Tonyhax is a new softmod backup loader for the PlayStation 1


Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for the Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, it sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to show that everything is working up to this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive reports success or returns another, unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it; Socram recommends using a PS2 and Free MCBoot to copy it over. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

:arrow: Source
:download: Download Link
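The bug class behind the skater-name exploit described above, as an added example that is not tonyhax code or the game's code: a hypothetical profile loader that trusts the save record's name field, beside the bounds-checked version the game lacked. The record layout, the 16-byte field size and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical profile record layout, for illustration only; the real THPS
 * save format is not described on the page. */
#define NAME_FIELD 16              /* assumed fixed-size name field in the record */
struct skater_profile {
    char name[NAME_FIELD];
    uint32_t best_score;
};

/* Vulnerable pattern: the name is trusted to be NUL-terminated inside the
 * field, so an edited record without a terminator overruns `name` and
 * whatever follows it in memory. */
void load_name_unchecked(struct skater_profile *p, const char *record)
{
    strcpy(p->name, record);
}

/* Hardened pattern: look for the terminator inside the fixed field only,
 * accept printable ASCII only, and reject the whole record otherwise.
 * Returns the name length, or -1 when the record must be discarded. */
int load_name_checked(struct skater_profile *p, const uint8_t *record, size_t record_len)
{
    size_t n;
    if (record_len < NAME_FIELD) return -1;            /* truncated record */
    for (n = 0; n < NAME_FIELD && record[n] != '\0'; n++)
        if (record[n] < 0x20 || record[n] > 0x7e) return -1;   /* not printable */
    if (n == NAME_FIELD) return -1;                    /* no terminator in field */
    memcpy(p->name, record, n + 1);
    return (int)n;
}
```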
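The SYSTEM.CNF step of the SPL's boot sequence described above, as an added example that is not tonyhax's own parser: a validating parser for the file's BOOT, TCB, EVENT and STACK lines that refuses to hand malformed parameters to the kernel. The key set and their decimal/hex encodings follow the commonly documented SYSTEM.CNF layout and are an assumption here, as are the sample path and values used to exercise it.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* SYSTEM.CNF boot parameters. Key set and encodings (BOOT path, decimal TCB and
 * EVENT, hexadecimal STACK) are the commonly documented layout, assumed here. */
enum { CNF_TCB, CNF_EVENT, CNF_STACK };
struct system_cnf {
    char boot[64];          /* executable path, e.g. cdrom:\XXXX_000.00;1 */
    unsigned long val[3];   /* indexed by CNF_TCB / CNF_EVENT / CNF_STACK */
    unsigned seen;          /* bit0 BOOT, bit1 TCB, bit2 EVENT, bit3 STACK */
};
static const struct { const char *key; int base; unsigned long max; } NUM_KEYS[3] = {
    {"TCB", 10, 255}, {"EVENT", 10, 255}, {"STACK", 16, 0xFFFFFFFFul}};
/* Trim ASCII spaces from both ends of the span [*p, *p + *n). */
static void trim(const char **p, size_t *n)
{
    while (*n && **p == ' ') { (*p)++; (*n)--; }
    while (*n && (*p)[*n - 1] == ' ') (*n)--;
}
/* Parse SYSTEM.CNF text (CRLF or LF). Returns 0 if BOOT was present and every
 * recognised key was well-formed, -1 otherwise: refuse to boot, never guess. */
int parse_system_cnf(const char *text, struct system_cnf *cnf)
{
    memset(cnf, 0, sizeof *cnf);
    for (const char *line = text; *line; ) {
        size_t len = strcspn(line, "\r\n");
        const char *eq = memchr(line, '=', len);
        if (eq) {
            const char *k = line, *v = eq + 1;
            size_t klen = (size_t)(eq - line), vlen = len - klen - 1;
            trim(&k, &klen);
            trim(&v, &vlen);
            if (klen == 4 && !memcmp(k, "BOOT", 4)) {
                if (vlen == 0 || vlen >= sizeof cnf->boot) return -1;
                memcpy(cnf->boot, v, vlen); cnf->boot[vlen] = '\0'; cnf->seen |= 1;
            } else for (int i = 0; i < 3; i++) {
                if (klen != strlen(NUM_KEYS[i].key) || memcmp(k, NUM_KEYS[i].key, klen)) continue;
                char buf[16], *end;   /* bounded copy so strtoul cannot run past the line */
                if (vlen == 0 || vlen >= sizeof buf || *v == '-' || *v == '+') return -1;
                memcpy(buf, v, vlen); buf[vlen] = '\0'; errno = 0;
                cnf->val[i] = strtoul(buf, &end, NUM_KEYS[i].base);
                if (errno || *end || cnf->val[i] > NUM_KEYS[i].max) return -1;
                cnf->seen |= 2u << i;
            }
        }
        line += len;
        while (*line == '\r' || *line == '\n') line++;   /* skip the line break */
    }
    return (cnf->seen & 1) ? 0 : -1;
}
```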
 

elBenyo

I've tried that already. The BIOS uses strncpy for the path name. If a save file looks fishy (name too long, too many blocks...) it gets nuked.
I'm starting to see how this works. I'm still reading about the kernel's panic handlers. A game seems to be the best entry point to the shell.
 


Leon11

Nice, so now we have all the editions covered.

These are all the possible editions.


KentaZX

Interesting. No clue.

I reinitialize the kernel so it could be that I am leaving the console in a different state than the game expects, but I can't figure out exactly what changed.

sounds like to me there could be other games that can have this kind of a problem...Unless this is the only one and everything else works fine, so no need for a compatibility chart?

Also, so you're releasing a v1.1 soon? Do I have to replace the save file AND the exploit file when it comes out? Or just the exploit file?
 

tech3475

If you watched the Youtube video in the opening post and read the opening post you would know ;).

Sorry, didn't watch the video, only saw the picture which used the 'phat' model so I just wanted to be sure it had been tested on it.

I'm thinking of now getting the LCD display for it, so another reason to verify in case I see one before I could test it myself.

socram8888

sounds like to me there could be other games that can have this kind of a problem...Unless this is the only one and everything else works fine, so no need for a compatibility chart?

Also, so you're releasing a v1.1 soon? Do I have to replace the save file AND the exploit file when it comes out? Or just the exploit file?
I've just had myself an issue loading Formula 1 '97 NTSC, which crashed after displaying the copyright information. I will look further into it.

I omitted some stuff during the initialization, which was enough to get all the games I had at the moment running, but maybe these do need a perfect state during boot. I'll look into it.

v1.1 will be released as soon as I finish adding the games that I am aware are vulnerable, so it should be ready by week. Unless I figure out what is wrong with those games that crash and fix the SPL, there would be very little reason to update, as I'd only be adding new supported games but no extra functionality.
 

raxadian

I bet, in like a month, we end up seeing some homebrew memory card that runs games from n sd card, and it'll be insanely easy. I can see it happening.

I wonder if any other games will be able to use this. Gonna have to check out the local charity shops for one of these games.

Unfortunately PS1 memory cards are too slow and don't have much space. It's technically possible to run an Atari emulator from one, but it's more of a "Because I can" thing.

A PS2 memory card could run Nes games and the PS2 not only has bigger memory cards but is much faster.

But really, with the PS1 hacked you can just run the homebrew from a CD and save data, as long as it's not much data, on the memory card. If you have a PS1 with that port on the back you can do more, like try running a very small Linux OS, but otherwise there is not much point. A PS1 is not a Dreamcast, so the options are limited. Wanna get online? Get a PS2 minimum.

Yeah sorry to keep saying this but the PS2 is better for any homebrew ideas you can have, can run games from a hard disk so no more disc scratching, can play a lot of video and audio files and can even be used as a (slow) media center.

Yes the PS1 is great, but it's like comparing a PSP with a Vita. A Vita can do anything a PSP can do and do it better, thanks to mods and hacking. Sure there are a few games that don't work right, but 100% compatibility is a rare thing.

cashboxz01

Unfortunately PS1 memory cards are too slow and don't have much space. It's technically possible to run an Atari emulator from one, but it's more of a "Because I can" thing.

A PS2 memory card could run Nes games and the PS2 not only has bigger memory cards but is much faster.

But really, with the PS1 hacked you can just run the homebrew from a CD and save data, as long as it's not much data, on the memory card. If you have a PS1 with that port on the back you can do more, like try running a very small Linux OS, but otherwise there is not much point. A PS1 is not a Dreamcast, so the options are limited. Wanna get online? Get a PS2 minimum.

Yeah sorry to keep saying this but the PS2 is better for any homebrew ideas you can have, can run games from a hard disk so no more disc scratching, can play a lot of video and audio files and can even be used as a (slow) media center.

Yes the PS1 is great, but it's like comparing a PSP with a Vita. A Vita can do anything a PSP can do and do it better, thanks to mods and hacking. Sure there are a few games that don't work right, but 100% compatibility is a rare thing.
this. but in terms of ps2, it has ps1 hardware in it specifically for a 1:1 experience. it's not even emulating the games.
 

stranno

Unfortunately PS1 memory cards are too slow and don't have much space. It's technically possible to run an Atari emulator from one, but it's more of a "Because I can" thing.
Playstation 2 Memory Card port (SIO2 interface) to SD adapters have already been done; they're not public yet since they're polishing the hardware and the software (a specially crafted Open PS2 Loader version).

It's waaay slower than the DVD drive (like 3mbps less), but it gives an advantage of 200-300kbps over the USB ports, still slower than the ethernet interface (samba server).

this. but in terms of ps2, it has ps1 hardware in it specifically for a 1:1 experience. it's not even emulating the games.
All PS2 models use some sort of emulation for PS1. Phat models have the main CPU (+ co-processors like the GTE, I guess) as the IOP, and the SPU is already inside the SPU2 (which is just 2 SPUs). The GPU is emulated inside the Graphics Synthesizer; in fact, it has a retro-compatibility mode that disables the z-buffer, perspective correction and texture filtering passes.

blindseer

It's not a common game, but another game that allows you to name and create a profile is Einhander... No idea if it's exploitable, but I figured I'd mention it.

raxadian

It's not a common game, but another game that allows you to name and create a profile is Einhander... No idea if it's exploitable, but I figured I'd mention it.

The thing is not if the game allows you to add a name, but if it checks the character limit. As it's something impossible to do without hacking the save file, some games do not check if the name is over the limit, and that's how this exploit works.
 

KentaZX

I've just had myself an issue loading Formula 1 '97 NTSC, which crashed after displaying the copyright information. I will look further into it.

I omitted some stuff during the initialization, which was enough to get all the games I had at the moment running, but maybe these do need a perfect state during boot. I'll look into it.

v1.1 will be released as soon as I finish adding the games that I am aware are vulnerable, so it should be ready by week. Unless I figure out what is wrong with those games that crash and fix the SPL, there would be very little reason to update, as I'd only be adding new supported games but no extra functionality.

Alright. Also, maybe it was pointless to try, but just for the sake of confirmation, I've tested out ripping and burning the MPC game into a CD-R to see if it'll make a difference. It does not.

Oh yea, the game does load up on Retroarch on the PC with the PCSX ReARMed core just fine. I didn't try doing the tonyhax on it though.