Tonyhax is a new softmod backup loader for the PlayStation 1


Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, it sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it, for which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.
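
The unchecked skater name described above comes down to copying a field from untrusted save data into a fixed-size buffer. As an added example (not the game's or tonyhax's code), the C below contrasts that unsafe pattern with a loader that validates the field before copying; the field and buffer sizes, the struct layout and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration; not the game's real save layout. */
#define NAME_FIELD_LEN 32  /* bytes the save record reserves for the name */
#define NAME_BUF_LEN   16  /* size of the in-memory destination buffer */

struct profile {
    char name[NAME_BUF_LEN];
    uint32_t marker;       /* stands in for the data stored after the buffer */
};

/* Unsafe pattern (never called here): copies until the first NUL in the
 * save data, however far past NAME_BUF_LEN that is. */
void load_name_unchecked(struct profile *p, const uint8_t *field) {
    strcpy(p->name, (const char *)field);
}

/* Checked loader: returns 0 and fills p->name, or -1 and leaves p untouched. */
int load_name_checked(struct profile *p, const uint8_t *field, size_t avail) {
    if (avail < NAME_FIELD_LEN)
        return -1;                               /* truncated record */
    const uint8_t *nul = memchr(field, 0, NAME_FIELD_LEN);
    if (nul == NULL)
        return -1;                               /* no terminator in field */
    size_t len = (size_t)(nul - field);
    if (len >= NAME_BUF_LEN)
        return -1;                               /* would not fit with its NUL */
    for (size_t i = 0; i < len; i++)
        if (field[i] < 0x20 || field[i] > 0x7e)
            return -1;                           /* not printable ASCII */
    memcpy(p->name, field, len);
    p->name[len] = '\0';
    return 0;
}

int main(void) {
    struct profile p = { "", 0xC0FFEEu };
    uint8_t ok[NAME_FIELD_LEN] = "TONY";         /* constructed sample */
    uint8_t bad[NAME_FIELD_LEN];                 /* constructed: no NUL at all */
    memset(bad, 'A', sizeof bad);
    printf("ok=%d bad=%d\n", load_name_checked(&p, ok, sizeof ok),
           load_name_checked(&p, bad, sizeof bad));
    return p.marker == 0xC0FFEEu ? 0 : 1;
}
```

The checked loader rejects the record outright instead of truncating it, so a tampered save never reaches the copy.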

 

Tom Bombadildo

This is super cool. I don't think I have any way to move a modded save to a PS1 memory card at this particular moment, but this is definitely something I'm 100% going to get around to doing at some point since I don't really want to install a modchip in my PS1 and the disc swap method is annoying :lol:
 

TwistedZeon

This is actually one of the coolest things in awhile! I wonder if this could lead to solderless methods for loading roms from an sd card since it seems like the only reason you need to solder for xstation and the like is for disc protection stuff or so I believe.
 

djpannda

This is actually one of the coolest things in awhile! I wonder if this could lead to solderless methods for loading roms from an sd card since it seems like the only reason you need to solder for xstation and the like is for disc protection stuff or so I believe.
I just realized this....whoa I bet Tony Hawk is going to Sky Rocket
 

smallissue

not sure if this is easier or harder than a modchip
but this is poggers either way

socram8888

This is actually one of the coolest things in awhile! I wonder if this could lead to solderless methods for loading roms from an sd card since it seems like the only reason you need to solder for xstation and the like is for disc protection stuff or so I believe.
tonyhax author here.

I've had some crazy ideas about maybe creating a custom SD to memory card adapter, since both SD cards and memory cards use standard SPI. It wouldn't be even necessary to open the console or touch anything inside, just an adapter much like on a GC.

For now I'm gonna focus on trying to port this exploit to other games.
 

Tom Bombadildo

tonyhax author here.

I've had some crazy ideas about maybe creating a custom SD to memory card adapter, since both SD cards and memory cards use standard SPI. It wouldn't be even necessary to open the console or touch anything inside, just an adapter much like on a GC.

For now I'm gonna focus on trying to port this exploit to other games.
Actually someone has made one very recently! https://8bitmods.com/memcard-pro-for-playstation-1/ < Still not released (and a little expensive, IMO) and it's just for making tons of virtual memory cards, but I assume someone could easily write a firmware to do exactly that :lol:
 

KokoseiJ

tonyhax author here.

I've had some crazy ideas about maybe creating a custom SD to memory card adapter, since both SD cards and memory cards use standard SPI. It wouldn't be even necessary to open the console or touch anything inside, just an adapter much like on a GC.

For now I'm gonna focus on trying to port this exploit to other games.
Mad respect to you. That was some amazing work.
It would be really nice to get SD to Memory Card adapter- would really be handy for both PS1 and PS2 uses. Either it happens or not, I respect your decisions and appreciate all your works.
 

socram8888

Actually someone has made one very recently! https://8bitmods.com/memcard-pro-for-playstation-1/ < Still not released (and a little expensive, IMO) and it's just for making tons of virtual memory cards, but I assume someone could easily write a firmware to do exactly that :lol:
The interesting bit is that you don't even need to make a custom firmware or use any fancy circuitry. If my memory serves me correctly, the PS1 on the memory card uses just standard SPI - that's exactly what SD cards use too.
You couldn't use it for saving in games since the commands are different, BUT you could indeed talk using custom software using nothing but a passive adapter.
I once did for fun a NetYaroze boot card using an Arduino. It just waited for the console to emit a particular SPI command, and then replied with what the NetYaroze boot disc expected.
 

Cyan

Ohh, nice.
It's always interesting to see old console's exploit being released.

I thought I wouldn't need to swap games on my PS1 anymore (it's an original launch day SCPH 1002 with swap support), but from what I understand, it's a "swap-loader" method using an original game disc, for non boot swap-compatible consoles.
I thought it was something like PS2 FreeMcBoot directly loading the memory card's exploit, but it's not like that. You always need to play Tony Hawk to unlock and "wait for lid", which means it's not compatible with multi-disc games, right? (Chrono Cross or Parasite Eve requires disc swapping without saving first)

Or is the unlock hack working with in-game swap? That's very great for everyone if it works :)


Thanks for releasing it :)
It'll be helpful to many users. It's always nice to have multiple choices !

edit:
Having SDCard adapter for memory card would be great too !
 

TwistedZeon

tonyhax author here.

I've had some crazy ideas about maybe creating a custom SD to memory card adapter, since both SD cards and memory cards use standard SPI. It wouldn't be even necessary to open the console or touch anything inside, just an adapter much like on a GC.

For now I'm gonna focus on trying to port this exploit to other games.
Hey! Wonderful work here man. That's a very intriguing idea and I honestly would love if something like this could happen. I want an sd method for my ps1 but I just cannot do the intricate soldering needed for most every option out there.
 