Tonyhax is a new softmod backup loader for the PlayStation 1


Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx's secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works are available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, it sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to show that everything is working fine up to this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking the drive, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it, for which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

Source
Download Link
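The SYSTEM.CNF step described above, as an added example that is not tonyhax's own code: a small C parser for the four kernel parameters a loader reads from that file before re-initialising the kernel. The "KEY = VALUE" layout with BOOT, TCB, EVENT and STACK is the standard PS1 SYSTEM.CNF format; the sample contents are constructed, and the 512-byte buffer and the requirement that all four keys be present are choices made here, not a description of what the BIOS or the SPL does.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Kernel parameters a PS1 loader takes from SYSTEM.CNF before it
 * re-initialises the kernel and jumps to the game executable. */
struct system_cnf {
    char boot[64];   /* executable path, e.g. cdrom:\SLUS_000.01;1 */
    uint32_t tcb;    /* task control blocks, decimal in the file */
    uint32_t event;  /* event control blocks, decimal in the file */
    uint32_t stack;  /* initial stack pointer, hex in the file (no 0x) */
};

/* Strip leading/trailing blanks in place; returns the trimmed start. */
static char *trim(char *s) {
    char *e;
    while (*s == ' ' || *s == '\t') s++;
    for (e = s + strlen(s); e > s && (e[-1] == ' ' || e[-1] == '\t'); ) *--e = '\0';
    return s;
}

/* Convert the whole field in the given base; 0 if empty or junk is left over. */
static int parse_num(const char *s, int base, uint32_t *out) {
    char *end;
    unsigned long v = strtoul(s, &end, base);
    if (*s == '\0' || *end != '\0' || v > 0xFFFFFFFFul) return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Parse "KEY = VALUE" lines (CRLF or LF); 0 on success, -1 if malformed or a key is missing. */
int parse_system_cnf(const char *text, struct system_cnf *out) {
    char buf[512], *line, *eq, *key, *val;
    unsigned seen = 0;                       /* one bit per key found */
    if (strlen(text) >= sizeof buf) return -1;   /* constructed size limit */
    strcpy(buf, text);
    memset(out, 0, sizeof *out);
    for (line = strtok(buf, "\r\n"); line; line = strtok(NULL, "\r\n")) {
        if (!(eq = strchr(line, '='))) return -1;
        *eq = '\0';
        key = trim(line); val = trim(eq + 1);
        if (!strcmp(key, "BOOT")) {
            if (*val == '\0' || strlen(val) >= sizeof out->boot) return -1;
            strcpy(out->boot, val); seen |= 1;
        } else if (!strcmp(key, "TCB"))   { if (!parse_num(val, 10, &out->tcb))   return -1; seen |= 2; }
          else if (!strcmp(key, "EVENT")) { if (!parse_num(val, 10, &out->event)) return -1; seen |= 4; }
          else if (!strcmp(key, "STACK")) { if (!parse_num(val, 16, &out->stack)) return -1; seen |= 8; }
    }                                        /* unknown keys are ignored */
    return seen == 15 ? 0 : -1;
}
```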
 

uyjulian

tonyhax author here.

I've had some crazy ideas about maybe creating a custom SD to memory card adapter, since both SD cards and memory cards use standard SPI. It wouldn't even be necessary to open the console or touch anything inside, just an adapter much like on a GC.

For now I'm gonna focus on trying to port this exploit to other games.
See mx4sio, which is a similar solution for the PS2. https://www.psx-place.com/threads/m...d-sd-driver-for-the-ps2-sio2-interface.29210/
 

Leon11

This thing is really really good. If you have the original game of course, you don't need to modchip a console, you can buy a used PS1 and that's it. If multiple disc games work without problems this exploit replaces the modchip entirely. If in the future there is the possibility for the exploit to load games from an SD card without soldering, it's a dream come true. The xstation and the PSIO are good products but they require soldering and they are very pricey.
 

cvskid

This thing is really really good. If you have the original game of course, you don't need to modchip a console, you can buy a used PS1 and that's it. If multiple disc games work without problems this exploit replaces the modchip entirely. If in the future there is the possibility for the exploit to load games from an SD card without soldering, it's a dream come true. The xstation and the PSIO are good products but they require soldering and they are very pricey.
If I remember right, for now the soldering can't be helped since that bypasses some security checks in PS1 systems. For anyone with a PS1 Slim this is probably the best method to use now since the PS1 Slim does not have an ODE/Optical Disc Emulator option.

As for the price, think of it this way: for a one-time payment you can have every PS1 game ever made all at once on the system.
 

smf

I once did a NetYaroze boot card for fun using an Arduino.

The Net Yaroze boot card behaves like a standard memory card; it uses a different ID and read & write commands fail. The Yaroze disk uses a command that memory cards support, but no software uses. I assume there are lines jumpered to ground differently between the two but haven't investigated.

Memcard to USB/Ethernet would be kinda cool for development on PSone (or full size that don't have parallel ports). Hooking up a cheap ESP to the memcard port can be done much cheaper than that MemCard Pro.

Technically it's not SPI, as the standard protocol uses DTR to select the device and DSR as a handshake. You'd need to keep an SD card off the bus unless that port is selected and make sure the first byte sent to the SD card wasn't an 01, or the controller above it will interfere. There are some other IDs that are good to avoid as the first byte after DTR goes low as well, especially if you want to use the same adapter on a PS2. You can avoid the DSR to ack each byte, but it will probably then be incompatible with multitap.
 

0000ff

This will be quite helpful.

Snagged one on the cheap from eBay before the price goes through the roof. Now to wait 4 weeks for delivery, thanks USPS.
 

gbazone

On the original console I'm sure I used a pen lid and swapped after the boot message when it spins back up.

Same, before I eventually got a modchip. It was damn near impossible. Only worked like 1 out of 20 tries. And if I remember correctly the disc drive was really picky about which CD-R brands it would take. Memorex was always a safe bet.
 

KentaZX

Okay, so I've tested this hax on my NTSC-U PSOne with a Japanese game called Mad Panic Coaster and a PAL copy of Vib Ribbon.

Vib Ribbon works 100%, both playing the game disc AND music CDs, no security hangups or anything whatsoever. However, the tonyhax menu gets "stuck" at STARTING when I tried to load up Mad Panic Coaster.
 

socram8888

Okay, so I've tested this hax on my NTSC-U PSOne with a Japanese game called Mad Panic Coaster and a PAL copy of Vib Ribbon.

Vib Ribbon works 100%, both playing the game disc AND music CDs, no security hangups or anything whatsoever. However, the tonyhax menu gets "stuck" at STARTING when I tried to load up Mad Panic Coaster.
Thanks for the report, I'll look into it.
 

elBenyo

If only this had a BIOS entry point to pair with so we could coldboot, i.e. an overflow in the save title or loaded through the CD player program (like the 3DS music player's parsing glitch).
 

socram8888

If only this had a BIOS entry point to pair with so we could coldboot, i.e. an overflow in the save title or loaded through the CD player program (like the 3DS music player's parsing glitch).
I've tried that already. The BIOS uses strncpy for the path name. If a save file looks fishy (name too long, too many blocks...) it gets nuked.
 