
205w ago - Shortly after the PS3 QA Flag Method was revealed come the QA Flagging Tools in PKG format, alongside a CFW355-OTHEROS++-SPECIAL.PUP which is confirmed working via QA Auto Flag with Flash, Run, and Reflash to PS3 CFW (Kmeaw, Waninkoko, etc.) support coming soon.

Download: PS3 QA Flagging Tools / PS3 QA Flag Reset / PS3 QA Flag Extra (Advanced) / PS3 Get Applicable Version / PS3 Get Token Seed / PS3 CFW355-OTHEROS++-SPECIAL.PUP

For those curious, the PS3 QA Flag Extra (Advanced) has a few other flags / tokens set but it's not for general use.

Requirements:

What we have tested on so far:

  • 3.55
  • 3.41

Instructions:

Set QA Flag to Standard:

  • Run qa_flag.pkg. If you hear a beep, it worked. If not, dump your debug messages via udp_printf on Linux and send them to us to fix.
  • Reboot the PS3
  • Go to Network Settings (do not enter it) and hit or hold L1+L2+L3+R1+R2+down on the D-pad
  • QA auto flagging is now done.

Reset QA Flag to Default:

  • Run reset_qa_flag.pkg
  • If you hear a beep, it worked. If not, dump your debug messages via udp_printf_client in Linux and send them to us.
  • Reboot the PS3
  • QA Flag is now set to default (Off). Your PS3 is now normal again.

Git Repository:

git://git.gitbrew.org/ps3/otheros-utils/qa_flag.git
git://git.gitbrew.org/ps3/otheros-utils/reset_qa_flag.git
git://git.gitbrew.org/ps3/otheros-utils/get_token_seed.git

PS3 Downgrade:

Tools Needed:

  • CFW355-OTHEROS++-SPECIAL.PUP
  • qa_flag_extra.pkg
  • Firmware you want to downgrade to (3.41, 3.15).

Notes: These tools WILL format your PS3. Any and ALL PSN / downloaded data will be erased! The lowest firmware you can go to is the one that was originally on your PS3!

If your PS3 came with 3.41, then that's the lowest it can go. If it came with 3.15, again, that's as low as it can officially go! Be warned: if you go lower, you WILL brick!

Installation Process:

1. Install CFW355-OTHEROS++-SPECIAL.pup (Doesn't matter what version you are 3.41, 3.50 etc etc)
2. Install qa_flag_extra.pkg
3. Run qa_flag (It will show up as this, that is fine)
4. If you hear the beeps, continue. If you don't hear the beeps go to step 10
5. Reboot
6. Go into recovery menu and Update your ps3 with the firmware that you want (3.15, 3.41 etc)
7. Have it install and now you're done. You just successfully downgraded your PS3.

They have also stated via Twitter that they are working on a 3.56+ PS3 Firmware exploit, to quote:

Currently our main developers are working on 3.55 and below, I am working on an exploit for 3.56+ however. Anything key related and 3.56+ is currently not going to be answered. News will be released as we figure it out. If it works we will say so. It's still going to be rough to do anything though. We might save it for the new 3000 series of the ps3 though.

Finally, in related news varaques has made available what he calls Varaques 3.55 PS3 CFW based on PS3MFW Builder which features the following:

  • Other+OS Support
  • Q&A Flag Support
  • Custom Boot Logo
  • Custom Theme
  • 3.66 Spoofed
  • LV1 & LV2 Patched
  • Run Unsigned PKG's & More

Shortly following, he made available Kmeaw CFW with Other+OS and QA Flag Support via MFW Builder. Simply put it in the root of your PS3 storage device as follows: PS3/UPDATE/PS3UPDAT.PUP












PS3 QA Flagging Tools and CFW 3.55 OtherOS++ Special PUP

#65 - PS4 News - 205w ago
Here is a PS3 QA Tutorial by Slynk for those following: coderslynk.blogspot.com/2011/06/qa-tutorial.html

There are many methods to accomplish qa and I'm too lazy to document them all so I'll tell you one way. Linux.

PS3
Step 1) Install OtherOS++, install linux, make sure to enable the ps3 modules when compiling the kernel. (http://git.gitbrew.org/ps3/?p=otheros-utils/doc.git;a=blob_plain;f=DEBOOTSTRAP;hb=HEAD)


Debootstrap HOWTO by glevand

Links:

http://www.debian.org/releases/stable/i386/apds03.html.en
https://help.ubuntu.com/6.10/ubuntu/installation-guide/i386/linux-upgrade.html

Installing Debian Squeeze with debootstrap on petitboot

- Configuring the base system

1. umount /dev/ps3vflashh2
2. mkdir /mnt/debian
3. mount /dev/ps3vflashh2 /mnt/debian
4. rm -rf /mnt/debian/*
5. debootstrap --arch powerpc squeeze /mnt/debian http://ftp.us.debian.org/debian
6. mount -t proc none /mnt/debian/proc
7. mount --rbind /dev /mnt/debian/dev
8. LANG=C chroot /mnt/debian /bin/bash
9. export TERM=xterm-color

- Mounting partitions

File /etc/fstab

/dev/ps3vflashh2 / ext3 defaults 0 1
/dev/ps3vram none swap sw 0 0
/dev/ps3vflashh1 none swap sw 0 0
/dev/sr0 /mnt/cdrom auto noauto,ro 0 0
proc /proc proc defaults 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0

- Setting timezone

1. vi /etc/default/rcS
2. dpkg-reconfigure tzdata

- Configuring networking

1. echo "debian-vflash" > /etc/hostname

File /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

File /etc/resolv.conf

nameserver 192.168.1.1

- Configuring apt

File /etc/apt/sources.list

deb http://ftp.us.debian.org/debian squeeze main
deb-src http://ftp.us.debian.org/debian squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

1. aptitude update

- Configuring locales and keyboard

1. aptitude install locales
2. dpkg-reconfigure locales
3. aptitude install console-data
4. dpkg-reconfigure console-data

- Finishing touches

1. tasksel install standard
2. aptitude clean
3. passwd

- Installing kernel

1. cd /usr/src
2. git clone git://git.gitbrew.org/ps3/ps3linux/linux-2.6.git
3. ln -sf linux-2.6 linux
4. cd linux
5. cp ps3_linux_config .config
6. make menuconfig
7. make
8. make install
9. make modules_install

If you compile your kernel on PS3 then make sure you activate swap because
compiling kernel needs much RAM. I used /dev/ps3vflashh1 as swap which
you have to create with fdisk first of course or some other program.

1. mkswap /dev/ps3vflashh1
2. swapon /dev/ps3vflashh1

- Creating kboot.conf

File /etc/kboot.conf

debian_vflash=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh2
debian_vflash_hugepages=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh2 hugepages=1

- Creating /dev/ps3flash device (needed for ps3-utils)

File /etc/udev/rules.d/70-persistent-ps3flash.rules

KERNEL=="ps3vflashf", SYMLINK+="ps3flash"

Installing Ubuntu Natty with debootstrap on petitboot

- Configuring the base system

1. umount /dev/ps3vflashh3
2. mkdir /mnt/ubuntu
3. mount /dev/ps3vflashh3 /mnt/ubuntu
4. rm -rf /mnt/ubuntu/*
5. debootstrap --arch powerpc natty /mnt/ubuntu http://ports.ubuntu.com
6. mount -t proc none /mnt/ubuntu/proc
7. mount --rbind /dev /mnt/ubuntu/dev
8. LANG=C chroot /mnt/ubuntu /bin/bash
9. export TERM=xterm-color

- Mounting partitions

File /etc/fstab

/dev/ps3vflashh3 / ext3 defaults 0 1
/dev/ps3vram none swap sw 0 0
/dev/ps3vflashh1 none swap sw 0 0
/dev/sr0 /mnt/cdrom auto noauto,ro 0 0
proc /proc proc defaults 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0

- Setting timezone

1. vi /etc/default/rcS
2. dpkg-reconfigure tzdata

- Configuring networking

1. echo "ubuntu-vflash" > /etc/hostname

File /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

File /etc/resolv.conf

nameserver 192.168.1.1

- Configuring apt

File /etc/apt/sources.list

deb http://archive.ubuntu.com/ubuntu/ natty main restricted
deb-src http://archive.ubuntu.com/ubuntu/ natty main restricted

deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates main restricted
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-updates restricted

deb http://ports.ubuntu.com/ubuntu-ports/ natty universe
deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates universe

deb http://ports.ubuntu.com/ubuntu-ports/ natty multiverse
deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates multiverse

deb http://ports.ubuntu.com/ubuntu-ports/ natty-security main restricted
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security main restricted
deb http://ports.ubuntu.com/ubuntu-ports/ natty-security universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security universe
deb http://ports.ubuntu.com/ubuntu-ports/ natty-security multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security multiverse

1. apt-get update

- Configuring locales and keyboard

1. apt-get install locales
2. dpkg-reconfigure locales
3. apt-get install console-data
4. dpkg-reconfigure console-data

- Finishing touches

1. apt-get update
2. apt-get upgrade
3. apt-get clean
4. passwd

- Installing kernel

1. cd /usr/src
2. git clone git://git.gitbrew.org/ps3/ps3linux/linux-2.6.git
3. ln -sf linux-2.6 linux
4. cd linux
5. cp ps3_linux_config .config
6. make menuconfig
7. make
8. make install
9. make modules_install

If you compile your kernel on PS3 then make sure you activate swap because
compiling kernel needs much RAM. I used /dev/ps3vflashh1 as swap which
you have to create with fdisk first of course or some other program.

1. mkswap /dev/ps3vflashh1
2. swapon /dev/ps3vflashh1

- Creating kboot.conf

File /etc/kboot.conf

ubuntu_vflash=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh3
ubuntu_vflash_hugepages=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh3 hugepages=1

- Creating /dev/ps3flash device (needed for ps3-utils)

File /etc/udev/rules.d/70-persistent-ps3flash.rules

KERNEL=="ps3vflashf", SYMLINK+="ps3flash"


Step 2) Download, and compile the ps3dm utils (http://git.gitbrew.org/ps3/?p=ps3linux/ps3dm-utils.git;a=summary)

Download: ps3dm_um (Compiled) / ps3dm_aim (Compiled)

PC
Step 3) Download my tokenator (Tokenator (SRC) / Tokenator (Compiled))

PS3
Step 4) Dump your eid by running ./ps3dm_iim /dev/ps3dmproxy get_data 0x0>dump

Step 5) Set your flag by running ./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00

PC
Step 6) Open your dump in a hex editor and type in the first 16 bytes into tokenator

PS3
Step 7) Run the script it spits out

PS3
Step 8) Restart your ps3. Go to the Network Settings options and press L1 + L2 + L3 + R1 + R2 + D-Pad Down

Have fun. It doesn't work on rebug yet. There are other flags to set for debug firmwares and rebug is pseudo debug.

How to setup QA Flag with Grafs Payload:

First you have to dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them on eid.c

To do this you can use Hardware_flashing, Linux with graf_chokolo kernel with access to /dev/ps3nflasha or using this payload uncommenting dump_dev_flash()

Once you are set - Use the payloads in the following order uncommenting the required function

Set the QA flag: update_mgr_qa_flag()

Calculate the token: update_mgr_calc_token()

Verify token: update_mgr_verify_token()

Set the calculated and verified token in update_mgr_set_token.c: update_mgr_set_token()

You should use wireshark or tcpdump to capture the responses.

GameOS app SRC to QA-flag: pastie.org/2105541 / Makefile: pastie.org/2105567
[code]
/*
* Based on glevands product mode toggle
* PsiCoLeO 2011
*/

/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include
#include
#include

#include

#include
#include

#define UPDATE_MGR_PACKET_ID_READ_EPROM 0x600b
#define UPDATE_MGR_PACKET_ID_WRITE_EPROM 0x600c
#define EPROM_QA_FLAG_OFFSET 0x48c0a
#define EPROM_QA_Token_OFFSET 0x48D3E

/*
* Set your encrypted token
* Calculated with Slynk Tokenator
*/
static uint8_t qa_token[0x50] =
{
0xF6, 0x58, 0xDB, 0xAC, 0x63, 0xEB, 0x47, 0x99, 0xE2, 0x63,
0xC0, 0x10, 0x66, 0x42, 0x3D, 0xF7, 0x34, 0x29, 0x90, 0x61,
0x23, 0xED, 0x89, 0xEC, 0x21, 0x9E, 0xE2, 0x8B, 0x83, 0xF9,
0x87, 0x2F, 0x32, 0x50, 0xEC, 0xC3, 0xD0, 0x3D, 0xEA, 0x6E,
0x14, 0xE0, 0x81, 0xA2, 0x67, 0xCE, 0x86, 0xF7, 0x7A, 0xFE,
0xDF, 0x11, 0xAB, 0x39, 0xE1, 0xCE, 0x57, 0x06, 0x42, 0xC0,
0x2B, 0xB2, 0x3F, 0x49, 0x04, 0xC7, 0xE7, 0x58, 0x70, 0x19,
0x6A, 0xF1, 0xE4, 0x94, 0x32, 0x36, 0x61, 0xB0, 0xA6, 0xB5,
};


/*
* main
*/
int main(int argc, char **argv)
{
    uint8_t value;
    int result;
    int n;

    netInitialize();

    udp_printf_init();

    PRINTF("%s:%d: start\n", __func__, __LINE__);

    /* Read the current QA flag byte from EPROM */
    result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_READ_EPROM,
        EPROM_QA_FLAG_OFFSET, (uint64_t) &value, 0, 0, 0, 0);
    if (result) {
        PRINTF("%s:%d: lv2_ss_update_mgr_if(READ_EPROM) failed (0x%08x)\n",
            __func__, __LINE__, result);
        goto done;
    }

    PRINTF("%s:%d: current qa flag mode 0x%02x\n", __func__, __LINE__, value);

    /* 0xff means the flag is off; any other value is treated as on */
    if (value == 0xff) {
        /* enable */

        PRINTF("%s:%d: enabling qa flag mode\n", __func__, __LINE__);

        value = 0x0;

        result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
            EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
        if (result) {
            PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
                __func__, __LINE__, result);
            goto done;
        }
    } else {
        /* disable */

        PRINTF("%s:%d: disabling qa flag mode\n", __func__, __LINE__);

        value = 0xff;

        result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
            EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
        if (result) {
            PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
                __func__, __LINE__, result);
            goto done;
        }
    }

    PRINTF("%s:%d: end\n", __func__, __LINE__);

    lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);

    /* Setting the QA token */
    for ( n=0 ; n

#64 - anon777 - 205w ago
that's what i'm talking about

#63 - B4rtj4h - 205w ago
Oh boy... i see another opportunity here! USB dongles that push button combos...

#62 - Brenza - 205w ago
They don't need to change the combo; if you don't flag the token, combo will not work.

If you don't own the keys to decrypt the token you can't flag it, but if you had the keys you no longer need the QA Flag! LOOL

#61 - d3adliner - 205w ago
Button combo will be changed in the next FW update.

#60 - Brenza - 205w ago
No, it won't work on 3.6x firmware since we can't decrypt the vsh.

Probably the 3.55 payload will come soon, just wait.

#59 - Dominator7 - 205w ago
Two questions: does this work on 3.65 and will this come in a payload for usb dongles?

#58 - Tidusnake666 - 205w ago
Guys, it's not the button combo itself that will do miracles, you additionally have to change, hash, reencrypt and write token to eeprom.

#57 - jedaking - 205w ago
I know that we can't have people uploading fake youtube all the time, but this looks sweet!



#56 - elser1 - 205w ago
anyone confirm this works.. got it going yet?