Tonyhax is a new softmod backup loader for the PlayStation 1



Those wanting to take their original PlayStation to the next level usually needed to open up the system and install a modchip; that's been common knowledge since even the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it utilizes Tony Hawk's Pro Skater 2 or 3, it loads specific data off of the PS1's memory card that "unlocks" the system's disc drive, which then lets you run other region games or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After "extensive testing", Socram has decided to release their exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation as to how tonyhax works is available on their website. The creator says that the exploit is possible because in either Tony Hawk's Pro Skater 2 or Tony Hawk's Pro Skater 3 (NTSC or PAL), the game doesn't check if a skater profile name has been edited or messed with in any way. Should you edit the skater name in a dramatic way, it overwrites the memory of the system, which in turn allows custom code to be run.

This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.

After that, the GPU is reset. Once the GPU is ready again, the SPL sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to know everything is working fine until this point.

With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game’s main executable.

You'll need a PS1 memory card with tonyhax on it; Socram recommends using a PS2 and Free MCBoot to copy it over. After loading the profile in-game, the exploit will boot up, and your CD drive will then accept games, even if they're burned CD-R backups, or games from other regions. Tonyhax works on all PAL PlayStation consoles, NetYaroze, and all NTSC-U systems except the original SCPH-1000.
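The unchecked skater-name copy described in the article, shown beside a loader that validates the field before copying. This is an added example, not code from tonyhax or from the game; the field size, buffer size, memory layout and sentinel value are all assumptions chosen so the effect is visible in a toy memory model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Every size, offset and value below is an assumption made for this
   illustration; none of it is the game's real save or memory layout. */
#define SAVE_NAME_FIELD 32          /* bytes the save file reserves for the name */
#define NAME_BUF        16          /* bytes the in-memory destination can hold */
#define RA_OFF          NAME_BUF    /* modelled return address sits right after */
#define RAM_SIZE        64          /* toy memory region; all writes stay inside it */
#define GOOD_RA         0x80010000u /* constructed sentinel "return address" */

static void ram_init(uint8_t ram[RAM_SIZE]) {
    uint32_t ra = GOOD_RA;
    memset(ram, 0, RAM_SIZE);
    memcpy(ram + RA_OFF, &ra, sizeof ra);
}

static uint32_t ram_ra(const uint8_t ram[RAM_SIZE]) {
    uint32_t ra;
    memcpy(&ra, ram + RA_OFF, sizeof ra);
    return ra;
}

/* Before: copy until NUL, trusting the save data to terminate in time. */
static void load_name_unchecked(uint8_t ram[RAM_SIZE],
                                const uint8_t field[SAVE_NAME_FIELD]) {
    for (size_t i = 0; i < SAVE_NAME_FIELD && field[i] != 0; i++)
        ram[i] = field[i];
}

/* After: accept only printable ASCII terminated within NAME_BUF bytes. */
static int load_name_checked(uint8_t ram[RAM_SIZE],
                             const uint8_t field[SAVE_NAME_FIELD]) {
    size_t len = 0;
    while (len < NAME_BUF && field[len] != 0) {
        if (field[len] < 0x20 || field[len] > 0x7E)
            return -1;              /* control or high byte in a name */
        len++;
    }
    if (len == NAME_BUF)
        return -1;                  /* no terminator within the buffer's capacity */
    memcpy(ram, field, len + 1);    /* name plus its NUL */
    return 0;
}

/* Returns 1 when the oversized name corrupts RA unchecked and is rejected checked. */
static int demo_overflow_blocked(void) {
    uint8_t ram[RAM_SIZE], field[SAVE_NAME_FIELD];
    memset(field, 'A', sizeof field);   /* constructed: 32 bytes, no NUL */
    ram_init(ram);
    load_name_unchecked(ram, field);
    int corrupted = ram_ra(ram) != GOOD_RA;
    ram_init(ram);
    int rejected = load_name_checked(ram, field) == -1 && ram_ra(ram) == GOOD_RA;
    return corrupted && rejected;
}

int main(void) {
    printf("overflow blocked by checked loader: %d\n", demo_overflow_blocked());
    return 0;
}
```

The checked loader rejects the record before writing anything, so a tampered save leaves the adjacent memory untouched instead of being partially copied.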


Mike_D

Spent a few hours browsing the site (though technically, I'm "working" from home).
And I come across freePSXboot.
All that bother of buying THPS3 from ebay (twice, because the 1st one didn't show up) and
now it turns out I didn't even need it! :glare:
 

duwen

> Spent a few hours browsing the site (though technically, I'm "working" from home).
> And I come across freePSXboot.
> All that bother of buying THPS3 from ebay (twice, because the 1st one didn't show up) and
> now it turns out I didn't even need it! :glare:

Sucks, but with freePSXboot you have to give up an entire memory card for it.

I'm running tonyhax on my PS2 (don't need it for my ps1 as that's modchipped), so freePSXboot isn't an option for me... but I know that I got my disk of Cool Boarders 4 (the entrypoint I use for tonyhax) for a lot less than a pre-owned official memory card or a brand new 3rd party one would cost.
 

Mike_D

I had about 6 memory cards lying about so I was happy to use one for the convenience of not having to disc swap.
Both fantastic options though.
 

Lindaru

Tested Version 1.3.3 FreePSXBoot and I couldn't remove it from my memory card any other way than using Crash 1's memory card management thing, it crashed on PS2 (on boot and MCAnnihilator), so you have to dedicate a spare memory card for it. ;w;

EDIT: I couldn't get backups / out of region games to work, so I prefer using THPS2 method of TonyHax
 

DarthMotzkus

Hello @socram8888, I noticed you launched the 1.3.3 revision of the TonyHax+FreePSXBoot with that idea implemented about blocking the FreePSXBoot so the game could carry on without issues/crashing.
Any news about loading the TonyHax+FreePSXBoot exploit via slot-2, with another MC inserted in slot-1 (the main MC with saves) as well? So there's no need to swap the MCs. When I tried, it freezes after choosing MC menu.
 

socram8888

> Tested Version 1.3.3 FreePSXBoot and I couldn't remove it from my memory card any other way than using Crash 1's memory card management thing, it crashed on PS2 (on boot and MCAnnihilator), so you have to dedicate a spare memory card for it. ;w;
>
> EDIT: I couldn't get backups / out of region games to work, so I prefer using THPS2 method of TonyHax

Mmmm I've had no problem using MCA to install new updates over the old one. Could you please try connecting the memory card after launching MCA?

> Hello @socram8888, I noticed you launched the 1.3.3 revision of the TonyHax+FreePSXBoot with that idea implemented about blocking the FreePSXBoot so the game could carry on without issues/crashing.
> Any news about loading the TonyHax+FreePSXBoot exploit via slot-2, with another MC inserted in slot-1 (the main MC with saves) as well? So there's no need to swap the MCs. When I tried, it freezes after choosing MC menu.

Yeah that patch is in preparation of booting from the second memory card, so you can leave the memory card permanently connected.

So far all I can get is the system to crash if launching via the second memory card, same as you.

If I can't get booting from the second memory card, I've found there's a flag on the BIOS that allows swapping the ports, so games thinking reading from the first port would be really really accessing the second port, and vice-versa. You could leave the exploit card on the first port and save on the second one.

That'll be the really last option I'd prefer to use since it's a pretty confusing thing to do for the end user, though.
 

DarthMotzkus

> Mmmm I've had no problem using MCA to install new updates over the old one. Could you please try connecting the memory card after launching MCA?
>
> Yeah that patch is in preparation of booting from the second memory card, so you can leave the memory card permanently connected.
>
> So far all I can get is the system to crash if launching via the second memory card, same as you.
>
> If I can't get booting from the second memory card, I've found there's a flag on the BIOS that allows swapping the ports, so games thinking reading from the first port would be really really accessing the second port, and vice-versa. You could leave the exploit card on the first port and save on the second one.
>
> That'll be the really last option I'd prefer to use since it's a pretty confusing thing to do for the end user, though.

Amazing! I look forward to it.
 

Elbart

> If I can't get booting from the second memory card, I've found there's a flag on the BIOS that allows swapping the ports, so games thinking reading from the first port would be really really accessing the second port, and vice-versa. You could leave the exploit card on the first port and save on the second one.

Tonyhax - Psycho Mantis Edition :D
 

Lindaru

> Mmmm I've had no problem using MCA to install new updates over the old one. Could you please try connecting the memory card after launching MCA?

Connecting PS1 memory card that has 1.3.3 (4.1 bios) to MCA after launching freezes my PS2.
The only way I can remove the file is using games that allow seeing your memory card's contents (Crash 1, Abe's Oddysee etc).

I could try to get another PS1 memory card because I only have one atm. D:
 

socram8888

> Connecting PS1 memory card that has 1.3.3 (4.1 bios) to MCA after launching freezes my PS2.
> The only way I can remove the file is using games that allow seeing your memory card's contents (Crash 1, Abe's Oddysee etc).
>
> I could try to get another PS1 memory card because I only have one atm. D:

I've been thinking about this.

Out of curiosity, which model is your PS2? I am wondering if this bug also affects the PS2 under a certain revision, because my slim PS2 (I am not sure about the model at the moment) is totally cool with these hacked memory cards.

In fact I can open uLaunchElf with the memory card connected and browse them to get files with absurdly large file sizes, but no crash at all.
 

Lindaru

> I've been thinking about this.
>
> Out of curiosity, which model is your PS2? I am wondering if this bug also affects the PS2 under a certain revision, because my slim PS2 (I am not sure about the model at the moment) is totally cool with these hacked memory cards.
>
> In fact I can open uLaunchElf with the memory card connected and browse them to get files with absurdly large file sizes, but no crash at all.

My PS2 is 90004 Slim
 

Mike_D

Just tried this out on my PSone (with integrated screen).
I tried Castlevania SotN (NTSC) first but all I got was a rolling picture.
Tried ISS Pro Evo 2 (EURO) and it played fine.

An update on my previous post...........
Since I switched from using TonyHax to freepsxboot, I can now actually play the NTSC version of Castlevania SotN on the PSOne screen by selecting NTSC--->PAL. :)
 

DarthMotzkus

Hi @socram8888, today I was testing a backup of The Legend of Dragoon (U) (SCUS-94491) on my psone 4.5v BIOS with the FreePSXBoot+Tonyhax 1.3.3 (latest) and it got stuck on the antipiracy screen. My console isn't modchipped. Can you provide a new release with a patch for the antipiracy screen for this game?
Thanks mate, btw, the latest release is way faster than the previous one I was using (1.3.1); it took only 2 seconds to boot tonyhax after the MC Menu Screen, before it was almost 10 seconds, then the colors, then tonyhax... congratulations for that, superb work!
 

duwen

@socram8888
I discovered another game that won't boot on PS2 - probably related to the other system.cnf issues... legit disk of Tobal 2 (SCPS-45025) black screens after disk swap.
Is there any way of solving these system.cnf issues on PS2?
I already have multiple ways I can run pirated PS1 content, but only my modded PS1 is capable of running all region legit disks.
It's such a shame that tonyhax comes along and provides a way of finally running legit import PS1 disks on the PS2 hardware but a significant amount of games won't run. Possibly a PS2 fork of tonyhax that can patch the system.cnf? Obviously I don't know what's required in coding terms, but if it's possible it would be great.
 

DarthMotzkus

> I've been thinking about this.
>
> Out of curiosity, which model is your PS2? I am wondering if this bug also affects the PS2 under a certain revision, because my slim PS2 (I am not sure about the model at the moment) is totally cool with these hacked memory cards.
>
> In fact I can open uLaunchElf with the memory card connected and browse them to get files with absurdly large file sizes, but no crash at all.

Hi @socram8888, I got this issue too today, when I tried to re-image the MC with the latest 1.3.5b to test The Legend of Dragoon anti-mod patch you sent me, and the hacked MC with 1.3.3 freezes my ps2 slim too. It can't boot the ps2 at all if I turn it on with the MC inserted, in any slot. It's odd because I had already installed a FPSXBoot+TonyHax image on it previously, and used the same console to do so... but it was another version, and then some time after I updated to 1.3.3 a couple of weeks ago with no problem. Apparently 1.3.3, once installed on the MC, freezes the ps2.
My model is: SCPH-77003 (PAL), and it's the only console I had to start ulaunch.elf to hack the PSX MCs with the FPSXB+Tonyhax images.
Gonna try to access the MC via Crash 1 like the buddy said on this page and try to delete all the contents. Gonna tell if anything changes.

EDIT 1: I can't find any option to delete the "corrupted block" in the Crash Bandicoot 1 save manager, only load. How do you manage to delete it @Lindaru?

EDIT 2: Any PSX game I try to save in, after inserting the hacked MC, freezes the console. I cannot even overwrite it with any save, or delete it in the game's MC Save Manager. If I insert it in the PSX Memory Card Save manager, after the menu is already open, it doesn't show any save on it. But I can see the save on the LOAD GAME screen of Crash 1, it's a bandage icon with the "Corrupt block" name, but no option to delete it. I guess I've lost this PSX MC for good.

EDIT 3: If anyone knows a good memory card save manager inside a PSX title please inform me, so I can try to delete the corrupted save and maybe the MC can stop freezing my ps2.

EDIT 4: I found the "Psx Hacker KIT" on Google, burned it and formatted the MC with the MC Manager on it. If anyone happens to corrupt an MC because of those images, use it, it can boot via tonyhax too. My MC no longer freezes the ps2 or anything else.
 

socram8888

> @socram8888
> I discovered another game that won't boot on PS2 - probably related to the other system.cnf issues... legit disk of Tobal 2 (SCPS-45025) black screens after disk swap.
> Is there any way of solving these system.cnf issues on PS2?
> I already have multiple ways I can run pirated PS1 content, but only my modded PS1 is capable of running all region legit disks.
> It's such a shame that tonyhax comes along and provides a way of finally running legit import PS1 disks on the PS2 hardware but a significant amount of games won't run. Possibly a PS2 fork of tonyhax that can patch the system.cnf? Obviously I don't know what's required in coding terms, but if it's possible it would be great.

Can you please try with this beta version of tonyhax? https://github.com/socram8888/tonyhax/files/6519361/tonyhax-v1.3.5b.zip

I've made three different improvements that are directly related to compatibility on the PS2. Hopefully one of them fixes the issue you're experiencing.
 


DarthMotzkus

> Can you please try with this beta version of tonyhax? https://github.com/socram8888/tonyhax/files/6519361/tonyhax-v1.3.5b.zip
>
> I've made three different improvements that are directly related to compatibility on the PS2. Hopefully one of them fixes the issue you're experiencing.

Hi again @socram8888, did you patch the anti-mod screen after the "disc swap screen" for tonyhax on Legend of Dragoon? It's another place the anti-mod screen shows up in this game. Can you provide me which offset and hex line I need to edit to get rid of it after the swap disc screen too? I want to edit the .exe directly like I did with the modded Dragoon image. If you didn't patch it for tonyhax yet for the clean version of the game, you can trigger the screen by booting disc 2 and selecting to start a new game; the swap to disc 1 screen will show up and after you change to disc 1, the anti-mod screen shows up after the disc 1 load.
For that I think each disc has its place for that because the swap disc screen will appear after finishing a disc, starting in disc 2.
 

DarthMotzkus

> @DarthMotzkus I think that's also working. The antipiracy is in the main executable which I think stays resident even if you swap discs.

I edited the .exe permanently at that address you gave me, editing the .bin directly via hex editor and saved, burned the image onto disc, ok, it works, with fmv sound too. So the first anti-mod screen is fixed, but when the disc is swapped the anti-mod screen shows up. Apparently there's another address with the anti-mod check. It's happening with the clean version too, using tonyhax though. Damn, I thought we were done with it.
You can test it yourself, even without a save of a "change to disc X" step of the game. Just boot a clean version of dragoon disc 2 on tonyhax 1.3.5b, select new game, when it asks, swap to disc 1, and the anti-mod shows up. It will appear in other disc swap screens too, in normal progression.
I read about it yesterday when I was searching about the dragoon anti-mod screen. Playing dragoon backups gets the screen on disc swap too if you don't have a mod-chip with stealth mode or something. So, there's another address with the anti-mod screen where the game checks your copy and console, in the disc swap screen.
Could you please look into it? Let me know, pls, if you find the other address with the anti-mod screen, so I can edit my .exe from the modded version too.
Thanks.
 
