
May 13, 2011 // 5:58 pm - Today Sony PlayStation 3 hacker Mathieulh posted a video demo showcasing the PS3 QA flag, the internal console flag Sony uses to enable hidden firmware options and remove restrictions on Retail and Debug consoles.

The demo runs on official PS3 Retail/Debug firmware without any modification: the console itself is QA flagged (the QA token is set through spu_token_processor), so the method will not work on an unflagged console. Setting the advanced QA flag also enables PS3 firmware downgrading.

From the video's caption: I just QA flagged my Metal Gear Solid 4 Limited Edition console and I thought I'd show you the hidden options for the sake of it (and because I was bored).

I am sorry for the unstable camera; I only have two hands, and the options are hidden and require (along with the actual flag) a crazy button combo to pop up. (I kid you not.)

Sorry I am not telling you how to do this, please do not ask. Yes, this video is real.

The QA flag is the internal console flag used by Sony; it enables hidden options and removes restrictions for retail and debug consoles alike. It is used by QA centers and the R&D department. There are two levels of QA flag, Minimum and Advanced; this console has been set to the Advanced one.

From PS3 hacker rms, to quote: Ever since Mathieulh released his video, some people just want to QA flag their consoles. Now, let me tell you one thing: it's so not easy.

Besides, if you want to use the QA flag, you have to have a valid QA token, and you have to be on a specific firmware range. Now, what's so special about the token is that it's generated in a funny way; I am not going to disclose that here. But remember, the PS3 hypervisor can also make tokens. But these tokens don't do /anything/ except unlock the QA repository node.

Besides, the fancy menu requires a very weird key combo on the Sixaxis, and it only works on retails. On debugs, it just removes all restrictions. Remember, the QA flag in Syscon also requires a valid token.

The damn button combo isn't the token. The token is an array of bits located in syscon, and by default they are set to 0xFF for "not set"! You can make a token from HV-UM, but it won't do anything.

And on IDPS: This is the IDPS, a sequence of bytes which determines console type. This structure has been relatively undocumented until now, anyway. The IDPS is contained in EID0. EID0 is on the console's internal flash as the file eEID and has multiple sections.

00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D
00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17
00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66

I made a splitter application a long time ago to make your life easier. Now, EID is decrypted by metldr and passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo's original payload. The IDPS is also used in various other parts of the system which could be of interest to you, but I will not discuss those right now. The IDPS itself isn't decrypted.

The IDPS contains your target ID, motherboard? and BD? revision. The IDPS shown at the beginning of this article is the dummy IDPS, the one that's used when your IDPS fails to be decrypted. That IDPS belongs to a DECR-1000A. The one below belongs to a European PS3, and the one below that belongs to an Australian/NZ PS3.

Here's a list of target IDs:

Value Console Type
81 Reference Tool (DECR)
82 Debug (DECH)
83 Retail Japanese
84 Retail America/Canada
85 Retail Europe
86 Retail South Korea
87 Retail United Kingdom
88 Retail Mexico
89 Retail Australia/New Zealand
8A Retail South Asia
8B Retail Taiwan
8C Retail Russia
8D Retail China (Never released)
A0 System Debugger (Sony Internal)
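rms mentions a "splitter application" for pulling individual IDPS records out of a dump. The following is an added example written for this page, not rms's tool or any Sony code. It assumes only what the quoted dumps and table show: an IDPS is 16 bytes, the target ID is byte 5 (the "00 85" of the European dump), and the 0x81 DECR dump is the dummy IDPS. The rule that an unprefixed 8-hex-digit run is a hexdump offset column (not four data bytes) is this example's own assumption, and the sample dump below is constructed from the three IDPSes quoted above, deliberately mixing the C-array and hexdump notations and including a run-together "0x4D0x00" pair, which is exactly the kind of paste that makes splitting by eye error-prone.

```python
"""Split a run-together PS3 IDPS dump into 16-byte records and decode byte 5.

Added example for this article; not rms's splitter, not Sony code.
Assumptions are marked in comments.
"""
import re

IDPS_LEN = 16          # every IDPS quoted in the article is 16 bytes
TARGET_ID_OFFSET = 5   # "00 85" at bytes 4..5 is Europe, so byte 5 is the target ID

# Target IDs exactly as listed in the article.
TARGET_IDS = {
    0x81: "Reference Tool (DECR)",
    0x82: "Debug (DECH)",
    0x83: "Retail Japanese",
    0x84: "Retail America/Canada",
    0x85: "Retail Europe",
    0x86: "Retail South Korea",
    0x87: "Retail United Kingdom",
    0x88: "Retail Mexico",
    0x89: "Retail Australia/New Zealand",
    0x8A: "Retail South Asia",
    0x8B: "Retail Taiwan",
    0x8C: "Retail Russia",
    0x8D: "Retail China (Never released)",
    0xA0: "System Debugger (Sony Internal)",
}

# The DECR-1000A dump quoted in the article: the dummy IDPS used when EID0 fails to decrypt.
DUMMY_IDPS = bytes.fromhex("000000010081000103FFFFFF1843C14D")

_PREFIXED = re.compile(r"(?:0x[0-9A-Fa-f]{2})+")   # "0x00" or run-together "0x4D0x00"
_BARE = re.compile(r"[0-9A-Fa-f]{2}")              # "4D"
_OFFSET = re.compile(r"[0-9A-Fa-f]{8}")            # "00000000" (assumed: hexdump offset column)


def tokenize_hex(text: str) -> bytes:
    """Convert a dump in C-array or hexdump notation into raw bytes.

    Comment lines (# or //) and hexdump offset columns are dropped; any token
    that is not a clean byte in one of the two notations raises ValueError
    rather than being silently misparsed.
    """
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "//")):
            continue
        for chunk in re.split(r"[\s,]+", line):
            if not chunk:
                continue
            if _PREFIXED.fullmatch(chunk):
                out.extend(int(b, 16) for b in re.findall(r"0x([0-9A-Fa-f]{2})", chunk))
            elif _OFFSET.fullmatch(chunk):
                continue                      # assumed offset column, not data
            elif _BARE.fullmatch(chunk):
                out.append(int(chunk, 16))
            else:
                raise ValueError(f"unrecognised token {chunk!r}")
    return bytes(out)


def split_dump(text: str) -> list[bytes]:
    """Split the decoded bytes into 16-byte IDPS records; a partial record is an error."""
    data = tokenize_hex(text)
    if len(data) % IDPS_LEN:
        raise ValueError(f"{len(data)} bytes is not a whole number of {IDPS_LEN}-byte records")
    return [data[i:i + IDPS_LEN] for i in range(0, len(data), IDPS_LEN)]


def decode_idps(idps: bytes) -> dict:
    """Classify one IDPS by its target ID and flag the dummy value."""
    if len(idps) != IDPS_LEN:
        raise ValueError("an IDPS is 16 bytes")
    tid = idps[TARGET_ID_OFFSET]
    return {
        "hex": idps.hex(),
        "target_id": tid,
        "console": TARGET_IDS.get(tid, "unknown target ID"),
        "retail": 0x83 <= tid <= 0x8D,        # the retail block of the table
        "dummy": idps == DUMMY_IDPS,          # EID0 decryption failed on this console
    }


# Constructed sample: the three IDPSes quoted in the article, pasted in mixed notation.
SAMPLE_DUMP = """
// C-array style, with a run-together "0x4D0x00" between the first two records
0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01,
0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D0x00, 0x00, 0x00, 0x01, 0x00, 0x85, 0x00, 0x0A,
0x14, 0x05, 0x67, 0xA0, 0x79, 0x37, 0xDC, 0x17
# hexdump style with an offset column
00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66
"""

if __name__ == "__main__":
    for rec in split_dump(SAMPLE_DUMP):
        d = decode_idps(rec)
        tag = " (dummy IDPS)" if d["dummy"] else ""
        print(f"{d['hex']}  target 0x{d['target_id']:02X}  {d['console']}{tag}")
```

The parser rejects anything it cannot classify (for instance the "0x1700000000" fragment that appears in the original extraction) instead of guessing, since a misaligned split would silently attribute the wrong target ID to a record.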

Finally, here is the user method for enabling the QA flag: a third video was posted by Felix Domke (aka adrianc/tmbinc), along with some further details from IRC:

[03:45:37] Mathieulh: QA flag's a btch xD
[03:45:57] Mathieulh: they actually protected it better than EID0 itself
[03:46:09] Mathieulh: which is utterly stupid but that's sony
[03:46:12] PsHellcat: q': would access to a QA'ed DEH help? (I know someone who *might* get one - and no, not me)
[03:46:29] Mathieulh: npt ?
[03:46:34] PsHellcat: yop
[03:46:39] Mathieulh: yah it'd help
[03:46:43] PsHellcat: cewl
[03:46:46] Mathieulh: get me his token seed xD
[03:47:02] PsHellcat: 'cause he'd be glad to help out if it turned out it's QA'ed
[03:47:33] Mathieulh: the main problem with QA right now is that we dunno what value to set to the token seed
[03:47:59] Mathieulh: we have the keys and most of the algo
[03:48:19] PsHellcat: that sounds nice already
[03:48:27] Mathieulh: yah
[03:54:37] rms: god, this hexdump is huge
[04:43:25] Mathieulh: sorry for the highlight npt xD
[04:43:42] rms: im sure he doesnt mind
[04:44:02] rms: oh, Mathieulh
[04:44:03] rms: did those elfs work for you?
[04:44:37] Mathieulh: didn't try them yet
[04:44:43] rms: ok
[04:44:45] Mathieulh: but they have no reason to fail afaik
[04:45:00] Mathieulh: should be all set to dump metldr (again) Xd
[04:45:06] Mathieulh: xD *
[04:45:13] rms: unless they infinite loop by mistake
[04:45:14] rms: >_<
[04:45:14] rms: then again, it was anergistic
[04:45:31] Mathieulh: well, they work in anergistic
[04:45:38] rms: P
[04:45:38] rms: :P
[04:45:56] rms: how do you lead something into the anergistic spuls is my question
[04:46:01] Mathieulh: now we just have to load them and fetch the data from the shared LS or the mailbox
[04:46:05] rms: or how do you put things in memory
[04:46:06] Mathieulh: depending on the self we use
[04:46:06] rms: yeah
[04:46:21] Mathieulh: you mean how to dma ?
[04:46:24] rms: yeah
[04:46:31] rms: how do i put data initially into the spe
[04:46:31] Mathieulh: not sure anergistic emulates that
[04:46:36] Mathieulh: though I think it does
[04:46:46] rms: like
[04:46:52] Mathieulh: well data is sent to the mailbox or shared LS
[04:47:03] Mathieulh: it's the loader that asks the mmu to open the dma channel
[04:47:06] rms: data already in the isolated LS
[04:47:13] Mathieulh: yeah
[04:47:23] Mathieulh: well there is also the protocol to take into account
[04:47:42] Mathieulh: opening a dma channel requires more than a few instructions afaik
[04:47:43] rms: like, say i want to push over a decrypted elf in ls, it lies in isolated ls
[04:47:43] rms: how do i emulate that in anergistic
[04:47:54] rms: it's like 25
[04:48:13] rms: those elfs just have about 10 instructions
[04:48:27] Mathieulh: well, afaik you just run that elf in anergistic
[04:48:42] Mathieulh: it doesn't matter for the spu process whether the LS is isolated or not
[04:48:51] Mathieulh: the spu process is gonna access the LS as a whole
[04:48:54] rms: ok
[04:49:02] Mathieulh: just by supplying the proper address
[04:49:09] Mathieulh: it is the outside that cannot reach the isolated area
[04:49:10] rms: go tell me when you get those decrypted elfs
[04:49:15] rms: i'd love to take a look at them
[04:49:16] Mathieulh: by outside I mean anything not running on the spu
[04:49:37] Mathieulh: which ones?
[04:50:11] rms: whatever you can get into the isolated SPU
[04:50:22] npt: Mathieulh, no worry about the highlight
[04:50:27] Mathieulh: well, you just have to sign a loader, it'll run isolated
[04:50:31] Mathieulh: I mean on real hardware
[04:50:38] Mathieulh: ok npt
[04:50:49] Mathieulh: on anergistic the loader has to be in elf format
[04:51:01] Mathieulh: cause I doubt anergistic likes encrypted selfs xD
[04:51:15] Mathieulh: although you can run metldr in anergistic
[04:51:25] Mathieulh: and use its protocol to decrypt and load your loaders
[04:51:28] Mathieulh: just as it's done on ps3
[04:52:23] Mathieulh: rms ah! you mean using that bug we found ? (about the elfs)
[04:52:49] rms: yeah
[04:52:58] Mathieulh: yeah, certainly
[04:53:25] Mathieulh: we just grab metldr first though, just for the sake of it

Video: PS3 QA Flag Demo, Enables Hidden Firmware Options


#85 - The5Venomz - June 25, 2011 // 2:41 pm
So there's no way to use this to downgrade a FW3.65 PS3 down to 3.55? System Upgrade Debug is the only feature that looks interesting to me...

#84 - jd200 - June 25, 2011 // 10:03 am
thanks for that ps3news

#83 - PS4 News - June 25, 2011 // 9:03 am
Some PS3 Debug setting descriptions are detailed in HERE and also below from the wiki page:

Setting - Value - Description

DTCP-IP - on-off - Digital Transmission Content Protection over Internet Protocol, a specification for copy protection of copyrighted content that is transferred over digital interfaces in home networks that adhere to IP. Allows you to turn it on or off for PS3.

ATRAC - on/off - Adaptive TRansform Acoustic Coding is a family of proprietary audio compression algorithms developed by Sony. Allows you to enable or disable ATRAC playback for your PS3 system.

WMA - on/off - Windows Media Audio is an audio data compression technology developed by Microsoft. Allows you to enable or disable WMA playback for your PS3 system.

NP Environment - environment - Allows you to change which environment your PS3 connects to. Known environments are: C1-NP, D2-NP, D2-PMGT, D2-PQA, D2-SPINT, D3-NP, D3-PMGT, D3-PQA, D3-SPINT, D-NP, D-PMGT, D-PQA, D-SPINT, EI-NP, EI-PMGT, EI-PQA, EI-SPINT, HF, HF-NP, HF-PMGT, HF-PQA, HF-SPINT, H-NP, H-PMGT, H-PQA, H-SPINT, MGMT (Management), NP (Retail), PMGT, PQA, PROD-QA (Quality Assurance), Q2, Q2-NP, Q2-PMGT, Q2-PQA, Q2-SPINT, Q-NP, Q-PMGT, Q-PQA, Q-SPINT, RC, RC-NP, R-NP, R-PMGT, R-PQA, R-SPINT, SP-INT (Developer). There might be even more environments.

Fake Free Space (for CEX) - on/off - Use with Fake Limit Size to artificially set the free space on the PS3.

Fake Limit Size - X MB - Amount of free space left (in MB).

NP Debug - on/off

NPDRM Debug - on/off

Edy Debug - on/off - Edy is a payment service in Japan, allows you to enable or disable debugging for Edy Viewer.

Nav-only NP - on/off

Cdda Server - Production/Evaluation

Crash Report - on/off

Crash reporter Status - Ready/Busy/Never be called

VSH Crash Dump Generator - on/off

System Update Debug - on/off - Allows you to enable or disable system update debug, which lets you downgrade with the official Sony update manager.

Information Board QA Server - on/off

Format Marlin Personal Data - ?

PlaystationRStore Ad Clock - on/off

Geo Filtering for PlaystationRStore - Normal/Always Succeed/Always Fail

Remove Game License - ?

Home Debug - on/off

Delete Trophy Personal Data - ?

GameUpdate Impose Test - on/off

Network Emulation Setting - on/off

Auto-Off Debug - on/off

WLAN Device - on/off

NAT Traversal Information - on/off

Internet Browser Debug - on/off

SMSS Result Output - on/off

Adhoc SSID Prefix - PSP/?

Disc Auto-Start at System Startup - on/off - Allows you to start the disc in the drive automatically when you turn the system on.

3D Video Output - Automatic/On - Allows you to set 3D Video Output automatic or always on.

Fake NP SNS Throttle - Off (60 sec)/ On (0,10,120,3600,closed)

Debug for HDD Exchange Utility

Fake Plus - on/off

Push Console Binding - on/off

Automatic Download - on/off - Set automatic download on or off. There's no info available on what this changes. May be automatic system updates!

Motion Controller Calibration Result - on/off - Shows the latest results from motion controller calibration.

VideoEditor Delete Preset BGM - ?

Edy viewer - Payment service in Japan (

Install Package Files - Will install the first (and only the first) package it finds on the root of the USB stick; it will work only with properly signed packages.

#82 - jd200 - June 25, 2011 // 8:17 am
Is there a list somewhere detailing what each setting does?

#81 - ih8Jelsoft - June 25, 2011 // 8:17 am
It's interesting as a POC, but why use this instead of ReBug? It has less options, and doesn't work on 3.56+.

#80 - PS4 News - June 25, 2011 // 7:13 am
Thanks and +Rep kloops, I have added your video guide to the main page article now as well.

#79 - kloops - June 25, 2011 // 7:09 am

#78 - Kyosuke21 - June 25, 2011 // 6:50 am
Doesn't work on my slim.

#77 - shummyr - June 25, 2011 // 3:56 am
Quote Originally Posted by TUHTA:
According to the wiki System Update Debug on/off Allows you to enable or disable system update debug, which lets you to downgrade with official Sony update manager.

But wait, it doesn't work! when i try to install 3.41 firmware or 3.50 or any other below 3.55 it gives 80029C9C.

I believe that after 3.55 Sony no longer allows downgrading below 3.55, so that one cannot downgrade to whatever firmware they want and have complete control of the system.

#76 - TUHTA - June 25, 2011 // 2:07 am
According to the wiki, System Update Debug on/off allows you to enable or disable system update debug, which lets you downgrade with the official Sony update manager.

But wait, it doesn't work! When I try to install 3.41 firmware or 3.50 or any other below 3.55, it gives 80029C9C.