PS1 tonyhax - A Software backup loader exploit for the PS1 (leverages save game exploit)

Looks like those Classic PlayStation consoles are still making waves in the homebrew scene. We have seen vibrant development on the PS2 with recent things like OpenTuna and also the recently dumped MechaCon firmware, which can potentially bring the various possibilities discussed here. However, the PS2 is not alone: its daddy, the original OG PlayStation 1, now has a software backup loader exploit that leverages save game exploits in Tony Hawk's Pro Skater 2 & 3, from developer socram8888. The developer has titled the project "tonyhax" and it works with both the PAL and NTSC versions of the game.

The developer has provided a technical write-up and an easy-to-follow explanation, as well as a YouTube video, which we have also attached below. Check out the latest exploit to hit the PS1.


  • tonyhax
    Presenting tonyhax - a softmod backup loader for the Sony PlayStation 1. This is a backup loader that leverages a save game exploit present on Tony Hawk's Pro Skater 2 and 3, in both the European PAL and American NTSC-U versions. For more information, see https://orca.pet/tonyhax.

    Why?
    • The first question that might pop up on your mind regarding this project is "why the F%$# didn't you just install a modchip?".
      • The answer is simple: I didn't want to mod my mint, boxed PSone, but I didn't want to leave it rotting on a shelf either.
    • Also, as an owner of a SCPH-102 console, these are a pain in the ass when it comes to chipping - in addition to the generic SCEx wobble check performed by the CD controller that is easily patchable, the boot menu on these also checks for the region string, which involves installing even more wires and a full sized Arduino Pro Mini or AtMega328 chip to patch the CPU BIOS to play out of region games. Not cool.



  • How does this work?
    • In layman terms, this exploit uses an oversight from the programmers: the game does not check that the skater name in the save file hasn't been tampered and fits in the space the program allocated for it. If we externally change the username to something longer, we can overwrite other vital parts of the memory and run our own code.

    • In more technical terms, this exploit consists of a specially crafted save game with:
      • Highscores replaced with a first-stage payload of 144 bytes.
      • An abnormally long skater name, with the memory address of the first-stage payload inserted.

    When entering the skater customization menu, the menu is dynamically generated to include the saved skater names in a way like:
    #include <stdio.h>
    #include <string.h>

    /* x (the buffer size) and MAX_LEN are not given in the write-up; placeholder values */
    #define x 64
    #define MAX_LEN 32
    struct { char name[x]; } custom_skater_data[8];   /* assumed layout of the save data */

    void trim_string(char * buffer, int len) {
        char trimmed[x];

        // Copy to our local buffer (unbounded copy: this is where the stack gets overwritten)
        strcpy(trimmed, buffer);

        // Trim it: the last three characters become dots and the string shrinks by one
        trimmed[len - 4] = '.';
        trimmed[len - 3] = '.';
        trimmed[len - 2] = '.';
        trimmed[len - 1] = 0;

        // Copy back to the original buffer
        strcpy(buffer, trimmed);
    }

    void create_skater_entry(int id) {
        char menutext[x];
        int textlen;

        // sprintf has no bound either, so an overlong name already overflows menutext here
        sprintf(menutext, "Skater %c: %s", 'A' + id, custom_skater_data[id].name);
        while ((textlen = strlen(menutext)) > MAX_LEN) {
            trim_string(menutext, textlen);
        }

        // ...
    }
    Essentially, if a string that's too long to overflow the buffer is specified, the buffer overflows and overwrites part of the stack as we want to, but then it gets hammered with periods.

    However, as trim_string is a subcall and has a local buffer, if we specify a character name with the right length (165 characters, exactly), the null terminator in the trimmed buffer overlaps the first character of menutext, resulting in a menu entry with length of 0, thus sparing the rest of the stack contents.

    After some more menu-related stuff, the return address is finally pulled from the stack and the code jumps to it. This return address points to the beginning of the high scores menu, whose contents are also loaded with no checks from the memory card, and where we have the first-stage payload.

    This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

    As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.
    After that, the GPU is reset. Once the GPU is ready again, it sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to show that everything is working fine up to this point.

    With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive returns that it succeeded or if it returns another unexpected error code.

    After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.
    After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game's main executable.

  • Installation
    • To install this exploit, you'd need a means of copying the save file to a PS1 memory card. Personally, I've used a PS2 with Free McBoot and uLaunchELF.
    • All you have to do is copy the game's crafted save file and the TONYHAX-SPL file into the card. That's it.
    • Once installed, you can freely copy it to other cards using the PS1 and the memory card management menu, and distribute it freely amongst friends.

    Usage

    • Once installed, all you have to do is boot the game like you'd normally do.
    • Once you get to the main menu, it'll load the save game (it should say "Loading TONYHAX"). After it's done, go to the "CREATE SKATER" function and press X. After a couple seconds, tonyhax should boot.

    Save games
    • BASLUS-01066TNHXG01: Tony Hawk's Pro Skater 2 (NTSC-U) (SLUS-01066)
    • BESLES-02908TNHXG01: Tony Hawk's Pro Skater 2 (PAL-E) (SLES-02908)
    • BASLUS-01419TNHXG01: Tony Hawk's Pro Skater 3 (NTSC-U) (SLUS-01419)
    • BESLES-03645TNHXG01: Tony Hawk's Pro Skater 3 (PAL-E) (SLES-03645)
    • TONYHAX: tonyhax's secondary program loader (SPL)

  • Compatibility

    I've personally only attempted this with a PAL SCPH-102 PSone, but according to Martin Korth's documentation this should work with:
    • Every PAL console.
    • Every NTSC-U console except the very early SCPH-1000.
    • NetYaroze consoles.
    However, this will not work with:
    • Japanese NTSC-J consoles (stubbed/bugged CD unlock).
    • NTSC-U SCPH-1000 consoles (BIOS predates the introduction of the CD unlock command).



Source: https://orca.pet/tonyhax/
Thanks to psx-place member @HWNJ for the heads up!!
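For comparison with the trim_string / create_skater_entry code quoted above, here is a hardened version written for this post; it is an added illustration, not tonyhax code and not the game's code. The name coming from the memory card is validated against its field before it is used, and the menu label is built and trimmed with bounded writes only, so a 165-byte name cannot reach the stack. NAME_MAX, MENU_MAX and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Field sizes are assumptions for this example; the game's real sizes are not on the page. */
#define NAME_MAX 16   /* longest skater name the save format may carry */
#define MENU_MAX 40   /* longest menu label that may be displayed */

/* Bounded length: never reads past field_len, so a save with no NUL is caught too. */
static size_t bounded_len(const char *s, size_t field_len) {
    size_t n = 0;
    while (n < field_len && s[n] != '\0') n++;
    return n;
}

/* Validate a name from the untrusted save file before it is used anywhere:
 * 1 if NUL-terminated inside the field and no longer than NAME_MAX, else 0. */
int skater_name_is_valid(const char *raw, size_t field_len) {
    size_t n = bounded_len(raw, field_len);
    return n < field_len && n <= NAME_MAX;
}

/* Hardened create_skater_entry: every write is bounded by outlen and trimming happens
 * in place, with no second unbounded copy. Returns 0 if the label fit, 1 if it was cut
 * to outlen-1 bytes ending in "...", -1 on bad arguments. */
int build_skater_entry(char *out, size_t outlen, int id, const char *name) {
    if (out == NULL || name == NULL || outlen < 5) return -1;
    /* snprintf writes at most outlen-1 chars but reports the untruncated length */
    int needed = snprintf(out, outlen, "Skater %c: %s", 'A' + id, name);
    if (needed < 0) return -1;
    if ((size_t)needed >= outlen) {
        memcpy(out + outlen - 4, "...", 3);   /* last three visible chars become dots */
        out[outlen - 1] = '\0';
        return 1;
    }
    return 0;
}
/* Render into a MENU_MAX-sized label and return its length (used by the checks). */
size_t rendered_length(int id, const char *name) {
    char label[MENU_MAX + 1];
    if (build_skater_entry(label, sizeof label, id, name) < 0) return 0;
    return strlen(label);
}
int main(void) {
    char overlong[166];                 /* constructed: the 165-byte name the write-up mentions */
    memset(overlong, 'A', 165);
    overlong[165] = '\0';
    printf("valid=%d len=%zu\n", skater_name_is_valid(overlong, sizeof overlong),
           rendered_length(0, overlong));
    return 0;
}
```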
 
As I understand, @laukinming is asking about the entry point, not the game on CD-R. And this one must follow the firmware restrictions (be in a specific region or else it will not launch).

I was referring to just playing Japanese games in general. Can I play Japanese games (CD-Rs and otherwise) with this hack is actually what I'm asking.

Sorry for disturbing the harmony of this thread. Will find another one to pester.
 
I guess I might have a better chance here than where I originally posted


Trying out the new PS1 memory card hack and I'm not sure if it's my current PS1 or my CD burner or what

burner - TSSTcorp CDDVDW SH-S243N SCSI CdRom Device
CDs- verbatim CD-R
ps1- 9001
programs used- ImgBurn, CloneCD, and Alcohol 120%
It just won't start the backup when using tonyhax
any help would be appreciated
 
Thanks a lot, but is there no way to play ISO format with this?

How would you want to play "ISO format" on PSX without an ODDE?

This is a save data exploit. You run the game, crash it with the exploit, the loader loads, and then you can put in a CD-R with anything matched to the console region (game backups or homebrew apps).

And BTW: ISO doesn't contain CDDA and subchannels, so it is a bad idea to use it in the case of PSX games in the first place.
 
Version v1.3.1 is out.

Changelog (v1.3.1):
  • Fix entrypoint for PS2 consoles, fixing #63 reported by @faissaloo.
Changelog (for v1.3)
  • tonyhax is now bootable using the FreePSXBoot exploit.
  • Added support for Castlevania Chronicles (U) (SLUS-01384) as entry point, by @G4Vi.
  • Added automatic switching between PAL and NTSC. tonyhax will detect the game's region and swap to the correct one before launching the game, ensuring it runs at the correct speed. Support is still spotty for the PS2, though.
  • Improved loading speed of every entry point to match that of Tony Hawk games - no more purple screens!
  • Increased the screen resolution. tonyhax now uses VGA video which allows more info on screen, making debugging easier.
  • Added antimodchip patch for Resident Evil Survivor (U) (SLUS-01087), fixing #46 requested by @AbdomenFella
  • Added antimodchip patch for pop'n music 2 (J) (SLPM-86294), partially fixing #37 requested by @PARTYMANX
  • Added antimodchip patch for pop'n music 6 (J) (SLPM-87089), also from issue #37
  • Fixed antimochip patch for Tetris with Card Captor Sakura - Eternal Heart (J) (SLPS-02886), fixing issue #29 requested by @dominater01
https://github.com/socram8888/tonyhax/releases.
 
@Peppe90
  • FreePSXBoot makes the card unusable for saving (it is based on a broken index which shows the card as ~400MiB media).
  • FreePSXBoot doesn't boot every time on half of the models.
  • TonyHAX is an exploit that is earlier by one month, yet works every time. ;)
 
  • FreePSXBoot doesn't boot every time on half of models

I didn't know about it.

Then I see actually, if you don't have any of the tonyhax compatible games, but you have a MC to waste, then it makes sense to use FPSXB for booting tonyhax.

Btw you don't have the tonyhax portability this way (since FPSXB patched MC will work only on one PS1 model type).
 
I didn't know about it.
It is enough to read readme file. ;)

then it makes sense to use FPSXB for booting tonyhax.
What?

FreePSXBoot is an exploit of the PSX firmware targeting the built-in internal memory card handling. At least that is how I understand it. You do not need anything else to boot homebrew than FPSXB.

TonyHAX is a save data exploit which targets a game's save parsing first. It needs only the specific game for which it is designed to boot homebrew.

Both solutions have no connection with each other. So no, you don't need FPSXB for booting TonyHAX.
 
What?

FreePSXBoot is an exploit of the PSX firmware targeting the built-in internal memory card handling. At least that is how I understand it. You do not need anything else to boot homebrew than FPSXB.

TonyHAX is a save data exploit which targets a game's save parsing first. It needs only the specific game for which it is designed to boot homebrew.

Both solutions have no connection with each other. So no, you don't need FPSXB for booting TonyHAX.

I never said that you need FPSXB for booting tonyhax.

I was just wondering what's the purpose on adding the possibility to launch tonyhax from FPSXB, since if you have FPSXB you already have an exploit for playing backups.

You made me notice that FPSXB doesn't boot every time. It also came to my mind that you may not have one of the tonyhax compatible games (like tony hawk, Crash 2/3, etc...).
In this case FPSXB could be a good way to boot tonyhax (which has better compatibility, right?)
 
I never said that you need FPSXB for booting tonyhax.
>>
then it makes sense to use FPSXB for booting tonyhax.
;)

In this case FPSXB could be a good way to boot tonyhax (which has better compatibility, right?)
Wrong.
If you cannot boot FPSXB each time but only randomly (on some spectrum of models), then what is the sense in trying to randomly boot FPSXB to boot an exploitable game to boot another game? :eek:

But anyway, I see now in the readme for the src repo (instead of v1.0) that all models are 100% reliable. So problem solved. ;]
https://github.com/brad-lin/FreePSXBoot/blob/master/README.md
 
The part I think you might be missing is that by my understanding, without having tested, that you're using FreePSXBoot to boot the tonyhax second stage loader, not to boot the exploited games. You don't use the exploited game saves in that scenario. So if you have none of the exploitable games, but like tonyhax's loader this is another way to trigger it.

By the old default with tonyhax you're using a save exploit to load the tonyhax second stage loader, with FreePSXBoot you're using a memory card exploit to load Unirom. When you use tonyhax with FreePSXBoot you're just using the FreePSXBoot exploit to load the tonyhax loader instead of the Unirom used in FreePSXBoot by default.

I haven't tested that, so I could be wrong, but that's my understanding from reading readmes. If I'm right, the point is if you prefer the tonyhax loader to Unirom then it does serve a purpose. It'll all depend on which one ends up being better, tonyhax loader, or Unirom.

It doesn't help that the exploit and the loader are both basically just lumped together and called tonyhax. Leads to some confusion. Whereas with FreePSXBoot there's a clearer distinction since the loader is Unirom.
 
>>

;)


Wrong.
If you cannot boot FPSXB each time but only randomly (on some spectrum of models), then what is the sense in trying to randomly boot FPSXB to boot an exploitable game to boot another game? :eek:

But anyway, I see now in the readme for the src repo (instead of v1.0) that all models are 100% reliable. So problem solved. ;]
https://github.com/brad-lin/FreePSXBoot/blob/master/README.md
I think you must have missed this line from the changelog of v1.3 tonyhax. That is why peppe asked the question.

  • tonyhax is now bootable using the FreePSXBoot exploit.

This line must be there for a reason.
 
Yeah, I missed that. This damn PS4 ODD makes me nervous. ;p

The part I think you might be missing is that by my understanding, without having tested, that you're using FreePSXBoot to boot the tonyhax second stage loader, not to boot the exploited games. You don't use the exploited game saves in that scenario. So if you have none of the exploitable games, but like tonyhax's loader this is another way to trigger it.

By default with tonyhax you're using a save exploit to load the tonyhax second stage loader, with FreePSXBoot you're using a memory card exploit to load Unirom. When you use tonyhax with FreePSXBoot you're just using the FreePSXBoot exploit to load the tonyhax loader instead of the Unirom used in FreePSXBoot by default.

I haven't tested that, so I could be wrong, but that's my understanding from reading readmes. If I'm right, the point is if you prefer the tonyhax loader to Unirom then it does serve a purpose. It'll all depend on which one ends up being better, tonyhax loader, or Unirom.

It doesn't help that the exploit and the loader are both basically just lumped together and called tonyhax. Leads to some confusion. Whereas with FreePSXBoot there's a clearer distinction since the loader is Unirom.

No, it is me who is wrong. Sorry @Peppe90.
 
Yeah, I missed that. This damn PS4 ODD makes me nervous. ;p



No, it is me who is wrong. Sorry @Peppe90.

Things that happen. All is well that ends well :D

I think I'll test it soon. See the last post here, about FPSXB: SCPH-5502, SCPH-7500, neither working with 20210419 · Issue #31 · brad-lin/FreePSXBoot (github.com)

He seems pretty sure that disc works for re-formatting the MC. If that's the case I'll install FPSXB and also use it to test tonyhax (I had Crash 2 and 3 but lent them to a friend some time ago).
 
I think somewhere on the tonyhax site they also said that you can use MCA v2 to format and go back to a normal usable card as long as you put the card in after loading MCA v2. I can't guarantee that'll work though since I haven't done it. I also can't find that statement anymore. So it might not have always worked, or something.
 
I think somewhere on the tonyhax site they also said that you can use MCA v2 to format and go back to a normal usable card as long as you put the card in after loading MCA v2. I can't guarantee that'll work though since I haven't done it. I also can't find that statement anymore. So it might not have always worked, or something.

Most reports I read said that method didn't work.

There are also differences depending on the console model and exploit version used. See here: Not working on a SCPH-102 (with modchip) - 5502 works fine ! · Issue #15 · brad-lin/FreePSXBoot (github.com)

It seems he found a reliable recovery solution with Wipeout, read the 7th post.
 