QA Flags
flagged updater = qa_flags[0] & 0x1
force update = qa_flags[0] & 0x2
int dev, int dev for internal libc, allow init vtrm = qa_flags[0] & 0x4
allow registry access = qa_flags[0] & 0x8
int dev for psm, allow psm debug = qa_flags[0] & 0x10
special i = qa_flags[0] & 0x40
allow ul debugger = qa_flags[1] & 0x1
allow sl debugger = qa_flags[1] & 0x2
beta update test = qa_flags[1] & 0x4
debug menu, debug menu for psm = qa_flags[2] & 0x1
allow ad clock = qa_flags[2] & 0x2
fake finalize = qa_flags[2] & 0x10
psn access trace log = qa_flags[2] & 0x40
debug menu mini = qa_flags[3] & 0x2
any_qaf = qa_flags[0] | qa_flags[1] | qa_flags[2] | qa_flags[3] | qa_flags[4] | qa_flags[5] | qa_flags[6] | qa_flags[7] | qa_flags[8] | qa_flags[9] | qa_flags[0xA] | qa_flags[0xB] | qa_flags[0xC] | qa_flags[0xD] | qa_flags[0xE] | qa_flags[0xF] (set when any of the 16 bytes is non-zero; spoofed by setting every byte to 0xFF)
Utoken Flags
store mode = utoken_flags[0] & 0x1
data execution = utoken_flags[0] & 0x2
use weakened port restriction = utoken_flags[0] & 0x4
use softwagner = utoken_flags[0] & 0x8
flagged updater = utoken_flags[0] & 0x10
np env switching = utoken_flags[0] & 0x20
save data repair = utoken_flags[0] & 0x40
fake sharefactory = utoken_flags[0] & 0x80
Spoofing Flags
- Search for the kernel magic in the kernel dump
- Set all 16 bytes before the kernel magic to FF
- Set all 16 bytes after the kernel magic to FF
- Open the kernel dump in IDA Pro (use SocraticBliss's kernel loader for this)
- Search for the string "rcmgr" as hex bytes (searching as text is slower)
- Find the xref to the first string (usually intdev)
- Rename all the functions to their respective names
- Patch each function where the condition ((word_FFFFFFFFXXXXXXXX & 54) != 0) appears in the pseudocode (if the first jump is a jnz, it's the second jz; if the first jump is a jz, it's the second jz as well)
- Note down the patches and spoofs, as well as the names of the rcmgr flags (for example rcmgr_intdev)
- Write code that escalates privileges, spoofs the qa flags and utoken flags, and calls sysctlbyname with machdep.<name of rcmgr flag>
- Launch the payload
- You should now have everything unlocked (to enable only the ones you want, comment or uncomment the corresponding sysctlbyname calls)
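Added example, not code from the original notes: a C decoder for the two flag tables above (QA Flags and Utoken Flags), the any_qaf check, and a test for the all-0xFF pattern that the spoofing steps write around the kernel magic, so a dump region can be read back by name instead of masking bytes by hand. The 16-byte array width, the table struct and the sample bytes are my own assumptions and constructions; the flag names and masks are the ones listed on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* One named bit from the tables above: index into the 16-byte array, mask, name. */
typedef struct { uint8_t byte; uint8_t mask; const char *name; } flag_def;
static const flag_def QA_FLAGS[] = {
    {0, 0x01, "flagged updater"},       {0, 0x02, "force update"},
    {0, 0x04, "int dev / allow init vtrm"}, {0, 0x08, "allow registry access"},
    {0, 0x10, "int dev for psm / allow psm debug"}, {0, 0x40, "special i"},
    {1, 0x01, "allow ul debugger"},     {1, 0x02, "allow sl debugger"},
    {1, 0x04, "beta update test"},      {2, 0x01, "debug menu / debug menu for psm"},
    {2, 0x02, "allow ad clock"},        {2, 0x10, "fake finalize"},
    {2, 0x40, "psn access trace log"},  {3, 0x02, "debug menu mini"},
};
static const flag_def UTOKEN_FLAGS[] = {
    {0, 0x01, "store mode"},        {0, 0x02, "data execution"},
    {0, 0x04, "use weakened port restriction"}, {0, 0x08, "use softwagner"},
    {0, 0x10, "flagged updater"},   {0, 0x20, "np env switching"},
    {0, 0x40, "save data repair"},  {0, 0x80, "fake sharefactory"},
};
#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))
/* Match a flag table against 16 dump bytes (assumed width): store the names of
 * set bits in out[] (at most max of them) and return how many table bits are set. */
size_t decode_flags(const uint8_t *b, const flag_def *d, size_t nd,
                    const char **out, size_t max) {
    size_t hits = 0;
    for (size_t i = 0; i < nd; i++) {
        if (d[i].byte < 16 && (b[d[i].byte] & d[i].mask)) {
            if (hits < max) out[hits] = d[i].name;
            hits++;
        }
    }
    return hits;
}
/* any_qaf as defined above: set when any of the 16 qa_flags bytes is non-zero. */
int any_qaf(const uint8_t qa[16]) {
    uint8_t acc = 0;
    for (size_t i = 0; i < 16; i++) acc |= qa[i];
    return acc != 0;
}
/* All 16 bytes 0xFF is the pattern the spoofing steps write around the kernel
 * magic; a dump region showing it is not carrying a stock flag set. */
int looks_spoofed(const uint8_t flags[16]) {
    for (size_t i = 0; i < 16; i++) if (flags[i] != 0xFF) return 0;
    return 1;
}
```

Feed it the 16 bytes on either side of the kernel magic and the returned names tell you which debug bits a dump has set, without consulting the tables by hand.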