Front-page

Tonyhax is a new softmod backup loader for the PlayStation 1



Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for the Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.
Click to expand...

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlocks the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.
Click to expand...

You'll need a PS1 memory card with tonyhax on it, to which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

:arrow: Source
:download: Download Link
 
  • Like
Reactions: Deleted User, Hoppy, _47iscool and 70 others
Click to expand...
DarthMotzkus

DarthMotzkus

Well-Known Member
Member
Level 5
Joined
Jul 10, 2020
Messages
176
Trophies
0
Age
27
Location
Florianópolis - SC, Brasil
XP
682
Country
Brazil
socram8888 said:
I'm aware of this exploit. Looks like an interesting way to launch tonyhax, though given it requires specialized hardware I've not yet been able to use it on real hardware.

I've been considering trying something to ease its installation, but it's still in the early planning stages.
Click to expand...

Awesome, keep us updated!
 
Cake4all

Cake4all

Member
Newcomer
Level 6
Joined
Jul 13, 2017
Messages
21
Trophies
0
XP
742
Country
United Kingdom
Would it be possible just to download the tonyhax SPL file from GitHub instead of the entire folder in the future (for people who already have the game saves on their memory cards)?
 
Last edited by Cake4all,
socram8888

socram8888

Well-Known Member
Newcomer
Level 4
Joined
Apr 6, 2009
Messages
81
Trophies
1
Age
29
Location
Valencia, Spain
Website
orca.pet
XP
560
Country
Spain
Cake4all said:
Would it be possible just to download the tonyhax SPL file from GitHub instead of the entire folder in the future (for people who already have the game saves on their memory cards)?
Click to expand...
Even with all the files, it's just a 100kB ZIP.

Also I recommend installing the entrypoints also, as I tend to make some breaking changes from time to time (such as for 1.3, which will be totally incompatible with current entry point saves)
 
  • Like
Reactions: Cake4all
mistamontiel

mistamontiel

Member
Newcomer
Level 1
Joined
Apr 2, 2021
Messages
14
Trophies
0
Age
34
Location
Miami, FL, CUBA
Website
www.youtube.com
XP
62
Country
Cuba
RlsNo5X.jpg


This really cool for bootdisc! Funny that I haven't been able to load last UniROM update but this just did lol

Gunners' Heaven quite odd not having no attract mode
 
duwen

duwen

Old Man Toad
Member
Level 14
Joined
Sep 6, 2013
Messages
3,187
Trophies
2
Location
Bullet Hell
Website
www.exophase.com
XP
4,284
Country
United Kingdom
@socram8888
Sorry for posting an issue report here rather than on the git, but I don't have an account there.
I've worked my way through testing all my legit NTSC import disks (predominantly Japanese, but also several US) on my PAL PS2 (3900X model), using Cool Boarders 4 as the entrypoint. Pretty much everything works as expected - I've been using GSM to set screen resolution (without it image is forced to the top of the screen, with a 96 line black border at the bottom - the discrepancy between 480 and 576). The v1.3b version you supplied on github doesn't seem to fix the image position/border issue and there's still audio sync issues in fmv on some NTSC titles. That beta release also displays the Tonyhax screen incorrectly; header midway down the screen with all the useful info at the foot pushed out of view at the bottom.
Running PS1VModeNeg v1.01 before booting the Cool Boarders 4 disk does seem to fix all NTSC issues on a PAL machine, and negates the use of GSM.
I saw there was a freezing issue raised for the NTSC-U version of Einhander. I can confirm the exact same issue with the NTSC-J version. Tried with tonyhax v1.2.2, v1.2.3 and v1.3b.
Only found two titles in my collection that wouldn't boot at all using any versions of Tonyhax; Xenogears (NTSC-U) and Bust a Move (NTSC-J, aka Bust a Groove).
Looking forward to testing all these again with the next release, and I'm beyond grateful to you for finally having a way to natively play my PS1 imports on my PS2 so I don't need to dig out my modchipped PS1.

RandomGamerRiven said:
I've confirmed on PlayStation 2 software PS1VModeNeg v1.01 does indeed force PAL games into 60Hz as this video shows, however most games are misaligned on screen either too low or to high and not centred correctly resulting in screen cut off.
Click to expand...
Have you (anyone) got a link for PS1VModeNeg v1.01? I can't find a valid link for it anywhere, and v1.10 doesn't seem to work correctly at all.
It's okay, I found it via the Youtube video you mentioned in another of your posts.
The file's HERE if anyone else needs it.
 
Last edited by duwen,
duwen

duwen

Old Man Toad
Member
Level 14
Joined
Sep 6, 2013
Messages
3,187
Trophies
2
Location
Bullet Hell
Website
www.exophase.com
XP
4,284
Country
United Kingdom
socram8888 said:
@duwen I've uploaded several images to GitHub, a few of which were broken. Which is the one you tried?
Click to expand...
Thanks for responding. I tried the one you put up 5 days ago, but just noticed you put a new one up on #56 a few hours ago. I'll give it a try later.

edit

@socram8888

So, I've just been trying the new v1.3b that you issued today...
On the plus side, the tonyhax swap screen is fixed now, and looks great. Really like all the additional info that's displayed.
Issues I was having with certain games that switch resolutions between fmv and title screens now seem to work okay.
However, the image is still displaying as 480 'windowed' at the top of a 576 frame (PS2 outputting via component, and TV's still reporting 576i rather than 480). Audio sync issues are still there too.
All games that wouldn't load on previous versions still won't load.

Unfortunately, at present it's still better to be using v1.2.3 with PS1VModeNeg - NTSC titles run correctly with no audio sync issues, and are correctly outputting at 480 in fullscreen.
 
Last edited by duwen,
Baraksha1

Baraksha1

Member
Newcomer
Level 2
Joined
Mar 23, 2021
Messages
10
Trophies
0
Age
26
XP
153
Country
Israel
I already made a post here before that is somewhat related, but I don't know what to do so I guess its worth typing again.
in a nutshell I been attempting to see if I can really understand how this softmod works (despite being inexpirienced). you see, I would absolutely love to use this because I don't have many PS1 games and I wish to use my PS1 more. the problem is that I don't own any of the games currently listed for support. I was hoping I could get this to work with the ones I do own by tempering with their save files and try copying what the other save files in the GitHub do. that proved to be more complicated then I though. this got me to think, what tools and methods does one use to figure this stuff out? becuase I am currently trying to make this work with Beyblade by Sunsoft and I was able to overwrite text data with a long name, but im not sure if it really overwrites anything. im not sure what I can do to really tell weather the game is compatible or not. do I need to use a RAM viewer or something?
 
Last edited by Baraksha1,
socram8888

socram8888

Well-Known Member
Newcomer
Level 4
Joined
Apr 6, 2009
Messages
81
Trophies
1
Age
29
Location
Valencia, Spain
Website
orca.pet
XP
560
Country
Spain
v1.3 has just been released after nearly two weeks improving it, and most importantly, ironing out bugs. Available at https://github.com/socram8888/tonyhax/releases/tag/v1.3

Changelog
  • tonyhax is now bootable using the FreePSXBoot exploit.
  • Added support for Castlevania Chronicles (U) (SLUS-01384) as entry point.
  • Added automatic switching between PAL and NTSC. tonyhax will detect the game's region and swap to the correct one before launching the game, ensuring it runs at the correct speed. Support is still spotty for the PS2, though.
  • Improved loading speed of every entry point to match that of Tony Hawk games - no more purple screens!
  • Increased the screen resolution. tonyhax now uses VGA video which allows more info on screen, making debugging easier.
  • Added antimodchip patch for Resident Evil Survivor (U) (SLUS-01087)
  • Added antimodchip patch for pop'n music 2 (J) (SLPM-86294)
  • Added antimodchip patch for pop'n music 6 (J) (SLPM-87089)
  • Fixed antimochip patch for Tetris with Card Captor Sakura - Eternal Heart (J) (SLPS-02886)
@mistamontiel could you please try with this one? It's got some extra debugging which would make figuring out why that game doesn't work much easier.
 
  • Like
Reactions: Baraksha1, Cake4all, Elbart and 2 others
manks

manks

Member
Newcomer
Level 5
Joined
Mar 2, 2021
Messages
23
Trophies
0
Age
34
XP
569
Country
United States
I had been using a DexDrive + Dexter to set my memory card up before before, was working perfectly for Tonyhax 1.2.2 and 1.2.3. However now trying to copy the 1.3 tonyhax.mcs fails every time in Dexter, it gets about halfway and then an "unknown error" every time. I've tried freshly formatting the card etc. Anything else I can try or info I can provide?
 
zfreeman

zfreeman

Well-Known Member
Member
Level 14
Joined
Mar 9, 2013
Messages
1,556
Trophies
2
Location
USA
XP
3,976
Country
United States
manks said:
I had been using a DexDrive + Dexter to set my memory card up before before, was working perfectly for Tonyhax 1.2.2 and 1.2.3. However now trying to copy the 1.3 tonyhax.mcs fails every time in Dexter, it gets about halfway and then an "unknown error" every time. I've tried freshly formatting the card etc. Anything else I can try or info I can provide?
Click to expand...
MemcardRex v1.9
MemcardRex v1.9.png
 

Attachments

  • upload_2021-4-18_1-30-30.png
    upload_2021-4-18_1-30-30.png
    41.2 KB · Views: 166
Last edited by zfreeman,
socram8888

socram8888

Well-Known Member
Newcomer
Level 4
Joined
Apr 6, 2009
Messages
81
Trophies
1
Age
29
Location
Valencia, Spain
Website
orca.pet
XP
560
Country
Spain
mistamontiel said:
IjDX8U8.jpg


@socram8888 sorry for wait
Click to expand...
Hmmm all the info here seems to be correct. I was afraid it would have some sorta of weird antipiracy where it would screw up the loading point or size (as trying on an emulator that's what happened, I was getting garbled info on the "Loading executable (x @ y)" line).

I am gonna open an issue and investigate it. Is it an original import disc or a burned one?
 
Last edited by socram8888,
manks

manks

Member
Newcomer
Level 5
Joined
Mar 2, 2021
Messages
23
Trophies
0
Age
34
XP
569
Country
United States

Attachments

  • vlcsnap-2021-04-18-07h37m28s548.png
    vlcsnap-2021-04-18-07h37m28s548.png
    17.2 KB · Views: 139
  • MemcardRex_2021-04-18_07-43-32.png
    MemcardRex_2021-04-18_07-43-32.png
    17.4 KB · Views: 156
zfreeman

zfreeman

Well-Known Member
Member
Level 14
Joined
Mar 9, 2013
Messages
1,556
Trophies
2
Location
USA
XP
3,976
Country
United States
manks said:
Thanks so much for the help, brings me a step closer. Now the entrypoint and loader are on my memory card, and the save file successfully loads in Castrol, but tonyhax 1.3 gives me an "Integrity check failed" message every time. I'm using a SCPH-9001.
Click to expand...
I also had problems copying, especially with certain 3rd-party cards. I ended up copying the save from a 2nd, working card using the PS1's memory card manager.
 
mistamontiel

mistamontiel

Member
Newcomer
Level 1
Joined
Apr 2, 2021
Messages
14
Trophies
0
Age
34
Location
Miami, FL, CUBA
Website
www.youtube.com
XP
62
Country
Cuba
@socram8888 she's burnt, but able to play with earlier UniROM v8x version (current now hangs too)

Not protected

EDIT: @zfreeman there's a v1.9 MemcardRex!? Shendo's last blogspot post just says v1.8 all this lol time

EDIT 2: Well @socram8888 PAL version with PAL4u to make 60hz is working! Yusha Heaven's Gate SLES 00713
 
Last edited by mistamontiel,
manks

manks

Member
Newcomer
Level 5
Joined
Mar 2, 2021
Messages
23
Trophies
0
Age
34
XP
569
Country
United States
socram8888 said:
@manks can you try reading that file back from the memory card and attach it here? I wanna see if the file got copied successfully and thus is an error on my side, or if it's a problem with your setup
Click to expand...
Sure thing, thank you - here's the save exported back by MemcardRex. It does look like something is happening to the file along the way.
 

Attachments

  • BESLEM-99999TONYHAX.zip
    4.9 KB · Views: 121

Site & Scene News

Go to forum More news

Popular threads in this forum

Nintendo Switch firmware 18.0.0 has been released

GitLab has taken down the Suyu Nintendo Switch emulator

Atmosphere CFW for Switch updated to pre-release version 1.7.0, adds support for firmware 18.0.0

Wii U and 3DS online services shutting down today, but Pretendo is here to save the day

Denuvo unveils new technology "TraceMark" aimed to watermark and easily trace leaked games

GBAtemp Exclusive  Introducing tempBOT AI - your new virtual GBAtemp companion and aide (April Fools)

Pokemon fangame hosting website "Relic Castle" taken down by The Pokemon Company

MisterFPGA has been updated to include an official release for its Nintendo 64 core

General chit-chat
Help Users
    LeoTCK @ LeoTCK: butthurt aren't ya? can't stand the truth