Comment by jbreckmckye

1 day ago

This is also how the memory card bootloader works.

There is a faulty array iterator in the BIOS code that can copy arbitrary data to locations higher up in the memory map than the base pointer. Normally that wouldn't let you overwrite any executable code because the base pointer is very high up (might be a stack pointer?). But because of the memory aliasing, if you set the right value the write "wraps around" and lets you clobber the BIOS.

This means you can boot a custom BIOS, effectively, by just going into the memory card screen. From there you can execute a PSX.EXE without going through the mechacon checks, bypassing copy protection.

---

I wouldn't mind learning more about the MGS port. Do you remember much about it?

It uses TCL for most of the scripting, IIRC. In fact I think MGS 1-4 use the same lineage of scripting languages.

MGS2 source code was leaked recently, but my guess would be that was a complete rewrite and shared very little from the PSX codebase.