Talk:PS1 Emulation: Difference between revisions
Line 554: | Line 554: | ||
</pre> | </pre> | ||
=== Command 0x03 (netemu 3. | === Command 0x03 (netemu 3.40 up to 4.88) === | ||
Command ID 0x03 seems to match too in between firmware 3.55 and 4.88 | Command ID 0x03 seems to match too in between firmware 3.55 and 4.88 | ||
Revision as of 14:40, 26 December 2021
PS1 Emulator Types and Revisions
Firmware | Bytes | MD5 | Timestamp | Rev |
---|---|---|---|---|
1.00 AV | 10 296 408 | 981A7428C2A59219FA05861EDEEDBD4A | 06/10/04/12:16 | ? |
1.02 | 10.296.408 | C5FE03742A951194C336EE33783F5CD6 | 06/10/21/00:01 | ? |
1.10 | 10.296.408 | C9C9D7D2E36F3E3579A5DF713E9ABE1E | 06/11/09/06:09 | ? |
1.11 | 10.296.408 | 26271CCA29B77483DC3D7FDDE7B9CC3C | 06/11/21/17:55 | ? |
1.30 | 10.296.496 | E7932EC24E72B3005EE152B141A63690 | 06/12/05/05:34 | ? |
1.31 | 10.296.496 | 2244DE70C85093D7E37BC3D3F4278BE1 | 06/12/12/18:48 | ? |
1.32 | 10.296.496 | 601BCADBBBC0A2D0433C932A2D67C4EF | 06/12/18/05:55 | ? |
1.50 | 10.303.536 | F8050B006CDFCC64DF742D7BBDC03130 | 07/01/18/22:53 | ? |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
1.90 | 6.974.864 | 478CFED0F7EE13C94F01C2A246C83D45 | 07/07/21/06:45 | ? |
? | ? | ? | ? | ? |
stripped/extracted rom/bios | ||||
2.10 | ? | ? | ? | ? |
? | ? | ? | ? | ? |
3.40 | 2.824.576 | A6ABFB04739575E2264A4D3FEB2A9CBF | 10/06/23/15:45 | ? |
? | ? | ? | ? | ? |
3.66 | 2.824.832 | 95399A202003E216794511BD2D2E9DF6 | 11/06/16/03:52 | ? |
3.70 | 2.824.920 | 045D81147B9BDFB8C8A416FD5F5A0C56 | 11/08/05/03:42 | same |
~ | Any | |||
3.72 | C745A30231103B83F04539021E4878FC | 11/09/14/01:17 | ||
3.73 | 2.824.920 | EB3AFF30B3206CFA6A8962AB393F773E | 11/10/04/12:55 | same |
3.74 | E2A77C3DC9FD5AD4264341196462D096 | 11/10/25/00:38 | ||
4.00 | 2.829.784 | 94A8E6A8063C08FAD8CA9B340CCCAE67 | 11/11/22/03:17 | same |
~ | Any | |||
4.11 | 02B7F6D5F517959161B2154135D4B3BC | 12/02/11/07:13 | ||
4.15 | ? | ? | ? | ? |
4.20 | 2.829.912 | 3778948C92F5FA12CB0AABE65BEE5465 | 12/06/15/02:09 | same |
4.21 | B7B662397E3FFDD7C11F9617C1B41856 | 12/06/30/01:13 | ||
4.23 S | 2.829.912 | 6E74CC51E0C6462DF1F9278ED9DB9593 | 12/07/31/00:22 | ? |
4.25 | 2.829.912 | 03EA65C3EA3F8DB04F236C49C6B6C0E1 | 12/09/07/07:03 | same |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
4.78 | 2.765.488 | 354F1DEEDCA3C4CFA1B49B6B28B1648D | 15/12/17/01:18 | ? |
4.80 | ? | ? | ? | ? |
4.81 | 2.765.616 | 2123E3D6A8E81647CB41F51AFEE6CCD6 | 16/10/24/19:23 | ? |
Abandoned (last revision) | ||||
4.82 | 2.765.616 | 64BFA4DBD595A20E317B2189B54BF673 | 17/08/24/15:42 | Same |
~ | Any | |||
4.88 | 0C553CE93A2A6322E16636DD76D75E32 | 21/04/12/11:34 |
· Decrypted (elf): changes every firmware version
· Build label: yes, with timestamp, search for -sgpu-sspu-sli4
· Target Firmware: yes repeated one time
· Revision: unknown
Firmware | Bytes | MD5 | Timestamp | Rev |
---|---|---|---|---|
1.00 ~ 1.60 | No | |||
1.70 | ? | ? | ? | ? |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
1.90 | 6.853.368 | 8A5A3676B461C97A9A467D5651D6EAAD | 07/07/21/06:47 | ? |
? | ? | ? | ? | ? |
stripped/extracted rom/bios | ||||
2.10 | ? | ? | ? | ? |
? | ? | ? | ? | ? |
3.40 | 2.971.288 | FD32C7B7CBA2639FC8DB9EB615A16461 | 10/06/23/15:46 | ? |
? | ? | ? | ? | ? |
3.66 | 2.971.976 | 9586FC8B121E59526C31405DCFFB79CA | 11/06/16/03:54 | ? |
3.70 | 2.972.168 | AA1DB63461EE0BE021ED45F85A6EECE0 | 11/08/05/03:43 | same |
~ | Any | |||
3.72 | 32F45129EC2844D419582912E54CEB22 | 11/09/14/01:18 | ||
3.73 | 2.972.168 | 17063FFAB205B72ABF7F59582B8A7988 | 11/10/04/12:56 | same |
3.74 | 89C03D80ACE7C4FA914DD699621EB4F8 | 11/10/25/00:40 | ||
4.00 | 2.977.128 | DBB8FB62BE3F2064D31332FCB7575DF1 | 11/11/22/03:19 | same |
4.01 | 9E60379FA979B0440C27C6AEE38754AF | 11/12/23/01:10 | ||
4.10 | 2.977.208 | B3CD41AB8235906AB41D3DA18D04F00E | 12/02/05/23:19 | same |
4.11 | 4DDF2C3289AD9BEDF0719DBE1BDA971C | 12/02/11/07:15 | ||
4.15 | ? | ? | ? | ? |
4.20 | 2.977.432 | 363A2D5EE2246E9CEFCBF1078593C771 | 12/06/15/02:10 | same |
4.21 | 5E08C86EC07E4F227D3591DD9530CC95 | 12/06/30/01:15 | ||
4.23 S | 2.977.416 | 149E5E6AD727B1B37E29D4E8D15D5BB0 | 12/07/31/00:23 | ? |
4.25 | 2.977.432 | 295B61D9EEE704077FEC870C8EAC7D35 | 12/09/07/07:04 | same |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
4.78 | 2.913.480 | 398A7CA9F0E8449E15FCB33B87C96194 | 15/12/17/01:19 | ? |
4.80 | ? | ? | ? | ? |
4.81 | 2.913.656 | 8765A00EE467B8635A13ECCBB1F85B89 | 16/10/24/19:24 | ? |
4.82 | 2.913.752 | FCEB6595F9F8E5C77BA36C73C38397D9 | 17/08/24/15:43 | ? |
Abandoned (last revision) | ||||
4.83 | 2.913.992 | CA9509623B9885E18D12E14FA1488EEF | 18/09/02/18:03 | Same |
~ | Any | |||
4.88 | D3283D3F3B5CDF68113560829530E7B3 | 21/04/12/11:34 |
· Decrypted (elf): changes every firmware version
· Build label: yes, with timestamp, search for -sgpu-sli4
· Target Firmware: yes repeated two times
· Revision: unknown
Firmware | Bytes | MD5 | Timestamp | Rev |
---|---|---|---|---|
1.00 ~ 2.01 | No | |||
2.10 | ? | ? | ? | ? |
? | ? | ? | ? | ? |
3.40 | 2.708.856 | C866D54E85BAA06D111C8300F9EA85F1 | 10/06/23/15:51 | ? |
? | ? | ? | ? | ? |
3.66 | 2.708.864 | 9AB86CFAEB12675F3DB08FCAA3541534 | 11/06/16/03:54 | ? |
3.70 | 2.708.880 | 7AB7C32901778E3F0C9B8DB45296821B | 11/08/05/03:44 | same |
~ | Any | |||
3.72 | 2863E9B70B4FB6C5A0938FF508C46057 | 11/09/14/01:18 | ||
3.73 | 2.708.880 | 871E256771632569D664FF2A1ECE82C3 | 11/10/04/12:57 | same |
3.74 | 8A8AC80CBA58561CC754C6CF66B059AB | 11/10/25/00:40 | ||
4.00 | 2.713.832 | F9E840430B2BC982CB1A71B7BDD7FC35 | 11/11/22/03:19 | same |
4.01 | 953090CBCB96626899731B711B3D5B6A | 11/12/23/01:11 | ||
4.10 | 2.713.720 | 47E7FA52DB7BDEDF2187EB02D868834D | 12/02/05/23:20 | same |
4.11 | 8A90DB2A206BE79423A99D4CF2458241 | 12/02/11/07:16 | ||
4.15 | ? | ? | ? | ? |
4.20 | 2.713.904 | 8AC80356D1EFDDCFF7A7AD82136137D2 | 12/06/15/02:11 | same |
4.21 | E482927E47B00C1478313E343DD652C4 | 12/06/30/01:15 | ||
4.23 S | 2.713.888 | A2CF9C4C00B40779FB5C529849E0D6A4 | 12/07/31/00:24 | ? |
4.25 | 2.713.904 | 24107753F0B02075DAB20492BA67167D | 12/09/07/07:05 | same |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
? | ? | ? | ? | ? |
4.78 | 2.649.144 | BF78A0DC74084B43777A7F8CE6C7B66A | 15/12/17/01:20 | ? |
4.80 | ? | ? | ? | ? |
4.81 | 2.649.272 | 0C76DE974439B12546EA494639C8EE9A | 16/10/24/19:25 | ? |
Abandoned (last revision) | ||||
4.82 | 2.649.288 | C5957F268EE9E1429DE3AF0BC15F1395 | 17/08/24/15:44 | Same |
~ | Any | |||
4.88 | 4002EC6CB88F5D2D5E7DF0B0F80A6A0A | 21/04/12/11:35 |
· Decrypted (elf): changes every firmware version
· Build label: yes, with timestamp, search for -sgpu-sspu-sli4
· Target Firmware: yes repeated two times
· Revision: unknown
Command IDs mapping
All the PS1 emulators have some game settings hardcoded inside them organized in a table using a hierarchy, pretty much the same structure used by ps2_gxemu.self and ps2_softemu.self to store the CONFIGS
There is a point of the hierarchy where is indicated the number of commands and the offset where are located. Every command is composed by ID[4] and data[4] (where the data coould be another offset to load more data from a deeper level of the hierarchy)
That IDs differs in between the PS1 emulator versions because are not a direct ID, it seems every ID is mapped to a different ID (probably static and common for all emu versions) in a separated table
How hardcoded config is read based on ps1emu.
Like mentioned above config is created from 2x u32 values. Lets call first value command, and second value param.
Command is used to calculate address for param, and only param is stored on obtained address.
Emulator then check for params, and if found (usually when not zero) apply settings based on them.
0x10BC8 lwz r0, 0(r9) # load HASH 0x10BCC cmpw cr7, r0, r27 # compare title HASH with one from DB 0x10BD0 bne cr7, loc_10BB8 # loop till HASH found 0x10BD4 slwi r0, r10, 4 # config number << 4 to get offset from first entry in table 0x10BD8 addi r24, r1, 0xAB0+var_A40 0x10BDC extsw r0, r0 0x10BE0 clrldi r3, r24, 32 0x10BE4 add r29, r0, r8 # r29 now points to game entry in config table 0x10BE8 lwz r4, 4(r29) # load pointer to game ID 0x10BEC bl sub_137FF8 0x10BF0 nop 0x10BF4 lwz r28, 8(r29) 0x10BF8 cmpwi cr7, r28, 0 0x10BFC ble cr7, loc_10C58 # check config count is not 0 or less 0x10C00 lwz r26, 0xC(r29) # r26 is now pointer to configs for game 0x10C04 li r30, 0 0x10C08 li r29, 0 0x10C0C lwz r25, off_17B5D8 # "core.c: CoreCheckTitle: param[%d] = 0x%"... 0x10C10 0x10C10 read_conf_loop: # CODE XREF: CoreCheckTitle+2DC↓j 0x10C10 add r11, r30, r26 # r11 is now pointer to currently read config for game 0x10C14 addi r29, r29, 1 # count... 0x10C18 clrldi r11, r11, 32 0x10C1C mr r3, r25 # just for print 0x10C20 addi r30, r30, 8 # add 8 so next time in loop we read new config (4), 0x10C20 # and new params (4) if game have more than one config 0x10C24 lwz r4, 0(r11) # load command 0x10C28 lwz r0, 4(r11) # load params 0x10C2C slwi r9, r4, 2 # r9 = r4 << 2 so shift our command to the left by 2, and store in r9 0x10C30 clrldi r5, r0, 32 # just print again 0x10C34 addi r9, r9, 0x10 # add 0x10 to shifted command value 0x10C34 # to create address where param of config will be stored 0x10C38 extsw r4, r4 0x10C3C extsw r9, r9 0x10C40 add r9, r9, r31 # r31 is value that change between emu versions. 0x10C40 # That way emulator can keep correct config IDs without changes to table. 0x10C40 # r31 0x2B0930 + what we currently have in r9 after previous calculations. 0x10C44 stw r0, 4(r9) # Store param on finally calculated address + 4. For example for config 04 0x10C44 # address will be 0x2B0954. 0x10C48 bl print_ 0x10C4C nop 0x10C50 cmpw cr7, r28, r29 # r28 overall config count 0x10C50 # r29 currently read count 0x10C54 bne cr7, read_conf_loop
Known ps1emu.self commands
- 0xB param is magic word for libcrypt, but emulator seems to not use it at all(?).
- 0xE param is divider for 0x204CC00 (psx cpu speed), result is stored on fixed address and used by many functions.
- 0x15 when param is set to 3, force game reload with ps1netemu. Is not known what other param values do.
- 0x19 is related to cdrom, xCdromRead use it as first argument.
Commands Info
The command ID's varies in between firmware versions, most probably because new functions was added every few versions, reorganized, etc... and this changes created a "displacement" of the old commands that causes them to increase his ID
At the time of writing this we dont know how to map that variable ID's to an static ID (that could be valid for all firmware versions), so by now in this list is needed to indicate the firmware version where the command ID was found
Command 0x01 (netemu 3.40 up to 4.88)
Used by SLPM_865.49, SLPM_865.50, SLPS_017.16, SLPS_004.16, SLUS_004.33)
- Valid values found
- 2 (in SLPM_865.49, SLPM_865.50, SLPS_017.16)
- 1 (in SLPS_004.16, SLUS_004.33)
Command 0x02 (netemu 3.40 up to 4.88)
Coincidentially this is one of the few commands that preserves his ID in between firmware versions, most probably is because it was one of the first commands implemented (is either the second or the third from the whole command list) and the variable ID given to it is a very low value (so always was kept at a low position in the commands list and was not disturbed by the modifications made to the other commands)
Is used to load a list of sectors, there are only 3 games using it (and the 3 games are libcrypt protected), as example this is the data loaded by Medievil (SCES_003.11), located at absolute offset 0x16298C in ps1_netemu.self from firmware 4.88
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00162980 00 00 06 15 .... 00162990 00 00 2A 75 00 00 37 19 00 00 3A 33 00 00 3A D0 ..*u..7...:3..:Ð 001629A0 00 00 3B 1A 00 00 3B 8A 00 00 3C 12 00 00 3E 2F ..;...;Š..<...>/ 001629B0 00 00 3E E5 00 00 5D FC 00 00 71 8E 00 00 7C 17 ..>å..]ü..qŽ..|. 001629C0 00 00 80 35 00 00 A4 3D 00 00 A7 3D 00 00 A8 04 ..€5..¤=..§=..¨. 001629D0 00 00 A8 A9 00 00 A9 19 00 00 A9 90 00 00 AB BB ..¨©..©...©...«» 001629E0 00 00 AC 7F 00 00 BA B2 00 00 BE E3 00 00 C0 AF ..¬...º²..¾ã..À¯ 001629F0 00 00 C1 93 00 00 C1 C4 00 00 C3 A1 00 00 DA DE ..Á“..ÁÄ..á..ÚÞ 00162A00 00 00 E7 C1 00 00 FD 3A 00 01 1A 1C 00 01 1D 6A ..çÁ..ý:.......j 00162A10 00 01 1D CF 00 01 29 EF 00 01 45 E2 00 01 6A 98 ...Ï..)ï..Eâ..j˜ 00162A20 00 01 7F BB 00 01 B7 A0 00 01 BB 05 00 01 BF 12 ...»..· ..»...¿. 00162A30 00 01 EE 64 00 02 02 6E 00 02 0B CA 00 02 10 19 ..îd...n...Ê.... 00162A40 00 02 37 24 00 02 45 EC 00 02 54 06 00 02 55 A1 ..7$..Eì..T...U¡ 00162A50 00 02 5D 48 00 02 62 C8 00 02 81 12 00 02 9B 2D ..]H..bÈ......›- 00162A60 00 02 BD 04 00 02 C2 AF 00 02 D9 2A 00 02 DC 90 ..½...¯..Ù*..Ü. 00162A70 00 02 E1 3A 00 02 F2 18 00 02 FC C8 00 03 51 CF ..á:..ò...üÈ..QÏ 00162A80 00 03 52 AA 00 03 72 3F 00 00 00 00 ..Rª..r?....
The libcrypt protection is related with subchannel data stored by sectors, in redump this data is managed with the SBI files, displayed in a hexeditor view in the game page http://redump.org/disc/592/
If we convert the data from the official format to decimal and we compare it with the sector numbers in the SBI file it can be seen the 16 libcrypt protected sectors from the SBI file are included in the official format
The official format seems to include a lot more sectors which purpose is unknown
This is the medievil data from the official format, converted to decimal, and marked the sectors that matches with the SBI file in redump
00000615 --- to decimal ---> 1557 00002A75 --- to decimal ---> 10869 00003719 --- to decimal ---> 14105 (mentioned in the redump SBI file) 00003A33 --- to decimal ---> 14899 (mentioned in the redump SBI file) 00003AD0 --- to decimal ---> 15056 (mentioned in the redump SBI file) 00003B1A --- to decimal ---> 15130 (mentioned in the redump SBI file) 00003B8A --- to decimal ---> 15242 (mentioned in the redump SBI file) 00003C12 --- to decimal ---> 15378 (mentioned in the redump SBI file) 00003E2F --- to decimal ---> 15919 (mentioned in the redump SBI file) 00003EE5 --- to decimal ---> 16101 (mentioned in the redump SBI file) 00005DFC --- to decimal ---> 24060 0000718E --- to decimal ---> 29070 00007C17 --- to decimal ---> 31767 00008035 --- to decimal ---> 32821 0000A43D --- to decimal ---> 42045 (mentioned in the redump SBI file) 0000A73D --- to decimal ---> 42813 (mentioned in the redump SBI file) 0000A804 --- to decimal ---> 43012 (mentioned in the redump SBI file) 0000A8A9 --- to decimal ---> 43177 (mentioned in the redump SBI file) 0000A919 --- to decimal ---> 43289 (mentioned in the redump SBI file) 0000A990 --- to decimal ---> 43408 (mentioned in the redump SBI file) 0000ABBB --- to decimal ---> 43963 (mentioned in the redump SBI file) 0000AC7F --- to decimal ---> 44159 (mentioned in the redump SBI file) 0000BAB2 --- to decimal ---> 47794 0000BEE3 --- to decimal ---> 48867 0000C0AF --- to decimal ---> 49327 0000C193 --- to decimal ---> 49555 0000C1C4 --- to decimal ---> 49604 0000C3A1 --- to decimal ---> 50081 0000DADE --- to decimal ---> 56030 0000E7C1 --- to decimal ---> 59329 0000FD3A --- to decimal ---> 64826 00011A1C --- to decimal ---> 72220 00011D6A --- to decimal ---> 73066 00011DCF --- to decimal ---> 73167 000129EF --- to decimal ---> 76271 000145E2 --- to decimal ---> 83426 00016A98 --- to decimal ---> 92824 00017FBB --- to decimal ---> 98235 0001B7A0 --- to decimal ---> 112544 0001BB05 --- to decimal ---> 113413 0001BF12 --- to decimal ---> 114450 0001EE64 --- to decimal ---> 126564 0002026E --- to decimal ---> 131694 00020BCA --- to decimal ---> 134090 00021019 --- to decimal ---> 135193 00023724 --- to decimal ---> 145188 000245EC --- to decimal ---> 148972 00025406 --- to decimal ---> 152582 000255A1 --- to decimal ---> 152993 00025D48 --- to decimal ---> 154952 000262C8 --- to decimal ---> 156360 00028112 --- to decimal ---> 164114 00029B2D --- to decimal ---> 170797 0002BD04 --- to decimal ---> 179460 0002C2AF --- to decimal ---> 180911 0002D92A --- to decimal ---> 186666 0002DC90 --- to decimal ---> 187536 0002E13A --- to decimal ---> 188730 0002F218 --- to decimal ---> 193048 0002FCC8 --- to decimal ---> 195784 000351CF --- to decimal ---> 217551 000352AA --- to decimal ---> 217770 0003723F --- to decimal ---> 225855 00000000
Command 0x03 (netemu 3.40 up to 4.88)
Command ID 0x03 seems to match too in between firmware 3.55 and 4.88
Command 0x04 (netemu 3.55 up to 4.88)
Command ID 0x04 seems to match too in between firmware 3.55 and 4.88
Command 0x05 (netemu 3.55 up to 4.88)
Command ID 0x05 seems to match too in between firmware 3.55 and 4.88
Command 0x17 (netemu 4.83 up to 4.88) or command 0x15 (netemu 3.40 up to 3.55)
This is the libcrypt magic word. This command is used only in 3 games (SCES_016.95, SLES_019.07, SLES_013.01). see: PS1 Custom Patches