[Discussion] 60FPS patches for PSP games that run at 30FPS
10-27-2016, 02:45 PM (This post was last modified: 01-11-2017 08:25 PM by Kabuto_Kun.)
Post: #648
RE: [Discussion] 60FPS patches for PSP games that run at 30FPS
Hey, I've not been that active around here for some time but I actually have 60FPS cheats for several games that I have not posted, some cheats updates, and even some hacks/tweaks to fix some games that are normally broken/buggy in PPSSPP, so they are now fully playable. I'll try to post all these things shortly.

@Lycanphoenix:
I have tested again, in several ways, the posted cheats for WipEout Pure and Pulse: used several PPSSPP versions, booted the games with different languages, changed the PSP model option to 1000 and 2000, and compressed the ISOs to CSOs. The cheats worked every time, and I know these are clean dumps so I don't have an explanation for why they are not working for you. Check if you are using the correct cheat for your game release (Pure has 2 USA releases with different BIN files, v1 and v2, each one has cheats posted). Just to be safe, I updated the cheats with conditional codes to prevent them from being enabled in an incorrect game release, a situation that may cause the game to crash/freeze.

It's very easy to permanently patch a game ROM or ISO with a given cheat using any emulator that has a functional disassembly, and the one in PPSSPP is the best I have used. So let's make a tutorial :D

How to permanently patch a PSP game ISO/BIN file with a CW cheat using PPSSPP

This tutorial can also be used with other emulators that have a disassembly (PCSX2, Dolphin, etc.), but some steps may and will vary (like the conversion between a cheat address and a valid disassembly address, or the endianness change of cheat values).

For this specific example, I will explain how to permanently patch WipEout Pure USA-v2 with the 60 FPS cheat available, this one:
Code:
_S UCUS-98612
_G WipEout Pure [USA]
_C0 60 FPS UMDv2.00 [Always]
_L 0xE001FFFB 0x000652A8
_L 0x200652A8 0x00000000
_C0 60 FPS UMDv2.00 [Ingame only]
_L 0xE0020001 0x0028E390//ingameCond
_L 0xE001FFFB 0x000652A8
_L 0x200652A8 0x00000000
_L 0xE0020000 0x0028E390//ingameCond
_L 0xE0010000 0x000652A8
_L 0x200652A8 0x1480FFFB
_C0 30/60 FPS UMDv2.00 [Default]
_L 0xE0010000 0x000652A8
_L 0x200652A8 0x1480FFFB
You can get the latest version of this cheat (if it has been updated) HERE.

Step 1: Initial considerations.

The 0xE lines are conditional codes for CW cheats only so they are optional (we can't integrate them in the ISO), we need to use the line that actually writes the cheat: the 0x2 line (sometimes we have 0x1 or 0x0 lines, depending on the CW cheat). Remember that CW cheats use the first character as a cheat type identifier, so the real address of the cheat is 7 characters long (ignoring the 2).

But before we start this tutorial, we should know that there are 2 "types" of cheats:
1- Cheats that modify a value/game runtime data.
2- Cheats that modify game code/instructions.

With the first type, we can't follow this tutorial before doing some initial extra steps, this is because the values/data that are used for ingame calculations are not directly saved in the BIN file as is; these are initialized and, most of the time, dynamically changed by game code/instructions while the game is running. If the cheat you want to permanently patch is type 1, start in step 2; if it is a type 2 cheat, go to step 3.

With the cheats disabled, boot the game, pause the emulator, click Debug and then click Disassembly... You will see a window like the one below.

[Image: YbRzYdDm.png]

Step 2: Getting the instruction/s.

To get a valid PPSSPP disassembly address from a CW cheat, we add 08800000 to the cheat address using a hex calculator: 00652A8 + 08800000 = 088652A8 (disassembly address).

We have to use the disassembly to identify which instruction/s write this value (yeah, there can be more than one); if you have the address of the value (like a working CW cheat) you can set a write breakpoint on it using the disassembly, reboot the game with it enabled and take note of every instruction that stops the game execution to write values to it while you play the game.

For example, if you are trying to patch an infinite health CW cheat to your game, every time your player gets damaged, the write breakpoint you enabled will stop the execution of the game and show you in the disassembly the exact instruction/line that writes that value; in a case like this, you can replace that line with a NOP (0x00000000 in HEX) to prevent the health value from being overwritten.

Once you have found the needed instruction/s, you will use them for the next steps.

Step 3: Finding the search pattern.

In this case for WipEout Pure USA-v2, I was the user that posted this cheat and I know that it is a type 2 cheat (code/instruction). The default (original game value) hex code 0x1480FFFB from the cheat is the instruction "bne a0,zero,0x08865298" in this game.

Write or paste the disassembly address we calculated above (088652A8) in the Go to textbox and press your Enter key. The highlighted instruction in the colored box is the one affected by the cheat; right click it and click Go to in Memory View. The cursor will be located in the memory view box, and the first highlighted byte you see is the first one of the 4 bytes that this instruction has (in modern consoles, like the PSP, every instruction is 4 bytes/8 characters long).

As you may have noticed (see picture above), in the memory view box we see FBFF8014, which actually is our already known default CW cheat value 1480FFFB inverted in pairs (endianness changed). We must keep/copy this found inverted value and also a couple of extra bytes (doesn't matter how many, but around 12 bytes/24 characters in total should be enough) so we can hex search this pattern in the next step. The hex pattern I copied from the memory view and that we will use in this example is FBFF8014259060021B000010.

Step 4: Patching the game BIN/ISO.

Now we will hex search (not the same as a text search) this pattern using a hex editor within a decrypted BOOT.BIN/EBOOT.BIN file, or even inside the game ISO if we are totally sure that the BIN files inside are already decrypted. AFAIK when you boot a PSP game, it first tries to load the encrypted EBOOT.BIN, even when the BOOT.BIN file (a decrypted copy) is present (however, sometimes this file is just a dummy or it is zero filled).

*Note 1: To avoid problems in the patching process, I recommend enabling the option Dump encrypted EBOOT.BIN on game boot in PPSSPP Developer tools settings, then boot the game, go to PPSSPP-FOLDER\memstick\PSP\SYSTEM\DUMP and use the newly created UCUS98612.BIN (named with the game ID from WipEout Pure USA, the actual example) to replace the BOOT.BIN file (leaving this name) from inside the ISO and relink the file EBOOT.BIN to it (UMDGen is useful for this), so both files point to the same decrypted BIN file.

As a hex editor I use HxD (it's free); load the decrypted file (UCUS98612.BIN) on it and hex search the hex pattern we decided before: FBFF8014259060021B000010. You should get a match (see picture below).

[Image: VMdSrKlm.png]

In this case, the shown file UCUS98612.BIN is a clean decrypted BOOT.BIN from WipEout Pure USA-v2, with a size of 3,795,981 bytes and an MD5 of 76FBD47B2DF2EBBFD0C57C11DC1215E6. The match was found at offset 0x61328 within this BIN file (not inside the ISO). We used a large pattern to avoid false positives in the hex search, and you can visually check that the values around the memory view box in PPSSPP and the values around the match in the BIN file are all the same, so here we are sure that we got the correct result. Remember that according to the CW cheat we have, we must only change the default value 1480FFFB (30FPS) to 00000000 (60FPS, replacing the BNE instruction with a NOP).

Using the hex editor, replace (do NOT add!) the found hex match FBFF8014 with 00000000. Remember that this new value must be reversed from the CW cheat in the same way as the default value already is, but in this case we don't have to reverse all the 0 because it will be the same value anyway ;)

Now save the edit in the hex editor. If you only edited the BIN file, then rebuild the game ISO using the new BIN file (read Note 1 from above). If you directly edited the game ISO, then just boot the game and check the results.

That's all, the process is easy and not that long in practice, but I tried to give all the details I could. I always update this kind of tutorial so please do not quote this whole post. If you need help or more details, just ask.

goo.gl/kNOhTz : 60FPS master list, Mar. 2017 ; Reddit /u/Kabuto_Kun
forums.ppsspp.org/showthread.php?tid=4799&pid=105128#pid105128 : Unlock FPS in PSP games ("easy method")
forums.ppsspp.org/showthread.php?tid=4799&pid=123500#pid123500 : Permanently patch a PSP game with CW cheats.
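
The address conversion, endianness swap and in-place replacement from the tutorial above, as an added Python example that is not part of the original post. The function names are hypothetical and SAMPLE_BIN is a constructed buffer standing in for a decrypted BIN; only the cheat lines, the 0x08800000 offset and the hex pattern come from the post.

```python
import struct

PSP_USER_BASE = 0x08800000  # value the post adds to a CW cheat address

def parse_cw_line(line):
    """Return (code_type, disassembly_address, value) for one '_L' line."""
    fields = line.split("//")[0].split()   # drop trailing //comment
    if len(fields) != 3 or fields[0] != "_L":
        raise ValueError("not a CW cheat _L line: %r" % line)
    word, value = int(fields[1], 16), int(fields[2], 16)
    code_type = word >> 28                 # first hex digit is the cheat type
    address = (word & 0x0FFFFFFF) + PSP_USER_BASE
    return code_type, address, value

def le32(value):
    """32-bit value as it is laid out in the memory view and the BIN file."""
    return struct.pack("<I", value)

def patch_unique(image, pattern, old_value, new_value):
    """Overwrite old_value with new_value at the single match of pattern."""
    old, new = le32(old_value), le32(new_value)
    if not pattern.startswith(old):
        raise ValueError("pattern must begin with the original instruction")
    offset = image.find(pattern)
    if offset < 0:
        raise ValueError("pattern not found (encrypted or different release?)")
    if image.find(pattern, offset + 1) >= 0:
        raise ValueError("pattern matches more than once; use a longer one")
    patched = bytearray(image)
    patched[offset:offset + 4] = new       # replace in place, never insert
    return offset, bytes(patched)

# Constructed stand-in for a decrypted BIN: filler around the post's pattern.
PATTERN = bytes.fromhex("FBFF8014259060021B000010")
SAMPLE_BIN = bytes(range(64)) + PATTERN + bytes(32)

def demo():
    ctype, addr, new_value = parse_cw_line("_L 0x200652A8 0x00000000")
    _, _, old_value = parse_cw_line("_L 0x200652A8 0x1480FFFB")
    offset, patched = patch_unique(SAMPLE_BIN, PATTERN, old_value, new_value)
    return ctype, addr, offset, patched

if __name__ == "__main__":
    ctype, addr, offset, patched = demo()
    print(ctype, hex(addr), hex(offset), len(patched) == len(SAMPLE_BIN))
```

The uniqueness check mirrors the post's reason for copying about 12 bytes: a 4-byte instruction alone can occur many times in a BIN, and patching the wrong occurrence changes unrelated code.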