Tag archive for ‘Mathieulh’

QA flagging combo found, new CFW to arrive soon?

by Dukio - on Jun 22nd 2011 - 3 Comments

The Quality Assurance (QA) mode in the PS3, which everyone in the scene has been buzzing about for a while, has now been discovered by an anonymous source. More information below.

Change byte 48 of the token seed to 0x02, hash it, encrypt it, write it to eeprom and flag yourself. Button combo is L1+L2+L3+R1+R2+dpad down. Only works on retail firmware.

By byte 48, I mean the 48th byte. Note that in programming the array of the token seed begins with index 0. So the 48th byte would be seed[47];

The information above is enough to get a kick start on a full working app for the PS3.

Previously, the scene had this information regarding the QA flags:


So, how do you QA flag your PS3? Squarepusher has posted the combo, but it still wouldn’t be advisable for beginners to try this yet, because it requires you to go back to an official firmware. This is a guide taken from PS3Hax:

How to QA Flag your PS3, the button combo:

  • Be on 3.55 OFW (no rebug), download here.
  • Move the PS3 cursor/select “Network Setting”
  • Punch the following button combo with your PS3 controller: L2 + L1 + R1 + R2 + L3 + D-pad Down
  • That’s it, the “Edy Viewer”, “Debug Settings”, “Install Package” Menu will now appear.

Notes and disclaimers:

Install Package is useless and can’t install homebrew at the moment – only signed PKGs (and the first one in root of USB only).

This is not all that is needed to QA flag your PS3, but it’s a big start for the community – we still need all the pieces to fully QA flag the PS3 and it’s the scene’s job to “figure out the rest”.

Last month, Mathieulh surprised everyone with a video that first demonstrated the QA flagging method in action. The video basically shows him converting his retail console to a QA console, a kind which can only be found in Sony’s Quality Assurance centers and their R&D department.

With a QA console, several restrictions will be unlocked and according to Mathieulh himself, it could only lead to more piracy. To quote from Mathieulh before:

The QA flag happens to remove a bunch of restrictions that have the side effect of preventing you to warez.

The original video by Mathieulh has been set to “private” but IddyHacks has the backup.

One interesting thing to note about the QA flag method is that it stays even after the PS3 console itself has been updated. Now, with the recent discovery of the method’s code, it will just be a matter of time before we see a new CFW up and running to automate the whole process.

Developers could also take this as an ingredient for a fully working 3.61 CFW. Whatever it is, we should just wait and see more of the updates surrounding this kind of jailbreak soon.

UPDATE: Apparently, it would not work with newer firmwares other than 3.55 because, from what I have read, it has been changed. So, unless someone comes up with a new idea, we’re stuck with 3.55 CFW. Thanks to TLDK for the tip!

Mathieulh Rewrote Metldr In C++

by Dukio - on Jun 12th 2011 - 5 Comments

To be frank, I have no idea what the C++ version of metldr by Mathieulh is going to bring to end users. I mean, I know the role of metldr as one of the key components in the security architecture of the PS3, but I definitely have no clue what he’s going to do with it. Perhaps a new type of hack for the PS3?

Mathieulh is back!

Nevertheless, it’s good to know that Mathieulh is still investigating stuff on the PS3, which will be appreciated by the community. Recently, he also helped people who are still trying to find his exploit, namely the QA flagging method, although he did say that he is not interested in that now. Here are the chat logs taken from an IRC channel that Mathieulh was involved with.

[MajorPSP1] sup Mathieulh
[Mathieulh] not much
[Mathieulh] rewrote metldr in c++
[MajorPSP1] we meet again :)
[Mathieulh] other than that, nothing new
[MajorPSP1] oh
[MajorPSP1] anything qa flag findings lately?
[Mathieulh] not really, I don’t care much about that stuff now

Mathieulh And His Exploit

3 months ago, he found an exploit that could facilitate the process of creating 3.60+ (Yes, should be 3.61 and 3.65 too) CFW. Until now, no one (except Mathieulh’s close contacts) seems to have discovered what he found, despite several clues he has given. Now, if Sony wouldn’t go crazy with suing people over the hacks, Mathieulh could perhaps have the same level of fame achieved by Dark-AleX from the PSP scene. Note that Mathieulh is one of the members of Dark-AleX’s M33 team back in the PSP days.

Mathieulh gives hints to exploiting v3.60, talks about graf_chokolo, and Rebug

by Rith - on Apr 21st 2011 - 3 Comments

This is a rather long post–which I wasn’t really up for but I felt it was necessary. It’s broken into four (4) sections. The first section is about everyone’s favorite guy, graf_chokolo. The second will give you some insight into how Mathieulh feels about the Rebug custom firmware, and the last two sections talk about exploitation and firmware v3.60+.

If you need a summary of how graf_chokolo got himself into hot water with Sony, the conversation below kind of sums it all up for you:

[X] what is pissing me off is that honest developers like graf_chokolo are getting sued. I don’t care about saving pirates, let them have it

[Mathieulh] yeah, graf didn’t deserve this

[Mathieulh] then people wonder why I am not sharing keys… xD

[X] his goal ultimately afaik was to even /remove/ GameOS, get Linux/BSD on it and make it a devbox without even possible piracy

[X] if graf gets sued for upping ‘coolstuff.rar’, I can only imagine what they like to do with a Sony PUP that enables piracy/PSN contentrobbing/debug-PSN

Mathieulh interviewed about PS3 scene

by KingX - on Apr 5th 2011 - 1 Comment

There has been a lot of commotion in the PS3 scene ever since the PS3 was jailbroken. Wired Kuwait recently had an interview with Mathieulh about the PS3 scene. There is not much in this interview, but he does share his points of view about the PS3 and explains why he wanted to jailbreak the PS3. He also states that he will be getting an NGP once it is released. Hacking the NGP? It is a possibility, although jailbreaking does take away a lot of his free time. Feel free to leave your thoughts on whether you agree or disagree with Mathieulh.

Wired Kuwait interviews Mathieulh:

WiredKuwait: “What was your main reason to jailbreak the PS3, was it just for a sense of accomplishment, or you had something else in mind?”

Mathieulh: “My main reason was mostly because it was challenging, the playstation3 wasn’t documented and was pretty much unknown territory to everyone, that’s what’s motivated me.”

WiredKuwait: “Many people expected similar homebrew to the PSP scene, but were limited to backup managers, do you think this is a step in the wrong direction for the PS3 jailbreaking scene?”

Mathieulh: “There were some nice homebrews such as FBANext on the playstation3, but I do still believe that a majority of people seem to care more about running playstation 3 backups than playing homebrews and emulators or running Linux on the playstation 3, That’s sad because this wasn’t what the jailbreaks were intended for as they were released. Of course we (developers in general) had little doubts about our work being abused for piracy sooner or later, that’s a sad fact that could have been avoided if sony had let us run our own code on our legally purchased playstation 3 hardware. (And I am not talking about gameos applications, Linux was fine to us)”

iTD interviews Mathieu

by KingX - on Mar 22nd 2011 - No Comments

Thanks to Austin from ithinkdiff.com (iTD), who had an exclusive interview with the well known Mathieu (Mathieulh). The French PS3 jailbreaker has been in the PS3 scene for quite some time now. As many of you who have been following news about Mathieu know, he had left a message that he was leaving the PS3 scene. This caused some attacks from the PS3 scene. However, as many of you know, Mathieu had posted a tweet stating that he had found an exploit that could be used to jailbreak PS3 firmware 3.60. Mathieu did not release a jailbreak for multiple reasons. Mathieu does give his insight into the PS3 jailbreaking scene in this interview. He mentions that he wants to help people who are in need rather than doing all the work for them. As for those who are interested in writing homebrews or jailbreaks for the PS3, Mathieu recommends that they look at the PSL1GHT and ps2dev SDKs. The interview is basically about the PS3 jailbreaking scene in general.

Q: “You’ve been on the PS3 jailbreaking “scene” for some time. What led you to the PS3 as opposed to other devices like the iPhone?”

A: “I would say circumstances led me to it, by the time the iphone scene started, I didn’t own an iphone, I was also focused on the playstation portable and didn’t have much time to spend on other platforms, later on the iphone and other platforms such as the xbox 360 were already fully documented whereas the Playstation 3 was pretty much unknown territory at this point, this made things a lot more challenging to me.”

Mathieulh: More on the undisclosed PS3 exploit

by Rith - on Mar 22nd 2011 - 1 Comment

Remember on the 15th of March, we posted some news about Mathieulh’s running code on firmware v3.60–and how he said he has no plans to release the exploit? Well, that’s still the case–however, he did post some additional information about the undisclosed PS3 exploit:

Actually the revocation list exploit doesn’t allow you to exploit isoldr, you could however sign a revoke list if you had the revocation list keys and knew the sign fail, and use that to dump isoldr. Metldr does not load revocation lists.

@jarmster
Ya well without a disassembly i guess its all speculation isn’t it math

This has been tested, how do you think I could release the lv2ldr and appldr keys ? (about 24hrs before Geohot showed up with metldr keys)

You can also dump any loader using a signed metadata (including metldr) though that means you need to have the keys for it in the first place (kinda kills the purpose)

Your entire purpose is to get the isolated process (the code running inside the spu) to jump to your instructions


[UPDATE #3] BREAKING NEWS: Mathieulh’s running code on firmware v3.60. Video released for the world to see

by Rith - on Mar 15th 2011 - 9 Comments

A well respected developer who goes by the name drizzt just tweeted a chat log belonging to Mathieulh. In the log, assuming that it’s true (or genuine), Mathieulh says that he has code running on firmware v3.60, but added that he’ll keep it to himself. Ouch!

Update #3: Video should be fixed… again.

Update #2: Video should be fixed now.

Update #1: Mathieulh just tweeted a video of custom firmware v3.60 running on the PS3. This video was made by winocm, which he says, “here’s that 3.60 jailbreak that’ll never be released.”

(Credit goes to ClutchLikeMelo of Nextgenupdate.com for video)

What do you guys think? Should Mathieulh just ignore those who are insulting him and release the jailbreak for firmware v3.60?

source @Mathieulh (Twitter)
source @drizzt (Twitter)
via ps3crunch.com

Mathieulh

PS3/PSP PKG Decrypter & Extractor v.1.0.0.0 released for Windows

by Rith - on Jan 6th 2011 - No Comments

Developer Mathieulh has released a handy tool called PS3/PSP Retail PKG Decrypter & Extractor for Windows. This tool can be used to “extract Playstation 3, Playstation Portable and mixed GAME PACKAGES”.

Mathieulh: All known PS3 keys now on spreadsheet

by Rith - on Jan 5th 2011 - No Comments

According to developer Mathieulh, all of the known PS3 keys are now available on the PS3 key list spreadsheet (see below).

PS3 key list spreadsheet HERE.


PS3 spreadsheet key list updated

by Rith - on Jan 4th 2011 - 1 Comment

Mathieulh just informed everyone that the PS3 key list has been updated. Some of the keys that were missing a couple of days ago are now added to the spreadsheet.
