Tonyhax is a new softmod backup loader for the PlayStation 1


Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx's secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation of how tonyhax works are available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check whether a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the SPL sets up the video at a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to show that everything is working up to this point.

With a fully working screen, it then proceeds to unlock the CD drive so that it accepts discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it; Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.
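
The SYSTEM.CNF step above, as an added example that is not code from tonyhax or from the original article: a bounds-checked parser for the boot configuration read from an untrusted disc. The `BOOT`, `TCB`, `EVENT` and `STACK` keys, their hexadecimal values and the fallback defaults follow the commonly documented SYSTEM.CNF layout, which the article does not spell out; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char boot[64];               /* path of the main executable */
    uint32_t tcb, event, stack;  /* kernel parameters, written as hex in the file */
} boot_cfg;

/* Constructed sample input with CRLF line endings (not taken from a real disc). */
static const char SAMPLE_CNF[] =
    "BOOT = cdrom:\\SLUS_000.01;1\r\nTCB = 4\r\nEVENT = 10\r\nSTACK = 801FFF00\r\n";

/* Parse a hex token that must fit in 32 bits; trailing spaces are tolerated. */
static int parse_hex32(const char *s, uint32_t *out) {
    char *end;
    unsigned long long v = strtoull(s, &end, 16);
    if (end == s || *s == '-' || *s == '+') return -1;   /* no digits, or a sign */
    while (*end == ' ') end++;
    if (*end != '\0' || v > 0xFFFFFFFFull) return -1;    /* junk after value, or too wide */
    *out = (uint32_t)v;
    return 0;
}

/* Parse an untrusted SYSTEM.CNF image of len bytes; 0 on success, -1 if malformed. */
int parse_system_cnf(const char *buf, size_t len, boot_cfg *out) {
    boot_cfg c = { "cdrom:\\PSX.EXE;1", 4, 0x10, 0x801FFF00u };  /* assumed defaults */
    for (size_t pos = 0; pos < len; ) {
        const char *nl = memchr(buf + pos, '\n', len - pos);
        size_t n = nl ? (size_t)(nl - (buf + pos)) : len - pos;
        char line[128], key[16], val[64];
        int used = 0, rc = 0;
        if (n >= sizeof line) return -1;               /* refuse oversized lines */
        memcpy(line, buf + pos, n); line[n] = '\0';
        pos += n + 1;
        if (sscanf(line, " %15[A-Z] = %63[^\r\n]%n", key, val, &used) != 2)
            continue;                                  /* not a KEY = value line */
        if (line[used] != '\0' && line[used] != '\r')
            return -1;                                 /* value too long: reject, never truncate */
        if (strcmp(key, "BOOT") == 0)       strcpy(c.boot, val);  /* val is at most 63 chars */
        else if (strcmp(key, "TCB") == 0)   rc = parse_hex32(val, &c.tcb);
        else if (strcmp(key, "EVENT") == 0) rc = parse_hex32(val, &c.event);
        else if (strcmp(key, "STACK") == 0) rc = parse_hex32(val, &c.stack);
        if (rc != 0) return -1;
    }
    *out = c;                                          /* commit only a fully valid config */
    return 0;
}
```
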


socram8888

I also tried this one on my PS2. Same thing. Black screen after opening 'credits' fmv.
I used a 'pre-patched' version of the game I downloaded from somewhere - when I get a chance I'll try with a version I patch myself (made a difference with the Resident Evil True Directors Cut patch).
That game will just not work on a PS2, because of a dirty hack they used when translating the game. From issue 95, where I fixed this:
Please try this version: tonyhax-v1.4.2b.zip (built from 95a3ed9)

This crash was caused by an illegal opcode at 0x8000B104. This was odd and puzzled me because this is within the area of RAM reserved for the BIOS' heap, so the game had no business calling here. In fact, the original, Japanese version doesn't do this.

It turns out this English translation is using a super hacky approach to gaining some extra space for their code.

The PSX-EXE headers are 2048 bytes but only 60-odd bytes of these are used, and the rest are zero. This translation team has decided to use this unused space for some extra code, and are exploiting the fact the BIOS loads this entire 2048-byte header to 0xA000B070 to insert some jumps scattered through the code to this fixed address.

Changing tonyhax to use this address as well for loading the executable header fixed this issue.
And issue 99 where I rolled back the previous change:
Okay, thanks for the report. This issue has apparently been introduced while attempting to fix issue #95 (pinging @DarthMotzkus, who was the reporter of the issue).

That English translation uses a terrible hack - it essentially expects the sectors read from the CD to be at a predefined address, and they assumed (and I believed that) it was fixed through all PS1 and PS2 consoles.

However it is not - all PS1 consoles I've seen use 0xA000B070, but PS2 consoles use 0xA000A8D0 instead. Hence their approach is totally flawed, and attempting to make tonyhax compatible with it is what caused this breakage.

I will thus be rolling back this change and leaving it as it was before, and releasing a new v1.4.3 in a couple minutes with the old behaviour.
 
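
An added example, not part of the post above or of tonyhax: a check that flags executables relying on the header trick described in issue 95, by looking for non-zero bytes in the part of the 2048-byte PS-X EXE header that should be zero. The field offsets and the ASCII marker at 0x4C follow the commonly documented header layout and are assumptions here, as are all names and the constructed sample header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_SIZE   2048u   /* full header size, as stated in the post */
#define MARKER_OFF 0x4Cu   /* start of the optional ASCII marker (assumed layout) */

typedef struct {
    uint32_t pc, dest, size;   /* entry point, load address, payload size */
    int first_extra;           /* offset of first unexpected non-zero byte, or -1 */
    unsigned extra_bytes;      /* number of non-zero bytes found in the padding */
} exe_report;

static uint32_t le32(const uint8_t *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed sample: a clean header, optionally with four bytes planted in the padding. */
void make_sample_header(uint8_t h[HDR_SIZE], int planted) {
    static const uint8_t insn[4] = { 0x08, 0x00, 0xE0, 0x03 };  /* MIPS "jr ra" */
    memset(h, 0, HDR_SIZE);
    memcpy(h, "PS-X EXE", 8);
    h[0x12] = 0x01; h[0x13] = 0x80;   /* pc   = 0x80010000 */
    h[0x1A] = 0x01; h[0x1B] = 0x80;   /* dest = 0x80010000 */
    h[0x1D] = 0x08;                   /* size = 0x800 */
    strcpy((char *)h + MARKER_OFF, "Sony Computer Entertainment Inc. for North America area");
    if (planted) memcpy(h + 0x100, insn, 4);
}

/* Returns 0 and fills *r for a PS-X EXE header, -1 if too short or bad magic. */
int inspect_psx_header(const uint8_t *hdr, size_t len, exe_report *r) {
    if (len < HDR_SIZE || memcmp(hdr, "PS-X EXE", 8) != 0) return -1;
    r->pc = le32(hdr + 0x10);
    r->dest = le32(hdr + 0x18);
    r->size = le32(hdr + 0x1C);
    r->first_extra = -1;
    r->extra_bytes = 0;
    size_t i = MARKER_OFF;
    while (i < HDR_SIZE && hdr[i] >= 0x20 && hdr[i] < 0x7F) i++;  /* skip printable marker (heuristic) */
    for (; i < HDR_SIZE; i++) {
        if (hdr[i] == 0) continue;
        if (r->first_extra < 0) r->first_extra = (int)i;
        r->extra_bytes++;
    }
    return 0;
}
```

A non-negative `first_extra` means the image may depend on where the loader leaves the header in RAM, which the post shows differs between PS1 and PS2 consoles.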

SMVB64

Hey guys, quick question - I have an NTSC PSone
Does it matter which BIOS version I use? 4.4 or 4.5

Edit - oops I posted this in the news section - apologies for the bump
 

KleinesSinchen

It matters, you need to figure out which version your PSOne BIOS is by searching for your model on Google.
It matters only in theory. There is a distinction between 4.4/4.5 for FreePSXBoot images for the case that it is needed at some point. In practice all SCPH-101 and SCPH-102 images for 4.4/4.5 BIOS have the same checksum. Four times the same image for SLOT-1 and four times a different one for SLOT-2.
 

SMVB64

It matters only in theory. There is a distinction between 4.4/4.5 for FreePSXBoot images for the case that it is needed at some point. In practice all SCPH-101 and SCPH-102 images for 4.4/4.5 BIOS have the same checksum. Four times the same image for SLOT-1 and four times a different one for SLOT-2.

Thanks, man - I took a gamble and ended up installing the wrong BIOS lol - I have 4.4 PSone, not 4.5. You're right - it did boot up but I'm getting Disc Error type D Code 12 - Gonna see if I can install the correct BIOS hopefully

Update: Man, I hate burning games - burnt 5 discs on 3 different DVD burners and PCs and still Disc Error type D Code 12 - ISOs are Redump as well
 

CyberTails

Has anyone tested the NTSC-U version of Sports Superbike 2 to launch the Payload? I have said version. But atm I have no way to get Tonyhax into my PS1 Memory Card
 

Leon11

For the translated Mizzurna Falls issue where it freezes after starting a new game, you can load Tonyhax, then load the Unirom Boot CD and then boot the game from there; it works! I have Tonyhax 1.4.3, both FreePSXBoot and game boot, but it freezes at that point. Castlevania Symphony of the Night can format a FreePSXBoot easily on the change name menu.
 

Leon11

Maybe I noticed something strange. With the latest version of Tonyhax (1.4.3) in combination with FreePSXBoot on a PSOne SCPH-102B with a Dualshock 2 inserted, the console freezes when clicking the memory card icon; all is fine with an original Dualshock for PS1. Unirom in combination with FreePSXBoot works fine with a Dualshock 2 too. I didn't test other console models or Tonyhax with the disc boot, but this is the issue in my case.
 

DarthMotzkus

Maybe I noticed something strange. With the latest version of Tonyhax (1.4.3) in combination with FreePSXBoot on a PSOne SCPH-102B with a Dualshock 2 inserted, the console freezes when clicking the memory card icon; all is fine with an original Dualshock for PS1. Unirom in combination with FreePSXBoot works fine with a Dualshock 2 too. I didn't test other console models or Tonyhax with the disc boot, but this is the issue in my case.
You should report it on the issues section, via GitHub of the project.
 