​

Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for the Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlocks the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it, to which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

Source
Download Link

 

[dominater01]

From v1.2.2, tonyhax will support patching some games with anti-modchip checks. So far Tomba 2 (US) and YuGiOh Forbidden Memories (US and SP) are both supported.

If you know any game that has the black screen of death please let me know.

tetris With Cardcaptor Sakura: Eternal Heart japan has this same screen it shows a loading screen then bam call bla bla bla

 

[Leon11]

My copy has just arrived

 

[RandomGamerRiven]

From v1.2.2, tonyhax will support patching some games with anti-modchip checks. So far Tomba 2 (US) and YuGiOh Forbidden Memories (US and SP) are both supported.

If you know any game that has the black screen of death please let me know.

Got a failed to load with Chrono Cross (Original North American version) [Disc 1 & 2] SLUS-01041

In Tonyhax 1.2.1

Gives the following message read out:
Loading System.CNF
TCB = 00000004
EVENT = 00000016
STACK = 801FE000
BOOT = =
Configuring kernel
Loading executable
Loading Failed
Swap CD now

If you swap cd after that I think the software has crashed as it does nothing,

Suspect this was one of the better protected games on PS1, along with the NTSC/J version of Legend of Mana.

Everything else I've tried has worked perfectly, including many games that failed on mod chips.

 

[socram8888]

Got a failed to load with Chrono Cross (Original North American version) [Disc 1 & 2] SLUS-01041

This is a known bug in v1.2.1 and is already solved. v1.2.2 will work with this game.

 

[dominater01]

v1.2.2 didnt fix tetris for me

 

[driverdis]

Since it’s only possible on older models, wouldn’t getting a HDD be better overall?

Technically, but some people like myself like playing off of the original disc at times and for imports would need a modchip to play original games.

unlocking the drive in while in PS2 mode (if even possible) may allow to boot different region and copied PS1 and PS2 (blue CD) games on a PS2 without needing to boot TonyHax via a PS1 game which only allows for playing PS1 games.

this scenario has limited uses since not many good PS2 games are on PS2 CD and it is a mild inconvenience at worst to boot TonyHax for playing PS1 games.

 

[tech3475]

Technically, but some people like myself like playing off of the original disc at times and for imports would need a modchip to play original games.

unlocking the drive in while in PS2 mode (if even possible) may allow to boot different region and copied PS1 and PS2 (blue CD) games on a PS2 without needing to boot TonyHax via a PS1 game which only allows for playing PS1 games.

this scenario has limited uses since not many good PS2 games are on PS2 CD and it is a mild inconvenience at worst to boot TonyHax for playing PS1 games.

I know there was a thread elsewhere about Mechacon's BIOS being dumped and potentially allowing for the DRM to be bypassed. But it's very early stages if at all possible.

 

[someMAUZ]

⠀

 

[RandomGamerRiven]

This is a known bug in v1.2.1 and is already solved. v1.2.2 will work with this game.

Thanks for taking the time to reply socram8888

I'll sign up to your github to report bugs there I find, I'm guessing you are already aware that Chrono Cross doesn't work with v.1.2.2 and NTSC/J Legend of Mana SLPS 02170 is still triggering copy protection also in the latest version.

I've confirmed on PlayStation 2 software PS1VModeNeg v1.01 does indeed force PAL games into 60Hz as this video shows, however most games are misaligned on screen either too low or to high and not centred correctly resulting in screen cut off.


Tonyhax might want to add screen alignment options like GSM has to raise or lower the screen. As by default using Tonyhax some games are aligned incorrect as well.

 

[HaloEffect17]

Any plans for an exploit using Cool boarders 3? I saw that Coolboarders 4 works.

 

[Tweaker_Modding]

ok so basically my ps1 (scph-102) has a fucked up sensor and always thinks the drive is closed. no matter what i do this little bastard doesn’t want to act normal and only think the drive is closed when its closed.

will tonyhax still work or am I fucked?

 

[driverdis]

ok so basically my ps1 (scph-102) has a fucked up sensor and always thinks the drive is closed. no matter what i do this little bastard doesn’t want to act normal and only think the drive is closed when its closed.

will tonyhax still work or am I fucked?

The current TonyHax build requires to open the tray so you are SOL unless a build is made where you can press a button to verify a disc swap vs opening the tray. I don’t know if the drive will read the new TOC this way since the lid close and open forces the drive to reinitialize and read the new disc’s TOC for maximum compatibility.

Use could use SwapMagic or a modchip to get around TonyHax not working but a modchip is the only way to read the new disc’s TOC first and works with AntiMod games like Spyro 3 NTSC.

 

[Tweaker_Modding]

The current TonyHax build requires to open the tray so you are SOL unless a build is made where you can press a button to verify a disc swap vs opening the tray. I don’t know if the drive will read the new TOC this way since the lid close and open forces the drive to reinitialize and read the new disc’s TOC for maximum compatibility.

Use could use SwapMagic or a modchip to get around TonyHax not working but a modchip is the only way to read the new disc’s TOC first and works with AntiMod games like Spyro 3 NTSC.

ok i’ll keep that in mind

but i was playing dancing stage party edition just now on my ps1 and mid song the disc stopped spinning and the sensor finally came to its senses and started working properly so i may not be at a loss with tonyhax unless its starts being a bastard again

 

[BilehBawb]

Can you use ntsc-U on Pal consoles?

 

[driverdis]

Can you use ntsc-U on Pal consoles?

You can with a modchip but TonyHax is not really needed on a modchipped system since it can already play backup and other region games.

 

[BilehBawb]

You can with a modchip but TonyHax is not really needed on a modchipped system since it can already play backup and other region games.

Is there any os on the system or is the tonyhax tricking the Ps1 to play backups.

 

[DarthMotzkus]

Is there any os on the system or is the tonyhax tricking the Ps1 to play backups.

Please, read about the hack/exploit before start asking basic questions. The first thing all newcomers have to do is read it. There's a section named How does this work in the site below.

TONYHAX

 

[driverdis]

Is there any os on the system or is the tonyhax tricking the Ps1 to play backups.

It is using previously undocumented commands on the disc drive controller to turn off the license check. This is similar to how older Wii DVD drives could be sent commands for regular dvd playback allowing to load backup Wii and GameCube games off of a disc.

 

[Lindaru]

Chrono Cross doesn't work on 1.2.2 ;w;

It gives this:

Loading System.CNF
TCB = 00000004
EVENT = 00000016
STACK = 801FE000
BOOT = =
Configuring kernel
Loading executable
Loading Failed
Swap CD now

it's the disc or does this happen with every version of the game?

EDIT: Tested with 1.2.3b "Beta?" found in github and Chrono Cross "at least disc 1 for now" works like a charm.
Maybe it had something to do with the loader?

 

[Tweaker_Modding]

my copy of pro skater 3 arrived today and magical drop 3 and magical drop +1 work perfectly over tonyhax

the nostalgia is real rn