(adsbygoogle = window.adsbygoogle || []).push({}); QA Flag

A QA flag is a value set in SC EEPROM at address 0x48C0A. When this flag is set, the token is read from SYSCON and decrypted, this gets passed to various modules to unlock certain functionality.

QA Token

A QA token is a 80 byte value that determines amount of functionality on your console. It is signed with a 20 byte SHA1 key then encrypted using AES256CBC.

Unencrypted Token Structure

0x00, 0x00, 0x00, 0x01, 0x00, 0x11, 0x22, 0x33,
0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB,
0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x19, 0x4A, 0x4B, 0xBA,
0x15, 0x97, 0xAE, 0x71, 0x36, 0xCC, 0xB6, 0x65,
0x7F, 0xC3, 0xB5, 0x3F, 0x49, 0x22, 0x2F, 0xB1

Encrypted Token
The entire token is then encrypted with AES256CBC. You will find the keys on the keys page. This is then stored on SC EEPROM at 0x48D3E

Token Flags

The flags are a 40 byte value containing a set of flags that enable specific features on the PS3 console. These flags are largely unknown.

QA_FLAG_ALLOW_NON_QA = byte 0x33, bit 0
QA_FLAG_FORCE_UPDATE = byte 0x33, bit 1
QA_FLAG_EXAM_API_ENABLE = byte 0x27, bit 0
QA_FLAG_QA_MODE_ENABLE = byte 0x27, bit 2


Setting QA Flag & Token with Linux

First you need to have linux installed on your PS3, you can have grafs kernel or glevands rework

If you are using glevand´s kernel you will have to first enable the require module
modprobe ps3dmproxy

Then you will have to have the latest ps3dm-utils you can get from gitbrew or here you have a precompiled ps3dm_um ps3dm_aim

and you will need Slynk tools

Here's my app. I'd have a full tutorial but I'm having to deal with some bullshit right now. Sorry guys.
I'll make a better tutorial later but basically. Flag yourself. Dump your idps (that's the first 16 bytes of your eid0).
Type it into my app in the format I provided, click the button, and run that command. Should work.
You must login or register to view this content. KB)

Procedure

Getting the info

First you need you IDPS

the easyest way is using graf aim

./ps3dm_aim /dev/ps3dmproxy get_dev_id

Write it down and load it on the Tokenator app

It will give you the command you should use in linux + your encrypted token

something like this

./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...

Setting the flag

ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00

Setting the token

Just copy paste the command you got from tokenator

./ps3dm_um /dev/ps3dmproxy set_token 0x7E 0xDA 0xE2 0x68...

Congrats now you ps3 is QA flagged Reboot


Getting the QA flag menu

Set yoursef on network settings and press the weired combo

L2+R2+L1+R1+L3(this means pressing you left analog stick)+dpad_down

Debug Settings


Setting !! Value !! Description

DTCP-IP || on-off|| ''''''igital '''T'''ransmission '''C'''ontent '''P'''rotection over '''I'''nternet '''P'''rotocol, a specification for copy protection of copyrighted content that is transferred over digital interfaces in home networks that adhere to IP. Allows you to turn it on or off for PS3.

ATRAC || on/off || '''A'''daptive '''TR'''ansform '''A'''coustic '''C'''oding is a family of proprietary audio compression algorithms developed by Sony. Allows you to enable or disable ATRAC playback for your PS3 system.

WMA || on/off || '''W'''indows '''M'''edia '''A'''udio is an audio data compression technology developed by Microsoft. Allows you to enable or disable WMA playback for your PS3 system.

NP Enviroment || enviroment|| Allows you to change which environment your PS3 connects. Known enviroments are: C1-NP, D2-NP, D2-PMGT, D2-PQA, D2-SPINT, D3-NP, D3-PMGT, D3-PQA, D3-SPINT, D-NP, D-PMGT, D-PQA, D-SPINT, EI-NP, EI-PMGT, EI-PQA, EI-SPINT, HF, HF-NP, HF-PMGT, HF-PQA, HF-SPINT, H-NP, H-PMGT, H-PQA, H-SPINT, MGMT (Management), NP (Retail), PMGT, PQA, PROD-QA (Quality Assurance), Q2, Q2-NP, Q2-PMGT, Q2-PQA, Q2-SPINT, Q-NP, Q-PMGT, Q-PQA, Q-SPINT, RC, RC-NP, R-NP, R-PMGT, R-PQA, R-SPINT, SP-INT (Developer). There might be even more of different environments.

Fake Free Space (for CEX)|| on/off || Use with Fake Limit Size to artificially set the free space on the PS3.

Fake Limit Size || X MB || Amount of free space left (in MB).

NP Debug || on/off ||

NPDRM Debug || on/off ||

Edy Debug || on/off || Edy is a payment service in Japan, allows you to enable or disable debugging for Edy Viewer.

Nav-only NP || on/off ||

Cdda Server || Production/? ||

Crash Report || on/off ||

Crash reporter Status || Ready/Busy/Never be calles ||

VSH Crash Dump Generator || on/off ||

System Update Debug || on/off || Allows you to enable or disable system update debug, which lets you to downgrade with official Sony update manager.

Information Board QA Server || on/off ||

Format Marlin Personal Data || ? ||

PlaystationRStore Ad Clock || on/off ||

Geo Filtering for PlaystationRStore || ? ||

Remove Game License || ? ||

Home Debug || on/off ||

Delete Trophy Personal Data || ? ||

GameUpdate Impose Test || on/off ||

Network Emulation Setting || on/off ||

Auto-Off Debug || on/off ||

NAT Traversal Information || on/off ||

Internet Browser Debug || on/off ||

SMSS REsult Output || on/off ||

Adhoc SSID Prefix || PSP/? ||

Disc Auto-Start at System Startup || on/off || Allows you to start disc in-drive automatically when you start system on.

3D Video Output || Automatic/On || Allows you to set 3D Video Output automatic or always on.
Fake NP SNS Throttle || Off (60 sec)/ On (0,10,120,2600,closed)||

Debug for HDD Exchange Utility || ||

Push Console Binding || on/off||
|-
| Automatic Download || on/off || Set automatic download on or off. There's not info available what this does change. '''May be automatic system updates.'''
|-
| Motion Controller Calibration Result || || Shows lastest results from motion controller calibration.


Install Package Files

Will install the first package it finds on the root of the USB stick