Transcription

The original Sony PlayStation has had a lot of attention in recent times, thanks to devices like the XStation and the PSIO, and not to mention the very excellent PSone Digital, which is an HDMI modification that we've looked at on the channel, that delivers a crisp HDMI signal tapped directly from the video chip. But these modifications are enthusiast-level upgrades that require opening up the system and installing complex pieces of electronics. Most of them aren't for the beginner, and would require someone who's experienced with soldering. These modifications also don't run cheap. Even a simple standard modchip for a PlayStation 1, as popular as they were back in the day, requires some experience with soldering, and you still need to purchase a modchip. But what if you just wanted to play PlayStation 1 discs without a modchip? Maybe you own a big CD folder of backup games, and you wanted to play them on a PlayStation In the past, this would not be possible unless you had a modchip installed. But thanks to a savegame exploit recently found with Tony Hawk Pro Skater 2 and 3, this is now possible. Known as Tony Hacks, this makes running backup games a reality, and we'll explain more about the exploit shortly. But first, why is this a big deal? Modded PS1s are everywhere, and playing backups without a modchip has already been possible for years, thanks to swap tricks, and even some things like the GameShark that plugs into the parallel port that's been flushed with a custom ROM. There's even the PlayStation Classic that can easily be modded to play the entire PS1 catalog, and improve upon the original emulation. All simply because some people don't want to use emulation, and are not comfortable with opening up their hardware. Things like swap tricks can obviously cause unnecessary wear and tear on the hardware, and they don't always work. There's also issues with CD audio and multi-disc game swapping. And something like the GameShark will work, but if you own a PlayStation 1 Slim that doesn't have a parallel port, then you're out of luck. Tony Hacks works on all modded PlayStation 1s, and it works by utilizing a buffer overflow exploit in Tony Hawk's Pro Skater 2 and 3, for both PAL and NTSC regions, to load a custom backup loader, unlock a few CD drive commands, and ultimately run backups on an unmodded PS1. So rather than me just talking about it, let's take a closer look and see how this exploit actually works. Now I've got a backup copy here of Final Fantasy Tactics for the PS1, and I'm just gonna put it into my PlayStation 1, or my PS1 here, just to show you that the system is not modified in any way whatsoever. So if we go ahead and then reset this PS1, it should tell me to insert a PlayStation 1 disc. This is a completely unmodified PS1 that we're looking at here. And after probably just a couple of seconds here, it should tell me that this disc is not readable. Please insert a PlayStation format disc. Now on this particular memory card, I have saved games from both Tony Hawk 2 and Tony Hawk 3. So let's go ahead and insert our Tony Hawk 3 original disc for the PS1. So now we're resetting our PS1, and it should boot directly into Tony Hawk 3. And I'm just going to skip over the intros and the menus and all that stuff and just get into it here. The exploitable save games are on the memory card attached to the PS1 here, and we've got saved games for both Tony Hawk 2 and Tony Hawk 3. So let's go ahead and jump in. So what we want to do here is we basically load the game here, and then we want to select create a skater. And watch what happens here when I pick create skater. Now as you can see here, after a second or so, we're in Tony Hacks. And basically what we do now is get our backup copy of Final Fantasy Tactics that we tried to run previously, and we will swap it into our PS1. As you can see, it's basically letting us put a disc in here. And it's initializing CD. And after a short while, it will boot into our backup copy of the game. And it should only take about 10 or 15 seconds or so, but it does depend on the CD that you've made a backup of, of course. Some work better than others. But as you can see, it's boot into our introduction here, and we should be into Final Fantasy Tactics running on a completely unmodified original Sony PS1 that has not been tampered with, has not been opened with in any shape or form. And this is how Tony Hacks works. It's a very simple, very elegant, but a really awesome way to play PlayStation 1 backup games on your original PS1. It took 27 years, but the PlayStation now has a soft mod exploit utilizing a save game. Tony Hacks was developed by Marcos del Solvives. It's completely open source, and all documentation has been provided for the entire process. But in summary, this is very similar to how Splinter Cell soft mod works on the original Xbox, or say the Twilight hack works on the Nintendo Wii. According to Marcos, in layman's terms, this exploit uses an oversight from the programmers. The game does not check that text in the save file hasn't been tampered, and fits in the space the program allocated for it. If we externally change that text to something longer, we can overwrite other vital parts of the system's memory and run our own code. Simple enough, but there is an outstanding question regarding this hack. Even with a buffer overflow to boot into a piece of homebrew code, how does this allow us to run a backup CD on the PlayStation 1? For those not familiar, PlayStation 1 copy protection has been discussed on the channel before. But in summary, each original PlayStation 1 disc is burnt with what's known as a wobble groove, where the wobble would be detected in original discs. However, burnt CDs are not capable of replicating the wobble. So to work around this, mod chips were created that would send fake data to the CD microcontroller and cause the PS1 to believe that a backup disc was legitimate. And a swap trick would simply read the wobble data from the original disc, and once authenticated, would boot into the backup if you were fast enough to swap discs at the right time. For Tony Hacks, the exploit leverages secret CD commands found in the PlayStation that were discovered in 2013. By sending a string of commands to the CD controller, it will unlock the drive and effectively disable the wobble groove protection. And with the drive unlocked, it's possible to effectively boot from a backup CD-R. What's even easier is that opening and closing the tray won't disable or reset the unlocked state that the drive is in, which makes it possible, as we saw with Tony Hacks, to simply swap in a CD-R backup once the drive has been unlocked and closed the tray. These unlock commands were documented by Martin Korth, who you may know from the NoCache emulator line, and interestingly enough, are supported on every single PlayStation CD-ROM BIOS, from almost the very earliest model all the way to the late model PS1s. Incidentally, I also tested Tony Hacks on a NET YAROSE, and it worked just fine there as well. Now for those concerned that this might drive up the price of Tony Hawk Pro Skater 2 and 3 for the PlayStation 1, there's really nothing to be concerned about. Not only were there millions of copies of these games made, Marcos has already implemented Tony Hacks for more games, with many more on the way. His website outlines the list of all PS1 titles that can be exploited. To use Tony Hacks, you simply just need to get the relevant exploited save game and the Tony Hacks loader on a PS1 memory card and boot from that game. Now getting a custom save game on a memory card can be done a few different ways. The first method is to utilize the PlayStation 2 with free MC boot and the save game on a USB stick. You can then simply use the file manager to copy the files to your PS1 memory card. And there's also the new Memory Card Pro, which uses a micro SD card to store large amounts of save data on a single card. These are currently available for pre-order, but would be the perfect solution to utilize Tony Hacks without the need for a PS2. Of course, it's also possible just to buy pre-installed PS1 memory cards with save game exploits, and that's what I expect to see on eBay. But once you have the appropriate save game on your PS1 memory card, you're all set to go. I should also mention that save game exploit discoveries are not new for the Sony PS1. Back in 2018, there were some documented vulnerabilities discovered for original PS1 games, but these were never developed further into a working exploit, most likely because of no motivation. PS1 mod chips are common, as are optical drive emulators these days. But still, Tony Hacks is a very easily accessible entry point for all PlayStation consoles to run backups, without opening the system and performing a mod chip. And it does make you wonder how much of a game changer this would have been back in 1995, and what impact it would have had on the mod chip business back then. But either way, it's fascinating to witness the original PlayStation get exploited in this fashion. So there you go guys, that is Tony Hacks for the Sony PlayStation 1, a really cool and interesting exploit for the original PlayStation. I will leave links to all the different sources that I had quoted in this video in the description below, so check those out if you're interested in performing the soft mod yourself, it's very easy to do. But we are going to leave it here for this episode guys, thank you so much for watching if you liked it, don't forget to leave me a thumbs up, and I'll catch you guys in the next video. Bye for now.