Videos - Secret Quality Assurance Menu Unlocked + QA Downgrading

Published on 05-14-2011 09:21 AM

66 Comments

Mathieulh, an underground hacker, has released two videos showcasing retail consoles which have been converted to special quality assurance consoles. He has managed to set a special QA flag in his console which unlocks a secret Quality Assurance menu. In the video he showcases some very unique options which typically are only available in Sony's QA Centers and their R&D Department. In one of the videos he also demonstrates how Sony officially downgrades their consoles using these QA options. Unfortunately, Mathieulh is infamous for not releasing his methods and has stayed true to form with this latest development.

Update - rms elaborates on why QA Flagging is difficult:

Ever since Mathieulh released his video, some people just want to QA flag their consoles. Now, let me tell you one thing, it’s so not easy.
Besides, if you want to use the QA flag, you have to have a valid QA token, and you have to be on a specific firmware range. Now, what’s so special about the token is that it’s generated in a funny way, I am not going to disclose that here. But, remember, PS3 hypervisor can also make tokens. But these tokens.. don’t do /anything/ except just unlock the QA repository node.
Besides, the fancy menu requires a very weird key combo on the Sixaxis, and it only works on retails. On debugs, it just removes all restrictions.
Remember, the QA flag in Syscon also requires a valid token. (reiterated again.)
So, in the end QA flagging = (Piracy*Warez)++;. Don’t do it.

What is a QA flag?

QA flag is the internal console flag used by Sony, it enables hidden options and removes restrictions for both retail and debug consoles alike. It is used for QA centers and the R&D Department, there are 2 levels of QA flags, Minimum and Advanced, this console has been set to the Advanced one.

Attachment 1199

Video Description:

I just QA flagged my Metal Gear Solid 4 Limited Edition console and I thought I’d show you the hidden options for the sake of it. (and because I was bored)
I am sorry for the unstable camera, I only have two hands and the options are hidden and require (along with the actual flag) a crazy button combo to pop up. (I kid you not)
Sorry I am not telling you how to do this, please do not ask.
Yes, this video is real

Relevant tweets:

Mathieulh:
@dantezteam It’s an UNMODIFIED RETAIL FIRMWARE.
@KaKaRoToKS For various reasons, one of them being that you can warez with this, and the flag stays even after updating.
@KaKaRoToKS The QA flag happens to remove a bunch of restrictions that have the side effect of preventing you to warez.
@dantezteam The console is QA flagged, The firmware checks for this flag and will enable special features when it finds it.
@dantezteam Basically it’s what Sony themselves use to allow special debugging on their consoles and loosen restrictions.

@KaKaRoToKS By the way, Advanced QA flag enables downgrading, just my 2 cents… xD

Downgrading Video Description:

This is what happens when downgrade gets enabled. This is the way Sony officially downgrade retails.

Source: PS3Hax

Share
- Share this post on
- Digg
- Del.icio.us
- Technorati
- Twitter

Categories:

61 Comments

badboyz80-PSG - 05-14-2011, 09:40 AM
- Reply
great work as always but i really dont see the point in showing all your work if you aint going to realease any of it

Zero95 - 05-14-2011, 09:42 AM
- Reply
One more thing that show us that Mathieulh is a arrogant ******* and will only fame.

Why show he us that when he does not release it that is nonsense and nothing else than arrogant.

grandy - 05-14-2011, 09:45 AM
- Reply
At the very least, the videos show other devs/hackers whats possible. Granted, a release would be much more appreciated.

ihaxgames-PSG - 05-14-2011, 09:50 AM
- Reply
Originally Posted by grandy

At the very least, the videos show other devs/hackers whats possible. Granted, a release would be much more appreciated.

I agree with you, however other Devs will likely look into this now. It's too bad though... If anyone would release this if they did it, it would've been Graf, hopefully he's doing alright

Thorn - 05-14-2011, 09:53 AM
- Reply
well what a ****** ****tease

reloaded231-PSG - 05-14-2011, 09:58 AM
- Reply
im sorry but i have to say bull SNOT well all know that the xmb can be changed i am sure with a little tinkering i think all this can be faked i mean hell my xmb is not like others i have changed almost everything in text so this can very well be fake

grandy - 05-14-2011, 09:59 AM
- Reply
Originally Posted by reloaded231

im sorry but i have to say bull SNOT well all know that the xmb can be changed i am sure with a little tinkering i think all this can be faked i mean hell my xmb is not like others i have changed almost everything in text so this can very well be fake

I can confirm this isn't fake.

hackbard23 - 05-14-2011, 10:03 AM
- Reply
looks like this "Controller Code" is something for my Logitech Harmony Remote :joystick1:

reloaded231-PSG - 05-14-2011, 10:04 AM
- Reply
and how is that you have been to this guys house and seen this yourself

CrimsonSoul - 05-14-2011, 10:11 AM
- Reply
Sooooo basically there's always been a "simple-ish" way to downgrade with/without modified .PUP aka CFW??

....wait for it

.........wait for it

Ok, open the flood gates of people moaning, *****ing, complaining and asking so they can downgrade their 3.60 FW!

Originally Posted by VikasNarula

Its not fake Mathieulh is most popular console hacker. Also he is the first one who get his hand on 3.60 encryption keys but he didn't release in public for some reason.

PS: You can google his name for proof.

Read the below statement.

Originally Posted by reloaded231

im sorry but i have to say bull SNOT well all know that the xmb can be changed i am sure with a little tinkering i think all this can be faked i mean hell my xmb is not like others i have changed almost everything in text so this can very well be fake

It was for comments like this that I knew eventually would pop up.

goblueguy11 - 05-14-2011, 10:12 AM
- Reply
It sucks that Mathieulh doesn't release anything!

Zero95 - 05-14-2011, 10:24 AM
- Reply
Originally Posted by grandy

At the very least, the videos show other devs/hackers whats possible. Granted, a release would be much more appreciated.

Jeah and for this Mathieulh has must make a video and release it to the public and twitter about it?

NO to show other Hackers what is possible he must not do this.

badkiller2-PSG - 05-14-2011, 10:53 AM
- Reply
Well, this is interesting news. Maybe we could finally go back and forth between Firmwares as we please, play online and use PSN for legit business, and CFW for our uhm "homebrew"... Only problem is, he doesn't give anything.

Maybe he shows it to make other devs know the possibility. IDK really, .

Also, I don't know if it's true, but someone posted on the videos a code that supposely unlocks the debug Mathieulh presented. Dunno if it's true, but figured I might as well repost it in case it is and Methieulh will delete the comment so no one would know:

write QA flags3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00

OR

ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0xFF

Captain Obvious - 05-14-2011, 11:07 AM
- Reply
why can't these developers afford tripods?

pito ho - 05-14-2011, 11:21 AM
- Reply
Hey Yo Mathieulh,
You are useless and just shut the **** up. You don't need to show your **** to the public if it does not smell. Geohot is the best and always share to everyone.

role2682-PSG - 05-14-2011, 11:30 AM
- Reply
I know it sucks that he doesn't release his work but hopefully someone will be able to figure out how he did this from his hints.

I've seen this on other sites thought it should be posted here as well, this is originally form Mathieulh's twitter:

Here's 2 hints I'm gonna share with you guys;

update_mgr_qa_flag.c - graf_payloads in graf_payloads - git-hacks.com

Code: [Check Download Links]
http://git-hacks.com/graf_payloads/g..._mgr_qa_flag.c

update_mgr_set_token.c - graf_payloads in graf_payloads - git-hacks.com

Code: [Check Download Links]
http://git-hacks.com/graf_payloads/g...gr_set_token.c

EEPROM Offset Table
Here is the table of EEPROM offsets that can be accessed through Update Manager (3.15):

0x48C06 1 FSELF Control Flag
0x48C07 1 Product Mode (UM allows to read this offset, it can be also written but only when already in product mode)
0x48C0A 1 QA Flag
0x48C13 1 Device Type
0x48C42 1 HDD Copy Mode
0x48C50 0x10 Debug Support Flag
0x48C60 1 Update Status
0x48C61 1 Recover Mode Flag
0x48D3E 0x50 QA Token (UM doesn't allow access to this offset but SC Manager can read/write it)

VikasNarula-PSG - 05-14-2011, 12:48 PM
- Reply
Update from rms's crypt

Why QA flagging is difficult

Ever since Mathieulh released his video, some people just want to QA flag their consoles. Now, let me tell you one thing, it’s so not easy.

Besides, if you want to use the QA flag, you have to have a valid QA token, and you have to be on a specific firmware range. Now, what’s so special about the token is that it’s generated in a funny way, I am not going to disclose that here. But, remember, PS3 hypervisor can also make tokens. But these tokens.. don’t do /anything/ except just unlock the QA repository node.

Besides, the fancy menu requires a very weird key combo on the Sixaxis, and it only works on retails. On debugs, it just removes all restrictions.

Remember, the QA flag in Syscon also requires a valid token. (reiterated again.)

So, in the end QA flagging = (Piracy*Warez)++;. Don’t do it.

daxgr-PSG - 05-14-2011, 01:08 PM
- Reply
Kinda sucks

Sent from my X10mini using Tapatalk

mytsoutsou-PSG - 05-14-2011, 01:15 PM
- Reply
Having a PS3 dev kit and making videos showing the extra options it has,while trying to convince everyone of your imaginary accomplicements, is really sad, so s u c k my c o c k Mathieulh

vSaAmTp-PSG - 05-14-2011, 01:32 PM
- Reply
Pffffff... That Sucks. Mathieulh use this for his Ego.

Same like: I can walk on the Water. With a Secret Finger Combo i do this.