206w ago - Today Sony PlayStation 3 hacker Mathieulh posted a video demo showcasing the PS3 QA flag, the internal console flag Sony uses to enable hidden firmware options and remove restrictions on Retail and Debug consoles.

This is done on official PS3 Retail/Debug firmware without any modification, because the console itself is QA flagged (the QA token is set through spu_token_processor); the method therefore does not work on unflagged consoles. The advanced QA flag also enables PS3 firmware downgrading.

From the video's caption: I just QA flagged my Metal Gear Solid 4 Limited Edition console and I thought I'd show you the hidden options for the sake of it (and because I was bored).

I am sorry for the unstable camera, I only have two hands and the options are hidden and require (along with the actual flag) a crazy button combo to pop up. (I kid you not)

Sorry I am not telling you how to do this, please do not ask. Yes, this video is real.

The QA flag is the internal console flag used by Sony; it enables hidden options and removes restrictions for both retail and debug consoles alike. It is used for QA centers and the R&D Department. There are 2 levels of QA flags, Minimum and Advanced; this console has been set to the Advanced one.

From PS3 hacker rms, to quote: Ever since Mathieulh released his video, some people just want to QA flag their consoles. Now, let me tell you one thing, it's so not easy.

Besides, if you want to use the QA flag, you have to have a valid QA token, and you have to be on a specific firmware range. Now, what's so special about the token is that it's generated in a funny way, I am not going to disclose that here. But, remember, PS3 hypervisor can also make tokens. But these tokens.. don't do /anything/ except just unlock the QA repository node.

Besides, the fancy menu requires a very weird key combo on the Sixaxis, and it only works on retails. On debugs, it just removes all restrictions. Remember, the QA flag in Syscon also requires a valid token.

The damn button combo isn't the token. The token is an array of bits that are located in syscon, and by default are set to 0xFF for not set! You can make a token from HV-UM, but it won't do anything.

And on IDPS: This is the IDPS, a sequence of bytes which determine console type. This structure is relatively undocumented until now, anyway. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections.

0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D

0x00, 0x00, 0x00, 0x01, 0x00, 0x85, 0x00, 0x0A, 0x14, 0x05, 0x67, 0xA0, 0x79, 0x37, 0xDC, 0x17

0x00, 0x00, 0x00, 0x01, 0x00, 0x89, 0x00, 0x0B, 0x14, 0x00, 0xEF, 0xDD, 0xCA, 0x25, 0x52, 0x66

I had made a splitter application to make your life easier a long time ago. Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo's original payload. The IDPS is also used in various other parts of the system which could be of interest to you, but I will not discuss those right now. The IDPS itself, isn't decrypted.

The IDPS contains your target ID, motherboard? and BD? revision. The IDPS shown at the beginning of this article is the dummy IDPS, the one that's used when your IDPS fails to be decrypted. That IDPS belongs to a DECR-1000A. The one below belongs to a European PS3, and the one below that belongs to an Australian/NZ PS3.

Here's a list of target IDs:

Value Console Type
81 Reference Tool (DECR)
82 Debug (DECH)
83 Retail Japanese
84 Retail America/Canada
85 Retail Europe
86 Retail South Korea
87 Retail United Kingdom
88 Retail Mexico
89 Retail Australia/New Zealand
8A Retail South Asia
8B Retail Taiwan
8C Retail Russia
8D Retail China (Never released)
A0 System Debugger (Sony Internal)

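To make the IDPS description above concrete, here is a small decoder for the three dumps quoted in it. This is an added example, not rms's splitter nor any Sony or scene tool. Two things are assumptions drawn only from the dumps shown: all three begin 00 00 00 01, and the target ID sits in byte 5 (0x81, 0x85, 0x89), so the code reads byte 5 as the target ID and leaves the remaining bytes uninterpreted. The target ID table is the one printed above; the dummy IDPS check uses the DECR-1000A value the text identifies as the fallback when decryption fails.

```python
"""Decode the IDPS console-identity blobs quoted in the article.

Added example, not code from the article or from any PS3 tool.
Assumptions (labelled): header 00 00 00 01 and target ID at byte 5 are
inferred from the three dumps shown; the target ID table is the one in
the article.
"""
import re

# Target ID -> console type, copied from the article's table.
TARGET_IDS = {
    0x81: "Reference Tool (DECR)",
    0x82: "Debug (DECH)",
    0x83: "Retail Japanese",
    0x84: "Retail America/Canada",
    0x85: "Retail Europe",
    0x86: "Retail South Korea",
    0x87: "Retail United Kingdom",
    0x88: "Retail Mexico",
    0x89: "Retail Australia/New Zealand",
    0x8A: "Retail South Asia",
    0x8B: "Retail Taiwan",
    0x8C: "Retail Russia",
    0x8D: "Retail China (Never released)",
    0xA0: "System Debugger (Sony Internal)",
}

IDPS_LEN = 16
IDPS_HEADER = bytes.fromhex("00000001")  # assumption: observed in all three dumps
TARGET_ID_OFFSET = 5                      # assumption: inferred from the three dumps

# The dummy IDPS the article says is used when the real IDPS fails to
# decrypt; it carries the DECR-1000A target ID.
DUMMY_IDPS = bytes.fromhex("000000010081000103FFFFFF1843C14D")


def parse_hex_dump(text):
    """Turn either dump style used in the article ('0x4D,' or '4D') into bytes."""
    cleaned = re.sub(r"0x|[,\s]", "", text, flags=re.IGNORECASE)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits in dump")
    return bytes.fromhex(cleaned)


def parse_idps(blob):
    """Validate a raw 16-byte IDPS and classify it from the target ID table."""
    if len(blob) != IDPS_LEN:
        raise ValueError("IDPS must be %d bytes, got %d" % (IDPS_LEN, len(blob)))
    if blob[:len(IDPS_HEADER)] != IDPS_HEADER:
        raise ValueError("unexpected IDPS header " + blob[:len(IDPS_HEADER)].hex())
    target = blob[TARGET_ID_OFFSET]
    console_type = TARGET_IDS.get(target, "unknown (0x%02X)" % target)
    return {
        "target_id": target,
        "console_type": console_type,
        "is_retail": console_type.startswith("Retail"),
        # A match here means the system fell back to the dummy identity,
        # i.e. the real IDPS did not decrypt; report it separately.
        "is_dummy": blob == DUMMY_IDPS,
        # Bytes after the target ID, reported but not interpreted.
        "tail_hex": blob[TARGET_ID_OFFSET + 1:].hex(),
    }


def describe(dump_text):
    """Convenience wrapper: hex dump text -> classification dict."""
    return parse_idps(parse_hex_dump(dump_text))


# Constructed input: the three dumps printed in the article, in both styles.
ARTICLE_DUMPS = {
    "dummy (DECR-1000A)": "0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, "
                          "0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D",
    "European PS3": "0x00, 0x00, 0x00, 0x01, 0x00, 0x85, 0x00, 0x0A, "
                    "0x14, 0x05, 0x67, 0xA0, 0x79, 0x37, 0xDC, 0x17",
    "Australian/NZ PS3": "00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66",
}

if __name__ == "__main__":
    for label, dump in ARTICLE_DUMPS.items():
        info = describe(dump)
        note = " (dummy: real IDPS failed to decrypt)" if info["is_dummy"] else ""
        print("%-20s target 0x%02X -> %s%s"
              % (label, info["target_id"], info["console_type"], note))
```

Running the script classifies the first dump as the DECR-1000A dummy and the other two as Retail Europe and Retail Australia/New Zealand, which matches the text; feeding it a blob of the wrong length or with a different header raises rather than guessing.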
Finally, here is the method to enable the QA flag by user. A third video has been posted by Felix Domke (aka adrianc/tmbinc), along with some further details from IRC:

[03:45:37] Mathieulh: QA flag's a btch xD
[03:45:57] Mathieulh: they actually protected it better than EID0 itself
[03:46:09] Mathieulh: which is utterly stupid but that's sony
[03:46:12] PsHellcat: q': would access to a QA'ed DEH help? (I know someone who *might* get one - and no, not me)
[03:46:29] Mathieulh: npt ?
[03:46:34] PsHellcat: yop
[03:46:39] Mathieulh: yah it'd help
[03:46:43] PsHellcat: cewl
[03:46:46] Mathieulh: get me his token seed xD
[03:47:02] PsHellcat: 'cause he'd be glad to help out if it turned out it's QA'ed
[03:47:33] Mathieulh: the main problem with QA right now is that we dunno what value to set to the token seed
[03:47:59] Mathieulh: we have the keys and most of the algo
[03:48:19] PsHellcat: that sounds nice already
[03:48:27] Mathieulh: yah
[03:54:37] rms: god, this hexdump is huge
[04:43:25] Mathieulh: sorry for the highlight npt xD
[04:43:42] rms: im sure he doesnt mind
[04:44:02] rms: oh, Mathieulh
[04:44:03] rms: did those elfs work for you?
[04:44:37] Mathieulh: didn't try them yet
[04:44:43] rms: ok
[04:44:45] Mathieulh: but they have no reason to fail afaik
[04:45:00] Mathieulh: should be all set to dump metldr (again) Xd
[04:45:06] Mathieulh: xD *
[04:45:13] rms: unless they infinite loop by mistake
[04:45:14] rms: >_<
[04:45:14] rms: then again, it was anergistic
[04:45:31] Mathieulh: well, they work in anergistic
[04:45:38] rms: P
[04:45:38] rms: :P
[04:45:56] rms: how do you lead something into the anergistic spuls is my question
[04:46:01] Mathieulh: now we just have to load them and fetch the data from the shared LS or the mailbox
[04:46:05] rms: or how do you put things in memory
[04:46:06] Mathieulh: depending on the self we use
[04:46:06] rms: yeah
[04:46:21] Mathieulh: you mean how to dma ?
[04:46:24] rms: yeah
[04:46:31] rms: how do i put data initially into the spe
[04:46:31] Mathieulh: not sure anergistic emulates that
[04:46:36] Mathieulh: though I think it does
[04:46:46] rms: like
[04:46:52] Mathieulh: well data is sent to the mailbox or shared LS
[04:47:03] Mathieulh: it's the loader that asks the mmu to open the dma channel
[04:47:06] rms: data already in the isolated LS
[04:47:13] Mathieulh: yeah
[04:47:23] Mathieulh: well there is also the protocol to take into account
[04:47:42] Mathieulh: openning a dma channel requires more than a few instructions afaik
[04:47:43] rms: like, say i want to push over a decrypted elf in ls, it lies in isolated ls
[04:47:43] rms: how do i emulate that in anergistic
[04:47:54] rms: it's like 25
[04:48:13] rms: those elfs just have about 10 instructions
[04:48:27] Mathieulh: well, afaik you just run that elf in anergistic
[04:48:42] Mathieulh: it doesn't matter for the spu process wether the LS is isolated or not
[04:48:51] Mathieulh: the spu process is gonna access the LS as a whole
[04:48:54] rms: ok
[04:49:02] Mathieulh: just by supplying the proper address
[04:49:09] Mathieulh: it is the outside that cannot reach the isolated area
[04:49:10] rms: go tell me when you get those decrypted elfs
[04:49:15] rms: i'd love to take a look at them
[04:49:16] Mathieulh: by outside I mean anything not running on the spu
[04:49:37] Mathieulh: which ones?
[04:50:11] rms: whatever you can get into the isolated SPU
[04:50:22] npt: Mathieulh, no worry about the highlight
[04:50:27] Mathieulh: well, you just have to sign a loader, it'll run isolated
[04:50:31] Mathieulh: I mean on real hardware
[04:50:38] Mathieulh: ok npt
[04:50:49] Mathieulh: on anergistic the loader has to be in elf format
[04:51:01] Mathieulh: cause I doubt anergistic likes encrypted selfs xD
[04:51:15] Mathieulh: although you can run metldr in anergistic
[04:51:25] Mathieulh: and use its protocol to decrypt and load your loaders
[04:51:28] Mathieulh: just as it's done on ps3
[04:52:23] Mathieulh: rms ah! you mean using that bug we found ? (about the elfs)
[04:52:49] rms: yeah
[04:52:58] Mathieulh: yeah, certainly
[04:53:25] Mathieulh: we just grab metldr first though, just for the sake of it

Video: PS3 QA Flag Demo, Enables Hidden Firmware Options

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!

#65 - TUHTA - 200w ago
Guys, who has already gone through the Linux installation tutorial above?

Send me a PM, I need your help please... I'm very close to finishing... but can't install some things.

#64 - PS4 News - 200w ago
Here is a PS3 QA Tutorial by Slynk for those following: coderslynk.blogspot.com/2011/06/qa-tutorial.html

There are many methods to accomplish qa and I'm too lazy to document them all so I'll tell you one way. Linux.

PS3
Step 1) Install OtherOS++, install linux, make sure to enable the ps3 modules when compiling the kernel. (http://git.gitbrew.org/ps3/?p=otheros-utils/doc.git;a=blob_plain;f=DEBOOTSTRAP;hb=HEAD)


Debootstrap HOWTO by glevand

Links:

http://www.debian.org/releases/stable/i386/apds03.html.en
https://help.ubuntu.com/6.10/ubuntu/installation-guide/i386/linux-upgrade.html

Installing Debian Squeeze with debootstrap on petitboot

- Configuring the base system

1. umount /dev/ps3vflashh2
2. mkdir /mnt/debian
3. mount /dev/ps3vflashh2 /mnt/debian
4. rm -rf /mnt/debian/*
5. debootstrap --arch powerpc squeeze /mnt/debian http://ftp.us.debian.org/debian
6. mount -t proc none /mnt/debian/proc
7. mount --rbind /dev /mnt/debian/dev
8. LANG=C chroot /mnt/debian /bin/bash
9. export TERM=xterm-color

- Mounting partitions

File /etc/fstab

/dev/ps3vflashh2 / ext3 defaults 0 1
/dev/ps3vram none swap sw 0 0
/dev/ps3vflashh1 none swap sw 0 0
/dev/sr0 /mnt/cdrom auto noauto,ro 0 0
proc /proc proc defaults 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0

- Setting timezone

1. vi /etc/default/rcS
2. dpkg-reconfigure tzdata

- Configuring networking

1. echo "debian-vflash" > /etc/hostname

File /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

File /etc/resolv.conf

nameserver 192.168.1.1

- Configuring apt

File /etc/apt/sources.list

deb http://ftp.us.debian.org/debian squeeze main
deb-src http://ftp.us.debian.org/debian squeeze main

deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main

1. aptitude update

- Configuring locales and keyboard

1. aptitude install locales
2. dpkg-reconfigure locales
3. aptitude install console-data
4. dpkg-reconfigure console-data

- Finishing touches

1. tasksel install standard
2. aptitude clean
3. passwd

- Installing kernel

1. cd /usr/src
2. git clone git://git.gitbrew.org/ps3/ps3linux/linux-2.6.git
3. ln -sf linux-2.6 linux
4. cd linux
5. cp ps3_linux_config .config
6. make menuconfig
7. make
8. make install
9. make modules_install

If you compile your kernel on the PS3 then make sure you activate swap, because
compiling the kernel needs a lot of RAM. I used /dev/ps3vflashh1 as swap, which
you have to create first with fdisk or some other program, of course.

1. mkswap /dev/ps3vflashh1
2. swapon /dev/ps3vflashh1

- Creating kboot.conf

File /etc/kboot.conf

debian_vflash=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh2
debian_vflash_hugepages=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh2 hugepages=1

- Creating /dev/ps3flash device (needed for ps3-utils)

File /etc/udev/rules.d/70-persistent-ps3flash.rules

KERNEL=="ps3vflashf", SYMLINK+="ps3flash"

Installing Ubuntu Natty with debootstrap on petitboot

- Configuring the base system

1. umount /dev/ps3vflashh3
2. mkdir /mnt/ubuntu
3. mount /dev/ps3vflashh3 /mnt/ubuntu
4. rm -rf /mnt/ubuntu/*
5. debootstrap --arch powerpc natty /mnt/ubuntu http://ports.ubuntu.com
6. mount -t proc none /mnt/ubuntu/proc
7. mount --rbind /dev /mnt/ubuntu/dev
8. LANG=C chroot /mnt/ubuntu /bin/bash
9. export TERM=xterm-color

- Mounting partitions

File /etc/fstab

/dev/ps3vflashh3 / ext3 defaults 0 1
/dev/ps3vram none swap sw 0 0
/dev/ps3vflashh1 none swap sw 0 0
/dev/sr0 /mnt/cdrom auto noauto,ro 0 0
proc /proc proc defaults 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0

- Setting timezone

1. vi /etc/default/rcS
2. dpkg-reconfigure tzdata

- Configuring networking

1. echo "ubuntu-vflash" > /etc/hostname

File /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

File /etc/resolv.conf

nameserver 192.168.1.1

- Configuring apt

File /etc/apt/sources.list

deb http://archive.ubuntu.com/ubuntu/ natty main restricted
deb-src http://archive.ubuntu.com/ubuntu/ natty main restricted

deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates main restricted
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-updates restricted

deb http://ports.ubuntu.com/ubuntu-ports/ natty universe
deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates universe

deb http://ports.ubuntu.com/ubuntu-ports/ natty multiverse
deb http://ports.ubuntu.com/ubuntu-ports/ natty-updates multiverse

deb http://ports.ubuntu.com/ubuntu-ports/ natty-security main restricted
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security main restricted
deb http://ports.ubuntu.com/ubuntu-ports/ natty-security universe
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security universe
deb http://ports.ubuntu.com/ubuntu-ports/ natty-security multiverse
deb-src http://ports.ubuntu.com/ubuntu-ports/ natty-security multiverse

1. apt-get update

- Configuring locales and keyboard

1. apt-get install locales
2. dpkg-reconfigure locales
3. apt-get install console-data
4. dpkg-reconfigure console-data

- Finishing touches

1. apt-get update
2. apt-get upgrade
3. apt-get clean
4. passwd

- Installing kernel

1. cd /usr/src
2. git clone git://git.gitbrew.org/ps3/ps3linux/linux-2.6.git
3. ln -sf linux-2.6 linux
4. cd linux
5. cp ps3_linux_config .config
6. make menuconfig
7. make
8. make install
9. make modules_install

If you compile your kernel on the PS3 then make sure you activate swap, because
compiling the kernel needs a lot of RAM. I used /dev/ps3vflashh1 as swap, which
you have to create first with fdisk or some other program, of course.

1. mkswap /dev/ps3vflashh1
2. swapon /dev/ps3vflashh1

- Creating kboot.conf

File /etc/kboot.conf

ubuntu_vflash=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh3
ubuntu_vflash_hugepages=/boot/vmlinux-2.6.38-gf77c53d root=/dev/ps3vflashh3 hugepages=1

- Creating /dev/ps3flash device (needed for ps3-utils)

File /etc/udev/rules.d/70-persistent-ps3flash.rules

KERNEL=="ps3vflashf", SYMLINK+="ps3flash"


Step 2) Download, and compile the ps3dm utils (http://git.gitbrew.org/ps3/?p=ps3linux/ps3dm-utils.git;a=summary)

Download: ps3dm_um (Compiled) / ps3dm_aim (Compiled)

PC
Step 3) Download my tokenator (Tokenator (SRC) / Tokenator (Compiled))

PS3
Step 4) Dump your eid by running ./ps3dm_iim /dev/ps3dmproxy get_data 0x0>dump

Step 5) Set your flag by running ./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00

PC
Step 6) Open your dump in a hex editor and type in the first 16 bytes into tokenator

PS3
Step 7) Run the script it spits out

PS3
Step 8) Restart your ps3. Go to the Network Settings options and press L1 + L2 + L3 + R1 + R2 + D-Pad Down

Have fun. It doesn't work on rebug yet. There are other flags to set for debug firmwares and rebug is pseudo debug.

How to setup QA Flag with Grafs Payload:

First you have to dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them on eid.c

To do this you can use Hardware_flashing, Linux with the graf_chokolo kernel with access to /dev/ps3nflasha, or this payload with dump_dev_flash() uncommented.

Once you are set - Use the payloads in the following order uncommenting the required function

Set the QA flag: update_mgr_qa_flag()

Calculate the token: update_mgr_calc_token()

Verify token: update_mgr_verify_token()

Set the calculated and verified token in update_mgr_set_token.c: update_mgr_set_token()

You should use wireshark or tcpdump to capture the responses.

GameOS app SRC to QA-flag: pastie.org/2105541 / Makefile: pastie.org/2105567
[code]
/*
* Based on glevand's product mode toggle
* PsiCoLeO 2011
*/

/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/

#include
#include
#include

#include

#include
#include

#define UPDATE_MGR_PACKET_ID_READ_EPROM 0x600b
#define UPDATE_MGR_PACKET_ID_WRITE_EPROM 0x600c
#define EPROM_QA_FLAG_OFFSET 0x48c0a
#define EPROM_QA_Token_OFFSET 0x48D3E

/*
* Set your encrypted token
* Calculated with Slynk Tokenator
*/
static uint8_t qa_token[0x50] =
{
0xF6, 0x58, 0xDB, 0xAC, 0x63, 0xEB, 0x47, 0x99, 0xE2, 0x63,
0xC0, 0x10, 0x66, 0x42, 0x3D, 0xF7, 0x34, 0x29, 0x90, 0x61,
0x23, 0xED, 0x89, 0xEC, 0x21, 0x9E, 0xE2, 0x8B, 0x83, 0xF9,
0x87, 0x2F, 0x32, 0x50, 0xEC, 0xC3, 0xD0, 0x3D, 0xEA, 0x6E,
0x14, 0xE0, 0x81, 0xA2, 0x67, 0xCE, 0x86, 0xF7, 0x7A, 0xFE,
0xDF, 0x11, 0xAB, 0x39, 0xE1, 0xCE, 0x57, 0x06, 0x42, 0xC0,
0x2B, 0xB2, 0x3F, 0x49, 0x04, 0xC7, 0xE7, 0x58, 0x70, 0x19,
0x6A, 0xF1, 0xE4, 0x94, 0x32, 0x36, 0x61, 0xB0, 0xA6, 0xB5,
};


/*
* main
*/
int main(int argc, char **argv)
{
uint8_t value;
int result;
int n;

netInitialize();

udp_printf_init();

PRINTF("%s:%d: start\n", __func__, __LINE__);

result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_READ_EPROM,
EPROM_QA_FLAG_OFFSET, (uint64_t) &value, 0, 0, 0, 0);
if (result) {
PRINTF("%s:%d: lv2_ss_update_mgr_if(READ_EPROM) failed (0x%08x)\n",
__func__, __LINE__, result);
goto done;
}

PRINTF("%s:%d: current qa flag mode 0x%02x\n", __func__, __LINE__, value);

if (value == 0xff) {
/* enable */

PRINTF("%s:%d: enabling qa flag mode\n", __func__, __LINE__);

value = 0x0;

result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
if (result) {
PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
__func__, __LINE__, result);
goto done;
}
} else {
/* disable */

PRINTF("%s:%d: disabling qa flag mode\n", __func__, __LINE__);

value = 0xff;

result = lv2_ss_update_mgr_if(UPDATE_MGR_PACKET_ID_WRITE_EPROM,
EPROM_QA_FLAG_OFFSET, value, 0, 0, 0, 0);
if (result) {
PRINTF("%s:%d: lv2_ss_update_mgr_if(WRITE_EPROM) failed (0x%08x)\n",
__func__, __LINE__, result);
goto done;
}
}

PRINTF("%s:%d: end\n", __func__, __LINE__);

lv2_sm_ring_buzzer(0x1004, 0xa, 0x1b6);

/* Setting the QA token */
for ( n=0 ; n
[/code]

#63 - anon777 - 200w ago
that's what i'm talking about

#62 - B4rtj4h - 200w ago
Oh boy... I see another opportunity here! USB dongles that push button combos...

#61 - Brenza - 201w ago
They don't need to change the combo, if you don't flag the token combo will not work.

If you don't own the keys to decrypt the token you can't flag it, but if you had the keys you no longer need the QA Flag! LOOL

#60 - d3adliner - 201w ago
Button combo will be changed in the next FW update.

#59 - Brenza - 201w ago
No, it won't work on 3.6x firmware since we can't decrypt the vsh.

Probably the 3.55 payload will come soon, just wait.

#58 - Dominator7 - 201w ago
Two questions: does this work on 3.65, and will this come in a payload for USB dongles?

#57 - Tidusnake666 - 201w ago
Guys, it's not the button combo itself that will do miracles; you additionally have to change, hash, re-encrypt and write the token to EEPROM.

#56 - jedaking - 201w ago
I know that we can't have people uploading fake youtube all the time, but this looks sweet!