- Today Sony PlayStation 3 hacker Mathieulh
has posted a video demo showcasing the PS3 QA flag, which is the internal console flag used by Sony to enable hidden Firmware options and removes restrictions on Retail and Debug consoles.
This is done on official PS3 Retail/Debug firmware without any modification as the console itself is QA flagged (QA token is set through spu_token_processor), meaning the method will not work on unflagged consoles and using the advanced QA flag also enables PS3 Firmware downgrading.
From the video's caption: I just QA flagged my Metal Gear Solid 4 Limited Edition console and I thought I'd show you the hidden options for the sake of it (and because I was bored).
I am sorry for the unstable camera, I only have two hands and the options are hidden and require (along with the actual flag) a crazy button combo to pop up. (I kid you not)
Sorry I am not telling you how to do this, please do not ask. Yes, this video is real.
QA flag is the internal console flag used by Sony, it enables hidden options and removes restrictions for both retail and debug consoles alike. It is used for QA centers and the R&D Department, there are 2 levels of QA flags, Minimum and Advanced, this console has been set to the Advanced one.
From PS3 hacker rms
, to quote: Ever since Mathieulh released his video, some people just want to QA flag their consoles. Now, let me tell you one thing, it's so not easy.
Besides, if you want to use the QA flag, you have to have a valid QA token, and you have to be on a specific firmware range. Now, what's so special about the token is that it's generated in a funny way, I am not going to disclose that here. But, remember, PS3 hypervisor can also make tokens. But these tokens.. don't do /anything/ except just unlock the QA repository node.
Besides, the fancy menu requires a very weird key combo on the Sixaxis, and it only works on retails. On debugs, it just removes all restrictions. Remember, the QA flag in Syscon also requires a valid token.
The damn button combo isn't the token. The token is an array of bits that are located in syscon, and by default are set to 0xFF for not set! You can make a token from HV-UM, but it won't do anything.
And on IDPS: This is the IDPS, a sequence of bytes which determine console type. This structure is relatively undocumented until now, anyway. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections.
0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01,
0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D0x00, 0x00, 0x00, 0x01, 0x00, 0x85, 0x00, 0x0A,
0x14, 0x05, 0x67, 0xA0, 0x79, 0x37, 0xDC, 0x1700000000 00 00 00 01
00 89 00 0B 14 00 EF DD CA 25 52 66
I had made a splitter application to make your life easier a long time ago. Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo's original payload. The IDPS is also used in various other parts of the system which could be of interest to you, but I will not discuss those right now. The IDPS itself, isn't decrypted.
The IDPS contains your target ID, motherboard? and BD? revision. The IDPS shown at the beginning of this article is the dummy IDPS, the one that's used when your IDPS fails to be decrypted. That IDPS belongs to a DECR-1000A. The one below belongs to a European PS3, and the one below that belongs to a Australian/NZ PS3.
Here's a list of target IDs:
Value Console Type
81 Reference Tool (DECR)
82 Debug (DECH)
83 Retail Japanese
84 Retail America/Canada
85 Retail Europe
86 Retail South Korea
87 Retail United Kingdom
88 Retail Mexico
89 Retail Australia/New Zealand
8A Retail South Asia
8B Retail Taiwan
8C Retail Russia
8D Retail China (Never released)
A0 System Debugger (Sony Internal)
Finally, here is the method
to enable the QA flag by user
, a third video is posted from Felix Domke
) and some further details from IRC:
[03:45:37] Mathieulh: QA flag's a btch xD
[03:45:57] Mathieulh: they actually protected it better than EID0 itself
[03:46:09] Mathieulh: which is utterly stupid but that's sony
[03:46:12] PsHellcat: q': would access to a QA'ed DEH help? (I know someone who *might* get one - and no, not me)
[03:46:29] Mathieulh: npt ?
[03:46:34] PsHellcat: yop
[03:46:39] Mathieulh: yah it'd help
[03:46:43] PsHellcat: cewl
[03:46:46] Mathieulh: get me his token seed xD
[03:47:02] PsHellcat: 'cause he'd be glad to help out if it turned out it's QA'ed
[03:47:33] Mathieulh: the main problem with QA right now is that we dunno what value to set to the token seed
[03:47:59] Mathieulh: we have the keys and most of the algo
[03:48:19] PsHellcat: that sounds nice already
[03:48:27] Mathieulh: yah
[03:54:37] rms: god, this hexdump is huge
[04:43:25] Mathieulh: sorry for the highlight npt xD
[04:43:42] rms: im sure he doesnt mind
[04:44:02] rms: oh, Mathieulh
[04:44:03] rms: did those elfs work for you?
[04:44:37] Mathieulh: didn't try them yet
[04:44:43] rms: ok
[04:44:45] Mathieulh: but they have no reason to fail afaik
[04:45:00] Mathieulh: should be all set to dump metldr (again) Xd
[04:45:06] Mathieulh: xD *
[04:45:13] rms: unless they infinite loop by mistake
[04:45:14] rms: >_<
[04:45:14] rms: then again, it was anergistic
[04:45:31] Mathieulh: well, they work in anergistic
[04:45:38] rms: P
[04:45:38] rms: :P
[04:45:56] rms: how do you lead something into the anergistic spuls is my question
[04:46:01] Mathieulh: now we just have to load them and fetch the data from the shared LS or the mailbox
[04:46:05] rms: or how do you put things in memory
[04:46:06] Mathieulh: depending on the self we use
[04:46:06] rms: yeah
[04:46:21] Mathieulh: you mean how to dma ?
[04:46:24] rms: yeah
[04:46:31] rms: how do i put data initially into the spe
[04:46:31] Mathieulh: not sure anergistic emulates that
[04:46:36] Mathieulh: though I think it does
[04:46:46] rms: like
[04:46:52] Mathieulh: well data is sent to the mailbox or shared LS
[04:47:03] Mathieulh: it's the loader that asks the mmu to open the dma channel
[04:47:06] rms: data already in the isolated LS
[04:47:13] Mathieulh: yeah
[04:47:23] Mathieulh: well there is also the protocol to take into account
[04:47:42] Mathieulh: openning a dma channel requires more than a few instructions afaik
[04:47:43] rms: like, say i want to push over a decrypted elf in ls, it lies in isolated ls
[04:47:43] rms: how do i emulate that in anergistic
[04:47:54] rms: it's like 25
[04:48:13] rms: those elfs just have about 10 instructions
[04:48:27] Mathieulh: well, afaik you just run that elf in anergistic
[04:48:42] Mathieulh: it doesn't matter for the spu process wether the LS is isolated or not
[04:48:51] Mathieulh: the spu process is gonna access the LS as a whole
[04:48:54] rms: ok
[04:49:02] Mathieulh: just by supplying the proper address
[04:49:09] Mathieulh: it is the outside that cannot reach the isolated area
[04:49:10] rms: go tell me when you get those decrypted elfs
[04:49:15] rms: i'd love to take a look at them
[04:49:16] Mathieulh: by outside I mean anything not running on the spu
[04:49:37] Mathieulh: which ones?
[04:50:11] rms: whatever you can get into the isolated SPU
[04:50:22] npt: Mathieulh, no worry about the highlight
[04:50:27] Mathieulh: well, you just have to sign a loader, it'll run isolated
[04:50:31] Mathieulh: I mean on real hardware
[04:50:38] Mathieulh: ok npt
[04:50:49] Mathieulh: on anergistic the loader has to be in elf format
[04:51:01] Mathieulh: cause I doubt anergistic likes encrypted selfs xD
[04:51:15] Mathieulh: although you can run metldr in anergistic
[04:51:25] Mathieulh: and use its protocol to decrypt and load your loaders
[04:51:28] Mathieulh: just as it's done on ps3
[04:52:23] Mathieulh: rms ah! you mean using that bug we found ? (about the elfs)
[04:52:49] rms: yeah
[04:52:58] Mathieulh: yeah, certainly
[04:53:25] Mathieulh: we just grab metldr first though, just for the sake of it