War of the Lions

Archaemic's Notes

Assorted notes taken by User:Archaemic when investigating slowdown and the graphics engine. See also the git repo

SYSDIR/BOOT.BIN

Add 0x8803fac for offsets in memory

• 0x00000054: .text (mapped to 0x08804000 in RAM, entry at 0x08814b00)
• 0x002479a8: .rodata.sceNid (mapped to 0x08a4b954 in RAM)
• 0x0015fe14: .data (mapped to 0x08a4c11c in RAM)
• 0x0026f930: Dimensions of battle screen
• 0x002793cc: Dimensions of world map when returning from chronicle screen
• 0x0027a1d4: Dimensions of world map when returning from tutorial screen

See also: War of the Lions/BOOT.BIN

Set dimensions to 00 00 00 00 e0 01 10 01 46 00 10 00 e0 01 10 01 to disable stretch and center screen

USRDIR/fftpack.bin

• ASM block at 0x00009a30 - 0x00021604
• ASM block at 0x00039448 - 0x0003d458
• ASM block at 0x0004f8a4 - 0x00054948
• ASM block at 0x0005dbc0 - 0x00089438
• ASM block at 0x000dca4c (?) - 0x000eb28c
• ASM block at 0x001223f8 - 0x00141e1c
• ASM block at 0x00167b3c - 0x00182ca0
• ASM block at 0x0018761c - 0x001a8058
• ASM block at 0x001b2800 - 0x001b6c5c
• ASM block at 0x001c001c - 0x001cc278
• ASM block at 0x001df000 - 0x001e05d4
• ASM block at 0x001f1004 - 0x001f6ffc
• ASM block at 0x00209004 - 0x00213f98
• ASM block at 0x00228800 - 0x0022ea40
• ASM block at 0x00238818 - 0x00249858
• ASM block at 0x00263170 - 0x0026cfb8
• ASM block at 0x0027e204 - 0x0028d880

• SLPS-00770 system.cnf: 0x00008000 (not mapped)
• SLPS-00770 PS-X EXE: 0x00008800 (not mapped)
• psx_main thread entry: 0x002633d8 (mapped to 0x089efcc0)

In memory

Syscall table (.sce.stubText): 0x08a4af14 - 0x08a4b4e8

Near $gp:

/* Final screen texture x */
unsigned short textureX; // 0x8bae180

/* Final screen texture y */
unsigned short textureY; // 0x8bae182

/* Final screen texture width */
unsigned short textureWidth; // 0x8bae184

/* Final screen texture height */
unsigned short textureHeight; // 0x8bae186

/* Final screen polygon x */
unsigned short polyX; // 0x8bae188

/* Final screen polygon y */
unsigned short polyY; // 0x8bae18a

/* Final screen polygon width */
unsigned short polyWidth; // 0x8bae18c

/* Final screen polygon height */
unsigned short polyHeight; // 0x8bae18e

Map of .bss:
...
// 0x8baf764 : numeric or logical
...
// 0x8baf76c : size is 0x72 + 0xFC * 5
struct WotlDrawContext {
	// 0x8baf76c : numeric or logical (can be -1)

	// 0x8baf770 : numeric or logical
	...
	/* -1 to 4, index of active WotlGeContext */
	int activeIndex; // 0x8baf778

	// 0x8baf77c : tested against 1, but also used as a pointer; same type as 0x8baf7b8
	...
	/* Queue ID from sceGeListEnQueue, set in func_88047bc */
	int qid0; // 0x8baf784

	/* Queue ID from sceGeListEnQueue, set in func_8804d30 */
	int qid1; // 0x8baf788

	/* Callback ID for sceGeListEnQueue */
	int cbid; // 0x8baf78c

	/* Framebuffer pixel store mode */
	int fbPsm; // 0x8baf790

	/* Framebuffer width */
	int fbWidth; // 0x8baf794

	/* Pointer to framebuffer */
	void* framebuffer; // 0x8baf798;
	...
	/* Viewport width */
	int vpWidth; // 0x8baf7a8

	/* Viewport height */
	int vpHeight; // 0x8baf7ac

	// 0x8baf7b0 : int

	WotlGeContext* activeGeContext; // 0x8baf7b4

	// 0x8baf7b8 : size is 0xFC * 5
	struct WotlGeContext {
		// 0x8baf7b8 : numeric (?)

		/* Pointer to the GE list */
		void* list; // 0x8baf7bc

		/* Pointer to the GE stall list */
		void* stall; // 0x8baf7c0

		/* Size of the GE list */
		int size; 0x8baf7c4

		/* Index into the following array */
		int index; // 0x8baf7c8
		...
		// 0x8baf7cc : array of pointer
		...
		/* Framebuffer pixel store mode */
		int fbPsm; // 0x8baf850
		...
		/* Viewport width */
		int vpWidth; // 0x8baf858

		/* Viewport height */
		int vpHeight; // 0x8baf85c
		...
		// 0x8baf8b0 : -1 to 4?
	} geContext[5];
}

• psx_main thread entry: 0x089efcc0
• global pointer: 0x08bb3ea0
• GE instruction lists:
• 0x90f2c80 - 0x90f3c80: copy screen buffer
• 0x90f3c80 - 0x9173c80: redraw scene

ACTIONS

To disable stretch:

pokeh 0x08bae18a 16
pokeh 0x08bae188 70
pokeh 0x08bae186 0x110
pokeh 0x08bae184 0x1e0

ARCHITECTURE

There are two GE lists. One is at 0x90f2c80. This list stays mostly static and is used for copying the screen buffer onto the screen. The second is at 0x90f3c80, and contains all of the instructions used for redrawing the screen. Note that pointers into the information referenced within the instructions (like the vertex buffers) point to addresses within the lists. These are skipped using JUMPs.

The GE lists are rewritten in their entireties every frame. Note that nuances may change between frames, like vertex locations. I am still investigating where this gets rewritten.

There are 3 signals used for GE calls:

• 1192: Redrawing the back buffer (scene)
• 1919: Copying the back buffer to the main screen
• 2005: Unknown

There are 5 GE contexts (WotlGeContext). Each of them corresponds to a different operation:

• 0: Drawing the back buffer onto the current frame
• 1: ???
• 2: Drawing the current scene
• 3: ???
• 4: ???

MISCELLANEOUS

The PSP (MIPS32R2 Allegrex) calling convention seems to dictate that args that don't fit into $a* go into $t*. Beware!

Evidence in the function at 0x88350c0 suggests that the game is still using the PS1's graphics protocol, emulated onto the PSP. Yikes.

I found some dead code that seems to access 0x1f80xxxx, which are related to the PS1's scratchpad, but none of these accesses are ever actually made. No references to PS1's GPU registers appear to be made.

Code that writes to the stall list seems to start at 0x880513c and continue until perhaps 0x8806cd8. These are probably the guts of the graphics routines. Look for lui *, 0x8bb followed by lw *, -2124(*).

The slowdown is directly affected by the return value of the function at 0x882b800. The number of frames to slow down appears to be related to the value stored at 0x9275224. The slowdown is set in the function at 0x8a0ef00, and is related to the value at 0x9275218, which itself is set in 0x887b400 and 0x8875a00.

GLOSSARY

GE: Presumably stands for "graphics engine". It's the graphics API on the PSP, and works by sending a list of assembled instructions in the GE's native format to the GPU all at once. There is no high-level abstraction of the instructions used in War of the Lions: they assemble the instructions by hand.

GE list: A list of instructions that are to be fed to the PSP's GPU. The instructions themselves are 4 bytes per instruction and documentation of the instructions can be found in the PSPSDK at src/gu/doc/commands.txt.

NID: An identifier that maps to a kernel system call on the PSP. Instead of using a straightforward constant syscall table like a sane operating system like Linux, they use NIDs to refer to syscalls, and then syscall table is loaded into the .sceStub.text section.

stall address: The address at which a GE list will stop executing until another list is enqueued or the stall address is updated to be further into the list.

SCRATCH

These are miscellaneous notes for what I'm working on at the moment

There is a large struct (at least 108 bytes) that starts at 0x974ba80

Unstretch queue (calls to 0x8a08b80):

• [x] 0x88d84a4 (new game prologue screen)
• [-] 0x88d8308 (video cutscene, not stretched?)
• [x] 0x887503c (battle map)
• [?] 0x89aa3b4 (save screen)
• [ ] 0x89aa938 (???)
• [ ] 0x8a0b14c (pre-character info screen?, pre-world map?)
• [x] 0x897f800 (character info screen)
• [ ] 0x897ff80 (post-character info screen?)
• [x] 0x8a0ab38 (data screen)
• [ ] 0x88f806c (pre-world map?)
• [x] 0x88f7ed8 (world map)
• [ ] 0x8882ccc (after death before title screen?)
• [ ] 0x88826e0 (title screen?)
• [x] 0x88e3368 (return from chronicle screen)
• [x] 0x890d61c (return from tutorial screen)
• [ ] 0x88f7f60 (tavern)
• [x] 0x8971c04 (outfitter)

RE queue:

• 0x887b400, 0x8875a00 (sets slowdown, gigantic!)

-- Line of no real value --

• 0x882bb40 (sets a function that's called by 0x882b800)
• 0x882c1e0 (calls 0x882d600)
• 0x882d600 (called every frame, write a decompiler!)
• 0x8835798, 0x882eab0, 0x882e880, 0x883165c
• 0x8805518, 0x8805690, 0x8849540 (inserts JUMPs)
• 0x8804f78, 0x8807db0 (might have something to do with initializing the GE contexts)
• 0x882c280 (might be what executes PS1 instructions)
• 0x8835f00 (GE signal handler)
• 0x8835f80 (install GE signal handler)
• 0x8a08d80, 0x8a08cc0 (used for storing dimensions)
• 0x8a0aac0, 0x88d8180
• 0x88358c0, 0x88054c8
• 0x89e8fc0, 0x89d7180
• 0x8874f80 (battle map loading?)
• 0x8874740, 0x88d6700, 0x88dbc40, 0x88e3140, 0x88f1040, 0x88f1980, 0x88f7e40, 0x88fa380, 0x890d440, 0x891f280, 0x893d340, 0x893e740, 0x893f640, 0x8946540

Use constants, especially for GE instructions!

Slowdown information/offsets

The slowdown is caused by three values in the executable that dictate how long the game should wait between frames. The reason this is incorrect in the game is unknown, but they can be fixed by patching these offsets into /PSP_GAME/SYSDIR/BOOT.BIN:

• 0x20afd4 should be changed to 02
• 0x20afe4 should be changed to 03
• 0x20aff0 should be changed to 02

You must then replace /PSP_GAME/SYSDIR/EBOOT.BIN with the modified BOOT.BIN, or else the ISO loader will try to run the unmodified EBOOT.BIN.