​

Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for the Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlocks the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it, to which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

Source
Download Link

 

[socram8888]

Yeah this game is rigged with antipiracy everywhere. There's no way this can be patched from within tonyhax.

 

[duwen]

Can you please try with this beta version of tonyhax? https://github.com/socram8888/tonyhax/files/6519361/tonyhax-v1.3.5b.zip

I've made three different improvements that are directly related to compatibility on the PS2. Hopefully one of them fixes the issue you're experiencing.

Just finished checking all the games I previously had issues with and they now all work perfectly!
To clarify; I'm using Cool Boarders 4 entrypoint on a PAL 39003 PS2, th1. 3.5b. The legit (not burned) disks that were previously not booting but now work great are NTSC-U Xenogears, and 3 NTSC-J titles, Bust-a-Move, Einhander, and Tobal 2.
I also tried a couple of burned disks that previously wouldn't boot and they both work fine now too; NTSC-U Colony Wars and the "True Directors Cut" patched Resident Evil (I saw that someone else had raised an issue on github about vanilla Resident Evil Directors Cut only booting via Game shark, so I guess this latest build fixes that one too).

Great work! I'm beyond grateful for all your work on tonyhax @socram8888 !

 

[DarthMotzkus]

View attachment 263833
Yeah this game is rigged with antipiracy everywhere. There's no way this can be patched from within tonyhax.

It's outside of .exe too? Or in other addresses inside the .exe?

 

[socram8888]

It's outside of .exe too? Or in other addresses inside the .exe?

Multiple addresses in a lot of files. Heck, that .XA file is an audio file that has the antipiracy hidden at the end!

Anyhow I am working on v1.4. Instead of booting from the second memory card slot (which I depend of FreePSXBoot to achieve) as I wanted to implement for this version, I am working on something new: automatic anti-anti-modchip patching!

Hopefully this code I am writing would be able to defuse literally every game out there with antimodchip.

 

[NerdGamer35]

Hi all.Firstly a big thank you for @socram8888 and all the people that help get this software working. For me it allows getting my old collection back with out breaking the bank. So far I managed to have all my backups working except 2. I’m on a PSone 102, TonyHax version 1.3.3. The offenders are Tekken 3 and RidgeRacer 4 both USA. The games run ok but I can’t get the controller to register any input on the games.I’ve tried 2 different ones and those games are the only ones that this happens. Has anyone got the same issue as me or is it just a flucke of the CD burning process, or something else? Thank you for the help. Cheers

 

[duwen]

@socram8888
#61 Einhänder (US) fails to pass first loading screen on PS2
pretty sure you can close this one - it definitely works for me now where it didn't previously.

#24 SYSTEM.CNF loading issue on PS2 consoles
I'd tentatively say this one is fixed now too. I believe that the last comments on there (EDIT : Still not working, gets stuck a bit reading the system.cnf then says Reinitializing kernel swap cd now. Thanks tho!
EDIT 2 : Another game that didn't work for me was Parasite EVE i just tried it and it said Bios won't fit or w/e and then loaded lol) are down to poor burns - Parasite Eve has worked for me on ALL previous releases of tonyhax, albeit with the same bios error.

 

[socram8888]

@duwen thanks for the reports! I've closed the first one. The second one is probably still a pending issue that might not be even fixable, as I think it might depend on the settings used by PS1DRV.

For everyone, I went to bed at like 3am but managed to finish a beta version of v1.4, which includes the automatic antipiracy patching. Can be downloaded at https://github.com/socram8888/tonyhax/files/6529197/tonyhax-v1.4b.zip

This one features even more BIOS patches, so if you find any game that behaves funny or the antipiracy is triggered let me know so I can look into it.

 

[NerdGamer35]

@socram8888
Thx for the updates and hard work. I can confirm that both games RR4 and Tekken 3, still don't recognize any controller input with build 1.4b.
I have reburned the games with the lowest speed possible, using a Verbatim cd-r, previous attempts where with a TDK cd-r.
Both games boot up fine and intro video runs smoothly. The only issue is the controller not working.
Tested on a PSone 102, original mc, both original and 3rd party controllers tested. RE3 and Front Mission 3 games work fine with same setup. Curious that only those Namco games don´t work.
Entry point Crash 3.

PS - Tried Metal Gear Solid Integral NTSC version also the same issue with the controller.

 

[socram8888]

Just released v1.4! It's been just two days since the last release, but this one comes with very fancy and juicy improvements!

Changelog

• Added automatic patching against anti-mochip. Fixes #37, #74 and #76, plus probably every game out there that hadn't been reported yet.
• Added an option to launch tonyhax as a boot CD, so you can benefit from the automatic game patching if your console does not have a stealth modchip. Thanks @alex-free!
• Mute all audio channels before launching a game, which fixes the launching game's loops from playing in launched games, fixing two games of #35
• Reinitialize the entire console's RAM, so the game launches in a predictable state. Fixes the last game of #35.

Available at https://github.com/socram8888/tonyhax/releases/tag/v1.4.

 

[KleinesSinchen]

Just released v1.4! It's been just two days since the last release, but this one comes with very fancy and juicy improvements!

Changelog

• Added automatic patching against anti-mochip. Fixes #37, #74 and #76, plus probably every game out there that hadn't been reported yet.
• Added an option to launch tonyhax as a boot CD, so you can benefit from the automatic game patching if your console does not have a stealth modchip. Thanks @alex-free!
• Mute all audio channels before launching a game, which fixes the launching game's loops from playing in launched games, fixing two games of #35
• Reinitialize the entire console's RAM, so the game launches in a predictable state. Fixes the last game of #35.

Available at https://github.com/socram8888/tonyhax/releases/tag/v1.4.

Tonyhax and FreePSXBoot make the most of any PlayStation 1.

Can't give you more than my usual "Thank you!" for the good work. Modchips would never have been needed if this existed back then. No reason to ever touch the original discs again.

 

[DarthMotzkus]

Just released v1.4! It's been just two days since the last release, but this one comes with very fancy and juicy improvements!

Changelog

• Added automatic patching against anti-mochip. Fixes #37, #74 and #76, plus probably every game out there that hadn't been reported yet.
• Added an option to launch tonyhax as a boot CD, so you can benefit from the automatic game patching if your console does not have a stealth modchip. Thanks @alex-free!
• Mute all audio channels before launching a game, which fixes the launching game's loops from playing in launched games, fixing two games of #35
• Reinitialize the entire console's RAM, so the game launches in a predictable state. Fixes the last game of #35.

Available at https://github.com/socram8888/tonyhax/releases/tag/v1.4.

Amazing work man, congratulations! Did the next step will be the "slot 2" boot btw?

 

[Lindaru]

@socram8888 "added an option to launch tonyhax as a boot CD"? this is only for the FreeMCBoot or? :o

 

[duwen]

@socram8888 "added an option to launch tonyhax as a boot CD"? this is only for the FreeMCBoot or? :o

It's for modchipped PS1's that need to utilise the AP patching.

 

[Lindaru]

It's for modchipped PS1's that need to utilise the AP patching.

aww :<

 

[duwen]

@socram8888
The latest official build (1.4) seems to take a lot longer to boot than the previous (1.4b) - it hangs on a yellow screen for a good few seconds... is this due to the anti-modchip patching?

Also, now I'm able to load up all my official import disks I've begun troubleshooting some of the burned titles others are having issues with...
Firstly, Megaman X4 (as it seems to be one mentioned several times within the system.cnf issues thread), but it works fine for me.
I've said before, but I'm using a PAL 39003 PS2 with Cool Boarders 4 entrypoint. From the evidence so far it seems that different entrypoints have different compatability, with the Brunswick games having the poorest and Cool Boarders 4 and the Tony Hawks games having the best.
I'll continue checking other games that have been flagged as problematic, but so far everything is working great on my set up.

 

[socram8888]

@duwen ... yellow screen? Do you mean the green one? If so that's indeed expected, as in order to fix a bugged game (Test Drive 6) I clean the entire console's RAM using the super slow on-ROM bcopy method, which takes its sweet time to finish.

In v1.4.1 it will still do it, but it'll be less noticeable as the clean RAM process will be done later in the boot process (right before loading the game's executable, when the display has been already initialized).

 

[duwen]

@duwen ... yellow screen? Do you mean the green one? If so that's indeed expected, as in order to fix a bugged game (Test Drive 6) I clean the entire console's RAM using the super slow on-ROM bcopy method, which takes its sweet time to finish.

In v1.4.1 it will still do it, but it'll be less noticeable as the clean RAM process will be done later in the boot process (right before loading the game's executable, when the display has been already initialized).

Yeah, probably green... after the blue (probably causes some sort of optical illusion with my eyes so I see yellow)

 

[socram8888]

Just finished with v1.4.1, available at https://github.com/socram8888/tonyhax/releases/tag/v1.4.1

Changelog

• Improved entrypoint stability, which fixes random red screens in the bowling games (issues #89, #90)
• Reduced BIOS initialization time, spending less time in the green screen of death.
• Made CD initialization errors non-fatal.
• Improved logging to remove duplicated messages.

IMO the most important change is the third one: inserting a damaged disc, or no disc at all, will no longer cause tonyhax to freeze. It will instead just be handled gracefully and will allow the user to enter another disc.

 

[duwen]

Booting with 1.4.1 is a significant improvement over the last version. Just a flash of the green screen, after the blue, before getting to the TH info screen.
I've been testing some more of the problematic system.cnf titles on PS2 and so far every single one of them has worked fine for me.
I'm going to deduce that the issue is specific to either a certain entrypoint or PS2 model or combination of the two.
As mentioned previously, my PAL 39003 PS2 with Cool Boarders 4 entrypoint is loading everything I'm throwing at it using TH1.4.1.

 

[Baraksha1]

I tried looking this up but I couldn't find a solution, I recently burned Castlevania Symphony Of The Night and when I tried using TonyHax it returned a code error:

"disk error type d code 12 (x11)"

is it a problem with the disk I burned?