PS1 tonyhax - A Software backup loader exploit for the PS1 (leverages save game exploit)

Looks like those classic PlayStation consoles are still making waves in the homebrew scene. We have seen vibrant development on the PS2, with recent things like OpenTuna and the recently dumped MechaCon firmware, which can potentially bring the various possibilities discussed here. However, the PS2 is not alone: its daddy, the original OG PlayStation 1, now has a software backup loader exploit that leverages save game exploits in Tony Hawk's Pro Skater 2 & 3, from developer socram8888. The developer has titled the project "tonyhax", and it will work with both the PAL and NTSC versions of the game.

The developer has provided a technical write-up and an easy-to-follow explanation, as well as a YouTube video, which we have also attached below. Check out the latest exploit to hit the PS1.


  • tonyhax
    Presenting tonyhax - a softmod backup loader for the Sony PlayStation 1. This is a backup loader that leverages a save game exploit present on Tony Hawk's Pro Skater 2 and 3, in both the European PAL and American NTSC-U versions. For more information, see https://orca.pet/tonyhax.

    Why?
    • The first question that might pop up in your mind regarding this project is "why the F%$# didn't you just install a modchip?".
      • The answer is simple: I didn't want to mod my mint, boxed PSone, but I didn't want to leave it rotting on a shelf either.
    • Also, as an owner of a SCPH-102 console, these are a pain in the ass when it comes to chipping - in addition to the generic SCEx wobble check performed by the CD controller that is easily patchable, the boot menu on these also checks for the region string, which involves installing even more wires and a full-sized Arduino Pro Mini or ATmega328 chip to patch the CPU BIOS to play out-of-region games. Not cool.



  • How does this work?
    • In layman's terms, this exploit uses an oversight from the programmers: the game does not check that the skater name in the save file hasn't been tampered with and fits in the space the program allocated for it. If we externally change the username to something longer, we can overwrite other vital parts of the memory and run our own code.

    • In more technical terms, this exploit consists of a specially crafted save game with:
      • High scores replaced with a first-stage payload of 144 bytes.
      • An abnormally long skater name, with the memory address of the first-stage payload inserted.

    When entering the skater customization menu, the menu is dynamically generated to include the saved skater names in a way like:

    #include <stdio.h>
    #include <string.h>

    /* Placeholders: the real buffer sizes, MAX_LEN and skater table are not given in the write-up. */
    #define BUF_SIZE 64
    #define MAX_LEN 32
    struct skater { char name[256]; };
    extern struct skater custom_skater_data[];

    void trim_string(char * buffer, int len) {
        char trimmed[BUF_SIZE];   // fixed-size local buffer on the stack

        // Copy to our local buffer (unbounded: overflows if buffer is longer than trimmed)
        strcpy(trimmed, buffer);

        // Trim it: replace the last three characters with "..." and terminate one byte earlier
        trimmed[len - 4] = '.';
        trimmed[len - 3] = '.';
        trimmed[len - 2] = '.';
        trimmed[len - 1] = 0;

        // Copy back to the original buffer
        strcpy(buffer, trimmed);
    }

    void create_skater_entry(int id) {
        char menutext[BUF_SIZE];  // fixed-size menu entry, also on the stack
        int textlen;

        // Unbounded format of a name whose length was never checked when the save was loaded
        sprintf(menutext, "Skater %c: %s", 'A' + id, custom_skater_data[id].name);
        while ((textlen = strlen(menutext)) > MAX_LEN) {
            trim_string(menutext, textlen);
        }

        // ...
    }
    Essentially, if a string long enough to overflow the buffer is specified, the buffer overflows and overwrites part of the stack as we want, but then it gets hammered with periods.

    However, as trim_string is a subcall and has a local buffer, if we specify a character name with the right length (165 characters, exactly), the null terminator in the trimmed buffer overlaps the first character of menutext, resulting in a menu entry with a length of 0, thus sparing the rest of the stack contents.
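    As an added defensive example (not code from the tonyhax write-up or from the game), here is the same menu entry built with bounds checks: the name is validated when the save is loaded, and the entry is formatted with snprintf into a single buffer and trimmed in place, so a 165-character name is rejected and the menu text can never exceed MAX_LEN. The buffer sizes and NAME_MAX are assumed values, since the write-up gives neither.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the write-up does not give the game's real values. */
#define MENU_BUF  64   /* local buffer holding one menu entry          */
#define MAX_LEN   32   /* widest entry the menu will display           */
#define NAME_MAX  15   /* longest skater name a valid save may contain */

/* Validate a name field straight from the memory card: it must be
 * NUL-terminated inside the field and no longer than NAME_MAX.
 * The game skipped this check, which is what the save exploit relies on. */
int skater_name_valid(const char *field, size_t field_size)
{
    const char *nul = memchr(field, '\0', field_size); /* never reads past the field */
    if (nul == NULL) return 0;
    size_t len = (size_t)(nul - field);
    return len > 0 && len <= NAME_MAX;
}

/* Bounded replacement for create_skater_entry + trim_string: snprintf writes
 * at most out_size bytes, and trimming to MAX_LEN with "..." happens in place,
 * so there is no second buffer to overflow. Returns the final length or -1. */
int create_skater_entry_safe(char *out, size_t out_size, int id, const char *name)
{
    if (out_size <= MAX_LEN) return -1;                /* need room for MAX_LEN + NUL */
    int n = snprintf(out, out_size, "Skater %c: %s", 'A' + id, name);
    if (n < 0) return -1;
    if ((size_t)n >= out_size) n = (int)out_size - 1;  /* snprintf already truncated */
    if (n > MAX_LEN) {                                 /* keep MAX_LEN-3 chars + "..." */
        memcpy(out + MAX_LEN - 3, "...", 4);           /* 4 bytes: "..." plus the NUL */
        n = MAX_LEN;
    }
    return n;
}

/* Constructed input: a 165-character name, the length the write-up describes. */
int demo_long_name(void)
{
    char field[256];
    memset(field, 'A', 165);
    field[165] = '\0';
    if (skater_name_valid(field, sizeof field)) return -1; /* must be rejected */
    char menu[MENU_BUF];
    return create_skater_entry_safe(menu, sizeof menu, 0, field); /* 32, never more */
}
```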

    After some more menu-related stuff, the return address is finally pulled from the stack and the code jumps to it. This return address points to the beginning of the high scores menu, whose contents are also loaded with no checks from the memory card, and where we have the first-stage payload.

    This first stage payload is about 144 bytes, and its sole purpose is to load the secondary program loader (or SPL for short) from an additional save file in the memory card using the PS1 BIOS calls. Once loaded, it jumps straight to it.

    As the console is left in an inconsistent state, the SPL first reinitializes the system kernel (RAM, devices…), by using the very same calls the ROM executes during the booting of the console.
    After that, the GPU is reset. Once the GPU is ready again, it sets up the video to a resolution of 320x240, unpacks the 1bpp font from the BIOS ROM into VRAM, and draws the basic border and program name to show that everything is working fine up to this point.

    With a fully working screen, it then proceeds to unlock the CD drive to accept discs missing the SCEx signature, leveraging the CD BIOS unlock commands found by Martin Korth. These unlock commands are a sort of backdoor, and the drive, probably in order to keep them secret, returns an error instead of a success message. The SPL is coded to expect a particular error to be returned, and will actually abort if the drive reports that it succeeded or if it returns another unexpected error code.

    After unlocking it, it waits for the lid to be opened and closed, allowing the user to insert a new CD.
    After that, the CD filesystem is reinitialized. It proceeds to read the SYSTEM.CNF configuration file, reinitializes the kernel with the parameters the game needs, and finally loads and runs the game's main executable.

  • Installation
    • To install this exploit, you'd need a means of copying the save file to a PS1 memory card. Personally, I've used a PS2 with Free McBoot and uLaunchELF.
    • All you have to do is copy the game's crafted save file and the TONYHAX-SPL file into the card. That's it.
    • Once installed, you can freely copy it to other cards using the PS1 and the memory card management menu, and distribute it freely amongst friends.

    Usage

    • Once installed, all you have to do is boot the game like you'd normally do.
    • Once you get to the main menu, it'll load the save game (it should say "Loading TONYHAX"). After it's done, go to the "CREATE SKATER" function and press X. After a couple seconds, tonyhax should boot.

    Save games
    • BASLUS-01066TNHXG01: Tony Hawk's Pro Skater 2 (NTSC-U) (SLUS-01066)
    • BESLES-02908TNHXG01: Tony Hawk's Pro Skater 2 (PAL-E) (SLES-02908)
    • BASLUS-01419TNHXG01: Tony Hawk's Pro Skater 3 (NTSC-U) (SLUS-01419)
    • BESLES-03645TNHXG01: Tony Hawk's Pro Skater 3 (PAL-E) (SLES-03645)
    • TONYHAX: tonyhax's secondary program loader (SPL)

  • Compatibility

    I've personally only attempted this with a PAL SCPH-102 PSone, but according to Martin Korth's documentation this should work with:
    • Every PAL console.
    • Every NTSC-U console except the very early SCPH-1000.
    • NetYaroze consoles.
    However, this will not work with:
    • Japanese NTSC-J consoles (stubbed/bugged CD unlock).
    • NTSC-U SCPH-1000 consoles (BIOS predates the introduction of the CD unlock command).



Source: https://orca.pet/tonyhax/
Thanks to psx-place member @HWNJ for the heads up!!
 
The FreePSXBoot site/readme just got an update. This might make formatting the MCA v2 to recover it a little more reliable.

Some tools and games crash when attempting to format a memory card loaded with FreePSXBoot, but may be able to format it by first inserting a normal memory card, and switching it with the FreePSXBoot memory card just before the format operation starts.
 
@Peppe90 Sorry for being salty, but this should be called Lamer Kit. It contains cheat engines (commercial ;]) + Memory Card Renamer + Memory Card Manager + a modified DemoMenu that does not read "PROGRAMS.TXT" but "PROGRAMY.TXT".

Could you be more precise? What application have you used? One of those cheat engines or one of those two homebrews?
 
Memory Card Manager.

Practically, I normally started FPSXB. After it read the disc, I removed the FPSXB MC as usual.
Once on the disc's main menu I entered Memory Card Manager.

Then I re-inserted the FPSXB MC (after a couple of seconds, the message that the MC is being recognized appears at the top of the screen), chose format, and pressed start.

It formatted the MC perfectly, without problems.

Then I re-installed FPSXB on it.
 
Another thing tonyhax is good for is letting you know your BIOS version:



So also for installing FPSXB, in the case of a PSone (101/102 or, even worse, a fat 1002), if you have a tonyhax-compatible game you can save the trouble of disc swapping to the BIOS dump disc.
 
Finally. A little late in the game, though: the PlayStation came out almost 20 years ago. Most people were using mod chips, the game swap trick, or GameSharks to play burned games.
 
BRUH... Get your dates right! The PS1 came out ~29 years ago... The PS2 itself came out OVER 20 years ago!
 
@TnA Alright, thanks sir.
I almost got a used PS1 I saw the other day just to try this memory card trick. Still cheaper than a PlayStation Classic.
 
Actually, I just saw that my PS2 model is SCPH-30001, so it's too old for the PSX Launcher/MechaPwn exploit, but it can run this tonyhax exploit for PS1 backups. I saw a video online using the game exploit installation method and a PS1 memory card.

Do you know whether you are only able to run the exploit from games on their list of 'tested games', or will any original PS1 game run the exploit? And do I need to run the game exploit each time I want to play a backup, or just once?

Thank you
 
@TnA, doesn't the PS1 version install directly to the firmware, or read from the memory card and boot before loading a disc (kind of like FreeMcBoot)?

I got a disc off their list; it should arrive in the mail soon. I'm excited to check it out. I guess swapping discs will be a small hassle but not too big a deal. Maybe in 5 years some hacker will figure out a better way, or those mini-PCs/Raspberry Pis will be the standard.
 
How do you intend to boot into tonyhax, a PS1 exploit, without a PS1 game in the PS2 that triggers PS1 mode?
 
@TnA, when I first heard about the hack I thought it was like FreeMcBoot: that the PS2/PS1 would read from the memory card and boot into the exploit before loading the PS2 menu.

I just ended up getting one of the games off the list (for $5 s&h) and got the thing to work the other day, so I understand how it works.

Actually, I'm surprised no one has written a script where the PS2 thinks it's loading an authentic PS1 game, so people can bypass the copyright protection and load PS1 backups without having to swap discs, but probably in the future that will happen.
 