Tonyhax is a new softmod backup loader for the PlayStation 1



Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, it sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it, to which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

:arrow: Source
:download: Download Link
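The bug class described in the opening post (a name field from the memory card used without validation) next to a hardened loader, as an added example that is not the game's or tonyhax's code. The field sizes, struct layout and function names are hypothetical, and the sample records are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical sizes: the page does not give the game's real layout. */
#define CARD_NAME_FIELD 32  /* bytes the save record reserves for the name */
#define RAM_NAME_BUF    16  /* bytes the in-memory profile reserves */

struct profile {
    char name[RAM_NAME_BUF];
    unsigned long next_field;  /* stands in for whatever follows the buffer */
};

/* Unchecked pattern, for comparison only (never called here): it trusts
 * the card data to be short and NUL-terminated. */
void load_name_unchecked(struct profile *p, const char *card_field)
{
    strcpy(p->name, card_field);  /* runs past name[] on an edited record */
}

/* Hardened form: the field is untrusted bytes of a known size. */
int load_name_checked(struct profile *p, const unsigned char *field, size_t field_len)
{
    const unsigned char *nul = memchr(field, 0, field_len);
    size_t len, i;

    if (nul == NULL)
        return -1;                       /* no terminator inside the field */
    len = (size_t)(nul - field);
    if (len == 0 || len >= sizeof p->name)
        return -2;                       /* empty, or will not fit */
    for (i = 0; i < len; i++)
        if (field[i] < 0x20 || field[i] > 0x7e)
            return -3;                   /* not printable ASCII */
    memcpy(p->name, field, len);
    p->name[len] = '\0';
    return 0;
}

/* Constructed sample records, not real save data. */
static const unsigned char good_record[CARD_NAME_FIELD] = "TONY";

int check_edited_record(void)
{
    unsigned char edited[CARD_NAME_FIELD];
    struct profile p = { "", 0x1234UL };

    memset(edited, 'A', sizeof edited);  /* 32 bytes, no terminator */
    return load_name_checked(&p, edited, sizeof edited) == -1
        && p.next_field == 0x1234UL && p.name[0] == '\0';
}
```

Length and character checks stop the overwrite, but they do not detect an edited record that stays within bounds.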
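The SYSTEM.CNF step from the opening post, as an added example that is not tonyhax's own code: a bounds-checked parser for the BOOT, TCB, EVENT and STACK keys. The struct, the function names and the fallback values are assumptions of this example, and the sample file is constructed with a placeholder executable name.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct sysconf {
    char boot[64];                    /* main executable path, plus arguments */
    unsigned long tcb, event, stack;  /* kernel parameters, written in hex */
};
/* Copy src[0..n) into dst without surrounding blanks; -1 if it will not fit. */
static int copy_trim(char *dst, size_t cap, const char *src, size_t n)
{
    while (n && isspace((unsigned char)*src)) { src++; n--; }
    while (n && isspace((unsigned char)src[n - 1])) n--;
    if (n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse len bytes of SYSTEM.CNF text. Returns 0, or -1 on malformed input. */
int parse_system_cnf(const char *buf, size_t len, struct sysconf *out)
{
    const char *p = buf, *end = buf + len;
    /* Fallback values are assumptions made for this example. */
    strcpy(out->boot, "cdrom:\\PSX.EXE;1");
    out->tcb = 4; out->event = 0x10; out->stack = 0x801FFF00UL;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p)), *eq;
        char key[16], val[sizeof out->boot], *stop;
        if (eol == NULL) eol = end;
        eq = memchr(p, '=', (size_t)(eol - p));
        if (eq != NULL) {
            if (copy_trim(key, sizeof key, p, (size_t)(eq - p)) ||
                copy_trim(val, sizeof val, eq + 1, (size_t)(eol - eq - 1)))
                return -1;            /* oversized key or value: reject */
            if (strcmp(key, "BOOT") == 0) {
                strcpy(out->boot, val);   /* val was bounded to boot's size */
            } else if (!strcmp(key, "TCB") || !strcmp(key, "EVENT") || !strcmp(key, "STACK")) {
                unsigned long v;
                if (!isxdigit((unsigned char)val[0])) return -1;
                v = strtoul(val, &stop, 16);
                if (*stop != '\0') return -1;  /* junk after the number */
                if (key[0] == 'T') out->tcb = v;
                else if (key[0] == 'E') out->event = v;
                else out->stack = v;
            }
        }
        p = (eol < end) ? eol + 1 : end;
    }
    return 0;
}
/* Constructed sample; the executable name is a placeholder. */
static const char sample_cnf[] =
    "BOOT = cdrom:\\SLUS_000.00;1\r\nTCB = 4\r\nEVENT = 10\r\nSTACK = 801FFFF0\r\n";
```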
 

segashack

Thanks so much for the information! I really appreciate it. I do have an old PC with an IDE DVD burner that I used in the dreamcast days, maybe I should try that one.
I tried my old IDE drive with a USB adapter on 1x.

Everything got stuck on "loading executable". Tried Jedi Power Battles, Klonoa, and Fighting Force. Have new discs showing up soon so will try those next.
 

SideFFect

Just a quick heads up, after the latest 1.2.1 version, Einhander now works!
Before this, it made it until the "Wait...." text appeared, and then froze there
 

RandomGamerRiven

Thanks to socram8888 this is a real game changer being able to bypass the region lock on PS1 using a PS1 and PS2 console. Fantastic work, really well done.

If possible adding an option to force games into 50Hz or 60Hz regardless of the region of the title that would be great.

Tested on a PAL base model 39003 and works without issue. On my PAL modded with a matrix infinity slim 77003, it said unsupported region Japan with the mod turned off and didn't go any further. On PS2 one YouTuber found out that if you use it with a program called PS1VModeNeg you can force the game into NTSC or PAL video mode. Which is great for unoptimised PAL games that only run at 50Hz

As I can't post a link yet having just signed up here, name of the video where he uses both programs to work together is "Tonyhax - How to enable 50/60hz video modes?" on YouTube.

Sadly I couldn't get it to work for me with the latest version of PS1VModeNeg v1.10 on my PS2, so might need to try an earlier version.

Also tested on an unmodded PAL slim PS1, only given, Wild Arms 2 NTSC/U, Mega Man X5 NTSC/U and Gamera 2000 NTSC/J, but all worked and were all put into 60Hz on an unmodded PAL unit. All were original retail discs.

I run a gaming blog and YouTube channel known as Randomised Gaming, happy to help test the NTSC retail games I have to see which do and don't work. Which games also go into 60Hz and which don't.

I managed to get the homebrew software ImportPlayer Light v2.1 to boot as well, this can be used to force games into 60Hz, but hasn't been updated since 2001 and the forcing on it is rather poor many games are also misaligned on screen badly. If a game crashes via Tonyhax at the moment, might want to try booting ImportPlayer Light v2.1 and then booting the game that might work as a short term fix. Until socram8888 can address the issue.

Great work again socram8888.
 

DarthMotzkus

I tried my old IDE drive with a USB adapter on 1x.

Everything got stuck on "loading executable". Tried Jedi Power Battles, Klonoa, and Fighting Force. Have new discs showing up soon so will try those next.
Apparently it's your ps1 cd driver, it's not reading backups properly, since you're using good media and proper burning method. You can search about calibrating your driver, and see if anything changes. The "Loading executable" has nothing about the exploit, it's trying to read the .exe of the game in the backup disc.
 

socram8888

Spyro 3 1.0 and 1.1 NTSC has this
The Spyro 3 can of worms is one I don't want to open and probably can't fix. That game has multiple executable files and I can only patch the first one that boots.
The Legend of Dragoon has anti-modchip protection, PAL version for sure.
Will have a look at this one. What happens when it is triggered? Do you get that very same screen? I'm asking because I can't emulate that, so I generally have to reverse engineer it, blindly patch it without testing and praying it works.
 

Leon11

The Spyro 3 can of worms is one I don't want to open and probably can't fix. That game has multiple executable files and I can only patch the first one that boots.

Will have a look at this one. What happens when it is triggered? Do you get that very same screen? I'm asking because I can't emulate that, so I generally have to reverse engineer it, blindly patch it without testing and praying it works.

I'm sorry, I don't know because I played with a stealth modchip at the time so the screen wasn't triggered, but I know that it has an anti-modchip check for sure. I found an old reddit topic that confirms that: https://www.reddit.com/r/retrogaming/comments/5zvupu/legend_of_dragoon_wont_run_on_my_ps1/
 

shock44

you most likely forgot to also include the TonyHax SPL save file. look for "tonyhax.mcs" and add it to your memory card
Alright I had to copy over the RAW file of TonyHax actually since I'm using the FreeMcBoot method. Thanks for the help. However, now I'm having another problem. I'm happy the burnt game works, but when I get into a battle there is NO music playing. I read this has to do with CDDA and the only way to get it working would be to swap using a game that has the same amount of tracks as the game you want to play. I'm trying to play Tekken 3. Is there a certain game I could use to get the music tracks to play for this swap exploit?
 

shock44

Okay so now the music is playing during a battle somehow. I switched to my arcade stick controller and I had to hit reset to go back to the title screen. I started up arcade mode again and the music started playing during battles. So not sure if it was that one level I was in at first or what.
Edit: Yea it depends on the level. My guess is that certain songs are on the first track and then other ones are on other tracks cuz now I'm fighting Lei and there's no music again.
 

RandomGamerRiven

Will have a look at this one. What happens when it is triggered? Do you get that very same screen? I'm asking because I can't emulate that, so I generally have to reverse engineer it, blindly patch it without testing and praying it works.

Quite a few of Square Soft's later games use that copy protection. I just tried the Japanese version of Legend of Mana which has it and it triggers the message, just like a rubbish PS2 modchip we had years ago.

The game successfully boots via Tonyhax, then you get a screen of rabbits from the game appear, before the mod chip message plays. If needed I can do a quick video of it, but don't know how much it will help.

Just tried The Legend of Dragoon (NTSC/U) and (NTSC/J) so far no crash for me it got into game, I read a site that said the following gameshark code would get around the protection on Dragoon:

D01BF664 FF52
801BF66E 1000


Didn't need it in my case, could be early printings didn't have it? Unless it happens later in game or was just added for the PAL version. I did find a site where people were talking about how to get round the protect, but I don't think I can link to the site as it handles redumps of game images for preservation. If you search "The Legend of Dragoon mod chip" it will be one of the listings on Google. It shows the same message as the one in Legend of Mana.

I'll check Front Mission 1st and Front Mission 3 to see if they work with Tonyhax both games have crashes added for mod chip protection. 1st will crash when you enter the equipment area in the shop. 3 crashed after finishing the first mission in-game on bad mod-chips. Haven't tested them yet with Tonyhax.

[Edit: Tried Front Mission 1st and that looks like it is working correctly, could enter the shop buy and equip new weapons without issue.]
 

shock44

Okay so now the music is playing during a battle somehow. I switched to my arcade stick controller and I had to hit reset to go back to the title screen. I started up arcade mode again and the music started playing during battles. So not sure if it was that one level I was in at first or what.
Edit: Yea it depends on the level. My guess is that certain songs are on the first track and then other ones are on other tracks cuz now I'm fighting Lei and there's no music again.
Alright! I got the music to play in Lei's stage this time. So I had to burn the game in a different way. I found a tutorial online. Not sure if I'm allowed to discuss the info here so I won't. But if anyone wants to know they can DM me on this website.
 

_47iscool

Amazing that the drive can be unlocked, and then opened multiple times and continue reading the disc. Truly amazing.
Tried it on my SCPH-9001 (USA) with Silent Bomber and it worked flawless.

I would be interested in knowing how it works and how it's possible.
 

Baraksha1

Amazing that the drive can be unlocked, and then opened multiple times and continue reading the disc. Truly amazing.
Tried it on my SCPH-9001 (USA) with Silent Bomber and it worked flawless.

I would be interested in knowing how it works and how it's possible.

He talks quite a bit about how it works on his website's page about it at orca.pet
 

driverdis

I wonder if running the unlock command in PS2 mode (SCPH-3900X and under) will allow booting backup PS2 CD rom (blue disc) games. I don’t even know if it is possible to send this command in PS2 mode.

EDIT: even if this does not manage to boot backups, I wonder if it would at least allow for out of region discs.

The reason I am wondering about this is that PS2 CD games do have a wobble groove with the copy protection string like PS1 games. In fact I watched a video where someone used a PS2 CD game as a hotswap disc for PS1 to get backups to load. Why put the data on the disc if it is not used at all?

I doubt this will be very useful if it did work but some games like Crash Bandicoot: Wrath of Cortex that are on CD would play should this work.
 

DarthMotzkus

I wonder if running the unlock command in PS2 mode (SCPH-3900X and under) will allow booting backup PS2 CD rom (blue disc) games. I don’t even know if it is possible to send this command in PS2 mode.

EDIT: even if this does not manage to boot backups, I wonder if it would at least allow for out of region discs.

The reason I am wondering about this is that PS2 CD games do have a wobble groove with the copy protection string like PS1 games. In fact I watched a video where someone used a PS2 CD game as a hotswap disc for PS1 to get backups to load. Why put the data on the disc if it is not used at all?

I doubt this will be very useful if it did work but some games like Crash Bandicoot: Wrath of Cortex that are on CD would play should this work.

It's impossible man, because, like the GC mode of the Wii, the PS2 has a PSX chipped inside, and when a PS1 title starts, it can't go back to PS2 mode without a console power reset. So it's impossible to access PS2 games in PS1 mode, even then are CD like, because the PS2 stuff is inaccessible.
 

driverdis

It's impossible man, because, like the GC mode of the Wii, the PS2 has a PSX chipped inside, and when a PS1 title starts, it can't go back to PS2 mode without a console power reset. So it's impossible to access PS2 games in PS1 mode, even then are CD like, because the PS2 stuff is inaccessible.

With this, I am not referring to accessing PS1 games in PS2 mode, rather the MECHACON which should be accessible in both modes. The PS2 MECHACON of older models is able to be unlocked via the NoCash code but since the PS2 is in PS1 mode, it would not allow to reboot and try a PS2 CD game since the MECHACON would not be unlocked.

What I am describing would be using the NoCash code while in PS2 mode to boot PS2 CD (blue disc) games. Due to the way the PS2 verifies discs I think all this will accomplish would be to boot out of region PS2 CD games since the region wobble check should be bypassed. Unless I am wrong here and the license data on PS2 CD games is ignored and not used for verification.
 


tech3475

With this, I am not referring to accessing PS1 games in PS2 mode, rather the MECHACON which should be accessible in both modes. The PS2 MECHACON of older models is able to be unlocked via the NoCash code but since the PS2 is in PS1 mode, it would not allow to reboot and try a PS2 CD game since the MECHACON would not be unlocked.

What I am describing would be using the NoCash code while in PS2 mode to boot PS2 CD (blue disc) games. Due to the way the PS2 verifies discs I think all this will accomplish would be to boot out of region PS2 CD games since the region wobble check should be bypassed. Unless I am wrong here and the license data on PS2 CD games is ignored and not used for verification.

Since it’s only possible on older models, wouldn’t getting a HDD be better overall?
 

segashack

Member
Newcomer
Joined
Feb 22, 2021
Messages
14
Trophies
0
Age
38
XP
80
Country
United States
I found a burning method that worked thanks to peoples help.

I am using Data Life Discs and 24x speed and the games will boot and don't stutter.

I can't seem to get Fighting Force (rev 2) to work though, compared it to redump and it matched. Game stays at "loading executable". Converted from multibin to bin with CDMage and also tried Daemon Tools. Anyone have any luck with this title?
 
