PS2 Emulation: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
(→‎Config Commands: Redundant but visually better)
 
(98 intermediate revisions by 9 users not shown)
Line 3: Line 3:
Emulation of Playstation 2 is currently handled by 3 kind of emulators. CECH-A/B models use ps2_emu.self able to use built-in PS2 hardware (EE/GS/Rambus memory), and have best compatibility. CECH-C/E use ps2_gxemu, this emulator use physical Graphic Synthesizer found in this ps3 model, but Emotion Engine is fully emulated here, also there is no Rambus memory. All other models emulate PS2 thru fully software based ps2_netemu used for ps2 classics, and hacked now to use decrypted ISO files. Earlier before Sony provided ps2 classics on PS Store there was another soft only emulator strongly based on ps2_gxemu. It was called ps2_softemu, and had support for original PS2 CDVD. Only emulator not able to run physical discs is ps2_netemu.  
Emulation of Playstation 2 is currently handled by 3 kind of emulators. CECH-A/B models use ps2_emu.self able to use built-in PS2 hardware (EE/GS/Rambus memory), and have best compatibility. CECH-C/E use ps2_gxemu, this emulator use physical Graphic Synthesizer found in this ps3 model, but Emotion Engine is fully emulated here, also there is no Rambus memory. All other models emulate PS2 thru fully software based ps2_netemu used for ps2 classics, and hacked now to use decrypted ISO files. Earlier before Sony provided ps2 classics on PS Store there was another soft only emulator strongly based on ps2_gxemu. It was called ps2_softemu, and had support for original PS2 CDVD. Only emulator not able to run physical discs is ps2_netemu.  


Emulators are self files, but not typical one. Emulators are not truly PS3 Game OS elf executables, but Guest OS'es running on LV1 of PS3. This mean that LV2, or more friendly Game OS is unloaded before emulator is loaded. This also mean that while emulators are running we can't call any LV2 function. Also LV1 syscalls are limited to call from all emulators, but can be fully unlocked.  
Emulators are self files, but not typical one. Emulators are not truly PS3 Game OS elf executables, but Guest OS'es running on LV1 of PS3. This mean that LV2, or more friendly Game OS is unloaded before emulator is loaded. This also mean that while emulators are running we can't call any LV2 function. Also LV1 syscalls are limited to call from all emulators, but can be fully unlocked.


All emulators use built-in stripped developement version of PS2 BIOS with disabled debug functions that can affect some games. This is done because some games print debug info on screen when found that are run on dev bios. Bios between ps2_emu, and ps2_gxemu/ps2_netemu are different. Ps2_emu BIOS is able to run only on ps2emu version of emulator due to RDRAM check.
All emulators use built-in stripped developement version of PS2 BIOS with disabled debug functions that can affect some games. This is done because some games print debug info on screen when found that are run on dev bios. Bios between ps2_emu, and ps2_gxemu/ps2_netemu are different. Ps2_emu BIOS is able to run only on ps2emu version of emulator due to RDRAM check.


PS3 models without Emotion Engine unit use "SPE-compatible SIMD graphics-rounding mode for VMX/Altivec Instructions" for FPU, and VU0 emulated floats calculations. This is set on emulator init by HV call 97 with param 1. VU1 actually run at SPE core so no compatibility mode need (or can) to be set. SPE compatible mode for PPE mean that rounding mode is set as round to zero, denormals are treated as zero, and there are no infinities or NaNs. So literally what PS2 VU was originally. Although SPE, and PPE SPE compatibility mode can still be inaccurate comparing to PS2. Good example here are TriAce games, or Castlevania COD where SPE calculation is wrong by 1 bit making games unplayable without patch. This is due to some PS2 math algo specific inaccuracies in FPU/VU implementation that are not present on any other hardware.
PS3 models without Emotion Engine unit use "SPE-compatible SIMD graphics-rounding mode for VMX/Altivec Instructions" for FPU, and VU0 emulated floats calculations. This is set on emulator init by HV call 97 with param 1. VU1 actually run at SPE core so no compatibility mode need (or can) to be set. SPE compatible mode for PPE mean that rounding mode is set as round to zero, denormals are treated as zero, and there are no infinities or NaNs. So theoretically what PS2 FPU/VU was originally. Although SPE and PPE SPE compatibility mode is still inaccurate comparing to PS2, because Sony decided to cut off 2 guard bits from calculations on PS2. Probably because there was no need for round and sticky bits (no Nan/Inf, one round mode, etc.). Additionally float divide algorithm is custom and not fully understood up to this day. Good example here are TriAce games, or Castlevania COD where SPE calculation is wrong by 1 bit making games unplayable without patch. This are PS2 math algo specific inaccuracies in FPU/VU implementation that are not present on any other hardware.


Note:  
Note:  
* not available in early Tool/DECR and Debug/DEX firmwares. But available in AV TOOL firmware since 1.00
* not available in early Tool/DECR and Debug/DEX firmwares. But available in AV TOOL firmware since 1.00
* Emulation is based on a SCPH-50000/SCPH-20401 Playstation 2 Model.
* Emulation is based on a SCPH-50000/SCPH-20401 Playstation 2 Model.
* [http://unina.stidue.net/Universita'%20di%20Trieste/Ingegneria%20Industriale%20e%20dell'Informazione/Tuzzi/Architetture_Avanzate_dei_Calcolatori/Emotion_2.pdf Introduction to PlayStation2 Architecture.pdf]
* [https://web.archive.org/web/20211118050305/http://unina.stidue.net/Universita'%20di%20Trieste/Ingegneria%20Industriale%20e%20dell'Informazione/Tuzzi/Architetture_Avanzate_dei_Calcolatori/Emotion_2.pdf Introduction to PlayStation2 Architecture.pdf]
* ps2tek docs - https://psi-rockin.github.io/ps2tek/
* ps2tek docs - https://psi-rockin.github.io/ps2tek/


Line 137: Line 137:
|}
|}
<span style="font-size:small">
<span style="font-size:small">
{{widedot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares the only difference is the build label">every firmware version</abbr><br>
{{dot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares the only difference is the build label">every firmware version</abbr><br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, with timestamp, search for '''ps2ver:'''<br>
{{dot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, with timestamp, search for '''ps2ver:'''<br>
{{widedot}}'''Target Firmware''': no/unknown<br>
{{dot}}'''Target Firmware''': no/unknown<br>
{{widedot}}'''Revision''': unknown
{{dot}}'''Revision''': unknown
</span>
</span>
</div>
</div>
Line 205: Line 205:
|}
|}
<span style="font-size:small">
<span style="font-size:small">
{{widedot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{dot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': no/unknown<br>
{{dot}}'''<abbr title="0x20 bytes">Build label</abbr>''': no/unknown<br>
{{widedot}}'''Target Firmware''': no/unknown<br>
{{dot}}'''Target Firmware''': no/unknown<br>
{{widedot}}'''Revision''': unknown
{{dot}}'''Revision''': unknown
</span>
</span>
</div><div style="float:left; width:24%;">
</div><div style="float:left; width:24%;">
Line 261: Line 261:
|}
|}
<span style="font-size:small">
<span style="font-size:small">
{{widedot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{dot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': no/unknown<br>
{{dot}}'''<abbr title="0x20 bytes">Build label</abbr>''': no/unknown<br>
{{widedot}}'''Target Firmware''': no/unknown<br>
{{dot}}'''Target Firmware''': no/unknown<br>
{{widedot}}'''Revision''': unknown
{{dot}}'''Revision''': unknown
</span>
</span>
</div><div style="float:left; width:24%;">
</div><div style="float:left; width:24%;">
Line 319: Line 319:
|}
|}
<span style="font-size:small">
<span style="font-size:small">
{{widedot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{dot}}'''Decrypted (elf)''': changes <abbr title="when comparing two decrypted files of the same revision from different firmwares there are no differences">every emu revision</abbr><br>
{{widedot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, without timestamp, search for '''build r'''<br>
{{dot}}'''<abbr title="0x20 bytes">Build label</abbr>''': yes, without timestamp, search for '''build r'''<br>
{{widedot}}'''Target Firmware''': included in the build label<br>
{{dot}}'''Target Firmware''': included in the build label<br>
{{widedot}}'''Revision''': yes, <abbr title="the location can be seen by comparing 4.23 (value 0x40DC) with 4.25 (value 0x4164) at offset 0x3E4BA in both">'''one''' time</abbr>, and included in the build label
{{dot}}'''Revision''': yes, <abbr title="the location can be seen by comparing 4.23 (value 0x40DC) with 4.25 (value 0x4164) at offset 0x3E4BA in both">'''one''' time</abbr>, and included in the build label
</span>
</span>
</div>
</div>
Line 423: Line 423:


===LIMG Segment===
===LIMG Segment===
The ISO.BIN.ENC have a block of 0x4000 bytes added at the end codenamed "LIMG" that works as a descriptor of the ISO structure
The ISO.BIN.ENC has a block of 0x4000 bytes added at the end codenamed "LIMG" that works as a descriptor for the ISO structure


{| class="wikitable"
{| class="wikitable"
Line 606: Line 606:
|-
|-
|}
|}
Additionally, emulator access SPU directly with those addresses. <br>
{| class="wikitable"
|-
! Address !! Channel !! Channel description !! Access type !! Notes
|-
| 0x44004 || SPU_Out_Mbox || SPU Outbound Mailbox Register || Read only || Used to read 32 bits of data from the corresponding SPU outbound mailbox queue. Outbound Mailbox Register has a corresponding SPU Write Outbound Mailbox Channel for writing data into outbound mailbox queue.
|-
| 0x4400C || SPU_In_Mbox || SPU Inbound Mailbox Register || Write only || Used to write 32 bits of data into the corresponding SPU inbound mailbox queue. Inbound mailbox queue has a corresponding SPU Read Inbound Mailbox Channel for reading data from the queue.
|-
| 0x44014 || SPU_Mbox_Stat || SPU Mailbox Status Register || Read only || Contains the current In_Mbox/Out_Mbox/Out_Intr_Mbox count of the mailbox queues in the corresponding SPE. 
|-
| 0x4401C || SPU_RunCntl || SPU Run Control Register || Read/Write || Used to start and stop the execution of instructions in the SPU.
The SPU can dynamically change the state of the Run Status bit (that is, SPU_Status[R]). 
|-
| 0x44024 || SPU_Status || SPU Status Register || Read only || Used to report the status (state) of an SPU. Emulator use it mostly to check if SPU is running (bit31).
|-
| 0x44034 || SPU_NPC || SPU Next Program Counter Register || Read/Write || Contains the address from which an SPU starts executing when the Run Control bit is set in the SPU Run Control Register.
Used in function that start SPU programs, and in interrupts handlers, plus in few other places.
|-
| 0x5400C || SPU_Sig_Notify_1 || SPU Signal Notification 1 Register || Read/Write || Used to write data that can be read in SPU_RdSigNotify1 channel corresponding SPE.
|-
| 0x5C00C || SPU_Sig_Notify_2 || SPU Signal Notification 2 Register || Read/Write || Used to write data that can be read in SPU_RdSigNotify2 channel corresponding SPE.
|-
|}
Address = SPU base + Address. For example, IPU SPU is mapped to 0x40300000 so accessing SPU_Sig_Notify1 will be done by read/write to 0x4035400C.


===PS2 Memory and Hardware Mapped Registers Layout===
===PS2 Memory and Hardware Mapped Registers Layout===
Line 916: Line 944:


===ps2_netemu.self===
===ps2_netemu.self===
Support for USB devices seems to be limited comparing to other available emulators. Although PS2 side of USB subsystem seems to be fully implemented. IOP emulator in SPU handle USB HW registers addresses and generate interrupt for PPU which later handle RW to mentioned registers in similar fashion to ps2_emu/ps2_gxemu. PS2 side of things can be disabled/enabled using one byte, when disabled USB writes are ignored, and USB reads return 0. Initial state is unknown. Emulator seems to accept HID controllers and use them as DS3.
<br/><br/>
Supported devices:
#BD Remote Control
#BD Remote Control
#PLAYSTATION(R)3 Controller (Vendor ID 0x54C, Product ID 0x268),  
#PLAYSTATION(R)3 Controller (Vendor ID 0x54C, Product ID 0x268),  
Line 925: Line 956:
#Vendor ID 0xF0D (Hori), Product ID 0x4A  
#Vendor ID 0xF0D (Hori), Product ID 0x4A  
#Vendor ID 0x54C (Sony), Product ID 0x5AF
#Vendor ID 0x54C (Sony), Product ID 0x5AF
<br/>
Few peripherals not listed above work fine or with issues.
#PS3 Dance Dance Revolution Dance Pad - not ps2 accessory, opposite arrows can't be pressed at the same time.
#Pop'N Music controllers - Require PS2 to USB converter. Wrong button mappings can be fixed by remap in config file.
#Retro-Bit Official SEGA Mega Drive USB 6-Button Controller. Mapped for PS3 already and also works with this emulator. Lacks analogue sticks and shoulder buttons.


==BIOS==
==BIOS==
Line 987: Line 1,023:
| ADDDRV || 0x85E960 || 0x3DF60 ||  Adds support for the DVD ROM (rom1:), via ROMDRV. || ELF
| ADDDRV || 0x85E960 || 0x3DF60 ||  Adds support for the DVD ROM (rom1:), via ROMDRV. || ELF
|-
|-
| STDIO || 0x85DDC0 || 0x3D3C0 || Standard I/O library. || ELF
| STDIO || 0x85EDC0 || 0x3D3C0 || Standard I/O library. || ELF
|-
|-
| SIFMAN || 0x85F9B0 || 0x3EFB0 || SIF manager. || ELF
| SIFMAN || 0x85F9B0 || 0x3EFB0 || SIF manager. || ELF
Line 1,017: Line 1,053:
| RDRAM || 0x861A00 || 0x41000  || Provides a RDRAM test for the EE at power-on. This is run from RESET. || BIN
| RDRAM || 0x861A00 || 0x41000  || Provides a RDRAM test for the EE at power-on. This is run from RESET. || BIN
|-
|-
| EELOADCNF || 0x864750 || 0x43D50 || Contains the IOP boot configuration file for EELOAD. || BIN
| - || 0x864190 || 0x43A30 ||  || BIN
|-
| EELOADCNF || 0x864200 || 0x43D50 || Contains the IOP boot configuration file for EELOAD. || BIN
|-
|-
| SIFCMD || 0x864900 || 0x43F00 || SIF command module. Contains the SIF command and SIF RPC functions. || ELF
| SIFCMD || 0x864900 || 0x43F00 || SIF command module. Contains the SIF command and SIF RPC functions. || ELF
Line 1,042: Line 1,080:
|-
|-
| - || 0x87FE20 || 0x5F420 ||  || BIN
| - || 0x87FE20 || 0x5F420 ||  || BIN
|-
| BNNETCNF || 0x881D00 || 0x61300 ||  Network configuration. Used by BB Navigator Network Configuration Library. || BIN
|-
|-
| MCSERV || 0x881D40 || 0x61340 ||  RPC server for MCMAN. || ELF
| MCSERV || 0x881D40 || 0x61340 ||  RPC server for MCMAN. || ELF
Line 1,051: Line 1,091:
| - || 0x8866C0 || 0x65CC0 ||  || BIN
| - || 0x8866C0 || 0x65CC0 ||  || BIN
|-
|-
| KROM || 0x886A00 || 0x66000 || Kanji ROM? Not sure where this is used. || BIN
| KROM || 0x886A30 || 0x66030 || Kanji ROM? Not sure where this is used. || BIN
|-
|-
| - || 0x8A0870 || 0x7FE70 ||  || BIN
| - || 0x8A0870 || 0x7FE70 ||  || BIN
Line 1,156: Line 1,196:
*Notes
*Notes
**List of PS2 disc games compatibles with PS3 HDD installation hardcoded in '''dev_flash/vsh/module/[[game_ext_plugin]].sprx'''
**List of PS2 disc games compatibles with PS3 HDD installation hardcoded in '''dev_flash/vsh/module/[[game_ext_plugin]].sprx'''
**Virtuall PS2 HDD support module '''dev_flash/vsh/module/[[libps2hdd]].sprx''' ?
**Virtual PS2 HDD support module '''dev_flash/vsh/module/[[libps2hdd]].sprx''' ?


===PS2 System Data (PSN HDD Tool package)===
===PS2 System Data (PSN HDD Tool package)===
Line 1,251: Line 1,291:
===ps2_netemu syscalls ===
===ps2_netemu syscalls ===
Vector at 0xC00 address.
Vector at 0xC00 address.
  0x0 - 0 = exec smth,  
  0x00 -
       1 = 0x132 lv1 panic,
      0 = return ((unk from 0x1C30/0x1C38 << 56) | thread_number << 48 | ctrl_CT1 (in bit 30) | srr1_EE (in bit 15) | srr1_PS (in bit 14) | srr1_DR (in bit 4))
       2 = 0x133 lv1 panic,
          Where 0x1C30/0x1C38 is selected depending on current HW thread.
       3 = 0x134 lv1 panic,
          Thread number is current SW thread
       4 = 0x135 lv1 panic,
          ctrl_CT1 is lower bit of CT (Current Thread) from PPC Control Register (0 for HW0, 1 for HW1)
       else = 0x136 lv1 panic)
          srr1_EE is MSR Enable External Interrupts bit from time when exception occurred (from before syscall was executed)
  0xC - exec smth
          srr1_PS is MSR Problem State bit from time when exception occurred (from before syscall was executed)
  0x5 - exec smth
          srr1_DR is MSR Data Relocate bit from time when exception occurred (from before syscall was executed)
  0x6 - exec smth
       1 = 0x132 lv1 panic
  0x10 - lv1 panic
       2 = 0x133 lv1 panic
       3 = 0x134 lv1 panic
       4 = 0x135 lv1 panic
       else = 0x136 lv1 panic
0x02 - Destroy init code and perform illegal instructions check. Memzero following addresses:
      CODE: 0x16000 - 0x20B80
      DATA: 0x930F80 - 0x933F80
      UNK:  0x3D016000 - 0x3D020B80
0x03 - Enable additional code related to VU0/COP2.
      3 = Patch 0x186C10 to NOP
      4 = Patch 0x186C40 to NOP
      anything else = LV1 panic
0x04 - Unknown. Available for HW0 only.
0x05 - External interrupts disable (48 bit in MSR). Returns previous MSR state.
  0x06 - External interrupts enable (48 bit in MSR) if param & 0x8000 is not 0, otherwise disable them.
      This sc is more like restore 48th bit of MSR, but many times emu use it to enable bit without using old state.
      Also, emulator panic LV1 if syscall is called while external interrupts are already enabled.
0x0A - IPU emulation related syscall
  0x0B - IPU emulation related syscall
  0x0C - Used in PS2 COP0 MTC0/MFC0 r9/r25 (count/perf), decrementer/timing related, return value in r15.
        Config CMD 0x17 disable that syscall for r9 (count) r/w, and alternative path is used. Perf r/w still use it.
0x0E - PS2 counters/timers related (also used on vsync related functions).
0x0F - PS2 counters/timers related (also used on vsync related functions).
  0x10 - lv1 panic.
0x11 - Wrapper for lv1_read_virtual_uart(port_number, buffer, bytes) [HW0 only, only ports 0 and 2 available, else panic]
0x12 - Wrapper for lv1_storage_send_device_command(dev_id, cmd_id, cmd_block, cmd_size, data_buffer, blocks)
      [HW0 only, Available only for threads: VRC, MECHA, HDD, else panic]
      params are rearranged:
      r3 = cmd_block (0x245E000 is added to this value internally)
      r4 = data_buffer (0x245E000 is added to this value internally)
      r5 = blocks
      dev_id is taken from 0x245D008 and it is 0(HDD) for my dump.
      cmd_id = 0x88 and cmd_size is 8.
0x13 - Set thread info unknown byte to 1 for respective thread and set unknown byte to 1 in USB thread.
      [HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler]
0x14 - Same as 0x13 but set all bits to 0 regardless which thread called it.
      [HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler]
0x1002 - Invalidate gpu hvcalls.
  0x800000XX - HV Syscall where XX is syscall nr.
  0x800000XX - HV Syscall where XX is syscall nr.
  else (other syscalls) - jump to 0x12670 (FW4.78 - current) for HW_0
  else (other syscalls) - jump to 0x12670 (FW4.78 - current) for HW_0
Line 1,400: Line 1,477:
If you want to read some speculation and brainstorming about them, please join the {{talk}} page
If you want to read some speculation and brainstorming about them, please join the {{talk}} page


<div>
<div style="float:top; text-align:center;">'''PS2 Emulators Config Commands Overview'''</div>
<div style="float:left; width:50%;">
<div style="float:right; padding-right:5px;">
{| class="wikitable" style="font-size:85%; line-height:100%; text-align:center"
{| class="wikitable" style="font-size:85%; line-height:100%; text-align:center"
|-
|+PS2 Emulators Config Commands Overview
! rowspan="2" | Command Name !! rowspan="36" style="padding:0px" |  || colspan="3" | Command ID !! rowspan="36" style="padding:0px" |  || rowspan="2" style="padding:1px" | Max<br>Usage !! rowspan="36" style="padding:0px" |  || colspan="4" | Command Data
! rowspan="2" | Command Name !! colspan="3" | Command ID !! rowspan="2" style="padding:1px" | Max<br>Usage !! colspan="4" | Command Data
|-
|-
! style="padding:1px" | gxemu !! style="padding:1px" | softemu !! style="padding:1px" | netemu !! Length !! colspan="3" | Params
! style="padding:1px" | gxemu !! style="padding:1px" | softemu !! style="padding:1px" | netemu !! Length !! colspan="3" | Params
Line 1,418: Line 1,491:
| 0x00 || 0x00 || 0x01
| 0x00 || 0x00 || 0x01
| 3 ? || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 3 ? || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#555|#fff|center}} offset || {{cellcolors|#555|#fff|center}} functionid
| {{cellcolors|#555|#fff|center}} offset || colspan="2" {{cellcolors|#555|#fff|center}} functionid
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x01 || 0x01 || 0x02
| 0x01 || 0x01 || 0x02
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 1000=?<br>3000=?<br>6000=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
Line 1,433: Line 1,506:
| 0x03 || 0x03 || 0x04
| 0x03 || 0x03 || 0x04
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 8=?<br>0x10=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#bd5|#000}} Set DIRECT/DIRECTHL VIF1 in SP3 EEDMA
! {{cellcolors|#bd5|#000}} Set DIRECT/DIRECTHL VIF1 in SP3 EEDMA
| 0x04 || 0x04 || {{cellcolors|#eee|#b44|center}} 0x05
| 0x04 || 0x04 || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x05</abbr>
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
Line 1,473: Line 1,546:
| 0x0A || 0x0A || 0x0C
| 0x0A || 0x0A || 0x0C
| 1 || style="text-align:left" | 2&nbsp;*&nbsp;uint16_t
| 1 || style="text-align:left" | 2&nbsp;*&nbsp;uint16_t
| 0=?<br>1=?<br>2=? || colspan="2" | 0=?<br>0x180=?<br>0x400=?<br>0x800=?
| <abbr title="0=?, 1=?, 2=?">unk_mode</abbr> || colspan="2" | <abbr title="min 0x0, max 0xFFFF">unk_range</abbr>
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x0B || 0x0B || 0x0D
| 0x0B || 0x0B || 0x0D
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 0=?<br>1=?(default?)
| colspan="3" | <abbr title="0=skip, 1=don't skip (default)">skip</abbr>
|-
|-
! {{cellcolors|#f93|#000}} COP2 and FPU accurate ADD/SUB address
! {{cellcolors|#f93|#000}} COP2 and FPU accurate ADD/SUB address
Line 1,488: Line 1,561:
| 0x0D || 0x0D || 0x0F
| 0x0D || 0x0D || 0x0F
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr>
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start&nbsp;offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end&nbsp;offset</abbr>
|-
|-
! {{cellcolors|#f93|#000}} COP2 accurate MUL/DIV range
! {{cellcolors|#f93|#000}} COP2 accurate MUL/DIV range
| 0x0E || 0x0E || 0x10
| 0x0E || 0x0E || 0x10
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr>
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start&nbsp;offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end&nbsp;offset</abbr>
|-
|-
! {{cellcolors|#f93|#000}} VU0 accurate ADD/SUB address
! {{cellcolors|#f93|#000}} VU0 accurate ADD/SUB address
Line 1,518: Line 1,591:
| 0x13 || 0x13 || 0x15
| 0x13 || 0x13 || 0x15
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 2=?<br>4=?<br>0x14=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#fff|#000}} Unknown
! {{cellcolors|#fff|#000}} Unknown
| 0x14? || 0x14? || {{cellcolors|#eee|#b44|center}} 0x16
| 0x14? || 0x14? || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x16</abbr>
| ? || style="text-align:left" | ?
| ? || style="text-align:left" | ?
| colspan="3" | ?
| colspan="3" | ?
Line 1,531: Line 1,604:
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
| 0x16 || 0x16 || {{cellcolors|#eee|#b44|center}} 0x18
| 0x16 || 0x16 || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x18</abbr>
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
Line 1,563: Line 1,636:
| 0x1B || {{NA}} || 0x1E
| 0x1B || {{NA}} || 0x1E
| 1 || style="text-align:left" | uint8_t
| 1 || style="text-align:left" | uint8_t
| colspan="3" | 3=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x1C || 0x1C || 0x1F
| 0x1C || 0x1C || 0x1F
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 200=?<br>1000=?(default)
| colspan="3" | ?
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x1D || 0x1D || 0x20
| 0x1D || 0x1D || 0x20
| 1 || style="text-align:left" | uint64_t
| 1 || style="text-align:left" | uint64_t
| colspan="3" | 10=?<br>60=?(default)<br>100=?<br>120=?<br>200=?<br>240=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x1E || 0x1E || 0x21
| 0x1E || 0x1E || 0x21
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 0=?<br>1=?<br>2=?
| colspan="3" | ?
|}
</div>
</div>
<div style="float:right; width:50%;">
<div style="float:left; padding-left:5px;">
{| class="wikitable" style="font-size:85%; line-height:100%; text-align:center"
|-
! rowspan="2" | Command Name !! rowspan="39" style="padding:0px" |  || colspan="3" | Command ID !! rowspan="39" style="padding:0px" |  || rowspan="2" style="padding:1px" | Max<br>Usage !! rowspan="39" style="padding:0px" |  || colspan="4" | Command Data
|-
! style="padding:1px" | gxemu !! style="padding:1px" | softemu !! style="padding:1px" | netemu !! Length !! colspan="3" | Params
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
Line 1,603: Line 1,666:
| 0x20 || 0x21 || 0x24
| 0x20 || 0x21 || 0x24
| 1 || style="text-align:left" | uint64_t
| 1 || style="text-align:left" | uint64_t
| colspan="3" | 12000=?<br>48000=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
| 0x21 || 0x22 || {{cellcolors|#eee|#b44|center}} 0x25
| 0x21 || 0x22 || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x25</abbr>
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
Line 1,613: Line 1,676:
| 0x22 || 0x23 || 0x26
| 0x22 || 0x23 || 0x26
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr>
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start&nbsp;offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end&nbsp;offset</abbr>
|-
|-
! {{cellcolors|#f93|#000}} COP2 accurate ADD/SUB range
! {{cellcolors|#f93|#000}} COP2 accurate ADD/SUB range
| 0x23 || 0x24 || 0x27
| 0x23 || 0x24 || 0x27
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 32 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end offset</abbr>
| {{cellcolors|#f93|#000|center}} <abbr title="min 0x100000">start&nbsp;offset</abbr> || colspan="2" {{cellcolors|#f93|#000|center}} <abbr title="max 0x1FFFFFFF">end&nbsp;offset</abbr>
|-
|-
! {{cellcolors|#aaf|#000}} Set something <abbr title="PS2 MECHACON related">(CDVD)</abbr>
! {{cellcolors|#aaf|#000}} Set something <abbr title="PS2 MECHACON related">(CDVD)</abbr>
| 0x24? || 0x25? || 0x28
| 0x24 || 0x25? || 0x28
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 0=?<br>1=?<br>2=?<br>3=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#aaf|#000}} CDVD read/seek timings ?
! {{cellcolors|#aaf|#000}} CDVD read/seek timings ?
| 0x25? || 0x26? || 0x29
| 0x25 || 0x26? || 0x29
| 1 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| 1 || style="text-align:left" | 2&nbsp;*&nbsp;uint32_t
| ? || colspan="2" | ?
| ? || colspan="2" | ?
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
| 0x26? || 0x27 || 0x2A
| 0x26 || 0x27 || 0x2A
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
Line 1,643: Line 1,706:
| 0x28 || 0x29 || 0x2C
| 0x28 || 0x29 || 0x2C
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 1=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#fff|#000}} Switch something
! {{cellcolors|#fff|#000}} Switch something
| 0x29? || 0x2A || {{cellcolors|#eee|#b44|center}} 0x2D
| 0x29? || 0x2A || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x2D</abbr>
| 1 || style="text-align:left" | 0
| 1 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
Line 1,653: Line 1,716:
| 0x2A || 0x2B || 0x2E
| 0x2A || 0x2B || 0x2E
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 0x172=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#fff|#000}} Set something
! {{cellcolors|#fff|#000}} Set something
| 0x2B || {{NA}} || 0x2F
| 0x2B || {{NA}} || 0x2F
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 1=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#eee|#b44|left}} Reserved
! {{cellcolors|#eee|#b44|left}} Reserved
| {{cellcolors|#eee|#b44|center}} N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A || {{cellcolors|#eee|#b44|center}} N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A || {{cellcolors|#eee|#b44|center}} 0x30<br>0x31<br>0x32<br>0x33<br>0x34
| {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A</abbr> || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A</abbr> || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x30<br>0x31<br>0x32<br>0x33<br>0x34</abbr>
| 0 || style="text-align:left" | 0
| 0 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
Line 1,671: Line 1,734:
|-
|-
! {{cellcolors|#eee|#b44|left}} Reserved
! {{cellcolors|#eee|#b44|left}} Reserved
| {{cellcolors|#eee|#b44|center}} N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A || {{cellcolors|#eee|#b44|center}} N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A || {{cellcolors|#eee|#b44|center}} 0x36<br>0x37<br>0x38<br>0x39<br>0x3A<br>0x3B<br>0x3C
| {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A</abbr> || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A<br>N&thinsp;/&thinsp;A</abbr> || {{cellcolors|#eee|#b44|center}} <abbr style="cursor:help; text-decoration:none" title="Not Available">0x36<br>0x37<br>0x38<br>0x39<br>0x3A<br>0x3B<br>0x3C</abbr>
| 0 || style="text-align:left" | 0
| 0 || style="text-align:left" | 0
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
Line 1,708: Line 1,771:
| {{NA}} || {{NA}} || 0x43
| {{NA}} || {{NA}} || 0x43
| 1 || style="text-align:left" | uint32_t
| 1 || style="text-align:left" | uint32_t
| colspan="3" | 0=?(default)<br>1=?
| colspan="3" | ?
|-
|-
! {{cellcolors|#fcc|#000}} Disable smoothing filter
! {{cellcolors|#fcc|#000}} Disable smoothing filter
Line 1,775: Line 1,838:
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
| colspan="3" {{cellcolors|#ddd|#666|center}} ''Nothing''
|}
|}
</div>
 
</div>
<!-- We need to find a better way to organize the commands info below, right now all the info is "constricted" inside the same table but is better to take them out of the table to have more freedon when adding comments, etc... Are a lot so by now i prefer to dont make page sections for every command. Im going to try something that visually looks like page sections but are not (so are not going to be displayed in the TOC at top of the page). With this change we are moving forward because the command info is not going to be inside the same table anymore, im going to split them but the visual look and other details are not going to be definitive because later can be converted into page sections if someone insists in it -->
</div>
<br style="clear: both;" />




<!-- We need to find a better way to organize the commands info below, right now all the info is "constricted" inside the same table but is better to take them out of the table to have more freedon when adding comments, etc... Are a lot so by now i prefer to dont make page sections for every command. Im going to try something that visually looks like page sections but are not (so are not going to be displayed in the TOC at top of the page). With this change we are moving forward because the command info is not going to be inside the same table anymore, im going to split them but the visual look and other details are not going to be definitive because later can be converted into page sections if someone insists in it -->
{{Boxcomm|id=0x00|name=Title ID Enforce / Multidisc config|data=1x String in format: ABCD-12345}}
Restricts the CONFIG to be used only by a specific [[Template:TITLE_ID_for_Physical_Media|Title ID]]
The presence of this command in the CONFIG is optional. If present it needs to be located always at the last position in the CONFIG. When bytes are present after Title ID, emulator read them to setup multidisc info.
Multidisc info bytes:
First byte:  Unknown, seems to be unused. 00 in known configs (Grandia 3).
Second byte: Discs count (0-9), when 0 or 1 emulator don't enable multidisc mode.
Third byte:  Which disc in set is this one (0-8 for discs 1-9)
Fourth byte: That one is optional, but very important. When set to 1,
              disc swap menu will be in "Reset game" menu and disc change will trigger reset (default behavior).
              But when this byte is set to 0, new option in main emu menu called "Switch Discs" will appear. Emulator change disc without reset.
              Keep in mind we don't know how accurate swap emulation is here, games are picky for some details.
              Every iso bin enc in set need to have proper data in separate config.
              Disc 1: ISO.BIN.ENC --> CONFIG --> 00 02 00 00,
              00000000  3D 00 00 00 A8 3E 00 00 00 00 00 00 53 4C 55 53  =...¨>......SLUS
              00000010  2D 32 31 33 33 34 00 02 00                      -21334...
              Disc 2: ISO.BIN.ENC2--> CONFIG2--> 00 02 01 00, etc.
              00000000  3D 00 00 00 A8 3E 00 00 00 00 00 00 53 4C 55 53  =...¨>......SLUS
              00000010  2D 32 31 33 34 35 00 02 01                      -21345...


              Grandia 3 DISC.IDX, content:
              00000000  00 00                                            ..


{{Boxcomm|id=0x00|name=Title ID Enforce|data=1x String in format: ABCD-12345}}
Restricts the CONFIG to be used only by a specific [[Template:TITLE_ID_for_Physical_Media|Title ID]]<br>
The presence of this command in the CONFIG is optional. If present it needs to be located always at the last position in the CONFIG


{{Boxcomm|id=0x01|name=EE_ADD_HOOK|data=2x uint32_t Params (addr, func_id 0-0x3B)}}
{{Boxcomm|id=0x01|name=EE_ADD_HOOK|data=2x uint32_t Params (addr, func_id 0-0x3B)}}
Line 1,792: Line 1,870:
The Maximum Amount of times netemu command 0x01 can be used consecutivelly in the same config is 255. This is actually limit for EE hooks at all, 0x01 don't have own limit.
The Maximum Amount of times netemu command 0x01 can be used consecutivelly in the same config is 255. This is actually limit for EE hooks at all, 0x01 don't have own limit.


<div style="overflow-x:auto">
{| class="wikitable" style="width:100%; font-size:0.9em; line-height:90%"
{| class="wikitable" style="width:100%; font-size:0.9em; line-height:90%"
|-
|-
!Function ID!! Notes
!Function ID!! Notes
|-
|-
|0x00||  
|0x00|| FIFA 2000 use it as hook for EE kernel at 0x800017E8 (DMAC related). Command backup value from r5900 s0 register.
|-
|-
|0x01|| FIFA 2000 use it as hook for EE kernel at 0x80001858 (DMAC related).  
|0x01|| FIFA 2000 use it as hook for EE kernel at 0x80001858 (DMAC related). Command restore previously backed up value to r5900 s0 register.
|-
|-
|0x02||  
|0x02||  
Line 1,809: Line 1,888:
|-
|-
|0x04|| Castle Shikigami II
|0x04|| Castle Shikigami II
  store 0 on 0x94A290 (EMU Memory)
  Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes. Same as 0x03 command, but applied of selected ee offset.
This is probably command from times when 0x03 was non existing, and while it apply on selected ee offset, command never recover default IXIN/IHIN handling.
Note: There is leftover in emulator from command that reenable default behavior, but is unused now, and is not accessible by current config commands.
|-
|-
|0x05|| Star Wars games developed by Pandemic Studios (freeze fix), Worms 3D and NBA 08.
|0x05|| Force events test if D2_CHCR & 0x100 is true (if GIF dma is running). For more info check _cpuEventTest_Shared from pcsx2. Star Wars games developed by Pandemic Studios (freeze fix), Worms 3D and NBA 08.
|-
|-
|0x06||  
|0x06|| Force events test if D1_CHCR & 0x100 is true (if VIF1 dma is running). For more info check _cpuEventTest_Shared from pcsx2.
|-
|-
|0x07||  
|0x07||  
|-
|-
|0x08|| Harry Potter - Quidditch World Cup US use it at offset 0x2BD45C (EE)
|0x08|| Backup current unmodified COP0 status register state. Then disable EI bit, and notify emu that cmd 0x09 could be run. Harry Potter - Quidditch World Cup US use it at offset 0x2BD45C (EE)
|-
|-
|0x09|| Harry Potter - Quidditch World Cup US use it at offset 0x2BD620 (EE)
|0x09|| Restore COP0 status register state from previously created backup. Harry Potter - Quidditch World Cup US use it at offset 0x2BD620 (EE)
|-
|-
|0x0A||  
|0x0A|| Fix for TriAce executable unpack function.
Games unpack data using VU0 microruntime (not COP2). Because unpack involve floating points operations result can be inaccurate. And it is,
exactly by 1 byte. Config add 1 to result of unpacked data. This can be confirmed also on pcsx2 with turned off TriAce hack, example for Radiata Stories US release.
Set breakpoint on 0x124D90, and then when it's hit, add 1 to lower 64 bits of vf03 reg (in vu0f tab) and hit run.
Game now work as it should. On PS3 this probably can be fixed also by 0x11 command, but since they had hook already done before 0x11 was a thing, it stayed as is.
|-
|-
|0x0B||  
|0x0B|| Set lower 64 bits of mips $at register to 0
|-
|-
|0x0C|| Piglet's Big Game
|0x0C|| Piglet's Big Game
Line 1,829: Line 1,914:
|0x0D|| usleep(100)
|0x0D|| usleep(100)
|-
|-
|0x0E|| Used 3 times in Need for Speed - Carbon [Collector's Edition] US
|0x0E|| Used 3 times in Need for Speed - Carbon [Collector's Edition] US.
Used in place where game load code overlays, and in place where game self modify code.
Config run the same function which is run when PS2 syscall 7 (ExecPS2) hook is triggered (0x1831A8 in latest emu memory).
Only difference is that 0x42 overlay is not reloaded, and check for "cdrom0" string is not performed.
Command could be potentially useful for games that like to change own code. Eg. Load "bin" files with code (HSG/HST), or modify own code by direct writes to memory (NFS Carbon CE...)
|-
|-
|0x0F||  
|0x0F||
Grand Theft Auto 3 (SLUS-20062)
Grand Theft Auto 3 (SLUS-20062)
  using 0x348B40, 0x18E1F0, 0x348EC8 ( + 200000000 base )
  using 0x348B40, 0x18E1F0, 0x348EC8 ( + 200000000 base )
Line 1,838: Line 1,927:
  0x348EC8 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))  
  0x348EC8 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))  
|-
|-
|0x10||  
|0x10||
Grand Theft Auto 3 (SLES-50330), uses 0x349790, 0x10 (somewhat floats related)
Grand Theft Auto 3 (SLES-50330)
  using 0x349790, 0x18E1F0, 0x349B18 ( + 200000000 base )  
  using 0x349790, 0x18E1F0, 0x349B18 ( + 200000000 base )  
  0x349790 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))  
  0x349790 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))  
Line 1,845: Line 1,934:
  0x349B18 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))  
  0x349B18 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))  
|-
|-
|0x11||  
|0x11||
Grand Theft Auto 3 (SLES-50793)
Grand Theft Auto 3 (SLES-50793)
  using 0x3495C0, 0x18E1F0, 0x349948 ( + 200000000 base )
  using 0x3495C0, 0x18E1F0, 0x349948 ( + 200000000 base )
Line 1,853: Line 1,942:
|-
|-
|0x12|| Disney/Pixar Finding Nemo (fixes the pause menu freeze)
|0x12|| Disney/Pixar Finding Nemo (fixes the pause menu freeze)
  if condition met...
  if COP0 status EI and EXL bits are 0, and other condition related to DMAC is met...
  store 0 in [ 0x204FC500 + 200000000 base] 0x4FC500 EE memory
  store 0 in [ 0x204FC500 + 200000000 base] 0x4FC500 EE memory, and set lower 64 bits of mips $s0 register to 0.
|-
|-
|0x13|| Snowblind Engine specific fix. Applies to the beginning of function called initLump. Config is responsible for grabbing data from one of registers for use in 0x14/0x15 hooks. Mentioned data is EE memory offset, if data from 0x13 is 0, 0x14/0x15 don't apply.   
|0x13|| Snowblind Engine specific fix. Applies to the beginning of function called initLump. Config is responsible for grabbing data from one of registers for use in 0x14/0x15 hooks. Mentioned data is EE memory offset, if data from 0x13 is 0, 0x14/0x15 don't apply.   
Line 1,866: Line 1,955:
  store 0x010C9E40 in [ 0x208EAB6C + 200000000 base]
  store 0x010C9E40 in [ 0x208EAB6C + 200000000 base]
|-
|-
|0x17||  
|0x17|| NFS HP2 fpu rounding fix.
  condition r18 == 0x8000
  Check if a0 == 0x8000 (32768), apply config if true. Config is little bit more complicated than it should, emu flush all fpu regs to memory just to modify one field in altivec vector register.
  setting:
  When condition is met ps2 cop1 f08 register is modified from 0x40490FDB to 0x40490FDA, this result in next operations to end up as negative 0.0 (0x80000000) instead of just 0.0 (0x00000000).
  stores 0x40490FDA somewhere
Seems to trigger when loading of stage or loading of attract mode is close to finish or done.
Note: 0x40490FDA (3.14159250) is the highest float approximation to π in hexadecimal without going over the value.<br />
Probably can improve FPU accuracy for some games.
|-
|-
|0x18|| Okami PAL specific hook.  
|0x18|| Okami PAL specific hook.  
Line 1,889: Line 1,976:
  Whole thing looks like HLE version of noped functions.
  Whole thing looks like HLE version of noped functions.
|-
|-
|0x19||  
|0x19|| Burnout 2
Copy lower 64 bits of $v0 r5900 register to lower 64 bits of $a1 r5900 register.
All that to make next opcode (hook address + 4) "beq $a1, $v0, addr" always true. Because $a1 and $v0 now have the same value.
This in turn skip CTimer::GetTimeSeconds((void)) in function CReplay::NextFrame((CDrivingControls *)). Worth to note that CReplay::NextFrame seems to be not related to replay per se, but to car physics.
|-
|-
|0x1A||  
|0x1A||
  store 0 in [ 0x209FD560 + 200000000 base]
  store 0 in [ 0x209FD560 + 200000000 base]
  store 0 in [ 0x209F9550 + 200000000 base]
  store 0 in [ 0x209F9550 + 200000000 base]
Line 1,948: Line 2,038:
|-
|-
|0x2B||  
|0x2B||  
if ($a1 & 0xF0000000 != 0) a1 = 0
|-
|-
|0x2C|| Shin Onimusha - Dawn of Dreams Fix ingame IPU runtime - JPN/US release [https://github.com/PCSX2/pcsx2/issues/1141 bug]
|0x2C|| Shin Onimusha - Dawn of Dreams Fix IPU DMA JPN((PlayStation 2 the Best)/US release.
|-
|-
|0x2D|| Shin Onimusha - Dawn of Dreams Fix ingame IPU runtime - PAL release [https://github.com/PCSX2/pcsx2/issues/1141 bug]
|0x2D|| Shin Onimusha - Dawn of Dreams Fix IPU DMA PAL release.
|-
|-
|0x2E|| Shin Onimusha - Dawn of Dreams Fix ingame IPU runtime - Unk release (SCKA-20086? SLPM-66275? Why it is unused? Why non PS2 Best JPN release is missing hook?)
|0x2E|| Shin Onimusha - Dawn of Dreams Fix IPU DMA Unk release. Code from emu match SLPM-66275 release. Why it is unused? Hook address will be 0x3BB4EC.
|-
|-
|0x2F||
|0x2F||
  condition [ 0x37B0C4 + 200000000 base ] == 0 -> 00 10 0B 98
  if value at EE Mem 0x37B0C4 == 0, set mips pc register (program counter) to 0x100B98
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|-
|0x30||
|0x30||
  condition [ 0x37B704 + 200000000 base ] == 0 -> 00 10 0B 98
  if value at EE Mem 0x37B704 == 0, set mips pc register (program counter) to 0x100B98
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|-
|0x31||
|0x31||
  condition [ 0x37630C + 200000000 base ] == 0 -> 00 10 0B A8
  if value at EE Mem 0x37630C == 0, set mips pc register (program counter) to 0x100BA8
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|-
|0x32||
|0x32||
  condition [ 0x37BB0C + 200000000 base ] == 0 -> 00 10 0B A8
  if value at EE Mem 0x37BB0C == 0, set mips pc register (program counter) to 0x100BA8.
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|-
|0x33||  
|0x33||  
Line 1,979: Line 2,074:
|0x38||
|0x38||
|-
|-
|0x39|| Used silently in command 0x4B with first param from 0x4B as hook address.
|0x39|| Used silently in command 0x4B with first param from 0x4B as hook address. Hook seems to be unusable without 0x4B command, because there is no way to setup redirect mode and ID without 0x4B.
|-
|-
|0x3A|| Used silently in command 0x4C with first param from 0x4C as hook address.
|0x3A|| Used silently in command 0x4C with first param from 0x4C as hook address. Hook seems to be unusable without 0x4C command, because there is no way to setup mode and ID without 0x4C.
|-
|-
|0x3B|| Grand Theft Auto 3 (JP/AS) ? using 0x351210, 0x18F590, 0x351568 ( + 200000000 base )
|0x3B|| Grand Theft Auto 3 (SLPM-55293 "Rockstar Classics")
using 0x351210, 0x18F590, 0x351568 ( + 200000000 base )
0x351210 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
0x18F590 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x351568 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))  
|}
|}
</div>


{{Boxcomm|id=0x02|name=Unknown|data=1x int32}}
{{Boxcomm|id=0x02|name=Unknown|data=1x int32}}
Line 1,994: Line 2,094:


{{Boxcomm|id=0x03|name=Unknown|data=N/A}}
{{Boxcomm|id=0x03|name=Unknown|data=N/A}}
Sets something 0
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.


{{Boxcomm|id=0x04|name=Unknown|data=1x uint32_t index (i*0x80, special 0x12345: 0x91a280?)}}  
{{Boxcomm|id=0x04|name=Unknown|data=1x uint32_t index (i*0x80, special 0x12345: 0x91a280?)}}  
Line 2,020: Line 2,120:
**1 [Dark Cloud] and [Dead Or Alive 2 Hardcore]
**1 [Dark Cloud] and [Dead Or Alive 2 Hardcore]


{{Boxcomm|id=0x0A|name=EE_INSN_REPLACE32|data=uint32_t count, <List> (offset, original opcode, replace opcode)}}
{{Boxcomm|id=0x0A|name=EE_INSN_REPLACE32|data=uint32_t count, <List> (<nowiki>mode | offset</nowiki>, original opcode, replace opcode)}}
Command present only in the ps2_netemu. Maximum List Count: 32
Command present only in the ps2_netemu. Maximum List Count: 32. Mode is first 4 bits of address field (Xyyyyyyy), can be either 0, 1, or 2. All known examples use this command in 0 mode, and modes 1 and 2 are here just for documentation purposes.
*Valid values found
 
**1 [Deadly Strike]
*mode 0 - Replace 32 bit of EE memory. Params are EE offset, original opcode, replace opcode.
**2 [Dragon Force]
*mode 1 - Write jr ra, li v0, xxxx to selected memory range. Params are EE memory start address, original opcode, u16 counter, u16 value for li, v0 xxxx
*mode 2 - NOP memory at selected range. Params: start address, end address, unused (can be anything, but is required to align config).
Problem: Original opcode validity check is performed before testing config for special cases. Thus making mode 2 almost inaccessible.<br>
Solution: We can patch that one line of code by the same 0x0A config. So if we want to nop region from 0x100000 to 0x100080, first we need to patch 0x100000 to 0x100080 opcode. So check will pass, "simple" as that.


{{Boxcomm|id=0x0B|name=MECHA_SET_PATCH|data=1x uint32_t count, <List> {sector id, offset, sizeof present opcodes, replace opcodes, original opcodes)}}
{{Boxcomm|id=0x0B|name=MECHA_SET_PATCH|data=1x uint32_t count, <List> {sector id, offset, sizeof present opcodes, replace opcodes, original opcodes)}}
Line 2,051: Line 2,154:


{{Boxcomm|id=0x0C|name=Unknown|data=1x (uint16_t, uint16_t)}}
{{Boxcomm|id=0x0C|name=Unknown|data=1x (uint16_t, uint16_t)}}
0/1/2,<0x63>
First param can be 0, 1, or 2. Second param in range of 0 and 0xFFFF. Second param is used only if first param == 1. Default values are (1, 0x1000) for PS2DVD, and (1, 0x400) for PS2CD and PS2CDDA.<br>
Other valid values for the second param (found in oficial configs ?): 0x180, 0x800


{{Boxcomm|id=0x0D|name=Unknown|data=1x int32}}
{{Boxcomm|id=0x0D|name=Unknown|data=1x int32}}
True/false. Default = 1
True/false. Default = 1
  0 = Skip some IOP related code responsible for check value from IOP SPE LS 0x2C0C0 (and skip panic if value is 0 or -1).
  0 = Skip some IOP related code responsible for check value from IOP SPE LS 0x2C0C0 (and skip panic if value is 0 or -1).
  Also skip write of 0x80000000 to unknown place related to IOP memory (to 0x4005400C).
  Also skip write of value 0x80000000 to SPU Signal Notification 1 Register of IOP SPE.


{{Boxcomm|id=0x0E|name=Improves ADD/SUB accuracy|data=1x int32}}
{{Boxcomm|id=0x0E|name=Improves ADD/SUB accuracy|data=1x int32}}
Line 2,087: Line 2,191:
  because at some point they are used to "andc" with first 4 bytes.
  because at some point they are used to "andc" with first 4 bytes.
  Some examples for first 4 bytes:
  Some examples for first 4 bytes:
  0x100000  = Different code path for VU0 opcodes that do ADD/SUB with multiply (MSUB, MADDA, etc.).  
0x1000    = Run additional flag related code after every FMAC operation, VU0 only, COP2 do this by default.
  0x200000  = Run some additional code in VU0 load/store opcodes (ILW, LQI, ISWR, etc.)
0x2000    = Emit some additional code when lower opcode is fsset, this flag require 0x1000 to be enabled. VU0 only.
  0x100000  = When enabled opcodes like MSUB, MADDA, etc, do proper multiply first, then add/sub. When disabled (default) single opcode is used (vmaddfp / vmmsubfp). Not used in COP2 mode.
              Note: When this command is disabled, then "Accurate MUL" is skipped for MADDxx/MSUBxx regardless that 0x30000000 is set or not.
              Because there is no way to do correct MUL separately when altivec madd/msub is used.
  0x200000  = Run some additional code in VU0 load/store opcodes (ILW, LQI, ISWR, etc.) Not used in COP2 mode.
  0x400000  = Skip emu syscall 3 (3)
  0x400000  = Skip emu syscall 3 (3)
  0x800000  = Skip emu syscall 3 (4)
  0x800000  = Skip emu syscall 3 (4)
  0x4000000  = This flag ensure that type 2 config from cmd 0x12 will run. Otherwise it seems to be skipped.  
  0x4000000  = Enable type 2 config from cmd 0x12.
  0x8000000  = Run some additional code for VU0 DIV opcode
  0x8000000  = Accurate VU0 DIV opcode, not used in COP2 mode.
  0x30000000 = Different code path for VU0 MUL opcodes, include opcodes like MSUB for mul part. So 0x30100000 work for mul, and sub part.  
  0x10000000 = Fast Accurate VU0 MUL. Try to round mantissa. Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them. Not used in COP2 mode.
  0x10000000 and 0x20000000 also work for that purpose, emu just check for any active bits after applying 0x30000000 mask.
0x20000000 = Full Accurate VU0 MUL. Use runtime from CMD 0x10, but for every matching VU0 opcode, including opcodes like MSUB for mul part.
              Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them.
   
Selecting both 0x10000000 and 0x20000000 (0x30000000) work the same way as 0x20000000.
  Keep in mind that you still need to use at least 8 bytes for cmd 0x12, just use 00 for bytes 5,6,7,8.  
  Keep in mind that you still need to use at least 8 bytes for cmd 0x12, just use 00 for bytes 5,6,7,8.  
  Later bits are dependent on which subcommand we want to run.
  Later bits are dependent on which subcommand we want to run.
Line 2,113: Line 2,224:


{{Boxcomm|id=0x15|name=Unknown|data=1 Param ( <1, >1 )}}
{{Boxcomm|id=0x15|name=Unknown|data=1 Param ( <1, >1 )}}
Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A2C0 - 0x3A6C0 and patch them to bi r127. This command take partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior.
Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A2C0 - 0x3A6C0 and patch first branch that match to "bi r127". That weird approach was probably used because spe program differ little bit between emu versions, so they don't need to update command on every new emu revision. Currently (4.75+) this command patch branch at address 0x3A3A4 (bra sub_2E600). This command takes partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior.
  [Aeon Flux] uses 2 (gxemu config)
  [Aeon Flux] uses 2 (gxemu config)
  [Bloodrayne 2] uses 4
  [Bloodrayne 2] uses 4
Line 2,176: Line 2,287:
{{Boxcomm|id=0x1F|name=Unknown|data=1x uint32_t}}
{{Boxcomm|id=0x1F|name=Unknown|data=1x uint32_t}}
Default 1
Default 1
  Config value is added to another value, and stored later in negmem. For sure this is VIF0 related command, and can be VIF0 timing/cycle related.
  Make VIF0 commands MSCAL/MSCALF/MSCNT/MPG/FLUSHE non instant. By default every VIF0 command take 1 cycle, so it's instant.
This config give vif0 some timing sense.
When delta from config passed and vpustat vu0 bits are non 0 (so practically if vif0 is still running),
add 500 cycles and go on until next event test before doing anything on vif0.
This can also be used to ensure that next vif0 command won't run until delta from config passed.
Value from config is added to current r5900 cycles and vif0 will do nothing unless current cycles match new value.
*Valid values found: 200d, 1000d


{{Boxcomm|id=0x20|name=Unknown|data=1x uint64_t}}
{{Boxcomm|id=0x20|name=Unknown|data=1x uint64_t}}
Line 2,183: Line 2,300:
  Is worth to note that 0x3C is default multiplier even for PAL titles, so is not stricly related to framerate,
  Is worth to note that 0x3C is default multiplier even for PAL titles, so is not stricly related to framerate,
  but to vsync counters (where 0x3C is still wrong anyway..). Result of multiply is also compared at some point to vsync delay value.  
  but to vsync counters (where 0x3C is still wrong anyway..). Result of multiply is also compared at some point to vsync delay value.  
*Valid values found: 10d, 60d, 100d, 120d, 200d, 240d


{{Boxcomm|id=0x21|name=Unknown|data=1x uint32_t}}
{{Boxcomm|id=0x21|name=Unknown|data=1x uint32_t}}
  0 = sets an option from 1 to 0 and another one to 0,
Option one default value = 1, when set to 0: r5900 CACHE opcode IXLTG store 0 in COP0 TagLo register. More than that recompiler skip function responsible for analyze and emitting costly iCache checks.
  1 = sets an option from 1 to 0 and another one to 1,
This drastically reduce emitted code size, and practically disable iCache emulation. Additionally CACHE IXIN/IHIN opcodes use different very long code path (this can be skipped with cmd 0x03).
  2 = sets an option from 1 to 1 and another one to 0
Option two default value = 0, when set to 1: Emit some kind of check for current r5900 PC with possible trap (tw opcode) at the end. 1 is valid only when option one is 0.
  0 = sets an option one to 0 and option two to 0
  1 = sets an option one to 0 and option two to 1
  2 = sets an option one to 1 and option two to 0 (default)
   [Fatal Frame II] uses 0
   [Fatal Frame II] uses 0
   [Grand Theft Auto Vice City] uses 1
   [Grand Theft Auto Vice City] uses 1
Line 2,201: Line 2,323:
{{Boxcomm|id=0x24|name=Unknown|data=1x uint64_t}}
{{Boxcomm|id=0x24|name=Unknown|data=1x uint64_t}}
SIO2 related
SIO2 related
*Valid values found: 12000d, 48000d
{{Boxcomm|id=0x25|name=N/A|data=N/A}}
{{Boxcomm|id=0x25|name=N/A|data=N/A}}
Command not available in ps2_netemu.self
Command not available in ps2_netemu.self
Line 2,225: Line 2,349:
{{Boxcomm|id=0x28|name=Unknown|data=1x uint32_t}}
{{Boxcomm|id=0x28|name=Unknown|data=1x uint32_t}}
<=3
<=3
*Valid values found: 0, 1, 2, 3


{{Boxcomm|id=0x29|name=Unknown|data=2x uint32_t}}
{{Boxcomm|id=0x29|name=Unknown|data=2x uint32_t}}
Seek/read time? Maybe seek/read delay? Full/fast seek? Default value is 0x1F40, 0xBB80 (8000, 48000)
Seek time modifier. Exact values meaning is unknown for now, they are used as multiplier. First param affect fast seek time, second param affect full seek time. Default value is 0x1F40, 0xBB80 (8000, 48000). Config affect only CDVD N Command Seek, read command that "SeekToSector" is not affected.


{{Boxcomm|id=0x2A|name=Unknown|data=N/A}}
{{Boxcomm|id=0x2A|name=Unknown|data=N/A}}
Line 2,247: Line 2,372:


{{Boxcomm|id=0x2E|name=Unknown|data=1x uint32_t}}
{{Boxcomm|id=0x2E|name=Unknown|data=1x uint32_t}}
*Valid values found: 0x172


{{Boxcomm|id=0x2F|name=Unknown|data=1x uint32_t}}
{{Boxcomm|id=0x2F|name=Unknown|data=1x uint32_t}}
Line 2,294: Line 2,420:


{{Boxcomm|id=0x3D|name=Config revision|data=1x uint32_t}}
{{Boxcomm|id=0x3D|name=Config revision|data=1x uint32_t}}
This command works as a restriction, the emulator loads the config contents '''only''' if the '''emulator revision''' is bigger than the '''config revision'''. See: [[PS2_Emulation#PS2 Emulator Types and Revisions|PS2 Emulator Types and Revisions]]<br>
Used by debug menu to print config revision. While every official and unofficial config use it, command is not mandatory. Debug menu will just print '''None''' as a config revision if command is missing. Official configs use this as a kind of debugging info to know minimal required emu revision.
The goal of this restriction is to prevent the emulator to load a config containing unsupported commands, as example netemu command 0x50 is only supported since netemu revision 17495 (shipped with PS3 firmware 4.78 or newer), otherway if you try to load a config with a revision higher than your netemu revision the contents of the config are going to be ignored (as example when trying to load a modern config using commands higher than 0x41 in a custom firmware 3.70)<br>
In general is better to use a low revision with this command to lower the restriction as most as posible (oldest netemu revision is 15686), but '''only''' if the commands inside the config are not higher than 0x41, for a reference when creating custom configs check the table below, those are the minimal '''config revisions''' required that depends of the config commands contents


{| class="wikitable" style="font-size:1em; line-height:1em"
{| class="wikitable" style="font-size:1em; line-height:1em"
Line 2,303: Line 2,427:
|-
|-
| Up to 0x41 || 15686 || 3.70 or newer
| Up to 0x41 || 15686 || 3.70 or newer
|-
| Unknown || 16040 || Unknown
|-
|-
| Up to 0x43 || 16604 || 4.20 or newer
| Up to 0x43 || 16604 || 4.20 or newer
Line 2,318: Line 2,444:
| Up to 0x50 || 17495 || 4.78 or newer
| Up to 0x50 || 17495 || 4.78 or newer
|}
|}
 
See: [[PS2_Emulation#PS2 Emulator Types and Revisions|PS2 Emulator Types and Revisions]]
*Problems:
**The [[PS2 Official Configs|official NET config]] for Gradius V (SLPM-62462) uses config revision = 17498 (is the highest value ever found in a official PS2 classic config), this value is higher than any retail ps2_netemu.self revision, and is breaking the logic of the [[Template:Ps2configrev]] (used to calculate the PS3 firmware version required by the config). So either... 1) the description of this command written above is not accurate enought, or 2) the config has been "faked" to an incorrect revision, or 3) the config is real but sony made a mistake with the revision and the emulator is not loading it


{{Boxcomm|id=0x3E|name=Unknown|data=N/A}}
{{Boxcomm|id=0x3E|name=Unknown|data=N/A}}
Line 2,327: Line 2,451:


{{Boxcomm|id=0x3F|name=Unknown|data=1x uint32_t}}
{{Boxcomm|id=0x3F|name=Unknown|data=1x uint32_t}}
Store value on 0x2B700 of SPE 0 (IOP) LS.
Store value on 0x2B700 of SPE 0 (IOP) LS. SIF1 DMA related.


{{Boxcomm|id=0x40|name=Unknown|data=N/A}}
{{Boxcomm|id=0x40|name=Unknown|data=N/A}}
Line 2,342: Line 2,466:


{{Boxcomm|id=0x42|name=EE Overlay patch|data=2 main Params + patch data: uint32_t address, uint32_t count, opcode,opcode,opcode...}}
{{Boxcomm|id=0x42|name=EE Overlay patch|data=2 main Params + patch data: uint32_t address, uint32_t count, opcode,opcode,opcode...}}
Applied on game start, if game overwrite selected part of memory, it will wipe 0x42 patch. See [[Special:Diff/67828/67858]]
Applied on game start (more precisely while executing ps2 bios syscall 7 ExecPS2), if game overwrite selected part of memory, it will wipe 0x42 patch. See [[Special:Diff/67828/67858]]
  Start address can be (in theory) anywhere, but Sony used the 0xFF000 - 0xFFFFC range for this purpose.
  Start address can be (in theory) anywhere, but Sony used the 0xFF000 - 0xFFFFC range for this purpose.
  Count is size of patch in 4 bytes opcodes. So 5 opcode patch = count 5.
  Count is size of patch in 4 bytes opcodes. So 5 opcode patch = count 5.
Line 2,405: Line 2,529:


{{Boxcomm|id=0x49|name=Unknown|data=N/A}}
{{Boxcomm|id=0x49|name=Unknown|data=N/A}}
Sets something 0xB,0,0
Skip part of code which use GS XYOFFSET_1 register, possibly ignore it at all. 
  Trapt
  Trapt


Line 2,416: Line 2,540:
  For proper config we need at least 2 (can be more if needed) 0x4B commands, one to enable redirect, one to disable.
  For proper config we need at least 2 (can be more if needed) 0x4B commands, one to enable redirect, one to disable.
  First param is EE memory offset that when is hit enable/disable redirection.
  First param is EE memory offset that when is hit enable/disable redirection.
  Second param is partially unknown, seems to be size of next param to read * 4 (3 in known configs), or 0xFFFFFFFF for disable redirect command.
  Second param is used to select which card will be redirected:
  0x00 do nothing
  0x01 for SCEVMC0.VME
  0x02 for SCEVMC1.VME
  0x03 for SCEVMC0.VME and SCEVMC1.VME
  0xFFFFFFFF to disable redirection, and use original VMEs.
  Third param is ID of SAVEDATA we want to use padded with 00 to match 12 bytes, or all 00 in disable redirect config.
  Third param is ID of SAVEDATA we want to use padded with 00 to match 12 bytes, or all 00 in disable redirect config.
  Important note here is that config have own 00 00 00 00 terminator at the end.  
  Important note here is that config have own 00 00 00 00 terminator at the end.  
  So after 12 bytes of ID we need to add 4 bytes of 00. That apply also to disable redirect version.
  So after 12 bytes of ID we need to add 4 bytes of 00. That apply also to disable redirect version.
Under the hood config also setup 0x01 hook commands with 0x39 subcommand on selected addresses.


{{Boxcomm|id=0x4C|name=Unknown|data=2x uint32_t + ID: offset, int, char[]}}
{{Boxcomm|id=0x4C|name=Unknown|data=2x uint32_t + ID: offset, int, char[]}}
Used to redirect to different ISO without game reset. First param is EE offset to hook, second param is ID size * 4. Emulator do some checks here, safe value is 3 (3 * 4 bytes), third value is ID in big endian hex ascii (eg. NPJD12345), additionally 0x4C expect own 00 00 00 00 terminator. To eventually end redirection use another 0x4C but with (offset, 0xFFFFFFFF, 4 * 0x00000000 . This config have very similar usage to 0x4B, just redirect to different iso, instead to different MC. Currently is unknown that cobra patched emulators support that config properly.
Used to redirect to different ISO without game reset. First param is EE offset to hook, second param is some kind of mode selector, depending on that
emulator later set mecha switch disc state:
  mode 0x01 = set disc switch state to 1 (on next mecha main loop it will emulate opening the tray).
  mode 0x02 = set disc switch state to 3.
  mode 0x03 = set disc switch state to 3. This state repeats because it work different way depending that emulated tray is closed or no.
  mode 0x04 = set disc switch state to 2.
  mode anything else = do nothing.
Third value is ID in big endian hex ascii (eg. NPJD12345), additionally 0x4C expect own 00 00 00 00 terminator. To eventually end redirection use  
another 0x4C but with (offset, 0xFFFFFFFF, 4 * 0x00000000 . This config have very similar usage to 0x4B, just redirect to different iso, instead to  
different MC. Currently is unknown that cobra patched emulators support that config properly, and swap disc thru 0x00 command seems to be easier.
This config don't work if 0x00 multidisc config is detected. Config under the hood setup 0x01 hooks with subcommand 0x3A


{{Boxcomm|id=0x4D|name=Unknown|data=1x uint32_t}}
{{Boxcomm|id=0x4D|name=Unknown|data=1x uint32_t}}
Param is MASK used in some conversion of Q value in RGBAQ writes. Default value 0.
Param is floating point value. Default value 0.
  tempQ = Q & 0x7FFFFFFF
  if Q in GS RGBAQ write is 0.0 or -0.0 then
  tempQ = tempQ & MASK
    Q = Q | value from config
Q = tempQ | unmasked Q
  else
 
    Q = Q
  Wild Arms: The Fifth Vanguard uses 0x3F800000
 
  Wild Arms: The Fifth Vanguard uses 0x3F800000 (1.0)


{{Boxcomm|id=0x4E|name=Unknown|data=Unknown}}
{{Boxcomm|id=0x4E|name=Unknown|data=Unknown}}
Line 2,518: Line 2,659:
! Bug !! Description !! Known Affected Games
! Bug !! Description !! Known Affected Games
|-
|-
| Missing Emotion Engine Data Cache emulation || Emulating that is literally not possible without making games run at 3 fps. Fixed by patches to game image, or EE code. Only known game that need Instruction Cache (not Data) seems to work fine, but this not necessarily mean that emu support I Cache emulation. Mentioned game is WRC4, and there are possible other bugs that allow it to run (not invalidating recompiler block). || Ice Age 2, DOA2: Extreme, Nascar 2009.
| Missing Emotion Engine Data Cache emulation || Emulating that is literally not possible without making games run at 3 fps. Fixed by patches to game image, or EE code. Instruction Cache (not Data) seems to be implemented, at least partially. || Ice Age 2, DOA2: Extreme, Nascar 2009.
|-
|-
| Branch delay slot violation not supported on EE || Some games have Branch instruction inside Branch delay slots, this is not emulated correctly on EE (VU have proper emulation of that). This is patched in configs by rearangging MIPS code. || WRC 3,4,Rally Evolved, one of Action Replay discs.   
| Branch delay slot violation not supported on EE || Some games have Branch instruction inside Branch delay slots, this is not emulated correctly on EE (VU have proper emulation of that). This is patched in configs by rearangging MIPS code. || WRC 3,4,Rally Evolved, one of Action Replay discs.   
|-
| Unmapped write only EE memory (confirmed only for SIF) || Reads/Writes to 0x2000000+ shouldn't throw bus error on dma transfers. Write should be performed as successful, memory should stay unchanged. Reads should return 0. || Games developed by In Utero, while creating initial save file, send DMA where address is EE stack pointer. At the time of transfer start $sp is too high, and requested transfer size make MADR overflow above 0x2000000 at some point. This is game bug, and happen also on real hardware. Fixed by config.
|-
|-
| VIF bugs || There is no correct timing, and queuing for some VIF commands like MSCAL. || Snowblind Engine games. Probably more.  
| VIF bugs || There is no correct timing, and queuing for some VIF commands like MSCAL. || Snowblind Engine games. Probably more.  
Line 2,528: Line 2,671:
| COP2 instructions are instant || Some games rely on fact that COP2 operations can take some time, on PS3 emulators they are done instantly due to lack of correctly emulated pipeline Patched by rearranging mips code || FFX, FFX-2, Ghost in The Shell SAC, Ace Combat series, Sprint Cars 1/2, Black, Run Like Hell, Everblue 2, Dragon Quest - Shounen Yangus no Fushigi na Daibouken, and many more
| COP2 instructions are instant || Some games rely on fact that COP2 operations can take some time, on PS3 emulators they are done instantly due to lack of correctly emulated pipeline Patched by rearranging mips code || FFX, FFX-2, Ghost in The Shell SAC, Ace Combat series, Sprint Cars 1/2, Black, Run Like Hell, Everblue 2, Dragon Quest - Shounen Yangus no Fushigi na Daibouken, and many more
|-
|-
| VU0 is not running in sync with EE core || Seems like old pcsx2 mVU approach is used where VU0 is running thousands of cycles ahead of EE. Partially resolved on emu using 0x12 command with 2/3 subcommands. || 24 The Game, ATV Quad Power Racing 2, Twisted Metal Head-On, Primal, Ghosthunter, Rayman Arena, Rayman 3, All games using M-bit.  
| VU0 is not running in sync with EE core || VU0 is running program "at once", which mean that VU0 run until it hits E bit. From EE perspective it looks like whole VU0 program run in 1 cycle. Games that expect VU0 registers to be changed from EE side while VU0 is running are broken due to that. Partially resolved using 0x12 command with 2/3 subcommands, or by code rearranging.|| 24 The Game, ATV Quad Power Racing 2, Twisted Metal Head-On, Primal, Ghosthunter, Rayman Arena, Rayman 3, Largo winch. All games using M-bit.
|-
| M-Bit not supported || Emulator ignore VU0 M-Bit, that cause issues for games that need it to work correctly. This is done because there is no way to sync correctly running VU0 without sync with EE. Partially resolved on emu using 0x12 command with 2/3 subcommands, or direct VU0/MIPS code rearranging. || Totally Spies! Totally Party, Mike Tyson Heavyweight Boxing, My Street, Crash Twinsanity, Marvel Nemesis, Panzer Elite Action - Fields of Glory, TriAce games (speed optimizations only), Super Monkey Ball Adventure, most Eko Software games, and many more.
|-
|-
| M-Bit not supported || Emulator ignore VU0 M-Bit, that cause issues for games that need it to work correctly. This is done because there is no way to sync correctly running VU0 without sync with EE. Partially resolved on emu using 0x12 command with 2/3 subcommands. || Totally Spies! Totally Party, Mike Tyson Heavyweight Boxing, My Street, Crash Twinsanity, Marvel Nemesis, Panzer Elite Action - Fields of Glory, TriAce games (speed optimizations only), Super Monkey Ball Adventure, most Eko Software games, and many more.
| T-Bit not supported on VU0 || Emulator ignore VU0 T-Bit, that cause issues for games that need it to work. Note: T-Bit is correctly handled for VU1. || Spiderman 3 set T-Bit, then do cfc2 from TPC (address where VU0 stopped). Since T-Bit is ignored, TPC is wrong. Value is later copied to CMSAR0, and program continue at wrong address. Well that's what should happen, but T-Bit also not signalize correct bit in VPU-STAT. Causing another issue, also in Spiderman 3.  
|-
|-
| Emulator Fail to save correct flag instances while ending VU0 program on Ebit || This cause few games to read bad flag status (not status flag!) on COP2. This is resolved on emu by forcing update of MAC flag on every STATUS flag read (by config 0x12), this cause slowdowns creating a lot of unnesessary operations. || Driving Emotion Type-S, State of Emergency 2, The Getaway Black Monday.
| Emulator do not update correct flag instances for COP2 while ending VU0 program on Ebit || This cause few games to read bad flag status (not status flag!) on COP2. This is resolved on emu by forcing update of MAC flag on every STATUS flag read (by config 0x12), this cause slowdowns creating a lot of unnecessary operations. || Driving Emotion Type-S, State of Emergency 2, The Getaway Black Monday.
|-
|-
| Not updated status flag when VDIV/VSQRT/VRSQRT is done on COP2 || Potential bad flag state can cause a lot of issues that are not related on first sight || Yanya Caballista (already patched by custom config)
| Not updated status flag when VDIV/VSQRT/VRSQRT is done on COP2 || Potential bad flag state can cause a lot of issues that are not related on first sight || Yanya Caballista (already patched by custom config)
|-
|-
| In corner cases emu select wrong block pipeline state while processing Flag VU opcodes. || This can cause various issues, mostly SPS, missing graphic, specific slowdowns, etc. For now it was only confirmed that FSAND opcode don't ask for exact pipeline state, but looking at assembly of other opcode this rather affect all of them. || Tales of Legendia, more..
| In corner cases emu select wrong block flags pipeline state (both VU0/EEonBE and VU1/VRC affected). || This can cause various issues, mostly SPS, missing graphic, specific slowdowns, etc. Issue seems to occur when branch/jump delay slot have opcode important for flags calculation. Theory is that cached microprogram don't include modified flags state from delay slot instruction. So when already recompiled program is fetched from pool, it will miss one cycle in fmac flags pipeline. This can be crucial in games that rely on it. || Tales of Legendia and Klonoa 2 set sticky flag bits to 0 and branch with sub.xyzw in delay slot (expecting that sub change status flag), Tamsoft engine games set sticky bits to 0 in branch delay slot, this was most ridiculous bug, because problematic branch was pointing to next opcode after delay slot, removing branch was enough. True Crime: NY is only known game where VU0 is affected by this bug. more..
|-
| CTC2 opcode write whole value to R register, while only 23 bits are writable. Rest is hardcoded to 0x3F800000. || Can cause many weird issues like broken physics, broken graphics. PCSX2 was also affected [[https://github.com/PCSX2/pcsx2/pull/6611 more]]. || The one game that is known to be affected, and is already patched, is Musashi: Samurai Legend.
|-
| CFC2 from R register should return only 23 lower bits. || CFC2 from R on real PS2 return only lower 23 bits. Originally found out by PCSX2 team  [[https://github.com/PCSX2/pcsx2/pull/8409 more]] and later confirmed to affect ps2_netemu in emu assembly. || There is only one game that is known to be affected, Onimusha Dawn of Dreams.
|-
| Missing floating point result overflow/underflow detection (U/O flags not set) || Since this affect all units (FPU/VU), many issues can occur. But in reality it seems to not affect any games. While this is easier to implement than on x86 system (full floats range, compared to ieee754), there is no way to do that by hardware way. Because SPU add/sub don't set those flags on single precision operations, and vmx have them disabled in spu compatibility mode. || Superman Returns.
|-
|-
| CTC2 opcode write whole value to R register, while only 23 bits are writable. Rest is hardcoded to 0x3F800000. || Can cause many weird issues like broken physics, broken graphics. PCSX2 was also affected [[https://github.com/PCSX2/pcsx2/pull/6611 more]]. || There is only one game that is known to be affected, and is already partially patched (patch still break fog), is Musashi Samurai Legend.
| DMA between SPR and VU1 memory cause emulator panic. || Currently cause is unknown. It seems that functions responsible for transfer don't check that VU is running. Manual state that dma can be performed only when VU is not active, and pcsx2 wait until VU end. Games affected in emulators on ps3 display this warning in pcsx2 if mtvu is enabled: "MTVU: SPR Accessing VU1 Memory". Affected games are fixed by rearranging code to do lq/sq loop instead of DMA. || Summoner 2 (SPRfrom to VU1 data mem), Kaena (SPRto from VU1 data mem).
|-
|-
| IOP SIF0/1 DMA IRQs can be disabled (masked), which is not true on real hardware. || IOP interrupts 0x2A and 0x2B should always trigger. Fixed by patches to IOP code. Ps2_emu seems to be unfacted, probably handled on real hw in CXD9208GP. || Knockout Kings 2001, DOA2: Hardcore.
|}
|}
===Software emulation bugs===
===Software emulation bugs===
Line 2,546: Line 2,698:
! Bug !! Description !! Known Affected Games
! Bug !! Description !! Known Affected Games
|-
|-
| No mipmapping support || Emulator does ignore the mipmap layers, probably for performance reasons. It is processing only the level 0 texture base pointer specified in the TEX0 register. There are games writing a garbage data into that memory area, when the mipmap level is different than zero. As a result, a garbled texture is shown instead of a correct one. || Ace Combat series, Ape Escape 2, EA Sports F1 series, Harry Potter series, ICO (psuedo volumetric rays), Jak and Daxter series, Nickelodeon Barnyard and Nicktoons Unite (very strange implementation), Ratchet and Clank series and more.
| No mipmapping support || Emulator does ignore the mipmap layers, probably for performance reasons. It is processing only the level 0 texture base pointer specified in the TEX0 register. There are games writing garbage data into that memory area, when the mipmap level is different than zero. As a result, a garbled texture is shown instead of a correct one. || Ace Combat series, Ape Escape 2, EA Sports F1 series, Harry Potter series, ICO (psuedo volumetric rays), Jak and Daxter series, Nickelodeon Barnyard and Nicktoons Unite (very strange implementation), Ratchet and Clank series and more.
|-
| SCANMSK register ignored || Emulator does ignore the SCANMSK setting responsible for restricting the drawing primitives on the odd or even lines. It is used as a fake transparency effect in some games by merging the two display circuits. || Metal Gear Solid series (water and reflection effects), Gran Turismo series (ghost cars), Raw Danger! (depth of field effect)
|-
|-
| SCANMSK register ignored || Emulator does ignore the SCANMSK setting responsible for restricting the drawing primitives on the odd or even lines. It is used as a fake transparency effect in some games by merging the two display circuits. || Metal Gear Solid series (heavy used in the MGS2 on the water and reflection effects), Gran Turismo series (ghost cars), Raw Danger! (depth of field/tonemapping effect)
| Missing PCRTC feedback write support || PCRTC feature that writes back the image to the frame buffer is not supported or broken. Additional RGB to YCbCr conversion could be performed there. || Xenosaga Episode I: Der Wille zur Macht (black and white cut scenes)
|-
|-
|}
|}
Line 3,199: Line 3,353:
* http://wiki.pcsx2.net/index.php/Category:Software_rendering_only_games
* http://wiki.pcsx2.net/index.php/Category:Software_rendering_only_games


{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude>
{{Reverse engineering}}<noinclude>
[[Category:Main]]
</noinclude>

Latest revision as of 17:50, 29 March 2024

Description[edit | edit source]

Simplified block diagram of a PS2
source

Emulation of Playstation 2 is currently handled by 3 kind of emulators. CECH-A/B models use ps2_emu.self able to use built-in PS2 hardware (EE/GS/Rambus memory), and have best compatibility. CECH-C/E use ps2_gxemu, this emulator use physical Graphic Synthesizer found in this ps3 model, but Emotion Engine is fully emulated here, also there is no Rambus memory. All other models emulate PS2 thru fully software based ps2_netemu used for ps2 classics, and hacked now to use decrypted ISO files. Earlier before Sony provided ps2 classics on PS Store there was another soft only emulator strongly based on ps2_gxemu. It was called ps2_softemu, and had support for original PS2 CDVD. Only emulator not able to run physical discs is ps2_netemu.

Emulators are self files, but not typical one. Emulators are not truly PS3 Game OS elf executables, but Guest OS'es running on LV1 of PS3. This mean that LV2, or more friendly Game OS is unloaded before emulator is loaded. This also mean that while emulators are running we can't call any LV2 function. Also LV1 syscalls are limited to call from all emulators, but can be fully unlocked.

All emulators use built-in stripped developement version of PS2 BIOS with disabled debug functions that can affect some games. This is done because some games print debug info on screen when found that are run on dev bios. Bios between ps2_emu, and ps2_gxemu/ps2_netemu are different. Ps2_emu BIOS is able to run only on ps2emu version of emulator due to RDRAM check.

PS3 models without Emotion Engine unit use "SPE-compatible SIMD graphics-rounding mode for VMX/Altivec Instructions" for FPU, and VU0 emulated floats calculations. This is set on emulator init by HV call 97 with param 1. VU1 actually run at SPE core so no compatibility mode need (or can) to be set. SPE compatible mode for PPE mean that rounding mode is set as round to zero, denormals are treated as zero, and there are no infinities or NaNs. So theoretically what PS2 FPU/VU was originally. Although SPE and PPE SPE compatibility mode is still inaccurate comparing to PS2, because Sony decided to cut off 2 guard bits from calculations on PS2. Probably because there was no need for round and sticky bits (no Nan/Inf, one round mode, etc.). Additionally float divide algorithm is custom and not fully understood up to this day. Good example here are TriAce games, or Castlevania COD where SPE calculation is wrong by 1 bit making games unplayable without patch. This are PS2 math algo specific inaccuracies in FPU/VU implementation that are not present on any other hardware.

Note:

PS2 emulators workload comparison[edit | edit source]

[edit]
PS2 (GS+EE)
Core Job Source Notes
SPU0 Spu2 SPU Assembly Spu2 emulator
SPU1 Sif SPU Assembly Some kind of bridge to IOP, since SIF is part of EE hardware.
SPU2 Timer SPU Assembly IOP timers.
SPU3-6 - - Unknown, emulator seems to not use them
SPU7 - - Unavailable: Factory disabled SPU
PPU:0 PS2-Devices C++ and PPU ASM
PPU:1 - - unused?
PS2-EE Emotion Engine Hardware CXD2953AGB Only in CECHAxx and CECHBxx PS3 models with COK-001 motherboard
PS2-GS Graphic Synthesizer
PS2_GX
Core Job Source Notes
SPU0 IOP SPU ASM I/O Processor (originally PS1 main processor)
SPU1 DMA SPU ASM Emotion Engine DMA Controller
SPU2 Isolation C++ Raw SPU Used for MagicGate Encryption and others (?)
SPU3 IPU SPU ASM Image Processing Unit
SPU4 GFIF SPU ASM GIF?
SPU5 PS2-SPU2 C++ Sound processing unit 2 (originally SPU from PS1) about 50% load average
SPU6 VU1 SPU ASM Vector Unit 1
SPU7 - - Unavailable: Factory disabled SPU
PPU:0 PS2-Devices C++ and PPU ASM
PPU:1 Emotion Engine C++ and PPU ASM
PS2-GS Graphic Synthesizer Hardware CXD2972GB Only in CECHCxx PS3 models with COK-002 motherboard
PS2 Software
Core Job Source Notes
SPU0 IOP SPU ASM I/O Processor (originally PS1 main processor)
SPU1 SPU2 SPU ASM Sound Processing Unit 2
SPU2 VU1 SPU ASM Vector Unit 1
SPU3 EEDMA SPU ASM Emotion Engine DMA Controller
SPU4 GSEGIF SPU ASM GIF
SPU5 GSE SPU ASM
SPU6 IPU SPU ASM Image Processing Unit
SPU7 - - Unavailable: Factory disabled SPU
PPU:0 PS2-Devices C++ and PPU ASM
PPU:1 Emotion Engine C++ and PPU ASM
PS2 Netemu
Core Job Source Notes
SPU0 IOP SPU ASM I/O Processor (originally PS1 main processor)
SPU1 SPU2 SPU ASM Sound processing unit 2 (originally SPU from PS1)
SPU2 VU1 SPU ASM Running VU1 code translated previously on PPU side.
SPU3 EEDMA SPU ASM Partial DMAC, mostly channels 1/2, and VU1 CODE r/w. Also process VIF1 commands (incl. Unpacks).
SPU4 FE SPU ASM GIF unit, processing GIF tags, handling GS internal registers, etc.
SPU5 BE SPU ASM
SPU6 IPU SPU ASM EE Image Processing Unit
SPU7 BE Factory disabled SPU. Emulator set name for JOB, but never try to start/set it as active.
PPU:0 - -
PPU:1 - -

Note: Apparently ps2_gxemu SPU layout changed at some point (maybe ps2_emu too), and above table is not accurate for latest emu versions.
0-6 layout for ps2_gxemu currently look like this: IOP, SPU2, IPU, VU1, EEDMA, GSGIF, UNK(probably isolation).

PS2 Emulator Types and Revisions[edit | edit source]

PS2 Emulator Types and Revisions
ps2_emu.elf (decrypted)
Firmware Bytes MD5 Timestamp Rev Comm
1.00 AV 8 258 328 19DC714F1109FF772BEF5B00C4AF2CF7 06/10/04/12:15 ? ?
1.02 8.258.504 FF9C1C465DF6F501E418602A488CBD40 06/10/21/00:01 ? ?
1.10 8.254.568 72EFF1FB3E9A175253687634B698CC91 06/11/09/06:08 ? ?
1.11 8.255.192 98BCC06ACA07971DFE57A126000B6DEE 06/11/21/17:54 ? ?
1.30 8.787.800 3F1E943139329E8AD5461FA43DB4DD0E 06/12/05/05:33 same ?
1.30 AV 8.787.800 F2CE2D8CF41FF38E586AE7A91A13980C 06/12/05/07:15
1.31 8.790.440 CF13D31F202DA3C55009C06B6A2B27A0 06/12/12/18:47 ? ?
1.32 8.794.664 6DD631EEDE321AC7F59C85BC6AC0DCA9 06/12/18/05:54 ? ?
1.50 8.805.912 81B38EE824E460385B44FADE78CAA5DC 07/01/18/22:52 ? ?
? ? ? ? ? ?
1.70 8.854.680 CEACBB22EB450C5CC587C193CE7BBE91 07/04/16/16:11 ? ?
? ? ? ? ? ?
1.90 5.190.280 88B26FDC910B8633613BC366D39F439D 07/07/21/06:44 ? ?
? ? ? ? ? ?
2.10 5.223.112 CB1924E7163F01EA2DD3965918BACCE4 07/12/15/05:29 ? ?
? ? ? ? ? ?
3.40 5.267.128 916603300F798139456FCF1A40384A97 10/06/23/15:44 ? ?
? ? ? ? ? ?
3.66 5.267.112 BE20230D091F5C8AB8364607D49A6992 11/06/16/03:51 same ?
~ Any
3.74 5B2CA12EE08298094177667C681BC75F 11/10/25/00:30
4.00 5.272.152 08516640BE636F3E633C0416F09EF941 11/11/22/03:10 same ?
4.01 61ECD51036247547736274EEB52FA4C4 11/12/23/01:02
4.10 5.272.008 88CFD465D2F412C075C69531278BB3A9 12/02/05/23:08 same ?
4.11 2B45F72675B844C08E1735059F9826E3 12/02/11/07:05
4.20 5.272.264 23D3F9909EBA3F1AB0D757850C5D6809 12/06/15/02:01 same ?
4.21 110F0D01B39193F1A2031BBC7ADBBC2F 12/06/30/01:06
4.23 S 5.271.912 783201F2541117E545B8E01B3A0B1955 12/07/31/00:17 ? ?
4.25 5.272.264 C895EAA3F79BA2040D6C828A5B811139 12/09/07/06:55 ? ?
? ? ? ? ? ?
? ? ? ? ? ?
? ? ? ? ? ?
Abandoned (last revision)
4.78 5.274.984 ABC9228FCEA0E779E3157CA546A1FD02 15/12/17/01:14 same ?
~ Any
4.89 7523DE6D38B13B9C4B9F72419C50D4A7 22/02/04/14:35

 · Decrypted (elf): changes every firmware version
 · Build label: yes, with timestamp, search for ps2ver:
 · Target Firmware: no/unknown
 · Revision: unknown

ps2_gxemu.elf (decrypted)
Firmware Bytes MD5 Rev Comm
1.00 ~ 1.32 No
1.50 6.106.040 BACC208C8A793F82D71F85B02DD2D318 ? ?
? ? ? ? ?
1.70 6.763.336 B70A15512EF9FA74B798A5E9241FE571 ? ?
? ? ? ? ?
1.90 6.802.720 B9E2CC8D72779650D9B500B75AE552EB ? ?
? ? ? ? ?
2.10 6.822.576 E34C4EB587CCE44AB4B92D848DC391A7 ? ?
? ? ? ? ?
3.40 6.866.424 80091C68E2F8D2385A2125AB38085A3C ? ?
? ? ? ? ?
3.66 ~ 3.74 6.867.024 E04FA0FE63A968C53AE366B3AAD0141A ? ?
4.00 ~ 4.11 6.871.848 D5E97019132848203970213FF96F2AAB ? ?
4.20 ~ 4.25 6.872.128 678F16283CAA8CFBC03A5FBCB6ABA41E ? ?
? ? ? ? ?
? ? ? ? ?
? ? ? ? ?
Abandoned (last revision)
4.78 ~ 4.89 6.874.848 C7681420A7B3A2A6E3BF89F4A12A3DD6 ? 0x2B ?

 · Decrypted (elf): changes every emu revision
 · Build label: no/unknown
 · Target Firmware: no/unknown
 · Revision: unknown

ps2_softemu.elf (decrypted)
Firmware Bytes MD5 Rev Comm
1.00 ~ 1.82 No
1.90 ~ 1.94 6.142.080 812330515D01291488315BBE7E0F339E 11065 ?
1.97 ? ? ? ?
2.00 ~ 2.10 6.143.048 C0964350E3E8EA80EB5C7CB34901E9DE 11830 ?
2.16 ? ? ? ?
? ~ ? ? ? ? ?
3.10 ? ? ? ?
3.15 ? ? 12840 ?
3.16 ? ? ? ?
? ~ ? ? ? ? ?
3.40 6.146.424 97C33E83E14399EED1BD4F5351443E1C ? ?
3.41 ~ 3.65 ? ? 13474 ?
3.66 ~ 3.71 6.147.120 513B9160AD8C199CAEFC82C1B7D9D794 15435 ?
3.72 ~ 4.01 6.146.992 1232D3EEB48F301CBB61D76EB3046111 15529 ?
4.10 ~ 4.91 No

 · Decrypted (elf): changes every emu revision
 · Build label: no/unknown
 · Target Firmware: no/unknown
 · Revision: unknown

ps2_netemu.elf (decrypted)
Firmware Bytes MD5 Rev Comm
1.00 ~ 3.66 No
3.70 ~ 3.71 11.036.504 0D021D18CC63DDBDA530A93C41ABF865 15686 0x41
3.72 11.036.504 38EABD7E5F998BC04922CA3B70211208 15842
3.73 ~ 3.74 11.036.504 F21110A93BBEA416749283E6BF3D3C6B 15936
4.00 ~ 4.01 11.033.048 F770442DFA626282B01FEBE3DDFFC477 16195
4.10 ~ 4.11 11.033.216 8F0885BCC80A3617E654BB6151F4F718 16361
4.20 ~ 4.23 11.033.728 8EB5492E453C50B6D728E7999A57A689 16604 0x43
4.25 ~ 4.26 11.033.728 E38059300E31432A62967770C3E99EF6 16740
4.30 ~ 4.31 ? ? 16808 0x45
4.40 ~ 4.41 ? ? 16916 0x46
4.45 ~ 4.46 ? ? 17041 0x48
4.50 ? ? 17179 0x4A
4.55 ? ? 17277 0x4D
4.60 ~ 4.76 ? ? 17314
Abandoned (last revision)
4.78 ~ 4.89 10.442.536 8B2DBD1AAD22A0EDCF9C867A1A1FB94D 17495 0x50

 · Decrypted (elf): changes every emu revision
 · Build label: yes, without timestamp, search for build r
 · Target Firmware: included in the build label
 · Revision: yes, one time, and included in the build label


  • Alternative tables
ps2_emu.self
FW version TOC Notes
1.00 AV 0x7C3150
1.02 0x7C31F0
1.10 0x7C2168
1.11 0x7C23C8
1.30 0x8442E8
1.30 AV 0x8442E8
1.31 0x844C98
1.32 0x845CA0
1.50 0x848728
1.90 0x4D7ED8
3.66 - 3.74 0x4E9A20
4.00 - 4.01 0x4EADB8
4.10 - 4.11 0x4EAD28
4.20 - 4.21 0x4EAE30
4.23 0x4EACE0
4.25 0x4EAE30 Reverted to 4.20 - 4.21 version?
4.78 - 4.82 0x4EB8C0
ps2_gxemu.self
FW version TOC Notes
1.50 0x5BDFC8
1.90 0x666C78
3.66 - 3.74 0x6766B8
4.00 - 4.11 0x677990
3.66 - 3.74 0x677AA8
4.78 - 4.82 0x678548
ps2_softemu.self
FW version TOC Notes
1.90 0x5C7B10
2.50 0x5C7ED8
3.41 0x5C8C00
3.66 - 3.71 0x5C8EC0
3.72 - 4.01 0x5C8E40
ps2_netemu.self
FW version TOC Notes
3.73 - 3.74 0x7D8B00
4.00 - 4.01 0x7DA200
4.10 - 4.11 0x7DA180
4.20 - 4.25 0x7DA500
4.78 - 4.83 0x751280

General observations regarding PS2 Classics emulator (ps2_netemu)[edit | edit source]

  • Virtual memory cards are per title based, but apparently run through the current memory card system. The module used to manage memory cards is: vmc_savedata_plugin.sprx - Using a regular memory card that has been renamed result in a "The save data is corrupt (8XXXXXXX) error"
  • Loads an epilepsy warning before PS2 logo (PS button menu appears during epilepsy warning if controller is synced)
  • Does not support online functionality of PS2 titles (network configuration utility inside Full Spectrum Warrior claims no network adaptor has been found, same with Syphon Filter: The Omega Strain).

- Only file that is needed in the folder for PS2 Classics is "iso.bin.enc". Removing the manuals/DXT files will cause the game to boot IMMEDIATELY to the PS2 logo upon switching to 720p/starting PS2 LPAR.

LIMG Segment[edit | edit source]

The ISO.BIN.ENC has a block of 0x4000 bytes added at the end codenamed "LIMG" that works as a descriptor for the ISO structure

Offset Length Name Example Description
0x00 0x4 magic LIMG Logical IMaGe (layout) ?
0x04 0x4 img_type 0x00000001 1=DVD
2=CD
0x08 0x4 sector_count 0x00279890 sector_count = img_size / sector_size
0x0C 0x4 sector_size 0x0000800 sector_size = img_size / sector_count
0x800=DVD (Mode1/2048)
0x930=CD (Mode2/2352)
0x10 0x3FF0 padding 0x00000000...

folder/file layout[edit | edit source]

(in this example GTA San Andreas Classic) 

[NPUD20946]
       [USRDIR]
             [CONTENT]
                    001.dxt
                    002.dxt
                    003.dxt
                    004.dxt
                    005.dxt
                    006.dxt
                    007.dxt
                    008.dxt
                    009.dxt
                    010.dxt
                    011.dxt
                    012.dxt
                    013.dxt
                    014.dxt
                    015.dxt
                    016.dxt
                    017.dxt
                    Others.dxt
                    Manual.idx
             [SAVEDATA]
                    SCEVMC0.VME
                    SCEVMC1.VME
             CONFIG
             ISO.BIN.EDAT
             ISO.BIN.ENC
       PS3LOGO.DAT
       PARAM.SFO
       ICON0.PNG
       PIC0.PNG
       PIC1.PNG
       PIC2.PNG

Virtual PS2 (emulated machine) usage and features[edit | edit source]

Video Modes[edit | edit source]

Note: Real PS2 : http://users.neoscientists.org/~blue/ps2videomodes.txt 

Video Modes
----.-----------.---------------.-----------.-----------.
 No | Name      | Resolution	| fV(Hz)    | fH(kHz)   |
----+-----------+---------------+-----------+-----------|
  0 | NTSC-NI   |  640x240(224) | 59.940    | 15.734    |
  1 | NTSC-I    |  640x480(448) | 59.820    | 15.734    |
  2 | PAL-NI    |  640x288(256) | 50.000    | 15.625    |
  3 | PAL-I     |  640x576(512) | 49.760    | 15.625    |
  4 | VESA-1A   |  640x480      | 59.940    | 31.469    |
  5 | VESA-1C   |  640x480      | 75.000    | 37.500    |
  6 | VESA-2B   |  800x600      | 60.317    | 37.879    |
  7 | VESA-2D   |  800x600      | 75.000    | 46.875    |
  8 | VESA-3B   | 1024x768      | 60.004    | 48.363    |
  9 | VESA-3D   | 1024x768      | 75.029    | 60.023    |
 10 | VESA-4A   | 1280x1024     | 60.020    | 63.981    |
 11 | VESA-4B   | 1280x1024     | 75.025    | 79.976    |
 12 | DTV-480P  |  720x480      | 59.940    | 31.469    |
 13 | DTV-1080I | 1920x1080     | 60.000    | 33.750    |
 14 | DTV-720P  | 1280x720      | ??        | ??        |
----^-----------^---------------^-----------^-----------'

Memory Mapping[edit | edit source]

ps2netemu[edit | edit source]

Name ea lpar2(netemu 4.81) size flags lpar1(lv1 4.81)
text 0x0 0x3D00000 0x300000( 3 MB) 0x8000000000000003 0000000000000003 0x7D00000
ro_work 0x300000 0x300000 0x500000( 5 MB) 0x0000000000000003 0000000000000003 0x4300000
rw_work 0x800000 0x800000 0x2A00000( 42 MB) 0x0000000000000001 0000000000000003 0x4800000
negmem 0x1FFF0000 0x3210000 0x10000( 64 KB) 0x0000000000000001 0000000000000000 0x7210000
ee_ram 0x100000000 0x64000E000000 0x2000000( 32 MB) 0x0000000000000001 0000000000000000 0x3C00000 - 0x3F00000, 0x8000000 - 0x9B00000
ee_jit_code 0xD00000000 0x680024000000 0x3000000( 48 MB) 0x8000000000000001 0000000000000003 0xBC00000 - 0xEB00000
vu0_jit_code 0xD08000000 0x580000800000 0x400000( 4 MB) 0x8000000000000001 0000000000000003 0x900000 - 0xC00000
vu0_jit_data 0xD0C000000 0x3700000 0x400000( 4 MB) 0x0000000000000002 0000000000000003 0x7700000
eeram_jit_lut 0xE00000000 0x640010000000 0x2000000( 32 MB) 0x0000000000000001 0000000000000003 0x9C00000 - 0xBB00000
eerom_jit_lut 0xE0FC00000 0x580000C00000 0x400000( 4 MB) 0x0000000000000001 0000000000000003 0xD00000 - 0x1000000
ee_dbg_ram 0x90FFF8000 0x64000E078000 0x8000( 32 KB) 0x0000000000000001 0000000000000000
iop_ram 0x400000000 0x3300000 0x200000( 2 MB) 0x0000000000000001 0000000000000000 0x7300000
iop_rom 0x50FC00000 0x580001000000 0x400000( 4 MB) 0x0000000000000001 0000000000000002 0x1100000 - 0x1400000
iop_spad 0x50F800000 0x3220000 0x10000( 64 KB) 0x0000000000000001 0000000000000002 0x7220000
spu2_ram 0x600000000 0x3500000 0x200000( 2 MB) 0x0000000000000001 0000000000000000 0x7500000
spu2_ram2 0x600200000 0x3500000 0x200000( 2 MB) 0x0000000000000001 0000000000000000 0x7500000
spu2_pcm 0x1000000000 0x3230000 0x10000( 64 KB) 0x0000000000000001 0000000000000000 0x7230000
ee_spr_lo 0x700000000 0x3201000 0x2000( 8 KB) 0x0000000000000001 0000000000000000 0x7201000
ee_spr 0x800000000 0x3203000 0x6000( 24 KB) 0x0000000000000001 0000000000000000 0x7203000
ee_vu0_dmem0 0x301004000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
ee_vu0_dmem1 0x301005000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
ee_vu0_dmem2 0x301006000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
ee_vu0_dmem3 0x301007000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
ee_rom 0x30FC00000 0x580001000000 0x400000( 4 MB) 0x0000000000000001 0000000000000001 0x1100000 - 0x1400000
vrc 0xC00000000 0x600005000000 0x1000000( 16 MB) 0x0000000000000001 0000000000000000 0x1500000 - 0x2400000
/dev/zero 0x4000000000 0x3240000 0x10000( 64 KB) 0x0000000000000001 0000000000000001 0x7240000
dma_vu0_dmem0 0x4001004000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
dma_vu0_dmem1 0x4001005000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
dma_vu0_dmem2 0x4001006000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
dma_vu0_dmem3 0x4001007000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
imm_vu0_dmem0 0x30000000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
imm_vu0_dmem1 0x30001000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
imm_vu0_dmem2 0x30002000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
imm_vu0_dmem3 0x30003000 0x3200000 0x1000( 4 KB) 0x0000000000000001 0000000000000001 0x7200000
SGSXdr 0x1904000000 0x64000C000000 0x1700000( 23 MB) 0x0000000000000001 0000000000000000 0x2500000 - 0x3B00000
iopTrace 0x1400000000 0x3250000 0x10000( 64 KB) 0x0000000000000001 0000000000000000 0x7250000

SPE local storage[edit | edit source]

Emulator access SPE LS by accessing special addresses. Mapping as follows:

SPE Num. SPE task Address in netemu address in SPE
0 IOP 0x40000000 - 0x4003FFFF 0x0 - 3FFFF
1 SPU2 0x40080000 - 0x400BFFFF 0x0 - 3FFFF
2 VU1 0x40100000 - 0x4013FFFF 0x0 - 3FFFF
3 EEDMA 0x40180000 - 0x401BFFFF 0x0 - 3FFFF
4 FE 0x40200000 - 0x4023FFFF 0x0 - 3FFFF
5 BE 0x40280000 - 0x402BFFFF 0x0 - 3FFFF
6 IPU 0x40300000 - 0x4033FFFF 0x0 - 3FFFF

Additionally, emulator access SPU directly with those addresses.

Address Channel Channel description Access type Notes
0x44004 SPU_Out_Mbox SPU Outbound Mailbox Register Read only Used to read 32 bits of data from the corresponding SPU outbound mailbox queue. Outbound Mailbox Register has a corresponding SPU Write Outbound Mailbox Channel for writing data into outbound mailbox queue.
0x4400C SPU_In_Mbox SPU Inbound Mailbox Register Write only Used to write 32 bits of data into the corresponding SPU inbound mailbox queue. Inbound mailbox queue has a corresponding SPU Read Inbound Mailbox Channel for reading data from the queue.
0x44014 SPU_Mbox_Stat SPU Mailbox Status Register Read only Contains the current In_Mbox/Out_Mbox/Out_Intr_Mbox count of the mailbox queues in the corresponding SPE.
0x4401C SPU_RunCntl SPU Run Control Register Read/Write Used to start and stop the execution of instructions in the SPU.

The SPU can dynamically change the state of the Run Status bit (that is, SPU_Status[R]).

0x44024 SPU_Status SPU Status Register Read only Used to report the status (state) of an SPU. Emulator use it mostly to check if SPU is running (bit31).
0x44034 SPU_NPC SPU Next Program Counter Register Read/Write Contains the address from which an SPU starts executing when the Run Control bit is set in the SPU Run Control Register.

Used in function that start SPU programs, and in interrupts handlers, plus in few other places.

0x5400C SPU_Sig_Notify_1 SPU Signal Notification 1 Register Read/Write Used to write data that can be read in SPU_RdSigNotify1 channel corresponding SPE.
0x5C00C SPU_Sig_Notify_2 SPU Signal Notification 2 Register Read/Write Used to write data that can be read in SPU_RdSigNotify2 channel corresponding SPE.

Address = SPU base + Address. For example, IPU SPU is mapped to 0x40300000 so accessing SPU_Sig_Notify1 will be done by read/write to 0x4035400C.

PS2 Memory and Hardware Mapped Registers Layout[edit | edit source]

EE Virtual/Physical Memory Map
  KUSEG: 00000000h-7FFFFFFFh User segment
  KSEG0: 80000000h-9FFFFFFFh Kernel segment 0
  KSEG1: A0000000h-BFFFFFFFh Kernel segment 1
  KSSEG: C0000000h-DFFFFFFFh Supervisor segment
  KSEG3: E0000000h-FFFFFFFFh Kernel segment 3
  
  Virtual    Physical
  00000000h  00000000h  32 MB    Main RAM (first 1 MB reserved for kernel)
  20000000h  00000000h  32 MB    Main RAM, uncached
  30100000h  00100000h  31 MB    Main RAM, uncached and accelerated
  10000000h  10000000h  64 KB    I/O registers
  11000000h  11000000h  4 KB     VU0 code memory
  11004000h  11004000h  4 KB     VU0 data memory
  11008000h  11008000h  16 KB    VU1 code memory
  1100C000h  1100C000h  16 KB    VU1 data memory
  12000000h  12000000h  8 KB     GS privileged registers
  1C000000h  1C000000h  2 MB     IOP RAM
  1FC00000h  1FC00000h  4 MB     BIOS, uncached (rom0)
  9FC00000h  1FC00000h  4 MB     BIOS, cached (rom09)
  BFC00000h  1FC00000h  4 MB     BIOS, uncached (rom0b)
  70000000h  ---------  16 KB    Scratchpad RAM (only accessible via virtual addressing)

IOP Physical Memory Map
  KUSEG: 00000000h-7FFFFFFFh User segment
  KSEG0: 80000000h-9FFFFFFFh Kernel segment 0
  KSEG1: A0000000h-BFFFFFFFh Kernel segment 1
  
  Physical
  00000000h  2 MB     Main RAM (same as on PSX)
  1D000000h           SIF registers
  1F800000h  64 KB    Various I/O registers
  1F900000h  1 KB     SPU2 registers
  1FC00000h  4 MB     BIOS (rom0) - Same as EE BIOS
  
  FFFE0000h (KSEG2)   Cache control

Additional Memory
  4 MB   GS VRAM (used for framebuffer, textures, zbuffer, etc)
  2 MB   SPU2 work RAM - quadrupled from PSX's SPU
  8 MB   Memory card


Hardware Mapped Registers
EE Map
EE Timers
  100000xxh        Timer 0
  100008xxh        Timer 1
  100010xxh        Timer 2
  100018xxh        Timer 3
Image Processing Unit (IPU)
  10002000h 8h     IPU Command
  10002010h 4h     IPU Control
  10002020h 4h     IPU bit pointer control
  10002030h 8h     Top of bitstream
  10007000h 10h    Out FIFO (read)
  10007010h 10h    In FIFO (write)
Graphics Interface (GIF)
  10003000h 4h     GIF_CTRL - Control register
  10003010h 4h     GIF_MODE - Mode setting
  10003020h 4h     GIF_STAT - Status
  10003040h 4h     GIF_TAG0 - Bits 0-31 of tag before
  10003050h 4h     GIF_TAG1 - Bits 32-63 of tag before
  10003060h 4h     GIF_TAG2 - Bits 64-95 of tag before
  10003070h 4h     GIF_TAG3 - Bits 96-127 of tag before
  10003080h 4h     GIF_CNT - Transfer status counter
  10003090h 4h     GIF_P3CNT - PATH3 transfer status counter
  100030A0h 4h     GIF_P3TAG - Bits 0-31 of PATH3 tag when interrupted
  10006000h 10h    GIF FIFO
DMA Controller (DMAC)
  100080xxh        VIF0 - channel 0
  100090xxh        VIF1 - channel 1
  1000A0xxh        GIF - channel 2
  1000B0xxh        IPU_FROM - channel 3
  1000B4xxh        IPU_TO - channel 4
  1000C0xxh        SIF0 - channel 5
  1000C4xxh        SIF1 - channel 6
  1000C8xxh        SIF2 - channel 7
  1000D0xxh        SPR_FROM - channel 8
  1000D4xxh        SPR_TO - channel 9
  1000E000h 4h     D_CTRL - DMAC control
  1000E010h 4h     D_STAT - DMAC interrupt status
  1000E020h 4h     D_PCR - DMAC priority control
  1000E030h 4h     D_SQWC - DMAC skip quadword
  1000E040h 4h     D_RBSR - DMAC ringbuffer size
  1000E050h 4h     D_RBOR - DMAC ringbuffer offset
  1000E060h 4h     D_STADR - DMAC stall address
  1000F520h 4h     D_ENABLER - DMAC disabled status
  1000F590h 4h     D_ENABLEW - DMAC disable
Interrupt Controller (INTC)
  1000F000h 4h     INTC_STAT - Interrupt status
  1000F010h 4h     INTC_MASK - Interrupt mask
Subsystem Interface (SIF)
  1000F200h 4h     MSCOM - EE->IOP communication
  1000F210h 4h     SMCOM - IOP->EE communication
  1000F220h 4h     MSFLAG - EE->IOP flags
  1000F230h 4h     SMFLAG - IOP->EE flags
  1000F240h 4h     Control register
Privileged GS registers
  12000000h 8h     PMODE - various PCRTC controls
  12000010h 8h     SMODE1
  12000020h 8h     SMODE2
  12000030h 8h     SRFSH
  12000040h 8h     SYNCH1
  12000050h 8h     SYNCH2
  12000060h 8h     SYNCV
  12000070h 8h     DISPFB1 - display buffer for output circuit 1
  12000080h 8h     DISPLAY1 - output circuit 1 control
  12000090h 8h     DISPFB2 - display buffer for output circuit 2
  120000A0h 8h     DISPLAY2 - output circuit 2 control
  120000B0h 8h     EXTBUF
  120000C0h 8h     EXTDATA
  120000D0h 8h     EXTWRITE
  120000E0h 8h     BGCOLOR - background color
  12001000h 8h     GS_CSR - control register
  12001010h 8h     GS_IMR - GS interrupt control
  12001040h 8h     BUSDIR - transfer direction
  12001080h 8h     SIGLBLID - signal

IOP Map
Subsystem Interface (SIF)
  1D000000h 4h     MSCOM - EE->IOP communication
  1D000010h 4h     SMCOM - IOP->EE communication
  1D000020h 4h     MSFLAG - EE->IOP flags
  1D000030h 4h     SMFLAG - IOP->EE flags
  1D000040h 4h     Control register
CDVD Drive
  1F402004h 1h     Current N command
  1F402005h 1h     N command status (R)
  1F402005h 1h     N command params (W)
  1F402006h 1h     Error
  1F402007h 1h     Send BREAK command
  1F402008h 1h     CDVD I_STAT - interrupt register
  1F40200Ah 1h     Drive status
  1F40200Fh 1h     Disk type
  1F402016h 1h     Current S command
  1F402017h 1h     S command status
  1F402018h 1h     S command params
Interrupt Control
  1F801070h 4h     I_STAT - Interrupt status
  1F801074h 4h     I_MASK - Interrupt mask
  1F801078h 1h     I_CTRL - Global interrupt disable
DMA registers
  1F80108xh        MDECin - channel 0
  1F80109xh        MDECout - channel 1
  1F8010Axh        SIF2 (GPU) - channel 2
  1F8010Bxh        CDVD - channel 3
  1F8010Cxh        SPU2 Core0 - channel 4
  1F8010Dxh        PIO - channel 5
  1F8010Exh        OTC - channel 6
  1F80150xh        SPU2 Core1 - channel 8
  1F80151xh        ??? - channel 9
  1F80152xh        SIF0 - channel 10
  1F80153xh        SIF1 - channel 11
  1F80154xh        SIO2in - channel 12
  1F80155xh        SIO2out - channel 13
  
  1F8010F0h 4h     DPCR - DMA priority control
  1F8010F4h 4h     DICR - DMA interrupt control
  1F801570h 4h     DPCR2 - DMA priority control 2
  1F801574h 4h     DICR2 - DMA priority control 2
IOP Timers
  1F80110xh        Timer 0
  1F80111xh        Timer 1
  1F80112xh        Timer 2
  1F80148xh        Timer 3
  1F80149xh        Timer 4
  1F8014Axh        Timer 5
Serial Interface (SIO2)
  1F808200h 40h    SEND3 buffer
  1F808240h 20h    SEND1/2 buffers
  1F808260h 1h     In FIFO
  1F808264h 1h     Out FIFO
  1F808268h 4h     SIO2 control
  1F80826Ch 4h     RECV1
  1F808270h 4h     RECV2
  1F808274h 4h     RECV3
Sound Processing Unit (SPU2)
  1F900000h 180h   Core0 Voice 0-23 registers
  1F900190h 4h     Key ON 0/1
  1F900194h 4h     Key OFF 0/1
  1F90019Ah 2h     Core attributes
  1F90019Ch 4h     Interrupt address H/L
  1F9001A8h 4h     DMA transfer address H/L
  1F9001ACh 2h     Internal transfer FIFO
  1F9001B0h 2h     AutoDMA status
  1F9001C0h 120h   Core0 Voice 0-23 start/loop/next addresses
  1F900340h 4h     ENDX 0/1
  1F900344h 2h     Status register
  
  ... above addresses repeat for Core1 starting at 1F900400h ...
  
  1F900760h 2h     Master Volume Left
  1F900762h 2h     Master Volume Right
  1F900764h 2h     Effect Volume Left
  1F900766h 2h     Effect Volume Right
  1F900768h 2h     Core1 External Input Volume Left
  1F90076Ah 2h     Core1 External Input Volume Right

Memory Allocation[edit | edit source]

ps2_netemu[edit | edit source]

Name Size page_log2 lpar2(netemu 4.81) lpar1(lv1 4.81)
ra_vu0_dmem 0x1000 (4 KB) 12 (4 KB) 0x3200000 0x7200000
ra_ee_spr_lo 0x2000 (8 KB) 12 (4 KB) 0x3201000 0x7201000
ra_ee_sprx 0x6000 (24 KB) 12 (4 KB) 0x3203000 0x7203000
ra_negmem 0x10000 (64 KB) 16 (64 KB) 0x3210000 0x7210000
ra_iop_spad 0x10000 (64 KB) 16 (64 KB) 0x3220000 0x7220000
ra_spu2_pcm 0x10000 (64 KB) 16 (64 KB) 0x3230000 0x7230000
ra_nulls 0x10000 (64 KB) 16 (64 KB) 0x3240000 0x7240000
ra_itrace 0x10000 (64 KB) 16 (64 KB) 0x3250000 0x7250000
ra_iop_ram 0x200000 (2 MB) 20 (1 MB) 0x3300000 0x7300000
ra_spu2_ram 0x200000 (2 MB) 20 (1 MB) 0x3500000 0x7500000
ra_vu0_code 0x400000 (4 MB) 20 (1 MB) 0x580000800000 0x900000 - 0xC00000
ra_vu0_data 0x400000 (4 MB) 20 (1 MB) 0x3700000 0x7700000
ra_ee_rom_pc 0x400000 (4 MB) 20 (1 MB) 0x580000C00000 0xD00000 - 0x1000000
ra_ps2_rom 0x400000 (4 MB) 20 (1 MB) 0x580001000000 0x1100000 - 0x1400000
ra_vrc_mem 0x1000000 (16 MB) 20 (1 MB) 0x600005000000 0x1500000 - 0x2400000
ra_sgs_xdr 0x1700000 (23 MB) 20 (1 MB) 0x64000C000000 0x2500000 - 0x3B00000
ra_ee_ram 0x2000000 (32 MB) 20 (1 MB) 0x64000E000000 0x3C00000 - 0x3F00000, 0x8000000 - 0x9B00000
ra_ee_ram_pc 0x2000000 (32 MB) 20 (1 MB) 0x640010000000 0x9C00000 - 0xBB00000
ra_trans_code 0x3000000 (48 MB) 20 (1 MB) 0x680024000000 0xBC00000 - 0xEB00000


Controller[edit | edit source]

ID Controller #Number Note
1 (1-A) 1
2 (2-A) 2
3 (1-B) 3
4 (2-B) 4
5 (1-C) 5 Gamepad LED #1 + #4
6 (2-C) 6 Gamepad LED #2 + #4
7 (1-D) 7 Gamepad LED #3 + #4

Peripheral support[edit | edit source]

ps2_emu.self / ps2_gxemu.self[edit | edit source]

  1. Hub
  2. Mouse
  3. Keyboard
  4. EyeToy
  5. Head Mount Display
  6. Mic
  7. Ascii Mic
  8. Socom USB Headset
  9. Usb Headset
  10. Sea Mic Controller
  11. Force Feedback device
  12. GT Force
  13. Momo Force
  14. Driving Force Pro
  15. G25/G27
  16. Momo Racing
  17. Flight Force
  18. Force 3D Pro
  19. Modem
  20. Guncon2
  21. Densya de GO! controller type 2
  22. Densya de GO! Sincansen senyou controller
  23. Capture Eye
  24. Flight Stick
  25. Flight Stick 2
  26. Pop Egg
  27. Trance Vibrator
  28. PSP
  29. Compact Flight Controller
  30. Flash Memory
  31. Buzz!
  32. Pachi-Slot Controller Kurouto
  33. Usb Adapter
  34. Guncon3
  35. Multi Train Controller
  36. Para Para Paradise controller

ps2_netemu.self[edit | edit source]

Support for USB devices seems to be limited comparing to other available emulators. Although PS2 side of USB subsystem seems to be fully implemented. IOP emulator in SPU handle USB HW registers addresses and generate interrupt for PPU which later handle RW to mentioned registers in similar fashion to ps2_emu/ps2_gxemu. PS2 side of things can be disabled/enabled using one byte, when disabled USB writes are ignored, and USB reads return 0. Initial state is unknown. Emulator seems to accept HID controllers and use them as DS3.

Supported devices:

  1. BD Remote Control
  2. PLAYSTATION(R)3 Controller (Vendor ID 0x54C, Product ID 0x268),
  3. Motion Controller - Move (Vendor ID 0x54C, Product ID 0x3D5),
  4. Navigation Controller (Vendor ID 0x54C, Product ID 0x42F)
  5. "guncon3"


Unknown:

  1. Vendor ID 0xF0D (Hori), Product ID 0x4A
  2. Vendor ID 0x54C (Sony), Product ID 0x5AF


Few peripherals not listed above work fine or with issues.

  1. PS3 Dance Dance Revolution Dance Pad - not ps2 accessory, opposite arrows can't be pressed at the same time.
  2. Pop'N Music controllers - Require PS2 to USB converter. Wrong button mappings can be fixed by remap in config file.
  3. Retro-Bit Official SEGA Mega Drive USB 6-Button Controller. Mapped for PS3 already and also works with this emulator. Lacks analogue sticks and shoulder buttons.

BIOS[edit | edit source]

ps2_netemu.self[edit | edit source]

Ps2_netemu use integrated PS2 bios included in ps2netemu.elf, not additional file like in ps1_emu. In 4.81 firmware BIOS is located from 0x820A00 to 0x9F09FF (0x820900 to 0x9F08FF in fw4.50). Bios version is Developement v2.20 (22/01/2007).

Notable thing is that ps2_netemu use the same bios as ps2_gxemu, and ps2onps4. ps2_netemu not boot using ps2_emu bios because of failing RDRAM check.

Content[edit | edit source]

Files included in ps2_netemu/ps2_gxemu bios.

File Offset in fw4.81 ps2_netemu Offset in exported bin Description File type (exportable)
RESET 0x820A00 0x00 Bootstrap code for the EE and IOP. BIN
ROMDIR 0x823180 0x2780 The ROMDIR part of the ROM image, which provides information on the location and name of files contained in the image. BIN
EXTINFO 0x8236C0 0x2CC0 Contains the "EXTINFO" for all files in the ROM image. BIN
SBIN 0x823D30 0x3330 Seems to be the pad controller library for the PS1 monitor. BIN
LOGO 0x82ACD0 0xA2D0 PS1 logo? BIN
IOPBTCONF 0x83F420 0x1EA20 Boot configuration file for the IOP, during the final phase of the IOP reset. If no UDNL module is specified, the IOP will only have a single IOP reset in the reboot process, with the modules listed in IOPBTCONF. BIN
IOPBTCON2 0x83F510 0x1EB10 Boot configuration file for the IOP, for the first phase of the IOP reset (before UDNL is loaded). BIN
SYSMEM 0x83F5E0 0x1EBE0 System Memory Manager. ELF
LOADCORE 0x840800 0x1FE00 The core of IOP module loading. Provides the lowest level of IOP module loading functions. Also handles the startup of the IOP. ELF
EXCEPMAN 0x842D80 0x22380 Exception manager. ELF
INTRMANP 0x843960 0x22F60 Interrupt Manager. According to wisi, it is for PS mode. ELF
INTRMANI 0x845370 0x24970 Interrupt Manager. According to wisi, it is for IOP mode. ELF
SSBUSC 0x8471B0 0x267B0 SSBUS Controller library. The SSBUS seems to be the bus that all peripherals get connected to. It seems to have the power to control the mapping of the device registers, as well as access timing. ELF
TIMEMANP 0x847920 0x26F20 Timer Manager (PS mode) ELF
TIMEMANI 0x848500 0x27B00 Timer Manager (IOP mode) ELF
DMACMAN 0x849130 0x28730 DMA Controller Manager. ELF
SYSCLIB 0x84C830 0x2BE30 System C Library. ELF
HEAPLIB 0x84EF90 0x2E590 Memory HEAP LIBrary (i.e. thvpool, thfpool) ELF
THREADLIB 0x84FC90 0x2F290 Multi_Thread_Manager ELF
VBLANK 0x858A20 0x38020 V-Blank management ELF
IOMAN 0x8597B0 0x38DB0 IO Manager ELF
MODLOAD 0x85B720 0x3AD20 IOP module loader. ELF
ROMDRV 0x85DA70 0x3D070 ROM driver. Provides access to the boot ROM (rom0). ELF
ADDDRV 0x85E960 0x3DF60 Adds support for the DVD ROM (rom1:), via ROMDRV. ELF
STDIO 0x85EDC0 0x3D3C0 Standard I/O library. ELF
SIFMAN 0x85F9B0 0x3EFB0 SIF manager. ELF
SIFINIT 0x860F50 0x40550 Initializes the SIF. ELF
EESYNC 0x861370 0x40970 For synchronizing with the EE, at the end of IOP resets. EESYNC from DNAS images are evil; they also perform a memory wipe of the region from 0x00084000 to .0x00100000. ELF
EENULL 0x861810 0x40E10 The idle thread (id #0) module, in ps2 loaded to 0x00081FC0. BIN
PS1ID 0x861850 0x40E50 Only found in newer boot ROMs BIN
LIBFI 0x861860 0x40E60 Not present in the boot ROM of the SCPH-10000 and SCPH-15000. BIN
PS1VERJ 0x861950 0x40F50 BIN
PS1VERA 0x861960 0x40F60 BIN
PS1VERE 0x861970 0x40F70 BIN
PS1VERC 0x861980 0x40F80 BIN
PS1VERH 0x861990 0x40F90 BIN
OSDSYS 0x8619A0 0x40FA0 The browser BIN
- 0x8619B0 0x40FB0 BIN
RDRAM 0x861A00 0x41000 Provides a RDRAM test for the EE at power-on. This is run from RESET. BIN
- 0x864190 0x43A30 BIN
EELOADCNF 0x864200 0x43D50 Contains the IOP boot configuration file for EELOAD. BIN
SIFCMD 0x864900 0x43F00 SIF command module. Contains the SIF command and SIF RPC functions. ELF
REBOOT 0x866B40 0x46140 The reboot service. Receives IOP reset packets from the EE, from across the SIF. ELF
LOADFILE 0x867310 0x46910 The RPC server for MODLOAD ELF
EECONF 0x869A70 0x49070 Loads part of the system configuration from the MECHACON EEPROM. Also configures and resets some peripherals, depending on the model version. In slimlines, and possibly on PS3 EECONF will also load the MAC address. ELF
- 0x86A9F0 0x49FF0 BIN
IOPBOOT 0x86AA00 0x4A000 IOP bootup program BIN
- 0x86BB60 0x4B160 BIN
TBIN 0x86C200 0x4B800 The PS1 monitor program. Seems to be the PS1 BIOS. This is started by RESET, when the IOP is in PS1 mode. BIN
XSHA1 0x87A170 0x59770 sha1 - this only present in PS3. It is used as additional antipiracy check. It seems that it calculate disc main elf checksum and compares it with some database. Config related? ELF
XLOADFILE 0x87B140 0x5A740 Updated module ELF
SIO2MAN 0x87E1F0 0x5D7F0 SIO2 manager. Provides access to the SIO2 interface. ELF
- 0x87FE20 0x5F420 BIN
BNNETCNF 0x881D00 0x61300 Network configuration. Used by BB Navigator Network Configuration Library. BIN
MCSERV 0x881D40 0x61340 RPC server for MCMAN. ELF
- 0x883A40 0x63040 BIN
KROMG 0x884A00 0x64000 BIN
- 0x8866C0 0x65CC0 BIN
KROM 0x886A30 0x66030 Kanji ROM? Not sure where this is used. BIN
- 0x8A0870 0x7FE70 BIN
ROMVER 0x8A0900 0x7FF00 ROM version. BIN
- 0x8A0910 0x7FF10 BIN
VERSTR 0x8A0930 0x7FF30 Version string. Probably PS1 ROM will use this because that this string is also present in PlayStation consoles. BIN
- 0x8A0990 0x7FF90 BIN
ROMGSCRT 0x8A0A00 0x80000 BIN
NCDVDMAN 0x8A3730 0x82D30 It seems to be a heavily stripped-down CDVDMAN module, with no support for some S-command functions like sceCdRI. ELF
SECRMAN 0x8B0170 0x8F770 Security Manager. Signing is NOT done with the one in ROM, but with a special version that comes with the utility discs. Looks like PS3 units have a different SECRMAN module from retail sets, similar to PS2 TOOL one. ELF
MCMAN 0x8B4630 0x93C30 Memory Card Manager. ELF
PADMAN 0x8C3AC0 0xA30C0 Pad manager. ELF
CDVDMAN 0x8CD210 0xAC810 The CD/DVD manager. ELF
CDVDFSV 0x8D55C0 0xB4BC0 The RPC server for CDVDMAN. ELF
FILEIO 0x8DD980 0xBCF80 RPC server for IOMAN. Sony has greatly changed the semantics and design of FILEIO after some point. Connecting an old FILEIO EE RPC client to a newer server will result in a severe IOP crash. ELF
CLEARSPU 0x8DFA80 0xBF080 Seems to clear/reset the SPU, but is known to cause crashes under some conditions. Not sure if it's buggy or not. Only used by the OSDSYS of the SCPH-10000 and SCPH-15000, probably retained for backward-compatibility. ELF
UDNL 0x8E16C0 0xC0CC0 It is responsible for selecting the modules and starting the IOP, during the final phase of the IOP reset where the desired modules are to be loaded into the IOP. ELF
IGREETING 0x8E35C0 0xC2BC0 Displays boot information (i.e. IOP boot type, EBOOTP, IBOOTP, switch positions for DSW602 and the type of DSW602 board installed ELF
EELOAD 0x8E4620 0xC3C20 The EE ELF loader, which is loaded by LoadExecPS2() to 0x00082000 in PS2 for loading ELFs. BIN
XCDVDMAN 0x8F37A0 0xD2DA0 cdvd_driver - Updated module ELF
XCDVDFSV 0x902530 0xE1B30 cdvd_ee_driver - Updated module ELF
OSDSND 0x910960 0xEFF60 OSD sound library. This is actually the tentative sound driver, which is called "librspu2" in the Sony SDK. ELF
PS2LOGO 0x93B5B0 0x11ABB0 Displays the PlayStation 2 logo from the inserted disc. For newer consoles, if the logo cannot be decrypted properly, it will fall back to the browser. Not actually required to boot games, but the Sony OSDSYS boots PS2 games through this program. ELF
XPARAM2 0x957F00 0x137500 Store IOP emulation settings/flags ELF
OSDSYS 0x95A400 0x139A00 The browser, in ps3 is stripped to parse xparam2. No real browser here. BIN
PIOPRP 0x998280 0x177880 Present in the PS3 ps2_(gx/soft/net)emu; contains version 3.1.0 of the IOP software (compared to version 1.3.4 on the root). BIN
KERNEL 0x9DC1E0 0x1BB7E0 The EE kernel BIN

Description source: https://gist.github.com/uyjulian/25291080f083987d3f3c134f593483c5

Bios region patch[edit | edit source]

Emulator patch loaded bios image to set proper region based on target_id, and string (separated for readability): 

JJjpnJJ  AAengAUU EEengEEE EEengEOA HHengJAG ERengERD CCschJCC HKkorJAG HHtchJAG AAspaAMM

Note: Additional space after first set is intentional and exist also in full string.

Target id to region pairing: 

* JJjpnJJ  for 0x83
* AAengAUU for 0x84 , others (DECR, etc.)
* EEengEEE for 0x85 , 0x87 (also forced if game id from SYSTEM.CNF is xxEx_yy.zzz)
* HHengJAG for 0x86 , 0x8A , 0x8E
* AAspaAMM for 0x88 , 0x8F
* EEengEOA for 0x89
* HHtchJAG for 0x8B
* ERengERD for 0x8C
* CCschJCC for 0x8D (unreleased PS3 Chinese model)
* HKkorJAG unused

Bios is patched using EE memory mapping addresses, so offset in file + 0x1FC00000. Using HKkorJAG example, addresses below are set to: 

* 0x1FC7FF04 = H (x in "0220xD20121227" string)
* 0x1FC7FF14 = K
* 0x1FC7FF15 = k
* 0x1FC7FF16 = o
* 0x1FC7FF17 = r
* 0x1FC7FF52 = J (x in "System ROM Version 5.0 12/27/12 x" string)
* 0x1FC7FF20 = A
* 0x1FC7FF90 = G

Virtual PS2 HDD[edit | edit source]

There are 2 different "PS2 game" contents that can be installed in PS3 HDD (CATEGORY's 2P and 2G ). 2P are games released from PSN as "PS2 Classic" in .PKG format, and 2G are a few real "PS2 DVD discs" that can be installed in the PS3 HDD, this installation is managed by the PS2_system_data.pkg.

This games can be installed in real PS2 (in the internall HDD of a PS2 fat)... later this same installation was used in the PSX... and when implemented in PS3 there was needed to use a virtual PS2 HDD image file keeping the same format than the original HDD used in PS2.

Game files (extracted from the real PS2 disc) are installed in a IMAGE.DAT file, this file is a 1:1 "raw copy" of a PS2 HDD.

This IMAGE.DAT is placed in the "install folder" (inside USRDIR folder) and his size can vary up to 10+GB

There are 2 different installations: the most common is used to store "game expansions" (e.g: used by additional content in SOCOM games)... the other type of installation is a "full install" and it seems the only game that uses it is "Final Fantasy XI" (main game installation when the game boots for first time + game expansions added later when needed in the same IMAGE.DAT)

PS2_system_data.pkg itself uses an IMAGE.DAT file (6.43 MB)

The structure of this "virtual PS2 HDD" uses an "APA header" and a "APA MBR" + several "APA partitions", some of them containing "PFS filesystems". 

Error message trying to boot a CATEGORY "2G" game with hand-made SFO's and invalid IMAGE.DAT file:
The game partition for this game cannot be created because the installed game is corrupted.
To perform this operation, delete the game, and then reinstall the game using the disc.
  • Notes
    • List of PS2 disc games compatibles with PS3 HDD installation hardcoded in dev_flash/vsh/module/game_ext_plugin.sprx
    • Virtual PS2 HDD support module dev_flash/vsh/module/libps2hdd.sprx ?

PS2 System Data (PSN HDD Tool package)[edit | edit source]

A direct link to the package can be found in NoPayStation database in DLCs 

Content ID: IP9100-NPIA00001_00-PS2HDDSYSDAT0001
QA Digest: 2A876715D42678BB7A6E00C030C0121B
HASH: E1B0DBE46FC44190DC7A140681D8B9D4

http://manuals.playstation.net/document/en/ps3/current/game/hddinstall.html

Titles supporting HDD installation

  • Nobunaga's Ambition Online and Expansion Packs
  • Final Fantasy XI (disc1=SCUS97266 disc2=SCUS97269)and Expansion Discs
  • SOCOM II: U.S. NAVY SEALs and Related discs included with OPM Issue 87, OPM Issue 88, OPM Issue 89, OPM Issue 90
  • SOCOM 3: U.S. NAVY SEALs
  • SOCOM: U.S. NAVY SEALs Combined Assault
  • Front Mission Online
  • Official PlayStation Magazine Issue 87, 88, 89, 90 Discs

( non-official ps2hdd gameslist )

TitleID/DiscID in game_ext_plugin.sprx[edit | edit source]

Mainly Final Fantasy 11, Nobunaga Ambition Online, Socom IDs and the required HDD Gigabyte amount for install onto the internal hdd.

Speculation: flags are AND' with 0,1,2 (selected from sys_sm_get_hw_config according to ps2emu hardware flags? 0 = no hw?, 1 = gxemu?, 2=full hw? )

Flags DiscID Alternative? DiscID GigaByte Title 0 = VMC
1 = IMAGE.DAT		 Internal Name? GigaByte
0xFFFF SLPS20200 SLPS25200 0x15 FINAL FANTASY XI 1 PP.SLPM-25200.MAGIC.APPLICATION 0x15
SLPM65705
SLPM65706
SLPM65953
SLPM66393
SLPM66394
SLPM66893
SLPM66894
SLPM55229
0x0001 SLPM65197 SLPM65197 0x07 信長の野望 Online 1 PP.SLPM-65197.MAGIC.APPLICATION 0x07
SLPM65783
SLPM66539
SLPM66954
0xFFFF SCUS97269 SCUS97269 0x15 FINAL FANTASY XI 1 PP.SCUS-97266.MAGIC.APPLICATION 0x15
SLUS21070
SLUS21404
SLUS21694
SLUS21704
0xFFFF SCUS97275 SCUS97275 0x02 SOCOM 0 PP.SCUS-97275..SOCOM_II 0x02
SCUS97474
SCUS97340
SCUS97341
SCUS97342
SCUS97442
SCUS97545

In PS2 Emulator same Title IDs are present with following information: 

SLPS25200 FINAL FANTASY XI          : 0x100000000 (4 GB?)
SCUS97269 FINAL FANTASY XI          : 0x300000000 (12GB?)
SLPM65981 Front Mission Online      : 0x100000000 (4 GB?)
SLPM65197 Nobunagas Ambition Online : 0x200000000 (8 GB?)

Emulators management from GameOS[edit | edit source]

Mountpoints[edit | edit source]

 dev_ps2disc
 dev_ps2disc1

ps2_netemu syscalls[edit | edit source]

Vector at 0xC00 address. 

0x00 -
      0 = return ((unk from 0x1C30/0x1C38 << 56) | thread_number << 48 | ctrl_CT1 (in bit 30) | srr1_EE (in bit 15) | srr1_PS (in bit 14) | srr1_DR (in bit 4))
          Where 0x1C30/0x1C38 is selected depending on current HW thread.
          Thread number is current SW thread
          ctrl_CT1 is lower bit of CT (Current Thread) from PPC Control Register (0 for HW0, 1 for HW1)
          srr1_EE is MSR Enable External Interrupts bit from time when exception occurred (from before syscall was executed)
          srr1_PS is MSR Problem State bit from time when exception occurred (from before syscall was executed)
          srr1_DR is MSR Data Relocate bit from time when exception occurred (from before syscall was executed)
      1 = 0x132 lv1 panic
      2 = 0x133 lv1 panic
      3 = 0x134 lv1 panic
      4 = 0x135 lv1 panic
      else = 0x136 lv1 panic
0x02 - Destroy init code and perform illegal instructions check. Memzero following addresses:
      CODE: 0x16000 - 0x20B80
      DATA: 0x930F80 - 0x933F80
      UNK:  0x3D016000 - 0x3D020B80
0x03 - Enable additional code related to VU0/COP2.
      3 = Patch 0x186C10 to NOP
      4 = Patch 0x186C40 to NOP
      anything else = LV1 panic
0x04 - Unknown. Available for HW0 only. 
0x05 - External interrupts disable (48 bit in MSR). Returns previous MSR state.
0x06 - External interrupts enable (48 bit in MSR) if param & 0x8000 is not 0, otherwise disable them.
      This sc is more like restore 48th bit of MSR, but many times emu use it to enable bit without using old state.
      Also, emulator panic LV1 if syscall is called while external interrupts are already enabled.
0x0A - IPU emulation related syscall
0x0B - IPU emulation related syscall
0x0C - Used in PS2 COP0 MTC0/MFC0 r9/r25 (count/perf), decrementer/timing related, return value in r15.
       Config CMD 0x17 disable that syscall for r9 (count) r/w, and alternative path is used. Perf r/w still use it.
0x0E - PS2 counters/timers related (also used on vsync related functions).
0x0F - PS2 counters/timers related (also used on vsync related functions).
0x10 - lv1 panic.
0x11 - Wrapper for lv1_read_virtual_uart(port_number, buffer, bytes) [HW0 only, only ports 0 and 2 available, else panic]
0x12 - Wrapper for lv1_storage_send_device_command(dev_id, cmd_id, cmd_block, cmd_size, data_buffer, blocks)
      [HW0 only, Available only for threads: VRC, MECHA, HDD, else panic]
      params are rearranged:
      r3 = cmd_block (0x245E000 is added to this value internally)
      r4 = data_buffer (0x245E000 is added to this value internally)
      r5 = blocks
      dev_id is taken from 0x245D008 and it is 0(HDD) for my dump.
      cmd_id = 0x88 and cmd_size is 8.
0x13 - Set thread info unknown byte to 1 for respective thread and set unknown byte to 1 in USB thread.
      [HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler]
0x14 - Same as 0x13 but set all bits to 0 regardless which thread called it.
      [HW0 only, else panic. Available only for threads: BL2MAIN and BL2LNK, else do nothing in exception handler]
0x1002 - Invalidate gpu hvcalls.
0x800000XX - HV Syscall where XX is syscall nr.
else (other syscalls) - jump to 0x12670 (FW4.78 - current) for HW_0
                        jump to 0x12050 (FW4.78 - current) for HW_1

List of used HV syscalls: 

0x80000000 - HV_Syscall_Reference#lv1_allocate_memory
0x80000001 - HV_Syscall_Reference#lv1_write_htab_entry
0x80000002 - HV_Syscall_Reference#lv1_construct_virtual_address_space
0x80000007 - HV_Syscall_Reference#lv1_select_virtual_address_space
0x80000009 - HV_Syscall_Reference#lv1_pause
0x8000000F - HV_Syscall_Reference#lv1_put_iopte
0x80000012 - HV_Syscall_Reference#lv1_construct_event_receive_port
0x8000001A - HV_Syscall_Reference#lv1_detect_pending_interrupts
0x8000001B - HV_Syscall_Reference#lv1_end_of_interrupt
0x8000001C - HV_Syscall_Reference#lv1_connect_irq_plug
0x80000039 - HV_Syscall_Reference#lv1_construct_logical_spe
0x8000003D - HV_Syscall_Reference#lv1_set_spe_interrupt_mask
0x80000042 - HV_Syscall_Reference#lv1_clear_spe_interrupt_status
0x80000043 - HV_Syscall_Reference#lv1_get_spe_interrupt_status
0x80000045 - HV_Syscall_Reference#lv1_get_logical_ppe_id
0x80000049 - HV_Syscall_Reference#lv1_set_interrupt_mask
0x8000004A - HV_Syscall_Reference#lv1_get_logical_partition_id
0x8000004E - HV_Syscall_Reference#lv1_get_spe_irq_outlet
0x8000005B - HV_Syscall_Reference#lv1_get_repository_node_value
0x8000005F - HV_Syscall_Reference#lv1_read_htab_entries
0x80000061 - HV_Syscall_Reference#lv1_set_vmx_graphics_mode
0x80000062 - HV_Syscall_Reference#lv1_set_thread_switch_control_register
0x80000074 - HV_Syscall_Reference#lv1_allocate_io_segment
0x80000076 - HV_Syscall_Reference#lv1_allocate_ioid
0x80000078 - HV_Syscall_Reference#lv1_construct_io_irq_outlet
0x8000007C - HV_Syscall_Reference#lv1_undocumented_function_124
0x8000007D - HV_Syscall_Reference#lv1_undocumented_function_125
0x8000007E - HV_Syscall_Reference#lv1_undocumented_function_126
0x80000088 - HV_Syscall_Reference#lv1_undocumented_function_136
0x8000008C - HV_Syscall_Reference#lv1_construct_lpm
0x8000008D - HV_Syscall_Reference#lv1_destruct_lpm
0x8000008E - HV_Syscall_Reference#lv1_start_lpm
0x8000008F - HV_Syscall_Reference#lv1_stop_lpm
0x80000090 - HV_Syscall_Reference#lv1_copy_lpm_trace_buffer
0x80000091 - HV_Syscall_Reference#lv1_add_lpm_event_bookmark
0x80000092 - HV_Syscall_Reference#lv1_delete_lpm_event_bookmark
0x80000093 - HV_Syscall_Reference#lv1_set_lpm_interrupt_mask
0x80000094 - HV_Syscall_Reference#lv1_get_lpm_interrupt_status
0x80000095 - HV_Syscall_Reference#lv1_set_lpm_general_control
0x80000096 - HV_Syscall_Reference#lv1_set_lpm_interval
0x80000097 - HV_Syscall_Reference#lv1_set_lpm_trigger_control
0x80000098 - HV_Syscall_Reference#lv1_set_lpm_counter_control
0x80000099 - HV_Syscall_Reference#lv1_set_lpm_group_control
0x8000009A - HV_Syscall_Reference#lv1_set_lpm_debug_bus_control
0x8000009B - HV_Syscall_Reference#lv1_set_lpm_counter
0x8000009C - HV_Syscall_Reference#lv1_set_lpm_signal
0x8000009D - HV_Syscall_Reference#lv1_set_lpm_spr_trigger
0x800000A3 - HV_Syscall_Reference#lv1_write_virtual_uart
0x800000A4 - HV_Syscall_Reference#lv1_set_virtual_uart_param
0x800000A5 - HV_Syscall_Reference#lv1_get_virtual_uart_param
0x800000A6 - HV_Syscall_Reference#lv1_configure_virtual_uart_irq
0x800000AA - HV_Syscall_Reference#lv1_open_device
0x800000AB - HV_Syscall_Reference#lv1_close_device
0x800000AC - HV_Syscall_Reference#lv1_map_device_mmio_region
0x800000AE - HV_Syscall_Reference#lv1_allocate_device_dma_region
0x800000AF - HV_Syscall_Reference#lv1_free_device_dma_region
0x800000B0 - HV_Syscall_Reference#lv1_map_device_dma_region
0x800000B1 - HV_Syscall_Reference#lv1_unmap_device_dma_region
0x800000B2 - HV_Syscall_Reference#lv1_read_pci_config
0x800000B3 - HV_Syscall_Reference#lv1_write_pci_config
0x800000C5 - HV_Syscall_Reference#lv1_connect_interrupt_event_receive_port
0x800000CF - HV_Syscall_Reference#lv1_enable_logical_spe
0x800000D2 - HV_Syscall_Reference#lv1_gpu_open
0x800000D4 - HV_Syscall_Reference#lv1_gpu_device_map
0x800000D6 - HV_Syscall_Reference#lv1_gpu_memory_allocate
0x800000D9 - HV_Syscall_Reference#lv1_gpu_context_allocate
0x800000DD - HV_Syscall_Reference#lv1_gpu_context_iomap
0x800000E1 - HV_Syscall_Reference#lv1_gpu_context_attribute
0x800000E3 - HV_Syscall_Reference#lv1_gpu_context_intr
0x800000E4 - HV_Syscall_Reference#lv1_gpu_attribute
0x800000F5 - HV_Syscall_Reference#lv1_storage_read
0x800000F6 - HV_Syscall_Reference#lv1_storage_write
0x800000F9 - HV_Syscall_Reference#lv1_storage_get_async_status
0x800000FF - HV_Syscall_Reference#lv1_panic

LPAR / AUTH ID's[edit | edit source]

Name Auth ID Self
(/dev_flash/ps2emu)		 Notes
PS2_LPAR 0x1020000003000001 ps2_emu.self
*SCE_CELLOS_SYSTEM_MGR_PS2 0x107000001D000001
PS2_GX_LPAR 0x1020000003000001 ps2_gxemu.self
*SCE_CELLOS_SYSTEM_MGR_PS2_GX 0x107000001D000001
PS2_SW_LPAR 0x1020000003000001 ps2_softemu.self
*SCE_CELLOS_SYSTEM_MGR_PS2_SW 0x107000001D000001
PS2_NE_LPAR 0x1020000003000001 ps2_netemu.self
*SCE_CELLOS_SYSTEM_MGR_PS2_NE 0x107000001D000001

Getting compatibility hardware info[edit | edit source]

See: PS2_Compatibility#Software

ps2bootparam.dat[edit | edit source]

A file created at path: dev_hdd0/tmp/game/ps2bootparam.dat

Cobra core[edit | edit source]

taken from storage_ext.c 

 patch_ps2emu_entry(ps2emu_type);
  • sets proper ps2_(gx/soft)emu.self path for reboot
  • patches ss_storage service 0x5004 disc checks on ss_server3.self inside lv1
 (Change from Parameter li r3, 2 and li r3, 1E (Drive Authentification) to li r3, 0x29 (Reset Drive))
  • and the usual either replace read/ioctl for iso etc.

Game CONFIG[edit | edit source]

Some of the PS2 emulator types (such ps2_gxemu.self, ps2netemu.self) are able to load config commands that are applyed "by game ID". The concept of "game patches" is not technically correct because some of the commands does patching functions but others does other things (not patching), and other commands works as switches or sets a value that are enviromental settings for the emulator (not for the game) but because are applyed "by game" should be considered enviromental settings for that specific game, so for simplification purposes you can think in all this data as "game configs"

This "game config" data seems to work in the same way for all the PS2 emulator types but can be located in different places, some are hardcoded inside the emulators itself (inside the .self), and at the time the "PS2 classics" emulator (ps2_netemu.self) was developed this config can be loaded from an external file

In short, the "game configs" can modify the game image (by patching it) and can be used to configure the virtual PS2 (the emulated machine). And can be loaded from hardcoded data (inside the .self) or from an external file (this feature is supported only by ps2_netemu.self). Maximum CONFIG size for ps2_netemu is 16384 bytes.

The config data consists in a list of concatenated values of 8 bytes length (uint32_t), and can be processed like this: 

union{
 uint32_t command
 ...data...
}

Config Commands[edit | edit source]

ps2_netemu.self fw4.50 sub_12D7D8, fw4.81 sub_12E050
params are uint32_t unless noted.

At the time of writing this, most of the commands are completely or partially unknown.
If you want to read some speculation and brainstorming about them, please join the Discussion page

PS2 Emulators Config Commands Overview
Command Name Command ID Max
Usage		 Command Data
gxemu softemu netemu Length Params
TitleID enforce N / A N / A 0x00 1 char[10] titleid
Hook EE memory offset with emu function ID 0x00 0x00 0x01 3 ? 2 * uint32_t offset functionid
Set something 0x01 0x01 0x02 1 uint32_t ?
Switch something 0x02 0x02 0x03 1 0 Nothing
Patch something in SP3 EEDMA 0x03 0x03 0x04 1 uint32_t ?
Set DIRECT/DIRECTHL VIF1 in SP3 EEDMA 0x04 0x04 0x05 1 0 Nothing
Switch something 0x05 0x05 0x06 1 0 Nothing
Delay VU xgkick by X cycles 0x06 0x06 0x07 1 uint32_t cycles
Patch VU memory by bitmask 0x07 0x07 0x08 3 8 * uint32_t MASK
Patch EE memory with 2 opcodes 0x08 0x08 0x09 132 uint32_t + LIST count LIST
Patch EE memory with 1 opcode N / A N / A 0x0A 132 uint32_t + LIST count LIST
Patch game disc by sector & offset 0x09 0x09 0x0B 147 uint32_t + LIST count LIST
Set something 0x0A 0x0A 0x0C 1 2 * uint16_t unk_mode unk_range
Set something 0x0B 0x0B 0x0D 1 uint32_t skip
COP2 and FPU accurate ADD/SUB address 0x0C 0x0C 0x0E 32 uint32_t offset
COP2 and FPU accurate ADD/SUB range 0x0D 0x0D 0x0F 32 2 * uint32_t start offset end offset
COP2 accurate MUL/DIV range 0x0E 0x0E 0x10 32 2 * uint32_t start offset end offset
VU0 accurate ADD/SUB address 0x0F 0x0F 0x11 32 uint32_t offset
VU related ? 0x10 0x10 0x12 163 uint32_t + LIST flags ? LIST
Memory Card Delay 0x11 0x11 0x13 1 uint64_t time ?
VU1 transform ADD/SUB 0x12 0x12 0x14 1 0 Nothing
Set something with bit flags 0x13 0x13 0x15 1 uint32_t ?
Unknown 0x14? 0x14? 0x16 ? ? ?
COP0 configure MTC0/MFC0 0x15 0x15 0x17 1 uint8_t ? status
Switch something 0x16 0x16 0x18 1 0 Nothing
Force analog controller mode N / A 0x17 0x19 1 0 Nothing
Switch something 0x17 0x18 0x1A 1 0 Nothing
Switch something 0x18 0x19 0x1B 1 0 Nothing
Emulate Multitap 0x19? 0x1A? 0x1C 1 uint8_t port
Set Multitap 0x1A 0x1B 0x1D 1 uint8_t order
Multitap related 0x1B N / A 0x1E 1 uint8_t ?
Set something 0x1C 0x1C 0x1F 1 uint32_t ?
Set something 0x1D 0x1D 0x20 1 uint64_t ?
Set something 0x1E 0x1E 0x21 1 uint32_t ?
Switch something N / A 0x1F 0x22 1 0 Nothing
Switch something 0x1F 0x20 0x23 1 0 Nothing
Internal image aspect ratio ? 0x20 0x21 0x24 1 uint64_t ?
Switch something 0x21 0x22 0x25 1 0 Nothing
FPU accurate ADD/SUB range 0x22 0x23 0x26 32 2 * uint32_t start offset end offset
COP2 accurate ADD/SUB range 0x23 0x24 0x27 32 2 * uint32_t start offset end offset
Set something (CDVD) 0x24 0x25? 0x28 1 uint32_t ?
CDVD read/seek timings ? 0x25 0x26? 0x29 1 2 * uint32_t ? ?
Switch something 0x26 0x27 0x2A 1 0 Nothing
Switch something (CDVD) 0x27? 0x28 0x2B 1 0 Nothing
Set something 0x28 0x29 0x2C 1 uint32_t ?
Switch something 0x29? 0x2A 0x2D 1 0 Nothing
Set something 0x2A 0x2B 0x2E 1 uint32_t ?
Set something 0x2B N / A 0x2F 1 uint32_t ?
Reserved N / A
N / A
N / A
N / A
N / A		 N / A
N / A
N / A
N / A
N / A		 0x30
0x31
0x32
0x33
0x34 		0 0 Nothing
Enable Force Flip Field N / A N / A 0x35 1 0 Nothing
Reserved N / A
N / A
N / A
N / A
N / A
N / A
N / A		 N / A
N / A
N / A
N / A
N / A
N / A
N / A		 0x36
0x37
0x38
0x39
0x3A
0x3B
0x3C 		0 0 Nothing
Config revision N / A N / A 0x3D 1 uint32_t revision
Switch something N / A N / A 0x3E 1 0 Nothing
Set something N / A N / A 0x3F 1 uint32_t ?
Switch something N / A N / A 0x40 1 0 Nothing
Switch something N / A N / A 0x41 1 0 Nothing
Patch EE memory by overlay N / A N / A 0x42 11023 2 * uint32_t + LIST offset count LIST
Set something N / A N / A 0x43 1 uint32_t ?
Disable smoothing filter N / A N / A 0x44 1 0 Nothing
Switch something N / A N / A 0x45 1 0 Nothing
Enable L2H Improvement N / A N / A 0x46 1 0 Nothing
Enable XOR CSR N / A N / A 0x47 1 0 Nothing
Set VSYNC IPU & Delay N / A N / A 0x48 1 2 * uint32_t ipu delay
Switch something N / A N / A 0x49 1 0 Nothing
Switch something N / A N / A 0x4A 1 0 Nothing
Set something N / A N / A 0x4B 1 2 * uint32_t ? ?
Set something N / A N / A 0x4C 1 2 * uint32_t ? ?
Set something N / A N / A 0x4D 1 uint32_t ?
Unknown N / A N / A 0x4E 1 ? ?
Unknown N / A N / A 0x4F 1 ? ?
Enable pressure sensitive controls N / A N / A 0x50 1 0 Nothing


0x00 Command Name: Title ID Enforce / Multidisc config
Command Data: 1x String in format: ABCD-12345

Restricts the CONFIG to be used only by a specific Title ID The presence of this command in the CONFIG is optional. If present it needs to be located always at the last position in the CONFIG. When bytes are present after Title ID, emulator read them to setup multidisc info. 

Multidisc info bytes:
First byte:  Unknown, seems to be unused. 00 in known configs (Grandia 3).
Second byte: Discs count (0-9), when 0 or 1 emulator don't enable multidisc mode.
Third byte:  Which disc in set is this one (0-8 for discs 1-9)
Fourth byte: That one is optional, but very important. When set to 1,
             disc swap menu will be in "Reset game" menu and disc change will trigger reset (default behavior).
             But when this byte is set to 0, new option in main emu menu called "Switch Discs" will appear. Emulator change disc without reset. 
             Keep in mind we don't know how accurate swap emulation is here, games are picky for some details. 
             Every iso bin enc in set need to have proper data in separate config. 
             Disc 1: ISO.BIN.ENC --> CONFIG --> 00 02 00 00,
              00000000  3D 00 00 00 A8 3E 00 00 00 00 00 00 53 4C 55 53  =...¨>......SLUS
              00000010  2D 32 31 33 33 34 00 02 00                       -21334...

             Disc 2: ISO.BIN.ENC2--> CONFIG2--> 00 02 01 00, etc.
              00000000  3D 00 00 00 A8 3E 00 00 00 00 00 00 53 4C 55 53  =...¨>......SLUS
              00000010  2D 32 31 33 34 35 00 02 01                       -21345...

             Grandia 3 DISC.IDX, content:
              00000000  00 00                                            ..


0x01 Command Name: EE_ADD_HOOK
Command Data: 2x uint32_t Params (addr, func_id 0-0x3B)

Most of the hooks availables in netemu command 0x01 are fixes for a specific game, or a game engine
The Maximum Amount of times netemu command 0x01 can be used consecutivelly in the same config is 255. This is actually limit for EE hooks at all, 0x01 don't have own limit.

Function ID Notes
0x00 FIFA 2000 use it as hook for EE kernel at 0x800017E8 (DMAC related). Command backup value from r5900 s0 register.
0x01 FIFA 2000 use it as hook for EE kernel at 0x80001858 (DMAC related). Command restore previously backed up value to r5900 s0 register.
0x02

Max Payne 

Write 0 to D_ENABLEW in SPE 3 (EEDMA). D_ENABLER is NOT updated on PPE side.
0x03

Max Payne 

Write 0xFFFFFFFF (0x10000, other bits are ignored anyway) to D_ENABLEW in SPE 3 (EEDMA). D_ENABLER is NOT updated on PPE side.
0x04 Castle Shikigami II 
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes. Same as 0x03 command, but applied of selected ee offset.
This is probably command from times when 0x03 was non existing, and while it apply on selected ee offset, command never recover default IXIN/IHIN handling.
Note: There is leftover in emulator from command that reenable default behavior, but is unused now, and is not accessible by current config commands.
0x05 Force events test if D2_CHCR & 0x100 is true (if GIF dma is running). For more info check _cpuEventTest_Shared from pcsx2. Star Wars games developed by Pandemic Studios (freeze fix), Worms 3D and NBA 08.
0x06 Force events test if D1_CHCR & 0x100 is true (if VIF1 dma is running). For more info check _cpuEventTest_Shared from pcsx2.
0x07
0x08 Backup current unmodified COP0 status register state. Then disable EI bit, and notify emu that cmd 0x09 could be run. Harry Potter - Quidditch World Cup US use it at offset 0x2BD45C (EE)
0x09 Restore COP0 status register state from previously created backup. Harry Potter - Quidditch World Cup US use it at offset 0x2BD620 (EE)
0x0A Fix for TriAce executable unpack function. 
Games unpack data using VU0 microruntime (not COP2). Because unpack involve floating points operations result can be inaccurate. And it is,
exactly by 1 byte. Config add 1 to result of unpacked data. This can be confirmed also on pcsx2 with turned off TriAce hack, example for Radiata Stories US release.
Set breakpoint on 0x124D90, and then when it's hit, add 1 to lower 64 bits of vf03 reg (in vu0f tab) and hit run.
Game now work as it should. On PS3 this probably can be fixed also by 0x11 command, but since they had hook already done before 0x11 was a thing, it stayed as is.
0x0B Set lower 64 bits of mips $at register to 0
0x0C Piglet's Big Game
0x0D usleep(100)
0x0E Used 3 times in Need for Speed - Carbon [Collector's Edition] US. 
Used in place where game load code overlays, and in place where game self modify code. 
Config run the same function which is run when PS2 syscall 7 (ExecPS2) hook is triggered (0x1831A8 in latest emu memory).
Only difference is that 0x42 overlay is not reloaded, and check for "cdrom0" string is not performed. 
Command could be potentially useful for games that like to change own code. Eg. Load "bin" files with code (HSG/HST), or modify own code by direct writes to memory (NFS Carbon CE...)
0x0F

Grand Theft Auto 3 (SLUS-20062) 

using 0x348B40, 0x18E1F0, 0x348EC8 ( + 200000000 base )
0x348B40 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x348EC8 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
0x10

Grand Theft Auto 3 (SLES-50330) 

using 0x349790, 0x18E1F0, 0x349B18 ( + 200000000 base ) 
0x349790 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x349B18 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
0x11

Grand Theft Auto 3 (SLES-50793) 

using 0x3495C0, 0x18E1F0, 0x349948 ( + 200000000 base )
0x3495C0 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x349948 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
0x12 Disney/Pixar Finding Nemo (fixes the pause menu freeze) 
if COP0 status EI and EXL bits are 0, and other condition related to DMAC is met...
store 0 in [ 0x204FC500 + 200000000 base] 0x4FC500 EE memory, and set lower 64 bits of mips $s0 register to 0.
0x13 Snowblind Engine specific fix. Applies to the beginning of function called initLump. Config is responsible for grabbing data from one of registers for use in 0x14/0x15 hooks. Mentioned data is EE memory offset, if data from 0x13 is 0, 0x14/0x15 don't apply.
0x14 Snowblind Engine specific fix. Applies to the end of function called initLump. Used in the older version of Snowblind Engine (Dark Alliance duology, The Bard's Tale, Fallout).
0x15 Snowblind Engine specific fix. Applies to the end of function called initLump. Used in the newer version of Snowblind Engine (Champions duology, Justice League Heroes, Combat Elite).
0x16 Champions of Norrath (SLUS-20565) 
store 0x01114BA8 in [ 0x208EAB4C + 200000000 base]
store 0x010C9E40 in [ 0x208EAB6C + 200000000 base]
0x17 NFS HP2 fpu rounding fix. 
Check if a0 == 0x8000 (32768), apply config if true. Config is little bit more complicated than it should, emu flush all fpu regs to memory just to modify one field in altivec vector register.
When condition is met ps2 cop1 f08 register is modified from 0x40490FDB to 0x40490FDA, this result in next operations to end up as negative 0.0 (0x80000000) instead of just 0.0 (0x00000000).
Seems to trigger when loading of stage or loading of attract mode is close to finish or done.
0x18 Okami PAL specific hook. 
Check if opcode at 0x183F04 of EE memory is jal 0x183CB0 (0x0C060F2C). This is used to run additional hook patcher only 1 time.
Later it will be nop here. so it means that new hooks are already applied. So function will just return early.
if opcode at 0x183F04 is still jal 0x183CB0 (0x0C060F2C),
then patch addresses 0x183F04 (jal 0x183CB0), 0x183F34 (jal 0x183CB0), 0x183F3C (jal 0x183D18) to nop.
Finally adds 3 additional EE hooks. Emu addresses for ps2_netemu 4.70+

EE address | EMU address 
0x183F0C   | sub_46334
0x183F3C   | sub_45DA4
0x183D74   | sub_47B50

First hook is responsible for grabbing EE addresses from one of EE gpr register. Second hook perform few checks from data in EE gpr registers, and 
eventually store data from EE gpr registers on previously grabbed addresses. Hook 3 store one of previosly grabbed EE address on unknown part of memory.
Whole thing looks like HLE version of noped functions.
0x19 Burnout 2 
Copy lower 64 bits of $v0 r5900 register to lower 64 bits of $a1 r5900 register.
All that to make next opcode (hook address + 4) "beq $a1, $v0, addr" always true. Because $a1 and $v0 now have the same value.
This in turn skip CTimer::GetTimeSeconds((void)) in function CReplay::NextFrame((CDrivingControls *)). Worth to note that CReplay::NextFrame seems to be not related to replay per se, but to car physics.
0x1A 
store 0 in [ 0x209FD560 + 200000000 base]
store 0 in [ 0x209F9550 + 200000000 base]
store 0 in [ 0x20A01570 + 200000000 base]
store 0 in [ 0x209F9540 + 200000000 base]
store 0 in [ 0x209F5540 + 200000000 base]
store 0 in [ 0x209F1530 + 200000000 base]
0x1B 
store 0 in [ 0x20552168 + 200000000 base]
0x1C 
store 1 in [ 0x20552168 + 200000000 base]
0x1D 
store 0 in [ 0x20556C08 + 200000000 base]
0x1E 
store 1 in [ 0x20556C08 + 200000000 base]
0x1F 
store 0 in [ 0x205243D8 + 200000000 base]
0x20 
store 1 in [ 0x205243D8 + 200000000 base]
0x21 
store 0 in [ 0x20524F88 + 200000000 base]
0x22 
store 1 in [ 0x20524F88 + 200000000 base]
0x23 
store 0 in [ 0x2047E7F8 + 200000000 base]
0x24 
store 1 in [ 0x2047E7F8 + 200000000 base]
0x25 
store 0 in [ 0x204802B8 + 200000000 base]
0x26 
store 1 in [ 0x204802B8 + 200000000 base]
0x27 
store 0 in [ 0x20586348 + 200000000 base]
0x28 
store 1 in [ 0x20586348 + 200000000 base]
0x29 
store 0 in [ 0x205868A8 + 200000000 base]
0x2A 
store 1 in [ 0x205868A8 + 200000000 base]
0x2B 
if ($a1 & 0xF0000000 != 0) a1 = 0
0x2C Shin Onimusha - Dawn of Dreams Fix IPU DMA JPN((PlayStation 2 the Best)/US release.
0x2D Shin Onimusha - Dawn of Dreams Fix IPU DMA PAL release.
0x2E Shin Onimusha - Dawn of Dreams Fix IPU DMA Unk release. Code from emu match SLPM-66275 release. Why it is unused? Hook address will be 0x3BB4EC.
0x2F 
if value at EE Mem 0x37B0C4 == 0, set mips pc register (program counter) to 0x100B98
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
0x30 
if value at EE Mem 0x37B704 == 0, set mips pc register (program counter) to 0x100B98
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
0x31 
if value at EE Mem 0x37630C == 0, set mips pc register (program counter) to 0x100BA8 
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
0x32 
if value at EE Mem 0x37BB0C == 0, set mips pc register (program counter) to 0x100BA8.
Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
0x33
0x34 not filled
0x35 Ninkyouden: Toseinin Ichidaiki
0x36
0x37
0x38
0x39 Used silently in command 0x4B with first param from 0x4B as hook address. Hook seems to be unusable without 0x4B command, because there is no way to setup redirect mode and ID without 0x4B.
0x3A Used silently in command 0x4C with first param from 0x4C as hook address. Hook seems to be unusable without 0x4C command, because there is no way to setup mode and ID without 0x4C.
0x3B Grand Theft Auto 3 (SLPM-55293 "Rockstar Classics") 
using 0x351210, 0x18F590, 0x351568 ( + 200000000 base )
0x351210 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
0x18F590 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
0x351568 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *))
0x02 Command Name: Unknown
Command Data: 1x int32

Used in function that handle D6 CHCR writes (SIF1), seems to be some kind of timing command for EE --> IOP DMA.

  • Valid values found:
    • 1000d
    • 3000d
    • 6000d
0x03 Command Name: Unknown
Command Data: N/A

Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.

0x04 Command Name: Unknown
Command Data: 1x uint32_t index (i*0x80, special 0x12345: 0x91a280?)

Patch SPE 3 program (eedma) by searching for ila r4, xxxxx, starting at 0x178A0 and replacing them with (0x42000004 | ((value << 7) & 0x1FFFF80) 0x42000004 is ila r4 opcode. Due to opcode encoding example result of that patch with value 0x08 will be 0x42000404 (ila r4, 0x08). There is little bit more than that, but main purpose is just to patch SPE program behavior.

  • Valid values found:
    • 0x08
    • 0x10
0x05 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x06 Command Name: Unknown
Command Data: N/A

Change VIF1 command 02h OFFSET behavior by patching pointer to function which process it to different previously unused function.

0x07 Command Name: Delay VU xgkick by X cycles
Command Data: 1x uint32_t

Default 1

0x08 Command Name: Patch VU memory by mask
Command Data: 8x uint32_t (read mask,read mask, original opcode, original opcode, write mask, write mask, replace opcode, replace opcode)

Maximum Amount of Usage: 3 times

0x09 Command Name: EE_INSN_REPLACE64
Command Data: uint32_t count, <list> (offset, original opcode, original opcode, replace opcode, replace opcode)

Maximum List Count: 32

  • Valid values found
    • 1 [Dark Cloud] and [Dead Or Alive 2 Hardcore]
0x0A Command Name: EE_INSN_REPLACE32
Command Data: uint32_t count, <List> (mode | offset, original opcode, replace opcode)

Command present only in the ps2_netemu. Maximum List Count: 32. Mode is first 4 bits of address field (Xyyyyyyy), can be either 0, 1, or 2. All known examples use this command in 0 mode, and modes 1 and 2 are here just for documentation purposes.

  • mode 0 - Replace 32 bit of EE memory. Params are EE offset, original opcode, replace opcode.
  • mode 1 - Write jr ra, li v0, xxxx to selected memory range. Params are EE memory start address, original opcode, u16 counter, u16 value for li, v0 xxxx
  • mode 2 - NOP memory at selected range. Params: start address, end address, unused (can be anything, but is required to align config).

Problem: Original opcode validity check is performed before testing config for special cases. Thus making mode 2 almost inaccessible.
Solution: We can patch that one line of code by the same 0x0A config. So if we want to nop region from 0x100000 to 0x100080, first we need to patch 0x100000 to 0x100080 opcode. So check will pass, "simple" as that.

0x0B Command Name: MECHA_SET_PATCH
Command Data: 1x uint32_t count, <List> {sector id, offset, sizeof present opcodes, replace opcodes, original opcodes)

Offset on the disc = sector id * sector size + offset + correction [see below]
Offset correction is based on selected read mode (not on media type):

CDRead requested block size (CD disc):

  • 2048 = Offset + 0x18 (skip 12 sync bytes, 4 of header, and 8 of subheader)
  • 2328 = Offset + 0x18 (skip 12 sync bytes, 4 of header, and 8 of subheader)
  • 2340 = Offset + 0x0C (skip only 12 bytes of sync data)

DVDRead requested block size (DVD Disc):

  • 2064 = Offset match, but only until the 349th sector. Otherwise is offset - 0x0C because that read mode see data as ID DATA (4) + ID DATA EDC (2) + Reserved bytes (6) + 2048 data + EDC (4).

"Offset + XX" for CD assume that you use Isobuster RAW mode. "Offset - XX" for DVD assume that you use Isobuster NON RAW mode
Special case is DVD read on very low sector, here you need to use exact offset without substrating 0x0C. Highest confirmed sector that don't use correction for now is 349. 

 [Dead Or Alive 2 Hardcore] uses 7
 [Gradius V] uses 1
 [Grand Theft Auto III] uses 1
 [Katamari Damacy] uses 1
 [Manhunt] uses 1
 [Odin Sphere] uses 2
 [Primal] uses 1
 [Psychonauts] uses 1
 [Syphon Filter The Omega Strain] uses 1
Maximum List Count: 47
0x0C Command Name: Unknown
Command Data: 1x (uint16_t, uint16_t)

First param can be 0, 1, or 2. Second param in range of 0 and 0xFFFF. Second param is used only if first param == 1. Default values are (1, 0x1000) for PS2DVD, and (1, 0x400) for PS2CD and PS2CDDA.
Other valid values for the second param (found in oficial configs ?): 0x180, 0x800

0x0D Command Name: Unknown
Command Data: 1x int32

True/false. Default = 1 

0 = Skip some IOP related code responsible for check value from IOP SPE LS 0x2C0C0 (and skip panic if value is 0 or -1).
Also skip write of value 0x80000000 to SPU Signal Notification 1 Register of IOP SPE.
0x0E Command Name: Improves ADD/SUB accuracy
Command Data: 1x int32

1 Param offset --- Improves ADD/SUB FPU/COP2 accuracy for selected offset. Work with opcodes from commands 0x26/0x27. Basically command like 0x0F just per offset, no per range. 

 [Rygar] only has 0x147DA8 sub.s   $f12, $f20, $f12
Used in official configs: SCUS97501=0x3C458C, SCES53642=0x3C4854, SLUS21026=0x386864, SLUS20916=0x121F64, SLUS20437=0x11EDF0
Maximum Amount of Usage: 32 times
0x0F Command Name: More accurate ADD/SUB memory range
Command Data: List <uint32_t Param, uint32_t Param>

More accurate memory range. This command is combined 0x26, and 0x27 command. 

 [Dark Cloud] uses 0x239334, 0x1FFFFFF
 [Grand Theft Auto SA] uses 0x1E46DC, 0x1E4AE8
Maximum Amount of Usage: 32 (if there is no additional 0x26/0x27 command)
0x10 Command Name: MULDIV Accurate range
Command Data: List <uint32_t Param, uint32_t Param>

More accurate MUL/DIV handling on selected memory range for selected FPU opcodes. Effectively work only with: 

MUL.s, DIV.s, MULA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s. 
For ADD/SUB opcodes, command is active only on Multiply stage.
Maximum List Count: 32
0x11 Command Name: VU0 Accurate ADD/SUB
Command Data: 1x uint32_t Param

Param is VU0 (MICROPROGRAM) memory offset, correct param is in range of 0x000 to 0xFF8. 

Lower pipeline fetch opcode from address, Upper from address + 4. So correct address for config needs to be 8 bytes aligned.
Used in official configs: SLUS21172=0x208, SLUS20878=0x140,0x368,0x570
Maximum Amount of Usage: 32 times
0x12 Command Name: Unknown
Command Data: <List> (uint32_t count,

VU0/COP2 related multicommand. 

First 8 bytes of that command are special flags. Not quite sure about bytes 5-8 yet,
because at some point they are used to "andc" with first 4 bytes.
Some examples for first 4 bytes:
0x1000     = Run additional flag related code after every FMAC operation, VU0 only, COP2 do this by default.
0x2000     = Emit some additional code when lower opcode is fsset, this flag require 0x1000 to be enabled. VU0 only. 
0x100000   = When enabled opcodes like MSUB, MADDA, etc, do proper multiply first, then add/sub. When disabled (default) single opcode is used (vmaddfp / vmmsubfp). Not used in COP2 mode.
             Note: When this command is disabled, then "Accurate MUL" is skipped for MADDxx/MSUBxx regardless that 0x30000000 is set or not.
             Because there is no way to do correct MUL separately when altivec madd/msub is used.
0x200000   = Run some additional code in VU0 load/store opcodes (ILW, LQI, ISWR, etc.) Not used in COP2 mode.
0x400000   = Skip emu syscall 3 (3)
0x800000   = Skip emu syscall 3 (4)
0x4000000  = Enable type 2 config from cmd 0x12.
0x8000000  = Accurate VU0 DIV opcode, not used in COP2 mode.
0x10000000 = Fast Accurate VU0 MUL. Try to round mantissa. Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them. Not used in COP2 mode.
0x20000000 = Full Accurate VU0 MUL. Use runtime from CMD 0x10, but for every matching VU0 opcode, including opcodes like MSUB for mul part.
             Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them.

Selecting both 0x10000000 and 0x20000000 (0x30000000) work the same way as 0x20000000.
Keep in mind that you still need to use at least 8 bytes for cmd 0x12, just use 00 for bytes 5,6,7,8. 
Later bits are dependent on which subcommand we want to run.

 [Primal] uses 0xD of type 2/3 subcommand (minus 0x2 for flags)
 [Rayman Arena] uses 0x11 of type 2/3 subcommand (minus 0x2 for flags)
 [Syphon Filter: The Omega Strain] uses 0x5 of type 1 subcommand (minus 0x2 for flags)
Maximum List Count: 63
0x13 Command Name: Memory card timing related delay
Command Data: 1x uint64_t Param 
0x9bdc  (39900)  - Used by "Phantasy Star Universe" (official config for SLPM-66031), "WRC II Extreme", and "Burnout Dominator"
0xf960  (63840)  - Used by "Jak X: Combat Racing" (official config for SCUS-97429), and "Netsu Chu! Pro Yakyuu 2004"
0x1d394 (119700) - Used by "Jissen Pachi-Slot Hisshouhou! Kemono-Oh" (official config for SLPS-20131)
0x14 Command Name: VU1 transform ADD/SUB
Command Data: N/A

When enabled ADD/SUB VU1 opcodes are processed differently on recompiling/translation stage. Seems to be very specific hack, most likely not usable outside of THPS 4+ engine games.
Note: This setting affects only VU1, and only ADD/SUB. All other opcodes like ADDi,ADDq, MSUB, ADDbc, are not affected.

0x15 Command Name: Unknown
Command Data: 1 Param ( <1, >1 )

Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A2C0 - 0x3A6C0 and patch first branch that match to "bi r127". That weird approach was probably used because spe program differ little bit between emu versions, so they don't need to update command on every new emu revision. Currently (4.75+) this command patch branch at address 0x3A3A4 (bra sub_2E600). This command takes partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior. 

[Aeon Flux] uses 2 (gxemu config)
[Bloodrayne 2] uses 4
[GRIMgRiMoiRe] uses 4
[Mana Khemia 2] uses 4
[Odin Sphere] uses 4
[SMT Persona 3 FES] uses 4
[Parappa the Rapper 2] uses 0x14 (softemu config) or 0x4 (gxemu config)
0x16 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x17 Command Name: COP0 configure MTC0/MFC0
Command Data: 1x int32 ?

True/false. Default 0.
Command change behavior of MTC0/MFC0 operation of COP0 Count ($9) register. When enabled time base register is used as a base for calculation, when disabled decrementer register is used as a base for calculations (using emu syscall 12). 

[Bully] uses 1
0x18 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x19 Command Name: Force analog controller mode
Command Data: N/A

Skips check for analog/digital controller mode and returns forced analog mode 

[Grand Theft Auto III]
[Grandia II]
[Red Faction 2]
[Siren]
0x1A Command Name: Unknown
Command Data: N/A

IPU hack to end fromIPU DMA transfer on BCLR command (store 0 on D3_QWC and D3_CHCR.STR). Not stopping that transfer is actually correct behavior..

0x1B Command Name: Unknown
Command Data: N/A

When IDEC command don't finish, probably due to bad timings. Hack clear D3_CHCR.STR bit when there is still QW left in D3_QWC reg , and IDEC finished already. 

[Mana Khemia 2]
0x1C Command Name: Emulate Multitap
Command Data: read uint32_t (use uint8_t)

Enables/disables Multitap emulation. Default 3 

0 = disable multitap emulation
1 = enable multitap in controller port 1 (when needed)
2 = enable multitap in controller port 2 (when needed)
3 = enable multitaps in both controller ports (when needed)
 [Medal of Honor: European Assault] uses 1
 [Twisted Metal: Black] uses 1


0x1D Command Name: Set Multitap
Command Data: read uint32_t (use uint8_t)

Sets multitap to specific controller ports and adjusts the order of ports to which controllers are synced. Default 0? 

0 = no multitap set (only when needed)
    Controller sync order: 1/1-A, 2/2-A, 1-B, 2-B...
1 = sets multitap in controller port 1 at all times
    Controller sync order: 1/1-A, 1-B, 1-C, 1-D...
2 = sets multitap in controller port 2 at all times
    Controller sync order: 1/1-A, 2/2-A, 2-B, 2-C...
3 = sets multitaps in both controller ports at all times
    Controller sync order: same as 0
 [Medal of Honor: European Assault] uses 1
 [Twisted Metal: Black] uses 1
 [Mystic Heroes] uses 2 (game does not detect multitap in controller port 1)
 [Sonic Riders] uses 2 (GX config, game may not detect multitap in controller port 1)
0x1E Command Name: Multitap related
Command Data: read uint32_t (use uint8_t) 
[FIFA 2001] uses 3 (settings for both multitaps?)
0x1F Command Name: Unknown
Command Data: 1x uint32_t

Default 1 

Make VIF0 commands MSCAL/MSCALF/MSCNT/MPG/FLUSHE non instant. By default every VIF0 command take 1 cycle, so it's instant.
This config give vif0 some timing sense.
When delta from config passed and vpustat vu0 bits are non 0 (so practically if vif0 is still running),
add 500 cycles and go on until next event test before doing anything on vif0.
This can also be used to ensure that next vif0 command won't run until delta from config passed.
Value from config is added to current r5900 cycles and vif0 will do nothing unless current cycles match new value.
*Valid values found: 200d, 1000d
0x20 Command Name: Unknown
Command Data: 1x uint64_t

Default 0x3C 

Config value is used as multiplier for some value, and result is used in vsync related runtimes.
Is worth to note that 0x3C is default multiplier even for PAL titles, so is not stricly related to framerate,
but to vsync counters (where 0x3C is still wrong anyway..). Result of multiply is also compared at some point to vsync delay value.
  • Valid values found: 10d, 60d, 100d, 120d, 200d, 240d
0x21 Command Name: Unknown
Command Data: 1x uint32_t 
Option one default value = 1, when set to 0: r5900 CACHE opcode IXLTG store 0 in COP0 TagLo register. More than that recompiler skip function responsible for analyze and emitting costly iCache checks.
This drastically reduce emitted code size, and practically disable iCache emulation. Additionally CACHE IXIN/IHIN opcodes use different very long code path (this can be skipped with cmd 0x03).
Option two default value = 0, when set to 1: Emit some kind of check for current r5900 PC with possible trap (tw opcode) at the end. 1 is valid only when option one is 0.

0 = sets an option one to 0 and option two to 0
1 = sets an option one to 0 and option two to 1
2 = sets an option one to 1 and option two to 0 (default)
 [Fatal Frame II] uses 0
 [Grand Theft Auto Vice City] uses 1
 [Grand Theft Auto III (EU)] uses 1
 [SMT Persona 3 FES] uses 0
0x22 Command Name: Unknown
Command Data: N/A

Sets something 1

0x23 Command Name: Unknown
Command Data: N/A

Copy VIF1 command 01h STCYCL handler struct into unused 08h slot (slots are 100 bytes per command, include pointer to function that handle command, and other data). Then patch slot 08h function pointers to function at 0x14E00. 08h is normally unused, and handled as a NOP. This command is useful only with additional 0x01 (0x13-0x15) hooks, which inject 08h VIF1 command into game code when other conditions are met.

0x24 Command Name: Unknown
Command Data: 1x uint64_t

SIO2 related

  • Valid values found: 12000d, 48000d
0x25 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x26 Command Name: FPU Accurate ADD/SUB range
Command Data: List <uint32_t Param,uint32_t Param>

Improves FPU accuracy for selected memory range. Efective only on: 

ADD.s, SUB.s, ADDA.s, SUBA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s
For M(UL) opcodes, command is active only on ADD/SUB stage.

 [Bloodrayne 2] uses 0x340000, 0x350000
 [Gradius V] uses 0x3046E0, 0x0x305E44
Maximum Amount of Usage: 32 (if there is no additional 0x0F command)
0x27 Command Name: VU0 macromode accurate range
Command Data: List <uint32_t Param,uint32_t Param>

Improves COP2 operations accuracy for selected memory range. Effective only for opcodes: 

VSUBAxyzw, VSUBAq, VSUBAi, VSUBA, VSUBxyzw, VSUBq, VSUBi, VSUB, VMSUBAxyzw,
VMSUBAq, VMSUBAi, VMSUBA, VMSUBxyzw, VMSUBq, VMSUBi, VMSUB, VMADDAxyzw,
VMADDAq, VMADDAi, VMADDA, VMADDxyzw, VMADDq, VMADDi, VMADD, VADDAxyzw,
VADDAq, VADDAi, VADDA, VADDxyzw, VADDq, VADDi, VADD

Maximum Amount of Usage: 32 (if there is no additional 0x0F command)
Seems to affect only ADD/SUB part of opcode.
0x28 Command Name: Unknown
Command Data: 1x uint32_t

<=3

  • Valid values found: 0, 1, 2, 3
0x29 Command Name: Unknown
Command Data: 2x uint32_t

Seek time modifier. Exact values meaning is unknown for now, they are used as multiplier. First param affect fast seek time, second param affect full seek time. Default value is 0x1F40, 0xBB80 (8000, 48000). Config affect only CDVD N Command Seek, read command that "SeekToSector" is not affected.

0x2A Command Name: Unknown
Command Data: N/A

Sets something 1. 

All-Star Baseball 2004
0x2B Command Name: Unknown
Command Data: N/A

When enabled emulated register 0x1F40200F (disc type) is set to 0x13 (PS2CDDA) when media type detected by emu is 0x12 (PS2CD), confirmed in emu code/assembly. Ps2_emu do same thing in "Setting mecha HACK to show GODZCD as GODZCDDA", but due to real media support this is done in little bit different way (but still, 1F40200F is set to 0x13). During testing Dance Factory game, still no tracks are detected regardless of the command. Could be a netemu or Cobra issue (single, mixed mode .bin/.cue loaded). 

Dance Factory
0x2C Command Name: Unknown
Command Data: 1x uint32_t

Store (value | value << 32 | value << 64 | value << 96) on 0x2B4F0 of SPE 0 (IOP) LS. In summoner config it will be 0x00000001000000010000000100000001 stored at 0x2B4F0. Value is later used in clgt compare as rb register. Default seems to be 0x00000020000000200000002000000020. 

Summoner uses 0x1
0x2D Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x2E Command Name: Unknown
Command Data: 1x uint32_t
  • Valid values found: 0x172
0x2F Command Name: Unknown
Command Data: 1x uint32_t

Store value on 0x2E784 in SPE 1 (PS2 SPU2) LS. Used values are 1, and 2 (after andi, so 3 trigger both configs).

  • Infamous Final Fantasy confirmation sound issue (in fact it does affect every sound effect using the reverb and only in the ps2_netemu) is fixed by 0x2 value.
Indigo Prophecy/Fahrenheit uses 0x1
Kengo 3 uses 0x2
0x30 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x31 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x32 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x33 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x34 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x35 Command Name: Enable Force Flip Field
Command Data: N/A

Described in emu setting as "Fix for [Hang] for soft-lock"

0x36 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x37 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x38 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x39 Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x3A Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x3B Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x3C Command Name: N/A
Command Data: N/A

Command not available in ps2_netemu.self

0x3D Command Name: Config revision
Command Data: 1x uint32_t

Used by debug menu to print config revision. While every official and unofficial config use it, command is not mandatory. Debug menu will just print None as a config revision if command is missing. Official configs use this as a kind of debugging info to know minimal required emu revision.

Config commands supported by emulator revision
Supported Commands ps2_netemu Revision PS3 Firmware
Up to 0x41 15686 3.70 or newer
Unknown 16040 Unknown
Up to 0x43 16604 4.20 or newer
Up to 0x45 16808 4.30 or newer
Up to 0x46 16916 4.40 or newer
Up to 0x48 17041 4.45 or newer
Up to 0x4A 17179 4.50 or newer
Up to 0x4D 17277 4.55 or newer
Up to 0x50 17495 4.78 or newer

See: PS2 Emulator Types and Revisions

0x3E Command Name: Unknown
Command Data: N/A

Similar to 0x0D with param 0. Affect the same IOP related code path, but skips more code.


0x3F Command Name: Unknown
Command Data: 1x uint32_t

Store value on 0x2B700 of SPE 0 (IOP) LS. SIF1 DMA related.

0x40 Command Name: Unknown
Command Data: N/A

Command change GIF behavior by setting value to 1 at address 0x2F0 LS in SPU4. 

Grand Theft Auto SA
Silent Hill Origins - unofficial fix
0x41 Command Name: Unknown
Command Data: N/A

When enabled ignore D_ENABLEW (1000F590) writes from EE on SPE3 (EEDMA). D_ENABLER is updated regardless of cmd on PPE side. Enabling that command nullify 0x01 hooks for Max Payne! 

Dragon Force
God Hand
Gradius V
Katamari Damacy
0x42 Command Name: EE Overlay patch
Command Data: 2 main Params + patch data: uint32_t address, uint32_t count, opcode,opcode,opcode...

Applied on game start (more precisely while executing ps2 bios syscall 7 ExecPS2), if game overwrite selected part of memory, it will wipe 0x42 patch. See Special:Diff/67828/67858 

Start address can be (in theory) anywhere, but Sony used the 0xFF000 - 0xFFFFC range for this purpose.
Count is size of patch in 4 bytes opcodes. So 5 opcode patch = count 5.
Opcodes will be placed on selected address, we use only patch code, no need for original opcode.
Next opcode addresses are auto calculated (+4..) so we need to specify only patch start address.
Remember we need to jump to our new code, best way is command 0x0A with j (jump) opcode.
Also is important to add return jump if required. That one need to be added in our 0x42 patch.
Maximum opcodes count seems to be 0x3FF (1023 opcodes).
0x43 Command Name: Unknown
Command Data: 1x int32

Equal to command 0x40, but with Parameter: 

Command change GIF behavior by setting value at address 0x2F0 LS in SPU4, correct values are:
0 = Default
1 = More agressive changes (like 0x40)
anything other = less agressive changes
Code on SPU side check for non zero value, and in few places explicitly for 1 (ceqi rxx,rxx,1) without mask. 
Config have weird behavior. When there is no param, and config end (no more bytes after 43 00 00 00), then param 0xFFFFFFFF is set automatically.  

Shin Sangoku Musou uses 0xFFFFFFFF
0x44 Command Name: Disables Smoothing and Smoothing option
Command Data: N/A
0x45 Command Name: Unknown
Command Data: N/A

Sets something 1 

Prevent  display_mode 2 (CELL_GCM_DISPLAY_576_unk)         [640x576]
and      display_mode 0 (CELL_GCM_DISPLAY_480_unk) (60Hz?) [640x480]
from beign set.

Allow   display_mode 1 (CELL_GCM_DISPLAY_480_unk2) (59Hz?) [640x480]
and     display_mode 5 (CELL_GCM_DISPLAY_720P_59)          [1280x720]
depending on sys_info.video_mode & 0x200 is 0 or not.
Both 480 modes can be either I or P, so is something else, probably 59/60Hz.
This config possibly affect only in-emu UI, but this require testing.

Phantasy Star Complete Collection
0x46 Command Name: Enable L2H Improvement
Command Data: N/A

Performance related setting for titles using L2H (Local to Host, so called GS download (from GS to EE)) 

SMT Digital Devil Saga 1 - Crazy amount of GS downloads used to draw characters in-game
SMT Nocturne
Fatal Frame II

Other games affected (not in official config) 

Soul Calibur 2 - When looking at the sun
GT4 - When looking at the sun
Valkyrie Profile 2 - Similar situation to SMT DDS1, in Solde game literally do thousands of 30QWC downloads all the time.
Tak and the Power of JuJu - Fix freeze during loading of the Burial Ground level in the NTSC version. This probably getting lucky with VIF1/GIF timing, normally command is not supposed to fix hang issues.
0x47 Command Name: Enables XOR CSR
Command Data: N/A

Graphics related setting.
XOR bit 13 of GS CSR register (CSR.FIELD). Should fix fullscreen line corruption, maybe some interlacing issues. Long shot, but can possibly affect SCANMSK games.

0x48 Command Name: VSYNC Delay
Command Data: 2x uint32_t
  • First param possible value are 1 = No IPU, 2 = IPU, 3 = Anytime.
  • Second param is delay (in ms?), and can be also negative value.
    • Emu has standard presets for second param.
      • Agressive = 0x3D090 (250000 decimal),
      • Normal = 0x186A0 (100000 decimal),
      • Conservative = 0x4E20 (20000 decimal),
      • But other values can be used.
[SMT Digital Devil Saga 1] uses 1, 0x3D090
[Fatal Frame II] uses 0x2, 0xFFFFE69C (-6500 decimal)
0x49 Command Name: Unknown
Command Data: N/A

Skip part of code which use GS XYOFFSET_1 register, possibly ignore it at all. 

Trapt
0x4A Command Name: Unknown
Command Data: N/A

Change VIF1 command 14h MSCAL behavior to use 15h MSCALF (VIF1) instead. MSCALF behavior is the same as MSCAL, but also waits for PATH1 and PATH2 to not be active before starting a microprogram. This is hack, and MSCAL should be fixed instead to wait in queue instead of triggering early. 

Applies to the Snowblind Engine games. Fixes the rest of flickering textures.
Meant to be used in conjunction with the GX/SOFT Snowblind Engine's specific commands (double 0x01 and 0x23 combo).
0x4B Command Name: Redirect SAVEDATA by ID
Command Data: 2x uint32_t + ID: offset, int, char[] 
For proper config we need at least 2 (can be more if needed) 0x4B commands, one to enable redirect, one to disable.
First param is EE memory offset that when is hit enable/disable redirection.
Second param is used to select which card will be redirected:
  0x00 do nothing
  0x01 for SCEVMC0.VME
  0x02 for SCEVMC1.VME
  0x03 for SCEVMC0.VME and SCEVMC1.VME
  0xFFFFFFFF to disable redirection, and use original VMEs.
Third param is ID of SAVEDATA we want to use padded with 00 to match 12 bytes, or all 00 in disable redirect config.
Important note here is that config have own 00 00 00 00 terminator at the end. 
So after 12 bytes of ID we need to add 4 bytes of 00. That apply also to disable redirect version.
Under the hood config also setup 0x01 hook commands with 0x39 subcommand on selected addresses.
0x4C Command Name: Unknown
Command Data: 2x uint32_t + ID: offset, int, char[] 
Used to redirect to different ISO without game reset. First param is EE offset to hook, second param is some kind of mode selector, depending on that 
emulator later set mecha switch disc state:
  mode 0x01 = set disc switch state to 1 (on next mecha main loop it will emulate opening the tray).
  mode 0x02 = set disc switch state to 3.
  mode 0x03 = set disc switch state to 3. This state repeats because it work different way depending that emulated tray is closed or no.
  mode 0x04 = set disc switch state to 2.
  mode anything else = do nothing.
Third value is ID in big endian hex ascii (eg. NPJD12345), additionally 0x4C expect own 00 00 00 00 terminator. To eventually end redirection use 
another 0x4C but with (offset, 0xFFFFFFFF, 4 * 0x00000000 . This config have very similar usage to 0x4B, just redirect to different iso, instead to 
different MC. Currently is unknown that cobra patched emulators support that config properly, and swap disc thru 0x00 command seems to be easier.
This config don't work if 0x00 multidisc config is detected. Config under the hood setup 0x01 hooks with subcommand 0x3A
0x4D Command Name: Unknown
Command Data: 1x uint32_t

Param is floating point value. Default value 0. 

if Q in GS RGBAQ write is 0.0 or -0.0 then
    Q = Q | value from config
else
    Q = Q
 
Wild Arms: The Fifth Vanguard uses 0x3F800000 (1.0)
0x4E Command Name: Unknown
Command Data: Unknown
0x4F Command Name: Unknown
Command Data: Unknown
0x50 Command Name: Enable pressure sensitive controls
Command Data: N/A

Config file examples (for netemu)[edit | edit source]

Official PS2 Classic[edit | edit source]

See: PS2 Official Configs

Official GXEMU/SOFTEMU extracted[edit | edit source]

See: PS2 Official Configs

Custom Configs[edit | edit source]

See: PS2 Custom Configs

Config data examples (hardcoded)[edit | edit source]

Inside ps2_emu.self[edit | edit source]

Embedded patches are based on Checksum/Hash of title. ps2_emu is only emulator version where patches are described inside self file in ascii. Known patch types described in ascii are: Patch data, new SPU2 params, and Setting mecha HACK to show GODZCD as GODZCDDA.

PS2 Title Hash Game Patch Type Data
SCUS_971.46 0x6B1ADE00D Disney's Treasure Planet Patch data - Fixes black screen at start, it apply to STREAM_D.IRX file in IOP folder. 0x147C (sector) , 0x580 (offset) (- 0xC on disc) 
Replace opcodes
00 01 01 3C	lui	at,0x0100
80 BF 03 3C 	lui	v1,0xBF80
C8 10 63 8C	lw	v1,0x10C8(v1)
24 18 61 00	and	v1,at
FB FF 61 10	beq	v1,at, -0x10
00 00 00 00 	nop	

Original opcodes
FF FF 01 24	li	at,-0x1
04 00 61 14 	bne	at,v1, +0x14
00 80 01 3C	lui	at,0x8000
02 00 41 14	bne	at,v0, +0x0C
00 00 00 00	nop	
0D 00 06 00 	break
SLUS_201.74 0x23D92589C5 Rumble Racing Patch data - fixes black screen after Playstation 2 logo. Patch apply to AUDIO.IRX file in MODULES folder 0x3AEDA (sector), 0x120 (offset) 
Replace opcodes
06 00 80 14	bnez	a0, +0x1C
21 20 43 00 	addu	a0,v0,v1
21 10 A0 00	move	v0,a1
02 00 A0 14 	bnez	a1, +0x0C
00 00 00 00	nop	
01 00 05 24 	li	a1,0x1
EB FF 40 10	beqz	v0, -0x50
04 00 84 24 	addiu	a0,0x4
FC FF 90 24	addiu	s0,a0,-0x4
	
Original opcodes
07 00 80 14	bnez	a0, +0x20
21 80 43 00 	addu	s0,v0,v1
21 10 A0 00	move	v0,a1
02 00 A0 14	bnez	a1, +0x0C
00 00 00 00	nop	
01 00 05 24 	li	a1,0x1
FC FF 40 10	beqz	v0, -0x0C
00 00 00 00	nop	
04 00 04 26	addiu	a0,s0,0x4
SLUS_211.96 0x24D92589D5 Indigo Prophecy new SPU2 params 1
SLPM_661.93 0x608634992D Fahrenheit (NTSC-J) new SPU2 params 1
SLUS_212.96 0x5CA15DF14D Dance Factory Setting mecha HACK to show GODZCD as GODZCDDA

Inside ps2_gxemu.self/ps2_softemu.self[edit | edit source]

There are hundreds of configs hidden in ps2_gxemu, and ps2_softemu self files. Internal config structure is basing on custom hash based on Title ID, internal memory offset pointing to place where true patch instruction is, and count of used commands. When disc/iso is started emulator search for configs, and if config for selected ID exist, then emulator apply it by itself. Is not perfect way of applying patches, because some games use the same ID, but different content. Good example here is Star Wars Battlefront II SLUS-21240, where some versions of game can refuse to work because it apply bad patch.

PS2 Title Hash Game Patch Type Data

Known Emulation Bugs[edit | edit source]

This list known bugs inside emulator code that make emulation inaccurate. Since those are only EE side bugs for now, ps2_gxemu/ps2_netemu/ps_softemu share the same issues.

Bug Description Known Affected Games
Missing Emotion Engine Data Cache emulation Emulating that is literally not possible without making games run at 3 fps. Fixed by patches to game image, or EE code. Instruction Cache (not Data) seems to be implemented, at least partially. Ice Age 2, DOA2: Extreme, Nascar 2009.
Branch delay slot violation not supported on EE Some games have Branch instruction inside Branch delay slots, this is not emulated correctly on EE (VU have proper emulation of that). This is patched in configs by rearangging MIPS code. WRC 3,4,Rally Evolved, one of Action Replay discs.
Unmapped write only EE memory (confirmed only for SIF) Reads/Writes to 0x2000000+ shouldn't throw bus error on dma transfers. Write should be performed as successful, memory should stay unchanged. Reads should return 0. Games developed by In Utero, while creating initial save file, send DMA where address is EE stack pointer. At the time of transfer start $sp is too high, and requested transfer size make MADR overflow above 0x2000000 at some point. This is game bug, and happen also on real hardware. Fixed by config.
VIF bugs There is no correct timing, and queuing for some VIF commands like MSCAL. Snowblind Engine games. Probably more.
XGKick is instant Some games expect to XGKick happen few cycles in future, on PS3 is done instant. Fixed by config 0x07 which delay XGKick by selected value WRC series, Wakeboarding Unleashed, TriAce games, World of Outlaws - Sprint Cars, Ty - The Tazmanian Tiger, dot Hack - G.U. series, and more
COP2 instructions are instant Some games rely on fact that COP2 operations can take some time, on PS3 emulators they are done instantly due to lack of correctly emulated pipeline Patched by rearranging mips code FFX, FFX-2, Ghost in The Shell SAC, Ace Combat series, Sprint Cars 1/2, Black, Run Like Hell, Everblue 2, Dragon Quest - Shounen Yangus no Fushigi na Daibouken, and many more
VU0 is not running in sync with EE core VU0 is running program "at once", which mean that VU0 run until it hits E bit. From EE perspective it looks like whole VU0 program run in 1 cycle. Games that expect VU0 registers to be changed from EE side while VU0 is running are broken due to that. Partially resolved using 0x12 command with 2/3 subcommands, or by code rearranging. 24 The Game, ATV Quad Power Racing 2, Twisted Metal Head-On, Primal, Ghosthunter, Rayman Arena, Rayman 3, Largo winch. All games using M-bit.
M-Bit not supported Emulator ignore VU0 M-Bit, that cause issues for games that need it to work correctly. This is done because there is no way to sync correctly running VU0 without sync with EE. Partially resolved on emu using 0x12 command with 2/3 subcommands, or direct VU0/MIPS code rearranging. Totally Spies! Totally Party, Mike Tyson Heavyweight Boxing, My Street, Crash Twinsanity, Marvel Nemesis, Panzer Elite Action - Fields of Glory, TriAce games (speed optimizations only), Super Monkey Ball Adventure, most Eko Software games, and many more.
T-Bit not supported on VU0 Emulator ignore VU0 T-Bit, that cause issues for games that need it to work. Note: T-Bit is correctly handled for VU1. Spiderman 3 set T-Bit, then do cfc2 from TPC (address where VU0 stopped). Since T-Bit is ignored, TPC is wrong. Value is later copied to CMSAR0, and program continue at wrong address. Well that's what should happen, but T-Bit also not signalize correct bit in VPU-STAT. Causing another issue, also in Spiderman 3.
Emulator do not update correct flag instances for COP2 while ending VU0 program on Ebit This cause few games to read bad flag status (not status flag!) on COP2. This is resolved on emu by forcing update of MAC flag on every STATUS flag read (by config 0x12), this cause slowdowns creating a lot of unnecessary operations. Driving Emotion Type-S, State of Emergency 2, The Getaway Black Monday.
Not updated status flag when VDIV/VSQRT/VRSQRT is done on COP2 Potential bad flag state can cause a lot of issues that are not related on first sight Yanya Caballista (already patched by custom config)
In corner cases emu select wrong block flags pipeline state (both VU0/EEonBE and VU1/VRC affected). This can cause various issues, mostly SPS, missing graphic, specific slowdowns, etc. Issue seems to occur when branch/jump delay slot have opcode important for flags calculation. Theory is that cached microprogram don't include modified flags state from delay slot instruction. So when already recompiled program is fetched from pool, it will miss one cycle in fmac flags pipeline. This can be crucial in games that rely on it. Tales of Legendia and Klonoa 2 set sticky flag bits to 0 and branch with sub.xyzw in delay slot (expecting that sub change status flag), Tamsoft engine games set sticky bits to 0 in branch delay slot, this was most ridiculous bug, because problematic branch was pointing to next opcode after delay slot, removing branch was enough. True Crime: NY is only known game where VU0 is affected by this bug. more..
CTC2 opcode write whole value to R register, while only 23 bits are writable. Rest is hardcoded to 0x3F800000. Can cause many weird issues like broken physics, broken graphics. PCSX2 was also affected [more]. The one game that is known to be affected, and is already patched, is Musashi: Samurai Legend.
CFC2 from R register should return only 23 lower bits. CFC2 from R on real PS2 return only lower 23 bits. Originally found out by PCSX2 team [more] and later confirmed to affect ps2_netemu in emu assembly. There is only one game that is known to be affected, Onimusha Dawn of Dreams.
Missing floating point result overflow/underflow detection (U/O flags not set) Since this affect all units (FPU/VU), many issues can occur. But in reality it seems to not affect any games. While this is easier to implement than on x86 system (full floats range, compared to ieee754), there is no way to do that by hardware way. Because SPU add/sub don't set those flags on single precision operations, and vmx have them disabled in spu compatibility mode. Superman Returns.
DMA between SPR and VU1 memory cause emulator panic. Currently cause is unknown. It seems that functions responsible for transfer don't check that VU is running. Manual state that dma can be performed only when VU is not active, and pcsx2 wait until VU end. Games affected in emulators on ps3 display this warning in pcsx2 if mtvu is enabled: "MTVU: SPR Accessing VU1 Memory". Affected games are fixed by rearranging code to do lq/sq loop instead of DMA. Summoner 2 (SPRfrom to VU1 data mem), Kaena (SPRto from VU1 data mem).
IOP SIF0/1 DMA IRQs can be disabled (masked), which is not true on real hardware. IOP interrupts 0x2A and 0x2B should always trigger. Fixed by patches to IOP code. Ps2_emu seems to be unfacted, probably handled on real hw in CXD9208GP. Knockout Kings 2001, DOA2: Hardcore.

Software emulation bugs[edit | edit source]

Related to the GS emulation issues mostly. Apply to the ps2_netemu especially.

Bug Description Known Affected Games
No mipmapping support Emulator does ignore the mipmap layers, probably for performance reasons. It is processing only the level 0 texture base pointer specified in the TEX0 register. There are games writing garbage data into that memory area, when the mipmap level is different than zero. As a result, a garbled texture is shown instead of a correct one. Ace Combat series, Ape Escape 2, EA Sports F1 series, Harry Potter series, ICO (psuedo volumetric rays), Jak and Daxter series, Nickelodeon Barnyard and Nicktoons Unite (very strange implementation), Ratchet and Clank series and more.
SCANMSK register ignored Emulator does ignore the SCANMSK setting responsible for restricting the drawing primitives on the odd or even lines. It is used as a fake transparency effect in some games by merging the two display circuits. Metal Gear Solid series (water and reflection effects), Gran Turismo series (ghost cars), Raw Danger! (depth of field effect)
Missing PCRTC feedback write support PCRTC feature that writes back the image to the frame buffer is not supported or broken. Additional RGB to YCbCr conversion could be performed there. Xenosaga Episode I: Der Wille zur Macht (black and white cut scenes)

TitleID/DiscID in ps2_netemu.self[edit | edit source]

There are 193 titleIDs listed inside ps2_netemu.self. More precisely, into XPARAM2.ELF file of PS2 Bios included in ps2_netemu.self. XPARAM2.ELF is called by OSDSYS, then ID check is performed. If title ID match to one of included in the table, different IOP emulation settings are applied. There are internal flags related to every title ID included inside file, still unknown what they do. Also some arguments, in plain text. File in real ps2 is introduced in SCPH-750XX models so exactly when DECKARD Power PC chip exchanged original IOP chip. This can explain why it is still in PS3 netemu bios. Because PS3 it is ppc that can need the same/similar flags.

Original PS2 bios include similar list file called XPARAM.ELF, but Title IDs there are not the same, although some of them exist on both lists.

Command Name
0x00 TITLE_MASK
0x01 SIO2_MASK
0x02 DEV9_MASK
0x03 USB_MASK
0x04 SIF_DMA_SYNC
0x05 SIF_DMA_LOAD
0x06 DMAC_CH10_INT_DELAY
0x07 MECHA_RECOGTIME
0x08 CPU_DELAY
0x09 DEV5_INT_SPEED
0x0A CDVD_READ_DELAY
0x0B SPU2_BEHAVIOR
ID Title Command Value Remarks
PBPX_952.01 DVD Utility Disc Version 1.00 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.02 DVD Utility Disc Version 1.01 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.03 DVD Utility Disc Version 1.01 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.06 DVD Player (Version 2.01) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.07 DVD Player (Version 2.10) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.08 DVD Player (Version 2.10) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.09 DVD Player (Version 2.10) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.10 DVD Utility Disc Version 2.10 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.11 DVD Utility Disc Version 1.00 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.21 DVD Player (Version 2.12) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.22 DVD Player (Version 2.14) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.24 DVD Player (Version 2.16) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.28 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.35 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_952.39 Online Start Up Disc v3.0 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_955.01 Linux for PS2 Beta Release 1 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_955.07 Playstation 2 Linux Runtime Environment v1.0 (Disc 1) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_955.09 Linux for PS2 Release 1.0 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PBPX_955.18 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PDPX_991.09 DVD Player (Version 3.04) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PSXC_002.01 PSX Update Disc 1.10 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PSXC_002.02 PSX Update Disc 1.20 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PSXC_002.03 PSX Update Disc 1.31 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
PTPX_970.38 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SCAJ_201.25 Tekken 5 0x0B 0x40000000 SPU2_BEHAVIOR
SCAJ_201.26 Tekken 5 0x0B 0x40000000 SPU2_BEHAVIOR
SCES_532.02 Tekken 5 0x0B 0x40000000 SPU2_BEHAVIOR
SCKA_200.49 Tekken 5 0x0B 0x40000000 SPU2_BEHAVIOR
SCPM_621.15 0x00 0x1000000 TITLE_MASK
SCPM_621.16 0x00 0x1000000 TITLE_MASK
SCPN_601.01 PlayStation BB Navigator (Version 0.10) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SCPN_601.30 PlayStation BB Navigator (Version 0.20) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SCPN_601.40 PlayStation BB Navigator (Version 0.30) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SCPN_601.50 PlayStation BB Navigator (Version 0.31) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SCPN_601.60 PlayStation BB Navigator (Version 0.32) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SCPS_110.01 I.Q. Remix 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SCPS_110.10 Yoake no Mariko (Performance Pack Edition) 0x01 0x1800 SIO2_MASK
SCPS_110.18 Yoake no Mariko 0x01 0x1800 SIO2_MASK
SCPS_110.21 Yoake no Mariko 2nd Act (Limited Edition) 0x01 0x1800 SIO2_MASK
SCPS_110.22 Yoake no Mariko 2nd Act 0x01 0x1800 SIO2_MASK
SCPS_150.38 Lifeline 0x0A 0x80300 CDVD_READ_DELAY
SCPS_150.39 Lifeline 0x0A 0x80300 CDVD_READ_DELAY
SCPS_170.01 Gran Turismo 4 0x0B 0x10000000 SPU2_BEHAVIOR
SCPS_175.01 Linux (for PlayStation2) Release 1.0 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SCPS_200.39 0x00 0x4000000 TITLE_MASK
SCUS_971.67 PaRappa the Rapper 2 0x04 0x2000 SIF_DMA_SYNC
SCUS_972.69 Final Fantasy XI [Disc 2] 0x02 0xB DEV9_MASK
SLES_500.48 Donald Duck: Quack Attack 0x01 0x800 SIO2_MASK
SLES_500.62 Orphen: Scion of Sorcery 0x08 0xC1C CPU_DELAY
SLES_503.64 City Crisis 0x0A 0x80BB8 CDVD_READ_DELAY
SLES_504.46 Shadow Man 2: The Second Coming 0x0A 0x80600 CDVD_READ_DELAY
SLES_505.40 Simpsons: Road Rage 0x01 0x800 SIO2_MASK
SLES_506.08 Shadow Man 2: The Second Coming 0x0A 0x80600 CDVD_READ_DELAY
SLES_506.28 Simpsons: Road Rage 0x01 0x800 SIO2_MASK
SLES_507.28 Tiger Woods PGA Tour 2002 0x0A 0x803E8 CDVD_READ_DELAY
SLES_507.29 0x0A 0x803E8 CDVD_READ_DELAY
SLES_512.82 Tiger Woods PGA Tour 2003 0x0A 0x803E8 CDVD_READ_DELAY
SLES_514.79 Def Jam Vendetta 0x01 0x802 SIO2_MASK
SLES_518.41 SpyHunter 2 0x01 0x800 SIO2_MASK
SLES_518.44 Time Crisis 3 0x01 0x800 SIO2_MASK
SLES_519.97 SWAT: Global Strike Team 0x01 0x800 SIO2_MASK
SLES_520.97 SWAT: Global Strike Force 0x01 0x800 SIO2_MASK
SLES_530.37 Super Monkey Ball Deluxe 0x01 0x802 SIO2_MASK
SLES_536.68 Micro Machines v4 0x01 0x801 SIO2_MASK
SLES_537.55 Castlevania: Curse of Darkness 0x04 0x10 SIF_DMA_SYNC
SLES_537.96 FIFA Street 2 0x01 0x1800 SIO2_MASK
SLPM_620.42 Kurogane no Houkou: Warship Commander 0x01 0x3000 SIO2_MASK
SLPM_620.62 Gitaroo Man One 0x0A 0x80540 CDVD_READ_DELAY
SLPM_621.05 Taikou Risshiden IV 0x09 0x2B47000A DEV5_INT_SPEED
SLPM_621.24 Ready 2 Rumble Boxing: Round 2 0x08 0x1388 CPU_DELAY
SLPM_621.25 Gauntlet: Dark Legacy 0x08 0xC1C CPU_DELAY
SLPM_621.25 Gauntlet: Dark Legacy 0x09 0x2B470005 DEV5_INT_SPEED
SLPM_621.35 Final Fantasy: XI (Beta Version) 0x00 0xA0000000 TITLE_MASK, 0xA0000000 = Blacklist, boot after removing flag
SLPM_621.54 DDRMAX Dance Dance Revolution 6thMix 0x08 0x1A5E CPU_DELAY
SLPM_622.39 Supercar Street Challenge 0x0A 0x80300 CDVD_READ_DELAY
SLPM_623.69 Karaoke Revolution: J-Pop Vol.1 0x08 0x1388 CPU_DELAY
SLPM_623.79 Karaoke Revolution: J-Pop Vol.2 0x08 0x1388 CPU_DELAY
SLPM_623.80 Karaoke Revolution: J-Pop Vol.3 0x08 0x1388 CPU_DELAY
SLPM_623.81 Karaoke Revolution: J-Pop Vol.4 0x08 0x1388 CPU_DELAY
SLPM_623.82 Karaoke Revolution: Love & Ballad 0x08 0x1388 CPU_DELAY
SLPM_623.83 Karaoke Revolution: Night Selection 2003 0x08 0x1388 CPU_DELAY
SLPM_624.14 Karaoke Revolution: Dreams & Memories 0x08 0x1388 CPU_DELAY
SLPM_624.37 Suisui Sweet: Amai Ai no Mitsukekata 0x0B 0x40000000 SPU2_BEHAVIOR
SLPM_624.50 Karaoke Revolution: Anime Song Selection 0x08 0x1388 CPU_DELAY
SLPM_624.51 Karaoke Revolution: J-Pop Vol.5 0x08 0x1388 CPU_DELAY
SLPM_624.54 Karaoke Revolution: J-Pop Vol.6 0x08 0x1388 CPU_DELAY
SLPM_624.55 Karaoke Revolution: J-Pop Vol.7 0x08 0x1388 CPU_DELAY
SLPM_624.56 Karaoke Revolution: J-Pop Vol.8 0x08 0x1388 CPU_DELAY
SLPM_624.57 Karaoke Revolution: Snow & Party 0x08 0x1388 CPU_DELAY
SLPM_624.64 Pop'n Taisen Pazurudame Online 0x08 0x1F40 CPU_DELAY
SLPM_624.79 Karaoke Revolution: J-Pop Vol.9 0x08 0x1388 CPU_DELAY
SLPM_624.91 Mega Man: The Power Battle 0x04 0x2000 SIF_DMA_SYNC
SLPM_624.92 Karaoke Revolution: Kids Song Selection 0x08 0x1388 CPU_DELAY
SLPM_625.28 Karaoke Revolution: Kazoku Idol Sengen (Bundle Edition) 0x08 0x1388 CPU_DELAY
SLPM_625.29 Karaoke Revolution: Kazoku Idol Sengen 0x08 0x1388 CPU_DELAY
SLPM_650.86 A Visual Mix: Ayumi Hamasaki Dome Tour 2001 (Disc 1) 0x08 0x1450 CPU_DELAY
SLPM_650.87 A Visual Mix: Ayumi Hamasaki Dome Tour 2001 (Disc 2) 0x08 0x1450 CPU_DELAY
SLPM_650.90 Spy Hunter 0x01 0x1800 SIO2_MASK
SLPM_651.97 Nobunaga's Ambition Online 0x02 0xB DEV9_MASK
SLPM_652.09 Star Ocean: Till the End of Time 0x0B 0x20014 SPU2_BEHAVIOR
SLPM_654.38 Star Ocean: Till the End of Time (Director's Cut) (Disc 1) 0x0B 0x20014 SPU2_BEHAVIOR
SLPM_654.39 Star Ocean: Till the End of Time (Director's Cut) (Disc 2) 0x0B 0x20014 SPU2_BEHAVIOR
SLPM_654.88 Grand Theft Auto: Vice City 0x0A 0x300 CDVD_READ_DELAY
SLPM_654.88 Grand Theft Auto: Vice City 0x09 0x36000200 DEV5_INT_SPEED
SLPM_656.33 I Love Baseball: Pro Yakyu wo Koyonaku 0x08 0xFA0 CPU_DELAY
SLPM_656.98 Love Songs: ADV Futaba Riho 14-sai Natsu 0x0A 0x80380 CDVD_READ_DELAY
SLPM_657.05 Final Fantasy XI: Chains of Promathia (Expansion Disc) 0x02 0xB DEV9_MASK
SLPM_657.06 Final Fantasy XI: Chains of Promathia (All-In-One Edition) 0x02 0xB DEV9_MASK
SLPM_657.19 Burnout 3: Takedown 0x01 0x1C00 SIO2_MASK
SLPM_657.83 Nobunaga no Yabou Online: Tappi no Shou 0x02 0xB DEV9_MASK
SLPM_658.94 Winning Post 6: 2005 Version 0x01 0x2400 SIO2_MASK
SLPM_659.34 Maple Colors 0x0A 0x80300 CDVD_READ_DELAY
SLPM_659.53 Final Fantasy: XI (Entry Disc 2005) 0x02 0xB DEV9_MASK
SLPM_659.84 Grand Theft Auto: San Andreas 0x0A 0x803E8 CDVD_READ_DELAY
SLPM_660.33 The Sword of Etheria 0x08 0xC1C CPU_DELAY
SLPM_660.33 The Sword of Etheria 0x00 0x2000000 TITLE_MASK
SLPM_660.48 The Sword of Etheria 0x08 0xC1C CPU_DELAY
SLPM_660.48 The Sword of Etheria 0x00 0x2000000 TITLE_MASK
SLPM_660.57 Taito Memories Vol.1 0x08 0xCE4 CPU_DELAY
SLPM_661.56 Marheaven: Arm Fight Dream 0x01 0x1800 SIO2_MASK
SLPM_661.75 Akumajo Dracula: Yami no Juin 0x08 0x60 CPU_DELAY
SLPM_661.75 Akumajo Dracula: Yami no Juin 0x0B 0x2001C SPU2_BEHAVIOR
SLPM_663.93 Final Fantasy XI: Treasures of Aht Urhgan (All-In-One Edition) 0x0A 0x803E8 CDVD_READ_DELAY
SLPM_663.93 Final Fantasy XI: Treasures of Aht Urhgan (All-In-One Edition) 0x09 0x2B47000A DEV5_INT_SPEED
SLPM_663.93 Final Fantasy XI: Treasures of Aht Urhgan (All-In-One Edition) 0x02 0xB DEV9_MASK
SLPM_663.94 Final Fantasy XI: Treasures of Aht Urhgan 0x02 0xB DEV9_MASK
SLPM_664.36 Aria the Natural 0x01 0x1800 SIO2_MASK
SLPM_664.36 Aria the Natural 0x00 0xA000000 TITLE_MASK
SLPM_665.39 Nobunaga no Yabou Online: Haten no Shou 0x02 0xB DEV9_MASK
SLPM_665.58 Tomb Raider: Legend 0x08 0x3E8 CPU_DELAY
SLPM_665.74 Detective Evangelion 0x00 0x2000000 TITLE_MASK
SLPM_680.07 Karaoke Revolution (Trial) 0x08 0x1388 CPU_DELAY
SLPM_680.10 0x08 0x1388 CPU_DELAY
SLPS_200.08 Morita Shogi 0x08 0x1388 CPU_DELAY
SLPS_200.20 FIFA 2000 World Championship 0x04 0x2001 SIF_DMA_SYNC
SLPS_200.37 Go Go Golf 0x09 0x2B47000A DEV5_INT_SPEED
SLPS_200.38 Grappler Baki: Baki Saidai no Tournament 0x08 0x1194 CPU_DELAY
SLPS_200.53 Tenshi no Present: Marle Oukoku Monogatari (Limited Edition) 0x0B 0x20000000 SPU2_BEHAVIOR
SLPS_200.66 Tenshi no Present: Marle Oukoku Monogatari 0x0B 0x20000000 SPU2_BEHAVIOR
SLPS_201.01 City Crisis 0x0A 0x80BB8 CDVD_READ_DELAY
SLPS_201.11 Magical Sports Pro Baseball 2001 0x09 0x2B47000A DEV5_INT_SPEED
SLPS_201.72 Koushien: Konpeki no Sora 0x09 0x2B47000A DEV5_INT_SPEED
SLPS_201.73 Hard Hitter 2 0x0A 0x80300 CDVD_READ_DELAY
SLPS_201.97 Surfing Air Show with RatBoy 0x09 0x2B47000A DEV5_INT_SPEED
SLPS_201.99 F1 2002 0x0B 0x20005 SPU2_BEHAVIOR
SLPS_202.00 Final Fantasy XI 0x02 0xB DEV9_MASK
SLPS_204.04 Rakushou! Pachi-Slot Sengen 2 0x0A 0x80300 CDVD_READ_DELAY
SLPS_204.29 Hissatsu Pachi-Slot Evolution: Ninja Hattori-Kun V 0x08 0x1B58 CPU_DELAY
SLPS_204.55 Simple 2000 Series Vol.94: The Aka-Champion - Come on Baby 0x0B 0x40000000 SPU2_BEHAVIOR
SLPS_250.08 Sorcerous Stabber Orphen 0x08 0xC1C CPU_DELAY
SLPS_250.71 A Visual Mix: Ayumi Hamasaki Dome Tour 2001 0x08 0x1450 CPU_DELAY
SLPS_250.72 A Visual Mix: Ayumi Hamasaki Dome Tour 2001 0x08 0x1450 CPU_DELAY
SLPS_250.81 Saishuu Densha 0x0A 0x803E8 CDVD_READ_DELAY
SLPS_251.36 Kuon no Kizuna Sairin Mikotonori 0x0A 0x805DC CDVD_READ_DELAY
SLPS_251.42 Tiger Woods PGA Tour 2002 0x0A 0x803E8 CDVD_READ_DELAY
SLPS_251.50 Only You 0x0B 0x40000000 SPU2_BEHAVIOR
SLPS_252.37 Only You 0x0B 0x40000000 SPU2_BEHAVIOR
SLPS_252.75 Def Jam: Vendetta 0x01 0x802 SIO2_MASK
SLPS_252.78 Memories Off: Mix 0x0A 0x80300 CDVD_READ_DELAY
SLPS_252.90 Time Crisis 3 0x01 0x800 SIO2_MASK
SLPS_253.15 One Piece: Grand Battle 3 0x01 0x1800 SIO2_MASK
SLPS_253.57 3-Nen B-Gumi Kinpachi Sensei: Densetsu no Kyoudan ni Tate! 0x01 0x1800 SIO2_MASK
SLPS_253.79 Tokyo Majin Gakuen: Kaihoujyou Kefurokou 0x0A 0x803E8 CDVD_READ_DELAY
SLPS_254.06 Hitman: Contracts 0x08 0xDAC CPU_DELAY
SLPS_254.18 Ace Combat 5: The Unsung War 0x0A 0x500000 CDVD_READ_DELAY
SLPS_255.10 Tekken 5 0x0B 0x40000000 SPU2_BEHAVIOR
SLPS_255.85 Monster Farm 5: Circus Caravan 0x07 5 MECHA_RECOGTIME
SLPS_255.86 Tales of the Abyss 0x0A 0x803E8 CDVD_READ_DELAY
SLPS_256.04 Ar tonelico Qoga: Knell of Ar Ciel 0x00 0xA000000 TITLE_MASK
SLPS_256.67 Daito Giken Premium Pachi-Slot Collection: Yoshimune 0x01 0x1800 SIO2_MASK
SLPS_256.98 Fatal Fury Battle Archives Volume 2 0x00 0xA000000 TITLE_MASK
SLPS_257.08 The Familiar of Zero (Limited Edition) 0x0A 0x803E8 CDVD_READ_DELAY
SLPS_257.09 The Familiar of Zero 0x0A 0x803E8 CDVD_READ_DELAY
SLPS_257.21 HimeHibi - Princess Days 0x0B 0x8000000 SPU2_BEHAVIOR
SLPS_257.22 Routes PE (Limited Edition) 0x08 0x3E8 CPU_DELAY
SLPS_257.27 Routes PE 0x08 0x3E8 CPU_DELAY
SLPS_732.49 Ar tonelico Qoga: Knell of Ar Ciel (Platinum) 0x00 0xA000000 TITLE_MASK
SLUS_200.11 Orphen: Ocion of Sorcery 0x08 0x1388 CPU_DELAY
SLUS_200.11 Orphen: Ocion of Sorcery 0x09 0x8000010 DEV5_INT_SPEED
SLUS_200.77 Donald Duck: Go'in Quackers 0x01 0x800 SIO2_MASK
SLUS_202.74 City Crisis 0x0A 0x80BB8 CDVD_READ_DELAY
SLUS_203.05 Simpsons: Road Rage 0x01 0x800 SIO2_MASK
SLUS_203.64 Tiger Woods PGA Tour 2002 0x0A 0x803E8 CDVD_READ_DELAY
SLUS_204.13 Shadowman 2 0x0A 0x80600 CDVD_READ_DELAY
SLUS_204.33 SWAT: Global Strike Team 0x01 0x800 SIO2_MASK
SLUS_204.88 Star Ocean: Til the end of Time [Disc 1] 0x08 0x1388 CPU_DELAY
SLUS_205.72 Tiger Woods PGA Tour 2003 0x0A 0x803E8 CDVD_READ_DELAY
SLUS_205.90 Spyhunter 2 0x01 0x800 SIO2_MASK
SLUS_206.35 Muppets Party Cruise 0x01 0x801 SIO2_MASK
SLUS_206.39 Def Jam Vendetta 0x01 0x800 SIO2_MASK
SLUS_206.86 Splashdown: Rides Gone Wild 0x0A 0x80400 CDVD_READ_DELAY
SLUS_208.38 All-Star Baseball 2005 0x01 0x802 SIO2_MASK
SLUS_208.51 Ace Combat 5: The Unsung War 0x0A 0x500000 CDVD_READ_DELAY
SLUS_208.91 Star Ocean: Til the end of Time [Disc 2] 0x08 0x1388 CPU_DELAY
SLUS_209.18 Super Monkey Ball: Deluxe 0x01 0x800 SIO2_MASK
SLUS_210.59 Tekken 5 0x0B 0x40000000 SPU2_BEHAVIOR
SLUS_210.70 Final Fantasy XI: Chains of Promathia 0x02 0xB DEV9_MASK
SLUS_210.89 Karaoke Revolution Vol.3 0x08 0x1388 CPU_DELAY
SLUS_213.31 Sonic Riders 0x01 0x800 SIO2_MASK
SLUS_213.39 Puzzle Challenge 0x01 0x800 SIO2_MASK
SLUS_214.04 Final Fantasy XI: Treasures of Aht Urhgan 0x02 0xB DEV9_MASK
SLUS_214.52 Valkyrie Profile 2: Silmeria 0x08 0x1388 CPU_DELAY

Other game patches (unofficial)[edit | edit source]

There are other unofficial ways to patch the PS2 games such the pnach format, or the widescreen patches that allows 16:9 screen output for some games by hex editing the ISO, or by applying ppf patches. Games work fine on PS3 with same compatibility like before patching. Also some 480p (aka progressive scan) patches work fine. http://ps2wide.net/

The problem of this methods is the patch is applyed over the ISO and is modifyed permanently, but this problem can be avoided in PS3 because that unofficial patches can be "ported" to the official config format to be used by ps2_netemu.self, by using the official config format the settings and patchs from the config file are applyed "on the fly" and the ISO is not modifyed

ps2_title_brute code[edit | edit source]

A script to calculate cdvd key magic used in ps2emu, gxemu and softemu from given input title id. On real PS2 this value seems to be stored at 0x1F402020-0x1F402024. It contains code for bruting as well. Just call gen_sum with the title id in a specific format to get it. 

title_ = "SLUS_200.73"

#patches = [0x6b1ade00dL, 0x23d92589c5L, 0x24d92589d5L, 0x608634992dL, 0x5ca15df14dL]
#patches = [0x37ae1cb18dL, 0x608634999dL, 0x06b1ade00dL, 0x5fc674d915L, 0x178e3c9165L, 0x3889349935L,0x18fe4ce145L,0xc126943985,0xe90ebc11b5,0x58be0ca165L]
patches = [ 0xCD1298155L, 0x12C93199A5L, 0x15C93199ADL, 0x24D92589A5L, 0x2CD12D8125L, 0x34C9359935L, 0x34C93599E5L, 0x34C93599E5L, 0x449961C9E5L, 0x4C9169C1CDL, 0x4C9169C1D5L, 0x4C9169C1DDL, 0x4C9169C1E5L, 0x4C9169C1F5L, 0x4C9169C1FDL, 0x4CB14DE12DL, 0x54A955F915L, 0x5CA15DF165L, 0x5CA15DF1FDL, 0x5CA15DF1FDL, 0x649965C94DL, 0x649965C955L, 0x649965C95DL, 0x649965C965L, 0x649965C96DL, 0x6BB149E15DL, 0x6C916DC165L, 0x6C916DC1A5L, 0x6C916DC1ADL, 0x6C916DC1B5L, 0x6C916DC1D5L, 0x6C916DC1DDL, 0x748975D9DDL, 0x7C817DD125L, 0x7C817DD165L, 0x7C817DD16DL, 0x7C817DD175L, 0x7C817DD1CDL, 0x84798529BDL, 0x8559A109ADL, 0x8579852915L, 0x8579852965L, 0x8D51A90145L, 0x8D51A901B5L, 0x8D51A901BDL, 0x8D718D21BDL, 0x9C619D31E5L, 0x9D41B911ADL, 0x9D619D31C5L, 0x9F29357805L, 0x9F293578E5L, 0xB549B51915L, 0xB549B51925L, 0xB549B5195DL, 0xB549B519A5L, 0xB549B519ADL, 0xBC61793025L, 0xBD41BD1105L, 0xC439C569F5L, 0xC7716D20D5L, 0xC7716D20D5L, 0xCA11E941F5L, 0xCF7965285DL, 0xCF7965285DL, 0xD20911582DL, 0xD7617D308DL, 0xE339C1695DL, 0xE794CCB06DL, 0xEA3129608DL, 0xEC11ED4115L, 0xEF594508D5L, 0xF409F559ADL, 0xF7415D10E5L, 0xF7415D10E5L]

def gen_sum(title):
        var_30 = []
        for i in range(0x1A):
                var_30.append(0)
        r9=5
        r31=0
        #Title 2 decimal
        while r9 != 0xB:
                r11 = r9 + 1
                if r9 == 8:
                        pass
                else:
                        r5 = ord(title[r9:r9+1])
                        r7 = r31 * 0xA
                        r6 = r7 & 0xFFFFFFFF
                        r4 = r5 + r6
                        r9 = r4 - 0x30
                        r31 = r9 & 0xFFFFFFFF
                r9 = r11
        #print r31
        r10 = ord(title[3:4]) # S
        r7 = (r31 >> 10) & 0x7F
        r11 = ord(title[1:2]) # L
        r8 = ord(title[2:3])  # U
        r6 = (r10 >> 1) & 0x3F
        r12 = ord(title[0:1]) # S
        r4 = (r11 >> 3) & 0xF
        r5 = (r8 >> 2) & 0x1F
        r3 = (r12 >> 4) & 7
        r9 = r10 << 7
        r0 = r8 << 6
        r10 = r11 << 5
        r8 = r12 << 4
        r12 = r31 << 3
        r11 = r10 | r5
        r9 = r9 | r7
        r0 = r0 | r6
        var_30[2] = r11 & 0xFF
        r7 = r8 | r4
        var_30[0] = (r9 & 0xFF)
        r10 = r12 | r3
        var_30[1] = (r0 & 0xFF)
        r12 = (r31 >> 2) & 0x3FFFFFF8
        var_30[3] = (r7 & 0xFF)
        r8 = 5
        var_30[4] = (r10 & 0xFF)
        var_30[0x19] = (r12 & 0xFF)
        var_30[0x18] = (r8 & 0xFF)
        var_30 = [int(v) for v in var_30]
        #print [hex(v) for v in var_30]
        r5 = var_30
        r6 = 0
        r4 = 0
        while r6 < 5:
                r12 = r5[r6:r6+1][0]
                r7 = r6 + 1
                r0 = var_30[0x19]
                r3 = r6 + 0x10
                r9 = r12 ^ r0
                r31 = r3
                r5[r6] = r9
                r6 = r7
                r5[r31] = r4
        #print [hex(v) for v in r5]
        r9 = 0
        r10 = 0
        while r10 < 5:
                r11 = r10 + 1
                r6 = r5[r10:r10+1][0]
                r4 = r9 << 8
                r10 = r11
                r9 = r4 | r6
        return r9
'''
print hex(gen_sum(title_))

a1='A'
a2='A'
a3='A'
a4='A'
while a1 <= 'Z':
        a2='A'
        a3='A'
        a4='A'
        while a2 <= 'Z':
                a3='A'
                a4='A'
                while a3 <= 'Z':
                        a4='A'
                        while a4 <= 'Z':
                                #print "%s%s%s%s" % (a1,a2,a3,a4)
                                for i in range(99999):
                                        t = "%s%s%s%s_" % (a1,a2,a3,a4) + '{4}{3}{2}.{1}{0}'.format(i%10,(i/10)%10,(i/100)%10,(i/1000)%10,(i/10000)%10)
                                        if gen_sum(t) in patches:
                                                print t
                                                print True
                                a4=chr(ord(a4)+1)
                                print "%s%s%s%s" % (a1,a2,a3,a4)
                        a3=chr(ord(a3)+1)
                        print "%s%s%s%s" % (a1,a2,a3,a4)
                a2=chr(ord(a2)+1)
        a1=chr(ord(a1)+1)
'''

print hex(gen_sum("SLUS_213.86"))
'''
for i in range(99999):
        t = "SLUS_" + '{4}{3}{2}.{1}{0}'.format(i%10,(i/10)%10,(i/100)%10,(i/1000)%10,(i/10000)%10)
        if gen_sum(t) in patches:
                print "%s %x" % (t, gen_sum(t))

'''


Alternative script version for better readability. Work same way as one above, just cleaner looking code. 

ID = "SLUS_202.02"

def gen_sum2(title):

        decimal_id = 0
        decimal_id += ( ord(title[10:11]) - 0x30)
        decimal_id += ((ord(title[9:10])  - 0x30) * 10)
        decimal_id += ((ord(title[7:8])   - 0x30) * 100)
        decimal_id += ((ord(title[6:7])   - 0x30) * 1000)
        decimal_id += ((ord(title[5:6])   - 0x30) * 10000)
        
        first_char  = ord(title[0:1])
        second_char = ord(title[1:2])
        third_char  = ord(title[2:3])
        fourth_char = ord(title[3:4])
        
        temp0  = (first_char  >> 4) & 7
        temp1  = (second_char >> 3) & 0xF
        temp2  = (third_char  >> 2) & 0x1F
        temp3  = (fourth_char >> 1) & 0x3F
        temp4  = (first_char  << 4)
        temp5  = (second_char << 5)
        temp6  = (third_char  << 6)
        temp7  = (fourth_char << 7)
        
        temp8  = (decimal_id >> 10) & 0x7F
        temp9  = (decimal_id << 3 )
        temp10 = (decimal_id >> 2 ) & 0xF8

        temp8 |= temp7
        temp3 |= temp6
        temp2 |= temp5
        temp1 |= temp4
        temp0 |= temp9
        
        temp8 &= 0xFF
        temp3 &= 0xFF
        temp2 &= 0xFF
        temp1 &= 0xFF
        temp0 &= 0xFF
        
        temp8 ^= temp10
        temp3 ^= temp10
        temp2 ^= temp10
        temp1 ^= temp10
        temp0 ^= temp10        

        result = (temp0 | (temp1 << 8) | (temp2 << 16) | (temp3 << 24) | (temp8 << 32))
        return result

print(hex(gen_sum2(ID)))

Alternative implementation: https://github.com/PCSX2/pcsx2/blob/1a3d77b2c0c6b57313f0dceaf5ecc3f8cb453497/pcsx2/CDVD/CDVD.cpp#L545

External References[edit | edit source]


CPU-GPU intensive games + games only playable in software render on PCSX2:

General
Hypervisor
Services
Plugin
Interfaces
ap_plugin · audioplayer_plugin · audiop_plugin_dummy · audiop_plugin_mini · auth_plugin · autodownload_plugin · autoupdateconf_plugin · avc_plugin · avc_util · avc2_game_plugin · avc2_game_video_plugin · avc2_text_plugin · bdp_disccheck_plugin · bdp_plugin · bdp_storage_plugin · campaign_plugin · category_setting_plugin · comboplay_plugin · custom_render_plugin · data_copy_plugin · deviceconf_plugin · dlna_plugin · download_plugin · dtcpip_util · edy_plugin · esehttp · eseibrd · eseidle · eselock · eula_cddb_plugin · eula_hcopy_plugin · eula_net_plugin · explore_plugin · explore_plugin_ft · explore_plugin_game · explore_plugin_np · filecopy_plugin · friendim_plugin · friendml_plugin · friendtrophy_plugin · game_ext_plugin · game_indicator_plugin · game_plugin · gamedata_plugin · gamelib_plugin · gameupdate_plugin · hknw_plugin · idle_plugin · impose_plugin · kensaku_plugin · msgdialog_plugin · mtpinitiator_plugin · musicbrowser_plugin · nas_plugin · netconf_plugin · newstore_plugin · np_eula_plugin · np_matching_plugin · np_multisignin_plugin · np_sns_plugin · npsignin_plugin · np_trophy_ingame · np_trophy_plugin · osk · oskfullkeypanel · oskpanel · pesm_plugin · photo_network_sharing_plugin · photolist_plugin · photoviewer_plugin · playlist_plugin · poweroff_plugin · premo_plugin · premo_game_plugin · print_plugin · profile_plugin · ps3_savedata_plugin · ps3_savedata_plugin_game · ps3_savedata_plugin_psp · rec_plugin · regcam_plugin · remotedownload_plugin · sacd_plugin · scenefolder_plugin · screenshot_plugin · software_update_plugin · soundvisualizer_plugin · strviewer_plugin · sysconf_plugin · system_plugin · thumthum_plugin · upload_util · user_info_plugin · user_plugin · videodownloader_plugin · videoeditor_plugin · videoplayer_util · videoplayer_plugin · vmc_savedata_plugin · wboard_plugin · webbrowser_plugin · webbrowser_service · webrender_plugin · xai_plugin · xmb_ingame · xmb_plugin
Emulation
Extended
features
Online
Hardware
SC
CELL
RAM
SB
HDD
BD
Tools
Strings
files
dumps
Reference
Keys & Seeds
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=PS2_Emulation&oldid=73867"