FuSa Project: Play via composite cable with FuSa!

[OldPrisoneR]

Who wants to play on TV screen? - Me, me! ^^


FuSa's official website


--------------------------
I need to change framebuffer address, width, and may be color mode right in game via my prx plugin. The function sceDisplaySetFrameBuf doesn't take any effect if I call it in my plugin, so how can I fix it?

[KickinAezz]

I need to change framebuffer address, width, and may be color mode right in game via my prx plugin. The function sceDisplaySetFrameBuf doesn't take any effect if I call it in my plugin, so how can I fix it?

You will need to "getframebuf" and do manipulation to it.

[OldPrisoneR]

I need to change framebuffer address, width, and may be color mode right in game via my prx plugin. The function sceDisplaySetFrameBuf doesn't take any effect if I call it in my plugin, so how can I fix it?

You will need to "getframebuf" and do manipulation to it.

You may be haven't understood me. sceDisplayGetFrameBuf works nice. But I need to set up the
frmbfr with another values.
In plain words I can get frmbfr but I can't manipulate it.

Code: Select all

#include <pspkernel.h>
#include <stdio.h>
#include <pspctrl.h>
#include <string.h>

PSP_MODULE_INFO&#40;"FSL", 0x1000, 1, 1&#41;;

...

int pwidth, pheight, bufferwidth, pixelformat, unk;
unsigned int* vram32;

sceDisplayGetFrameBuf&#40;&#40;void*&#41;&vram32, &bufferwidth, &pixelformat, &unk&#41;;

if &#40;&#40;pad.Buttons & PSP_CTRL_CROSS&#41; && &#40;pad.Buttons & PSP_CTRL_RIGHT&#41;&#41; 
&#123;
//sceDisplaySetFrameBuf&#40;&#40;void*&#41;0x0a000000, 768, &pixelformat, &unk&#41;; // no effect &#58;&#40;
sceDisplay_driver_63E22A26&#40;0,&#40;void*&#41;0x0a000000, 768, &pixelformat, &unk&#41;; // the same &#58;&#40;
&#125;;

...

[gauri]

if the sdk GU library routines are modeled after "official" ones, then you should expect that framebuffer pointers get stored somewhere inside userland data. see GU library for more info.

[OldPrisoneR]

So you suggest to find frmbfr pointer in user memory...
Hmm... I suppose it's not what I need

May be I called this topic not correct, so, let me explain the situation:
Let's suppose that the game has 2 buffers for ex. 0x4000000 and 0x4044000,
so 0x4088000 will be the end of last buffer

I need to make some manipulation with one which, changed, during copying it to new location, for ex. to 0x4088000, with width equal 768 and may be with another pixel format

And after I've finished copying, I must display it

[J.F.]

Remember that most programs will be calling sceDisplaySetFrameBuf() themselves on a regular basis - probably every vertical blank, or maybe every other vb. If you are trying to redirect the video elsewhere, you need to hook that function. That allows you to kill two birds with one stone. You call the original vector to set your frame buffer, and when the program running under your plugin calls your hooked function, it can record where the program is trying to set the frame buffer it's ready to display. You simply save that info for later when you're ready to copy/scale that data into your own buffer for display.

[OldPrisoneR]

J.F.,hmm... that's a good idea! I like it! But I have no experience of function hooking :P
Don't blame me :(
I'll be very grateful if somebody can give some information about hooking. I mean any sources or docs or may be just some links :)

[J.F.]

There are a number of plugins out there that hook functions, and with source. Look at pikey, for example. The control output module does function hooking on the control pad functions so that it can insert fake button presses. That should give you an example of how to hook, calling the original vector, and how the hook responds to calls.

[OldPrisoneR]

J.F., thanks for quick reply, I'll have a look at it right now

[OldPrisoneR]

I've got some question about sceDisplaySetFrameBuf.
So for ex. I have following code of eboot

Code: Select all

...
sceDisplaySetFrameBuf(vram, 512, PSP_DISPLAY_PIXEL_FORMAT_8888, 1);
while(1)
{
//main loop, in which I never call sceDisplaySetFrameBuf
some piece of code
}
...

So it's mean that I call sceDisplaySetFrameBuf only for one time, and when I try to change this eboot's frmbuffer via my prx - nothing happens, my prx still report that frmbuffer is the same :(

I also tried to suspend this eboot's thread. And then to change the frmbuffer - no luck :(

What's the problem?

Code: Select all

[J.F.]

How are you hooking sceDisplaySetFrameBuf()? That might be your problem.

[OldPrisoneR]

No, no, no. I'm not hooking it I just tried to call sceDisplaySetFrameBuf() via my prx.
I do the following:
I enter the game (see the code above), then my prx reports that frmbfr's changed.
Ok, that's mean that we are now in the main loop of eboot :)
In main loop, as I've already said, I never change the frmbfr
Now I try to change the frmbfr via my prx. Prx reports that it's trying to set the frmbfr, but frmbfr's not changed :(

So what's happening?

[J.F.]

Now I try to change the frmbfr via my prx. Prx reports that it's trying to set the frmbfr, but frmbfr's not changed :(

So what's happening?

Remember that most programs change the buffer nearly every vblank. If you simply change it once, odds are you won't even see a flicker as the other program has already changed it a dozen times since you tried to change it. You HAVE to intercept their calls to set the framebuffer or your own will probably never have any affect.

[jimparis]

their calls to set the framebuffer

if I'm understanding correctly, "their calls" do not exist, he's running his own game executable that called it once and never calls it again. Only two things running, and both are his code.

[OldPrisoneR]

Ok, now I'm trying hooking sceDisplaySetFrameBuf.
a piece of my prx code:

Code: Select all

...
//Global variable
int hookid;
...
int opsDisplaySetFrameBuf(void *  topaddr, int  bufferwidth, int  pixelformat, int  sync)
{
	u32 k1 = pspSdkSetK1(0);
	int res = callApiHook(hookid,0x0a000000, 768, pixelformat,  sync);
	myPrintf(1,1,"We are in hook");
	pspSdkSetK1(k1);
	
	return 0;
}
...
//Prx's main thread
sceKernelDelayThread(10*1000*1000); //Wait for 10 sec
hookid = apiHookByNid("sceDisplay_Service","sceDisplay",0x289D82FE,opsDisplaySetFrameBuf);
//here main loop begins...
...
int module_stop(SceSize args, void *argp)
{
	unHookApi(hookid);
	return 0;
};

Nothing happens, though prx reports "We are in hook" when we are in game.
In my eboot it reports nothing (almost nothing :p), because I set frmbfr just one time in the beginning.
May be another module or library or NID?
I don't understand where is the problem :(

Look at what moonlight wrote:

The thing can be achieved by setting the DmaLcdcBaseAddr to your memory, destroying the function to avoid it being set again, and painting the screen (copying it to the true framebuffer that you set) in each vertical sync interrupt from the framebuffer that was set by sceDisplaySetFrameBuf but that didn't arrived to sceDmaLcdcSetBaseAddr because you avoided it.

I've not found any information about DmaLcdcBaseAddr and sceDmaLcdcSetBaseAddr. Does somebody know anything about it?

[OldPrisoneR]

their calls to set the framebuffer

if I'm understanding correctly, "their calls" do not exist, he's running his own game executable that called it once and never calls it again. Only two things running, and both are his code.

Yes, you are right, in my eboot I call set frmbfr just once.

Nevertheless I still can't change frmbfr via prx, but in eboot it's very simple by calling known function :)
But via prx :( ...

[OldPrisoneR]

It seems that we can't call sceDisplaySetFrameBuf in kernel mode :(
If it's so, then everything becomes clearly - if we call sceDisplaySetFrameBuf directly or undirectly through the hook, nothing will happen.
We need to use another method.
I mean some manipulation with DmaLcdcBaseAddr, but I don't know how.
Maybe moonlight has his own "secret SDK" with sceDmaLcdcSetBaseAddr in it :)
I think so, because I've just downloaded the newest SDK and there is no word "sceDmaLcdcSetBaseAddr" in it.
If you'll try googling it'll bring you back to this topic and to another :p
So we've come to the impasse :X

[J.F.]

You should look at the way pikey calls vshCtrlReadBufferPositiveFake.

Code: Select all

int vshCtrlReadBufferPositiveFake(SceCtrlData *pad_data, int count)
{
	u32 k1 = pspSdkSetK1(0);

	int res = callApiHook(mainHookSave[0].hookid,pad_data, count);

	add_values(pad_data, res, 0);

	pspSdkSetK1(k1);
	
	return res;
}

You then look at CallApiHook() in the framework directory, in the apihook.c file.

[OldPrisoneR]

Hm... I've tested my prx again and I've discovered the following things:
Hooked sceDisplaySetFrameBuf works :) but...

In some games (which begins with playing of some video) it starts work immediately.
But in others - no, though we can see that it's trying to set it :( It starts work only after we've entered loading menu.

It's not work with Home button menu :(

If we're trying to copy frmbfr to another location odd things happen. :X

So maybe somebody know how home menu works, it goes without saying, that home menu uses another method to Set frmbfr.
I'm still thinking about sceDmaLcdcSetBaseAddr... No suggestions?
J.F., what do you think about it?

[J.F.]

I've never used the lower level LCD commands. I also don't mess much with plugins, so I'm not the best authority here on that. It does sound like you're getting close, though. If I remember correctly, there's a kernel-level sceDisplaySetFrameBuf in addition to the user-level one. The Home code may be bypassing the user one, which is why you don't catch it. I wonder if the user one calls the kernel one, so you could get by with just hooking the kernel one. You might want to check the kernel Display driver for that call. You might have to hook both.

[moonlight]

The home doesn't work because there are various scedisplay framebuffers (i think it was 4), like if they were layers, but only one of them is really active, this means only one of them is the real framebuffer (e.g. the real active lcdc baseaddr).
So yeah, the method should be hooking direcly the sceLcdcDmacSetBaseAddr import that display does from the dmacplus driver.

To use lcdc functions you just have to create a stub file using some command with prxtool using lowio.prx as input, or if you are lazy like me, use the sctrlHENFindFunction of M33 SDK to get the address of the function without needeing a stub or library.

Code could be something like this:

Code: Select all

int (* sceDmacplusLcdcSetBaseAddr)(void *addr);

int MySetBaseAddr(void *addr)
{
    // do something

    return sceDmacplusLcdcSetBaseAddr(...);
}

void maincode()
{
    	sceDmacplusLcdcSetBaseAddr = (void *)sctrlHENFindFunction("sceLowIO_Driver",  "sceDmacplus_driver", 0x29B50A82);

    u32 import_address = FindImport("sceDisplay_Service", "sceDmacplus_driver", 0x29B50A82);

    REDIRECT_FUNCTION(import_address, (u32)MySetBaseAddr);

   sceKernelDcacheWritebackAll();
   sceKernelIcacheClearAll();

}

And implementation of REDIRECT_FUNCTION and FindImport:

Code: Select all

#define J_OPCODE	0x08000000
#define NOP	0x00000000
#define REDIRECT_FUNCTION(a, f) _sw(J_OPCODE | (((u32)(f) >> 2)  & 0x03ffffff), a);  _sw(NOP, a+4);


u32 FindImport(char *prxname, char *importlib, u32 nid)
{
	SceModule2 *pMod;
	void *stubTab;
	int stubLen;

	pMod = sceKernelFindModuleByName(prxname);
	if (!pMod)
		return 0;

	pMod = sceKernelFindModuleByUID(pMod->modid);
	if(pMod != NULL)
	{
		int i = 0;

		stubTab = pMod->stub_top;
		stubLen = pMod->stub_size;
		//printf("stubTab %p - stubLen %d\n", stubTab, stubLen);
		while&#40;i < stubLen&#41;
		&#123;
			int count;
			struct PspModuleImport *pImp = &#40;struct PspModuleImport *&#41; &#40;stubTab + i&#41;;

			if&#40;pImp->name&#41;
			&#123;
				//printf&#40;"Import Library %s, attr 0x%04X\n", pImp->name, pImp->attribute&#41;;
			&#125;
			else
			&#123;
				//printf&#40;"Import Library %s, attr 0x%04X\n", "Unknown", pImp->attribute&#41;;
			&#125;

			if&#40;pImp->funcCount > 0&#41;
			&#123;
				//printf&#40;"Function Imports&#58;\n"&#41;;
				for&#40;count = 0; count < pImp->funcCount; count++&#41;
				&#123;
					//printf&#40;"Entry %-3d&#58; UID 0x%08X, Function 0x%08X\n", count+1, pImp->fnids&#91;count&#93;, &#40;u32&#41; &pImp->funcs&#91;count*2&#93;&#41;;

					if &#40;pImp->name&#41;
					&#123;
						if &#40;strcmp&#40;pImp->name, importlib&#41; == 0&#41;
						&#123;
							if &#40;pImp->fnids&#91;count&#93; == nid&#41;
							&#123;
								return &#40;u32&#41;&pImp->funcs&#91;count*2&#93;;
							&#125;
						&#125;						
					&#125;

				&#125;
			&#125;

			i += &#40;pImp->entLen * 4&#41;;
		&#125;
	&#125;
	
	return 0;

P.D: there is one problem with the code: the nids change. sctrlHENFindFunction will handle fine the old nid and convert it to the new, but this FindImport won't do it.

You may have to replace the nid of sceDmacPlusLcdcSetBaseAddr that FindImport uses by the one of the firmware you are using, in case of 3.80-3.90 is 0x86106AD9

Maybe I should add a import to systemctrl in next revision to include some function that returns the pointer of nids translation tables to solve these problems.

[OldPrisoneR]

Awesome! It's working! Now I can manipulate frmbfr address!
I've done a little test in which I always set frmbfr addr to 0x4000000, and here is what I've got:
Home menu doesn't appear! I can see that it tries to set frmbfr to 882ab500, but my hook doesn't allow this thing :p
But as we aren't hooking width and psm, it sets it and picture becomes ugly

So I suppose there are another low function which allow such things
Maybe it is sceDmacplusLcdcSetFormat? I'm not sure about parameters which it receives
Maybe (int psm,int displaywidth,int frmbfrwidth)?
And as nid's changed I'm not sure about it too :) 0x1B9DA332 ?

I've tried to hook it, but Home menu still change it :( I suppose I've made a mistake somewhere
here is my code:

Code: Select all

#include <pspkernel.h>
#include <string.h>
#include <systemctrl.h>

PSP_MODULE_INFO&#40;"FuSa", 0x1000, 1, 1&#41;;
PSP_MAIN_THREAD_ATTR&#40;0&#41;;
PSP_MAIN_THREAD_STACK_SIZE_KB&#40;0&#41;;

#define J_OPCODE   0x08000000 
#define NOP   0x00000000 
#define REDIRECT_FUNCTION&#40;a, f&#41; _sw&#40;J_OPCODE | &#40;&#40;&#40;u32&#41;&#40;f&#41; >> 2&#41;  & 0x03ffffff&#41;, a&#41;;  _sw&#40;NOP, a+4&#41;;

struct PspModuleImport
&#123;
	const char *name;
	unsigned short version;
	unsigned short attribute;
	unsigned char entLen;
	unsigned char varCount;
	unsigned short funcCount;
	u32 *fnids;
	u32 *funcs;
	u32 *vnids;
	u32 *vars;
&#125; __attribute__&#40;&#40;packed&#41;&#41;;

int &#40;* sceDmacplusLcdcSetBaseAddr&#41;&#40;void *addr&#41;;
int &#40;* sceDmacplusLcdcSetFormat&#41;&#40;int *pfrmt,int *dwidth,int *fwidth&#41;;

int MySetBaseAddr&#40;void *addr&#41; 
&#123; 
    char buf&#91;64&#93;;
    sprintf&#40;buf,"X = %p",addr&#41;;
    myPrintf&#40;1,1,buf,0xFFFFFF,0xFFFFFF&#41;;
    return sceDmacplusLcdcSetBaseAddr&#40;0x4000000&#41;; 
&#125;

int MySetFormat&#40;int pfrmt,int dwidth,int fwidth&#41; 
&#123; 
    char buf&#91;64&#93;;
    sprintf&#40;buf,"X = %d %d %d",pfrmt,dwidth,fwidth&#41;;
    myPrintf&#40;5,5,buf,0xFFFFFF,0xFFFFFF&#41;;
    return sceDmacplusLcdcSetFormat&#40;0,480,768&#41;; 
&#125;

u32 FindImport&#40;char *prxname, char *importlib, u32 nid&#41; 
&#123; 
   SceModule2 *pMod; 
   void *stubTab; 
   int stubLen; 

   pMod = sceKernelFindModuleByName&#40;prxname&#41;; 
   if &#40;!pMod&#41; 
      return 0; 

   pMod = sceKernelFindModuleByUID&#40;pMod->modid&#41;; 
   if&#40;pMod != NULL&#41; 
   &#123; 
      int i = 0; 

      stubTab = pMod->stub_top; 
      stubLen = pMod->stub_size; 

      while&#40;i < stubLen&#41; 
      &#123; 
         int count; 
         struct PspModuleImport *pImp = &#40;struct PspModuleImport *&#41; &#40;stubTab + i&#41;; 

         if&#40;pImp->funcCount > 0&#41; 
         &#123; 
            for&#40;count = 0; count < pImp->funcCount; count++&#41; 
            &#123; 

               if &#40;pImp->name&#41; 
               &#123; 
                  if &#40;strcmp&#40;pImp->name, importlib&#41; == 0&#41; 
                  &#123; 
                     if &#40;pImp->fnids&#91;count&#93; == nid&#41; 
                     &#123; 
                        return &#40;u32&#41;&pImp->funcs&#91;count*2&#93;; 
                     &#125; 
                  &#125;                   
               &#125; 

            &#125; 
         &#125; 

         i += &#40;pImp->entLen * 4&#41;; 
      &#125; 
   &#125; 
    
   return 0;
&#125;

int module_start&#40;SceSize args, void *argp&#41;
&#123;
   sceDmacplusLcdcSetBaseAddr = &#40;void *&#41;sctrlHENFindFunction&#40;"sceLowIO_Driver",  "sceDmacplus_driver", 0x86106AD9&#41;; 
   u32 import_address = FindImport&#40;"sceDisplay_Service", "sceDmacplus_driver", 0x86106AD9&#41;; 
   REDIRECT_FUNCTION&#40;import_address, &#40;u32&#41;MySetBaseAddr&#41;; 
   sceKernelDcacheWritebackAll&#40;&#41;; 
   sceKernelIcacheClearAll&#40;&#41;;
   
   sceDmacplusLcdcSetFormat = &#40;void *&#41;sctrlHENFindFunction&#40;"sceLowIO_Driver",  "sceDmacplus_driver", 0x1B9DA332&#41;; 
   u32 import_address2 = FindImport&#40;"sceDisplay_Service", "sceDmacplus_driver", 0x1B9DA332&#41;; 
   REDIRECT_FUNCTION&#40;import_address2, &#40;u32&#41;MySetFormat&#41;; 
   sceKernelDcacheWritebackAll&#40;&#41;; 
   sceKernelIcacheClearAll&#40;&#41;;
   
	return 0;
	sceKernelExitDeleteThread&#40;0&#41;;
&#125;

int module_stop&#40;SceSize args, void *argp&#41;
&#123;
	return 0;
&#125;

Question in advance:
I also tried to write directly to vram - result: game crashes :(
look at this code:

Code: Select all

int MySetBaseAddr(void *addr) 
{ 
    u32* vram = (u32*)addr;
    short x;
    for &#40;x = 0; x < 480; x++&#41; vram&#91;x&#93;=0xFFFFFFFF;
    return sceDmacplusLcdcSetBaseAddr&#40;addr&#41;; 
&#125;

What's happening?

[OldPrisoneR]

I've experimented with sceDmacplusLcdcSetFormat and what I've got:
It seems that I was right - the NID = 0x1B9DA332 :)
but parameters were wrong - (int pfrmt,int dwidth,int fwidth)
The real ones are ( int dwidth, int fwidth, int unk )
dwidth - display width (for ex. 480)
fwidth - frmbfr width (for ex. 512)
unk - ??? if 0 then no result, if 2 then we can set frmbfr's width

So what's it mean? There is another low function for setting psm?

[whazilla]

hey,

http://www.psp-programming.com/forums/i ... pic=2011.0

This is how i do vram manipulation
check the ninth post in that thread

cheers
whazilla

[OldPrisoneR]

I have completely got confused with frmbfr width and psm format :)
I've just found another function ("sceLowIO_Driver", "sceLcdc_driver", 0xbc9d4a51);
It receives the following parameters (0,480,272,0,0x8000000,1) in one of "16bit" games and (0,480,272,0,0x8000000,3) in one of "32bit".
Home screen calls with these ones (0,480,272,2,0x8000000,1)
So the sixth parameter,I suppose, is PSM format.
I tried to fix it in my hook but I failed.
Interesting thing happens when I hook it with these params (0,480,2,0,0x8000000,3)
Instead of height (272) I set 2 and BOOM, PSM changes! But home screen still changes it to his values (
I'm confused... If I only knew what functions calls home screen, everything would be more clearly
If somebody knows what they are or how to figure out them plz tell us :)

If only moonlight would be here... :)

P.S.: whazilla, your code is something good, but not useful in my situation :(
at any rate thanks for attention to my topic :)

[OldPrisoneR]

hi guys, now I want to introduce my PRX.
latest release with menu:
http://www.mediafire.com/?kcddm425zsc
1st release
http://www.mediafire.com/?djzmxjx0ga4
This is the first alpha:
http://www.mediafire.com/?yinyq3bxlt2
!!! It's not even alpha version, just proof of concept !!!
Let's take off sony's limitation together :)
And now what we've got:
This prx will allow you to play on TV via composite cable (It's for S&L :p)
It has a lot of bugs ), but works with some games )
See the readme for more info )

P.S.: If somebody want to join to this project - you are welcome :)
At any rate, try it and speak what do you think about it )

BTW I tested it with 3.80 M33-5 :) (but it must work with 3.7x too)

[J.F.]

hi guys, now I want to introduce my PRX.
http://www.mediafire.com/?djzmxjx0ga4
!!! It's not even alpha version, just proof of concept !!!
Let's take off sony's limitation together :)
And now what we've got:
This prx will allow you to play on TV via composite cable (It's for S&L :p)
It has a lot of bugs ), but works with some games )
See the readme for more info )

P.S.: If somebody want to join to this project - you are welcome :)
At any rate, try it and speak what do you think about it )

BTW I tested it with 3.80 M33-5 :) (but it must work with 3.7x too)

You might think of adding support for the component cable as well. Some folks use the component cable, but their TV only supports interlaced mode. They would have the same trouble as someone using the composite cable. If you add component interlaced, they'd be able to use this... and I could also test it. :)

[OldPrisoneR]

J.F. special for you :P
new FuSa with component interlace support, see readme for more info :)
http://www.mediafire.com/?mjy2zdmmi5f
Here is next build with SH: origins support and VRAM grabbing
http://www.mediafire.com/?sed3mzsnfxy

[J.F.]

That works! A few observations: very cool for how new this is; the display seems squished horizontally - I suppose you're just copying the 480x272 data directly into your 720x480 buffer; and finally, the buttons used to control this are confusing and interfere with the games.

You need to make a menu kinda like the M33 menu, activated with a user selectable combo... like NOTE + LTRIGGER + RTRIGGER, then have all the commands and options in the menu. Using X and O and TRI and R own their own or in two button combos means that you are doing things in the game instead of prx commands, or vice versa.

But it's a GREAT start. I was playing Daxter on my HDTV! Of course, I can do that anyway since I have one that supports progressive, but this could eventually be better than Sony's support. :) With that in mind, you might also want to eventually add progressive TV support as well.

[OldPrisoneR]

the buttons used to control this are confusing and interfere with the games.

Yeah, J.F. I know it :) It's very confusing, heh heh...
It WAS confusing... but now we have another built with MENU :)
Though I've wanted to make it some time later, Andy_maN's said that he's already coded it :) Looks nice and handy even in interlaced mode!, so what can I say... thanx dude :p
Now you can grab this built from here:
http://www.mediafire.com/?kcddm425zsc
Has somebody else tried it, except J.F.?

With that in mind, you might also want to eventually add progressive TV support as well.

Yes, I'll add pr. TV fullscreen support :)
but first of all we must solve another problems
As I've already said in readme I still don't know low functions for width and PSM adjusting ...
Guys, where are you all?