Editing Talk:PS1 Emulation

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 14: Line 14:
Offset in emu memory (ps1_netemu 4.86) | name | info
Offset in emu memory (ps1_netemu 4.86) | name | info


001B39D0 GP0_commands_table {ParamsCount, OPD}
0x10C5E4 GP1_reset_gpu
0x10C5E4 GP1_reset_gpu
0x10C88C GP1_reset_command_buffer
0x10C88C GP1_reset_command_buffer
Line 140: Line 139:
</pre>
</pre>


== Experimental Patches ==
== Command IDs mapping ==
This patches are intended to be applyed to the PS1 emulators
 
==== Disable Dithering ====
Always set bit 9 in GP0 E1 command to 0. Patches apply to SPE PS1 GPU emulation program. Based on 4.86, but should be valid for all firmwares since 4.6x<br><br>
For ps1_emu.elf
<pre>
search for: 23 EC A4 04 23 E3 3B 85  33 7E 26 00 32 05 86 00 0F 3D C6 11
replace to: 23 EC A4 04 23 E3 3B 85  33 7E 26 00 32 05 86 00 40 80 00 11
</pre>
 
For ps1_netemu.elf
<pre>
search for: 7C 38 41 94 20 7F F4 94 0F 3D C6 3C 12 7F F3 8A
replace to: 7C 38 41 94 20 7F F4 94 40 80 00 3C 12 7F F3 8A
</pre>
 
For ps1_newemu.elf
<pre>
search for: 20 7F FD 4C 23 9D C5 85  32 05 B2 80 12 05 B2 0B 0F 3D C6 58
replace to: 20 7F FD 4C 23 9D C5 85  32 05 B2 80 12 05 B2 0B 40 80 00 58
</pre>
 
Patch for rpcs3 (newemu only) for testing purpose.
<pre>
Version: 1.2
 
SPU-f3d8be702bf4cb8545656e37c29fcc6201a57991:
  "Disable Dithering":
    Games:
      All:
        All: [ All ]
    Author: "kozarovv"
    Patch Version: 1.0
    Patch:
      - [ be32, 0xFB0, 0x40800058 ]
</pre>
 
==== Allow non encrypted ISO.BIN.EDAT and skip signature check (RPCS3 only) ====
For easier config testing. Patch allow to use unencrypted ISO.BIN.EDAT so we don't need to mess with klic. Also ECDSA signature at the end of file is no longer required. So we can ftp configs as is, for faster testing. Warning! This patch break official ps1_classics.
<br><br>
ps1_netemu.elf 4.86-4.90 offset in raw hex (for Hxd, etc.)
0xDDD6C replace 48 07 14 21 to 38 60 00 00
0xE13C4 replace 60 00 00 00 to 38 60 00 00
 
==== GTE Automatic Widescreen Hack ====
Automatic widescreen without per game patches. Work only for 3D elements (like 95% of available widescreen patches).<br>
Tested on both RPCS3 and real PS3 (CFW only, but can be added to hen).<br>
ps1_netemu.elf 4.86 - 4.91 offsets in raw hex (for Hxd, etc.)
0x2BDA4 original code:
    7C 69 1B 78 3C 60 80 54 2F 89 00 00 60 63 00 10
    40 9E 00 14 3C 60 80 54 60 63 00 02 7C 63 07 B4
    4E 80 00 20 A0 09 00 02 2F 80 00 00 41 9E FF F0
    C0 02 A3 D8 FF 81 00 00 41 9D FF DC C0 02 A3 DC
    38 60 00 00 FF 81 00 00 41 9C FF CC D0 29 00 6C
    4B FF FF CC
replace to:
    78 C0 F8 42 78 C6 F0 82 7C C6 02 14 7D 08 32 14
    48 0C 47 7E 78 E9 F8 42 78 E7 F0 82 7C E9 3A 14
    7C C6 3A 14 48 0C 65 66 79 00 F8 42 79 08 F0 82
    7D 08 02 14 7C C6 42 14 48 0C 69 0A 79 00 F8 42
    79 08 F0 82 7D 08 02 14 7C C6 42 14 48 0C 6C 6A
    60 00 00 00
0xB4778  original code: 7D 08 32 14 replace to: 48 03 BD A6
0xB6560  original code: 7C C6 3A 14 replace to: 48 03 BD BA
0xB6904  original code: 7C C6 42 14 replace to: 48 03 BD CE
0xB6C64  original code: 7C C6 42 14 replace to: 48 03 BD E2
 
== Ps1_netemu Commands Info ==
 
=== External Configs ===
 
Loading external commands is be possible in ps1_netemu. From this we can also figure out that sony call those configs "ad hoc params" which can be little bit misleading. Emulator expect them inside ISO.BIN.EDAT file. Offset depend if "optional header" exist or not. Values are little endian.
The offsets below are the offsets from the start of the PSISOIMG section. This data starts at absolute file offset 0x424 for single disk games that do not use a PSTITLEIMG section. For games that do have a PSTITLEIMG section, the absolute offset will be shifted by 0x400 bytes, i.e. to offset 0x824 and similar.
* Offset 0x424 Config revision in bcd format, that need to be higher than DB from emu (11624 for 4.86). Safe to use 0x200000.
* Offset 0x42C first config command
* Offset 0x430 param for first command
* This repeats 8 times as only 8 commands is supported.
* Command 2 is unsupported.
* Command 0 is unsupported because $ony made mistake in parser.
* Command 0x17 is supported, but there is different official way to inject it, and it is libcrypt key so there is no point to do it this way.
This probably repeats for multidiscs, but for now let's figure out single discs first.
<br>Function that search for configs look like this:
case 9:
  if ( *(&0x161FD80) ) 1570FA0(base) + AEDE0(offset in ISO.BIN.DAT or PSISOIMG? ) = 161FD80 in 4.86 ps1_netemu
  {
    cfg_rev = get_cfg_rev_from_PSIMG();
    db_rev = get_titledb_rev();
    decimal_16 = ret_32() >> 1;
    tty_print("ad hoc param: %x <%x>\n", cfg_rev, db_rev);
    if ( decimal_16 )
    {
      low_rev = cfg_rev < db_rev;          // Check is opposite to ps2_netemu, only config version higher than included db will pass.
                                            // Which mean config need to be higher version than emu database.
      for ( i = 0; i < decimal_16; i += 2 ) // up to 8 configs supported (8 commands + 8 values)
      {
        cfg_command = read_cfg_from_PSIMG(i);
        _cfg_value = read_cfg_from_PSIMG(i + 1);
        if ( cfg_command - 1 <= 0x3B )      // max cfg nr 0x3C
        {
          v245 = cfg_command >> 28;        // Most likely check for wrong endianess. Configs are LE and are byte reversed before we end up here.
          if ( low_rev || v245 || cfg_command == 2 )// cfg 2 unsupported (replaced in later PSIMG rev with subchannel data), or old config rev, or v245.
          {
            tty_print("%x: %2d=0x%08x ***\n", v245 & 0xF, cfg_command, _cfg_value); // Ignore cfg
          }
          else
          {
            cfg_value = _cfg_value;
            tty_print("%x: %2d=0x%08x\n", 0LL, cfg_command, _cfg_value);
            WriteInternalConfigValue(cfg_command, cfg_value);
          }
        }
      }
    }
  }
 
=== Command IDs mapping ===
The command IDs differs in between the PS1 emulator types and versions because are an indirect ID, it seems every command ID is mapped to a static ID in a separated table<br>
The command IDs differs in between the PS1 emulator types and versions because are an indirect ID, it seems every command ID is mapped to a static ID in a separated table<br>
The command ID's varies in between firmware versions, most probably because new functions was added every few versions, reorganized, etc... and this changes created a "displacement" of the old commands that causes them to increase his ID<br>
The command ID's varies in between firmware versions, most probably because new functions was added every few versions, reorganized, etc... and this changes created a "displacement" of the old commands that causes them to increase his ID<br>
At the time of writing this we dont know how to map that variable ID's to an static ID (that could be valid for all firmware versions), so by now in this list is needed to indicate the firmware version where the command ID was found<br>
At the time of writing this we dont know how to map that variable ID's to an static ID (that could be valid for all firmware versions), so by now in this list is needed to indicate the firmware version where the command ID was found<br>
Coincidentially there are a few commands that preserves his ID in between emulator types and revisions, most probably is because are the first commands implemented and the variable ID given to them is a very low value, so always was kept at a low position in the commands list and was not disturbed by the modifications made to the other commands.
Coincidentially there are a few commands that preserves his ID in between emulator types and revisions, most probably is because are the first commands implemented and the variable ID given to them is a very low value, so always was kept at a low position in the commands list and was not disturbed by the modifications made to the other commands.
== Commands Info ==
=== Other orphan commands info ===
* 0xE param is divider for 0x204CC00 (psx cpu speed), result is stored on fixed address and used by many functions. <!-- we need to move this note to the new page sections and delete this one originally named "Known ps1emu.self commands" -->


=== Command 0x00 (netemu 3.40 up to 4.88) ===
=== Command 0x00 (netemu 3.40 up to 4.88) ===
Line 267: Line 154:
**0 = ? (used by SCPS-18011 Um Jammer Lammy, and SLPS-01818 Langrisser IV & V Final Edition [Disc1of2])
**0 = ? (used by SCPS-18011 Um Jammer Lammy, and SLPS-01818 Langrisser IV & V Final Edition [Disc1of2])
In Um Jammer Lammy is used together with command 0x13, so it was a bit doubtful if it was a mistake. But Langrisser IV & V Final Edition [Disc1of2] uses it too and is the only command used by this disc, so it "should" do something. Um Jammer Lammy in netemu 3.40 was fixed only with command 0x0/0x0 (id/data)
In Um Jammer Lammy is used together with command 0x13, so it was a bit doubtful if it was a mistake. But Langrisser IV & V Final Edition [Disc1of2] uses it too and is the only command used by this disc, so it "should" do something. Um Jammer Lammy in netemu 3.40 was fixed only with command 0x0/0x0 (id/data)
*Um Jammer Lammy (SCPS-18011) uses somewhat new external config revision (11580) in official classic's external config, but only uses command 0x13. Keep in mind the game was released Febuary 27, 2008, so package was possibly updated with new config at some point, and then in internal table, so maybe it once had a different config command in config table and 0x00 nullified it. Langrisser IV (SLPS-01818) has old config revision (5713) and uses command 0x03 set to 0x3E8, so just default. Maybe internal config for Langrisser IV is empty config just to also nullify external config? --[[User:Mrjaredbeta|Mrjaredbeta]] ([[User talk:Mrjaredbeta|talk]]) 03:32, 1 September 2023 (CEST)


=== Command 0x01 (netemu 3.40 up to 4.88) ===
=== Command 0x01 (netemu 3.40 up to 4.88) ===
Line 636: Line 522:
Value is integer that is later converted to double float using fcfid, and truncated to single precision by frsp.<br>
Value is integer that is later converted to double float using fcfid, and truncated to single precision by frsp.<br>
I'm not familiar with CELL floating point unit quirks, but value could be just single precision float from the start, why complicate that so much?<br>
I'm not familiar with CELL floating point unit quirks, but value could be just single precision float from the start, why complicate that so much?<br>
*Possible disc read speed delay or adjustment. Larger value results in slower loading times. --[[User:Mrjaredbeta|Mrjaredbeta]] ([[User talk:Mrjaredbeta|talk]]) 03:21, 1 September 2023 (CEST)
_xcdrom_thread related.
'''Custom Usage:'''
*Param 0x384 (900d) fixes Vampire Hunter D (SLUS-01138) hanging issues.
*Param 0x1F4 (500d) fixes Medievil 2 audio and hanging issues.


=== Command 0x04 (netemu 3.40 up to 4.88) ===
=== Command 0x04 (netemu 3.40 up to 4.88) ===
*Valid values found: 0x4, 0x7, 0x14 (20d), 0x46 (70d), 0x64 (100d), 0xC8 (200d), 0xFFFFFF38 (-200d)
*Valid values found: 0x4, 0x7, 0x14 (20d), 0x46 (70d), 0x64 (100d), 0xC8 (200d), 0xFFFFFF38 (????????)
*Default value: 0
*Default value: 0
*_xcdrom_thread related.
*_xcdrom_thread related.
Possible seek delay/adjustment.<br>
'''Custom Usage:'''
*Param 0x64 and above fixes Transformers: Beast Wars Transmetals (SLUS-01160). 0x14 also gets past initial main menu screen, but hangs when loading into a stage. Param 0xC8 is probably safest.


=== Command 0x05 (netemu 3.40 up to 4.88) ===
=== Command 0x05 (netemu 3.40 up to 4.88) ===
Line 657: Line 537:
*Default value: 0
*Default value: 0
*_xcdrom_thread related.
*_xcdrom_thread related.
'''Custom Usage:'''
*Param 0x01 fixes Shrek Treasure Hunt (SLUS-01463) minigame loading screen hangs.
*Param 0x01 fixes Fear Effect (SLUS-00920) hang when pressing START at menu screen.


=== Command 0x07 (netemu 4.83 up to 4.88) ===
=== Command 0x07 (netemu 4.83 up to 4.88) ===
*Default value: 0
*Default value: 0
*_xcdrom_thread related.
*_xcdrom_thread related.
'''Custom Usage:'''
*Param 0x01 fixes Fear Effect (SLUS-00920) other issues in main menu, such as graphical corruption in options screens, and returning to options screen after viewing credits.


=== Command 0x08 (netemu 3.40 up to 4.88) ===
=== Command 0x08 (netemu 3.40 up to 4.88) ===
Line 697: Line 572:
=== Command 0x12 (netemu 4.83 up to 4.88) ===
=== Command 0x12 (netemu 4.83 up to 4.88) ===
*Or command 0x10 (netemu 3.40)
*Or command 0x10 (netemu 3.40)
Command value are flags/settings to alter cdrom behavior.
*0x800 = Different code path for MotorOn/Pause/SetSession cdrom commands. // Need more work, flag affect more than that.


=== Command 0x13 (netemu 4.83 up to 4.88) ===
=== Command 0x13 (netemu 4.83 up to 4.88) ===
*Default value: 0
*Default value: 0
*MDEC related?
'''Custom Usage:'''
*Param 0x01 fixes Roland Garros French Open 2001 (SLES-03449) hang when loading into a match.
*Param 0x01 fixes Fear Effect (SLUS-00920) hang when pressing START at menu screen (sometimes).


=== Command 0x14 (netemu 4.83 up to 4.88) ===
=== Command 0x14 (netemu 4.83 up to 4.88) ===
Line 715: Line 584:
=== Command 0x16 (netemu 4.83 up to 4.88) ===
=== Command 0x16 (netemu 4.83 up to 4.88) ===
*Default value: 0
*Default value: 0
*DMA timing related.
'''Custom Usage:'''
*Param 0x32 is enough to fix International Superstar Soccer (SLES-02550) black screen after PlayStation logo.
*Param 0x08 is enough to fix Vampire Hunter D’s main menu flashing.


=== Command 0x17 (netemu 4.83 up to 4.88) ===
=== Command 0x17 (netemu 4.83 up to 4.88) ===
Line 728: Line 593:
*Or command 0x0A (newemu 3.40 up to 4.88)
*Or command 0x0A (newemu 3.40 up to 4.88)
This is the libcrypt magic word. This command is used only in 3 games (SCES_016.95, SLES_019.07, SLES_013.01). see: [[PS1 Custom Patches]]
This is the libcrypt magic word. This command is used only in 3 games (SCES_016.95, SLES_019.07, SLES_013.01). see: [[PS1 Custom Patches]]
In ps1_netemu there is possibility to setup that command from one of ps1 classic files (PSISOIMG0000 / PSTITLEIMG000000 related).
In ps1_netemu there is possbility to setup that command from one of ps1 classic files (PSISOIMG0000 / PSTITLEIMG000000 related).
 
When value is not zero is returned by emulator when game try to read cop0r3 (BPC) register. When value is 0 (default), emulator return real BPC content.
 
* It seems there is a problem with LC games using the third scheme mentioned [https://problemkaputt.de/psx-spx.htm#cdromprotectionlibcrypt here]. After reading the data contents of subchannel Q, the CRC-16 value is not read at all, but calculated on its own by the driver instead. It does break LC games using this particular scheme (web-found confirmed issues with Ape Escape and Final Fantasy VIII). All three games that are meant to work with this command does use these LC sectors. I think this command was meant to resolve this issue, just a guess.--[[User:Agrippa|Agrippa]] ([[User talk:Agrippa|talk]]) 20:06, 12 June 2022 (UTC)


=== Command 0x18 (netemu 4.83 up to 4.88) ===
=== Command 0x18 (netemu 4.83 up to 4.88) ===
Substrat cycles from mdec_block_copy_out_callback delta. When mdec is decoding blocks, copy out happen on every completed 6th block. This is hardcoded to take 0xB00 (2816) cycles in ps1_netemu. By using this config we can make this value less than default, which in turn "overclock" mdec decoding as every 6xblock will be decoded faster. Duckstation by default use value 0xA80 (2688 (448 x 6 blocks)). So to make config that will replicate this behavior we need set config value to 0x80 (0xB00 - 0x80 = 0xA80).
*Default value: 0
*Default value: 0
*Valid values range: 0x000 - 0xB00
*Higher values are ignored and 0 is set (just like when you use 0xB00 value), making MDEC instant.


=== Command 0x19 (netemu 4.83 up to 4.88) ===
=== Command 0x19 (netemu 4.83 up to 4.88) ===
Line 750: Line 608:
=== Command 0x1B (netemu 4.83 up to 4.88) ===
=== Command 0x1B (netemu 4.83 up to 4.88) ===
*Default value: 0x3E8
*Default value: 0x3E8
Multiplier for GTE commands cycles. Value from config is multiplied by 256, and then divided by 1000.
For example Battle Arena Toshinden use 0xC8 which result in 0x33(51) as value that is later used.
Default value 0x3E8 end as 0x100(256).


=== Command 0x1C (netemu 4.83 up to 4.88) ===
=== Command 0x1C (netemu 4.83 up to 4.88) ===
*Or command 0x18 (netemu 3.40)
*Or command 0x18 (netemu 3.40)
*Or command 0x1A (netemu 3.55 ?)
*Or command 0x1A (netemu 3.55 ?)
*Or command 0x02 (netemu 1.70) - possibly different command
*Or command 0x02 (netemu 1.70)
 
Destruction Derby (SCUS-94302) was fixed in netemu 1.70 by using 0x02/0x02 (id/data), and in netemu 4.88 with 0x38/0x02 (id/data). Netemu 1.70 command 0x02 was remapped to netemu 4.88 command 0x1C but are 2 different commands. What happened is sony decided to change the old command by the new command 0x32 (didnt existed in netemu 1.70) at some intermediate revision. The interesting detail of this story is this change in the destruction derby config seems to indicate netemu 4.88 command ids 0x1C and 0x38 with data value 0x2 can be used to solve the same problem. Netemu 4.88 command 0x38 reloads the game with ps1_newemu.self 4.88 that contains another config with the command 0x3/0x2 (id/data)<br>
Param flags:
Old command 0x02 is related to new 0x1C. But it seems that sony decided to split/extend that little bit. Instead of 0x02 there is now 0x1C, 0x1D, 0x1E, so config is now more flexible. All that is "JOY" PSX HW IO related, but "JOY" handle also memory card, so this is no 100% clear which one it helps without more reversing. --kozarovv.
*1 = unk.
*2 = Set Vibration to Off (menu to set it to On is still accessible, but command seems to also skip initializing of vibration internal struct/settings).
 
=== Command 0x1D (netemu 4.83 up to 4.88) ===
*Default value: 0
*Correct values 0 / 1 / 2
Config seems to setup default gamepads layout for multitap.
*0 = <0, 2, 4, 6, 1, 3, 5, 7>
*1 = <0, 2, 3, 4, 1, 5, 6, 7>
*2 = <0, 1, 2, 3, 4, 5, 6, 7>
 
Sync order of controllers is always the same regardless of parameter set (1/1-A, 2/2-A, 1-B, 2-B, 1-C, 2-C, 1-D). Therefore, change is only reflected internally in emulated game. For example, Crash Bash needs parameter 2 for controllers to be set properly in game, but order in which controllers physically connect is not changed.


=== Command 0x1E (netemu 4.83 up to 4.88) ===
=== Command 0x1E (netemu 4.83 up to 4.88) ===
*Default value: 0x7D0
*Default value: 0x7D0
*xPadThread related.
*xPadThread related.
=== Command 0x20 (netemu 4.83 up to 4.88) ===
GPU multi command (bifield)
*Default value: 0
*0x08 = Always set Vertical Interlace bit in GPUSTAT to 0 on GP1 (08h) command.
*0x40 = Is not exactly known what happen under the hood, but this command allow to play 50Hz titles in 60Hz with correct speed.


=== Command 0x21 (netemu 4.83 up to 4.88) ===
=== Command 0x21 (netemu 4.83 up to 4.88) ===
Line 790: Line 627:
*Default value: 0x3E8
*Default value: 0x3E8
*PS1 GPU related.
*PS1 GPU related.
Seems to fix slowdown in Rapid Racer (SCPS-10060) with value 0x320.


=== Command 0x23 (netemu 4.83 up to 4.88) ===
=== Command 0x23 (netemu 4.83 up to 4.88) ===
Line 808: Line 644:
*PS1 GPU related.
*PS1 GPU related.


=== Command 0x2B (netemu 4.83 up to 4.88) ===
=== Command 0x2B(netemu 4.83 up to 4.88) ===
*Default value: 0
*Default value: 0
*PS1 GPU related.
*PS1 GPU related.
Line 819: Line 655:
*Default value: 0
*Default value: 0
*PS1 GPU related.
*PS1 GPU related.
=== Command 0x31 (netemu 4.83 up to 4.88) ===
GPU multi command (bitfield)
*0x02 = Enable Vertical Interlace bit in GP1 (08h) command in SPE writes (in renderer only). Emulator by default use hack where VI bit is ALWAYS disabled in spe.
Note from nocash docs about Vertical Interlace: ''"'''Interlace must be enabled to see all lines in 480-lines mode''' (interlace is causing ugly flickering, so a non-interlaced low resolution image is typically having better quality than a high resolution interlaced image, a pretty bad example are the intro screens shown by the BIOS).''"<br>
This suggest that games which eventually need 0x31, 0x02 will be ones that send GP1 commands with active bit 2(Vertical Resolution 1=480) and 5(Vertical Interlace) at the same time. Otherwise image will be cropped, or badly interlaced. FF8 use this on "Published by..." screen, you can notice weird interlacing when subtitles fade-in without command.


=== Command 0x32 (netemu 4.83 up to 4.88) ===
=== Command 0x32 (netemu 4.83 up to 4.88) ===
Line 852: Line 682:
*Or command 0x2C in ps1_netemu.self 3.40
*Or command 0x2C in ps1_netemu.self 3.40
*Or command 0x2E in ps1_netemu.self 3.55 ?
*Or command 0x2E in ps1_netemu.self 3.55 ?
*Or command 0x15 in ps1_emu.self 4.88 ?
*Valid values found:
*Valid values found:
**0/1/2/3
**1 = relaunch the game with ps1_emu.self
**2 = relaunch the game with ps1_newemu.self
**3 = relaunch the game with ps1_netemu.self (value 3 found inside ps1_emu.self)
If the value is different than 0 relaunch the game with a different emu.


if (cfg == 0)
==Patches==
    stay_netemu
====Disable Dithering====
Always set bit 9 in GP0 E1 command to 0. Patches apply to SPE PS1 GPU emulation program. Based on 4.86, but should be valid for all firmwares since 4.6x<br><br>
if (boot_not_from_disc_drive)
For ps1_emu.elf
    if (cfg & 2)
<pre>
        boot_newemu
search for: 23 EC A4 04 23 E3 3B 85 33 7E 26 00 32 05 86 00 0F 3D C6 11
   
replace to: 23 EC A4 04 23 E3 3B 85 33 7E 26 00 32 05 86 00 40 80 00 11
  if (boot_from_disc_drive)
</pre>
    if (cfg & 1)
        boot_ps1emu
    else
        stay_netemu
// Boot is considered to be from disc if argv with game path is empty. Which make 0x38 with param 0x01 inaccessible, because there is no way to start disc game with netemu in official way (excluding games that ps1_emu launch with 0x15 cmd to ps1_netemu).


=== Command 0x3B (netemu 4.83 up to 4.88) ===
For ps1_netemu.elf
PS1 SPU DMA related config. Seems to change some cycles calculation.
<pre>
*Default value: 0
search for: 7C 38 41 94 20 7F F4 94 0F 3D C6 3C 12 7F F3 8A
*Valid values: 0/1
replace to: 7C 38 41 94 20 7F F4 94 40 80 00 3C 12 7F F3 8A
</pre>


== Ps1_emu Commands Info ==
For ps1_newemu.elf
 
=== Command 0x15 (ps1emu 4.83 up to 4.88) ===
*Valid values found:
**3 (launch game using ps1_netemu)
**Different values are ignored
 
== Ps1_newemu Commands Info ==
 
=== Command 0x18 (ps1newemu 4.83 up to 4.88) ===
Supposed to launch game using different emulator, but all paths do nothing.
*Valid values found:
**3 (Do nothing, but with print! [https://imgflip.com/i/7x4j2p 1])
**Different values do nothing
 
== Known bugs ==
 
=== ps1_netemu.elf ===
==== Cdr int reads with nonstandard index ====
Emulator ignore interrupt flag register and interrupt enable register reads if cdrom index is 2, or 3. Reads like that are undocummented behavior, but confirmed to be successful on real hardware. Also Nocash docs, and Duckstation source handle that correctly, and i remember there are games which used that.
 
0xD81F0 read_0x1F801803:
0xD81F0  lwz      r0, (.1F801800 - 0x2E8480)(r8)
0xD81F4  clrlwi    r0, r0, 30        # cdrom.index & 3
0xD81F8  cmpwi    cr7, r0, 0        # cdrom.index = 0
0xD81FC  beq      cr7, read_interrupt_enable_register
0xD8200  cmpwi    cr7, r0, 1        # cdrom.index = 1
0xD8204  beq      cr7, read_interrupt_flag_register
0xD8208  li        r3, 0            # return 0 if index was 2 or 3
0xD820C  lwz      r7, off_1BC0D4
0xD8210  clrldi    r3, r3, 32
0xD8214  dcbt      0, r7
0xD8218  blr
 
This can be fixed by simple patch from
0xD81F4  clrlwi    r0, r0, 30  #hex 54 00 07 BE
0xD8264  clrlwi    r0, r0, 30  #hex 54 00 07 BE
to
0xD81F4  clrlwi    r0, r0, 31  #hex 54 00 07 FE
0xD8264  clrlwi    r0, r0, 31  #hex 54 00 07 FE
This change cdrom.index & 3, into cdrom.index & 1. This way index 2, and 3 will be respected as 0, and 1. Sadly there is no easy hex pattern, so patch need to be done manually. Memory offsets for 4.86.
 
==== Bad encoding of malformed conditional branch 0 ====
Emulator don't ignore few bits, and expect they are 0. While real hardware seems to don't care about them.
<pre>
<pre>
  31..26 |25..21|20..16|15..11|10..6 | 5..0  |
search for: 20 7F FD 4C 23 9D C5 85 32 05 B2 80 12 05 B2 0B 0F 3D C6 58
  6bit | 5bit | 5bit | 5bit | 5bit |  6bit  |
replace to: 20 7F FD 4C 23 9D C5 85 32 05 B2 80 12 05 B2 0B 40 80 00 58
  -------+------+------+------+------+--------+------------
  000001 | rs  | 0XXX0| <--immediate16bit--> | bltz
  000001 | rs  | 0XXX1| <--immediate16bit--> | bgez
  000001 | rs  | 1XXX0| <--immediate16bit--> | bltzal
  000001 | rs  | 1XXX1| <--immediate16bit--> | bgezal
</pre>
</pre>


Problem start when bits 17,18,19 are not zero. Emulator don't clear those bits, and explicitly check only for 0x0,0x1,0x10,0x11.
Patch for rpcs3 (newemu only) for testing purpose.
<pre>
<pre>
r24 hold 20..16 bits extracted from opcode.
Version: 1.2


0x107958 bcondz_107958:                         # CODE XREF: r3000_opcode_table+12C↑j
SPU-f3d8be702bf4cb8545656e37c29fcc6201a57991:
0x107958                cmpwi     cr7, r24, 1  # jumptable 001067D4 case BcondZ
  "Disable Dithering":
0x10795C                beq       cr7, loc_107E98
     Games:
0x107960                cmplwi    cr7, r24, 1
       All:
0x107964                blt      cr7, loc_107E78
        All: [ All ]
0x107968                cmpwi     cr7, r24, 0x10
    Author: "kozarovv"
0x10796C                beq      cr7, loc_1082A4
     Patch Version: 1.0
0x107970                cmpwi     cr7, r24, 0x11
     Patch:
0x107974                beq       cr7, loc_10821C
       - [ be32, 0xFB0, 0x40800058 ]
</pre>
</pre>
Correct solution here will be patch to AND r24 with 0x11 first, to clear meaningless bits before comparison.
This is reason why emulator fail this "Branch Advance" CPU test: https://emulation.gametechwiki.com/index.php/PS1_Tests#CPU . Possibly standard "Branch" test is failed for the same reason.


== GTE commands ==
==Psxtract==
I updated psxtract to support proper subchannel data extraction for single, and multi discs.
Based on most feature rich version from https://github.com/DeadlySystem/psxtract-2 github. Since i don't have github anymore, i think this is good place to share it.
Only Windows version is updated! Linux code is not touched (i have no way to test).
Please mirror or even make pr on github if that's prefered.


List of GTE commands is available at 0x001B345C in ps1_netemu 4.86. List include following data {CommandFunctionOPD, Cycles}.
* Download (source plus exe): https://www.mediafire.com/file/ytg875p1a6ph89f/psxtract-2-master.zip/file
Emulator handle only commands listed below (CMD, addr in emu).


<pre>
== ps1_rom.bin ==
.GTE_RTPS 0xC4500
 
.GTE_MVMVA 0xC4C00
This file can be replaced by any ps1 rom image (incl. DTL models), and by most of PS2 rom images (maybe by all, deckard models untested). Replacing to bios from PS1 restore Sony logo at start up. That also should allow to run ps1 menu alone, but that's untested. Props to Jabu, iirc he figured out running Sony startup screen ages ago.  
.GTE_SQR_sf 0xC5168
Emulator have bug (netemu at least), that load whole 4MB file. They probably not changed that after stripping file from 4MB to 512KB. So any PS1/PS2(no deckard) bios image can be used unless is 4MB or less. All of that load games just fine.
.GTE_NCLIP 0xC527C
 
.GTE_AVSZ3 0xC5338
=== Possible Cobra implementation issues ===
.GTE_AVSZ4 0xC5420
Every CFW which use cobra module potentially can be affected by nasty bug that is there probably even before 7.00.<br>
.GTE_OP_sf 0xC5518
So the deal is patch in cobra that allow skip region check, example based on ps1_emu.  
.GTE_GPF_sf 0xC5678
 
.GTE_GPL_sf 0xC58C8
<pre>SprxPatch ps1_emu_patches[] =
.GTE_RTPT 0xC6288
{
.GTE_NCT 0xC7710
{ ps1_emu_get_region_offset, LI(R29, 0x82), &condition_true }, /* regions 0x80-0x82 bypass region check. */
.GTE_NCS 0xC8AD8
{ 0 }
.GTE_CC 0xC91E8
};
.GTE_NCCT 0xC9748
.GTE_NCCS 0xCADF8
.GTE_DCPL 0xCB5F8
.GTE_DPCS 0xCBAD8
.GTE_CDP 0xCBF80
.GTE_NCDT 0xCC760
.GTE_NCDS 0xCE5F8
.GTE_INTPL 0xCF078
.GTE_DPCT 0xCF540
</pre>
</pre>


== CD Drive Commands ==
While patch actually skip region check, is also skipping part of code where region of ps3 is stored for future usage. And probably set whole emulation to JPN<br>
This can be important because function that cobra patch, probably is responsible for selecting region of ps1_rom. <br>
There is a string in emulator JJJJAEJEAEJJEJJA which seems to be selector for bios/rom region based on target ID ([[Product_Code]]).
<pre>J    J    J    J    A    E    J    E    A    E    J    J    E    J    J    A
0x80 0x81 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8A 0x8B 0x8C 0x8D 0x8E 0x8F</pre>


List of CD commands is available at 001B365C in ps1_netemu 4.86. List include following data {Respond INT count (minus INT3), CMD_nr, Function OPD}. Emulator handle only commands listed below (CMD, addr in emu).
Hard patch to 0x82 potentially lead to known PAL games frame pacing issues, and to desynced audio, and maybe more. While i can't test that i'm 100% sure that better solution here will be read third character of Title ID from SYSTEM.CNF file of disc/iso, and then patching same place with<br> ps1_emu_get_region_offset, LI(R29, title_id_based_region), &condition_true . <br>
Generally if title have E then patch to ANY EU target ID, similar for US, for titles where U or E isn't found just use default J target ID.
Above is based on static elf analyse, so i can't tell 100% that is an issue, but it looks like it in emu code.


<pre>
* Is that patch being applied every time, even on the PAL region console? I have never noticed any issues and I was playing the PAL games mostly. The only thing I noticed is the slowed and pitched down licence screen when the PAL game is launched through the ps1_netemu. --[[User:Agrippa|Agrippa]] ([[User talk:Agrippa|talk]]) 17:40, 6 January 2022 (UTC)
.cdr_cmd_Sync 0xD8290
* Ok, I have tested the Ape Escape PAL menu theme. There is neither any slowdown, nor pitch difference using either ps1_emu or ps1_netemu. As far as I know, no games are affected, because there are no multi region PS1 games ever released. As the video mode is set before the boot, everything seems to be ok. The cracktros are affected though, because they read that 0xBFC7FF52 offset to determine the video mode, causing the audio to be slower indeed. And it seems the ps1_netemu has got an internal audio pitch compensation, as the licence screen is pitched down (and every cracktro too). The proper patch is needed for the sake of completeness. --[[User:Agrippa|Agrippa]] ([[User talk:Agrippa|talk]]) 18:51, 1 February 2022 (UTC)
.cdr_cmd_Reset 0xD8368
.cdr_cmd_Test 0xD8478
.cdr_cmd_Getparam 0xD8798
.cdr_cmd_Setmode 0xD8918
.cdr_cmd_Init 0xDBC48
.cdr_cmd_MotorOn 0xDD0C0
.cdr_cmd_SeekP 0xDD3D0
.cdr_cmd_Play 0xDD67C
.cdr_cmd_ReadS 0xDD8E8
.cdr_cmd_Backward 0xDDBD0
.cdr_cmd_Pause 0xDDF58
.cdr_cmd_GetTD 0xDE1F8
.cdr_cmd_Getstat 0xDE598
.cdr_cmd_GetlocP 0xDE728
.cdr_cmd_ReadN 0xDEDD0
.cdr_cmd_SetSession 0xDF130
.cdr_cmd_Mute 0xDF970
.cdr_cmd_SeekL 0xDFBAC
.cdr_cmd_Setloc 0xDFE58
.cdr_cmd_Demute 0xE03E0
.cdr_cmd_Setfilter 0xE0618
.cdr_cmd_Forward 0xE0878
.cdr_cmd_GetlocL 0xE0B98
.cdr_cmd_Stop 0xE0FF0
.cdr_cmd_GetTN 0xE1298
.cdr_cmd_GetID 0xE1544
.cdr_cmd_ReadTOC 0xE1C58
 
Commands 0x17, 0x18, 0x1D are handled as cmd_Sync. Commands above 0x1E seems to be not supported.
</pre>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)