(adsbygoogle = window.adsbygoogle || []).push({}); member a few weeks ago Mathieulh released a video of the QA flagged PS3? To refresh your memories; the QA flag is the internal console flag used by Sony, it enables hidden options and removes restrictions for both retail and debug consoles alike. It is used for QA centers and the R& Department (there are 2 levels of QA flags, Minimum and Advanced). In short it could lead to a complete open PS3…and yes all the CFW, homebrew and backup manager your little heart desires.

You must login or register to view this content.

Well the method of how to “QA flag” your PS3 was never posted/revealed but since then plenty of hints have been given in attempts for the “scene”, and one of the first steps was to figure out the secret button combo. Well after weeks of people trying and moaning, the man behind the emulators – squarepusher 2 has released/posted information on exactly what that button combo was. Noobs do not try this – the guide below is still a work in progress and QA flag button combo is the icing on the cake.
How to QA Flag your PS3, the button combo:

1. Be on 3.55 OFW (no rebug): You must login or register to view this content.
2.Move the PS3 cursor/select “Network Setting“
3.Punch the following button combo with your PS3 controller: L2 + L1 + R1 + R2 + L3 + D-pad Dow
4. Thats it, the “Edy Viewer”, “Debug Settings”, “Install Package” Menu will now appear.
Notes and disclaimers:

Install Package is useless and can’t install homebrew at the moment – only signed PKGs (and the first one in root of USB only).
This is not all that is needed to QA flag your PS3, but its a big start for the community – we still need all the pieces to fully QA flag the PS3 and its the scenes job to “figure out the rest”.

Thanks to munky875821417 for news tip.

enjoy source ps3hax.com

Well that's the thing. Right now we're trying to make an advanced token. This will allow the functions that will disable several security checks. HOWEVER to check that the token is in fact advanced we'd need to enter the key code to enable access to those functions. Kinda a catch 22. Can't test the combo without the token and can't test the token without the combo.

Such a tease, like I'm hard, but have a feeling I'm not going to jizz lol

LOL, liking the... the errr... I forget the word, but you know what I mean, very nicely done haha

---------- Post added at 04:03 PM ---------- Previous post was at 04:03 PM ----------



Not if nobody has figured it out yet lol

nice guys keep up the good work!

Triangle, circle, up, left, and the home button? Possible, but found it in a wierd post. Probably won't work, but worth a shot, right? Here's the original bs posted: You must login or register to view this content.

You must login or register to view this content. hope this helps. if it was posted, idk i didnt wanted to read all pages.


[00:37:37] <Mathieulh> the token is also stored in syscon
[00:37:44] <Mathieulh> it's 0x50 bytes long
[00:37:49] <Mathieulh> and of course it's encrypted
[00:37:55] <Mathieulh> the token is tied to the EID0
[00:38:52] <Mathieulh> Graf's stuff contain some of the update manager protocol for the token and spu_token_processor protocol
[00:38:57] <Mathieulh> but it's nowhere near enough
[00:39:00] <Mathieulh> to QA flag the box
[00:39:06] <Mathieulh> the tokens you get from UM are no good
[00:39:23] <Mathieulh> they are what I would call "dummy tokens"
[00:39:28] <Mathieulh> with no privileges whatsoever
[00:39:38] <dospiedra> we will not have piracy
[00:39:47] <Mathieulh> the token itself has a series of flags which control various aspects of the console


<Mathieulh> I can do it with a signed app as far as I am concerned
<ODD29> have u a hint for me?? or have u wrote the signed app yourself ?
<Mathieulh> I went through graf's bootstrap at first
<Mathieulh> then I wrote an app
<ODD29> ohh ok.. this is not easy for us :-( damn..
<ODD29> did rms and adrianc created the qa token using ur signed app.. ??
<Mathieulh> they used graf's bootstrap and a special payload



<Mathieulh> ok, I'll help you a LOT
<emizE> Those I lack
<Mathieulh> instead of looking for the combo
<Mathieulh> look for whatever checks the token
<Mathieulh> it'd also give you what value you need to set
<emizE> Hmmm......
<_bubba> getting closer
<Mathieulh> the function that enables the combo in vsh.self also happens to check the token value
<Slynk> spu_token_processer? I'm not sure if it handles verification or just encryption/decryption
<emizE> Ahhh......
<Mathieulh> the decrypted token is stored in ram
<Mathieulh> somewhere
<Slynk> Woo, was going to ask that XD
<emizE> lol
<Mathieulh> and I REALLY helped you there
<_bubba> clues are coming
<Mathieulh> but the rest you'll have to figure it out on your own
<Mathieulh> I already said way too much


sys_init_osd.sprx = encrypted
sys_init_osd.ELF = decrypted

button combo located in sys_init_osd.sprx

decrypted sys_init_osd.sprx You must login or register to view this content.

Search the button combo with IDA

This is needed :

left -> 32768 ,1<<7, 31 3C 3C 37
down -> 16384 ,1<<6, 31 3C 3C 36
right -> 8192 ,1<<5 , 31 3C 3C 35
up -> 4096 ,1<<4, 31 3C 3C 34
Start -> 2048 ,1<<3, 31 3C 3C 33
R3 -> 1024 ,1<<2, 31 3C 3C 32
L3 -> 512 ,1<<1, 31 3C 3C 31
Select -> 256 ,1<<0,31 3C 3C 30
square -> 128 ,1<<15, 31 3C 3C 31 35
X -> 64 ,1<<14, 31 3C 3C 31 34
circle -> 32 ,1<<13, 31 3C 3C 31 33
triangle -> 16 ,1<<12, 31 3C 3C 31 32
R1 -> 8 ,1<<11,31 3C 3C 31 31
L1 -> 4 ,1<<10, 31 3C 3C 31 30
R2 -> 2 ,1<<9, 31 3C 3C 39
L2 -> 1 ,1<<8, 31 3C 3C 38

sys_init_osd.elf is from 3.55

R1 example : can stand as 8 or 1<<11 or as 31 3C 3C 31 31

Everything is copy-pasted from a thread and translated by me.

I really wanna get in on this and help out. So, we got the coding I assume? All we are looking for now is the button combo, right? We already know how to activate it once we get the button combo? Well...we know where the button combo is stored, so what are we working on / trying to figure out? I downloaded the sys_init_osd.elf and opened it with HEX, just don't know where to look for button combo. What do we need?

Okay i figured out how to get the button combo...simple acutely....1st find a descent looking girl..then take her on a date...then make out with her...finally have sex or get your dick sucked and she will give us the button combo....i know this impossible for all you nerds so ill do it for you and report back haha

Please excuse the noob question............what do you mean by IDA... =D ? I opened the file with HxD