​

Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for the Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlocks the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it, to which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

Source
Download Link

 

[socram8888]

Alright. Also, maybe it was pointless to try, but just for the sake of confirmation, I've tested out ripping and burning the MPC game into a CD-R to see if it'll make a difference. It does not.

Oh yea, the game does load up on Retroarch on the PC with the PCSX rearmed core just fine. I didnt try doing the tonyhax on it though.

Alright, bug is fixed and upcoming v1.1 will support loading that game: https://github.com/socram8888/tonyhax/commit/d92ee7163f091b85f3ef38ff203541f42c2fe886

It turns out THPS was mangling somehow part of the kernel memory - a part of the kernel that apparently newer games (Tony Hawk's, Spyro, Hogs of War, Harry Potter...) don't use, but older (such as that one or F1 '97) do. I still need to check different BIOSes, to check if the place I am coping data from is identical to other regions and versions, but at least on my SCPH-102 works now.

 

[KentaZX]

Alright, bug is fixed and upcoming v1.1 will support loading that game: https://github.com/socram8888/tonyhax/commit/d92ee7163f091b85f3ef38ff203541f42c2fe886

It turns out THPS was mangling somehow part of the kernel memory - a part of the kernel that apparently newer games (Tony Hawk's, Spyro, Hogs of War, Harry Potter...) don't use, but older (such as that one or F1 '97) do. I still need to check different BIOSes, to check if the place I am coping data from is identical to other regions and versions, but at least on my SCPH-102 works now.

awsome! That was quick.

 

[raxadian]

Once more I gotta say this is fantastic.

 

[smf]

Me too, I'll take a look after work. Maybe there's obvious endian security issues I could attack.

What's an endian security issue?

This is amazing but both of my PS1 are chipped. Is that printer port some Playstations have on the back useful for anything?

It's not a printer port, it is the 16 bit cpu io bus that supports pio & dma. There is also a digital audio input that can be mixed with the spu and an interrupt (IIRC it's shared with the interrupt pin on the game controller ports used by konami guns).

Mostly it's used by cheat cartridges to hang an 8 bit rom off, but it can do much more than that. There is an official and very rare development tool ethernet adapter used for transferring art from SGI workstations for example.

You can swap bios between ps1 revisions, and will work

If you're going to solder in a new bios then why bother trying to exploit a game? It would be easier to solder in a chip.

 

[Deleted member 668561]

What's an endian security issue?



It's not a printer port, it is the 16 bit cpu io bus that supports pio & dma. There is also a digital audio input that can be mixed with the spu and an interrupt (IIRC it's shared with the interrupt pin on the game controller ports used by konami guns).

Mostly it's used by cheat cartridges to hang an 8 bit rom off, but it can do much more than that. There is an official and very rare development tool ethernet adapter used for transferring art from SGI workstations for example.



If you're going to solder in a new bios then why bother trying to exploit a game? It would be easier to solder in a chip.

Obviously I'm referring to the attacking or replacing the bios not a game, this would allow homebrew code at startup

 

[driverdis]

Why can't someone use the PS3's memory card adapter to copy the hack onto a memory card? Does it really require a hacked PS2 to absolutely copy it onto the card itself?

i tried this and was able to copy the main game save but not the exploit itself as the program I am using (PSX memory card manager) allows copying saves to and from the card but requires additional naming info for the exploit file and I can’t seem to get it to not end up renamed when copied to the card.
http://onorisoft.free.fr/retro.htm?psx/psx.htm

--------------------- MERGED ---------------------------

No, this hack tells the drive to tell lie to the console and say the protection check passed, while still reading the new TOC.

I'm amazed if this even beats anti-mod games.

this should as anti mod games are dumb and check if a modchip is reporting the license string over and over like the non stealth chips do. Of course some like Spyro 3 still needs to be patched as it checks wobble and other stuff while playing.

 

[raxadian]

If you're going to solder in a new bios then why bother trying to exploit a game? It would be easier to solder in a chip.

True.

The whole objective is a softmod aka not modding the hardware.

 

[socram8888]

Of course some like Spyro 3 still needs to be patched as it checks wobble and other stuff while playing.

I've tried Spyro 3 and it didn't trigger the antipiracy. In fact, to my knowledge Spyro 3 doesn't check for the presence of the SCEx string in the inner sectors, but rather the absence on outer sectors.

 

[smf]

I've tried Spyro 3 and it didn't trigger the antipiracy. In fact, to my knowledge Spyro 3 doesn't check for the presence of the SCEx string in the inner sectors, but rather the absence on outer sectors.

Anti piracy is basically checking for dodgy rips (libcrypt) and checking that SCEx is not being generated by a mod chip all over the disc.

 

[socram8888]

I have just released v1.1 with the following changelog:

• New supported games as entry points:
  • BASLUS-00571: Brunswick Circuit Pro Bowling (NTSC-US) (SLUS-00571)
  • BASLUS-00856: Brunswick Circuit Pro Bowling 2 (NTSC-US) (SLUS-00856)
  • BASLUS-01485TNHXG01: Tony Hawk's Pro Skater 4 (NTSC-US) (SLUS-01485)
  • BESLES-01376: Brunswick Circuit Pro Bowling (PAL-EU) (SLES-01376)
  • BESLES-02618: Brunswick Circuit Pro Bowling 2 (PAL-EU) (SLES-02618)
  • BESLES-02909TNHXG01: Tony Hawk's Pro Skater 2 (PAL-FR) (SLES-02909)
  • BESLES-02910TNHXG01: Tony Hawk's Pro Skater 2 (PAL-DE) (SLES-02910)
  • BESLES-03646TNHXG01: Tony Hawk's Pro Skater 3 (PAL-FR) (SLES-03646)
  • BESLES-03647TNHXG01: Tony Hawk's Pro Skater 3 (PAL-DE) (SLES-03647)
  • BESLES-03954TNHXG01: Tony Hawk's Pro Skater 4 (PAL-EU) (SLES-03954)
  • BESLES-03955TNHXG01: Tony Hawk's Pro Skater 4 (PAL-DE) (SLES-03955)
  • BESLES-03956TNHXG01: Tony Hawk's Pro Skater 4 (PAL-FR) (SLES-03956)
• Restore kernel RAM contents. Fixes booting of Mad Panic Coaster (NTSC-JP) (SLPS-00880) and Formula 1 Championship Edition (NTSC-US) (SLUS-00546)
• First stage will now display a red screen if it can't find the SPL, instead of crashing.

Available at https://github.com/socram8888/tonyhax/releases/tag/v1.1

 

[limpbiz411]

I have just released v1.1 with the following changelog:

• New supported games as entry points:
  • BASLUS-00571: Brunswick Circuit Pro Bowling (NTSC-US) (SLUS-00571)
  • BASLUS-00856: Brunswick Circuit Pro Bowling 2 (NTSC-US) (SLUS-00856)
  • BASLUS-01485TNHXG01: Tony Hawk's Pro Skater 4 (NTSC-US) (SLUS-01485)
  • BESLES-01376: Brunswick Circuit Pro Bowling (PAL-EU) (SLES-01376)
  • BESLES-02618: Brunswick Circuit Pro Bowling 2 (PAL-EU) (SLES-02618)
  • BESLES-02909TNHXG01: Tony Hawk's Pro Skater 2 (PAL-FR) (SLES-02909)
  • BESLES-02910TNHXG01: Tony Hawk's Pro Skater 2 (PAL-DE) (SLES-02910)
  • BESLES-03646TNHXG01: Tony Hawk's Pro Skater 3 (PAL-FR) (SLES-03646)
  • BESLES-03647TNHXG01: Tony Hawk's Pro Skater 3 (PAL-DE) (SLES-03647)
  • BESLES-03954TNHXG01: Tony Hawk's Pro Skater 4 (PAL-EU) (SLES-03954)
  • BESLES-03955TNHXG01: Tony Hawk's Pro Skater 4 (PAL-DE) (SLES-03955)
  • BESLES-03956TNHXG01: Tony Hawk's Pro Skater 4 (PAL-FR) (SLES-03956)
• Restore kernel RAM contents. Fixes booting of Mad Panic Coaster (NTSC-JP) (SLPS-00880) and Formula 1 Championship Edition (NTSC-US) (SLUS-00546)
• First stage will now display a red screen if it can't find the SPL, instead of crashing.

Available at https://github.com/socram8888/tonyhax/releases/tag/v1.1

sweet, thank you.

 

[caitsith2]

What I like about this soft mod, is that any game that is exploitable can be made to load the tonyhax memory card payload and run it.

 

[StrayGuitarist]

Woah, kickass. I've already got an I/O cheat device in mine that lets me play imports/backups, but I know some people who'd be very interested in this.. Now to find a copy of THPS2...

 

[DarthMotzkus]

I have just released v1.1 with the following changelog:

• New supported games as entry points:
  • BASLUS-00571: Brunswick Circuit Pro Bowling (NTSC-US) (SLUS-00571)
  • BASLUS-00856: Brunswick Circuit Pro Bowling 2 (NTSC-US) (SLUS-00856)
  • BASLUS-01485TNHXG01: Tony Hawk's Pro Skater 4 (NTSC-US) (SLUS-01485)
  • BESLES-01376: Brunswick Circuit Pro Bowling (PAL-EU) (SLES-01376)
  • BESLES-02618: Brunswick Circuit Pro Bowling 2 (PAL-EU) (SLES-02618)
  • BESLES-02909TNHXG01: Tony Hawk's Pro Skater 2 (PAL-FR) (SLES-02909)
  • BESLES-02910TNHXG01: Tony Hawk's Pro Skater 2 (PAL-DE) (SLES-02910)
  • BESLES-03646TNHXG01: Tony Hawk's Pro Skater 3 (PAL-FR) (SLES-03646)
  • BESLES-03647TNHXG01: Tony Hawk's Pro Skater 3 (PAL-DE) (SLES-03647)
  • BESLES-03954TNHXG01: Tony Hawk's Pro Skater 4 (PAL-EU) (SLES-03954)
  • BESLES-03955TNHXG01: Tony Hawk's Pro Skater 4 (PAL-DE) (SLES-03955)
  • BESLES-03956TNHXG01: Tony Hawk's Pro Skater 4 (PAL-FR) (SLES-03956)
• Restore kernel RAM contents. Fixes booting of Mad Panic Coaster (NTSC-JP) (SLPS-00880) and Formula 1 Championship Edition (NTSC-US) (SLUS-00546)
• First stage will now display a red screen if it can't find the SPL, instead of crashing.

Available at https://github.com/socram8888/tonyhax/releases/tag/v1.1

WOW! That's nice, congratulations for this awesome work!
There will be more exploitable titles? Any spoiler about that? I really wish to any of my titles can do the trick. Unfortunately here in Brazil it's very rare to found original discs of psx, and import from ebay or else it's so much expensive due to the customs unbelievable tax tables. But i have some original copys, maybe they can be exploitable at some point. There's any standard at this hack you can point to us, so we can know which titles won't be exploitable ever? Or the possibilities is too big?

 

[driverdis]

I've tried Spyro 3 and it didn't trigger the antipiracy. In fact, to my knowledge Spyro 3 doesn't check for the presence of the SCEx string in the inner sectors, but rather the absence on outer sectors.

I was referring to patching the game if you play a backup copy. Spyro 3 should not trigger the console modified screen but should cause the lost gems,eggs and other anti-piracy measures to activate with a backup disc.

I do wonder if Spyro 3 on an original disc will fail the anti-piracy checks that are done while playing after the unlock commands are sent to the drive.

I put a push button modchip toggle on my scph-1001 to disable the modchip after booting and this is enough to pass the main antimod screen for Spyro 3 on both original and backup discs.

 

[CeeDee]

This is cool as shit. But... question... why do you need a PS1 soft mod if Tony Hawk's Pro Skater is the only PS1 game you really need in your life?

 

[KentaZX]

I have just released v1.1 with the following changelog:

• New supported games as entry points:
  • BASLUS-00571: Brunswick Circuit Pro Bowling (NTSC-US) (SLUS-00571)
  • BASLUS-00856: Brunswick Circuit Pro Bowling 2 (NTSC-US) (SLUS-00856)
  • BASLUS-01485TNHXG01: Tony Hawk's Pro Skater 4 (NTSC-US) (SLUS-01485)
  • BESLES-01376: Brunswick Circuit Pro Bowling (PAL-EU) (SLES-01376)
  • BESLES-02618: Brunswick Circuit Pro Bowling 2 (PAL-EU) (SLES-02618)
  • BESLES-02909TNHXG01: Tony Hawk's Pro Skater 2 (PAL-FR) (SLES-02909)
  • BESLES-02910TNHXG01: Tony Hawk's Pro Skater 2 (PAL-DE) (SLES-02910)
  • BESLES-03646TNHXG01: Tony Hawk's Pro Skater 3 (PAL-FR) (SLES-03646)
  • BESLES-03647TNHXG01: Tony Hawk's Pro Skater 3 (PAL-DE) (SLES-03647)
  • BESLES-03954TNHXG01: Tony Hawk's Pro Skater 4 (PAL-EU) (SLES-03954)
  • BESLES-03955TNHXG01: Tony Hawk's Pro Skater 4 (PAL-DE) (SLES-03955)
  • BESLES-03956TNHXG01: Tony Hawk's Pro Skater 4 (PAL-FR) (SLES-03956)
• Restore kernel RAM contents. Fixes booting of Mad Panic Coaster (NTSC-JP) (SLPS-00880) and Formula 1 Championship Edition (NTSC-US) (SLUS-00546)
• First stage will now display a red screen if it can't find the SPL, instead of crashing.

Available at https://github.com/socram8888/tonyhax/releases/tag/v1.1

Damn you're fast! I've just tested Mad panic coaster again and I can confirm its working now. Thank you.

 

[nl255]

WOW! That's nice, congratulations for this awesome work!
There will be more exploitable titles? Any spoiler about that? I really wish to any of my titles can do the trick. Unfortunately here in Brazil it's very rare to found original discs of psx, and import from ebay or else it's so much expensive due to the customs unbelievable tax tables. But i have some original copys, maybe they can be exploitable at some point. There's any standard at this hack you can point to us, so we can know which titles won't be exploitable ever? Or the possibilities is too big?

Essentially you need a game that allows text input by the user and saves said text to the memory card but does not check the length of said text when loading a saved game before putting it in a buffer, in other words it is a classic buffer overrun exploit. There is a list of games that are known to be either not exploitable or unlikely to ever be exploitable on the main Tonyhax site at the "source" link. Since the PS1 is an older system without any of the modern stuff intended to prevent such exploits (ASLR/NX/stack canaries/etc) I would suggest taking a look at the classic paper, "Smashing the Stack for Fun and Profit" if you want to know more on how to find such exploits. Note that knowledge of assembly language is required to do so.

 

[Lunar]

I wonder if it's possible to make an iso that writes the exploit to the card, making it so you would use the disk-swap method for the first boot and not have to worry about it again. I don't have a ps2 available and the only USB adapters I'm finding for the ps1 card are >70 USD. At that point you could just buy and hack a ps2 for less money.

 

[socram8888]

I wonder if it's possible to make an iso that writes the exploit to the card, making it so you would use the disk-swap method for the first boot and not have to worry about it again. I don't have a ps2 available and the only USB adapters I'm finding for the ps1 card are >70 USD. At that point you could just buy and hack a ps2 for less money.

It's indeed a possibility and shouldn't be too hard. I plan on doing that at some point but that'd be an entirely different project.

Spyro 3 should not trigger the console modified screen but should cause the lost gems,eggs and other anti-piracy measures to activate with a backup disc.

Yeah I know. Those lost gems etc are caused not by an anti-piracy measure but by an anti-crack check - ie if you modify the executable. Since the executable isn't modified, it is not triggered.

I've tried with both my original Spyro 3 and a copy of it and again, I can confirm Zoe doesn't complain about me using a pirated copy.