Talk:QA Flagging

From PS3 Developer wiki
Revision as of 08:15, 23 June 2011 by PsiCoLeO (talk | contribs) (added a discussion about the debug output)
Jump to navigation Jump to search

Debug output

The qa flag has some options to enable some debug output.

Does anybody know or has an idea about:

  • In real life how does /sony/ retrieve the debug information? do they use proDG?
    • So does it open the required ports to connect using prodg?


if someone is interested on a GameOS app to QA-flag : http://www.pastie.org/2105541 you can finish this one :D it "should" work.. but I havent tested it.. it is already too late for me :S ~~PsiCoLeo

/*
 * Based on glevands product mode toogle
 * PsiCoLeO 2011
 */

/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; version 2 of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#include <psl1ght/lv2/net.h>

#include <lv2_syscall.h>
#include <udp_printf.h>

#define UPDATE_MGR_PACKET_ID_READ_EPROM    0x600b
#define UPDATE_MGR_PACKET_ID_WRITE_EPROM  0x600c
#define EPROM_QA_FLAG_OFFSET        0x48c0a
#define EPROM_QA_Token_OFFSET        0x48D3E

/*
 * Set your encrypted token
 * Calculated with Slynk Tokenator
 */
static uint8_t qa_token[0x50] =
{
  0xF6, 0x58, 0xDB, 0xAC, 0x63, 0xEB, 0x47, 0x99, 0xE2, 0x63,
  0xC0, 0x10, 0x66, 0x42, 0x3D, 0xF7, 0x34, 0x29, 0x90, 0x61,
  0x23, 0xED, 0x89, 0xEC, 0x21, 0x9E, 0xE2, 0x8B, 0x83, 0xF9,
  0x87, 0x2F, 0x32, 0x50, 0xEC, 0xC3, 0xD0, 0x3D, 0xEA, 0x6E,
  0x14, 0xE0, 0x81, 0xA2, 0x67, 0xCE, 0x86, 0xF7, 0x7A, 0xFE,
  0xDF, 0x11, 0xAB, 0x39, 0xE1, 0xCE, 0x57, 0x06, 0x42, 0xC0,
  0x2B, 0xB2, 0x3F, 0x49, 0x04, 0xC7, 0xE7, 0x58, 0x70, 0x19,
  0x6A, 0xF1, 0xE4, 0x94, 0x32, 0x36, 0x61, 0xB0, 0xA6, 0xB5,
};


/*
 * main
 */
int main(int argc, char **argv)
{
  uint8_t value;
  int result;
  int n;

  netInitialize();

  udp_printf_init();

  PRINTF("%s:%d: start\n", __func__, __LINE__);

  result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_READ_EPROM,
    EPROM_QA_FLAG_OFFSET, (uint64_t) &value, 0, 0, 0, 0);
  if (result) {
    PRINTF("%s:%d: lv1_ss_update_mgr_if(READ_EPROM) failed (0x%08x)\n",
      __func__, __LINE__, result);
    goto done;
  }

  PRINTF("%s:%d: current qa flag mode 0x%02x\n", __func__, __LINE__, value);

  if (value == 0xff) {
    /* enable */

    PRINTF("%s:%d: enabling qa flag mode\n", __func__, __LINE__);

    value = 0x0;

    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  } else {
    /* disable */

    PRINTF("%s:%d: disabling qa flag mode\n", __func__, __LINE__);

    value = 0xff;

    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
    }
  }

  PRINTF("%s:%d: end\n", __func__, __LINE__);

  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);
  
  /* Setting the QA token */
  for ( n=0 ; n<80 ; n++ )
  {
    PRINTF("Setting QA token bit\n");

    value = qa_token[n];

    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
      EPROM_QA_Token_OFFSET+n, value, 0, 0, 0, 0);
    if (result) {
      PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
        __func__, __LINE__, result);
      goto done;
  }

  lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);

done:

  udp_printf_deinit();

  netDeinitialize();

  return 0;
}




Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work. 
Tokenator.7z (26.42 KB)
Slynk


button combo: L2+R2+L1+R1+L3+dpad_down

index0: 0x00
index1: 0x00
index2: 0x0F (L2 0x01 + R2 0x02 + L1 0x04 + R1 0x08) 
index3: 0x42 (L3 0x02 + dpad_down 0x40) 

Advanced token flag is at offset 0x2C (byte 44) within the decrypted token/flag array. Still don't know which bits to set.



vsh.self checks pad combo

sys_init_osd.self checks QA-seed/token