Tonyhax is a new softmod backup loader for the PlayStation 1


Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that has been the case since the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax" because it relies on Tony Hawk's Pro Skater 2 or 3, it loads specially crafted data from the PS1's memory card that "unlocks" the system's disc drive, which then lets you run games from other regions or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses the secret CD unlock commands documented by no$psx to enable loading backups on a totally unmodded, stock PS1.

After "extensive testing", Socram has decided to release the exploit to the public, source code and all. The full project is available on GitHub, and a writeup documenting how tonyhax works is available on their website. According to the creator, the exploit is possible because neither Tony Hawk's Pro Skater 2 nor Tony Hawk's Pro Skater 3 (NTSC or PAL) checks whether a skater profile name in the save has been edited or tampered with in any way. A suitably crafted skater name therefore overwrites system memory, which in turn allows custom code to run.

This first-stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (SPL for short) from an additional save file on the memory card using PS1 BIOS calls. Once loaded, it jumps straight to it.

Because the exploit leaves the console in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…) using the very same calls the ROM executes while booting the console.

After that, the GPU is reset. Once the GPU is ready again, the SPL sets the video mode to 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws a basic border and the program name, confirming that everything has worked up to this point.

With a working screen, it then proceeds to unlock the CD drive so that it accepts discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect one particular error code, and it aborts if the drive instead reports success or returns any other, unexpected error code.

Once the drive is unlocked, the SPL waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. The SPL then reads the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game's main executable.
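The SYSTEM.CNF step above, as an added example that is not tonyhax's own code: a bounded C parser for the file, with the key names, hex encoding and BIOS defaults assumed from the general PS1 boot convention rather than taken from this post, run over a constructed sample.

```c
/* Added example, not tonyhax's own code: a bounded parser for the SYSTEM.CNF
 * file the loader reads before re-initialising the kernel. Key names, hex
 * values and defaults are assumed from the PS1 boot convention, not the post:
 *   BOOT = cdrom:\SLUS_012.34;1  TCB = 4  EVENT = 10  STACK = 801FFFF0
 * Disc contents are untrusted: every copy is bounded, malformed values keep
 * the assumed BIOS defaults (TCB=4, EVENT=16, STACK=801FFF00), unknown keys
 * and over-long lines are ignored. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { char boot[64]; uint32_t tcb, event, stack; } system_cnf_t;

/* Parse 1..8 hex digits; on bad input *out is left untouched and 0 returned. */
static int parse_hex(const char *s, uint32_t *out) {
    uint32_t v = 0; int n = 0;
    for (; *s; s++, n++) {
        int c = tolower((unsigned char)*s);
        if (n >= 8 || !isxdigit(c)) return 0;
        v = (v << 4) | (uint32_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
    }
    return n ? (*out = v, 1) : 0;
}

/* Parse NUL-terminated SYSTEM.CNF text (CRLF or LF line endings). Returns 1
 * only if a usable BOOT path was found; a loader should stop on 0. */
int parse_system_cnf(const char *text, system_cnf_t *cfg) {
    int have_boot = 0;
    cfg->boot[0] = '\0';
    cfg->tcb = 4; cfg->event = 16; cfg->stack = 0x801FFF00u;
    while (*text) {
        char line[128], key[16], val[64]; int used = 0;
        size_t len = strcspn(text, "\r\n");
        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            /* Field widths bound both copies; the trailing check rejects lines
             * with extra tokens or a value that %63s had to truncate. */
            if (sscanf(line, " %15[A-Z] = %63s%n", key, val, &used) == 2
                && line[used + strspn(line + used, " \t")] == '\0') {
                if (!strcmp(key, "BOOT"))       { strcpy(cfg->boot, val); have_boot = 1; }
                else if (!strcmp(key, "TCB"))   parse_hex(val, &cfg->tcb);
                else if (!strcmp(key, "EVENT")) parse_hex(val, &cfg->event);
                else if (!strcmp(key, "STACK")) parse_hex(val, &cfg->stack);
            }
        }
        text += len + strspn(text + len, "\r\n");
    }
    return have_boot;
}

int main(void) {   /* constructed sample, not taken from any real disc */
    const char *s = "BOOT = cdrom:\\SLUS_012.34;1\r\nTCB = 4\r\nEVENT = 10\r\nSTACK = 801FFFF0\r\n";
    system_cnf_t c;
    if (!parse_system_cnf(s, &c)) return 1;
    return printf("boot=%s tcb=%u event=%u stack=%08X\n", c.boot,
                  (unsigned)c.tcb, (unsigned)c.event, (unsigned)c.stack) < 0;
}
```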

You'll need a PS1 memory card with tonyhax on it; Socram recommends copying it over with a PS2 running Free MCBoot. After loading the profile in-game, the exploit boots, and your CD drive will then accept games even if they're burned CD-R backups or from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

Source
Download Link
 

socram8888

Okay, so I've tested this hax on my NTSC-U PSOne with a Japanese game called Mad Panic Coaster and a PAL copy of Vib Ribbon.

Vib Ribbon works 100%, both playing the game disc AND music CDs, no security hangups or anything whatsoever. However, the tonyhax menu gets "stuck" at STARTING when I tried to load up Mad Panic Coaster.
Mad Panic seems to be doing fishy things. In fact I can't even get it to boot reliably on the emulator, with or without tonyhax.
It executes the following BIOS calls:
  • A(39h): InitHeap(0x801F95AC, 0xFFFFEA58) -> init malloc heap with size 0xFFFFEA58, wtf
  • A(72h): CdRemove() (call bugged)
  • A(44h) - FlushCache()
Then it crashes. This last call is made with VSync and DMA interrupts enabled, which according to the documentation is a mistake:
BUG: The FlushCache function contains a handful of opcodes that do use the k0 register without having IRQs disabled at that time, if an IRQ occurs during those opcodes, then the k0 value gets destroyed by the exception handler, causing FlushCache to get trapped in an endless loop.

This could explain why it is so temperamental, as it is a race condition. If this is the reason, there's little I can do from tonyhax.
 

Magnus87

Ohh, nice.
It's always interesting to see old console exploits being released.

Exactly, I also love these kinds of discoveries or creation of tools long after the "demise" of the console.

I wonder if in the not too distant future it could be used to boot PSIO since it needs a modchip
 

raxadian

This is amazing, but both of my PS1s are chipped. Is that printer port some PlayStations have on the back useful for anything?
 

ClancyDaEnlightened

Exploit the cd player, to load code from the memory card

Or create a modded bios, that ignores copy protection



Kind of shocked nobody has attacked the bootrom yet, tbh...


I was thinking the same, either a bootrom exploit, or a custom bios replacement

You can swap bios between ps1 revisions, and it will work; you can run a launch model ps1 bios on a psone slim, though with some simple patches (io port init)

I don't think the ps1 checks the bios, so you can just replace it with a flash chip, with a bios with no copy protection; using a flash chip, it can also be updated if need be

The only other way is to use in-game exploits, since this is still the generation of consoles where game code is completely trusted, and can access and run anything


Plus with psnee I can just use a $3 USD Arduino

https://ebay.to/3bGi9Pj
 

driverdis

I did notice with THPS 3, while testing the exploit on a PS1 that needs a pot adjustment, that frequent read errors due to the drive may cause the exploit to crash or not run. I do have a copy of THPS 2 on the way in better shape than my THPS 3 disc and will be using a different PS1 as well.

I used an SCPH-5501 for this test

Disc rot or scratches may cause the crashes or loading errors on THPS 3, but 2 may be less demanding due to having a simpler menu that takes less data to load in.
 

KentaZX

Mad Panic seems to be doing fishy things. In fact I can't even get it to boot reliably on the emulator, with or without tonyhax.
It executes the following BIOS calls:
  • A(39h): InitHeap(0x801F95AC, 0xFFFFEA58) -> init malloc heap with size 0xFFFFEA58, wtf
  • A(72h): CdRemove() (call bugged)
  • A(44h) - FlushCache()
Then it crashes. This last call is made with VSync and DMA interrupts enabled, which according to the documentation is a mistake:


This could explain why it is so temperamental, as it is a race condition. If this is the reason, there's little I can do from tonyhax.

That's weird. I DID do the swap trick on my PS1 to see if my copy of the game was screwed, but nope, it works just fine.
 

raxadian

Yes, cheat devices use this, and the PS1 flash cartridge PSIO (https://ps-io.com/store/psio-cartridge/)

One of the reasons it was later removed

Cool, I guess it's too slow to connect a hard disk and load games from it?

Actually it's better to do stuff like that on a PS2; all PS1 games work on it, and avoiding using discs means the DVD laser doesn't ruin the CDs. And yes, that was a problem back then.

What do you have to do to connect a hard disk to a PS2 Slim, use the Internet adapter?
 

Retinal_FAILURE

Nice! Off to the process for my SCPH-900x and PSOne Models, the latter of which have difficulty in playing near any retail game. I'll never sell my gameshark for SCPH-1001 models I own though... It's just too good looking to stop using UniROM or maybe not, but time will tell.


tech3475

Cool, I guess it's too slow to connect a hard disk and load games from it?

Actually it's better to do stuff like that on a PS2; all PS1 games work on it, and avoiding using discs means the DVD laser doesn't ruin the CDs. And yes, that was a problem back then.

What do you have to do to connect a hard disk to a PS2 Slim, use the Internet adapter?

On the Slim, AFAIK smb is the only practical option. Although earlier models of the Slim did have the header for an IDE connection. IIRC at some point someone was making mods with special cases to hold a HDD.
 

socram8888

That's weird. I DID do the swap trick on my PS1 to see if my copy of the game was screwed, but nope, it works just fine.
Interesting. No clue.

I reinitialize the kernel, so it could be that I am leaving the console in a different state than the game expects, but I can't figure out exactly what changed.
 

raxadian

On the Slim, AFAIK smb is the only practical option. Although earlier models of the Slim did have the header for an IDE connection. IIRC at some point someone was making mods with special cases to hold a HDD.

Unfortunately the adapter is a bit pricey nowadays, but I have 90% of the games I wanna play burned on DVDs anyway.

ATM I am playing around with my rehacked Wii. A sore spot is how bad the N64 emulation for the Wii is. Thankfully there is both a method of injection into WiiWare and an experimental method to include the service pack for those sweet extra 4 MB of RAM. Not all N64 games work that way but hey, it's a work in progress.
 

Cyan

I wonder if the cd player functionality can be exploited, like freedvdboot
pretty sure there was some way to play backup games on really early ps1s involving the CD player
Yes, you could swap the disc from the CD player on first models.

Go to the CD player, put a game in, block the lid detector. The CD player checks the disc's TOC and stops spinning. Swap the disc, exit the disc player and the new game launches.
The only problem is it's using the original disc's TOC.
Read the next quote below for the proper way to swap with TOC reading.

On the original console I'm sure I used a pen lid and swapped after the boot message when it spins back up. :rofl2:
I used a pen lid for a very short while, but it wasn't stable :cry:
I switched to just a small piece of tape to keep the lid detector in place, and then I could close the lid itself for safety. No more "play with lid open", and I could properly "put the console on its side to help with the laser reading" too, without risking losing the pen lid :P

Hmmm, are you talking about the "PS logo" screen? When the disc gets a slower spin and then spins faster?
That swap method also had the TOC issue, which could be enough for a lot of games as long as you used a big disc as the source, with a lot of tracks, or a disc with one single data track, etc.

You had a very short window of a few milliseconds to swap the disc between the "original disc check" and "TOC reading".
It's checked very, very early at console boot, or when the lid detector is pressed (you can do it with multi-disc games too).

I always do it by feeling and hearing, putting my fingers gently on the block reader and "feeling" the laser head moving; there's a "move" and a "tic tic tic" sound. You do it between them. If you heard the tic, it's too late. If you do it too soon, nothing happens, and you can try again.

Note:
There were silent updates of late SCPH1002 units (probably also other 100x), which had the swap method disabled. I encountered that model once and couldn't do the swap trick at all, with none of the 3 versions.

Oh crap, I don't own a Tony Hawk 2 or 3 original copy. Guess I will try to import one. Finally this came out!
Be sure your "import" is from the same region as your console.
If not, it won't boot; you need a way to boot imports first, which tonyhax allows you to do.
 

socram8888

For your information, so you don't become paranoid about getting copies of THPS 2 and 3, tonyhax v1.1 will also add support for:
  • Tony Hawk's Pro Skater 4, in both European and American releases (apparently there are also French and German versions according to Redump?)
  • Brunswick Circuit Bowling 1 (and maybe 2)
 