QA Flagging
QA Flags
- flagged updater = qa_flags[0] & 0x1
- force update = qa_flags[0] & 0x2
- int dev, int dev for internal libc, allow init vtrm = qa_flags[0] & 0x4
- allow registry access = qa_flags[0] & 0x8
- int dev for psm, allow psm debug = qa_flags[0] & 0x10
- special i = qa_flags[0] & 0x40
- allow ul debugger = qa_flags[1] & 0x1
- allow sl debugger = qa_flags[1] & 0x2
- beta update test = qa_flags[1] & 0x4
- debug menu, debug menu for psm = qa_flags[2] & 0x1
- allow ad clock = qa_flags[2] & 0x2
- fake finalize = qa_flags[2] & 0x10
- psn access trace log = qa_flags[2] & 0x40
- debug menu mini = qa_flags[3] & 0x2
- any_qaf = qa_flags[0] | qa_flags[1] | qa_flags[2] | ... | qa_flags[0xF] (all 16 bytes; = 0xFF when every byte is set)
Utoken Flags
- store mode = utoken_flags[0] & 0x1
- data execution = utoken_flags[0] & 0x2
- use weakened port restriction = utoken_flags[0] & 0x4
- use softwagner = utoken_flags[0] & 0x8
- flagged updater = utoken_flags[0] & 0x10
- np env switching = utoken_flags[0] & 0x20
- save data repair = utoken_flags[0] & 0x40
- fake sharefactory = utoken_flags[0] & 0x80
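As an added example (not code from this wiki page), the decoder below takes a qa_flags and a utoken_flags byte array and reports which of the named bits from the two tables above are set, evaluates any_qaf as the page defines it (any of the 16 bytes non-zero), and lists set bits the page gives no name for. Byte indexes and masks are the ones listed above; the sample byte strings are constructed for the demonstration.

```python
# Added example, not code from the wiki page: decode PS4 qa_flags / utoken_flags
# byte arrays into the bit names documented above and report any set bits the
# page does not name. Byte indexes and masks are the page's; sample inputs are
# constructed.

# (byte index, bit mask, name(s) the page gives that bit)
QA_FLAG_BITS = [
    (0, 0x01, "flagged updater"),
    (0, 0x02, "force update"),
    (0, 0x04, "int dev / int dev for internal libc / allow init vtrm"),
    (0, 0x08, "allow registry access"),
    (0, 0x10, "int dev for psm / allow psm debug"),
    (0, 0x40, "special i"),
    (1, 0x01, "allow ul debugger"),
    (1, 0x02, "allow sl debugger"),
    (1, 0x04, "beta update test"),
    (2, 0x01, "debug menu / debug menu for psm"),
    (2, 0x02, "allow ad clock"),
    (2, 0x10, "fake finalize"),
    (2, 0x40, "psn access trace log"),
    (3, 0x02, "debug menu mini"),
]
QA_FLAGS_LEN = 16  # any_qaf covers qa_flags[0] .. qa_flags[0xF]

UTOKEN_FLAG_BITS = [
    (0, 0x01, "store mode"),
    (0, 0x02, "data execution"),
    (0, 0x04, "use weakened port restriction"),
    (0, 0x08, "use softwagner"),
    (0, 0x10, "flagged updater"),
    (0, 0x20, "np env switching"),
    (0, 0x40, "save data repair"),
    (0, 0x80, "fake sharefactory"),
]
UTOKEN_FLAGS_LEN = 1  # only utoken_flags[0] is documented on the page


def _named_bits(data, table):
    """Names whose (byte, mask) test is non-zero, in page order."""
    return [name for idx, mask, name in table if data[idx] & mask]


def _undocumented_bits(data, table, length):
    """Per-byte mask of set bits that no table entry names (empty dict if none)."""
    documented = [0] * length
    for idx, mask, _ in table:
        documented[idx] |= mask
    leftover = {}
    for i in range(length):
        extra = data[i] & ~documented[i] & 0xFF
        if extra:
            leftover[i] = extra
    return leftover


def decode_qa_flags(qa_flags):
    """Decode a qa_flags array (at least 16 bytes) into named flags.

    any_qaf follows the page's definition: true when any of the 16 bytes is non-zero.
    """
    if len(qa_flags) < QA_FLAGS_LEN:
        raise ValueError("qa_flags needs at least %d bytes" % QA_FLAGS_LEN)
    return {
        "set": _named_bits(qa_flags, QA_FLAG_BITS),
        "any_qaf": any(qa_flags[:QA_FLAGS_LEN]),
        "undocumented": _undocumented_bits(qa_flags, QA_FLAG_BITS, QA_FLAGS_LEN),
    }


def decode_utoken_flags(utoken_flags):
    """Decode utoken_flags[0] into named flags."""
    if len(utoken_flags) < UTOKEN_FLAGS_LEN:
        raise ValueError("utoken_flags needs at least 1 byte")
    return {
        "set": _named_bits(utoken_flags, UTOKEN_FLAG_BITS),
        "undocumented": _undocumented_bits(utoken_flags, UTOKEN_FLAG_BITS, UTOKEN_FLAGS_LEN),
    }


if __name__ == "__main__":
    # Constructed samples: an all-zero array (nothing flagged), one with a few
    # named bits, and the all-0xFF case the spoofing section describes.
    samples = {
        "clear": bytes(16),
        "partial": bytes([0x05, 0x00, 0x40]) + bytes(13),
        "all 0xFF": bytes([0xFF] * 16),
    }
    for label, raw in samples.items():
        print(label, decode_qa_flags(raw))
    print("utoken", decode_utoken_flags(bytes([0x03])))
```

Running it on the all-0xFF array shows that the documented names cover only a fraction of the bits the "set everything to FF" approach turns on; the undocumented mask per byte is what a reader comparing two dumps would want to diff.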
Spoofing Flags
- Search for kernel magic in kernel dump
- Set all values before kernel magic (16 in total) to FF
- Set all values after kernel magic (16 in total) to FF
- Open the kernel dump in IDA Pro (use SocraticBliss's kernel loader for this)
- Search for the string "rcmgr" in hex bytes (searching as text is slower)
- Find the xref to the first string (usually intdev)
- Rename all the functions to their respective names
- Patch each function where the condition (word_FFFFFFFFXXXXXXXX & 54) != 0 applies in the pseudocode (if the first jump is a jnz, it's the second jz; if the first jump is a jz, it's the second jz as well)
- Note down the patches and spoofs, as well as the name of the rcmgr flags (for example rcmgr_intdev)
- Write code that escalates privileges, spoofs the qa flags and utoken flags, and calls sysctl by the name machdep.<name of rcmgr flag>
- Launch payload
- You should have everything unlocked (to use only the ones you want, comment or uncomment the sysctlbyname calls)