Talk:PS1 Emulation: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(I just realized ps1_netemu.self contains an string with the revision, located inmediatly before the "human readable" list with the Title ID's of the game configs)
Line 253: Line 253:
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, with timestamp, search for '''-sgpu-sli4'''<br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, with timestamp, search for '''-sgpu-sli4'''<br>
{{widedot}}'''<abbr title="2 bytes">Target Firmware</abbr>''': yes repeated '''two''' times<br>
{{widedot}}'''<abbr title="2 bytes">Target Firmware</abbr>''': yes repeated '''two''' times<br>
{{widedot}}'''Revision''': sometimes, search for '''Revision'''
{{widedot}}'''Revision''': <abbr title="ps1_netemu.self from firmware 2.10 (or older) doesnt contains the revision string">sometimes</abbr>, search for '''Revision'''
</span>
</span>
</div><div style="float:left;">
</div><div style="float:left;">

Revision as of 08:38, 2 February 2022

PS1 Emulator Types and Revisions

PS1 Emulator Types and Revisions
ps1_emu.elf (decrypted)
Firmware Size MD5 Timestamp Rev Comm
1.00 AV 10 296 408 981A7428C2A59219FA05861EDEEDBD4A 06/10/04/12:16 ? ?
1.02 10.296.408 C5FE03742A951194C336EE33783F5CD6 06/10/21/00:01 ? ?
1.10 10.296.408 C9C9D7D2E36F3E3579A5DF713E9ABE1E 06/11/09/06:09 ? ?
1.11 10.296.408 26271CCA29B77483DC3D7FDDE7B9CC3C 06/11/21/17:55 ? ?
1.30 10.296.496 E7932EC24E72B3005EE152B141A63690 06/12/05/05:34 ? ?
1.31 10.296.496 2244DE70C85093D7E37BC3D3F4278BE1 06/12/12/18:48 ? ?
1.32 10.296.496 601BCADBBBC0A2D0433C932A2D67C4EF 06/12/18/05:55 ? ?
1.50 10.303.536 F8050B006CDFCC64DF742D7BBDC03130 07/01/18/22:53 ? ?
? ? ? ? ? ?
? ? ? ? ? ?
? ? ? ? ? ?
1.90 6.974.864 478CFED0F7EE13C94F01C2A246C83D45 07/07/21/06:45 ? ?
? ? ? ? ? ?
Stripped/extracted rom/bios
2.10 2.887.152 AEE181B061E586F99E76C033C9DCF726 07/12/15/05:30 ? ?
? ? ? ? ? ?
3.40 2.824.576 A6ABFB04739575E2264A4D3FEB2A9CBF 10/06/23/15:45 ? ?
? ? ? ? ? ?
3.66 2.824.832 95399A202003E216794511BD2D2E9DF6 11/06/16/03:52 ? ?
3.70 2.824.920 045D81147B9BDFB8C8A416FD5F5A0C56 11/08/05/03:42 same ?
~ Any
3.72 C745A30231103B83F04539021E4878FC 11/09/14/01:17
3.73 2.824.920 EB3AFF30B3206CFA6A8962AB393F773E 11/10/04/12:55 same ?
3.74 E2A77C3DC9FD5AD4264341196462D096 11/10/25/00:38
4.00 2.829.784 94A8E6A8063C08FAD8CA9B340CCCAE67 11/11/22/03:17 same ?
~ Any
4.11 02B7F6D5F517959161B2154135D4B3BC 12/02/11/07:13
4.15 ? ? ? ? ?
4.20 2.829.912 3778948C92F5FA12CB0AABE65BEE5465 12/06/15/02:09 same ?
4.21 B7B662397E3FFDD7C11F9617C1B41856 12/06/30/01:13
4.23 S 2.829.912 6E74CC51E0C6462DF1F9278ED9DB9593 12/07/31/00:22 ? ?
4.25 2.829.912 03EA65C3EA3F8DB04F236C49C6B6C0E1 12/09/07/07:03 same ?
? ? ? ? ? ?
? ? ? ? ? ?
? ? ? ? ? ?
4.78 2.765.488 354F1DEEDCA3C4CFA1B49B6B28B1648D 15/12/17/01:18 ? ?
4.80 ? ? ? ? ?
4.81 2.765.616 2123E3D6A8E81647CB41F51AFEE6CCD6 16/10/24/19:23 ? ?
Abandoned (last revision)
4.82 2.765.616 64BFA4DBD595A20E317B2189B54BF673 17/08/24/15:42 Last 0x15
~ Any
4.88 0C553CE93A2A6322E16636DD76D75E32 21/04/12/11:34

  ·  Decrypted (elf): changes every firmware version
  ·  Build label: yes, with timestamp, search for -sgpu-sspu-sli4
  ·  Target Firmware: yes repeated one time
  ·  Revision: unknown

ps1_netemu.elf (decrypted)
Firmware Size MD5 Timestamp Rev Comm
1.70 ? ? ? ? ?
? ? ? ? ? ?
? ? ? ? ? ?
1.90 6.853.368 8A5A3676B461C97A9A467D5651D6EAAD 07/07/21/06:47 ? ?
? ? ? ? ? ?
Stripped/extracted rom/bios
2.10 2.764.288 7826B1C6799404216D4771C07DE12F53 07/12/15/05:31 ? ?
? ? ? ? ? ?
3.40 2.971.288 FD32C7B7CBA2639FC8DB9EB615A16461 10/06/23/15:46 6520 ?
? ? ? ? ? ?
3.66 2.971.976 9586FC8B121E59526C31405DCFFB79CA 11/06/16/03:54 ? ?
3.70 2.972.168 AA1DB63461EE0BE021ED45F85A6EECE0 11/08/05/03:43 same ?
~ Any
3.72 32F45129EC2844D419582912E54CEB22 11/09/14/01:18
3.73 2.972.168 17063FFAB205B72ABF7F59582B8A7988 11/10/04/12:56 same ?
3.74 89C03D80ACE7C4FA914DD699621EB4F8 11/10/25/00:40
4.00 2.977.128 DBB8FB62BE3F2064D31332FCB7575DF1 11/11/22/03:19 same ?
4.01 9E60379FA979B0440C27C6AEE38754AF 11/12/23/01:10
4.10 2.977.208 B3CD41AB8235906AB41D3DA18D04F00E 12/02/05/23:19 same ?
4.11 4DDF2C3289AD9BEDF0719DBE1BDA971C 12/02/11/07:15
4.15 ? ? ? ? ?
4.20 2.977.432 363A2D5EE2246E9CEFCBF1078593C771 12/06/15/02:10 same ?
4.21 5E08C86EC07E4F227D3591DD9530CC95 12/06/30/01:15
4.23 S 2.977.416 149E5E6AD727B1B37E29D4E8D15D5BB0 12/07/31/00:23 ? ?
4.25 2.977.432 295B61D9EEE704077FEC870C8EAC7D35 12/09/07/07:04 same ?
? ? ? ? ? ?
? ? ? ? ? ?
? ? ? ? ? ?
4.78 2.913.480 398A7CA9F0E8449E15FCB33B87C96194 15/12/17/01:19 ? ?
4.80 ? ? ? ? ?
4.81 2.913.656 8765A00EE467B8635A13ECCBB1F85B89 16/10/24/19:24 ? ?
4.82 2.913.752 FCEB6595F9F8E5C77BA36C73C38397D9 17/08/24/15:43 ? ?
Abandoned (last revision)
4.83 2.913.992 CA9509623B9885E18D12E14FA1488EEF 18/09/02/18:03 11624 0x3C
~ Any
4.88 D3283D3F3B5CDF68113560829530E7B3 21/04/12/11:34

  ·  Decrypted (elf): changes every firmware version
  ·  Build label: yes, with timestamp, search for -sgpu-sli4
  ·  Target Firmware: yes repeated two times
  ·  Revision: sometimes, search for Revision

ps1_newemu.elf (decrypted)
Firmware Size MD5 Timestamp Rev Comm
2.10 2.763.848 C792C72A06B94705374B846B94981B1A 07/12/15/05:31 ? ?
? ? ? ? ? ?
3.40 2.708.856 C866D54E85BAA06D111C8300F9EA85F1 10/06/23/15:51 ? ?
? ? ? ? ? ?
3.66 2.708.864 9AB86CFAEB12675F3DB08FCAA3541534 11/06/16/03:54 ? ?
3.70 2.708.880 7AB7C32901778E3F0C9B8DB45296821B 11/08/05/03:44 same ?
~ Any
3.72 2863E9B70B4FB6C5A0938FF508C46057 11/09/14/01:18
3.73 2.708.880 871E256771632569D664FF2A1ECE82C3 11/10/04/12:57 same ?
3.74 8A8AC80CBA58561CC754C6CF66B059AB 11/10/25/00:40
4.00 2.713.832 F9E840430B2BC982CB1A71B7BDD7FC35 11/11/22/03:19 same ?
4.01 953090CBCB96626899731B711B3D5B6A 11/12/23/01:11
4.10 2.713.720 47E7FA52DB7BDEDF2187EB02D868834D 12/02/05/23:20 same ?
4.11 8A90DB2A206BE79423A99D4CF2458241 12/02/11/07:16
4.15 ? ? ? ? ?
4.20 2.713.904 8AC80356D1EFDDCFF7A7AD82136137D2 12/06/15/02:11 same ?
4.21 E482927E47B00C1478313E343DD652C4 12/06/30/01:15
4.23 S 2.713.888 A2CF9C4C00B40779FB5C529849E0D6A4 12/07/31/00:24 ? ?
4.25 2.713.904 24107753F0B02075DAB20492BA67167D 12/09/07/07:05 same ?
? ? ? ? ? ?
? ? ? ? ? ?
? ? ? ? ? ?
4.78 2.649.144 BF78A0DC74084B43777A7F8CE6C7B66A 15/12/17/01:20 ? ?
4.80 ? ? ? ? ?
4.81 2.649.272 0C76DE974439B12546EA494639C8EE9A 16/10/24/19:25 ? ?
Abandoned (last revision)
4.82 2.649.288 C5957F268EE9E1429DE3AF0BC15F1395 17/08/24/15:44 Last 0x18
~ Any
4.88 4002EC6CB88F5D2D5E7DF0B0F80A6A0A 21/04/12/11:35

  ·  Decrypted (elf): changes every firmware version
  ·  Build label: yes, with timestamp, search for -sgpu-sspu-sli4
  ·  Target Firmware: yes repeated two times
  ·  Revision: unknown


Memory Map

For now here, i will move when finished. Based on ps1_netemu 4.86.

  • emu memory 0x770780 - 0x97077F = PS1 RAM (80000000 - 801FFFFF)
  • emu memory 0x970780 - 0x970B7F = PS1 Scratchpad (1F800000 - 1F8003FF)
  • emu memory 0x970B80 - 0xD70B80 = PS1 ROM (1FC00000 - 1FFFFFFF) (only 512kb used)

GPU related info

Highly recommended to visit site below to understand this info:
http://problemkaputt.de/psx-spx.htm#gpustatusregister
http://problemkaputt.de/psx-spx.htm#gpudisplaycontrolcommandsgp1

Offset in emu memory (ps1_netemu 4.86) | name | info

GP1 CMD parsers
0x10C48C process_GP1_cmd
0x10C5E4 GP1_reset_gpu
0x10C88C GP1_reset_command_buffer
0x10C940 GP1_acknowledge_gpu_IRQ1
0x10C968 GP1_display_enable
0x10C9A4 GP1_dma_direction___data_request
0x10CA20 GP1_display_mode
0x10CAEC GP1_get_gpu_info
0x10CB00 GP1_horizontal_display_range
0x10CB30 GP1_vertical_display_range
0x10CB60 GP1_start_of_display_area_in_VRAM
0x10CBD8 dma_dir_GPUREADtoCPU
0x10CD34 dma_dir_Off

Emulated GPU important data addresses.
0xD70BE4 E2_REG (used for immediate response by GPUINFO request)\
0xD70BE8 E3_REG (used for immediate response by GPUINFO request) \ Set by GP0 Ex cmds.
0xD70BEC E4_REG (used for immediate response by GPUINFO request) /
0xD70BF0 E5_REG (used for immediate response by GPUINFO request)/
0xD70C1C GP1_get_gpu_info_request (data supplied in GP1 0x10-0x1F cmd)
0xD70C20 GPUSTAT_r (PS1 GPU status register 1F801814 in read mode)
0xD70C24 dma_dir__data_req (from GP1 0x04 cmd)
0xD70C28 - 0xD70DA0 UNCONFIRMED seems to be GP0 fifo on PPU side, but need some reversing to confirm. 
0xD70DA4 display_enable_request (based on GP1 0x03 cmd)
0xD70DA8 start_of_display_area_in_VRAM__X (from GP1 0x05 cmd)
0xD70DAC start_of_display_area_in_VRAM__Y (from GP1 0x05 cmd)
0xD70DB0 H_display_range_X1 (from GP1 0x06 cmd)
0xD70DB4 H_display_range_X2 (from GP1 0x06 cmd)
0xD70DB8 V_display_range_Y1 (from GP1 0x07 cmd)
0xD70DBC V_display_range_Y2 (from GP1 0x07 cmd)
0xD70DC0 H_resolution_1 (from GP1 0x08 cmd)
0xD70DC4 V_resolution (from GP1 0x08 cmd)
0xD70DC8 video_mode___is_pal (from GP1 0x08 cmd)
0xD70DCC display_area_color_depth (from GP1 0x08 cmd)
0xD70DD0 vertical_interlace (from GP1 0x08 cmd)
0xD70DD4 H_resolution_2 (from GP1 0x08 cmd)
0xD70DD8 reverse_flag (from GP1 0x08 cmd)
0xD70DEC display_enable (from GP1 0x03 cmd)
0xD70DF0 display_params_change_requested (1 when old display_mode != new from cmd 0x08)
0xD70DF4 display_mode (whole 8 bits of GP1 0x08)


Config GPU related commands.
Some values are not directly from cfg (are shifted before writing here, etc.).
0xD70E14 set_by_cmd_21
0xD70E18 set_by_cmd_22
0xD70E1C set_by_cmd_23
0xD70E20 set_by_cmd_24
0xD70E24 set_by_cmd_25
0xD70E28 set_by_cmd_26
0xD70E2C set_by_cmd_27
0xD70E30 set_by_cmd_28
0xD70E34 set_by_cmd_29
0xD70E38 set_by_cmd_2B
0xD70E3C set_by_cmd_2C
0xD70E40 set_by_cmd_2D
0xD70E44 set_by_cmd_2E
0xD70E48 set_by_cmd_2F
0xD70E4C set_by_cmd_20
0xD70E50 set_by_cmd_31
0xD70E54 set_by_cmd_30

Command IDs mapping

All the PS1 emulators have some game settings hardcoded inside them organized in a table using a hierarchy, pretty much the same structure used by ps2_gxemu.self and ps2_softemu.self to store the CONFIGS
There is a point of the hierarchy where is indicated the number of commands and the offset where are located. Every command is composed by ID[4] and data[4] (where the data coould be another offset to load more data from a deeper level of the hierarchy)
That IDs differs in between the PS1 emulator versions because are not a direct ID, it seems every ID is mapped to a different ID (probably static and common for all emu versions) in a separated table

How hardcoded config is read based on ps1emu.

Like mentioned above config is created from 2x u32 values. Lets call first value command, and second value param.
Command is used to calculate address for param, and only param is stored on obtained address.
Emulator then check for params, and if found (usually when not zero) apply settings based on them.

0x10BC8                 lwz       r0, 0(r9)       # load HASH
0x10BCC                 cmpw      cr7, r0, r27    # compare title HASH with one from DB
0x10BD0                 bne       cr7, loc_10BB8  # loop till HASH found
0x10BD4                 slwi      r0, r10, 4      # config number << 4 to get offset from first entry in table
0x10BD8                 addi      r24, r1, 0xAB0+var_A40
0x10BDC                 extsw     r0, r0
0x10BE0                 clrldi    r3, r24, 32
0x10BE4                 add       r29, r0, r8     # r29 now points to game entry in config table
0x10BE8                 lwz       r4, 4(r29)      # load pointer to game ID
0x10BEC                 bl        sub_137FF8
0x10BF0                 nop
0x10BF4                 lwz       r28, 8(r29)
0x10BF8                 cmpwi     cr7, r28, 0
0x10BFC                 ble       cr7, loc_10C58  # check config count is not 0 or less
0x10C00                 lwz       r26, 0xC(r29)   # r26 is now pointer to configs for game
0x10C04                 li        r30, 0
0x10C08                 li        r29, 0
0x10C0C                 lwz       r25, off_17B5D8 # "core.c: CoreCheckTitle: param[%d] = 0x%"...
0x10C10
0x10C10 read_conf_loop:                           # CODE XREF: CoreCheckTitle+2DC↓j
0x10C10                 add       r11, r30, r26   # r11 is now pointer to currently read config for game
0x10C14                 addi      r29, r29, 1     # count...
0x10C18                 clrldi    r11, r11, 32
0x10C1C                 mr        r3, r25         # just for print
0x10C20                 addi      r30, r30, 8     # add 8 so next time in loop we read new config (4),
0x10C20                                           # and new params (4) if game have more than one config
0x10C24                 lwz       r4, 0(r11)      # load command
0x10C28                 lwz       r0, 4(r11)      # load params
0x10C2C                 slwi      r9, r4, 2       # r9 = r4 << 2 so shift our command to the left by 2, and store in r9
0x10C30                 clrldi    r5, r0, 32      # just print again
0x10C34                 addi      r9, r9, 0x10    # add 0x10 to shifted command value
0x10C34                                           # to create address where param of config will be stored
0x10C38                 extsw     r4, r4
0x10C3C                 extsw     r9, r9
0x10C40                 add       r9, r9, r31     # r31 is value that change between emu versions. 
0x10C40                                           # That way emulator can keep correct config IDs without changes to table.
0x10C40                                           # r31 0x2B0930 + what we currently have in r9 after previous calculations.
0x10C44                 stw       r0, 4(r9)       # Store param on finally calculated address + 4. For example for config 04
0x10C44                                           # address will be 0x2B0954.
0x10C48                 bl        print_
0x10C4C                 nop
0x10C50                 cmpw      cr7, r28, r29   # r28 overall config count
0x10C50                                           # r29 currently read count
0x10C54                 bne       cr7, read_conf_loop

Per game hash calculation

Hash is calculated using the data contents only (2048 bytes or 0x800h) of the sector 16 (beginning at the 0x9318 of the RAW/2352 image). Every single byte is used in the process. Calculation code does start at 0xC1658 in the ps1_netemu from 4.88 firmware.

loc_C1658:
0xC1658   lwz       r11, -0x7E4C(r2)
0xC165C   lis       r6, -0x7FF9
0xC1660   li        r9, 0x800                           # number of bytes to process. The value is passed to the CTR register next.
0xC1664   li        r0, 1
0xC1668   ori       r6, r6, 0x8071 # 0xFFFFFFFF80078071 # value the bytes are multiplied by
0xC166C   mtctr     r9                                  # set the CTR register for the loop count decrement
0xC1670   mr        r7, r24                             # first offset of the sector data to process moved into the r7 register (0x2DC28C in the RAM).
0xC1674   li        r10, 1                              # set the r10 register to 1.
0xC1678   li        r8, 0                               # set the r8 register to 0.
0xC167C   addi      r15, r24, 0x800                     # last offset of the sector data to process. It does not seem to be used at all.
0xC1680   stw       r0, 0x2640(r11)
loc_C1684:
0xC1684   clrldi    r11, r7, 32                         # move the content from r7 to the r11 (it is the current offset of the byte to process)
0xC1688   addi      r7, r7, 1
0xC168C   lbz       r9, 0(r11)                          # load the byte for calculation
0xC1690   add       r9, r10, r9                         # add r10 to r9
0xC1694   mulhwu    r0, r9, r6                          # multiply the byte by constant and store the high 32 bits of result in the r0
0xC1698   srwi      r10, r0, 15                         # divide the result by 0x8000
0xC169C   slwi      r11, r10, 4                         # multiply r10 by 0x10
0xC16A0   slwi      r0, r10, 16                         # multiply r10 by 0x10000
0xC16A4   subf      r0, r11, r0
0xC16A8   add       r0, r0, r10
0xC16AC   subf      r10, r0, r9
0xC16B0   add       r11, r8, r10
0xC16B4   mulhwu    r0, r11, r6
0xC16B8   srwi      r8, r0, 15
0xC16BC   slwi      r9, r8, 4
0xC16C0   slwi      r0, r8, 16
0xC16C4   subf      r0, r9, r0
0xC16C8   add       r0, r0, r8
0xC16CC   subf      r8, r0, r11
0xC16D0   bdnz+     loc_C1684                           # loop

0xC16D4   lwz       r22, -0x7E4C(r2)
0xC16D8   mr        r3, r22
0xC16DC   lbz       r4, 0xA7(r22)
0xC16E0   lbz       r0, 0xA6(r22)
0xC16E4   slwi      r4, r4, 8
0xC16E8   lbz       r9, 0xA5(r22)
0xC16EC   lbz       r11, 0xA4(r22)
0xC16F0   or        r4, r4, r0
0xC16F4   slwi      r0, r8, 16                         # multiply the r8 by 0x10000 and place the result in the r0 register. It is the higher four bytes of hash.
0xC16F8   slwi      r4, r4, 8
0xC16FC   add       r0, r0, r10                        # add the r10 to r0 - the lower four bytes of hash
0xC1700   or        r4, r4, r9
0xC1704   stw       r0, 0x2640(r22)                    # store the hash

Super simple python script to calculate checksum, script lack of some checks performed by emu, and is hardcoded to 0x9318 offset, but should be enough.
Usage: edit *your first.bin* to name of your image, run script from CMD. Require python (3?).

import zlib

with open('your first.bin', 'rb') as f:
    f.seek(0x9318)
    suma = zlib.adler32(f.read(2048))
    print (hex(suma))

Known ps1emu.self commands

  • 0xB param is magic word for libcrypt.
  • 0xE param is divider for 0x204CC00 (psx cpu speed), result is stored on fixed address and used by many functions.
  • 0x15 when param is set to 3, force game reload with ps1netemu. Is not known what other param values do.

Commands Info

The command ID's varies in between firmware versions, most probably because new functions was added every few versions, reorganized, etc... and this changes created a "displacement" of the old commands that causes them to increase his ID
At the time of writing this we dont know how to map that variable ID's to an static ID (that could be valid for all firmware versions), so by now in this list is needed to indicate the firmware version where the command ID was found
Coincidentially there are a few commands that preserves his ID in between firmware versions, most probably is because are the first commands implemented (up to netemu command 0x04)) and the variable ID given to them is a very low value, so always was kept at a low position in the commands list and was not disturbed by the modifications made to the other commands.

According to internal tables (4.86):

  • ps1_emu support commands up to 0x15
  • ps1_newemu support commands up to 0x18
  • ps1_netemu support commands up to 0x3C

Beside functions that read command params directly, every emulator have function (madeup name) ReadInternalConfigValue(u32 command_id). This function take command_id as only variable, and return param in r3 for selected command. This is used widely to read command params, that include libcrypt commands.

Function mentioned above is placed on (in emu memory, 4.86):

  • ps1_emu 0x10638
  • ps1_newemu 0x12F54
  • ps1_netemu 0xB65F0

Command 0x00 (netemu 3.40 up to 4.88)

  • Valid values found
    • 0 = ? (used by SCPS-18011 Um Jammer Lammy, and SLPS-01818 Langrisser IV & V Final Edition [Disc1of2])

In Um Jammer Lammy is used together with command 0x13, so it was a bit doubtful if it was a mistake. But Langrisser IV & V Final Edition [Disc1of2] uses it too and is the only command used by this disc, so it "should" do something

Command 0x01 (netemu 3.40 up to 4.88)

  • Valid values found
    • 1 = ? (used by SLPS_004.16, SLUS_004.33)
    • 2 = ? (used by SLPM_865.49, SLPM_865.50, SLPS_017.16)

Command 0x02 (netemu 3.40 up to 4.88)

The command data contains an offset that points to an area where are stored a list of sectors (4 bytes each), there are only 3 games using this command and are libcrypt protected: MediEvil (SCES-00311), Vagrant Story (SLES-02754), and Crash Team Racing (SCES-02105)
The libcrypt protection is related with subchannel data stored by sectors, in redump.org this data is managed with the SBI files, displayed in a hexeditor view in each specific game page. If we convert the data from the official format to decimal and we compare it with the sector numbers in the redump.org SBI file it can be seen all the libcrypt protected sectors from the SBI file are included in the official format
The official format seems to include a lot more sectors which purpose is unknown
There seems to be way to supply that data/command from external file. Some research by "Fedor Wearing A Fedora" here and here

Crash Team Racing SCES-02105 (at absolute offset 0x1627E4 in ps1_netemu.self 4.88)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

001627E0              00 00 06 A3 00 00 0E 21 00 00 17 79      ...£...!...y
001627F0  00 00 29 CB 00 00 2B 21 00 00 2E 22 00 00 31 31  ..)Ë..+!..."..11
00162800  00 00 37 19 00 00 37 1E 00 00 38 35 00 00 38 95  ..7...7...85..8•
00162810  00 00 38 9A 00 00 3A D0 00 00 3A D5 00 00 3B 1A  ..8š..:Ð..:Õ..;.
00162820  00 00 3B 1F 00 00 3B D0 00 00 3B D5 00 00 3C 12  ..;...;Ð..;Õ..<.
00162830  00 00 3C 17 00 00 3D 0C 00 00 3D 11 00 00 3F 27  ..<...=...=...?'
00162840  00 00 3F 2C 00 00 48 91 00 00 55 35 00 00 57 A1  ..?,..H‘..U5..W¡
00162850  00 00 58 38 00 00 59 38 00 00 5B 67 00 00 62 A9  ..X8..Y8..[g..b©
00162860  00 00 62 C5 00 00 78 4F 00 00 78 CA 00 00 7E 94  ..bÅ..xO..xÊ..~”
00162870  00 00 90 30 00 00 9A D5 00 00 9E 05 00 00 A4 3D  ...0..šÕ..ž...¤=
00162880  00 00 A4 42 00 00 A5 C0 00 00 A5 C5 00 00 A8 04  ..¤B..¥À..¥Å..¨.
00162890  00 00 A8 09 00 00 A8 A9 00 00 A8 AE 00 00 A9 5A  ..¨...¨©..¨®..©Z
001628A0  00 00 A9 5F 00 00 A9 90 00 00 A9 95 00 00 AA 72  ..©_..©...©•..ªr
001628B0  00 00 AA 77 00 00 AD 18 00 00 AD 1D 00 00 C5 5C  ..ªw........Å\
001628C0  00 00 EC 56 00 00 FB CA 00 01 04 52 00 01 04 7C  ..ìV..ûÊ...R...|
001628D0  00 01 08 F4 00 01 22 A3 00 01 26 79 00 01 2F 8B  ...ô.."£..&y../‹
001628E0  00 01 2F A6 00 01 2F CE 00 01 53 A8 00 01 79 10  ../¦../Î..S¨..y.
001628F0  00 01 86 0D 00 01 C3 96 00 01 CD 83 00 01 EA 08  ..†...Ö..̓..ê.
00162900  00 01 F6 92 00 02 02 57 00 02 1C 08 00 02 53 85  ..ö’...W......S…
00162910  00 02 91 5D 00 02 93 8F 00 02 93 A6 00 02 AB 93  ..‘]..“...“¦..«“
00162920  00 02 AB FB 00 02 BC 8C 00 02 CA 39 00 02 D2 17  ..«û..¼Œ..Ê9..Ò.
00162930  00 02 F1 35 00 03 16 06 00 03 4A 45 00 03 4C B6  ..ñ5......JE..L¶
00162940  00 03 68 26 00 03 6B 1D 00 03 92 B8 00 03 92 F2  ..h&..k...’¸..’ò
00162950  00 03 9B 5D 00 03 A7 76 00 03 BA 90 00 03 C5 1A  ..›]..§v..º...Å.
00162960  00 03 C5 41 00 03 C5 A3 00 03 FC F1 00 03 FD DA  ..ÅA..Å£..üñ..ýÚ
00162970  00 04 14 C2 00 04 1F 49 00 04 26 57 00 04 87 5F  ...Â...I..&W..‡_
00162980  00 04 8E 65 00 04 C0 DA 00 00 00 00              ..Že..ÀÚ....


000006A3
00000E21
00001779
000029CB
00002B21
00002E22
00003131
00003719 --- to decimal ---> 14105 (mentioned in the redump SBI file)
0000371E --- to decimal ---> 14110 (mentioned in the redump SBI file)
00003835
00003895 --- to decimal ---> 14485 (mentioned in the redump SBI file)
0000389A --- to decimal ---> 14490 (mentioned in the redump SBI file)
00003AD0 --- to decimal ---> 15056 (mentioned in the redump SBI file)
00003AD5 --- to decimal ---> 15061 (mentioned in the redump SBI file)
00003B1A --- to decimal ---> 15130 (mentioned in the redump SBI file)
00003B1F --- to decimal ---> 15135 (mentioned in the redump SBI file)
00003BD0 --- to decimal ---> 15312 (mentioned in the redump SBI file)
00003BD5 --- to decimal ---> 15317 (mentioned in the redump SBI file)
00003C12 --- to decimal ---> 15378 (mentioned in the redump SBI file)
00003C17 --- to decimal ---> 15383 (mentioned in the redump SBI file)
00003D0C --- to decimal ---> 15628 (mentioned in the redump SBI file)
00003D11 --- to decimal ---> 15633 (mentioned in the redump SBI file)
00003F27 --- to decimal ---> 16167 (mentioned in the redump SBI file)
00003F2C --- to decimal ---> 16172 (mentioned in the redump SBI file)
00004891
00005535
000057A1
00005838
00005938
00005B67
000062A9
000062C5
0000784F
000078CA
00007E94
00009030
00009AD5
00009E05
0000A43D --- to decimal ---> 42045 (mentioned in the redump SBI file)
0000A442 --- to decimal ---> 42050 (mentioned in the redump SBI file)
0000A5C0 --- to decimal ---> 42432 (mentioned in the redump SBI file)
0000A5C5 --- to decimal ---> 42437 (mentioned in the redump SBI file)
0000A804 --- to decimal ---> 43012 (mentioned in the redump SBI file)
0000A809 --- to decimal ---> 43017 (mentioned in the redump SBI file)
0000A8A9 --- to decimal ---> 43177 (mentioned in the redump SBI file)
0000A8AE --- to decimal ---> 43182 (mentioned in the redump SBI file)
0000A95A --- to decimal ---> 43354 (mentioned in the redump SBI file)
0000A95F --- to decimal ---> 43359 (mentioned in the redump SBI file)
0000A990 --- to decimal ---> 43408 (mentioned in the redump SBI file)
0000A995 --- to decimal ---> 43413 (mentioned in the redump SBI file)
0000AA72 --- to decimal ---> 43634 (mentioned in the redump SBI file)
0000AA77 --- to decimal ---> 43639 (mentioned in the redump SBI file)
0000AD18 --- to decimal ---> 44312 (mentioned in the redump SBI file)
0000AD1D --- to decimal ---> 44317 (mentioned in the redump SBI file)
0000C55C
0000EC56
0000FBCA
00010452
0001047C
000108F4
000122A3
00012679
00012F8B
00012FA6
00012FCE
000153A8
00017910
0001860D
0001C396
0001CD83
0001EA08
0001F692
00020257
00021C08
00025385
0002915D
0002938F
000293A6
0002AB93
0002ABFB
0002BC8C
0002CA39
0002D217
0002F135
00031606
00034A45
00034CB6
00036826
00036B1D
000392B8
000392F2
00039B5D
0003A776
0003BA90
0003C51A
0003C541
0003C5A3
0003FCF1
0003FDDA
000414C2
00041F49
00042657
0004875F
00048E65
0004C0DA
00000000

MediEvil SCES-00311 (at absolute offset 0x16298C in ps1_netemu.self 4.88)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00162980                                      00 00 06 15              ....
00162990  00 00 2A 75 00 00 37 19 00 00 3A 33 00 00 3A D0  ..*u..7...:3..:Ð
001629A0  00 00 3B 1A 00 00 3B 8A 00 00 3C 12 00 00 3E 2F  ..;...;Š..<...>/
001629B0  00 00 3E E5 00 00 5D FC 00 00 71 8E 00 00 7C 17  ..>å..]ü..qŽ..|.
001629C0  00 00 80 35 00 00 A4 3D 00 00 A7 3D 00 00 A8 04  ..€5..¤=..§=..¨.
001629D0  00 00 A8 A9 00 00 A9 19 00 00 A9 90 00 00 AB BB  ..¨©..©...©...«»
001629E0  00 00 AC 7F 00 00 BA B2 00 00 BE E3 00 00 C0 AF  ..¬...º²..¾ã..À¯
001629F0  00 00 C1 93 00 00 C1 C4 00 00 C3 A1 00 00 DA DE  ..Á“..ÁÄ..á..ÚÞ
00162A00  00 00 E7 C1 00 00 FD 3A 00 01 1A 1C 00 01 1D 6A  ..çÁ..ý:.......j
00162A10  00 01 1D CF 00 01 29 EF 00 01 45 E2 00 01 6A 98  ...Ï..)ï..Eâ..j˜
00162A20  00 01 7F BB 00 01 B7 A0 00 01 BB 05 00 01 BF 12  ...»..· ..»...¿.
00162A30  00 01 EE 64 00 02 02 6E 00 02 0B CA 00 02 10 19  ..îd...n...Ê....
00162A40  00 02 37 24 00 02 45 EC 00 02 54 06 00 02 55 A1  ..7$..Eì..T...U¡
00162A50  00 02 5D 48 00 02 62 C8 00 02 81 12 00 02 9B 2D  ..]H..bÈ......›-
00162A60  00 02 BD 04 00 02 C2 AF 00 02 D9 2A 00 02 DC 90  ..½...¯..Ù*..Ü.
00162A70  00 02 E1 3A 00 02 F2 18 00 02 FC C8 00 03 51 CF  ..á:..ò...üÈ..QÏ
00162A80  00 03 52 AA 00 03 72 3F 00 00 00 00              ..Rª..r?....


00000615 --- to decimal ---> 1557
00002A75 --- to decimal ---> 10869
00003719 --- to decimal ---> 14105 (mentioned in the redump SBI file)
00003A33 --- to decimal ---> 14899 (mentioned in the redump SBI file)
00003AD0 --- to decimal ---> 15056 (mentioned in the redump SBI file)
00003B1A --- to decimal ---> 15130 (mentioned in the redump SBI file)
00003B8A --- to decimal ---> 15242 (mentioned in the redump SBI file)
00003C12 --- to decimal ---> 15378 (mentioned in the redump SBI file)
00003E2F --- to decimal ---> 15919 (mentioned in the redump SBI file)
00003EE5 --- to decimal ---> 16101 (mentioned in the redump SBI file)
00005DFC --- to decimal ---> 24060
0000718E --- to decimal ---> 29070
00007C17 --- to decimal ---> 31767
00008035 --- to decimal ---> 32821
0000A43D --- to decimal ---> 42045 (mentioned in the redump SBI file)
0000A73D --- to decimal ---> 42813 (mentioned in the redump SBI file)
0000A804 --- to decimal ---> 43012 (mentioned in the redump SBI file)
0000A8A9 --- to decimal ---> 43177 (mentioned in the redump SBI file)
0000A919 --- to decimal ---> 43289 (mentioned in the redump SBI file)
0000A990 --- to decimal ---> 43408 (mentioned in the redump SBI file)
0000ABBB --- to decimal ---> 43963 (mentioned in the redump SBI file)
0000AC7F --- to decimal ---> 44159 (mentioned in the redump SBI file)
0000BAB2 --- to decimal ---> 47794
0000BEE3 --- to decimal ---> 48867
0000C0AF --- to decimal ---> 49327
0000C193 --- to decimal ---> 49555
0000C1C4 --- to decimal ---> 49604
0000C3A1 --- to decimal ---> 50081
0000DADE --- to decimal ---> 56030
0000E7C1 --- to decimal ---> 59329
0000FD3A --- to decimal ---> 64826
00011A1C --- to decimal ---> 72220
00011D6A --- to decimal ---> 73066
00011DCF --- to decimal ---> 73167
000129EF --- to decimal ---> 76271
000145E2 --- to decimal ---> 83426
00016A98 --- to decimal ---> 92824
00017FBB --- to decimal ---> 98235
0001B7A0 --- to decimal ---> 112544
0001BB05 --- to decimal ---> 113413
0001BF12 --- to decimal ---> 114450
0001EE64 --- to decimal ---> 126564
0002026E --- to decimal ---> 131694
00020BCA --- to decimal ---> 134090
00021019 --- to decimal ---> 135193
00023724 --- to decimal ---> 145188
000245EC --- to decimal ---> 148972
00025406 --- to decimal ---> 152582
000255A1 --- to decimal ---> 152993
00025D48 --- to decimal ---> 154952
000262C8 --- to decimal ---> 156360
00028112 --- to decimal ---> 164114
00029B2D --- to decimal ---> 170797
0002BD04 --- to decimal ---> 179460
0002C2AF --- to decimal ---> 180911
0002D92A --- to decimal ---> 186666
0002DC90 --- to decimal ---> 187536
0002E13A --- to decimal ---> 188730
0002F218 --- to decimal ---> 193048
0002FCC8 --- to decimal ---> 195784
000351CF --- to decimal ---> 217551
000352AA --- to decimal ---> 217770
0003723F --- to decimal ---> 225855
00000000

Vagrant Story SLES-02754 (at absolute offset 0x162A8C in ps1_netemu.self 4.88)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00162A80                                      00 00 14 B5              ...µ
00162A90  00 00 38 F3 00 00 38 F8 00 00 39 39 00 00 39 3E  ..8ó..8ø..99..9>
00162AA0  00 00 3A 33 00 00 3A 38 00 00 3A D0 00 00 3A D5  ..:3..:8..:Ð..:Õ
00162AB0  00 00 3B 1A 00 00 3B 1F 00 00 3B 8A 00 00 3B 8F  ..;...;...;Š..;.
00162AC0  00 00 3B D0 00 00 3B D5 00 00 3F 27 00 00 3F 2C  ..;Ð..;Õ..?'..?,
00162AD0  00 00 3F AA 00 00 90 84 00 00 A6 54 00 00 A6 59  ..?ª...„..¦T..¦Y
00162AE0  00 00 A6 AF 00 00 A6 B4 00 00 A7 3D 00 00 A7 42  ..¦¯..¦´..§=..§B
00162AF0  00 00 A8 04 00 00 A8 09 00 00 A8 A9 00 00 A8 AE  ..¨...¨...¨©..¨®
00162B00  00 00 A9 19 00 00 A9 1E 00 00 A9 5A 00 00 A9 5F  ..©...©...©Z..©_
00162B10  00 00 AD 18 00 00 AD 1D 00 00 BD D6 00 00 BE B1  ........½Ö..¾±
00162B20  00 00 BF AC 00 00 C9 BC 00 00 E5 11 00 01 07 06  ..¿¬..ɼ..å.....
00162B30  00 01 0C 80 00 01 18 E0 00 01 1E 36 00 01 41 46  ...€...à...6..AF
00162B40  00 01 55 E7 00 01 71 BF 00 01 D2 F5 00 01 D8 B5  ..Uç..q¿..Òõ..ص
00162B50  00 01 E4 5A 00 01 E6 29 00 01 F1 FD 00 01 FE B9  ..äZ..æ)..ñý..þ¹
00162B60  00 02 40 5D 00 02 59 9A 00 02 59 ED 00 02 5A 2F  ...]..Yš..Yí..Z/
00162B70  00 02 8B F6 00 02 8C A0 00 02 8C C2 00 02 A0 62  ..‹ö..Œ ..ŒÂ.. b
00162B80  00 02 DD 59 00 02 FD F1 00 03 0B FC 00 03 0C 26  ..ÝY..ýñ...ü...&
00162B90  00 03 9A B1 00 03 A9 E1 00 03 BC 7F 00 03 E1 B9  ..š±..©á..¼...á¹
00162BA0  00 03 E2 08 00 03 F8 8F 00 04 01 72 00 04 05 91  ..â...ø....r...‘
00162BB0  00 04 13 8F 00 04 3E D8 00 04 40 DC 00 04 48 94  ......>Ø...Ü..H”
00162BC0  00 04 67 FB 00 04 78 2C 00 04 8A CE 00 04 B4 A0  ..gû..x,..ŠÎ..´ 
00162BD0  00 04 B9 60 00 04 BE 93 00 04 C3 0C 00 04 CB 0E  ..¹`..¾“..Ã...Ë.
00162BE0  00 04 CB C9 00 04 D5 C8 00 00 00 00              ..ËÉ..ÕÈ....


000014B5
000038F3 --- to decimal ---> 14579 (mentioned in the redump SBI file)
000038F8 --- to decimal ---> 14584 (mentioned in the redump SBI file)
00003939 --- to decimal ---> 14649 (mentioned in the redump SBI file)
0000393E --- to decimal ---> 14654 (mentioned in the redump SBI file)
00003A33 --- to decimal ---> 14899 (mentioned in the redump SBI file)
00003A38 --- to decimal ---> 14904 (mentioned in the redump SBI file)
00003AD0 --- to decimal ---> 15056 (mentioned in the redump SBI file)
00003AD5 --- to decimal ---> 15061 (mentioned in the redump SBI file)
00003B1A --- to decimal ---> 15130 (mentioned in the redump SBI file)
00003B1F --- to decimal ---> 15135 (mentioned in the redump SBI file)
00003B8A --- to decimal ---> 15242 (mentioned in the redump SBI file)
00003B8F --- to decimal ---> 15247 (mentioned in the redump SBI file)
00003BD0 --- to decimal ---> 15312 (mentioned in the redump SBI file)
00003BD5 --- to decimal ---> 15317 (mentioned in the redump SBI file)
00003F27 --- to decimal ---> 16167 (mentioned in the redump SBI file)
00003F2C --- to decimal ---> 16172 (mentioned in the redump SBI file)
00003FAA
00009084
0000A654 --- to decimal ---> 42580 (mentioned in the redump SBI file)
0000A659 --- to decimal ---> 42585 (mentioned in the redump SBI file)
0000A6AF --- to decimal ---> 42671 (mentioned in the redump SBI file)
0000A6B4 --- to decimal ---> 42676 (mentioned in the redump SBI file)
0000A73D --- to decimal ---> 42813 (mentioned in the redump SBI file)
0000A742 --- to decimal ---> 42818 (mentioned in the redump SBI file)
0000A804 --- to decimal ---> 43012 (mentioned in the redump SBI file)
0000A809 --- to decimal ---> 43017 (mentioned in the redump SBI file)
0000A8A9 --- to decimal ---> 43177 (mentioned in the redump SBI file)
0000A8AE --- to decimal ---> 43182 (mentioned in the redump SBI file)
0000A919 --- to decimal ---> 43289 (mentioned in the redump SBI file)
0000A91E --- to decimal ---> 43294 (mentioned in the redump SBI file)
0000A95A --- to decimal ---> 43354 (mentioned in the redump SBI file)
0000A95F --- to decimal ---> 43359 (mentioned in the redump SBI file)
0000AD18 --- to decimal ---> 44312 (mentioned in the redump SBI file)
0000AD1D --- to decimal ---> 44317 (mentioned in the redump SBI file)
0000BDD6
0000BEB1
0000BFAC
0000C9BC
0000E511
00010706
00010C80
000118E0
00011E36
00014146
000155E7
000171BF
0001D2F5
0001D8B5
0001E45A
0001E629
0001F1FD
0001FEB9
0002405D
0002599A
000259ED
00025A2F
00028BF6
00028CA0
00028CC2
0002A062
0002DD59
0002FDF1
00030BFC
00030C26
00039AB1
0003A9E1
0003BC7F
0003E1B9
0003E208
0003F88F
00040172
00040591
0004138F
00043ED8
000440DC
00044894
000467FB
0004782C
00048ACE
0004B4A0
0004B960
0004BE93
0004C30C
0004CB0E
0004CBC9
0004D5C8
00000000

Command 0x03 (netemu 3.40 up to 4.88)

  • Valid values found: 0x32 (50d), 0xC8 (200d), 0x12C (300d), 0x1F4 (500d), 0x258 (600d), 0x2BC (700d), 0x320 (800d), 0x384 (900d), 0x44C (1100d), 0x4B0 (1200d), 0x578 (1400d), 0x5DC (1500d), 0x708 (1800d)
  • Default value: 0x3E8
  • _xcdrom_thread related.

Value is integer that is later converted to double float using fcfid, and truncated to single precision by frsp.
I'm not familiar with CELL floating point unit quirks, but value could be just single precision float from the start, why complicate that so much?
_xcdrom_thread related.

Command 0x04 (netemu 3.40 up to 4.88)

  • Valid values found: 0x4, 0x7, 0x14 (20d), 0x46 (70d), 0x64 (100d), 0xC8 (200d), 0xFFFFFF38 (????????)
  • Default value: 0
  • _xcdrom_thread related.

Command 0x05 (netemu 3.40 up to 4.88)

The game configs inside ps1_netemu.self 3.40 doesnt seems to use this command, so is not posible to see if it matches in between 3.40 and 3.55/4.88 but we can assume is the same ID through netemu 3.40 up to 4.88 because higher command IDs (such 0x08) maintained his ID since 3.40

  • Default value: 0
  • _xcdrom_thread related.

Command 0x06 (netemu 4.83 up to 4.88)

  • Default value: 0
  • _xcdrom_thread related.

Command 0x07 (netemu 4.83 up to 4.88)

  • Default value: 0
  • _xcdrom_thread related.

Command 0x08 (netemu 3.40 up to 4.88)

  • Valid values found: 0xC8 (200d), 0x12C (300d), 0x1F4 (500d), 0x2BC (700d), 0x320 (800d). It seems to be an small selection of the same values used by command 0x03
  • Default value: 0x3E8
  • _xcdrom_thread related.

Command 0x0B (netemu 4.83 up to 4.88)

  • Or command 0x09 (netemu 3.40)
  • Valid values found: 0x27104E95 (in netemu 3.40 and 4.88). It seems to be composed by 2 values of 2 bytes size: 0x2710(hex)=10000(dec). And 0x4E95(hex)=20117(dec)

The command data seems to be a bit special, is a value higher than any other command, but is the same value along different ps1_netemu.self revisions, so is not an offset. There is only one game using this command: SLPS_030.12

Command 0x0E (netemu 4.83 up to 4.88)

  • Default value: 0x1F4
  • _xcdrom_thread related.

Command 0x0F (netemu 4.83 up to 4.88)

  • Default value: 0xFA
  • _xcdrom_thread related.

Command 0x10 (netemu 4.83 up to 4.88)

  • Default value: 0xFA
  • _xcdrom_thread related.

Command 0x11 (netemu 4.83 up to 4.88)

  • Default value: 0x7D
  • _xcdrom_thread related.

Command 0x13 (netemu 4.83 up to 4.88)

  • Default value: 0

Command 0x14 (netemu 4.83 up to 4.88)

  • Default value: 4

Command 0x15 (netemu 4.83 up to 4.88)

  • Default value: 4

Command 0x16 (netemu 4.83 up to 4.88)

  • Default value: 0

Command 0x17 (netemu 4.83 up to 4.88)

  • Or command 0x0A (netemu 2.10)
  • Or command 0x15 (netemu 3.40 up to 3.55)
  • Or command 0x0B (emu 2.10 up to 4.88)
  • Or command 0x07 (newemu 2.10)
  • Or command 0x0A (newemu 3.40 up to 4.88)

This is the libcrypt magic word. This command is used only in 3 games (SCES_016.95, SLES_019.07, SLES_013.01). see: PS1 Custom Patches In ps1_netemu there is possbility to setup that command from one of ps1 classic files (PSISOIMG0000 / PSTITLEIMG000000 related).

Command 0x18 (netemu 4.83 up to 4.88)

  • Default value: 0

Command 0x19 (netemu 4.83 up to 4.88)

  • Default value: 4
  • Set in same place where bios image is loaded, and region check/patch is performed.

Command 0x1A (netemu 4.83 up to 4.88)

Set PS1 PS1 Scratchpad address 0x1F800000 - 0x1F8003FF to given 4 bytes value. Only one game use this, game seems to expect memory initialized to 0xFFFFFFFF, while never do this.

  • Default value: 0

Command 0x1B (netemu 4.83 up to 4.88)

  • Default value: 0x3E8

Command 0x1E (netemu 4.83 up to 4.88)

  • Default value: 0x7D0
  • xPadThread related.

Command 0x21 (netemu 4.83 up to 4.88)

  • Default value: 0x3E8
  • PS1 GPU related.

Command 0x22 (netemu 4.83 up to 4.88)

  • Default value: 0x3E8
  • PS1 GPU related.

Command 0x23 (netemu 4.83 up to 4.88)

  • Default value: 0x3E8
  • PS1 GPU related.

Command 0x24 (netemu 4.83 up to 4.88)

  • Default value: 7
  • PS1 GPU related.

Command 0x25 (netemu 4.83 up to 4.88)

  • Default value: 0
  • PS1 GPU related.

Command 0x2A (netemu 4.83 up to 4.88)

  • Default value: 0
  • PS1 GPU related.

Command 0x2B(netemu 4.83 up to 4.88)

  • Default value: 0
  • PS1 GPU related.

Command 0x2C (netemu 4.83 up to 4.88)

  • Default value: 0
  • PS1 GPU related.

Command 0x2D (netemu 4.83 up to 4.88)

  • Default value: 0
  • PS1 GPU related.

Command 0x32 (netemu 4.83 up to 4.88)

Pad vibration related, seems to be big motor strength used in cellPadSetActDirect if value is less than one of function arguments. Default value set in xPadThread Init is 0x40(64).

Command 0x33 (netemu 4.83 up to 4.88)

Value is integer that is later converted to double float using fcfid, and truncated to single precision by frsp.
Pad vibration related, seems to be used to calculate big motor strength used later in cellPadSetActDirect, if other conditions are met. Default value set in xPadThread Init is 0x4B0(1200).

Command 0x36 (netemu 4.83 up to 4.88)

  • Maximum value 7
  • PSX HW regs access related
  • Valid values found:
    • 1 = ?
    • 2 = ?
    • 4 = ?

Multiple instances accepted, and not overwrite itself.

Command 0x37 (netemu 4.83 up to 4.88)

  • Default value: 1
  • Valid values found:
    • 2 = ?
    • 4 = ?

Something related to I_STAT (PSX Interrupt status register).

Command 0x38 (netemu 4.83 up to 4.88)

  • Valid values found:
    • 1 = relaunch the game with ps1_emu.self
    • 2 = relaunch the game with ps1_newemu.self

When value is not 0 relaunch game with different emu, there seems to be selection between ps1_emu, and ps1_newemu based on config value.

Possible Cobra implementation issues

Every CFW which use cobra module potentially can be affected by nasty bug that is there probably even before 7.00.
So the deal is patch in cobra that allow skip region check, example based on ps1_emu.

SprxPatch ps1_emu_patches[] =
{
	{ ps1_emu_get_region_offset, LI(R29, 0x82), &condition_true }, /* regions 0x80-0x82 bypass region check. */
	{ 0 }
};

While patch actually skip region check, is also skipping part of code where region of ps3 is stored for future usage. And probably set whole emulation to JPN
This can be important because function that cobra patch, probably is responsible for selecting region of ps1_rom.
There is a string in emulator JJJJAEJEAEJJEJJA which seems to be selector for bios/rom region based on target ID (Product_Code).

J    J    J    J    A    E    J    E    A    E    J    J    E    J    J    A
0x80 0x81 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8A 0x8B 0x8C 0x8D 0x8E 0x8F

Hard patch to 0x82 potentially lead to known PAL games frame pacing issues, and to desynced audio, and maybe more. While i can't test that i'm 100% sure that better solution here will be read third character of Title ID from SYSTEM.CNF file of disc/iso, and then patching same place with
ps1_emu_get_region_offset, LI(R29, title_id_based_region), &condition_true .
Generally if title have E then patch to ANY EU target ID, similar for US, for titles where U or E isn't found just use default J target ID. Above is based on static elf analyse, so i can't tell 100% that is an issue, but it looks like it in emu code.

  • Is that patch being applied every time, even on the PAL region console? I have never noticed any issues and I was playing the PAL games mostly. The only thing I noticed is the slowed and pitched down licence screen when the PAL game is launched through the ps1_netemu. --Agrippa (talk) 17:40, 6 January 2022 (UTC)
  • Ok, I have tested the Ape Escape PAL menu theme. There is neither any slowdown, nor pitch difference using either ps1_emu or ps1_netemu. As far as I know, no games are affected, because there are no multi region PS1 games ever released. As the video mode is set before the boot, everything seems to be ok. The cracktros are affected though, because they read that 0xBFC7FF52 offset to determine the video mode, causing the audio to be slower indeed. And it seems the ps1_netemu has got an internal audio pitch compensation, as the licence screen is pitched down (and every cracktro too). The proper patch is needed for the sake of completeness. --Agrippa (talk) 18:51, 1 February 2022 (UTC)

ps1_emu vs ps1_netemu emulation differences

In some cracktros (Spyro 3, Sydney 2000, NFS Porsche 2000) the GP0 command E4h (E4080200) draws the image on the wrong coordinates, causing the frozen image of the zoomed PS1 licence screen. According to this info, that command does make use of the newer 2MB VRAM GPU coordinates. Restricting the drawing area to the lower coordinates does fix the image. It looks like a lot of emulators are affected by this, either the Sony ones (ps1_emu on PS3, PS1 on PS2 hardware emulator, POPS on PSP) or the homebrew pSX 1.13. The ps1_netemu is displaying the image correctly. Does it mean the ps1_netemu emulate a different, newer GPU or just increase the emulation accuracy in general (assuming these cracktros work fine even on the oldest PSX released EDIT: I have found reports they are picky even on the original PS1 hardware too.)?

  • Yes, this should fail also on old PS1 GPU. I can also confirm that PS1DRV (at least before deckard PS2 models) emulate old GPU model.

As for PS3. ps1_emu, and ps1_newemu emulate old GPU, ps1_netemu emulate new GPU at least partially. Also small tip, all emulators have pair of 2 embed SPE ELFs. One is SPU emulator, second is GPU emulator. All of them have debug symbols.

ps1_emu

.text:000014D0 E4_cmd:                              
.text:000014D0      il         r56, 0x3FF
.text:000014D4      hbrr       loc_1504, loc_403C
.text:000014D8      rotmi      r54, r12, -10       # r12 = whole 32 bit command
                                                   # r54 = is command shifted by 10 to skip 
                                                   # x-cord. So now first bits are y-cord.
.text:000014DC      lqr        r51, xmmword_E520
.text:000014E0      and        r55, r12, r56       # x-cord and with whole 10 bits. 
.text:000014E4      cwd        r53, 0xF0+var_F0(sp)
.text:000014E8      cwd        r49, 0xF0+var_F0+8(sp)
.text:000014EC      ai         r52, r55, 1
.text:000014F0      andi       r50, r54, 0x1FF     # y-cord and with 0x1FF, so only 9 bits.

ps1_netemu

.text:00003338 E4_cmd:                          
.text:00003338      rotmi      r18, r12, -10       # r12 = whole 32 bit command
                                                   # r18 = is command shifted by 10 to skip 
                                                   # x-cord. So now first bits are y-cord.
.text:0000333C      hbrr       loc_3384, loc_3328
.text:00003340      il         r19, 0x3FF
.text:00003344      lqr        r39, xmmword_150D0
.text:00003348      il         r8, 0x200
.text:0000334C      lqr        r33, xmmword_150E0
.text:00003350      and        r44, r12, r19       # x-cord and with whole 10 bits. 
.text:00003354      cwd        r42, arg_0+0xC(sp)
.text:00003358      and        r43, r18, r19       # y-cord and with 0x3FF, so whole 10 bits.

---kozarovv.

Patches

Disable Dithering

Always set bit 9 in GP0 E1 command to 0. Patches apply to SPE PS1 GPU emulation program. Based on 4.86, but should be valid for all firmwares since 4.6x

For ps1_emu.elf

search for: 23 EC A4 04 23 E3 3B 85  33 7E 26 00 32 05 86 00 0F 3D C6 11
replace to: 23 EC A4 04 23 E3 3B 85  33 7E 26 00 32 05 86 00 40 80 00 11

For ps1_netemu.elf

search for: 7C 38 41 94 20 7F F4 94 0F 3D C6 3C 12 7F F3 8A
replace to: 7C 38 41 94 20 7F F4 94 40 80 00 3C 12 7F F3 8A

For ps1_newemu.elf

search for: 20 7F FD 4C 23 9D C5 85  32 05 B2 80 12 05 B2 0B 0F 3D C6 58
replace to: 20 7F FD 4C 23 9D C5 85  32 05 B2 80 12 05 B2 0B 40 80 00 58

Patch for rpcs3 (newemu only) for testing purpose.

Version: 1.2

SPU-f3d8be702bf4cb8545656e37c29fcc6201a57991:
  "Disable Dithering":
    Games:
      All:
        All: [ All ]
    Author: "kozarovv"
    Patch Version: 1.0
    Patch:
      - [ be32, 0xFB0, 0x40800058 ]

Psxtract

I updated psxtract to support proper subchannel data extraction for single, and multi discs. Based on most feature rich version from https://github.com/DeadlySystem/psxtract-2 github. Since i don't have github anymore, i think this is good place to share it. Only Windows version is updated! Linux code is not touched (i have no way to test). Please mirror or even make pr on github if that's prefered.

ps1_rom.bin

This file can be replaced by any ps1 rom image (incl. DTL models), and by most of PS2 rom images (maybe by all, deckard models untested). Replacing to bios from PS1 restore Sony logo at start up. That also should allow to run ps1 menu alone, but that's untested. Props to Jabu, iirc he figured out running Sony startup screen ages ago. Emulator have bug (netemu at least), that load whole 4MB file. They probably not changed that after stripping file from 4MB to 512KB. So any PS1/PS2(no deckard) bios image can be used unless is 4MB or less. All of that load games just fine.