Editing PS2 Emulation

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 17: Line 17:
==PS2 emulators workload comparison==
==PS2 emulators workload comparison==
{{PS2 emulators workload comparison}}
{{PS2 emulators workload comparison}}
Note: Apparently ps2_gxemu SPU layout changed at some point (maybe ps2_emu too), and above table is not accurate for latest emu versions.<br>
0-6 layout for ps2_gxemu currently look like this: IOP, SPU2, IPU, VU1, EEDMA, GSGIF, UNK(probably isolation).


==PS2 Emulator Types and Revisions==
==PS2 Emulator Types and Revisions==
Line 135: Line 137:
|}
|}
<span style="font-size:small">
<span style="font-size:small">
{{dot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares the only difference is the build label">every firmware version</abbr><br>
{{widedot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares the only difference is the build label">every firmware version</abbr><br>
{{dot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, with timestamp, search for '''ps2ver:'''<br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, with timestamp, search for '''ps2ver:'''<br>
{{dot}}'''Target Firmware''': no/unknown<br>
{{widedot}}'''Target Firmware''': no/unknown<br>
{{dot}}'''Revision''': unknown
{{widedot}}'''Revision''': unknown
</span>
</span>
</div>
</div>
Line 203: Line 205:
|}
|}
<span style="font-size:small">
<span style="font-size:small">
{{dot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{widedot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{dot}}'''<abbr title="0x20 bytes">Build label</abbr>''': no/unknown<br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': no/unknown<br>
{{dot}}'''Target Firmware''': no/unknown<br>
{{widedot}}'''Target Firmware''': no/unknown<br>
{{dot}}'''Revision''': unknown
{{widedot}}'''Revision''': unknown
</span>
</span>
</div><div style="float:left; width:24%;">
</div><div style="float:left; width:24%;">
Line 259: Line 261:
|}
|}
<span style="font-size:small">
<span style="font-size:small">
{{dot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{widedot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{dot}}'''<abbr title="0x20 bytes">Build label</abbr>''': no/unknown<br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': no/unknown<br>
{{dot}}'''Target Firmware''': no/unknown<br>
{{widedot}}'''Target Firmware''': no/unknown<br>
{{dot}}'''Revision''': unknown
{{widedot}}'''Revision''': unknown
</span>
</span>
</div><div style="float:left; width:24%;">
</div><div style="float:left; width:24%;">
Line 317: Line 319:
|}
|}
<span style="font-size:small">
<span style="font-size:small">
{{dot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{widedot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{dot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, without timestamp, search for '''build r'''<br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, without timestamp, search for '''build r'''<br>
{{dot}}'''Target Firmware''': included in the build label<br>
{{widedot}}'''Target Firmware''': included in the build label<br>
{{dot}}'''Revision''': yes, <abbr title="the location can be seen by comparing 4.23 (value 0x40DC) with 4.25 (value 0x4164) at offset 0x3E4BA in both">'''one''' time</abbr>, and included in the build label
{{widedot}}'''Revision''': yes, <abbr title="the location can be seen by comparing 4.23 (value 0x40DC) with 4.25 (value 0x4164) at offset 0x3E4BA in both">'''one''' time</abbr>, and included in the build label
</span>
</span>
</div>
</div>
Line 421: Line 423:


===LIMG Segment===
===LIMG Segment===
The ISO.BIN.ENC has a block of 0x4000 bytes added at the end codenamed "LIMG" that works as a descriptor for the ISO structure
The ISO.BIN.ENC have a block of 0x4000 bytes added at the end codenamed "LIMG" that works as a descriptor of the ISO structure


{| class="wikitable"
{| class="wikitable"
Line 480: Line 482:


===Video Modes===
===Video Modes===
'''Note:''' Real PS2 : https://web.archive.org/web/20180802152820/http://users.neoscientists.org/~blue/ps2videomodes.txt
'''Note:''' Real PS2 : http://users.neoscientists.org/~blue/ps2videomodes.txt


  Video Modes
  Video Modes
Line 942: Line 944:


===ps2_netemu.self===
===ps2_netemu.self===
Support for USB devices seems to be limited comparing to other available emulators. Although PS2 side of USB subsystem seems to be fully implemented. IOP emulator in SPU handle USB HW registers addresses and generate interrupt for PPU which later handle RW to mentioned registers in similar fashion to ps2_emu/ps2_gxemu. PS2 side of things can be disabled/enabled using one byte, when disabled USB writes are ignored, and USB reads return 0. Initial state is unknown. Emulator seems to accept HID controllers and use them as DS3.
<br/><br/>
Supported devices:
#BD Remote Control
#BD Remote Control
#PLAYSTATION(R)3 Controller (Vendor ID 0x54C, Product ID 0x268),  
#PLAYSTATION(R)3 Controller (Vendor ID 0x54C, Product ID 0x268),  
Line 954: Line 953:
#Vendor ID 0xF0D (Hori), Product ID 0x4A  
#Vendor ID 0xF0D (Hori), Product ID 0x4A  
#Vendor ID 0x54C (Sony), Product ID 0x5AF
#Vendor ID 0x54C (Sony), Product ID 0x5AF
<br/>
Few peripherals not listed above work fine or with issues.
#PS3 Dance Dance Revolution Dance Pad - not ps2 accessory, opposite arrows can't be pressed at the same time.
#Pop'N Music controllers - Require PS2 to USB converter. Wrong button mappings can be fixed by remap in config file.
#Retro-Bit Official SEGA Mega Drive USB 6-Button Controller. Mapped for PS3 already and also works with this emulator. Lacks analogue sticks and shoulder buttons.


==BIOS==
==BIOS==
Line 1,021: Line 1,015:
| ADDDRV || 0x85E960 || 0x3DF60 ||  Adds support for the DVD ROM (rom1:), via ROMDRV. || ELF
| ADDDRV || 0x85E960 || 0x3DF60 ||  Adds support for the DVD ROM (rom1:), via ROMDRV. || ELF
|-
|-
| STDIO || 0x85EDC0 || 0x3D3C0 || Standard I/O library. || ELF
| STDIO || 0x85DDC0 || 0x3D3C0 || Standard I/O library. || ELF
|-
|-
| SIFMAN || 0x85F9B0 || 0x3EFB0 || SIF manager. || ELF
| SIFMAN || 0x85F9B0 || 0x3EFB0 || SIF manager. || ELF
Line 1,051: Line 1,045:
| RDRAM || 0x861A00 || 0x41000  || Provides a RDRAM test for the EE at power-on. This is run from RESET. || BIN
| RDRAM || 0x861A00 || 0x41000  || Provides a RDRAM test for the EE at power-on. This is run from RESET. || BIN
|-
|-
| - || 0x864190 || 0x43A30 ||  || BIN
| EELOADCNF || 0x864750 || 0x43D50 || Contains the IOP boot configuration file for EELOAD. || BIN
|-
| EELOADCNF || 0x864200 || 0x43D50 || Contains the IOP boot configuration file for EELOAD. || BIN
|-
|-
| SIFCMD || 0x864900 || 0x43F00 || SIF command module. Contains the SIF command and SIF RPC functions. || ELF
| SIFCMD || 0x864900 || 0x43F00 || SIF command module. Contains the SIF command and SIF RPC functions. || ELF
Line 1,078: Line 1,070:
|-
|-
| - || 0x87FE20 || 0x5F420 ||  || BIN
| - || 0x87FE20 || 0x5F420 ||  || BIN
|-
| BNNETCNF || 0x881D00 || 0x61300 ||  Network configuration. Used by BB Navigator Network Configuration Library. || BIN
|-
|-
| MCSERV || 0x881D40 || 0x61340 ||  RPC server for MCMAN. || ELF
| MCSERV || 0x881D40 || 0x61340 ||  RPC server for MCMAN. || ELF
Line 1,089: Line 1,079:
| - || 0x8866C0 || 0x65CC0 ||  || BIN
| - || 0x8866C0 || 0x65CC0 ||  || BIN
|-
|-
| KROM || 0x886A30 || 0x66030 || Kanji ROM? Not sure where this is used. || BIN
| KROM || 0x886A00 || 0x66000 || Kanji ROM? Not sure where this is used. || BIN
|-
|-
| - || 0x8A0870 || 0x7FE70 ||  || BIN
| - || 0x8A0870 || 0x7FE70 ||  || BIN
Line 1,194: Line 1,184:
*Notes
*Notes
**List of PS2 disc games compatibles with PS3 HDD installation hardcoded in '''dev_flash/vsh/module/[[game_ext_plugin]].sprx'''
**List of PS2 disc games compatibles with PS3 HDD installation hardcoded in '''dev_flash/vsh/module/[[game_ext_plugin]].sprx'''
**Virtual PS2 HDD support module '''dev_flash/vsh/module/[[libps2hdd]].sprx''' ?
**Virtuall PS2 HDD support module '''dev_flash/vsh/module/[[libps2hdd]].sprx''' ?


===PS2 System Data (PSN HDD Tool package)===
===PS2 System Data (PSN HDD Tool package)===
Line 1,276: Line 1,266:


In PS2 Emulator same Title IDs are present with following information:  
In PS2 Emulator same Title IDs are present with following information:  
  SLPS25200 FINAL FANTASY XI          : 0x00000001
  SLPS25200 FINAL FANTASY XI          : 0x100000000 (4 GB?)
  SCUS97269 FINAL FANTASY XI          : 0x00000003
  SCUS97269 FINAL FANTASY XI          : 0x300000000 (12GB?)
  SLPM65981 Front Mission Online      : 0x00000001
  SLPM65981 Front Mission Online      : 0x100000000 (4 GB?)
  SLPM65197 Nobunagas Ambition Online : 0x00000002 (return different value in IOP SPEED 0x10000004 read (2 instead of default 3) )
  SLPM65197 Nobunagas Ambition Online : 0x200000000 (8 GB?)


==Emulators management from GameOS==
==Emulators management from GameOS==
Line 1,289: Line 1,279:
===ps2_netemu syscalls ===
===ps2_netemu syscalls ===
Vector at 0xC00 address.
Vector at 0xC00 address.
  0x00 -
  0x00 - 0 = exec smth,  
      0 = return ((unk from 0x1C30/0x1C38 << 56) | thread_number << 48 | ctrl_CT1 (in bit 30) | srr1_EE (in bit 15) | srr1_PS (in bit 14) | srr1_DR (in bit 4))
          Where 0x1C30/0x1C38 is selected depending on current HW thread.
          Thread number is current SW thread
          ctrl_CT1 is lower bit of CT (Current Thread) from PPC Control Register (0 for HW0, 1 for HW1)
          srr1_EE is MSR Enable External Interrupts bit from time when exception occurred (from before syscall was executed)
          srr1_PS is MSR Problem State bit from time when exception occurred (from before syscall was executed)
          srr1_DR is MSR Data Relocate bit from time when exception occurred (from before syscall was executed)
       1 = 0x132 lv1 panic
       1 = 0x132 lv1 panic
       2 = 0x133 lv1 panic
       2 = 0x133 lv1 panic
Line 1,302: Line 1,285:
       4 = 0x135 lv1 panic
       4 = 0x135 lv1 panic
       else = 0x136 lv1 panic
       else = 0x136 lv1 panic
  0x02 - Destroy init code and perform illegal instructions check. Memzero following addresses:
   
      CODE: 0x16000 - 0x20B80
  0x03 - Enable additional code related to VU0/COP2
      DATA: 0x930F80 - 0x933F80
      UNK:  0x3D016000 - 0x3D020B80
  0x03 - Enable additional code related to VU0/COP2.
       3 = Patch 0x186C10 to NOP
       3 = Patch 0x186C10 to NOP
       4 = Patch 0x186C40 to NOP
       4 = Patch 0x186C40 to NOP
       anything else = LV1 panic
       anything else = LV1 panic
  0x04 - Unknown. Available for HW0 only.
   
  0x05 - External interrupts disable (48 bit in MSR). Returns previous MSR state.
  0x05 - External interrupt disable (48 bit in MSR)
  0x06 - External interrupts enable (48 bit in MSR) if param & 0x8000 is not 0, otherwise disable them.
  0x06 - External interrupt enable (48 bit in MSR) with param 0x8000, otherwise do nothing.
      This sc is more like restore 48th bit of MSR, but many times emu use it to enable bit without using old state.
  0x0C - exec smth
      Also, emulator panic LV1 if syscall is called while external interrupts are already enabled.
  0x10 - lv1 panic
0x0A - IPU emulation related syscall
0x0B - IPU emulation related syscall
  0x0C - Used in PS2 COP0 MTC0/MFC0 r9/r25 (count/perf), decrementer/timing related, return value in r15.
        Config CMD 0x17 disable that syscall for r9 (count) r/w, and alternative path is used. Perf r/w still use it.
0x0E - PS2 counters/timers related (also used on vsync related functions).
0x0F - PS2 counters/timers related (also used on vsync related functions).
  0x10 - lv1 panic.
0x11 - Wrapper for lv1_read_virtual_uart(port_number, buffer, bytes) [HW0 only, only ports 0 and 2 available, else panic]
0x12 - Wrapper for lv1_storage_send_device_command(dev_id, cmd_id, cmd_block, cmd_size, data_buffer, blocks)
      [HW0 only, Available only for threads: VRC, MECHA, HDD, else panic]
      params are rearranged:
      r3 = cmd_block (0x245E000 is added to this value internally)
      r4 = data_buffer (0x245E000 is added to this value internally)
      r5 = blocks
      dev_id is taken from 0x245D008 and it is 0(HDD) for my dump.
      cmd_id = 0x88 and cmd_size is 8.
0x13 - Set thread info unknown byte to 1 for respective thread and set unknown byte to 1 in USB thread.
      [HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler]
0x14 - Same as 0x13 but set all bits to 0 regardless which thread called it.
      [HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler]
0x1002 - Invalidate gpu hvcalls.
  0x800000XX - HV Syscall where XX is syscall nr.
  0x800000XX - HV Syscall where XX is syscall nr.
  else (other syscalls) - jump to 0x12670 (FW4.78 - current) for HW_0
  else (other syscalls) - jump to 0x12670 (FW4.78 - current) for HW_0
Line 1,470: Line 1,429:
===Config Commands===
===Config Commands===
  ps2_netemu.self fw4.50 sub_12D7D8, fw4.81 sub_12E050
  ps2_netemu.self fw4.50 sub_12D7D8, fw4.81 sub_12E050
params are uint32_t unless noted.


Below is a brief summary table with basic info about available config commands. <br>
At the time of writing this, most of the commands are completely or partially unknown.<br />
Detailed commands description can be found here: '''[[PS2_Emulation/PS2_Config_Commands|PS2 Config Commands]]'''. <br>
If you want to read some speculation and brainstorming about them, please join the {{talk}} page
If you want to read some speculation and brainstorming about them, please join the {{talk}} page. <br>


<div>
<div style="float:top; text-align:center;">'''PS2 Emulators Config Commands Overview'''</div>
<div style="float:left; width:50%;">
<div style="float:right; padding-right:5px;">
{| class="wikitable" style="font-size:85%; line-height:100%; text-align:center"
{| class="wikitable" style="font-size:85%; line-height:100%; text-align:center"
|+PS2 Emulators Config Commands Overview
|-
! rowspan="2" | Command Name !! colspan="3" | Command ID !! rowspan="2" style="padding:1px" | Max<br>Usage !! colspan="4" | Command Data
! rowspan="2" | Command Name !! rowspan="36" style="padding:0px" |  || colspan="3" | Command ID !! rowspan="36" style="padding:0px" |  || rowspan="2" style="padding:1px" | Max<br>Usage !! rowspan="36" style="padding:0px" |  || colspan="4" | Command Data
|-
|-
! style="padding:1px" | gxemu !! style="padding:1px" | softemu !! style="padding:1px" | netemu !! Length !! colspan="3" | Params
! style="padding:1px" | gxemu !! style="padding:1px" | softemu !! style="padding:1px" | netemu !! Length !! colspan="3" | Params
Line 1,489: Line 1,452:
| 0x00 || 0x00 || 0x01
| 0x00 || 0x00 || 0x01
| 3 ? || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 3 ? || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#555|#fff|center}} offset || colspan="2" {{cellcolors|#555|#fff|center}} functionid
| {{cellcolors|#555|#fff|center}} offset || {{cellcolors|#555|#fff|center}} functionid
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x01 || 0x01 || 0x02
| 0x01 || 0x01 || 0x02
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | ?
| colspan="3" | 1000=?<br>3000=?<br>6000=?
|-
|-
! {{cellcolors|#fff|#000}} Skip r5900 CACHE IXIN/IHIN opcodes
! {{cellcolors|#fff|#000}} Switch something
| 0x02 || 0x02 || 0x03
| 0x02 || 0x02 || 0x03
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
Line 1,504: Line 1,467:
| 0x03 || 0x03 || 0x04
| 0x03 || 0x03 || 0x04
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | ?
| colspan="3" | 8=?<br>0x10=?
|-
|-
! {{cellcolors|#bd5|#000}} Alternative VIF1 DIRECT/DIRECTHL handler
! {{cellcolors|#bd5|#000}} Set DIRECT/DIRECTHL VIF1 in SP3 EEDMA
| 0x04 || 0x04 || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x05</abbr>
| 0x04 || 0x04 || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x05</abbr>
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|-
|-
! {{cellcolors|#fff|#000}} Alternative VIF1 OFFSET handler
! {{cellcolors|#fff|#000}} Switch something
| 0x05 || 0x05 || 0x06
| 0x05 || 0x05 || 0x06
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|-
|-
! {{cellcolors|#c96|#000}} Delay VU1 xgkick by X cycles
! {{cellcolors|#c96|#000}} Delay VU xgkick by X cycles
| 0x06 || 0x06 || 0x07
| 0x06 || 0x06 || 0x07
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" {{cellcolors|#c96|#000|center}} <abbr title="2=2cycles, 4=4cycles, 8=8cycles">cycles</abbr>
| colspan="3" {{cellcolors|#c96|#000|center}} <abbr title="2=2cycles, 4=4cycles, 8=8cycles">cycles</abbr>
|-
|-
! {{cellcolors|#c96|#000}} Patch VU1 memory by <abbr title="two bit masks for original and patched data">bitmask</abbr>
! {{cellcolors|#c96|#000}} Patch VU memory by <abbr title="two bit masks for original and patched data">bitmask</abbr>
| 0x07 || 0x07 || 0x08
| 0x07 || 0x07 || 0x08
| 3 || style="text-align:left" | 8&nbsp;*&nbsp;uint32_t
| 3 || style="text-align:left" | 8&nbsp;*&nbsp;uint32_t
| colspan="3" {{cellcolors|#c96|#000|center}} <abbr title="read mask, read mask, original opcode, original opcode, write mask, write mask, replace opcode, replace opcode">MASK</abbr>
| colspan="3" {{cellcolors|#c96|#000|center}} <abbr title="read mask, read mask, original opcode, original opcode, write mask, write mask, replace opcode, replace opcode">MASK</abbr>
|-
|-
! {{cellcolors|#9f9|#000}} Patch EE memory 64 bit
! {{cellcolors|#9f9|#000}} Patch EE memory with 2 opcodes
| 0x08 || 0x08 || 0x09
| 0x08 || 0x08 || 0x09
| <abbr title="command">1</abbr>→<abbr title="list">32</abbr> || style="text-align:left" | uint32_t&nbsp;+&nbsp;LIST
| <abbr title="command">1</abbr>→<abbr title="list">32</abbr> || style="text-align:left" | uint32_t&nbsp;+&nbsp;LIST
| {{cellcolors|#9f9|#000|center}} <abbr title="amount of patches in the LIST">count</abbr> || colspan="2" {{cellcolors|#9f9|#000|center}} <abbr title="offset, original opcode, original opcode, replace opcode, replace opcode">LIST</abbr>
| {{cellcolors|#9f9|#000|center}} <abbr title="amount of patches in the LIST">count</abbr> || colspan="2" {{cellcolors|#9f9|#000|center}} <abbr title="offset, original opcode, original opcode, replace opcode, replace opcode">LIST</abbr>
|-
|-
! {{cellcolors|#9f9|#000}} Patch EE memory 32 bit
! {{cellcolors|#9f9|#000}} Patch EE memory with 1 opcode
| {{NA}} || {{NA}} || 0x0A
| {{NA}} || {{NA}} || 0x0A
| <abbr title="command">1</abbr>→<abbr title="list">32</abbr> || style="text-align:left" | uint32_t&nbsp;+&nbsp;LIST
| <abbr title="command">1</abbr>→<abbr title="list">32</abbr> || style="text-align:left" | uint32_t&nbsp;+&nbsp;LIST
Line 1,544: Line 1,507:
| 0x0A || 0x0A || 0x0C
| 0x0A || 0x0A || 0x0C
| 1 || style="text-align:left" | 2&nbsp;*&nbsp;uint16_t
| 1 || style="text-align:left" | 2&nbsp;*&nbsp;uint16_t
| <abbr title="0=?, 1=?, 2=?">unk_mode</abbr> || colspan="2" | <abbr title="min 0x0, max 0xFFFF">unk_range</abbr>
| 0=?<br>1=?<br>2=? || colspan="2" | 0=?<br>0x180=?<br>0x400=?<br>0x800=?
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x0B || 0x0B || 0x0D
| 0x0B || 0x0B || 0x0D
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | <abbr title="0=skip, 1=don't skip (default)">skip</abbr>
| colspan="3" | 0=?<br>1=?(default?)
|-
|-
! {{cellcolors|#f93|#000}} COP2 and FPU accurate ADD/SUB address
! {{cellcolors|#f93|#000}} COP2 and FPU accurate ADD/SUB address
Line 1,559: Line 1,522:
| 0x0D || 0x0D || 0x0F
| 0x0D || 0x0D || 0x0F
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start&nbsp;offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end&nbsp;offset</abbr>
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr>
|-
|-
! {{cellcolors|#f93|#000}} FPU accurate MUL/DIV range
! {{cellcolors|#f93|#000}} COP2 accurate MUL/DIV range
| 0x0E || 0x0E || 0x10
| 0x0E || 0x0E || 0x10
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start&nbsp;offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end&nbsp;offset</abbr>
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr>
|-
|-
! {{cellcolors|#f93|#000}} VU0 accurate ADD/SUB address
! {{cellcolors|#f93|#000}} VU0 accurate ADD/SUB address
Line 1,571: Line 1,534:
| colspan="3" {{cellcolors|#f93|#000|center}} <abbr title="min 0x000, max 0xFF8">offset</abbr>
| colspan="3" {{cellcolors|#f93|#000|center}} <abbr title="min 0x000, max 0xFF8">offset</abbr>
|-
|-
! {{cellcolors|#588|#fff}} VU0/COP2 multi cmd
! {{cellcolors|#588|#fff}} VU related ?
| 0x10 || 0x10 || 0x12
| 0x10 || 0x10 || 0x12
| <abbr title="command">1</abbr>→<abbr title="list">63</abbr> || style="text-align:left" | uint32_t&nbsp;+&nbsp;LIST
| <abbr title="command">1</abbr>→<abbr title="list">63</abbr> || style="text-align:left" | uint32_t&nbsp;+&nbsp;LIST
Line 1,581: Line 1,544:
| colspan="3" {{cellcolors|#dda|#000|center}} time ?
| colspan="3" {{cellcolors|#dda|#000|center}} time ?
|-
|-
! {{cellcolors|#f93|#000}} Alternative VU1 ADD/SUB
! {{cellcolors|#f93|#000}} VU1 transform ADD/SUB
| 0x12 || 0x12 || 0x14
| 0x12 || 0x12 || 0x14
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|-
|-
! {{cellcolors|#fff|#000}} Patch IOP SPE program
! {{cellcolors|#fff|#000}} Set something with bit flags
| 0x13 || 0x13 || 0x15
| 0x13 || 0x13 || 0x15
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 2 or higher
| colspan="3" | 2=?<br>4=?<br>0x14=?
|-
|-
! {{cellcolors|#fff|#000}} Unknown
! {{cellcolors|#fff|#000}} Unknown
Line 1,596: Line 1,559:
| colspan="3" | ?
| colspan="3" | ?
|-
|-
! {{cellcolors|#9cf|#000}} Alternative COP0 MTC0/MFC0 Count ($9) handler
! {{cellcolors|#9cf|#000}} COP0 configure MTC0/MFC0
| 0x15 || 0x15 || 0x17
| 0x15 || 0x15 || 0x17
| 1 || style="text-align:left" | uint8_t ?
| 1 || style="text-align:left" | uint8_t ?
Line 1,611: Line 1,574:
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|-
|-
! {{cellcolors|#fff|#000}} End fromIPU DMA transfer on BCLR command
! {{cellcolors|#fff|#000}} Switch something
| 0x17 || 0x18 || 0x1A
| 0x17 || 0x18 || 0x1A
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|-
|-
! {{cellcolors|#fff|#000}} IPU IDEC Hack
! {{cellcolors|#fff|#000}} Switch something
| 0x18 || 0x19 || 0x1B
| 0x18 || 0x19 || 0x1B
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
Line 1,634: Line 1,597:
| 0x1B || {{NA}} || 0x1E
| 0x1B || {{NA}} || 0x1E
| 1 || style="text-align:left" | uint8_t
| 1 || style="text-align:left" | uint8_t
| colspan="3" | ?
| colspan="3" | 3=?
|-
|-
! {{cellcolors|#fff|#000}} Enable VIF0 cmds MSXXX/MPG/FLUSHE timings.
! {{cellcolors|#fff|#000}} Set something
| 0x1C || 0x1C || 0x1F
| 0x1C || 0x1C || 0x1F
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | Initial cycles to run
| colspan="3" | 200=?<br>1000=?(default)
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x1D || 0x1D || 0x20
| 0x1D || 0x1D || 0x20
| 1 || style="text-align:left" | uint64_t
| 1 || style="text-align:left" | uint64_t
| colspan="3" | ?
| colspan="3" | 10=?<br>60=?(default)<br>100=?<br>120=?<br>200=?<br>240=?
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x1E || 0x1E || 0x21
| 0x1E || 0x1E || 0x21
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | ?
| colspan="3" | 0=?<br>1=?<br>2=?
|}
</div>
</div>
<div style="float:right; width:50%;">
<div style="float:left; padding-left:5px;">
{| class="wikitable" style="font-size:85%; line-height:100%; text-align:center"
|-
! rowspan="2" | Command Name !! rowspan="39" style="padding:0px" |  || colspan="3" | Command ID !! rowspan="39" style="padding:0px" |  || rowspan="2" style="padding:1px" | Max<br>Usage !! rowspan="39" style="padding:0px" |  || colspan="4" | Command Data
|-
! style="padding:1px" | gxemu !! style="padding:1px" | softemu !! style="padding:1px" | netemu !! Length !! colspan="3" | Params
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
Line 1,656: Line 1,629:
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|-
|-
! {{cellcolors|#fff|#000}} Snowblind Engine hack
! {{cellcolors|#fff|#000}} Switch something
| 0x1F || 0x20 || 0x23
| 0x1F || 0x20 || 0x23
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|-
|-
! {{cellcolors|#ddf|#000}} SIO2 Delay
! {{cellcolors|#ddf|#000}} Internal image aspect ratio ?
| 0x20 || 0x21 || 0x24
| 0x20 || 0x21 || 0x24
| 1 || style="text-align:left" | uint64_t
| 1 || style="text-align:left" | uint64_t
| colspan="3" | ?
| colspan="3" | 12000=?<br>48000=?
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
Line 1,674: Line 1,647:
| 0x22 || 0x23 || 0x26
| 0x22 || 0x23 || 0x26
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start&nbsp;offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end&nbsp;offset</abbr>
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr>
|-
|-
! {{cellcolors|#f93|#000}} COP2 accurate ADD/SUB range
! {{cellcolors|#f93|#000}} COP2 accurate ADD/SUB range
| 0x23 || 0x24 || 0x27
| 0x23 || 0x24 || 0x27
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start&nbsp;offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end&nbsp;offset</abbr>
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr>
|-
|-
! {{cellcolors|#aaf|#000}} Set something <abbr title="PS2 MECHACON related">(CDVD)</abbr>
! {{cellcolors|#aaf|#000}} Set something <abbr title="PS2 MECHACON related">(CDVD)</abbr>
| 0x24 || 0x25? || 0x28
| 0x24? || 0x25? || 0x28
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | ?
| colspan="3" | 0=?<br>1=?<br>2=?<br>3=?
|-
|-
! {{cellcolors|#aaf|#000}} CDVD seek timing
! {{cellcolors|#aaf|#000}} CDVD read/seek timings ?
| 0x25 || 0x26? || 0x29
| 0x25? || 0x26? || 0x29
| 1 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 1 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| ? || colspan="2" | ?
| ? || colspan="2" | ?
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
| 0x26 || 0x27 || 0x2A
| 0x26? || 0x27 || 0x2A
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|-
|-
! {{cellcolors|#aaf|#000}} Enable CDDA hack <abbr title="PS2 MECHACON related">(CDVD)</abbr>
! {{cellcolors|#aaf|#000}} Switch something <abbr title="PS2 MECHACON related">(CDVD)</abbr>
| 0x27? || 0x28 || 0x2B
| 0x27? || 0x28 || 0x2B
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
Line 1,704: Line 1,677:
| 0x28 || 0x29 || 0x2C
| 0x28 || 0x29 || 0x2C
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | ?
| colspan="3" | 1=?
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
Line 1,714: Line 1,687:
| 0x2A || 0x2B || 0x2E
| 0x2A || 0x2B || 0x2E
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | ?
| colspan="3" | 0x172=?
|-
|-
! {{cellcolors|#fff|#000}} SPU2 multi cmd.
! {{cellcolors|#fff|#000}} Set something
| 0x2B || {{NA}} || 0x2F
| 0x2B || {{NA}} || 0x2F
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | ?
| colspan="3" | 1=?
|-
|-
! {{cellcolors|#eee|#b44|left}} Reserved
! {{cellcolors|#eee|#b44|left}} Reserved
Line 1,769: Line 1,742:
| {{NA}} || {{NA}} || 0x43
| {{NA}} || {{NA}} || 0x43
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | ?
| colspan="3" | 0=?(default)<br>1=?
|-
|-
! {{cellcolors|#fcc|#000}} Disable smoothing filter
! {{cellcolors|#fcc|#000}} Disable smoothing filter
Line 1,836: Line 1,809:
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|}
|}
 
</div>
===Config file examples (for netemu)===
</div>
 
</div>
====Official PS2 Classic====
<br style="clear: both;" />
See: [[PS2 Official Configs]]
 
 
 
====Official GXEMU/SOFTEMU extracted====
<!-- We need to find a better way to organize the commands info below, right now all the info is "constricted" inside the same table but is better to take them out of the table to have more freedon when adding comments, etc... Are a lot so by now i prefer to dont make page sections for every command. Im going to try something that visually looks like page sections but are not (so are not going to be displayed in the TOC at top of the page). With this change we are moving forward because the command info is not going to be inside the same table anymore, im going to split them but the visual look and other details are not going to be definitive because later can be converted into page sections if someone insists in it -->
See: [[PS2 Official Configs]]
 
 
 
==== Custom Configs ====
{{Boxcomm|id=0x00|name=Title ID Enforce|data=1x String in format: ABCD-12345}}
See: [[PS2 Custom Configs]]
Restricts the CONFIG to be used only by a specific [[Template:TITLE_ID_for_Physical_Media|Title ID]]<br>
 
The presence of this command in the CONFIG is optional. If present it needs to be located always at the last position in the CONFIG
===Config data examples (hardcoded)===
 
====Inside ps2_emu.self====
{{Boxcomm|id=0x01|name=EE_ADD_HOOK|data=2x uint32_t Params (addr, func_id 0-0x3B)}}
Embedded patches are based on Checksum/Hash of title. ps2_emu is only emulator version where patches are described inside self file in ascii. Known patch types described in ascii are: Patch data, new SPU2 params, and Setting mecha HACK to show GODZCD as GODZCDDA.
Most of the hooks availables in netemu command 0x01 are fixes for a specific game, or a game engine<br>
 
The Maximum Amount of times netemu command 0x01 can be used consecutivelly in the same config is 255. This is actually limit for EE hooks at all, 0x01 don't have own limit.
{| class="wikitable sortable"
 
! PS2 Title !! Hash !! Game !! Patch Type !! Data
<div style="overflow-x:auto">
|-
{| class="wikitable" style="width:100%; font-size:0.9em; line-height:90%"
| SCUS_971.46|| 0x6B1ADE00D||Disney's Treasure Planet || Patch data - Fixes black screen at start, it apply to STREAM_D.IRX file in IOP folder. || 0x147C (sector) , 0x580 (offset) (- 0xC on disc)  
|-
  Replace opcodes
!Function ID!! Notes
  00 01 01 3C lui at,0x0100
|-
  80 BF 03 3C lui v1,0xBF80
|0x00|| FIFA 2000 use it as hook for EE kernel at 0x800017E8 (DMAC related). Command backup value from r5900 s0 register.
  C8 10 63 8C lw v1,0x10C8(v1)
|-
  24 18 61 00 and v1,at
|0x01|| FIFA 2000 use it as hook for EE kernel at 0x80001858 (DMAC related). Command restore previously backed up value to r5900 s0 register.
  FB FF 61 10 beq v1,at, -0x10
|-
  00 00 00 00 nop
|0x02||
   
Max Payne
  Original opcodes
Write 0 to D_ENABLEW in SPE 3 (EEDMA). D_ENABLER is NOT updated on PPE side.
  FF FF 01 24 li at,-0x1
|-
  04 00 61 14 bne at,v1, +0x14
|0x03||
Max Payne
Write 0xFFFFFFFF (0x10000, other bits are ignored anyway) to D_ENABLEW in SPE 3 (EEDMA). D_ENABLER is NOT updated on PPE side.
|-
|0x04|| Castle Shikigami II
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes. Same as 0x03 command, but applied of selected ee offset.
This is probably command from times when 0x03 was non existing, and while it apply on selected ee offset, command never recover default IXIN/IHIN handling.
Note: There is leftover in emulator from command that reenable default behavior, but is unused now, and is not accessible by current config commands.
|-
|0x05|| Force events test if D2_CHCR & 0x100 is true (if GIF dma is running). For more info check _cpuEventTest_Shared from pcsx2. Star Wars games developed by Pandemic Studios (freeze fix), Worms 3D and NBA 08.
|-
|0x06|| Force events test if D1_CHCR & 0x100 is true (if VIF1 dma is running). For more info check _cpuEventTest_Shared from pcsx2.
|-
|0x07||
|-
|0x08|| Backup current unmodified COP0 status register state. Then disable EI bit, and notify emu that cmd 0x09 could be run. Harry Potter - Quidditch World Cup US use it at offset 0x2BD45C (EE)
|-
|0x09|| Restore COP0 status register state from previously created backup. Harry Potter - Quidditch World Cup US use it at offset 0x2BD620 (EE)
|-
|0x0A|| Fix for TriAce executable unpack function.
Games unpack data using VU0 microruntime (not COP2). Because unpack involve floating points operations result can be inaccurate. And it is,
exactly by 1 byte. Config add 1 to result of unpacked data. This can be confirmed also on pcsx2 with turned off TriAce hack, example for Radiata Stories US release.
Set breakpoint on 0x124D90, and then when it's hit, add 1 to lower 64 bits of vf03 reg (in vu0f tab) and hit run.
Game now work as it should. On PS3 this probably can be fixed also by 0x11 command, but since they had hook already done before 0x11 was a thing, it stayed as is.
|-
|0x0B|| Set lower 64 bits of mips $at register to 0
|-
|0x0C|| Piglet's Big Game
|-
|0x0D|| usleep(100)
|-
|0x0E|| Used 3 times in Need for Speed - Carbon [Collector's Edition] US.
Used in place where game load code overlays, and in place where game self modify code.
Config run the same function which is run when PS2 syscall 7 (ExecPS2) hook is triggered (0x1831A8 in latest emu memory).
Only difference is that 0x42 overlay is not reloaded, and check for "cdrom0" string is not performed.
Command could be potentially useful for games that like to change own code. Eg. Load "bin" files with code (HSG/HST), or modify own code by direct writes to memory (NFS Carbon CE...)
|-
|0x0F||
Grand Theft Auto 3 (SLUS-20062)
using 0x348B40, 0x18E1F0, 0x348EC8 ( + 200000000 base )
0x348B40 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x348EC8 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
|-
|0x10||
Grand Theft Auto 3 (SLES-50330), uses 0x349790, 0x10 (somewhat floats related)
using 0x349790, 0x18E1F0, 0x349B18 ( + 200000000 base )
0x349790 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x349B18 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
|-
|0x11||
Grand Theft Auto 3 (SLES-50793)
using 0x3495C0, 0x18E1F0, 0x349948 ( + 200000000 base )
0x3495C0 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x349948 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
|-
|0x12|| Disney/Pixar Finding Nemo (fixes the pause menu freeze)
if COP0 status EI and EXL bits are 0, and other condition related to DMAC is met...
store 0 in [ 0x204FC500 + 200000000 base] 0x4FC500 EE memory, and set lower 64 bits of mips $s0 register to 0.
|-
|0x13|| Snowblind Engine specific fix. Applies to the beginning of function called initLump. Config is responsible for grabbing data from one of registers for use in 0x14/0x15 hooks. Mentioned data is EE memory offset, if data from 0x13 is 0, 0x14/0x15 don't apply. 
|-
|0x14|| Snowblind Engine specific fix. Applies to the end of function called initLump. Used in the older version of Snowblind Engine (Dark Alliance duology, The Bard's Tale, Fallout).
|-
|0x15|| Snowblind Engine specific fix. Applies to the end of function called initLump. Used in the newer version of Snowblind Engine (Champions duology, Justice League Heroes, Combat Elite).
|-
|0x16|| Champions of Norrath (SLUS-20565)
store 0x01114BA8 in [ 0x208EAB4C + 200000000 base]
store 0x010C9E40 in [ 0x208EAB6C + 200000000 base]
|-
|0x17||
condition r18 == 0x8000
setting:
  stores 0x40490FDA somewhere
Note: 0x40490FDA (3.14159250) is the highest float approximation to π in hexadecimal without going over the value.<br />
Probably can improve FPU accuracy for some games.
|-
|0x18|| Okami PAL specific hook.
Check if opcode at 0x183F04 of EE memory is jal 0x183CB0 (0x0C060F2C). This is used to run additional hook patcher only 1 time.
Later it will be nop here. so it means that new hooks are already applied. So function will just return early.
if opcode at 0x183F04 is still jal 0x183CB0 (0x0C060F2C),
then patch addresses 0x183F04 (jal 0x183CB0), 0x183F34 (jal 0x183CB0), 0x183F3C (jal 0x183D18) to nop.
Finally adds 3 additional EE hooks. Emu addresses for ps2_netemu 4.70+
EE address | EMU address
0x183F0C  | sub_46334
0x183F3C  | sub_45DA4
0x183D74  | sub_47B50
First hook is responsible for grabbing EE addresses from one of EE gpr register. Second hook perform few checks from data in EE gpr registers, and
eventually store data from EE gpr registers on previously grabbed addresses. Hook 3 store one of previosly grabbed EE address on unknown part of memory.
Whole thing looks like HLE version of noped functions.
|-
|0x19|| Set lower 64 bits of mips $a1 register to unknown value (value is grabbed dynamically from recompiled code)
|-
|0x1A||
store 0 in [ 0x209FD560 + 200000000 base]
store 0 in [ 0x209F9550 + 200000000 base]
store 0 in [ 0x20A01570 + 200000000 base]
store 0 in [ 0x209F9540 + 200000000 base]
store 0 in [ 0x209F5540 + 200000000 base]
store 0 in [ 0x209F1530 + 200000000 base]
|-
|0x1B||
store 0 in [ 0x20552168 + 200000000 base]
|-
|0x1C||
store 1 in [ 0x20552168 + 200000000 base]
|-
|0x1D||
store 0 in [ 0x20556C08 + 200000000 base]
|-
|0x1E||
store 1 in [ 0x20556C08 + 200000000 base]
|-
|0x1F||
store 0 in [ 0x205243D8 + 200000000 base]
|-
|0x20||
store 1 in [ 0x205243D8 + 200000000 base]
|-
|0x21||
store 0 in [ 0x20524F88 + 200000000 base]
|-
|0x22||
store 1 in [ 0x20524F88 + 200000000 base]
|-
|0x23||
store 0 in [ 0x2047E7F8 + 200000000 base]
|-
|0x24||
store 1 in [ 0x2047E7F8 + 200000000 base]
|-
|0x25||
store 0 in [ 0x204802B8 + 200000000 base]
|-
|0x26||
store 1 in [ 0x204802B8 + 200000000 base]
|-
|0x27||
store 0 in [ 0x20586348 + 200000000 base]
|-
|0x28||
store 1 in [ 0x20586348 + 200000000 base]
|-
|0x29||
store 0 in [ 0x205868A8 + 200000000 base]
|-
|0x2A||
store 1 in [ 0x205868A8 + 200000000 base]
|-
|0x2B||
|-
|0x2C|| Shin Onimusha - Dawn of Dreams Fix ingame IPU runtime - JPN/US release [https://github.com/PCSX2/pcsx2/issues/1141 bug]
|-
|0x2D|| Shin Onimusha - Dawn of Dreams Fix ingame IPU runtime - PAL release [https://github.com/PCSX2/pcsx2/issues/1141 bug]
|-
|0x2E|| Shin Onimusha - Dawn of Dreams Fix ingame IPU runtime - Unk release (SCKA-20086? SLPM-66275? Why it is unused? Why non PS2 Best JPN release is missing hook?)
|-
|0x2F||
if value at EE Mem 0x37B0C4 == 0, set mips pc register (program counter) to 0x100B98
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|0x30||
if value at EE Mem 0x37B704 == 0, set mips pc register (program counter) to 0x100B98
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|0x31||
if value at EE Mem 0x37630C == 0, set mips pc register (program counter) to 0x100BA8
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|0x32||
if value at EE Mem 0x37BB0C == 0, set mips pc register (program counter) to 0x100BA8.
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|0x33||
|-
|0x34|| not filled
|-
|0x35|| Ninkyouden: Toseinin Ichidaiki
|-
|0x36||
|-
|0x37||
|-
|0x38||
|-
|0x39|| Used silently in command 0x4B with first param from 0x4B as hook address.
|-
|0x3A|| Used silently in command 0x4C with first param from 0x4C as hook address.
|-
|0x3B|| Grand Theft Auto 3 (JP/AS) ? using 0x351210, 0x18F590, 0x351568 ( + 200000000 base )
|}
</div>
 
{{Boxcomm|id=0x02|name=Unknown|data=1x int32}}
Used in function that handle D6 CHCR writes (SIF1), seems to be some kind of timing command for EE --> IOP DMA.
*Valid values found:
**1000d
**3000d
**6000d
 
{{Boxcomm|id=0x03|name=Unknown|data=N/A}}
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.
 
{{Boxcomm|id=0x04|name=Unknown|data=1x uint32_t index (i*0x80, special 0x12345: 0x91a280?)}}
Patch SPE 3 program (eedma) by searching for ila r4, xxxxx, starting at 0x178A0 and replacing them with (0x42000004 | ((value << 7) & 0x1FFFF80)
0x42000004 is ila r4 opcode. Due to opcode encoding example result of that patch with value 0x08 will be 0x42000404 (ila r4, 0x08). There is little bit more than that, but main purpose is just to patch SPE program behavior.
*Valid values found:
**0x08
**0x10
 
{{Boxcomm|id=0x05|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x06|name=Unknown|data=N/A}}
Change VIF1 command 02h OFFSET behavior by patching pointer to function which process it to different previously unused function.
 
{{Boxcomm|id=0x07|name=Delay VU xgkick by X cycles|data=1x uint32_t}}
Default 1
 
{{Boxcomm|id=0x08|name=Patch VU memory by mask |data=8x uint32_t (read mask,read mask, original opcode, original opcode, write mask, write mask, replace opcode, replace opcode)}}
Maximum Amount of Usage: 3 times
{{Boxcomm|id=0x09|name=EE_INSN_REPLACE64|data=uint32_t count, <list> (offset, original opcode, original opcode, replace opcode, replace opcode)}}
Maximum List Count: 32
*Valid values found
**1 [Dark Cloud] and [Dead Or Alive 2 Hardcore]
 
{{Boxcomm|id=0x0A|name=EE_INSN_REPLACE32|data=uint32_t count, <List> (offset, original opcode, replace opcode)}}
Command present only in the ps2_netemu. Maximum List Count: 32
*Valid values found
**1 [Deadly Strike]
**2 [Dragon Force]
 
{{Boxcomm|id=0x0B|name=MECHA_SET_PATCH|data=1x uint32_t count, <List> {sector id, offset, sizeof present opcodes, replace opcodes, original opcodes)}}
Offset on the disc = sector id * sector size + offset + correction [see below]<br>
Offset correction is based on selected read mode (not on media type):<br><br>
CDRead requested block size (CD disc):
*2048 = Offset + 0x18 (skip 12 sync bytes, 4 of header, and 8 of subheader)
*2328 = Offset + 0x18 (skip 12 sync bytes, 4 of header, and 8 of subheader)
*2340 = Offset + 0x0C (skip only 12 bytes of sync data)
 
DVDRead requested block size (DVD Disc):
*2064 = Offset match, but only until the 349th sector. Otherwise is offset - 0x0C because that read mode see data as ID DATA (4) + ID DATA EDC (2) + Reserved bytes (6) + 2048 data + EDC (4).
 
"Offset + XX" for CD assume that you use Isobuster RAW mode. "Offset - XX" for DVD assume that you use Isobuster NON RAW mode<br>
Special case is DVD read on very low sector, here you need to use exact offset without substrating 0x0C. Highest confirmed sector that don't use correction for now is 349.
  [Dead Or Alive 2 Hardcore] uses 7
  [Gradius V] uses 1
  [Grand Theft Auto III] uses 1
  [Katamari Damacy] uses 1
  [Manhunt] uses 1
  [Odin Sphere] uses 2
  [Primal] uses 1
  [Psychonauts] uses 1
  [Syphon Filter The Omega Strain] uses 1
Maximum List Count: 47
 
{{Boxcomm|id=0x0C|name=Unknown|data=1x (uint16_t, uint16_t)}}
0/1/2,<0x63>
 
{{Boxcomm|id=0x0D|name=Unknown|data=1x int32}}
True/false. Default = 1
0 = Skip some IOP related code responsible for check value from IOP SPE LS 0x2C0C0 (and skip panic if value is 0 or -1).
Also skip write of value 0x80000000 to SPU Signal Notification 1 Register of IOP SPE.
 
{{Boxcomm|id=0x0E|name=Improves ADD/SUB accuracy|data=1x int32}}
1 Param offset --- Improves ADD/SUB FPU/COP2 accuracy for selected offset. Work with opcodes from commands 0x26/0x27. Basically command like 0x0F just per offset, no per range.
  [Rygar] only has 0x147DA8 sub.s  $f12, $f20, $f12
Used in official configs: SCUS97501=0x3C458C, SCES53642=0x3C4854, SLUS21026=0x386864, SLUS20916=0x121F64, SLUS20437=0x11EDF0
Maximum Amount of Usage: 32 times
 
{{Boxcomm|id=0x0F|name=More accurate ADD/SUB memory range|data=List <uint32_t Param, uint32_t Param>}}
More accurate memory range. This command is combined 0x26, and 0x27 command.
  [Dark Cloud] uses 0x239334, 0x1FFFFFF
  [Grand Theft Auto SA] uses 0x1E46DC, 0x1E4AE8
Maximum Amount of Usage: 32 (if there is no additional 0x26/0x27 command)
 
{{Boxcomm|id=0x10|name=MULDIV Accurate range|data=List <uint32_t Param, uint32_t Param>}}
More accurate MUL/DIV handling on selected memory range for selected FPU opcodes. Effectively work only with:
MUL.s, DIV.s, MULA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s.
For ADD/SUB opcodes, command is active only on Multiply stage.
Maximum List Count: 32
 
{{Boxcomm|id=0x11|name=VU0 Accurate ADD/SUB|data=1x uint32_t Param}}
Param is VU0 (MICROPROGRAM) memory offset, correct param is in range of 0x000 to 0xFF8.
Lower pipeline fetch opcode from address, Upper from address + 4. So correct address for config needs to be 8 bytes aligned.
Used in official configs: SLUS21172=0x208, SLUS20878=0x140,0x368,0x570
Maximum Amount of Usage: 32 times
 
{{Boxcomm|id=0x12|name=Unknown|data=<List> (uint32_t count,}}
VU0/COP2 related multicommand.
First 8 bytes of that command are special flags. Not quite sure about bytes 5-8 yet,
because at some point they are used to "andc" with first 4 bytes.
Some examples for first 4 bytes:
0x100000  = Different code path for VU0 opcodes that do ADD/SUB with multiply (MSUB, MADDA, etc.).
0x200000  = Run some additional code in VU0 load/store opcodes (ILW, LQI, ISWR, etc.)
0x400000  = Skip emu syscall 3 (3)
0x800000  = Skip emu syscall 3 (4)
0x4000000  = Enable type 2 config from cmd 0x12.
0x8000000  = Accurate VU0 DIV opcode
0x30000000 = Different code path for VU0 MUL opcodes, include opcodes like MSUB for mul part. So 0x30100000 work for mul, and sub part.
0x10000000 and 0x20000000 also work for that purpose, emu just check for any active bits after applying 0x30000000 mask.
Keep in mind that you still need to use at least 8 bytes for cmd 0x12, just use 00 for bytes 5,6,7,8.
Later bits are dependent on which subcommand we want to run.
 
  [Primal] uses 0xD of type 2/3 subcommand (minus 0x2 for flags)
  [Rayman Arena] uses 0x11 of type 2/3 subcommand (minus 0x2 for flags)
  [Syphon Filter: The Omega Strain] uses 0x5 of type 1 subcommand (minus 0x2 for flags)
Maximum List Count: 63
 
{{Boxcomm|id=0x13|name=Memory card timing related delay|data=1x uint64_t Param}}
0x9bdc  (39900)  - Used by "Phantasy Star Universe" (official config for SLPM-66031), "WRC II Extreme", and "Burnout Dominator"
0xf960  (63840)  - Used by "Jak X: Combat Racing" (official config for SCUS-97429), and "Netsu Chu! Pro Yakyuu 2004"
0x1d394 (119700) - Used by "Jissen Pachi-Slot Hisshouhou! Kemono-Oh" (official config for SLPS-20131)
 
{{Boxcomm|id=0x14|name=VU1 transform ADD/SUB|data=N/A}}
When enabled ADD/SUB VU1 opcodes are processed differently on recompiling/translation stage. Seems to be very specific hack, most likely not usable outside of THPS 4+ engine games. <br>
Note: This setting affects only VU1, and only ADD/SUB. All other opcodes like ADDi,ADDq, MSUB, ADDbc, are not affected.
 
{{Boxcomm|id=0x15|name=Unknown|data=1 Param ( <1, >1 )}}
Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A2C0 - 0x3A6C0 and patch first branch that match to "bi r127". That weird approach was probably used because spe program differ little bit between emu versions, so they don't need to update command on every new emu revision. Currently (4.75+) this command patch branch at address 0x3A3A4 (bra sub_2E600). This command takes partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior.
[Aeon Flux] uses 2 (gxemu config)
[Bloodrayne 2] uses 4
[GRIMgRiMoiRe] uses 4
[Mana Khemia 2] uses 4
[Odin Sphere] uses 4
[SMT Persona 3 FES] uses 4
[Parappa the Rapper 2] uses 0x14 (softemu config) or 0x4 (gxemu config)
{{Boxcomm|id=0x16|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x17|name=COP0 configure MTC0/MFC0|data=1x int32 ?}}
True/false. Default 0.
<br>Command change behavior of MTC0/MFC0 operation of COP0 Count ($9) register. When enabled time base register is used as a base for calculation, when disabled decrementer register is used as a base for calculations (using emu syscall 12).
[Bully] uses 1
 
{{Boxcomm|id=0x18|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x19|name=Force analog controller mode|data=N/A}}
Skips check for analog/digital controller mode and returns forced analog mode
[Grand Theft Auto III]
[Grandia II]
[Red Faction 2]
[Siren]
 
{{Boxcomm|id=0x1A|name=Unknown|data=N/A}}
IPU hack to end fromIPU DMA transfer on BCLR command (store 0 on D3_QWC and D3_CHCR.STR). Not stopping that transfer is actually correct behavior..
 
{{Boxcomm|id=0x1B|name=Unknown|data=N/A}}
When IDEC command don't finish, probably due to bad timings. Hack clear D3_CHCR.STR bit when there is still QW left in D3_QWC reg , and IDEC finished already.
[Mana Khemia 2]
 
{{Boxcomm|id=0x1C|name=Emulate Multitap|data=read uint32_t (use uint8_t)}}
Enables/disables Multitap emulation. Default 3
0 = disable multitap emulation
1 = enable multitap in controller port 1 (when needed)
2 = enable multitap in controller port 2 (when needed)
3 = enable multitaps in both controller ports (when needed)
  [Medal of Honor: European Assault] uses 1
  [Twisted Metal: Black] uses 1
 
 
{{Boxcomm|id=0x1D|name=Set Multitap|data=read uint32_t (use uint8_t)}}
Sets multitap to specific controller ports and adjusts the order of ports to which controllers are synced. Default 0?
0 = no multitap set (only when needed)
    Controller sync order: 1/1-A, 2/2-A, 1-B, 2-B...
1 = sets multitap in controller port 1 at all times
    Controller sync order: 1/1-A, 1-B, 1-C, 1-D...
2 = sets multitap in controller port 2 at all times
    Controller sync order: 1/1-A, 2/2-A, 2-B, 2-C...
3 = sets multitaps in both controller ports at all times
    Controller sync order: same as 0
  [Medal of Honor: European Assault] uses 1
  [Twisted Metal: Black] uses 1
  [Mystic Heroes] uses 2 (game does not detect multitap in controller port 1)
  [Sonic Riders] uses 2 (GX config, game may not detect multitap in controller port 1)
 
{{Boxcomm|id=0x1E|name=Multitap related|data=read uint32_t (use uint8_t)}}
[FIFA 2001] uses 3 (settings for both multitaps?)
 
{{Boxcomm|id=0x1F|name=Unknown|data=1x uint32_t}}
Default 1
Config value is added to another value, and stored later in negmem. For sure this is VIF0 related command, and can be VIF0 timing/cycle related.
 
{{Boxcomm|id=0x20|name=Unknown|data=1x uint64_t}}
Default 0x3C
Config value is used as multiplier for some value, and result is used in vsync related runtimes.
Is worth to note that 0x3C is default multiplier even for PAL titles, so is not stricly related to framerate,
but to vsync counters (where 0x3C is still wrong anyway..). Result of multiply is also compared at some point to vsync delay value.
 
{{Boxcomm|id=0x21|name=Unknown|data=1x uint32_t}}
Option one default value = 1, when set to 0: r5900 CACHE opcode IXLTG store 0 in COP0 TagLo register. Additionally CACHE IXIN/IHIN opcodes use different code path.
More than that one of recompiler functions is skipped at all, and another one choose alternative code path.
Option two default value = 0, when set to 1: One of emulator r5900 recompiler functions select different code path, also skipping one of checks for option
one since it's placed in the same function that use option two.
0 = sets an option one from 1 to 0 and option two to 0
1 = sets an option one from 1 to 0 and option two to 1
2 = sets an option one from 1 to 1 and option two to 0
  [Fatal Frame II] uses 0
  [Grand Theft Auto Vice City] uses 1
  [Grand Theft Auto III (EU)] uses 1
  [SMT Persona 3 FES] uses 0
 
{{Boxcomm|id=0x22|name=Unknown|data=N/A}}
Sets something 1
 
{{Boxcomm|id=0x23|name=Unknown|data=N/A}}
Copy VIF1 command 01h STCYCL handler struct into unused 08h slot (slots are 100 bytes per command, include pointer to function that handle command, and other data). Then patch slot 08h function pointers to function at 0x14E00. 08h is normally unused, and handled as a NOP. This command is useful only with additional 0x01 (0x13-0x15) hooks, which inject 08h VIF1 command into game code when other conditions are met.
 
{{Boxcomm|id=0x24|name=Unknown|data=1x uint64_t}}
SIO2 related
{{Boxcomm|id=0x25|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x26|name=FPU Accurate ADD/SUB range|data=List <uint32_t Param,uint32_t Param>}}
Improves FPU accuracy for selected memory range. Efective only on:
ADD.s, SUB.s, ADDA.s, SUBA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s
For M(UL) opcodes, command is active only on ADD/SUB stage.
  [Bloodrayne 2] uses 0x340000, 0x350000
  [Gradius V] uses 0x3046E0, 0x0x305E44
Maximum Amount of Usage: 32 (if there is no additional 0x0F command)
 
{{Boxcomm|id=0x27|name=VU0 macromode accurate range|data=List <uint32_t Param,uint32_t Param>}}
Improves COP2 operations accuracy for selected memory range. Effective only for opcodes:
VSUBAxyzw, VSUBAq, VSUBAi, VSUBA, VSUBxyzw, VSUBq, VSUBi, VSUB, VMSUBAxyzw,
VMSUBAq, VMSUBAi, VMSUBA, VMSUBxyzw, VMSUBq, VMSUBi, VMSUB, VMADDAxyzw,
VMADDAq, VMADDAi, VMADDA, VMADDxyzw, VMADDq, VMADDi, VMADD, VADDAxyzw,
VADDAq, VADDAi, VADDA, VADDxyzw, VADDq, VADDi, VADD
Maximum Amount of Usage: 32 (if there is no additional 0x0F command)
Seems to affect only ADD/SUB part of opcode.
 
{{Boxcomm|id=0x28|name=Unknown|data=1x uint32_t}}
<=3
 
{{Boxcomm|id=0x29|name=Unknown|data=2x uint32_t}}
Seek/read time? Maybe seek/read delay? Full/fast seek? Default value is 0x1F40, 0xBB80 (8000, 48000)
 
{{Boxcomm|id=0x2A|name=Unknown|data=N/A}}
Sets something 1.
All-Star Baseball 2004
 
{{Boxcomm|id=0x2B|name=Unknown|data=N/A}}
When enabled emulated register 0x1F40200F (disc type) is set to 0x13 (PS2CDDA) when media type detected by emu is 0x12 (PS2CD), confirmed in emu code/assembly. Ps2_emu do same thing in "Setting mecha HACK to show GODZCD as GODZCDDA", but due to real media support this is done in little bit different way (but still, 1F40200F is set to 0x13). During testing Dance Factory game, still no tracks are detected regardless of the command. Could be a netemu or Cobra issue (single, mixed mode .bin/.cue loaded).
Dance Factory
 
{{Boxcomm|id=0x2C|name=Unknown|data=1x uint32_t}}
Store (value | value << 32 | value << 64 | value << 96) on 0x2B4F0 of SPE 0 (IOP) LS.
In summoner config it will be 0x00000001000000010000000100000001 stored at 0x2B4F0.
Value is later used in clgt compare as rb register. Default seems to be 0x00000020000000200000002000000020.
Summoner uses 0x1
 
{{Boxcomm|id=0x2D|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x2E|name=Unknown|data=1x uint32_t}}
 
{{Boxcomm|id=0x2F|name=Unknown|data=1x uint32_t}}
Store value on 0x2E784 in SPE 1 (PS2 SPU2) LS. Used values are 1, and 2 (after andi, so 3 trigger both configs).
* Infamous Final Fantasy confirmation sound issue (in fact it does affect every sound effect using the reverb and only in the ps2_netemu) is fixed by 0x2 value.
Indigo Prophecy/Fahrenheit uses 0x1
Kengo 3 uses 0x2
 
{{Boxcomm|id=0x30|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x31|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x32|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x33|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x34|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x35|name=Enable Force Flip Field|data=N/A}}
Described in emu setting as "''Fix for [Hang] for soft-lock''"
 
{{Boxcomm|id=0x36|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x37|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x38|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x39|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x3A|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x3B|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x3C|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
 
{{Boxcomm|id=0x3D|name=Config revision|data=1x uint32_t}}
This command works as a restriction, the emulator loads the config contents '''only''' if the '''emulator revision''' is bigger than the '''config revision'''. See: [[PS2_Emulation#PS2 Emulator Types and Revisions|PS2 Emulator Types and Revisions]]<br>
The goal of this restriction is to prevent the emulator to load a config containing unsupported commands, as example netemu command 0x50 is only supported since netemu revision 17495 (shipped with PS3 firmware 4.78 or newer), otherway if you try to load a config with a revision higher than your netemu revision the contents of the config are going to be ignored (as example when trying to load a modern config using commands higher than 0x41 in a custom firmware 3.70)<br>
In general is better to use a low revision with this command to lower the restriction as most as posible (oldest netemu revision is 15686), but '''only''' if the commands inside the config are not higher than 0x41, for a reference when creating custom configs check the table below, those are the minimal '''config revisions''' required that depends of the config commands contents
 
{| class="wikitable" style="font-size:1em; line-height:1em"
|+Config commands supported by emulator revision
! Supported Commands !! ps2_netemu Revision !! PS3 Firmware
|-
| Up to 0x41 || 15686 || 3.70 or newer
|-
| Up to 0x43 || 16604 || 4.20 or newer
|-
| Up to 0x45 || 16808 || 4.30 or newer
|-
| Up to 0x46 || 16916 || 4.40 or newer
|-
| Up to 0x48 || 17041 || 4.45 or newer
|-
| Up to 0x4A || 17179 || 4.50 or newer
|-
| Up to 0x4D || 17277 || 4.55 or newer
|-
| Up to 0x50 || 17495 || 4.78 or newer
|}
 
*Problems:
**The [[PS2 Official Configs|official NET config]] for Gradius V (SLPM-62462) uses config revision = 17498 (is the highest value ever found in a official PS2 classic config), this value is higher than any retail ps2_netemu.self revision, and is breaking the logic of the [[Template:Ps2configrev]] (used to calculate the PS3 firmware version required by the config). So either... 1) the description of this command written above is not accurate enought, or 2) the config has been "faked" to an incorrect revision, or 3) the config is real but sony made a mistake with the revision and the emulator is not loading it
 
{{Boxcomm|id=0x3E|name=Unknown|data=N/A}}
Similar to 0x0D with param 0. Affect the same IOP related code path, but skips more code.
 
{{Boxcomm|id=0x3F|name=Unknown|data=1x uint32_t}}
Store value on 0x2B700 of SPE 0 (IOP) LS.
 
{{Boxcomm|id=0x40|name=Unknown|data=N/A}}
Command change GIF behavior by setting value to 1 at address 0x2F0 LS in SPU4.
Grand Theft Auto SA
Silent Hill Origins - unofficial fix
 
{{Boxcomm|id=0x41|name=Unknown|data=N/A}}
When enabled ignore D_ENABLEW (1000F590) writes from EE on SPE3 (EEDMA). D_ENABLER is updated regardless of cmd on PPE side. Enabling that command nullify 0x01 hooks for Max Payne!
Dragon Force
God Hand
Gradius V
Katamari Damacy
 
{{Boxcomm|id=0x42|name=EE Overlay patch|data=2 main Params + patch data: uint32_t address, uint32_t count, opcode,opcode,opcode...}}
Applied on game start (more precisely while executing ps2 bios syscall 7 ExecPS2), if game overwrite selected part of memory, it will wipe 0x42 patch. See [[Special:Diff/67828/67858]]
Start address can be (in theory) anywhere, but Sony used the 0xFF000 - 0xFFFFC range for this purpose.
Count is size of patch in 4 bytes opcodes. So 5 opcode patch = count 5.
Opcodes will be placed on selected address, we use only patch code, no need for original opcode.
Next opcode addresses are auto calculated (+4..) so we need to specify only patch start address.
Remember we need to jump to our new code, best way is command 0x0A with j (jump) opcode.
Also is important to add return jump if required. That one need to be added in our 0x42 patch.
Maximum opcodes count seems to be 0x3FF (1023 opcodes).
 
{{Boxcomm|id=0x43|name=Unknown|data=1x int32}}
Equal to command 0x40, but with Parameter:
Command change GIF behavior by setting value at address 0x2F0 LS in SPU4, correct values are:
0 = Default
1 = More agressive changes (like 0x40)
anything other = less agressive changes
Code on SPU side check for non zero value, and in few places explicitly for 1 (ceqi rxx,rxx,1) without mask.
Config have weird behavior. When there is no param, and config end (no more bytes after 43 00 00 00), then param 0xFFFFFFFF is set automatically. 
Shin Sangoku Musou uses 0xFFFFFFFF
 
{{Boxcomm|id=0x44|name=Disables Smoothing and Smoothing option|data=N/A}}
 
{{Boxcomm|id=0x45|name=Unknown|data=N/A}}
Sets something 1
Prevent  display_mode 2 (CELL_GCM_DISPLAY_576_unk)        [640x576]
and      display_mode 0 (CELL_GCM_DISPLAY_480_unk) (60Hz?) [640x480]
from beign set.
Allow  display_mode 1 (CELL_GCM_DISPLAY_480_unk2) (59Hz?) [640x480]
and    display_mode 5 (CELL_GCM_DISPLAY_720P_59)          [1280x720]
depending on sys_info.video_mode & 0x200 is 0 or not.
Both 480 modes can be either I or P, so is something else, probably 59/60Hz.
This config possibly affect only in-emu UI, but this require testing.
Phantasy Star Complete Collection
 
{{Boxcomm|id=0x46|name=Enable L2H Improvement|data=N/A}}
Performance related setting for titles using L2H (Local to Host, so called GS download (from GS to  EE))
SMT Digital Devil Saga 1 - Crazy amount of GS downloads used to draw characters in-game
SMT Nocturne
Fatal Frame II
Other games affected (not in official config)
Soul Calibur 2 - When looking at the sun
GT4 - When looking at the sun
Valkyrie Profile 2 - Similar situation to SMT DDS1, in Solde game literally do thousands of 30QWC downloads all the time.
Tak and the Power of JuJu - Fix freeze during loading of the Burial Ground level in the NTSC version. This probably getting lucky with VIF1/GIF timing, normally command is not supposed to fix hang issues.
 
{{Boxcomm|id=0x47|name=Enables XOR CSR|data=N/A}}
Graphics related setting.<br>
XOR  bit 13 of GS CSR register (CSR.FIELD). Should fix fullscreen line corruption, maybe some interlacing issues. Long shot, but can possibly affect SCANMSK games.
 
{{Boxcomm|id=0x48|name=VSYNC Delay|data=2x uint32_t}}
*First param possible value are 1 = No IPU, 2 = IPU, 3 = Anytime.
*Second param is delay (in ms?), and can be also negative value.
**Emu has standard presets for second param.
***Agressive = 0x3D090 (250000 decimal),
***Normal = 0x186A0 (100000 decimal),
***Conservative = 0x4E20 (20000 decimal),
***But other values can be used.
[SMT Digital Devil Saga 1] uses 1, 0x3D090
[Fatal Frame II] uses 0x2, 0xFFFFE69C (-6500 decimal)
 
{{Boxcomm|id=0x49|name=Unknown|data=N/A}}
Sets something 0xB,0,0
Trapt
 
{{Boxcomm|id=0x4A|name=Unknown|data=N/A}}
Change VIF1 command 14h MSCAL behavior to use 15h MSCALF (VIF1) instead. MSCALF behavior is the same as MSCAL, but also waits for PATH1 and PATH2 to not be active before starting a microprogram. This is hack, and MSCAL should be fixed instead to wait in queue instead of triggering early.
Applies to the Snowblind Engine games. Fixes the rest of flickering textures.
Meant to be used in conjunction with the GX/SOFT Snowblind Engine's specific commands (double 0x01 and 0x23 combo).
 
{{Boxcomm|id=0x4B|name=Redirect SAVEDATA by ID|data=2x uint32_t + ID: offset, int, char[]}}
For proper config we need at least 2 (can be more if needed) 0x4B commands, one to enable redirect, one to disable.
First param is EE memory offset that when is hit enable/disable redirection.
Second param is partially unknown, seems to be size of next param to read * 4 (3 in known configs), or 0xFFFFFFFF for disable redirect command.
Third param is ID of SAVEDATA we want to use padded with 00 to match 12 bytes, or all 00 in disable redirect config.
Important note here is that config have own 00 00 00 00 terminator at the end.
So after 12 bytes of ID we need to add 4 bytes of 00. That apply also to disable redirect version.
 
{{Boxcomm|id=0x4C|name=Unknown|data=2x uint32_t + ID: offset, int, char[]}}
Used to redirect to different ISO without game reset. First param is EE offset to hook, second param is ID size * 4. Emulator do some checks here, safe value is 3 (3 * 4 bytes), third value is ID in big endian hex ascii (eg. NPJD12345), additionally 0x4C expect own 00 00 00 00 terminator. To eventually end redirection use another 0x4C but with (offset, 0xFFFFFFFF, 4 * 0x00000000 . This config have very similar usage to 0x4B, just redirect to different iso, instead to different MC. Currently is unknown that cobra patched emulators support that config properly.
 
{{Boxcomm|id=0x4D|name=Unknown|data=1x uint32_t}}
Param is MASK used in some conversion of Q value in RGBAQ writes. Default value 0.
tempQ = Q & 0x7FFFFFFF
tempQ = tempQ & MASK
Q = tempQ | unmasked Q
 
Wild Arms: The Fifth Vanguard uses 0x3F800000
 
{{Boxcomm|id=0x4E|name=Unknown|data=Unknown}}
 
{{Boxcomm|id=0x4F|name=Unknown|data=Unknown}}
 
{{Boxcomm|id=0x50|name=Enable pressure sensitive controls|data=N/A}}
 
===Config file examples (for netemu)===
 
====Official PS2 Classic====
See: [[PS2 Official Configs]]
 
====Official GXEMU/SOFTEMU extracted====
See: [[PS2 Official Configs]]
 
==== Custom Configs ====
See: [[PS2 Custom Configs]]
 
===Config data examples (hardcoded)===
====Inside ps2_emu.self====
Embedded patches are based on Checksum/Hash of title. ps2_emu is only emulator version where patches are described inside self file in ascii. Known patch types described in ascii are: Patch data, new SPU2 params, and Setting mecha HACK to show GODZCD as GODZCDDA.
 
{| class="wikitable sortable"
! PS2 Title !! Hash !! Game !! Patch Type !! Data
|-
| SCUS_971.46|| 0x6B1ADE00D||Disney's Treasure Planet || Patch data - Fixes black screen at start, it apply to STREAM_D.IRX file in IOP folder. || 0x147C (sector) , 0x580 (offset) (- 0xC on disc)  
  Replace opcodes
  00 01 01 3C lui at,0x0100
  80 BF 03 3C lui v1,0xBF80
  C8 10 63 8C lw v1,0x10C8(v1)
  24 18 61 00 and v1,at
  FB FF 61 10 beq v1,at, -0x10
  00 00 00 00 nop
   
  Original opcodes
  FF FF 01 24 li at,-0x1
  04 00 61 14 bne at,v1, +0x14
  00 80 01 3C lui at,0x8000
  00 80 01 3C lui at,0x8000
  02 00 41 14 bne at,v0, +0x0C
  02 00 41 14 bne at,v0, +0x0C
Line 1,931: Line 2,587:
| VU0 is not running in sync with EE core || VU0 is running program "at once", which mean that VU0 run until it hits E bit. From EE perspective it looks like whole VU0 program run in 1 cycle. Games that expect VU0 registers to be changed from EE side while VU0 is running are broken due to that. Partially resolved using 0x12 command with 2/3 subcommands, or by code rearranging.|| 24 The Game, ATV Quad Power Racing 2, Twisted Metal Head-On, Primal, Ghosthunter, Rayman Arena, Rayman 3, Largo winch. All games using M-bit.  
| VU0 is not running in sync with EE core || VU0 is running program "at once", which mean that VU0 run until it hits E bit. From EE perspective it looks like whole VU0 program run in 1 cycle. Games that expect VU0 registers to be changed from EE side while VU0 is running are broken due to that. Partially resolved using 0x12 command with 2/3 subcommands, or by code rearranging.|| 24 The Game, ATV Quad Power Racing 2, Twisted Metal Head-On, Primal, Ghosthunter, Rayman Arena, Rayman 3, Largo winch. All games using M-bit.  
|-
|-
| M-Bit not supported || Emulator ignore VU0 M-Bit, that cause issues for games that need it to work correctly. This is done because there is no way to sync correctly running VU0 without sync with EE. Partially resolved on emu using 0x12 command with 2/3 subcommands, or direct VU0/MIPS code rearranging. || Totally Spies! Totally Party, Mike Tyson Heavyweight Boxing, My Street, Crash Twinsanity, Marvel Nemesis, Panzer Elite Action - Fields of Glory, TriAce games (speed optimizations only), Super Monkey Ball Adventure, most Eko Software games, and many more.
| M-Bit not supported || Emulator ignore VU0 M-Bit, that cause issues for games that need it to work correctly. This is done because there is no way to sync correctly running VU0 without sync with EE. Partially resolved on emu using 0x12 command with 2/3 subcommands. || Totally Spies! Totally Party, Mike Tyson Heavyweight Boxing, My Street, Crash Twinsanity, Marvel Nemesis, Panzer Elite Action - Fields of Glory, TriAce games (speed optimizations only), Super Monkey Ball Adventure, most Eko Software games, and many more.
|-
| T-Bit not supported on VU0 || Emulator ignore VU0 T-Bit, that cause issues for games that need it to work. Note: T-Bit is correctly handled for VU1. || Spiderman 3 set T-Bit, then do cfc2 from TPC (address where VU0 stopped). Since T-Bit is ignored, TPC is wrong. Value is later copied to CMSAR0, and program continue at wrong address. Well that's what should happen, but T-Bit also not signalize correct bit in VPU-STAT. Causing another issue, also in Spiderman 3.  
|-
|-
| Emulator do not update correct flag instances for COP2 while ending VU0 program on Ebit || This cause few games to read bad flag status (not status flag!) on COP2. This is resolved on emu by forcing update of MAC flag on every STATUS flag read (by config 0x12), this cause slowdowns creating a lot of unnecessary operations. || Driving Emotion Type-S, State of Emergency 2, The Getaway Black Monday.
| Emulator Fail to save correct flag instances while ending VU0 program on Ebit || This cause few games to read bad flag status (not status flag!) on COP2. This is resolved on emu by forcing update of MAC flag on every STATUS flag read (by config 0x12), this cause slowdowns creating a lot of unnesessary operations. || Driving Emotion Type-S, State of Emergency 2, The Getaway Black Monday.
|-
|-
| Not updated status flag when VDIV/VSQRT/VRSQRT is done on COP2 || Potential bad flag state can cause a lot of issues that are not related on first sight || Yanya Caballista (already patched by custom config)
| Not updated status flag when VDIV/VSQRT/VRSQRT is done on COP2 || Potential bad flag state can cause a lot of issues that are not related on first sight || Yanya Caballista (already patched by custom config)
|-
|-
| In corner cases emu select wrong block flags pipeline state (both VU0/EEonBE and VU1/VRC affected). || This can cause various issues, mostly SPS, missing graphic, specific slowdowns, etc. Issue seems to occur when branch/jump delay slot have opcode important for flags calculation. Theory is that cached microprogram don't include modified flags state from delay slot instruction. So when already recompiled program is fetched from pool, it will miss one cycle in fmac flags pipeline. This can be crucial in games that rely on it. || Tales of Legendia and Klonoa 2 set sticky flag bits to 0 and branch with sub.xyzw in delay slot (expecting that sub change status flag), Tamsoft engine games set sticky bits to 0 in branch delay slot, this was most ridiculous bug, because problematic branch was pointing to next opcode after delay slot, removing branch was enough. True Crime: NY is only known game where VU0 is affected by this bug. more..
| In corner cases emu select wrong block pipeline state while processing Flag VU opcodes. || This can cause various issues, mostly SPS, missing graphic, specific slowdowns, etc. For now it was only confirmed that FSAND opcode don't ask for exact pipeline state, but looking at assembly of other opcode this rather affect all of them. || Tales of Legendia, more..
|-
|-
| CTC2 opcode write whole value to R register, while only 23 bits are writable. Rest is hardcoded to 0x3F800000. || Can cause many weird issues like broken physics, broken graphics. PCSX2 was also affected [[https://github.com/PCSX2/pcsx2/pull/6611 more]]. || The one game that is known to be affected, and is already patched, is Musashi: Samurai Legend.
| CTC2 opcode write whole value to R register, while only 23 bits are writable. Rest is hardcoded to 0x3F800000. || Can cause many weird issues like broken physics, broken graphics. PCSX2 was also affected [[https://github.com/PCSX2/pcsx2/pull/6611 more]]. || There is only one game that is known to be affected, and is already partially patched (patch still break fog), is Musashi Samurai Legend.
|-
|-
| CFC2 from R register should return only 23 lower bits. || CFC2 from R on real PS2 return only lower 23 bits. Originally found out by PCSX2 team  [[https://github.com/PCSX2/pcsx2/pull/8409 more]] and later confirmed to affect ps2_netemu in emu assembly. || There is only one game that is known to be affected, Onimusha Dawn of Dreams.
| CFC2 from R register should return only 23 lower bits. || CFC2 from R on real PS2 return only lower 23 bits. Originally found out by PCSX2 team  [[https://github.com/PCSX2/pcsx2/pull/8409 more]] and later confirmed to affect ps2_netemu in emu assembly. || There is only one game that is known to be affected, Onimusha Dawn of Dreams.
|-
|-
| Missing floating point result overflow/underflow detection (U/O flags not set) || Since this affect all units (FPU/VU), many issues can occur. But in reality it seems to not affect any games. While this is easier to implement than on x86 system (full floats range, compared to ieee754), there is no way to do that by hardware way. Because SPU add/sub don't set those flags on single precision operations, and vmx have them disabled in spu compatibility mode. || Superman Returns.
| Missing floating point result overflow/underflow detection (U/O flags not set) || Since this affect all units (FPU/VU), many issues can occur. But in reality it seems to not affect any games. While this is easier to implement than on x86 system (full floats range, compared to ieee754), there is no way to do that by hardware way. Because SPU add/sub don't set those flags on single precision operations, and vmx have them disabled in spu compatibility mode. || Superman Returns.
|-
| DMA between SPR and VU1 memory cause emulator panic. || Currently cause is unknown. It seems that functions responsible for transfer don't check that VU is running. Manual state that dma can be performed only when VU is not active, and pcsx2 wait until VU end. Games affected in emulators on ps3 display this warning in pcsx2 if mtvu is enabled: "MTVU: SPR Accessing VU1 Memory". Affected games are fixed by rearranging code to do lq/sq loop instead of DMA. || Summoner 2 (SPRfrom to VU1 data mem), Kaena (SPRto from VU1 data mem).
|-
| IOP SIF0/1 DMA IRQs can be disabled (masked), which is not true on real hardware. || IOP interrupts 0x2A and 0x2B should always trigger. Fixed by patches to IOP code. Ps2_emu seems to be unfacted, probably handled on real hw in CXD9208GP. || Knockout Kings 2001, DOA2: Hardcore.
|}
|}
===Software emulation bugs===
===Software emulation bugs===
Line 1,956: Line 2,606:
! Bug !! Description !! Known Affected Games
! Bug !! Description !! Known Affected Games
|-
|-
| No mipmapping support || Emulator does ignore the mipmap layers, probably for performance reasons. It is processing only the level 0 texture base pointer specified in the TEX0 register. There are games writing garbage data into that memory area, when the mipmap level is different than zero. As a result, a garbled texture is shown instead of a correct one. || Ace Combat series, Ape Escape 2, EA Sports F1 series, Harry Potter series, ICO (psuedo volumetric rays), Jak and Daxter series, Nickelodeon Barnyard and Nicktoons Unite (very strange implementation), Ratchet and Clank series and more.
| No mipmapping support || Emulator does ignore the mipmap layers, probably for performance reasons. It is processing only the level 0 texture base pointer specified in the TEX0 register. There are games writing a garbage data into that memory area, when the mipmap level is different than zero. As a result, a garbled texture is shown instead of a correct one. || Ace Combat series, Ape Escape 2, EA Sports F1 series, Harry Potter series, ICO (psuedo volumetric rays), Jak and Daxter series, Nickelodeon Barnyard and Nicktoons Unite (very strange implementation), Ratchet and Clank series and more.
|-
| SCANMSK register ignored || Emulator does ignore the SCANMSK setting responsible for restricting the drawing primitives on the odd or even lines. It is used as a fake transparency effect in some games by merging the two display circuits. || Metal Gear Solid series (water and reflection effects), Gran Turismo series (ghost cars), Raw Danger! (depth of field effect)
|-
|-
| Missing PCRTC feedback write support || PCRTC feature that writes back the image to the frame buffer is not supported or broken. Additional RGB to YCbCr conversion could be performed there. || Xenosaga Episode I: Der Wille zur Macht (black and white cut scenes)
| SCANMSK register ignored || Emulator does ignore the SCANMSK setting responsible for restricting the drawing primitives on the odd or even lines. It is used as a fake transparency effect in some games by merging the two display circuits. || Metal Gear Solid series (heavy used in the MGS2 on the water and reflection effects), Gran Turismo series (ghost cars), Raw Danger! (depth of field/tonemapping effect)
|-
|-
|}
|}
Line 2,611: Line 3,259:
* http://wiki.pcsx2.net/index.php/Category:Software_rendering_only_games
* http://wiki.pcsx2.net/index.php/Category:Software_rendering_only_games


{{Reverse engineering}}<noinclude>
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
[[Category:Main]]
</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)