Front-page

Tonyhax is a new softmod backup loader for the PlayStation 1



Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for the Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.
Click to expand...

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlocks the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.
Click to expand...

You'll need a PS1 memory card with tonyhax on it, to which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

:arrow: Source
:download: Download Link
 
  • Like
Reactions: Deleted User, Hoppy, _47iscool and 70 others
Click to expand...
KleinesSinchen

KleinesSinchen

GBAtemp's Backup Reminder + Fearless Testing Sina
Member
GBAtemp Patron
Level 24
Joined
Mar 28, 2018
Messages
4,430
Trophies
2
XP
14,871
Country
Germany
Baraksha1 said:
I tried looking this up but I couldn't find a solution, I recently burned Castlevania Symphony Of The Night and when I tried using TonyHax it returned a code error:

"disk error type d code 12 (x11)"

is it a problem with the disk I burned?
Click to expand...
No problem here.
Tonyhax 1.4.1 from the entrypoints "boot CD-R" and "Crash Bandicoot 3 Warped (PAL)" on PAL Consoles: SCPH-1002, SCPH-7502, SCPH-9002

Result: Symphony of the Night CD-R loads in any case from Tonyhax.

Process of elimination:
Make sure you have a good dump (emulators might be more forgiving than real hardware -- image working in emulator is not sufficient).
Try a different console and a different loading method: Modchip, FreePSXBoot (with Unirom), MechaPwn (on PlayStation 2, modification is your own risk, carefully read the README.md).
Try a different CD-R brand/burner/burning program.


Good luck and have fun!
 
Baraksha1

Baraksha1

Member
Newcomer
Level 2
Joined
Mar 23, 2021
Messages
10
Trophies
0
Age
26
XP
153
Country
Israel
KleinesSinchen said:
No problem here.
Tonyhax 1.4.1 from the entrypoints "boot CD-R" and "Crash Bandicoot 3 Warped (PAL)" on PAL Consoles: SCPH-1002, SCPH-7502, SCPH-9002

Result: Symphony of the Night CD-R loads in any case from Tonyhax.

Process of elimination:
Make sure you have a good dump (emulators might be more forgiving than real hardware -- image working in emulator is not sufficient).
Try a different console and a different loading method: Modchip, FreePSXBoot (with Unirom), MechaPwn (on PlayStation 2, modification is your own risk, carefully read the README.md).
Try a different CD-R brand/burner/burning program.


Good luck and have fun!
Click to expand...

well, I attempted to load TonyHax on my PS2 and then said my console is from Japan even though it's europeon and didn't proceed, so I can't really test it on that. I DID got my rom from Coolrom, so maybe that wasn't a bright idea. I thought maybe the problem was that the game was Multitracked so I combined the tracks with CDMage and it unfortunetly didn't work.

I highly doubt my DVD burned is not good, it has served me well through out multiple consoles and this is the kind of thing I feel like people only suggest because they can't give a solution and is a very unlikely situation in general (no offence) mostly because every time someone says it I try other burners and get the same results.

as for the CD brand, I am using official Sony CD's so I don't think it gets more High Quality then this. the only thing I can think of is that the Rip I used is bad, it definatly works on emulator, but my modded PS2 can't read it(also yes my PS2 is modded, but I only tested official PS1 games with it not burned so idk what should happen) so I think you have a point there, the only problem is that now im not sure where I can look for good High Quality rips and I know as hell I am not going to ask for it here considering the guide lines.
 
Last edited by Baraksha1,
  • Like
Reactions: KleinesSinchen
duwen

duwen

Old Man Toad
Member
Level 14
Joined
Sep 6, 2013
Messages
3,190
Trophies
2
Location
Bullet Hell
Website
www.exophase.com
XP
4,293
Country
United Kingdom
Baraksha1 said:
I thought maybe the problem was that the game was Multitracked so I combined the tracks with CDMage and it unfortunetly didn't work.
Click to expand...

Yeah... that dump is probably the issue. Track down the ReDump version, and use Imageburn to load the cue file - it won't matter if there's multiple tracks if the cue file is correct.
 
Last edited by duwen,
  • Like
Reactions: KleinesSinchen
KleinesSinchen

KleinesSinchen

GBAtemp's Backup Reminder + Fearless Testing Sina
Member
GBAtemp Patron
Level 24
Joined
Mar 28, 2018
Messages
4,430
Trophies
2
XP
14,871
Country
Germany
Baraksha1 said:
well, I attempted to load TonyHax on my PS2 and then said my console is from Japan even though it's europeon and didn't proceed, so I can't really test it on that. I DID got my rom from Coolrom, so maybe that wasn't a bright idea. I thought maybe the problem was that the game was Multitracked so I combined the tracks with CDMage and it unfortunetly didn't work.
Click to expand...
The Japanese region message comes on PS2 models newer than 3900x as nocash unlock isn't available on newer PS2 (and all Japanese PS1/2). The game has two tracks and you shouldn't combine them. That information is new. I agree with the above statement: Use ReDump verified version. Normally I would say: Simply buy the game on the used market and create a RAW clone copy. But hunting down Symphony of the Night nowadays is an insane task and sooooo expensive.

I highly doubt my DVD burned is not good, it has served me well through out multiple consoles and this is the kind of thing I feel like people only suggest because they can't give a solution and is a very unlikely situation in general (no offence) mostly because every time someone says it I try other burners and get the same results.

as for the CD brand, I am using official Sony CD's so I don't think it gets more High Quality then this. the only thing I can think of is that the Rip I used is bad, it definatly works on emulator, but my modded PS2 can't read it(also yes my PS2 is modded, but I only tested official PS1 games with it not burned so idk what should happen) so I think you have a point there, the only problem is that now im not sure where I can look for good High Quality rips and I know as hell I am not going to ask for it here considering the guide lines.
Click to expand...
No that is not a longshot or something I pulled out of the void. I often suggest things like this because it is a valid method of pinpointing the issue: Find out what is not the issue. I do it all the time myself. And I can't know what you already did. I have noticed subtle readability differences on the same CD-R media with different burners. Many PS1 drives/lasers are on their last leg. Some only work correctly when the console stands almost vertically. Really, I'm just trying to help and write down everything what could theoretically be an issue.
 
  • Like
Reactions: duwen
Baraksha1

Baraksha1

Member
Newcomer
Level 2
Joined
Mar 23, 2021
Messages
10
Trophies
0
Age
26
XP
153
Country
Israel
KleinesSinchen said:
The Japanese region message comes on PS2 models newer than 3900x as nocash unlock isn't available on newer PS2 (and all Japanese PS1/2). The game has two tracks and you shouldn't combine them. That information is new. I agree with the above statement: Use ReDump verified version. Normally I would say: Simply buy the game on the used market and create a RAW clone copy. But hunting down Symphony of the Night nowadays is an insane task and sooooo expensive.


No that is not a longshot or something I pulled out of the void. I often suggest things like this because it is a valid method of pinpointing the issue: Find out what is not the issue. I do it all the time myself. And I can't know what you already did. I have noticed subtle readability differences on the same CD-R media with different burners. Many PS1 drives/lasers are on their last leg. Some only work correctly when the console stands almost vertically. Really, I'm just trying to help and write down everything what could theoretically be an issue.
Click to expand...

yeah, I apologize if that came out as rude. im just curious because I don't commonly see that actualy being the problem. I know you're just trying to help, I just don't want to waste more CDs unecesaraly as I am getting short. also yeah as much as I love that game I can not afford to get a copy of it.
btw I was not aware of this Redump website, I don't seem to be good at tracking down the dump I need tho....
btw just to be clear, TonyHax DOES contain anti Region lock right?

EDIT: I was able to find a ReDump version, it looks similar to the first one I burned, but i'll give this a shot. if this doesn't work, then im not sure what else I can do.
 
Last edited by Baraksha1,
  • Like
Reactions: KleinesSinchen
duwen

duwen

Old Man Toad
Member
Level 14
Joined
Sep 6, 2013
Messages
3,190
Trophies
2
Location
Bullet Hell
Website
www.exophase.com
XP
4,293
Country
United Kingdom
The ReDump of it I have (think it came from the internet archive) looks like this;
Code: 
Castlevania - Symphony of the Night (USA) (Track 1).bin 
2016-11-26 20:29 538655040
Castlevania - Symphony of the Night (USA) (Track 2).bin 
2016-11-26 20:29 44676240
Castlevania - Symphony of the Night (USA).cue 
2016-11-26 20:29 252
Worked fine for me burned with Imageburn
 
  • Like
Reactions: KleinesSinchen
KleinesSinchen

KleinesSinchen

GBAtemp's Backup Reminder + Fearless Testing Sina
Member
GBAtemp Patron
Level 24
Joined
Mar 28, 2018
Messages
4,430
Trophies
2
XP
14,871
Country
Germany
Baraksha1 said:
yeah, I apologize if that came out as rude. im just curious because I don't commonly see that actualy being the problem. I know you're just trying to help, I just don't want to waste more CDs unecesaraly as I am getting short. also yeah as much as I love that game I can not afford to get a copy of it.
btw I was not aware of this Redump website, I don't seem to be good at tracking down the dump I need tho....
btw just to be clear, TonyHax DOES contain anti Region lock right?
Click to expand...
Nah, all good. Didn't come across rude.
PlayStation does like Sony blanks. CD-R quality does matter. No doubt about this. It is less important on PS1 than… let's say DVD-R on GameCube – those drives are picky beyond believe – but really. Not every PS1 likes every CD-R.
Supposedly the laser can be tuned to accept CD-RW to avoid the waste issues with coasters – but then it might not be able to read originals and CD-R and this procedure is risky (increased power on the aging lasers). I would rather buy a pack of CD-R than risk that.

The idea with the different burner is: The writer could be defective (and my PlayStations don't like my laptop burner). If you say the writer is good, then it is good.
The idea with the burning software: PS1 titles are Mode2 tracks – this may sometimes cause trouble with some software (I had some trouble with this but it was very, very long ago). Normally I just copy my discs with Alcohol 120% → not a single problem. With cue/bin files imgburn should be a safe bet.

Tonyhax loads region free. Seems it was a primary reason why socram8888 developed this.
https://orca.pet/tonyhax/
orca.pet/tonyhax/ said:
Also, as an owner of a SCPH-102 console, these are a pain in the ass when it comes to chipping - in addition to the generic SCEx wobble check performed by the CD controller that is easily patchable, the boot menu on these also checks for the region string, which involve installing even more wires and a full sized Arduino Pro Mini or AtMega328 chip to patch the CPU BIOS to play out of region games. Not cool.
Click to expand...
 
Last edited by KleinesSinchen,
  • Like
Reactions: duwen
Baraksha1

Baraksha1

Member
Newcomer
Level 2
Joined
Mar 23, 2021
Messages
10
Trophies
0
Age
26
XP
153
Country
Israel
duwen said:
The ReDump of it I have (think it came from the internet archive) looks like this;
Code: 
Castlevania - Symphony of the Night (USA) (Track 1).bin
2016-11-26 20:29 538655040
Castlevania - Symphony of the Night (USA) (Track 2).bin
2016-11-26 20:29 44676240
Castlevania - Symphony of the Night (USA).cue
2016-11-26 20:29 252
Worked fine for me burned with Imageburn
Click to expand...
I just burned it and it didn't work, I got mine from the Internet Archive aswell, tho I got the Europeon version just to be safe. the file dates are identical to the ones you posted still. I don't know what to do at this point, but I guess it's perhaps worth mentioning that I DO use ImgBurn and I burn the game on x1 speed. I am kind of curious tho because I DID saw a video that mentions that it might not be the best idea but im not sure.
KleinesSinchen said:
Nah, all good. Didn't come across rude.
PlayStation does like Sony blanks and the idea with the different burner is: The writer could be defective (and my PlayStations don't like my laptop burner). If you say the writer is good, then it is good. The idea with the burning software: PS1 titles are Mode2 tracks – this may sometimes cause trouble with some software. Normally I just copy my discs with Alcohol 120% → not a single problem. With cue/bin files imgburn should be a safe bet.

Tonyhax loads region free. Seems it was a primary reason why socram8888 developed this.
https://orca.pet/tonyhax/
Click to expand...
yeah, I recall seeing this on the website, just wanted to make absolute sure is all.

EDIT: I did some extra stuff for the heck of it. I was able to find a really old copy of Oddworld Abe's Oddysee I burned a long time ago, not in the best condition, but when I tested it with TonyHax it was detected and was booted, but it only loaded a blank screen and didn't load anything past that. so I guess this shows it DOES work with other games? I also decided to see what happens if I put a normal ps1 game and it did load it fine. so I guess that at the end of the day even if it won't fully work I can probably still use this to get passed region lock. (I would still love this to work tho)

EDIT 2: Ok, so I now decided to burn another game, Klonoa Door To Phantomile. it had the exact same problem. after considering the fact the other old disks I have were recognized fine I think that maybe, JUST maybe, what if the problem is suprisengly with the Sony CD's? I can't test this out atm since they all I have, but what if Sony CD's as Ironic as it may be just don't work on Sony's own system?

EDIT 3: I decided to put the Klonoa disk in my PS2 and it Eventualy actualy worked! im saying eventualy because it failed to read the first time , second time it loaded for a while but it actualy was able yo detect it. now I feel more convinced this has something to do with my CDs or how I burn them. if the PS2 BARELY boot it, then the PS1 is sure to have problems.
 
Last edited by Baraksha1,
socram8888

socram8888

Well-Known Member
Newcomer
Level 4
Joined
Apr 6, 2009
Messages
81
Trophies
1
Age
29
Location
Valencia, Spain
Website
orca.pet
XP
560
Country
Spain
Baraksha1 said:
I tried looking this up but I couldn't find a solution, I recently burned Castlevania Symphony Of The Night and when I tried using TonyHax it returned a code error:

"disk error type d code 12 (x11)"

is it a problem with the disk I burned?
Click to expand...
For the record, type D stands for "disc", and it means a read error from the physical disc (as opposed to type B or "boot" which would be that the data could be read but made no sense). Code 12 means an error occured while reading the table of contents (the very first action performed when inserting a CD), and finally x11 means it retried for 11 times.
 
Baraksha1

Baraksha1

Member
Newcomer
Level 2
Joined
Mar 23, 2021
Messages
10
Trophies
0
Age
26
XP
153
Country
Israel
socram8888 said:
For the record, type D stands for "disc", and it means a read error from the physical disc (as opposed to type B or "boot" which would be that the data could be read but made no sense). Code 12 means an error occured while reading the table of contents (the very first action performed when inserting a CD), and finally x11 means it retried for 11 times.
Click to expand...
Thanks for the reply. honestly? I was thinking about this and making comparisons, im not sure how insane this sounds but, I theorize that maybe the Sony CD's inner area seem about a mm thicker, maybe the lazer just can not reach the TOC properly? Btw I forgot to ask, on very rare acations the program would write "code 22" rather then "code 12", not sure what type of error it is. Do you happen to have a code error list because I personaly couldnt find it

EDIT: I decided to go buy new CD-Rs, its the only brand anyone sells in my country this days called "Silver Line" , it is not to commonly talked about in English websites but I saw an old forum thread saying they recomand them. either way, I attempted to burn with them and had the same results. I even decided to eat my own words and attempted burning on a different laptop. still met the same results.
 
Last edited by Baraksha1,
Baraksha1

Baraksha1

Member
Newcomer
Level 2
Joined
Mar 23, 2021
Messages
10
Trophies
0
Age
26
XP
153
Country
Israel
socram8888 said:
You might wanna consider adjusting the trim pot on the CD laser:
Click to expand...

thanks for the sugestion, I did what he said including the Resistance number, unfortunetly, the results are still the same. I observed the disk with the lid on, always spins slowly for a bit before completely stoping. it probebly can't find the header like you said.
 
Last edited by Baraksha1,
Leon11

Leon11

Active Member
Newcomer
Level 5
Joined
Nov 13, 2019
Messages
41
Trophies
0
XP
630
Country
Italy
TONYHAX.jpg
I already have modchipped PS1 but i'm planning to buy an untouched PS1 only to use Tonyhax. I still prefer the Game Boot method because i still can save on the Memory Card and it's easier to update the exploit, and i don't need to be careful about the bios of the PS1, it works on every supported model, i just need to swap the Memory Card between consoles. Of course FreePSXboot is faster and doesn't need an original game (i think this is the main deal breaker for most of us). I would really want that Tonyhax search for exploit in Slot 2 too, but of course i don't know if it is already been answered and if it is possible (i'm talking about the original game boot method). Thanks for this awesome exploit!
 
KleinesSinchen

KleinesSinchen

GBAtemp's Backup Reminder + Fearless Testing Sina
Member
GBAtemp Patron
Level 24
Joined
Mar 28, 2018
Messages
4,430
Trophies
2
XP
14,871
Country
Germany
Leon11 said:
View attachment 266462
I already have modchipped PS1 but i'm planning to buy an untouched PS1 only to use Tonyhax. I still prefer the Game Boot method because i still can save on the Memory Card and it's easier to update the exploit, and i don't need to be careful about the bios of the PS1, it works on every supported model, i just need to swap the Memory Card between consoles. Of course FreePSXboot is faster and doesn't need an original game (i think this is the main deal breaker for most of us). I would really want that Tonyhax search for exploit in Slot 2 too, but of course i don't know if it is already been answered and if it is possible (i'm talking about the original game boot method). Thanks for this awesome exploit!
Click to expand...
How would needing an original game be a deal breaker? There are many games with an exploit. The Crash Bandicoot games sold pretty well.

The Slot 2 thing: I guess this is game depended. Most games only look at Slot 1, which means having an exploit in Slot 2 won't do anything. Is this so important for the game entry points? Most games take one or two blocks on Memory Card and Tonyhax itself two blocks. Enough space for some more games on the same MC.
Slot 2 would also be interesting for the FreePSXBoot method but I don't know if the nature of the exploit even allows this (the technical description requires more concentration than I'm currently able).
 
Q

qkwyx

Member
Newcomer
Level 1
Joined
Sep 11, 2015
Messages
7
Trophies
0
Age
48
XP
105
Country
@socram8888 Good day to you. Is it possible to make a tonyhax.exe file to a tonyhax.rom file so that I can use it to flash using X-Flash utility and flash it to a Cheat Cart (I have Gameshark v2). If not possible, its okay no worries. Thanks for your hardwork on Tonyhax.
 
socram8888

socram8888

Well-Known Member
Newcomer
Level 4
Joined
Apr 6, 2009
Messages
81
Trophies
1
Age
29
Location
Valencia, Spain
Website
orca.pet
XP
560
Country
Spain
qkwyx said:
@socram8888 Good day to you. Is it possible to make a tonyhax.exe file to a tonyhax.rom file so that I can use it to flash using X-Flash utility and flash it to a Cheat Cart (I have Gameshark v2). If not possible, its okay no worries. Thanks for your hardwork on Tonyhax.
Click to expand...
It's possible but I can't do it myself as I don't have any hardware that supports those devices to test it.
 
  • Like
Reactions: KleinesSinchen and qkwyx
DarthMotzkus

DarthMotzkus

Well-Known Member
Member
Level 5
Joined
Jul 10, 2020
Messages
176
Trophies
0
Age
27
Location
Florianópolis - SC, Brasil
XP
682
Country
Brazil
Hi @socram8888, how are you?
I opened an issue on the tonyhax git page, about "Mizzurna Falls". With the recent launch of translation of the game, i tried to play it using tonyhax but it get stuck on a black screen after the first FMV in New Game. Could you please look into it?

Thanks!

https://github.com/socram8888/tonyhax/issues/95
 
Last edited by DarthMotzkus,
duwen

duwen

Old Man Toad
Member
Level 14
Joined
Sep 6, 2013
Messages
3,190
Trophies
2
Location
Bullet Hell
Website
www.exophase.com
XP
4,293
Country
United Kingdom
DarthMotzkus said:
Hi @socram8888, how are you?
I opened an issue on the tonyhax git page, about "Mizzurna Falls". With the recent launch of translation of the game, i tried to play it using tonyhax but it get stuck on a black screen after the first FMV in New Game. Could you please look into it?

Thanks!

https://github.com/socram8888/tonyhax/issues/95
Click to expand...

I also tried this one on my PS2. Same thing. Black screen after opening 'credits' fmv.
I used a 'pre-patched' version of the game I downloaded from somewhere - when I get a chance I'll try with a version I patch myself (made a difference with the Resident Evil True Directors Cut patch).
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Nintendo Switch firmware 18.0.0 has been released

Atmosphere CFW for Switch updated to pre-release version 1.7.0, adds support for firmware 18.0.0

Wii U and 3DS online services shutting down today, but Pretendo is here to save the day

GBAtemp Exclusive  Introducing tempBOT AI - your new virtual GBAtemp companion and aide (April Fools)

Pokemon fangame hosting website "Relic Castle" taken down by The Pokemon Company

The first retro emulator hits Apple's App Store, but you should probably avoid it

MisterFPGA has been updated to include an official release for its Nintendo 64 core

Delta emulator now available on the App Store for iOS

General chit-chat
Help Users
  • No one is chatting at the moment.
    SylverReZ @ SylverReZ: @Psionic Roshambo, Thats pretty cool.