Last month we brought you word of tonyhax, a clever exploit for the original Sony PlayStation that leveraged a buffer overflow in several of the games from the Tony Hawk Pro Skater series to load arbitrary code from a specially prepared memory card. But now [Bradlin] has taken that idea a step further and developed a software exploit for Sony’s iconic console that doesn’t need to be triggered from a game.
The exploit is considerably more complex this time around, but [Bradlin] does an excellent job of breaking it down for those who want the gritty details. The short version is that missing boundary checks in the PlayStation’s built-in memory card handling routines mean a carefully formatted “block” on the memory card can get the console to execute a small 128 byte payload. That’s not a lot of room to work with, but it ends up being just enough to load up additional code stored elsewhere on the memory card and really kick things off.
Unlike tonyhax, which was designed specifically to allow the user to swap their retail Tony Hawk disc with a game burned to a CD-R, [Bradlin]’s FreePSXBoot is presented as more of a generic loader. As of right now, it doesn’t allow you to actually play burned games, although its inevitable that somebody will connect those last few dots soon.
If you want to check out the progress so far, all you need is wire a PlayStation memory card up to an Arduino, write the provided image to it, and stick it in the slot. [Bradlin] says the exploit doesn’t work 100% of the time (something else that will surely be addressed in future releases), but it shouldn’t take too many attempts before you’re greeted with the flashing screen that proves Sony’s 27 year old console has now truly been bested.
I think I called this in the comments to the original tonyhax.
FreeMcBoot was a revolution for PS2 home brew hopefully it has the same effect on PSX.
That and affordable harddisk adapters for the fat ps2 models.
Since the ps2 is more complex, it was a pain in the ass to burn a new disk because of a small bug in code.
But there’s SD card adapter thingies for the psx, granted it requires either models with the parallel port or ditching of the optical mechanism.
PS1 often streams music using Audio CD format. Afaik PlayStation PSIO while developing SD CD emulator ran into a problem with CD audio and in the end resigned from patching bios reading code, opting instead for feeding raw bytestream into original CD asic at normal speed (same as ESP32 based XStation which is nothing more than $4 ESP32 module and some custom connector, everything is done in software). TLDR: it will be impossible to patch PSX bios into reading from other sources than CD ASIC while maintaining game compatibility.
All you have to do to play burned games on ps1 is put something in the hole under the top cover and then you can boot it up with door open put in original playstation game then when boots to first loading screen take out game and swap burned game simple as that been doing it for over a decade.
Thank you, thank you, thank you! There were other ways like the game shark that did nearly the same thing, etc, but this was nearly the easiest way. Besides this is how we all played Thrill Kill which is still an amazing game concept that was destroyed with the Wu-Tang game.
This only works on the very first models, don’t fixed this shortly after it was discovered
I’ve done the disc swap trick on slim psone models without issue.
I just started wondering if you can’t vampire tap the optical read diode and the head stepper for positioning and feed the console anything you like from an SBC or some kind of uC/SDcard combo.
A couple of Optical Drive Emulators exist for the PS1 that do just this
What’s the difference from that and and ODE at that point?
About $100
$5 if you can cobble together ESP32 based XStation and obtain the firmware (might be secured from reading, esp has some secure enclave thing going on)
Having worked with burning raw CD data years ago, I believe this may be more difficult than you expect. We had dedicated hardware filling 4U in a rack to generate the analogue signals at 1x, and it was pretty temperamental. IIRC The timing was a bitch.
I worked on the digital side, and it was many years ago, so I’m not sure how simpler the reading is to writing or how much the relevant technology has improved since then, but I think this is well beyond your average HAD reader.
Things improved to the point ESP32 I2S block is all you need.
I hope this inspire some people to make DIY memory card clones.
Join the #psxdev discord. Someone is working on that
I started my relationship with play station 2 in good graphics gaming!