PS2 Emulation: Difference between revisions
(32 intermediate revisions by 6 users not shown) | |||
Line 17: | Line 17: | ||
==PS2 emulators workload comparison== | ==PS2 emulators workload comparison== | ||
{{PS2 emulators workload comparison}} | {{PS2 emulators workload comparison}} | ||
==PS2 Emulator Types and Revisions== | ==PS2 Emulator Types and Revisions== | ||
Line 482: | Line 480: | ||
===Video Modes=== | ===Video Modes=== | ||
'''Note:''' Real PS2 : http://users.neoscientists.org/~blue/ps2videomodes.txt | '''Note:''' Real PS2 : https://web.archive.org/web/20180802152820/http://users.neoscientists.org/~blue/ps2videomodes.txt | ||
Video Modes | Video Modes | ||
Line 944: | Line 942: | ||
===ps2_netemu.self=== | ===ps2_netemu.self=== | ||
Support for USB devices seems to be limited comparing to other available emulators. Although PS2 side of USB subsystem seems to be fully implemented. IOP emulator in SPU handle USB HW registers addresses and generate interrupt for PPU which later handle RW to mentioned registers in similar fashion to ps2_emu/ps2_gxemu. PS2 side of things can be disabled/enabled using one byte, when disabled USB writes are ignored, and USB reads return 0. Initial state is unknown. Emulator seems to accept HID controllers and use them as DS3. | |||
<br/><br/> | |||
Supported devices: | |||
#BD Remote Control | #BD Remote Control | ||
#PLAYSTATION(R)3 Controller (Vendor ID 0x54C, Product ID 0x268), | #PLAYSTATION(R)3 Controller (Vendor ID 0x54C, Product ID 0x268), | ||
Line 957: | Line 958: | ||
#PS3 Dance Dance Revolution Dance Pad - not ps2 accessory, opposite arrows can't be pressed at the same time. | #PS3 Dance Dance Revolution Dance Pad - not ps2 accessory, opposite arrows can't be pressed at the same time. | ||
#Pop'N Music controllers - Require PS2 to USB converter. Wrong button mappings can be fixed by remap in config file. | #Pop'N Music controllers - Require PS2 to USB converter. Wrong button mappings can be fixed by remap in config file. | ||
#Retro-Bit Official SEGA Mega Drive USB 6-Button Controller. Mapped for PS3 already and also works with this emulator. Lacks analogue sticks and shoulder buttons. | |||
==BIOS== | ==BIOS== | ||
Line 1,274: | Line 1,276: | ||
In PS2 Emulator same Title IDs are present with following information: | In PS2 Emulator same Title IDs are present with following information: | ||
SLPS25200 FINAL FANTASY XI : | SLPS25200 FINAL FANTASY XI : 0x00000001 | ||
SCUS97269 FINAL FANTASY XI : | SCUS97269 FINAL FANTASY XI : 0x00000003 | ||
SLPM65981 Front Mission Online : | SLPM65981 Front Mission Online : 0x00000001 | ||
SLPM65197 Nobunagas Ambition Online : | SLPM65197 Nobunagas Ambition Online : 0x00000002 (return different value in IOP SPEED 0x10000004 read (2 instead of default 3) ) | ||
==Emulators management from GameOS== | ==Emulators management from GameOS== | ||
Line 1,288: | Line 1,290: | ||
Vector at 0xC00 address. | Vector at 0xC00 address. | ||
0x00 - | 0x00 - | ||
0 = | 0 = return ((unk from 0x1C30/0x1C38 << 56) | thread_number << 48 | ctrl_CT1 (in bit 30) | srr1_EE (in bit 15) | srr1_PS (in bit 14) | srr1_DR (in bit 4)) | ||
Where 0x1C30/0x1C38 is selected depending on current HW thread. | |||
Thread number is current SW thread | |||
ctrl_CT1 is lower bit of CT (Current Thread) from PPC Control Register (0 for HW0, 1 for HW1) | |||
srr1_EE is MSR Enable External Interrupts bit from time when exception occurred (from before syscall was executed) | |||
srr1_PS is MSR Problem State bit from time when exception occurred (from before syscall was executed) | |||
srr1_DR is MSR Data Relocate bit from time when exception occurred (from before syscall was executed) | |||
1 = 0x132 lv1 panic | 1 = 0x132 lv1 panic | ||
2 = 0x133 lv1 panic | 2 = 0x133 lv1 panic | ||
Line 1,294: | Line 1,302: | ||
4 = 0x135 lv1 panic | 4 = 0x135 lv1 panic | ||
else = 0x136 lv1 panic | else = 0x136 lv1 panic | ||
0x02 - Destroy init code and perform illegal instructions check. Memzero following addresses: | |||
CODE: 0x16000 - 0x20B80 | |||
DATA: 0x930F80 - 0x933F80 | |||
UNK: 0x3D016000 - 0x3D020B80 | |||
0x03 - Enable additional code related to VU0/COP2. | 0x03 - Enable additional code related to VU0/COP2. | ||
3 = Patch 0x186C10 to NOP | 3 = Patch 0x186C10 to NOP | ||
Line 1,300: | Line 1,311: | ||
anything else = LV1 panic | anything else = LV1 panic | ||
0x04 - Unknown. Available for HW0 only. | 0x04 - Unknown. Available for HW0 only. | ||
0x05 - External | 0x05 - External interrupts disable (48 bit in MSR). Returns previous MSR state. | ||
0x06 - External | 0x06 - External interrupts enable (48 bit in MSR) if param & 0x8000 is not 0, otherwise disable them. | ||
This sc is more like restore 48th bit of MSR, but many times emu use it to enable bit without using old state. | |||
Also, emulator panic LV1 if syscall is called while external interrupts are already enabled. | |||
0x0A - IPU emulation related syscall | 0x0A - IPU emulation related syscall | ||
0x0B - IPU emulation related syscall | 0x0B - IPU emulation related syscall | ||
0x0C - Used in PS2 COP0 MTC0/MFC0 r9/r25 (count/perf), decrementer/timing related, return value in r15. | 0x0C - Used in PS2 COP0 MTC0/MFC0 r9/r25 (count/perf), decrementer/timing related, return value in r15. | ||
Config CMD 0x17 disable that syscall for r9 (count) r/w, and alternative path is used. Perf r/w still use it. | Config CMD 0x17 disable that syscall for r9 (count) r/w, and alternative path is used. Perf r/w still use it. | ||
0x0E - PS2 counters/timers related (also used on vsync related functions). | |||
0x0F - PS2 counters/timers related (also used on vsync related functions). | |||
0x10 - lv1 panic. | 0x10 - lv1 panic. | ||
0x11 - Wrapper for lv1_read_virtual_uart(port_number, buffer, bytes) [HW0 only, only ports 0 and 2 available, else panic] | |||
0x12 - Wrapper for lv1_storage_send_device_command(dev_id, cmd_id, cmd_block, cmd_size, data_buffer, blocks) | |||
[HW0 only, Available only for threads: VRC, MECHA, HDD, else panic] | |||
params are rearranged: | |||
r3 = cmd_block (0x245E000 is added to this value internally) | |||
r4 = data_buffer (0x245E000 is added to this value internally) | |||
r5 = blocks | |||
dev_id is taken from 0x245D008 and it is 0(HDD) for my dump. | |||
cmd_id = 0x88 and cmd_size is 8. | |||
0x13 - Set thread info unknown byte to 1 for respective thread and set unknown byte to 1 in USB thread. | |||
[HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler] | |||
0x14 - Same as 0x13 but set all bits to 0 regardless which thread called it. | |||
[HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler] | |||
0x1002 - Invalidate gpu hvcalls. | 0x1002 - Invalidate gpu hvcalls. | ||
0x800000XX - HV Syscall where XX is syscall nr. | 0x800000XX - HV Syscall where XX is syscall nr. | ||
Line 1,392: | Line 1,420: | ||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- bgcolor="#cccccc" | |- bgcolor="#cccccc" | ||
! Name !! Auth ID !! Self<br />(/dev_flash/ps2emu) !! Notes | ! Name !! Auth ID !! Self<br />(/dev_flash/ps2emu) !! SM Ability Mask !! Notes | ||
|- | |- | ||
| PS2_LPAR || 0x1020000003000001 || rowspan="2" | ps2_emu.self || | | PS2_LPAR || 0x1020000003000001 || rowspan="2" | ps2_emu.self || rowspan="2" | 0x201226D || rowspan="2" | | ||
|- | |- | ||
| *SCE_CELLOS_SYSTEM_MGR_PS2 || 0x107000001D000001 | | *SCE_CELLOS_SYSTEM_MGR_PS2 || 0x107000001D000001 | ||
|- | |- | ||
| PS2_GX_LPAR || 0x1020000003000001 || rowspan="2" | ps2_gxemu.self || | | PS2_GX_LPAR || 0x1020000003000001 || rowspan="2" | ps2_gxemu.self || rowspan="2" | 0x201226D || rowspan="2" | | ||
|- | |- | ||
| *SCE_CELLOS_SYSTEM_MGR_PS2_GX || 0x107000001D000001 | | *SCE_CELLOS_SYSTEM_MGR_PS2_GX || 0x107000001D000001 | ||
|- | |- | ||
| PS2_SW_LPAR || 0x1020000003000001 || rowspan="2" | ps2_softemu.self || | | PS2_SW_LPAR || 0x1020000003000001 || rowspan="2" | ps2_softemu.self || rowspan="2" | 0x201226D || rowspan="2" | | ||
|- | |- | ||
| *SCE_CELLOS_SYSTEM_MGR_PS2_SW || 0x107000001D000001 | | *SCE_CELLOS_SYSTEM_MGR_PS2_SW || 0x107000001D000001 | ||
|- | |- | ||
| PS2_NE_LPAR || 0x1020000003000001 || rowspan="2" | ps2_netemu.self || | | PS2_NE_LPAR || 0x1020000003000001 || rowspan="2" | ps2_netemu.self || rowspan="2" | 0x412265 || rowspan="2" | Netemu additional SM abilities: | ||
* 0x00400000 = Reboot into netemu LPAR (using opcode 0x8204). | |||
Missing SM abilities when compared to other ps2 emus: | |||
* 0x00000008 = Reboot into PS2/GX/SOFT LPAR (using opcode 0x8202). | |||
* 0x02000000 = Unknown, seems to be unused by current system manager. | |||
|- | |- | ||
| *SCE_CELLOS_SYSTEM_MGR_PS2_NE || 0x107000001D000001 | | *SCE_CELLOS_SYSTEM_MGR_PS2_NE || 0x107000001D000001 | ||
|- | |- | ||
|} | |} | ||
Note: All PS2 emulator lack 0x00000100 ability, thus can't get/set fan speed without LV1 patch. | |||
===Getting compatibility hardware info=== | ===Getting compatibility hardware info=== | ||
Line 1,433: | Line 1,466: | ||
In short, the "game configs" can modify the game image (by patching it) and can be used to configure the virtual PS2 (the emulated machine). And can be loaded from hardcoded data (inside the .self) or from an external file (this feature is supported only by ps2_netemu.self). Maximum CONFIG size for ps2_netemu is 16384 bytes. | In short, the "game configs" can modify the game image (by patching it) and can be used to configure the virtual PS2 (the emulated machine). And can be loaded from hardcoded data (inside the .self) or from an external file (this feature is supported only by ps2_netemu.self). Maximum CONFIG size for ps2_netemu is 16384 bytes. | ||
===Config Commands=== | ===Config Commands=== | ||
Below is a brief summary table with basic info about available config commands. <br> | |||
Detailed commands description can be found here: '''[[PS2_Emulation/PS2_Config_Commands|PS2 Config Commands]]'''. <br> | |||
If you want to read some speculation and brainstorming about them, please join the {{talk}} page. <br> | |||
If you want to read some speculation and brainstorming about them, please join the {{talk}} page | |||
{| class="wikitable" style="font-size:85%; line-height:100%; text-align:center" | {| class="wikitable" style="font-size:85%; line-height:100%; text-align:center" | ||
Line 1,468: | Line 1,493: | ||
| colspan="3" | ? | | colspan="3" | ? | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} | ! {{cellcolors|#fff|#000}} Skip r5900 CACHE IXIN/IHIN opcodes | ||
| 0x02 || 0x02 || 0x03 | | 0x02 || 0x02 || 0x03 | ||
| 1 || style="text-align:left" | 0 | | 1 || style="text-align:left" | 0 | ||
Line 1,478: | Line 1,503: | ||
| colspan="3" | ? | | colspan="3" | ? | ||
|- | |- | ||
! {{cellcolors|#bd5|#000}} | ! {{cellcolors|#bd5|#000}} Alternative VIF1 DIRECT/DIRECTHL handler | ||
| 0x04 || 0x04 || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x05</abbr> | | 0x04 || 0x04 || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x05</abbr> | ||
| 1 || style="text-align:left" | 0 | | 1 || style="text-align:left" | 0 | ||
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | | colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} | ! {{cellcolors|#fff|#000}} Alternative VIF1 OFFSET handler | ||
| 0x05 || 0x05 || 0x06 | | 0x05 || 0x05 || 0x06 | ||
| 1 || style="text-align:left" | 0 | | 1 || style="text-align:left" | 0 | ||
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | | colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | ||
|- | |- | ||
! {{cellcolors|#c96|#000}} Delay | ! {{cellcolors|#c96|#000}} Delay VU1 xgkick by X cycles | ||
| 0x06 || 0x06 || 0x07 | | 0x06 || 0x06 || 0x07 | ||
| 1 || style="text-align:left" | uint32_t | | 1 || style="text-align:left" | uint32_t | ||
| colspan="3" {{cellcolors|#c96|#000|center}} <abbr title="2=2cycles, 4=4cycles, 8=8cycles">cycles</abbr> | | colspan="3" {{cellcolors|#c96|#000|center}} <abbr title="2=2cycles, 4=4cycles, 8=8cycles">cycles</abbr> | ||
|- | |- | ||
! {{cellcolors|#c96|#000}} Patch | ! {{cellcolors|#c96|#000}} Patch VU1 memory by <abbr title="two bit masks for original and patched data">bitmask</abbr> | ||
| 0x07 || 0x07 || 0x08 | | 0x07 || 0x07 || 0x08 | ||
| 3 || style="text-align:left" | 8 * uint32_t | | 3 || style="text-align:left" | 8 * uint32_t | ||
| colspan="3" {{cellcolors|#c96|#000|center}} <abbr title="read mask, read mask, original opcode, original opcode, write mask, write mask, replace opcode, replace opcode">MASK</abbr> | | colspan="3" {{cellcolors|#c96|#000|center}} <abbr title="read mask, read mask, original opcode, original opcode, write mask, write mask, replace opcode, replace opcode">MASK</abbr> | ||
|- | |- | ||
! {{cellcolors|#9f9|#000}} Patch EE memory | ! {{cellcolors|#9f9|#000}} Patch EE memory 64 bit | ||
| 0x08 || 0x08 || 0x09 | | 0x08 || 0x08 || 0x09 | ||
| <abbr title="command">1</abbr>→<abbr title="list">32</abbr> || style="text-align:left" | uint32_t + LIST | | <abbr title="command">1</abbr>→<abbr title="list">32</abbr> || style="text-align:left" | uint32_t + LIST | ||
| {{cellcolors|#9f9|#000|center}} <abbr title="amount of patches in the LIST">count</abbr> || colspan="2" {{cellcolors|#9f9|#000|center}} <abbr title="offset, original opcode, original opcode, replace opcode, replace opcode">LIST</abbr> | | {{cellcolors|#9f9|#000|center}} <abbr title="amount of patches in the LIST">count</abbr> || colspan="2" {{cellcolors|#9f9|#000|center}} <abbr title="offset, original opcode, original opcode, replace opcode, replace opcode">LIST</abbr> | ||
|- | |- | ||
! {{cellcolors|#9f9|#000}} Patch EE memory | ! {{cellcolors|#9f9|#000}} Patch EE memory 32 bit | ||
| {{NA}} || {{NA}} || 0x0A | | {{NA}} || {{NA}} || 0x0A | ||
| <abbr title="command">1</abbr>→<abbr title="list">32</abbr> || style="text-align:left" | uint32_t + LIST | | <abbr title="command">1</abbr>→<abbr title="list">32</abbr> || style="text-align:left" | uint32_t + LIST | ||
Line 1,533: | Line 1,558: | ||
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr> | | {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr> | ||
|- | |- | ||
! {{cellcolors|#f93|#000}} | ! {{cellcolors|#f93|#000}} FPU accurate MUL/DIV range | ||
| 0x0E || 0x0E || 0x10 | | 0x0E || 0x0E || 0x10 | ||
| 32 || style="text-align:left" | 2 * uint32_t | | 32 || style="text-align:left" | 2 * uint32_t | ||
Line 1,543: | Line 1,568: | ||
| colspan="3" {{cellcolors|#f93|#000|center}} <abbr title="min 0x000, max 0xFF8">offset</abbr> | | colspan="3" {{cellcolors|#f93|#000|center}} <abbr title="min 0x000, max 0xFF8">offset</abbr> | ||
|- | |- | ||
! {{cellcolors|#588|#fff}} | ! {{cellcolors|#588|#fff}} VU0/COP2 multi cmd | ||
| 0x10 || 0x10 || 0x12 | | 0x10 || 0x10 || 0x12 | ||
| <abbr title="command">1</abbr>→<abbr title="list">63</abbr> || style="text-align:left" | uint32_t + LIST | | <abbr title="command">1</abbr>→<abbr title="list">63</abbr> || style="text-align:left" | uint32_t + LIST | ||
Line 1,553: | Line 1,578: | ||
| colspan="3" {{cellcolors|#dda|#000|center}} time ? | | colspan="3" {{cellcolors|#dda|#000|center}} time ? | ||
|- | |- | ||
! {{cellcolors|#f93|#000}} VU1 | ! {{cellcolors|#f93|#000}} Alternative VU1 ADD/SUB | ||
| 0x12 || 0x12 || 0x14 | | 0x12 || 0x12 || 0x14 | ||
| 1 || style="text-align:left" | 0 | | 1 || style="text-align:left" | 0 | ||
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | | colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} | ! {{cellcolors|#fff|#000}} Patch IOP SPE program | ||
| 0x13 || 0x13 || 0x15 | | 0x13 || 0x13 || 0x15 | ||
| 1 || style="text-align:left" | uint32_t | | 1 || style="text-align:left" | uint32_t | ||
| colspan="3" | | | colspan="3" | 2 or higher | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} Unknown | ! {{cellcolors|#fff|#000}} Unknown | ||
Line 1,568: | Line 1,593: | ||
| colspan="3" | ? | | colspan="3" | ? | ||
|- | |- | ||
! {{cellcolors|#9cf|#000}} COP0 | ! {{cellcolors|#9cf|#000}} Alternative COP0 MTC0/MFC0 Count ($9) handler | ||
| 0x15 || 0x15 || 0x17 | | 0x15 || 0x15 || 0x17 | ||
| 1 || style="text-align:left" | uint8_t ? | | 1 || style="text-align:left" | uint8_t ? | ||
Line 1,583: | Line 1,608: | ||
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | | colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} | ! {{cellcolors|#fff|#000}} End fromIPU DMA transfer on BCLR command | ||
| 0x17 || 0x18 || 0x1A | | 0x17 || 0x18 || 0x1A | ||
| 1 || style="text-align:left" | 0 | | 1 || style="text-align:left" | 0 | ||
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | | colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} | ! {{cellcolors|#fff|#000}} IPU IDEC Hack | ||
| 0x18 || 0x19 || 0x1B | | 0x18 || 0x19 || 0x1B | ||
| 1 || style="text-align:left" | 0 | | 1 || style="text-align:left" | 0 | ||
Line 1,608: | Line 1,633: | ||
| colspan="3" | ? | | colspan="3" | ? | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} | ! {{cellcolors|#fff|#000}} Enable VIF0 cmds MSXXX/MPG/FLUSHE timings. | ||
| 0x1C || 0x1C || 0x1F | | 0x1C || 0x1C || 0x1F | ||
| 1 || style="text-align:left" | uint32_t | | 1 || style="text-align:left" | uint32_t | ||
| colspan="3" | | | colspan="3" | Initial cycles to run | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} Set something | ! {{cellcolors|#fff|#000}} Set something | ||
Line 1,628: | Line 1,653: | ||
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | | colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} | ! {{cellcolors|#fff|#000}} Snowblind Engine hack | ||
| 0x1F || 0x20 || 0x23 | | 0x1F || 0x20 || 0x23 | ||
| 1 || style="text-align:left" | 0 | | 1 || style="text-align:left" | 0 | ||
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | | colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | ||
|- | |- | ||
! {{cellcolors|#ddf|#000}} | ! {{cellcolors|#ddf|#000}} SIO2 Delay | ||
| 0x20 || 0x21 || 0x24 | | 0x20 || 0x21 || 0x24 | ||
| 1 || style="text-align:left" | uint64_t | | 1 || style="text-align:left" | uint64_t | ||
Line 1,658: | Line 1,683: | ||
| colspan="3" | ? | | colspan="3" | ? | ||
|- | |- | ||
! {{cellcolors|#aaf|#000}} CDVD | ! {{cellcolors|#aaf|#000}} CDVD seek timing | ||
| 0x25 || 0x26? || 0x29 | | 0x25 || 0x26? || 0x29 | ||
| 1 || style="text-align:left" | 2 * uint32_t | | 1 || style="text-align:left" | 2 * uint32_t | ||
Line 1,668: | Line 1,693: | ||
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | | colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing'' | ||
|- | |- | ||
! {{cellcolors|#aaf|#000}} | ! {{cellcolors|#aaf|#000}} Enable CDDA hack <abbr title="PS2 MECHACON related">(CDVD)</abbr> | ||
| 0x27? || 0x28 || 0x2B | | 0x27? || 0x28 || 0x2B | ||
| 1 || style="text-align:left" | 0 | | 1 || style="text-align:left" | 0 | ||
Line 1,688: | Line 1,713: | ||
| colspan="3" | ? | | colspan="3" | ? | ||
|- | |- | ||
! {{cellcolors|#fff|#000}} | ! {{cellcolors|#fff|#000}} SPU2 multi cmd. | ||
| 0x2B || {{NA}} || 0x2F | | 0x2B || {{NA}} || 0x2F | ||
| 1 || style="text-align:left" | uint32_t | | 1 || style="text-align:left" | uint32_t | ||
Line 1,809: | Line 1,834: | ||
|} | |} | ||
===Config file examples (for netemu)=== | |||
====Official PS2 Classic==== | |||
See: [[PS2 Official Configs]] | |||
====Official GXEMU/SOFTEMU extracted==== | |||
See: [[PS2 Official Configs]] | |||
==== Custom Configs ==== | |||
See: [[PS2 Custom Configs]] | |||
===Config data examples (hardcoded)=== | |||
====Inside ps2_emu.self==== | |||
Embedded patches are based on Checksum/Hash of title. ps2_emu is only emulator version where patches are described inside self file in ascii. Known patch types described in ascii are: Patch data, new SPU2 params, and Setting mecha HACK to show GODZCD as GODZCDDA. | |||
{| class="wikitable sortable" | |||
{| class="wikitable" | ! PS2 Title !! Hash !! Game !! Patch Type !! Data | ||
|- | |- | ||
| SCUS_971.46|| 0x6B1ADE00D||Disney's Treasure Planet || Patch data - Fixes black screen at start, it apply to STREAM_D.IRX file in IOP folder. || 0x147C (sector) , 0x580 (offset) (- 0xC on disc) | |||
| | Replace opcodes | ||
00 01 01 3C lui at,0x0100 | |||
| | 80 BF 03 3C lui v1,0xBF80 | ||
| | C8 10 63 8C lw v1,0x10C8(v1) | ||
24 18 61 00 and v1,at | |||
| | FB FF 61 10 beq v1,at, -0x10 | ||
00 00 00 00 nop | |||
|- | |||
| | |||
| | |||
Original opcodes | |||
FF FF 01 24 li at,-0x1 | |||
04 00 61 14 bne at,v1, +0x14 | |||
00 80 01 3C lui at,0x8000 | |||
02 00 41 14 bne at,v0, +0x0C | |||
00 00 00 00 nop | |||
0D 00 06 00 break | |||
|- | |- | ||
| | |SLUS_201.74 ||0x23D92589C5|| Rumble Racing || Patch data - fixes black screen after Playstation 2 logo. Patch apply to AUDIO.IRX file in MODULES folder || 0x3AEDA (sector), 0x120 (offset) | ||
Replace opcodes | |||
06 00 80 14 bnez a0, +0x1C | |||
21 20 43 00 addu a0,v0,v1 | |||
21 10 A0 00 move v0,a1 | |||
02 00 A0 14 bnez a1, +0x0C | |||
00 00 00 00 nop | |||
01 00 05 24 li a1,0x1 | |||
EB FF 40 10 beqz v0, -0x50 | |||
04 00 84 24 addiu a0,0x4 | |||
FC FF 90 24 addiu s0,a0,-0x4 | |||
Original opcodes | |||
07 00 80 14 bnez a0, +0x20 | |||
21 80 43 00 addu s0,v0,v1 | |||
21 10 A0 00 move v0,a1 | |||
02 00 A0 14 bnez a1, +0x0C | |||
00 00 00 00 nop | |||
01 00 05 24 li a1,0x1 | |||
FC FF 40 10 beqz v0, -0x0C | |||
00 00 00 00 nop | |||
04 00 04 26 addiu a0,s0,0x4 | |||
|- | |- | ||
| | |SLUS_211.96||0x24D92589D5|| Indigo Prophecy || new SPU2 params || 1 | ||
|- | |- | ||
| | |SLPM_661.93||0x608634992D|| <abbr title="https://www.gamefaqs.com/ps2/544598-indigo-prophecy/data">Fahrenheit (NTSC-J)</abbr> || new SPU2 params || 1 | ||
|- | |- | ||
| | |SLUS_212.96||0x5CA15DF14D|| Dance Factory ||Setting mecha HACK to show GODZCD as GODZCDDA || | ||
|} | |||
====Inside ps2_gxemu.self/ps2_softemu.self==== | |||
There are hundreds of configs hidden in ps2_gxemu, and ps2_softemu self files. Internal config structure is basing on custom hash based on Title ID, internal memory offset pointing to place where true patch instruction is, and count of used commands. When disc/iso is started emulator search for configs, and if config for selected ID exist, then emulator apply it by itself. Is not perfect way of applying patches, because some games use the same ID, but different content. Good example here is Star Wars Battlefront II SLUS-21240, where some versions of game can refuse to work because it apply bad patch. | |||
{| class="wikitable sortable" | |||
! PS2 Title !! Hash !! Game !! Patch Type !! Data | |||
|- | |- | ||
| | | || || || || | ||
|} | |||
| | |||
| | ==Known Emulation Bugs== | ||
This list known bugs inside emulator code that make emulation inaccurate. Since those are only EE side bugs for now, ps2_gxemu/ps2_netemu/ps_softemu share the same issues. | |||
{| class="wikitable sortable" | |||
! Bug !! Description !! Known Affected Games | |||
|- | |- | ||
| | | Missing Emotion Engine Data Cache emulation || Emulating that is literally not possible without making games run at 3 fps. Fixed by patches to game image, or EE code. Instruction Cache (not Data) seems to be implemented, at least partially. || Ice Age 2, DOA2: Extreme, Nascar 2009. | ||
|- | |- | ||
| | | Branch delay slot violation not supported on EE || Some games have Branch instruction inside Branch delay slots, this is not emulated correctly on EE (VU have proper emulation of that). This is patched in configs by rearangging MIPS code. || WRC 3,4,Rally Evolved, one of Action Replay discs. | ||
|- | |- | ||
| | | Unmapped write only EE memory (confirmed only for SIF) || Reads/Writes to 0x2000000+ shouldn't throw bus error on dma transfers. Write should be performed as successful, memory should stay unchanged. Reads should return 0. || Games developed by In Utero, while creating initial save file, send DMA where address is EE stack pointer. At the time of transfer start $sp is too high, and requested transfer size make MADR overflow above 0x2000000 at some point. This is game bug, and happen also on real hardware. Fixed by config. | ||
|- | |- | ||
| | | VIF bugs || There is no correct timing, and queuing for some VIF commands like MSCAL. || Snowblind Engine games. Probably more. | ||
|- | |- | ||
| | | XGKick is instant || Some games expect to XGKick happen few cycles in future, on PS3 is done instant. Fixed by config 0x07 which delay XGKick by selected value || WRC series, Wakeboarding Unleashed, TriAce games, World of Outlaws - Sprint Cars, Ty - The Tazmanian Tiger, dot Hack - G.U. series, and more | ||
|- | |- | ||
| | | COP2 instructions are instant || Some games rely on fact that COP2 operations can take some time, on PS3 emulators they are done instantly due to lack of correctly emulated pipeline Patched by rearranging mips code || FFX, FFX-2, Ghost in The Shell SAC, Ace Combat series, Sprint Cars 1/2, Black, Run Like Hell, Everblue 2, Dragon Quest - Shounen Yangus no Fushigi na Daibouken, and many more | ||
|- | |- | ||
| | | VU0 is not running in sync with EE core || VU0 is running program "at once", which mean that VU0 run until it hits E bit. From EE perspective it looks like whole VU0 program run in 1 cycle. Games that expect VU0 registers to be changed from EE side while VU0 is running are broken due to that. Partially resolved using 0x12 command with 2/3 subcommands, or by code rearranging.|| 24 The Game, ATV Quad Power Racing 2, Twisted Metal Head-On, Primal, Ghosthunter, Rayman Arena, Rayman 3, Largo winch. All games using M-bit. | ||
|- | |- | ||
| | | M-Bit not supported || Emulator ignore VU0 M-Bit, that cause issues for games that need it to work correctly. This is done because there is no way to sync correctly running VU0 without sync with EE. Partially resolved on emu using 0x12 command with 2/3 subcommands, or direct VU0/MIPS code rearranging. || Totally Spies! Totally Party, Mike Tyson Heavyweight Boxing, My Street, Crash Twinsanity, Marvel Nemesis, Panzer Elite Action - Fields of Glory, TriAce games (speed optimizations only), Super Monkey Ball Adventure, most Eko Software games, and many more. | ||
|- | |- | ||
| | | T-Bit not supported on VU0 || Emulator ignore VU0 T-Bit, that cause issues for games that need it to work. Note: T-Bit is correctly handled for VU1. || Spiderman 3 set T-Bit, then do cfc2 from TPC (address where VU0 stopped). Since T-Bit is ignored, TPC is wrong. Value is later copied to CMSAR0, and program continue at wrong address. Well that's what should happen, but T-Bit also not signalize correct bit in VPU-STAT. Causing another issue, also in Spiderman 3. | ||
|- | |- | ||
| | | Emulator do not update correct flag instances for COP2 while ending VU0 program on Ebit || This cause few games to read bad flag status (not status flag!) on COP2. This is resolved on emu by forcing update of MAC flag on every STATUS flag read (by config 0x12), this cause slowdowns creating a lot of unnecessary operations. || Driving Emotion Type-S, State of Emergency 2, The Getaway Black Monday. | ||
|- | |- | ||
| | | Not updated status flag when VDIV/VSQRT/VRSQRT is done on COP2 || Potential bad flag state can cause a lot of issues that are not related on first sight || Yanya Caballista (already patched by custom config) | ||
|- | |- | ||
| | | In corner cases emu select wrong block flags pipeline state (both VU0/EEonBE and VU1/VRC affected). || This can cause various issues, mostly SPS, missing graphic, specific slowdowns, etc. Issue seems to occur when branch/jump delay slot have opcode important for flags calculation. Theory is that cached microprogram don't include modified flags state from delay slot instruction. So when already recompiled program is fetched from pool, it will miss one cycle in fmac flags pipeline. This can be crucial in games that rely on it. || Tales of Legendia and Klonoa 2 set sticky flag bits to 0 and branch with sub.xyzw in delay slot (expecting that sub change status flag), Tamsoft engine games set sticky bits to 0 in branch delay slot, this was most ridiculous bug, because problematic branch was pointing to next opcode after delay slot, removing branch was enough. True Crime: NY is only known game where VU0 is affected by this bug. more.. | ||
|- | |- | ||
| | | CTC2 opcode write whole value to R register, while only 23 bits are writable. Rest is hardcoded to 0x3F800000. || Can cause many weird issues like broken physics, broken graphics. PCSX2 was also affected [[https://github.com/PCSX2/pcsx2/pull/6611 more]]. || The one game that is known to be affected, and is already patched, is Musashi: Samurai Legend. | ||
|- | |- | ||
| | | CFC2 from R register should return only 23 lower bits. || CFC2 from R on real PS2 return only lower 23 bits. Originally found out by PCSX2 team [[https://github.com/PCSX2/pcsx2/pull/8409 more]] and later confirmed to affect ps2_netemu in emu assembly. || There is only one game that is known to be affected, Onimusha Dawn of Dreams. | ||
|- | |- | ||
| | | Missing floating point result overflow/underflow detection (U/O flags not set) || Since this affect all units (FPU/VU), many issues can occur. But in reality it seems to not affect any games. While this is easier to implement than on x86 system (full floats range, compared to ieee754), there is no way to do that by hardware way. Because SPU add/sub don't set those flags on single precision operations, and vmx have them disabled in spu compatibility mode. || Superman Returns. | ||
|- | |- | ||
| | | DMA between SPR and VU1 memory cause emulator panic. || Currently cause is unknown. It seems that functions responsible for transfer don't check that VU is running. Manual state that dma can be performed only when VU is not active, and pcsx2 wait until VU end. Games affected in emulators on ps3 display this warning in pcsx2 if mtvu is enabled: "MTVU: SPR Accessing VU1 Memory". Affected games are fixed by rearranging code to do lq/sq loop instead of DMA. || Summoner 2 (SPRfrom to VU1 data mem), Kaena (SPRto from VU1 data mem). | ||
|- | |- | ||
| | | IOP SIF0/1 DMA IRQs can be disabled (masked), which is not true on real hardware. || IOP interrupts 0x2A and 0x2B should always trigger. Fixed by patches to IOP code. Ps2_emu seems to be unfacted, probably handled on real hw in CXD9208GP. || Knockout Kings 2001, DOA2: Hardcore. | ||
|} | |||
===Software emulation bugs=== | |||
Related to the GS emulation issues mostly. Apply to the ps2_netemu especially. | |||
| | {| class="wikitable sortable" | ||
! Bug !! Description !! Known Affected Games | |||
| | |||
| | |||
|- | |- | ||
| | | No mipmapping support || Emulator does ignore the mipmap layers, probably for performance reasons. It is processing only the level 0 texture base pointer specified in the TEX0 register. There are games writing garbage data into that memory area, when the mipmap level is different than zero. As a result, a garbled texture is shown instead of a correct one. || Ace Combat series, Ape Escape 2, EA Sports F1 series, Harry Potter series, ICO (psuedo volumetric rays), Jak and Daxter series, Nickelodeon Barnyard and Nicktoons Unite (very strange implementation), Ratchet and Clank series and more. | ||
| | |||
| | |||
|- | |- | ||
| | | SCANMSK register ignored || Emulator does ignore the SCANMSK setting responsible for restricting the drawing primitives on the odd or even lines. It is used as a fake transparency effect in some games by merging the two display circuits. || Metal Gear Solid series (water and reflection effects), Gran Turismo series (ghost cars), Raw Danger! (depth of field effect) | ||
|- | |- | ||
| | | Missing PCRTC feedback write support || PCRTC feature that writes back the image to the frame buffer is not supported or broken. Additional RGB to YCbCr conversion could be performed there. || Xenosaga Episode I: Der Wille zur Macht (black and white cut scenes) | ||
|- | |- | ||
|} | |} | ||
Line 3,294: | Line 2,608: | ||
* http://wiki.pcsx2.net/index.php/Category:Software_rendering_only_games | * http://wiki.pcsx2.net/index.php/Category:Software_rendering_only_games | ||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | {{Reverse engineering}}<noinclude> | ||
[[Category:Main]] | |||
</noinclude> |
Latest revision as of 18:26, 20 November 2024
Description[edit | edit source]
Emulation of Playstation 2 is currently handled by 3 kind of emulators. CECH-A/B models use ps2_emu.self able to use built-in PS2 hardware (EE/GS/Rambus memory), and have best compatibility. CECH-C/E use ps2_gxemu, this emulator use physical Graphic Synthesizer found in this ps3 model, but Emotion Engine is fully emulated here, also there is no Rambus memory. All other models emulate PS2 thru fully software based ps2_netemu used for ps2 classics, and hacked now to use decrypted ISO files. Earlier before Sony provided ps2 classics on PS Store there was another soft only emulator strongly based on ps2_gxemu. It was called ps2_softemu, and had support for original PS2 CDVD. Only emulator not able to run physical discs is ps2_netemu.
Emulators are self files, but not typical one. Emulators are not truly PS3 Game OS elf executables, but Guest OS'es running on LV1 of PS3. This mean that LV2, or more friendly Game OS is unloaded before emulator is loaded. This also mean that while emulators are running we can't call any LV2 function. Also LV1 syscalls are limited to call from all emulators, but can be fully unlocked.
All emulators use built-in stripped developement version of PS2 BIOS with disabled debug functions that can affect some games. This is done because some games print debug info on screen when found that are run on dev bios. Bios between ps2_emu, and ps2_gxemu/ps2_netemu are different. Ps2_emu BIOS is able to run only on ps2emu version of emulator due to RDRAM check.
PS3 models without Emotion Engine unit use "SPE-compatible SIMD graphics-rounding mode for VMX/Altivec Instructions" for FPU, and VU0 emulated floats calculations. This is set on emulator init by HV call 97 with param 1. VU1 actually run at SPE core so no compatibility mode need (or can) to be set. SPE compatible mode for PPE mean that rounding mode is set as round to zero, denormals are treated as zero, and there are no infinities or NaNs. So theoretically what PS2 FPU/VU was originally. Although SPE and PPE SPE compatibility mode is still inaccurate comparing to PS2, because Sony decided to cut off 2 guard bits from calculations on PS2. Probably because there was no need for round and sticky bits (no Nan/Inf, one round mode, etc.). Additionally float divide algorithm is custom and not fully understood up to this day. Good example here are TriAce games, or Castlevania COD where SPE calculation is wrong by 1 bit making games unplayable without patch. This are PS2 math algo specific inaccuracies in FPU/VU implementation that are not present on any other hardware.
Note:
- not available in early Tool/DECR and Debug/DEX firmwares. But available in AV TOOL firmware since 1.00
- Emulation is based on a SCPH-50000/SCPH-20401 Playstation 2 Model.
- Introduction to PlayStation2 Architecture.pdf
- ps2tek docs - https://psi-rockin.github.io/ps2tek/
PS2 emulators workload comparison[edit | edit source]
PS2 (GS+EE) | |||
---|---|---|---|
Core | Job | Source | Notes |
SPU0 | Spu2 | SPU Assembly | Spu2 emulator |
SPU1 | Sif | SPU Assembly | Some kind of bridge to IOP, since SIF is part of EE hardware. |
SPU2 | Timer | SPU Assembly | IOP timers. |
SPU3-6 | - | - | Unknown, emulator seems to not use them |
SPU7 | - | - | Unavailable: Factory disabled SPU |
PPU:0 | PS2-Devices | C++ and PPU ASM | |
PPU:1 | IOP | PPU ASM | Interpreter, dmas, iop hw regs, etc. |
PS2-EE | Emotion Engine | Hardware CXD2953AGB | Only in CECHAxx and CECHBxx PS3 models with COK-001 motherboard |
PS2-GS | Graphic Synthesizer | ||
PS2_GX | |||
Core | Job | Source | Notes |
SPU0 | IOP | SPU ASM | I/O Processor (originally PS1 main processor) |
SPU1 | PS2-SPU2 | SPU ASM | Sound processing unit 2 |
SPU2 | IPU | SPU ASM | Image Processing Unit |
SPU3 | VU1 | SPU ASM | Vector Unit 1 |
SPU4 | EEDMA | SPU ASM | EE DMA plus VIF1 handler |
SPU5 | GSGIF | SPU ASM | GIF (GS Interface, very limited since GS is on board) |
SPU6 | ? | ? | Emulator never access it directly but can be possibly used for MagicGate. Emulator sends/receives MG data thru virtual uart port 10. |
SPU7 | - | - | Unavailable: Factory disabled SPU |
PPU:0 | PS2-Devices | C++ and PPU ASM | |
PPU:1 | Emotion Engine | C++ and PPU ASM | |
PS2-GS | Graphic Synthesizer | Hardware CXD2972GB | Only in CECHCxx PS3 models with COK-002 motherboard |
PS2 Software | |||
Core | Job | Source | Notes |
SPU0 | IOP | SPU ASM | I/O Processor (originally PS1 main processor) |
SPU1 | SPU2 | SPU ASM | Sound Processing Unit 2 |
SPU2 | VU1 | SPU ASM | Vector Unit 1 |
SPU3 | EEDMA | SPU ASM | Emotion Engine DMA Controller |
SPU4 | GSEGIF | SPU ASM | GIF |
SPU5 | GSE | SPU ASM | |
SPU6 | IPU | SPU ASM | Image Processing Unit |
SPU7 | - | - | Unavailable: Factory disabled SPU |
PPU:0 | PS2-Devices | C++ and PPU ASM | |
PPU:1 | Emotion Engine | C++ and PPU ASM | |
PS2 Netemu | |||
Core | Job | Source | Notes |
SPU0 | IOP | SPU ASM | I/O Processor (originally PS1 main processor) |
SPU1 | SPU2 | SPU ASM | Sound processing unit 2 (originally SPU from PS1) |
SPU2 | VU1 | SPU ASM | Running VU1 code translated previously on PPU side. |
SPU3 | EEDMA | SPU ASM | Partial DMAC, mostly channels 1/2, and VU1 CODE r/w. Also process VIF1 commands (incl. Unpacks). |
SPU4 | FE | SPU ASM | GIF unit, processing GIF tags, handling GS internal registers, etc. |
SPU5 | BE | SPU ASM | |
SPU6 | IPU | SPU ASM | EE Image Processing Unit |
SPU7 | BE | PPU/SPU ASM | Factory disabled SPU. Emulator set name for JOB, but never try to start/set it as active. Although a lot of code in emulator is ready to use it. |
PPU:0 | - | - | |
PPU:1 | Emotion Engine | C++ and PPU ASM |
PS2 Emulator Types and Revisions[edit | edit source]
Firmware | Bytes | MD5 | Timestamp | Rev | Comm |
---|---|---|---|---|---|
1.00 AV | 8 258 328 | 19DC714F1109FF772BEF5B00C4AF2CF7 | 06/10/04/12:15 | ? | ? |
1.02 | 8.258.504 | FF9C1C465DF6F501E418602A488CBD40 | 06/10/21/00:01 | ? | ? |
1.10 | 8.254.568 | 72EFF1FB3E9A175253687634B698CC91 | 06/11/09/06:08 | ? | ? |
1.11 | 8.255.192 | 98BCC06ACA07971DFE57A126000B6DEE | 06/11/21/17:54 | ? | ? |
1.30 | 8.787.800 | 3F1E943139329E8AD5461FA43DB4DD0E | 06/12/05/05:33 | same | ? |
1.30 AV | 8.787.800 | F2CE2D8CF41FF38E586AE7A91A13980C | 06/12/05/07:15 | ||
1.31 | 8.790.440 | CF13D31F202DA3C55009C06B6A2B27A0 | 06/12/12/18:47 | ? | ? |
1.32 | 8.794.664 | 6DD631EEDE321AC7F59C85BC6AC0DCA9 | 06/12/18/05:54 | ? | ? |
1.50 | 8.805.912 | 81B38EE824E460385B44FADE78CAA5DC | 07/01/18/22:52 | ? | ? |
? | ? | ? | ? | ? | ? |
1.70 | 8.854.680 | CEACBB22EB450C5CC587C193CE7BBE91 | 07/04/16/16:11 | ? | ? |
? | ? | ? | ? | ? | ? |
1.90 | 5.190.280 | 88B26FDC910B8633613BC366D39F439D | 07/07/21/06:44 | ? | ? |
? | ? | ? | ? | ? | ? |
2.10 | 5.223.112 | CB1924E7163F01EA2DD3965918BACCE4 | 07/12/15/05:29 | ? | ? |
? | ? | ? | ? | ? | ? |
3.40 | 5.267.128 | 916603300F798139456FCF1A40384A97 | 10/06/23/15:44 | ? | ? |
? | ? | ? | ? | ? | ? |
3.66 | 5.267.112 | BE20230D091F5C8AB8364607D49A6992 | 11/06/16/03:51 | same | ? |
~ | Any | ||||
3.74 | 5B2CA12EE08298094177667C681BC75F | 11/10/25/00:30 | |||
4.00 | 5.272.152 | 08516640BE636F3E633C0416F09EF941 | 11/11/22/03:10 | same | ? |
4.01 | 61ECD51036247547736274EEB52FA4C4 | 11/12/23/01:02 | |||
4.10 | 5.272.008 | 88CFD465D2F412C075C69531278BB3A9 | 12/02/05/23:08 | same | ? |
4.11 | 2B45F72675B844C08E1735059F9826E3 | 12/02/11/07:05 | |||
4.20 | 5.272.264 | 23D3F9909EBA3F1AB0D757850C5D6809 | 12/06/15/02:01 | same | ? |
4.21 | 110F0D01B39193F1A2031BBC7ADBBC2F | 12/06/30/01:06 | |||
4.23 S | 5.271.912 | 783201F2541117E545B8E01B3A0B1955 | 12/07/31/00:17 | ? | ? |
4.25 | 5.272.264 | C895EAA3F79BA2040D6C828A5B811139 | 12/09/07/06:55 | ? | ? |
? | ? | ? | ? | ? | ? |
? | ? | ? | ? | ? | ? |
? | ? | ? | ? | ? | ? |
Abandoned (last revision) | |||||
4.78 | 5.274.984 | ABC9228FCEA0E779E3157CA546A1FD02 | 15/12/17/01:14 | same | ? |
~ | Any | ||||
4.89 | 7523DE6D38B13B9C4B9F72419C50D4A7 | 22/02/04/14:35 |
· Decrypted (elf): changes every firmware version
· Build label: yes, with timestamp, search for ps2ver:
· Target Firmware: no/unknown
· Revision: unknown
Firmware | Bytes | MD5 | Rev | Comm | |
---|---|---|---|---|---|
1.00 ~ 1.32 | No | ||||
1.50 | 6.106.040 | BACC208C8A793F82D71F85B02DD2D318 | ? | ? | |
? | ? | ? | ? | ? | |
1.70 | 6.763.336 | B70A15512EF9FA74B798A5E9241FE571 | ? | ? | |
? | ? | ? | ? | ? | |
1.90 | 6.802.720 | B9E2CC8D72779650D9B500B75AE552EB | ? | ? | |
? | ? | ? | ? | ? | |
2.10 | 6.822.576 | E34C4EB587CCE44AB4B92D848DC391A7 | ? | ? | |
? | ? | ? | ? | ? | |
3.40 | 6.866.424 | 80091C68E2F8D2385A2125AB38085A3C | ? | ? | |
? | ? | ? | ? | ? | |
3.66 ~ 3.74 | 6.867.024 | E04FA0FE63A968C53AE366B3AAD0141A | ? | ? | |
4.00 ~ 4.11 | 6.871.848 | D5E97019132848203970213FF96F2AAB | ? | ? | |
4.20 ~ 4.25 | 6.872.128 | 678F16283CAA8CFBC03A5FBCB6ABA41E | ? | ? | |
? | ? | ? | ? | ? | |
? | ? | ? | ? | ? | |
? | ? | ? | ? | ? | |
Abandoned (last revision) | |||||
4.78 ~ 4.89 | 6.874.848 | C7681420A7B3A2A6E3BF89F4A12A3DD6 | ? | 0x2B ? |
· Decrypted (elf): changes every emu revision
· Build label: no/unknown
· Target Firmware: no/unknown
· Revision: unknown
Firmware | Bytes | MD5 | Rev | Comm |
---|---|---|---|---|
1.00 ~ 1.82 | No | |||
1.90 ~ 1.94 | 6.142.080 | 812330515D01291488315BBE7E0F339E | 11065 | ? |
1.97 | ? | ? | ? | ? |
2.00 ~ 2.10 | 6.143.048 | C0964350E3E8EA80EB5C7CB34901E9DE | 11830 | ? |
2.16 | ? | ? | ? | ? |
? ~ ? | ? | ? | ? | ? |
3.10 | ? | ? | ? | ? |
3.15 | ? | ? | 12840 | ? |
3.16 | ? | ? | ? | ? |
? ~ ? | ? | ? | ? | ? |
3.40 | 6.146.424 | 97C33E83E14399EED1BD4F5351443E1C | ? | ? |
3.41 ~ 3.65 | ? | ? | 13474 | ? |
3.66 ~ 3.71 | 6.147.120 | 513B9160AD8C199CAEFC82C1B7D9D794 | 15435 | ? |
3.72 ~ 4.01 | 6.146.992 | 1232D3EEB48F301CBB61D76EB3046111 | 15529 | ? |
4.10 ~ 4.91 | No |
· Decrypted (elf): changes every emu revision
· Build label: no/unknown
· Target Firmware: no/unknown
· Revision: unknown
Firmware | Bytes | MD5 | Rev | Comm | |
---|---|---|---|---|---|
1.00 ~ 3.66 | No | ||||
3.70 ~ 3.71 | 11.036.504 | 0D021D18CC63DDBDA530A93C41ABF865 | 15686 | 0x41 | |
3.72 | 11.036.504 | 38EABD7E5F998BC04922CA3B70211208 | 15842 | ||
3.73 ~ 3.74 | 11.036.504 | F21110A93BBEA416749283E6BF3D3C6B | 15936 | ||
4.00 ~ 4.01 | 11.033.048 | F770442DFA626282B01FEBE3DDFFC477 | 16195 | ||
4.10 ~ 4.11 | 11.033.216 | 8F0885BCC80A3617E654BB6151F4F718 | 16361 | ||
4.20 ~ 4.23 | 11.033.728 | 8EB5492E453C50B6D728E7999A57A689 | 16604 | 0x43 | |
4.25 ~ 4.26 | 11.033.728 | E38059300E31432A62967770C3E99EF6 | 16740 | ||
4.30 ~ 4.31 | ? | ? | 16808 | 0x45 | |
4.40 ~ 4.41 | ? | ? | 16916 | 0x46 | |
4.45 ~ 4.46 | ? | ? | 17041 | 0x48 | |
4.50 | ? | ? | 17179 | 0x4A | |
4.55 | ? | ? | 17277 | 0x4D | |
4.60 ~ 4.76 | ? | ? | 17314 | ||
Abandoned (last revision) | |||||
4.78 ~ 4.89 | 10.442.536 | 8B2DBD1AAD22A0EDCF9C867A1A1FB94D | 17495 | 0x50 |
· Decrypted (elf): changes every emu revision
· Build label: yes, without timestamp, search for build r
· Target Firmware: included in the build label
· Revision: yes, one time, and included in the build label
- Alternative tables
FW version | TOC | Notes |
---|---|---|
1.00 AV | 0x7C3150 | |
1.02 | 0x7C31F0 | |
1.10 | 0x7C2168 | |
1.11 | 0x7C23C8 | |
1.30 | 0x8442E8 | |
1.30 AV | 0x8442E8 | |
1.31 | 0x844C98 | |
1.32 | 0x845CA0 | |
1.50 | 0x848728 | |
1.90 | 0x4D7ED8 | |
3.66 - 3.74 | 0x4E9A20 | |
4.00 - 4.01 | 0x4EADB8 | |
4.10 - 4.11 | 0x4EAD28 | |
4.20 - 4.21 | 0x4EAE30 | |
4.23 | 0x4EACE0 | |
4.25 | 0x4EAE30 | Reverted to 4.20 - 4.21 version? |
4.78 - 4.82 | 0x4EB8C0 |
FW version | TOC | Notes |
---|---|---|
1.50 | 0x5BDFC8 | |
1.90 | 0x666C78 | |
3.66 - 3.74 | 0x6766B8 | |
4.00 - 4.11 | 0x677990 | |
3.66 - 3.74 | 0x677AA8 | |
4.78 - 4.82 | 0x678548 |
FW version | TOC | Notes |
---|---|---|
1.90 | 0x5C7B10 | |
2.50 | 0x5C7ED8 | |
3.41 | 0x5C8C00 | |
3.66 - 3.71 | 0x5C8EC0 | |
3.72 - 4.01 | 0x5C8E40 |
FW version | TOC | Notes |
---|---|---|
3.73 - 3.74 | 0x7D8B00 | |
4.00 - 4.01 | 0x7DA200 | |
4.10 - 4.11 | 0x7DA180 | |
4.20 - 4.25 | 0x7DA500 | |
4.78 - 4.83 | 0x751280 |
General observations regarding PS2 Classics emulator (ps2_netemu)[edit | edit source]
- Virtual memory cards are per title based, but apparently run through the current memory card system. The module used to manage memory cards is: vmc_savedata_plugin.sprx - Using a regular memory card that has been renamed result in a "The save data is corrupt (8XXXXXXX) error"
- Loads an epilepsy warning before PS2 logo (PS button menu appears during epilepsy warning if controller is synced)
- Does not support online functionality of PS2 titles (network configuration utility inside Full Spectrum Warrior claims no network adaptor has been found, same with Syphon Filter: The Omega Strain).
- Only file that is needed in the folder for PS2 Classics is "iso.bin.enc". Removing the manuals/DXT files will cause the game to boot IMMEDIATELY to the PS2 logo upon switching to 720p/starting PS2 LPAR.
LIMG Segment[edit | edit source]
The ISO.BIN.ENC has a block of 0x4000 bytes added at the end codenamed "LIMG" that works as a descriptor for the ISO structure
Offset | Length | Name | Example | Description |
---|---|---|---|---|
0x00 | 0x4 | magic | LIMG | Logical IMaGe (layout) ? |
0x04 | 0x4 | img_type | 0x00000001 | 1=DVD 2=CD |
0x08 | 0x4 | sector_count | 0x00279890 | sector_count = img_size / sector_size |
0x0C | 0x4 | sector_size | 0x0000800 | sector_size = img_size / sector_count 0x800=DVD (Mode1/2048) 0x930=CD (Mode2/2352) |
0x10 | 0x3FF0 | padding | 0x00000000... |
folder/file layout[edit | edit source]
(in this example GTA San Andreas Classic)
[NPUD20946] [USRDIR] [CONTENT] 001.dxt 002.dxt 003.dxt 004.dxt 005.dxt 006.dxt 007.dxt 008.dxt 009.dxt 010.dxt 011.dxt 012.dxt 013.dxt 014.dxt 015.dxt 016.dxt 017.dxt Others.dxt Manual.idx [SAVEDATA] SCEVMC0.VME SCEVMC1.VME CONFIG ISO.BIN.EDAT ISO.BIN.ENC PS3LOGO.DAT PARAM.SFO ICON0.PNG PIC0.PNG PIC1.PNG PIC2.PNG
Virtual PS2 (emulated machine) usage and features[edit | edit source]
Video Modes[edit | edit source]
Note: Real PS2 : https://web.archive.org/web/20180802152820/http://users.neoscientists.org/~blue/ps2videomodes.txt
Video Modes ----.-----------.---------------.-----------.-----------. No | Name | Resolution | fV(Hz) | fH(kHz) | ----+-----------+---------------+-----------+-----------| 0 | NTSC-NI | 640x240(224) | 59.940 | 15.734 | 1 | NTSC-I | 640x480(448) | 59.820 | 15.734 | 2 | PAL-NI | 640x288(256) | 50.000 | 15.625 | 3 | PAL-I | 640x576(512) | 49.760 | 15.625 | 4 | VESA-1A | 640x480 | 59.940 | 31.469 | 5 | VESA-1C | 640x480 | 75.000 | 37.500 | 6 | VESA-2B | 800x600 | 60.317 | 37.879 | 7 | VESA-2D | 800x600 | 75.000 | 46.875 | 8 | VESA-3B | 1024x768 | 60.004 | 48.363 | 9 | VESA-3D | 1024x768 | 75.029 | 60.023 | 10 | VESA-4A | 1280x1024 | 60.020 | 63.981 | 11 | VESA-4B | 1280x1024 | 75.025 | 79.976 | 12 | DTV-480P | 720x480 | 59.940 | 31.469 | 13 | DTV-1080I | 1920x1080 | 60.000 | 33.750 | 14 | DTV-720P | 1280x720 | ?? | ?? | ----^-----------^---------------^-----------^-----------'
Memory Mapping[edit | edit source]
ps2netemu[edit | edit source]
Name | ea | lpar2(netemu 4.81) | size | flags | lpar1(lv1 4.81) |
---|---|---|---|---|---|
text | 0x0 | 0x3D00000 | 0x300000( 3 MB) | 0x8000000000000003 0000000000000003 | 0x7D00000 |
ro_work | 0x300000 | 0x300000 | 0x500000( 5 MB) | 0x0000000000000003 0000000000000003 | 0x4300000 |
rw_work | 0x800000 | 0x800000 | 0x2A00000( 42 MB) | 0x0000000000000001 0000000000000003 | 0x4800000 |
negmem | 0x1FFF0000 | 0x3210000 | 0x10000( 64 KB) | 0x0000000000000001 0000000000000000 | 0x7210000 |
ee_ram | 0x100000000 | 0x64000E000000 | 0x2000000( 32 MB) | 0x0000000000000001 0000000000000000 | 0x3C00000 - 0x3F00000, 0x8000000 - 0x9B00000 |
ee_jit_code | 0xD00000000 | 0x680024000000 | 0x3000000( 48 MB) | 0x8000000000000001 0000000000000003 | 0xBC00000 - 0xEB00000 |
vu0_jit_code | 0xD08000000 | 0x580000800000 | 0x400000( 4 MB) | 0x8000000000000001 0000000000000003 | 0x900000 - 0xC00000 |
vu0_jit_data | 0xD0C000000 | 0x3700000 | 0x400000( 4 MB) | 0x0000000000000002 0000000000000003 | 0x7700000 |
eeram_jit_lut | 0xE00000000 | 0x640010000000 | 0x2000000( 32 MB) | 0x0000000000000001 0000000000000003 | 0x9C00000 - 0xBB00000 |
eerom_jit_lut | 0xE0FC00000 | 0x580000C00000 | 0x400000( 4 MB) | 0x0000000000000001 0000000000000003 | 0xD00000 - 0x1000000 |
ee_dbg_ram | 0x90FFF8000 | 0x64000E078000 | 0x8000( 32 KB) | 0x0000000000000001 0000000000000000 | |
iop_ram | 0x400000000 | 0x3300000 | 0x200000( 2 MB) | 0x0000000000000001 0000000000000000 | 0x7300000 |
iop_rom | 0x50FC00000 | 0x580001000000 | 0x400000( 4 MB) | 0x0000000000000001 0000000000000002 | 0x1100000 - 0x1400000 |
iop_spad | 0x50F800000 | 0x3220000 | 0x10000( 64 KB) | 0x0000000000000001 0000000000000002 | 0x7220000 |
spu2_ram | 0x600000000 | 0x3500000 | 0x200000( 2 MB) | 0x0000000000000001 0000000000000000 | 0x7500000 |
spu2_ram2 | 0x600200000 | 0x3500000 | 0x200000( 2 MB) | 0x0000000000000001 0000000000000000 | 0x7500000 |
spu2_pcm | 0x1000000000 | 0x3230000 | 0x10000( 64 KB) | 0x0000000000000001 0000000000000000 | 0x7230000 |
ee_spr_lo | 0x700000000 | 0x3201000 | 0x2000( 8 KB) | 0x0000000000000001 0000000000000000 | 0x7201000 |
ee_spr | 0x800000000 | 0x3203000 | 0x6000( 24 KB) | 0x0000000000000001 0000000000000000 | 0x7203000 |
ee_vu0_dmem0 | 0x301004000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
ee_vu0_dmem1 | 0x301005000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
ee_vu0_dmem2 | 0x301006000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
ee_vu0_dmem3 | 0x301007000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
ee_rom | 0x30FC00000 | 0x580001000000 | 0x400000( 4 MB) | 0x0000000000000001 0000000000000001 | 0x1100000 - 0x1400000 |
vrc | 0xC00000000 | 0x600005000000 | 0x1000000( 16 MB) | 0x0000000000000001 0000000000000000 | 0x1500000 - 0x2400000 |
/dev/zero | 0x4000000000 | 0x3240000 | 0x10000( 64 KB) | 0x0000000000000001 0000000000000001 | 0x7240000 |
dma_vu0_dmem0 | 0x4001004000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
dma_vu0_dmem1 | 0x4001005000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
dma_vu0_dmem2 | 0x4001006000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
dma_vu0_dmem3 | 0x4001007000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
imm_vu0_dmem0 | 0x30000000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
imm_vu0_dmem1 | 0x30001000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
imm_vu0_dmem2 | 0x30002000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
imm_vu0_dmem3 | 0x30003000 | 0x3200000 | 0x1000( 4 KB) | 0x0000000000000001 0000000000000001 | 0x7200000 |
SGSXdr | 0x1904000000 | 0x64000C000000 | 0x1700000( 23 MB) | 0x0000000000000001 0000000000000000 | 0x2500000 - 0x3B00000 |
iopTrace | 0x1400000000 | 0x3250000 | 0x10000( 64 KB) | 0x0000000000000001 0000000000000000 | 0x7250000 |
SPE local storage[edit | edit source]
Emulator access SPE LS by accessing special addresses. Mapping as follows:
SPE Num. | SPE task | Address in netemu | address in SPE |
---|---|---|---|
0 | IOP | 0x40000000 - 0x4003FFFF | 0x0 - 3FFFF |
1 | SPU2 | 0x40080000 - 0x400BFFFF | 0x0 - 3FFFF |
2 | VU1 | 0x40100000 - 0x4013FFFF | 0x0 - 3FFFF |
3 | EEDMA | 0x40180000 - 0x401BFFFF | 0x0 - 3FFFF |
4 | FE | 0x40200000 - 0x4023FFFF | 0x0 - 3FFFF |
5 | BE | 0x40280000 - 0x402BFFFF | 0x0 - 3FFFF |
6 | IPU | 0x40300000 - 0x4033FFFF | 0x0 - 3FFFF |
Additionally, emulator access SPU directly with those addresses.
Address | Channel | Channel description | Access type | Notes |
---|---|---|---|---|
0x44004 | SPU_Out_Mbox | SPU Outbound Mailbox Register | Read only | Used to read 32 bits of data from the corresponding SPU outbound mailbox queue. Outbound Mailbox Register has a corresponding SPU Write Outbound Mailbox Channel for writing data into outbound mailbox queue. |
0x4400C | SPU_In_Mbox | SPU Inbound Mailbox Register | Write only | Used to write 32 bits of data into the corresponding SPU inbound mailbox queue. Inbound mailbox queue has a corresponding SPU Read Inbound Mailbox Channel for reading data from the queue. |
0x44014 | SPU_Mbox_Stat | SPU Mailbox Status Register | Read only | Contains the current In_Mbox/Out_Mbox/Out_Intr_Mbox count of the mailbox queues in the corresponding SPE. |
0x4401C | SPU_RunCntl | SPU Run Control Register | Read/Write | Used to start and stop the execution of instructions in the SPU.
The SPU can dynamically change the state of the Run Status bit (that is, SPU_Status[R]). |
0x44024 | SPU_Status | SPU Status Register | Read only | Used to report the status (state) of an SPU. Emulator use it mostly to check if SPU is running (bit31). |
0x44034 | SPU_NPC | SPU Next Program Counter Register | Read/Write | Contains the address from which an SPU starts executing when the Run Control bit is set in the SPU Run Control Register.
Used in function that start SPU programs, and in interrupts handlers, plus in few other places. |
0x5400C | SPU_Sig_Notify_1 | SPU Signal Notification 1 Register | Read/Write | Used to write data that can be read in SPU_RdSigNotify1 channel corresponding SPE. |
0x5C00C | SPU_Sig_Notify_2 | SPU Signal Notification 2 Register | Read/Write | Used to write data that can be read in SPU_RdSigNotify2 channel corresponding SPE. |
Address = SPU base + Address. For example, IPU SPU is mapped to 0x40300000 so accessing SPU_Sig_Notify1 will be done by read/write to 0x4035400C.
PS2 Memory and Hardware Mapped Registers Layout[edit | edit source]
EE Virtual/Physical Memory Map KUSEG: 00000000h-7FFFFFFFh User segment KSEG0: 80000000h-9FFFFFFFh Kernel segment 0 KSEG1: A0000000h-BFFFFFFFh Kernel segment 1 KSSEG: C0000000h-DFFFFFFFh Supervisor segment KSEG3: E0000000h-FFFFFFFFh Kernel segment 3 Virtual Physical 00000000h 00000000h 32 MB Main RAM (first 1 MB reserved for kernel) 20000000h 00000000h 32 MB Main RAM, uncached 30100000h 00100000h 31 MB Main RAM, uncached and accelerated 10000000h 10000000h 64 KB I/O registers 11000000h 11000000h 4 KB VU0 code memory 11004000h 11004000h 4 KB VU0 data memory 11008000h 11008000h 16 KB VU1 code memory 1100C000h 1100C000h 16 KB VU1 data memory 12000000h 12000000h 8 KB GS privileged registers 1C000000h 1C000000h 2 MB IOP RAM 1FC00000h 1FC00000h 4 MB BIOS, uncached (rom0) 9FC00000h 1FC00000h 4 MB BIOS, cached (rom09) BFC00000h 1FC00000h 4 MB BIOS, uncached (rom0b) 70000000h --------- 16 KB Scratchpad RAM (only accessible via virtual addressing) IOP Physical Memory Map KUSEG: 00000000h-7FFFFFFFh User segment KSEG0: 80000000h-9FFFFFFFh Kernel segment 0 KSEG1: A0000000h-BFFFFFFFh Kernel segment 1 Physical 00000000h 2 MB Main RAM (same as on PSX) 1D000000h SIF registers 1F800000h 64 KB Various I/O registers 1F900000h 1 KB SPU2 registers 1FC00000h 4 MB BIOS (rom0) - Same as EE BIOS FFFE0000h (KSEG2) Cache control Additional Memory 4 MB GS VRAM (used for framebuffer, textures, zbuffer, etc) 2 MB SPU2 work RAM - quadrupled from PSX's SPU 8 MB Memory card Hardware Mapped Registers EE Map EE Timers 100000xxh Timer 0 100008xxh Timer 1 100010xxh Timer 2 100018xxh Timer 3 Image Processing Unit (IPU) 10002000h 8h IPU Command 10002010h 4h IPU Control 10002020h 4h IPU bit pointer control 10002030h 8h Top of bitstream 10007000h 10h Out FIFO (read) 10007010h 10h In FIFO (write) Graphics Interface (GIF) 10003000h 4h GIF_CTRL - Control register 10003010h 4h GIF_MODE - Mode setting 10003020h 4h GIF_STAT - Status 10003040h 4h GIF_TAG0 - Bits 0-31 of tag before 10003050h 4h GIF_TAG1 - Bits 32-63 of tag before 10003060h 4h GIF_TAG2 - Bits 64-95 of tag before 10003070h 4h GIF_TAG3 - Bits 96-127 of tag before 10003080h 4h GIF_CNT - Transfer status counter 10003090h 4h GIF_P3CNT - PATH3 transfer status counter 100030A0h 4h GIF_P3TAG - Bits 0-31 of PATH3 tag when interrupted 10006000h 10h GIF FIFO DMA Controller (DMAC) 100080xxh VIF0 - channel 0 100090xxh VIF1 - channel 1 1000A0xxh GIF - channel 2 1000B0xxh IPU_FROM - channel 3 1000B4xxh IPU_TO - channel 4 1000C0xxh SIF0 - channel 5 1000C4xxh SIF1 - channel 6 1000C8xxh SIF2 - channel 7 1000D0xxh SPR_FROM - channel 8 1000D4xxh SPR_TO - channel 9 1000E000h 4h D_CTRL - DMAC control 1000E010h 4h D_STAT - DMAC interrupt status 1000E020h 4h D_PCR - DMAC priority control 1000E030h 4h D_SQWC - DMAC skip quadword 1000E040h 4h D_RBSR - DMAC ringbuffer size 1000E050h 4h D_RBOR - DMAC ringbuffer offset 1000E060h 4h D_STADR - DMAC stall address 1000F520h 4h D_ENABLER - DMAC disabled status 1000F590h 4h D_ENABLEW - DMAC disable Interrupt Controller (INTC) 1000F000h 4h INTC_STAT - Interrupt status 1000F010h 4h INTC_MASK - Interrupt mask Subsystem Interface (SIF) 1000F200h 4h MSCOM - EE->IOP communication 1000F210h 4h SMCOM - IOP->EE communication 1000F220h 4h MSFLAG - EE->IOP flags 1000F230h 4h SMFLAG - IOP->EE flags 1000F240h 4h Control register Privileged GS registers 12000000h 8h PMODE - various PCRTC controls 12000010h 8h SMODE1 12000020h 8h SMODE2 12000030h 8h SRFSH 12000040h 8h SYNCH1 12000050h 8h SYNCH2 12000060h 8h SYNCV 12000070h 8h DISPFB1 - display buffer for output circuit 1 12000080h 8h DISPLAY1 - output circuit 1 control 12000090h 8h DISPFB2 - display buffer for output circuit 2 120000A0h 8h DISPLAY2 - output circuit 2 control 120000B0h 8h EXTBUF 120000C0h 8h EXTDATA 120000D0h 8h EXTWRITE 120000E0h 8h BGCOLOR - background color 12001000h 8h GS_CSR - control register 12001010h 8h GS_IMR - GS interrupt control 12001040h 8h BUSDIR - transfer direction 12001080h 8h SIGLBLID - signal IOP Map Subsystem Interface (SIF) 1D000000h 4h MSCOM - EE->IOP communication 1D000010h 4h SMCOM - IOP->EE communication 1D000020h 4h MSFLAG - EE->IOP flags 1D000030h 4h SMFLAG - IOP->EE flags 1D000040h 4h Control register CDVD Drive 1F402004h 1h Current N command 1F402005h 1h N command status (R) 1F402005h 1h N command params (W) 1F402006h 1h Error 1F402007h 1h Send BREAK command 1F402008h 1h CDVD I_STAT - interrupt register 1F40200Ah 1h Drive status 1F40200Fh 1h Disk type 1F402016h 1h Current S command 1F402017h 1h S command status 1F402018h 1h S command params Interrupt Control 1F801070h 4h I_STAT - Interrupt status 1F801074h 4h I_MASK - Interrupt mask 1F801078h 1h I_CTRL - Global interrupt disable DMA registers 1F80108xh MDECin - channel 0 1F80109xh MDECout - channel 1 1F8010Axh SIF2 (GPU) - channel 2 1F8010Bxh CDVD - channel 3 1F8010Cxh SPU2 Core0 - channel 4 1F8010Dxh PIO - channel 5 1F8010Exh OTC - channel 6 1F80150xh SPU2 Core1 - channel 8 1F80151xh ??? - channel 9 1F80152xh SIF0 - channel 10 1F80153xh SIF1 - channel 11 1F80154xh SIO2in - channel 12 1F80155xh SIO2out - channel 13 1F8010F0h 4h DPCR - DMA priority control 1F8010F4h 4h DICR - DMA interrupt control 1F801570h 4h DPCR2 - DMA priority control 2 1F801574h 4h DICR2 - DMA priority control 2 IOP Timers 1F80110xh Timer 0 1F80111xh Timer 1 1F80112xh Timer 2 1F80148xh Timer 3 1F80149xh Timer 4 1F8014Axh Timer 5 Serial Interface (SIO2) 1F808200h 40h SEND3 buffer 1F808240h 20h SEND1/2 buffers 1F808260h 1h In FIFO 1F808264h 1h Out FIFO 1F808268h 4h SIO2 control 1F80826Ch 4h RECV1 1F808270h 4h RECV2 1F808274h 4h RECV3 Sound Processing Unit (SPU2) 1F900000h 180h Core0 Voice 0-23 registers 1F900190h 4h Key ON 0/1 1F900194h 4h Key OFF 0/1 1F90019Ah 2h Core attributes 1F90019Ch 4h Interrupt address H/L 1F9001A8h 4h DMA transfer address H/L 1F9001ACh 2h Internal transfer FIFO 1F9001B0h 2h AutoDMA status 1F9001C0h 120h Core0 Voice 0-23 start/loop/next addresses 1F900340h 4h ENDX 0/1 1F900344h 2h Status register ... above addresses repeat for Core1 starting at 1F900400h ... 1F900760h 2h Master Volume Left 1F900762h 2h Master Volume Right 1F900764h 2h Effect Volume Left 1F900766h 2h Effect Volume Right 1F900768h 2h Core1 External Input Volume Left 1F90076Ah 2h Core1 External Input Volume Right
Memory Allocation[edit | edit source]
ps2_netemu[edit | edit source]
Name | Size | page_log2 | lpar2(netemu 4.81) | lpar1(lv1 4.81) |
---|---|---|---|---|
ra_vu0_dmem | 0x1000 (4 KB) | 12 (4 KB) | 0x3200000 | 0x7200000 |
ra_ee_spr_lo | 0x2000 (8 KB) | 12 (4 KB) | 0x3201000 | 0x7201000 |
ra_ee_sprx | 0x6000 (24 KB) | 12 (4 KB) | 0x3203000 | 0x7203000 |
ra_negmem | 0x10000 (64 KB) | 16 (64 KB) | 0x3210000 | 0x7210000 |
ra_iop_spad | 0x10000 (64 KB) | 16 (64 KB) | 0x3220000 | 0x7220000 |
ra_spu2_pcm | 0x10000 (64 KB) | 16 (64 KB) | 0x3230000 | 0x7230000 |
ra_nulls | 0x10000 (64 KB) | 16 (64 KB) | 0x3240000 | 0x7240000 |
ra_itrace | 0x10000 (64 KB) | 16 (64 KB) | 0x3250000 | 0x7250000 |
ra_iop_ram | 0x200000 (2 MB) | 20 (1 MB) | 0x3300000 | 0x7300000 |
ra_spu2_ram | 0x200000 (2 MB) | 20 (1 MB) | 0x3500000 | 0x7500000 |
ra_vu0_code | 0x400000 (4 MB) | 20 (1 MB) | 0x580000800000 | 0x900000 - 0xC00000 |
ra_vu0_data | 0x400000 (4 MB) | 20 (1 MB) | 0x3700000 | 0x7700000 |
ra_ee_rom_pc | 0x400000 (4 MB) | 20 (1 MB) | 0x580000C00000 | 0xD00000 - 0x1000000 |
ra_ps2_rom | 0x400000 (4 MB) | 20 (1 MB) | 0x580001000000 | 0x1100000 - 0x1400000 |
ra_vrc_mem | 0x1000000 (16 MB) | 20 (1 MB) | 0x600005000000 | 0x1500000 - 0x2400000 |
ra_sgs_xdr | 0x1700000 (23 MB) | 20 (1 MB) | 0x64000C000000 | 0x2500000 - 0x3B00000 |
ra_ee_ram | 0x2000000 (32 MB) | 20 (1 MB) | 0x64000E000000 | 0x3C00000 - 0x3F00000, 0x8000000 - 0x9B00000 |
ra_ee_ram_pc | 0x2000000 (32 MB) | 20 (1 MB) | 0x640010000000 | 0x9C00000 - 0xBB00000 |
ra_trans_code | 0x3000000 (48 MB) | 20 (1 MB) | 0x680024000000 | 0xBC00000 - 0xEB00000 |
Controller[edit | edit source]
ID | Controller #Number | Note |
---|---|---|
1 (1-A) | 1 | |
2 (2-A) | 2 | |
3 (1-B) | 3 | |
4 (2-B) | 4 | |
5 (1-C) | 5 | Gamepad LED #1 + #4 |
6 (2-C) | 6 | Gamepad LED #2 + #4 |
7 (1-D) | 7 | Gamepad LED #3 + #4 |
Peripheral support[edit | edit source]
ps2_emu.self / ps2_gxemu.self[edit | edit source]
- Hub
- Mouse
- Keyboard
- EyeToy
- Head Mount Display
- Mic
- Ascii Mic
- Socom USB Headset
- Usb Headset
- Sea Mic Controller
- Force Feedback device
- GT Force
- Momo Force
- Driving Force Pro
- G25/G27
- Momo Racing
- Flight Force
- Force 3D Pro
- Modem
- Guncon2
- Densya de GO! controller type 2
- Densya de GO! Sincansen senyou controller
- Capture Eye
- Flight Stick
- Flight Stick 2
- Pop Egg
- Trance Vibrator
- PSP
- Compact Flight Controller
- Flash Memory
- Buzz!
- Pachi-Slot Controller Kurouto
- Usb Adapter
- Guncon3
- Multi Train Controller
- Para Para Paradise controller
ps2_netemu.self[edit | edit source]
Support for USB devices seems to be limited comparing to other available emulators. Although PS2 side of USB subsystem seems to be fully implemented. IOP emulator in SPU handle USB HW registers addresses and generate interrupt for PPU which later handle RW to mentioned registers in similar fashion to ps2_emu/ps2_gxemu. PS2 side of things can be disabled/enabled using one byte, when disabled USB writes are ignored, and USB reads return 0. Initial state is unknown. Emulator seems to accept HID controllers and use them as DS3.
Supported devices:
- BD Remote Control
- PLAYSTATION(R)3 Controller (Vendor ID 0x54C, Product ID 0x268),
- Motion Controller - Move (Vendor ID 0x54C, Product ID 0x3D5),
- Navigation Controller (Vendor ID 0x54C, Product ID 0x42F)
- "guncon3"
Unknown:
- Vendor ID 0xF0D (Hori), Product ID 0x4A
- Vendor ID 0x54C (Sony), Product ID 0x5AF
Few peripherals not listed above work fine or with issues.
- PS3 Dance Dance Revolution Dance Pad - not ps2 accessory, opposite arrows can't be pressed at the same time.
- Pop'N Music controllers - Require PS2 to USB converter. Wrong button mappings can be fixed by remap in config file.
- Retro-Bit Official SEGA Mega Drive USB 6-Button Controller. Mapped for PS3 already and also works with this emulator. Lacks analogue sticks and shoulder buttons.
BIOS[edit | edit source]
ps2_netemu.self[edit | edit source]
Ps2_netemu use integrated PS2 bios included in ps2netemu.elf, not additional file like in ps1_emu. In 4.81 firmware BIOS is located from 0x820A00 to 0x9F09FF (0x820900 to 0x9F08FF in fw4.50). Bios version is Developement v2.20 (22/01/2007).
Notable thing is that ps2_netemu use the same bios as ps2_gxemu, and ps2onps4. ps2_netemu not boot using ps2_emu bios because of failing RDRAM check.
Content[edit | edit source]
Files included in ps2_netemu/ps2_gxemu bios.
File | Offset in fw4.81 ps2_netemu | Offset in exported bin | Description | File type (exportable) |
---|---|---|---|---|
RESET | 0x820A00 | 0x00 | Bootstrap code for the EE and IOP. | BIN |
ROMDIR | 0x823180 | 0x2780 | The ROMDIR part of the ROM image, which provides information on the location and name of files contained in the image. | BIN |
EXTINFO | 0x8236C0 | 0x2CC0 | Contains the "EXTINFO" for all files in the ROM image. | BIN |
SBIN | 0x823D30 | 0x3330 | Seems to be the pad controller library for the PS1 monitor. | BIN |
LOGO | 0x82ACD0 | 0xA2D0 | PS1 logo? | BIN |
IOPBTCONF | 0x83F420 | 0x1EA20 | Boot configuration file for the IOP, during the final phase of the IOP reset. If no UDNL module is specified, the IOP will only have a single IOP reset in the reboot process, with the modules listed in IOPBTCONF. | BIN |
IOPBTCON2 | 0x83F510 | 0x1EB10 | Boot configuration file for the IOP, for the first phase of the IOP reset (before UDNL is loaded). | BIN |
SYSMEM | 0x83F5E0 | 0x1EBE0 | System Memory Manager. | ELF |
LOADCORE | 0x840800 | 0x1FE00 | The core of IOP module loading. Provides the lowest level of IOP module loading functions. Also handles the startup of the IOP. | ELF |
EXCEPMAN | 0x842D80 | 0x22380 | Exception manager. | ELF |
INTRMANP | 0x843960 | 0x22F60 | Interrupt Manager. According to wisi, it is for PS mode. | ELF |
INTRMANI | 0x845370 | 0x24970 | Interrupt Manager. According to wisi, it is for IOP mode. | ELF |
SSBUSC | 0x8471B0 | 0x267B0 | SSBUS Controller library. The SSBUS seems to be the bus that all peripherals get connected to. It seems to have the power to control the mapping of the device registers, as well as access timing. | ELF |
TIMEMANP | 0x847920 | 0x26F20 | Timer Manager (PS mode) | ELF |
TIMEMANI | 0x848500 | 0x27B00 | Timer Manager (IOP mode) | ELF |
DMACMAN | 0x849130 | 0x28730 | DMA Controller Manager. | ELF |
SYSCLIB | 0x84C830 | 0x2BE30 | System C Library. | ELF |
HEAPLIB | 0x84EF90 | 0x2E590 | Memory HEAP LIBrary (i.e. thvpool, thfpool) | ELF |
THREADLIB | 0x84FC90 | 0x2F290 | Multi_Thread_Manager | ELF |
VBLANK | 0x858A20 | 0x38020 | V-Blank management | ELF |
IOMAN | 0x8597B0 | 0x38DB0 | IO Manager | ELF |
MODLOAD | 0x85B720 | 0x3AD20 | IOP module loader. | ELF |
ROMDRV | 0x85DA70 | 0x3D070 | ROM driver. Provides access to the boot ROM (rom0). | ELF |
ADDDRV | 0x85E960 | 0x3DF60 | Adds support for the DVD ROM (rom1:), via ROMDRV. | ELF |
STDIO | 0x85EDC0 | 0x3D3C0 | Standard I/O library. | ELF |
SIFMAN | 0x85F9B0 | 0x3EFB0 | SIF manager. | ELF |
SIFINIT | 0x860F50 | 0x40550 | Initializes the SIF. | ELF |
EESYNC | 0x861370 | 0x40970 | For synchronizing with the EE, at the end of IOP resets. EESYNC from DNAS images are evil; they also perform a memory wipe of the region from 0x00084000 to .0x00100000. | ELF |
EENULL | 0x861810 | 0x40E10 | The idle thread (id #0) module, in ps2 loaded to 0x00081FC0. | BIN |
PS1ID | 0x861850 | 0x40E50 | Only found in newer boot ROMs | BIN |
LIBFI | 0x861860 | 0x40E60 | Not present in the boot ROM of the SCPH-10000 and SCPH-15000. | BIN |
PS1VERJ | 0x861950 | 0x40F50 | BIN | |
PS1VERA | 0x861960 | 0x40F60 | BIN | |
PS1VERE | 0x861970 | 0x40F70 | BIN | |
PS1VERC | 0x861980 | 0x40F80 | BIN | |
PS1VERH | 0x861990 | 0x40F90 | BIN | |
OSDSYS | 0x8619A0 | 0x40FA0 | The browser | BIN |
- | 0x8619B0 | 0x40FB0 | BIN | |
RDRAM | 0x861A00 | 0x41000 | Provides a RDRAM test for the EE at power-on. This is run from RESET. | BIN |
- | 0x864190 | 0x43A30 | BIN | |
EELOADCNF | 0x864200 | 0x43D50 | Contains the IOP boot configuration file for EELOAD. | BIN |
SIFCMD | 0x864900 | 0x43F00 | SIF command module. Contains the SIF command and SIF RPC functions. | ELF |
REBOOT | 0x866B40 | 0x46140 | The reboot service. Receives IOP reset packets from the EE, from across the SIF. | ELF |
LOADFILE | 0x867310 | 0x46910 | The RPC server for MODLOAD | ELF |
EECONF | 0x869A70 | 0x49070 | Loads part of the system configuration from the MECHACON EEPROM. Also configures and resets some peripherals, depending on the model version. In slimlines, and possibly on PS3 EECONF will also load the MAC address. | ELF |
- | 0x86A9F0 | 0x49FF0 | BIN | |
IOPBOOT | 0x86AA00 | 0x4A000 | IOP bootup program | BIN |
- | 0x86BB60 | 0x4B160 | BIN | |
TBIN | 0x86C200 | 0x4B800 | The PS1 monitor program. Seems to be the PS1 BIOS. This is started by RESET, when the IOP is in PS1 mode. | BIN |
XSHA1 | 0x87A170 | 0x59770 | sha1 - this only present in PS3. It is used as additional antipiracy check. It seems that it calculate disc main elf checksum and compares it with some database. Config related? | ELF |
XLOADFILE | 0x87B140 | 0x5A740 | Updated module | ELF |
SIO2MAN | 0x87E1F0 | 0x5D7F0 | SIO2 manager. Provides access to the SIO2 interface. | ELF |
- | 0x87FE20 | 0x5F420 | BIN | |
BNNETCNF | 0x881D00 | 0x61300 | Network configuration. Used by BB Navigator Network Configuration Library. | BIN |
MCSERV | 0x881D40 | 0x61340 | RPC server for MCMAN. | ELF |
- | 0x883A40 | 0x63040 | BIN | |
KROMG | 0x884A00 | 0x64000 | BIN | |
- | 0x8866C0 | 0x65CC0 | BIN | |
KROM | 0x886A30 | 0x66030 | Kanji ROM? Not sure where this is used. | BIN |
- | 0x8A0870 | 0x7FE70 | BIN | |
ROMVER | 0x8A0900 | 0x7FF00 | ROM version. | BIN |
- | 0x8A0910 | 0x7FF10 | BIN | |
VERSTR | 0x8A0930 | 0x7FF30 | Version string. Probably PS1 ROM will use this because that this string is also present in PlayStation consoles. | BIN |
- | 0x8A0990 | 0x7FF90 | BIN | |
ROMGSCRT | 0x8A0A00 | 0x80000 | BIN | |
NCDVDMAN | 0x8A3730 | 0x82D30 | It seems to be a heavily stripped-down CDVDMAN module, with no support for some S-command functions like sceCdRI. | ELF |
SECRMAN | 0x8B0170 | 0x8F770 | Security Manager. Signing is NOT done with the one in ROM, but with a special version that comes with the utility discs. Looks like PS3 units have a different SECRMAN module from retail sets, similar to PS2 TOOL one. | ELF |
MCMAN | 0x8B4630 | 0x93C30 | Memory Card Manager. | ELF |
PADMAN | 0x8C3AC0 | 0xA30C0 | Pad manager. | ELF |
CDVDMAN | 0x8CD210 | 0xAC810 | The CD/DVD manager. | ELF |
CDVDFSV | 0x8D55C0 | 0xB4BC0 | The RPC server for CDVDMAN. | ELF |
FILEIO | 0x8DD980 | 0xBCF80 | RPC server for IOMAN. Sony has greatly changed the semantics and design of FILEIO after some point. Connecting an old FILEIO EE RPC client to a newer server will result in a severe IOP crash. | ELF |
CLEARSPU | 0x8DFA80 | 0xBF080 | Seems to clear/reset the SPU, but is known to cause crashes under some conditions. Not sure if it's buggy or not. Only used by the OSDSYS of the SCPH-10000 and SCPH-15000, probably retained for backward-compatibility. | ELF |
UDNL | 0x8E16C0 | 0xC0CC0 | It is responsible for selecting the modules and starting the IOP, during the final phase of the IOP reset where the desired modules are to be loaded into the IOP. | ELF |
IGREETING | 0x8E35C0 | 0xC2BC0 | Displays boot information (i.e. IOP boot type, EBOOTP, IBOOTP, switch positions for DSW602 and the type of DSW602 board installed | ELF |
EELOAD | 0x8E4620 | 0xC3C20 | The EE ELF loader, which is loaded by LoadExecPS2() to 0x00082000 in PS2 for loading ELFs. | BIN |
XCDVDMAN | 0x8F37A0 | 0xD2DA0 | cdvd_driver - Updated module | ELF |
XCDVDFSV | 0x902530 | 0xE1B30 | cdvd_ee_driver - Updated module | ELF |
OSDSND | 0x910960 | 0xEFF60 | OSD sound library. This is actually the tentative sound driver, which is called "librspu2" in the Sony SDK. | ELF |
PS2LOGO | 0x93B5B0 | 0x11ABB0 | Displays the PlayStation 2 logo from the inserted disc. For newer consoles, if the logo cannot be decrypted properly, it will fall back to the browser. Not actually required to boot games, but the Sony OSDSYS boots PS2 games through this program. | ELF |
XPARAM2 | 0x957F00 | 0x137500 | Store IOP emulation settings/flags | ELF |
OSDSYS | 0x95A400 | 0x139A00 | The browser, in ps3 is stripped to parse xparam2. No real browser here. | BIN |
PIOPRP | 0x998280 | 0x177880 | Present in the PS3 ps2_(gx/soft/net)emu; contains version 3.1.0 of the IOP software (compared to version 1.3.4 on the root). | BIN |
KERNEL | 0x9DC1E0 | 0x1BB7E0 | The EE kernel | BIN |
Description source: https://gist.github.com/uyjulian/25291080f083987d3f3c134f593483c5
Bios region patch[edit | edit source]
Emulator patch loaded bios image to set proper region based on target_id, and string (separated for readability):
JJjpnJJ AAengAUU EEengEEE EEengEOA HHengJAG ERengERD CCschJCC HKkorJAG HHtchJAG AAspaAMM
Note: Additional space after first set is intentional and exist also in full string.
Target id to region pairing:
* JJjpnJJ for 0x83 * AAengAUU for 0x84 , others (DECR, etc.) * EEengEEE for 0x85 , 0x87 (also forced if game id from SYSTEM.CNF is xxEx_yy.zzz) * HHengJAG for 0x86 , 0x8A , 0x8E * AAspaAMM for 0x88 , 0x8F * EEengEOA for 0x89 * HHtchJAG for 0x8B * ERengERD for 0x8C * CCschJCC for 0x8D (unreleased PS3 Chinese model) * HKkorJAG unused
Bios is patched using EE memory mapping addresses, so offset in file + 0x1FC00000. Using HKkorJAG example, addresses below are set to:
* 0x1FC7FF04 = H (x in "0220xD20121227" string) * 0x1FC7FF14 = K * 0x1FC7FF15 = k * 0x1FC7FF16 = o * 0x1FC7FF17 = r * 0x1FC7FF52 = J (x in "System ROM Version 5.0 12/27/12 x" string) * 0x1FC7FF20 = A * 0x1FC7FF90 = G
Virtual PS2 HDD[edit | edit source]
There are 2 different "PS2 game" contents that can be installed in PS3 HDD (CATEGORY's 2P and 2G ). 2P are games released from PSN as "PS2 Classic" in .PKG format, and 2G are a few real "PS2 DVD discs" that can be installed in the PS3 HDD, this installation is managed by the PS2_system_data.pkg.
This games can be installed in real PS2 (in the internall HDD of a PS2 fat)... later this same installation was used in the PSX... and when implemented in PS3 there was needed to use a virtual PS2 HDD image file keeping the same format than the original HDD used in PS2.
Game files (extracted from the real PS2 disc) are installed in a IMAGE.DAT file, this file is a 1:1 "raw copy" of a PS2 HDD.
This IMAGE.DAT is placed in the "install folder" (inside USRDIR folder) and his size can vary up to 10+GB
There are 2 different installations: the most common is used to store "game expansions" (e.g: used by additional content in SOCOM games)... the other type of installation is a "full install" and it seems the only game that uses it is "Final Fantasy XI" (main game installation when the game boots for first time + game expansions added later when needed in the same IMAGE.DAT)
PS2_system_data.pkg itself uses an IMAGE.DAT file (6.43 MB)
The structure of this "virtual PS2 HDD" uses an "APA header" and a "APA MBR" + several "APA partitions", some of them containing "PFS filesystems".
Error message trying to boot a CATEGORY "2G" game with hand-made SFO's and invalid IMAGE.DAT file: The game partition for this game cannot be created because the installed game is corrupted. To perform this operation, delete the game, and then reinstall the game using the disc.
- Notes
- List of PS2 disc games compatibles with PS3 HDD installation hardcoded in dev_flash/vsh/module/game_ext_plugin.sprx
- Virtual PS2 HDD support module dev_flash/vsh/module/libps2hdd.sprx ?
PS2 System Data (PSN HDD Tool package)[edit | edit source]
A direct link to the package can be found in NoPayStation database in DLCs
Content ID: IP9100-NPIA00001_00-PS2HDDSYSDAT0001 QA Digest: 2A876715D42678BB7A6E00C030C0121B HASH: E1B0DBE46FC44190DC7A140681D8B9D4
http://manuals.playstation.net/document/en/ps3/current/game/hddinstall.html
Titles supporting HDD installation
- Nobunaga's Ambition Online and Expansion Packs
- Final Fantasy XI (disc1=SCUS97266 disc2=SCUS97269)and Expansion Discs
- SOCOM II: U.S. NAVY SEALs and Related discs included with OPM Issue 87, OPM Issue 88, OPM Issue 89, OPM Issue 90
- SOCOM 3: U.S. NAVY SEALs
- SOCOM: U.S. NAVY SEALs Combined Assault
- Front Mission Online
- Official PlayStation Magazine Issue 87, 88, 89, 90 Discs
( non-official ps2hdd gameslist )
TitleID/DiscID in game_ext_plugin.sprx[edit | edit source]
Mainly Final Fantasy 11, Nobunaga Ambition Online, Socom IDs and the required HDD Gigabyte amount for install onto the internal hdd.
Speculation: flags are AND' with 0,1,2 (selected from sys_sm_get_hw_config according to ps2emu hardware flags? 0 = no hw?, 1 = gxemu?, 2=full hw? )
Flags | DiscID | Alternative? DiscID | GigaByte | Title | 0 = VMC 1 = IMAGE.DAT |
Internal Name? | GigaByte |
---|---|---|---|---|---|---|---|
0xFFFF | SLPS20200 | SLPS25200 | 0x15 | FINAL FANTASY XI | 1 | PP.SLPM-25200.MAGIC.APPLICATION | 0x15 |
SLPM65705 | |||||||
SLPM65706 | |||||||
SLPM65953 | |||||||
SLPM66393 | |||||||
SLPM66394 | |||||||
SLPM66893 | |||||||
SLPM66894 | |||||||
SLPM55229 | |||||||
0x0001 | SLPM65197 | SLPM65197 | 0x07 | 信長の野望 Online | 1 | PP.SLPM-65197.MAGIC.APPLICATION | 0x07 |
SLPM65783 | |||||||
SLPM66539 | |||||||
SLPM66954 | |||||||
0xFFFF | SCUS97269 | SCUS97269 | 0x15 | FINAL FANTASY XI | 1 | PP.SCUS-97266.MAGIC.APPLICATION | 0x15 |
SLUS21070 | |||||||
SLUS21404 | |||||||
SLUS21694 | |||||||
SLUS21704 | |||||||
0xFFFF | SCUS97275 | SCUS97275 | 0x02 | SOCOM | 0 | PP.SCUS-97275..SOCOM_II | 0x02 |
SCUS97474 | |||||||
SCUS97340 | |||||||
SCUS97341 | |||||||
SCUS97342 | |||||||
SCUS97442 | |||||||
SCUS97545 |
In PS2 Emulator same Title IDs are present with following information:
SLPS25200 FINAL FANTASY XI : 0x00000001 SCUS97269 FINAL FANTASY XI : 0x00000003 SLPM65981 Front Mission Online : 0x00000001 SLPM65197 Nobunagas Ambition Online : 0x00000002 (return different value in IOP SPEED 0x10000004 read (2 instead of default 3) )
Emulators management from GameOS[edit | edit source]
Mountpoints[edit | edit source]
dev_ps2disc dev_ps2disc1
ps2_netemu syscalls[edit | edit source]
Vector at 0xC00 address.
0x00 - 0 = return ((unk from 0x1C30/0x1C38 << 56) | thread_number << 48 | ctrl_CT1 (in bit 30) | srr1_EE (in bit 15) | srr1_PS (in bit 14) | srr1_DR (in bit 4)) Where 0x1C30/0x1C38 is selected depending on current HW thread. Thread number is current SW thread ctrl_CT1 is lower bit of CT (Current Thread) from PPC Control Register (0 for HW0, 1 for HW1) srr1_EE is MSR Enable External Interrupts bit from time when exception occurred (from before syscall was executed) srr1_PS is MSR Problem State bit from time when exception occurred (from before syscall was executed) srr1_DR is MSR Data Relocate bit from time when exception occurred (from before syscall was executed) 1 = 0x132 lv1 panic 2 = 0x133 lv1 panic 3 = 0x134 lv1 panic 4 = 0x135 lv1 panic else = 0x136 lv1 panic 0x02 - Destroy init code and perform illegal instructions check. Memzero following addresses: CODE: 0x16000 - 0x20B80 DATA: 0x930F80 - 0x933F80 UNK: 0x3D016000 - 0x3D020B80 0x03 - Enable additional code related to VU0/COP2. 3 = Patch 0x186C10 to NOP 4 = Patch 0x186C40 to NOP anything else = LV1 panic 0x04 - Unknown. Available for HW0 only. 0x05 - External interrupts disable (48 bit in MSR). Returns previous MSR state. 0x06 - External interrupts enable (48 bit in MSR) if param & 0x8000 is not 0, otherwise disable them. This sc is more like restore 48th bit of MSR, but many times emu use it to enable bit without using old state. Also, emulator panic LV1 if syscall is called while external interrupts are already enabled. 0x0A - IPU emulation related syscall 0x0B - IPU emulation related syscall 0x0C - Used in PS2 COP0 MTC0/MFC0 r9/r25 (count/perf), decrementer/timing related, return value in r15. Config CMD 0x17 disable that syscall for r9 (count) r/w, and alternative path is used. Perf r/w still use it. 0x0E - PS2 counters/timers related (also used on vsync related functions). 0x0F - PS2 counters/timers related (also used on vsync related functions). 0x10 - lv1 panic. 0x11 - Wrapper for lv1_read_virtual_uart(port_number, buffer, bytes) [HW0 only, only ports 0 and 2 available, else panic] 0x12 - Wrapper for lv1_storage_send_device_command(dev_id, cmd_id, cmd_block, cmd_size, data_buffer, blocks) [HW0 only, Available only for threads: VRC, MECHA, HDD, else panic] params are rearranged: r3 = cmd_block (0x245E000 is added to this value internally) r4 = data_buffer (0x245E000 is added to this value internally) r5 = blocks dev_id is taken from 0x245D008 and it is 0(HDD) for my dump. cmd_id = 0x88 and cmd_size is 8. 0x13 - Set thread info unknown byte to 1 for respective thread and set unknown byte to 1 in USB thread. [HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler] 0x14 - Same as 0x13 but set all bits to 0 regardless which thread called it. [HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler] 0x1002 - Invalidate gpu hvcalls. 0x800000XX - HV Syscall where XX is syscall nr. else (other syscalls) - jump to 0x12670 (FW4.78 - current) for HW_0 jump to 0x12050 (FW4.78 - current) for HW_1
List of used HV syscalls:
0x80000000 - HV_Syscall_Reference#lv1_allocate_memory 0x80000001 - HV_Syscall_Reference#lv1_write_htab_entry 0x80000002 - HV_Syscall_Reference#lv1_construct_virtual_address_space 0x80000007 - HV_Syscall_Reference#lv1_select_virtual_address_space 0x80000009 - HV_Syscall_Reference#lv1_pause 0x8000000F - HV_Syscall_Reference#lv1_put_iopte 0x80000012 - HV_Syscall_Reference#lv1_construct_event_receive_port 0x8000001A - HV_Syscall_Reference#lv1_detect_pending_interrupts 0x8000001B - HV_Syscall_Reference#lv1_end_of_interrupt 0x8000001C - HV_Syscall_Reference#lv1_connect_irq_plug 0x80000039 - HV_Syscall_Reference#lv1_construct_logical_spe 0x8000003D - HV_Syscall_Reference#lv1_set_spe_interrupt_mask 0x80000042 - HV_Syscall_Reference#lv1_clear_spe_interrupt_status 0x80000043 - HV_Syscall_Reference#lv1_get_spe_interrupt_status 0x80000045 - HV_Syscall_Reference#lv1_get_logical_ppe_id 0x80000049 - HV_Syscall_Reference#lv1_set_interrupt_mask 0x8000004A - HV_Syscall_Reference#lv1_get_logical_partition_id 0x8000004E - HV_Syscall_Reference#lv1_get_spe_irq_outlet 0x8000005B - HV_Syscall_Reference#lv1_get_repository_node_value 0x8000005F - HV_Syscall_Reference#lv1_read_htab_entries 0x80000061 - HV_Syscall_Reference#lv1_set_vmx_graphics_mode 0x80000062 - HV_Syscall_Reference#lv1_set_thread_switch_control_register 0x80000074 - HV_Syscall_Reference#lv1_allocate_io_segment 0x80000076 - HV_Syscall_Reference#lv1_allocate_ioid 0x80000078 - HV_Syscall_Reference#lv1_construct_io_irq_outlet 0x8000007C - HV_Syscall_Reference#lv1_undocumented_function_124 0x8000007D - HV_Syscall_Reference#lv1_undocumented_function_125 0x8000007E - HV_Syscall_Reference#lv1_undocumented_function_126 0x80000088 - HV_Syscall_Reference#lv1_undocumented_function_136 0x8000008C - HV_Syscall_Reference#lv1_construct_lpm 0x8000008D - HV_Syscall_Reference#lv1_destruct_lpm 0x8000008E - HV_Syscall_Reference#lv1_start_lpm 0x8000008F - HV_Syscall_Reference#lv1_stop_lpm 0x80000090 - HV_Syscall_Reference#lv1_copy_lpm_trace_buffer 0x80000091 - HV_Syscall_Reference#lv1_add_lpm_event_bookmark 0x80000092 - HV_Syscall_Reference#lv1_delete_lpm_event_bookmark 0x80000093 - HV_Syscall_Reference#lv1_set_lpm_interrupt_mask 0x80000094 - HV_Syscall_Reference#lv1_get_lpm_interrupt_status 0x80000095 - HV_Syscall_Reference#lv1_set_lpm_general_control 0x80000096 - HV_Syscall_Reference#lv1_set_lpm_interval 0x80000097 - HV_Syscall_Reference#lv1_set_lpm_trigger_control 0x80000098 - HV_Syscall_Reference#lv1_set_lpm_counter_control 0x80000099 - HV_Syscall_Reference#lv1_set_lpm_group_control 0x8000009A - HV_Syscall_Reference#lv1_set_lpm_debug_bus_control 0x8000009B - HV_Syscall_Reference#lv1_set_lpm_counter 0x8000009C - HV_Syscall_Reference#lv1_set_lpm_signal 0x8000009D - HV_Syscall_Reference#lv1_set_lpm_spr_trigger 0x800000A3 - HV_Syscall_Reference#lv1_write_virtual_uart 0x800000A4 - HV_Syscall_Reference#lv1_set_virtual_uart_param 0x800000A5 - HV_Syscall_Reference#lv1_get_virtual_uart_param 0x800000A6 - HV_Syscall_Reference#lv1_configure_virtual_uart_irq 0x800000AA - HV_Syscall_Reference#lv1_open_device 0x800000AB - HV_Syscall_Reference#lv1_close_device 0x800000AC - HV_Syscall_Reference#lv1_map_device_mmio_region 0x800000AE - HV_Syscall_Reference#lv1_allocate_device_dma_region 0x800000AF - HV_Syscall_Reference#lv1_free_device_dma_region 0x800000B0 - HV_Syscall_Reference#lv1_map_device_dma_region 0x800000B1 - HV_Syscall_Reference#lv1_unmap_device_dma_region 0x800000B2 - HV_Syscall_Reference#lv1_read_pci_config 0x800000B3 - HV_Syscall_Reference#lv1_write_pci_config 0x800000C5 - HV_Syscall_Reference#lv1_connect_interrupt_event_receive_port 0x800000CF - HV_Syscall_Reference#lv1_enable_logical_spe 0x800000D2 - HV_Syscall_Reference#lv1_gpu_open 0x800000D4 - HV_Syscall_Reference#lv1_gpu_device_map 0x800000D6 - HV_Syscall_Reference#lv1_gpu_memory_allocate 0x800000D9 - HV_Syscall_Reference#lv1_gpu_context_allocate 0x800000DD - HV_Syscall_Reference#lv1_gpu_context_iomap 0x800000E1 - HV_Syscall_Reference#lv1_gpu_context_attribute 0x800000E3 - HV_Syscall_Reference#lv1_gpu_context_intr 0x800000E4 - HV_Syscall_Reference#lv1_gpu_attribute 0x800000F5 - HV_Syscall_Reference#lv1_storage_read 0x800000F6 - HV_Syscall_Reference#lv1_storage_write 0x800000F9 - HV_Syscall_Reference#lv1_storage_get_async_status 0x800000FF - HV_Syscall_Reference#lv1_panic
LPAR / AUTH ID's[edit | edit source]
Name | Auth ID | Self (/dev_flash/ps2emu) |
SM Ability Mask | Notes |
---|---|---|---|---|
PS2_LPAR | 0x1020000003000001 | ps2_emu.self | 0x201226D | |
*SCE_CELLOS_SYSTEM_MGR_PS2 | 0x107000001D000001 | |||
PS2_GX_LPAR | 0x1020000003000001 | ps2_gxemu.self | 0x201226D | |
*SCE_CELLOS_SYSTEM_MGR_PS2_GX | 0x107000001D000001 | |||
PS2_SW_LPAR | 0x1020000003000001 | ps2_softemu.self | 0x201226D | |
*SCE_CELLOS_SYSTEM_MGR_PS2_SW | 0x107000001D000001 | |||
PS2_NE_LPAR | 0x1020000003000001 | ps2_netemu.self | 0x412265 | Netemu additional SM abilities:
Missing SM abilities when compared to other ps2 emus:
|
*SCE_CELLOS_SYSTEM_MGR_PS2_NE | 0x107000001D000001 |
Note: All PS2 emulator lack 0x00000100 ability, thus can't get/set fan speed without LV1 patch.
Getting compatibility hardware info[edit | edit source]
See: PS2_Compatibility#Software
ps2bootparam.dat[edit | edit source]
A file created at path: dev_hdd0/tmp/game/ps2bootparam.dat
- See: ps2bootparam.dat
Cobra core[edit | edit source]
taken from storage_ext.c
patch_ps2emu_entry(ps2emu_type);
- sets proper ps2_(gx/soft)emu.self path for reboot
- patches ss_storage service 0x5004 disc checks on ss_server3.self inside lv1
(Change from Parameter li r3, 2 and li r3, 1E (Drive Authentification) to li r3, 0x29 (Reset Drive))
- and the usual either replace read/ioctl for iso etc.
Game CONFIG[edit | edit source]
Some of the PS2 emulator types (such ps2_gxemu.self, ps2netemu.self) are able to load config commands that are applyed "by game ID". The concept of "game patches" is not technically correct because some of the commands does patching functions but others does other things (not patching), and other commands works as switches or sets a value that are enviromental settings for the emulator (not for the game) but because are applyed "by game" should be considered enviromental settings for that specific game, so for simplification purposes you can think in all this data as "game configs"
This "game config" data seems to work in the same way for all the PS2 emulator types but can be located in different places, some are hardcoded inside the emulators itself (inside the .self), and at the time the "PS2 classics" emulator (ps2_netemu.self) was developed this config can be loaded from an external file
In short, the "game configs" can modify the game image (by patching it) and can be used to configure the virtual PS2 (the emulated machine). And can be loaded from hardcoded data (inside the .self) or from an external file (this feature is supported only by ps2_netemu.self). Maximum CONFIG size for ps2_netemu is 16384 bytes.
Config Commands[edit | edit source]
Below is a brief summary table with basic info about available config commands.
Detailed commands description can be found here: PS2 Config Commands.
If you want to read some speculation and brainstorming about them, please join the Discussion page.
Command Name | Command ID | Max Usage |
Command Data | |||||
---|---|---|---|---|---|---|---|---|
gxemu | softemu | netemu | Length | Params | ||||
TitleID enforce | N / A | N / A | 0x00 | 1 | char[10] | titleid | ||
Hook EE memory offset with emu function ID | 0x00 | 0x00 | 0x01 | 3 ? | 2 * uint32_t | offset | functionid | |
Set something | 0x01 | 0x01 | 0x02 | 1 | uint32_t | ? | ||
Skip r5900 CACHE IXIN/IHIN opcodes | 0x02 | 0x02 | 0x03 | 1 | 0 | Nothing | ||
Patch something in SP3 EEDMA | 0x03 | 0x03 | 0x04 | 1 | uint32_t | ? | ||
Alternative VIF1 DIRECT/DIRECTHL handler | 0x04 | 0x04 | 0x05 | 1 | 0 | Nothing | ||
Alternative VIF1 OFFSET handler | 0x05 | 0x05 | 0x06 | 1 | 0 | Nothing | ||
Delay VU1 xgkick by X cycles | 0x06 | 0x06 | 0x07 | 1 | uint32_t | cycles | ||
Patch VU1 memory by bitmask | 0x07 | 0x07 | 0x08 | 3 | 8 * uint32_t | MASK | ||
Patch EE memory 64 bit | 0x08 | 0x08 | 0x09 | 1→32 | uint32_t + LIST | count | LIST | |
Patch EE memory 32 bit | N / A | N / A | 0x0A | 1→32 | uint32_t + LIST | count | LIST | |
Patch game disc by sector & offset | 0x09 | 0x09 | 0x0B | 1→47 | uint32_t + LIST | count | LIST | |
Set something | 0x0A | 0x0A | 0x0C | 1 | 2 * uint16_t | unk_mode | unk_range | |
Set something | 0x0B | 0x0B | 0x0D | 1 | uint32_t | skip | ||
COP2 and FPU accurate ADD/SUB address | 0x0C | 0x0C | 0x0E | 32 | uint32_t | offset | ||
COP2 and FPU accurate ADD/SUB range | 0x0D | 0x0D | 0x0F | 32 | 2 * uint32_t | start offset | end offset | |
FPU accurate MUL/DIV range | 0x0E | 0x0E | 0x10 | 32 | 2 * uint32_t | start offset | end offset | |
VU0 accurate ADD/SUB address | 0x0F | 0x0F | 0x11 | 32 | uint32_t | offset | ||
VU0/COP2 multi cmd | 0x10 | 0x10 | 0x12 | 1→63 | uint32_t + LIST | flags ? | LIST | |
Memory Card Delay | 0x11 | 0x11 | 0x13 | 1 | uint64_t | time ? | ||
Alternative VU1 ADD/SUB | 0x12 | 0x12 | 0x14 | 1 | 0 | Nothing | ||
Patch IOP SPE program | 0x13 | 0x13 | 0x15 | 1 | uint32_t | 2 or higher | ||
Unknown | 0x14? | 0x14? | 0x16 | ? | ? | ? | ||
Alternative COP0 MTC0/MFC0 Count ($9) handler | 0x15 | 0x15 | 0x17 | 1 | uint8_t ? | status | ||
Switch something | 0x16 | 0x16 | 0x18 | 1 | 0 | Nothing | ||
Force analog controller mode | N / A | 0x17 | 0x19 | 1 | 0 | Nothing | ||
End fromIPU DMA transfer on BCLR command | 0x17 | 0x18 | 0x1A | 1 | 0 | Nothing | ||
IPU IDEC Hack | 0x18 | 0x19 | 0x1B | 1 | 0 | Nothing | ||
Emulate Multitap | 0x19? | 0x1A? | 0x1C | 1 | uint8_t | port | ||
Set Multitap | 0x1A | 0x1B | 0x1D | 1 | uint8_t | order | ||
Multitap related | 0x1B | N / A | 0x1E | 1 | uint8_t | ? | ||
Enable VIF0 cmds MSXXX/MPG/FLUSHE timings. | 0x1C | 0x1C | 0x1F | 1 | uint32_t | Initial cycles to run | ||
Set something | 0x1D | 0x1D | 0x20 | 1 | uint64_t | ? | ||
Set something | 0x1E | 0x1E | 0x21 | 1 | uint32_t | ? | ||
Switch something | N / A | 0x1F | 0x22 | 1 | 0 | Nothing | ||
Snowblind Engine hack | 0x1F | 0x20 | 0x23 | 1 | 0 | Nothing | ||
SIO2 Delay | 0x20 | 0x21 | 0x24 | 1 | uint64_t | ? | ||
Switch something | 0x21 | 0x22 | 0x25 | 1 | 0 | Nothing | ||
FPU accurate ADD/SUB range | 0x22 | 0x23 | 0x26 | 32 | 2 * uint32_t | start offset | end offset | |
COP2 accurate ADD/SUB range | 0x23 | 0x24 | 0x27 | 32 | 2 * uint32_t | start offset | end offset | |
Set something (CDVD) | 0x24 | 0x25? | 0x28 | 1 | uint32_t | ? | ||
CDVD seek timing | 0x25 | 0x26? | 0x29 | 1 | 2 * uint32_t | ? | ? | |
Switch something | 0x26 | 0x27 | 0x2A | 1 | 0 | Nothing | ||
Enable CDDA hack (CDVD) | 0x27? | 0x28 | 0x2B | 1 | 0 | Nothing | ||
Set something | 0x28 | 0x29 | 0x2C | 1 | uint32_t | ? | ||
Switch something | 0x29? | 0x2A | 0x2D | 1 | 0 | Nothing | ||
Set something | 0x2A | 0x2B | 0x2E | 1 | uint32_t | ? | ||
SPU2 multi cmd. | 0x2B | N / A | 0x2F | 1 | uint32_t | ? | ||
Reserved | N / A N / A N / A N / A N / A |
N / A N / A N / A N / A N / A |
0x30 0x31 0x32 0x33 0x34 |
0 | 0 | Nothing | ||
Enable Force Flip Field | N / A | N / A | 0x35 | 1 | 0 | Nothing | ||
Reserved | N / A N / A N / A N / A N / A N / A N / A |
N / A N / A N / A N / A N / A N / A N / A |
0x36 0x37 0x38 0x39 0x3A 0x3B 0x3C |
0 | 0 | Nothing | ||
Config revision | N / A | N / A | 0x3D | 1 | uint32_t | revision | ||
Switch something | N / A | N / A | 0x3E | 1 | 0 | Nothing | ||
Set something | N / A | N / A | 0x3F | 1 | uint32_t | ? | ||
Switch something | N / A | N / A | 0x40 | 1 | 0 | Nothing | ||
Switch something | N / A | N / A | 0x41 | 1 | 0 | Nothing | ||
Patch EE memory by overlay | N / A | N / A | 0x42 | 1→1023 | 2 * uint32_t + LIST | offset | count | LIST |
Set something | N / A | N / A | 0x43 | 1 | uint32_t | ? | ||
Disable smoothing filter | N / A | N / A | 0x44 | 1 | 0 | Nothing | ||
Switch something | N / A | N / A | 0x45 | 1 | 0 | Nothing | ||
Enable L2H Improvement | N / A | N / A | 0x46 | 1 | 0 | Nothing | ||
Enable XOR CSR | N / A | N / A | 0x47 | 1 | 0 | Nothing | ||
Set VSYNC IPU & Delay | N / A | N / A | 0x48 | 1 | 2 * uint32_t | ipu | delay | |
Switch something | N / A | N / A | 0x49 | 1 | 0 | Nothing | ||
Switch something | N / A | N / A | 0x4A | 1 | 0 | Nothing | ||
Set something | N / A | N / A | 0x4B | 1 | 2 * uint32_t | ? | ? | |
Set something | N / A | N / A | 0x4C | 1 | 2 * uint32_t | ? | ? | |
Set something | N / A | N / A | 0x4D | 1 | uint32_t | ? | ||
Unknown | N / A | N / A | 0x4E | 1 | ? | ? | ||
Unknown | N / A | N / A | 0x4F | 1 | ? | ? | ||
Enable pressure sensitive controls | N / A | N / A | 0x50 | 1 | 0 | Nothing |
Config file examples (for netemu)[edit | edit source]
Official PS2 Classic[edit | edit source]
See: PS2 Official Configs
Official GXEMU/SOFTEMU extracted[edit | edit source]
See: PS2 Official Configs
Custom Configs[edit | edit source]
See: PS2 Custom Configs
Config data examples (hardcoded)[edit | edit source]
Inside ps2_emu.self[edit | edit source]
Embedded patches are based on Checksum/Hash of title. ps2_emu is only emulator version where patches are described inside self file in ascii. Known patch types described in ascii are: Patch data, new SPU2 params, and Setting mecha HACK to show GODZCD as GODZCDDA.
PS2 Title | Hash | Game | Patch Type | Data |
---|---|---|---|---|
SCUS_971.46 | 0x6B1ADE00D | Disney's Treasure Planet | Patch data - Fixes black screen at start, it apply to STREAM_D.IRX file in IOP folder. | 0x147C (sector) , 0x580 (offset) (- 0xC on disc)
Replace opcodes 00 01 01 3C lui at,0x0100 80 BF 03 3C lui v1,0xBF80 C8 10 63 8C lw v1,0x10C8(v1) 24 18 61 00 and v1,at FB FF 61 10 beq v1,at, -0x10 00 00 00 00 nop Original opcodes FF FF 01 24 li at,-0x1 04 00 61 14 bne at,v1, +0x14 00 80 01 3C lui at,0x8000 02 00 41 14 bne at,v0, +0x0C 00 00 00 00 nop 0D 00 06 00 break |
SLUS_201.74 | 0x23D92589C5 | Rumble Racing | Patch data - fixes black screen after Playstation 2 logo. Patch apply to AUDIO.IRX file in MODULES folder | 0x3AEDA (sector), 0x120 (offset)
Replace opcodes 06 00 80 14 bnez a0, +0x1C 21 20 43 00 addu a0,v0,v1 21 10 A0 00 move v0,a1 02 00 A0 14 bnez a1, +0x0C 00 00 00 00 nop 01 00 05 24 li a1,0x1 EB FF 40 10 beqz v0, -0x50 04 00 84 24 addiu a0,0x4 FC FF 90 24 addiu s0,a0,-0x4 Original opcodes 07 00 80 14 bnez a0, +0x20 21 80 43 00 addu s0,v0,v1 21 10 A0 00 move v0,a1 02 00 A0 14 bnez a1, +0x0C 00 00 00 00 nop 01 00 05 24 li a1,0x1 FC FF 40 10 beqz v0, -0x0C 00 00 00 00 nop 04 00 04 26 addiu a0,s0,0x4 |
SLUS_211.96 | 0x24D92589D5 | Indigo Prophecy | new SPU2 params | 1 |
SLPM_661.93 | 0x608634992D | Fahrenheit (NTSC-J) | new SPU2 params | 1 |
SLUS_212.96 | 0x5CA15DF14D | Dance Factory | Setting mecha HACK to show GODZCD as GODZCDDA |
Inside ps2_gxemu.self/ps2_softemu.self[edit | edit source]
There are hundreds of configs hidden in ps2_gxemu, and ps2_softemu self files. Internal config structure is basing on custom hash based on Title ID, internal memory offset pointing to place where true patch instruction is, and count of used commands. When disc/iso is started emulator search for configs, and if config for selected ID exist, then emulator apply it by itself. Is not perfect way of applying patches, because some games use the same ID, but different content. Good example here is Star Wars Battlefront II SLUS-21240, where some versions of game can refuse to work because it apply bad patch.
PS2 Title | Hash | Game | Patch Type | Data |
---|---|---|---|---|
Known Emulation Bugs[edit | edit source]
This list known bugs inside emulator code that make emulation inaccurate. Since those are only EE side bugs for now, ps2_gxemu/ps2_netemu/ps_softemu share the same issues.
Bug | Description | Known Affected Games |
---|---|---|
Missing Emotion Engine Data Cache emulation | Emulating that is literally not possible without making games run at 3 fps. Fixed by patches to game image, or EE code. Instruction Cache (not Data) seems to be implemented, at least partially. | Ice Age 2, DOA2: Extreme, Nascar 2009. |
Branch delay slot violation not supported on EE | Some games have Branch instruction inside Branch delay slots, this is not emulated correctly on EE (VU have proper emulation of that). This is patched in configs by rearangging MIPS code. | WRC 3,4,Rally Evolved, one of Action Replay discs. |
Unmapped write only EE memory (confirmed only for SIF) | Reads/Writes to 0x2000000+ shouldn't throw bus error on dma transfers. Write should be performed as successful, memory should stay unchanged. Reads should return 0. | Games developed by In Utero, while creating initial save file, send DMA where address is EE stack pointer. At the time of transfer start $sp is too high, and requested transfer size make MADR overflow above 0x2000000 at some point. This is game bug, and happen also on real hardware. Fixed by config. |
VIF bugs | There is no correct timing, and queuing for some VIF commands like MSCAL. | Snowblind Engine games. Probably more. |
XGKick is instant | Some games expect to XGKick happen few cycles in future, on PS3 is done instant. Fixed by config 0x07 which delay XGKick by selected value | WRC series, Wakeboarding Unleashed, TriAce games, World of Outlaws - Sprint Cars, Ty - The Tazmanian Tiger, dot Hack - G.U. series, and more |
COP2 instructions are instant | Some games rely on fact that COP2 operations can take some time, on PS3 emulators they are done instantly due to lack of correctly emulated pipeline Patched by rearranging mips code | FFX, FFX-2, Ghost in The Shell SAC, Ace Combat series, Sprint Cars 1/2, Black, Run Like Hell, Everblue 2, Dragon Quest - Shounen Yangus no Fushigi na Daibouken, and many more |
VU0 is not running in sync with EE core | VU0 is running program "at once", which mean that VU0 run until it hits E bit. From EE perspective it looks like whole VU0 program run in 1 cycle. Games that expect VU0 registers to be changed from EE side while VU0 is running are broken due to that. Partially resolved using 0x12 command with 2/3 subcommands, or by code rearranging. | 24 The Game, ATV Quad Power Racing 2, Twisted Metal Head-On, Primal, Ghosthunter, Rayman Arena, Rayman 3, Largo winch. All games using M-bit. |
M-Bit not supported | Emulator ignore VU0 M-Bit, that cause issues for games that need it to work correctly. This is done because there is no way to sync correctly running VU0 without sync with EE. Partially resolved on emu using 0x12 command with 2/3 subcommands, or direct VU0/MIPS code rearranging. | Totally Spies! Totally Party, Mike Tyson Heavyweight Boxing, My Street, Crash Twinsanity, Marvel Nemesis, Panzer Elite Action - Fields of Glory, TriAce games (speed optimizations only), Super Monkey Ball Adventure, most Eko Software games, and many more. |
T-Bit not supported on VU0 | Emulator ignore VU0 T-Bit, that cause issues for games that need it to work. Note: T-Bit is correctly handled for VU1. | Spiderman 3 set T-Bit, then do cfc2 from TPC (address where VU0 stopped). Since T-Bit is ignored, TPC is wrong. Value is later copied to CMSAR0, and program continue at wrong address. Well that's what should happen, but T-Bit also not signalize correct bit in VPU-STAT. Causing another issue, also in Spiderman 3. |
Emulator do not update correct flag instances for COP2 while ending VU0 program on Ebit | This cause few games to read bad flag status (not status flag!) on COP2. This is resolved on emu by forcing update of MAC flag on every STATUS flag read (by config 0x12), this cause slowdowns creating a lot of unnecessary operations. | Driving Emotion Type-S, State of Emergency 2, The Getaway Black Monday. |
Not updated status flag when VDIV/VSQRT/VRSQRT is done on COP2 | Potential bad flag state can cause a lot of issues that are not related on first sight | Yanya Caballista (already patched by custom config) |
In corner cases emu select wrong block flags pipeline state (both VU0/EEonBE and VU1/VRC affected). | This can cause various issues, mostly SPS, missing graphic, specific slowdowns, etc. Issue seems to occur when branch/jump delay slot have opcode important for flags calculation. Theory is that cached microprogram don't include modified flags state from delay slot instruction. So when already recompiled program is fetched from pool, it will miss one cycle in fmac flags pipeline. This can be crucial in games that rely on it. | Tales of Legendia and Klonoa 2 set sticky flag bits to 0 and branch with sub.xyzw in delay slot (expecting that sub change status flag), Tamsoft engine games set sticky bits to 0 in branch delay slot, this was most ridiculous bug, because problematic branch was pointing to next opcode after delay slot, removing branch was enough. True Crime: NY is only known game where VU0 is affected by this bug. more.. |
CTC2 opcode write whole value to R register, while only 23 bits are writable. Rest is hardcoded to 0x3F800000. | Can cause many weird issues like broken physics, broken graphics. PCSX2 was also affected [more]. | The one game that is known to be affected, and is already patched, is Musashi: Samurai Legend. |
CFC2 from R register should return only 23 lower bits. | CFC2 from R on real PS2 return only lower 23 bits. Originally found out by PCSX2 team [more] and later confirmed to affect ps2_netemu in emu assembly. | There is only one game that is known to be affected, Onimusha Dawn of Dreams. |
Missing floating point result overflow/underflow detection (U/O flags not set) | Since this affect all units (FPU/VU), many issues can occur. But in reality it seems to not affect any games. While this is easier to implement than on x86 system (full floats range, compared to ieee754), there is no way to do that by hardware way. Because SPU add/sub don't set those flags on single precision operations, and vmx have them disabled in spu compatibility mode. | Superman Returns. |
DMA between SPR and VU1 memory cause emulator panic. | Currently cause is unknown. It seems that functions responsible for transfer don't check that VU is running. Manual state that dma can be performed only when VU is not active, and pcsx2 wait until VU end. Games affected in emulators on ps3 display this warning in pcsx2 if mtvu is enabled: "MTVU: SPR Accessing VU1 Memory". Affected games are fixed by rearranging code to do lq/sq loop instead of DMA. | Summoner 2 (SPRfrom to VU1 data mem), Kaena (SPRto from VU1 data mem). |
IOP SIF0/1 DMA IRQs can be disabled (masked), which is not true on real hardware. | IOP interrupts 0x2A and 0x2B should always trigger. Fixed by patches to IOP code. Ps2_emu seems to be unfacted, probably handled on real hw in CXD9208GP. | Knockout Kings 2001, DOA2: Hardcore. |
Software emulation bugs[edit | edit source]
Related to the GS emulation issues mostly. Apply to the ps2_netemu especially.
Bug | Description | Known Affected Games |
---|---|---|
No mipmapping support | Emulator does ignore the mipmap layers, probably for performance reasons. It is processing only the level 0 texture base pointer specified in the TEX0 register. There are games writing garbage data into that memory area, when the mipmap level is different than zero. As a result, a garbled texture is shown instead of a correct one. | Ace Combat series, Ape Escape 2, EA Sports F1 series, Harry Potter series, ICO (psuedo volumetric rays), Jak and Daxter series, Nickelodeon Barnyard and Nicktoons Unite (very strange implementation), Ratchet and Clank series and more. |
SCANMSK register ignored | Emulator does ignore the SCANMSK setting responsible for restricting the drawing primitives on the odd or even lines. It is used as a fake transparency effect in some games by merging the two display circuits. | Metal Gear Solid series (water and reflection effects), Gran Turismo series (ghost cars), Raw Danger! (depth of field effect) |
Missing PCRTC feedback write support | PCRTC feature that writes back the image to the frame buffer is not supported or broken. Additional RGB to YCbCr conversion could be performed there. | Xenosaga Episode I: Der Wille zur Macht (black and white cut scenes) |
TitleID/DiscID in ps2_netemu.self[edit | edit source]
There are 193 titleIDs listed inside ps2_netemu.self. More precisely, into XPARAM2.ELF file of PS2 Bios included in ps2_netemu.self. XPARAM2.ELF is called by OSDSYS, then ID check is performed. If title ID match to one of included in the table, different IOP emulation settings are applied. There are internal flags related to every title ID included inside file, still unknown what they do. Also some arguments, in plain text. File in real ps2 is introduced in SCPH-750XX models so exactly when DECKARD Power PC chip exchanged original IOP chip. This can explain why it is still in PS3 netemu bios. Because PS3 it is ppc that can need the same/similar flags.
Original PS2 bios include similar list file called XPARAM.ELF, but Title IDs there are not the same, although some of them exist on both lists.
Command | Name |
---|---|
0x00 | TITLE_MASK |
0x01 | SIO2_MASK |
0x02 | DEV9_MASK |
0x03 | USB_MASK |
0x04 | SIF_DMA_SYNC |
0x05 | SIF_DMA_LOAD |
0x06 | DMAC_CH10_INT_DELAY |
0x07 | MECHA_RECOGTIME |
0x08 | CPU_DELAY |
0x09 | DEV5_INT_SPEED |
0x0A | CDVD_READ_DELAY |
0x0B | SPU2_BEHAVIOR |
ID | Title | Command | Value | Remarks |
---|---|---|---|---|
PBPX_952.01 | DVD Utility Disc Version 1.00 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.02 | DVD Utility Disc Version 1.01 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.03 | DVD Utility Disc Version 1.01 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.06 | DVD Player (Version 2.01) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.07 | DVD Player (Version 2.10) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.08 | DVD Player (Version 2.10) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.09 | DVD Player (Version 2.10) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.10 | DVD Utility Disc Version 2.10 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.11 | DVD Utility Disc Version 1.00 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.21 | DVD Player (Version 2.12) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.22 | DVD Player (Version 2.14) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.24 | DVD Player (Version 2.16) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_952.28 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag | |
PBPX_952.35 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag | |
PBPX_952.39 | Online Start Up Disc v3.0 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_955.01 | Linux for PS2 Beta Release 1 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_955.07 | Playstation 2 Linux Runtime Environment v1.0 (Disc 1) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_955.09 | Linux for PS2 Release 1.0 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PBPX_955.18 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag | |
PDPX_991.09 | DVD Player (Version 3.04) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PSXC_002.01 | PSX Update Disc 1.10 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PSXC_002.02 | PSX Update Disc 1.20 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PSXC_002.03 | PSX Update Disc 1.31 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
PTPX_970.38 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag | |
SCAJ_201.25 | Tekken 5 | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SCAJ_201.26 | Tekken 5 | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SCES_532.02 | Tekken 5 | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SCKA_200.49 | Tekken 5 | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SCPM_621.15 | 0x00 | 0x1000000 | TITLE_MASK | |
SCPM_621.16 | 0x00 | 0x1000000 | TITLE_MASK | |
SCPN_601.01 | PlayStation BB Navigator (Version 0.10) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
SCPN_601.30 | PlayStation BB Navigator (Version 0.20) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
SCPN_601.40 | PlayStation BB Navigator (Version 0.30) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
SCPN_601.50 | PlayStation BB Navigator (Version 0.31) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
SCPN_601.60 | PlayStation BB Navigator (Version 0.32) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
SCPS_110.01 | I.Q. Remix | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
SCPS_110.10 | Yoake no Mariko (Performance Pack Edition) | 0x01 | 0x1800 | SIO2_MASK |
SCPS_110.18 | Yoake no Mariko | 0x01 | 0x1800 | SIO2_MASK |
SCPS_110.21 | Yoake no Mariko 2nd Act (Limited Edition) | 0x01 | 0x1800 | SIO2_MASK |
SCPS_110.22 | Yoake no Mariko 2nd Act | 0x01 | 0x1800 | SIO2_MASK |
SCPS_150.38 | Lifeline | 0x0A | 0x80300 | CDVD_READ_DELAY |
SCPS_150.39 | Lifeline | 0x0A | 0x80300 | CDVD_READ_DELAY |
SCPS_170.01 | Gran Turismo 4 | 0x0B | 0x10000000 | SPU2_BEHAVIOR |
SCPS_175.01 | Linux (for PlayStation2) Release 1.0 | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
SCPS_200.39 | 0x00 | 0x4000000 | TITLE_MASK | |
SCUS_971.67 | PaRappa the Rapper 2 | 0x04 | 0x2000 | SIF_DMA_SYNC |
SCUS_972.69 | Final Fantasy XI [Disc 2] | 0x02 | 0xB | DEV9_MASK |
SLES_500.48 | Donald Duck: Quack Attack | 0x01 | 0x800 | SIO2_MASK |
SLES_500.62 | Orphen: Scion of Sorcery | 0x08 | 0xC1C | CPU_DELAY |
SLES_503.64 | City Crisis | 0x0A | 0x80BB8 | CDVD_READ_DELAY |
SLES_504.46 | Shadow Man 2: The Second Coming | 0x0A | 0x80600 | CDVD_READ_DELAY |
SLES_505.40 | Simpsons: Road Rage | 0x01 | 0x800 | SIO2_MASK |
SLES_506.08 | Shadow Man 2: The Second Coming | 0x0A | 0x80600 | CDVD_READ_DELAY |
SLES_506.28 | Simpsons: Road Rage | 0x01 | 0x800 | SIO2_MASK |
SLES_507.28 | Tiger Woods PGA Tour 2002 | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLES_507.29 | 0x0A | 0x803E8 | CDVD_READ_DELAY | |
SLES_512.82 | Tiger Woods PGA Tour 2003 | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLES_514.79 | Def Jam Vendetta | 0x01 | 0x802 | SIO2_MASK |
SLES_518.41 | SpyHunter 2 | 0x01 | 0x800 | SIO2_MASK |
SLES_518.44 | Time Crisis 3 | 0x01 | 0x800 | SIO2_MASK |
SLES_519.97 | SWAT: Global Strike Team | 0x01 | 0x800 | SIO2_MASK |
SLES_520.97 | SWAT: Global Strike Force | 0x01 | 0x800 | SIO2_MASK |
SLES_530.37 | Super Monkey Ball Deluxe | 0x01 | 0x802 | SIO2_MASK |
SLES_536.68 | Micro Machines v4 | 0x01 | 0x801 | SIO2_MASK |
SLES_537.55 | Castlevania: Curse of Darkness | 0x04 | 0x10 | SIF_DMA_SYNC |
SLES_537.96 | FIFA Street 2 | 0x01 | 0x1800 | SIO2_MASK |
SLPM_620.42 | Kurogane no Houkou: Warship Commander | 0x01 | 0x3000 | SIO2_MASK |
SLPM_620.62 | Gitaroo Man One | 0x0A | 0x80540 | CDVD_READ_DELAY |
SLPM_621.05 | Taikou Risshiden IV | 0x09 | 0x2B47000A | DEV5_INT_SPEED |
SLPM_621.24 | Ready 2 Rumble Boxing: Round 2 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_621.25 | Gauntlet: Dark Legacy | 0x08 | 0xC1C | CPU_DELAY |
SLPM_621.25 | Gauntlet: Dark Legacy | 0x09 | 0x2B470005 | DEV5_INT_SPEED |
SLPM_621.35 | Final Fantasy: XI (Beta Version) | 0x00 | 0xA0000000 | TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag |
SLPM_621.54 | DDRMAX Dance Dance Revolution 6thMix | 0x08 | 0x1A5E | CPU_DELAY |
SLPM_622.39 | Supercar Street Challenge | 0x0A | 0x80300 | CDVD_READ_DELAY |
SLPM_623.69 | Karaoke Revolution: J-Pop Vol.1 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_623.79 | Karaoke Revolution: J-Pop Vol.2 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_623.80 | Karaoke Revolution: J-Pop Vol.3 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_623.81 | Karaoke Revolution: J-Pop Vol.4 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_623.82 | Karaoke Revolution: Love & Ballad | 0x08 | 0x1388 | CPU_DELAY |
SLPM_623.83 | Karaoke Revolution: Night Selection 2003 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.14 | Karaoke Revolution: Dreams & Memories | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.37 | Suisui Sweet: Amai Ai no Mitsukekata | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SLPM_624.50 | Karaoke Revolution: Anime Song Selection | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.51 | Karaoke Revolution: J-Pop Vol.5 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.54 | Karaoke Revolution: J-Pop Vol.6 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.55 | Karaoke Revolution: J-Pop Vol.7 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.56 | Karaoke Revolution: J-Pop Vol.8 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.57 | Karaoke Revolution: Snow & Party | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.64 | Pop'n Taisen Pazurudame Online | 0x08 | 0x1F40 | CPU_DELAY |
SLPM_624.79 | Karaoke Revolution: J-Pop Vol.9 | 0x08 | 0x1388 | CPU_DELAY |
SLPM_624.91 | Mega Man: The Power Battle | 0x04 | 0x2000 | SIF_DMA_SYNC |
SLPM_624.92 | Karaoke Revolution: Kids Song Selection | 0x08 | 0x1388 | CPU_DELAY |
SLPM_625.28 | Karaoke Revolution: Kazoku Idol Sengen (Bundle Edition) | 0x08 | 0x1388 | CPU_DELAY |
SLPM_625.29 | Karaoke Revolution: Kazoku Idol Sengen | 0x08 | 0x1388 | CPU_DELAY |
SLPM_650.86 | A Visual Mix: Ayumi Hamasaki Dome Tour 2001 (Disc 1) | 0x08 | 0x1450 | CPU_DELAY |
SLPM_650.87 | A Visual Mix: Ayumi Hamasaki Dome Tour 2001 (Disc 2) | 0x08 | 0x1450 | CPU_DELAY |
SLPM_650.90 | Spy Hunter | 0x01 | 0x1800 | SIO2_MASK |
SLPM_651.97 | Nobunaga's Ambition Online | 0x02 | 0xB | DEV9_MASK |
SLPM_652.09 | Star Ocean: Till the End of Time | 0x0B | 0x20014 | SPU2_BEHAVIOR |
SLPM_654.38 | Star Ocean: Till the End of Time (Director's Cut) (Disc 1) | 0x0B | 0x20014 | SPU2_BEHAVIOR |
SLPM_654.39 | Star Ocean: Till the End of Time (Director's Cut) (Disc 2) | 0x0B | 0x20014 | SPU2_BEHAVIOR |
SLPM_654.88 | Grand Theft Auto: Vice City | 0x0A | 0x300 | CDVD_READ_DELAY |
SLPM_654.88 | Grand Theft Auto: Vice City | 0x09 | 0x36000200 | DEV5_INT_SPEED |
SLPM_656.33 | I Love Baseball: Pro Yakyu wo Koyonaku | 0x08 | 0xFA0 | CPU_DELAY |
SLPM_656.98 | Love Songs: ADV Futaba Riho 14-sai Natsu | 0x0A | 0x80380 | CDVD_READ_DELAY |
SLPM_657.05 | Final Fantasy XI: Chains of Promathia (Expansion Disc) | 0x02 | 0xB | DEV9_MASK |
SLPM_657.06 | Final Fantasy XI: Chains of Promathia (All-In-One Edition) | 0x02 | 0xB | DEV9_MASK |
SLPM_657.19 | Burnout 3: Takedown | 0x01 | 0x1C00 | SIO2_MASK |
SLPM_657.83 | Nobunaga no Yabou Online: Tappi no Shou | 0x02 | 0xB | DEV9_MASK |
SLPM_658.94 | Winning Post 6: 2005 Version | 0x01 | 0x2400 | SIO2_MASK |
SLPM_659.34 | Maple Colors | 0x0A | 0x80300 | CDVD_READ_DELAY |
SLPM_659.53 | Final Fantasy: XI (Entry Disc 2005) | 0x02 | 0xB | DEV9_MASK |
SLPM_659.84 | Grand Theft Auto: San Andreas | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLPM_660.33 | The Sword of Etheria | 0x08 | 0xC1C | CPU_DELAY |
SLPM_660.33 | The Sword of Etheria | 0x00 | 0x2000000 | TITLE_MASK |
SLPM_660.48 | The Sword of Etheria | 0x08 | 0xC1C | CPU_DELAY |
SLPM_660.48 | The Sword of Etheria | 0x00 | 0x2000000 | TITLE_MASK |
SLPM_660.57 | Taito Memories Vol.1 | 0x08 | 0xCE4 | CPU_DELAY |
SLPM_661.56 | Marheaven: Arm Fight Dream | 0x01 | 0x1800 | SIO2_MASK |
SLPM_661.75 | Akumajo Dracula: Yami no Juin | 0x08 | 0x60 | CPU_DELAY |
SLPM_661.75 | Akumajo Dracula: Yami no Juin | 0x0B | 0x2001C | SPU2_BEHAVIOR |
SLPM_663.93 | Final Fantasy XI: Treasures of Aht Urhgan (All-In-One Edition) | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLPM_663.93 | Final Fantasy XI: Treasures of Aht Urhgan (All-In-One Edition) | 0x09 | 0x2B47000A | DEV5_INT_SPEED |
SLPM_663.93 | Final Fantasy XI: Treasures of Aht Urhgan (All-In-One Edition) | 0x02 | 0xB | DEV9_MASK |
SLPM_663.94 | Final Fantasy XI: Treasures of Aht Urhgan | 0x02 | 0xB | DEV9_MASK |
SLPM_664.36 | Aria the Natural | 0x01 | 0x1800 | SIO2_MASK |
SLPM_664.36 | Aria the Natural | 0x00 | 0xA000000 | TITLE_MASK |
SLPM_665.39 | Nobunaga no Yabou Online: Haten no Shou | 0x02 | 0xB | DEV9_MASK |
SLPM_665.58 | Tomb Raider: Legend | 0x08 | 0x3E8 | CPU_DELAY |
SLPM_665.74 | Detective Evangelion | 0x00 | 0x2000000 | TITLE_MASK |
SLPM_680.07 | Karaoke Revolution (Trial) | 0x08 | 0x1388 | CPU_DELAY |
SLPM_680.10 | 0x08 | 0x1388 | CPU_DELAY | |
SLPS_200.08 | Morita Shogi | 0x08 | 0x1388 | CPU_DELAY |
SLPS_200.20 | FIFA 2000 World Championship | 0x04 | 0x2001 | SIF_DMA_SYNC |
SLPS_200.37 | Go Go Golf | 0x09 | 0x2B47000A | DEV5_INT_SPEED |
SLPS_200.38 | Grappler Baki: Baki Saidai no Tournament | 0x08 | 0x1194 | CPU_DELAY |
SLPS_200.53 | Tenshi no Present: Marle Oukoku Monogatari (Limited Edition) | 0x0B | 0x20000000 | SPU2_BEHAVIOR |
SLPS_200.66 | Tenshi no Present: Marle Oukoku Monogatari | 0x0B | 0x20000000 | SPU2_BEHAVIOR |
SLPS_201.01 | City Crisis | 0x0A | 0x80BB8 | CDVD_READ_DELAY |
SLPS_201.11 | Magical Sports Pro Baseball 2001 | 0x09 | 0x2B47000A | DEV5_INT_SPEED |
SLPS_201.72 | Koushien: Konpeki no Sora | 0x09 | 0x2B47000A | DEV5_INT_SPEED |
SLPS_201.73 | Hard Hitter 2 | 0x0A | 0x80300 | CDVD_READ_DELAY |
SLPS_201.97 | Surfing Air Show with RatBoy | 0x09 | 0x2B47000A | DEV5_INT_SPEED |
SLPS_201.99 | F1 2002 | 0x0B | 0x20005 | SPU2_BEHAVIOR |
SLPS_202.00 | Final Fantasy XI | 0x02 | 0xB | DEV9_MASK |
SLPS_204.04 | Rakushou! Pachi-Slot Sengen 2 | 0x0A | 0x80300 | CDVD_READ_DELAY |
SLPS_204.29 | Hissatsu Pachi-Slot Evolution: Ninja Hattori-Kun V | 0x08 | 0x1B58 | CPU_DELAY |
SLPS_204.55 | Simple 2000 Series Vol.94: The Aka-Champion - Come on Baby | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SLPS_250.08 | Sorcerous Stabber Orphen | 0x08 | 0xC1C | CPU_DELAY |
SLPS_250.71 | A Visual Mix: Ayumi Hamasaki Dome Tour 2001 | 0x08 | 0x1450 | CPU_DELAY |
SLPS_250.72 | A Visual Mix: Ayumi Hamasaki Dome Tour 2001 | 0x08 | 0x1450 | CPU_DELAY |
SLPS_250.81 | Saishuu Densha | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLPS_251.36 | Kuon no Kizuna Sairin Mikotonori | 0x0A | 0x805DC | CDVD_READ_DELAY |
SLPS_251.42 | Tiger Woods PGA Tour 2002 | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLPS_251.50 | Only You | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SLPS_252.37 | Only You | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SLPS_252.75 | Def Jam: Vendetta | 0x01 | 0x802 | SIO2_MASK |
SLPS_252.78 | Memories Off: Mix | 0x0A | 0x80300 | CDVD_READ_DELAY |
SLPS_252.90 | Time Crisis 3 | 0x01 | 0x800 | SIO2_MASK |
SLPS_253.15 | One Piece: Grand Battle 3 | 0x01 | 0x1800 | SIO2_MASK |
SLPS_253.57 | 3-Nen B-Gumi Kinpachi Sensei: Densetsu no Kyoudan ni Tate! | 0x01 | 0x1800 | SIO2_MASK |
SLPS_253.79 | Tokyo Majin Gakuen: Kaihoujyou Kefurokou | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLPS_254.06 | Hitman: Contracts | 0x08 | 0xDAC | CPU_DELAY |
SLPS_254.18 | Ace Combat 5: The Unsung War | 0x0A | 0x500000 | CDVD_READ_DELAY |
SLPS_255.10 | Tekken 5 | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SLPS_255.85 | Monster Farm 5: Circus Caravan | 0x07 | 5 | MECHA_RECOGTIME |
SLPS_255.86 | Tales of the Abyss | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLPS_256.04 | Ar tonelico Qoga: Knell of Ar Ciel | 0x00 | 0xA000000 | TITLE_MASK |
SLPS_256.67 | Daito Giken Premium Pachi-Slot Collection: Yoshimune | 0x01 | 0x1800 | SIO2_MASK |
SLPS_256.98 | Fatal Fury Battle Archives Volume 2 | 0x00 | 0xA000000 | TITLE_MASK |
SLPS_257.08 | The Familiar of Zero (Limited Edition) | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLPS_257.09 | The Familiar of Zero | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLPS_257.21 | HimeHibi - Princess Days | 0x0B | 0x8000000 | SPU2_BEHAVIOR |
SLPS_257.22 | Routes PE (Limited Edition) | 0x08 | 0x3E8 | CPU_DELAY |
SLPS_257.27 | Routes PE | 0x08 | 0x3E8 | CPU_DELAY |
SLPS_732.49 | Ar tonelico Qoga: Knell of Ar Ciel (Platinum) | 0x00 | 0xA000000 | TITLE_MASK |
SLUS_200.11 | Orphen: Ocion of Sorcery | 0x08 | 0x1388 | CPU_DELAY |
SLUS_200.11 | Orphen: Ocion of Sorcery | 0x09 | 0x8000010 | DEV5_INT_SPEED |
SLUS_200.77 | Donald Duck: Go'in Quackers | 0x01 | 0x800 | SIO2_MASK |
SLUS_202.74 | City Crisis | 0x0A | 0x80BB8 | CDVD_READ_DELAY |
SLUS_203.05 | Simpsons: Road Rage | 0x01 | 0x800 | SIO2_MASK |
SLUS_203.64 | Tiger Woods PGA Tour 2002 | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLUS_204.13 | Shadowman 2 | 0x0A | 0x80600 | CDVD_READ_DELAY |
SLUS_204.33 | SWAT: Global Strike Team | 0x01 | 0x800 | SIO2_MASK |
SLUS_204.88 | Star Ocean: Til the end of Time [Disc 1] | 0x08 | 0x1388 | CPU_DELAY |
SLUS_205.72 | Tiger Woods PGA Tour 2003 | 0x0A | 0x803E8 | CDVD_READ_DELAY |
SLUS_205.90 | Spyhunter 2 | 0x01 | 0x800 | SIO2_MASK |
SLUS_206.35 | Muppets Party Cruise | 0x01 | 0x801 | SIO2_MASK |
SLUS_206.39 | Def Jam Vendetta | 0x01 | 0x800 | SIO2_MASK |
SLUS_206.86 | Splashdown: Rides Gone Wild | 0x0A | 0x80400 | CDVD_READ_DELAY |
SLUS_208.38 | All-Star Baseball 2005 | 0x01 | 0x802 | SIO2_MASK |
SLUS_208.51 | Ace Combat 5: The Unsung War | 0x0A | 0x500000 | CDVD_READ_DELAY |
SLUS_208.91 | Star Ocean: Til the end of Time [Disc 2] | 0x08 | 0x1388 | CPU_DELAY |
SLUS_209.18 | Super Monkey Ball: Deluxe | 0x01 | 0x800 | SIO2_MASK |
SLUS_210.59 | Tekken 5 | 0x0B | 0x40000000 | SPU2_BEHAVIOR |
SLUS_210.70 | Final Fantasy XI: Chains of Promathia | 0x02 | 0xB | DEV9_MASK |
SLUS_210.89 | Karaoke Revolution Vol.3 | 0x08 | 0x1388 | CPU_DELAY |
SLUS_213.31 | Sonic Riders | 0x01 | 0x800 | SIO2_MASK |
SLUS_213.39 | Puzzle Challenge | 0x01 | 0x800 | SIO2_MASK |
SLUS_214.04 | Final Fantasy XI: Treasures of Aht Urhgan | 0x02 | 0xB | DEV9_MASK |
SLUS_214.52 | Valkyrie Profile 2: Silmeria | 0x08 | 0x1388 | CPU_DELAY |
Other game patches (unofficial)[edit | edit source]
There are other unofficial ways to patch the PS2 games such the pnach format, or the widescreen patches that allows 16:9 screen output for some games by hex editing the ISO, or by applying ppf patches. Games work fine on PS3 with same compatibility like before patching. Also some 480p (aka progressive scan) patches work fine. http://ps2wide.net/
The problem of this methods is the patch is applyed over the ISO and is modifyed permanently, but this problem can be avoided in PS3 because that unofficial patches can be "ported" to the official config format to be used by ps2_netemu.self, by using the official config format the settings and patchs from the config file are applyed "on the fly" and the ISO is not modifyed
ps2_title_brute code[edit | edit source]
A script to calculate cdvd key magic used in ps2emu, gxemu and softemu from given input title id. On real PS2 this value seems to be stored at 0x1F402020-0x1F402024. It contains code for bruting as well. Just call gen_sum with the title id in a specific format to get it.
title_ = "SLUS_200.73"
#patches = [0x6b1ade00dL, 0x23d92589c5L, 0x24d92589d5L, 0x608634992dL, 0x5ca15df14dL]
#patches = [0x37ae1cb18dL, 0x608634999dL, 0x06b1ade00dL, 0x5fc674d915L, 0x178e3c9165L, 0x3889349935L,0x18fe4ce145L,0xc126943985,0xe90ebc11b5,0x58be0ca165L]
patches = [ 0xCD1298155L, 0x12C93199A5L, 0x15C93199ADL, 0x24D92589A5L, 0x2CD12D8125L, 0x34C9359935L, 0x34C93599E5L, 0x34C93599E5L, 0x449961C9E5L, 0x4C9169C1CDL, 0x4C9169C1D5L, 0x4C9169C1DDL, 0x4C9169C1E5L, 0x4C9169C1F5L, 0x4C9169C1FDL, 0x4CB14DE12DL, 0x54A955F915L, 0x5CA15DF165L, 0x5CA15DF1FDL, 0x5CA15DF1FDL, 0x649965C94DL, 0x649965C955L, 0x649965C95DL, 0x649965C965L, 0x649965C96DL, 0x6BB149E15DL, 0x6C916DC165L, 0x6C916DC1A5L, 0x6C916DC1ADL, 0x6C916DC1B5L, 0x6C916DC1D5L, 0x6C916DC1DDL, 0x748975D9DDL, 0x7C817DD125L, 0x7C817DD165L, 0x7C817DD16DL, 0x7C817DD175L, 0x7C817DD1CDL, 0x84798529BDL, 0x8559A109ADL, 0x8579852915L, 0x8579852965L, 0x8D51A90145L, 0x8D51A901B5L, 0x8D51A901BDL, 0x8D718D21BDL, 0x9C619D31E5L, 0x9D41B911ADL, 0x9D619D31C5L, 0x9F29357805L, 0x9F293578E5L, 0xB549B51915L, 0xB549B51925L, 0xB549B5195DL, 0xB549B519A5L, 0xB549B519ADL, 0xBC61793025L, 0xBD41BD1105L, 0xC439C569F5L, 0xC7716D20D5L, 0xC7716D20D5L, 0xCA11E941F5L, 0xCF7965285DL, 0xCF7965285DL, 0xD20911582DL, 0xD7617D308DL, 0xE339C1695DL, 0xE794CCB06DL, 0xEA3129608DL, 0xEC11ED4115L, 0xEF594508D5L, 0xF409F559ADL, 0xF7415D10E5L, 0xF7415D10E5L]
def gen_sum(title):
var_30 = []
for i in range(0x1A):
var_30.append(0)
r9=5
r31=0
#Title 2 decimal
while r9 != 0xB:
r11 = r9 + 1
if r9 == 8:
pass
else:
r5 = ord(title[r9:r9+1])
r7 = r31 * 0xA
r6 = r7 & 0xFFFFFFFF
r4 = r5 + r6
r9 = r4 - 0x30
r31 = r9 & 0xFFFFFFFF
r9 = r11
#print r31
r10 = ord(title[3:4]) # S
r7 = (r31 >> 10) & 0x7F
r11 = ord(title[1:2]) # L
r8 = ord(title[2:3]) # U
r6 = (r10 >> 1) & 0x3F
r12 = ord(title[0:1]) # S
r4 = (r11 >> 3) & 0xF
r5 = (r8 >> 2) & 0x1F
r3 = (r12 >> 4) & 7
r9 = r10 << 7
r0 = r8 << 6
r10 = r11 << 5
r8 = r12 << 4
r12 = r31 << 3
r11 = r10 | r5
r9 = r9 | r7
r0 = r0 | r6
var_30[2] = r11 & 0xFF
r7 = r8 | r4
var_30[0] = (r9 & 0xFF)
r10 = r12 | r3
var_30[1] = (r0 & 0xFF)
r12 = (r31 >> 2) & 0x3FFFFFF8
var_30[3] = (r7 & 0xFF)
r8 = 5
var_30[4] = (r10 & 0xFF)
var_30[0x19] = (r12 & 0xFF)
var_30[0x18] = (r8 & 0xFF)
var_30 = [int(v) for v in var_30]
#print [hex(v) for v in var_30]
r5 = var_30
r6 = 0
r4 = 0
while r6 < 5:
r12 = r5[r6:r6+1][0]
r7 = r6 + 1
r0 = var_30[0x19]
r3 = r6 + 0x10
r9 = r12 ^ r0
r31 = r3
r5[r6] = r9
r6 = r7
r5[r31] = r4
#print [hex(v) for v in r5]
r9 = 0
r10 = 0
while r10 < 5:
r11 = r10 + 1
r6 = r5[r10:r10+1][0]
r4 = r9 << 8
r10 = r11
r9 = r4 | r6
return r9
'''
print hex(gen_sum(title_))
a1='A'
a2='A'
a3='A'
a4='A'
while a1 <= 'Z':
a2='A'
a3='A'
a4='A'
while a2 <= 'Z':
a3='A'
a4='A'
while a3 <= 'Z':
a4='A'
while a4 <= 'Z':
#print "%s%s%s%s" % (a1,a2,a3,a4)
for i in range(99999):
t = "%s%s%s%s_" % (a1,a2,a3,a4) + '{4}{3}{2}.{1}{0}'.format(i%10,(i/10)%10,(i/100)%10,(i/1000)%10,(i/10000)%10)
if gen_sum(t) in patches:
print t
print True
a4=chr(ord(a4)+1)
print "%s%s%s%s" % (a1,a2,a3,a4)
a3=chr(ord(a3)+1)
print "%s%s%s%s" % (a1,a2,a3,a4)
a2=chr(ord(a2)+1)
a1=chr(ord(a1)+1)
'''
print hex(gen_sum("SLUS_213.86"))
'''
for i in range(99999):
t = "SLUS_" + '{4}{3}{2}.{1}{0}'.format(i%10,(i/10)%10,(i/100)%10,(i/1000)%10,(i/10000)%10)
if gen_sum(t) in patches:
print "%s %x" % (t, gen_sum(t))
'''
Alternative script version for better readability. Work same way as one above, just cleaner looking code.
ID = "SLUS_202.02"
def gen_sum2(title):
decimal_id = 0
decimal_id += ( ord(title[10:11]) - 0x30)
decimal_id += ((ord(title[9:10]) - 0x30) * 10)
decimal_id += ((ord(title[7:8]) - 0x30) * 100)
decimal_id += ((ord(title[6:7]) - 0x30) * 1000)
decimal_id += ((ord(title[5:6]) - 0x30) * 10000)
first_char = ord(title[0:1])
second_char = ord(title[1:2])
third_char = ord(title[2:3])
fourth_char = ord(title[3:4])
temp0 = (first_char >> 4) & 7
temp1 = (second_char >> 3) & 0xF
temp2 = (third_char >> 2) & 0x1F
temp3 = (fourth_char >> 1) & 0x3F
temp4 = (first_char << 4)
temp5 = (second_char << 5)
temp6 = (third_char << 6)
temp7 = (fourth_char << 7)
temp8 = (decimal_id >> 10) & 0x7F
temp9 = (decimal_id << 3 )
temp10 = (decimal_id >> 2 ) & 0xF8
temp8 |= temp7
temp3 |= temp6
temp2 |= temp5
temp1 |= temp4
temp0 |= temp9
temp8 &= 0xFF
temp3 &= 0xFF
temp2 &= 0xFF
temp1 &= 0xFF
temp0 &= 0xFF
temp8 ^= temp10
temp3 ^= temp10
temp2 ^= temp10
temp1 ^= temp10
temp0 ^= temp10
result = (temp0 | (temp1 << 8) | (temp2 << 16) | (temp3 << 24) | (temp8 << 32))
return result
print(hex(gen_sum2(ID)))
Alternative implementation: https://github.com/PCSX2/pcsx2/blob/1a3d77b2c0c6b57313f0dceaf5ecc3f8cb453497/pcsx2/CDVD/CDVD.cpp#L545
External References[edit | edit source]
- Digital Foundry vs. PS2 Classics on PS3
- PS2 Classics Algorithm By flatz
- C port
- Alternative Compatibility List (outdated)
- How to properly convert Final Fantasy XII: IZJS For ps2classics
- Wikipedia list of officially released PS2 Classics
CPU-GPU intensive games + games only playable in software render on PCSX2:
- http://wiki.pcsx2.net/index.php/Category:GPU_intensive_games
- http://wiki.pcsx2.net/index.php/Category:CPU_intensive_games
- http://wiki.pcsx2.net/index.php/Category:Software_rendering_only_games