Unicorngoulash
Forum Noob
I went on a journey to bring the legendary double-jump glitch from Spyro 2: Ripto's Rage back into Spyro 3: Year of the Dragon. Not on an emulator. On real PlayStation 1 hardware first.
Here's the problem.
Spyro 3 did not merely remove the glitch. It actively fights you if you try to restore it.
The game contains deliberate integrity checks designed to detect code modification and respond with punishment. Touch the executable and the game notices. This is not accidental behavior, this is intentional anti-tamper logic. The usual approach is brute force: hunt down every checksum across the main executable and overlays, then adjust them one by one. That method is fragile, and extremely easy to get wrong.
There had to be a better way.
So I stopped thinking like a modder.
Instead of hacking the game, I hacked the console and became the ghost in the machine...
When real hardware breaks emulator assumptions
The method sat so far outside normal PS1 usage that it exposed incorrect assumptions in emulation.
It pushed the PlayStation's COP0 debug logic in ways that, to my knowledge, had not been meaningfully exercised before. Not by games. Not by existing mods.
DuckStation's COP0 emulation got a reality check: real retail PS1 silicon exposed the gaps. Their commit "Inhibit debug dispatcher when COP0 BP is invalid" came from testing this edge case. I helped debug it with the main dev, contributing to the emulator's accuracy.
That is the tell.
Emulators usually define the ceiling of what people think is possible. This time, real hardware forced the emulator to catch up. For the record, pcsx-redux and no$psx were already closer to reality and reflected this behavior more accurately. That being said, most PS1 emulators don't even attempt to emulate the COP0 at all.
This was not just restoring a glitch. It was mapping undocumented silicon behavior on a retail console by force, and proving it by breaking assumptions in one of the most accurate PS1 emulators available.
The angle nobody takes
Deep inside the PS1 CPU is dormant debug circuitry. Its exception vector lives at 0x80000040. On retail systems, the handler is completely nopped out. Most people assume this means the feature does not exist.
That assumption is wrong. The R3000A dictates behavior, not a nop sitting in memory meant to discourage use. I restored that vector to jump into my own exception handler. Its job was simple: observe execution state in real time and redirect behavior when needed. Sony expected this pathway to be used only by official devkits. Never by consumers. Never by games. And certainly never against the game itself.
That was the opening.
The move
I revived a part of my old and dusty PlayStation that had not been meaningfully used for 31 years, because almost everyone assumed it was unused or impossible on retail hardware anyway.
The system could now:
- Catch execution at an exact instruction
- Intercept it while it is running
- Redirect behavior without modifying code at rest
- Allow Spyro's protection systems to execute normally
- Step out again without the game detecting anything
From the console's point of view, everything changed.
A custom handler gets installed before the game boots. Execution is intercepted at runtime using COP0 execution breakpoints. The moment a point of interest in execution is reached, it goes to my own exception handler and behavior is redirected for a few cycles by adjusting the EPC. We're basically doing invisible jumps from anywhere; in this new space anything can be done. Then control is returned cleanly with JMP + RFE.
Spyro's protection logic runs normally and never sees modification. From the game's point of view, nothing changed; it still believes it owns the machine. The COP0 BPCM/BPC/DCIC system is re-armed through the standard exception vector at 0x80000080 whenever all matches in execution have been reached and altered.
Conclusion: the Spyro 2 double-jump restored in Spyro 3, on real PS1 hardware, checksum‑clean, fingerprint‑free. The CPU was no longer blindly executing instructions. It was being observed, intercepted, and momentarily redirected through its own dormant pathways. For a microscopic window of time, the PlayStation itself became the arbiter of execution flow. Not the game. Not the protection code. Not the assumptions baked into retail software.
The technique was rigorously tested on a real retail PlayStation 1 console. No emulators. No devkits. Just raw retail silicon. Full 117% Completion was achieved in Spyro 3: Year of the Dragon with the Spyro 2 double-jump fully functional. Every egg collected. Every gem grabbed. Every level unlocked. The checksums passed clean every single time, no detection. Spyro's anti-tamper logic never triggered across dozens of hours of playtesting. The invisible jumps worked flawlessly from any point in the game. It was a true rewrite at the silicon level.
The result
For a fraction of a frame, I slipped between the CPU and the game. Long enough to alter behavior. Short enough to leave no fingerprints.
The integrity checks passed.
The anti-tamper logic remained satisfied.
The engine believed it was still in control.
And the double-jump came back to life.
What this actually proves
This was never just about restoring a glitch.
It proves that Spyro 3's protection can be bypassed without touching the game itself.
It proves that retail PS1 hardware still contains dormant capabilities people wrote off decades ago.
It proves that real hardware can still outpace emulation when pushed beyond assumed limits.
A 31-year-old console still had something left to say.
The game thought it was in charge.
The emulator thought it knew the limits.
Neither one did.
— Unicorngoulash
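Added example, not the poster's code and not PS1 code: a C model of the mechanism the post describes, so the difference between the two approaches to an integrity check is visible in one run. It assumes an invented toy instruction set, a checksummed code array standing in for the game executable, a separate trampoline array standing in for handler-owned RAM, and modelled debug registers that borrow the R3000A names BPC/BPCM/DCIC but use an assumed bit layout. Patching the jump limit in place changes the checksum; an execution breakpoint that diverts EPC into the trampoline leaves the code at rest, and therefore the checksum, untouched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the detour in the post (added example, not the poster's code).
 * Invented instruction set and debug-register layout; the names BPC/BPCM/DCIC
 * are borrowed from the R3000A, the bit positions below are assumptions. */
enum { OP_LI, OP_LW, OP_SW, OP_ADDI, OP_SLT, OP_BEQZ, OP_J, OP_HALT };
typedef struct { int32_t op, a, b, c; } Insn;   /* no padding: checksum is exact */

#define CODE_LEN   8
#define TRAMP_BASE 0x100u          /* trampoline RAM, outside the checksummed range */
#define TRAMP_LEN  2
#define DCIC_PCE   (1u << 24)      /* execution-breakpoint enable (assumed bit) */
#define DCIC_HIT   (1u << 1)       /* sticky "PC break occurred" status (assumed bit) */

typedef struct {
    Insn     code[CODE_LEN];       /* the "executable": the only thing checksummed */
    Insn     tramp[TRAMP_LEN];     /* handler-owned RAM, installed before "boot" */
    int32_t  mem[4];               /* mem[0] = jumps_used */
    int32_t  r[4];
    uint32_t bpc, bpcm, dcic, epc; /* modelled COP0 debug registers plus EPC */
    int      detours;              /* times the debug handler fired */
} Machine;

/* The game's jump routine. Instruction 1 holds the jump limit that a
 * conventional mod would patch from 1 to 2, breaking the checksum. */
static const Insn GAME[CODE_LEN] = {
    {OP_LW,   0, 0, 0},   /* 0: r0 = mem[0]        jumps_used      */
    {OP_LI,   1, 1, 0},   /* 1: r1 = 1             MAX_JUMPS       */
    {OP_SLT,  2, 0, 1},   /* 2: r2 = r0 < r1       can_jump        */
    {OP_BEQZ, 2, 7, 0},   /* 3: if (!r2) goto 7                    */
    {OP_ADDI, 0, 1, 0},   /* 4: r0 += 1                            */
    {OP_SW,   0, 0, 0},   /* 5: mem[0] = r0                        */
    {OP_LI,   3, 1, 0},   /* 6: r3 = 1             jump granted    */
    {OP_HALT, 0, 0, 0},   /* 7: return r3                          */
};

/* Stand-in for the game's anti-tamper check: FNV-1a over the code region only. */
uint32_t game_checksum(const Machine *m) {
    uint32_t h = 2166136261u;
    const uint8_t *p = (const uint8_t *)m->code;
    for (size_t i = 0; i < sizeof m->code; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

void machine_init(Machine *m) {
    memset(m, 0, sizeof *m);
    memcpy(m->code, GAME, sizeof GAME);
}

/* Model of the handler at the debug vector: take the hit, clear the sticky
 * status so the breakpoint is re-armed, and point EPC at our trampoline. */
static void debug_handler(Machine *m) {
    m->detours++;
    m->dcic &= ~DCIC_HIT;
    m->epc = TRAMP_BASE;
}

/* Trampoline: r1 = 2, then jump back to instruction 2, i.e. resume exactly
 * where the game would be after its own LI. The code array is never written. */
void install_double_jump(Machine *m) {
    m->tramp[0] = (Insn){OP_LI, 1, 2, 0};
    m->tramp[1] = (Insn){OP_J, 0, 2, 0};
    m->bpc  = 1;                   /* break when PC == 1 ... */
    m->bpcm = 0xFFFFFFFFu;         /* ... comparing every PC bit */
    m->dcic = DCIC_PCE;
}

/* One press of the jump button. Returns 1 if the game granted the jump. */
int press_jump(Machine *m) {
    memset(m->r, 0, sizeof m->r);
    uint32_t pc = 0;
    for (int steps = 0; steps < 64; steps++) {
        /* PC compare happens before the fetch, like a hardware breakpoint. */
        if ((m->dcic & DCIC_PCE) && !(m->dcic & DCIC_HIT) &&
            ((pc & m->bpcm) == (m->bpc & m->bpcm))) {
            m->dcic |= DCIC_HIT;
            m->epc = pc;
            debug_handler(m);
            pc = m->epc;           /* RFE: resume at the (possibly edited) EPC */
            continue;
        }
        if (pc >= TRAMP_BASE ? pc - TRAMP_BASE >= TRAMP_LEN : pc >= CODE_LEN) return -1;
        const Insn *in = pc >= TRAMP_BASE ? &m->tramp[pc - TRAMP_BASE] : &m->code[pc];
        int32_t *r = m->r;
        switch (in->op) {
        case OP_LI:   r[in->a] = in->b; break;
        case OP_LW:   r[in->a] = m->mem[in->b]; break;
        case OP_SW:   m->mem[in->b] = r[in->a]; break;
        case OP_ADDI: r[in->a] += in->b; break;
        case OP_SLT:  r[in->a] = r[in->b] < r[in->c]; break;
        case OP_BEQZ: if (r[in->a] == 0) { pc = (uint32_t)in->b; continue; } break;
        case OP_J:    pc = (uint32_t)in->b; continue;
        case OP_HALT: return r[3];
        }
        pc++;
    }
    return -1;                     /* runaway program */
}

typedef struct { int pattern; bool checksum_ok; int detours; } Result;

/* mode 0: stock game, 1: patch the executable, 2: breakpoint detour.
 * pattern packs three jump presses as digits: 110 = granted, granted, denied. */
Result run_scenario(int mode) {
    Machine m; machine_init(&m);
    uint32_t expected = game_checksum(&m);      /* what the anti-tamper check wants */
    if (mode == 1) m.code[1].b = 2;
    if (mode == 2) install_double_jump(&m);
    Result res = {0, false, 0};
    for (int i = 0; i < 3; i++) res.pattern = res.pattern * 10 + press_jump(&m);
    res.checksum_ok = game_checksum(&m) == expected;
    res.detours = m.detours;
    return res;
}
```

Calling run_scenario(0) gives the stock behaviour (one jump, then denied); run_scenario(1) grants the double jump but the checksum no longer matches, which is the failure mode the post describes for patching the executable; run_scenario(2) grants the same double jump with the checksum intact because the only writes went to the trampoline and the debug registers, never to the code region. The sticky DCIC_HIT bit is how the model stands in for the re-arming step the post mentions: if the handler did not clear it, the breakpoint would fire once and never again.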