Difference between revisions of "Kernel Syscalls"

From The iPhone Wiki
Jump to: navigation, search
(Mach)
(arm64)
 
(24 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== Note on these ==
 
== Note on these ==
Args go in their normal registers, like arg1 in R0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12.
+
Args go in their normal registers, like arg1 in R0/X0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12/X16.
   
 
As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).
 
As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).
 
 
   
 
== Unix ==
 
== Unix ==
 
 
=== Usage ===
 
=== Usage ===
 
<pre>
 
<pre>
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12
+
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12 on arm32 and x16 on arm64
 
SVC 0x80 // Formerly, SWI (software interrupt)
 
SVC 0x80 // Formerly, SWI (software interrupt)
 
</pre>
 
</pre>
   
For example:
+
For example, arm32:
 
<pre>
 
<pre>
   
Line 20: Line 17:
 
0x30d2ad54 <chown>: mov r12, #16 ; 0x10, being # of chown
 
0x30d2ad54 <chown>: mov r12, #16 ; 0x10, being # of chown
 
0x30d2ad58 <chown+4>: svc 0x00000080
 
0x30d2ad58 <chown+4>: svc 0x00000080
  +
</pre>
  +
  +
And arm64:
  +
<pre>
  +
libsystem_kernel.dylib`chown:
  +
0x1866c6084 <+0>: mov x16, #0x10
  +
0x1866c6088 <+4>: svc #0x80
 
</pre>
 
</pre>
   
 
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
 
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
   
=== sysent ===
 
   
  +
=== sysent ===
 
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (either be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:
+
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the exported kdebug symbol, this is unreliable, as the symbol is no longer exported. A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:
   
 
<pre>
 
<pre>
Line 46: Line 49:
 
</pre>
 
</pre>
   
Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 5.1:
+
Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 6.0b1:
   
=== List of system calls from iOS 5.1 ===
+
=== List of system calls from [[iOS]] 6.0 GM ===
   
'''note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).
+
'''note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).
   
  +
A good reference on these can be found at [http://newosxbook.com/index.php?page=Appendix ''Wiley's OS X and iOS Internals'' online appendix]. The joker tool (shown below) can be downloaded from the same site.
<pre>
 
   
  +
<pre>
$ ./fsysent ~/Documents/projects/iOS.5.1.iPod4.kernel
 
  +
$ joker -u ~/Documents/projects/iOS.6.0.iPod4.kernel
 
This is an ARM binary. Applying iOS kernel signatures
 
This is an ARM binary. Applying iOS kernel signatures
  +
Entry point is 0x80085084....This appears to be XNU 2107.2.33
Sysent offset in file (for patching purposes): 2931636 (0x2cbbb4)
 
  +
Syscall names are @2a70f0
This appears to be XNU 1878.11.8
 
  +
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0
syscall 801b3aa4 T
 
  +
exit 8019e924 T
 
  +
Suppressing enosys (0x800b3429) T = Thumb
fork 801a15cc T
 
read 801b3ac0 T
+
1. exit 801d4a74 T
write 801b3ea0 T
+
2. fork 801d7980 T
open 800a1e64 T
+
3. read 801eb584 T
close 80197570 T
+
4. write 801eb958 T
wait4 8019f464 T
+
5. open 800b13a4 T
8 old creat 801b3aa4 T
+
6. close 801ccab4 T
link 800a23a4 T
+
7. wait4 801d56bc T
unlink 800a2aa8 T
+
9. link 800b18e8 T
11 old execv 801b3aa4 T
+
10. unlink 800b1ff0 T
chdir 800a175c T
+
12. chdir 800b0c60 T
fchdir 800a15f4 T
+
13. fchdir 800b0af0 T
mknod 800a1f64 T
+
14. mknod 800b14bc T
chmod 800a3598 T
+
15. chmod 800b2b40 T
chown 800a3714 T
+
16. chown 800b2c9c T
17 old break 801b3aa4 T
+
18. getfsstat 800b088c T
getfsstat 800a1390 T
+
20. getpid 801dc20c T
19 old lseek 801b3aa4 T
+
23. setuid 801dc4c0 T
getpid 801a5838 T
+
24. getuid 801dc290 T
21 old mount 801b3aa4 T
+
25. geteuid 801dc2a0 T
22 old umount 801b3aa4 T
+
26. ptrace 801e812c T
setuid 801a5aec T
+
27. recvmsg 8020a8fc T
getuid 801a58bc T
+
28. sendmsg 8020a444 T
geteuid 801a58cc T
+
29. recvfrom 8020a528 T
ptrace 801b0a9c T
+
30. accept 80209dfc T
recvmsg 801cfde4 T
+
31. getpeername 8020abc8 T
sendmsg 801cf958 T
+
32. getsockname 8020ab18 T
recvfrom 801cfa40 T
+
33. access 800b24ac T
accept 801cf32c T
+
34. chflags 800b2928 T
getpeername 801d00a8 T
+
35. fchflags 800b29f0 T
getsockname 801cfff8 T
+
36. sync 800b0320 T
access 800a2f14 T
+
37. kill 801dfdcc T
chflags 800a336c T
+
39. getppid 801dc214 T
fchflags 800a343c T
+
41. dup 801cab04 T
sync 800a0e5c T
+
42. pipe 801edbe4 T
kill 801a91b0 T
+
43. getegid 801dc318 T
38 old stat 801b3aa4 T
+
46. sigaction 801deee8 T
getppid 801a5840 T
+
47. getgid 801dc308 T
40 old lstat 801b3aa4 T
+
48. sigprocmask 801df42c T
dup 80195890 T
+
49. getlogin 801dd0e8 T
pipe 801b6a00 T
+
50. setlogin 801dd160 T
getegid 801a5944 T
+
51. acct 801c54ec T
profil 801b3400 T
+
52. sigpending 801df5d0 T
45 old ktrace 801b3aa4 T
+
53. sigaltstack 801dfd10 T
sigaction 801a8348 T
+
54. ioctl 801ebd1c T
getgid 801a5934 T
+
55. reboot 801e8090 T
sigprocmask 801a8868 T
+
56. revoke 800b43f8 T
getlogin 801a66cc T
+
57. symlink 800b1b58 T
setlogin 801a6728 T
+
58. readlink 800b282c T
acct 801908f0 T
+
59. execve 801d4448 T
sigpending 801a8a0c T
+
60. umask 800b43d0 T
sigaltstack 801a90f4 T
+
61. chroot 800b0d30 T
ioctl 801b426c T
+
65. msync 801d84d0 T
reboot 801b0a2c T
+
66. vfork 801d7018 T
revoke 800a4d8c T
+
73. munmap 801d857c T
symlink 800a2620 T
+
74. mprotect 801d85b0 T
readlink 800a328c T
+
75. madvise 801d8668 T
execve 8019e49c T
+
78. mincore 801d86d4 T
umask 800a4d64 T
+
79. getgroups 801dc328 T
chroot 800a1824 T
+
80. setgroups 801dd02c T
62 old fstat 801b3aa4 T
+
81. getpgrp 801dc21c T
  +
82. setpgid 801dc3c8 T
63 used internally , reserved 801b3aa4 T
 
  +
83. setitimer 801e7b78 T
64 old getpagesize 801b3aa4 T
 
  +
124. fchmod 800b2c70 T
87 old gethostname 801b3aa4 T
 
  +
126. setreuid 801dc80c T
88 old sethostname 801b3aa4 T
 
  +
151. getpgid 801dc224 T
103 old sigreturn 801b3aa4 T
 
  +
159. unmount 800afe88 T
109 old sigblock 801b3aa4 T
 
  +
165. quotactl 800b03bc T
110 old sigsetmask 801b3aa4 T
 
  +
169. csops 801dafd0 T
112 old sigstack 801b3aa4 T
 
  +
191. pathconf 800b27c8 T
125 old recvfrom 801b3aa4 T
 
  +
196. getdirentries 800b3f94 T
129 old truncate 801b3aa4 T
 
  +
197. mmap 801d7fc0 T
130 old ftruncate 801b3aa4 T
 
shutdown 801cfee0 T
+
202. __sysctl 801e2478 T
socketpair 801cf534 T
+
203. mlock 801d8820 T
mkdir 800a46b4 T
+
204. munlock 801d8878 T
rmdir 800a46fc T
+
205. undelete 800b1cf0 T
utimes 800a38f0 T
+
216. mkcomplex 800b12c4 T
futimes 800a3a70 T
+
220. getattrlist 8009b060 T
adjtime 801b0338 T
+
221. setattrlist 8009b0d8 T
  +
222. getdirentriesattr 800b44e0 T
141 old getpeername 801b3aa4 T
 
  +
225. searchfs 800b48dc T
143 old sethostid 801b3aa4 T
 
  +
226. delete 800b202c T
144 old getrlimit 801b3aa4 T
 
  +
227. copyfile 800b32cc T
145 old setrlimit 801b3aa4 T
 
  +
230. poll 801ec72c T
148 old setquota 801b3aa4 T
 
  +
232. waitevent 801ed1f8 T
150 old getsockname 801b3aa4 T
 
pwrite 801b4008 T
+
236. setxattr 800b578c T
nfssvc 801b3aa4 T
+
237. fsetxattr 800b5898 T
  +
238. removexattr 800b5994 T
156 old getdirentries 801b3aa4 T
 
unmount 800a09f0 T
+
241. flistxattr 800b5c00 T
  +
242. fsctl 800b4dd4 T
160 old async_daemon 801b3aa4 T
 
  +
244. posix_spawn 801d351c T
162 old getdomainname 801b3aa4 T
 
  +
245. ffsctl 800b5474 T
163 old setdomainname 801b3aa4 T
 
164 801b3aa4 T
+
250. minherit 801d8630 T
quotactl 800a0ee8 T
+
266. shm_open 8020eb24 T
  +
267. shm_unlink 8020f604 T
166 old exportfs 801b3aa4 T
 
csops 801a47bc T
+
270. sem_unlink 8020e4e0 T
170 old table 801b3aa4 T
+
271. sem_wait 8020e76c T
171 old wait3 801b3aa4 T
+
272. sem_trywait 8020e834 T
172 old rpause 801b3aa4 T
+
273. sem_post 8020e8d8 T
waitid 8019f860 T
+
274. sem_getvalue 8020e97c T
  +
275. sem_init 8020e974 T
174 old getdents 801b3aa4 T
 
  +
276. sem_destroy 8020e978 T
175 old gc_control 801b3aa4 T
 
setgid 801a5fe0 T
+
282. chmod_extended 800b2a30 T
  +
283. fchmod_extended 800b2b74 T
setegid 801a60ec T
 
  +
284. access_extended 800b21a0 T
seteuid 801a5d48 T
 
chud 801e1acc T
+
286. gettid 801dc2b0 T
186 801b3aa4 T
+
287. setsgroups 801dd03c T
fdatasync 800a3cd8 T
+
288. getsgroups 801dc37c T
stat 800a2fec T
+
289. setwgroups 801dd040 T
fstat 801977f8 T
+
290. getwgroups 801dc380 T
  +
291. mkfifo_extended 800b16f4 T
lstat 800a3134 T
 
  +
294. shared_region_check_np 8021c3a4 T
fpathconf 80197858 T
 
  +
296. vm_pressure_monitor 8021cb08 T
193 801b3aa4 T
 
  +
297. psynch_rw_longrdlock 802159ac T
getrlimit 801a75d4 T
 
  +
298. psynch_rw_yieldwrlock 80215c60 T
setrlimit 801a6eb8 T
 
  +
299. psynch_rw_downgrade 80215c68 T
getdirentries 800a4928 T
 
  +
300. psynch_rw_upgrade 80215c64 T
mmap 801a1b84 T
 
  +
301. psynch_mutexwait 80212bd8 T
198 __syscall 801b3aa4 T
 
  +
302. psynch_mutexdrop 80213b9c T
lseek 800a2b20 T
 
  +
304. psynch_cvsignal 802141c0 T
ftruncate 800a3b90 T
 
  +
306. psynch_rw_rdlock 80214d7c T
mlock 801a2418 T
 
  +
307. psynch_rw_wrlock 802159b0 T
munlock 801a246c T
 
  +
308. psynch_rw_unlock 80215c6c T
undelete 800a27c8 T
 
  +
309. psynch_rw_unlock2 80215f64 T
ATsocket 801b3aa4 T
 
  +
311. settid_with_pid 801dcdcc T
ATputmsg 801b3aa4 T
 
  +
312. psynch_cvclrprepost 80214c7c T
ATPsndreq 801b3aa4 T
 
ATPgetreq 801b3aa4 T
+
314. aio_return 801c60a8 T
ATPgetrsp 801b3aa4 T
+
315. aio_suspend 801c6330 T
  +
316. aio_cancel 801c5a48 T
213 Reserved for AppleTalk 801b3aa4 T
 
mkcomplex 800a1d9c T
+
319. aio_write 801c6544 T
statv 801b3aa4 T
+
320. lio_listio 801c6564 T
lstatv 801b3aa4 T
+
322. iopolicysys 801de420 T
fstatv 801b3aa4 T
+
323. process_policy 8021a72c T
getattrlist 8008d1c4 T
+
324. mlockall 801d88b4 T
setattrlist 8008d23c T
+
325. munlockall 801d88b8 T
  +
327. issetugid 801dc4b0 T
getdirentriesattr 800a4e80 T
 
  +
329. __pthread_sigmask 801dfaa4 T
224 old checkuseraccess / fsgetpath ( which moved to 427 ) 801b3aa4 T
 
  +
331. __disable_threadsignal 801df720 T
delete 800a2ae4 T
 
  +
332. __pthread_markcancel 801df73c T
copyfile 800a3cf4 T
 
  +
333. __pthread_canceled 801df784 T
fgetattrlist 8008a6c8 T
 
  +
334. __semwait_signal 801df924 T
fsetattrlist 8008d904 T
 
  +
341. stat64_extended 800b2624 T
getxattr 800a6048 T
 
  +
342. lstat64_extended 800b2770 T
fgetxattr 800a6160 T
 
  +
343. fstat64_extended 801cd00c T
setxattr 800a6240 T
 
  +
344. getdirentries64 800b4340 T
fsetxattr 800a6328 T
 
removexattr 800a6408 T
+
345. statfs64 800b06e0 T
fremovexattr 800a64b0 T
+
346. fstatfs64 800b0828 T
listxattr 800a654c T
+
347. getfsstat64 800b0a38 T
  +
348. __pthread_chdir 800b0d28 T
flistxattr 800a6610 T
 
  +
349. __pthread_fchdir 800b0c58 T
fsctl 800a5964 T
 
246 801b3aa4 T
+
354. setauid 801c1a80 T
nfsclnt 801b3aa4 T
+
357. getaudit_addr 801c1a84 T
fhopen 801b3aa4 T
+
358. setaudit_addr 801c1a88 T
249 801b3aa4 T
+
359. auditctl 801c1a8c T
  +
360. bsdthread_create 80216ab8 T
minherit 801a222c T
 
  +
361. bsdthread_terminate 80216d30 T
semsys 801b3aa4 T
 
  +
366. bsdthread_register 80216d94 T
semop 801b3aa4 T
 
257 801b3aa4 T
+
367. workq_open 802179e8 T
  +
368. workq_kernreturn 80217e50 T
msgctl 801b3aa4 T
 
  +
370. __old_semwait_signal 801df7f8 T
msgsnd 801b3aa4 T
 
  +
371. __old_semwait_signal_nocancel 801df82c T
msgrcv 801b3aa4 T
 
shmat 801b3aa4 T
+
372. thread_selfid 80218354 T
shmctl 801b3aa4 T
+
373. ledger 801ed70c T
shmdt 801b3aa4 T
+
380. __mac_execve 801d4468 T
shmget 801b3aa4 T
+
381. __mac_syscall 8027d0a8 T
shm_open 801d3b34 T
+
382. __mac_get_file 8027cd50 T
shm_unlink 801d45d0 T
+
383. __mac_set_file 8027cf98 T
sem_open 801d3110 T
+
384. __mac_get_link 8027ce74 T
sem_close 801d379c T
+
385. __mac_set_link 8027d098 T
sem_unlink 801d35cc T
+
386. __mac_get_proc 8027c844 T
sem_wait 801d37f8 T
+
387. __mac_set_proc 8027c904 T
sem_trywait 801d38bc T
+
388. __mac_get_fd 8027cbfc T
sem_post 801d395c T
+
389. __mac_set_fd 8027ce84 T
sem_getvalue 801d39fc T
+
390. __mac_get_pid 8027c778 T
sem_init 801d39f4 T
+
391. __mac_get_lcid 8027c9b8 T
sem_destroy 801d39f8 T
+
392. __mac_get_lctx 8027ca7c T
open_extended 800a1cb8 T
+
393. __mac_set_lctx 8027cb38 T
  +
394. setlcid 801dd228 T
umask_extended 800a4d14 T
 
  +
396. read_nocancel 801eb5a4 T
lstat_extended 800a30e0 T
 
  +
397. write_nocancel 801eb978 T
fstat_extended 801975e4 T
 
  +
398. open_nocancel 800b1434 T
chmod_extended 800a347c T
 
  +
399. close_nocancel 801ccad0 T
fchmod_extended 800a35d4 T
 
  +
400. wait4_nocancel 801d56dc T
access_extended 800a2c54 T
 
  +
401. recvmsg_nocancel 8020a91c T
settid 801a6358 T
 
  +
402. sendmsg_nocancel 8020a464 T
gettid 801a58dc T
 
  +
403. recvfrom_nocancel 8020a548 T
setsgroups 801a6620 T
 
  +
404. accept_nocancel 80209b1c T
getsgroups 801a59a8 T
 
  +
407. select_nocancel 801ebfe4 T
mkfifo_extended 800a21a8 T
 
  +
408. fsync_nocancel 800b32a8 T
mkdir_extended 800a44ac T
 
  +
409. connect_nocancel 80209e34 T
identitysvc 801b3aa4 T
 
  +
410. sigsuspend_nocancel 801df6b4 T
shared_region_check_np 801e0a68 T
 
  +
411. readv_nocancel 801eb830 T
shared_region_map_np 801b3aa4 T
 
  +
412. writev_nocancel 801ebbd0 T
vm_pressure_monitor 801e1150 T
 
  +
413. sendto_nocancel 8020a188 T
psynch_rw_longrdlock 801da274 T
 
  +
414. pread_nocancel 801eb794 T
psynch_rw_yieldwrlock 801da79c T
 
  +
415. pwrite_nocancel 801ebaf0 T
psynch_rw_downgrade 801daa38 T
 
  +
416. waitid_nocancel 801d5ad0 T
psynch_rw_upgrade 801daa34 T
 
  +
417. poll_nocancel 801ec74c T
psynch_mutexwait 801d77d0 T
 
  +
420. sem_wait_nocancel 8020e788 T
psynch_mutexdrop 801d85f8 T
 
  +
421. aio_suspend_nocancel 801c6350 T
psynch_cvbroad 801d864c T
 
  +
422. __sigwait_nocancel 801dfb8c T
psynch_cvsignal 801d8bb4 T
 
  +
423. __semwait_signal_nocancel 801df958 T
psynch_cvwait 801d9020 T
 
  +
424. __mac_mount 800af08c T
psynch_rw_rdlock 801d96ec T
 
  +
425. __mac_get_mount 8027d2a0 T
psynch_rw_wrlock 801da508 T
 
  +
426. __mac_getfsstat 800b08b0 T
psynch_rw_unlock 801daa3c T
 
  +
427. fsgetpath 800b5ce4 T
psynch_rw_unlock2 801dad10 T
 
  +
428. audit_session_self 801c1a68 T
getsid 801a5880 T
 
  +
429. audit_session_join 801c1a6c T
settid_with_pid 801a63f8 T
 
  +
430. fileport_makeport 801ce2f0 T
312 old __pthread_cond_timedwait 801d95e8 T
 
  +
431. fileport_makefd 801ce494 T
aio_fsync 80191278 T
 
  +
432. audit_session_port 801c1a70 T
aio_return 8019143c T
 
  +
436. pid_shutdown_sockets 8021c2c0 T
aio_read 8019141c T
 
  +
438. shared_region_map_and_slide_np 8021c954 T
aio_write 801918a4 T
 
  +
439. kas_info 8021cb50 T ; Provides ASLR information to user space
lio_listio 801918c4 T
 
  +
; (intentionally crippled in iOS, works in ML)
321 old __pthread_cond_wait 801b3aa4 T
 
  +
440. memorystatus_control 801e62a0 T ;; Controls JetSam - supersedes old sysctl interface
iopolicysys 801a795c T
 
  +
441. guarded_open_np 801cead0 T
323 801df090 T
 
  +
442. guarded_close_np 801cebdc T
mlockall 801a24ac T
 
msync 801a20c0 T
+
85. swapon 8021be68 T
vfork 801a0cfc T
+
86. getitimer 801e7a30 T
67 old vread 801b3aa4 T
+
89. getdtablesize 801ca6dc T
68 old vwrite 801b3aa4 T
+
90. dup2 801caf54 T
69 old sbrk 801b3aa4 T
+
92. fcntl 801cb420 T
70 old sstk 801b3aa4 T
+
93. select 801ebfc8 T
71 old mmap 801b3aa4 T
+
95. fsync 800b3238 T
72 old vadvise 801b3aa4 T
+
96. setpriority 801dd494 T
munmap 801a216c T
+
97. socket 802098a4 T
mprotect 801a21a4 T
+
98. connect 80209e1c T
madvise 801a2264 T
+
100. getpriority 801dd388 T
76 old vhangup 801b3aa4 T
+
104. bind 80209970 T
77 old vlimit 801b3aa4 T
+
105. setsockopt 8020aa30 T
mincore 801a22d0 T
+
106. listen 80209adc T
getgroups 801a5954 T
+
111. sigsuspend 801df5f8 T
setgroups 801a6610 T
+
116. gettimeofday 801e7840 T
getpgrp 801a5848 T
+
117. getrusage 801de22c T
setpgid 801a59f4 T
+
118. getsockopt 8020aa94 T
setitimer 801b0518 T
+
120. readv 801eb810 T
84 old wait 801b3aa4 T
+
121. writev 801ebbb0 T
swapon 801e0548 T
+
122. settimeofday 801e789c T
getitimer 801b03c8 T
+
123. fchown 800b2dac T
getdtablesize 80195480 T
+
127. setregid 801dcba0 T
dup2 80195bc4 T
+
128. rename 800b3428 T
91 old getdopt 801b3aa4 T
+
131. flock 801ce20c T
fcntl 80195fc4 T
+
132. mkfifo 800b1798 T
select 801b44fc T
+
133. sendto 8020a168 T
94 old setdopt 801b3aa4 T
+
134. shutdown 8020aa00 T
fsync 800a3c60 T
+
135. socketpair 8020a00c T
setpriority 801a6a24 T
+
136. mkdir 800b3d1c T
socket 801cedc8 T
+
137. rmdir 800b3d5c T
connect 801cf34c T
+
138. utimes 800b2e60 T
99 old accept 801b3aa4 T
+
139. futimes 800b3034 T
getpriority 801a6918 T
+
140. adjtime 801e79a0 T
101 old send 801b3aa4 T
+
142. gethostuuid 801ed6a4 T
102 old recv 801b3aa4 T
+
147. setsid 801dc384 T
bind 801cee98 T
+
152. setprivexec 801dc1f4 T
setsockopt 801cff10 T
+
153. pread 801eb774 T
listen 801cf00c T
+
154. pwrite 801ebad0 T
107 old vtimes 801b3aa4 T
+
157. statfs 800b03c0 T
108 old sigvec 801b3aa4 T
+
158. fstatfs 800b0678 T
sigsuspend 801a8a34 T
+
167. mount 800af068 T
113 old recvmsg 801b3aa4 T
+
170. 170 old table 801db4bc T
114 old sendmsg 801b3aa4 T
+
173. waitid 801d5ab4 T
115 old vtrace 801b3aa4 T
+
180. kdebug_trace 801c2db4 T
gettimeofday 801b01d8 T
+
181. setgid 801dc9a4 T
getrusage 801a7798 T
+
182. setegid 801dcab0 T
getsockopt 801cff74 T
+
183. seteuid 801dc710 T
119 old resuba 801b3aa4 T
+
184. sigreturn 8021e7e4 T
readv 801b3d4c T
+
185. chud 8021d4f4 T
writev 801b40f4 T
+
187. fdatasync 800b32b0 T
settimeofday 801b0238 T
+
188. stat 800b2588 T
fchown 800a3830 T
+
189. fstat 801ccfec T
fchmod 800a36dc T
+
190. lstat 800b26d4 T
setreuid 801a5e40 T
+
192. fpathconf 801cd048 T
setregid 801a61d8 T
+
194. getrlimit 801de074 T
rename 800a3e34 T
+
195. setrlimit 801dd93c T
flock 801989e4 T
+
199. lseek 800b2068 T
mkfifo 800a2254 T
+
200. truncate 800b30b4 T
sendto 801cf67c T
+
201. ftruncate 800b3174 T
gethostuuid 801b5c44 T
+
223. exchangedata 800b469c T
146 old killpg 801b3aa4 T
+
228. fgetattrlist 80098488 T
setsid 801a59b0 T
+
229. fsetattrlist 8009b7e0 T
149 old qquota 801b3aa4 T
+
231. watchevent 801ed054 T
getpgid 801a5850 T
+
233. modwatch 801ed368 T
setprivexec 801a5820 T
+
234. getxattr 800b5550 T
pread 801b3ca4 T
+
235. fgetxattr 800b568c T
statfs 800a0eec T
+
239. fremovexattr 800b5a5c T
fstatfs 800a117c T
+
240. listxattr 800b5b1c T
getfh 801b3aa4 T
+
243. initgroups 801dcea8 T
mount 8009fd10 T
+
268. sem_open 8020df80 T
168 old ustat 801b3aa4 T
+
269. sem_close 8020e718 T
add_profil 801b3404 T
+
277. open_extended 800b11d8 T
177 801b3aa4 T
+
278. umask_extended 800b4380 T
178 801b3aa4 T
+
279. stat_extended 800b2530 T
179 801b3aa4 T
+
280. lstat_extended 800b267c T
kdebug_trace 8018e964 T
+
281. fstat_extended 801ccdd0 T
sigreturn 801e2cb0 T
+
285. settid 801dcd2c T
pathconf 800a3228 T
+
292. mkdir_extended 800b3b30 T
truncate 800a3ac4 T
+
303. psynch_cvbroad 80213bf0 T
__sysctl 801ab798 T
+
305. psynch_cvwait 80214648 T
ATgetmsg 801b3aa4 T
+
310. getsid 801dc254 T
ATPsndrsp 801b3aa4 T
+
313. aio_fsync 801c5ed0 T
214 801b3aa4 T
+
317. aio_error 801c5e24 T
215 801b3aa4 T
+
318. aio_read 801c6088 T
exchangedata 800a5018 T
+
328. __pthread_kill 801dfa44 T
searchfs 800a5258 T
+
330. __sigwait 801dfb54 T
poll 801b4d04 T
+
336. proc_info 80218618 T
watchevent 801b5604 T
+
338. stat64 800b25d4 T
waitevent 801b579c T
+
339. fstat64 801cd028 T
modwatch 801b5914 T
+
340. lstat64 800b2720 T
initgroups 801a64d0 T
+
350. audit 801c1a74 T
posix_spawn 8019d658 T
+
351. auditon 801c1a78 T
ffsctl 800a5f78 T
+
353. getauid 801c1a7c T
msgsys 801b3aa4 T
+
362. kqueue 801cf594 T
shmsys 801b3aa4 T
+
363. kevent 801cf614 T
semctl 801b3aa4 T
+
364. lchown 800b2d94 T
semget 801b3aa4 T
+
365. stack_snapshot 801c520c T
msgget 801b3aa4 T
+
369. kevent64 801cf8ac T
stat_extended 800a2f98 T
+
395. getlcid 801dd310 T
setwgroups 801a6624 T
+
405. msync_nocancel 801d84e8 T
getwgroups 801a59ac T
+
406. fcntl_nocancel 801cb440 T
aio_suspend 801916a0 T
+
433. pid_suspend 8021c180 T
aio_cancel 80190e24 T
+
434. pid_resume 8021c1f0 T
aio_error 801911d4 T
+
435. pid_hibernate 8021c268 T
munlockall 801a24b0 T
 
326 801b3aa4 T
 
issetugid 801a5adc T
 
__pthread_kill 801a8e34 T
 
__pthread_sigmask 801a8e94 T
 
__sigwait 801a8f38 T
 
__disable_threadsignal 801a8b48 T
 
__pthread_markcancel 801a8b64 T
 
__pthread_canceled 801a8bac T
 
__semwait_signal 801a8d30 T
 
335 old utrace 801b3aa4 T
 
proc_info 801dd524 T
 
sendfile 801b3aa4 T
 
stat64 800a3038 T
 
fstat64 80197838 T
 
lstat64 800a3180 T
 
stat64_extended 800a3088 T
 
lstat64_extended 800a31d0 T
 
fstat64_extended 80197818 T
 
getdirentries64 800a4cd0 T
 
statfs64 800a11e4 T
 
fstatfs64 800a132c T
 
getfsstat64 800a1540 T
 
__pthread_chdir 800a181c T
 
__pthread_fchdir 800a1754 T
 
; -----------------------
 
; The following are unused in iOS - symbols are stubs returning 0x4E (ENOSYS)
 
audit 8018d990 T
 
auditon 8018d994 T
 
352 801b3aa4 T
 
getauid 8018d998 T
 
setauid 8018d99c T
 
getaudit 8018d9a0 T
 
setaudit 8018d9a4 T
 
getaudit_addr 8018d9a8 T
 
setaudit_addr 8018d9ac T
 
auditctl 8018d9b0 T
 
; ---------------------
 
bsdthread_create 801db740 T
 
bsdthread_terminate 801db9b4 T
 
kqueue 801998c4 T
 
kevent 80199948 T
 
lchown 800a3818 T
 
stack_snapshot 8019066c T
 
bsdthread_register 801dba18 T
 
workq_open 801dc70c T
 
workq_kernreturn 801dccac T
 
kevent64 80199bd4 T
 
__old_semwait_signal 801a8c1c T
 
__old_semwait_signal_nocancel 801a8c54 T
 
thread_selfid 801dd27c T
 
373 801b5c98 T
 
374 801b3aa4 T
 
375 801b3aa4 T
 
376 801b3aa4 T
 
377 801b3aa4 T
 
378 801b3aa4 T
 
379 801b3aa4 T
 
__mac_execve 8019e4bc T
 
__mac_syscall 80244734 T
 
__mac_get_file 802443d4 T
 
__mac_set_file 80244628 T
 
__mac_get_link 80244504 T
 
__mac_set_link 80244724 T
 
__mac_get_proc 80243eb0 T
 
__mac_set_proc 80243f74 T
 
__mac_get_fd 80244280 T
 
__mac_set_fd 80244514 T
 
__mac_get_pid 80243ddc T
 
__mac_get_lcid 80244030 T
 
__mac_get_lctx 802440fc T
 
__mac_set_lctx 802441c0 T
 
setlcid 801a67cc T
 
getlcid 801a68ac T
 
read_nocancel 801b3ae0 T
 
write_nocancel 801b3ec0 T
 
open_nocancel 800a1ee8 T
 
close_nocancel 8019758c T
 
wait4_nocancel 8019f484 T
 
recvmsg_nocancel 801cfe04 T
 
sendmsg_nocancel 801cf978 T
 
recvfrom_nocancel 801cfa60 T
 
accept_nocancel 801cf04c T
 
msync_nocancel 801a20d8 T
 
fcntl_nocancel 80195fe4 T
 
select_nocancel 801b4518 T
 
fsync_nocancel 800a3cd0 T
 
connect_nocancel 801cf364 T
 
sigsuspend_nocancel 801a8ae4 T
 
readv_nocancel 801b3d6c T
 
writev_nocancel 801b4114 T
 
sendto_nocancel 801cf69c T
 
pread_nocancel 801b3cc4 T
 
pwrite_nocancel 801b4028 T
 
waitid_nocancel 8019f87c T
 
poll_nocancel 801b4d24 T
 
msgsnd_nocancel 801b3aa4 T
 
msgrcv_nocancel 801b3aa4 T
 
sem_wait_nocancel 801d3814 T
 
aio_suspend_nocancel 801916c0 T
 
__sigwait_nocancel 801a8f70 T
 
__semwait_signal_nocancel 801a8d68 T
 
__mac_mount 8009fd34 T
 
__mac_get_mount 80244900 T
 
__mac_getfsstat 800a13b4 T
 
fsgetpath 800a66d4 T
 
audit_session_self 8018d984 T
 
audit_session_join 8018d988 T
 
fileport_makeport 80198ad4 T
 
fileport_makefd 80198c58 T
 
audit_session_port 8018d98c T
 
pid_suspend 801e084c T
 
pid_resume 801e08bc T
 
pid_hibernate 801e0928 T
 
pid_shutdown_sockets 801e0984 T
 
437 old shared_region_slide_np 801b3aa4 T
 
shared_region_map_and_slide_np 801e1008 T
 
   
 
</pre>
 
</pre>
Line 505: Line 392:
 
== Mach ==
 
== Mach ==
   
XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach system calls are commonly known as "traps", and are maintained in a Mach Trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" command) checks the system call number - if it is negative, it is interpreted as Mach trap instead.
+
XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach syscalls (on 32-bit systems like iOS) are encoded as negative numbers, which is clever, since POSIX system calls are all non-negative. For example, consider mach_msg_trap:
   
  +
<pre>
In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS.
 
  +
_mach_msg_trap:
  +
0001a8b4 e1a0c00d mov ip, sp
  +
0001a8b8 e92d0170 push {r4, r5, r6, r8}
  +
0001a8bc e89c0070 ldm ip, {r4, r5, r6}
  +
0001a8c0 e3e0c01e mvn ip, #30 @ 0x1e ; Move NEGATIVE -30 into IP (R12)
  +
0001a8c4 ef000080 svc 0x00000080 ; issue a supervisor call
  +
0001a8c8 e8bd0170 pop {r4, r5, r6, r8}
  +
0001a8cc e12fff1e bx lr
  +
..
  +
_semaphore_signal_all_trap:
  +
0001a8f8 e3e0c021 mvn ip, #33 @ 0x21 ; NEGATIVE -33 into IP (R12)
  +
0001a8fc ef000080 svc 0x00000080
  +
0001a900 e12fff1e bx lr
  +
</pre>
  +
  +
  +
Mach system calls are commonly known as "traps", and are maintained in a Mach Trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" command) checks the system call number - if it is negative, it is flipped (2's complement), and interpreted as Mach trap instead.
  +
  +
== mach_trap_table ==
  +
In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS. All the traps are ARM Thumb. The joker binary can be used to find the Mach trap table, as well. The following shows iOS 6.0.b1's table:
   
 
<pre>
 
<pre>
  +
$ ./joker -ls mach kernel.iPod4.iOS6.0b1
__data:802BA684 DCD aKern_invalid ; "kern_invalid"
 
  +
This is an ARM binary. Applying iOS kernel signatures
__data:802BA688 DCD aKern_invalid ; "kern_invalid"
 
  +
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
__data:802BA68C DCD aKern_invalid ; "kern_invalid"
 
  +
Kern invalid should be 0x80027ec1. Ignoring those
__data:802BA690 DCD aKern_invalid ; "kern_invalid"
 
  +
..This appears to be XNU 2107.1.78
__data:802BA694 DCD aKern_invalid ; "kern_invalid"
 
  +
10 _kernelrpc_mach_vm_allocate_trap 80014460 T
__data:802BA698 DCD aKern_invalid ; "kern_invalid"
 
  +
12 _kernelrpc_mach_vm_deallocate_trap 800144cc T
__data:802BA69C DCD aKern_invalid ; "kern_invalid"
 
  +
14 _kernelrpc_mach_vm_protect_trap 80014510 T
__data:802BA6A0 DCD aKern_invalid ; "kern_invalid"
 
  +
16 _kernelrpc_mach_port_allocate_trap 80014564 T
__data:802BA6A4 DCD aKern_invalid ; "kern_invalid"
 
  +
17 _kernelrpc_mach_port_destroy_trap 800145b4 T
__data:802BA6A8 DCD aKern_invalid ; "kern_invalid"
 
  +
18 _kernelrpc_mach_port_deallocate_trap 800145f0 T
__data:802BA6AC DCD a_kernelrpc_mac ; "_kernelrpc_mach_vm_allocate_trap"
 
  +
19 _kernelrpc_mach_port_mod_refs_trap 8001462c T
__data:802BA6B0 DCD a_kernelrpc_vm_ ; "_kernelrpc_vm_allocate_trap"
 
  +
20 _kernelrpc_mach_port_move_member_trap 8001466c T
__data:802BA6B4 DCD a_kernelrpc_m_0 ; "_kernelrpc_mach_vm_deallocate_trap"
 
  +
21 _kernelrpc_mach_port_insert_right_trap 800146b0 T
__data:802BA6B8 DCD a_kernelrpc_v_0 ; "_kernelrpc_vm_deallocate_trap"
 
  +
22 _kernelrpc_mach_port_insert_member_trap 80014710 T
__data:802BA6BC DCD a_kernelrpc_m_1 ; "_kernelrpc_mach_vm_protect_trap"
 
  +
23 _kernelrpc_mach_port_extract_member_trap 80014754 T
__data:802BA6C0 DCD a_kernelrpc_v_1 ; "_kernelrpc_vm_protect_trap"
 
__data:802BA6C4 DCD a_kernelrpc_m_2 ; "_kernelrpc_mach_port_allocate_trap"
+
26 mach_reply_port 8001b5b4 T
__data:802BA6C8 DCD a_kernelrpc_m_3 ; "_kernelrpc_mach_port_destroy_trap"
+
27 thread_self_trap 8001b598 T
__data:802BA6CC DCD a_kernelrpc_m_4 ; "_kernelrpc_mach_port_deallocate_trap"
+
28 task_self_trap 8001b578 T
__data:802BA6D0 DCD a_kernelrpc_m_5 ; "_kernelrpc_mach_port_mod_refs_trap"
+
29 host_self_trap 80019910 T
__data:802BA6D4 DCD a_kernelrpc_m_6 ; "_kernelrpc_mach_port_move_member_trap"
+
31 mach_msg_trap 80014ec0 T
  +
32 mach_msg_overwrite_trap 80014d20 T
__data:802BA6D8 DCD a_kernelrpc_m_7 ; "_kernelrpc_mach_port_insert_right_trap"
 
  +
33 semaphore_signal_trap 80027188 T
__data:802BA6DC DCD a_kernelrpc_m_8 ; "_kernelrpc_mach_port_insert_member_trap"...
 
  +
34 semaphore_signal_all_trap 8002720c T
__data:802BA6E0 DCD a_kernelrpc_m_9 ; "_kernelrpc_mach_port_extract_member_tra"...
 
  +
35 semaphore_signal_thread_trap 80027114 T
__data:802BA6E4 DCD aKern_invalid ; "kern_invalid"
 
  +
37 semaphore_wait_signal_trap 80027658 T
__data:802BA6EC DCD aMach_reply_por ; "mach_reply_port"
 
  +
38 semaphore_timedwait_trap 80027598 T
__data:802BA6F0 DCD aThread_self_tr ; "thread_self_trap"
 
  +
39 semaphore_timedwait_signal_trap 8002773c T
__data:802BA6F4 DCD aTask_self_trap ; "task_self_trap"
 
__data:802BA708 DCD aSemaphore_sign ; "semaphore_signal_trap"
+
49 macx_swapoff 8021b668 T
__data:802BA70C DCD aSemaphore_si_0 ; "semaphore_signal_all_trap"
+
51 macx_triggers 8021b3f4 T
  +
52 macx_backing_store_suspend 8021b370 T
__data:802BA710 DCD aSemaphore_si_1 ; "semaphore_signal_thread_trap"
 
  +
53 macx_backing_store_recovery 8021b318 T
__data:802BA714 DCD aSemaphore_wait ; "semaphore_wait_trap"
 
__data:802BA720 DCD aSemaphore_ti_0 ; "semaphore_timedwait_signal_trap"
+
60 swtch 8002781c T
__data:802BA724 DCD aKern_invalid ; "kern_invalid"
+
61 thread_switch 80027ad4 T
__data:802BA728 DCD aKern_invalid ; "kern_invalid"
+
62 clock_sleep_trap 80017520 T
  +
89 mach_timebase_info_trap 80016658 T
__data:802BA72C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA73C DCD aPid_for_task ; "pid_for_task"
+
93 mk_timer_arm_trap 8001f544 T
__data:802BA740 DCD aKern_invalid ; "kern_invalid"
+
94 mk_timer_cancel_trap 8001f5c8 T
__data:802BA744 DCD aMacx_swapon ; "macx_swapon"
+
100 iokit_user_client_trap 8026c11c T
  +
__data:802BA748 DCD aMacx_swapoff ; "macx_swapoff"
 
__data:802BA6E8 DCD aKern_invalid ; "kern_invalid"
+
36 semaphore_wait_trap 800274b0 T
__data:802BA6F8 DCD aHost_self_trap ; "host_self_trap"
+
44 task_name_for_pid 8021a838 T
__data:802BA6FC DCD aKern_invalid ; "kern_invalid"
+
45 task_for_pid 8021a688 T
__data:802BA700 DCD aMach_msg_trap ; "mach_msg_trap"
+
46 pid_for_task 8021a63c T
__data:802BA704 DCD aMach_msg_overw ; "mach_msg_overwrite_trap"
+
48 macx_swapon 8021b414 T
__data:802BA718 DCD aSemaphore_wa_0 ; "semaphore_wait_signal_trap"
+
58 pfz_exit 80027818 T
__data:802BA71C DCD aSemaphore_time ; "semaphore_timedwait_trap"
+
59 swtch_pri 800278e4 T
__data:802BA730 DCD aMap_fd ; "map_fd"
+
90 mach_wait_until_trap 80016d20 T
__data:802BA734 DCD aTask_name_for_ ; "task_name_for_pid"
+
91 mk_timer_create_trap 8001f2f4 T
__data:802BA738 DCD aTask_for_pid ; "task_for_pid"
+
92 mk_timer_destroy_trap 8001f500 T
__data:802BA74C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA750 DCD aMacx_triggers ; "macx_triggers"
 
__data:802BA754 DCD aMacx_backing_s ; "macx_backing_store_suspend"
 
__data:802BA758 DCD aMacx_backing_0 ; "macx_backing_store_recovery"
 
__data:802BA75C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA760 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA764 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA768 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA76C DCD aPfz_exit ; "pfz_exit"
 
__data:802BA770 DCD aSwtch_pri ; "swtch_pri"
 
__data:802BA774 DCD aSwtch ; "swtch"
 
__data:802BA778 DCD aThread_switch ; "thread_switch"
 
__data:802BA77C DCD aClock_sleep_tr ; "clock_sleep_trap"
 
__data:802BA780 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA784 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA788 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA78C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA790 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA794 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA798 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA79C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7A0 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7A4 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7A8 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7AC DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7B0 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7B4 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7B8 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7BC DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7C0 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7C4 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7C8 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7CC DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7D0 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7D4 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7D8 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7DC DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7E0 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7E4 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA7E8 DCD aMach_timebase_ ; "mach_timebase_info_trap"
 
__data:802BA7EC DCD aMach_wait_unti ; "mach_wait_until_trap"
 
__data:802BA7F0 DCD aMk_timer_creat ; "mk_timer_create_trap"
 
__data:802BA7F4 DCD aMk_timer_destr ; "mk_timer_destroy_trap"
 
__data:802BA7F8 DCD aMk_timer_arm_t ; "mk_timer_arm_trap"
 
__data:802BA7FC DCD aMk_timer_cance ; "mk_timer_cancel_trap"
 
__data:802BA800 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA804 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA808 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA80C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA810 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA814 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA818 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA81C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA820 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA824 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA828 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA82C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA830 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA834 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA838 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA83C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA840 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA844 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA848 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA84C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA850 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA854 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA858 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA85C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA860 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA864 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA868 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA86C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA870 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA874 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA878 DCD aKern_invalid ; "kern_invalid"
 
__data:802BA87C DCD aKern_invalid ; "kern_invalid"
 
__data:802BA880 DCD aKern_invalid ; "kern_invalid"
 
 
</pre>
 
</pre>
  +
  +
== References ==
  +
* [http://newosxbook.com/index.php?page=Appendix ''Wiley's OS X and iOS Internals'' online appendix]

Latest revision as of 21:48, 2 February 2018

Note on these

Args go in their normal registers, like arg1 in R0/X0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12/X16.

As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).

Unix

Usage

MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12 on arm32 and x16 on arm64
SVC 0x80   // Formerly, SWI (software interrupt)

For example, arm32:


(gdb) disass chown
0x30d2ad54 <chown>:	mov	r12, #16	       ; 0x10, being # of chown
0x30d2ad58 <chown+4>:	svc	0x00000080

And arm64:

libsystem_kernel.dylib`chown:
    0x1866c6084 <+0>:  mov    x16, #0x10
    0x1866c6088 <+4>:  svc    #0x80

Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)


sysent

The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the exported kdebug symbol, this is unreliable, as the symbol is no longer exported. A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:


struct sysent {         /* system call table */
        int16_t         sy_narg;        /* number of args */
        int8_t          sy_resv;        /* reserved  */
        int8_t          sy_flags;       /* flags */
        sy_call_t       *sy_call;       /* implementing function */
        sy_munge_t      *sy_arg_munge32; /* system call arguments munger for 32-bit process */
        sy_munge_t      *sy_arg_munge64; /* system call arguments munger for 64-bit process */
        int32_t         sy_return_type; /* system call return types */
        uint16_t        sy_arg_bytes;   /* Total size of arguments in bytes for
                                         * 32-bit system calls
                                         */
};

Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 6.0b1:

List of system calls from iOS 6.0 GM

note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).

A good reference on these can be found at Wiley's OS X and iOS Internals online appendix. The joker tool (shown below) can be downloaded from the same site.

$ joker -u ~/Documents/projects/iOS.6.0.iPod4.kernel 
This is an ARM binary. Applying iOS kernel signatures
Entry point is 0x80085084....This appears to be XNU 2107.2.33
Syscall names are @2a70f0
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0

Suppressing enosys (0x800b3429)  T = Thumb
1. exit                  801d4a74 T
2. fork                  801d7980 T
3. read                  801eb584 T
4. write                 801eb958 T
5. open                  800b13a4 T
6. close                 801ccab4 T
7. wait4                 801d56bc T
9. link                  800b18e8 T
10. unlink               800b1ff0 T
12. chdir                800b0c60 T
13. fchdir               800b0af0 T
14. mknod                800b14bc T
15. chmod                800b2b40 T
16. chown                800b2c9c T
18. getfsstat            800b088c T
20. getpid               801dc20c T
23. setuid               801dc4c0 T
24. getuid               801dc290 T
25. geteuid              801dc2a0 T
26. ptrace               801e812c T
27. recvmsg              8020a8fc T
28. sendmsg              8020a444 T
29. recvfrom             8020a528 T
30. accept               80209dfc T
31. getpeername          8020abc8 T
32. getsockname          8020ab18 T
33. access               800b24ac T
34. chflags              800b2928 T
35. fchflags             800b29f0 T
36. sync                 800b0320 T
37. kill                 801dfdcc T
39. getppid              801dc214 T
41. dup                  801cab04 T
42. pipe                 801edbe4 T
43. getegid              801dc318 T
46. sigaction            801deee8 T
47. getgid               801dc308 T
48. sigprocmask          801df42c T
49. getlogin             801dd0e8 T
50. setlogin             801dd160 T
51. acct                 801c54ec T
52. sigpending           801df5d0 T
53. sigaltstack          801dfd10 T
54. ioctl                801ebd1c T
55. reboot               801e8090 T
56. revoke               800b43f8 T
57. symlink              800b1b58 T
58. readlink             800b282c T
59. execve               801d4448 T
60. umask                800b43d0 T
61. chroot               800b0d30 T
65. msync                801d84d0 T
66. vfork                801d7018 T
73. munmap               801d857c T
74. mprotect             801d85b0 T
75. madvise              801d8668 T
78. mincore              801d86d4 T
79. getgroups            801dc328 T
80. setgroups            801dd02c T
81. getpgrp              801dc21c T
82. setpgid              801dc3c8 T
83. setitimer            801e7b78 T
85. swapon               8021be68 T
86. getitimer            801e7a30 T
89. getdtablesize        801ca6dc T
90. dup2                 801caf54 T
92. fcntl                801cb420 T
93. select               801ebfc8 T
95. fsync                800b3238 T
96. setpriority          801dd494 T
97. socket               802098a4 T
98. connect              80209e1c T
100. getpriority          801dd388 T
104. bind                 80209970 T
105. setsockopt           8020aa30 T
106. listen               80209adc T
 111. sigsuspend           801df5f8 T
116. gettimeofday         801e7840 T
117. getrusage            801de22c T
118. getsockopt           8020aa94 T
120. readv                801eb810 T
121. writev               801ebbb0 T
122. settimeofday         801e789c T
123. fchown               800b2dac T
124. fchmod               800b2c70 T
126. setreuid             801dc80c T
127. setregid             801dcba0 T
128. rename               800b3428 T
131. flock                801ce20c T
132. mkfifo               800b1798 T
133. sendto               8020a168 T
134. shutdown             8020aa00 T
135. socketpair           8020a00c T
136. mkdir                800b3d1c T
137. rmdir                800b3d5c T
138. utimes               800b2e60 T
139. futimes              800b3034 T
140. adjtime              801e79a0 T
142. gethostuuid          801ed6a4 T
147. setsid               801dc384 T
151. getpgid              801dc224 T
152. setprivexec          801dc1f4 T
153. pread                801eb774 T
154. pwrite               801ebad0 T
157. statfs               800b03c0 T
158. fstatfs              800b0678 T
159. unmount              800afe88 T
165. quotactl             800b03bc T
167. mount                800af068 T
169. csops                801dafd0 T
170. 170  old table       801db4bc T
173. waitid               801d5ab4 T
180. kdebug_trace         801c2db4 T
181. setgid               801dc9a4 T
182. setegid              801dcab0 T
183. seteuid              801dc710 T
184. sigreturn            8021e7e4 T
185. chud                 8021d4f4 T
187. fdatasync            800b32b0 T
188. stat                 800b2588 T
189. fstat                801ccfec T
190. lstat                800b26d4 T
191. pathconf             800b27c8 T
192. fpathconf            801cd048 T
194. getrlimit            801de074 T
195. setrlimit            801dd93c T
196. getdirentries        800b3f94 T
197. mmap                 801d7fc0 T
199. lseek                800b2068 T
200. truncate             800b30b4 T
201. ftruncate            800b3174 T
202. __sysctl             801e2478 T
203. mlock                801d8820 T
204. munlock              801d8878 T
205. undelete             800b1cf0 T
216. mkcomplex            800b12c4 T
220. getattrlist          8009b060 T
221. setattrlist          8009b0d8 T
222. getdirentriesattr    800b44e0 T
223. exchangedata         800b469c T
225. searchfs             800b48dc T
226. delete               800b202c T
227. copyfile             800b32cc T
228. fgetattrlist         80098488 T
229. fsetattrlist         8009b7e0 T
230. poll                 801ec72c T
231. watchevent           801ed054 T
232. waitevent            801ed1f8 T
233. modwatch             801ed368 T
234. getxattr             800b5550 T
235. fgetxattr            800b568c T
236. setxattr             800b578c T
237. fsetxattr            800b5898 T
238. removexattr          800b5994 T
239. fremovexattr         800b5a5c T
240. listxattr            800b5b1c T
241. flistxattr           800b5c00 T
242. fsctl                800b4dd4 T
243. initgroups           801dcea8 T
244. posix_spawn          801d351c T
245. ffsctl               800b5474 T
250. minherit             801d8630 T
266. shm_open             8020eb24 T
267. shm_unlink           8020f604 T
268. sem_open             8020df80 T
269. sem_close            8020e718 T
270. sem_unlink           8020e4e0 T
271. sem_wait             8020e76c T
272. sem_trywait          8020e834 T
273. sem_post             8020e8d8 T
274. sem_getvalue         8020e97c T
275. sem_init             8020e974 T
276. sem_destroy          8020e978 T
277. open_extended        800b11d8 T
278. umask_extended       800b4380 T
279. stat_extended        800b2530 T
280. lstat_extended       800b267c T
281. fstat_extended       801ccdd0 T
282. chmod_extended       800b2a30 T
283. fchmod_extended      800b2b74 T
284. access_extended      800b21a0 T
285. settid               801dcd2c T
286. gettid               801dc2b0 T
287. setsgroups           801dd03c T
288. getsgroups           801dc37c T
289. setwgroups           801dd040 T
290. getwgroups           801dc380 T
291. mkfifo_extended      800b16f4 T
292. mkdir_extended       800b3b30 T
294. shared_region_check_np 8021c3a4 T
296. vm_pressure_monitor  8021cb08 T
297. psynch_rw_longrdlock 802159ac T
298. psynch_rw_yieldwrlock 80215c60 T
299. psynch_rw_downgrade  80215c68 T
300. psynch_rw_upgrade    80215c64 T
301. psynch_mutexwait     80212bd8 T
302. psynch_mutexdrop     80213b9c T
303. psynch_cvbroad       80213bf0 T
304. psynch_cvsignal      802141c0 T
305. psynch_cvwait        80214648 T
306. psynch_rw_rdlock     80214d7c T
307. psynch_rw_wrlock     802159b0 T
308. psynch_rw_unlock     80215c6c T
309. psynch_rw_unlock2    80215f64 T
310. getsid               801dc254 T
311. settid_with_pid      801dcdcc T
312. psynch_cvclrprepost  80214c7c T
313. aio_fsync            801c5ed0 T
314. aio_return           801c60a8 T
315. aio_suspend          801c6330 T
316. aio_cancel           801c5a48 T
317. aio_error            801c5e24 T
318. aio_read             801c6088 T
319. aio_write            801c6544 T
320. lio_listio           801c6564 T
322. iopolicysys          801de420 T
323. process_policy       8021a72c T
324. mlockall             801d88b4 T
325. munlockall           801d88b8 T
327. issetugid            801dc4b0 T
328. __pthread_kill       801dfa44 T
329. __pthread_sigmask    801dfaa4 T
330. __sigwait            801dfb54 T
331. __disable_threadsignal 801df720 T
332. __pthread_markcancel 801df73c T
333. __pthread_canceled   801df784 T
334. __semwait_signal     801df924 T
336. proc_info            80218618 T
338. stat64               800b25d4 T
339. fstat64              801cd028 T
340. lstat64              800b2720 T
341. stat64_extended      800b2624 T
342. lstat64_extended     800b2770 T
343. fstat64_extended     801cd00c T
344. getdirentries64      800b4340 T
345. statfs64             800b06e0 T
346. fstatfs64            800b0828 T
347. getfsstat64          800b0a38 T
348. __pthread_chdir      800b0d28 T
349. __pthread_fchdir     800b0c58 T
350. audit                801c1a74 T
351. auditon              801c1a78 T
353. getauid              801c1a7c T
354. setauid              801c1a80 T
357. getaudit_addr        801c1a84 T
358. setaudit_addr        801c1a88 T
359. auditctl             801c1a8c T
360. bsdthread_create     80216ab8 T
361. bsdthread_terminate  80216d30 T
362. kqueue               801cf594 T
363. kevent               801cf614 T
364. lchown               800b2d94 T
365. stack_snapshot       801c520c T
366. bsdthread_register   80216d94 T
367. workq_open           802179e8 T
368. workq_kernreturn     80217e50 T
369. kevent64             801cf8ac T
370. __old_semwait_signal 801df7f8 T
371. __old_semwait_signal_nocancel 801df82c T
372. thread_selfid        80218354 T
373. ledger               801ed70c T
380. __mac_execve         801d4468 T
381. __mac_syscall        8027d0a8 T
382. __mac_get_file       8027cd50 T
383. __mac_set_file       8027cf98 T
384. __mac_get_link       8027ce74 T
385. __mac_set_link       8027d098 T
386. __mac_get_proc       8027c844 T
387. __mac_set_proc       8027c904 T
388. __mac_get_fd         8027cbfc T
389. __mac_set_fd         8027ce84 T
390. __mac_get_pid        8027c778 T
391. __mac_get_lcid       8027c9b8 T
392. __mac_get_lctx       8027ca7c T
393. __mac_set_lctx       8027cb38 T
394. setlcid              801dd228 T
395. getlcid              801dd310 T
396. read_nocancel        801eb5a4 T
397. write_nocancel       801eb978 T
398. open_nocancel        800b1434 T
399. close_nocancel       801ccad0 T
400. wait4_nocancel       801d56dc T
401. recvmsg_nocancel     8020a91c T
402. sendmsg_nocancel     8020a464 T
403. recvfrom_nocancel    8020a548 T
404. accept_nocancel      80209b1c T
405. msync_nocancel       801d84e8 T
406. fcntl_nocancel       801cb440 T
407. select_nocancel      801ebfe4 T
408. fsync_nocancel       800b32a8 T
409. connect_nocancel     80209e34 T
410. sigsuspend_nocancel  801df6b4 T
411. readv_nocancel       801eb830 T
412. writev_nocancel      801ebbd0 T
413. sendto_nocancel      8020a188 T
414. pread_nocancel       801eb794 T
415. pwrite_nocancel      801ebaf0 T
416. waitid_nocancel      801d5ad0 T
417. poll_nocancel        801ec74c T
420. sem_wait_nocancel    8020e788 T
421. aio_suspend_nocancel 801c6350 T
422. __sigwait_nocancel   801dfb8c T
423. __semwait_signal_nocancel 801df958 T
424. __mac_mount          800af08c T
425. __mac_get_mount      8027d2a0 T
426. __mac_getfsstat      800b08b0 T
427. fsgetpath            800b5ce4 T
428. audit_session_self   801c1a68 T
429. audit_session_join   801c1a6c T
430. fileport_makeport    801ce2f0 T
431. fileport_makefd      801ce494 T
432. audit_session_port   801c1a70 T
433. pid_suspend          8021c180 T
434. pid_resume           8021c1f0 T
435. pid_hibernate        8021c268 T
436. pid_shutdown_sockets 8021c2c0 T
438. shared_region_map_and_slide_np 8021c954 T
439. kas_info             8021cb50 T   ; Provides ASLR information to user space 
                                       ; (intentionally crippled in iOS, works in ML)
440. memorystatus_control 801e62a0 T   ;; Controls JetSam - supersedes old sysctl interface
441. guarded_open_np      801cead0 T  
442. guarded_close_np     801cebdc T

Mach

XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach syscalls (on 32-bit systems like iOS) are encoded as negative numbers, which is clever, since POSIX system calls are all non-negative. For example, consider mach_msg_trap:

_mach_msg_trap:
0001a8b4        e1a0c00d        mov     ip, sp
0001a8b8        e92d0170        push    {r4, r5, r6, r8}
0001a8bc        e89c0070        ldm     ip, {r4, r5, r6}
0001a8c0        e3e0c01e        mvn     ip, #30 @ 0x1e    ; Move NEGATIVE -30 into IP (R12)
0001a8c4        ef000080        svc     0x00000080        ; issue a supervisor call
0001a8c8        e8bd0170        pop     {r4, r5, r6, r8}
0001a8cc        e12fff1e        bx      lr
..
_semaphore_signal_all_trap:
0001a8f8        e3e0c021        mvn     ip, #33 @ 0x21   ; NEGATIVE -33 into IP (R12)
0001a8fc        ef000080        svc     0x00000080
0001a900        e12fff1e        bx      lr


Mach system calls are commonly known as "traps", and are maintained in a Mach Trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" command) checks the system call number - if it is negative, it is flipped (2's complement), and interpreted as Mach trap instead.

mach_trap_table

In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS. All the traps are ARM Thumb. The joker binary can be used to find the Mach trap table, as well. The following shows iOS 6.0.b1's table:

$ ./joker -ls mach kernel.iPod4.iOS6.0b1
This is an ARM binary. Applying iOS kernel signatures
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
Kern invalid should be 0x80027ec1. Ignoring those
..This appears to be XNU 2107.1.78
 10 _kernelrpc_mach_vm_allocate_trap         80014460 T
 12 _kernelrpc_mach_vm_deallocate_trap       800144cc T
 14 _kernelrpc_mach_vm_protect_trap          80014510 T
 16 _kernelrpc_mach_port_allocate_trap       80014564 T
 17 _kernelrpc_mach_port_destroy_trap        800145b4 T
 18 _kernelrpc_mach_port_deallocate_trap     800145f0 T
 19 _kernelrpc_mach_port_mod_refs_trap       8001462c T
 20 _kernelrpc_mach_port_move_member_trap    8001466c T
 21 _kernelrpc_mach_port_insert_right_trap   800146b0 T
 22 _kernelrpc_mach_port_insert_member_trap  80014710 T
 23 _kernelrpc_mach_port_extract_member_trap 80014754 T
 26 mach_reply_port                          8001b5b4 T
 27 thread_self_trap                         8001b598 T
 28 task_self_trap                           8001b578 T
 29 host_self_trap                           80019910 T
 31 mach_msg_trap                            80014ec0 T
 32 mach_msg_overwrite_trap                  80014d20 T
 33 semaphore_signal_trap                    80027188 T
 34 semaphore_signal_all_trap                8002720c T
 35 semaphore_signal_thread_trap             80027114 T
 36 semaphore_wait_trap                      800274b0 T
 37 semaphore_wait_signal_trap               80027658 T
 38 semaphore_timedwait_trap                 80027598 T
 39 semaphore_timedwait_signal_trap          8002773c T
 44 task_name_for_pid                        8021a838 T
 45 task_for_pid                             8021a688 T
 46 pid_for_task                             8021a63c T
 48 macx_swapon                              8021b414 T
 49 macx_swapoff                             8021b668 T
 51 macx_triggers                            8021b3f4 T
 52 macx_backing_store_suspend               8021b370 T
 53 macx_backing_store_recovery              8021b318 T
 58 pfz_exit                                 80027818 T
 59 swtch_pri                                800278e4 T
 60 swtch                                    8002781c T
 61 thread_switch                            80027ad4 T
 62 clock_sleep_trap                         80017520 T
 89 mach_timebase_info_trap                  80016658 T
 90 mach_wait_until_trap                     80016d20 T
 91 mk_timer_create_trap                     8001f2f4 T
 92 mk_timer_destroy_trap                    8001f500 T
 93 mk_timer_arm_trap                        8001f544 T
 94 mk_timer_cancel_trap                     8001f5c8 T
100 iokit_user_client_trap                   8026c11c T

References