Talk:QA Flagging

From PS3 Developer wiki
Revision as of 09:16, 25 June 2011 by Anonymous (Privacy policy) (deleted the gameOS app prototype// there is already a gameOS app that works)

Debug output

The qa flag has some options to enable some debug output.

Does anybody know or have an idea about:

  • In real life, how does /sony/ retrieve the debug information? Do they use ProDG?
    • So does it open the required ports to connect using ProDG?


If someone is interested in a GameOS app to QA-flag: http://www.pastie.org/2105541 you can finish this one :D it "should" work, but I haven't tested it. It is already too late for me :S ~~PsiCoLeo



Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later, but basically: flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
Tokenator.7z (26.42 KB)
Slynk


button combo: L2+R2+L1+R1+L3+dpad_down

index0: 0x00
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08) 
index3: 0x42 (L3 0x02 + dpad_down 0x40) 

Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.



vsh.self checks pad combo

sys_init_osd.self checks QA-seed/token



another token generator (compile together with f0f tools)

#include <sys/types.h>
#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <zlib.h>
#include <dirent.h>

#include "tools.h"
#include "aes.h"
#include "sha1.h"

static u8 *token_encrypted = NULL;

static u8 key[] = {0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED};
static u8 iv[] = {0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E};

static u8 hmac_key[] = {0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A};

static FILE *out = NULL;



int main(int argc, char *argv[])
{
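	u8 tmp[0x50];	// one token: 0x3c bytes of data + 0x14-byte HMAC-SHA1 digest
	if (argc != 3)
		fail("usage: gen_qa encrypted_dummy_token.bin out.bin");

	token_encrypted = mmap_file(argv[1]);

	// decrypt the 0x50-byte token (AES-256-CBC) into tmp
	aes256cbc(key, iv, token_encrypted, 0x50, tmp);

	// set qa: write 0x02 to the byte at offset 0x2f
	memset(tmp+0x2f,0x02,1);

	// recalc digest: HMAC-SHA1 over the first 0x3c bytes, stored at offset 0x3c
	sha1_hmac(hmac_key, tmp, 0x3c, tmp+0x3c);

	// encrypt in place
	aes256cbc_enc(key, iv, tmp, 0x50, tmp);

	// write the token in binary mode and check that the write succeeded
	out = fopen(argv[2], "wb");
	if (out == NULL)
		fail("could not open %s for writing", argv[2]);
	if (fwrite(tmp, 0x50, 1, out) != 1)
		fail("could not write token to %s", argv[2]);

	fclose(out);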

	return 0;
}