Tonyhax is a new softmod backup loader for the PlayStation 1


Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data from the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other-region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx's secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation on how tonyhax works are available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check whether a skater profile name has been edited or tampered with in any way. Editing the skater name beyond what the game expects overwrites system memory, which in turn allows custom code to be run.
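The bug class described above (a save-file string copied into a fixed field with no length check) is worth seeing in the abstract. The following C is an added illustration written for this page; it is not tonyhax code, and the 16-byte `name` field, the `profile` struct and the neighbouring fields are hypothetical, not the layout of either game. It puts the naive importer that trusts the save next to a hardened one that refuses a name field with no terminator inside it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical profile record for this example: a fixed name field followed
 * by other data. The 16-byte size and the neighbouring fields are assumptions,
 * not the layout of any real game. */
#define NAME_FIELD_LEN 16

struct profile {
    char name[NAME_FIELD_LEN];
    uint32_t high_score;   /* lives right after name[]; an overrun lands here */
    uint8_t unlocked;      /* and then here */
};

/* Constructed sample save data: the raw name field as it would sit in a save
 * file. The first is a normal, NUL-terminated name; the second fills all
 * 16 bytes with no terminator, as an edited save could. */
static const char GOOD_NAME_FIELD[NAME_FIELD_LEN] = "TONY";
static const char TAMPERED_NAME_FIELD[NAME_FIELD_LEN] = "AAAAAAAAAAAAAAAA";

/* Naive importer: assumes the save's name field is NUL-terminated and copies
 * until it finds one. Fed the tampered field it keeps reading and writing
 * past name[], over high_score and whatever follows (undefined behaviour). */
void import_name_unchecked(struct profile *p, const char *field)
{
    strcpy(p->name, field);   /* trusts untrusted data: the bug the text describes */
}

/* The check the naive importer lacks: is there a terminator inside the field? */
bool name_field_terminated(const char *field, size_t field_len)
{
    return memchr(field, '\0', field_len) != NULL;
}

/* Hardened importer: bounds the scan to the field, rejects unterminated or
 * non-printable names instead of guessing, and copies only what was checked. */
bool import_name_checked(struct profile *p, const char *field, size_t field_len)
{
    if (field_len > NAME_FIELD_LEN || !name_field_terminated(field, field_len))
        return false;
    size_t len = strlen(field);             /* safe: terminator is within field */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)field[i];
        if (c < 0x20 || c > 0x7e)           /* printable ASCII only */
            return false;
    }
    memcpy(p->name, field, len + 1);
    return true;
}

int main(void)
{
    struct profile p = { .high_score = 12345, .unlocked = 0 };
    printf("good field: checked import %s\n",
           import_name_checked(&p, GOOD_NAME_FIELD, NAME_FIELD_LEN) ? "ok" : "rejected");
    printf("tampered field: checked import %s\n",
           import_name_checked(&p, TAMPERED_NAME_FIELD, NAME_FIELD_LEN) ? "ok" : "rejected");
    /* import_name_unchecked(&p, TAMPERED_NAME_FIELD) would overrun the struct. */
    return 0;
}
```

The hardened version deliberately rejects rather than silently truncates: a name that does not fit is evidence the save was not written by the game, and dropping the profile is safer than guessing where it should end.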

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, it sets the video up at a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to show that everything is working up to this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive reports success or returns any other unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it; Socram recommends using a PS2 with Free MCBoot to copy it over. After loading the profile in-game, the exploit will run, and your CD drive will then accept games even if they're burned CD-R backups or games from other regions. Tonyhax works on all PAL PlayStation consoles, the Net Yaroze, and all NTSC-U systems except the original SCPH-1000.

Source
Download Link
 

Acid_Snake

Well-Known Member
Member
Joined
Aug 20, 2019
Messages
348
Trophies
0
Age
28
XP
969
Country
Spain
I have just released v1.1 with the following changelog:
  • New supported games as entry points:
    • BASLUS-00571: Brunswick Circuit Pro Bowling (NTSC-US) (SLUS-00571)
    • BASLUS-00856: Brunswick Circuit Pro Bowling 2 (NTSC-US) (SLUS-00856)
    • BASLUS-01485TNHXG01: Tony Hawk's Pro Skater 4 (NTSC-US) (SLUS-01485)
    • BESLES-01376: Brunswick Circuit Pro Bowling (PAL-EU) (SLES-01376)
    • BESLES-02618: Brunswick Circuit Pro Bowling 2 (PAL-EU) (SLES-02618)
    • BESLES-02909TNHXG01: Tony Hawk's Pro Skater 2 (PAL-FR) (SLES-02909)
    • BESLES-02910TNHXG01: Tony Hawk's Pro Skater 2 (PAL-DE) (SLES-02910)
    • BESLES-03646TNHXG01: Tony Hawk's Pro Skater 3 (PAL-FR) (SLES-03646)
    • BESLES-03647TNHXG01: Tony Hawk's Pro Skater 3 (PAL-DE) (SLES-03647)
    • BESLES-03954TNHXG01: Tony Hawk's Pro Skater 4 (PAL-EU) (SLES-03954)
    • BESLES-03955TNHXG01: Tony Hawk's Pro Skater 4 (PAL-DE) (SLES-03955)
    • BESLES-03956TNHXG01: Tony Hawk's Pro Skater 4 (PAL-FR) (SLES-03956)
  • Restore kernel RAM contents. Fixes booting of Mad Panic Coaster (NTSC-JP) (SLPS-00880) and Formula 1 Championship Edition (NTSC-US) (SLUS-00546)
  • First stage will now display a red screen if it can't find the SPL, instead of crashing.
Available at https://github.com/socram8888/tonyhax/releases/tag/v1.1
You can probably also use Tekken 2 and 3 as well as Sports Superbike 2 (or XS Moto).
We used a buffer overflow in these games to escape the PS1 emulator on PSP/PS Vita.
Here are some writeups:
https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/
https://wololo.net/2015/09/22/exploit-psx-games-psp-vita/

Edit: It might also be possible to exploit the memory card reader in the BIOS with a crafted icon. I remember being able to break the one on the PSP (so the one on the PS1 should be weak too).
 
Last edited by Acid_Snake,

HaloEffect17

Hiya!
Member
Joined
Jul 1, 2015
Messages
1,306
Trophies
1
XP
2,433
Country
Canada
So you have to load up Tony Hawk 2 each time then, right?

--------------------- MERGED ---------------------------

tonyhax author here.

I've had some crazy ideas about maybe creating a custom SD to memory card adapter, since both SD cards and memory cards use standard SPI. It wouldn't be even necessary to open the console or touch anything inside, just an adapter much like on a GC.

For now I'm gonna focus on trying to port this exploit to other games.
Would be great to have Gran Turismo 2 added one day! I don't have the Hawks.
 

Urbanshadow

Well-Known Member
Member
Joined
Oct 16, 2015
Messages
1,524
Trophies
0
Age
31
XP
1,375
Country
Hi, I would like to know how it behaves with multidisc games. Can one backup load the next, or does the softmod have to be reapplied every time? Thank you.
 

socram8888

Well-Known Member
Newcomer
Joined
Apr 6, 2009
Messages
81
Trophies
0
Age
27
Location
Valencia, Spain
Website
orca.pet
XP
498
Country
Spain
v1.1.1 has been released: https://github.com/socram8888/tonyhax/releases/tag/v1.1.1

Changes since v1.1
  • The SPL file has been renamed from "TONYHAX-SPL" to "BESLEM99999-TONYHAX" so it follows the standard naming conventions.
  • Added MCS save files for easier usage on visual, desktop memory card editors.
The reason behind this small release is that a user on Reddit was having issues importing the SPL file on a DexDrive because of the non-standard name. Thus this release changes the name to stick to the standard format every other PS1 game uses for game saves.

This release otherwise doesn't change anything in the code. If v1.1 works well for you, there's no need to update - this version adds no new games nor improves compatibility.

You can probably also use Tekken 2 and 3 as well as Sports Superbike 2 (or XS Moto).
We used a buffer overflow in these games to escape the PS1 emulator on PSP/PS Vita.
Here are some writeups:
https://wololo.net/2015/09/16/playstation-20th-anniversary-psx-exploits-work/
https://wololo.net/2015/09/22/exploit-psx-games-psp-vita/

Edit: It might also be possible to exploit the memory card reader in the BIOS with a crafted icon. I remember being able to break the one on the PSP (so the one on the PS1 should be weak too).
Will have a look for v1.2, thanks!

So you have to load up Tony Hawk 2 each time then, right?

Would be great to have Gran Turismo 2 added one day! I don't have the Hawks.
Yes, that is correct. THPSx have to be loaded each time. This is not a persistent hack.

Hi, I would like to know how it behaves with multidisc games. Can one backup load the next, or does the softmod have to be reapplied every time? Thank you.
You can load the next disc just fine mid-game without having to reboot the console.
 
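The rename in v1.1.1 above is about the save filename convention that card tools key on. As an added example (written for this page, not part of tonyhax or of any memory card tool), here is a small C parser that checks a save name against that convention and splits it into its fields. It assumes the layout commonly documented for PS1 memory card directory entries: a leading 'B', a region letter, a ten-character product code field and a game-specific suffix, at most 20 ASCII characters in total; the 'I' = Japan mapping and the exact field widths are assumptions to verify against the card format documentation you rely on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed PS1 save filename layout for this example:
 *   'B' + region letter + product code field (10 chars) + game-specific suffix,
 *   up to 20 ASCII characters in total. Region letters: A = America,
 *   E = Europe, I = Japan (assumed; check against your card format reference). */
#define SAVE_NAME_MAX 20
#define PRODUCT_CODE_LEN 10

struct save_name {
    char region;                                            /* 'A', 'E' or 'I' */
    char product[PRODUCT_CODE_LEN + 1];                     /* e.g. "SLUS-01485" */
    char suffix[SAVE_NAME_MAX - 2 - PRODUCT_CODE_LEN + 1];  /* e.g. "TNHXG01" */
};

/* Parse a save name and report whether it follows the convention. Names that
 * don't (no leading 'B', unknown region, too long, non-printable characters)
 * are the kind a strict importer can refuse, which is what the rename fixed. */
bool parse_save_name(const char *name, struct save_name *out)
{
    size_t len = strlen(name);
    if (len < 2 || len > SAVE_NAME_MAX) return false;
    if (name[0] != 'B') return false;
    if (name[1] != 'A' && name[1] != 'E' && name[1] != 'I') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c > 0x7e) return false;   /* printable ASCII only */
    }
    memset(out, 0, sizeof *out);
    out->region = name[1];
    size_t prod_len = len - 2 < PRODUCT_CODE_LEN ? len - 2 : PRODUCT_CODE_LEN;
    memcpy(out->product, name + 2, prod_len);
    if (len > 2 + PRODUCT_CODE_LEN)
        memcpy(out->suffix, name + 2 + PRODUCT_CODE_LEN, len - 2 - PRODUCT_CODE_LEN);
    return true;
}

int main(void)
{
    /* Constructed sample: the old and new SPL names from the release note plus
     * two entry-point names from the v1.1 list. */
    const char *samples[] = {
        "TONYHAX-SPL", "BESLEM99999-TONYHAX", "BASLUS-01485TNHXG01", "BASLUS-00571"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct save_name sn;
        if (parse_save_name(samples[i], &sn))
            printf("%-20s ok: region=%c product=%s suffix=%s\n",
                   samples[i], sn.region, sn.product, sn.suffix);
        else
            printf("%-20s does not follow the convention\n", samples[i]);
    }
    return 0;
}
```

Run as-is, the old "TONYHAX-SPL" is rejected because it has no region prefix, while "BESLEM99999-TONYHAX" parses as region E, product field "SLEM99999-" and suffix "TONYHAX". The parser is intentionally lenient about the product code's internal format, since the release note's own name does not use the "XXXX-NNNNN" shape and still imports fine.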

mmz16x

Member
Newcomer
Joined
Jun 5, 2008
Messages
10
Trophies
0
XP
372
Country
United States
Is there any chance that we can load games from the memory card, like the GC Gecko device, since the recently made Memcard Pro from the 8bitmods site allows up to 1TB microSD cards, or is the memory card bus not fast enough for this? It would be a cool feature to maybe boot to the AR device and from there load from the Memcard Pro device in tandem. Just theorizing here :P
 

Shardnax

Well-Known Member
Member
Joined
Aug 23, 2008
Messages
199
Trophies
0
Website
Visit site
XP
310
Country
United States
v1.1.1 has been released: https://github.com/socram8888/tonyhax/releases/tag/v1.1.1

Changes since v1.1
  • The SPL file has been renamed from "TONYHAX-SPL" to "BESLEM99999-TONYHAX" so it follows the standard naming conventions.
  • Added MCS save files for easier usage on visual, desktop memory card editors.
The reason behind this small release is that a user on Reddit was having issues importing the SPL file on a DexDrive because of the non-standard name. Thus this release changes the name to stick to the standard format every other PS1 game uses for game saves.

This release otherwise doesn't change anything in the code. If v1.1 works well for you, there's no need to update - this version adds no new games nor improves compatibility.
I'm unable to get the exploit to run with Brunswick Circuit Pro Bowling (US). I tested it on SCPH-1001 x2, SCPH-9001, and SCPH-101. It hangs on the load screen with the music still playing whenever I try to load the save. I don't have any other compatible games to test with at the moment.

Both versions ran without issue with a PS2.

Edit: I transferred the files from USB with uLaunch.
 
Last edited by Shardnax,

socram8888

Well-Known Member
Newcomer
Joined
Apr 6, 2009
Messages
81
Trophies
0
Age
27
Location
Valencia, Spain
Website
orca.pet
XP
498
Country
Spain
I'm unable to get the exploit to run with Brunswick Circuit Pro Bowling (US). I tested it on SCPH-1001 x2, SCPH-9001, and SCPH-101. It hangs on the load screen with the music still playing whenever I try to load the save. I don't have any other compatible games to test with at the moment.

Both versions ran without issue with a PS2.

Edit: I transferred the files from USB with uLaunch.
I've tried it on an emulator to rule out that I had broken anything with v1.1.1, and it's working fine here. Can you please try removing the tonyhax SPL file and see if you get at least the red screen? That would indicate the first stage is working but it's failing when loading the SPL.
 

ShadowGeist

New Member
Newbie
Joined
Mar 15, 2021
Messages
1
Trophies
0
XP
15
Country
United States
Nice hack. It interests me, the creativity and problem solving associated with these types of exploits.

I assume one could build a disc image of Orion's save manager "PocketStation (Memory Card) Transfer Tool CD" for easy installation of .MCS files through the swap trick. onorisoft.free.fr/psx/psloader.zip
 
Last edited by ShadowGeist,

driverdis

I am Justice
Member
Joined
Sep 21, 2011
Messages
2,845
Trophies
1
Age
29
Location
1.048596β
XP
2,571
Country
United States
  • The SPL file has been renamed from "TONYHAX-SPL" to "BESLEM99999-TONYHAX" so it follows the standard naming conventions.
  • Added MCS save files for easier usage on visual, desktop memory card editors.
Great, now I can use a PC with the PS3 memory card adapter to add the save since it follows normal naming conventions
 

Zaphod77

Well-Known Member
Member
Joined
Aug 25, 2015
Messages
661
Trophies
0
Age
47
XP
580
Country
United States
There are multiple versions of the anti-mod check. The first anti-mod check simply tried to read the protection wobble without actually moving the laser to the proper spot. If this PASSED, the anti-mod check failed. The auto-disabling modchip beat this one.

This unlock code shouldn't affect that. The check will fail like it should.

Later ones do TWO checks: one where they DON'T seek the protection area, and one where it does. This is the one that is likely to cause trouble with the exploit, and may need to be sharked past. This is the one the true stealth chip was made for, which reactivates when the drive is requested to do another protection check.

There is ALSO LibCrypt, but that's not affected by this at all. A proper burn with subchannel data passes, and burns missing the data fail.
 

Shardnax

Well-Known Member
Member
Joined
Aug 23, 2008
Messages
199
Trophies
0
Website
Visit site
XP
310
Country
United States
I've tried it on an emulator to rule out that I had broken anything with v1.1.1, and it's working fine here. Can you please try removing the tonyhax SPL file and see if you get at least the red screen? That would indicate the first stage is working but it's failing when loading the SPL.
Same problem testing with the SCPH-101, it does red screen on the PS2.
 
Last edited by Shardnax,

blindseer

Past Generation Gamer
Member
Joined
Jan 17, 2015
Messages
426
Trophies
0
Location
Earth
XP
423
Country
United States
Same issue with Brunswick Pro Bowling 2 on an SCPH-101: it freezes at load from the memory card with the music playing, or sometimes a black screen. No red screen without the tonyhax file, though.
 
Last edited by blindseer,

Zaphod77

Well-Known Member
Member
Joined
Aug 25, 2015
Messages
661
Trophies
0
Age
47
XP
580
Country
United States
If anyone wants games to test, Dance Dance Revolution 1st Mix (JP) has the simple anti-mod check that you don't need to swap to beat, and 3rd Mix has the more complicated check that normally requires swapping or a GameShark to beat unless you have a stealth chip.
 

elBenyo

Wad of meat.
Member
Joined
Jan 2, 2016
Messages
483
Trophies
0
Age
31
XP
803
Country
United States
What's an endian security issue?



It's not a printer port, it is the 16-bit CPU I/O bus that supports PIO & DMA. There is also a digital audio input that can be mixed with the SPU and an interrupt (IIRC it's shared with the interrupt pin on the game controller ports used by Konami guns).

Mostly it's used by cheat cartridges to hang an 8 bit rom off, but it can do much more than that. There is an official and very rare development tool ethernet adapter used for transferring art from SGI workstations for example.



If you're going to solder in a new BIOS then why bother trying to exploit a game? It would be easier to solder in a chip.

When you are exploiting a buffer overflow and, for example, overwrite the return pointer to jump to a memory address that you control, you need to specify this address in the proper endian because the overflowing data begins at the lower end of that stack. Duh.
 

socram8888

Well-Known Member
Newcomer
Joined
Apr 6, 2009
Messages
81
Trophies
0
Age
27
Location
Valencia, Spain
Website
orca.pet
XP
498
Country
Spain
Same problem testing with the SCPH-101, it does red screen on the PS2.

Same issue with Brunswick Pro Bowling 2 on an SCPH-101: it freezes at load from the memory card with the music playing, or sometimes a black screen. No red screen without the tonyhax file, though.
Now that's odd. Those two exploits worked fine on an emulator, and my SCPH-102 also ran the Brunswick 2 PAL-E version exploit just fine. But you are right that the console chokes with the very same exploit on NTSC-U.

This is going to be hard to fix, since there's nothing I can do other than blindly run stuff on the console until it works, given no$psx works fine with the exploit.
 
D

Deleted User

Guest
Now that's odd. Those two exploits worked fine on an emulator, and my SCPH-102 also ran the Brunswick 2 PAL-E version exploit just fine. But you are right that the console chokes with the very same exploit on NTSC-U.

This is going to be hard to fix, since there's nothing I can do other than blindly run stuff on the console until it works, given no$psx works fine with the exploit.
Could the problem be they're running it on a ps2?
 

smf

Well-Known Member
Member
Joined
Feb 23, 2009
Messages
6,049
Trophies
1
XP
4,825
Country
United Kingdom
When you are exploiting a buffer overflow and, for example, overwrite the return pointer to jump to a memory address that you control, you need to specify this address in the proper endian because the overflowing data begins at the lower end of that stack. Duh.

Well of course you need to store your addresses in the correct endian, but that doesn't explain why it's an "endian security issue" that you can "attack".

If you use the wrong endian in your exploit, then your exploit is broken. Using x86 opcodes instead of MIPS would also not work, but that doesn't make it a "cpu security issue".
 
Last edited by smf,

socram8888

Well-Known Member
Newcomer
Joined
Apr 6, 2009
Messages
81
Trophies
0
Age
27
Location
Valencia, Spain
Website
orca.pet
XP
498
Country
Spain
Could the problem be they're running it on a ps2?
I don't think so, they said it worked fine on a PS2, but failed on a PS1.

The interesting bit is that the buffer allocated for the memory card is a static one. This means it's at a fixed address, not something that will vary between consoles as a dynamically allocated one could between BIOS revisions. Yet it's still failing to work on a real machine. Hm.
disasm.png
 

DarthMotzkus

Well-Known Member
Member
Joined
Jul 10, 2020
Messages
155
Trophies
0
Age
25
Location
Florianópolis - SC, Brasil
XP
491
Country
Brazil
I don't think so, they said it worked fine on a PS2, but failed on a PS1.

The interesting bit is that the buffer allocated for the memory card is a static one. This means it's at a fixed address, not something that will vary between consoles as a dynamically allocated one could between BIOS revisions. Yet it's still failing to work on a real machine. Hm.
I'm waiting for my copy of Brunswick Circuit Pro Bowling 2 to arrive and I'm gonna test it on my PSOne. Meanwhile I can test it on my other modded fat PS1 with a backup. Do you think the modchip will confuse the process, or is it fine?
 