PS2 Emulation/PS2 Config Commands: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
 
(38 intermediate revisions by the same user not shown)
Line 1: Line 1:
==PS2 Netemu Commands==
=PS2 Netemu Commands=


<!-- We need to find a better way to organize the commands info below, right now all the info is "constricted" inside the same table but is better to take them out of the table to have more freedon when adding comments, etc... Are a lot so by now i prefer to dont make page sections for every command. Im going to try something that visually looks like page sections but are not (so are not going to be displayed in the TOC at top of the page). With this change we are moving forward because the command info is not going to be inside the same table anymore, im going to split them but the visual look and other details are not going to be definitive because later can be converted into page sections if someone insists in it -->
<!-- We need to find a better way to organize the commands info below, right now all the info is "constricted" inside the same table but is better to take them out of the table to have more freedon when adding comments, etc... Are a lot so by now i prefer to dont make page sections for every command. Im going to try something that visually looks like page sections but are not (so are not going to be displayed in the TOC at top of the page). With this change we are moving forward because the command info is not going to be inside the same table anymore, im going to split them but the visual look and other details are not going to be definitive because later can be converted into page sections if someone insists in it -->
Line 363: Line 363:
  0x4000000  = Enable type 2 config from cmd 0x12.
  0x4000000  = Enable type 2 config from cmd 0x12.
  0x8000000  = Accurate VU0 DIV opcode, not used in COP2 mode.
  0x8000000  = Accurate VU0 DIV opcode, not used in COP2 mode.
  0x10000000 = Fast Accurate VU0 MUL. Try to round mantissa. Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them. Not used in COP2 mode.
  0x10000000 = Full Accurate VU0 MUL. Use runtime from CMD 0x10, but for every matching VU0 opcode, including opcodes like MSUB for mul part.
0x20000000 = Full Accurate VU0 MUL. Use runtime from CMD 0x10, but for every matching VU0 opcode, including opcodes like MSUB for mul part.
               Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them.
               Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them.
0x20000000 = Fast Accurate VU0 MUL. Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them. Not used in COP2 mode.
   
   
  Selecting both 0x10000000 and 0x20000000 (0x30000000) work the same way as 0x20000000.
  Selecting both 0x10000000 and 0x20000000 (0x30000000) work the same way as 0x20000000.
Line 459: Line 459:
{{Boxcomm|id=0x20|name=Unknown|data=1x uint64_t}}
{{Boxcomm|id=0x20|name=Unknown|data=1x uint64_t}}
Default 0x3C
Default 0x3C
  Config value is used as multiplier for some value, and result is used in vsync related runtimes.
  Config value is used as multiplier for value:
  Is worth to note that 0x3C is default multiplier even for PAL titles, so is not stricly related to framerate,
if (mode == NTSC) multiplicand = 2535;
  but to vsync counters (where 0x3C is still wrong anyway..). Result of multiply is also compared at some point to vsync delay value.  
  if (mode == PAL)  multiplicand = 5107;
  if (mode == 1080) multiplicand = 2364;
At default config value of 0x3C results are:
NTSC = 152100
PAL  = 306420
1080 = 141840
Result is compared against decrementer ticks.
This result value determines how frequently emulator events test checks GS related things.
This include raising GS irq if VSINT/SIGNAL/FINISH occurred, updating display parameters, etc.
 
*Valid values found: 10d, 60d, 100d, 120d, 200d, 240d
*Valid values found: 10d, 60d, 100d, 120d, 200d, 240d


Line 741: Line 752:
{{Boxcomm|id=0x50|name=Enable pressure sensitive controls|data=N/A}}
{{Boxcomm|id=0x50|name=Enable pressure sensitive controls|data=N/A}}


==PS2 Gxemu Commands==
=PS2 Gxemu Commands=
PS2 GX Emu commands are Big Endian unless noted. Every command size is 0x18, and unused data need to be filled with zeros.
PS2 GX Emu commands are Big Endian unless noted. Every command size is 0x18, and unused data need to be filled with zeros. Commands which point to emulator memory have additional data, but command itself is still 0x18 in size. Data fields are just example values and can be changed to different value when needed.  
{{Boxcomm|id=0x01|name=Unknown|data=1x int32|}}
{{BoxcommGX|id=0x01|net_id=0x02|data=1x int32|}}
Used in function that handle D6 CHCR writes (SIF1), seems to be some kind of timing command for EE --> IOP DMA.
Used in function that handle D6 CHCR writes (SIF1), seems to be some kind of timing command for EE --> IOP DMA.
  Format:
  Format:
  32 bit ID  | 32 bit align | 32bit data | 32 bit align | 32 bit align | 32 bit align
  32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
  0x00000001 |  0x00000000  | 0x00000BB8 |  0x00000000  |  0x00000000  |  0x00000000
  0x00000001 |  0x00000000  | 0x00000BB8 |  0x00000000  |  0x00000000  |  0x00000000


{{Boxcomm|id=0x02|name=Unknown|data=None|}}
{{BoxcommGX|id=0x02|net_id=0x03|data=None|}}
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.
  Format:
  Format:
Line 755: Line 766:
  0x00000002 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
  0x00000002 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000


{{Boxcomm|id=0x03|name=Unknown|data=1x int32|}}
{{BoxcommGX|id=0x03|net_id=0x04|data=1x int32|}}
Patch SPE 4 program (eedma) by searching for ila r4, xxxxx, starting at 0x178A0 and replacing them with (0x42000004 | ((value << 7) & 0x1FFFF80) 0x42000004 is ila r4 opcode. Due to opcode encoding example result of that patch with value 0x08 will be 0x42000404 (ila r4, 0x08). There is little bit more than that, but main purpose is just to patch SPE program behavior.
Patch SPE 4 program (eedma) by searching for ila r4, xxxxx, starting at 0x178A0 and replacing them with (0x42000004 | ((value << 7) & 0x1FFFF80) 0x42000004 is ila r4 opcode. Due to opcode encoding example result of that patch with value 0x08 will be 0x42000404 (ila r4, 0x08). There is little bit more than that, but main purpose is just to patch SPE program behavior.
  Format:
  Format:
  32 bit ID  | 32 bit align | 32bit data | 32 bit align | 32 bit align | 32 bit align
  32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
  0x00000003 |  0x00000000  | 0x00000008 |  0x00000000  |  0x00000000  |  0x00000000
  0x00000003 |  0x00000000  | 0x00000008 |  0x00000000  |  0x00000000  |  0x00000000


{{Boxcomm|id=0x04|name=Unknown|data=None|}}
{{BoxcommGX|id=0x04|net_id=Not available|data=None|}}
Patch spe 4 program to use alternative VIF1 Direct/DirectHL command handler.
Patch spe 4 program to use alternative VIF1 Direct/DirectHL command handler.
  Format:
  Format:
Line 767: Line 778:
  0x00000004 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
  0x00000004 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000


{{Boxcomm|id=0x05|name=Unknown|data=None|}}
{{BoxcommGX|id=0x05|net_id=0x06|data=None|}}
Patch spe 4 program to use alternative VIF1 Offset command handler.
Patch spe 4 program to use alternative VIF1 Offset command handler.
  Format:
  Format:
Line 773: Line 784:
  0x00000005 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
  0x00000005 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000


{{Boxcomm|id=0x06|name=Unknown|data=1x int32|}}
{{BoxcommGX|id=0x06|net_id=0x07|data=1x int32|}}
Delay XGKICK by x cycles.
Delay XGKICK by x cycles.
  Format:
  Format:
  32 bit ID  | 32 bit align | 32bit data | 32 bit align | 32 bit align | 32 bit align
  32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
  0x00000006 |  0x00000000  | 0x00000008 |  0x00000000  |  0x00000000  |  0x00000000
  0x00000006 |  0x00000000  | 0x00000008 |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x07|net_id=0x08|data=1x int32|}}
Patch 2 x 32 bit opcodes of VU1 microprogram (lower and upper opcode). Config allow to specify bitmask for both read and write.
Format:
32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit align | 32 bit align
0x00000007 |  0x00000000  |  0x0000000000341190    |  0x00000000  |  0x00000000
 
Additional example data at 0x341190 looks like this:
  64 bit read mask  | 64 bit read value  | 64 bit write mask  | 64 bit write value
0x80000000FFFFFFFF | 0x0000000040000001 | 0x00000000FFFFFFFF | 0x000000008000033C
 
Which translates to C:
if readVu1Code(i) & 0x80000000FFFFFFFF == 0x0000000040000001
    writeVu1Code(i, 0x000000008000033C & 0x00000000FFFFFFFF)
 
{{BoxcommGX|id=0x08|net_id=0x09|data=1x int32|}}
Patch 2 x 32 bit opcodes of EE executable code.
Format:
32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
0x00000008 |  0x00000000  |  0x0000000000341190    |  0x00000002  |  0x00000000
 
Additional example data at 0x341190 looks like this:
  32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode
    0x00418750    |  0x00000000  |      0x1062FFFA      |      0x00000000      |      0x00000000      |      0x00000000
due to patch count == 2 in this example, there is next set of data right after first one:
  32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode
    0x00418808    |  0x00000000  |      0x1062FFFA      |      0x00000000      |      0x00000000      |      0x00000000
 
<div class="mw-collapsible mw-collapsed" data-expandtext="{{int:Show}}" data-collapsetext="{{int:Hide}}" style="width:1000px; background:#cccccc;">'''More info'''
<div class="mw-collapsible-content" style="text-align:left;">
This command read and write opcodes as a 64 bit value. This can be really confusing when creating custom config.
 
Lets assume that EE offset 0x100000 holds value (in raw hex) 00 11 22 33 44 55 66 77 and we want to change it to 88 99 AA BB CC DD EE FF
Format:
32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
0x00000008 |  0x00000000  |  0x0000000000341190    |  0x00000001  |  0x00000000
Additional example data at 0x341190 looks like this:
  32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode
    0x00100000    |  0x00000000  |      0x77665544      |      0x33221100      |      0xFFEEDDCC      |      0xBBAA9988
                    |              |value read from 0x100004|value read from 0x100000|value write to 0x100004|value write to 0x100000
This happen because emulator read 64 bit value from 0x100000 and reverse it from little to big endian as whole 64 bits. Exactly the same happen for values that emulator write to memory.
This little code snippet can help little bit with conversion.
# Value to convert, copied from hex editor or disassembler.
x = "00 11 22 33 44 55 66 77"
x = x.replace(" ", "")
x = int(x, 16)
x = (x & 0x00000000FFFFFFFF) << 32 | (x & 0xFFFFFFFF00000000) >> 32
x = (x & 0x0000FFFF0000FFFF) << 16 | (x & 0xFFFF0000FFFF0000) >> 16
x = (x & 0x00FF00FF00FF00FF) << 8  | (x & 0xFF00FF00FF00FF00) >> 8
a = x >> 56
b = (x >> 48) & 0xFF
c = (x >> 40) & 0xFF
d = (x >> 32) & 0xFF
e = (x >> 24) & 0xFF
f = (x >> 16) & 0xFF
g = (x >> 8) & 0xFF
h = x & 0xFF
print("{:02X} {:02X} {:02X} {:02X} {:02X} {:02X} {:02X} {:02X}".format(a,b,c,d,e,f,g,h))
Beside own python installation, code can be used on site like https://www.w3schools.com/python/trypython.asp?filename=demo_compiler
</div>
</div>
{{BoxcommGX|id=0x09|net_id=0x0B|data=1x int32|}}
Patch disc data during read operation. <!--todo: explain lba/offset.. offset.-->
Format:
32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
0x00000009 |  0x00000000  |  0x0000000000341190    |  0x00000001  |  0x00000000
 
Additional example data at 0x341190 looks like this:
  32 bit lba | 32 bit offset in lba | 64 bit ptr to replace data | 64 bit ptr to original data | 32 bit data size in bytes | 32 bit align
  0x00000471 |      0x00000280      |    0x00000000003411B0    |    0x00000000003411B4      |        0x00000004        |  0x00000000
 
{{BoxcommGX|id=0x0A|net_id=0x0C|data=2x uint16|}}
First param can be 0, 1, or 2. Second param in range of 0 and 0xFFFF. Second param is used only if first param == 1. Default values are (1, 0x1000) for PS2DVD, and (1, 0x400) for PS2CD and PS2CDDA.
Format:
32 bit ID  | 32 bit align | 16 bit data | 16 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000000A |  0x00000000  |    0x0001  |    0x0400  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x0B|net_id=0x0D|data=1x int32|}}
Command take bool value and default is 1. When set to 0: Skip some IOP related code responsible for check value from IOP SPE (and skip panic if value is 0 or -1).<br>
Also skip write of value 0x80000000 to SPU Signal Notification 1 Register of IOP SPE.
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000000B |  0x00000000  | 0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x0C|net_id=0x0E|data=1x int32|}}
Use PS2 accurate add/sub math for selected opcode/offset. Command is valid for every FPU and COP2 opcode that do add/sub (also for opcodes like VMSUBA, MADD, etc).
Format:
32 bit ID  | 32 bit align | 32 bit EE memory offset | 32 bit align | 32 bit align | 32 bit align
0x0000000C |  0x00000000  |      0x001264D4        |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x0D|net_id=0x0F|data=2x int32|}}
Use PS2 accurate add/sub math for selected opcode/offsets range. Command is valid for every FPU and COP2 opcode that do add/sub (also for opcodes like VMSUBA, MADD, etc).
Format:
32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
0x0000000D |  0x00000000  |          0x0012A3D4          |        0x0012A468        |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x0E|net_id=0x10|data=2x int32|}}
Use PS2 accurate mul/div math for selected opcode/offsets range. Command is valid for every FPU opcode that do mul/div (also for opcodes like MADD, MSUBA etc). Command does not work for COP2 opcodes.
Format:
32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
0x0000000E |  0x00000000  |          0x005719D8          |        0x00571C2C        |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x0F|net_id=0x11|data=1x int32|}}
Use PS2 accurate add/sub math for selected opcode/offset in VU0 microprogram. Command is valid for every VU0 opcode that do add/sub (also for opcodes like MSUBAQ, MADDAx, etc).<br>
Valid VU0 memory offset is in range (0x000 to 0xFFF) & 0xFF8, which mean that last nibble needs to be either 0 or 8. <!--Todo: Is it really VU0 offset in plain hex or (offset >> 8)-->
Format:
32 bit ID  | 32 bit align | 32 bit VU0 memory offset | 32 bit align | 32 bit align | 32 bit align
0x0000000F |  0x00000000  |        0x00000208        |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x10|net_id=0x12|data=1x int64, 1x int32|}}
Multi-purpose VU0/COP2 command. Data size vary depending on sub commands, but at least 2 x 32 bit is required to make command valid.
Format:
32 bit ID  | 32 bit align | 64 bit ptr to emu memory with data | Data size / 4 | 32 bit align
0x00000010 |  0x00000000  |        0x0000000000323288        |  0x0000000D  |  0x00000000
 
{{BoxcommGX|id=0x11|net_id=0x13|data=1x int64|}}
Delay memory card related operations by x cycles.
Format:
32 bit ID  | 32 bit align |    64 bit data    | 32 bit align | 32 bit align
0x00000011 |  0x00000000  | 0x000000000000F960 |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x12|net_id=0x14|data=None|}}
Use alternative code path during ADD/SUB VU1 recompilation. Config seems to be very specific hack, most likely not usable outside of THPS 4+ engine games.<br>
Note: This setting affects only VU1, and only ADD/SUB. All other opcodes like ADDi,ADDq, MSUB, ADDbc, are not affected.
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000012 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x13|net_id=0x15|data=1x int32|}}
Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A9C0 - 0x3ADC0 and patch first found absolute branch to "bi r127".<br>
This command takes partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior.
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000013 |  0x00000000  | 0x00000002  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x14|net_id=Not available|data=1x int8|}}
Gsgif related command. Unused in latest emu, also seems to be unreachable even if set.
Format:
32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000014 |  0x00000000  |    0x01    |  0x000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x15|net_id=0x17|data=1x int8|}}
Value is bool, default 0. When set to true, MTC0/MFC0 operation of COP0 Count ($9) register uses ppc timebase register as a base for calculation, when disabled decrementer register is used as a base for calculations.
Format:
32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000015 |  0x00000000  |    0x01    |  0x000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x16|net_id=Not available|data=None|}}
Perform additional check during GS CSR write and if there is SIGNAL clear bit active and other dependencies are fulfilled, do some additional operations with GS.
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x000000016 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x17|net_id=0x1A|data=None|}}
IPU BCLR command hack <!--todo-->
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000017 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x18|net_id=0x1B|data=None|}}
IPU IDEC command hack <!--todo-->
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000018 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x19|net_id=Not available|data=None|}}
Disable DEV9. Disables net/ps2hdd capabilities including Network Adapter detection.
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000019 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
<div class="mw-collapsible mw-collapsed" data-expandtext="{{int:Show}}" data-collapsetext="{{int:Hide}}" style="width:700px; background:#cccccc;">'''More info'''
<div class="mw-collapsible-content" style="text-align:left;">
 
Command disable reads/writes to selected IOP HW registers. Disabled regs are:
* 0x10000000 - 0x10003FFF (DEV9/SPEED/ATA/SMAP)
* 0x1F801460 - 0x1F80147F (Unknown)
 
Command is auto applied to titles listed here (duplicates are really there in emu too):
    Hash          ID                Name
0x0CD1298155  SLES_540.13  World Snooker Championship 2007
0x12C93199A5  SLES_518.40  NHL Hitz Pro
0x15C93199AD  SLES_549.13  Pro Evolution Soccer 2008
0x24D92589A5  SLUS_211.86  NBA Ballers - Phenom
0x2CD12D8125  SLUS_212.35  MLB 2K6
0x34C9359935  SLUS_211.38  X-Men Legends II - Rise of Apocalypse
0x34C93599E5  SLUS_211.28  Blitz - The League
0x34C93599E5  SLUS_211.28  Blitz - The League
0x449961C9E5  SLES_542.10  NBA 2K7
0x4C9169C1CD  SLES_542.46  FIFA '07
0x4C9169C1D5  SLES_542.45  NHL '07
0x4C9169C1DD  SLES_542.44  FIFA '07
0x4C9169C1E5  SLES_542.43  FIFA '07
0x4C9169C1F5  SLES_542.41  FIFA '07
0x4C9169C1FD  SLES_542.40  FIFA '07
0x4CB14DE12D  SLUS_213.74  Marvel - Ultimate Alliance
0x54A955F915  SLUS_212.74  Outrun 2006 - Coast 2 Coas
0x5CA15DF165  SLUS_213.01  World Series of Poker
0x5CA15DF1FD  SLUS_212.86  WWE SmackDown! vs RAW 2006
0x5CA15DF1FD  SLUS_212.86  WWE SmackDown! vs RAW 2006
0x649965C94D  SLUS_214.63  Tom Clancy's Ghost Recon 2
0x649965C955  SLUS_214.60  NBA Live '07
0x649965C95D  SLUS_214.61  NASCAR '07
0x649965C965  SLUS_214.58  NHL '07
0x649965C96D  SLUS_214.59  NCAA Football '07
0x6BB149E15D  SLES_531.04  Tom Clancy's Rainbow Six - Lockdown
0x6C916DC165  SLUS_214.91  World Series of Poker - Tournament of Champions
0x6C916DC1A5  SLUS_214.83  Tiger Woods PGA Tour '07
0x6C916DC1AD  SLUS_214.82  NFL Street 3
0x6C916DC1B5  SLUS_214.81  NCAA March Madness '07
0x6C916DC1D5  SLUS_214.77  Madden NFL '07 [Hall of Fame Edition]
0x6C916DC1DD  SLUS_214.76  Madden NFL '07
0x748975D9DD  SLUS_213.83  Fight Night - Round 3
0x7C817DD125  SLUS_214.33  FIFA Soccer '07
0x7C817DD165  SLUS_214.25  NHL 2K7
0x7C817DD16D  SLUS_214.24  NBA 2K7
0x7C817DD175  SLUS_214.27  WWE SmackDown! vs RAW 2007
0x7C817DD1CD  SLUS_214.12  World Championship Poker featuring Howard Lederer - All-In
0x84798529BD  SLUS_205.65  Champions of Norrath
0x8559A109AD  uuunnnnnkkk 
0x8579852915  SLUS_215.68  Arena Football - Road to Glory
0x8579852965  SLUS_215.82  MVP '07 - NCAA Baseball
0x8D51A90145  SLES_545.11  UEFA Champions League
0x8D51A901B5  SLES_545.13  UEFA Champions League
0x8D51A901BD  SLES_545.12  UEFA Champions League
0x8D718D21BD  SLUS_216.20  NCAA Football '08
0x9C619D31E5  SLUS_205.41  NBA Ballers
0x9D41B911AD  SLES_544.48  World Series of Poker - Tournament of Champions
0x9D619D31C5  SLUS_215.61  Major League Baseball 2K7
0x9F29357805  SCUS_975.44  NBA '07 featuring The Life Vol.2
0x9F293578E5  SCUS_975.56  MLB '07 - The Show
0xB549B51915  SLUS_216.38  Madden NFL '0
0xB549B51925  SLUS_216.32  NHL 2K8
0xB549B5195D  SLUS_216.47  NHL '08
0xB549B519A5  SLUS_216.48  FIFA Soccer '08
0xB549B519AD  SLUS_216.49  NBA Live '08
0xBC61793025  SCES_532.85  Ratchet - Gladiator
0xBD41BD1105  SLUS_216.69  NBA 2K8
0xC439C569F5  SLUS_208.20  Tom Clancy's Ghost Recon - Jungle Storm
0xC7716D20D5  SCUS_974.01  Hot Shots Golf FORE!
0xC7716D20D5  SCUS_974.01  Hot Shots Golf FORE!
0xCA11E941F5  SLES_516.97  SSX 3
0xCF7965285D  SCUS_973.53  Ratchet and Clank - Up Your Arsenal
0xCF7965285D  SCUS_973.53  Ratchet and Clank - Up Your Arsenal
0xD20911582D  SCES_515.93  Hardware Online Arena [Beta, Promo & Full Release]
0xD7617D308D  SCUS_973.28  Gran Turismo 4
0xE339C1695D  SLES_525.45  Star Wars Battlefront
0xE794CCB06D  PCPX_980.42  Minna no Tennis
0xEA3129608D  SCES_515.78  Network Access Disc [Original, v4.02 & v4.03]
0xEC11ED4115  SLUS_209.73  Champions - Return to Arms
0xEF594508D5  SCUS_975.00  MLB '06 - The Show
0xF409F559AD  SLUS_208.89  MLB Slugfest - Loaded
0xF7415D10E5  SCUS_974.65  Ratchet - Deadlocked
0xF7415D10E5  SCUS_974.65  Ratchet - Deadlocked
As a result config disable HDD/NET capabilities.
</div>
</div>
 
{{BoxcommGX|id=0x1A|net_id=0x1D|data=1x int8|}}
Sets multitap to specific controller ports and adjusts the order of ports to which controllers are synced. Default 3
*0 = no multitap set (only when needed). Controller sync order: 1/1-A, 2/2-A, 1-B, 2-B...
*1 = sets multitap in controller port 1 at all times. Controller sync order: 1/1-A, 1-B, 1-C, 1-D...
*2 = sets multitap in controller port 2 at all times. Controller sync order: 1/1-A, 2/2-A, 2-B, 2-C...
*3 = sets multitaps in both controller ports at all times. Controller sync order: same as 0
Format:
32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
0x0000001A |  0x00000000  |    0x01    |  0x000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x1B|net_id=0x1E|data=1x int8|}}
Unknown. Probably mtap related. Command is a 2 bit bitfield. Default value 0
Format:
32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
0x0000001B |  0x00000000  |    0x01    |  0x000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x1C|net_id=0x1F|data=1x int32|}}
Make VIF0 commands MSCAL/MSCALF/MSCNT/MPG/FLUSHE non instant.<br>By default every VIF0 command take 1 cycle, so it's instant.
This config give vif0 some timing sense. Value is cycle count before first event check related to VIF0.<br>
When delta from config passed and vif0 is still running, add 500 cycles and go on until next event test.<br>
This can also be used to ensure that next vif0 command after MSCAL/MSCALF/MSCNT/MPG/FLUSHE won't run until delta from config passed.
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000001C |  0x00000000  | 0x000003F8  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x1D|net_id=0x20|data=1x int64|}}
Vblank timing related, still partially unknown.
Format:
32 bit ID  | 32 bit align |    64 bit data    | 32 bit align | 32 bit align
0x0000001D |  0x00000000  | 0x00000000000000C8 |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x1E|net_id=0x21|data=1x int32|}}
Option one default value = 1, when set to 0: r5900 CACHE opcode IXLTG store 0 in COP0 TagLo register. More than that recompiler skip function responsible for analyze and emitting costly iCache checks.<br>
This drastically reduce emitted code size, and practically disable iCache emulation. Additionally CACHE IXIN/IHIN opcodes use different very long code path (this can be skipped with cmd 0x03).<br>
Option two default value = 0, when set to 1: Emit some kind of check for current r5900 PC with possible trap opcode at the end. 1 is valid only when option one is 0.
*0 = sets an option one to 0 and option two to 0
*1 = sets an option one to 0 and option two to 1
*2 = sets an option one to 1 and option two to 0 (default)
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000001E |  0x00000000  | 0x00000002  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x1F|net_id=0x23|data=None|}}
Patch spe 4 program with new custom VIF1 STCYCL alike command 08h handler.
This command is useful only with additional 0x00 hooks. Said hooks inject 08h VIF1 command into game code when other conditions are met.
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x0000001F |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x20|net_id=0x24|data=1x int64|}}
SIO2 timing related, still partially unknown.
Format:
32 bit ID  | 32 bit align |    64 bit data    | 32 bit align | 32 bit align
0x00000020 |  0x00000000  | 0x0000000000002EE0 |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x21|net_id=Not available|data=1x int32|}}
Unknown, GSGIF SPE related.
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000021 |  0x00000000  | 0x00000009  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x22|net_id=0x26|data=2x int32|}}
Improves FPU accuracy for selected memory range. Efective only on: ADD.s, SUB.s, ADDA.s, SUBA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s.
 
For M(UL) opcodes, command is active only on ADD/SUB stage.
Format:
32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
0x00000022 |  0x00000000  |          0x0012A3D4          |        0x0012A468        |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x23|net_id=0x27|data=2x int32|}}
Improves COP2 operations accuracy for selected memory range. Effective only for opcodes:
VSUBAxyzw, VSUBAq, VSUBAi, VSUBA, VSUBxyzw, VSUBq, VSUBi, VSUB, VMSUBAxyzw,
VMSUBAq, VMSUBAi, VMSUBA, VMSUBxyzw, VMSUBq, VMSUBi, VMSUB, VMADDAxyzw,
VMADDAq, VMADDAi, VMADDA, VMADDxyzw, VMADDq, VMADDi, VMADD, VADDAxyzw,
VADDAq, VADDAi, VADDA, VADDxyzw, VADDq, VADDi, VADD
 
Format:
32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
0x00000023 |  0x00000000  |          0x0012A3D4          |        0x0012A468        |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x24|net_id=0x28|data=1x int32|}}
Unknown, CDVD related. Only accept values 0/1/2/3
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000024 |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x25|net_id=0x29|data=2x int32|}}
Seek time modifier. Exact values meaning is unknown for now, they are used as multiplier. First param affect fast seek time, second param affect full seek time. Default value is 0x1F40, 0xBB80 (8000, 48000). Config affect only CDVD N Command Seek, read command that "SeekToSector" is not affected.
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit data | 32 bit align | 32 bit align
0x00000025 |  0x00000000  | 0x00001F40  |  0x0000BB80 |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x26|net_id=0x2A|data=None|}}
Unknown, used only in All-Star Baseball 2004
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000026 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x27|net_id=0x2B|data=None|}}
When enabled emulated register 0x1F40200F (disc type) is set to 0x13 (PS2CDDA) when media type detected by emu is 0x12 (PS2CD). Required for multi-track PS2 games like Dance Factory.
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000027 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x28|net_id=0x2C|data=1x int32|}}
Store (value | value << 32 | value << 64 | value << 96) in SPE 0 (IOP) LS.
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000028 |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x29|net_id=Not available|data=None|}}
Skip one of functions in r5900 event test. Said function interact with GSGIF SPE and GS hardware, but in some conditions can also write to BGCOLOR GS register (why?).
Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000029 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x2A|net_id=0x2E|data=1x int32|}}
Unknown.
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000002A |  0x00000000  | 0x00000172  |  0x00000000  |  0x00000000  |  0x00000000
 
{{BoxcommGX|id=0x2B|net_id=0x2F|data=1x int32|}}
Store value in SPE 1 (PS2 SPU2) LS. Used values are 1, and 2 (after andi, so 3 trigger both configs).
 
Indigo Prophecy/Fahrenheit uses 0x1, Kengo 3 uses 0x2
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000002B |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000

Latest revision as of 11:24, 22 November 2024

PS2 Netemu Commands[edit | edit source]

0x00 Command Name: Title ID Enforce / Multidisc config
Command Data: 1x String in format: ABCD-12345

Restricts the CONFIG to be used only by a specific Title ID The presence of this command in the CONFIG is optional. If present it needs to be located always at the last position in the CONFIG. When bytes are present after Title ID, emulator read them to setup multidisc info.

Multidisc info bytes:
First byte:  Unknown, seems to be unused. 00 in known configs (Grandia 3).
Second byte: Discs count (0-9), when 0 or 1 emulator don't enable multidisc mode.
Third byte:  Which disc in set is this one (0-8 for discs 1-9)
Fourth byte: That one is optional, but very important. When set to 1,
             disc swap menu will be in "Reset game" menu and disc change will trigger reset (default behavior).
             But when this byte is set to 0, new option in main emu menu called "Switch Discs" will appear. Emulator change disc without reset. 
             Keep in mind we don't know how accurate swap emulation is here, games are picky for some details. 
             Every iso bin enc in set need to have proper data in separate config. 
             Disc 1: ISO.BIN.ENC --> CONFIG --> 00 02 00 00,
              00000000  3D 00 00 00 A8 3E 00 00 00 00 00 00 53 4C 55 53  =...¨>......SLUS
              00000010  2D 32 31 33 33 34 00 02 00                       -21334...

             Disc 2: ISO.BIN.ENC2--> CONFIG2--> 00 02 01 00, etc.
              00000000  3D 00 00 00 A8 3E 00 00 00 00 00 00 53 4C 55 53  =...¨>......SLUS
              00000010  2D 32 31 33 34 35 00 02 01                       -21345...
             Grandia 3 DISC.IDX, content:
              00000000  00 00                                            ..


0x01 Command Name: EE_ADD_HOOK
Command Data: 2x uint32_t Params (addr, func_id 0-0x3B)

Most of the hooks availables in netemu command 0x01 are fixes for a specific game, or a game engine
The Maximum Amount of times netemu command 0x01 can be used consecutivelly in the same config is 255. This is actually limit for EE hooks at all, 0x01 don't have own limit.

Function ID Notes
0x00 FIFA 2000 use it as hook for EE kernel at 0x800017E8 (DMAC related). Command backup value from r5900 s0 register.
0x01 FIFA 2000 use it as hook for EE kernel at 0x80001858 (DMAC related). Command restore previously backed up value to r5900 s0 register.
0x02

Max Payne

Write 0 to D_ENABLEW in SPE 3 (EEDMA). D_ENABLER is NOT updated on PPE side.
0x03

Max Payne

Write 0xFFFFFFFF (0x10000, other bits are ignored anyway) to D_ENABLEW in SPE 3 (EEDMA). D_ENABLER is NOT updated on PPE side.
0x04 Castle Shikigami II
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes. Same as 0x03 command, but applied of selected ee offset.
This is probably command from times when 0x03 was non existing, and while it apply on selected ee offset, command never recover default IXIN/IHIN handling.
Note: There is leftover in emulator from command that reenable default behavior, but is unused now, and is not accessible by current config commands.
0x05 Force events test if D2_CHCR & 0x100 is true (if GIF dma is running). For more info check _cpuEventTest_Shared from pcsx2. Star Wars games developed by Pandemic Studios (freeze fix), Worms 3D and NBA 08.
0x06 Force events test if D1_CHCR & 0x100 is true (if VIF1 dma is running). For more info check _cpuEventTest_Shared from pcsx2.
0x07
0x08 Backup current unmodified COP0 status register state. Then disable EI bit, and notify emu that cmd 0x09 could be run. Harry Potter - Quidditch World Cup US use it at offset 0x2BD45C (EE)
0x09 Restore COP0 status register state from previously created backup. Harry Potter - Quidditch World Cup US use it at offset 0x2BD620 (EE)
0x0A Fix for TriAce executable unpack function.
Games unpack data using VU0 microruntime (not COP2). Because unpack involve floating points operations result can be inaccurate. And it is,
exactly by 1 byte. Config add 1 to result of unpacked data. This can be confirmed also on pcsx2 with turned off TriAce hack, example for Radiata Stories US release.
Set breakpoint on 0x124D90, and then when it's hit, add 1 to lower 64 bits of vf03 reg (in vu0f tab) and hit run.
Game now work as it should. On PS3 this probably can be fixed also by 0x11 command, but since they had hook already done before 0x11 was a thing, it stayed as is.
0x0B Set lower 64 bits of mips $at register to 0
0x0C Piglet's Big Game
0x0D usleep(100)
0x0E Used 3 times in Need for Speed - Carbon [Collector's Edition] US.
Used in place where game load code overlays, and in place where game self modify code. 
Config run the same function which is run when PS2 syscall 7 (ExecPS2) hook is triggered (0x1831A8 in latest emu memory).
Only difference is that 0x42 overlay is not reloaded, and check for "cdrom0" string is not performed. 
Command could be potentially useful for games that like to change own code. Eg. Load "bin" files with code (HSG/HST), or modify own code by direct writes to memory (NFS Carbon CE...)
0x0F

Grand Theft Auto 3 (SLUS-20062)

using 0x348B40, 0x18E1F0, 0x348EC8 ( + 200000000 base )
0x348B40 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x348EC8 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x10

Grand Theft Auto 3 (SLES-50330)

using 0x349790, 0x18E1F0, 0x349B18 ( + 200000000 base ) 
0x349790 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x349B18 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x11

Grand Theft Auto 3 (SLES-50793)

using 0x3495C0, 0x18E1F0, 0x349948 ( + 200000000 base )
0x3495C0 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x349948 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x12 Disney/Pixar Finding Nemo (fixes the pause menu freeze)
if COP0 status EI and EXL bits are 0, and other condition related to DMAC is met...
store 0 in [ 0x204FC500 + 200000000 base] 0x4FC500 EE memory, and set lower 64 bits of mips $s0 register to 0.
0x13 Snowblind Engine specific fix. Applies to the beginning of function called initLump. Config is responsible for grabbing data from one of registers for use in 0x14/0x15 hooks. Mentioned data is EE memory offset, if data from 0x13 is 0, 0x14/0x15 don't apply.
0x14 Snowblind Engine specific fix. Applies to the end of function called initLump. Used in the older version of Snowblind Engine (Dark Alliance duology, The Bard's Tale, Fallout).
0x15 Snowblind Engine specific fix. Applies to the end of function called initLump. Used in the newer version of Snowblind Engine (Champions duology, Justice League Heroes, Combat Elite).
0x16 Champions of Norrath (SLUS-20565)
store 0x01114BA8 in [ 0x208EAB4C + 200000000 base]
store 0x010C9E40 in [ 0x208EAB6C + 200000000 base]
0x17 NFS HP2 fpu rounding fix.
Check if a0 == 0x8000 (32768), apply config if true. Config is little bit more complicated than it should, emu flush all fpu regs to memory just to modify one field in altivec vector register.
When condition is met ps2 cop1 f08 register is modified from 0x40490FDB to 0x40490FDA, this result in next operations to end up as negative 0.0 (0x80000000) instead of just 0.0 (0x00000000).
Seems to trigger when loading of stage or loading of attract mode is close to finish or done.
0x18 Okami PAL specific hook.
Check if opcode at 0x183F04 of EE memory is jal 0x183CB0 (0x0C060F2C). This is used to run additional hook patcher only 1 time.
Later it will be nop here. so it means that new hooks are already applied. So function will just return early.
if opcode at 0x183F04 is still jal 0x183CB0 (0x0C060F2C),
then patch addresses 0x183F04 (jal 0x183CB0), 0x183F34 (jal 0x183CB0), 0x183F3C (jal 0x183D18) to nop.
Finally adds 3 additional EE hooks. Emu addresses for ps2_netemu 4.70+

EE address | EMU address 
0x183F0C   | sub_46334
0x183F3C   | sub_45DA4
0x183D74   | sub_47B50

First hook is responsible for grabbing EE addresses from one of EE gpr register. Second hook perform few checks from data in EE gpr registers, and 
eventually store data from EE gpr registers on previously grabbed addresses. Hook 3 store one of previosly grabbed EE address on unknown part of memory.
Whole thing looks like HLE version of noped functions.
0x19 Burnout 2
Copy lower 64 bits of $v0 r5900 register to lower 64 bits of $a1 r5900 register.
All that to make next opcode (hook address + 4) "beq $a1, $v0, addr" always true. Because $a1 and $v0 now have the same value.
This in turn skip CTimer::GetTimeSeconds((void)) in function CReplay::NextFrame((CDrivingControls *)). Worth to note that CReplay::NextFrame seems to be not related to replay per se, but to car physics.
0x1A
store 0 in [ 0x209FD560 + 200000000 base]
store 0 in [ 0x209F9550 + 200000000 base]
store 0 in [ 0x20A01570 + 200000000 base]
store 0 in [ 0x209F9540 + 200000000 base]
store 0 in [ 0x209F5540 + 200000000 base]
store 0 in [ 0x209F1530 + 200000000 base]
0x1B
store 0 in [ 0x20552168 + 200000000 base]
0x1C
store 1 in [ 0x20552168 + 200000000 base]
0x1D
store 0 in [ 0x20556C08 + 200000000 base]
0x1E
store 1 in [ 0x20556C08 + 200000000 base]
0x1F
store 0 in [ 0x205243D8 + 200000000 base]
0x20
store 1 in [ 0x205243D8 + 200000000 base]
0x21
store 0 in [ 0x20524F88 + 200000000 base]
0x22
store 1 in [ 0x20524F88 + 200000000 base]
0x23
store 0 in [ 0x2047E7F8 + 200000000 base]
0x24
store 1 in [ 0x2047E7F8 + 200000000 base]
0x25
store 0 in [ 0x204802B8 + 200000000 base]
0x26
store 1 in [ 0x204802B8 + 200000000 base]
0x27
store 0 in [ 0x20586348 + 200000000 base]
0x28
store 1 in [ 0x20586348 + 200000000 base]
0x29
store 0 in [ 0x205868A8 + 200000000 base]
0x2A
store 1 in [ 0x205868A8 + 200000000 base]
0x2B
if ($a1 & 0xF0000000 != 0) a1 = 0 
0x2C Shin Onimusha - Dawn of Dreams Fix IPU DMA JPN((PlayStation 2 the Best)/US release.
0x2D Shin Onimusha - Dawn of Dreams Fix IPU DMA PAL release.
0x2E Shin Onimusha - Dawn of Dreams Fix IPU DMA Unk release. Code from emu match SLPM-66275 release. Why it is unused? Hook address will be 0x3BB4EC.
0x2F
if value at EE Mem 0x37B0C4 == 0, set mips pc register (program counter) to 0x100B98
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0. 
0x30
if value at EE Mem 0x37B704 == 0, set mips pc register (program counter) to 0x100B98
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
0x31
if value at EE Mem 0x37630C == 0, set mips pc register (program counter) to 0x100BA8 
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
0x32
if value at EE Mem 0x37BB0C == 0, set mips pc register (program counter) to 0x100BA8.
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
0x33
0x34 not filled
0x35 Ninkyouden: Toseinin Ichidaiki
0x36
0x37
0x38
0x39 Used silently in command 0x4B with first param from 0x4B as hook address. Hook seems to be unusable without 0x4B command, because there is no way to setup redirect mode and ID without 0x4B.
0x3A Used silently in command 0x4C with first param from 0x4C as hook address. Hook seems to be unusable without 0x4C command, because there is no way to setup mode and ID without 0x4C.
0x3B Grand Theft Auto 3 (SLPM-55293 "Rockstar Classics")
using 0x351210, 0x18F590, 0x351568 ( + 200000000 base )
0x351210 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x18F590 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x351568 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x02 Command Name: Unknown
Command Data: 1x int32

Used in function that handle D6 CHCR writes (SIF1), seems to be some kind of timing command for EE --> IOP DMA.

  • Valid values found:
    • 1000d
    • 3000d
    • 6000d
0x03 Command Name: Unknown
Command Data: N/A

Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.

0x04 Command Name: Unknown
Command Data: 1x uint32_t index (i*0x80, special 0x12345: 0x91a280?)

Patch SPE 3 program (eedma) by searching for ila r4, xxxxx, starting at 0x178A0 and replacing them with (0x42000004 | ((value << 7) & 0x1FFFF80) 0x42000004 is ila r4 opcode. Due to opcode encoding example result of that patch with value 0x08 will be 0x42000404 (ila r4, 0x08). There is little bit more than that, but main purpose is just to patch SPE program behavior.

  • Valid values found:
    • 0x08
    • 0x10
0x05 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x06 Command Name: Unknown
Command Data: N/A

Change VIF1 command 02h OFFSET behavior by patching pointer to function which process it to different previously unused function.

0x07 Command Name: Delay VU xgkick by X cycles
Command Data: 1x uint32_t

Default 1

0x08 Command Name: Patch VU memory by mask
Command Data: 8x uint32_t (read mask,read mask, original opcode, original opcode, write mask, write mask, replace opcode, replace opcode)

Maximum Amount of Usage: 3 times

0x09 Command Name: EE_INSN_REPLACE64
Command Data: uint32_t count, <list> (offset, original opcode, original opcode, replace opcode, replace opcode)

Maximum List Count: 32

  • Valid values found
    • 1 [Dark Cloud] and [Dead Or Alive 2 Hardcore]
0x0A Command Name: EE_INSN_REPLACE32
Command Data: uint32_t count, <List> (mode | offset, original opcode, replace opcode)

Command present only in the ps2_netemu. Maximum List Count: 32. Mode is first 4 bits of address field (Xyyyyyyy), can be either 0, 1, or 2. All known examples use this command in 0 mode, and modes 1 and 2 are here just for documentation purposes.

  • mode 0 - Replace 32 bit of EE memory. Params are EE offset, original opcode, replace opcode.
  • mode 1 - Write jr ra, li v0, xxxx to selected memory range. Params are EE memory start address, original opcode, u16 counter, u16 value for li, v0 xxxx
  • mode 2 - NOP memory at selected range. Params: start address, end address, unused (can be anything, but is required to align config).

Problem: Original opcode validity check is performed before testing config for special cases. Thus making mode 2 almost inaccessible.
Solution: We can patch that one line of code by the same 0x0A config. So if we want to nop region from 0x100000 to 0x100080, first we need to patch 0x100000 to 0x100080 opcode. So check will pass, "simple" as that.

0x0B Command Name: MECHA_SET_PATCH
Command Data: 1x uint32_t count, <List> {sector id, offset, sizeof present opcodes, replace opcodes, original opcodes)

Offset on the disc = sector id * sector size + offset + correction [see below]
Offset correction is based on selected read mode (not on media type):

CDRead requested block size (CD disc):

  • 2048 = Offset + 0x18 (skip 12 sync bytes, 4 of header, and 8 of subheader)
  • 2328 = Offset + 0x18 (skip 12 sync bytes, 4 of header, and 8 of subheader)
  • 2340 = Offset + 0x0C (skip only 12 bytes of sync data)

DVDRead requested block size (DVD Disc):

  • 2064 = Offset match, but only until the 349th sector. Otherwise is offset - 0x0C because that read mode see data as ID DATA (4) + ID DATA EDC (2) + Reserved bytes (6) + 2048 data + EDC (4).

"Offset + XX" for CD assume that you use Isobuster RAW mode. "Offset - XX" for DVD assume that you use Isobuster NON RAW mode
Special case is DVD read on very low sector, here you need to use exact offset without substrating 0x0C. Highest confirmed sector that don't use correction for now is 349.

 [Dead Or Alive 2 Hardcore] uses 7
 [Gradius V] uses 1
 [Grand Theft Auto III] uses 1
 [Katamari Damacy] uses 1
 [Manhunt] uses 1
 [Odin Sphere] uses 2
 [Primal] uses 1
 [Psychonauts] uses 1
 [Syphon Filter The Omega Strain] uses 1
Maximum List Count: 47
0x0C Command Name: Unknown
Command Data: 1x (uint16_t, uint16_t)

First param can be 0, 1, or 2. Second param in range of 0 and 0xFFFF. Second param is used only if first param == 1. Default values are (1, 0x1000) for PS2DVD, and (1, 0x400) for PS2CD and PS2CDDA.
Other valid values for the second param (found in oficial configs ?): 0x180, 0x800

0x0D Command Name: Unknown
Command Data: 1x int32

True/false. Default = 1

0 = Skip some IOP related code responsible for check value from IOP SPE LS 0x2C0C0 (and skip panic if value is 0 or -1).
Also skip write of value 0x80000000 to SPU Signal Notification 1 Register of IOP SPE.
0x0E Command Name: Improves ADD/SUB accuracy
Command Data: 1x int32

1 Param offset --- Improves ADD/SUB FPU/COP2 accuracy for selected offset. Work with opcodes from commands 0x26/0x27. Basically command like 0x0F just per offset, no per range.

 [Rygar] only has 0x147DA8 sub.s   $f12, $f20, $f12
Used in official configs: SCUS97501=0x3C458C, SCES53642=0x3C4854, SLUS21026=0x386864, SLUS20916=0x121F64, SLUS20437=0x11EDF0
Maximum Amount of Usage: 32 times
0x0F Command Name: More accurate ADD/SUB memory range
Command Data: List <uint32_t Param, uint32_t Param>

More accurate memory range. This command is combined 0x26, and 0x27 command.

 [Dark Cloud] uses 0x239334, 0x1FFFFFF
 [Grand Theft Auto SA] uses 0x1E46DC, 0x1E4AE8
Maximum Amount of Usage: 32 (if there is no additional 0x26/0x27 command)
0x10 Command Name: MULDIV Accurate range
Command Data: List <uint32_t Param, uint32_t Param>

More accurate MUL/DIV handling on selected memory range for selected FPU opcodes. Effectively work only with:

MUL.s, DIV.s, MULA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s. 
For ADD/SUB opcodes, command is active only on Multiply stage.
Maximum List Count: 32 
0x11 Command Name: VU0 Accurate ADD/SUB
Command Data: 1x uint32_t Param

Param is VU0 (MICROPROGRAM) memory offset, correct param is in range of 0x000 to 0xFF8.

Lower pipeline fetch opcode from address, Upper from address + 4. So correct address for config needs to be 8 bytes aligned.
Used in official configs: SLUS21172=0x208, SLUS20878=0x140,0x368,0x570
Maximum Amount of Usage: 32 times
0x12 Command Name: Unknown
Command Data: <List> (uint32_t count,

VU0/COP2 related multicommand.

First 8 bytes of that command are special flags. Not quite sure about bytes 5-8 yet,
because at some point they are used to "andc" with first 4 bytes.
Some examples for first 4 bytes:
0x1000     = Run additional flag related code after every FMAC operation, VU0 only, COP2 do this by default.
0x2000     = Emit some additional code when lower opcode is fsset, this flag require 0x1000 to be enabled. VU0 only. 
0x100000   = When enabled opcodes like MSUB, MADDA, etc, do proper multiply first, then add/sub. When disabled (default) single opcode is used (vmaddfp / vmmsubfp). Not used in COP2 mode.
             Note: When this command is disabled, then "Accurate MUL" is skipped for MADDxx/MSUBxx regardless that 0x30000000 is set or not.
             Because there is no way to do correct MUL separately when altivec madd/msub is used.
0x200000   = Run some additional code in VU0 load/store opcodes (ILW, LQI, ISWR, etc.) Not used in COP2 mode.
0x400000   = Skip emu syscall 3 (3)
0x800000   = Skip emu syscall 3 (4)
0x4000000  = Enable type 2 config from cmd 0x12.
0x8000000  = Accurate VU0 DIV opcode, not used in COP2 mode.
0x10000000 = Full Accurate VU0 MUL. Use runtime from CMD 0x10, but for every matching VU0 opcode, including opcodes like MSUB for mul part.
             Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them.
0x20000000 = Fast Accurate VU0 MUL. Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them. Not used in COP2 mode.

Selecting both 0x10000000 and 0x20000000 (0x30000000) work the same way as 0x20000000.
Keep in mind that you still need to use at least 8 bytes for cmd 0x12, just use 00 for bytes 5,6,7,8. 
Later bits are dependent on which subcommand we want to run.
 [Primal] uses 0xD of type 2/3 subcommand (minus 0x2 for flags)
 [Rayman Arena] uses 0x11 of type 2/3 subcommand (minus 0x2 for flags)
 [Syphon Filter: The Omega Strain] uses 0x5 of type 1 subcommand (minus 0x2 for flags)
Maximum List Count: 63 
0x13 Command Name: Memory card timing related delay
Command Data: 1x uint64_t Param
0x9bdc  (39900)  - Used by "Phantasy Star Universe" (official config for SLPM-66031), "WRC II Extreme", and "Burnout Dominator"
0xf960  (63840)  - Used by "Jak X: Combat Racing" (official config for SCUS-97429), and "Netsu Chu! Pro Yakyuu 2004"
0x1d394 (119700) - Used by "Jissen Pachi-Slot Hisshouhou! Kemono-Oh" (official config for SLPS-20131)
0x14 Command Name: VU1 transform ADD/SUB
Command Data: N/A

When enabled ADD/SUB VU1 opcodes are processed differently on recompiling/translation stage. Seems to be very specific hack, most likely not usable outside of THPS 4+ engine games.
Note: This setting affects only VU1, and only ADD/SUB. All other opcodes like ADDi,ADDq, MSUB, ADDbc, are not affected.

0x15 Command Name: Unknown
Command Data: 1 Param ( <1, >1 )

Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A2C0 - 0x3A6C0 and patch first branch that match to "bi r127". That weird approach was probably used because spe program differ little bit between emu versions, so they don't need to update command on every new emu revision. Currently (4.75+) this command patch branch at address 0x3A3A4 (bra sub_2E600). This command takes partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior.

[Aeon Flux] uses 2 (gxemu config)
[Bloodrayne 2] uses 4
[GRIMgRiMoiRe] uses 4
[Mana Khemia 2] uses 4
[Odin Sphere] uses 4
[SMT Persona 3 FES] uses 4
[Parappa the Rapper 2] uses 0x14 (softemu config) or 0x4 (gxemu config)
0x16 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x17 Command Name: COP0 configure MTC0/MFC0
Command Data: 1x int32 ?

True/false. Default 0.
Command change behavior of MTC0/MFC0 operation of COP0 Count ($9) register. When enabled time base register is used as a base for calculation, when disabled decrementer register is used as a base for calculations (using emu syscall 12).

[Bully] uses 1
0x18 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x19 Command Name: Force analog controller mode
Command Data: N/A

Skips check for analog/digital controller mode and returns forced analog mode

[Grand Theft Auto III]
[Grandia II]
[Red Faction 2]
[Siren]
0x1A Command Name: Unknown
Command Data: N/A

IPU hack to end fromIPU DMA transfer on BCLR command (store 0 on D3_QWC and D3_CHCR.STR). Not stopping that transfer is actually correct behavior..

0x1B Command Name: Unknown
Command Data: N/A

When IDEC command don't finish, probably due to bad timings. Hack clear D3_CHCR.STR bit when there is still QW left in D3_QWC reg , and IDEC finished already.

[Mana Khemia 2]
0x1C Command Name: Emulate Multitap
Command Data: read uint32_t (use uint8_t)

Enables/disables Multitap emulation. Default 3

0 = disable multitap emulation
1 = enable multitap in controller port 1 (when needed)
2 = enable multitap in controller port 2 (when needed)
3 = enable multitaps in both controller ports (when needed)
 [Medal of Honor: European Assault] uses 1
 [Twisted Metal: Black] uses 1


0x1D Command Name: Set Multitap
Command Data: read uint32_t (use uint8_t)

Sets multitap to specific controller ports and adjusts the order of ports to which controllers are synced. Default 0?

0 = no multitap set (only when needed)
    Controller sync order: 1/1-A, 2/2-A, 1-B, 2-B...
1 = sets multitap in controller port 1 at all times
    Controller sync order: 1/1-A, 1-B, 1-C, 1-D...
2 = sets multitap in controller port 2 at all times
    Controller sync order: 1/1-A, 2/2-A, 2-B, 2-C...
3 = sets multitaps in both controller ports at all times
    Controller sync order: same as 0
 [Medal of Honor: European Assault] uses 1
 [Twisted Metal: Black] uses 1
 [Mystic Heroes] uses 2 (game does not detect multitap in controller port 1)
 [Sonic Riders] uses 2 (GX config, game may not detect multitap in controller port 1)
0x1E Command Name: Multitap related
Command Data: read uint32_t (use uint8_t)
[FIFA 2001] uses 3 (settings for both multitaps?)
0x1F Command Name: Unknown
Command Data: 1x uint32_t

Default 1

Make VIF0 commands MSCAL/MSCALF/MSCNT/MPG/FLUSHE non instant. By default every VIF0 command take 1 cycle, so it's instant.
This config give vif0 some timing sense.
When delta from config passed and vpustat vu0 bits are non 0 (so practically if vif0 is still running),
add 500 cycles and go on until next event test before doing anything on vif0.
This can also be used to ensure that next vif0 command won't run until delta from config passed.
Value from config is added to current r5900 cycles and vif0 will do nothing unless current cycles match new value.
*Valid values found: 200d, 1000d
0x20 Command Name: Unknown
Command Data: 1x uint64_t

Default 0x3C

Config value is used as multiplier for value:
if (mode == NTSC) multiplicand = 2535;
if (mode == PAL)  multiplicand = 5107;
if (mode == 1080) multiplicand = 2364;

At default config value of 0x3C results are:
NTSC = 152100
PAL  = 306420
1080 = 141840

Result is compared against decrementer ticks.
This result value determines how frequently emulator events test checks GS related things.
This include raising GS irq if VSINT/SIGNAL/FINISH occurred, updating display parameters, etc. 
  • Valid values found: 10d, 60d, 100d, 120d, 200d, 240d
0x21 Command Name: Unknown
Command Data: 1x uint32_t
Option one default value = 1, when set to 0: r5900 CACHE opcode IXLTG store 0 in COP0 TagLo register. More than that recompiler skip function responsible for analyze and emitting costly iCache checks.
This drastically reduce emitted code size, and practically disable iCache emulation. Additionally CACHE IXIN/IHIN opcodes use different very long code path (this can be skipped with cmd 0x03).
Option two default value = 0, when set to 1: Emit some kind of check for current r5900 PC with possible trap (tw opcode) at the end. 1 is valid only when option one is 0.

0 = sets an option one to 0 and option two to 0
1 = sets an option one to 0 and option two to 1
2 = sets an option one to 1 and option two to 0 (default)
 [Fatal Frame II] uses 0
 [Grand Theft Auto Vice City] uses 1
 [Grand Theft Auto III (EU)] uses 1
 [SMT Persona 3 FES] uses 0
0x22 Command Name: Unknown
Command Data: N/A

Sets something 1

0x23 Command Name: Unknown
Command Data: N/A

Copy VIF1 command 01h STCYCL handler struct into unused 08h slot (slots are 100 bytes per command, include pointer to function that handle command, and other data). Then patch slot 08h function pointers to function at 0x14E00. 08h is normally unused, and handled as a NOP. This command is useful only with additional 0x01 (0x13-0x15) hooks, which inject 08h VIF1 command into game code when other conditions are met.

0x24 Command Name: Unknown
Command Data: 1x uint64_t

SIO2 related

  • Valid values found: 12000d, 48000d
0x25 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x26 Command Name: FPU Accurate ADD/SUB range
Command Data: List <uint32_t Param,uint32_t Param>

Improves FPU accuracy for selected memory range. Efective only on:

ADD.s, SUB.s, ADDA.s, SUBA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s
For M(UL) opcodes, command is active only on ADD/SUB stage.

 [Bloodrayne 2] uses 0x340000, 0x350000
 [Gradius V] uses 0x3046E0, 0x0x305E44
Maximum Amount of Usage: 32 (if there is no additional 0x0F command)
0x27 Command Name: VU0 macromode accurate range
Command Data: List <uint32_t Param,uint32_t Param>

Improves COP2 operations accuracy for selected memory range. Effective only for opcodes:

VSUBAxyzw, VSUBAq, VSUBAi, VSUBA, VSUBxyzw, VSUBq, VSUBi, VSUB, VMSUBAxyzw,
VMSUBAq, VMSUBAi, VMSUBA, VMSUBxyzw, VMSUBq, VMSUBi, VMSUB, VMADDAxyzw,
VMADDAq, VMADDAi, VMADDA, VMADDxyzw, VMADDq, VMADDi, VMADD, VADDAxyzw,
VADDAq, VADDAi, VADDA, VADDxyzw, VADDq, VADDi, VADD

Maximum Amount of Usage: 32 (if there is no additional 0x0F command)
Seems to affect only ADD/SUB part of opcode. 
0x28 Command Name: Unknown
Command Data: 1x uint32_t

<=3

  • Valid values found: 0, 1, 2, 3
0x29 Command Name: Unknown
Command Data: 2x uint32_t

Seek time modifier. Exact values meaning is unknown for now, they are used as multiplier. First param affect fast seek time, second param affect full seek time. Default value is 0x1F40, 0xBB80 (8000, 48000). Config affect only CDVD N Command Seek, read command that "SeekToSector" is not affected.

0x2A Command Name: Unknown
Command Data: N/A

Sets something 1.

All-Star Baseball 2004
0x2B Command Name: Unknown
Command Data: N/A

When enabled emulated register 0x1F40200F (disc type) is set to 0x13 (PS2CDDA) when media type detected by emu is 0x12 (PS2CD), confirmed in emu code/assembly. Ps2_emu do same thing in "Setting mecha HACK to show GODZCD as GODZCDDA", but due to real media support this is done in little bit different way (but still, 1F40200F is set to 0x13). During testing Dance Factory game, still no tracks are detected regardless of the command. Could be a netemu or Cobra issue (single, mixed mode .bin/.cue loaded).

Dance Factory
0x2C Command Name: Unknown
Command Data: 1x uint32_t

Store (value | value << 32 | value << 64 | value << 96) on 0x2B4F0 of SPE 0 (IOP) LS. In summoner config it will be 0x00000001000000010000000100000001 stored at 0x2B4F0. Value is later used in clgt compare as rb register. Default seems to be 0x00000020000000200000002000000020.

Summoner uses 0x1
0x2D Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x2E Command Name: Unknown
Command Data: 1x uint32_t
  • Valid values found: 0x172
0x2F Command Name: Unknown
Command Data: 1x uint32_t

Store value on 0x2E784 in SPE 1 (PS2 SPU2) LS. Used values are 1, and 2 (after andi, so 3 trigger both configs).

  • Infamous Final Fantasy confirmation sound issue (in fact it does affect every sound effect using the reverb and only in the ps2_netemu) is fixed by 0x2 value.
Indigo Prophecy/Fahrenheit uses 0x1
Kengo 3 uses 0x2
0x30 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x31 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x32 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x33 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x34 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x35 Command Name: Enable Force Flip Field
Command Data: N/A

Described in emu setting as "Fix for [Hang] for soft-lock"

0x36 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x37 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x38 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x39 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x3A Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x3B Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x3C Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x3D Command Name: Config revision
Command Data: 1x uint32_t

Used by debug menu to print config revision. While every official and unofficial config use it, command is not mandatory. Debug menu will just print None as a config revision if command is missing. Official configs use this as a kind of debugging info to know minimal required emu revision.

Config commands supported by emulator revision
Supported Commands ps2_netemu Revision PS3 Firmware
Up to 0x41 15686 3.70 or newer
Unknown 16040 Unknown
Up to 0x43 16604 4.20 or newer
Up to 0x45 16808 4.30 or newer
Up to 0x46 16916 4.40 or newer
Up to 0x48 17041 4.45 or newer
Up to 0x4A 17179 4.50 or newer
Up to 0x4D 17277 4.55 or newer
Up to 0x50 17495 4.78 or newer

See: PS2 Emulator Types and Revisions

0x3E Command Name: Unknown
Command Data: N/A

Similar to 0x0D with param 0. Affect the same IOP related code path, but skips more code.


0x3F Command Name: Unknown
Command Data: 1x uint32_t

Store value on 0x2B700 of SPE 0 (IOP) LS. SIF1 DMA related.

0x40 Command Name: Unknown
Command Data: N/A

Command change GIF behavior by setting value to 1 at address 0x2F0 LS in SPU4.

Grand Theft Auto SA
Silent Hill Origins - unofficial fix
0x41 Command Name: Unknown
Command Data: N/A

When enabled ignore D_ENABLEW (1000F590) writes from EE on SPE3 (EEDMA). D_ENABLER is updated regardless of cmd on PPE side. Enabling that command nullify 0x01 hooks for Max Payne!

Dragon Force
God Hand
Gradius V
Katamari Damacy
0x42 Command Name: EE Overlay patch
Command Data: 2 main Params + patch data: uint32_t address, uint32_t count, opcode,opcode,opcode...

Applied on game start (more precisely while executing ps2 bios syscall 7 ExecPS2), if game overwrite selected part of memory, it will wipe 0x42 patch. See Special:Diff/67828/67858

Start address can be (in theory) anywhere, but Sony used the 0xFF000 - 0xFFFFC range for this purpose.
Count is size of patch in 4 bytes opcodes. So 5 opcode patch = count 5.
Opcodes will be placed on selected address, we use only patch code, no need for original opcode.
Next opcode addresses are auto calculated (+4..) so we need to specify only patch start address.
Remember we need to jump to our new code, best way is command 0x0A with j (jump) opcode.
Also is important to add return jump if required. That one need to be added in our 0x42 patch.
Maximum opcodes count seems to be 0x3FF (1023 opcodes).
0x43 Command Name: Unknown
Command Data: 1x int32

Equal to command 0x40, but with Parameter:

Command change GIF behavior by setting value at address 0x2F0 LS in SPU4, correct values are:
0 = Default
1 = More agressive changes (like 0x40)
anything other = less agressive changes
Code on SPU side check for non zero value, and in few places explicitly for 1 (ceqi rxx,rxx,1) without mask. 
Config have weird behavior. When there is no param, and config end (no more bytes after 43 00 00 00), then param 0xFFFFFFFF is set automatically.  

Shin Sangoku Musou uses 0xFFFFFFFF
0x44 Command Name: Disables Smoothing and Smoothing option
Command Data: N/A
0x45 Command Name: Unknown
Command Data: N/A

Sets something 1

Prevent  display_mode 2 (CELL_GCM_DISPLAY_576_unk)         [640x576]
and      display_mode 0 (CELL_GCM_DISPLAY_480_unk) (60Hz?) [640x480]
from beign set.

Allow   display_mode 1 (CELL_GCM_DISPLAY_480_unk2) (59Hz?) [640x480]
and     display_mode 5 (CELL_GCM_DISPLAY_720P_59)          [1280x720]
depending on sys_info.video_mode & 0x200 is 0 or not.
Both 480 modes can be either I or P, so is something else, probably 59/60Hz.
This config possibly affect only in-emu UI, but this require testing.

Phantasy Star Complete Collection
0x46 Command Name: Enable L2H Improvement
Command Data: N/A

Performance related setting for titles using L2H (Local to Host, so called GS download (from GS to EE))

SMT Digital Devil Saga 1 - Crazy amount of GS downloads used to draw characters in-game
SMT Nocturne
Fatal Frame II

Other games affected (not in official config)

Soul Calibur 2 - When looking at the sun
GT4 - When looking at the sun
Valkyrie Profile 2 - Similar situation to SMT DDS1, in Solde game literally do thousands of 30QWC downloads all the time.
Tak and the Power of JuJu - Fix freeze during loading of the Burial Ground level in the NTSC version. This probably getting lucky with VIF1/GIF timing, normally command is not supposed to fix hang issues.
0x47 Command Name: Enables XOR CSR
Command Data: N/A

Graphics related setting.
XOR bit 13 of GS CSR register (CSR.FIELD). Should fix fullscreen line corruption, maybe some interlacing issues. Long shot, but can possibly affect SCANMSK games.

0x48 Command Name: VSYNC Delay
Command Data: 2x uint32_t
  • First param possible value are 1 = No IPU, 2 = IPU, 3 = Anytime.
  • Second param is delay (in ms?), and can be also negative value.
    • Emu has standard presets for second param.
      • Agressive = 0x3D090 (250000 decimal),
      • Normal = 0x186A0 (100000 decimal),
      • Conservative = 0x4E20 (20000 decimal),
      • But other values can be used.
[SMT Digital Devil Saga 1] uses 1, 0x3D090
[Fatal Frame II] uses 0x2, 0xFFFFE69C (-6500 decimal)
0x49 Command Name: Unknown
Command Data: N/A

Skip part of code which use GS XYOFFSET_1 register, possibly ignore it at all.

Trapt
0x4A Command Name: Unknown
Command Data: N/A

Change VIF1 command 14h MSCAL behavior to use 15h MSCALF (VIF1) instead. MSCALF behavior is the same as MSCAL, but also waits for PATH1 and PATH2 to not be active before starting a microprogram. This is hack, and MSCAL should be fixed instead to wait in queue instead of triggering early.

Applies to the Snowblind Engine games. Fixes the rest of flickering textures.
Meant to be used in conjunction with the GX/SOFT Snowblind Engine's specific commands (double 0x01 and 0x23 combo).
0x4B Command Name: Redirect SAVEDATA by ID
Command Data: 2x uint32_t + ID: offset, int, char[]
For proper config we need at least 2 (can be more if needed) 0x4B commands, one to enable redirect, one to disable.
First param is EE memory offset that when is hit enable/disable redirection.
Second param is used to select which card will be redirected:
  0x00 do nothing
  0x01 for SCEVMC0.VME
  0x02 for SCEVMC1.VME
  0x03 for SCEVMC0.VME and SCEVMC1.VME
  0xFFFFFFFF to disable redirection, and use original VMEs.
Third param is ID of SAVEDATA we want to use padded with 00 to match 12 bytes, or all 00 in disable redirect config.
Important note here is that config have own 00 00 00 00 terminator at the end. 
So after 12 bytes of ID we need to add 4 bytes of 00. That apply also to disable redirect version.
Under the hood config also setup 0x01 hook commands with 0x39 subcommand on selected addresses. 
0x4C Command Name: Unknown
Command Data: 2x uint32_t + ID: offset, int, char[]
Used to redirect to different ISO without game reset. First param is EE offset to hook, second param is some kind of mode selector, depending on that 
emulator later set mecha switch disc state:
  mode 0x01 = set disc switch state to 1 (on next mecha main loop it will emulate opening the tray).
  mode 0x02 = set disc switch state to 3.
  mode 0x03 = set disc switch state to 3. This state repeats because it work different way depending that emulated tray is closed or no.
  mode 0x04 = set disc switch state to 2.
  mode anything else = do nothing.
Third value is ID in big endian hex ascii (eg. NPJD12345), additionally 0x4C expect own 00 00 00 00 terminator. To eventually end redirection use 
another 0x4C but with (offset, 0xFFFFFFFF, 4 * 0x00000000 . This config have very similar usage to 0x4B, just redirect to different iso, instead to 
different MC. Currently is unknown that cobra patched emulators support that config properly, and swap disc thru 0x00 command seems to be easier.
This config don't work if 0x00 multidisc config is detected. Config under the hood setup 0x01 hooks with subcommand 0x3A
0x4D Command Name: Unknown
Command Data: 1x uint32_t

Param is floating point value. Default value 0.

if Q in GS RGBAQ write is 0.0 or -0.0 then
    Q = Q | value from config
else
    Q = Q
 
Wild Arms: The Fifth Vanguard uses 0x3F800000 (1.0)
0x4E Command Name: Unknown
Command Data: Unknown
0x4F Command Name: Unknown
Command Data: Unknown
0x50 Command Name: Enable pressure sensitive controls
Command Data: N/A

PS2 Gxemu Commands[edit | edit source]

PS2 GX Emu commands are Big Endian unless noted. Every command size is 0x18, and unused data need to be filled with zeros. Commands which point to emulator memory have additional data, but command itself is still 0x18 in size. Data fields are just example values and can be changed to different value when needed.

0x01 Equivalent Netemu ID: 0x02
Command Data: 1x int32

Used in function that handle D6 CHCR writes (SIF1), seems to be some kind of timing command for EE --> IOP DMA.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000001 |  0x00000000  | 0x00000BB8  |  0x00000000  |  0x00000000  |  0x00000000
0x02 Equivalent Netemu ID: 0x03
Command Data: None

Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000002 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x03 Equivalent Netemu ID: 0x04
Command Data: 1x int32

Patch SPE 4 program (eedma) by searching for ila r4, xxxxx, starting at 0x178A0 and replacing them with (0x42000004 | ((value << 7) & 0x1FFFF80) 0x42000004 is ila r4 opcode. Due to opcode encoding example result of that patch with value 0x08 will be 0x42000404 (ila r4, 0x08). There is little bit more than that, but main purpose is just to patch SPE program behavior.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000003 |  0x00000000  | 0x00000008  |  0x00000000  |  0x00000000  |  0x00000000
0x04 Equivalent Netemu ID: Not available
Command Data: None

Patch spe 4 program to use alternative VIF1 Direct/DirectHL command handler.

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000004 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x05 Equivalent Netemu ID: 0x06
Command Data: None

Patch spe 4 program to use alternative VIF1 Offset command handler.

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000005 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x06 Equivalent Netemu ID: 0x07
Command Data: 1x int32

Delay XGKICK by x cycles.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000006 |  0x00000000  | 0x00000008  |  0x00000000  |  0x00000000  |  0x00000000
0x07 Equivalent Netemu ID: 0x08
Command Data: 1x int32

Patch 2 x 32 bit opcodes of VU1 microprogram (lower and upper opcode). Config allow to specify bitmask for both read and write.

Format:
32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit align | 32 bit align
0x00000007 |  0x00000000  |   0x0000000000341190    |  0x00000000  |  0x00000000
Additional example data at 0x341190 looks like this:
 64 bit read mask  | 64 bit read value  | 64 bit write mask  | 64 bit write value
0x80000000FFFFFFFF | 0x0000000040000001 | 0x00000000FFFFFFFF | 0x000000008000033C
Which translates to C:
if readVu1Code(i) & 0x80000000FFFFFFFF == 0x0000000040000001
    writeVu1Code(i, 0x000000008000033C & 0x00000000FFFFFFFF)
0x08 Equivalent Netemu ID: 0x09
Command Data: 1x int32

Patch 2 x 32 bit opcodes of EE executable code.

Format:
32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
0x00000008 |  0x00000000  |   0x0000000000341190    |  0x00000002  |  0x00000000
Additional example data at 0x341190 looks like this:
 32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode 
    0x00418750     |  0x00000000  |       0x1062FFFA       |       0x00000000       |       0x00000000      |      0x00000000

due to patch count == 2 in this example, there is next set of data right after first one:
 32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode 
    0x00418808     |  0x00000000  |       0x1062FFFA       |       0x00000000       |       0x00000000      |      0x00000000
More info

This command read and write opcodes as a 64 bit value. This can be really confusing when creating custom config.

Lets assume that EE offset 0x100000 holds value (in raw hex) 00 11 22 33 44 55 66 77 and we want to change it to 88 99 AA BB CC DD EE FF

Format:
32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
0x00000008 |  0x00000000  |   0x0000000000341190    |  0x00000001  |  0x00000000

Additional example data at 0x341190 looks like this:
 32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode 
    0x00100000     |  0x00000000  |       0x77665544       |       0x33221100       |       0xFFEEDDCC      |      0xBBAA9988
                   |              |value read from 0x100004|value read from 0x100000|value write to 0x100004|value write to 0x100000

This happen because emulator read 64 bit value from 0x100000 and reverse it from little to big endian as whole 64 bits. Exactly the same happen for values that emulator write to memory. This little code snippet can help little bit with conversion.

# Value to convert, copied from hex editor or disassembler.
x = "00 11 22 33 44 55 66 77"

x = x.replace(" ", "")
x = int(x, 16)

x = (x & 0x00000000FFFFFFFF) << 32 | (x & 0xFFFFFFFF00000000) >> 32
x = (x & 0x0000FFFF0000FFFF) << 16 | (x & 0xFFFF0000FFFF0000) >> 16
x = (x & 0x00FF00FF00FF00FF) << 8  | (x & 0xFF00FF00FF00FF00) >> 8
a = x >> 56
b = (x >> 48) & 0xFF
c = (x >> 40) & 0xFF
d = (x >> 32) & 0xFF
e = (x >> 24) & 0xFF
f = (x >> 16) & 0xFF
g = (x >> 8) & 0xFF
h = x & 0xFF
print("{:02X} {:02X} {:02X} {:02X} {:02X} {:02X} {:02X} {:02X}".format(a,b,c,d,e,f,g,h))

Beside own python installation, code can be used on site like https://www.w3schools.com/python/trypython.asp?filename=demo_compiler

0x09 Equivalent Netemu ID: 0x0B
Command Data: 1x int32

Patch disc data during read operation.

Format:
32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
0x00000009 |  0x00000000  |   0x0000000000341190    |  0x00000001  |  0x00000000
Additional example data at 0x341190 looks like this:
 32 bit lba | 32 bit offset in lba | 64 bit ptr to replace data | 64 bit ptr to original data | 32 bit data size in bytes | 32 bit align
 0x00000471 |      0x00000280      |     0x00000000003411B0     |     0x00000000003411B4      |         0x00000004        |  0x00000000
0x0A Equivalent Netemu ID: 0x0C
Command Data: 2x uint16

First param can be 0, 1, or 2. Second param in range of 0 and 0xFFFF. Second param is used only if first param == 1. Default values are (1, 0x1000) for PS2DVD, and (1, 0x400) for PS2CD and PS2CDDA.

Format:
32 bit ID  | 32 bit align | 16 bit data | 16 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000000A |  0x00000000  |    0x0001   |    0x0400   |  0x00000000  |  0x00000000  |  0x00000000
0x0B Equivalent Netemu ID: 0x0D
Command Data: 1x int32

Command take bool value and default is 1. When set to 0: Skip some IOP related code responsible for check value from IOP SPE (and skip panic if value is 0 or -1).
Also skip write of value 0x80000000 to SPU Signal Notification 1 Register of IOP SPE.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000000B |  0x00000000  | 0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x0C Equivalent Netemu ID: 0x0E
Command Data: 1x int32

Use PS2 accurate add/sub math for selected opcode/offset. Command is valid for every FPU and COP2 opcode that do add/sub (also for opcodes like VMSUBA, MADD, etc).

Format:
32 bit ID  | 32 bit align | 32 bit EE memory offset | 32 bit align | 32 bit align | 32 bit align
0x0000000C |  0x00000000  |       0x001264D4        |  0x00000000  |  0x00000000  |  0x00000000
0x0D Equivalent Netemu ID: 0x0F
Command Data: 2x int32

Use PS2 accurate add/sub math for selected opcode/offsets range. Command is valid for every FPU and COP2 opcode that do add/sub (also for opcodes like VMSUBA, MADD, etc).

Format:
32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
0x0000000D |  0x00000000  |          0x0012A3D4           |         0x0012A468         |  0x00000000  |  0x00000000
0x0E Equivalent Netemu ID: 0x10
Command Data: 2x int32

Use PS2 accurate mul/div math for selected opcode/offsets range. Command is valid for every FPU opcode that do mul/div (also for opcodes like MADD, MSUBA etc). Command does not work for COP2 opcodes.

Format:
32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
0x0000000E |  0x00000000  |          0x005719D8           |         0x00571C2C         |  0x00000000  |  0x00000000
0x0F Equivalent Netemu ID: 0x11
Command Data: 1x int32

Use PS2 accurate add/sub math for selected opcode/offset in VU0 microprogram. Command is valid for every VU0 opcode that do add/sub (also for opcodes like MSUBAQ, MADDAx, etc).
Valid VU0 memory offset is in range (0x000 to 0xFFF) & 0xFF8, which mean that last nibble needs to be either 0 or 8.

Format:
32 bit ID  | 32 bit align | 32 bit VU0 memory offset | 32 bit align | 32 bit align | 32 bit align
0x0000000F |  0x00000000  |        0x00000208        |  0x00000000  |  0x00000000  |  0x00000000
0x10 Equivalent Netemu ID: 0x12
Command Data: 1x int64, 1x int32

Multi-purpose VU0/COP2 command. Data size vary depending on sub commands, but at least 2 x 32 bit is required to make command valid.

Format:
32 bit ID  | 32 bit align | 64 bit ptr to emu memory with data | Data size / 4 | 32 bit align
0x00000010 |  0x00000000  |         0x0000000000323288         |  0x0000000D   |  0x00000000
0x11 Equivalent Netemu ID: 0x13
Command Data: 1x int64

Delay memory card related operations by x cycles.

Format:
32 bit ID  | 32 bit align |    64 bit data     | 32 bit align | 32 bit align
0x00000011 |  0x00000000  | 0x000000000000F960 |  0x00000000  |  0x00000000
0x12 Equivalent Netemu ID: 0x14
Command Data: None

Use alternative code path during ADD/SUB VU1 recompilation. Config seems to be very specific hack, most likely not usable outside of THPS 4+ engine games.
Note: This setting affects only VU1, and only ADD/SUB. All other opcodes like ADDi,ADDq, MSUB, ADDbc, are not affected.

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000012 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x13 Equivalent Netemu ID: 0x15
Command Data: 1x int32

Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A9C0 - 0x3ADC0 and patch first found absolute branch to "bi r127".
This command takes partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000013 |  0x00000000  | 0x00000002  |  0x00000000  |  0x00000000  |  0x00000000
0x14 Equivalent Netemu ID: Not available
Command Data: 1x int8

Gsgif related command. Unused in latest emu, also seems to be unreachable even if set.

Format:
32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000014 |  0x00000000  |    0x01    |   0x000000   |  0x00000000  |  0x00000000  |  0x00000000
0x15 Equivalent Netemu ID: 0x17
Command Data: 1x int8

Value is bool, default 0. When set to true, MTC0/MFC0 operation of COP0 Count ($9) register uses ppc timebase register as a base for calculation, when disabled decrementer register is used as a base for calculations.

Format:
32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000015 |  0x00000000  |    0x01    |   0x000000   |  0x00000000  |  0x00000000  |  0x00000000
0x16 Equivalent Netemu ID: Not available
Command Data: None

Perform additional check during GS CSR write and if there is SIGNAL clear bit active and other dependencies are fulfilled, do some additional operations with GS.

Format:
32 bit ID   | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x000000016 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x17 Equivalent Netemu ID: 0x1A
Command Data: None

IPU BCLR command hack

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000017 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x18 Equivalent Netemu ID: 0x1B
Command Data: None

IPU IDEC command hack

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000018 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x19 Equivalent Netemu ID: Not available
Command Data: None

Disable DEV9. Disables net/ps2hdd capabilities including Network Adapter detection.

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000019 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
More info

Command disable reads/writes to selected IOP HW registers. Disabled regs are:

  • 0x10000000 - 0x10003FFF (DEV9/SPEED/ATA/SMAP)
  • 0x1F801460 - 0x1F80147F (Unknown)

Command is auto applied to titles listed here (duplicates are really there in emu too):

    Hash           ID                 Name
0x0CD1298155  SLES_540.13  World Snooker Championship 2007
0x12C93199A5  SLES_518.40  NHL Hitz Pro
0x15C93199AD  SLES_549.13  Pro Evolution Soccer 2008
0x24D92589A5  SLUS_211.86  NBA Ballers - Phenom
0x2CD12D8125  SLUS_212.35  MLB 2K6
0x34C9359935  SLUS_211.38  X-Men Legends II - Rise of Apocalypse
0x34C93599E5  SLUS_211.28  Blitz - The League
0x34C93599E5  SLUS_211.28  Blitz - The League
0x449961C9E5  SLES_542.10  NBA 2K7
0x4C9169C1CD  SLES_542.46  FIFA '07
0x4C9169C1D5  SLES_542.45  NHL '07
0x4C9169C1DD  SLES_542.44  FIFA '07
0x4C9169C1E5  SLES_542.43  FIFA '07
0x4C9169C1F5  SLES_542.41  FIFA '07
0x4C9169C1FD  SLES_542.40  FIFA '07
0x4CB14DE12D  SLUS_213.74  Marvel - Ultimate Alliance
0x54A955F915  SLUS_212.74  Outrun 2006 - Coast 2 Coas
0x5CA15DF165  SLUS_213.01  World Series of Poker
0x5CA15DF1FD  SLUS_212.86  WWE SmackDown! vs RAW 2006
0x5CA15DF1FD  SLUS_212.86  WWE SmackDown! vs RAW 2006
0x649965C94D  SLUS_214.63  Tom Clancy's Ghost Recon 2
0x649965C955  SLUS_214.60  NBA Live '07
0x649965C95D  SLUS_214.61  NASCAR '07
0x649965C965  SLUS_214.58  NHL '07
0x649965C96D  SLUS_214.59  NCAA Football '07
0x6BB149E15D  SLES_531.04  Tom Clancy's Rainbow Six - Lockdown
0x6C916DC165  SLUS_214.91  World Series of Poker - Tournament of Champions
0x6C916DC1A5  SLUS_214.83  Tiger Woods PGA Tour '07
0x6C916DC1AD  SLUS_214.82  NFL Street 3
0x6C916DC1B5  SLUS_214.81  NCAA March Madness '07
0x6C916DC1D5  SLUS_214.77  Madden NFL '07 [Hall of Fame Edition]
0x6C916DC1DD  SLUS_214.76  Madden NFL '07
0x748975D9DD  SLUS_213.83  Fight Night - Round 3
0x7C817DD125  SLUS_214.33  FIFA Soccer '07
0x7C817DD165  SLUS_214.25  NHL 2K7
0x7C817DD16D  SLUS_214.24  NBA 2K7
0x7C817DD175  SLUS_214.27  WWE SmackDown! vs RAW 2007
0x7C817DD1CD  SLUS_214.12  World Championship Poker featuring Howard Lederer - All-In
0x84798529BD  SLUS_205.65  Champions of Norrath
0x8559A109AD  uuunnnnnkkk  
0x8579852915  SLUS_215.68  Arena Football - Road to Glory
0x8579852965  SLUS_215.82  MVP '07 - NCAA Baseball
0x8D51A90145  SLES_545.11  UEFA Champions League
0x8D51A901B5  SLES_545.13  UEFA Champions League
0x8D51A901BD  SLES_545.12  UEFA Champions League
0x8D718D21BD  SLUS_216.20  NCAA Football '08
0x9C619D31E5  SLUS_205.41  NBA Ballers
0x9D41B911AD  SLES_544.48  World Series of Poker - Tournament of Champions
0x9D619D31C5  SLUS_215.61  Major League Baseball 2K7
0x9F29357805  SCUS_975.44  NBA '07 featuring The Life Vol.2
0x9F293578E5  SCUS_975.56  MLB '07 - The Show
0xB549B51915  SLUS_216.38  Madden NFL '0
0xB549B51925  SLUS_216.32  NHL 2K8
0xB549B5195D  SLUS_216.47  NHL '08
0xB549B519A5  SLUS_216.48  FIFA Soccer '08
0xB549B519AD  SLUS_216.49  NBA Live '08
0xBC61793025  SCES_532.85  Ratchet - Gladiator
0xBD41BD1105  SLUS_216.69  NBA 2K8
0xC439C569F5  SLUS_208.20  Tom Clancy's Ghost Recon - Jungle Storm
0xC7716D20D5  SCUS_974.01  Hot Shots Golf FORE!
0xC7716D20D5  SCUS_974.01  Hot Shots Golf FORE!
0xCA11E941F5  SLES_516.97  SSX 3
0xCF7965285D  SCUS_973.53  Ratchet and Clank - Up Your Arsenal
0xCF7965285D  SCUS_973.53  Ratchet and Clank - Up Your Arsenal
0xD20911582D  SCES_515.93  Hardware Online Arena [Beta, Promo & Full Release]
0xD7617D308D  SCUS_973.28  Gran Turismo 4
0xE339C1695D  SLES_525.45  Star Wars Battlefront
0xE794CCB06D  PCPX_980.42  Minna no Tennis
0xEA3129608D  SCES_515.78  Network Access Disc [Original, v4.02 & v4.03]
0xEC11ED4115  SLUS_209.73  Champions - Return to Arms
0xEF594508D5  SCUS_975.00  MLB '06 - The Show
0xF409F559AD  SLUS_208.89  MLB Slugfest - Loaded
0xF7415D10E5  SCUS_974.65  Ratchet - Deadlocked
0xF7415D10E5  SCUS_974.65  Ratchet - Deadlocked

As a result config disable HDD/NET capabilities.

0x1A Equivalent Netemu ID: 0x1D
Command Data: 1x int8

Sets multitap to specific controller ports and adjusts the order of ports to which controllers are synced. Default 3

  • 0 = no multitap set (only when needed). Controller sync order: 1/1-A, 2/2-A, 1-B, 2-B...
  • 1 = sets multitap in controller port 1 at all times. Controller sync order: 1/1-A, 1-B, 1-C, 1-D...
  • 2 = sets multitap in controller port 2 at all times. Controller sync order: 1/1-A, 2/2-A, 2-B, 2-C...
  • 3 = sets multitaps in both controller ports at all times. Controller sync order: same as 0
Format:
32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
0x0000001A |  0x00000000  |    0x01    |   0x000000   |  0x00000000  |  0x00000000  |  0x00000000
0x1B Equivalent Netemu ID: 0x1E
Command Data: 1x int8

Unknown. Probably mtap related. Command is a 2 bit bitfield. Default value 0

Format:
32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
0x0000001B |  0x00000000  |    0x01    |   0x000000   |  0x00000000  |  0x00000000  |  0x00000000
0x1C Equivalent Netemu ID: 0x1F
Command Data: 1x int32

Make VIF0 commands MSCAL/MSCALF/MSCNT/MPG/FLUSHE non instant.
By default every VIF0 command take 1 cycle, so it's instant. This config give vif0 some timing sense. Value is cycle count before first event check related to VIF0.
When delta from config passed and vif0 is still running, add 500 cycles and go on until next event test.
This can also be used to ensure that next vif0 command after MSCAL/MSCALF/MSCNT/MPG/FLUSHE won't run until delta from config passed.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000001C |  0x00000000  | 0x000003F8  |  0x00000000  |  0x00000000  |  0x00000000
0x1D Equivalent Netemu ID: 0x20
Command Data: 1x int64

Vblank timing related, still partially unknown.

Format:
32 bit ID  | 32 bit align |    64 bit data     | 32 bit align | 32 bit align
0x0000001D |  0x00000000  | 0x00000000000000C8 |  0x00000000  |  0x00000000
0x1E Equivalent Netemu ID: 0x21
Command Data: 1x int32

Option one default value = 1, when set to 0: r5900 CACHE opcode IXLTG store 0 in COP0 TagLo register. More than that recompiler skip function responsible for analyze and emitting costly iCache checks.
This drastically reduce emitted code size, and practically disable iCache emulation. Additionally CACHE IXIN/IHIN opcodes use different very long code path (this can be skipped with cmd 0x03).
Option two default value = 0, when set to 1: Emit some kind of check for current r5900 PC with possible trap opcode at the end. 1 is valid only when option one is 0.

  • 0 = sets an option one to 0 and option two to 0
  • 1 = sets an option one to 0 and option two to 1
  • 2 = sets an option one to 1 and option two to 0 (default)
Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000001E |  0x00000000  | 0x00000002  |  0x00000000  |  0x00000000  |  0x00000000
0x1F Equivalent Netemu ID: 0x23
Command Data: None

Patch spe 4 program with new custom VIF1 STCYCL alike command 08h handler. This command is useful only with additional 0x00 hooks. Said hooks inject 08h VIF1 command into game code when other conditions are met.

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x0000001F |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x20 Equivalent Netemu ID: 0x24
Command Data: 1x int64

SIO2 timing related, still partially unknown.

Format:
32 bit ID  | 32 bit align |    64 bit data     | 32 bit align | 32 bit align
0x00000020 |  0x00000000  | 0x0000000000002EE0 |  0x00000000  |  0x00000000
0x21 Equivalent Netemu ID: Not available
Command Data: 1x int32

Unknown, GSGIF SPE related.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000021 |  0x00000000  | 0x00000009  |  0x00000000  |  0x00000000  |  0x00000000
0x22 Equivalent Netemu ID: 0x26
Command Data: 2x int32

Improves FPU accuracy for selected memory range. Efective only on: ADD.s, SUB.s, ADDA.s, SUBA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s.

For M(UL) opcodes, command is active only on ADD/SUB stage.

Format:
32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
0x00000022 |  0x00000000  |          0x0012A3D4           |         0x0012A468         |  0x00000000  |  0x00000000
0x23 Equivalent Netemu ID: 0x27
Command Data: 2x int32

Improves COP2 operations accuracy for selected memory range. Effective only for opcodes:

VSUBAxyzw, VSUBAq, VSUBAi, VSUBA, VSUBxyzw, VSUBq, VSUBi, VSUB, VMSUBAxyzw,
VMSUBAq, VMSUBAi, VMSUBA, VMSUBxyzw, VMSUBq, VMSUBi, VMSUB, VMADDAxyzw,
VMADDAq, VMADDAi, VMADDA, VMADDxyzw, VMADDq, VMADDi, VMADD, VADDAxyzw,
VADDAq, VADDAi, VADDA, VADDxyzw, VADDq, VADDi, VADD
Format:
32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
0x00000023 |  0x00000000  |          0x0012A3D4           |         0x0012A468         |  0x00000000  |  0x00000000
0x24 Equivalent Netemu ID: 0x28
Command Data: 1x int32

Unknown, CDVD related. Only accept values 0/1/2/3

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000024 |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000
0x25 Equivalent Netemu ID: 0x29
Command Data: 2x int32

Seek time modifier. Exact values meaning is unknown for now, they are used as multiplier. First param affect fast seek time, second param affect full seek time. Default value is 0x1F40, 0xBB80 (8000, 48000). Config affect only CDVD N Command Seek, read command that "SeekToSector" is not affected.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit data | 32 bit align | 32 bit align
0x00000025 |  0x00000000  | 0x00001F40  |  0x0000BB80 |  0x00000000  |  0x00000000
0x26 Equivalent Netemu ID: 0x2A
Command Data: None

Unknown, used only in All-Star Baseball 2004

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000026 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x27 Equivalent Netemu ID: 0x2B
Command Data: None

When enabled emulated register 0x1F40200F (disc type) is set to 0x13 (PS2CDDA) when media type detected by emu is 0x12 (PS2CD). Required for multi-track PS2 games like Dance Factory.

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000027 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x28 Equivalent Netemu ID: 0x2C
Command Data: 1x int32

Store (value | value << 32 | value << 64 | value << 96) in SPE 0 (IOP) LS.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x00000028 |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000
0x29 Equivalent Netemu ID: Not available
Command Data: None

Skip one of functions in r5900 event test. Said function interact with GSGIF SPE and GS hardware, but in some conditions can also write to BGCOLOR GS register (why?).

Format:
32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
0x00000029 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000
0x2A Equivalent Netemu ID: 0x2E
Command Data: 1x int32

Unknown.

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000002A |  0x00000000  | 0x00000172  |  0x00000000  |  0x00000000  |  0x00000000
0x2B Equivalent Netemu ID: 0x2F
Command Data: 1x int32

Store value in SPE 1 (PS2 SPU2) LS. Used values are 1, and 2 (after andi, so 3 trigger both configs).

Indigo Prophecy/Fahrenheit uses 0x1, Kengo 3 uses 0x2

Format:
32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
0x0000002B |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000