown (Static) |
0x04 | 0x14 | 0x112233445566778899AABBCCDDEEFF | IDPS |
0x14 | 0x3C | 0x00 | Token Flags |
0x3C | 0x80 | 0x194A4BBA1597Ae7136CCB6657FC33F49222FB1 | digest |
Encrypted Token
The entire token is then encrypted with AES256CBC. You will find the keys on the keys page. This is then stored on SC EEPROM at 0x48D3E
Token Flags
The flags are a 40 byte value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.
QA_FLAG_ALLOW_NON_QA = byte 0x33, bit 0 QA_FLAG_FORCE_UPDATE = byte 0x33, bit 1 QA_FLAG_EXAM_API_ENABLE = byte 0x27, bit 0 QA_FLAG_QA_MODE_ENABLE = byte 0x27, bit 2
Setting QA Flag & Token with Linux
Prerequisites
- First you need to have linux installed on your PS3, you can have grafs kernel or glevands rework
If you are using glevand´s kernel you will have to first enable the require module
modprobe ps3dmproxy
- Then you will have to have the latest ps3dm-utils you can get from gitbrew or here you have a precompiled ps3dm_um ps3dm_aim
and you will need Slynk tools
Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys. I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0). Type it into my app in the format I provided, click the button, and run that command. Should work. Tokenator.7z (26.42 KB) Slynk
Procedure
Getting the info
First you need you IDPS
the easyest way is using graf aim
./ps3dm_aim /dev/ps3dmproxy get_dev_id
Write it down and load it on the Tokenator app
It will give you the command you should use in linux + your encrypted token
something like this
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
Setting the token
Just copy paste the command you got from tokenator
./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...
Congrats now you ps3 is QA flagged Reboot
Set yourself on network settings and press the weird combo
L2+R2+L1+R1+L3(this means pressing you left analog stick)+dpad_down
Setting QA Flag & Token with Grafs Payload
You can follow this tutorial to set the flag and token and then get the menu with the combo needed GrafPayload
GameOS app to QA flag
Glevand's QA flagging tools Alternative:
- Prebuild package : qa_flag.pkg
QA Flags Features
Token seed byte 48=0x02
Edy viewer
Payment service in japan more info Edy viewer
Debug Settings
Setting | Value | Description |
---|---|---|
DTCP-IP | on-off | Digital Transmission Content Protection over Internet Protocol, a specification for copy protection of copyrighted content that is transferred over digital interfaces in home networks that adhere to IP. Allows you to turn it on or off for PS3. |
ATRAC | on/off | Adaptive TRansform Acoustic Coding is a family of proprietary audio compression algorithms developed by Sony. Allows you to enable or disable ATRAC playback for your PS3 system. |
WMA | on/off | Windows Media Audio is an audio data compression technology developed by Microsoft. Allows you to enable or disable WMA playback for your PS3 system. |
NP Enviroment | enviroment | Allows you to change which environment your PS3 connects. Known enviroments are: C1-NP, D2-NP, D2-PMGT, D2-PQA, D2-SPINT, D3-NP, D3-PMGT, D3-PQA, D3-SPINT, D-NP, D-PMGT, D-PQA, D-SPINT, EI-NP, EI-PMGT, EI-PQA, EI-SPINT, HF, HF-NP, HF-PMGT, HF-PQA, HF-SPINT, H-NP, H-PMGT, H-PQA, H-SPINT, MGMT (Management), NP (Retail), PMGT, PQA, PROD-QA (Quality Assurance), Q2, Q2-NP, Q2-PMGT, Q2-PQA, Q2-SPINT, Q-NP, Q-PMGT, Q-PQA, Q-SPINT, RC, RC-NP, R-NP, R-PMGT, R-PQA, R-SPINT, SP-INT (Developer). There might be even more of different environments. See Environments |
Fake Free Space (for CEX) | on/off | Use with Fake Limit Size to artificially set the free space on the PS3. |
Fake Limit Size | X MB | Amount of free space left (in MB). |
NP Debug | on/off | |
NPDRM Debug | on/off | |
Edy Debug | on/off | Edy is a payment service in Japan, allows you to enable or disable debugging for Edy Viewer. |
Nav-only NP | on/off | |
Cdda Server | Production/Evaluation | |
Crash Report | on/off | |
Crash reporter Status | Ready/Busy/Never be called | |
VSH Crash Dump Generator | on/off | |
System Update Debug | on/off | Allows you to enable or disable system update debug, which lets you to downgrade with official Sony update manager. |
Information Board QA Server | on/off | |
Format Marlin Personal Data | ? | |
PlaystationRStore Ad Clock | on/off | |
Geo Filtering for PlaystationRStore | Normal/Always Succeed/Always Fail | |
Remove Game License | ? | |
Home Debug | on/off | |
Delete Trophy Personal Data | ? | |
GameUpdate Impose Test | on/off | |
Network Emulation Setting | on/off | |
Auto-Off Debug | on/off | |
WLAN Device | on/off | |
NAT Traversal Information | on/off | |
Internet Browser Debug | on/off | |
SMSS Result Output | on/off | |
Adhoc SSID Prefix | PSP/? | |
Disc Auto-Start at System Startup | on/off | Allows you to start disc in-drive automatically when you start system on. |
3D Video Output | Automatic/On | Allows you to set 3D Video Output automatic or always on. |
Fake NP SNS Throttle | Off (60 sec)/ On (0,10,120,3600,closed) | |
Debug for HDD Exchange Utility | ||
Fake Plus | on/off | |
Push Console Binding | on/off | |
Automatic Download | on/off | Set automatic download on or off. There's not info available what this does change. May be automatic system updates! |
Motion Controller Calibration Result | on/off | Shows lastest results from motion controller calibration. |
VideoEditor Delete Preset BGM |
Install Package Files
Will install the first (only the first) package it finds on the root of the USB stick, it will work only with properly signed packages.
On 3.6x Firmwares
As we know Sony has taken QA Flag away changed the Auth for QA-flag on 3.6x Firmwares. Until someone changes it to work with the new method (which doesnt work on the old), your QA Flag will not work on 3.6x.