​

Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for the Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlocks the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it, to which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

Source
Download Link

 

[DaisyAge12]

Will be supported in the next version: https://github.com/socram8888/tonyhax/commit/a2b4e194714bd69ebf2125b4d9cb7303dab793b9

Amazing, truly great work you've done

 

[driverdis]

Will be supported in the next version: https://github.com/socram8888/tonyhax/commit/a2b4e194714bd69ebf2125b4d9cb7303dab793b9

Nice to hear, this also opens up the door for playing some alpha and beta games that only use psx.exe as well.

 

[smf]

I was looking to jump out of the CD player program with a kernal panic exploit using rough ROP to run his exploit, leading to a burned game only needing a hacked track 1. I won't even try if you want to explain it any further, go troll in another thread.

I'm not trolling, I just wanted to know what an "endian security issue" was.

The cd player just tells the drive what audio to stream. So good luck getting that to throw an exception.

--------------------- MERGED ---------------------------

works fine for imports. Be aware that you will have NTSC->PAL and PAL->NTSC conversion issues with this method as the console will output what the game wants and a PS1 by default is missing components to generate proper signals for out of region color standards. You can use RGB scart cables to get around this but the game will still be out of sync by around 1% speed wise.

The psx gpu can take inputs from two clocks, one for pal and one for ntsc. As the gpu starts up in ntsc, they tend to feed the pal clock to it and you get timing issues with some games. ntsc consoles have no need for a pal clock, so they don't always connect it & switching to pal mode loses video output entirely.

The black yaroze/world consoles have both ntsc & pal clocks fitted & will have the correct speed.

Some consoles switch the color burst when changing modes and will produce black and white on composite as your tv probably only handles one and some stick to the original region and are fine in composite. RGB is better though anyway.

 

[segashack]

Anyone have advice for burning backups of your ISOs?

I have a bluray burner and tried all sorts of speeds with no luck. I'm using Verbatim Discs. Am I better off getting a new disc burner?

Games crash when loading fmvs or music will stop in game.

Some games stop at "loading executable" on the Tonyhax screen.

edit: My blank discs are probably 15+ years old, ordered the "Verbatim Data Life Plus" just now based on reddit posts I saw and will let people know how those go.

 

[Leon11]

Verbatim are the best. You better find a simple old DVD burner and burn at lowest speed. Use CloneCD or Imgburn to burn. The problem with PS1 ISO is that are not ISO, usually are in cue and bin format but sometimes in mdf and mds or img ccd sub, depending of the program used to rip the game. Many games are multitrack, some have libcrypt so you have to patch the ISO just to be sure. If you have a multitrack game you need to convert to one bin and one cue. Usually i do this: mount the multiple track image with Daemon Tools and convert the image with CloneCD, then mount the converted image to Dameon Tools and burn with CloneCD with specified settings.

 

[socram8888]

New v1.2.1, solving the issues with at least three games: https://github.com/socram8888/tonyhax/releases/tag/v1.2.1

Changes since v1.2

• Support games lacking a SYSTEM.CNF file. Fixes Gunners Heaven (NTSC-J) (SCPS-10006) not booting.
• Support games with a SYSTEM.CNF lacking certain configuration entries. Fixes Tekken 3 (NTSC-U) (SLUS-00402) not booting.
• Clear some registers for bugged games. Fixes Pepsiman (NTSC-J) (SLPS-01762) not booting.

 

[Cake4all]

Can confirm Tekken 3 is working now, I've been getting an error with Crash Bash (SCES-02834) though. Message is "Loading Failed"

 

[socram8888]

Can confirm Tekken 3 is working now, I've been getting an error with Crash Bash (SCES-02834) though. Message is "Loading Failed"

Could you please share an screenshot copy the text on screen? That error message means the main executable couldn't get loaded, and one reason could be the SYSTEM.CNF isn't getting properly parsed.

 

[DarthMotzkus]

New v1.2.1, solving the issues with at least three games: https://github.com/socram8888/tonyhax/releases/tag/v1.2.1

Changes since v1.2

• Support games lacking a SYSTEM.CNF file. Fixes Gunners Heaven (NTSC-J) (SCPS-10006) not booting.
• Support games with a SYSTEM.CNF lacking certain configuration entries. Fixes Tekken 3 (NTSC-U) (SLUS-00402) not booting.
• Clear some registers for bugged games. Fixes Pepsiman (NTSC-J) (SLPS-01762) not booting.

When a new version is launched, do i need to re-copy the saves from games or just the Tonyhax exploit save?

 

[segashack]

Verbatim are the best. You better find a simple old DVD burner and burn at lowest speed. Use CloneCD or Imgburn to burn. The problem with PS1 ISO is that are not ISO, usually are in cue and bin format but sometimes in mdf and mds or img ccd sub, depending of the program used to rip the game. Many games are multitrack, some have libcrypt so you have to patch the ISO just to be sure. If you have a multitrack game you need to convert to one bin and one cue. Usually i do this: mount the multiple track image with Daemon Tools and convert the image with CloneCD, then mount the converted image to Dameon Tools and burn with CloneCD with specified settings.

Thanks so much for the information! I really appreciate it. I do have an old PC with an IDE DVD burner that I used in the dreamcast days, maybe I should try that one.

 

[Cake4all]

Could you please share an screenshot copy the text on screen? That error message means the main executable couldn't get loaded, and one reason could be the SYSTEM.CNF isn't getting properly parsed.

I was using 1.1.1 previously with the same issue

 

[rmorris003]

So they found a swap magic trick for the PS1. I see this as no different since you have to load it every time you power on.

 

[socram8888]

When a new version is launched, do i need to re-copy the saves from games or just the Tonyhax exploit save?

From now on, the first stage should be stable enough not to need any upgrades, so the tonyhax SPL (tonyhax.mcs/SLEM-99999TONYHAX) only.

I've made no changes to them since 1.1.2

 

[Baraksha1]

So, I do not have any of the games currently supported. so I decided to attempt understanding how this thing works myself and see if I can modify a save file for one of the games I actually own. that didn't work well since I honestly don't know what im doing so I think my best option is to put my best recomandation for a candidate and hope s0cram8888 could maybe add support to it.

the game in question that I own is Beyblade by Sunsoft, its the only game I have that I know allows you to write down your name on the save file which from my understanding seem to be a necesasity for this to work. I also test it out and you can edit the save file to have more characters then what is displayed on the save profile, not sure if that means much tho. hopefuly you can figure it out.

 

[driverdis]

So they found a swap magic trick for the PS1. I see this as no different since you have to load it every time you power on.

This is different than swap magic since the drive stays unlocked to read backup discs even after opening the tray.

In fact i used this on an SCPH-39001 PS2 and was able to skip the AntiMod protection on Spyro 3 NTSC via ejecting the game normally before the main menu and using my original disc to get to the load save menu. After I get to the save screen, I eject the game normally and load into Spyro just fine.

without this mod, you would need a flip top cover mod and hot swap the discs while the drive is running.

Basically I am using the original 1.0 disc to pass the AntiMod when it looks for the wobble then swapping back to my copy. Since the game is not modified, it should not trigger the AntiCrack protection although I have not played enough yet to find out.

why would I do this?
I have the original 1.0 Spyro 3 with the reused music tracks and other bugs and a burned copy of version 1.1 that has unique music tracks and bug fixes.

Problem is that Paradox and other groups did not bother to crack 1.1 so there is no way to burn a 100% functional version without a stealth modchip until now. If I am wrong about this, someone please tell me as I would love to not need to do this when I want to play.

 

[halfpricebuttes]

This is different than swap magic since the drive stays unlocked to read backup discs even after opening the tray.

[snip]

Problem is that Paradox and other groups did not bother to crack 1.1 so there is no way to burn a 100% functional version without a stealth modchip until now. If I am wrong about this, someone please tell me as I would love to not need to do this when I want to play.

If I'm understanding this correctly you shouldn't need to swap. Very few PS1 games actually seeked back to sector 4 to check to see if the wobble was still present there, instead preferring to check for a lack of wobble on later sectors to defeat cheaper modchips. By the time stealth modchips came out developers were more interested in binary protection mechanisms like libcrypt than repeated wobble checks.

If you burn a proper CloneCD copy of the game with the bad Q subchannel data libcrypt uses intact you shouldn't need to swap.

 

[driverdis]

If I'm understanding this correctly you shouldn't need to swap. Very few PS1 games actually seeked back to sector 4 to check to see if the wobble was still present there, instead preferring to check for a lack of wobble on later sectors to defeat cheaper modchips. By the time stealth modchips came out developers were more interested in binary protection mechanisms like libcrypt than repeated wobble checks.

If you burn a proper CloneCD copy of the game with the bad Q subchannel data libcrypt uses intact you shouldn't need to swap.

I will try that later as I have an original Spyro 3 1.1 disc arriving in the mail soon I will rip properly and test.

the 1.1 copy I have boots on my stealth PS1 and fails on my two older non stealth systems so I assumed the game data was fine.

from what I have read the NTSC versions don’t need sub channel data to work.

 

[shock44]

Hi, I'm having an issue trying out this exploit. I have a FAT PS2 with the model number SCPH-30001. I copied over the RAW save game file for Crash Bandicoot 3: Warped. I popped in my copy of the game and I loaded up the tonyhax save file and I get a red screen. I tried waiting for a while but nothing happens. Can anybody help me with this?

 

[Baraksha1]

Hi, I'm having an issue trying out this exploit. I have a FAT PS2 with the model number SCPH-30001. I copied over the RAW save game file for Crash Bandicoot 3: Warped. I popped in my copy of the game and I loaded up the tonyhax save file and I get a red screen. I tried waiting for a while but nothing happens. Can anybody help me with this?

you most likely forgot to also include the TonyHax SPL save file. look for "tonyhax.mcs" and add it to your memory card

 

[socram8888]

From v1.2.2, tonyhax will support patching some games with anti-modchip checks. So far Tomba 2 (US) and YuGiOh Forbidden Memories (US and SP) are both supported.

If you know any game that has the black screen of death please let me know.