Tonyhax is a new softmod backup loader for the PlayStation 1


Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx's secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first-stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (SPL for short) from an additional save file on the memory card using PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the SPL sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name so the user knows everything is working fine up to this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive reports success or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.
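The SYSTEM.CNF step above, as an added example that is not tonyhax's own code: a small fail-closed parser for the four keys a PS1 disc's SYSTEM.CNF carries (BOOT, TCB, EVENT, STACK), which is what a loader needs before reinitializing the kernel and running the main executable. The struct, the names parse_system_cnf and parse_sample, and reading all three numeric fields as hex are my assumptions; the sample file text is constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Boot parameters a PS1 SYSTEM.CNF carries; the struct is mine, not tonyhax's */
typedef struct {
    char boot[64];       /* BOOT  = cdrom:\SLUS_123.45;1, path of the main executable */
    unsigned int tcb;    /* TCB   = number of task control blocks */
    unsigned int event;  /* EVENT = number of event control blocks */
    unsigned int stack;  /* STACK = initial stack pointer */
} psx_cnf;
/* Strip surrounding whitespace (including CR) in place; returns the start */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}
/* Returns 1 on success, 0 (fail closed) when BOOT is missing, a line is
 * malformed or a key is unknown. Numeric fields are read as hex (assumption). */
int parse_system_cnf(const char *text, psx_cnf *out) {
    char line[128];
    int have_boot = 0;
    memset(out, 0, sizeof *out);
    while (*text) {
        size_t n = strcspn(text, "\r\n");            /* one line, CRLF or LF */
        if (n >= sizeof line) return 0;              /* over-long line: reject */
        memcpy(line, text, n); line[n] = '\0';
        text += n; while (*text == '\r' || *text == '\n') text++;
        char *eq = strchr(line, '=');
        if (!eq) { if (*trim(line)) return 0; continue; } /* blank lines are fine */
        *eq = '\0';
        char *key = trim(line), *val = trim(eq + 1);
        if (strcmp(key, "BOOT") == 0) {
            if (strlen(val) >= sizeof out->boot) return 0;  /* bounded copy */
            strcpy(out->boot, val); have_boot = 1;
        } else if (strcmp(key, "TCB") == 0)   out->tcb   = (unsigned)strtoul(val, NULL, 16);
        else if (strcmp(key, "EVENT") == 0)   out->event = (unsigned)strtoul(val, NULL, 16);
        else if (strcmp(key, "STACK") == 0)   out->stack = (unsigned)strtoul(val, NULL, 16);
        else return 0;
    }
    return have_boot;
}
/* Constructed sample in the CRLF layout discs use; NULL if parsing fails */
const psx_cnf *parse_sample(void) {
    static psx_cnf cfg;
    const char *s = "BOOT = cdrom:\\SLUS_123.45;1\r\nTCB = 4\r\nEVENT = 10\r\nSTACK = 801fff00\r\n";
    return parse_system_cnf(s, &cfg) ? &cfg : NULL;
}
```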

You'll need a PS1 memory card with tonyhax on it, for which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

 

socram8888

Okay, so I've tested this hax on my NTSC-U PSOne with a Japanese game called Mad Panic Coaster and a PAL copy of Vib Ribbon.

Vib Ribbon works 100%, both playing the game disc AND music CDs, no security hangups or anything whatsoever. However, the tonyhax menu gets "stuck" at STARTING when I tried to load up Mad Panic Coaster.
Mad Panic seems to be doing fishy things. In fact I can't even get it to boot reliably on the emulator, with or without tonyhax.
It executes the following BIOS calls:
  • A(39h): InitHeap(0x801F95AC, 0xFFFFEA58) -> init malloc heap with size 0xFFFFEA58, wtf
  • A(72h): CdRemove() (call bugged)
  • A(44h): FlushCache()
Then crashes. This last call is made with Vsync and DMA interrupts enabled, which according to documentation is a mistake:
BUG: The FlushCache function contains a handful of opcodes that do use the k0 register without having IRQs disabled at that time, if an IRQ occurs during those opcodes, then the k0 value gets destroyed by the exception handler, causing FlushCache to get trapped in an endless loop.

This could explain why it is so temperamental, as it is a race condition. If this is the reason, there's little I can do from tonyhax.
 

Magnus87

Ohh, nice.
It's always interesting to see old console exploits being released.

Exactly, I also love these kinds of discoveries or creation of tools long after the "demise" of the console.

I wonder if in the not too distant future it could be used to boot PSIO since it needs a modchip
 

raxadian

This is amazing but both of my PS1 are chipped. Is that printer port some Playstations have on the back useful for anything?
 

ClancyDaEnlightened

Exploit the cd player, to load code from the memory card

Or create a modded bios, that ignores copy protection



Kind of shocked nobody has attacked the bootrom yet, tbh...


I was thinking the same, either a bootrom exploit or a custom BIOS replacement.

You can swap BIOSes between PS1 revisions and it will work; you can run a launch-model PS1 BIOS on a PSone slim, though with some simple patches (I/O port init).

I don't think the PS1 checks the BIOS, so you can just replace it with a flash chip carrying a BIOS with no copy protection; using a flash chip, it can also be updated if need be.

The only other way is to use in-game exploits, since this is still the generation of consoles where game code is completely trusted and can access and run anything.


Plus with psnee I can just use a $3usd arduino

https://ebay.to/3bGi9Pj
 

driverdis

I did notice with THPS 3 while testing the exploit on a PS1 that needs a pot adjustment that frequent read errors due to the drive may cause the exploit to crash or not run. I do have a copy of THPS 2 on the way in better shape than my THPS 3 disc and will be using a different PS1 as well.

I used an SCPH-5501 for this test.

Disc rot or scratches may cause the crashes or loading errors on THPS 3, but 2 may be less demanding due to having a simpler menu that takes less data to load in.
 

KentaZX

Mad Panic seems to be doing fishy things. In fact I can't even get it to boot reliably on the emulator, with or without tonyhax.
It executes the following BIOS calls:
  • A(39h): InitHeap(0x801F95AC, 0xFFFFEA58) -> init malloc heap with size 0xFFFFEA58, wtf
  • A(72h): CdRemove() (call bugged)
  • A(44h): FlushCache()
Then crashes. This last call is made with Vsync and DMA interrupts enabled, which according to documentation is a mistake:


This could explain why it is so temperamental, as it is a race condition. If this is the reason, there's little I can do from tonyhax.

That's weird. I DID do the swap trick on my PS1 to see if my copy of the game was screwed, but nope, it works just fine.
 

raxadian

Yes, cheat devices use this, and the ps1 flash cartridge psio (https://ps-io.com/store/psio-cartridge/)

One of the reasons it was later removed

Cool, I guess it's too slow to connect a hard disk and load games from it?

Actually it's better to do stuff like that on a PS2: all PS1 games work on it, and avoiding using discs means the DVD laser doesn't ruin the CDs. And yes, that was a problem back then.

What do you have to do to connect a Hard disc to a PS2 slim, use the Internet adapter?
 

Retinal_FAILURE

Nice! Off to the process for my SCPH-900x and PSOne Models, the latter of which have difficulty in playing near any retail game. I'll never sell my gameshark for SCPH-1001 models I own though... It's just too good looking to stop using UniROM or maybe not, but time will tell.


tech3475

Cool, I guess it's too slow to connect a hard disk and load games from it?

Actually it's better to do stuff like that on a PS2: all PS1 games work on it, and avoiding using discs means the DVD laser doesn't ruin the CDs. And yes, that was a problem back then.

What do you have to do to connect a Hard disc to a PS2 slim, use the Internet adapter?

On the Slim, AFAIK smb is the only practical option. Although earlier models of the Slim did have the header for an IDE connection. Iirc at some point someone was making mods with special cases to hold a HDD.
 

socram8888

That's weird. I DID do the swap trick on my PS1 to see if my copy of the game was screwed, but nope, it works just fine.
Interesting. No clue.

I reinitialize the kernel, so it could be that I am leaving the console in a different state than the game expects, but I can't figure out exactly what changed.
 

raxadian

On the Slim, AFAIK smb is the only practical option. Although earlier models of the Slim did have the header for an IDE connection. Iirc at some point someone was making mods with special cases to hold a HDD.

Unfortunately the adapter is a bit pricey nowadays, but I have 90% of the games I wanna play burned on DVDs anyway.

ATM I am playing around with my rehacked Wii. A sore spot is how bad the N64 emulation for the Wii is. Thankfully there is both a method for injection into WiiWare and an experimental method to include the service pack for those sweet extra 4 MB of RAM. Not all N64 games work that way, but hey, it's a work in progress.
 

Cyan

I wonder if the cd player functionality can be exploited, like freedvdboot
pretty sure there was some way to play backup games on really early ps1s involving the CD player
Yes, you could swap the disc from the CD player on first models.

Go to the CD player, put in a game, block the lid detector. The CD player checks the disc's TOC and stops spinning. Swap the disc, exit the CD player and the new game launches.
The only problem is it's using the original disc's TOC.
Read the next quote below for the proper way to swap with TOC reading.

On the original console I’m sure I used a pen lid and swapped after the boot message when it spins back up. :rofl2:
I used a pen lid for a very short while, but it wasn't stable :cry:
I switched to just a small piece of tape to keep the lid detector in place, and then I could close the lid itself for safety. No more "play with lid open", and I could properly "put the console on its side to help with the laser reading" too, without risking losing the pen lid :P

Hmmm, are you talking about the "PS logo" screen? When the disc gets a slower spin and then spins faster?
That swap method also had the TOC issue, which could be enough for a lot of games as long as you used a big disc as the source, with lots of tracks, or a disc with one single data track, etc.

You had a very short window of a few milliseconds to swap the disc between "original disc check" and "TOC reading".
It's checked very, very early at console boot, or when the lid detector is pressed (you can do it with multi-disc games too).

I always do it by feeling and hearing, putting my fingers gently on the block reader and "feeling" the laser head moving; there's a "move" and a "tic tic tic" sound. You do it between them. If you heard the tic, it's too late. If you do it too soon, nothing happens, and you can try again.

Note:
There were silent updates of late SCPH-1002 units (probably also other 100x models) which had the swap method disabled. I encountered that model once, and couldn't do the swap trick at all, with any of the 3 versions.

Oh crap, I don't own a Tony Hawk 2 or 3 original copy. Guess I will try to import one. Finally this came out!
Be sure your "import" is from the same region as your console.
If not, it'll not boot; you need a way to boot imports first, which tonyhax allows you to do.
 

socram8888

For your information, so you don't become paranoid about getting copies of THPS 2 and 3, tonyhax v1.1 will also add support for:
  • Tony Hawk's Pro Skater 4, in both European and American releases (apparently there are also French and German versions according to redump?)
  • Brunswick Circuit Bowling 1 (and maybe 2)
 