Talk:PS1 Emulation

PS1 Emulator Types and Revisions

Command IDs mapping

All the PS1 emulators have some game settings hardcoded inside them organized in a table using a hierarchy, pretty much the same structure used by ps2_gxemu.self and ps2_softemu.self to store the CONFIGS
There is a point of the hierarchy where is indicated the number of commands and the offset where are located. Every command is composed by ID[4] and data[4] (where the data coould be another offset to load more data from a deeper level of the hierarchy)
That IDs differs in between the PS1 emulator versions because are not a direct ID, it seems every ID is mapped to a different ID (probably static and common for all emu versions) in a separated table

How hardcoded config is read based on ps1emu.

Like mentioned above config is created from 2x u32 values. Lets call first value command, and second value param.
Command is used to calculate address for param, and only param is stored on obtained address.
Emulator then check for params, and if found (usually when not zero) apply settings based on them.

0x10BC8                 lwz       r0, 0(r9)       # load HASH
0x10BCC                 cmpw      cr7, r0, r27    # compare title HASH with one from DB
0x10BD0                 bne       cr7, loc_10BB8  # loop till HASH found
0x10BD4                 slwi      r0, r10, 4      # config number << 4 to get offset from first entry in table
0x10BD8                 addi      r24, r1, 0xAB0+var_A40
0x10BDC                 extsw     r0, r0
0x10BE0                 clrldi    r3, r24, 32
0x10BE4                 add       r29, r0, r8     # r29 now points to game entry in config table
0x10BE8                 lwz       r4, 4(r29)      # load pointer to game ID
0x10BEC                 bl        sub_137FF8
0x10BF0                 nop
0x10BF4                 lwz       r28, 8(r29)
0x10BF8                 cmpwi     cr7, r28, 0
0x10BFC                 ble       cr7, loc_10C58  # check config count is not 0 or less
0x10C00                 lwz       r26, 0xC(r29)   # r26 is now pointer to configs for game
0x10C04                 li        r30, 0
0x10C08                 li        r29, 0
0x10C0C                 lwz       r25, off_17B5D8 # "core.c: CoreCheckTitle: param[%d] = 0x%"...
0x10C10
0x10C10 read_conf_loop:                           # CODE XREF: CoreCheckTitle+2DC↓j
0x10C10                 add       r11, r30, r26   # r11 is now pointer to currently read config for game
0x10C14                 addi      r29, r29, 1     # count...
0x10C18                 clrldi    r11, r11, 32
0x10C1C                 mr        r3, r25         # just for print
0x10C20                 addi      r30, r30, 8     # add 8 so next time in loop we read new config (4),
0x10C20                                           # and new params (4) if game have more than one config
0x10C24                 lwz       r4, 0(r11)      # load command
0x10C28                 lwz       r0, 4(r11)      # load params
0x10C2C                 slwi      r9, r4, 2       # r9 = r4 << 2 so shift our command to the left by 2, and store in r9
0x10C30                 clrldi    r5, r0, 32      # just print again
0x10C34                 addi      r9, r9, 0x10    # add 0x10 to shifted command value
0x10C34                                           # to create address where param of config will be stored
0x10C38                 extsw     r4, r4
0x10C3C                 extsw     r9, r9
0x10C40                 add       r9, r9, r31     # r31 is value that change between emu versions. 
0x10C40                                           # That way emulator can keep correct config IDs without changes to table.
0x10C40                                           # r31 0x2B0930 + what we currently have in r9 after previous calculations.
0x10C44                 stw       r0, 4(r9)       # Store param on finally calculated address + 4. For example for config 04
0x10C44                                           # address will be 0x2B0954.
0x10C48                 bl        print_
0x10C4C                 nop
0x10C50                 cmpw      cr7, r28, r29   # r28 overall config count
0x10C50                                           # r29 currently read count
0x10C54                 bne       cr7, read_conf_loop

Known ps1emu.self commands

• 0xB param is magic word for libcrypt, but emulator seems to not use it at all(?).
• 0xE param is divider for 0x204CC00 (psx cpu speed), result is stored on fixed address and used by many functions.
• 0x15 when param is set to 3, force game reload with ps1netemu. Is not known what other param values do.
• 0x19 is related to cdrom, xCdromRead use it as first argument.

Commands Info

The command ID's varies in between firmware versions, most probably because new functions was added every few versions, reorganized, etc... and this changes created a "displacement" of the old commands that causes them to increase his ID
At the time of writing this we dont know how to map that variable ID's to an static ID (that could be valid for all firmware versions), so by now in this list is needed to indicate the firmware version where the command ID was found

Command 0x01 (netemu 3.55 up to 4.88)

Used by SLPM_865.49, SLPM_865.50, SLPS_017.16, SLPS_004.16, SLUS_004.33)

• Valid values found
  • 2 (in SLPM_865.49, SLPM_865.50, SLPS_017.16)
  • 1 (in SLPS_004.16, SLUS_004.33)

Command 0x02 (netemu 3.55 up to 4.88)

Coincidentially this is one of the few commands that preserves his ID in between firmware versions, most probably is because it was one of the first commands implemented (is either the second or the third from the whole command list) and the variable ID given to it is a very low value (so always was kept at a low position in the commands list and was not disturbed by the modifications made to the other commands)
Is used to load a list of sectors, there are only 3 games using it (and the 3 games are libcrypt protected), as example this is the data loaded by Medievil (SCES_003.11), located at absolute offset 0x16298C in ps1_netemu.self from firmware 4.88

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00162980                                      00 00 06 15              ....
00162990  00 00 2A 75 00 00 37 19 00 00 3A 33 00 00 3A D0  ..*u..7...:3..:Ð
001629A0  00 00 3B 1A 00 00 3B 8A 00 00 3C 12 00 00 3E 2F  ..;...;Š..<...>/
001629B0  00 00 3E E5 00 00 5D FC 00 00 71 8E 00 00 7C 17  ..>å..]ü..qŽ..|.
001629C0  00 00 80 35 00 00 A4 3D 00 00 A7 3D 00 00 A8 04  ..€5..¤=..§=..¨.
001629D0  00 00 A8 A9 00 00 A9 19 00 00 A9 90 00 00 AB BB  ..¨©..©...©...«»
001629E0  00 00 AC 7F 00 00 BA B2 00 00 BE E3 00 00 C0 AF  ..¬...º²..¾ã..À¯
001629F0  00 00 C1 93 00 00 C1 C4 00 00 C3 A1 00 00 DA DE  ..Á“..ÁÄ..á..ÚÞ
00162A00  00 00 E7 C1 00 00 FD 3A 00 01 1A 1C 00 01 1D 6A  ..çÁ..ý:.......j
00162A10  00 01 1D CF 00 01 29 EF 00 01 45 E2 00 01 6A 98  ...Ï..)ï..Eâ..j˜
00162A20  00 01 7F BB 00 01 B7 A0 00 01 BB 05 00 01 BF 12  ...»..· ..»...¿.
00162A30  00 01 EE 64 00 02 02 6E 00 02 0B CA 00 02 10 19  ..îd...n...Ê....
00162A40  00 02 37 24 00 02 45 EC 00 02 54 06 00 02 55 A1  ..7$..Eì..T...U¡
00162A50  00 02 5D 48 00 02 62 C8 00 02 81 12 00 02 9B 2D  ..]H..bÈ......›-
00162A60  00 02 BD 04 00 02 C2 AF 00 02 D9 2A 00 02 DC 90  ..½...¯..Ù*..Ü.
00162A70  00 02 E1 3A 00 02 F2 18 00 02 FC C8 00 03 51 CF  ..á:..ò...üÈ..QÏ
00162A80  00 03 52 AA 00 03 72 3F 00 00 00 00              ..Rª..r?....

The libcrypt protection is related with subchannel data stored by sectors, in redump this data is managed with the SBI files, displayed in a hexeditor view in the game page http://redump.org/disc/592/
If we convert the data from the official format to decimal and we compare it with the sector numbers in the SBI file it can be seen the 16 libcrypt protected sectors from the SBI file are included in the official format
The official format seems to include a lot more sectors which purpose is unknown
This is the medievil data from the official format, converted to decimal, and marked the sectors that matches with the SBI file in redump

00000615 --- to decimal ---> 1557
00002A75 --- to decimal ---> 10869
00003719 --- to decimal ---> 14105 (mentioned in the redump SBI file)
00003A33 --- to decimal ---> 14899 (mentioned in the redump SBI file)
00003AD0 --- to decimal ---> 15056 (mentioned in the redump SBI file)
00003B1A --- to decimal ---> 15130 (mentioned in the redump SBI file)
00003B8A --- to decimal ---> 15242 (mentioned in the redump SBI file)
00003C12 --- to decimal ---> 15378 (mentioned in the redump SBI file)
00003E2F --- to decimal ---> 15919 (mentioned in the redump SBI file)
00003EE5 --- to decimal ---> 16101 (mentioned in the redump SBI file)
00005DFC --- to decimal ---> 24060
0000718E --- to decimal ---> 29070
00007C17 --- to decimal ---> 31767
00008035 --- to decimal ---> 32821
0000A43D --- to decimal ---> 42045 (mentioned in the redump SBI file)
0000A73D --- to decimal ---> 42813 (mentioned in the redump SBI file)
0000A804 --- to decimal ---> 43012 (mentioned in the redump SBI file)
0000A8A9 --- to decimal ---> 43177 (mentioned in the redump SBI file)
0000A919 --- to decimal ---> 43289 (mentioned in the redump SBI file)
0000A990 --- to decimal ---> 43408 (mentioned in the redump SBI file)
0000ABBB --- to decimal ---> 43963 (mentioned in the redump SBI file)
0000AC7F --- to decimal ---> 44159 (mentioned in the redump SBI file)
0000BAB2 --- to decimal ---> 47794
0000BEE3 --- to decimal ---> 48867
0000C0AF --- to decimal ---> 49327
0000C193 --- to decimal ---> 49555
0000C1C4 --- to decimal ---> 49604
0000C3A1 --- to decimal ---> 50081
0000DADE --- to decimal ---> 56030
0000E7C1 --- to decimal ---> 59329
0000FD3A --- to decimal ---> 64826
00011A1C --- to decimal ---> 72220
00011D6A --- to decimal ---> 73066
00011DCF --- to decimal ---> 73167
000129EF --- to decimal ---> 76271
000145E2 --- to decimal ---> 83426
00016A98 --- to decimal ---> 92824
00017FBB --- to decimal ---> 98235
0001B7A0 --- to decimal ---> 112544
0001BB05 --- to decimal ---> 113413
0001BF12 --- to decimal ---> 114450
0001EE64 --- to decimal ---> 126564
0002026E --- to decimal ---> 131694
00020BCA --- to decimal ---> 134090
00021019 --- to decimal ---> 135193
00023724 --- to decimal ---> 145188
000245EC --- to decimal ---> 148972
00025406 --- to decimal ---> 152582
000255A1 --- to decimal ---> 152993
00025D48 --- to decimal ---> 154952
000262C8 --- to decimal ---> 156360
00028112 --- to decimal ---> 164114
00029B2D --- to decimal ---> 170797
0002BD04 --- to decimal ---> 179460
0002C2AF --- to decimal ---> 180911
0002D92A --- to decimal ---> 186666
0002DC90 --- to decimal ---> 187536
0002E13A --- to decimal ---> 188730
0002F218 --- to decimal ---> 193048
0002FCC8 --- to decimal ---> 195784
000351CF --- to decimal ---> 217551
000352AA --- to decimal ---> 217770
0003723F --- to decimal ---> 225855
00000000

Command 0x03 (netemu 3.55 up to 4.88)

Command ID 0x03 seems to match too in between firmware 3.55 and 4.88

Command 0x04 (netemu 3.55 up to 4.88)

Command ID 0x04 seems to match too in between firmware 3.55 and 4.88

Command 0x05 (netemu 3.55 up to 4.88)

Command ID 0x05 seems to match too in between firmware 3.55 and 4.88

Command 0x17 (netemu 4.88) or command 0x15 (netemu 3.55)

This is the libcrypt magic word. This command is used only in 3 games (SCES_016.95, SLES_019.07, SLES_013.01). see: PS1 Custom Patches