Editing PS2 Emulation/PS2 Config Commands

=PS2 Netemu Commands=

<!-- We need to find a better way to organize the commands info below, right now all the info is "constricted" inside the same table but is better to take them out of the table to have more freedon when adding comments, etc... Are a lot so by now i prefer to dont make page sections for every command. Im going to try something that visually looks like page sections but are not (so are not going to be displayed in the TOC at top of the page). With this change we are moving forward because the command info is not going to be inside the same table anymore, im going to split them but the visual look and other details are not going to be definitive because later can be converted into page sections if someone insists in it -->


{{Boxcomm|id=0x00|name=Title ID Enforce / Multidisc config|data=1x String in format: ABCD-12345}}
Restricts the CONFIG to be used only by a specific [[Template:TITLE_ID_for_Physical_Media|Title ID]]
The presence of this command in the CONFIG is optional. If present it needs to be located always at the last position in the CONFIG. When bytes are present after Title ID, emulator read them to setup multidisc info.
 Multidisc info bytes:
 First byte:  Unknown, seems to be unused. 00 in known configs (Grandia 3).
 Second byte: Discs count (0-9), when 0 or 1 emulator don't enable multidisc mode.
 Third byte:  Which disc in set is this one (0-8 for discs 1-9)
 Fourth byte: That one is optional, but very important. When set to 1,
              disc swap menu will be in "Reset game" menu and disc change will trigger reset (default behavior).
              But when this byte is set to 0, new option in main emu menu called "Switch Discs" will appear. Emulator change disc without reset. 
              Keep in mind we don't know how accurate swap emulation is here, games are picky for some details. 
              Every iso bin enc in set need to have proper data in separate config. 
              Disc 1: ISO.BIN.ENC --> CONFIG --> 00 02 00 00,
               00000000  3D 00 00 00 A8 3E 00 00 00 00 00 00 53 4C 55 53  =...¨>......SLUS
               00000010  2D 32 31 33 33 34 00 02 00                       -21334...
 
              Disc 2: ISO.BIN.ENC2--> CONFIG2--> 00 02 01 00, etc.
               00000000  3D 00 00 00 A8 3E 00 00 00 00 00 00 53 4C 55 53  =...¨>......SLUS
               00000010  2D 32 31 33 34 35 00 02 01                       -21345...

              Grandia 3 DISC.IDX, content:
               00000000  00 00                                            ..


{{Boxcomm|id=0x01|name=EE_ADD_HOOK|data=2x uint32_t Params (addr, func_id 0-0x3B)}}
Most of the hooks availables in netemu command 0x01 are fixes for a specific game, or a game engine<br>
The Maximum Amount of times netemu command 0x01 can be used consecutivelly in the same config is 255. This is actually limit for EE hooks at all, 0x01 don't have own limit.

<div style="overflow-x:auto">
{| class="wikitable" style="width:100%; font-size:0.9em; line-height:90%"
|-
!Function ID!! Notes
|-
|0x00|| FIFA 2000 use it as hook for EE kernel at 0x800017E8 (DMAC related). Command backup value from r5900 s0 register.
|-
|0x01|| FIFA 2000 use it as hook for EE kernel at 0x80001858 (DMAC related). Command restore previously backed up value to r5900 s0 register.
|-
|0x02|| 
Max Payne
 Write 0 to D_ENABLEW in SPE 3 (EEDMA). D_ENABLER is NOT updated on PPE side.
|-
|0x03|| 
Max Payne
 Write 0xFFFFFFFF (0x10000, other bits are ignored anyway) to D_ENABLEW in SPE 3 (EEDMA). D_ENABLER is NOT updated on PPE side.
|-
|0x04|| Castle Shikigami II
 Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes. Same as 0x03 command, but applied of selected ee offset.
 This is probably command from times when 0x03 was non existing, and while it apply on selected ee offset, command never recover default IXIN/IHIN handling.
 Note: There is leftover in emulator from command that reenable default behavior, but is unused now, and is not accessible by current config commands.
|-
|0x05|| Force events test if D2_CHCR & 0x100 is true (if GIF dma is running). For more info check _cpuEventTest_Shared from pcsx2. Star Wars games developed by Pandemic Studios (freeze fix), Worms 3D and NBA 08.
|-
|0x06|| Force events test if D1_CHCR & 0x100 is true (if VIF1 dma is running). For more info check _cpuEventTest_Shared from pcsx2.
|-
|0x07|| 
|-
|0x08|| Backup current unmodified COP0 status register state. Then disable EI bit, and notify emu that cmd 0x09 could be run. Harry Potter - Quidditch World Cup US use it at offset 0x2BD45C (EE)
|-
|0x09|| Restore COP0 status register state from previously created backup. Harry Potter - Quidditch World Cup US use it at offset 0x2BD620 (EE)
|-
|0x0A|| Fix for TriAce executable unpack function.
 Games unpack data using VU0 microruntime (not COP2). Because unpack involve floating points operations result can be inaccurate. And it is,
 exactly by 1 byte. Config add 1 to result of unpacked data. This can be confirmed also on pcsx2 with turned off TriAce hack, example for Radiata Stories US release.
 Set breakpoint on 0x124D90, and then when it's hit, add 1 to lower 64 bits of vf03 reg (in vu0f tab) and hit run.
 Game now work as it should. On PS3 this probably can be fixed also by 0x11 command, but since they had hook already done before 0x11 was a thing, it stayed as is.
|-
|0x0B|| Set lower 64 bits of mips $at register to 0
|-
|0x0C|| Piglet's Big Game
|-
|0x0D|| usleep(100)
|-
|0x0E|| Used 3 times in Need for Speed - Carbon [Collector's Edition] US.
 Force EE JIT LUT reset. Used in place where game load code overlays, and in place where game self-modify code. 
 Command could be potentially useful for games that like to change own code. Eg. Load "bin" files with code (HSG/HST), or modify own code by direct writes to memory (NFS Carbon CE...)
|-
|0x0F||
Grand Theft Auto 3 (SLUS-20062)
 using 0x348B40, 0x18E1F0, 0x348EC8 ( + 200000000 base )
 0x348B40 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
 0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
 0x348EC8 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
|-
|0x10||
Grand Theft Auto 3 (SLES-50330)
 using 0x349790, 0x18E1F0, 0x349B18 ( + 200000000 base ) 
 0x349790 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
 0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
 0x349B18 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
|-
|0x11||
Grand Theft Auto 3 (SLES-50793)
 using 0x3495C0, 0x18E1F0, 0x349948 ( + 200000000 base )
 0x3495C0 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
 0x18E1F0 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
 0x349948 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
|-
|0x12|| Disney/Pixar Finding Nemo (fixes the pause menu freeze)
 if COP0 status EI and EXL bits are 0, and other condition related to DMAC is met...
 store 0 in [ 0x204FC500 + 200000000 base] 0x4FC500 EE memory, and set lower 64 bits of mips $s0 register to 0.
|-
|0x13|| Snowblind Engine specific fix. Applies to the beginning of function called initLump. Config is responsible for grabbing data from one of registers for use in 0x14/0x15 hooks. Mentioned data is EE memory offset, if data from 0x13 is 0, 0x14/0x15 don't apply.  
|-
|0x14|| Snowblind Engine specific fix. Applies to the end of function called initLump. Used in the older version of Snowblind Engine (Dark Alliance duology, The Bard's Tale, Fallout).
|-
|0x15|| Snowblind Engine specific fix. Applies to the end of function called initLump. Used in the newer version of Snowblind Engine (Champions duology, Justice League Heroes, Combat Elite).
|-
|0x16|| Champions of Norrath (SLUS-20565)
 store 0x01114BA8 in [ 0x208EAB4C + 200000000 base]
 store 0x010C9E40 in [ 0x208EAB6C + 200000000 base]
|-
|0x17|| NFS HP2 fpu rounding fix. 
 Check if a0 == 0x8000 (32768), apply config if true. Config is little bit more complicated than it should, emu flush all fpu regs to memory just to modify one field in altivec vector register.
 When condition is met ps2 cop1 f08 register is modified from 0x40490FDB to 0x40490FDA, this result in next operations to end up as negative 0.0 (0x80000000) instead of just 0.0 (0x00000000).
 Seems to trigger when loading of stage or loading of attract mode is close to finish or done.
|-
|0x18|| Okami PAL specific hook. 
 Check if opcode at 0x183F04 of EE memory is jal 0x183CB0 (0x0C060F2C). This is used to run additional hook patcher only 1 time.
 Later it will be nop here. so it means that new hooks are already applied. So function will just return early.
 if opcode at 0x183F04 is still jal 0x183CB0 (0x0C060F2C),
 then patch addresses 0x183F04 (jal 0x183CB0), 0x183F34 (jal 0x183CB0), 0x183F3C (jal 0x183D18) to nop.
 Finally adds 3 additional EE hooks. Emu addresses for ps2_netemu 4.70+
 
 EE address | EMU address 
 0x183F0C   | sub_46334
 0x183F3C   | sub_45DA4
 0x183D74   | sub_47B50
 
 First hook is responsible for grabbing EE addresses from one of EE gpr register. Second hook perform few checks from data in EE gpr registers, and 
 eventually store data from EE gpr registers on previously grabbed addresses. Hook 3 store one of previosly grabbed EE address on unknown part of memory.
 Whole thing looks like HLE version of noped functions.
|-
|0x19|| Burnout 2
 Copy lower 64 bits of $v0 r5900 register to lower 64 bits of $a1 r5900 register.
 All that to make next opcode (hook address + 4) "beq $a1, $v0, addr" always true. Because $a1 and $v0 now have the same value.
 This in turn skip CTimer::GetTimeSeconds((void)) in function CReplay::NextFrame((CDrivingControls *)). Worth to note that CReplay::NextFrame seems to be not related to replay per se, but to car physics.
|-
|0x1A||
 store 0 in [ 0x209FD560 + 200000000 base]
 store 0 in [ 0x209F9550 + 200000000 base]
 store 0 in [ 0x20A01570 + 200000000 base]
 store 0 in [ 0x209F9540 + 200000000 base]
 store 0 in [ 0x209F5540 + 200000000 base]
 store 0 in [ 0x209F1530 + 200000000 base]
|-
|0x1B||
 store 0 in [ 0x20552168 + 200000000 base]
|-
|0x1C||
 store 1 in [ 0x20552168 + 200000000 base]
|-
|0x1D||
 store 0 in [ 0x20556C08 + 200000000 base]
|-
|0x1E||
 store 1 in [ 0x20556C08 + 200000000 base]
|-
|0x1F||
 store 0 in [ 0x205243D8 + 200000000 base]
|-
|0x20||
 store 1 in [ 0x205243D8 + 200000000 base]
|-
|0x21||
 store 0 in [ 0x20524F88 + 200000000 base]
|-
|0x22||
 store 1 in [ 0x20524F88 + 200000000 base]
|-
|0x23||
 store 0 in [ 0x2047E7F8 + 200000000 base]
|-
|0x24||
 store 1 in [ 0x2047E7F8 + 200000000 base]
|-
|0x25||
 store 0 in [ 0x204802B8 + 200000000 base]
|-
|0x26||
 store 1 in [ 0x204802B8 + 200000000 base]
|-
|0x27||
 store 0 in [ 0x20586348 + 200000000 base]
|-
|0x28||
 store 1 in [ 0x20586348 + 200000000 base]
|-
|0x29||
 store 0 in [ 0x205868A8 + 200000000 base]
|-
|0x2A||
 store 1 in [ 0x205868A8 + 200000000 base]
|-
|0x2B|| 
 if ($a1 & 0xF0000000 != 0) a1 = 0 
|-
|0x2C|| Shin Onimusha - Dawn of Dreams Fix IPU DMA JPN((PlayStation 2 the Best)/US release.
|-
|0x2D|| Shin Onimusha - Dawn of Dreams Fix IPU DMA PAL release.
|-
|0x2E|| Shin Onimusha - Dawn of Dreams Fix IPU DMA Unk release. Code from emu match SLPM-66275 release. Why it is unused? Hook address will be 0x3BB4EC.
|-
|0x2F||
 if value at EE Mem 0x37B0C4 == 0, set mips pc register (program counter) to 0x100B98
 Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0. 
|-
|0x30||
 if value at EE Mem 0x37B704 == 0, set mips pc register (program counter) to 0x100B98
 Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|0x31||
 if value at EE Mem 0x37630C == 0, set mips pc register (program counter) to 0x100BA8 
 Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|0x32||
 if value at EE Mem 0x37BB0C == 0, set mips pc register (program counter) to 0x100BA8.
 Config is supposed to repeat chunk of code if EE mem 0x37BB0C == 0.
|-
|0x33|| 
|-
|0x34|| not filled
|-
|0x35|| Ninkyouden: Toseinin Ichidaiki
|-
|0x36|| 
|-
|0x37|| 
|-
|0x38||
|-
|0x39|| Used silently in command 0x4B with first param from 0x4B as hook address. Hook seems to be unusable without 0x4B command, because there is no way to setup redirect mode and ID without 0x4B.
|-
|0x3A|| Used silently in command 0x4C with first param from 0x4C as hook address. Hook seems to be unusable without 0x4C command, because there is no way to setup mode and ID without 0x4C.
|-
|0x3B|| Grand Theft Auto 3 (SLPM-55293 "Rockstar Classics")
 using 0x351210, 0x18F590, 0x351568 ( + 200000000 base )
 0x351210 = start CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
 0x18F590 = start CCollision::ProcessColModels((CMatrix const &, CColModel &, CMatrix const &, CColModel &, CColPoint *, CColPoint *, float *))
 0x351568 = Almost end (only loading values preserved on stack) of CTheScripts::ClearSpaceForMissionEntity((CVector const &, CEntity *)) 
|}
</div>

{{Boxcomm|id=0x02|name=Unknown|data=1x int32}}
Used in function that handle D6 CHCR writes (SIF1), seems to be some kind of timing command for EE --> IOP DMA.
*Valid values found:
**1000d
**3000d
**6000d

{{Boxcomm|id=0x03|name=Unknown|data=N/A}}
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.

{{Boxcomm|id=0x04|name=Unknown|data=1x uint32_t index (i*0x80, special 0x12345: 0x91a280?)}} 
Patch SPE 3 program (eedma) by searching for ila r4, xxxxx, starting at 0x178A0 and replacing them with (0x42000004 | ((value << 7) & 0x1FFFF80)
0x42000004 is ila r4 opcode. Due to opcode encoding example result of that patch with value 0x08 will be 0x42000404 (ila r4, 0x08). There is little bit more than that, but main purpose is just to patch SPE program behavior.
*Valid values found:
**0x08
**0x10

{{Boxcomm|id=0x05|name=N/A|data=N/A}} 
Command not available in ps2_netemu.self

{{Boxcomm|id=0x06|name=Unknown|data=N/A}}
Change VIF1 command 02h OFFSET behavior by patching pointer to function which process it to different previously unused function.

{{Boxcomm|id=0x07|name=Delay VU xgkick by X cycles|data=1x uint32_t}}
Default 1

{{Boxcomm|id=0x08|name=Patch VU memory by mask |data=8x uint32_t (read mask,read mask, original opcode, original opcode, write mask, write mask, replace opcode, replace opcode)}}
Maximum Amount of Usage: 3 times
 
{{Boxcomm|id=0x09|name=EE_INSN_REPLACE64|data=uint32_t count, <list> (offset, original opcode, original opcode, replace opcode, replace opcode)}}
Maximum List Count: 32
*Valid values found
**1 [Dark Cloud] and [Dead Or Alive 2 Hardcore]

{{Boxcomm|id=0x0A|name=EE_INSN_REPLACE32|data=uint32_t count, <List> (<nowiki>mode | offset</nowiki>, original opcode, replace opcode)}}
Command present only in the ps2_netemu. Maximum List Count: 32. Mode is first 4 bits of address field (Xyyyyyyy), can be either 0, 1, or 2. All known examples use this command in 0 mode, and modes 1 and 2 are here just for documentation purposes. 

*mode 0 - Replace 32 bit of EE memory. Params are EE offset, original opcode, replace opcode. 
*mode 1 - Write jr ra, li v0, xxxx to selected memory range. Params are EE memory start address, original opcode, u16 counter, u16 value for li, v0 xxxx
*mode 2 - NOP memory at selected range. Params: start address, end address, unused (can be anything, but is required to align config).
Problem: Original opcode validity check is performed before testing config for special cases. Thus making mode 2 almost inaccessible.<br>
Solution: We can patch that one line of code by the same 0x0A config. So if we want to nop region from 0x100000 to 0x100080, first we need to patch 0x100000 to 0x100080 opcode. So check will pass, "simple" as that.

{{Boxcomm|id=0x0B|name=MECHA_SET_PATCH|data=1x uint32_t count, <List> {sector id, offset, sizeof present opcodes, replace opcodes, original opcodes)}}
Offset on the disc = sector id * sector size + offset + correction [see below]<br>
Offset correction is based on selected read mode (not on media type):<br><br>
CDRead requested block size (CD disc):
*2048 = Offset + 0x18 (skip 12 sync bytes, 4 of header, and 8 of subheader)
*2328 = Offset + 0x18 (skip 12 sync bytes, 4 of header, and 8 of subheader)
*2340 = Offset + 0x0C (skip only 12 bytes of sync data)

DVDRead requested block size (DVD Disc):
*2064 = Offset match, but only until the 349th sector. Otherwise is offset - 0x0C because that read mode see data as ID DATA (4) + ID DATA EDC (2) + Reserved bytes (6) + 2048 data + EDC (4).

"Offset + XX" for CD assume that you use Isobuster RAW mode. "Offset - XX" for DVD assume that you use Isobuster NON RAW mode<br>
Special case is DVD read on very low sector, here you need to use exact offset without substrating 0x0C. Highest confirmed sector that don't use correction for now is 349.
  [Dead Or Alive 2 Hardcore] uses 7
  [Gradius V] uses 1
  [Grand Theft Auto III] uses 1
  [Katamari Damacy] uses 1
  [Manhunt] uses 1
  [Odin Sphere] uses 2
  [Primal] uses 1
  [Psychonauts] uses 1
  [Syphon Filter The Omega Strain] uses 1
 Maximum List Count: 47

{{Boxcomm|id=0x0C|name=Unknown|data=1x (uint16_t, uint16_t)}}
First param can be 0, 1, or 2. Second param in range of 0 and 0xFFFF. Second param is used only if first param == 1. Default values are (1, 0x1000) for PS2DVD, and (1, 0x400) for PS2CD and PS2CDDA.<br>
Other valid values for the second param (found in oficial configs ?): 0x180, 0x800

{{Boxcomm|id=0x0D|name=Unknown|data=1x int32}}
True/false. Default = 1
 0 = Skip some IOP related code responsible for check value from IOP SPE LS 0x2C0C0 (and skip panic if value is 0 or -1).
 Also skip write of value 0x80000000 to SPU Signal Notification 1 Register of IOP SPE.

{{Boxcomm|id=0x0E|name=Improves ADD/SUB accuracy|data=1x int32}}
1 Param offset --- Improves ADD/SUB FPU/COP2 accuracy for selected offset. Work with opcodes from commands 0x26/0x27. Basically command like 0x0F just per offset, no per range.
  [Rygar] only has 0x147DA8 sub.s   $f12, $f20, $f12
 Used in official configs: SCUS97501=0x3C458C, SCES53642=0x3C4854, SLUS21026=0x386864, SLUS20916=0x121F64, SLUS20437=0x11EDF0
 Maximum Amount of Usage: 32 times

{{Boxcomm|id=0x0F|name=More accurate ADD/SUB memory range|data=List <uint32_t Param, uint32_t Param>}}
More accurate memory range. This command is combined 0x26, and 0x27 command.
  [Dark Cloud] uses 0x239334, 0x1FFFFFF
  [Grand Theft Auto SA] uses 0x1E46DC, 0x1E4AE8
 Maximum Amount of Usage: 32 (if there is no additional 0x26/0x27 command)

{{Boxcomm|id=0x10|name=MULDIV Accurate range|data=List <uint32_t Param, uint32_t Param>}}
More accurate MUL/DIV handling on selected memory range for selected FPU opcodes. Effectively work only with: 
 MUL.s, DIV.s, MULA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s. 
 For ADD/SUB opcodes, command is active only on Multiply stage.
 Maximum List Count: 32 

{{Boxcomm|id=0x11|name=VU0 Accurate ADD/SUB|data=1x uint32_t Param}}
Param is VU0 (MICROPROGRAM) memory offset, correct param is in range of 0x000 to 0xFF8.
 Lower pipeline fetch opcode from address, Upper from address + 4. So correct address for config needs to be 8 bytes aligned.
 Used in official configs: SLUS21172=0x208, SLUS20878=0x140,0x368,0x570
 Maximum Amount of Usage: 32 times

{{Boxcomm|id=0x12|name=Unknown|data=<List> (uint32_t count,}}
VU0/COP2 multicommand.<br>
First 8 bytes of that command are special flags.<br>
First 4 bytes are used to enable flags mentioned below.<br>
Second 4 bytes are used to disable them (they aren't all 0's by default).<br>
Valid 0x12 command is required to have those 8 bytes, they can be all 0's, but are mandatory. 

Flags:
{| class="wikitable"
|-
! Value !! Description
|-
|0x1000     || Run additional MAC flag related code after every FMAC operation, VU0 only, COP2 do this by default.
|-
|0x2000     || Additionally update status flag on every FMAC opcode, this config flag requires 0x1000 to be enabled. VU0 only.
|-
|0x100000   || When enabled opcodes like MSUB, MADDA, etc, do proper multiply first, then add/sub. When disabled (default) single opcode is used (vmaddfp / vmmsubfp).  VU0 only.
Note: When this command is disabled, then "Accurate MUL" is skipped for MADDxx/MSUBxx regardless that 0x30000000 is set or not.
Because there is no way to do correct MUL separately when altivec madd/msub is used.
|-
|0x200000   || Run some additional code in VU0 load/store opcodes (ILW, LQI, ISWR, etc.) VU0 only.
|-
|0x400000   || Skip emu syscall_3(3). Skip cached programs lookup and go directly to long and short hash checks, every time when VU0 starts.
|-
|0x800000   || Skip emu syscall_3(4). Skip both long and short hash checks and forcibly recompile program. This command combined with 0x400000, practically force new recompilation every time VU0 run program.
|-
|0x4000000  || Enable type 3/4 subcommand.
|-
|0x8000000  || Accurate VU0 DIV opcode, VU0 only.
|-
|0x10000000 || Full Accurate VU0 MUL. Use runtime from CMD 0x10, but for every matching VU0 opcode, including opcodes like MSUB for mul part.
Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them.
|-
|0x20000000 || Fast Accurate VU0 MUL. Opcodes like MSUB/MADD additionally require 0x100000 to be enabled, otherwise command skip them. Not used in COP2 mode.
Selecting both 0x10000000 and 0x20000000 (0x30000000) work the same way as 0x20000000.
|-
|}

Next section of 0x12 cmd is dedicated to subcommands. There are 4 types of subcommands available, and types 2/3/4 are tied to themselfs to make correct use of them, either 2/3 or 2/4 need to be active to create valid action. Type 1 is separate subcommand that works on its own.

Subcommand:

'''type 1'''

Fix for for internal emulator hash collision. For every recompilled micropragram, emulator calculates hash. This ensures that emulator do not recompile same code more than once, and speed up comparing process, as only hash need to be compared, not whole program.<br>
Due to very low-quality hashing method used, it is possible that 2 different programs ends up having the same hash. Hash is calculated from first 128 bits of VU0 program start, and from its start address, that's not enough to make it unique.<br>
Due to that bug, emulator can use wrong VU0 micro program, running totally different code than it should.

Config data itself points emulator to place where wrong hash is stored, and force emulator to use alternative VU0 offset to recaltulate new hash.<br>
Data is split into 2 parts. Hash Offset, and (VU0 address >> 3) latter is used as new VU0 adrress for hash recalculation.<br>
XXXXX000 are used for hash address, and 00000XXX is where VU address is.
<div class="mw-collapsible mw-collapsed" data-expandtext="{{int:Show}}" data-collapsetext="{{int:Hide}}" background:#cccccc;">'''Additional info'''
<div class="mw-collapsible-content" style="text-align:left;">
<pre>
Dawn of Mana example, chosen that one because it use only 1 count,
and because hash used here is from addr 0x000 of vu0 micromem.

Title : Dawn of Mana
Game ID : SLUS_215.74
[Net] Command ID : 0x12
Data Number : 00000004
    Param 1 : 00000000 ON  flags, unused here
    Param 2 : 00000000 OFF flags, unused here
    Param 3 : 00010001 type 1, count 1
    Param 4 : 0DDF000C Type 1 command data (Big endian here)


VU0 address from config is now left shifted by 3 and masked with 0x7FFF8
This VU0 address is used for new hash calculation.

Hash Offset is obtained by right shifting data by 12 and mask with 0xFFFF0, in this example:
(0x0DDF000C >> 12) & 0xFFFF0 = 0x0DDF0
This finally end up as full address in vu0 jit data memory, 0x1C00DDF0 + 4 (4 is always added while processing)


Ok, but how that "Hash Offset" is calculated? From Previous hash.<br>
Here is code that calculates hash and offset:

#First 64 bits of current microprogram start (Big endian)
a = 0x000002FF4000000B
#Second 64 bits of current microprogram start (Big endian)
b = 0x000002FF8000033C
#Microprogram start address (full, not right shifted by 3)
c = 0x000

a = a + b + c
a &= 0xFFFFFFFFFFFFFFFF
b = (a >> 32) & 0xFFFFFFFF | (a << 32) & 0xFFFFFFFF00000000
a = a^b
b = (a << 5) & 0xFFFFFFFFFFFFFFE0 | (a >> 59) & 0x1F
a = a + b
b = (a << 51) & 0xFFF8000000000000 | (a >> 13) & 0x7FFFFFFFFFFFF
a = a + b
a = a & 0xFFFFFFFF
b = a & 0x1FFF0

print("Hash: {:08X}".format(a))
print("Addr: {:05X}".format(b))

#Hash: AF8EDDF7
#Addr: 0DDF0  <-- our Hash Offset part from config

Bugs: 
* Bad mask used. Hash Offset and VU0 Address while read from cfg are not masked properly, allowing to patch data above 0x1C01FFF0.
</pre>
</div>
</div>

'''type 2'''

Fix for interlocking/synchronization EE with VU0 in micro mode. Usually used for games that are M bit sensitive or loop endlessly on VU0 due to fact that emulator tries to run whole VU0 program at once. 

Single entry have at least 3 * 4 bytes values, but there is possibility for additional values here.

*First value is VU0 microprogram start address, left shift by 3 to get correct offset in VU0 micro memory.
*Second value is a hash, calculated from first 128 bits of VU0 program start, and from its start address. 1st and 2nd values are used only in comparison that ensures that config will apply to correct microprogram.
*Third value is combined from 2 values. It's (VU0 address >> 3) & 0x1FF, and (subtype << 9), accepted subtypes are 1/2/3.
*Fourth and next values, if available are next phases with the same structure as third value. Up to 8 values is accepted for single entry.

VU0 address from 3rd+ values points to VU0 code where branch occurs, branch that is usually dealing with problematic value that is just wrong because of lack of communication with EE during microprogram run.
This is address where execution of VU0 will be halted, and chunk of EE code will be run to ensure that correct values are transfered to VU0, and that VU0 is aware of changes made by EE in mean time (real hardware run VU0 micro and EE mips core simultaneously).

It is very important to remember that delay slot instructions are executed before we get back to EE code.

Subtypes:
*1 = unknown, not used by known configs
*2 = After VU0 halt, when execution from EE back to VU0. Assume that branch on which VU0 halted was taken, and start execution on branch target.
*3 = After VU0 halt, when execution from EE back to VU0. Assume that branch on which VU0 halted was not taken, start execution after delay slot.

This subcommand is always used in conjunction with subcommand type 3, or 4.
<div class="mw-collapsible mw-collapsed" data-expandtext="{{int:Show}}" data-collapsetext="{{int:Hide}}" background:#cccccc;">'''Additional info'''
<div class="mw-collapsible-content" style="text-align:left;">
<pre>
Primal - Civilization Is Only Skin Deep
Data Number : 0000000D
	Param 1 : 04000000 ON  flags, enable subcmd 3/4
	Param 2 : 00000000 OFF flags, unused here
	Param 3 : 00030002 count 3, type 2
	Param 4 : 0000015F VU0 program start address >> 3
	Param 5 : 2C6FBD8D VU0 program hash
	Param 6 : 00000367 (subtype << 9) + (VU0 pause addr >> 3)
	Param 7 : 00030002 count 3, type 2
	Param 8 : 0000016B VU0 program start address >> 3
	Param 9 : E9703531 VU0 program hash
	Param 10: 00000372 (subtype << 9) + (VU0 pause addr >> 3)
	Param 11: 00020003 count 2, type 3
	Param 12: 10399B60
	Param 13: 10399C18

Hash needs to be calculated from VU code part that we want to use config on.

Python script to generate hash (second value). 
#Using Rayman 3 as an example, because addr = 0, so is easier to compare.
#First 64 bits of current microprogram start (Big endian)
a = 0x000002FF4000001F
#Second 64 bits of current microprogram start (Big endian)
b = 0x000002FF80000070
#Microprogram start address (full, not right shifted by 3)
c = 0x000

a = a + b + c
a &= 0xFFFFFFFFFFFFFFFF
b = (a >> 32) & 0xFFFFFFFF | (a << 32) & 0xFFFFFFFF00000000
a = a^b
b = (a << 5) & 0xFFFFFFFFFFFFFFE0 | (a >> 59) & 0x1F
a = a + b
b = (a << 51) & 0xFFF8000000000000 | (a >> 13) & 0x7FFFFFFFFFFFF
a = a + b
a = a & 0xFFFFFFFF
print("Hash: {:08X}".format(a))
</pre>
</div>
</div>

'''type 3'''

todo

'''type 4'''

todo

  [Primal] uses 0xD of type 2/3 subcommand (minus 0x2 for flags)
  [Rayman Arena] uses 0x11 of type 2/3 subcommand (minus 0x2 for flags)
  [Syphon Filter: The Omega Strain] uses 0x5 of type 1 subcommand (minus 0x2 for flags)
 Maximum List Count: 63 

{{Boxcomm|id=0x13|name=Memory card timing related delay|data=1x uint64_t Param}}
 0x9bdc  (39900)  - Used by "Phantasy Star Universe" (official config for SLPM-66031), "WRC II Extreme", and "Burnout Dominator"
 0xf960  (63840)  - Used by "Jak X: Combat Racing" (official config for SCUS-97429), and "Netsu Chu! Pro Yakyuu 2004"
 0x1d394 (119700) - Used by "Jissen Pachi-Slot Hisshouhou! Kemono-Oh" (official config for SLPS-20131)

{{Boxcomm|id=0x14|name=VU1 transform ADD/SUB|data=N/A}}
When enabled ADD/SUB VU1 opcodes are processed differently on recompiling/translation stage. Seems to be very specific hack, most likely not usable outside of THPS 4+ engine games. <br>
Note: This setting affects only VU1, and only ADD/SUB. All other opcodes like ADDi,ADDq, MSUB, ADDbc, are not affected.

{{Boxcomm|id=0x15|name=Unknown|data=1 Param ( <1, >1 )}}
Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A2C0 - 0x3A6C0 and patch first branch that match to "bi r127". That weird approach was probably used because spe program differ little bit between emu versions, so they don't need to update command on every new emu revision. Currently (4.75+) this command patch branch at address 0x3A3A4 (bra sub_2E600). This command takes partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior.
 [Aeon Flux] uses 2 (gxemu config)
 [Bloodrayne 2] uses 4
 [GRIMgRiMoiRe] uses 4
 [Mana Khemia 2] uses 4
 [Odin Sphere] uses 4
 [SMT Persona 3 FES] uses 4
 [Parappa the Rapper 2] uses 0x14 (softemu config) or 0x4 (gxemu config)
{{Boxcomm|id=0x16|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x17|name=COP0 configure MTC0/MFC0|data=1x int32 ?}}
True/false. Default 0.
<br>Command change behavior of MTC0/MFC0 operation of COP0 Count ($9) register. When enabled time base register is used as a base for calculation, when disabled decrementer register is used as a base for calculations (using emu syscall 12). 
 [Bully] uses 1

{{Boxcomm|id=0x18|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x19|name=Force analog controller mode|data=N/A}}
Skips check for analog/digital controller mode and returns forced analog mode
 [Grand Theft Auto III]
 [Grandia II]
 [Red Faction 2]
 [Siren]

{{Boxcomm|id=0x1A|name=Unknown|data=N/A}}
IPU hack to end fromIPU DMA transfer on BCLR command (store 0 on D3_QWC and D3_CHCR.STR). Not stopping that transfer is actually correct behavior..

{{Boxcomm|id=0x1B|name=Unknown|data=N/A}}
When IDEC command don't finish, probably due to bad timings. Hack clear D3_CHCR.STR bit when there is still QW left in D3_QWC reg , and IDEC finished already. 
 [Mana Khemia 2]

{{Boxcomm|id=0x1C|name=Emulate Multitap|data=read uint32_t (use uint8_t)}}
Enables/disables Multitap emulation. Default 3
 0 = disable multitap emulation
 1 = enable multitap in controller port 1 (when needed)
 2 = enable multitap in controller port 2 (when needed)
 3 = enable multitaps in both controller ports (when needed)
  [Medal of Honor: European Assault] uses 1
  [Twisted Metal: Black] uses 1


{{Boxcomm|id=0x1D|name=Set Multitap|data=read uint32_t (use uint8_t)}}
Sets multitap to specific controller ports and adjusts the order of ports to which controllers are synced. Default 0?
 0 = no multitap set (only when needed)
     Controller sync order: 1/1-A, 2/2-A, 1-B, 2-B...
 1 = sets multitap in controller port 1 at all times
     Controller sync order: 1/1-A, 1-B, 1-C, 1-D...
 2 = sets multitap in controller port 2 at all times
     Controller sync order: 1/1-A, 2/2-A, 2-B, 2-C...
 3 = sets multitaps in both controller ports at all times
     Controller sync order: same as 0
  [Medal of Honor: European Assault] uses 1
  [Twisted Metal: Black] uses 1
  [Mystic Heroes] uses 2 (game does not detect multitap in controller port 1)
  [Sonic Riders] uses 2 (GX config, game may not detect multitap in controller port 1)

{{Boxcomm|id=0x1E|name=Multitap related|data=read uint32_t (use uint8_t)}}
 [FIFA 2001] uses 3 (settings for both multitaps?)

{{Boxcomm|id=0x1F|name=Unknown|data=1x uint32_t}}
Default 1
 Make VIF0 commands MSCAL/MSCALF/MSCNT/MPG/FLUSHE non instant. By default every VIF0 command take 1 cycle, so it's instant.
 This config give vif0 some timing sense.
 When delta from config passed and vpustat vu0 bits are non 0 (so practically if vif0 is still running),
 add 500 cycles and go on until next event test before doing anything on vif0.
 This can also be used to ensure that next vif0 command won't run until delta from config passed.
 Value from config is added to current r5900 cycles and vif0 will do nothing unless current cycles match new value.
 *Valid values found: 200d, 1000d

{{Boxcomm|id=0x20|name=Unknown|data=1x uint64_t}}
Default 0x3C
 Config value is used as multiplier for value:
 if (mode == NTSC) multiplicand = 2535;
 if (mode == PAL)  multiplicand = 5107;
 if (mode == 1080) multiplicand = 2364;
 
 At default config value of 0x3C results are:
 NTSC = 152100
 PAL  = 306420
 1080 = 141840
 
 Result is compared against decrementer ticks.
 This result value determines how frequently emulator events test checks GS related things.
 This include raising GS irq if VSINT/SIGNAL/FINISH occurred, updating display parameters, etc. 

*Valid values found: 10d, 60d, 100d, 120d, 200d, 240d

{{Boxcomm|id=0x21|name=Unknown|data=1x uint32_t}}
 Option one default value = 1, when set to 0: r5900 CACHE opcode IXLTG store 0 in COP0 TagLo register. More than that recompiler skip function responsible for analyze and emitting costly iCache checks.
 This drastically reduce emitted code size, and practically disable iCache emulation. Additionally CACHE IXIN/IHIN opcodes use different very long code path (this can be skipped with cmd 0x03).
 Option two default value = 0, when set to 1: Emit some kind of check for current r5900 PC with possible trap (tw opcode) at the end. 1 is valid only when option one is 0.
 
 0 = sets an option one to 0 and option two to 0
 1 = sets an option one to 0 and option two to 1
 2 = sets an option one to 1 and option two to 0 (default)
  [Fatal Frame II] uses 0
  [Grand Theft Auto Vice City] uses 1
  [Grand Theft Auto III (EU)] uses 1
  [SMT Persona 3 FES] uses 0

{{Boxcomm|id=0x22|name=Unknown|data=N/A}}
Sets something 1

{{Boxcomm|id=0x23|name=Unknown|data=N/A}}
Copy VIF1 command 01h STCYCL handler struct into unused 08h slot (slots are 100 bytes per command, include pointer to function that handle command, and other data). Then patch slot 08h function pointers to function at 0x14E00. 08h is normally unused, and handled as a NOP. This command is useful only with additional 0x01 (0x13-0x15) hooks, which inject 08h VIF1 command into game code when other conditions are met.

{{Boxcomm|id=0x24|name=Unknown|data=1x uint64_t}}
SIO2 related
*Valid values found: 12000d, 48000d

{{Boxcomm|id=0x25|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x26|name=FPU Accurate ADD/SUB range|data=List <uint32_t Param,uint32_t Param>}}
Improves FPU accuracy for selected memory range. Efective only on:
 ADD.s, SUB.s, ADDA.s, SUBA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s
 For M(UL) opcodes, command is active only on ADD/SUB stage.
 
  [Bloodrayne 2] uses 0x340000, 0x350000
  [Gradius V] uses 0x3046E0, 0x0x305E44
 Maximum Amount of Usage: 32 (if there is no additional 0x0F command)

{{Boxcomm|id=0x27|name=VU0 macromode accurate range|data=List <uint32_t Param,uint32_t Param>}}
Improves COP2 operations accuracy for selected memory range. Effective only for opcodes:
 VSUBAxyzw, VSUBAq, VSUBAi, VSUBA, VSUBxyzw, VSUBq, VSUBi, VSUB, VMSUBAxyzw,
 VMSUBAq, VMSUBAi, VMSUBA, VMSUBxyzw, VMSUBq, VMSUBi, VMSUB, VMADDAxyzw,
 VMADDAq, VMADDAi, VMADDA, VMADDxyzw, VMADDq, VMADDi, VMADD, VADDAxyzw,
 VADDAq, VADDAi, VADDA, VADDxyzw, VADDq, VADDi, VADD
 
 Maximum Amount of Usage: 32 (if there is no additional 0x0F command)
 Seems to affect only ADD/SUB part of opcode. 

{{Boxcomm|id=0x28|name=Unknown|data=1x uint32_t}}
<=3
*Valid values found: 0, 1, 2, 3

{{Boxcomm|id=0x29|name=Unknown|data=2x uint32_t}}
Seek time modifier. Exact values meaning is unknown for now, they are used as multiplier. First param affect fast seek time, second param affect full seek time. Default value is 0x1F40, 0xBB80 (8000, 48000). Config affect only CDVD N Command Seek, read command that "SeekToSector" is not affected.

{{Boxcomm|id=0x2A|name=Unknown|data=N/A}}
Sets something 1. 
 All-Star Baseball 2004

{{Boxcomm|id=0x2B|name=Unknown|data=N/A}}
When enabled emulated register 0x1F40200F (disc type) is set to 0x13 (PS2CDDA) when media type detected by emu is 0x12 (PS2CD), confirmed in emu code/assembly. Ps2_emu do same thing in "Setting mecha HACK to show GODZCD as GODZCDDA", but due to real media support this is done in little bit different way (but still, 1F40200F is set to 0x13). During testing Dance Factory game, still no tracks are detected regardless of the command. Could be a netemu or Cobra issue (single, mixed mode .bin/.cue loaded).
 Dance Factory

{{Boxcomm|id=0x2C|name=Unknown|data=1x uint32_t}}
Store (value | value << 32 | value << 64 | value << 96) on 0x2B4F0 of SPE 0 (IOP) LS.
In summoner config it will be 0x00000001000000010000000100000001 stored at 0x2B4F0.
Value is later used in clgt compare as rb register. Default seems to be 0x00000020000000200000002000000020.
 Summoner uses 0x1

{{Boxcomm|id=0x2D|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x2E|name=Unknown|data=1x uint32_t}}
*Valid values found: 0x172

{{Boxcomm|id=0x2F|name=Unknown|data=1x uint32_t}}
Store value on 0x2E784 in SPE 1 (PS2 SPU2) LS. Used values are 1, and 2 (after andi, so 3 trigger both configs).
* Infamous Final Fantasy confirmation sound issue (in fact it does affect every sound effect using the reverb and only in the ps2_netemu) is fixed by 0x2 value.
 Indigo Prophecy/Fahrenheit uses 0x1
 Kengo 3 uses 0x2

{{Boxcomm|id=0x30|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x31|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x32|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x33|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x34|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x35|name=Enable Force Flip Field|data=N/A}}
Described in emu setting as "''Fix for [Hang] for soft-lock''"

{{Boxcomm|id=0x36|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x37|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x38|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x39|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x3A|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x3B|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x3C|name=N/A|data=N/A}}
Command not available in ps2_netemu.self

{{Boxcomm|id=0x3D|name=Config revision|data=1x uint32_t}}
Used by debug menu to print config revision. While every official and unofficial config use it, command is not mandatory. Debug menu will just print '''None''' as a config revision if command is missing. Official configs use this as a kind of debugging info to know minimal required emu revision.

{| class="wikitable" style="font-size:1em; line-height:1em"
|+Config commands supported by emulator revision
! Supported Commands !! ps2_netemu Revision !! PS3 Firmware
|-
| Up to 0x41 || 15686 || 3.70 or newer
|-
| Unknown || 16040 || Unknown
|-
| Up to 0x43 || 16604 || 4.20 or newer
|-
| Up to 0x45 || 16808 || 4.30 or newer
|-
| Up to 0x46 || 16916 || 4.40 or newer
|-
| Up to 0x48 || 17041 || 4.45 or newer
|-
| Up to 0x4A || 17179 || 4.50 or newer
|-
| Up to 0x4D || 17277 || 4.55 or newer
|- 
| Up to 0x50 || 17495 || 4.78 or newer
|}
See: [[PS2_Emulation#PS2 Emulator Types and Revisions|PS2 Emulator Types and Revisions]]

{{Boxcomm|id=0x3E|name=Unknown|data=N/A}}
Similar to 0x0D with param 0. Affect the same IOP related code path, but skips more code. 
 

{{Boxcomm|id=0x3F|name=Unknown|data=1x uint32_t}}
Store value on 0x2B700 of SPE 0 (IOP) LS. SIF1 DMA related.

{{Boxcomm|id=0x40|name=Unknown|data=N/A}}
Command change GIF behavior by setting value to 1 at address 0x2F0 LS in SPU4.
 Grand Theft Auto SA
 Silent Hill Origins - unofficial fix

{{Boxcomm|id=0x41|name=Unknown|data=N/A}}
When enabled ignore D_ENABLEW (1000F590) writes from EE on SPE3 (EEDMA). D_ENABLER is updated regardless of cmd on PPE side. Enabling that command nullify 0x01 hooks for Max Payne!
 Dragon Force
 God Hand
 Gradius V
 Katamari Damacy

{{Boxcomm|id=0x42|name=EE Overlay patch|data=2 main Params + patch data: uint32_t address, uint32_t count, opcode,opcode,opcode...}}
Applied on game start (more precisely while executing ps2 bios syscall 7 ExecPS2), if game overwrite selected part of memory, it will wipe 0x42 patch. See [[Special:Diff/67828/67858]]
 Start address can be (in theory) anywhere, but Sony used the 0xFF000 - 0xFFFFC range for this purpose.
 Count is size of patch in 4 bytes opcodes. So 5 opcode patch = count 5.
 Opcodes will be placed on selected address, we use only patch code, no need for original opcode.
 Next opcode addresses are auto calculated (+4..) so we need to specify only patch start address.
 Remember we need to jump to our new code, best way is command 0x0A with j (jump) opcode.
 Also is important to add return jump if required. That one need to be added in our 0x42 patch.
 Maximum opcodes count seems to be 0x3FF (1023 opcodes).

{{Boxcomm|id=0x43|name=Unknown|data=1x int32}}
Equal to command 0x40, but with Parameter:
 Command change GIF behavior by setting value at address 0x2F0 LS in SPU4, correct values are:
 0 = Default
 1 = More agressive changes (like 0x40)
 anything other = less agressive changes
 Code on SPU side check for non zero value, and in few places explicitly for 1 (ceqi rxx,rxx,1) without mask. 
 Config have weird behavior. When there is no param, and config end (no more bytes after 43 00 00 00), then param 0xFFFFFFFF is set automatically.  
 
 Shin Sangoku Musou uses 0xFFFFFFFF

{{Boxcomm|id=0x44|name=Disables Smoothing and Smoothing option|data=N/A}}

{{Boxcomm|id=0x45|name=Unknown|data=N/A}}
Sets something 1
 Prevent  display_mode 2 (CELL_GCM_DISPLAY_576_unk)         [640x576]
 and      display_mode 0 (CELL_GCM_DISPLAY_480_unk) (60Hz?) [640x480]
 from beign set.
 
 Allow   display_mode 1 (CELL_GCM_DISPLAY_480_unk2) (59Hz?) [640x480]
 and     display_mode 5 (CELL_GCM_DISPLAY_720P_59)          [1280x720]
 depending on sys_info.video_mode & 0x200 is 0 or not.
 Both 480 modes can be either I or P, so is something else, probably 59/60Hz.
 This config possibly affect only in-emu UI, but this require testing.
 
 Phantasy Star Complete Collection

{{Boxcomm|id=0x46|name=Enable L2H Improvement|data=N/A}}
Performance related setting for titles using L2H (Local to Host, so called GS download (from GS to  EE))
 SMT Digital Devil Saga 1 - Crazy amount of GS downloads used to draw characters in-game
 SMT Nocturne
 Fatal Frame II
Other games affected (not in official config)
 Soul Calibur 2 - When looking at the sun
 GT4 - When looking at the sun
 Valkyrie Profile 2 - Similar situation to SMT DDS1, in Solde game literally do thousands of 30QWC downloads all the time.
 Tak and the Power of JuJu - Fix freeze during loading of the Burial Ground level in the NTSC version. This probably getting lucky with VIF1/GIF timing, normally command is not supposed to fix hang issues.

{{Boxcomm|id=0x47|name=Enables XOR CSR|data=N/A}}
Graphics related setting.<br>
XOR  bit 13 of GS CSR register (CSR.FIELD). Should fix fullscreen line corruption, maybe some interlacing issues. Long shot, but can possibly affect SCANMSK games.

{{Boxcomm|id=0x48|name=VSYNC Delay|data=2x uint32_t}}
*First param possible value are 1 = No IPU, 2 = IPU, 3 = Anytime.
*Second param is delay (in ms?), and can be also negative value.
**Emu has standard presets for second param.
***Agressive = 0x3D090 (250000 decimal),
***Normal = 0x186A0 (100000 decimal),
***Conservative = 0x4E20 (20000 decimal),
***But other values can be used.
 [SMT Digital Devil Saga 1] uses 1, 0x3D090
 [Fatal Frame II] uses 0x2, 0xFFFFE69C (-6500 decimal)

{{Boxcomm|id=0x49|name=Unknown|data=N/A}}
Skip part of code which use GS XYOFFSET_1 register, possibly ignore it at all.  
 Trapt

{{Boxcomm|id=0x4A|name=Unknown|data=N/A}}
Change VIF1 command 14h MSCAL behavior to use 15h MSCALF (VIF1) instead. MSCALF behavior is the same as MSCAL, but also waits for PATH1 and PATH2 to not be active before starting a microprogram. This is hack, and MSCAL should be fixed instead to wait in queue instead of triggering early.
 Applies to the Snowblind Engine games. Fixes the rest of flickering textures.
 Meant to be used in conjunction with the GX/SOFT Snowblind Engine's specific commands (double 0x01 and 0x23 combo).

{{Boxcomm|id=0x4B|name=Redirect SAVEDATA by ID|data=2x uint32_t + ID: offset, int, char[]}}
 For proper config we need at least 2 (can be more if needed) 0x4B commands, one to enable redirect, one to disable.
 First param is EE memory offset that when is hit enable/disable redirection.
 Second param is used to select which card will be redirected:
   0x00 do nothing
   0x01 for SCEVMC0.VME
   0x02 for SCEVMC1.VME
   0x03 for SCEVMC0.VME and SCEVMC1.VME
   0xFFFFFFFF to disable redirection, and use original VMEs.
 Third param is ID of SAVEDATA we want to use padded with 00 to match 12 bytes, or all 00 in disable redirect config.
 Important note here is that config have own 00 00 00 00 terminator at the end. 
 So after 12 bytes of ID we need to add 4 bytes of 00. That apply also to disable redirect version.
 Under the hood config also setup 0x01 hook commands with 0x39 subcommand on selected addresses. 

{{Boxcomm|id=0x4C|name=Unknown|data=2x uint32_t + ID: offset, int, char[]}}
 Used to redirect to different ISO without game reset. First param is EE offset to hook, second param is some kind of mode selector, depending on that 
 emulator later set mecha switch disc state:
   mode 0x01 = set disc switch state to 1 (on next mecha main loop it will emulate opening the tray).
   mode 0x02 = set disc switch state to 3.
   mode 0x03 = set disc switch state to 3. This state repeats because it work different way depending that emulated tray is closed or no.
   mode 0x04 = set disc switch state to 2.
   mode anything else = do nothing.
 Third value is ID in big endian hex ascii (eg. NPJD12345), additionally 0x4C expect own 00 00 00 00 terminator. To eventually end redirection use 
 another 0x4C but with (offset, 0xFFFFFFFF, 4 * 0x00000000 . This config have very similar usage to 0x4B, just redirect to different iso, instead to 
 different MC. Currently is unknown that cobra patched emulators support that config properly, and swap disc thru 0x00 command seems to be easier.
 This config don't work if 0x00 multidisc config is detected. Config under the hood setup 0x01 hooks with subcommand 0x3A

{{Boxcomm|id=0x4D|name=Unknown|data=1x uint32_t}}
Param is floating point value. Default value 0.
 if Q in GS RGBAQ write is 0.0 or -0.0 then
     Q = Q | value from config
 else
     Q = Q
  
 Wild Arms: The Fifth Vanguard uses 0x3F800000 (1.0)

{{Boxcomm|id=0x4E|name=Unknown|data=Unknown}}

{{Boxcomm|id=0x4F|name=Unknown|data=Unknown}}

{{Boxcomm|id=0x50|name=Enable pressure sensitive controls|data=N/A}}

=PS2 Gxemu Commands=
PS2 GX Emu commands are Big Endian unless noted. Every command size is 0x18, and unused data need to be filled with zeros. Commands which point to emulator memory have additional data, but command itself is still 0x18 in size. Data fields are just example values and can be changed to different value when needed. 
{{BoxcommGX|id=0x01|net_id=0x02|data=1x int32|}}
Used in function that handle D6 CHCR writes (SIF1), seems to be some kind of timing command for EE --> IOP DMA.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x00000001 |  0x00000000  | 0x00000BB8  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x02|net_id=0x03|data=None|}}
Skip r5900 CACHE IXIN/IHIN (Index/Hit invalidate) opcodes.
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000002 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x03|net_id=0x04|data=1x int32|}}
Patch SPE 4 program (eedma) by searching for ila r4, xxxxx, starting at 0x178A0 and replacing them with (0x42000004 | ((value << 7) & 0x1FFFF80) 0x42000004 is ila r4 opcode. Due to opcode encoding example result of that patch with value 0x08 will be 0x42000404 (ila r4, 0x08). There is little bit more than that, but main purpose is just to patch SPE program behavior.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x00000003 |  0x00000000  | 0x00000008  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x04|net_id=Not available|data=None|}}
Patch spe 4 program to use alternative VIF1 Direct/DirectHL command handler.
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000004 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x05|net_id=0x06|data=None|}}
Patch spe 4 program to use alternative VIF1 Offset command handler.
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000005 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x06|net_id=0x07|data=1x int32|}}
Delay XGKICK by x cycles.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x00000006 |  0x00000000  | 0x00000008  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x07|net_id=0x08|data=1x int32|}}
Patch 2 x 32 bit opcodes of VU1 microprogram (lower and upper opcode). Config allow to specify bitmask for both read and write.
 Format:
 32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit align | 32 bit align
 0x00000007 |  0x00000000  |   0x0000000000341190    |  0x00000000  |  0x00000000

 Additional example data at 0x341190 looks like this:
  64 bit read mask  | 64 bit read value  | 64 bit write mask  | 64 bit write value
 0x80000000FFFFFFFF | 0x0000000040000001 | 0x00000000FFFFFFFF | 0x000000008000033C

 Which translates to C:
 if readVu1Code(i) & 0x80000000FFFFFFFF == 0x0000000040000001
     writeVu1Code(i, 0x000000008000033C & 0x00000000FFFFFFFF)

{{BoxcommGX|id=0x08|net_id=0x09|data=1x int32|}}
Patch 2 x 32 bit opcodes of EE executable code.
 Format:
 32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
 0x00000008 |  0x00000000  |   0x0000000000341190    |  0x00000002  |  0x00000000

 Additional example data at 0x341190 looks like this:
  32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode 
     0x00418750     |  0x00000000  |       0x1062FFFA       |       0x00000000       |       0x00000000      |      0x00000000
 
 due to patch count == 2 in this example, there is next set of data right after first one:
  32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode 
     0x00418808     |  0x00000000  |       0x1062FFFA       |       0x00000000       |       0x00000000      |      0x00000000

<div class="mw-collapsible mw-collapsed" data-expandtext="{{int:Show}}" data-collapsetext="{{int:Hide}}" style="width:1000px; background:#cccccc;">'''More info'''
<div class="mw-collapsible-content" style="text-align:left;">
This command read and write opcodes as a 64 bit value. This can be really confusing when creating custom config.

Lets assume that EE offset 0x100000 holds value (in raw hex) 00 11 22 33 44 55 66 77 and we want to change it to 88 99 AA BB CC DD EE FF
 Format:
 32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
 0x00000008 |  0x00000000  |   0x0000000000341190    |  0x00000001  |  0x00000000
 
 Additional example data at 0x341190 looks like this:
  32 bit EE offset  | 32 bit align | 32 bit original opcode | 32 bit original opcode | 32 bit replace opcode | 32 bit replace opcode 
     0x00100000     |  0x00000000  |       0x77665544       |       0x33221100       |       0xFFEEDDCC      |      0xBBAA9988
                    |              |value read from 0x100004|value read from 0x100000|value write to 0x100004|value write to 0x100000
 
This happen because emulator read 64 bit value from 0x100000 and reverse it from little to big endian as whole 64 bits. Exactly the same happen for values that emulator write to memory.
This little code snippet can help little bit with conversion.
 # Value to convert, copied from hex editor or disassembler.
 x = "00 11 22 33 44 55 66 77"
 
 x = x.replace(" ", "")
 x = int(x, 16)
 
 x = (x & 0x00000000FFFFFFFF) << 32 | (x & 0xFFFFFFFF00000000) >> 32
 x = (x & 0x0000FFFF0000FFFF) << 16 | (x & 0xFFFF0000FFFF0000) >> 16
 x = (x & 0x00FF00FF00FF00FF) << 8  | (x & 0xFF00FF00FF00FF00) >> 8
 a = x >> 56
 b = (x >> 48) & 0xFF
 c = (x >> 40) & 0xFF
 d = (x >> 32) & 0xFF
 e = (x >> 24) & 0xFF
 f = (x >> 16) & 0xFF
 g = (x >> 8) & 0xFF
 h = x & 0xFF
 print("{:02X} {:02X} {:02X} {:02X} {:02X} {:02X} {:02X} {:02X}".format(a,b,c,d,e,f,g,h))
Beside own python installation, code can be used on site like https://www.w3schools.com/python/trypython.asp?filename=demo_compiler
</div>
</div>
{{BoxcommGX|id=0x09|net_id=0x0B|data=1x int32|}}
Patch disc data during read operation. <!--todo: explain lba/offset.. offset.-->
 Format:
 32 bit ID  | 32 bit align | 64bit ptr to emu memory | 32 bit count | 32 bit align
 0x00000009 |  0x00000000  |   0x0000000000341190    |  0x00000001  |  0x00000000

 Additional example data at 0x341190 looks like this:
  32 bit lba | 32 bit offset in lba | 64 bit ptr to replace data | 64 bit ptr to original data | 32 bit data size in bytes | 32 bit align
  0x00000471 |      0x00000280      |     0x00000000003411B0     |     0x00000000003411B4      |         0x00000004        |  0x00000000

{{BoxcommGX|id=0x0A|net_id=0x0C|data=2x uint16|}}
First param can be 0, 1, or 2. Second param in range of 0 and 0xFFFF. Second param is used only if first param == 1. Default values are (1, 0x1000) for PS2DVD, and (1, 0x400) for PS2CD and PS2CDDA.
 Format:
 32 bit ID  | 32 bit align | 16 bit data | 16 bit data | 32 bit align | 32 bit align | 32 bit align
 0x0000000A |  0x00000000  |    0x0001   |    0x0400   |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x0B|net_id=0x0D|data=1x int32|}}
Command take bool value and default is 1. When set to 0: Skip some IOP related code responsible for check value from IOP SPE (and skip panic if value is 0 or -1).<br>
Also skip write of value 0x80000000 to SPU Signal Notification 1 Register of IOP SPE.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x0000000B |  0x00000000  | 0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x0C|net_id=0x0E|data=1x int32|}}
Use PS2 accurate add/sub math for selected opcode/offset. Command is valid for every FPU and COP2 opcode that do add/sub (also for opcodes like VMSUBA, MADD, etc). 
 Format:
 32 bit ID  | 32 bit align | 32 bit EE memory offset | 32 bit align | 32 bit align | 32 bit align
 0x0000000C |  0x00000000  |       0x001264D4        |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x0D|net_id=0x0F|data=2x int32|}}
Use PS2 accurate add/sub math for selected opcode/offsets range. Command is valid for every FPU and COP2 opcode that do add/sub (also for opcodes like VMSUBA, MADD, etc). 
 Format:
 32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
 0x0000000D |  0x00000000  |          0x0012A3D4           |         0x0012A468         |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x0E|net_id=0x10|data=2x int32|}}
Use PS2 accurate mul/div math for selected opcode/offsets range. Command is valid for every FPU opcode that do mul/div (also for opcodes like MADD, MSUBA etc). Command does not work for COP2 opcodes. 
 Format:
 32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
 0x0000000E |  0x00000000  |          0x005719D8           |         0x00571C2C         |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x0F|net_id=0x11|data=1x int32|}}
Use PS2 accurate add/sub math for selected opcode/offset in VU0 microprogram. Command is valid for every VU0 opcode that do add/sub (also for opcodes like MSUBAQ, MADDAx, etc).<br>
Valid VU0 memory offset is in range (0x000 to 0xFFF) & 0xFF8, which mean that last nibble needs to be either 0 or 8. <!--Todo: Is it really VU0 offset in plain hex or (offset >> 8)-->
 Format:
 32 bit ID  | 32 bit align | 32 bit VU0 memory offset | 32 bit align | 32 bit align | 32 bit align
 0x0000000F |  0x00000000  |        0x00000208        |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x10|net_id=0x12|data=1x int64, 1x int32|}}
Multi-purpose VU0/COP2 command. Data size vary depending on sub commands, but at least 2 x 32 bit is required to make command valid. 
 Format:
 32 bit ID  | 32 bit align | 64 bit ptr to emu memory with data | Data size / 4 | 32 bit align
 0x00000010 |  0x00000000  |         0x0000000000323288         |  0x0000000D   |  0x00000000

{{BoxcommGX|id=0x11|net_id=0x13|data=1x int64|}}
Delay memory card related operations by x cycles.
 Format:
 32 bit ID  | 32 bit align |    64 bit data     | 32 bit align | 32 bit align
 0x00000011 |  0x00000000  | 0x000000000000F960 |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x12|net_id=0x14|data=None|}}
Use alternative code path during ADD/SUB VU1 recompilation. Config seems to be very specific hack, most likely not usable outside of THPS 4+ engine games.<br>
Note: This setting affects only VU1, and only ADD/SUB. All other opcodes like ADDi,ADDq, MSUB, ADDbc, are not affected.
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000012 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x13|net_id=0x15|data=1x int32|}}
Patch SPE 0 (IOP) program in local memory. Command search for absolute branches in LS 0x3A9C0 - 0x3ADC0 and patch first found absolute branch to "bi r127".<br>
This command takes partially unused value. Value 0,1 do nothing, values 2 and above run command. Doesn't matter is 2,4, or 10. Nothing will change in command behavior.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x00000013 |  0x00000000  | 0x00000002  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x14|net_id=Not available|data=1x int8|}}
Gsgif related command. Unused in latest emu, also seems to be unreachable even if set.
 Format:
 32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000014 |  0x00000000  |    0x01    |   0x000000   |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x15|net_id=0x17|data=1x int8|}}
Value is bool, default 0. When set to true, MTC0/MFC0 operation of COP0 Count ($9) register uses ppc timebase register as a base for calculation, when disabled decrementer register is used as a base for calculations.
 Format:
 32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000015 |  0x00000000  |    0x01    |   0x000000   |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x16|net_id=Not available|data=None|}}
Perform additional check during GS CSR write and if there is SIGNAL clear bit active and other dependencies are fulfilled, do some additional operations with GS.
 Format:
 32 bit ID   | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x000000016 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x17|net_id=0x1A|data=None|}}
IPU BCLR command hack <!--todo-->
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000017 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x18|net_id=0x1B|data=None|}}
IPU IDEC command hack <!--todo-->
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000018 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x19|net_id=Not available|data=None|}}
Disable DEV9. Disables net/ps2hdd capabilities including Network Adapter detection.
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000019 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

<div class="mw-collapsible mw-collapsed" data-expandtext="{{int:Show}}" data-collapsetext="{{int:Hide}}" style="width:700px; background:#cccccc;">'''More info'''
<div class="mw-collapsible-content" style="text-align:left;">

Command disable reads/writes to selected IOP HW registers. Disabled regs are:
* 0x10000000 - 0x10003FFF (DEV9/SPEED/ATA/SMAP)
* 0x1F801460 - 0x1F80147F (Unknown)

Command is auto applied to titles listed here (duplicates are really there in emu too):
     Hash           ID                 Name
 0x0CD1298155  SLES_540.13  World Snooker Championship 2007
 0x12C93199A5  SLES_518.40  NHL Hitz Pro
 0x15C93199AD  SLES_549.13  Pro Evolution Soccer 2008
 0x24D92589A5  SLUS_211.86  NBA Ballers - Phenom
 0x2CD12D8125  SLUS_212.35  MLB 2K6
 0x34C9359935  SLUS_211.38  X-Men Legends II - Rise of Apocalypse
 0x34C93599E5  SLUS_211.28  Blitz - The League
 0x34C93599E5  SLUS_211.28  Blitz - The League
 0x449961C9E5  SLES_542.10  NBA 2K7
 0x4C9169C1CD  SLES_542.46  FIFA '07
 0x4C9169C1D5  SLES_542.45  NHL '07
 0x4C9169C1DD  SLES_542.44  FIFA '07
 0x4C9169C1E5  SLES_542.43  FIFA '07
 0x4C9169C1F5  SLES_542.41  FIFA '07
 0x4C9169C1FD  SLES_542.40  FIFA '07
 0x4CB14DE12D  SLUS_213.74  Marvel - Ultimate Alliance
 0x54A955F915  SLUS_212.74  Outrun 2006 - Coast 2 Coas
 0x5CA15DF165  SLUS_213.01  World Series of Poker
 0x5CA15DF1FD  SLUS_212.86  WWE SmackDown! vs RAW 2006
 0x5CA15DF1FD  SLUS_212.86  WWE SmackDown! vs RAW 2006
 0x649965C94D  SLUS_214.63  Tom Clancy's Ghost Recon 2
 0x649965C955  SLUS_214.60  NBA Live '07
 0x649965C95D  SLUS_214.61  NASCAR '07
 0x649965C965  SLUS_214.58  NHL '07
 0x649965C96D  SLUS_214.59  NCAA Football '07
 0x6BB149E15D  SLES_531.04  Tom Clancy's Rainbow Six - Lockdown
 0x6C916DC165  SLUS_214.91  World Series of Poker - Tournament of Champions
 0x6C916DC1A5  SLUS_214.83  Tiger Woods PGA Tour '07
 0x6C916DC1AD  SLUS_214.82  NFL Street 3
 0x6C916DC1B5  SLUS_214.81  NCAA March Madness '07
 0x6C916DC1D5  SLUS_214.77  Madden NFL '07 [Hall of Fame Edition]
 0x6C916DC1DD  SLUS_214.76  Madden NFL '07
 0x748975D9DD  SLUS_213.83  Fight Night - Round 3
 0x7C817DD125  SLUS_214.33  FIFA Soccer '07
 0x7C817DD165  SLUS_214.25  NHL 2K7
 0x7C817DD16D  SLUS_214.24  NBA 2K7
 0x7C817DD175  SLUS_214.27  WWE SmackDown! vs RAW 2007
 0x7C817DD1CD  SLUS_214.12  World Championship Poker featuring Howard Lederer - All-In
 0x84798529BD  SLUS_205.65  Champions of Norrath
 0x8559A109AD  uuunnnnnkkk  
 0x8579852915  SLUS_215.68  Arena Football - Road to Glory
 0x8579852965  SLUS_215.82  MVP '07 - NCAA Baseball
 0x8D51A90145  SLES_545.11  UEFA Champions League
 0x8D51A901B5  SLES_545.13  UEFA Champions League
 0x8D51A901BD  SLES_545.12  UEFA Champions League
 0x8D718D21BD  SLUS_216.20  NCAA Football '08
 0x9C619D31E5  SLUS_205.41  NBA Ballers
 0x9D41B911AD  SLES_544.48  World Series of Poker - Tournament of Champions
 0x9D619D31C5  SLUS_215.61  Major League Baseball 2K7
 0x9F29357805  SCUS_975.44  NBA '07 featuring The Life Vol.2
 0x9F293578E5  SCUS_975.56  MLB '07 - The Show
 0xB549B51915  SLUS_216.38  Madden NFL '0
 0xB549B51925  SLUS_216.32  NHL 2K8
 0xB549B5195D  SLUS_216.47  NHL '08
 0xB549B519A5  SLUS_216.48  FIFA Soccer '08
 0xB549B519AD  SLUS_216.49  NBA Live '08
 0xBC61793025  SCES_532.85  Ratchet - Gladiator
 0xBD41BD1105  SLUS_216.69  NBA 2K8
 0xC439C569F5  SLUS_208.20  Tom Clancy's Ghost Recon - Jungle Storm
 0xC7716D20D5  SCUS_974.01  Hot Shots Golf FORE!
 0xC7716D20D5  SCUS_974.01  Hot Shots Golf FORE!
 0xCA11E941F5  SLES_516.97  SSX 3
 0xCF7965285D  SCUS_973.53  Ratchet and Clank - Up Your Arsenal
 0xCF7965285D  SCUS_973.53  Ratchet and Clank - Up Your Arsenal
 0xD20911582D  SCES_515.93  Hardware Online Arena [Beta, Promo & Full Release]
 0xD7617D308D  SCUS_973.28  Gran Turismo 4
 0xE339C1695D  SLES_525.45  Star Wars Battlefront
 0xE794CCB06D  PCPX_980.42  Minna no Tennis
 0xEA3129608D  SCES_515.78  Network Access Disc [Original, v4.02 & v4.03]
 0xEC11ED4115  SLUS_209.73  Champions - Return to Arms
 0xEF594508D5  SCUS_975.00  MLB '06 - The Show
 0xF409F559AD  SLUS_208.89  MLB Slugfest - Loaded
 0xF7415D10E5  SCUS_974.65  Ratchet - Deadlocked
 0xF7415D10E5  SCUS_974.65  Ratchet - Deadlocked
As a result config disable HDD/NET capabilities.
</div>
</div>

{{BoxcommGX|id=0x1A|net_id=0x1D|data=1x int8|}}
Sets multitap to specific controller ports and adjusts the order of ports to which controllers are synced. Default 3
*0 = no multitap set (only when needed). Controller sync order: 1/1-A, 2/2-A, 1-B, 2-B...
*1 = sets multitap in controller port 1 at all times. Controller sync order: 1/1-A, 1-B, 1-C, 1-D...
*2 = sets multitap in controller port 2 at all times. Controller sync order: 1/1-A, 2/2-A, 2-B, 2-C...
*3 = sets multitaps in both controller ports at all times. Controller sync order: same as 0
 Format:
 32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
 0x0000001A |  0x00000000  |    0x01    |   0x000000   |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x1B|net_id=0x1E|data=1x int8|}}
Unknown. Probably mtap related. Command is a 2 bit bitfield. Default value 0
 Format:
 32 bit ID  | 32 bit align | 8 bit data | 24 bit align | 32 bit align | 32 bit align | 32 bit align
 0x0000001B |  0x00000000  |    0x01    |   0x000000   |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x1C|net_id=0x1F|data=1x int32|}}
Make VIF0 commands MSCAL/MSCALF/MSCNT/MPG/FLUSHE non instant.<br>By default every VIF0 command take 1 cycle, so it's instant.
This config give vif0 some timing sense. Value is cycle count before first event check related to VIF0.<br>
When delta from config passed and vif0 is still running, add 500 cycles and go on until next event test.<br>
This can also be used to ensure that next vif0 command after MSCAL/MSCALF/MSCNT/MPG/FLUSHE won't run until delta from config passed.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x0000001C |  0x00000000  | 0x000003F8  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x1D|net_id=0x20|data=1x int64|}}
Vblank timing related, still partially unknown.
 Format:
 32 bit ID  | 32 bit align |    64 bit data     | 32 bit align | 32 bit align
 0x0000001D |  0x00000000  | 0x00000000000000C8 |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x1E|net_id=0x21|data=1x int32|}}
Option one default value = 1, when set to 0: r5900 CACHE opcode IXLTG store 0 in COP0 TagLo register. More than that recompiler skip function responsible for analyze and emitting costly iCache checks.<br>
This drastically reduce emitted code size, and practically disable iCache emulation. Additionally CACHE IXIN/IHIN opcodes use different very long code path (this can be skipped with cmd 0x03).<br>
Option two default value = 0, when set to 1: Emit some kind of check for current r5900 PC with possible trap opcode at the end. 1 is valid only when option one is 0.
*0 = sets an option one to 0 and option two to 0
*1 = sets an option one to 0 and option two to 1
*2 = sets an option one to 1 and option two to 0 (default)
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x0000001E |  0x00000000  | 0x00000002  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x1F|net_id=0x23|data=None|}}
Patch spe 4 program with new custom VIF1 STCYCL alike command 08h handler.
This command is useful only with additional 0x00 hooks. Said hooks inject 08h VIF1 command into game code when other conditions are met.
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x0000001F |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x20|net_id=0x24|data=1x int64|}}
SIO2 timing related, still partially unknown.
 Format:
 32 bit ID  | 32 bit align |    64 bit data     | 32 bit align | 32 bit align
 0x00000020 |  0x00000000  | 0x0000000000002EE0 |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x21|net_id=Not available|data=1x int32|}}
Unknown, GSGIF SPE related. 
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x00000021 |  0x00000000  | 0x00000009  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x22|net_id=0x26|data=2x int32|}}
Improves FPU accuracy for selected memory range. Efective only on: ADD.s, SUB.s, ADDA.s, SUBA.s, MADD.s, MSUB.s, MADDA.s, MSUBA.s. 

For M(UL) opcodes, command is active only on ADD/SUB stage.
 Format:
 32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
 0x00000022 |  0x00000000  |          0x0012A3D4           |         0x0012A468         |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x23|net_id=0x27|data=2x int32|}}
Improves COP2 operations accuracy for selected memory range. Effective only for opcodes:
 VSUBAxyzw, VSUBAq, VSUBAi, VSUBA, VSUBxyzw, VSUBq, VSUBi, VSUB, VMSUBAxyzw,
 VMSUBAq, VMSUBAi, VMSUBA, VMSUBxyzw, VMSUBq, VMSUBi, VMSUB, VMADDAxyzw,
 VMADDAq, VMADDAi, VMADDA, VMADDxyzw, VMADDq, VMADDi, VMADD, VADDAxyzw,
 VADDAq, VADDAi, VADDA, VADDxyzw, VADDq, VADDi, VADD

 Format:
 32 bit ID  | 32 bit align | 32 bit EE start memory offset | 32bit EE end memory offset | 32 bit align | 32 bit align
 0x00000023 |  0x00000000  |          0x0012A3D4           |         0x0012A468         |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x24|net_id=0x28|data=1x int32|}}
Unknown, CDVD related. Only accept values 0/1/2/3
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x00000024 |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x25|net_id=0x29|data=2x int32|}}
Seek time modifier. Exact values meaning is unknown for now, they are used as multiplier. First param affect fast seek time, second param affect full seek time. Default value is 0x1F40, 0xBB80 (8000, 48000). Config affect only CDVD N Command Seek, read command that "SeekToSector" is not affected.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit data | 32 bit align | 32 bit align
 0x00000025 |  0x00000000  | 0x00001F40  |  0x0000BB80 |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x26|net_id=0x2A|data=None|}}
Unknown, used only in All-Star Baseball 2004
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000026 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x27|net_id=0x2B|data=None|}}
When enabled emulated register 0x1F40200F (disc type) is set to 0x13 (PS2CDDA) when media type detected by emu is 0x12 (PS2CD). Required for multi-track PS2 games like Dance Factory. 
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000027 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x28|net_id=0x2C|data=1x int32|}}
Store (value | value << 32 | value << 64 | value << 96) in SPE 0 (IOP) LS.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x00000028 |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x29|net_id=Not available|data=None|}}
Skip one of functions in r5900 event test. Said function interact with GSGIF SPE and GS hardware, but in some conditions can also write to BGCOLOR GS register (why?).

Used in Final Fantasy X
 Format:
 32 bit ID  | 32 bit align | 32 bit align | 32 bit align | 32 bit align | 32 bit align
 0x00000029 |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x2A|net_id=0x2E|data=1x int32|}}
Unknown.
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x0000002A |  0x00000000  | 0x00000172  |  0x00000000  |  0x00000000  |  0x00000000

{{BoxcommGX|id=0x2B|net_id=0x2F|data=1x int32|}}
Store value in SPE 1 (PS2 SPU2) LS. Used values are 1, and 2 (after andi, so 3 trigger both configs).

Indigo Prophecy/Fahrenheit uses 0x1, Kengo 3 uses 0x2
 Format:
 32 bit ID  | 32 bit align | 32 bit data | 32 bit align | 32 bit align | 32 bit align
 0x0000002B |  0x00000000  | 0x00000001  |  0x00000000  |  0x00000000  |  0x00000000