Tonyhax is a new softmod backup loader for the PlayStation 1



Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx's secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation of how tonyhax works are available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check whether a skater profile name has been edited or tampered with in any way. If the skater name is edited in a dramatic way, it overwrites the system's memory, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the SPL sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to show that everything has worked fine up to this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it; Socram recommends using a PS2 and Free MCBoot to copy it over. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

 


socram8888

> Sure thing, thank you - here's the save exported back by MemcardRex. It does look like something is happening to the file along the way.
> Thanks!

So your copy has exactly three bytes different to the version released on GitHub:
- The first and second changes are in the MCS file header, and are totally benign and expected: one is a difference in the "next sector pointer" (i.e. where the second block of data is stored, and this is expected to change depending on which blocks are used and which are free on the memory card), and the second is a checksum over this header (which changes because the data has changed too).
- The third change is the one that trashes the data, and it's a change from 0x00 to 0xB0 at offset 0x1E40, which I think is part of the tiny orca logo. The reason why this happens is beyond me, as this is just a normal byte inside the save file data that the manager should treat as opaque binary data and not mess with.
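
The comparison described in the post above, as an added example that is not part of the original thread or of the tonyhax project: it splits the byte differences between two .mcs saves into the expected header changes and everything else, and re-verifies the header checksum. It assumes the .mcs layout is a 128-byte directory-frame header (next-block pointer at 0x08, XOR checksum at 0x7F) followed by the raw save data; the sample saves, file name and function names are constructed for illustration.

```python
import struct

FRAME = 128        # .mcs header: one 128-byte memory card directory frame
NEXT_PTR = 0x08    # 16-bit little-endian pointer to the save's next block
CHECKSUM = 0x7F    # XOR of header bytes 0x00..0x7E
BENIGN = {NEXT_PTR, NEXT_PTR + 1, CHECKSUM}


def header_checksum(image: bytes) -> int:
    """XOR of the first 127 header bytes, as stored at offset 0x7F."""
    value = 0
    for byte in image[:CHECKSUM]:
        value ^= byte
    return value


def classify_diff(reference: bytes, candidate: bytes) -> dict:
    """Split byte differences into expected header changes and everything else."""
    if len(reference) != len(candidate) or len(reference) <= FRAME:
        raise ValueError("both saves must be the same size and larger than a header")
    report = {"benign": [], "suspicious": []}
    for offset, (old, new) in enumerate(zip(reference, candidate)):
        if old != new:
            kind = "benign" if offset in BENIGN else "suspicious"
            report[kind].append((offset, old, new))
    # A relocated save is only trustworthy if its header checksum was redone.
    report["checksum_valid"] = header_checksum(candidate) == candidate[CHECKSUM]
    report["intact"] = report["checksum_valid"] and not report["suspicious"]
    return report


def build_sample(next_block: int, corrupt: bool = False) -> bytes:
    """Constructed two-block save for the demo; not a real tonyhax file."""
    image = bytearray(FRAME + 0x4000)
    # Allocation state, file size, next-block pointer.
    struct.pack_into("<IIH", image, 0, 0x51, 0x4000, next_block)
    name = b"BASCUS-00000SAMPLE"            # placeholder file name
    image[0x0A:0x0A + len(name)] = name
    image[CHECKSUM] = header_checksum(image)
    for i in range(FRAME, len(image)):      # arbitrary payload pattern
        image[i] = (i * 7) & 0xFF
    image[0x1E40] = 0xB0 if corrupt else 0x00
    return bytes(image)


if __name__ == "__main__":
    released = build_sample(next_block=0x0001)
    exported = build_sample(next_block=0x0005, corrupt=True)
    result = classify_diff(released, exported)
    for kind in ("benign", "suspicious"):
        for offset, old, new in result[kind]:
            print(f"{kind:10} 0x{offset:04X}: 0x{old:02X} -> 0x{new:02X}")
    print("header checksum valid:", result["checksum_valid"])
    print("payload intact:", result["intact"])
```
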
 

manks

@zfreeman wow, I must extend my wholehearted thanks yet again. I had not been using the power adapter for the DexDrive and the previous versions worked fine that way - but it seems to be making the difference for 1.3!

@socram8888 thanks so much for your time, seems like I'm sorted now. Absolutely love this exploit, it's breathed new life into my PS1.
 

DarthMotzkus

Could anyone teach me how to prepare a memory card to run tonyhax via FreePSX? I can't find a guide for that, using uLaunch.elf on PS2 for it.

EDIT: Hey @socram8888, how are you doing, man? Well, I found something about Memory Card Annihilator, which overwrites the memory card with the FreePSXBoot MC image. But if I want to update the tonyhax version, can I re-flash the memory card with this program? Will the upcoming versions be added to the FreePSXBoot MC image? Or will there be another way to update the tonyhax exploit?
I'm asking because I read that the Memory Card Annihilator flash method can't be undone, and I don't know how to update to upcoming tonyhax versions with it. Will it be safe to reflash?

Thanks. If anyone could enlighten me, it would be much appreciated. For now I'll stick with the save exploit method via Brunswick 2.
 

socram8888

> Could anyone teach me how to prepare a memory card to run tonyhax via FreePSX? I can't find a guide for that, using uLaunch.elf on PS2 for it.
>
> EDIT: Hey @socram8888, how are you doing, man? Well, I found something about Memory Card Annihilator, which overwrites the memory card with the FreePSXBoot MC image. But if I want to update the tonyhax version, can I re-flash the memory card with this program? Will the upcoming versions be added to the FreePSXBoot MC image? Or will there be another way to update the tonyhax exploit?
> I'm asking because I read that the Memory Card Annihilator flash method can't be undone, and I don't know how to update to upcoming tonyhax versions with it. Will it be safe to reflash?
>
> Thanks. If anyone could enlighten me, it would be much appreciated. For now I'll stick with the save exploit method via Brunswick 2.

I've had no issue updating the memory card image or even formatting it back to defaults using MC Annihilator while testing, so you shouldn't have any either.
 

DarthMotzkus

> I've had no issue updating the memory card image or even formatting it back to defaults using MC Annihilator while testing, so you shouldn't have any either.

Thanks for the quick reply.
I've managed to get it to work, booted Grandia NTSC already on my PSone 4.5 BIOS, and it's quicker to run the backup disc this way, mainly because I can keep the disc and don't need to swap.
So if I want to update the .mcd image to a newer version, should I restore the MC image with the new one, or do I need to restore the original MC image and then flash it?
Oh, and one last thing: MC Annihilator only reads .mcr image files. I just renamed the .mcd extension of your file and it works. Maybe you should post the upcoming revisions in .mcr format already, to use on "Annihilator", or write that in the wiki page/readme.

Thank you again!
 

socram8888

> Thanks for the quick reply.
> I've managed to get it to work, booted Grandia NTSC already on my PSone 4.5 BIOS, and it's a much quicker way to run the backup disc, mainly because I can keep the disc and don't need to swap.
> So if I want to update the .mcd image to a newer version, should I restore the MC image with the new one, or do I need to restore the original MC image and then flash it?
> Oh, and one last thing: MC Annihilator only reads .mcr image files. I just renamed the .mcd extension of your file and it works. Maybe you should post the upcoming revisions in .mcr format already, to use on "Annihilator", or write that in the wiki page/readme.
>
> Thank you again!

You don't need to format it or anything, just flash a new image over the old one and that's it.

I'll add a note regarding the file extension. I am using .mcd instead of .mcr because that's what everybody but Annihilator (no$psx, PS1 MC Manager) uses.
 

DarthMotzkus

> You don't need to format it or anything, just flash a new image over the old one and that's it.
>
> I'll add a note regarding the file extension. I am using .mcd instead of .mcr because that's what everybody but Annihilator (no$psx, PS1 MC Manager) uses.

Cool!
Will there be any future improvement regarding loading the FPSXB+TONYHAX exploit in memory card slot-2, with no issues from leaving the exploited MC inserted in it? So I can keep my main memory card in slot-1 all the time. Or is it impossible?
 

socram8888

> Cool!
> Will there be any future improvement regarding loading the FPSXB+TONYHAX exploit in memory card slot-2, with no issues from leaving the exploited MC inserted in it? So I can keep my main memory card in slot-1 all the time. Or is it impossible?

You gave me a good idea. I could technically patch the BIOS to disable accesses to memory cards where FreePSXBoot is connected, effectively making it as if there was no card connected to the port.

Also regarding the slot 2, I honestly haven't tried launching tonyhax with the card on the second slot. Could you try it?
 

Elbart

FPSXB'd Tonyhax-MC in Slot 2 would be awesome and could be used just like FMCB in slot 2 for PS2.

Normal savegames-MC in Slot 1, and hacked MC in Slot 2, which games hardly ever check or even support, afaik. No more swapping.
 

ButThouMust

Hello, I want to report a bug with the Coolboarders 4 entry point on version 1.3.1. I'm following the format in some of the issues on GitHub:

tonyhax version: 1.3.1
Installation method: FreeDVDBoot + uLaunchElf
Entry point game: Coolboarders 4 (SCUS-94559)
Console version: SCPH-39001
Integrity check: none, exploit doesn't boot
BIOS version: v5.0 02/07/02
Target game: not relevant for this report, but Dragon Quest IV

Bug explanation: Coolboarders 4 says that the records and settings have been automatically loaded. However, when I select "single player" to load the exploit, the game instead proceeds as normal to the name entry menu. The screen doesn't flash any solid color, not even red.

Other tonyhax versions I tried:
1.2.3: works with Coolboarders 4, Tony Hawk 2 (SLUS-01066)
1.3.1: works with Tony Hawk 2
1.3: didn't use (I don't own a PS1)
("works" = I can boot DQ IV with the exploit) I made sure not to mix versions when copying files to the memory card.

Thanks for your work on this! I greatly appreciate the ability to play PS1 DQ IV on an actual console instead of on a PS1 emulator.
 

duwen

> Hello, I want to report a bug with the Coolboarders 4 entry point on version 1.3.1. I'm following the format in some of the issues on GitHub:
>
> tonyhax version: 1.3.1
> Installation method: FreeDVDBoot + uLaunchElf
> Entry point game: Coolboarders 4 (SCUS-94559)
> Console version: SCPH-39001
> Integrity check: none, exploit doesn't boot
> BIOS version: v5.0 02/07/02
> Target game: not relevant for this report, but Dragon Quest IV
>
> Bug explanation: Coolboarders 4 says that the records and settings have been automatically loaded. However, when I select "single player" to load the exploit, the game instead proceeds as normal to the name entry menu. The screen doesn't flash any solid color, not even red.
>
> Other tonyhax versions I tried:
> 1.2.3: works with Coolboarders 4, Tony Hawk 2 (SLUS-01066)
> 1.3.1: works with Tony Hawk 2
> 1.3: didn't use (I don't own a PS1)
> ("works" = I can boot DQ IV with the exploit) I made sure not to mix versions when copying files to the memory card.
>
> Thanks for your work on this! I greatly appreciate the ability to play PS1 DQ IV on an actual console instead of on a PS1 emulator.

Did you update the Coolboarders save file as well as the Tonyhax one?
I've had no problem with Cool Boarders 4 on my 39003 console and TH1.3.1 ...only difference being I'm using PAL Coolboarders on my PAL PS2.
 

DarthMotzkus

> You gave me a good idea. I could technically patch the BIOS to disable accesses to memory cards where FreePSXBoot is connected, effectively making it as if there was no card connected to the port.
>
> Also regarding the slot 2, I honestly haven't tried launching tonyhax with the card on the second slot. Could you try it?

Hey. Let me report my tests. I'm on an NTSC/US SCPH-101 PSone with 4.5v BIOS.
Well, I tested the tonyhax exploit with the Brunswick 2 save exploit on slot-2, and the tonyhax save on my main memory card on slot-1. When Brunswick boots, the first screen is the auto load. It found my save on the slot-2 memory card and auto-loaded it. After I load the game from the menu and select slot-2, the game still loads the tonyhax save which is on slot-1. I figured it's reading the slot-1 exploit, because the tonyhax save is on my slot-2 MC too, and with no MC on slot-1 tonyhax gave me a red screen. I've been using it this way for weeks, since yesterday.
I tested what would happen if I left the MC with FPSXB+Tonyhax on slot-2 and nothing on slot-1. It doesn't work. When I select the memory card on the PS menu, the memory card image turns dark and the boot color screens don't appear, no matter how long I wait; it normally takes 15/20 seconds for tonyhax to load. Even with any MC on slot-1 and the exploited FPSXB+Tonyhax MC on slot-2, it's still stuck on the dark picture of the MC. No deal.
Another thing I noticed: if I don't remove the MC with FPSXB+Tonyhax from slot-1 or, even if I put it on slot-2 and insert my main MC on slot-1, tonyhax becomes very slow to read the disc after I close the lid, and the reader took almost 1 minute to show the first screen of the game I tested (Grandia shows the Sony Computer Entertainment splash screen).
It turns out that whenever I load the exploit via the memory card menu, right after tonyhax loads on screen, I need to remove the exploit MC and insert my main MC, or tonyhax won't work correctly or will work too slowly.

Glad to help.
 

ButThouMust

> Did you update the Coolboarders save file as well as the Tonyhax one?
> I've had no problem with Cool Boarders 4 on my 39003 console and TH1.3.1 ...only difference being I'm using PAL Coolboarders on my PAL PS2.

Yes, whenever I updated the entrypoint and loader files on my memory card, I would delete all existing tonyhax files on it before copying the new files over. I made sure not to mix versions together, such as a 1.2.3 entrypoint file with the 1.3.1 loader file.

Just to make sure I wasn't going crazy, I redownloaded the 1.3.1 release, deleted all the tonyhax files on my memory card, and copied the redownloaded files to my memory card. Same results as before with Coolboarders and Tony Hawk 2.
 

Mike_D

Just tried this out on my PSone (with integrated screen).
I tried Castlevania SotN (NTSC) first but all I got was a rolling picture.
Tried ISS Pro Evo 2 (EURO) and it played fine.

Is the problem due to using an NTSC iso or limits with the PS screen?

Is the rolling picture "fixable" with an RGB scart?
 

duwen

> Is the rolling picture "fixable" with an RGB scart?

I'd tentatively say yes, but it would depend on the quality of the scart cable and the tv it's attached to.
I've never had problems running NTSC titles on my PAL PS1s using the scart cable I have now, but I originally had a cheaper one that would only display NTSC games in black and white and sometimes (depending on the resolution of the game) roll the image.

Check out the info at RetroRGB for details of what may work best for your set up.
 

Mike_D

Thanks duwen.
I do have a scart somewhere!!!!
I have a vague memory (many years ago) of having a scart cable that displayed a black & white image on some back-ups. But I definitely bought another (maybe a proper rgb scart) that fixed it.
Will have to trawl through the attic! :)
 

duwen

> Thanks duwen.
> I do have a scart somewhere!!!!
> I have a vague memory (many years ago) of having a scart cable that displayed a black & white image on some back-ups. But I definitely bought another (maybe a proper rgb scart) that fixed it.
> Will have to trawl through the attic! :)

I don't know what signal the integrated screen uses, but it sounds like it may just hook into the composite line (although it's strange that a 'flat panel' screen from that period wouldn't accommodate NTSC & PAL signals) - if so, outputting via scart to a monitor/tv would almost certainly improve things.
 
