​

Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for the Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlocks the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it, to which Socram recommends using a PS2 and Free MCBoot to copy it. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.

Source
Download Link

 

[socram8888]

I thought I wouldn't need to swap games on my PS1 anymore (it's an original launch day SCPH 1002 with swap support), but to my understanding, it's a "swap-loader" method using an original game disc, for non boot swap-compatible consoles.
I thought it was something like PS2 FreeMcBoot directly loading the memory card's exploit, but it's not like that. You always need to play Tony hawk to unlock and "wait for lid", which means it's not compatible with multi-disc games, right ? (No chrono cross, or Parasite eve, which requires disc swapping without saving first)

According to the documentation I based this on, it should work also for games that use multiple discs, unless they reset the CD BIOS:

In the unlocked state, ReadN/ReadS are working for unlicensed CD-Rs, and for imported CDROMs from other regions (both without needing modchips). However there are some cases which may still cause problems: The GetID command (1Ah) does still identify the disc as being unlicensed, same for the Get SCEx Counters test command (19h,05h). And, if a game should happen to send the Reset command (1Ch) for some weird reason, then the BIOS would forget the unlocking, same for games that set the "HCRISD" I/O port bit. On the contrary, opening/closing the drive door does not affect the unlocking state.

Thus, if those multi-CD games limit themselves to use standard BIOS calls and don't do any nasty things, they should work.

 

[playstays_shun]

tonyhax author here.

I've had some crazy ideas about maybe creating a custom SD to memory card adapter, since both SD cards and memory cards use standard SPI. It wouldn't be even necessary to open the console or touch anything inside, just an adapter much like on a GC.

For now I'm gonna focus on trying to port this exploit to other games.

Does the ps1 memory card slot have enough bandwidth to handle something @ passable speeds? i.e. like serial part on DC, or GC memory card?

Wouldn't it require a lot of Swiss like witchcraft?

What's more epic about these hax is the popularity of THPS1+2 remake and the timing

Well the cheap copies have gone quick on ebay.

you think this will really happen? maybe temporarily, but game save exploitable GC games aren't much to boot into Swiss, the cost will drop after some hype.

I also think ps1 has got to be the most popular mod chipped console of all time. its like a coin flip a used ps1 you buy will already have one installed

thats cool no mod chip needed! but still love on psio as don't need a working cd Drive or back up disc.. just SD files. Never the less more ways are always better

PSIO is alright it seems, especially if you want to keep the same model for discs, and I guess MODE having PS1 compatibility now with a QSB, but all in all I think the recent Xstation is still king for the features, its price point, performance + compatibility, and support.

 

[Silent_Gunner]

I got excited for a second, thinking this was a way to get a sort of "soft ODE" for the PS1.

Still neat that there's a method out that doesn't require one to get an art eraser, a spring, and a finger that was said to be taken from King Midas' corpse!

--------------------- MERGED ---------------------------

tonyhax author here.

I've had some crazy ideas about maybe creating a custom SD to memory card adapter, since both SD cards and memory cards use standard SPI. It wouldn't be even necessary to open the console or touch anything inside, just an adapter much like on a GC.

For now I'm gonna focus on trying to port this exploit to other games.

Would it be possible to have this adapter replace the need for the disc drive and the memory card in one fell swoop? To make it act as both an ODE and a memory card that, ideally, could be swapped out in software to have "multiple" memory cards all in Slot 1 as most games prefer it to be?

 

[Alexander1970]

Congratulations,very good Work.


As some already mentioned....
Not only the Exploit will be "skyrocket"..

....also the Prices for the needed original Games......"Collectors Item"....pff........

 

[Silent_Gunner]

Congratulations,very good Work.


As some already mentioned....
Not only the Exploit will be "skyrocket"..

....also the Prices for the needed original Games......"Collectors Item"....pff........

Both of the Lunar games, Persona 2 EP, Tales of Destiny, Tales of Destiny 2 (which is actually Tales of Eternia), the first print run of Dragon Ball Grand Turd: Final Bleh, Valkyrie Profile, etc., all in SEALED MINT CONDITION 100% NEVER OPENED BRAND NEW at the price of selling your soul to AlphaOmegaSin's and Maximilian Dood's collection!

 

[zoogie]

Thank you Mr. Socram. I feel less insecure about hacking a dead system now.

 

[WiiHomebrew+Snes]

Wonder if this would work on a PS2 in ps1 mode? simply because there is still no way to play CD-R backups or different region PS1 games on it without a modchip. Might try after picking up a copy of tony hawk.

 

[cvskid]

This is great but at the same time relies on booting up the original game in order to load the exploit and also don't know how many multi disc games work with this method. Have to take the ps1 laser itself into consideration with it eventually going to stop working and i don't know how easy it is to replace a ps1 laser.

Anyone serious about ps1 or any disc based consoles will most likely want a ODE/optical drive emulator for systems that have one like the Terraonion MODE or The X-Station to futureproof yourself.

 

[WiiHomebrew+Snes]

I don't know how easy it is to replace a ps1 laser.

very easy all things considered. Just the replacements are usually shite

 

[sloppycrap]

Stuff like this is really cool, and I'm glad people work on it.

It's great that people who want to maintain their old hardware have a method to utilize it fully, I just don't want to maintain old hardware myself. I'd much rather just emulate.

 

[leon315]

BUT WHY???????

 

[socram8888]

BUT WHY???????

Why not?

 

[Deleted member 668561]

I wonder if the cd player functionality can be exploited, like freedvdboot

 

[WiiHomebrew+Snes]

I wonder if the cd player functionality can be exploited, like freedvdboot

pretty sure there was some way to play backup games on really early ps1s involving the CD player

 

[MikaDubbz]

BUT WHY???????

It's pretty cool to see an old system suddenly becoming softmoddable having never been so until now. If you happen to have an old PS1 and TH2 or 3 laying around, now suddenly the entire console's library becomes open to you to play natively on the actual hardware. I think that's really awesome.

 

[cvskid]

Better get a copies of THPS2 and THPS3 while you can. Prices are gonna spike up for the games now.

 

[Deleted member 668561]

pretty sure there was some way to play backup games on really
early ps1s involving the CD player

Exploit the cd player, to load code from the memory card

Or create a modded bios, that ignores copy protection

 

[Julie_Pilgrim]

Thps2 and thps3 boutta become the next cubic ninja

 

[Deleted member 194275]

People saying that the Tony Hawk game prices would go up, and that's may happen in short term, but I remind you that the code went open source just now, so more people will start to mess with it and more games should be discovered as exploitable (I think PS1 has like 8000 games).

Also, this is not the definitive solution for the so-called ultimate PS1. Ultimate PS1 should have an ODE, period. (I really mean that, discs die fast, unlike flash memory).

 

[freestile]

Inredible!! I remember getting into swap magic and the little port thing you would plug into the back serial port.
Never actually installed a real mod chip to say, but this is super dope. I have like 4 still and I have the mini one too,
so actually I think I have about 5 original psx's to try this with. Hehe....