Exploit allowing to load arbitrary code on the PSX (i.e. PlayStation 1) using only a memory card (no game needed).
In other words, it's a softmod which requires a memory card, and a way to write raw data to it.
To use it, you will need a way to copy full memory card images (not individual files) to a memory card. Some possibilities are:
- A PS2 and the software Memory Card Annihilator v2 (use "Restore MC image")
- Memcarduino. Requires soldering wires to the memory card.
- Using a Memcard Pro, which lets you create your own virtual memory cards on an sdcard. Simply drop the card image file you want to use as Memory Card 1, Channel 1.
- Using Unirom and NOTPSXserial with a serial/USB cable, using the command :
nops /fast /mcup 0 FILE.mcd COMPORTwhere
FILEis the mcd file corresponding to your model, and
COMPORTcorresponds to your computer serial port.
- Memcarduino with MemcardRex (success not guaranteed)
- A DexDrive with PSXGameEdit (success not guaranteed)
By flashing FreePSXBoot to your Memory Card, you need to be aware of the following:
The .mcd image files replace the whole contents of your card, meaning that your Memory Card will be ENTIRELY WIPED after flashing a .mcd image, so creating a backup of your saves is compulsory.
Because the exploit has corrupt Memory Card filesystem on purpose for it to run, your card will become unusable for normal operations. That is, you won't be able to use this card for saving and loading game saves and it will cause crashes on your PS1 or your PS2 console (if you have any).
Once installed, it may become difficult to uninstall, as the normal software to re-format a memory card won't work, due to the exploit itself. You could end up with no means to recover the memory card; if for example your installation method was Memory Card Annihilator v2, then it will also crash. Memcarduino, Unirom, or using the Memcard Pro would currently be safe bets.
- Copy the full memory card image corresponding to your model/BIOS to a memory card.
- Insert it in slot 1.
- If you have a SCPH-1002 with BIOS version 2.0: insert another memory card in slot 2 (its content doesn't matter).
- Power up your PlayStation with the lid open, and go to the memory card manager.
- After a few seconds, the screen will be filled with cyan. Wait ~30 seconds for the Unirom welcome screen to appear.
- If the cyan screen doesn't appear, you have either used a wrong memory card image, or the memory card image was not written properly (the mcd file must be written as raw data to the memory card), or something else went wrong. If you are 100% certain that the memory card image was written properly, and that you are using the correct image, please open an issue.
- Once Unirom is loaded, you can insert a CD, close the lid, and press R1 to load the game. Note: Japanese PlayStation cannot have their CD drive unlocked by Unirom, and thus cannot load backups.
- Don't forget to remove your memory card, as its exploit will trigger into games as well. This isn't an issue when using the Memcard Pro, as it will automatically change the virtual card to the game you're booting.
Restoring the memory card
- The most reliable way is to use Memcarduino and its FORMAT option.
- Some games that have a save file manager (shows the contents of the memory card before saving) built into them, like OddWorld: Abe's Oddysee and Cool Boarders 4 (suffers from a caveat that keeps the game from loading the memory card with certain exploit versions) for example, can be used to overwrite FreePSXBoot when saving progress.
- Some tools and games crash when attempting to format a memory card loaded with FreePSXBoot, but may be able to format it by first inserting a normal memory card, and switching it with the FreePSXBoot memory card just before the format operation starts.
- We plan to bundle a complete version of Unirom in the memory card images in the future, with the ability to format memory cards.
- All models are supported and tested on emulator or real hardware, except the debug models (DTL-H) and Net Yaroze.
- As of version 20210419, the exploit is 100% reliable on all supported models. Nevertheless, some exploit images were only tested on emulators and may not work on real hardware; feedback is welcome.
- See the table below for more details and download links.
- 2021-04-22: Added support for BIOS 2.0 (1995-05-07), 4.0 and 4.1 (1997-11-14)
- 2021-04-21: Added support for BIOS 1.1, and fixed BIOS 2.0 exploit (needs icache flush to work)
- 2021-04-21: Progress bar added in stage2 payload (thanks Nicolas Noble)
- 2021-04-20: Added support for BIOS 3.0 1996-09-09 (SCPH-5500) (thanks sickle)
- 2021-04-19: Added support for BIOS 1.0 and 4.3 (SCPH-1000 and SCPH-100 respectively)
- 2021-04-19: Exploit 100% reliable for every supported BIOS; now hooks an ISR (thanks sickle)
- 2021-04-19: Unirom version updated to 8.0.F
- 2021-04-14: Exploit uses fastload, which reads the memory card much faster than Sony's code (thanks Nicolas Noble)
- 2021-04-12: New version of Unirom, able to load games. Huge thanks to the psxdev contributors.
- 2021-04-11: 100% reliable exploit for the SCPH-7002, SCPH-7502 and SCPH-9002.
These images are pre-built with Unirom.
There are different downloads for different BIOS versions. Please download the correct ROM for your BIOS version. If a model or BIOS version is missing, it means it is not supported yet.
As more reliable or faster versions of the exploit are developed, the images are updated. Older versions can be found in the
|BIOS version/date||Models||100% reliable exploit?||Download Link|
|2.0 (1995-05-10)||SCPH-1002||Yes; see note below||20210421|
Note for BIOS 2.0 (SCPH-1002): the memory card containing FreePSXBoot must be inserted in slot 1, and another memory card must be present in slot 2. The memory card in slot 2 can have any content.
See the folder builder for a tool that can be used to generate your own payloads and memory cards.
Memory card images are raw data: your memory card must have the exact same content as the files. Use Memcarduino or something similar; don't use a memory card file manager, as it will try to correct the data we're altering.
If the exploit is successful, you will see the screen flashing orange. Otherwise, power cycle your PSX and try again after a minute or so. It may take a few tries.