tonyhax - PS1 softmod backup loader thing using THPS2/3

ShadowGeist
Interested PSXDEV User
Posts: 7
Joined: Mar 20, 2021
I am a: nobody

Post by ShadowGeist » March 20th, 2021, 10:11 am

Orion's save manager disc "PocketStation (Memory Card) Transfer Tool CD" supports .MCS files. viewtopic.php?t=227

ponlork
Curious PSXDEV User
Posts: 26
Joined: Mar 16, 2020

Post by ponlork » March 21st, 2021, 4:32 am

ShadowGeist wrote: March 20th, 2021, 10:11 am
Orion's save manager disc "PocketStation (Memory Card) Transfer Tool CD" supports .MCS files. viewtopic.php?t=227
That's pretty cool that he made a tool for this, because I remember, a very long time ago before I got into modding, wondering how I could get PS1 saves from the PC to a real PS1 memory card, and every answer I saw was people saying DexDrive, DexDrive, DexDrive, DexDrive or nothing, and I'm like, seriously? It took someone 15+ years to come up with a solution, and only as an afterthought when developing a PocketStation homebrew?

Even more recently I've only heard people suggest uLaunchELF or DexDrive. Well, it's good knowing that there are more options available. That's why I want to create a homebrew that contains a large database of PS1 saves and PocketStation games, because imagine people who were playing an RPG for many days, then suddenly their save file gets corrupted and they want an easy way to return to a location in the game that's closest to where they left off. Or maybe there are people who just want to relive their childhood memories and go to a particular scene or ending battle to record the footage.

Or imagine all those RPG Maker games that people made: instead of having 8 memory cards to swap between, they can download the games off the disc. Then there are some Music 2000/MTV Music Generator tracks made on the PS1 that can be shared. And what about Fighter Maker saves? I can supply custom moves or fully generated fighters.

And of course there are PocketStation games and homebrews. The other week I got Doom to run on the PocketStation using uLaunchELF, and it took some effort that I doubt the average person is willing to put in. So imagine a simple way to download these homebrew games, like how you normally would download PocketStation games from a retail disc.

I would like to develop my own PocketStation homebrew too, maybe a Flappy Bird clone.

ShadowGeist
Interested PSXDEV User
Posts: 7
Joined: Mar 20, 2021
I am a: nobody

Post by ShadowGeist » March 21st, 2021, 5:31 am

There are also the "10th Anniversary Memorial Save Data" NTSC-J Japanese and "Game Guru" series Russian/English discs, which contain a large database of saves and a data manager allowing transfer, formatting, recovery, etc.

ponlork
Curious PSXDEV User
Posts: 26
Joined: Mar 16, 2020

Post by ponlork » March 21st, 2021, 5:55 am

I remember Orion_ showcasing these rare プレプレ Plus PlayStation Club demo discs from Japan and thinking, wow, these demos contain a lot of save files. Seems to be more popular in Japan. I'm thinking about importing some of these demos.

I would like to build a homebrew with this idea from scratch, more so to teach myself programming and at the same time develop something useful, and this idea seems simple enough.

I think the best way to learn is to work on things that you can actually feel proud of and find use for, because I've followed tutorials before, and if my heart isn't in it, then I don't really retain the knowledge.

socram
Curious PSXDEV User
Posts: 11
Joined: Mar 01, 2021
I am a: Programmer
PlayStation Model: SCPH-102
Location: Valencia, Spain

Post by socram » March 21st, 2021, 10:21 am

Just a quick update. The title is a bit outdated. tonyhax since today (v1.2) works with all the following games:
  • Brunswick Circuit Pro Bowling (NTSC-U) (SLUS-00571)
  • Brunswick Circuit Pro Bowling (PAL-E) (SLES-01376)
  • Brunswick Circuit Pro Bowling 2 (NTSC-U) (SLUS-00856)
  • Brunswick Circuit Pro Bowling 2 (PAL-E) (SLES-02618)
  • Castrol Honda Superbike Racing (NTSC-U) (SLUS-00882)
  • Castrol Honda Superbike Racing (PAL-E) (SLES-01182)
  • Castrol Honda VTR (PAL-E) (SLES-02942)
  • Cool Boarders 4 (NTSC-U) (SCUS-94559)
  • Cool Boarders 4 (PAL-E) (SCES-02283)
  • Crash Bandicoot 2: Cortex Strikes Back (NTSC-U) (SCUS-94154)
  • Crash Bandicoot 2: Cortex Strikes Back (PAL-E) (SCES-00967)
  • Crash Bandicoot 3: Warped (NTSC-U) (SCUS-94244)
  • Crash Bandicoot 3: Warped (PAL-E) (SCES-01420)
  • Sports Superbike (PAL-E) (SLES-03057)
  • Sports Superbike 2 (PAL-E) (SLES-03827)
  • Tony Hawk's Pro Skater 2 (NTSC-U) (SLUS-01066)
  • Tony Hawk's Pro Skater 2 (PAL-E) (SLES-02908)
  • Tony Hawk's Pro Skater 2 (PAL-DE) (SLES-02910)
  • Tony Hawk's Pro Skater 2 (PAL-FR) (SLES-02909)
  • Tony Hawk's Pro Skater 3 (NTSC-U) (SLUS-01419)
  • Tony Hawk's Pro Skater 3 (PAL-E) (SLES-03645)
  • Tony Hawk's Pro Skater 3 (PAL-DE) (SLES-03647)
  • Tony Hawk's Pro Skater 3 (PAL-FR) (SLES-03646)
  • Tony Hawk's Pro Skater 4 (NTSC-U) (SLUS-01485)
  • Tony Hawk's Pro Skater 4 (PAL-E) (SLES-03954)
  • Tony Hawk's Pro Skater 4 (PAL-DE) (SLES-03955)
  • Tony Hawk's Pro Skater 4 (PAL-FR) (SLES-03956)
  • XS Moto (NTSC-U) (SLUS-01506)
  • XS Moto (PAL-E) (SLES-04095)

yaroze
Curious PSXDEV User
Posts: 21
Joined: Jun 07, 2016

Post by yaroze » March 22nd, 2021, 1:22 am

socram wrote: March 21st, 2021, 10:21 am
Just a quick update. The title is a bit outdated. tonyhax since today (v1.2) works with all the following games:
Great work (again), Socram. I have tested some more games over the weekend (using the instructions provided by ChampionLeake79 at: https://championleake.github.io/blog/PS1-StackSmashing/), and I have found a few other games that seem to freeze the game and/or no$psx emulator whenever an abnormally long string is loaded from the memory card, and some that will even overwrite some of the registers (see screenshot below) - but, as yet, I can't find one that overwrites the ra/r31 register (other than ones that you have already listed, such as Tony Hawk 2).

It's possible that I am not modifying the memory card files correctly, though, because I also tried modifying Cool Boarders 4 (which you've stated is exploitable) and I simply received an in-game error stating that the memory card save was corrupted, before the game continued normally.

For this reason, I haven't updated the 'PS1 Vulnerabilities' Wiki page (at https://playstationdev.wiki/ps1devwiki/ ... rabilities) with any of my failed attempts yet, because it's possible that some of the games that I've tried (and failed) are in fact vulnerable if patched correctly.

FYI - the screenshot below is the most success that I've had so far: I've managed to overwrite the R2/R8/R18 registers with my 0x12345678 value, but not the R31 register:-
r2_r18_01.png

socram
Curious PSXDEV User
Posts: 11
Joined: Mar 01, 2021
I am a: Programmer
PlayStation Model: SCPH-102
Location: Valencia, Spain

Post by socram » March 22nd, 2021, 3:34 am

You went with one of the hard ones haha. Cool Boarders has a checksum over the entire save contents: https://github.com/socram8888/tonyhax/b ... hecksum.sh Crash Bandicoot 2/3 do too (https://github.com/socram8888/tonyhax/b ... hecksum.sh). The rest of the supported ones nope.

Shadow
Admin / PSXDEV
Posts: 2558
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » March 22nd, 2021, 11:28 pm

As far as I know, Sony left those unlock strings in by accident and they weren't used by developers. Developers instead had to buy debugging stations which had a different mask ROM in the HC05.

Wow, you got quite a few games to overflow and boot from. "Tonyhax" isn't a good name for this exploit anymore. It should be called the "socram exploit" :P

By the way, in your file https://github.com/socram8888/tonyhax/b ... er/cdrom.c, you shouldn't delay the system with a simple for loop. Instead, use the VBLANK interrupt. NOTE: 30 may not be enough, so change the value as needed.


bool cd_reset(void) {
	// Issue a reset
	cd_command(CD_CMD_RESET, NULL, 0);

	// Should succeed with 3
	if (cd_wait_int() != 3) {
		return false;
	}

	// Need to wait for some cycles before it springs back to life.
	// libetc's VSync(n) blocks for n vertical blanks (30 is about 0.5 s at
	// 60 Hz, 0.6 s at 50 Hz) instead of burning CPU in a busy loop.
	VSync(30);

	return true;
}
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

ShadowGeist
Interested PSXDEV User
Posts: 7
Joined: Mar 20, 2021
I am a: nobody

Post by ShadowGeist » March 23rd, 2021, 3:56 am

Shadow wrote: March 22nd, 2021, 11:28 pm
Wow, you got quite a few games to overflow and boot from. "Tonyhax" isn't a good name for this exploit anymore. It should be called the "socram exploit" :P
So cram it in, ram till it overflows...
Last edited by ShadowGeist on March 23rd, 2021, 12:48 pm, edited 1 time in total.

ponlork
Curious PSXDEV User
Posts: 26
Joined: Mar 16, 2020

Post by ponlork » March 23rd, 2021, 11:28 am

Do you think there'll exist a game that can boot directly into the exploit, bypassing all the menus and stuff? That'll be awesome. I'll buy a boot disc of that if someone presses it.

brill
Active PSXDEV User
Posts: 46
Joined: Apr 30, 2013
PlayStation Model: SCPH-7502
Location: Ukraine, Odessa

Post by brill » March 23rd, 2021, 11:40 am

Dev console: SCPH-7502 + Xplorer with CAETLA 0.37
Dev PC: Windows 98 SE, Celeron at 633MHz, 128MB RAM, 20GB HDD

ponlork
Curious PSXDEV User
Posts: 26
Joined: Mar 16, 2020

Post by ponlork » March 23rd, 2021, 12:57 pm

You know what's crazy: I was following this eBay listing of a user selling PS1 memory cards with tonyhax, and just the other day I checked and it only had 1 sale and was being sold for less than $8. Then that MVG video aired, and today all 30 of the guy's memory cards were sold. He had to restock.

And sales of copies of THPS2 skyrocketed today thanks to that video. Crazy how when something generates a lot of views, it suddenly increases the value or sales of an item. You could sell bath water; if it's generating a lot of traffic from blogs and news sites, then it's almost guaranteed that it'll skyrocket in sales.

ShadowGeist
Interested PSXDEV User
Posts: 7
Joined: Mar 20, 2021
I am a: nobody

Post by ShadowGeist » March 23rd, 2021, 1:31 pm

ponlork wrote: March 23rd, 2021, 12:57 pm
sold
Pfft.

Funny if this thing hits those stacks of unwanted sports titles and wrastlin games. Think a lot of them have create-a-player/team with text input.

yaroze
Curious PSXDEV User
Posts: 21
Joined: Jun 07, 2016

Post by yaroze » March 24th, 2021, 12:41 am

ponlork wrote: March 23rd, 2021, 11:28 am
Do you think there'll exist a game that can boot directly into the exploit, bypassing all the menus and stuff? That'll be awesome. I'll buy a boot disc of that if someone presses it.
Certain games (such as Dead or Alive and Tekken) automatically load data from the memory card as soon as the game boots, and so it’s possible that a game such as this would immediately launch the exploit without any further user input – although I believe that these particular titles only load data into memory, and don’t immediately attempt to display any text strings.

Speaking of Dead or Alive: I tried modifying the high-score table a few days ago in the hopes of discovering a potential buffer overflow exploit, but I received an in-game error message stating that the save file was corrupted :( Perhaps the game features a checksum, and/or I attempted to overwrite too much data.

I tried about 50 other games over the weekend as well, but I am yet to find any more vulnerable titles :(. The only ‘successes’ that I have had so far are with Actua Soccer and David Beckham Soccer, as it’s definitely possible to overwrite the R2/R8/R18 registers with Actua Soccer, and both titles will freeze no$psx with an ‘Undefined Opcode’ error after displaying abnormally long text strings (possibly because they have been redirected to another part of memory after a ‘jmp’ command?) – but I can’t seem to control the specific return address / program counter value in either game, and thus this ‘discovery’ is currently of little use.

(It doesn’t help that no$psx isn’t an open-source emulator, and so I can’t build my own custom debugging/logging tools; the emulator allows breakpoints on memory locations, but not registers. I normally use PCSXR for debugging et cetera because it’s open-source, but it seems to crash more often than no$psx whenever I attempt to discover buffer overflow exploits)

Hexen seems to crash no$psx whenever certain strings are overwritten, but I don’t believe that this is a buffer overflow exploit as it occurs even if the string length remains the same.

Street Fighter Ex Plus Alpha freezes the game (but not the emulator) if any of the high score table strings are overloaded, but – again – I’m not sure whether this is a buffer overflow exploit, as there seems to be other pieces of data between the strings that are also overwritten (and may be causing the crash).

Various other games will display long strings without crashing (such as Ridge Racer, Kurushi, et cetera).

Aladdin requests that users enter their name at the start of the game, but I can’t seem to find any ASCII name strings in the save files.
ponlork wrote: March 19th, 2021, 3:38 am
Speaking of RPG Maker, maybe that game is exploitable. There is a lot of customization in that game.
I tried modifying one of the (many) strings within the RPG Maker save file, but – as with Dead or Alive – I received an in-game error message stating that the save file was corrupted, and so perhaps the game features a checksum, and/or I attempted to overwrite too much data.

I will try to continue searching for other titles if I can, although there are potentially thousands of games to search…

P.S. ChampionLeake79 stated on his websites a few years ago that Castlevania Chronicles is also possible to exploit.
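The failure mode yaroze describes above (a string read from a memory-card save running past the buffer the game reserved for it, far enough to reach saved registers) comes down to copying a field without checking that it terminates inside its declared width. The following is an added example, not code from tonyhax or from any game named in this thread: the unchecked copy pattern next to a bounded loader that refuses an overlong or unterminated name and reports the save as corrupt instead. The 128-byte frame, the 16-byte name field at offset 8 and the sample frames are constructed for illustration; real games lay their fields out differently.

```c
/* Added example: bounded loading of a player-name field from a save frame.
 * Not tonyhax code and not any game's code. Frame size, field position and
 * width, and the sample data below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN      128  /* one memory-card frame (sector) */
#define NAME_OFF       8    /* constructed: where the name field sits */
#define NAME_FIELD_LEN 16   /* constructed: field width, NUL included */

/* "Before": the save frame is trusted and strcpy() copies until it happens to
 * find a NUL, so a name that fills its field without one keeps writing past
 * name[] into the rest of the stack frame. Shown for comparison; never called. */
void load_name_unchecked(const uint8_t *frame)
{
    char name[NAME_FIELD_LEN];
    strcpy(name, (const char *)frame + NAME_OFF);   /* unbounded copy */
    printf("Player: %s\n", name);
}

/* "After": copy the name only if the field lies inside the frame, fits the
 * destination, and contains a NUL. On failure out[] is left empty and false
 * is returned so the caller can treat the save as corrupt. */
bool load_name_checked(const uint8_t *frame, size_t frame_len,
                       size_t name_off, size_t field_len,
                       char *out, size_t out_len)
{
    if (out_len == 0)
        return false;
    out[0] = '\0';
    if (name_off > frame_len || field_len > frame_len - name_off)
        return false;                   /* field runs outside the frame */
    if (field_len > out_len)
        return false;                   /* destination too small */
    const uint8_t *field = frame + name_off;
    const uint8_t *nul = memchr(field, '\0', field_len);
    if (nul == NULL)
        return false;                   /* unterminated: the overflow case */
    size_t len = (size_t)(nul - field); /* len < field_len <= out_len */
    memcpy(out, field, len + 1);
    return true;
}

/* Constructed frame: zero-filled, with n bytes of name data at NAME_OFF. */
void build_frame(uint8_t *frame, const uint8_t *name_data, size_t n)
{
    memset(frame, 0, FRAME_LEN);
    if (n > FRAME_LEN - NAME_OFF)
        n = FRAME_LEN - NAME_OFF;
    memcpy(frame + NAME_OFF, name_data, n);
}

/* A well-formed name is accepted and copied intact. Returns 1 on success. */
int demo_valid_name(void)
{
    uint8_t frame[FRAME_LEN];
    char out[NAME_FIELD_LEN];
    build_frame(frame, (const uint8_t *)"TONY", 5);   /* 5 bytes incl. NUL */
    if (!load_name_checked(frame, FRAME_LEN, NAME_OFF, NAME_FIELD_LEN,
                           out, sizeof out))
        return 0;
    return strcmp(out, "TONY") == 0;
}

/* Forty 'A' bytes with no terminator fill the field and spill past it: the
 * checked loader rejects the frame and out[] stays empty. Returns 1 if so. */
int demo_overlong_name(void)
{
    uint8_t frame[FRAME_LEN], filler[40];
    char out[NAME_FIELD_LEN];
    memset(filler, 'A', sizeof filler);
    build_frame(frame, filler, sizeof filler);
    if (load_name_checked(frame, FRAME_LEN, NAME_OFF, NAME_FIELD_LEN,
                          out, sizeof out))
        return 0;
    return out[0] == '\0';
}

int main(void)
{
    printf("valid name accepted:    %s\n", demo_valid_name() ? "yes" : "no");
    printf("overlong name rejected: %s\n", demo_overlong_name() ? "yes" : "no");
    return 0;
}
```

The checked loader deliberately bounds on the field's declared width rather than on the destination alone: a save whose name field has no terminator is malformed by the format's own rules, and refusing it is what turns the crash or register overwrite into an ordinary "save corrupted" message of the kind several posts in this thread ran into.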

ponlork
Curious PSXDEV User
Posts: 26
Joined: Mar 16, 2020

Post by ponlork » March 24th, 2021, 2:48 am

Looks like there's going to be a lot of games to inspect. I don't fully grasp a lot of the concepts, but maybe Super Puzzle Fighter II Turbo, Street Fighter Collection, KOF 99 or Capcom vs SNK Pro is worth looking into.

Would it be possible for someone to, say, develop their own homebrew which will allow this on boot-up, and instead of fetching the data from a PS1 memory card, have it load the data from the CD-ROM instead?

I know it wouldn't be practical to swap into the homebrew, but if this is possible, couldn't someone press these discs with the wobble groove like Breaker Pro and what Datel did? I think there's a sizable market for them, considering it'll be able to fully unlock the CD drive.

yaroze
Curious PSXDEV User
Posts: 21
Joined: Jun 07, 2016

Post by yaroze » March 24th, 2021, 4:23 am

ponlork wrote: March 24th, 2021, 2:48 am
Looks like there's going to be a lot of games to inspect. I don't fully grasp a lot of the concepts, but maybe Super Puzzle Fighter II Turbo, Street Fighter Collection, KOF 99 or Capcom vs SNK Pro is worth looking into.

Would it be possible for someone to, say, develop their own homebrew which will allow this on boot-up, and instead of fetching the data from a PS1 memory card, have it load the data from the CD-ROM instead?

I know it wouldn't be practical to swap into the homebrew, but if this is possible, couldn't someone press these discs with the wobble groove like Breaker Pro and what Datel did? I think there's a sizable market for them, considering it'll be able to fully unlock the CD drive.
I tried some of the Marvel/Street Fighter games, but I haven't had any success (yet). I also wanted to try Super Puzzle Fighter II Turbo, but I don't have a disc to hand... I generally tried to test some of the more obscure titles where possible, as I'm assuming that the more famous games have already been tested. According to Wikipedia, there are over 4,000 licensed PS1 games to test (gulp) - see: https://en.wikipedia.org/wiki/List_of_P ... E2%80%93L)

The Modern Vintage Gamer stated in his 2019 seminar that Datel actually physically cut the wobble grooves from official Crazy Taxi discs in order to produce their PS2 Action Replay discs, and I remember hearing similar stories regarding the Sega Saturn too (people allegedly cutting the outer ring from official discs and gluing them onto CD-R discs); I'm not sure if this was how Datel produced their PS1 Action Replay discs, or whether they used a manufacturing facility to produce the discs? I remember reading years ago that printing CDs is generally only profitable when a large number is produced at once (e.g. thousands), but I might be wrong.

Incidentally - there is a brief video of official PS1 discs being manufactured at the following link: https://www.youtube.com/watch?v=L6ek2bKW22A

The comments regarding the Crazy Taxi wobble groove can be found at the following link at the 22-minute mark: https://player.fm/series/the-real-mvp/t ... protection

ponlork
Curious PSXDEV User
Posts: 26
Joined: Mar 16, 2020

Post by ponlork » March 24th, 2021, 5:18 am

Wow, I actually posed that question on Discord once, thinking it's the most asinine thing to ask, but I was wondering if it's possible to do some sort of Frankenstein thing where we physically cut the portion with the wobble data out and then stitch a CD-R onto it, lol, and that's how I heard about Datel.

Most people are afraid to ask dumb questions, but I'm not. And I think that's why a lot of people visit this site but are intimidated to ask anything in fear of sounding stupid. But man, that sure would be an interesting project if someone was to document their work in cutting a retail PS1 disc and stitching a CD-R backup onto it.

And yeah, I've seen that manufacturing video before. Marilyn Manson actually reached out to Sony to press his album on PlayStation 1 discs in 2015 because he liked the black ink discs. So I'm guessing that manufacturing plant still exists.

I have dreams of developing my own PS1 game some day, and I would like to get the disc pressed or do some crazy method like Datel did. Personally I'm doing it more for art, to fulfill some childhood dream, rather than profit, lol, but hey, people are spending upwards of $100 for a PS1 memory card in 2021, so you never know. Generate enough views and anything will sell.

ponlork
Curious PSXDEV User
Posts: 26
Joined: Mar 16, 2020

Post by ponlork » March 24th, 2021, 6:45 am

Oh, and speaking of potentially exploitable games, can you check NBA Jam T.E.? It was a PS1 launch title and it auto-loads at the very first screen, but what's interesting about this game is it doesn't give users the ability to save or load. The only time it saves is if we input initials and complete a game, and then it'll auto-save.

But yeah, if that game is exploitable then it'll be a super fast boot. And I imagine the early PS1 launch titles may be more susceptible to exploits.

yaroze
Curious PSXDEV User
Posts: 21
Joined: Jun 07, 2016

Post by yaroze » March 24th, 2021, 1:19 pm

ponlork wrote: March 24th, 2021, 6:45 am
Oh, and speaking of potentially exploitable games, can you check NBA Jam T.E.? It was a PS1 launch title and it auto-loads at the very first screen, but what's interesting about this game is it doesn't give users the ability to save or load. The only time it saves is if we input initials and complete a game, and then it'll auto-save.

But yeah, if that game is exploitable then it'll be a super fast boot. And I imagine the early PS1 launch titles may be more susceptible to exploits.
I tried overwriting the initials string in the NBA Jam: Tournament Edition save file, and I received an in-game "Checksum Error" message - see screenshot below. I was surprised to see this, as I'd assumed that checksums were only used in newer games in order to avoid cheating, but perhaps they were also used in older games and/or to verify that the data had been written correctly as well?

In order to successfully overwrite the initials string, the checksum value in the memory card would presumably need to be changed as well... I'm not 100% sure how to do this, as I'm not sure what algorithm is used (CRC32?) and/or where the checksum value is kept. I may need to use PCSXR in order to debug the checksum routine if I am unable to locate any information online.
nba_te_checksum_error01.png
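On the question above of whether checksums are also there to verify that data was written correctly: the memory-card format itself carries one at the card level, independent of anything a game computes over its own save. In the documented card layout, each 128-byte directory frame (the frame an .MCS file begins with) holds the block allocation state at 0x00, the file size at 0x04, the next-block link at 0x08, a NUL-terminated filename from 0x0A, and at byte 0x7F the XOR of bytes 0x00..0x7E. The following is an added example, not tonyhax code or any game's code, that parses such a frame and rejects it when the stored XOR does not match or the filename is unterminated. The sample frame is constructed; nothing here concerns the game-specific checksum NBA Jam T.E. reports, whose algorithm and location the post leaves open.

```c
/* Added example: validating a PlayStation memory-card directory frame.
 * Not tonyhax or game code. Layout per the documented card format:
 *   0x00-0x03 block allocation state (0x51 = first block of a live save)
 *   0x04-0x07 file size in bytes, little-endian (multiple of 8192)
 *   0x08-0x09 next block number, little-endian (0xFFFF = none)
 *   0x0A-0x1E filename, ASCII, NUL-terminated (up to 20 characters)
 *   0x7F      XOR of bytes 0x00..0x7E
 * The sample frame built below is constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN    128
#define BLOCK_LEN    8192
#define FILENAME_OFF 0x0A
#define FILENAME_LEN 21      /* 20 characters plus the terminating NUL */
#define ALLOC_FIRST  0x51

struct dir_entry {
    uint32_t alloc_state;
    uint32_t filesize;
    uint16_t next_block;
    char     filename[FILENAME_LEN];
};

/* Parse results; anything negative means the frame must not be trusted. */
enum { DIR_OK = 0, DIR_BAD_CHECKSUM = -1, DIR_BAD_FILENAME = -2,
       DIR_NOT_FIRST = -3, DIR_BAD_SIZE = -4 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* XOR of bytes 0x00..0x7E: the value the card stores at 0x7F. */
uint8_t frame_checksum(const uint8_t *frame)
{
    uint8_t x = 0;
    for (size_t i = 0; i < FRAME_LEN - 1; i++)
        x ^= frame[i];
    return x;
}

int parse_directory_frame(const uint8_t *frame, struct dir_entry *e)
{
    const uint8_t *name = frame + FILENAME_OFF;
    memset(e, 0, sizeof *e);

    /* Integrity first: any altered byte in 0x00..0x7E shows up here. */
    if (frame_checksum(frame) != frame[FRAME_LEN - 1])
        return DIR_BAD_CHECKSUM;

    e->alloc_state = le32(frame + 0x00);
    e->filesize    = le32(frame + 0x04);
    e->next_block  = (uint16_t)(frame[0x08] | (frame[0x09] << 8));

    /* Filename must terminate inside its 21-byte field; never copy past it. */
    const uint8_t *nul = memchr(name, '\0', FILENAME_LEN);
    if (nul == NULL)
        return DIR_BAD_FILENAME;
    memcpy(e->filename, name, (size_t)(nul - name) + 1);

    if (e->alloc_state != ALLOC_FIRST)
        return DIR_NOT_FIRST;
    if (e->filesize == 0 || e->filesize % BLOCK_LEN != 0)
        return DIR_BAD_SIZE;
    return DIR_OK;
}

/* Constructed one-block directory frame with a correct checksum. */
void build_sample_frame(uint8_t *frame, const char *filename)
{
    memset(frame, 0, FRAME_LEN);
    frame[0x00] = ALLOC_FIRST;
    frame[0x04] = BLOCK_LEN & 0xFF;
    frame[0x05] = (BLOCK_LEN >> 8) & 0xFF;
    frame[0x08] = 0xFF;                 /* next block: none */
    frame[0x09] = 0xFF;
    strncpy((char *)frame + FILENAME_OFF, filename, FILENAME_LEN - 1);
    frame[FRAME_LEN - 1] = frame_checksum(frame);
}

/* An intact frame parses cleanly. Returns 1 on success. */
int demo_intact_frame(void)
{
    uint8_t frame[FRAME_LEN];
    struct dir_entry e;
    build_sample_frame(frame, "BXSAMPLE-00000DEMO");   /* constructed name */
    if (parse_directory_frame(frame, &e) != DIR_OK)
        return 0;
    return e.filesize == BLOCK_LEN && e.next_block == 0xFFFF &&
           strcmp(e.filename, "BXSAMPLE-00000DEMO") == 0;
}

/* One flipped filename bit, stored checksum untouched, is caught. Returns 1 if so. */
int demo_corrupted_frame(void)
{
    uint8_t frame[FRAME_LEN];
    struct dir_entry e;
    build_sample_frame(frame, "BXSAMPLE-00000DEMO");
    frame[FILENAME_OFF + 2] ^= 0x01;
    return parse_directory_frame(frame, &e) == DIR_BAD_CHECKSUM;
}

int main(void)
{
    printf("intact frame parses:    %s\n", demo_intact_frame() ? "yes" : "no");
    printf("corrupted frame caught: %s\n", demo_corrupted_frame() ? "yes" : "no");
    return 0;
}
```

A single-byte XOR like this detects a stray write or a hand edit that forgot to update byte 0x7F, which is its purpose; it offers no protection against someone who recomputes it, and it says nothing about the contents of the 8 KiB data blocks, which is why games that care add their own checks over the save body.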

ponlork
Curious PSXDEV User
Posts: 26
Joined: Mar 16, 2020

Post by ponlork » March 24th, 2021, 6:54 pm

Wow, I've never seen that screen before. Guess it'll only show up if there's a problem with the memory card. Here's an interesting read about the hurdles in porting NBA Jam TE:
https://www.usgamer.net/articles/portin ... on-excerpt

Chris Kirby was only 18 years old when he programmed it. He actually commented on a mod I was working on. I've been trying to reverse engineer the game to re-enable a certain effect. I got it working, but it causes some unwanted effects. Basically it's this falling effect when players get dunked on. The NBA made them remove it because I guess they thought it was too violent to have players getting posterized. The backboard-shattering effect was also in the game at one point before the NBA made them remove it.
