Tonyhax is a new softmod backup loader for the PlayStation 1

Those wanting to take their original PlayStation to the next level usually had to open up the system and install a modchip; that's been common knowledge since the '90s. However, a user named Socram, previously known for creating amiitool, has released an exploit that makes modding your PS1 easier than ever before. Called "tonyhax", because it uses Tony Hawk's Pro Skater 2 or 3, it loads specially crafted data from the PS1's memory card that "unlocks" the system's disc drive, which then lets you run games from other regions or even backups.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx's secret CD unlock commands to enable loading backups on a totally unmodded, stock PS1.

After "extensive testing", Socram has decided to release the exploit to the public, source code and all. The full project is available on GitHub, while a writeup and documentation on how tonyhax works are available on their website. The creator says the exploit is possible because, in both Tony Hawk's Pro Skater 2 and Tony Hawk's Pro Skater 3 (NTSC or PAL), the game never checks whether a skater profile name has been edited. A suitably crafted skater name therefore overflows its buffer and overwrites the system's memory, which in turn allows custom code to run.

This first-stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (SPL for short) from an additional save file on the memory card using PS1 BIOS calls. Once the SPL is loaded, the payload jumps straight to it.

Because the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices and so on) using the very same calls the ROM executes while the console boots.

After that, the GPU is reset. Once the GPU is ready again, the SPL sets up the video at a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name so the user can see that everything has worked up to this point.

With a working screen, it then unlocks the CD drive so that it accepts discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably to keep them secret, returns an error instead of a success message. The SPL is coded to expect one particular error to be returned, and it aborts if the drive reports success or returns any other, unexpected error code.

After the unlock, it waits for the lid to be opened and closed, allowing the user to insert a new CD.

The CD filesystem is then reinitialized. The SPL reads the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game's main executable.
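As an added illustration (not tonyhax or THPS code), the toy C loader below shows the class of bug the article describes: a profile loader that trusts the name length stored in the save overwrites the field next to the name slot, while a bounds-checked loader rejects the same record untouched. The record layout, the 16-byte name slot and the neighbouring field are hypothetical.

```c
/* Added example, not code from tonyhax or the games. A flat byte buffer stands
 * in for the game's profile in RAM: a 16-byte name slot followed by a 4-byte
 * field. Layout and sizes are hypothetical, chosen only to make the overrun
 * observable without undefined behaviour (the copy stays inside the buffer). */
#include <stdint.h>
#include <string.h>

#define NAME_SLOT   16   /* hypothetical fixed-size slot for the skater name */
#define NEXT_FIELD  16   /* offset of the 4-byte field right after the slot */
#define PROFILE_LEN 20   /* name slot + neighbouring field */

/* Save record as stored on the card: a length byte and the name bytes.
 * Nothing stops a hand-edited save from setting len larger than the slot. */
typedef struct { uint8_t len; uint8_t name[32]; } SaveRecord;

/* Vulnerable loader: copies rec->len bytes and never consults NAME_SLOT. */
void load_name_unchecked(uint8_t *profile, const SaveRecord *rec) {
    memcpy(profile, rec->name, rec->len);
}

/* Hardened loader: the length must leave room for the terminator and the
 * bytes must be printable ASCII; the profile is left untouched on rejection.
 * Returns 0 on success, -1 when the record is rejected. */
int load_name_checked(uint8_t *profile, const SaveRecord *rec) {
    if (rec->len == 0 || rec->len >= NAME_SLOT) return -1;
    for (unsigned i = 0; i < rec->len; i++)
        if (rec->name[i] < 0x20 || rec->name[i] > 0x7e) return -1;
    memcpy(profile, rec->name, rec->len);
    profile[rec->len] = '\0';
    return 0;
}

static uint32_t read_next_field(const uint8_t *profile) {
    uint32_t v; memcpy(&v, profile + NEXT_FIELD, sizeof v); return v;
}

/* Constructed record: 20 'A' bytes, four more than the slot holds. */
static SaveRecord crafted(void) {
    SaveRecord r = {0}; r.len = 20; memset(r.name, 'A', 20); return r;
}

/* Value of the neighbouring field after the unchecked load (0x41414141). */
uint32_t unchecked_result(void) {
    uint8_t profile[PROFILE_LEN] = {0};
    uint32_t guard = 0x80010000u; memcpy(profile + NEXT_FIELD, &guard, 4);
    SaveRecord r = crafted();
    load_name_unchecked(profile, &r);
    return read_next_field(profile);
}

/* 1 when the checked loader rejects the record and the neighbour survives. */
int checked_result(void) {
    uint8_t profile[PROFILE_LEN] = {0};
    uint32_t guard = 0x80010000u; memcpy(profile + NEXT_FIELD, &guard, 4);
    SaveRecord r = crafted();
    return load_name_checked(profile, &r) == -1 && read_next_field(profile) == guard;
}
```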

You'll need a PS1 memory card with tonyhax on it; Socram recommends using a PS2 with Free MCBoot to copy it onto the card. After loading the profile in-game, the exploit boots, and the CD drive will then accept games even if they're burned CD-R backups or titles from other regions. Tonyhax works on all PAL PlayStation consoles, the Net Yaroze, and all NTSC-U systems except the original SCPH-1000.

socram8888

I'm waiting for my copy of Brunswick Circuit Pro Bowling 2 to arrive and gonna test it on my PSOne. Meanwhile I can test it on my other modded Fat PS1 with a backup. Do you think the modchip will confuse the process or it's fine?
It should be fine. If you are gonna try on your console with Brunswick, I'll send you on PM a custom testing version that should fix the issue other users were having.

smf

Is there any chance that we can load games on the memory card like the GC Gecko device, as the recently made Memcard Pro via the 8bitmods site allows up to 1TB sized MicroSD cards?

AFAIK memcard pro just gives you lots of 128k (ps1 memcard) sized slots, you would need something that gives direct access to the sd card and if you're unlucky that might prevent you using a controller in the same socket. You can run the port quite fast, but the cpu might struggle keeping up. Especially if the game is running other code while loading.

You also wouldn't have streaming audio. You need something like psio to do that, it would be nice if there was a raspberry pi based optical disc emulator.

Lv44ES_Burner

Socram, you're an amazing fellow. Mad props to you for figuring out how to leverage exploits like this to allow for loading backups, man. Hope your work on the project to produce a memory card adapter comes to a success as well, 'cause I'd definitely snap one up in a heartbeat!

socram8888

Thanks to @DarthMotzkus and @Shardnax for the debugging on their machines, I have just released v1.1.2. If you were trying to use Brunswick Pro Circuit 2 NTSC-U and couldn't get it to work, this release is for you.

Changes since v1.1.1
  • Fixed Brunswick Pro Circuit 2 (NTSC-U) (SLUS-00571) entry point, which was causing the SPL to fail loading.
  • Loading steps in the entry points are now color coded for easier debugging:
    • Purple (Brunswick only) indicates the memory cards are being reinitialized.
    • Blue indicates the SPL is being read from the memory card into memory.
    • Green indicates that the SPL is about to launch. This should flash very, very briefly.
    • Red indicates the SPL couldn't be found or loaded.
    The console should spend no more than a couple seconds with each color. If it spends more time, it's probably crashed. Please report it.
  • Added an integrity check. Should the SPL load in a corrupted state into main memory (for instance, if the memory card is damaged, the file is corrupted, or some other process caused the load process to fail), it'll now report so on screen during boot.
  • The SPL will now report your system BIOS. If you are experiencing any issue, please remember to tell me the BIOS version.
Essentially this version has just been released to fix the Brunswick 2 bug, which was causing me a serious headache as the payload was booting just fine on the emulator, but failing on real hardware during the phase in which the SPL was loading into main memory, with all the previous steps (card initialization, file open...) executing just fine.

The FileRead call was executing instantaneously, as if it wasn't reading anything, despite me explicitly checking the return value. Instead of getting to the red screen of death, it was just turning black, something I don't have implemented anywhere in the code.

After adding all those logging features, it turned out that the issue was simply that the save file had a wrong address, and it was causing the stack pointer to never get reinitialized. FileRead apparently has enough nested functions to cause the call stack to grow larger than what the fast RAM - where Brunswick holds the stack - could hold and it just crashed into a black screen.

Just like v1.1.1, this is just a bugfix release - if previous versions were working fine for you and you don't mind missing the cool seizure-inducing loading screens, just skip it.

Available at https://github.com/socram8888/tonyhax/releases/tag/v1.1.2
 

driverdis

PS2 SCPH-39001 Date Code 2C works
BIOS Version V5.0 02/07/02 A

my other 2 PS2 Slims (SCPH-77001) don’t work and my 3 fat SCPH-50001 systems don’t work either.

seems some earlier US NTSC models used the American firmware rather than the Japanese firmware and support the unlock command.

I did test an SCPH-70012 but it had a loose ribbon cable and literally put a circle ring on THPS 3 and ruined it so I have another from eBay on the way.

good thing I picked up Brunswick Bowling 1 and 2 as I had to test other systems with that after the incident

I find it interesting that newer consoles that can work with the PSXLoader homebrew are the ones that don’t work with this hack since the drives are a different region.

I did try some AntiMod games including the notorious Spyro 3 NTSC and booting a real disc on a same region console via this exploit works and does not throw the console modified error. This is good as I was not sure if the unlock commands issued would mess with games checking for the license string.

I do not have a PAL or NTSC-J system to check if a legit Spyro 3 game will pass its check on a different region system but it should since the drive will still report the SCEA string each time it checks since the disc is legit.

booting a clean copy however will throw a hardware modified message which does not happen with stealth modchips since the modchips will inject the string each time the game requests it.

blindseer

PS2 SCPH-39001 Date Code 2C works
BIOS Version V5.0 02/07/02 A
Well I'll be, it does work on the SCPH 39001 with a date code of 3B also...

caitsith2

It is kind of a miracle that no developer thought to randomly decide which part of the disc it was reading for checking the protection, in order to defeat the true-stealth chips. You have to be right 100% of the time to remain stealth. The random check only has to ever see the chip get it wrong just once.
 

DarthMotzkus

Thanks to @DarthMotzkus and @Shardnax for the debugging on their machines, I have just released v1.1.2. If you were trying to use Brunswick Pro Circuit 2 NTSC-U and couldn't get it to work, this release is for you.

Anytime man, happy to help, glad it works now.
Thank you for your time and efforts. This is an amazing exploit, I'll put it to very good use.
 

smf

It is kind of a miracle that no developer thought to randomly decide which part of the disc it was reading for checking the protection, in order to defeat the true-stealth chips.

You've got a deadline to get the game out, anything random you do is going to be a risk during QA and anyone running the game on an emulator can see exactly what your code is doing.

Some people will buy the game regardless, some people will wait for the crack regardless.
 

Acid_Snake

Thanks to @DarthMotzkus and @Shardnax for the debugging on their machines, I have just released v1.1.2. If you were trying to use Brunswick Pro Circuit 2 NTSC-U and couldn't get it to work, this release is for you.
Hey if you need any development hand let me know. I'm gonna try to recreate the buffer overflow on the PSP's memory card manager, hopefully we can also trigger it on the real console.
 

Spectremint

I finally have an excuse to get a Tony Hawk game! lol
I don't have a PS1 (I do have a PS2 though) and I wanna get more import titles but I don't wanna modchip my console because it's hard and I have no soldering experience or skill. This should be great if it works well on a PS2.
 

elBenyo

Well of course you need to store your addresses in the correct endian, but that doesn't explain why it's an "endian security issue" that you can "attack".

If you use the wrong endian in your exploit, then your exploit is broken. Using x86 opcodes instead of MIPS would also not work, but that doesn't make it a "cpu security issue".

Have you ever heard of buffer overflow prevention techniques? For example RELRO, NoExecute, Stack Canaries, Address Space Layout Randomization, or Position Independent Executables? Learn to ROP and then you might understand :rofl2:

smf

Have you ever heard of buffer overflow prevention techniques? For example RELRO, NoExecute, Stack Canaries, Address Space Layout Randomization, or Position Independent Executables? Learn to ROP and then you might understand :rofl2:

Yes, I have heard of those. I haven't heard of "endian security issues" that you can "attack".

I'm not sure how RELRO, NoExecute & ASLR are relevant to PS1 & I'm not sure ROP would be my first choice on a platform where everything runs in kernel mode & has rwx access to all of ram.

elBenyo

Yes, I have heard of those. I haven't heard of "endian security issues" that you can "attack".

I'm not sure how RELRO, NoExecute & ASLR are relevant to PS1 & I'm not sure ROP would be my first choice on a platform where everything runs in kernel mode & has rwx access to all of ram.
I was looking to jump out of the CD player program with a kernel panic exploit using rough ROP to run his exploit, leading to a burned game only needing a hacked track 1. I won't even try if you want to explain it any further, go troll in another thread.
 

driverdis

scph-39001
3900X must be the cutoff for systems. Other people including me have reported success on 3900X and 3000X consoles meanwhile 5000X and newer consoles are using the Japanese drive controller and don’t work.

What I really like about this exploit is that it is the first method to load backups without a modchip, slide tool, or flip top on PS2 3900X and lower since you can eject the tray normally.