
202w ago - Shortly after the PS3 QA Flag Method was revealed come the QA Flagging Tools in PKG format alongside a CFW355-OTHEROS++-SPECIAL.PUP, which is confirmed working via QA Auto Flag, with Flash, Run, and Reflash to PS3 CFW (Kmeaw, Waninkoko, etc.) support coming soon.

Download: PS3 QA Flagging Tools / PS3 QA Flag Reset / PS3 QA Flag Extra (Advanced) / PS3 Get Applicable Version / PS3 Get Token Seed / PS3 CFW355-OTHEROS++-SPECIAL.PUP

For those curious, the PS3 QA Flag Extra (Advanced) has a few other flags / tokens set but it's not for general use.

Requirements:

What we have tested on so far:

  • 3.55
  • 3.41

Instructions:

Set QA Flag to Standard:

  • Run qa_flag.pkg. If you hear a beep, it worked. If not, dump your debug messages via udp_printf on Linux and send them to us to fix.
  • Reboot the PS3.
  • Go to network settings (do not enter it) and hit or hold L1+L2+L3+R1+R2+down on the dpad.
  • QA auto flagging is now done.

Reset QA Flag to Default:

  • Run reset_qa_flag.pkg.
  • If you hear a beep, it worked. If not, dump your debug messages via udp_printf_client on Linux and send them to us.
  • Reboot the PS3.
  • QA Flag is now set to default (Off). Your PS3 is now normal again.

Git Repository:

git://git.gitbrew.org/ps3/otheros-utils/qa_flag.git
git://git.gitbrew.org/ps3/otheros-utils/reset_qa_flag.git
git://git.gitbrew.org/ps3/otheros-utils/get_token_seed.git

PS3 Downgrade:

Tools Needed:

  • CFW355-OTHEROS++-SPECIAL.PUP
  • qa_flag_extra.pkg
  • Firmware you want to downgrade to (3.41, 3.15).

Notes: These tools WILL format your PS3. Any and ALL PSN / downloaded data will be erased! The lowest firmware you can go to is what was originally on your PS3!

If your PS3 came with 3.41 then that's the lowest it can go. If it came with 3.15, again that's as low as it can officially go! Be warned: if you go lower, you WILL brick!

Installation Process:

1. Install CFW355-OTHEROS++-SPECIAL.pup (Doesn't matter what version you are 3.41, 3.50 etc etc)
2. Install qa_flag_extra.pkg
3. Run qa_flag (It will show up as this, that is fine)
4. If you hear the beeps, continue. If you don't hear the beeps go to step 10
5. Reboot
6. Go into recovery menu and Update your ps3 with the firmware that you want (3.15, 3.41 etc)
7. Have it install and now you're done. You just successfully downgraded your PS3.

They have also stated via Twitter that they are working on a 3.56+ PS3 Firmware exploit, to quote:

Currently our main developers are working on 3.55 and below, I am working on an exploit for 3.56+ however. Anything key related and 3.56+ is currently not going to be answered. News will be released as we figure it out. If it works we will say so. It's still going to be rough to do anything though. We might save it for the new 3000 series of the PS3 though.

Finally, in related news varaques has made available what he calls Varaques 3.55 PS3 CFW based on PS3MFW Builder which features the following:

  • Other+OS Support
  • Q&A Flag Support
  • Custom Boot Logo
  • Custom Theme
  • 3.66 Spoofed
  • LV1 & LV2 Patched
  • Run Unsigned PKG's & More

Shortly following, he made available Kmeaw CFW with Other+OS and QA Flag Support via MFW Builder. Simply put it in the root of your PS3 storage device as follows: PS3/UPDATE/PS3UPDAT.PUP












PS3 QA Flagging Tools and CFW 3.55 OtherOS++ Special PUP





#55 - lele0o0o - 202w ago
please make video tutorial who do it please, doesn't work on my ps3 (3.55)

#54 - elser1 - 202w ago
don't know i'd say together.. I can't get it going yet either.. i'll just wait a second, see what happens, instead of running in like an idiot as i usually do. LOL

#53 - lele0o0o - 202w ago
please help me, do this all at same time or what?

button all together or 1 by 1 ??

#52 - elser1 - 202w ago
KOOL!!! ima try this button combo out. hard to do LOL this is mad.. we own ps3 now or what..

#51 - PS4 News - 202w ago
Following up on the previous article, today the full PS3 QA Flagging Method has been revealed including the button combo and token alongside a PS3 QA Tutorial from Slynk.

To quote: A few weeks ago, several steps were revealed in the process of unlocking a special Quality Assurance (QA) mode on your PS3 console. The mode unlocks a special mode, which is typically only meant for official Sony testers.

Unfortunately, the steps revealed were only part of the process. Developers were scrambling to figure out the button combo that unlocked the special QA mode. In addition, developers still needed to figure out what to change in the QA dummy token. These two mysteries prevented developers from unlocking the mode.

Today however, the Quality Assurance mystery comes to an end. An anonymous and reputable source exclusively revealed to us the two remaining steps. The secret button combination that unlocks the hidden QA mode was revealed to us as being L1+L2+L3+R1+R2+dpad down. Furthermore, the anonymous source told us that users need to change byte 48 of the token seed to 0x02.

Combining this new information with the previously released QA information, developers have everything they need to unlock the mode. Please note, this is not to be attempted by beginners. However, with all of the information revealed here, developers will be able to create an application or custom firmware that automates the QA process.

Information courtesy of anonymous source: Change byte 48 of the token seed to 0x02, hash it, encrypt it, write it to eeprom and flag yourself. Button combo is L1+L2+L3+R1+R2+dpad down. Only works on retail firmware.

By byte 48, I mean the 48th byte. Note that in programming the array of the token seed begins with index 0. So the 48th byte would be seed[47];

This info is more than enough to get someone to make an app.

Previously released information regarding QA Mode:



*runs away before the lawsuits come flooding in*

HMAC to make the 20 byte digest at the end of the token and erk/iv to decrypt/encrypt it with aes256cbc.

2 more steps to go. Need the button combo and what to change in the dummy token.

Brief Guide on How to QA Flag your PS3:

  • Be on 3.55 OFW (not Kmeaw or Rebug CFW)
  • Move the PS3 cursor/select “Network Setting”
  • Punch the following button combo with your PS3 controller: L2 + L1 + R1 + R2 + L3 + D-pad Down
  • That's it, the “Edy Viewer”, “Debug Settings”, “Install Package” Menu will now appear.

Notes: Install Package is useless and can’t install homebrew at the moment – only signed PKGs (and the first one in root of USB only).

Finally, to quote from squarepusher2: So since this QA thing is worthless anyway - here is the button combo - you need to have the cursor on 'Network Settings' - (it needs to be 3.55 OFW BTW - Rebug won't work - I've already established that) - and do the following button combo - L2 + L1 + R1 + R2 + L3 + D-pad Down.

There's your button combo. 'Edy Viewer' will pop up - Debug Settings will pop up - Install Package will pop up (but it's kinda useless anyway since only retail packages will install, and only the first PKG on the root of the USB stick - yes - seriously). Now you only need to figure out the rest. Yes, this one works - don't worry about it - just go figure out the rest.

BTW - in case some people immediately start trying this out and telling me 'Hey Square - this doesn't bleepin* work' - remember - there are still some pieces of the puzzle missing - the 'community' needs to figure these out. But the button combo is in the bag - don't worry about it anymore, don't go fruitlessly reversing anymore looking for a possible sign of life of this 'button combo' - you've got it. Now figure out the rest.


#50 - lolwaow - 205w ago
Wow! No problem by the way if you do move the posts, but that's awesome. I'm just trying to get my PS3-Ubuntu fix. Lets hope this package sees the light of day then. Cheers

I'd also like to note, I think that key I was talking about earlier is for the v3.6x models. I don't know anything about deving or code, but I know when I get a good feeling in my gut. Maybe some devs/modders out there could take a look at it.

#49 - PS4 News - 205w ago
I moved these posts to the QA Flag Thread, also... last night on IRC _bubba mentioned the related files/guide may be released soon (Qa.Flag.Token.ComBo.READNFO.PS3-PS3MaTHiEulH) and posted the picture that can be found below.

#48 - lolwaow - 205w ago
Also, kinda spaced it, but they were having a conversation on the topic of enabling QA mode. Maybe that helps with the context a bit. Mathieulh was involved in this conversation, he's the one who posted the last little bit past the edits in the final quote.

#47 - khalids19 - 205w ago
lets rejoice guys!!! Slynk is the master!

#46 - lolwaow - 205w ago
I bring you (what I think) are the keys. I found these from a user named Slynk: psx-scene.com/forums/826118-post518.html



*runs away before the lawsuits come flooding in*

hmac to make the 20 byte digest at the end of the token and erk/iv to decrypt/encrypt it with aes256cbc.

2 more steps to go. Need the button combo and what to change in the dummy token.

Also in the spirit of sharing, the dummy token decrypts to:

00 00 00 01
idps
... (all 00)
20 bytes of digest

It's 80 bytes long.

More about the key from that user Slynk, apparently this is the new dummy code, anyone care to verify?
EDIT: There's no ecdsa so there's no public private. The other key is the hmac. Man must I be tired >.<

Already decrypted it. And I know the token has 20 bytes of hmac-sha1 at the end before encryption. ^^

But I still need: "What to change to make an "advanced" token" and "The button combo to test it out". ^^

EDIT: btw it's aes256cbc, same as self crypto for the curious. Yes, it's the hmac key.

The encryption is straightforward, very easy to figure out, and obviously not the hard part.

As to the dummy token, it's nothing more than the first few bytes of the EID0 followed by 00s (which I call flags array) and a hmac-sha1 of the actual token.

The hard part is knowing what values to change, and what to.
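
The decrypted layout described in the post above (4-byte header, IDPS, zeroed flags array, 20-byte HMAC-SHA1 trailer, 80 bytes total), as an added example that is not part of the original thread or the released tools: a Python inspector that parses a decrypted token and checks its trailer, showing that an edited flag byte is rejected by the integrity check when the trailer is not recomputed with the key. The key and IDPS are constructed demo values; the 16-byte IDPS length and the trailer covering bytes 0..59 are assumptions, and the AES-256-CBC layer is left out.

```python
import hashlib
import hmac

TOKEN_LEN = 80                      # "It's 80 bytes long."
HEADER = bytes.fromhex("00000001")  # first four bytes of the decrypted token
IDPS_LEN = 16                       # assumption: the page does not state the IDPS length
DIGEST_LEN = 20                     # HMAC-SHA1 trailer
BODY_LEN = TOKEN_LEN - DIGEST_LEN   # assumption: the trailer covers bytes 0..59
FLAGS_OFF = len(HEADER) + IDPS_LEN  # start of the zero-filled flags array

# Constructed values for this demo only; not real console keys or IDs.
DEMO_KEY = bytes(range(32))
DEMO_IDPS = bytes([0xAA]) * IDPS_LEN


def seal(body: bytes, key: bytes) -> bytes:
    """Append the HMAC-SHA1 trailer to a 60-byte body."""
    if len(body) != BODY_LEN:
        raise ValueError("body must be %d bytes" % BODY_LEN)
    return body + hmac.new(key, body, hashlib.sha1).digest()


def inspect_token(token: bytes, key: bytes) -> dict:
    """Parse a decrypted token and verify its trailer in constant time."""
    if len(token) != TOKEN_LEN:
        raise ValueError("token must be %d bytes" % TOKEN_LEN)
    body, digest = token[:BODY_LEN], token[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    return {
        "header_ok": body[:len(HEADER)] == HEADER,
        "idps": body[len(HEADER):FLAGS_OFF].hex(),
        # 1-based position -> value, matching the thread's "48th byte" wording
        "nonzero_flags": {i + 1: b for i, b in enumerate(body) if i >= FLAGS_OFF and b},
        "mac_ok": hmac.compare_digest(digest, expected),
    }


def demo():
    """Return reports for an intact dummy token and an edited copy."""
    dummy = seal(HEADER + DEMO_IDPS + bytes(BODY_LEN - FLAGS_OFF), DEMO_KEY)
    tampered = bytearray(dummy)
    tampered[47] = 0x02  # the 48th byte is index 47; trailer left stale
    return inspect_token(dummy, DEMO_KEY), inspect_token(bytes(tampered), DEMO_KEY)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Because the trailer is a symmetric HMAC, the check only holds while the key stays secret; anyone holding the key can produce a trailer that verifies.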