[Update#3 at bottom] Remember a few weeks ago when Mathieulh released a video of the QA flagged PS3? To refresh your memory: the QA flag is the internal console flag used by Sony. It enables hidden options and removes restrictions for both retail and debug consoles alike. It is used for QA centers and the R&D Department (there are 2 levels of QA flags, Minimum and Advanced). In short, it could lead to a completely open PS3…and yes, all the CFW, homebrew and backup managers your little heart desires.

Well, the method of how to “QA flag” your PS3 was never posted/revealed, but since then plenty of hints have been given to the “scene”, and one of the first steps was to figure out the secret button combo. Well, after weeks of people trying and moaning, the man behind the emulators, squarepusher 2, has released/posted information on exactly what that button combo was. Noobs, do not try this: the guide below is still a work in progress and the QA flag button combo is the icing on the cake.
How to QA Flag your PS3, the button combo:
- Be on 3.55 OFW (no rebug), download here.
- Move the PS3 cursor/select “Network Setting”
- Punch the following button combo with your PS3 controller: L2 + L1 + R1 + R2 + L3 + D-pad Down
- That’s it, the “Edy Viewer”, “Debug Settings” and “Install Package” menus will now appear.
Notes and disclaimers:
- Install Package is useless and can’t install homebrew at the moment - only signed PKGs (and the first one in root of USB only).
This is not all that is needed to QA flag your PS3, but it’s a big start for the community. We still need all the pieces to fully QA flag the PS3, and it’s the scene’s job to “figure out the rest”.
Thanks to munky875821417 for news tip.
UPDATE 1:
And now, within hours, more information is being leaked, and it seems that developers now have all the pieces of the missing puzzle to create an application to automate the QA Flagging process (courtesy of an anonymous tip from PSGroove for the following information):
Change byte 48 of the token seed to 0x02, hash it, encrypt it, write it to eeprom and flag yourself. Button combo is L1+L2+L3+R1+R2+dpad down. Only works on retail firmware.
By byte 48, I mean the 48th byte. Note that in programming the array of the token seed begins with index 0. So the 48th byte would be seed[47];
This info is more than enough to get someone to make an app.
Previously known information on QA:
erk: 0x34, 0x18, 0x12, 0x37, 0x62, 0x91, 0x37, 0x1C, 0x8B, 0xC7, 0x56, 0xFF, 0xFC, 0x61, 0x15, 0x25, 0x40, 0x3F, 0x95, 0xA8, 0xEF, 0x9D, 0x0C, 0x99, 0x64, 0x82, 0xEE, 0xC2, 0x16, 0xB5, 0x62, 0xED
iv: 0xE8, 0x66, 0x3A, 0x69, 0xCD, 0x1A, 0x5C, 0x45, 0x4A, 0x76, 0x1E, 0x72, 0x8C, 0x7C, 0x25, 0x4E
hmac: 0xCC, 0x30, 0xC4, 0x22, 0x91, 0x13, 0xDB, 0x25, 0x73, 0x35, 0x53, 0xAF, 0xD0, 0x6E, 0x87, 0x62, 0xB3, 0x72, 0x9D, 0x9E, 0xFA, 0xA6, 0xD5, 0xF3, 0x5A, 0x6F, 0x58, 0xBF, 0x38, 0xFF, 0x8B, 0x5F,0x58, 0xA2, 0x5B, 0xD9, 0xC9, 0xB5, 0x0B, 0x01, 0xD1, 0xAB, 0x40, 0x28, 0x67, 0x69, 0x68, 0xEA, 0xC7, 0xF8, 0x88, 0x33, 0xB6, 0x62, 0x93, 0x5D, 0x75, 0x06, 0xA6, 0xB5, 0xE0, 0xF9, 0xD9, 0x7A
And:
*runs away before the lawsuits come flooding in*
hmac to make the 20 byte digest at the end of the token and erk/iv to decrypt/encrypt it with aes256cbc.
2 more steps to go. Need the button combo and what to change in the dummy token.
Exciting times
Update 2 - The Tutorial (Linux):
Slynk has posted a tutorial on how to QA flag your PS3 via Linux. There is more than one way to accomplish a QA flagged PS3, but this is just one of them.
To quote:
There are many methods to accomplish qa and I’m too lazy to document them all so I’ll tell you one way. Linux.
PS3
Step 1) Install OtherOS++, install linux, make sure to enable the ps3 modules when compiling the kernel.
Step 2) Download, and compile the ps3dm utils
PC
Step 3) Download my tokenator
PS3
Step 4) Dump your eid by running ./ps3dm_iim /dev/ps3dmproxy get_data 0x0 > dump
Step 5) Set your flag by running ./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00
PC
Step 6) Open your dump in a hex editor and type in the first 16 bytes into tokenator
PS3
Step 7) Run the script it spits out
PS3 Step
Restart your ps3. Go to the Network Settings options and press L1 + L2 + L3 + R1 + R2 + D-Pad Down
Have fun. It doesn’t work on rebug yet. There are other flags to set for debug firmwares and rebug is pseudo debug.
Progress is still being made, so keep checking back for updates. We will have a nice, easy-to-follow tutorial once all the details are ironed out.
Update 3, Game OS App WIP, Debug setting details, QA Flag setup with Grafs Payload:
Even more updates for you guys. A GameOS solution is being worked on to QA Flag your PS3. It could use improvements and you can grab the source code HERE, and the makefile here.
Further information related to the debug settings can be found at the PS3 dev wiki located HERE.
How to setup QA Flag with Grafs Payload:
First you have to dump your Flash -> Extract EID -> Extract EID0 and EID4 -> put them on eid.c
- To do this you can use Hardware_flashing, Linux with graf_chokolo kernel with access to /dev/ps3nflasha Links_to_precompiled_stuff, or this payload, uncommenting dump_dev_flash()
Once you are set
Use the payloads in the following order, uncommenting the required function each time:
- Set the QA flag
- Calculate the token
- Verify token
- update_mgr_verify_token()
- Set the calculated and verified token in update_mgr_set_token.c
You should use Wireshark or tcpdump to capture the responses.
Thanks to manster for tip, more info as it comes in