[PS2] POPS stuff & POPStarter

Discussion in 'Sony Programming and Development' started by krHACKen, Apr 9, 2013.

  1. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
    @kHn
After I played one PS game, I found another thing that needs to change: IGR BOOT.
Code:
      /* Reset the IOP: this unloads every resident IRX, including a fakeboot hook. */
      while (!SifIopReset(NULL, 0)) {
      };

      FlushCache(0);
      FlushCache(2);
      /* Wait for the IOP reboot to finish before talking to it again. */
      while (!SifIopSync()) {
      };
      SifInitRpc(0);
      //Load the memory card driver modules.
      SifLoadFileInit();
      SifLoadModule("rom0:SIO2MAN", 0, NULL);
      SifLoadModule("rom0:MCMAN", 0, NULL);
      SifLoadModule("rom0:MCSERV", 0, NULL);
      sbv_patch xxx                            /* sbv patches, left unspecified in the post */
      SifLoadElf("mc0:/BOOT/BOOT.ELF", &exd);  /* load the IGR target from the memory card */
      ExecPS2(...)                             /* jump to it */
    
Since POPS does not support MC access, you must reset the IOP to load MCMAN and MCSERV.
If this is what your code does, could you change it to try loading from mass:/BOOT.ELF before the IOP reboot?
Another method is to load BOOT.ELF from memory, just like usbd.irx and usbhdfsd.irx, but I think this is not as simple as booting from mass:.

    If this bothers you ,just forget it !
     
    Jolek and AlGollan84 like this.
  2. kHn

    kHn Rising Member

    Joined:
    Oct 11, 2017
    Messages:
    56
    Likes Received:
    189
    After disassembling the loader code to check, yes, it's pretty much what it does.

Sadly the IGR loader code is precompiled. Since I don't have its source code, a new one would need to be written. POPStarter is abandoned and I don't code for the PS2 anymore.
Perhaps I'll write a new IGR loader while adapting POPStarter to load your custom modules from memory, but I cannot promise this.

    Yes, it is not possible due to memory usage constraints. There are things everywhere in the EE RAM when POPS runs. Including resident POPStarter subroutines, cheat codes compiled by the cheat engine (chained instructions, heh), and custom functions the user may attach to POPS with TROJAN files.
Trying to find where to cache a program ELF so it's not corrupted by anything would cause a major headache ;).


    Oh, by the way, the last POPStarter version executes POPS at 0x00200000, and the true entry point of POPS is 0x00200008. This way, a user/coder/hacker can hook a TROJAN at 0x00200000, to have a custom function invoked one time, after POPStarter has set up POPS, and just before POPS begins to run.
    For example, to patch a lot of code in POPS, disable POPStarter's hooked functions (restore original opcodes of POPS), or load and attach new subroutines... Like a single program in one TROJAN file, which does the jobs of ten PATCH files. As long as the registers are backed up before they're destroyed, then restored when the program ends and jumps to the entry point, it should work no problem.

    I don't think I've posted about the TROJAN files header properties. One day I'll write a sample file and documentation... Could be somehow useful...
     
    Last edited: Jan 4, 2018
    dekkit, ElPatas, svotib and 5 others like this.
  3. blueheaven

    blueheaven Spirited Member

    Joined:
    Aug 9, 2012
    Messages:
    108
    Likes Received:
    11
    UniqueUserName likes this.
  4. 47iscool

    47iscool Rapidly Rising Member

    Joined:
    Nov 19, 2013
    Messages:
    90
    Likes Received:
    2
Is there maybe a link to this file that allows it to work on PCSX2?

I know how to set it all up; I never figured it was the USB module that caused the crash.
     
  5. kHn

    kHn Rising Member

    Joined:
    Oct 11, 2017
    Messages:
    56
    Likes Received:
    189
Don't know if there exist device plugins to do this. As always, I'm thinking hackish:
    Get the last stable PCSX2 release;
    Switch PCSX2 EE (or both the EE and the IOP) options from recompiler to interpreter;
    Enable Host Filesystem;

    Write a mass to host wrapper;
    Write a dummy module;
    Put the wrapper in a PS2 virtual MC as /POPSTARTER/usbd.irx
    Put the dummy module in a PS2 virtual MC as /POPSTARTER/usbhdfsd.irx

Set up POPS and POPStarter like this, in a folder on your PC:
    /XX.GameName.elf
    /POPS/POPS_IOX.PAK
    /POPS/GameName.VCD

    Then run XX.GameName.elf

Normally it should start POPStarter in USB mode, and load things from the POPS dir, through the host filesystem :p.
    I haven't tried this myself...

EDIT: But if your goal is to hack POPS or code things for POPS, I recommend you run POPS on a real PS2 console, and debug it with kermit. For the sake of accuracy.
     
    Last edited: Jan 7, 2018
    47iscool and pool7 like this.
  6. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
Another method is to redirect mass: to host: by hacking PCSX2 like this:
Code:
    iopbios.cpp :
    int open_HLE()
    {
        IOManFile *file = NULL;
        const char *name = Ra0;
        s32 flags = a1;
        u16 mode = a2;
        iopConLog("open file :");
        iopConLog(name);
        // Stock PCSX2 only intercepts host* paths; mc0: and mass: are added here
        // so that they are served from the host filesystem as well.
        if ((!g_GameStarted || EmuConfig.HostFs)
            && (   (!strncmp(name, "host", 4) && name[4 + strspn(name + 4, "0123456789")] == ':')
                || !strncmp(name, "mc0:", 4)
                || !strncmp(name, "mass:", 5)
               )
           )
        {

POPStarter can boot POPS with both methods; I tried them before porting POPStarter to ps2netbox/ps2usb.
You will get many warnings like "cache method 0 not implemented". It cannot be used to play PS1 games.
     
    47iscool likes this.
  7. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
@kHn,
From sp193's this post, I found fakeboot.irx.

I load fakeboot.irx before I launch POPStarter. It worked. So I just wrote an IRX that redirects mc0:/POPSTARTER/usbd.irx to my hardware's version.
Now I do not need to write usbd.irx/usbhdfsd.irx to mc0.
But for IGR, I failed to redirect mc0:/BOOT/BOOT.ELF to my hardware.
     
    kHn and AlGollan84 like this.
  8. AlGollan84

    AlGollan84 Spirited Member

    Joined:
    Jul 16, 2013
    Messages:
    170
    Likes Received:
    22
    @ps2netbox
You are sensational, you have all my thanks for the work you are doing. I can't wait to test your software and your interfaces for OPL and POPStarter for real!!! My wife "Anevi" will also join in to help me with this enormous task. As soon as I have other interfaces, I will ask my relatives to help me with them. So there will be "GarGamel, Anevi, Alcyon, Drake, TheGunner, Mistral, Natla, The Blade, WorKING Girl…" who will be able to help me and make these lists grow quickly. You can list them among the "Contributors" to your project, without forgetting "krHACKen" and also ALL the others, more or less well known.

Regards.
     
  9. kHn

    kHn Rising Member

    Joined:
    Oct 11, 2017
    Messages:
    56
    Likes Received:
    189
    Fantastic, congrats !

Yeah, it's because the IGR loader defeats fakeboot, then it resets the IOP before it loads the MC drivers, so your IRX is no longer resident :( .
I tried to code a new ELF loader yesterday. Unfortunately I could not get it to open mass:/BOOT.ELF without resetting the IOP. It fails to open it for some reason. I will try again later.

Do you still need a modification of POPStarter to load your IRX from memory? Or is it no longer necessary?
     
  10. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
No.
POPS really does defeat fakeboot. But this is a good thing for me, no need to unload fakeboot.
After POPS opens SLOT0.VMC in read/write mode, I reload fakeboot and install an ioman hook for the IGR boot
(mc0:/BOOT/BOOT.ELF).
The IGR loader does not defeat fakeboot. When IGR is active, I get the log below:
    Code:
     Fake Reboot request from EE.
     Fake  Reboot complete
     Fake Reboot request from EE.
     Fake  Reboot complete
     new_open rom0:SIO2MAN
     new_open rom0:MCMAN
     new_open rom0:MCSERV
    
    I will try to see what really happened tomorrow.

    No ,it is no longer necessary. Thank you !
     
    AlGollan84 likes this.
  11. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
I guess pfs0:/BOOT.ELF or pfs1:/BOOT.ELF may work.
     
    AlGollan84 likes this.
  12. sp193

    sp193 Site Soldier

    Joined:
    Mar 28, 2012
    Messages:
    2,217
    Likes Received:
    1,052
If I remember right, "Fakeboot" only fakes the IOP reboot once. In the first place, it is not a very good thing, because you would be taking the next IOP reboot into your own hands (you have to ensure that the correct modules are loaded, etc.).
It is for this reason that no working game loader uses it. PS2ESDL eventually used the same method as HDLoader.

    What happened to passing the modules to POPStarter, in memory?
    For IGR, why isn't exiting the normal way sufficient? The OSD will boot the update on ps2netbox/FMCB again.... unless you wish to allow the user to boot another program from your custom hardware?
     
    UniqueUserName likes this.
  13. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
No, fakeboot calls
    Code:
     
     sceSifAddCmdHandler(SIF_CMD_RESET_CMD, ResetCmdHandler, (void*)arg_ef);
    
and never restores the old command handler.

I guess a game loader can work like this:
do a complete IOP reset, load the IRX / IOPRP from the ISO, load fakeboot, execute the game's startup ELF.

After loading fakeboot, start POPStarter, redirect mc0 to IOP memory.

For PS2Netbox, the user's mc0:/BOOT/BOOT.ELF from FMCB is uLaunchElf, so an additional operation is needed to launch the custom OPL.
For PS2USB, it does not need FMCB, so users must copy the custom OPL to mc0 as BOOT/BOOT.ELF.
This is not very user friendly.
     
    AlGollan84 likes this.
  14. sp193

    sp193 Site Soldier

    Joined:
    Mar 28, 2012
    Messages:
    2,217
    Likes Received:
    1,052
    Then this is worse. You cannot even boot other software or reboot the IOP again (since it does not work).
    You should not use this module because it will prevent other software from working. IGR hence cannot work.

Yes, but the reason why nobody does this is because it does not work for games that reboot the IOP multiple times, or games that have multiple ELFs, and you need to first find the IOPRP image.

    So nowadays, we hook onto SifSetDma on the EE to locate outbound SIF reboot command packets, so that we can replace that part of the IOP reboot process.
    HDLoader and early versions of OPL used to generate a new IOPRP image in EE RAM, but nowadays we let the UDNL module handle things (no EE RAM required).
    rom0:UDNL will select the newest versions of the modules listed within the rom0:IOPBTCONF list, out of all the IOPRP images (including rom0) specified. OPL uses a custom UDNL module because we need to disable the USB DMA channel prior to reboots (otherwise, it can corrupt IOP RAM), but it does not otherwise function differently from rom0:UDNL.

    I mean, kHn wrote a custom POPStarter version that will copy your custom modules from EE memory and will load them for you (hence no need for Fakeboot). Why do you no longer use that?

    So you want to boot OPL directly? If LaunchELF is not user-friendly, why not just get FMCB/FHDB to boot OPL directly?
     
    AlGollan84 and UniqueUserName like this.
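Added example (not code from the thread, from OPL or from ps2sdk) of the EE-side technique sp193 describes: a filter that a SifSetDma hook would call on each outbound transfer, recognising the IOP reset command packet and substituting a custom UDNL before the request reaches the IOP. Struct layouts follow ps2sdk's SifCmdHeader_t and the reset packet SifIopReset sends; the sample packet and the "mc0:/MYLOADER/UDNL.IRX" path are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIF_CMD_RESET_CMD 0x80000003u
/* Layouts modelled on ps2sdk's SifCmdHeader_t and the packet SifIopReset()
 * sends; EE pointers are 32-bit, so dest is a uint32_t here. */
typedef struct {
    uint32_t psize : 8;    /* size of this packet, header included */
    uint32_t dsize : 24;   /* extra data size (none for a reset request) */
    uint32_t dest;         /* IOP address of the extra data */
    int32_t  cid;          /* command id, 0x80000003 for an IOP reset */
    uint32_t opt;
} SifCmdHeader;

typedef struct {
    SifCmdHeader header;
    int32_t arglen;        /* length of arg as the sender counted it */
    int32_t mode;          /* reboot mode */
    char    arg[80];       /* loader line, e.g. "rom0:UDNL rom0:EELOADCNF" */
} IopResetPkt;

/* Build a reset request the way a game does (constructed demo input). */
void make_reset_packet(IopResetPkt *pkt, const char *arg, int mode)
{
    memset(pkt, 0, sizeof *pkt);
    pkt->header.psize = (uint32_t)sizeof *pkt;
    pkt->header.cid = (int32_t)SIF_CMD_RESET_CMD;
    strncpy(pkt->arg, arg, sizeof pkt->arg - 1);
    pkt->arglen = (int32_t)strlen(pkt->arg) + 1;
    pkt->mode = mode;
}

/* Called from a SifSetDma hook with the transfer's source buffer and size.
 * If it is a reset command that names rom0:UDNL as the loader, substitute
 * custom_udnl in place and return 1; otherwise touch nothing and return 0. */
int patch_reset_packet(void *src, uint32_t size, const char *custom_udnl)
{
    IopResetPkt *pkt = (IopResetPkt *)src;
    if (size < sizeof *pkt || pkt->header.psize != sizeof *pkt) return 0;
    if (pkt->header.cid != (int32_t)SIF_CMD_RESET_CMD) return 0;  /* other cmd */
    if (strncmp(pkt->arg, "rom0:UDNL", 9) != 0 ||
        (pkt->arg[9] != ' ' && pkt->arg[9] != '\0')) return 0;  /* not ROM UDNL */
    const char *rest = pkt->arg + 9;          /* " rom0:EELOADCNF" or "" */
    size_t newlen = strlen(custom_udnl) + strlen(rest);
    if (newlen + 1 > sizeof pkt->arg) return 0;   /* would overflow arg[] */
    char tmp[sizeof pkt->arg];
    snprintf(tmp, sizeof tmp, "%s%s", custom_udnl, rest);
    memcpy(pkt->arg, tmp, newlen + 1);
    pkt->arglen += (int32_t)strlen(custom_udnl) - 9;  /* keep sender's count */
    return 1;
}

/* Demo driver: returns the loader line after the hook ran (static storage). */
const char *demo_patch(const char *custom_udnl)
{
    static IopResetPkt pkt;
    make_reset_packet(&pkt, "rom0:UDNL rom0:EELOADCNF", 0);
    patch_reset_packet(&pkt, sizeof pkt, custom_udnl);
    return pkt.arg;
}
```

Transfers that are not reset requests, that already name a non-ROM loader, or whose patched line would not fit the 80-byte argument field are passed through untouched, which is the safe default for a hook sitting on every SIF DMA.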
  15. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
kHn did not send the file to me, so I mean, if he has not completed it, he does not need to, since fakeboot has worked.
Yes, after IGR, I think the user will select another game, so booting to OPL is the best.
After POPS has started, fakeboot no longer works. So I think one can just re-register a command handler to reset the IOP completely. Something found by google:
Code:
    
    /* Reset packet sent by the EE (SIFCMD 0x80000003). Only the fields the
       handler reads are listed here; the SIF command header that precedes
       them in the real packet is left out. */
    typedef struct {
            int    size;          /* number of bytes in data[] */
            int    flag;          /* reboot mode */
            char   data[80];      /* argument string, e.g. "rom0:UDNL rom0:EELOADCNF" */
    } sceSifCmdResetData;
    
    struct reboot{
            int    statusFlag;    //+00
            int    flag;          //+04
            char   data[80];      //+08
    } common;            //=58
    
    int thread_entry();
    
    //////////////////////////////entrypoint///////////////////////////////
    int start(){
        struct ThreadParam    threadParam;
        register int    *v;
        register int     thid;
    
        FlushDcache();                        //loadcore
        if (v=QueryBootMode(3)){                //loadcore
            if (v[1] & 1){
                printf(" No SIF service(reboot)\n");    //stdio
                return 1;
            }
            if (v[1] & 2){
                printf(" No Reboot by EE service\n");    //stdio
                return 1;
            }
        }
    
        CpuEnableIntr();                    //intrman
        threadParam.attr    =0x200;
        threadParam.entry    =thread_entry;
        threadParam.initPriority=10;
        threadParam.stackSize    =0x800;
        threadParam.option    =0;
        if ((thid=CreateThread(&threadParam))<=0)        //thbase
            return 1;
        StartThread(thid, 0);                    //thbase
        return 0;
    }
    
    ///////////////////////////////////////////////////////////////////////
    // SIF command handler: copies the reboot arguments out of the packet and
    // wakes the service thread. Note the copy has no bounds check against the
    // 80-byte data[] buffer; it is reproduced here as the listing has it.
    int cmd80000003_REBOOT_CMD(sceSifCmdResetData *packet, struct reboot *common){
        int i;
        for (i=0; i<packet->size; i++)
            common->data[i]=packet->data[i];
        common->flag=packet->flag;
        return iSetEventFlag(common->statusFlag, 0x400);        //thevent
    }
    
    ///////////////////////////////////////////////////////////////////////
    int thread_entry(){
        if (sceSifCheckInit()==0)                //sifman
            sceSifInit();                    //sifman
        printf("Reboot service module.(99/11/10)\n");        //printf
        common.statusFlag=GetSystemStatusFlag();        //thbase
        sceSifInitCmd();                    //sifcmd
        sceSifAddCmdHandler(0x80000003, cmd80000003_REBOOT_CMD, &common);//sifcmd
        WaitEventFlag(common.statusFlag, 0x400, 0, 0);    //thevent - sleep until the handler signals a reboot request
        printf("Get Reboot Request From EE\n");            //stdio
        sifman_call22_setBD000020(0x20000);            //sifman
        DMAch_SIFA_CHCR=0;                    //clear SIF1
        ReBootStart(common.data, common.flag);            //modload
        return 0;
    }
    
     
    Last edited: Jan 9, 2018
    AlGollan84 likes this.
  16. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
    @sp193, @kHn
After yesterday's work, I got some ideas about the IOP reboot.
1) Hook the IOP reboot command from the EE with sceSifAddCmdHandler.
2) In the IOP reboot hook, use UDNL.IRX to add/replace/reload modules.
3) This leads to an IRX-only PS2 game loader core.
As it does not use any EE-side memory, I think it can give better game compatibility.

I will try to implement it with POPStarter (it is more mysterious than a game's ELF).
     
    AlGollan84 likes this.
  17. sp193

    sp193 Site Soldier

    Joined:
    Mar 28, 2012
    Messages:
    2,217
    Likes Received:
    1,052
    It is up to you, but I would try not to modify the kernel (unless I have no choice).

    The code that you found earlier is present in rom0:REBOOT. It contains the IOP-side handler for SIFCMD 0x80000003.

    You will still have to use some EE memory, to store your code (and UDNL). But you will not need as much memory, as HDLoader and early OPL versions needed.

    Game compatibility is not directly influenced by this use of memory. By design, the region between 0x00084000-0x00100000 is free for use by OPL because it was used by EELOAD (which OPL's EE core replaces), but some games were deliberately made to block HDLoader from working by being loaded into that place (i.e. Sonic Unleashed is loaded at 0x000D0000, while Virtua Quest chose 0x000A0000). Most games that have compatibility problems are probably not affected by this...

EELOAD itself loads at 0x00082000, but newer games also install a patch for the alarm functions at 0x00082000. This is probably why the HDD Browser's EELOAD loads at 0x00084000 instead.

OPL uses 0x00088000-0x000D0000 to avoid as many problems as possible.

It is also possible to make everything IOP-side (i.e. by replacing REBOOT), but you still need to store your replacement UDNL and modules somewhere (i.e. on a memory card). For the convenience of the user, we chose to just use EE memory instead.

    Kernel memory was also once used by OPL (not sure if HDLoader used it though), which was not a very good idea (depends on PS2 model): https://assemblergames.com/threads/known-playstation-2-kernel-patch-locations.65944/
    Some modchips also use this memory.
     
    Last edited: Jan 11, 2018
    AKuHAK, pool7 and AlGollan84 like this.
  18. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
I'm working on this to make POPStarter/POPS happy; I store UDNL and the other IRXes inside another IRX in compressed format.
It does not use any EE-side memory, just less than 100KB of additional IOP memory.
All the code was done today, since it is simple copy/paste; it was sleeping somewhere in the OPL/ps2sdk code.


Many Chinese-translated games use this memory, perhaps because they could not find other memory.
     
    AlGollan84 likes this.
  19. 47iscool

    47iscool Rapidly Rising Member

    Joined:
    Nov 19, 2013
    Messages:
    90
    Likes Received:
    2
    My reason for wanting pops to run in pcsx2 is so I can find a certain recompiled psx-ps2 code since pops will not recompile ASM changed by jokered GS codes.

See here: https://gamehacking.org/game/54174

    Scroll to the bottom and look at my WTW code. That is the recompiled MIPS to PPC clipping code. That took a while to make but it works.

    I want to do something similar with POPS.
     
    Last edited: Jan 12, 2018
  20. ps2netbox

    ps2netbox Spirited Member

    Joined:
    Dec 26, 2017
    Messages:
    116
    Likes Received:
    93
After some work on POPStarter/POPS.
There may be a bug in OPL:
    // from Open-PS2-Loader/modules/iopcore/eesync/eesync.c
Code:
    #define MODNAME "SyncEE"
    IRX_ID(MODNAME, 0x01, 0x01);
    
    static int PostResetCallback(int *arg1, int arg2)
    {
        sceSifSetSMFlag(SIF_STAT_BOOTEND);
        return 0;
    }
    int _start(int argc, char **argv)
    {
        loadcore20(&PostResetCallback, 2, 0);
        return MODULE_RESIDENT_END;
    }
    
    // from Open-PS2-Loader/modules/iopcore/udnl/udnl.c
    Code:
    /* 0x00000878    - Scans through all loaded IOPRP images for the newest version of the specified module. */
    static struct RomdirFileStat *SelectModuleFromImages(const struct ImageData *ImageDataBuffer, unsigned int NumFiles, const char *line, struct RomdirFileStat *stat_out)
    
    // from Log of Popstarter
    Code:
    27: SECRMAN
    SelectModule: SECRMAN, ROM, 0x103
    28: EESYNC
    SelectModule: EESYNC, crap:, 0x201
    
If a game uses a newer version than 0x101, the ee_core loader may get stuck. Since ee_core only needs the BOOTEND flag, this will not be a problem, but does OPL really need a custom EESYNC?
     