## FROM EMOTION TO EMULATION

Celebrating 20 years of reverse engineering



- Core PCSX2 contributor
- CS professor
- VG industry contractor
- Reverse engineer, console hacker


- 98.24% of playable games!
- Website's Alexa rank ~40k, most popular VG emulator I'm aware of
- Very complex software project
- 20 year old project




## TECHNICALLY A PS2?



## THAT'S STRETCHING IT!



## AND A BLACK BOX TO EMULATE



## HARDWARE

## BLACK BOX

How do we break into one?

## BLACK BOX

How do we break into one?
We hack its web browser!

- failOverflow, circa 2013


## BLACK BOX

How do we break into one?
We hack its web browser!

- failOverflow, circa 2013


## BLACK BOX

How do we break into one?
We hack its web browser!

- failOverflow, circa 2013

Us, circa 2002

## BLACK BOX

## Let's do it the good old way :)






I'll explain first how all of this works and then how we figured it out


Reversible logo!




## EE














## WHAT IS THE EE

More like what contains the EE

A core with 3 co-processors (COP):

- COP0: System co-processor
- COP1: A floating point unit (FPU)
- COP2: Vector Unit 0 Macro Mode (VU0 - Macro)

Also partly designed by a chip designer called coolchips for his Master's thesis, pretty cool!

## WHAT IS THE EE

- Image Processing Unit (IPU)
- VPU1
- VPU0 with VU0 accessible as a COP
- GIF/VIF (Graphics/Vector Interface)
- i/dCache + ScratchPad (on die memory)
- DMA Controller

We're only getting started!




Only the best of MIPS have been used as we will see


EE Core - MIPS (numbered 1-103 on the slide):

ADD, ADDI, ADDIU, ADDU, ANDI, BEQ, BEQL, BGEZ, BGEZAL, BGEZALL, BGEZL, BGTZ, BLEZ, BLEZL, BLTZ, BLTZAL, BLTZALL, BNE, BNEL, BREAK, DADD, DADDIU, DADDU, DIV, DIVU, DSLL, DSLLV, DSRA, DSRA32, DSRAV, DSRL, DSRL32, DSRLV, DSUB, DSUBU, JAL, JALR, JR, LB, LBU, LD, LDL, LDR, LH, LHU, LUI, LW, LWL, LWR, LWU, MFHI, MFLO, MOVN, MOVZ, MTHI, MTLO, MULT, MULTU, NOR, OR, ORI, PREF, SB, SD, SDR, SH, SLL, SLLV, SLT, SLTI, SLTIU, SLTU, SRA, SRAV, SRL, SRLV, SUB, SUBU, SW, SWL, SWR, SYNC.stype, SYSCALL, TEQ, TEQI, TGE, TGEI, TGEIU, TGEU, TLT, TLTI, TLTIU, TLTU, TNE, TNEI, XOR, XORI

EE Core additions (104-214):

DIV1, DIVU1, LQ, MADD, MADD1, MADDU, MADDU1, MFHI1, MFLO1, MFSA, MTHI1, MTLO1, MTSA, MTSAB, MTSAH, MULT, MULT1, MULTU, MULTU1, PABSH, PABSW, PADDB, PADDH, PADDSB, PADDSH, PADDSW, PADDUB, PADDUH, PADDUW, PADDW, PADSBH, PAND, PCEQB, PCEQH, PCEQW, PCGTB, PCGTH, PCGTW, PCPYH, PCPYLD, PCPYUD, PDIVBW, PDIVUW, PDIVW, PEXCH, PEXCW, PEXEH, PEXEW, PEXT5, PEXTLB, PEXTLH, PEXTLW, PEXTUB, PEXTUH, PEXTUW, PHMADH, PHMSBH, PINTEH, PINTH, PLZCW, PMADDH, PMADDUW, PMADDW, PMAXH, PMAXW, PMFHI, PMFHL.LH, PMFHL.LW, PMFHL.SH, PMFHL.SLW, PMFHL.UW, PMFLO, PMINH, PMINW, PMSUBH, PMSUBW, PMTHI, PMTHL.LW, PMTLO, PMULTH, PMULTUW, PMULTW, PNOR, POR, PPAC5, PPACB, PPACH, PPACW, PREVH, PROT3W, PSLLH, PSLLVW, PSLLW, PSRAH, PSRAVW, PSRAW, PSRLH, PSRLVW, PSRLW, PSUBB, PSUBH, PSUBSB, PSUBSH, PSUBSW, PSUBUB, PSUBUH, PSUBUW, PSUBW, PXOR, QFSRV, SQ

EE - COP0 (215-265):

BC0F, BC0FL, BC0T, BC0TL, CACHE BFH, CACHE BHINBT, CACHE BXLBT, CACHE BXSBT, CACHE DHIN, CACHE DHWBIN, CACHE DHWOIN, CACHE DXIN, CACHE DXLDT, CACHE DXLTG, CACHE DXSDT, CACHE DXSTG, CACHE DXWBIN, CACHE IFL, CACHE IHIN, CACHE IXIN, CACHE IXLDT, CACHE IXLTG, CACHE IXSDT, CACHE IXSTG, DI, EI, ERET, MFBPC, MFC0, MFDAB, MFDABM, …, MTDAB, MTDABM, MIDADM, MTDVB, MTDVBM, MTIAB, MTIABM, MTPC, MTPS, TLBP, TLBR, TLBWI, TLBWR

EE - COP1 (266-298):

ABS.S, ADD.S, ADDA.S, BC1F, BC1FL, BC1T, BC1TL, CFC1, CTC1, CVT.S.W, CVT.W.S, DIV.S, LWC1, MADD.S, MADDA.S, MAX.S, MFC1, MIN.S, MOV.S, MSUB.S, MSUBA.S, MTC1, MUL.S, MULA.S, NEG.S, RSQRT.S, SQRT.S, SUB.S, SUBA.S, SWC1

EE - COP2 (299 onwards, the list continues on the next slide):

BC2F, BC2FL, BC2T, BC2TL, CFC2, CTC2, LQC2, QMFC2, QMTC2, SQC2, VABS, VADD, VADDi, VADDq, VADDbc, VADDA, VADDAi, VADDAq, VADDAbc, VCALLMS, VCALLMSR, VCLIP, VDIV, VFTOI0, VFTOI4, VFTOI12, VFTOI15, VIADD, VIADDI, VIAND, VILWR, VIOR, VISUB, VISWR, VITOF0, VITOF4, VITOF12, VITOF15, VLQD, …

This is the MIPS part!



## DELAY SLOTS

```
lw t5,0x0(t7)   ; t5 = MEM[t7]
jr t5           ; jump to t5
addiu t5,t5,4   ; t5+=4
```

???

## PIPELINE

A CPU executes instructions by passing through multiple steps

We call those a pipeline

Not exactly true but it'll work for now
The execute step will also be used as memory access

## PIPELINE

Here's an example

(figure: a block of memory filled with FF bytes, register s3 = 00 and the instruction bytes `78 00 b3 ff` (an sd) walked through the pipeline stages up to WRITE, after which s3 = FF)

In reality all of those steps are executed in parallel on multiple instructions

IR = Instruction Register, current instruction

What if this is a jump?

Instead of wasting 2 steps, MIPS decided to execute an instruction out of order to waste 1

## THE DELAY SLOTS STRIKES BACK

```
lui $a0, 0          ; argument
li $v1, FlushCache  ; syscall number
syscall
li $v1, ResetEE     ; next syscall number
```


## INTERRUPTS

syscall is like an interrupt instruction

The CPU switches to kernel mode and drops the entire pipeline

Everything gets fetched back again after the syscall is done
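A toy simulator of the two listings above, added here as an example and not code from the talk or from PCSX2: jr runs the instruction in its delay slot before control moves, while syscall takes an exception, so the instruction after it is not executed early. The syscall numbers for FlushCache and ResetEE and the tiny register/memory layout are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum op { OP_NOP, OP_LW, OP_LUI, OP_LI, OP_ADDIU, OP_JR, OP_SYSCALL };
enum regno { V0 = 2, V1 = 3, A0 = 4, T5 = 13, T7 = 15 };

/* EE syscall numbers assumed here (the slide only uses the names) */
#define SYS_RESETEE    0x01
#define SYS_FLUSHCACHE 0x64

typedef struct { enum op op; int rd, rs; uint32_t imm; } insn_t;

typedef struct {
    uint32_t reg[32];
    uint32_t mem[4];      /* tiny word-addressed data memory */
    uint32_t syscall_v1;  /* $v1 as the kernel sees it when the exception is taken */
    int      syscalls;    /* exceptions taken */
    bool     bug_delay_slot_after_syscall; /* model a wrong emulator */
} cpu_t;

/* Execute prog[pc]; return the index of the next instruction to run. */
static uint32_t exec(cpu_t *c, const insn_t *prog, size_t n, uint32_t pc) {
    const insn_t *in = &prog[pc];
    switch (in->op) {
    case OP_NOP:   break;
    case OP_LW:    c->reg[in->rd] = c->mem[(c->reg[in->rs] + in->imm) >> 2]; break;
    case OP_LUI:   c->reg[in->rd] = in->imm << 16; break;
    case OP_LI:    c->reg[in->rd] = in->imm; break;
    case OP_ADDIU: c->reg[in->rd] = c->reg[in->rs] + in->imm; break;
    case OP_JR: {
        /* The target is read first, the delay slot instruction runs,
         * and only then does control move. */
        uint32_t target = c->reg[in->rs];
        if (pc + 1 < n) exec(c, prog, n, pc + 1);
        return target;
    }
    case OP_SYSCALL:
        if (c->bug_delay_slot_after_syscall && pc + 1 < n) {
            /* Wrong: treating syscall like a branch runs the next
             * instruction before the kernel looks at $v1. */
            exec(c, prog, n, pc + 1);
            c->syscall_v1 = c->reg[V1];
            c->syscalls++;
            return pc + 2;
        }
        /* Right: the exception drops the pipeline, the kernel dispatches
         * on $v1 as it is now, execution resumes at the next instruction. */
        c->syscall_v1 = c->reg[V1];
        c->syscalls++;
        return pc + 1;
    }
    return pc + 1;
}

void run(cpu_t *c, const insn_t *prog, size_t n) {
    uint32_t pc = 0;
    while (pc < n) pc = exec(c, prog, n, pc);
}

/* First listing: lw t5,0(t7) / jr t5 / addiu t5,t5,4.
 * MEM[t7] holds the index of the jump target (4); index 3 must be skipped. */
cpu_t delay_slot_demo(void) {
    static const insn_t prog[] = {
        { OP_LW,    T5, T7, 0 },
        { OP_JR,    0,  T5, 0 },
        { OP_ADDIU, T5, T5, 4 },      /* delay slot: runs before the jump lands */
        { OP_LI,    V0, 0,  0xbad },  /* skipped by the jump */
        { OP_LI,    V0, 0,  1 },      /* jump target */
    };
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.mem[0] = 4;                     /* t7 == 0, so MEM[t7] == 4 */
    run(&c, prog, sizeof prog / sizeof prog[0]);
    return c;
}

/* Second listing: lui a0,0 / li v1,FlushCache / syscall / li v1,ResetEE */
cpu_t syscall_demo(bool buggy) {
    static const insn_t prog[] = {
        { OP_LUI,     A0, 0, 0 },
        { OP_LI,      V1, 0, SYS_FLUSHCACHE },
        { OP_SYSCALL, 0,  0, 0 },
        { OP_LI,      V1, 0, SYS_RESETEE },
    };
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.bug_delay_slot_after_syscall = buggy;
    run(&c, prog, sizeof prog / sizeof prog[0]);
    return c;
}
```

With the bug switched on the kernel would see ResetEE instead of FlushCache, which is exactly the kind of mistake the listing above catches.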

## COP0

Handles multiple system things:

- Memory Management
- Exceptions
- Debugging
- Cache
- Interrupts! (Nice transition)

## COP1

A Floating Point Unit (FPU) (this thing)

0.3921230137348175048828125
0x3ec8c459

Not IEEE 754 compliant!!
Relevant list of features not implemented:

- NaN
- Nearest roundings
- +/- $\infty$
- Exceptions
- Denormalized numbers

Result: an absolute pain in the ass to emulate
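An added example (not PCSX2 code) of what the bit pattern 0x3ec8c459 on the slide means and how an emulator running on an IEEE host has to squash its results into something the PS2 FPU could hold: no infinities or NaNs (exponent 0xff is just the largest binade), denormals read as zero, and results cut to 24 bits instead of rounded. Reading the slide's missing nearest rounding as truncation toward zero is an assumption of this example.

```c
#include <float.h>
#include <stdint.h>
#include <string.h>

#define PS2_FMAX 0x7fffffffu  /* exponent 0xff, mantissa all ones: largest value, not NaN */

/* Exact value of a PS2 single: exponent 0 reads as zero (no denormals),
 * exponent 0xff is an ordinary huge number (no inf/NaN). */
double ps2_float_value(uint32_t bits) {
    int exp = (int)((bits >> 23) & 0xff);
    uint32_t mant = bits & 0x7fffff;
    double v = 0.0;
    if (exp != 0) {
        v = 1.0 + (double)mant / 8388608.0;            /* 1.mantissa */
        for (int e = exp - 127; e > 0; e--) v *= 2.0;  /* exact scaling */
        for (int e = exp - 127; e < 0; e++) v *= 0.5;
    }
    return (bits >> 31) ? -v : v;
}

/* Make an IEEE single PS2-shaped: +/-inf and NaN become +/-FMAX, denormals +/-0. */
uint32_t ps2_squash(uint32_t ieee_bits) {
    uint32_t sign = ieee_bits & 0x80000000u;
    uint32_t exp  = (ieee_bits >> 23) & 0xff;
    if (exp == 0xff) return sign | PS2_FMAX;
    if (exp == 0)    return sign;
    return ieee_bits;
}

static float    bits_to_float(uint32_t b) { float f;    memcpy(&f, &b, 4); return f; }
static uint32_t float_to_bits(float f)    { uint32_t b; memcpy(&b, &f, 4); return b; }

/* Encode a host double as PS2 bits: saturate where IEEE would overflow to inf,
 * truncate toward zero to 24 significant bits, flush denormals. */
uint32_t ps2_from_double(double r) {
    uint32_t sign = (r < 0.0) ? 0x80000000u : 0u;
    if (r > FLT_MAX || r < -FLT_MAX) return sign | PS2_FMAX;
    uint64_t db;
    memcpy(&db, &r, 8);
    db &= ~((1ULL << 29) - 1);   /* keep 23 fraction bits of the double's 52 */
    memcpy(&r, &db, 8);
    return ps2_squash(float_to_bits((float)r));  /* exact: 24 bits fit a float */
}

/* ADD.S the PS2 way: inputs read with PS2 semantics, result squashed. */
uint32_t ps2_add_s(uint32_t a, uint32_t b) {
    return ps2_from_double(ps2_float_value(a) + ps2_float_value(b));
}

/* Plain IEEE single addition on the host, for comparison. */
uint32_t ieee_add_s(uint32_t a, uint32_t b) {
    return float_to_bits(bits_to_float(a) + bits_to_float(b));
}
```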

## VPU

Two of them, composed of two things:

- A Vector Unit (VU)
- A Vector Interface (VIF)

VPU0 can either work as a COP or as a microprocessor
If it runs in COP (macro) mode, it will act as a superset of instructions for the EE core

Otherwise it will execute instructions in parallel, fed in a microprogram by the EE

## VPU

VPU1 can transfer directly to the GS memory by using 2 methods:

- XGKICK (Path 1)
- VIF1 (Path 2)

The EE and the VU1 use a third method to transfer data to the GPU, the GIF

NB: Path 1 and Path 2 also use the GIF but have higher priority, confusing yet?

## VPU - EXAMPLE

The EE sends the model data to the VIF

```
.align 0
;test.dae_mp1_pkt1.obj
;Automatically generated by kh2vif
;kh2vif by Govanify ~ 2017
stcycl 01, 01
unpack[r] V4_32, 0, *
.int 1, 0, 0, 0
.int 36, 4, 54, 56
.int 0, 0, 0, 0
.int 14, 40, 0, 5
.EndUnpack
stcycl 01, 01
unpack[r] V2_16, 4, *
.short 2048, 0
.short 1024, 1024
.short 1024, 0
.short 1024, 3071
.short 2048, 2048
.short 2048, 3071
.short 3071, 2048
```

The VIF1 executes the unpack commands and writes the data to its memory

The VU1 transforms the data and calculates relative positions
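The packet the EE would DMA to VIF1 for the listing above, as an added example (not kh2vif output or PCSX2 code): each line becomes a 32-bit VIFcode followed by its data. The VIFcode bit layout is the one from Sony's VU manual; what kh2vif's `[r]` suffix selects is not shown on the slide, so the unpack FLG/USN bits stay clear here, and the vertex numbers are the listing's own.

```c
#include <stddef.h>
#include <stdint.h>

/* VIFcode: bits 0-15 IMMEDIATE, 16-23 NUM, 24-30 CMD, 31 IRQ.
 * UNPACK is CMD 0x60 | m<<4 | vn<<2 | vl; its IMMEDIATE carries the VU memory
 * address in quadwords (bits 0-9). STCYCL is CMD 0x01 with CL | WL<<8. */
#define VIF_STCYCL 0x01u
#define VIF_UNPACK 0x60u

enum { VN_S = 0, VN_V2 = 1, VN_V3 = 2, VN_V4 = 3 };   /* vector size */
enum { VL_32 = 0, VL_16 = 1, VL_8 = 2, VL_5 = 3 };    /* element width */

uint32_t vifcode(uint32_t cmd, uint32_t num, uint32_t imm) {
    return ((cmd & 0x7f) << 24) | ((num & 0xff) << 16) | (imm & 0xffff);
}

uint32_t vif_stcycl(uint32_t cl, uint32_t wl) {
    return vifcode(VIF_STCYCL, 0, ((wl & 0xff) << 8) | (cl & 0xff));
}

/* num = rows of data that follow, addr = VU memory address in quadwords */
uint32_t vif_unpack(uint32_t vn, uint32_t vl, uint32_t num, uint32_t addr) {
    return vifcode(VIF_UNPACK | (vn << 2) | vl, num, addr & 0x3ff);
}

static size_t put32(uint8_t *out, size_t at, uint32_t v) {   /* little-endian */
    out[at] = (uint8_t)v;         out[at + 1] = (uint8_t)(v >> 8);
    out[at + 2] = (uint8_t)(v >> 16); out[at + 3] = (uint8_t)(v >> 24);
    return at + 4;
}
static size_t put16(uint8_t *out, size_t at, uint16_t v) {
    out[at] = (uint8_t)v; out[at + 1] = (uint8_t)(v >> 8);
    return at + 2;
}

/* Builds the packet for the listing. Returns the byte count, padded with
 * NOP VIFcodes (0x00000000) to the 16-byte quadword boundary DMA wants. */
size_t build_model_packet(uint8_t *out, size_t cap) {
    static const int32_t v4[4][4] = { {1, 0, 0, 0}, {36, 4, 54, 56},
                                      {0, 0, 0, 0}, {14, 40, 0, 5} };
    static const int16_t v2[7][2] = { {2048, 0}, {1024, 1024}, {1024, 0},
                                      {1024, 3071}, {2048, 2048}, {2048, 3071},
                                      {3071, 2048} };
    size_t at = 0;
    if (cap < 128) return 0;
    at = put32(out, at, vif_stcycl(1, 1));                 /* stcycl 01, 01 */
    at = put32(out, at, vif_unpack(VN_V4, VL_32, 4, 0));  /* unpack V4_32, 0 */
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) at = put32(out, at, (uint32_t)v4[i][j]);
    at = put32(out, at, vif_stcycl(1, 1));
    at = put32(out, at, vif_unpack(VN_V2, VL_16, 7, 4));  /* unpack V2_16, 4 */
    for (int i = 0; i < 7; i++)
        for (int j = 0; j < 2; j++) at = put16(out, at, (uint16_t)v2[i][j]);
    while (at % 16) out[at++] = 0;
    return at;
}
```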

## SPU2

Based on the PS1 SPU, but with 2 cores!

CORE 0: 24 voices, CORE 1: 24 voices

Has customizable IRQ!!
Games use them as highly precise interrupts by setting an IRQ at a write-back address used during the mixing stage
The mixer has a sample rate of 48 kHz in PS2 mode, 44.1 in PS1 compatible mode

## SPU2

Also has a Schroeder Reverberator!

Uses 4 parallel comb filters in a rotating buffer
Adds gain, then mixes back with the original input, rewriting the rotating buffer in the process


## WHAT IS THE IOP

Good question! It's a MIPS-based processor...
... or PowerPC.
wait...WHAT?
... Let's ignore that for now.

It is the PS1 CPU, just repurposed in order to handle all the I/O, devices and drivers in the PS2.

The EE and the IOP communicate through the Subsystem Interface (SIF).



## WHAT IS THE IOP

A MIPS I "compatible" CPU with 2 COP

- COP0: System Management
- COP1: ???
- COP2: Geometry Transformation Engine (GTE)

Sony doesn't know how to count


## ONE LAST THING

> Dynamic Memory Allocation and the Heap
> Memory allocation functions allow the programmer to increase the depth and variety of the game world whilst making the best use of the PlayStation's relatively modest memory size.
> In C, memory allocation is achieved using the malloc and free functions. Unfortunately there have been several problems with these functions on PlayStation.
> The standard malloc/free combination supplied as part of libc fragments memory due to a bug in the free function. This means that large chunks on the machine memory become inaccessible even though they are not holding any valid data.

## PS1: Bring out your own f---ing chip and system libraries

## DECKARD

Meet PS2 Slim hardware!

Slim, right?

Wanna know why?

## A PS2 ON-A-CHIP IS NOT ENOUGH

Meet deckard!

A PowerPC based replacement for the IOP
Emulates PS1 features through software

Fortunately we don't care about it, we are writing an emulator, not trying to emulate the emulator emulating the console :D

## COPY PROTECTION

About time we talk about it
Essentially a mod of PS1's copy protection
The PS1 replaced CD's ATIP (which is a sinusoidal constant of ~22 kHz) by their own region specific constant

The ATIP is normally used by players to synchronize their laser's timing

Data can also be stored by modulating the ATIP +/- 1 kHz!

## COPY PROTECTION

The ATIP is around there

## COPY PROTECTION

The PS2 instead stores the Title ID of the disc in it

Mechacon then derives an encryption key out of the Title ID which will be used to decrypt and verify the disc

It will then proceed to decrypt the "PlayStation 2" logo you see at each boot once sent to it
...But we can completely ignore this by skipping the verification logic in the BIOS!

## COPY PROTECTION

Sony tries to make this harder by making it harder to power on the mechacon
...forgetting you could just dump the BIOS out of your flash chip and reverse engineer it
......and that the bootloader verifies the integrity of your BIOS with a simple CRC which is prone to collisions

The mechacon is essentially a security processor that you can completely ignore and that is useless in functionality

```
void mechaconAuth()
{
    int k;
    /* wait until the mechacon reports ready, then issue S-command 0x80 */
    while (cdvdRead(0x17) != 0x40) {;}
    cdvdWrite(0x17, 0);
    cdvdWrite(0x16, 0x80);
    while (cdvdRead(0x16) != 0x80) {;}
    /* drain the result bytes until ready again */
    while (cdvdRead(0x17) != 0x40)
    {
        cdvdRead(0x18);
    }
    while (cdvdRead(0x17) != 0x40) {;}
    /* same dance for command 0x81 */
    cdvdWrite(0x16, 0x81);
    while (cdvdRead(0x16) != 0x81) {;}
    while (cdvdRead(0x17) != 0x40)
    {
        cdvdRead(0x18);
    }
    while (cdvdRead(0x17) != 0x40) {;}
    /* queue 16 parameter bytes of 0xff for the next command */
    for (k = 0; k < 16; k++)
    {
        cdvdWrite(0x17, 0xff);
    }
}
```




```
case 0x80: // secrman:
    SetResultSize(1); //in:1
    cdvd.mg_datatype = 0; //data
    cdvd.Result[0] = 0;
    break;
case 0x81: // secrman: mechacon auth 0x81
    SetResultSize(1); //in:1
    cdvd.mg_datatype = 0; //data
    cdvd.Result[0] = 0;
    break;
case 0x82: // secrman:
    SetResultSize(1); //in:16
    cdvd.Result[0] = 0;
    break;
```



Good thing we can just ignore it when emulating!

Just have to make sure to return the nice values for the BIOS

## COPY PROTECTION

What would be Sony's copy protection without trademark infringement?

```
// letters = SLES, numbers = 54232
key[0] = ((numbers & 0x1F) << 3) | ((0x0FFFFFFF & letters) >> 25);
key[1] = (numbers >> 10) | ((0x0FFFFFFF & letters) << 7);
key[2] = ((numbers & 0x3E0) >> 2) | 0x04;
```

```
for(int i=0; i<12*2048; i++)
{
    logo[i] = ((logo[i]<<5)|(logo[i]>>3)) ^ magicNum;
}
```

Also differs between regions

## COPY PROTECTION

```
for(int i=0; i<12*2048; i++)
{
    logo[i] = ((logo[i]<<5)|(logo[i]>>3)) ^ magicNum;
}
```

```
  11101010   (input byte)
  01011101   (rotated)
^ 11110000
= 00011010
```

## COPY PROIECTION

The key can be either calculated from the Title ID
...or guessed by reading any 00 encrypted byte

$$
00^{\wedge} X X=X X
$$

The first byte of the logo is always 00
The 12 first sectors are dedicated to this, The next 2 are for Master Drives, and the last 2
are unused
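The transform above and the 00-byte key recovery as runnable C. This is an added example, not PCSX2's or Sony's code; the buffer contents and the magic number 0xF0 (the slide's 11110000) are constructed, and the only property it relies on is the one stated above: the first logo byte is always 00, so its ciphertext is the key itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not PCSX2 code: the per-byte transform from the slide
 * (rotate left by 5 bits, then XOR with magicNum) and its inverse. */

#define LOGO_BYTES (12 * 2048)   /* the 12 logo sectors of 2048 bytes each */

static uint8_t rotl8(uint8_t x, unsigned n) { return (uint8_t)((x << n) | (x >> (8 - n))); }
static uint8_t rotr8(uint8_t x, unsigned n) { return (uint8_t)((x >> n) | (x << (8 - n))); }

/* Forward transform exactly as on the slide: ((b<<5)|(b>>3)) ^ magicNum on one byte. */
uint8_t scramble_byte(uint8_t b, uint8_t magic) { return rotl8(b, 5) ^ magic; }

/* Inverse: undo the XOR first, then rotate right by 5 (the same as rotating left by 3). */
uint8_t unscramble_byte(uint8_t c, uint8_t magic) { return rotr8(c ^ magic, 5); }

void scramble_logo(uint8_t *logo, size_t len, uint8_t magic) {
    for (size_t i = 0; i < len; i++) logo[i] = scramble_byte(logo[i], magic);
}

void unscramble_logo(uint8_t *logo, size_t len, uint8_t magic) {
    for (size_t i = 0; i < len; i++) logo[i] = unscramble_byte(logo[i], magic);
}

/* Key recovery from the slide: a plaintext 0x00 byte rotates to 0x00, so its
 * ciphertext equals magicNum. Byte 0 of the logo is always 0x00. */
uint8_t recover_magic(const uint8_t *scrambled_logo) { return scrambled_logo[0]; }

/* Self-test on a constructed logo buffer: scramble, recover the key from byte 0,
 * unscramble, and compare with the original. Returns 1 on success, 0 on failure. */
int logo_roundtrip_selftest(void) {
    static uint8_t original[LOGO_BYTES], work[LOGO_BYTES];
    original[0] = 0x00;                                   /* the invariant the attack relies on */
    for (size_t i = 1; i < LOGO_BYTES; i++)
        original[i] = (uint8_t)(i * 31 + 7);              /* constructed filler, not a real logo */
    memcpy(work, original, LOGO_BYTES);

    const uint8_t magic = 0xF0;                           /* the slide's 11110000 */
    scramble_logo(work, LOGO_BYTES, magic);
    if (work[0] != magic) return 0;                       /* ciphertext of 0x00 leaks the key */

    uint8_t guessed = recover_magic(work);                /* no Title ID needed */
    unscramble_logo(work, LOGO_BYTES, guessed);
    return memcmp(work, original, LOGO_BYTES) == 0;
}
```

The same recovery works from any position whose plaintext is known to be 00, not just byte 0; the first byte is simply the one that is guaranteed.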

## COPY PROTECTION

Unhappy with having encrypted content that can be decrypted simply by reading its first byte, Sony added a more convoluted protection mechanism called MagicGate to secure its memory cards

> You can obviously ask the mechacon nicely to sign and access memory cards for you, but that's not fun

## MAGICGATE

MagicGate uses DES

Best public cryptanalysis:

> DES has been considered insecure right from the start because of the feasibility of brute-force attacks. Such attacks have been demonstrated in practice (see EFF DES cracker)

Oh boy

## MAGICGATE

MagicGate uses 3DES

Best public cryptanalysis:

> Lucks: $2^{32}$ known plaintexts, $2^{113}$ operations including $2^{90}$ DES encryptions, $2^{88}$ memory; Biham: find one of $2^{28}$ target keys with a handful of chosen plaintexts per key and $2^{84}$ encryptions

...but with only 2 keys of security

## MAGICGATE

Their 3DES implementation changes the key schedule slightly
They use it in CBC mode as a challenge/reply, nonce-based cryptosystem:

1. We ask the memory card for some IV and its identifier
2. We derive a unique key based on this
3. We ask the memory card for a nonce it generated
4. We generate our nonce
5. We generate a challenge: OurNonce|CardNonce|CardIV encrypted with the unique key we calculated, using a built-in IV
6. The memory card decrypts our challenge and rebuilds another: CardNonce|MechaNonce|SessionKey, using the IV of step 5
7. The SessionKey will now be used as a Key Encryption Key

## MAGICGATE

This implementation has multiple issues:

- We can pull off chosen-plaintext attacks by MITMing the mechacon and the memory card
- The IV used for the challenge is baked in and will never change
- We can force the mechacon to keep reusing the same "unique" encryption key by resending the same CardIV and CardID
- We can arbitrarily replace CardID and CardIV in any communication while keeping the same unique key (!)
- ...but it is not susceptible to replay attacks, and is unlikely to act as an oracle

Let's be smarter!

## MAGICGATE

Mechacon challenge:

We can always predict everything but K, so we can generate infinitely many known plaintexts!
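An added model of the step-5 challenge and of the attacker's bookkeeping, not Sony's or PCSX2's code. `toy_encrypt` is a stand-in 64-bit permutation, not DES or 3DES, and `derive_unique_key`, the built-in IV and every nonce and ID value are constructed. The point is independent of the cipher: with the IV fixed and every plaintext field known to the MITM, each CBC block yields one (input, output) pair for the block cipher under the pinned unique key, which is exactly the known-plaintext dictionary the next slides consume. The model assumes the mechacon's own nonce is observable by the MITM, as "everything but K" above implies.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Sony's or PCSX2's code. Models the mechacon's challenge
 * (CBC over OurNonce|CardNonce|CardIV with a fixed built-in IV) and shows how a
 * MITM turns it into block-cipher known-plaintext pairs. toy_encrypt is a
 * stand-in permutation, NOT DES/3DES. */

typedef uint64_t block_t;

#define BUILT_IN_IV 0x0123456789ABCDEFULL   /* constructed stand-in for the baked-in IV */

static block_t rotl64(block_t x, unsigned n) { return (x << n) | (x >> (64 - n)); }

/* Stand-in 64-bit block cipher: 8 rounds of xor-with-subkey, multiply by an odd
 * constant (invertible mod 2^64) and a rotation. Keyed and bijective, nothing more. */
block_t toy_encrypt(block_t key, block_t p) {
    block_t x = p;
    for (unsigned r = 0; r < 8; r++) {
        x ^= key + 0x9E3779B97F4A7C15ULL * (r + 1);
        x *= 0xD6E8FEB86659FD93ULL;
        x = rotl64(x, 17 + r);
    }
    return x;
}

/* Step 2 stand-in: the "unique" key depends only on CardID and CardIV, so a MITM
 * that replays both gets the same key out of the mechacon every session. */
block_t derive_unique_key(block_t master_key, block_t card_id, block_t card_iv) {
    return toy_encrypt(master_key, card_id ^ card_iv);
}

/* Step 5: CBC-encrypt the three-block challenge under the unique key with the fixed IV. */
void mecha_build_challenge(block_t unique_key, block_t mecha_nonce, block_t card_nonce,
                           block_t card_iv, block_t out[3]) {
    block_t plain[3] = { mecha_nonce, card_nonce, card_iv };
    block_t prev = BUILT_IN_IV;
    for (int i = 0; i < 3; i++) {
        out[i] = toy_encrypt(unique_key, plain[i] ^ prev);
        prev = out[i];
    }
}

typedef struct { block_t in, out; } kp_pair;   /* one (block input, block output) pair */

/* Attacker side: with every plaintext block and the IV known, CBC gives
 * in_i = P_i ^ C_{i-1} (C_{-1} = IV) and out_i = C_i, i.e. direct pairs for the
 * block cipher under the unique key. No key material is needed to do this. */
void harvest_pairs(block_t mecha_nonce, block_t card_nonce, block_t card_iv,
                   const block_t chal[3], kp_pair pairs[3]) {
    block_t plain[3] = { mecha_nonce, card_nonce, card_iv };
    block_t prev = BUILT_IN_IV;
    for (int i = 0; i < 3; i++) {
        pairs[i].in = plain[i] ^ prev;
        pairs[i].out = chal[i];
        prev = chal[i];
    }
}

/* Run `sessions` handshakes as a MITM that pins CardID/CardIV and chooses CardNonce.
 * Returns how many harvested pairs are genuine pairs for the pinned unique key
 * (3 per session), or -1 if the model is inconsistent. The check uses the key only
 * to confirm the harvest; the attacker itself never needs it. */
int harvest_sessions(int sessions) {
    const block_t master_key = 0xFEEDFACECAFEBEEFULL;   /* constructed; the secret K */
    const block_t card_id    = 0x5341544F4E594D43ULL;   /* constructed, replayed every time */
    const block_t card_iv    = 0x1122334455667788ULL;   /* constructed, replayed every time */
    block_t unique_key = derive_unique_key(master_key, card_id, card_iv);
    int verified = 0;
    for (int s = 0; s < sessions; s++) {
        block_t mecha_nonce = 0xA5A5A5A500000000ULL + (block_t)s;        /* assumed observable */
        block_t card_nonce  = 0x0000000000001000ULL * (block_t)(s + 1);  /* attacker-chosen */
        block_t chal[3];
        kp_pair pairs[3];
        mecha_build_challenge(unique_key, mecha_nonce, card_nonce, card_iv, chal);
        harvest_pairs(mecha_nonce, card_nonce, card_iv, chal, pairs);
        for (int i = 0; i < 3; i++) {
            if (toy_encrypt(unique_key, pairs[i].in) != pairs[i].out) return -1;
            verified++;
        }
    }
    return verified;
}
```

Every session adds three fresh pairs under the same key because CardID and CardIV are replayed and the IV never changes; that is why the dictionary grows without bound and why the attacks on the next slides have the data they need.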

## MAGICGATE

We can thus pull off a linear cryptanalysis attack on DES with our known-plaintext dictionary

Matsui's attack can break it using $2^{47}$ known plaintexts and was published in 1993. MagicGate was published in 1999.

Biryukov et al.'s attack only requires $2^{41}$ and was released in 2004.

On Multiple Linear Approximations
https://doi.org/10.1007/978-3-540-28628-8_1
hint: sci-hub

But this only applies to DES!

## MAGICGATE

Sony uses 3DES with a 2-key scheme, using the two keys on three encryption steps in this order:

$$
k_{1}, k_{2}, k_{1}
$$

An incorrect order could make a meet-in-the-middle attack possible (with $k_{1}, k_{1}, k_{2}$ the first two steps collapse into a single keyed permutation and the scheme becomes double encryption, which falls to the classic meet-in-the-middle), but unfortunately for us, no can do here

Van Oorschot and Wiener's attack, based on Merkle and Hellman's, is a known-plaintext attack on two-key triple encryption which is now probably achievable by a dedicated adversary

A known-plaintext attack on two-key triple encryption
https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.66.6575

## MAGICGATE

There are a few other details, like Content Keys being derived after that, or the memory card replacing the Session Key with its own Storage Key once stored, but they are all vulnerable to this same attack.

In the end we can extract all keys from the mechacon blindly, without using nitric acid!
Although I am unsure which is costlier nowadays
...Or we can reverse engineer Sony's PS2 emulator, which also includes the entire MagicGate algorithm to work with memory card adaptors

## MAGICGATE

Sony, here are some book recommendations if you want to study cryptography/DES a bit more:

- Applied Cryptography, Bruce Schneier
- Serious Cryptography, Jean-Philippe Aumasson
- The Manga Guide to Cryptography, Masaaki Mitani, Shinichi Sato, Idero Hinoki, Verte Corp.

## WHAT IS THE GS

A rasterizer

That's it!!!

| $X$ | $Y$ | $Z$ | $W$ |
| :--- | :--- | :--- | :--- |
| -1.0 | -1.0 | 0.0 | 1.0 |
| 1.0 | -1.0 | 0.0 | 1.0 |
| 0.0 | 1.0 | 0.0 | 1.0 |

Draws internally into a framebuffer. A part of the GS called the PCRTC then outputs it to your TV

## WHAT IS THE GS

Data is transferred to the GS by using the GIF, which is a part of the EE

Textures are transferred in a way that pleases the GS pixel units

Here is an example with PSMCT32
## WHAT IS THE GS

Linear layout:

| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |

PSMCT32 layout:

| 0 | 1 | 4 | 5 | 16 | 17 | 20 | 21 |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| 2 | 3 | 6 | 7 | 18 | 19 | 22 | 23 |
| 8 | 9 | 12 | 13 | 24 | 25 | 28 | 29 |
| 10 | 11 | 14 | 15 | 26 | 27 | 30 | 31 |
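An added example, not GSdx/PCSX2 code, that turns the second table into an address computation. It assumes the table is the block order of one 64x32-pixel PSMCT32 page (32 blocks of 8x8 32-bit pixels, 2048 words per page) and places pixels linearly inside a block; the real GS also swizzles within the block, which is left out here, and the base and width arguments are simplified to whole pages rather than the units the real registers use.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not GSdx/PCSX2 code: PSMCT32 addressing at page and block
 * granularity using the block table from the slide. Pixels inside an 8x8 block
 * are laid out linearly here (simplification). */

#define PAGE_W 64            /* a PSMCT32 page is 64x32 pixels = 2048 words of 32 bits */
#define PAGE_H 32
#define BLOCK_W 8            /* one block is 8x8 pixels = 64 words */
#define BLOCK_H 8
#define WORDS_PER_BLOCK 64
#define WORDS_PER_PAGE 2048

/* Block number of each 8x8 block inside a page, as on the slide. */
static const uint8_t block_table32[4][8] = {
    {  0,  1,  4,  5, 16, 17, 20, 21 },
    {  2,  3,  6,  7, 18, 19, 22, 23 },
    {  8,  9, 12, 13, 24, 25, 28, 29 },
    { 10, 11, 14, 15, 26, 27, 30, 31 },
};

/* Block index (0..31) of pixel (x,y) within its page. */
unsigned psmct32_block(unsigned x, unsigned y) {
    return block_table32[(y % PAGE_H) / BLOCK_H][(x % PAGE_W) / BLOCK_W];
}

/* Word address of pixel (x,y) for a buffer starting at page `base_page` whose
 * width is `width_pages` pages (assumption: both expressed in whole pages). */
uint32_t psmct32_word_address(uint32_t base_page, uint32_t width_pages, unsigned x, unsigned y) {
    uint32_t page  = base_page + (y / PAGE_H) * width_pages + (x / PAGE_W);
    uint32_t block = psmct32_block(x, y);
    uint32_t pixel = (y % BLOCK_H) * BLOCK_W + (x % BLOCK_W);   /* linear inside the block */
    return page * WORDS_PER_PAGE + block * WORDS_PER_BLOCK + pixel;
}

/* Checks that the swizzle maps the 64x32 pixels of one page onto its 2048 words
 * exactly once each. Returns 1 if it is a bijection, 0 otherwise. */
int psmct32_page_is_bijection(void) {
    static uint8_t seen[WORDS_PER_PAGE];
    memset(seen, 0, sizeof seen);
    for (unsigned y = 0; y < PAGE_H; y++) {
        for (unsigned x = 0; x < PAGE_W; x++) {
            uint32_t a = psmct32_word_address(0, 1, x, y);
            if (a >= WORDS_PER_PAGE || seen[a]) return 0;
            seen[a] = 1;
        }
    }
    return 1;
}
```

Walking x from 0 to 63 on one row shows why a linear upload looks scrambled: the address jumps from block 1 to block 4 at x = 16 and to block 16 at x = 32, which is what the pixel units want to see.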

## WHAT IS THE GS

4 and 8 bit textures can optionally be indexed and use a palette, which in the PS2 world is called a CLUT (Color LookUp Table)

Other notable thing: the framebuffer doesn't have a fixed size and can be resized to 1080p!

But we cannot output it, unfortunately...
...without hacks :D

## OTHER HARDWARE

GamePads are handled by the IOP. Usually the GamePad state is read at each VSync by the game logic

GamePads communicate with the PS2 over the SIO2 protocol, which is an extension of the original PS1 protocol

The IPU is a secondary processor hidden in the EE, without any ISA

You write data through DMA, send the command, and it decodes the stream in real time.

## OTHER HARDWARE

Syscon is a separate processor on the motherboard that handles power-management-related tasks

We can essentially forget about it, emulation-wise

The CDVD subsystem is essentially composed of 3 parts: the laser, a DSP to decode the laser signals, and the mechacon to enforce DRM

The BIOS also has the infamous CSS algorithm to decode DVDs; this is handled by the IOP

## OTHER HARDWARE

USB and IEEE 1394 are connected to the IOP's DMA

The protocols are game specific.

The SSBUS is essentially the DMA core of the PS2. The EE, IOP, DEV9, CDVD, etc. are all connected to it.

DEV9 is a PCMCIA-like device addressed through DMA. Protocols are game specific but are mostly centered around the ethernet and HDD adapter.




## EXAMPLE

(diagram: the EE with COP1 and COP2, and VU1 with VIF1)

A VSync interrupt is reached, the EE reads the PAD state, transferred through the SIF

The EE runs the enemy's AI logic and does some trigonometry for hitboxes with COP1 and COP2 for the next frame

Meanwhile VU1 calculated the transformations of the 3D model for this frame and transfers them to the GS

The GS is now ready to draw! Meanwhile the game logic continued and needs to play a sound effect

The 3D model is loaded into VU memory

And that's how you get a video game!
...and diagrams that don't make sense

The core idea is that the game logic, rendering logic and I/O logic are all able to run in parallel on the different cores

There is an infinite number of possible arrangements of your rendering pipeline, try to imagine others!

## HOW DOES EMULATION WORK

## EMULATOR

What is the first step of making an emulator?

```
$ file KH2FM.ISO
KH2FM.ISO: UDF filesystem data (version 1.5)
$ file SLPM_666.75
SLPM_666.75: ELF 32-bit LSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, stripped
```

File parsers!

## PARSERS

## MEET SYSTEM.CNF

```
// return value:
//   0 - Invalid or unknown disc.
//   1 - PS1 CD
//   2 - PS2 CD
int GetPS2ElfName( wxString& name )
{
    int retype = 0;

    try {
        IsoFSCDVD isofs;
        IsoFile file( isofs, L"SYSTEM.CNF;1");

        int size = file.getLength();
        if( size == 0 ) return 0;

        while( !file.eof() )
        {
            const wxString original( fromUTF8(file.readLine().c_str()) );
            const ParsedAssignmentString parts( original );

            if( parts.lvalue.IsEmpty() && parts.rvalue.IsEmpty() ) continue;
            if( parts.rvalue.IsEmpty() && file.getLength() != file.getSeekPos() )
            { // Some games have a character on the last
              // line of the file, don't print the error in those cases.
                Console.Warning( "(SYSTEM.CNF) Unusual or malformed entry in SYSTEM.CNF ignored:" );
                Console.Indent().WriteLn( original );
                continue;
            }

            if( parts.lvalue == L"BOOT2" )
            {
                name = parts.rvalue;
                Console.WriteLn( Color_StrongBlue, L"(SYSTEM.CNF) Detected PS2 Disc = " + name );
                retype = 2;
            }
            else if( parts.lvalue == L"BOOT" )
            {
                name = parts.rvalue;
                Console.WriteLn( Color_StrongBlue, L"(SYSTEM.CNF) Detected PSX/PSone Disc = " + name );
                retype = 1;
            }
            else if( parts.lvalue == L"VMODE" )
            {
            }
            else if( parts.lvalue == L"VER" )
            {
                Console.WriteLn( Color_Blue, L"(SYSTEM.CNF) Software version = " + parts.rvalue );
            }
        }
        [...]
    }
    [...]
}
```
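A standalone C parser for the same file, added here as an example (not PCSX2's code), with the same 0/1/2 return convention as `GetPS2ElfName`. The SYSTEM.CNF text is constructed; the parser tolerates CRLF, blank lines, over-long lines and the stray last-line character that the PCSX2 excerpt warns about, and it copies values into fixed-size fields with truncation so a hostile disc image cannot overflow them.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not PCSX2 code: a small SYSTEM.CNF parser. Disc type follows
 * the slide's convention: 0 unknown, 1 PS1 (BOOT), 2 PS2 (BOOT2). */

#define CNF_MAX 128

typedef struct {
    int  disc_type;          /* 0, 1 (BOOT) or 2 (BOOT2) */
    char boot[CNF_MAX];      /* rvalue of BOOT/BOOT2, e.g. cdrom0:\SLPM_666.75;1 */
    char version[CNF_MAX];   /* rvalue of VER, if any */
    char vmode[CNF_MAX];     /* rvalue of VMODE, if any */
    int  malformed_lines;    /* non-empty lines without '=' that were ignored */
} system_cnf;

/* Strip leading/trailing whitespace (including CR) in place; returns the new start. */
static char *trim(char *s) {
    while (*s && isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Copy with truncation: an over-long rvalue must never overflow the fixed fields. */
static void copy_field(char *dst, const char *src) {
    snprintf(dst, CNF_MAX, "%s", src);
}

/* Parses SYSTEM.CNF text with LF or CRLF line endings. */
void parse_system_cnf(const char *text, system_cnf *out) {
    memset(out, 0, sizeof *out);
    const char *p = text;
    while (*p) {
        char line[512];
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;   /* truncate absurd lines */
        memcpy(line, p, n);
        line[n] = '\0';
        p += len;
        if (*p == '\n') p++;

        char *eq = strchr(line, '=');
        char *l = trim(line);
        if (*l == '\0') continue;                          /* blank line */
        if (!eq) { out->malformed_lines++; continue; }      /* PCSX2's "unusual entry" path */
        *eq = '\0';
        l = trim(line);                                     /* lvalue */
        char *r = trim(eq + 1);                             /* rvalue */

        if (strcmp(l, "BOOT2") == 0)      { copy_field(out->boot, r); out->disc_type = 2; }
        else if (strcmp(l, "BOOT") == 0)  { copy_field(out->boot, r); out->disc_type = 1; }
        else if (strcmp(l, "VER") == 0)   copy_field(out->version, r);
        else if (strcmp(l, "VMODE") == 0) copy_field(out->vmode, r);
        /* unknown keys are ignored, as in PCSX2 */
    }
}

/* Convenience: just the disc type of a SYSTEM.CNF text. */
int disc_type_of(const char *text) {
    system_cnf cnf;
    parse_system_cnf(text, &cnf);
    return cnf.disc_type;
}

/* Constructed sample, not copied from a real disc; the last line has no '='. */
static const char SAMPLE_CNF[] =
    "BOOT2 = cdrom0:\\SLPM_666.75;1\r\n"
    "VER = 1.00\r\n"
    "VMODE = NTSC\r\n"
    "\r\n"
    "stray\r\n";

static system_cnf sample_parsed;

const system_cnf *parse_sample(void) {
    parse_system_cnf(SAMPLE_CNF, &sample_parsed);
    return &sample_parsed;
}
```

Everything the parser reads comes from the disc image, so each field is bounded twice: once by the line buffer and once by `copy_field`; a value longer than 127 bytes is cut, never written past the struct.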


## INTERPRETER

```
void R5900::Interpreter::OpcodeImpl::SWC1() {
    u32 addr;

    // force sign extension to 32bit
    addr = cpuRegs.GPR.r[_Rs_].UL[0] + (s16)(cpuRegs.code & 0xffff);
    if (addr & 0x00000003)
    {
        Console.Error( "FPU (SWC1 Opcode): Invalid Unaligned Memory Address" );
        return;
    } // Should signal an exception?

    memWrite32(addr, fpuRegs.fpr[_Rt_].UL);
}
```


## RECOMPILER

```
void recSWC1()
{
#ifndef FPU_RECOMPILE
    recCall(::R5900::Interpreter::OpcodeImpl::SWC1);
#else
    _deleteFPtoXMMreg(_Rt_, 1);
    xMOV(arg2regd, ptr32[&fpuRegs.fpr[_Rt_].UL] );

    if( GPR_IS_CONST1( _Rs_ ) )
    {
        int addr = g_cpuConstRegs[_Rs_].UL[0] + _Imm_;
        vtlb_DynGenWrite_Const(32, addr);
    }
    else
    {
        _eeMoveGPRtoR(arg1regd, _Rs_);
        if (_Imm_ != 0)
            xADD(arg1regd, _Imm_);

        iFlushCall(FLUSH_FULLVTLB);
        vtlb_DynGenWrite(32);
    }

    EE::Profiler.EmitOp(eeOpcode::SWC1);
#endif
}
```


## SELF-MODIFYING CODE

```
void mmap_PageFaultHandler::OnPageFaultEvent( const PageFaultInfo& info, bool& handled )
{
    pxAssert( eeMem );

    // get bad virtual address
    uptr offset = info.addr - (uptr)eeMem->Main;
    if( offset >= Ps2MemSize::MainRam ) return;

    mmap_ClearCpuBlock( offset );
    handled = true;
}

// offset - offset of address relative to psM.
// All recompiled blocks belonging to the page are cleared, and any new blocks recompiled
// from code residing in this page will use manual protection.
static __fi void mmap_ClearCpuBlock( uint offset )
{
    [...]
}
```
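The page-protection trick behind that handler, as an added, self-contained C example (POSIX only; not PCSX2's code). Guest RAM here is four host pages rather than the PS2's 32 MiB, and `clear_cpu_block` only counts invalidations instead of flushing a block cache; the shape is the same: pages holding recompiled code are read-only, a guest store into one faults, the handler drops that page's blocks, re-enables writes and lets the store retry.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not PCSX2 code: mprotect + SIGSEGV based detection of guest
 * writes into pages that hold recompiled code. POSIX only. */

static uint8_t *guest_ram;                        /* stands in for eeMem->Main */
static size_t   guest_ram_size;                   /* constructed: 4 host pages, not 32 MiB */
static long     page_size;
static volatile sig_atomic_t blocks_cleared;      /* times our mmap_ClearCpuBlock stand-in ran */
static volatile sig_atomic_t last_cleared_page = -1;

/* Stand-in for mmap_ClearCpuBlock: forget the blocks of this page and make it writable. */
static void clear_cpu_block(uintptr_t offset) {
    uintptr_t page_off = offset & ~(uintptr_t)(page_size - 1);
    blocks_cleared++;
    last_cleared_page = (sig_atomic_t)(page_off / (uintptr_t)page_size);
    mprotect(guest_ram + page_off, (size_t)page_size, PROT_READ | PROT_WRITE);
}

/* SIGSEGV handler: only faults inside guest RAM are ours; anything else is a real crash. */
static void on_page_fault(int sig, siginfo_t *info, void *ctx) {
    (void)ctx;
    uintptr_t addr = (uintptr_t)info->si_addr;
    uintptr_t base = (uintptr_t)guest_ram;
    if (addr < base || addr >= base + guest_ram_size) {
        signal(sig, SIG_DFL);            /* not guest RAM: let it crash on retry */
        return;
    }
    clear_cpu_block(addr - base);        /* returning re-executes the faulting store */
}

/* Mark a guest page as "holds recompiled code": writes to it must now trap. */
void protect_recompiled_page(size_t page_index) {
    mprotect(guest_ram + page_index * (size_t)page_size, (size_t)page_size, PROT_READ);
}

/* Demo: protect page 1, let the guest write there twice and to page 0 once.
 * Returns 1 if exactly one invalidation happened (for page 1) and all stores landed. */
int smc_protect_demo(void) {
    page_size = sysconf(_SC_PAGESIZE);
    guest_ram_size = 4 * (size_t)page_size;
    guest_ram = mmap(NULL, guest_ram_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guest_ram == MAP_FAILED) return -1;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_page_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -1;

    blocks_cleared = 0;
    protect_recompiled_page(1);

    volatile uint8_t *ram = guest_ram;
    ram[page_size + 0x10] = 0x42;   /* faults: page 1 is read-only -> cleared -> retried */
    ram[page_size + 0x20] = 0x43;   /* page 1 is writable again: no fault */
    ram[0x08]             = 0x44;   /* page 0 was never protected: no fault */

    int ok = blocks_cleared == 1 && last_cleared_page == 1 &&
             ram[page_size + 0x10] == 0x42 && ram[page_size + 0x20] == 0x43 &&
             ram[0x08] == 0x44;

    sigaction(SIGSEGV, &old, NULL);
    munmap(guest_ram, guest_ram_size);
    guest_ram = NULL;
    return ok;
}
```

The bounds check in the handler mirrors the `offset >= Ps2MemSize::MainRam` test in the PCSX2 excerpt: a fault anywhere else must not be swallowed, or a genuine host bug turns into silent memory corruption.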

## SYSCALL

We can sorta emulate some instructions!

We now need to emulate PS2-specific ones

2 ways to do it:

- ~~HLE: Reimplement them like an interpreter~~
- LLE: Run the BIOS

## PS2 GAMES PATCH THE BIOS

## DUMPING THE BIOS

The BIOS is available on the flash chip!
Unencrypted!!
Save for the DVD EROM, probably to hide the CSS
We don't really care about it though :D
A few soldering hackjobs later...

## BIOS ENTRYPOINT

```
mfc0  k0, PRId                 ; get register PRId from COP0
nop
slti  at, k0, 0x59             ; at = (k0 < 0x59), i.e. if (0x59 <= k0) at = 0
bne   at, zero, LAB_00000024   ; if (at != 0) jmp LAB_00000024
nop
```

COP0 is not the same between the IOP and the EE
This bit of code effectively is the entrypoint for both the IOP and the EE

We already have to emulate the IOP

Architecture

## CUSTOM ARCHITECTURE

How do you figure out a custom ISA?

Essentially 2 ways:

- Make assumptions, test assumptions on hardware
- ~~Get documentation from Sony~~

Here's a talk for some insight on the process:

Reverse engineering of binary programs for custom virtual machines

Memory

(diagram: physical memory mapped to virtual memory through the MMU)

## MMU

The EE has an MMU we need to emulate, meet VTLB!

```
void __fastcall vtlb_memRead64(u32 mem, mem64_t *out)
{
    auto vmv = vtlbdata.vmap[mem>>VTLB_PAGE_BITS];

    if (!vmv.isHandler(mem))
    {
        if (!CHECK_EEREC) {
            if(CHECK_CACHE && CheckCache(mem))
            {
                *out = readCache64(mem);
                return;
            }
        }

        *out = *(mem64_t*)vmv.assumePtr(mem);
    [...]
```

The EE has an MMU we need to emulate, meet recVTLB!

```
// ------------------------------------------------------------------------
// TLB lookup is performed in const, with the assumption that the COP0/TLB will clear the
// recompiler if the TLB is changed.
void vtlb_DynGenRead64_Const( u32 bits, u32 addr_const )
{
    EE::Profiler.EmitConstMem(addr_const);

    auto vmv = vtlbdata.vmap[addr_const>>VTLB_PAGE_BITS];
    if( !vmv.isHandler(addr_const) )
    {
        auto ppf = vmv.assumePtr(addr_const);
        switch( bits )
        {
            case 64:
                iMOV64_Smart( ptr[arg2reg], ptr[(void*)ppf] );
            break;

            case 128:
                iMOV128_SSE( ptr[arg2reg], ptr[(void*)ppf] );
            break;

            jNO_DEFAULT
        }
    }
    [...]
```


## MULTI CORE SHENANIGANS

Now that we have multiple CPU cores running in parallel we need to handle them concurrently

We have our own thread scheduler to do that, meet SysExecutor!

```
void pxEvtQueue::ProcessEvent( SysExecEvent* evt )
{
    if( !evt ) return;

    if( wxThread::GetCurrentId() != m_OwnerThreadId )
    {
        SynchronousActionState sync;
        evt->SetSyncState( sync );
        PostEvent( evt );
        sync.WaitForResult();
    }
    else
    {
        std::unique_ptr<SysExecEvent> deleteMe(evt);
        deleteMe->_DoInvokeEvent();
    }
    [...]
```

Dispatch

## DISPATCHING TO PROCESSORS

How do we transfer data from, say, the IOP to DEV9?

Our JIT falls back to the interpreter and verifies where the write should go!

```
static void rpsxSB()
{
    _psxDeleteReg(_Rs_, 1);
    _psxDeleteReg(_Rt_, 1);

    xMOV(arg1regd, ptr32[&psxRegs.GPR.r[_Rs_]]);
    if (_Imm_) xADD(arg1regd, _Imm_);
    xMOV(arg2regd, ptr32[&psxRegs.GPR.r[_Rt_]]);
    xFastCall((void*)iopMemWrite8, arg1regd, arg2regd);
}

void __fastcall iopMemWrite8(u32 mem, u8 value)
{
    mem &= 0x1fffffff;
    u32 t = mem >> 16;
    [...]
    else
    {
        if (!(p != NULL && !(psxRegs.CP0.n.Status & 0x10000)))
        {
            if (t == 0x1000)
            {
                DEV9write8(mem, value); return;
            }
            PSXMEM_LOG("err sb %8.8lx = %x", mem, value);
        }
    }
}
```
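An added example (not PCSX2's code) of a vtlb-style memory map that serves both the VTLB slide above and this dispatch: each guest page is either a host pointer or a handler index, reads and writes take the fast path when the page is direct, and anything else goes through the handler, with the guest address bounds-checked before it indexes anything. The layout (1 MiB guest space, 4 KiB pages, 64 KiB RAM, one "DEV9-like" register page at 0x80000) is constructed and does not match real PS2 addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not PCSX2 code: a page-table driven memory map in the spirit of
 * vtlbdata.vmap / vmv.isHandler() and of the iopMemWrite8 fall-through to DEV9. */

#define PAGE_BITS   12
#define PAGE_SIZE   (1u << PAGE_BITS)
#define GUEST_SPACE (1u << 20)             /* constructed: 1 MiB of guest addresses */
#define NPAGES      (GUEST_SPACE / PAGE_SIZE)
#define RAM_SIZE    (64u * 1024)           /* constructed: 64 KiB of directly mapped RAM */
#define DEV_BASE    0x80000u               /* constructed MMIO page, not a real PS2 address */

typedef uint8_t (*read8_fn)(uint32_t addr);
typedef void    (*write8_fn)(uint32_t addr, uint8_t value);
typedef struct { read8_fn read; write8_fn write; } handler_t;

/* One entry per guest page: direct != NULL means host memory, otherwise a handler index. */
typedef struct { uint8_t *direct; unsigned handler; } vmap_entry;

static uint8_t    host_ram[RAM_SIZE];
static uint8_t    dev_regs[PAGE_SIZE];
static vmap_entry vmap[NPAGES];
static int        dev_writes, unmapped_writes;

static uint8_t unmapped_read8(uint32_t addr)           { (void)addr; return 0xFF; }
static void    unmapped_write8(uint32_t addr, uint8_t v) { (void)addr; (void)v; unmapped_writes++; } /* PCSX2 logs "err sb" here */
static uint8_t dev_read8(uint32_t addr)                { return dev_regs[addr & (PAGE_SIZE - 1)]; }
static void    dev_write8(uint32_t addr, uint8_t v)    { dev_writes++; dev_regs[addr & (PAGE_SIZE - 1)] = v; }

enum { H_UNMAPPED = 0, H_DEV = 1 };
static const handler_t handlers[] = {
    { unmapped_read8, unmapped_write8 },
    { dev_read8,      dev_write8      },
};

void vmap_init(void) {
    for (unsigned p = 0; p < NPAGES; p++) { vmap[p].direct = NULL; vmap[p].handler = H_UNMAPPED; }
    for (unsigned p = 0; p < RAM_SIZE / PAGE_SIZE; p++) vmap[p].direct = host_ram + p * PAGE_SIZE;
    vmap[DEV_BASE >> PAGE_BITS].handler = H_DEV;
    dev_writes = unmapped_writes = 0;
    memset(host_ram, 0, sizeof host_ram);
    memset(dev_regs, 0, sizeof dev_regs);
}

/* The bound check comes first: a guest address must never index vmap[] or host RAM
 * out of range, whatever value recompiled code hands us. */
static const vmap_entry *lookup(uint32_t addr) {
    if (addr >= GUEST_SPACE) return NULL;
    return &vmap[addr >> PAGE_BITS];
}

uint8_t guest_read8(uint32_t addr) {
    const vmap_entry *e = lookup(addr);
    if (!e) return unmapped_read8(addr);
    if (e->direct) return e->direct[addr & (PAGE_SIZE - 1)];   /* fast path, like assumePtr() */
    return handlers[e->handler].read(addr);
}

void guest_write8(uint32_t addr, uint8_t value) {
    const vmap_entry *e = lookup(addr);
    if (!e) { unmapped_write8(addr, value); return; }
    if (e->direct) { e->direct[addr & (PAGE_SIZE - 1)] = value; return; }
    handlers[e->handler].write(addr, value);
}

int guest_dev_writes(void)      { return dev_writes; }
int guest_unmapped_writes(void) { return unmapped_writes; }

/* Exercise RAM, the device page and two unmapped addresses; returns 1 if every access
 * was routed as expected. */
int vmap_selftest(void) {
    vmap_init();
    guest_write8(0x1234, 0xAB);            /* direct page: lands in host_ram */
    guest_write8(DEV_BASE + 4, 0x55);      /* handler page: goes to the device */
    guest_write8(0x20000, 0x01);           /* inside the space, but no page mapped */
    guest_write8(0xFFFFFFFFu, 0x01);       /* outside the space entirely */
    return host_ram[0x1234] == 0xAB && guest_read8(0x1234) == 0xAB &&
           dev_writes == 1 && guest_read8(DEV_BASE + 4) == 0x55 &&
           guest_read8(0x20000) == 0xFF && unmapped_writes == 2;
}
```

A recompiler emits the direct path inline and calls into `guest_write8` only for pages that are not direct, which is the split between `vtlb_DynGenWrite_Const` and the `xFastCall` to `iopMemWrite8` on the slides.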


## EMULATING SOUND

We run an async loop that processes audio while everything else is running

```
__forceinline void TimeUpdate(u32 cClocks)
{
    u32 dClocks = cClocks - lClocks;

    // Sanity Checks:
    //  It's not totally uncommon for the IOP's clock to jump backwards a cycle or two, and in
    //  such cases we just want to ignore the TimeUpdate call.

    if (dClocks > (u32)-15)
        return;

    if (SynchMode == 1) // AsyncMix on
        SndBuffer::UpdateTempoChangeAsyncMixing();
    else
        TickInterval = 768; // Reset to default

    //Update Mixing Progress
    while (dClocks >= TickInterval)
    {
        for (int i = 0; i < 2; i++)
        {
            if (has_to_call_irq[i])
            {
                has_to_call_irq[i] = false;
                if (!(Spdif.Info & (4 << i)) && Cores[i].IRQEnable)
                {
                    Spdif.Info |= (4 << i);
                    if (!SPU2_dummy_callback)
                        spu2Irq();
                }
            }
        }
        Mix();
        [...]
```

## EMULATING SOUND

```
__forceinline void Mix()
{
    [...]
    Out.Left  *= FinalVolume;
    Out.Right *= FinalVolume;
    SndBuffer::Write(Out);
    [...]
}

void SndBuffer::Write(const StereoOut32& Sample)
{
    [...]
    else
    {
        if (SynchMode == 0) // TimeStrech on
            timeStretchWrite();
        else
            _WriteSamples(sndTempBuffer, SndOutPacketSize);
    }
}

void SndOut_SDL::callback_fillBuffer(void* userdata, Uint8* stream, int len)
{
    [...]
    for (Uint16 i = 0; i < sdl_samples; i += SndOutPacketSize)
        SndBuffer::ReadSamples(&buffer[i]);

    SDL_MixAudio(stream, (Uint8*)buffer.get(), len, SDL_MIX_MAXVOLUME);
}
```

## EMULATING GRAPHICS

```
void GSState::FlushPrim()
{
    if (m_index.tail > 0)
    {
        GL_REG("FlushPrim ctxt %d", PRIM->CTXT);
        [...]
        if (GSLocalMemory::m_psm[m_context->FRAME.PSM].fmt < 3 && GSLocalMemory::m_psm[m_context->ZBUF.PSM].fmt < 3)
        {
            m_vt.Update(m_vertex.buff, m_index.buff, m_vertex.tail, m_index.tail, GSUtil::GetPrimClass(PRIM->PRIM));
            m_context->SaveReg();
            try
            {
                Draw();
            }
```


## EMULATING GRAPHICS

```
void GSRendererHW::Draw()
{
    if (m_dev->IsLost() || IsBadFrame()) {
        GL_INS("Warning skipping a draw call (%d)", s_n);
        return;
    }
    GL_PUSH("HW Draw %d", s_n);
    [...]
    GSTextureCache::Target* rt = NULL;
    GSTexture* rt_tex = NULL;
    if (!no_rt) {
        rt = m_tc->LookupTarget(TEX0, m_width, m_height, GSTextureCache::RenderTarget, true, fm);
        rt_tex = rt->m_texture;
    }
    TEX0.TBP0 = context->ZBUF.Block();
    TEX0.TBW = context->FRAME.FBW;
    TEX0.PSM = context->ZBUF.PSM;
    GSTextureCache::Target* ds = NULL;
    GSTexture* ds_tex = NULL;
    if (!no_ds) {
        ds = m_tc->LookupTarget(TEX0, m_width, m_height, GSTextureCache::DepthStencil, context->DepthWrite());
        ds_tex = ds->m_texture;
    }
    [...]
    DrawPrims(rt_tex, ds_tex, m_src);
```


## EMULATING GRAPHICS

```
void GSRendererOGL::DrawPrims(GSTexture* rt, GSTexture* ds, GSTextureCache::Source* tex)
{
    // HLE implementation of the channel selection effect
    //
    // Warning it must be done at the beginning because it will change the
    // vertex list (it will interact with PrimitiveOverlap and accurate
    // blending)
    EmulateChannelShuffle(&rt, tex);
    // Upscaling hack to avoid various line/grid issues
    MergeSprite(tex);
    // Always check if primitives overlap as it is used in plenty of effects.
    m_prim_overlap = PrimitiveOverlap();
    [...]
    // Blend
    if (!IsOpaque() && rt) {
        EmulateBlending(DATE_GL42, DATE_GL45);
    } else {
        dev->OMSetBlendState(); // No blending please
    }
    if (m_ps_sel.dfmt == 1) {
        // Disable writing of the alpha channel
        m_om_csel.wa = 0;
    }
    if (DATE && !DATE_GL45) {
        GSVector4i dRect = ComputeBoundingBox(rtscale, rtsize);
    }
    dev->BeginScene();
    EmulateZbuffer(); // will update VS depth mask
```

## OTHER COMPONENTS

PAD, DEV9, USB, MCD and CDVD all work in a similar way, so for brevity's sake I won't go through them one by one.

Memory writes are handled by the module, which simulates the I/O.

The result is then piped to one of several system backends, e.g.:

- PAD: SDL
- DEV9: TAP
- USB-video: V4L
- MCD: your filesystem!
- CDVD: <linux/cdrom.h>
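To make the "module simulates the I/O, then pipes it to a backend" flow concrete, here is an added C++ example (my own toy code, not PCSX2's) modelled on the psxMemWrite8 excerpt shown earlier in the talk: the segment number of the guest address decides whether a write lands in RAM, in the DEV9 module (which forwards to a backend, here a log vector), or is dropped and logged. `ToyIop`, `Sink` and `writeThenRead` are names invented for this example; the 2 MiB RAM size, the 0x1000 DEV9 segment and the isolate-cache status bit follow the excerpt.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Added example, not PCSX2 code: a toy 8-bit write dispatcher in the spirit
// of the psxMemWrite8 excerpt. The "backend" for DEV9 is just a log.
constexpr uint32_t kRamSize = 2u * 1024 * 1024;  // IOP main RAM is 2 MiB
constexpr uint32_t kIsolateCache = 0x10000;      // COP0 Status bit tested by the excerpt

enum class Sink { Ram, Dev9, Dropped };

struct ToyIop {
    std::vector<uint8_t> ram;
    uint32_t status;                       // COP0 Status register
    std::vector<std::string> dev9Backend;  // where the DEV9 module pipes its writes
    std::vector<std::string> errLog;       // stands in for PSXMEM_LOG

    explicit ToyIop(uint32_t cop0Status = 0) : ram(kRamSize, 0), status(cop0Status) {}

    // Device module: simulate the register, then hand the value to the backend.
    void dev9Write8(uint32_t addr, uint8_t v) {
        char line[48];
        std::snprintf(line, sizeof line, "dev9 %08x=%02x", addr, v);
        dev9Backend.emplace_back(line);
    }

    // Host offset for a guest address, or nothing when the address is not RAM.
    // Stands in for the psxMemWLUT lookup; the explicit bound keeps a guest
    // address from ever indexing past the host buffer.
    std::optional<uint32_t> ramOffset(uint32_t mem) const {
        uint32_t phys = mem & 0x1fffffff;  // kseg0/kseg1 mirrors hit the same RAM
        if (phys < ram.size()) return phys;
        return std::nullopt;
    }

    Sink write8(uint32_t mem, uint8_t value) {
        uint32_t t = (mem >> 16) & 0x1fff;  // segment number, as in the excerpt
        auto off = ramOffset(mem);
        if (off && !(status & kIsolateCache)) {
            ram[*off] = value;              // plain RAM write
            return Sink::Ram;
        }
        if (t == 0x1000) {                  // DEV9 register space
            dev9Write8(mem, value);
            return Sink::Dev9;
        }
        char line[48];
        std::snprintf(line, sizeof line, "err sb %08x = %x", mem, value);
        errLog.emplace_back(line);
        return Sink::Dropped;
    }

    uint8_t peek(uint32_t mem) const {
        auto off = ramOffset(mem);
        return off ? ram[*off] : 0;
    }
};

// Helper: write through one guest address, read back through another.
uint8_t writeThenRead(uint32_t writeAddr, uint32_t readAddr, uint8_t v, uint32_t cop0Status = 0) {
    ToyIop iop(cop0Status);
    iop.write8(writeAddr, v);
    return iop.peek(readAddr);
}

int main() {
    ToyIop iop;
    iop.write8(0x80001234, 0xCD);  // kseg0 mirror of RAM
    iop.write8(0x10001000, 0x11);  // DEV9 register
    iop.write8(0x1f900000, 0x22);  // nothing mapped here in this toy
    std::printf("ram[0x1234]=%02x dev9=%zu errors=%zu\n",
                iop.peek(0x1234), iop.dev9Backend.size(), iop.errLog.size());
    return 0;
}
```

The bounds check in `ramOffset` is the part worth copying: whenever a guest address is turned into a host pointer, the translation, not the caller, must guarantee it stays inside the host buffer.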


## WHAT'S LEFT?

Threading the GS and the VU!
Threading the GS is done by waiting for the data to be received, then running multiple rendering threads in parallel once all transfers are complete.

> Fairly safe

Threading the VU is much harder and not nearly as safe.

Still considered a SpeedHack; it still breaks things.
Read our dev blog about threading VU1 for more info!

## WHAT'S LEFT?

## Not going too fast!!

Make VU run closer in sync with EE, implement Mbit #3593
refractionpcsx2 merged 2 commits into PCSX2:master from kozarovv:VU_cycles on Aug 29, 2020

## Changes by Refraction:

Implement basic cycle counting for COP2 operations, implement COP2 detection while not interlocking, implement Mbit, change drastically cycles required to run every microprogram. Improved flag handling while COP2 update them.

Additionally:
As explained here: Link. Hardware tests proved that VU run at the same speed as EE mips core. So let's set that in pcsx2 where it is possible.


## Fixed games in this commit:

- (VIF) Hitman games - Could have potentially crashed randomly with TLB misses or FIFO errors, no longer happening
- 24 The game, Primal, Ghosthunter - No longer need patches to get full speed
- Air Rescue Ranger - Textures are now displayed correctly
- Amplitude - SPS on characters fixed
- Gift, Woody Woodpecker, Kaan - Now work full speed
- Lotus Challenge - Cars are no longer bouncy!
- My Street - missing characters now visible, still exhibit a small amount of SPS in microVU0 but perfect in VU0 Int
- Mike Tyson's Heavyweight Box - T posing seethrough characters are now whole and animated
- Next Generation Tennis 2003 - No longer need patch to fix SPS
- Sega Superstars Tennis - SPS on hands/feet is now gone
- Tiger Woods PGA Tour 2002 - Fixed player stance
- Tony Hawk 4 - Wakeboarding Unleashed demo no longer crash at loading screen (demo need XGKick hack)
- Totally Spies Totally Party! - Bad SPS somewhat fixed - Will require you to set EE Cyclerate +3 to completely fix.
- Twisted Metal Head-On - Black doors have now proper colors
- Wakeboarding Unleashed - No longer hangs getting to the menu on release builds
- World Series Baseball 2k3 - No longer hang on loading screen (game still have other issues)

Game issues fixed:
fixes #1448 fixes #3252 fixes #3028 fixes #1473 fixes #94

- Phase Paradox - Lighting and Camera in cutscenes are fixed

## WHAT'S LEFT?

## Faster isn't always better !

The same PR (#3593, "Make VU run closer in sync with EE, implement Mbit") shown again; its fixed-games list also includes:

- Phase Paradox - Lighting and Camera in cutscenes are fixed
- Rayman 2 Revolution - Random jittering no longer happens



## WHAT'S LEFT?

## Emulating the laws of physics

## No, really

CDVD: Adjust read speed depending on if in inner/outer edge #3877
refractionpcsx2 merged 2 commits into master 22 days ago

refractionpcsx2 commented on Oct 31, 2020 (edited):

> Fixes Shadowman 2 Second Coming textures
> Fixes Arctic Thunder loading problems
> Fixes looping music on ONI title screen and skipping dialogues
> Fixes Klonoa 2 missing audio
> Fixes SPS at the beginning of matches in Next Generation Tennis 2003 (Roland Garros) - This one surprised me too
> Original comments mentioned Silent Hill 2 being starved during videos, but seems fine to me, but if somebody could test further into the game, that'd be great.
>
> Edit: It does cause the second video (and later ones) to hang, however this isn't being starved of data, I can run the CDVD at 0.3x the normal speed and it works, so there's some sort of annoying timing issue going on. Can be gotten around by setting the EE

Labels: CDVD, High Priority

```
// Read speed is roughly 37% at lowest and full speed on outer edge.
// I imagine it's more logarithmic than this
// Required for Shadowman to work
// Use SeekToSector as Sector hasn't been updated yet
const float sectorSpeed = (((float)(cdvd.SeekToSector - offset) / numSectors) * 0.63f) + 0.37f;
//DevCon.Warning("Read speed %f sector %d\n", sectorSpeed, cdvd.Sector);
return ((PSXCLK * cdvd.BlockSize) / ((float)(((mode == MODE_CDROM) ? PSX_CD_READSPEED : PSX_DVD_READSPEED) * cdvd.Speed) * sectorSpeed));
```
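As an added example (my own code, not PCSX2's), the formula above carried through in self-contained C++: a block's read time in IOP cycles as a function of where on the disc it sits. The clock and 1x rates are the standard values (IOP 36.864 MHz, 1x CD 153600 bytes/s, 1x DVD 1382400 bytes/s) and are assumptions of this example rather than values quoted on the slide; unlike the excerpt, `sectorSpeed` here clamps the position and guards the zero-sector and zero-speed cases, which is my choice.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <cstdio>

// Added example, not PCSX2 code: CAV-style read time, 37% speed at the inner
// edge rising linearly to 100% at the outer edge, as in the excerpt.
constexpr double kPsxClk     = 36864000.0;  // IOP clock in Hz (assumed standard value)
constexpr double kCd1xBytes  = 153600.0;    // 1x CD, bytes per second (assumed standard value)
constexpr double kDvd1xBytes = 1382400.0;   // 1x DVD, bytes per second (assumed standard value)

// Fraction of full speed at `sector`, given the first sector of the media
// region (`offset`) and its size in sectors. The excerpt divides blindly;
// this version clamps to [0, 1] and treats an unknown geometry as full
// speed so bad inputs cannot yield a negative or divide-by-zero speed.
double sectorSpeed(uint32_t sector, uint32_t offset, uint32_t numSectors) {
    if (numSectors == 0) return 1.0;  // no geometry known: assume the outer edge
    double pos = sector < offset ? 0.0 : double(sector - offset) / numSectors;
    pos = std::min(pos, 1.0);
    return pos * 0.63 + 0.37;
}

// IOP cycles one block of `blockSize` bytes takes to arrive at `driveSpeed`x.
double blockReadCycles(bool dvd, uint32_t blockSize, uint32_t driveSpeed,
                       uint32_t sector, uint32_t offset, uint32_t numSectors) {
    if (driveSpeed == 0) driveSpeed = 1;  // guard: a 0x drive would divide by zero
    double bytesPerSecond = (dvd ? kDvd1xBytes : kCd1xBytes) * driveSpeed;
    return (kPsxClk * blockSize) / (bytesPerSecond * sectorSpeed(sector, offset, numSectors));
}

int main() {
    // Constructed geometry: a single 1000-sector region starting at sector 0.
    for (uint32_t s : {0u, 250u, 500u, 750u, 1000u}) {
        std::printf("sector %4u: speed %.3f, %.1f cycles per 2048-byte block at 4x DVD\n",
                    s, sectorSpeed(s, 0, 1000), blockReadCycles(true, 2048, 4, s, 0, 1000));
    }
    return 0;
}
```

At 4x DVD the outer edge works out to about 13653 cycles per 2048-byte block and the inner edge to about 2.7 times that, which is the difference games like Shadowman were sensitive to.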


## WHAT'S LEFT?

Making an infrastructure!
A website, forum, compatibility list, getting testers...

This is where YOU come in :D

We always need help, feel free to hang out and say hi!
https://discord.com/invite/TCz3t9k

You can bridge it to Matrix with
https://github.com/matrix-discord/mx-puppet-discord

## STATE OF THE PROJECT

PCSX2 is really old
It now has a lot of legacy code that simply needs to be redone, redesigned or freshened up

I am leading a whole codebase redesign effort

I'll show you in the next slides the state of things and what to expect!

## CODE ARCHITECTURE

[Architecture diagram: SysExecutor on top; Plugins below it; Frontend and Frontend 2 on the side]

Plugins:

| GS | SPU2 | USB | CDVD | PAD |
| :--- | :--- | :--- | :--- | :--- |

Hard dependency on wxWidgets!!


## JIT

> With all the mentioned challenges, it will take a couple of months to get things working reasonably stable. By that time, more people would have switched to 64bit OSs. If we're even half right in our estimates, Pcsx2 will run much faster on a 64bit OS than on a 32bit OS on the same computer once x86-64 recompilation is done.

PCSX2 64bit Recompilation, created 29 October 2006, written by ZeroFrog

## Fortunately, our 64 bit JIT is mostly done!

## x64 Work and Testing #4102

tadanokojin, 7d ago, 4 comments

tadanokojin, 4d ago (Maintainer, Author):

> The memory card stuff should be sorted now, so Linux at least is ready to go. For GSdx, I understand tellow has it mostly working and @GovanifY is planning to take a closer look. Will need to sort out mipmapping but after those two we shall be ready for public release (and any fun bugs that come).

## IPC

## I've worked on a new protocol for 3 way game<->emulator<->OS communication

Merged: Socket IPC implementation #3591
tellowkrinkle merged 11 commits into PCSX2:master from govanify:socket_ipc on Sep 19, 2020

> A 3 way communication can thus be established, game->OS; OS->game; OS->emu and game->emu.
> game->OS IPC is poll based, OS->game event, game->emu poll and OS->emu event.
> This is due to how the IPC is implemented: Dolphin IPC implements an event based IPC for emu<->game at the cost of having to modify the executable code of the game to implement this.
> The upside of this PR is thus that you do not need to modify the game executable, only to reverse engineer it to find state variables and read off from it. As such this is not a no-cost implementation if the logic requires this.

## Romhacks and game modding tools are about to get a lot more interesting!
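The poll-based side of that design (a tool reads a game's state variables out of emulator memory, with no change to the game executable) comes down to one primitive: a "read N bytes at guest address A" request answered by the emulator. Here it is as an added C++ example, my own toy code, not the wire format or code of PR #3591: the framing (one opcode byte, little-endian u32 address and length) and all function names are invented for illustration, and the guest RAM is a constructed 16-byte buffer rather than the PS2's real memory.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not PCSX2 code and not the real socket IPC format: a toy
// poll-based "read guest memory" request and its reply.
constexpr uint8_t kOpRead = 0x01;
constexpr uint8_t kStatusOk = 0x00;
constexpr uint8_t kStatusBadRange = 0x01;
constexpr uint8_t kStatusBadRequest = 0x02;
constexpr uint32_t kMaxReadBytes = 64 * 1024;  // cap so one request cannot demand a huge reply

static void putU32(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(uint8_t(v >> (8 * i)));  // little-endian
}
static uint32_t getU32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Tool side: build a request to read `len` bytes at guest address `addr`.
std::vector<uint8_t> encodeRead(uint32_t addr, uint32_t len) {
    std::vector<uint8_t> req{kOpRead};
    putU32(req, addr);
    putU32(req, len);
    return req;
}

// Emulator side: answer one request against the guest RAM image.
// Reply = status byte, followed by the payload on success.
std::vector<uint8_t> handleRequest(const std::vector<uint8_t>& guestRam,
                                   const std::vector<uint8_t>& req) {
    if (req.size() != 9 || req[0] != kOpRead) return {kStatusBadRequest};
    uint32_t addr = getU32(&req[1]);
    uint32_t len  = getU32(&req[5]);
    // Overflow-safe range check: compare against the remaining size instead of
    // computing addr + len, which a hostile client could make wrap around.
    if (len > kMaxReadBytes || addr > guestRam.size() || len > guestRam.size() - addr)
        return {kStatusBadRange};
    std::vector<uint8_t> reply{kStatusOk};
    reply.insert(reply.end(), guestRam.begin() + addr, guestRam.begin() + addr + len);
    return reply;
}

// Tool side again: extract the payload from a reply; empty on any error status.
std::vector<uint8_t> replyPayload(const std::vector<uint8_t>& reply) {
    if (reply.empty() || reply[0] != kStatusOk) return {};
    return std::vector<uint8_t>(reply.begin() + 1, reply.end());
}

// Round trip on a constructed 16-byte "RAM" where bytes 4..7 hold a
// little-endian counter of 0x1234; returns the counter, or -1 if refused.
int readCounterDemo() {
    std::vector<uint8_t> ram(16, 0);
    ram[4] = 0x34;
    ram[5] = 0x12;
    auto payload = replyPayload(handleRequest(ram, encodeRead(4, 4)));
    if (payload.size() != 4) return -1;
    return int(getU32(payload.data()));
}

int main() {
    std::printf("counter read over toy IPC: 0x%x\n", readCounterDemo());
    return 0;
}
```

Since the emulator end of such a socket is reachable by any local process, the range check in `handleRequest` is the part that matters: every address and length coming off the wire is untrusted, and the check must not itself overflow.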

## STATE OF THE PROJECT

What to expect for 1.8:

- No Plugins!
- 64-bit Support!
- Reduced Input Lag!
- A new shiny IPC protocol!
- ...and much more (read our progress reports!)
## STATE OF THE PROJECT

What might be ready for 2.0:

- A new Qt based GUI along with support for pluggable & community GUIs
- Rework of our Infrastructure/Website
- Work on a pluggable JIT backend
- A full cleanup of the codebase!
- And hopefully other nice surprises ;)

## CLOSING NOTES

We do not care about emulation wars
It's always a tradeoff: we chose playability over accuracy (we still aim for accuracy)

We all have different problems and different solutions

Come hang out with us, chill and have fun, that's what emulation is all about!

If you don't have fun, why even work on a project that you know you won't ever be paid for?

## THANKS

PCSX2 Team:

- refraction
- kotjin
- TellowKrinkle
- LightningTerror
- arcum42
- bositman
- jackun
- And others including past members like air and cottonvibes!

Friends:

- sirocyl
- ellie

The PCSX2 Community:

- CK1
- Vaser
- RedDevilus
- pandubz

Our Users

...And everyone else I forgot!


## THANK YOUS


@GovanifY
govanify.com
gauvain@govanify.com

@PCSX2
pcsx2.net
info@pcsx2.net

