
June 21, 2011 // 9:22 pm - Following up on the previous article, today the full PS3 QA Flagging Method has been revealed, including the button combo and token, alongside a PS3 QA Tutorial from Slynk.

To quote: A few weeks ago, several steps were revealed in the process of unlocking a special Quality Assurance (QA) mode on your PS3 console. The mode unlocks a special mode, which is typically only meant for official Sony testers.

Unfortunately, the steps revealed were only part of the process. Developers were scrambling to figure out the button combo that unlocked the special QA mode. In addition, developers still needed to figure out what to change in the QA dummy token. These two mysteries prevented developers from unlocking the mode.

Today however, the Quality Assurance mystery comes to an end. An anonymous and reputable source exclusively revealed to us the two remaining steps. The secret button combination that unlocks the hidden QA mode was revealed to us as being L1+L2+L3+R1+R2+dpad down. Furthermore, the anonymous source told us that users need to change byte 48 of the token seed to 0x02.

Combining this new information with the previously released QA information, developers have everything they need to unlock the mode. Please note, this is not to be attempted by beginners. However, with all of the information revealed here, developers will be able to create an application or custom firmware that automates the QA process.

Information courtesy of anonymous source: Change byte 48 of the token seed to 0x02, hash it, encrypt it, write it to eeprom and flag yourself. Button combo is L1+L2+L3+R1+R2+dpad down. Only works on retail firmware.

By byte 48, I mean the 48th byte. Note that in programming the array of the token seed begins with index 0. So the 48th byte would be seed[47];

This info is more than enough to get someone to make an app.

Previously released information regarding QA Mode:


*runs away before the lawsuits come flooding in*

HMAC to make the 20 byte digest at the end of the token and erk/iv to decrypt/encrypt it with aes256cbc.

2 more steps to go. Need the button combo and what to change in the dummy token.

Brief Guide on How to QA Flag your PS3:

  • Be on 3.55 OFW (not Kmeaw or Rebug CFW)
  • Move the PS3 cursor/select “Network Setting”
  • Punch the following button combo with your PS3 controller: L2 + L1 + R1 + R2 + L3 + D-pad Down
  • That's it, the “Edy Viewer”, “Debug Settings”, “Install Package” Menu will now appear.

Notes: Install Package is useless and can’t install homebrew at the moment – only signed PKGs (and the first one in root of USB only).

Finally, to quote from squarepusher2: So since this QA thing is worthless anyway - here is the button combo - you need to have the cursor on 'Network Settings' - (it needs to be 3.55 OFW BTW - Rebug won't work - I've already established that) - and do the following button combo - L2 + L1 + R1 + R2 + L3 + D-pad Down.

There's your button combo. 'Edy Viewer' will pop up - Debug Settings will pop up - Install Package will pop up (but it's kinda useless anyway since only retail packages will install, and only the first PKG on the root of the USB stick - yes - seriously). Now you only need to figure out the rest. Yes, this one works - don't worry about it - just go figure out the rest.

BTW - in case some people immediately start trying this out and telling me 'Hey Square - this doesn't bleepin* work' - remember - there are still some pieces of the puzzle missing - the 'community' needs to figure these out. But the button combo is in the bag - don't worry about it anymore, don't go fruitlessly reversing anymore looking for a possible sign of life of this 'button combo' - you've got it. Now figure out the rest.


Full PS3 QA Flagging Method Revealed - Button Combo and Token




#65 - TUHTA - June 23, 2011 // 10:32 am
Guys, who has already gone through the Linux installation tutorial above??

Send me a PM, I need your help please... I'm very close to finishing... but can't install some things.

#64 - PS4 News - June 22, 2011 // 5:03 pm
Here is a PS3 QA Tutorial by Slynk for those following: coderslynk.blogspot.com/2011/06/qa-tutorial.html

There are many methods to accomplish qa and I'm too lazy to document them all so I'll tell you one way. Linux.

PS3
Step 1) Install OtherOS++, install linux, make sure to enable the ps3 modules when compiling the kernel. (http://git.gitbrew.org/ps3/?p=otheros-utils/doc.git;a=blob_plain;f=DEBOOTSTRAP;hb=HEAD)


Debootstrap HOWTO by glevand

Links:

http://www.debian.org/releases/stable/i386/apds03.html.en
https://help.ubuntu.com/6.10/ubuntu/installation-guide/i386/linux-upgrade.html

Installing Debian Squeeze with debootstrap on petitboot

- Configuring the base system

1. umount /dev/ps3vflashh2
2. mkdir /mnt/debian
3. mount /dev/ps3vflashh2 /mnt/debian
4. rm -rf /mnt/debian/*
5. debootstrap --arch powerpc squeeze /mnt/debian http://ftp.us.debian.org/debian
6. mount -t proc none /mnt/debian/proc
7. mount --rbind /dev /mnt/debian/dev
8. LANG=C chroot /mnt/debian /bin/bash
9. export TERM=xterm-color

- Mounting partitions

File /etc/fstab

/dev/ps3vflashh2 / ext3 defaults 0 1
/dev/ps3vram none swap sw 0 0
/dev/ps3vflashh1 none swap sw 0 0
/dev/sr0 /mnt/cdrom auto noauto,ro 0 0
proc /proc proc defaults 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0

- Setting timezone

1. vi /etc/default/rcS
2. dpkg-reconfigure tzdata

- Configuring networking

1. echo "debian-vflash" > /etc/hostname

File /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

File /etc/resolv.conf

nameserver 192.168.1.1

- Configuring apt

File /etc/apt/sources.list

deb http://ftp.us.debian.org/debian squeeze main
deb-src http://ftp.us.debian.org/debian squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

1. aptitude update

- Configuring locales and keyboard

1. aptitude install locales
2. dpkg-reconfigure locales
3. aptitude install console-data
4. dpkg-reconfigure console-data

- Finishing touches

1. tasksel install standard
2. aptitude clean
3. passwd

- Installing kernel

1. cd /usr/src
2. git clone git://git.gitbrew.org/ps3/ps3linux/linux-2.6.git
3. ln -sf linux-2.6 linux
4. cd linux
5. cp ps3_linux_config .config
6. make menuconfig
7. make
8. make install
9. make modules_install

If you compile your kernel on PS3 then make sure you activate swap because
compiling kernel needs much RAM. I used /dev/ps3vflashh1 as swap which
you have to create with fdisk first of course or some other program.

1. mkswap /dev/ps3vflashh1
2. swapon /dev/ps3vflashh1

- Creating kboot.conf

File /etc/kboot.conf

debian_vflash=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh2
debian_vflash_hugepages=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh2 hugepages=1

- Creating /dev/ps3flash device (needed for ps3-utils)

File /etc/udev/rules.d/70-persistent-ps3flash.rules

KERNEL=="ps3vflashf", SYMLINK+="ps3flash"

Installing Ubuntu Natty with debootstrap on petitboot

- Configuring the base system

1. umount /dev/ps3vflashh3
2. mkdir /mnt/ubuntu
3. mount /dev/ps3vflashh3 /mnt/ubuntu
4. rm -rf /mnt/ubuntu/*
5. debootstrap --arch powerpc natty /mnt/ubuntu http://ports.ubuntu.com
6. mount -t proc none /mnt/ubuntu/proc
7. mount --rbind /dev /mnt/ubuntu/dev
8. LANG=C chroot /mnt/ubuntu /bin/bash
9. export TERM=xterm-color

- Mounting partitions

File /etc/fstab

/dev/ps3vflashh3 / ext3 defaults 0 1
/dev/ps3vram none swap sw 0 0
/dev/ps3vflashh1 none swap sw 0 0
/dev/sr0 /mnt/cdrom auto noauto,ro 0 0
proc /proc proc defaults 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0

- Setting timezone

1. vi /etc/default/rcS
2. dpkg-reconfigure tzdata

- Configuring networking

1. echo "ubuntu-vflash" > /etc/hostname

File /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

File /etc/resolv.conf

nameserver 192.168.1.1

- Configuring apt

File /etc/apt/sources.list

deb http://archive.ubuntu.com/ubuntu/ natty main restricted
deb-src http://archive.ubuntu.com/ubuntu/ natty main restricted

deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates main restricted
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-updates restricted

deb http://ports.ubuntu.com/ubuntu-ports/ natty universe
deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates universe

deb http://ports.ubuntu.com/ubuntu-ports/ natty multiverse
deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates multiverse

deb http://ports.ubuntu.com/ubuntu-ports/ natty-security main restricted
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security main restricted
deb http://ports.ubuntu.com/ubuntu-ports/ natty-security universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security universe
deb http://ports.ubuntu.com/ubuntu-ports/ natty-security multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security multiverse

1. apt-get update

- Configuring locales and keyboard

1. apt-get install locales
2. dpkg-reconfigure locales
3. apt-get install console-data
4. dpkg-reconfigure console-data

- Finishing touches

1. apt-get update
2. apt-get upgrade
3. apt-get clean
4. passwd

- Installing kernel

1. cd /usr/src
2. git clone git://git.gitbrew.org/ps3/ps3linux/linux-2.6.git
3. ln -sf linux-2.6 linux
4. cd linux
5. cp ps3_linux_config .config
6. make menuconfig
7. make
8. make install
9. make modules_install

If you compile your kernel on PS3 then make sure you activate swap because
compiling kernel needs much RAM. I used /dev/ps3vflashh1 as swap which
you have to create with fdisk first of course or some other program.

1. mkswap /dev/ps3vflashh1
2. swapon /dev/ps3vflashh1

- Creating kboot.conf

File /etc/kboot.conf

ubuntu_vflash=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh3
ubuntu_vflash_hugepages=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh3 hugepages=1

- Creating /dev/ps3flash device (needed for ps3-utils)

File /etc/udev/rules.d/70-persistent-ps3flash.rules

KERNEL=="ps3vflashf", SYMLINK+="ps3flash"


Step 2) Download, and compile the ps3dm utils (http://git.gitbrew.org/ps3/?p=ps3linux/ps3dm-utils.git;a=summary)

Download: ps3dm_um (Compiled) / ps3dm_aim (Compiled)

PC
Step 3) Download my tokenator (Tokenator (SRC) / Tokenator (Compiled))

PS3
Step 4) Dump your eid by running ./ps3dm_iim /dev/ps3dmproxy get_data 0x0>dump

Step 5) Set your flag by running ./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00

PC
Step 6) Open your dump in a hex editor and type in the first 16 bytes into tokenator

PS3
Step 7) Run the script it spits out

PS3
Step 8) Restart your ps3. Go to the Network Settings options and press L1 + L2 + L3 + R1 + R2 + D-Pad Down

Have fun. It doesn't work on rebug yet. There are other flags to set for debug firmwares and rebug is pseudo debug.

How to setup QA Flag with Grafs Payload:

First you have to dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them on eid.c

To do this you can use Hardware_flashing, Linux with graf_chokolo kernel with access to /dev/ps3nflasha or using this payload uncommenting dump_dev_flash()

Once you are set - Use the payloads in the following order uncommenting the required function

Set the QA flag: update_mgr_qa_flag()

Calculate the token: update_mgr_calc_token()

Verify token: update_mgr_verify_token()

Set the calculated and verified token in update_mgr_set_token.c: update_mgr_set_token()

You should use wireshark or tcpdump to capture the responses.

GameOS app SRC to QA-flag: pastie.org/2105541 / Makefile: pastie.org/2105567
[code]
/*
* Based on glevand's product mode toggle
* PsiCoLeO 2011
*/

/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include
#include
#include

#include

#include
#include

#define UPDATE_MGR_PACKET_ID_READ_EPROM 0x600b
#define UPDATE_MGR_PACKET_ID_WRITE_EPROM 0x600c
#define EPROM_QA_FLAG_OFFSET 0x48c0a
#define EPROM_QA_Token_OFFSET 0x48D3E

/*
* Set your encrypted token
* Calculated with Slynk Tokenator
*/
static uint8_t qa_token[0x50] =
{
0xF6, 0x58, 0xDB, 0xAC, 0x63, 0xEB, 0x47, 0x99, 0xE2, 0x63,
0xC0, 0x10, 0x66, 0x42, 0x3D, 0xF7, 0x34, 0x29, 0x90, 0x61,
0x23, 0xED, 0x89, 0xEC, 0x21, 0x9E, 0xE2, 0x8B, 0x83, 0xF9,
0x87, 0x2F, 0x32, 0x50, 0xEC, 0xC3, 0xD0, 0x3D, 0xEA, 0x6E,
0x14, 0xE0, 0x81, 0xA2, 0x67, 0xCE, 0x86, 0xF7, 0x7A, 0xFE,
0xDF, 0x11, 0xAB, 0x39, 0xE1, 0xCE, 0x57, 0x06, 0x42, 0xC0,
0x2B, 0xB2, 0x3F, 0x49, 0x04, 0xC7, 0xE7, 0x58, 0x70, 0x19,
0x6A, 0xF1, 0xE4, 0x94, 0x32, 0x36, 0x61, 0xB0, 0xA6, 0xB5,
};


/*
* main
*/
int main(int argc, char **argv)
{
uint8_t value;
int result;
int n;

netInitialize();

udp_printf_init();

PRINTF("%s:%d: start\n", __func__, __LINE__);

result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_READ_EPROM,
EPROM_QA_FLAG_OFFSET, (uint64_t) &value, 0, 0, 0, 0);
if (result) {
PRINTF("%s:%d: lv2_ss_update_mgr_if(READ_EPROM) failed (0x%08x)\n",
__func__, __LINE__, result);
goto done;
}

PRINTF("%s:%d: current qa flag mode 0x%02x\n", __func__, __LINE__, value);

if (value == 0xff) {
/* enable */

PRINTF("%s:%d: enabling qa flag mode\n", __func__, __LINE__);

value = 0x0;

result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
if (result) {
PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
__func__, __LINE__, result);
goto done;
}
} else {
/* disable */

PRINTF("%s:%d: disabling qa flag mode\n", __func__, __LINE__);

value = 0xff;

result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
if (result) {
PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
__func__, __LINE__, result);
goto done;
}
}

PRINTF("%s:%d: end\n", __func__, __LINE__);

lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);

/* Setting the QA token */
for ( n=0 ; n

#63 - anon777 - June 22, 2011 // 3:56 pm
that's what i'm talking about

#62 - B4rtj4h - June 22, 2011 // 2:04 pm
Oh boy... i see another opportunity here! USB dongles that push button combos...

#61 - Brenza - June 22, 2011 // 9:44 am
They don't need to change the combo; if you don't flag the token, the combo will not work.

If you don't own the keys to decrypt the token you can't flag it, but if you had the keys you no longer need the QA Flag! LOOL

#60 - d3adliner - June 22, 2011 // 9:06 am
Button combo will be changed in the next FW update.

#59 - Brenza - June 22, 2011 // 5:25 am
No, it won't work on 3.6x firmware since we can't decrypt the vsh.

Probably the 3.55 payload will come soon, just wait.

#58 - Dominator7 - June 22, 2011 // 3:23 am
two questions: does this work on 3.65 and will this come in a payload for usb dongles?

#57 - Tidusnake666 - June 22, 2011 // 1:10 am
Guys, it's not the button combo itself that will do miracles; you additionally have to change, hash, re-encrypt and write the token to eeprom.

#56 - jedaking - June 22, 2011 // 1:03 am
I know that we can't have people uploading fake youtube all the time, but this looks sweet!