tonyhax - PS1 softmod backup loader thing using THPS2/3

socram
Curious PSXDEV User
Posts: 17
Joined: Mar 01, 2021
I am a: Programmer
PlayStation Model: SCPH-102
Location: Valencia, Spain


Post by socram » March 12th, 2021, 8:10 am

Hello! Socram here. It's my first time doing any development on the PS1, but I've done some work on other consoles, such as breaking the amiibo's cryptography. I'm here to present you all a small project I've been working on for the past month.

I have a boxed, nearly mint PSone SCPH-102 that I really didn't want to chip, but I really didn't want to leave on a shelf unused either. After seeing there were no alternatives that didn't involve either swapping the spinning disc and risking damaging the mechanism, or physically modding the console, I decided to take matters into my own hands.

After reading on no$psx' documentation about "possible save game exploits", I looked for the cheapest PS1 game I could locally get, and decided to implement one.

Thus tonyhax was born.

tonyhax is a save game exploit that uses a specially crafted save game for Tony Hawk's Pro Skater 2 and 3, in both PAL and NTSC-U versions, to load a custom backup loader that uses no$psx' secret CD unlock commands to enable loading backups on a totally unmodded and stock PS1.

After extensive testing on real hardware and emulator, I've decided today to release the first v1.0 of the exploit to the public. Its source code, as well as pre-compiled binary files, are available at its GitHub page at https://github.com/socram8888/tonyhax, under a WTFPL license.

The source code is coded fully from scratch, and makes use of no pre-made or proprietary libraries - everything is self-contained, and building the entire project only needs a working GCC MIPS compiler.

A short video demoing it is available at: https://www.youtube.com/watch?v=TO6msoWZa2I.

Shadow
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » March 13th, 2021, 3:47 pm

Nice little exploit! Unfortunately it won't run all games though. You will run into some problems when you re-set up the kernel, as some are very picky about how it's configured. In theory, there should be heaps of other games which can run the exploit too (not just Tony Hawk 2 and 3), which widens the potential for users to run them. Should aim to get it running on the top 5 most popular games on the console so users have a large choice :)
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

ponlork
Curious PSXDEV User
Posts: 25
Joined: Mar 16, 2020

Post by ponlork » March 14th, 2021, 11:17 am

This is awesome. Do you know if games with CDDA audio will work with this method? I went ahead and purchased THPS2 on eBay and will test it.


Post by socram » March 14th, 2021, 9:39 pm

Shadow wrote: March 13th, 2021, 3:47 pm Nicely little exploit! Unfortunately it won't run all games though. You will run into some problems when you re-setup the kernel as some are very picky about how it's configured. In theory, there should be heaps of other games which can run the exploit too (not just Tony Hawk 2 and 3) which widens the potential for users to run them. Should aim to get it running on the top 5 most popular games on the console so users have a large choice :)
I've in fact already encountered two, but managed to patch them. It seems older games that rely more on the BIOS calls are more sensitive to the kernel status, while newer that have apparently more abstraction are less so.
ponlork wrote: March 14th, 2021, 11:17 am this is awesome. do you know if games with CDDA audio will work with this method? I went ahead and purchased THPS2 on ebay and will test it.
Yes, CD-DA works perfectly fine. I've tried it with the Spanish version of Hogs of War, which has one data track with libcrypt and two audio tracks, and it worked flawlessly.


Post by ponlork » March 15th, 2021, 3:12 am

socram wrote: March 14th, 2021, 9:39 pm Yes, CD-DA works perfectly fine. I've tried it with the Spanish version of Hogs of War, which has one data track with libcrypt and two audio tracks, and it worked flawlessly.
That's incredible, because as far as I'm aware there's never been a way to get backups with CDDA audio working previously other than to use a modchip, a PSIO-type device, or to swap with an original disc that has the same TOC.

I've been working on a PSX mod titled NBA Jam 21 and I ran into the problem of getting redbook audio working on real hardware: https://www.youtube.com/watch?v=dus_VhX1p4A

I wasn't aware of this limitation before and I was doing all types of research, reading articles dating back 15+ years, and couldn't find a solution. So I went ahead and purchased a modchip. I haven't installed it yet though, and if this method works without modding then I won't have to install it and I can show my viewers a simple way to get CDDA audio working on real hardware.

Do you think we can run this exploit using a backup THPS2 disc by booting it with Breaker Pro or doing the swap method? While I wait on my THPS2 game to arrive, I'm going to give this a try.

I take it this exploit wont run on a fat PS2, but I'll give that a try too. Thank you very much for this.


Post by socram » March 15th, 2021, 4:13 am

ponlork wrote: March 15th, 2021, 3:12 am ...
It should run totally fine with swapping. Though with how cheap they are I'd probably just get one of the supported games (THPS2, 3 or 4, or Brunswick Circuit Pro Bowling 1/2).

Regarding the PS2, the documentation from no$psx says it's not compatible, but I've got three reports saying it works with an NTSC-U SCPH-39001 and a SCPH-30001, and another unknown fat PS2 on YouTube.


Post by ponlork » March 15th, 2021, 7:22 pm

I've tested it earlier today and CDDA audio tracks work. I also got it to work on my fat PS2.

I imagine the prices for THPS2/3 will increase once more people are aware of this exploit. I believe this little feature to play CDDA audio games is very useful for those who may already have a method to play backup games using a Action Replay or Breaker Pro swap disc.

Since games with CDDA audio aren't all that common, it's great to know that there's now a way to play them without a modchip. The only difficult part is maybe getting those memory card blocks onto a real memory card. Some may not have a softmodded PS2, or they may not be willing to put in the effort to buy a DexDrive or a PS3 Memory Card Adaptor.

Is it okay if I create a burnable PSX disc that contains your tonyhax files? My idea is to modify one of those PlayStation Underground demo CDs and bundle your tonyhax files. There's a section on those discs called "Download Station" which lets users download memory card saves to a PS1 memory card.

I also plan on learning C and PSX development soon, and for my first project I'd like to create a homebrew that contains a large database of PS1 save files for games like RPG Maker, Fighter Maker, and more. The idea sounds simple; hopefully it won't be too difficult to create. It sure beats making a Hello World program.


Post by socram » March 16th, 2021, 12:55 am

ponlork wrote: March 15th, 2021, 7:22 pm Is it okay if I create a burnable PSX disc that contain your Tonyhax files? My idea is to modify one of those PlayStation Underground demo CDs and bundle your Tonyhax files. There's a section on those discs called "Download Station" which lets users download memory card saves to a PS1 memory card.

I also plan on learning C and PSX development soon and for my first project I'll like to create a homebrew that contains a large database of PS1 save files for games like RPG Maker, Fighter Maker, and more. the idea sounds simple, hopefully it won't be too difficult to create. It sure beats making a Hello World program.
Absolutely, that'll be really perfect.

If you plan on doing it from scratch, please note that the number of saves, now that it also supports THPS4, exceeds the number that can fit on a memory card, so you'd probably need to make a menu to choose which save games to install.


Post by ponlork » March 16th, 2021, 1:59 pm

socram wrote: March 16th, 2021, 12:55 am Absolutely, that'll be really perfect.

If you plan on doing it from scratch, please note the amount of saves now that it also supports THPS4 exceeds the amount of saves that can fit on a memory card, so you'd probably need to make a menu to choose which save games to install.
I've successfully modded a PlayStation Underground disc to bundle Tonyhax on there.

I even swapped out the intro video to include your little demonstration video. The Download Station app had 7 available slots, so I included THPS 2, 3 and 4 in both NTSC and PAL.

You know, I was thinking, wouldn't this exploit work with games like Monster Rancher? There's a feature in the game that lets us generate monsters by inserting random CDs. We couldn't do that before with swap methods, but I assume this exploit will work. I haven't tried it yet though.


Post by socram » March 17th, 2021, 12:57 am

That's pretty damn cool. I wonder if it'd be feasible to alter the game code to include more slots. I'll check it.


Post by ponlork » March 17th, 2021, 4:03 am

That'll be great if it can. I only have experience with modding PSX games, and one of the limitations is that the file sizes need to be equal to or less than the original file we're replacing. So even for the intro video I had to trim your video and speed it up a bit to match the video on the disc.

I heard there are ways to expand the size and rebuild the LBA or something, but I'm really not familiar with these things. And reverse engineering is possible, it just takes a lot of time. I'm merely a hobbyist, but I got a taste of that when working on my NBA Jam 2K21 mod, where I used Ghidra to analyze ASM and C code I couldn't understand. Then I was blindly wiping out large sections of code with no$psx until it produced some interesting effects, then I pinpointed the areas of interest and started tinkering around with the values until I got the effect I wanted.

That's what motivated me to learn C, because I want to understand what I'm doing better and I also want to try creating some simple homebrew games. I hear it's much easier to start from scratch than to try to reverse engineer a game without the source code.

I was wondering, couldn't we simply modify one of these PlayStation Underground discs to swap out the demo games with our own homebrews? I know Lameguy64 made Meido Menu v1.2 which can create compilation discs, but I was wondering if we can simply modify a PlayStation Underground disc to replace games.


Post by Shadow » March 18th, 2021, 3:12 am

I can make a small program which will write the save game data to a Memory Card. I'll try and do it when I have some spare time. I'll have it read the save from the disc as a separate file and not from within the PS-EXE as machine code, so updates can be overwritten by using a program such as CDMage :)
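
The writer Shadow proposes above has to produce the raw card layout that no$psx documents: 16 blocks of 8 KiB, block 0 holding the directory, one 128-byte frame per data block, every frame closed by an XOR checksum. The C below is an added example, not tonyhax code and not Shadow's tool: it formats an image, appends saves (including a two-block chain) and reads one back while verifying the checksums and refusing a corrupted or cyclic chain. The save names and contents are constructed; the BA/BE prefixes are the NTSC-U/PAL region codes, the product numbers are placeholders.

```c
/* PS1 memory-card image (.mcr layout): 16 x 8 KiB blocks; block 0 is the directory.
 * Added example, not tonyhax or Shadow's tool. Sample saves below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME     128
#define BLOCK     8192
#define NBLOCKS   16
#define CARD_SIZE (NBLOCKS * BLOCK)                      /* 131072 bytes */
#define NO_NEXT   0xFFFFu
enum { ST_FREE = 0xA0, ST_FIRST = 0x51, ST_MIDDLE = 0x52, ST_LAST = 0x53 };

static uint8_t g_card[CARD_SIZE], g_out[CARD_SIZE], g_data[2 * BLOCK];

static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Frames in block 0 end with the XOR of their first 127 bytes. */
uint8_t frame_checksum(const uint8_t *f) {
    uint8_t x = 0;
    for (int i = 0; i < FRAME - 1; i++) x ^= f[i];
    return x;
}

/* Frame b of block 0 describes data block b: state, size, next-block link, filename. */
static void write_dir_frame(uint8_t *f, uint32_t state, uint32_t size, unsigned next, const char *name) {
    memset(f, 0, FRAME);
    put32(f + 0x00, state);
    put32(f + 0x04, size);                                  /* total size, first block only */
    put16(f + 0x08, (uint16_t)(next == NO_NEXT ? 0xFFFF : next - 1)); /* link stored as block-1 */
    if (name) memcpy(f + 0x0A, name, strlen(name));         /* <= 20 chars; NUL at 0x1E already 0 */
    f[0x7F] = frame_checksum(f);
}

void format_card(uint8_t *card) {
    memset(card, 0, CARD_SIZE);
    memcpy(card, "MC", 2);
    card[0x7F] = frame_checksum(card);                      /* 'M' ^ 'C' = 0x0E */
    for (unsigned b = 1; b < NBLOCKS; b++)
        write_dir_frame(card + b * FRAME, ST_FREE, 0, NO_NEXT, NULL);
    memcpy(card + 63 * FRAME, card, FRAME);                 /* write-test frame mirrors frame 0 */
}

/* Appends a save spanning len/BLOCK consecutive free blocks; returns its first block or -1. */
int add_save(uint8_t *card, const char *name, const uint8_t *data, size_t len) {
    size_t n = len / BLOCK;
    if (n == 0 || len % BLOCK || strlen(name) > 20) return -1;
    unsigned first = 1;
    while (first < NBLOCKS && get32(card + first * FRAME) != ST_FREE) first++;
    if (first + n > NBLOCKS) return -1;                     /* card full: a real tool needs a menu here */
    for (size_t i = 0; i < n; i++) {
        unsigned b = first + (unsigned)i;
        int last = (i + 1 == n);
        uint32_t st = i == 0 ? ST_FIRST : last ? ST_LAST : ST_MIDDLE;
        write_dir_frame(card + b * FRAME, st, i == 0 ? (uint32_t)len : 0,
                        last ? NO_NEXT : b + 1, i == 0 ? name : NULL);
        memcpy(card + b * BLOCK, data + i * BLOCK, BLOCK);
    }
    return (int)first;
}

/* Looks a save up by name, walks its block chain verifying every frame checksum, and
 * copies the data to out (CARD_SIZE bytes is always enough). Returns bytes copied or -1. */
long read_save(const uint8_t *card, const char *name, uint8_t *out) {
    if (memcmp(card, "MC", 2) != 0) return -1;
    for (unsigned b = 1; b < NBLOCKS; b++) {
        const uint8_t *f = card + b * FRAME;
        if (get32(f) != ST_FIRST || strncmp((const char *)f + 0x0A, name, 21) != 0) continue;
        uint32_t size = get32(f + 0x04);
        long got = 0;
        unsigned blk = b, hops = 0;
        while (blk != NO_NEXT) {
            if (blk >= NBLOCKS || ++hops > NBLOCKS) return -1;          /* bad link or cycle */
            f = card + blk * FRAME;
            if (f[0x7F] != frame_checksum(f)) return -1;                 /* corrupt directory */
            memcpy(out + got, card + blk * BLOCK, BLOCK);
            got += BLOCK;
            uint16_t link = get16(f + 0x08);
            blk = link == 0xFFFF ? NO_NEXT : (unsigned)link + 1;
        }
        return got == (long)size ? got : -1;
    }
    return -1;
}

/* Builds a card with a one-block and a two-block save; returns the two-block save's first block. */
int demo(void) {
    memset(g_data, 0x11, BLOCK);
    memset(g_data + BLOCK, 0x22, BLOCK);
    format_card(g_card);
    if (add_save(g_card, "BASLUS-00000TEST", g_data, BLOCK) != 1) return -1;   /* BA = NTSC-U */
    return add_save(g_card, "BESLES-00000TWOBLK", g_data, 2 * BLOCK);          /* BE = PAL */
}

/* Flips one byte in the second save's last directory frame on a copy and tries to read it. */
long read_after_corruption(void) {
    static uint8_t copy[CARD_SIZE];
    memcpy(copy, g_card, CARD_SIZE);
    copy[3 * FRAME + 0x04] ^= 0x01;
    return read_save(copy, "BESLES-00000TWOBLK", g_out);
}

int main(void) {
    printf("second save starts at block %d\n", demo());
    printf("read back %ld bytes\n", read_save(g_card, "BESLES-00000TWOBLK", g_out));
    printf("after corruption: %ld\n", read_after_corruption());
    return 0;
}
```

Two details trip up hand-rolled writers: the next-block link is stored as the block number minus one (so block 3 is written as 2), and a freshly formatted directory frame is not all zeros, its state byte 0xA0 propagates into the checksum at 0x7F. A game's own save data (the block starting with "SC" and the title/icon frames) is copied verbatim; only block 0 is the card's business.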

yaroze
Curious PSXDEV User
Posts: 21
Joined: Jun 07, 2016

Post by yaroze » March 18th, 2021, 3:52 am

@Socram I kicked myself when I heard about the tonyhax exploit yesterday, as I had tried to discover potential buffer overflow exploits in PS1 save games a few years ago (after hearing about the 007 / MechAssault exploits on the Original Xbox), but I gave up after a few games because I couldn’t find any!

The only 'minor' success I had was with Ridge Racer, as I recall that it was possible to enter (and display) high-score names beyond the standard three characters, and that doing so would also affect the handling of the car during the game – but the game itself would not crash, and thus could presumably not be used to launch other executables? I only tried it within the PCSXR emulator, though, and not on real hardware.

Anyway – good work, Socram :)

P.S. Your modified save files work correctly on the no$psx emulator, but they don’t seem to work on the PCSXR emulator, as the games simply remain frozen on the main screen.

Also: extending the Tony Hawk 2 Player Name string to fill the entire memory card causes the entire PCSXR emulator to crash!

P.P.S. I’m especially impressed by the fact that your boot disc also unlocks the PS1 CD drive, as I didn’t even know that this was possible (AFAIK, all of the old Action Replay / boot disc methods required the lid button to remain closed). I assume that this will enable multi-disc games to work, and will also solve the problem of CD-DA audio not playing correctly.

I remember hearing in the 2016 debuglive video that the Sega Saturn allegedly also contains a hidden CD drive unlock code which enables developers to run CD-R discs, but – as yet – I don’t think that anybody has discovered it (see: https://youtu.be/jOyfZex7B3E?t=293 at the 4:53 mark)
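
yaroze's post above describes the bug class tonyhax relies on: a save-file string the game copies into a fixed-size buffer using a length the save itself supplies, so a name longer than the game ever expected lands on whatever sits next to the buffer. The Ridge Racer handling glitch is what that looks like when the neighbour is game state; a save exploit is what it looks like when the neighbour is a saved return address. The C below is an added example with an invented profile layout, not THPS's data structures and not tonyhax code: vulnerable_load() trusts the record's length byte, hardened_load() bounds the copy by the destination, and craft_record() builds the oversized record. The record format, the field names and 0x80010000 (a typical PS1 RAM address, chosen for illustration) are all assumptions.

```c
/* Save-file name overflow: the game-side parser trusts the record's length byte.
 * Added example with a hypothetical layout; not THPS's structures, not tonyhax. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Game RAM as the loader sees it: the name is followed by state the game later trusts.
 * On a 32-bit MIPS target a saved return address in the next stack slot plays the
 * role of saved_ra here. */
struct profile {
    char     name[16];          /* game assumes at most 15 chars plus NUL */
    uint32_t score;
    uint32_t saved_ra;          /* stand-in for a saved return address / function pointer */
};
_Static_assert(sizeof(struct profile) == 24, "layout assumed by craft_record()");

typedef int (*loader_fn)(struct profile *, const uint8_t *, size_t);

/* Record as stored on the card (hypothetical): [name_len][name bytes ...]. */
enum { REC_LEN_OFF = 0, REC_NAME_OFF = 1 };

/* Vulnerable: checks that the record holds name_len bytes (source bound) but never that
 * the destination can hold them, so the copy runs straight over score and saved_ra. */
int vulnerable_load(struct profile *p, const uint8_t *rec, size_t rec_len) {
    size_t n = rec[REC_LEN_OFF];
    if (REC_NAME_OFF + n > rec_len) return -1;
    /* copied through the object's base so the demo overflow stays inside the struct;
       with n > sizeof(*p) the same line keeps writing past the object */
    memcpy((uint8_t *)p + offsetof(struct profile, name), rec + REC_NAME_OFF, n);
    return 0;
}

/* Hardened: the destination's size bounds the copy and the name must be a proper
 * C string; anything else is a corrupt (or hostile) save and is rejected. */
int hardened_load(struct profile *p, const uint8_t *rec, size_t rec_len) {
    size_t n = rec[REC_LEN_OFF];
    if (REC_NAME_OFF + n > rec_len) return -1;
    if (n >= sizeof p->name) return -1;                          /* leaves room for the NUL */
    if (memchr(rec + REC_NAME_OFF, '\0', n) != NULL) return -1;  /* embedded NUL: not a name */
    memcpy(p->name, rec + REC_NAME_OFF, n);
    p->name[n] = '\0';
    return 0;
}

/* Builds the hostile record: 16 name bytes (no terminator), then little-endian values
 * that land on score and saved_ra. Returns the record length (25). */
size_t craft_record(uint8_t *out, const char *name, uint32_t score, uint32_t ra) {
    uint8_t *body = out + REC_NAME_OFF;
    size_t nl = strlen(name) < 16 ? strlen(name) : 16;
    memset(body, 'A', 16);
    memcpy(body, name, nl);
    for (int i = 0; i < 4; i++) {
        body[16 + i] = (uint8_t)(score >> 8 * i);   /* offsetof(score) - offsetof(name) */
        body[20 + i] = (uint8_t)(ra >> 8 * i);      /* offsetof(saved_ra) - offsetof(name) */
    }
    out[REC_LEN_OFF] = 24;
    return REC_NAME_OFF + 24;
}

/* Runs the crafted record through a loader on a zeroed profile; little-endian host assumed. */
static struct profile load_crafted(loader_fn loader, int *rc) {
    uint8_t rec[32];
    struct profile p;
    memset(&p, 0, sizeof p);
    size_t len = craft_record(rec, "SOCRAM", 999999u, 0x80010000u);
    *rc = loader(&p, rec, len);
    return p;
}

int      rc_of(loader_fn l)          { int rc; load_crafted(l, &rc); return rc; }
uint32_t score_after(loader_fn l)    { int rc; return load_crafted(l, &rc).score; }
uint32_t saved_ra_after(loader_fn l) { int rc; return load_crafted(l, &rc).saved_ra; }

/* A legitimate record ("SOCRAM", length 6) must still load through either parser. */
int load_benign(loader_fn loader) {
    uint8_t rec[8] = { 6, 'S', 'O', 'C', 'R', 'A', 'M' };
    struct profile p;
    memset(&p, 0, sizeof p);
    return loader(&p, rec, sizeof rec);
}

int main(void) {
    printf("vulnerable: rc=%d saved_ra=0x%08" PRIx32 "\n", rc_of(vulnerable_load), saved_ra_after(vulnerable_load));
    printf("hardened:   rc=%d saved_ra=0x%08" PRIx32 "\n", rc_of(hardened_load), saved_ra_after(hardened_load));
    return 0;
}
```

The hunt yaroze describes is exactly the search for a vulnerable_load(): a text field whose on-card length is not re-checked against the in-RAM buffer. The crash he saw when stretching the Tony Hawk name to fill the card is the same copy walking off the end of whatever object the name lives in.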


Post by ponlork » March 19th, 2021, 3:38 am

Now I'm no expert on programming or anything, so y'all might have to excuse my noobish questions, but I've been working on an RPG Maker PS1 project and I was wondering if it's possible to use an exploit like tonyhax to change the function of a game, similar to what a GameShark does.

My idea was to modify the game ISO, but would it be possible to have the mods run from a memory card instead, so that my game hacks will run on a vanilla PS1 with the unmodded game?

For instance, the game's engine places a 1px spacer in between character sprites. I would like to somehow modify the game's code to remove that spacer so that I can merge multiple character sprites to create a much bigger sprite.

So would something like this be feasible if I create a custom memory card file that will inject or modify new code into the game so that it'll affect the behavior of the game?

Speaking of RPG Maker, maybe that game is exploitable. There is a lot of customization in that game.


Post by socram » March 19th, 2021, 4:37 am

Shadow wrote: March 18th, 2021, 3:12 am I can make a small program which will write the save game data to a Memory Card. I'll try and do it when I have some spare time. I'll have it read the save from the disc as a separate file and not from within the PS-EXE as a machine code so updates can be overwritten by using a program such as CDMage :)
Perfect, that'd be really cool! A PSX-EXE with some sort of binary/text configuration file where I can just type in the save file names stored on the CD and the game name in a human-readable fashion would be really awesome.
yaroze wrote: March 18th, 2021, 3:52 am @Socram I kicked myself when I heard about the tonyhax exploit yesterday, as I had tried to discover potential buffer overflow exploits in PS1 save games a few years ago (after hearing about the 007 / MechAssault exploits on the Original Xbox), but I gave up after a few games because I couldn’t find any!
Fun fact is, I didn't have any games with text input at home, so I took a bet and bought THPS3 straight away when I wanted to test this out, even before trying to exploit it on an emulator, just because it was the cheapest one I could find, and worst case I'd have a THPS game to play, which are games I've always had fun playing. I guess I got lucky haha.
ponlork wrote: March 19th, 2021, 3:38 am ...
Well, I guess that could be possible, but it certainly doesn't sound too user-friendly.


Post by Shadow » March 20th, 2021, 12:06 am

yaroze wrote: March 18th, 2021, 3:52 am I’m especially impressed by the fact that your boot disc also unlocks the PS1 CD drive, as I didn’t even know that this was possible (AFAIK, all of the old Action Replay / boot disc methods required the lid button to remain closed). I assume that this will enable multi-disc games to work, and will also solve the problem of CD-DA audio not playing correctly.

I remember hearing in the 2016 debuglive video that the Sega Saturn allegedly also contains a hidden CD drive unlock code which enables developers to run CD-R discs, but – as yet – I don’t think that anybody has discovered it (see: https://youtu.be/jOyfZex7B3E?t=293 at the 4:53 mark)
It's called the "NO$CASH Unlock" and it was found by Martin Korth by dumping the Motorola HC05 mask ROM and disassembling the machine code to find it. Someone else would have found it eventually, but dumping mask ROM is not easy. Luckily, the HC05 had a test mode which would dump the ROM, and Martin managed to find that, which was very clever on his behalf as it had not been done before to any of our knowledge in the history of the PlayStation. With that said, the "NO$CASH Unlock" is not perfect. It does have flaws, but this is due to the way the security on the PlayStation works from Sony in general.

x7502x
Interested PSXDEV User
Posts: 9
Joined: Nov 14, 2017

Post by x7502x » March 20th, 2021, 5:14 am

Is there any more info on the NO$CASH unlock? How was the feature left in the firmware? Does it disable the PS1 from looking for the security string?


Post by yaroze » March 20th, 2021, 8:33 am

x7502x wrote: March 20th, 2021, 5:14 am Is there any more info on the NO$CASH unlock? How the feature was left in the firmware? Does it disable the PS1 from looking for the security string?
I don't know much about the no$psx CD unlock procedure (I'm sure that Socram and Shadow are both far more knowledgeable about this topic than me), but there is some information regarding the CD unlock codes on the no$psx website at the following location: http://www.problemkaputt.de/psx-spx.htm ... ckcommands (Socram also references this documentation on his website: https://orca.pet/tonyhax/)
x7502x wrote: March 20th, 2021, 5:14 am How the feature was left in the firmware?
I might be totally wrong here, but did Sony leave this hidden code in deliberately (rather than by mistake) in order to enable developers to potentially boot CD-R discs on a stock PS1 (perhaps using an official Sony 'boot disc' of some sort) during development? It's true that leaving this code in the firmware creates the risk of it being exploited by the general public (as proven by Socram's exploit), but - theoretically - anybody hoping to trigger the hidden codes in order to boot CD-R or imported discs would have already had to have discovered a method to load custom code in the first place (e.g. via a modchip, Action Replay, disc-swapping, memory card exploits, et cetera), and thus the mere existence of the unlock codes by themselves would not have enabled piracy / region-bypassing?

As mentioned in my previous post, I believe that the Sega Saturn also contained hidden CD unlock codes, which were perhaps used by developers (see: https://youtu.be/jOyfZex7B3E?t=293 at the 4:53 mark)


Post by yaroze » March 20th, 2021, 8:50 am

ponlork wrote: March 15th, 2021, 7:22 pm The only difficult part is maybe getting those memory card blocks onto a real Memory card. Some may not have a softmod PS2 or they may not be willing to put in the effort to buy a dexdrive or a PS3 Memory Card Adaptor.
If you have a spare PS2 lying around, then I believe that it is now possible to launch regular burned discs on an unmodified machine (for most models): https://cturt.github.io/freedvdboot.html Theoretically, it should be possible from there to load custom data onto a PS1 memory card?


Post by ponlork » March 20th, 2021, 9:57 am

yaroze wrote: March 20th, 2021, 8:50 am If you have a spare PS2 lying around, then I believe that it is now possible to launch regular burned discs on an unmodified machine (for most models): https://cturt.github.io/freedvdboot.html Theoretically, it should be possible from there to load custom data onto a PS1 memory card?
I saw Modern Vintage Gamer's video on that, though I haven't tried it myself. I believe it exploits something in the DVD-Video player, where you've got to construct a blank DVD that has those VIDEO_TS folders to trick the PS2 into thinking it's a DVD video, and then it launches the game or something.

I recall it depends on which DVD driver a PS2 has. And I'm not sure if it's possible to save PS1 data from a PS2 game, but I have no idea. Would be cool if it works.

Edit: looking at this video of it, it appears we can run uLaunchELF on there. If that's the case, then one could burn FreeDVDBoot on a blank DVD and transfer the save files via USB to the memory card:
https://www.youtube.com/watch?v=lyFNHGmbBsU
