├── .gitignore ├── guides └── ppsspp │ ├── creating-cheats-with-ppsspp │ ├── assets │ │ ├── cheat-engine-memmapped.png │ │ ├── ppsspp-breakpoint-hit.png │ │ ├── ps2dis-load-memory-dump.png │ │ ├── cheat-engine-open-process.png │ │ ├── ppsspp-dumping-user-memory.png │ │ ├── ppsspp-setting-a-breakpoint.png │ │ ├── ppsspp-rewriting-the-game-logic.png │ │ ├── ppsspp-determine-user-memory-offset.png │ │ ├── cheat-engine-determine-cheat-address.png │ │ └── cheat-engine-determine-user-memory-offset.png │ └── creating-cheats-with-ppsspp.md │ └── introduction.md ├── README.md ├── cheat-devices ├── mkultra.md ├── nitepr.md ├── tempar.md ├── pspar.md └── cwcheat.md └── other └── button-activators.md /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/cheat-engine-memmapped.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/cheat-engine-memmapped.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-breakpoint-hit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-breakpoint-hit.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/ps2dis-load-memory-dump.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/ps2dis-load-memory-dump.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/cheat-engine-open-process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/cheat-engine-open-process.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-dumping-user-memory.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-dumping-user-memory.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-setting-a-breakpoint.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-setting-a-breakpoint.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-rewriting-the-game-logic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-rewriting-the-game-logic.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-determine-user-memory-offset.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/ppsspp-determine-user-memory-offset.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/cheat-engine-determine-cheat-address.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/cheat-engine-determine-cheat-address.png -------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/assets/cheat-engine-determine-user-memory-offset.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raing3/psp-cheat-documentation/HEAD/guides/ppsspp/creating-cheats-with-ppsspp/assets/cheat-engine-determine-user-memory-offset.png -------------------------------------------------------------------------------- /guides/ppsspp/introduction.md: -------------------------------------------------------------------------------- 1 | ## Introduction 2 | 3 | PPSSPP is a multi-platform opensource PSP emulator by Henrik Rydgård. 4 | 5 | The emulator has a fully functional debugger and is compatible with CWCheat format codes. 6 | 7 | ## Guides 8 | 9 | * [Creating Cheats with PPSSPP](creating-cheats-with-ppsspp/creating-cheats-with-ppsspp.md) 10 | 11 | ## Useful Links 12 | 13 | * [Project Home Page](https://www.ppsspp.org/) 14 | * [Github Page](https://www.github.com/hrydgard/ppsspp) 15 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## PSP cheat documentation 2 | 3 | ### Cheat devices 4 | 5 | * [CWCheat](cheat-devices/cwcheat.md) 6 | * [MKUltra](cheat-devices/mkultra.md) 7 | * [NitePR](cheat-devices/nitepr.md) 8 | * [PSP Action Replay (PSPAR)](cheat-devices/pspar.md) 9 | * [TempAR](cheat-devices/tempar.md) 10 | 11 | ### Other 12 | 13 | * [Button activators](other/button-activators.md) 14 | 15 | ### Guides 16 | 17 | #### PPSSPP 18 | 19 | * [Introduction](guides/ppsspp/introduction.md) 20 | * [Creating Cheats with PPSSPP](guides/ppsspp/creating-cheats-with-ppsspp/creating-cheats-with-ppsspp.md) 21 | -------------------------------------------------------------------------------- /cheat-devices/mkultra.md: -------------------------------------------------------------------------------- 1 | ## MKUltra 2 | 3 | ### Description 4 | 5 | MKUltra by RedHate is a mod of NitePR which features a number of changes including register highlighting for the 6 | disassembler, POPS support, improved copier, configurable colours, support for more MIPS opcodes and an additional 7 | code type. 8 | 9 | ### Code types 10 | 11 | Supports the same code types as [NitePR](nitepr.md) in addition to the below. 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 25 | 26 | 27 |
TypeDescription
Button Press Code Types
21 | Type 0xFF
22 | Button Press
23 | FFYYYYYY 0XXXXXXX 24 | 		Checks if YYYYYY == (value at [XXXXXXX]) & YYYYYY.
If not, the code(s) following this one are not executed.
28 | -------------------------------------------------------------------------------- /cheat-devices/nitepr.md: -------------------------------------------------------------------------------- 1 | ## NitePR 2 | 3 | ### Description 4 | 5 | NitePR by SANiK is widely known for its online cheating capabilities and open source license. NitePR supports a 6 | very limited set of code types. 7 | 8 | ### Code types 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 21 | 22 | 23 | 24 | 28 | 29 | 30 | 31 | 35 | 36 | 37 | 38 | 39 | 44 | 45 | 46 |
TypeDescription
Constant RAM Writes
18 | 32-bit
19 | 0XXXXXXX YYYYYYYY 20 | 		Writes word YYYYYYYY to [XXXXXXX+offset].
25 | 16-bit
26 | 0XXXXXXX YYYY 27 | 		Writes halfword YYYY to [XXXXXXX+offset].
32 | 8-bit
33 | 0XXXXXXX YY 34 | 		Writes byte YY to [XXXXXXX+offset].
Pointer Code Types
40 | Type 0xFFFFFFFF
41 | Load Offset
42 | FFFFFFFF 0XXXXXXX 43 | 		Loads the 32-bit value into the offset.
offset = word at [XXXXXXX].
47 | -------------------------------------------------------------------------------- /other/button-activators.md: -------------------------------------------------------------------------------- 1 | ## Button activators 2 | 3 | ### Description 4 | 5 | The PSP offers various `sceCtrl*` functions for reading the state of the buttons. These functions provide the button 6 | state as a single integer bit mask. 7 | 8 | Depending on the cheat device being used the following options may be available for reading the button state: 9 | 10 | * Use a code type (or similar) specifically provided by the cheat device to read button state. 11 | * Identify the memory address where the game writes button state to and use the condition types or assembly to 12 | toggle the cheat. 13 | 14 | ### Button bit flags 15 | 16 | The following table shows the possible values of the controller button data. Note that the kernel mode flags will 17 | **NOT** be available when using button data that has been read by the game. 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 |
ButtonCode
User mode flags
PSP_CTRL_SELECT0x00000001
PSP_CTRL_START0x00000008
PSP_CTRL_UP0x00000010
PSP_CTRL_RIGHT0x00000020
PSP_CTRL_DOWN0x00000040
PSP_CTRL_LEFT0x00000080
PSP_CTRL_LTRIGGER0x00000100
PSP_CTRL_RTRIGGER0x00000200
PSP_CTRL_TRIANGLE0x00001000
PSP_CTRL_CIRCLE0x00002000
PSP_CTRL_CROSS0x00004000
PSP_CTRL_SQUARE0x00008000
Kernel mode flags
PSP_CTRL_HOME0x00010000
PSP_CTRL_HOLD0x00020000
PSP_CTRL_NOTE0x00800000
PSP_CTRL_SCREEN0x00400000
PSP_CTRL_VOLUP0x00100000
PSP_CTRL_VOLDOWN0x00200000
PSP_CTRL_WLAN_UP0x00040000
PSP_CTRL_REMOTE0x00080000
PSP_CTRL_DISC0x01000000
PSP_CTRL_MS0x02000000
-------------------------------------------------------------------------------- /cheat-devices/tempar.md: -------------------------------------------------------------------------------- 1 | ## TempAR 2 | 3 | ### Description 4 | 5 | TempAR by raing3 is a mod of NitePR which was updated to support PSPAR and CWCheat code types as well as additional 6 | code types inspired by NitroHax for the DS. 7 | 8 | ### Code types 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 38 | 39 | 40 | 41 | 46 | 47 | 48 | 49 | 50 | 55 | 56 | 57 | 58 | 63 | 64 | 65 | 66 | 71 | 72 | 73 | 74 | 79 | 80 | 81 | 82 | 83 | 88 | 89 | 90 | 91 | 92 | 99 | 100 | 101 | 102 | 107 | 108 | 109 | 110 | 115 | 116 | 117 |
TypeDescription
Conditional 32-bit Code Types
18 | Type 0x03
19 | Greater Than
20 | 3XXXXXXX YYYYYYYY 21 | 		Same as PSPAR engine except if lowest bit of address is set the offset is added to the address.
26 | Type 0x04
27 | Less Than
28 | 4XXXXXXX YYYYYYYY 29 | 		Same as PSPAR engine except if lowest bit of address is set the offset is added to the address.
34 | Type 0x05
35 | Equal To
36 | 5XXXXXXX YYYYYYYY 37 | 		Same as PSPAR engine except if lowest bit of address is set the offset is added to the address.
42 | Type 0x06
43 | Not Equal To
44 | 6XXXXXXX YYYYYYYY 45 | 		Same as PSPAR engine except if lowest bit of address is set the offset is added to the address.
Conditional 16-bit + Masking Code Types
51 | Type 0x07
52 | Greater Than
53 | 7XXXXXXX ZZZZYYYY 54 | 		Same as PSPAR engine except if lowest bit of address is set the offset is added to the address.
59 | Type 0x08
60 | Less Than
61 | 8XXXXXXX ZZZZYYYY 62 | 		Same as PSPAR engine except if lowest bit of address is set the offset is added to the address.
67 | Type 0x09
68 | Equal To
69 | 9XXXXXXX ZZZZYYYY 70 | 		Same as PSPAR engine except if lowest bit of address is set the offset is added to the address.
75 | Type 0x0A
76 | Not Equal To
77 | AXXXXXXX ZZZZYYYY 78 | 		Same as PSPAR engine except if lowest bit of address is set the offset is added to the address.
Data Register Codes
84 | Type 0xD4
85 | Dx Data Operation
86 | D400000Y XXXXXXXX 87 | 		Sets the 'Dx data register' to Data = ? XXXXXXXX where ? is determined by Y as follows:
0 - add
1 - or
2 - and
3 - xor
4 - logical shift left
5 - logical shift right
6 - rotate right
7 - arithmetic shift right
8 - multiply
Miscellaneous Codes
93 | Type 0xC1
94 | Call Function with Arguments
95 | C100000Y XXXXXXXX
96 | AAAAAAAA BBBBBBBB
97 | CCCCCCCC DDDDDDDD 98 | 		Performs a jal to the function at XXXXXXXX. The number of arguments to pass to the function is specified by Y.
a0 = 0xAAAAAAAA
a1 = 0xBBBBBBBB
a2 = 0xCCCCCCCC
a3 = 0xDDDDDDDD.
103 | Type 0xC2
104 | Run Code From Cheat List
105 | C2000000 XXXXXXXX 106 | 		Performs a jal to the function directly after the 0xC2 code line. The length of function is specified by XXXXXXXX.
111 | Type 0xC5
112 | Counter
113 | C5000000 ZZZZYYYY 114 | 		Checks if YYYY == (not ZZZZ < cheat apply count).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
118 | 119 | ### Fake addresses 120 | 121 | Fake address are used to return system information which either can't be accessed from memory or does not have a 122 | static address. These are intended to simplify the process of cheat creation / conversion from other cheat devices. 123 | 124 | Presently these addresses can only be accessed using the exact address listed 125 | (ie. no 8/16-bit retrieval of the upper return bits). 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 |
AddressReturn Value
0x0A000000Pressed buttons. See button activators for possible values.
0x0A000004X-axis of analog nub.
0x0A000008Y-axis of analog nub.
-------------------------------------------------------------------------------- /guides/ppsspp/creating-cheats-with-ppsspp/creating-cheats-with-ppsspp.md: -------------------------------------------------------------------------------- 1 | ## Requirements 2 | 3 | * PPSSPP: https://www.ppsspp.org/downloads.html 4 | * Cheat Engine: http://www.cheatengine.org/downloads.php 5 | * ps2dis: http://www.codemasters-project.net/portal-english/apportal/download.php?view.23 6 | 7 | ## Limitations 8 | 9 | PPSSPP is an emulator and does not perfectly emulate games. 10 | 11 | This can lead to cases where memory may be mapped to a different address in the emulator vs. where it would be mapped to on a physical PSP. The address may also shift over time with new releases of the emulator. 12 | 13 | This issue is limited to 14 | 15 | ## Assumptions 16 | 17 | This guide assumes the following knowledge: 18 | * An understanding of common cheat related terms. 19 | * How to use search tools to find the address of a value you want to modify. 20 | * An understanding of the basic MIPS instructions. 21 | 22 | ## Steps 23 | 24 | ### 1. Launch the game 25 | 1. Launch PPSSPP and open the game you want to make cheats for. 26 | 27 | ### 2. Attaching Cheat Engine to PPSSPP 28 | 1. Launch Cheat Engine. 29 | 2. Click the open process button. 30 | 3. Select the PPSSPP process from the list. 31 | 4. Click the "Open" button. 32 | 5. Ensure the "MEM_MAPPED" setting is enabled in the settings. 33 | 34 | ![Open Process](assets/cheat-engine-open-process.png) 35 | 36 | ![MEM_MAPPED Setting](assets/cheat-engine-memmapped.png) 37 | 38 | ### 3. Determining the PSP user memory offset 39 | 1. Open the PPSSPP Memory Viewer (Debug > Memory Viewer). 40 | 2. Navigate to the start of user memory by double clicking on the "0x08800000 (User Memory)". 41 | 3. Set the first 4 bytes of the user memory to something you can easily search for in PPSSPP. 42 | 4. Search for the value in Cheat Engine. 43 | 5. Repeat the above 2 steps until you are able to filter the address down to a single result in Cheat Engine the address of this result is where the user memory starts. 44 | 45 | ![PPSSPP Determine User Memory Offset](assets/ppsspp-determine-user-memory-offset.png) 46 | 47 | ![Cheat Engine Determine User Memory Offset](assets/cheat-engine-determine-user-memory-offset.png) 48 | 49 | In the above example the user memory starts at 0x01540000 in the process memory. 50 | 51 | ### 4. Use Cheat Engine to find the address of the variable you want to modify 52 | 1. Set the memory scan start address to the address where the user memory starts. 53 | 2. Use the search options in Cheat Engine to find a list of potential addresses. Try to reduce the search results to as small a number as possible. 54 | 3. Determine the address in user memory where the value is located by subtracting the offset where user memory starts in the PC process and then adding 0x08800000. 55 | 4. Filter down any remaining results by changing the value in PPSSPP using the memory viewer mentioned above and determining to see which address is the source of truth. 56 | 57 | ![PPSSPP Determine User Memory Offset](assets/ppsspp-determine-user-memory-offset.png) 58 | 59 | In the above example the search results have been filtered to 2 possible addresses. The user memory starts at offset 0x01540000 in the process memory. This gives the following 2 potential PSP memory addresses for the variable: 60 | 61 | * 0x08B4A8D0 (= 0x1574A8D0 - 0x15400000 + 0x08800000) ** this address is the source of truth in this case. 62 | * 0x0960237C (= 0x1620237C - 0x15400000 + 0x08800000) 63 | 64 | ### 5. Use the disassembly tool to determine what code changes the value. 65 | 66 | Because the offsets of data addresses may not be consistent across emulator versions and physical hardware it makes our job a little harder. 67 | 68 | Rather than using the cheat engine to set the value direct it the compatibility of the cheat can be increased by instead rewriting the logic of the game. 69 | 70 | For example, when making an infinite health cheat there are a couple of ways to accomplish this: 71 | * Jump to a subroutine created by the cheat when the value is read from (in this case we would set a read breakpoint). Typically 0x08802000 is unused by games and is safe for writing custom logic to. 72 | * No-op the logic responsible for decreasing the health value (in this case we would set a write breakpoint). 73 | 74 | 1. Open the PPSSPP Disassembler (Debug > Disassembly...). 75 | 2. Click the "Breakpoint" button, enter the address of the value found in step 4 and configure the conditions under which the breakpoint should be triggered. 76 | 3. Play the game to trigger the condition for the breakpoint to be hit. The game will often read/write to an address in a number of different functions. To avoid the breakpoint being hit in unwanted cases it may be necessary to continue past these using the debugger (by clicking the "Go" button) or nop out/change the address these functions similar to what is described below. 77 | 78 | ![PPSSPP Setting a Breakpoint](assets/ppsspp-setting-a-breakpoint.png) 79 | 80 | ![PPSSPP Breakpoint Hit](assets/ppsspp-breakpoint-hit.png) 81 | 82 | The above screenshots show a write breakpoint being set and how the debugger looks when it is hit. 83 | 84 | In the example above a write breakpoint has been set and the instruction at 0x0883F114 is responsible for writing to that address. From the logic around that area the following can be observed: 85 | * The value stored in the a0 register is writen to the address we set our breakpoint to. 86 | * The value in the a0 register is loaded from the same address it is written to and then incremented by the value in the s3 register being being stored. 87 | * In our case the value in the s3 register is set to 1 at 0x0883F0B0. 88 | 89 | The following step will be looking at rewriting the logic which sets this value. 90 | 91 | ### 6. Re-writing the games logic 92 | 93 | This is where things get quite tedious. The memory editor of PPSSPP is very restrictive and doesn't offer a method of converting a MIPS instruction to its hexadecimal representation. Fortunately ps2dis can be used to work around this limitation but adds additional steps to the process. 94 | 95 | 1. Create a memory dump of the user memory by opening the memory viewer once again. Right click on the hex view and click the "Dump..." menu item. In this case a memory dump of any other game will do, or even a file full of nothing. This file is just needed so that we have something to load into ps2dis. 96 | 2. Open ps2dis and load your memory dump. Enter "08800000" in the "Address From" text box when prompted. 97 | 3. Navigate to an empty space of the file. There is often a sufficient empty space around "0x08802000" which is perfect for injecting your subroutines. 98 | 4. Start writing the instructions you want to inject into the game. You can edit the value of an address by double clicking on it. 99 | 100 | ![PPSSPP Dumping User Memory](assets/ppsspp-dumping-user-memory.png) 101 | 102 | ![ps2dis Load Memory Dump](assets/ps2dis-load-memory-dump.png) 103 | 104 | The above example shows that the instruction "addiu s3, zero, $0064" translates to a value of 0x24130064. This value will be injected into the game in the next step to influence the final value of the a0 register. Rather than incrementing by 1 each time the breakpoint is hit the register will instead be increased by 100 (0x64). 105 | 106 | ### 7. Injecting your new logic 107 | 108 | Again, because the memory editing capabilities of PPSSPP are quite limited this step can also be quite tedious. 109 | 110 | 1. Navigate to the address you want to edit in either the disassembler or memory viewer. If in the disassembler you can quickly navigate to an address displayed in the disassembler by right clicking on it and selecting "Go to in Memory View". 111 | 2. Insert your updated logic into the appropriate addresses in the memory editor. Ensure you enter the bytes of each instruction in reverse order. 112 | 113 | ![PPSSPP Rewriting the Game Logic](assets/ppsspp-rewriting-the-game-logic.png) 114 | 115 | ### 7. Test your changes 116 | 117 | Almost done. Resume the game and test the changes work as expected. If the changes work as expected all that is needed is to convert them to CWCheat format so they can be used by everyone. 118 | 119 | ### 8. Convert the cheat to CWCheat format 120 | 121 | This step is much simpler, in our case all of the instructions we change will follow the following format: 122 | 123 | ``` 124 | _S GAME-ID (eg. NPEZ-00044) 125 | _G Game Name 126 | _C0 Cheat Name 127 | _L 0x2AAAAAAA 0xBBBBBBBB 128 | _L 0x2AAAAAAA 0xBBBBBBBB 129 | ... 130 | ``` 131 | 132 | In the above example: 133 | * AAAAAAA should be substituted with the address(es) you wrote to (minus 0x08800000 as CWCheat uses 0x08800000 as a base address) 134 | * BBBBBBBB should be substituted with the hex value of the instruction. 135 | 136 | Continuing from the example above, the cheat code would be as follows: 137 | 138 | ``` 139 | _S NPEZ-00044 140 | _G Jetpack Joyride 141 | _C0 Coin Multiplier 142 | _L 0x2003F0B0 0x24130064 143 | ``` 144 | -------------------------------------------------------------------------------- /cheat-devices/pspar.md: -------------------------------------------------------------------------------- 1 | ## PSP Action Replay (PSPAR) 2 | 3 | ### Description 4 | 5 | PSP Action Replay is the first commercial cheat device for the PSP. The first PSPAR (released October 2008) used the 6 | Pandora exploit to launch the software on PSP-1000 and early PSP-2000 consoles. A newer version released in 7 | December 2009 used a signed binary installed in the UPDATE folder and launched directly from the XMB. 8 | 9 | ### Code types 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 23 | 24 | 25 | 26 | 31 | 32 | 33 | 34 | 39 | 40 | 41 | 42 | 43 | 48 | 49 | 50 | 51 | 56 | 57 | 58 | 59 | 64 | 65 | 66 | 67 | 72 | 73 | 74 | 75 | 76 | 81 | 82 | 83 | 84 | 89 | 90 | 91 | 92 | 97 | 98 | 99 | 100 | 105 | 106 | 107 | 108 | 109 | 114 | 115 | 116 | 117 | 122 | 123 | 124 | 125 | 130 | 131 | 132 | 133 | 138 | 139 | 140 | 141 | 146 | 147 | 148 | 149 | 150 | 154 | 155 | 156 | 157 | 158 | 163 | 164 | 165 | 166 | 171 | 172 | 173 | 174 | 179 | 180 | 181 | 182 | 183 | 188 | 189 | 190 | 191 | 196 | 197 | 198 | 199 | 204 | 205 | 206 | 207 | 212 | 213 | 214 | 215 | 220 | 221 | 222 | 223 | 228 | 229 | 230 | 231 | 236 | 237 | 238 | 239 | 244 | 245 | 246 | 247 | 248 | 253 | 254 | 255 | 256 | 261 | 262 | 263 | 264 | 265 | 270 | 271 | 272 | 273 | 278 | 279 | 280 | 281 | 286 | 287 | 288 |
TypeDescription
Constant RAM Writes
19 | Type 0x00
20 | 32-bit
21 | 0XXXXXXX YYYYYYYY 22 | 		Writes word YYYYYYYY to [XXXXXXX+offset].
27 | Type 0x01
28 | 16-bit
29 | 1XXXXXXX 0000YYYY 30 | 		Writes halfword YYYY to [XXXXXXX+offset].
35 | Type 0x02
36 | 8-bit
37 | 2XXXXXXX 000000YY 38 | 		Writes byte YY to [XXXXXXX+offset].
Conditional 32-bit Code Types
44 | Type 0x03
45 | Greater Than
46 | 3XXXXXXX YYYYYYYY 47 | 		Checks if YYYYYYYY > (word at [XXXXXXX] or [offset] if [XXXXXXX] is 0)
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of thecode list is reached.
52 | Type 0x04
53 | Less Than
54 | 4XXXXXXX YYYYYYYY 55 | 		Checks if YYYYYYYY < (word at [XXXXXXX] or [offset] if [XXXXXXX] is 0)
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of thecode list is reached.
60 | Type 0x05
61 | Equal To
62 | 5XXXXXXX YYYYYYYY 63 | 		Checks if YYYYYYYY == (word at [XXXXXXX] or [offset] if [XXXXXXX] is 0)
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of thecode list is reached.
68 | Type 0x06
69 | Not Equal To
70 | 6XXXXXXX YYYYYYYY 71 | 		Checks if YYYYYYYY != (word at [XXXXXXX] or [offset] if [XXXXXXX] is 0)
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of thecode list is reached.
Conditional 16-bit + Masking Code Types
77 | Type 0x07
78 | Greater Than
79 | 7XXXXXXX ZZZZYYYY 80 | 		Checks if YYYY > (not ZZZZ < halfword at [XXXXXXX] or [offset] if [XXXXXXX] is 0).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
85 | Type 0x08
86 | Less Than
87 | 8XXXXXXX ZZZZYYYY 88 | 		Checks if YYYY < (not ZZZZ < halfword at [XXXXXXX] or [offset] if [XXXXXXX] is 0).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
93 | Type 0x09
94 | Equal To
95 | 9XXXXXXX ZZZZYYYY 96 | 		Checks if YYYY == (not ZZZZ < halfword at [XXXXXXX] or [offset] if [XXXXXXX] is 0).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
101 | Type 0x0A
102 | Not Equal To
103 | AXXXXXXX ZZZZYYYY 104 | 		Checks if YYYY != (not ZZZZ < halfword at [XXXXXXX] or [offset] if [XXXXXXX] is 0).
If not, the code(s) following this one are not executed (ie. execution status is set to false) until a code type D0 or D2 is encountered, or until the end of the code list is reached.
Offset Codes
110 | Type 0x0B
111 | Load Offset
112 | BXXXXXXX 00000000 113 | 		Loads the 32-bit value into the 'offset'.
Offset = word at [XXXXXXX+offset].
118 | Type 0xC4
119 | Safe Data Store
120 | C4000000 XXXXXXXX 121 | 		Sets the offset value to point to the first word of this code. Storing data at offset+0x4 will save over the top of XXXXXXXX.
126 | Type 0xC6
127 | Write Offset
128 | C6000000 XXXXXXXX 129 | 		Writes the offset value to [XXXXXXXX].
134 | Type 0xD3
135 | Set Offset
136 | D3000000 XXXXXXXX 137 | 		Sets the offset value to XXXXXXXX.
142 | Type 0xDC
143 | Add Offset
144 | DC000000 XXXXXXXX 145 | 		Adds XXXXXXXX to the current offset (Dual Offset).
Loop Codes
151 | Type 0x0C
152 | C0000000 YYYYYYYY 153 | 		This sets the 'Dx repeat value' to YYYYYYYY and saves the 'Dx nextcode to be executed' and the 'Dx execution status'. Repeat will be executed when a D1/D2 code is encountered.
When repeat is executed, the AR reloads the 'next code to be executed' and the 'execution status' from the Dx registers.
Terminator Codes
159 | Type 0xD0
160 | Terminator
161 | D0000000 00000000 162 | 		Loads the previous execution status. If none exists, the execution status stays at 'execute codes'.
167 | Type 0xD1
168 | Loop Execute Variant
169 | D1000000 00000000 170 | 		Executes the next block of codes 'n' times (specified by the 0x0C codetype), but doesn't clear the Dx register upon completion.
175 | Type 0xD2
176 | Loop Execute Variant / Full Terminator
177 | D2000000 00000000 178 | 		Executes the next block of codes 'n' times (specified by the 0x0C codetype), and clears all temporary data. (i.e. execution status, offsets, code C settings, etc.)
This code can also be used as a full terminator, giving the same effects to any block of code.
Data Register Codes
184 | Type 0xD4
185 | Add Value
186 | D4000000 XXXXXXXX 187 | 		Adds XXXXXXXX to the 'Dx data register'.
192 | Type 0xD5
193 | Set Value
194 | D5000000 XXXXXXXX 195 | 		Set XXXXXXXX to the 'Dx data register'.
200 | Type 0xD6
201 | 32-bit Incrementive Write
202 | D6000000 XXXXXXXX 203 | 		Writes the 'Dx data register' word to [XXXXXXXX+offset], and increments the offset by 4.
208 | Type 0xD7
209 | 16-bit Incrementive Write
210 | D7000000 XXXXXXXX 211 | 		Writes the 'Dx data register' halfword to [XXXXXXXX+offset], and increments the offset by 2.
216 | Type 0xD8
217 | 8-bit Incrementive Write
218 | D8000000 XXXXXXXX 219 | 		Writes the 'Dx data register' byte to [XXXXXXXX+offset], and increments the offset by 1.
224 | Type 0xD9
225 | 32-bit Load
226 | D9000000 XXXXXXXX 227 | 		Loads the word at [XXXXXXXX+offset] and stores it in the'Dx data register'.
232 | Type 0xDA
233 | 16-bit Load
234 | DA000000 XXXXXXXX 235 | 		Loads the halfword at [XXXXXXXX+offset] and stores it in the'Dx data register'.
240 | Type 0xDB
241 | 8-bit Load
242 | DB000000 XXXXXXXX 243 | 		Loads the byte at [XXXXXXXX+offset] and stores it in the'Dx data register'.
Miscellaneous Codes
249 | Type 0x0E
250 | Patch Code
251 | EXXXXXXX YYYYYYYY 252 | 		Copies YYYYYYYY bytes from directly after the 0xE code line to [XXXXXXXX+offset].
257 | Type 0x0F
258 | Memory Copy Code
259 | FXXXXXXX YYYYYYYY 260 | 		Copy YYYYYYYY bytes from offset to XXXXXXX (XXXXXXX is fixed, no offsets are added to it).
Folder/Comment Codes
266 | Type 0xCF
267 | Single Select Folder
268 | CF000000 XXXXXXXX 269 | 		Sets the cheat as a single select folder and the next XXXXXXXX items (codes, folders and comments) will be subitems of the current item.
274 | Type 0xCF
275 | Comment
276 | CF000001 XXXXXXXX 277 | 		Sets the cheat as a comment and the next XXXXXXXX items will also be treated as comments.
282 | Type 0xCF
283 | Multi Select Folder
284 | CF000002 XXXXXXXX 285 | 		Sets the cheat as a folder and the next XXXXXXXX items (codes, folders and comments) will be subitems of the current item.
289 | -------------------------------------------------------------------------------- /cheat-devices/cwcheat.md: -------------------------------------------------------------------------------- 1 | ## CWCheat 2 | 3 | ### Description 4 | 5 | CWCheat by weltall was the first universal cheat device for the PSP. Inspired by the PS2 Action Replay code types 6 | this cheat device also supports native PS1 Action Replay codes and homebrew software. 7 | 8 | ### Code types 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 38 | 39 | 40 | 41 | 42 | 47 | 48 | 49 | 50 | 55 | 56 | 57 | 58 | 64 | 65 | 66 | 67 | 72 | 73 | 74 | 75 | 80 | 81 | 82 | 83 | 89 | 90 | 91 | 92 | 93 | 98 | 99 | 100 | 101 | 106 | 107 | 108 | 109 | 114 | 115 | 116 | 117 | 122 | 123 | 124 | 125 | 130 | 131 | 132 | 133 | 138 | 139 | 140 | 141 | 146 | 147 | 148 | 149 | 154 | 155 | 156 | 157 | 158 | 163 | 164 | 165 | 166 | 171 | 172 | 173 | 174 | 179 | 180 | 181 | 182 | 187 | 188 | 189 | 190 | 195 | 196 | 197 | 198 | 203 | 204 | 205 | 206 | 211 | 212 | 213 | 214 | 219 | 220 | 221 | 222 | 223 | 229 | 230 | 231 | 232 | 238 | 239 | 240 | 241 | 247 | 248 | 249 | 250 | 256 | 257 | 258 | 259 | 260 | 265 | 266 | 267 | 268 | 273 | 274 | 275 | 276 | 281 | 282 | 283 | 284 | 289 | 290 | 291 | 292 | 297 | 298 | 299 | 300 | 305 | 306 | 307 | 308 | 309 | 314 | 315 | 316 | 317 | 318 | 323 | 324 | 325 | 326 | 331 | 332 | 333 | 334 | 340 | 341 | 342 | 343 | 349 | 350 | 351 | 352 | 357 | 358 | 359 | 360 | 365 | 366 | 367 |
TypeDescription
Constant RAM Writes
18 | Type 0x00
19 | 8-bit
20 | 0XXXXXXX YYYYYYYY 21 | 		Writes byte YY to [XXXXXXX].
26 | Type 0x01
27 | 16-bit
28 | 1XXXXXXX 0000YYYY 29 | 		Writes halfword YYYY to [XXXXXXX].
34 | Type 0x02
35 | 32-bit
36 | 2XXXXXXX 000000YY 37 | 		Writes word YYYYYYYY to [XXXXXXX].
Increment and Decrement Code Types
43 | Type 0x03
44 | 8-bit Increment
45 | 301000YY XXXXXXXX 46 | 		Adds YY to the byte stored at [XXXXXXXX].
51 | Type 0x03
52 | 16-bit Increment
53 | 3030YYYY XXXXXXXX 54 | 		Adds YYYY to the halfword stored at [XXXXXXXX].
59 | Type 0x03
60 | 32-bit Increment
61 | 30500000 XXXXXXXX
62 | YYYYYYYY 000000000 63 | 		Adds YYYYYYYY to the word stored at [XXXXXXXX].
68 | Type 0x03
69 | 8-bit Decrement
70 | 302000YY XXXXXXXX 71 | 		Subtracts YY from the byte stored at [XXXXXXXX].
76 | Type 0x03
77 | 16-bit Decrement
78 | 3040YYYY XXXXXXXX 79 | 		Subtracts YYYY from the halfword stored at [XXXXXXXX].
84 | Type 0x03
85 | 32-bit Decrement
86 | 30600000 XXXXXXXX
87 | YYYYYYYY 000000000 88 | 		Subtracts YYYYYYYY from the word stored at [XXXXXXXX].
Conditional Code Types
94 | Type 0x0D
95 | 8-bit Equal To
96 | DXXXXXXX 200000YY 97 | 		Checks if YY == (byte at [XXXXXXX]).
If not, the following line is not executed (ie. execution status is set to false for 1 line).
102 | Type 0x0D
103 | 8-bit Not Equal To
104 | DXXXXXXX 201000YY 105 | 		Checks if YY != (byte at [XXXXXXX]).
If not, the following line is not executed (ie. execution status is set to false for 1 line).
110 | Type 0x0D
111 | 8-bit Less Than
112 | DXXXXXXX 202000YY 113 | 		Checks if YY < (byte at [XXXXXXX]).
If not, the following line is not executed (ie. execution status is set to false for 1 line).
118 | Type 0x0D
119 | 8-bit Greater Than
120 | DXXXXXXX 203000YY 121 | 		Checks if YY > (byte at [XXXXXXX]).
If not, the following line is not executed (ie. execution status is set to false for 1 line).
126 | Type 0x0D
127 | 16-bit Equal To
128 | DXXXXXXX 0000YYYY 129 | 		Checks if YYYY == (halfword at [XXXXXXX]).
If not, the following line is not executed (ie. execution status is set to false for 1 line).
134 | Type 0x0D
135 | 16-bit Not Equal To
136 | DXXXXXXX 0010YYYY 137 | 		Checks if YYYY != (halfword at [XXXXXXX]).
If not, the following line is not executed (ie. execution status is set to false for 1 line).
142 | Type 0x0D
143 | 16-bit Less Than
144 | DXXXXXXX 0020YYYY 145 | 		Checks if YYYY < (halfword at [XXXXXXX]).
If not, the following line is not executed (ie. execution status is set to false for 1 line).
150 | Type 0x0D
151 | 16-bit Greater Than
152 | DXXXXXXX 0030YYYY 153 | 		Checks if YYYY > (halfword at [XXXXXXX]).
If not, the following line is not executed (ie. execution status is set to false for 1 line).
Multiple Skip Conditional Code Types
159 | Type 0x0E
160 | 8-bit Equal To
161 | E1ZZYYYY 0XXXXXXX 162 | 		Checks if YY == (byte at [XXXXXXX]).
If not, the next ZZ are not executed (ie. execution status is set to false for ZZ lines).
167 | Type 0x0E
168 | 8-bit Not Equal To
169 | E1ZZYYYY 1XXXXXXX 170 | 		Checks if YY != (byte at [XXXXXXX]).
If not, the next ZZ are not executed (ie. execution status is set to false for ZZ lines).
175 | Type 0x0E
176 | 8-bit Less Than
177 | E1ZZYYYY 2XXXXXXX 178 | 		Checks if YY < (byte at [XXXXXXX]).
If not, the next ZZ are not executed (ie. execution status is set to false for ZZ lines).
183 | Type 0x0E
184 | 8-bit Greater Than
185 | E1ZZYYYY 3XXXXXXX 186 | 		Checks if YY > (byte at [XXXXXXX]).
If not, the next ZZ are not executed (ie. execution status is set to false for ZZ lines).
191 | Type 0x0E
192 | 16-bit Equal To
193 | EZZZYYYY 0XXXXXXX 194 | 		Checks if YYYY == (halfword at [XXXXXXX]).
If not, the next ZZZ are not executed (ie. execution status is set to false for ZZZ lines).
199 | Type 0x0E
200 | 16-bit Not Equal To
201 | EZZZYYYY 1XXXXXXX 202 | 		Checks if YYYY != (halfword at [XXXXXXX]).
If not, the next ZZZ are not executed (ie. execution status is set to false for ZZZ lines).
207 | Type 0x0E
208 | 16-bit Less Than
209 | EZZZYYYY 2XXXXXXX 210 | 		Checks if YYYY < (halfword at [XXXXXXX]).
If not, the next ZZZ are not executed (ie. execution status is set to false for ZZZ lines).
215 | Type 0x0E
216 | 16-bit Greater Than
217 | EZZZYYYY 3XXXXXXX 218 | 		Checks if YYYY > (halfword at [XXXXXXX]).
If not, the next ZZZ are not executed (ie. execution status is set to false for ZZZ lines).
Address Conditional Code Types
224 | Type 0x0D
225 | Address Equal To
226 | DXXXXXXX 4YYYYYYY
227 | ZZZZZZZZ 0000000W 228 | 		Checks if value at [XXXXXXX] == value at [YYYYYYY].
If not, the next ZZZZZZZZ lines are not executed (ie. execution status is set to false for ZZZ lines).
W = Address type; 0 - 8-bit, 1 - 16-bit, 2 - 32-bit
233 | Type 0x0D
234 | Address Not Equal To
235 | DXXXXXXX 5YYYYYYY
236 | ZZZZZZZZ 0000000W 237 | 		Checks if value at [XXXXXXX] != value at [YYYYYYY].
If not, the next ZZZZZZZZ lines are not executed (ie. execution status is set to false for ZZZ lines).
W = Address type; 0 - 8-bit, 1 - 16-bit, 2 - 32-bit
242 | Type 0x0D
243 | Address Less Than
244 | DXXXXXXX 6YYYYYYY
245 | ZZZZZZZZ 0000000W 246 | 		Checks if value at [XXXXXXX] < value at [YYYYYYY].
If not, the next ZZZZZZZZ lines are not executed (ie. execution status is set to false for ZZZ lines).
W = Address type; 0 - 8-bit, 1 - 16-bit, 2 - 32-bit
251 | Type 0x0D
252 | Address Greater Than
253 | DXXXXXXX 7YYYYYYY
254 | ZZZZZZZZ 0000000W 255 | 		Checks if value at [XXXXXXX] > value at [YYYYYYY].
If not, the next ZZZZZZZZ lines are not executed (ie. execution status is set to false for ZZZ lines).
W = Address type; 0 - 8-bit, 1 - 16-bit, 2 - 32-bit
Boolean Code Types
261 | Type 0x07
262 | 8-bit OR
263 | 7XXXXXXX 000000YY 264 | 		Writes byte (byte at [XXXXXXX] OR YY) to [XXXXXXX].
269 | Type 0x07
270 | 8-bit AND
271 | 7XXXXXXX 000200YY 272 | 		Writes byte (byte at [XXXXXXX] AND YY) to [XXXXXXX].
277 | Type 0x07
278 | 8-bit XOR
279 | 7XXXXXXX 000400YY 280 | 		Writes byte (byte at [XXXXXXX] XOR YY) to [XXXXXXX].
285 | Type 0x07
286 | 16-bit OR
287 | 7XXXXXXX 000100YY 288 | 		Writes halfword (halfword at [XXXXXXX] OR YYYY) to [XXXXXXX].
293 | Type 0x07
294 | 16-bit AND
295 | 7XXXXXXX 000300YY 296 | 		Writes halfword (halfword at [XXXXXXX] AND YYYY) to [XXXXXXX].
301 | Type 0x07
302 | 16-bit XOR
303 | 7XXXXXXX 000500YY 304 | 		Writes halfword (halfword at [XXXXXXX] XOR YYYY) to [XXXXXXX].
Pointer Code Types
310 | Type 0x06
311 | 8-bit
312 | ... 313 | 		TODO... well the TODO has been here since at least 2011... I don't know if I'm ever going to do it at this point.
Miscellaneous Code Types
319 | Type 0x0D
320 | Button Press
321 | D00000YY 1XXXXXXX 322 | 		Checks if ctrl & XXXXXXX == XXXXXXX.
If not, the next YY+1 lines are not executed (ie. execution status is set to false for YY+1 lines). See button activators for possible values.
327 | Type 0x0D
328 | Inverse Button Press
329 | D00000YY 3XXXXXXX 330 | 		Checks if ctrl & XXXXXXX != XXXXXXX.
If not, the next YY+1 lines are not executed (ie. execution status is set to false for YY+1 lines). See button activators for possible values.
335 | Type 0x05
336 | Copy Bytes
337 | 5XXXXXXX ZZZZZZZZ
338 | 0YYYYYYY 0000000 339 | 		Copies ZZZZZZZZ bytes from [XXXXXXX] to [YYYYYYY].
344 | Type 0x04
345 | 32-bit Multi Write
346 | 4XXXXXXX YYYYZZZZ
347 | VVVVVVVV WWWWWWWW 348 | 		Starting at address [XXXXXXX], this code will loop YYYY times.
The next address is determined by the incrementing the current address by (ZZZZ * 4).
The value written to the address is specified by VVVVVVVV+(WWWWWWWW * loop count).
353 | Type 0x0B
354 | Pause
355 | B0000000 XXXXXXXX 356 | 		Delays the code engine for XXXXXXXX cycles. Will delay the application of all following code lines.
Simply performs sceKernelDelayThread(XXXXXXXX), hopefully this is what CWCheat does when this code type is encountered.
361 | Type 0x0C
362 | 32-bit Equal To
363 | CXXXXXXX YYYYYYYY 364 | 		Checks if YYYYYYYY == (word at [XXXXXXX]).
If not, the remainder of the code is not executed (ie. execution status is set to false until the next cheat is reached).
368 | --------------------------------------------------------------------------------