The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "Kernel Syscalls"

From The iPhone Wiki
Jump to: navigation, search
(List of system calls from iOS 6.0b1 - watch this space for more)
(arm64)
 
(18 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== Note on these ==
  
== Note on these ==
Args go in their normal registers, like arg1 in R0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12.
 +
Args go in their normal registers, like arg1 in R0/X0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12/X16.
   
 
As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).
  
As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).
 
 
   
 
== Unix ==
  
== Unix ==
 
 
=== Usage ===
  
=== Usage ===
 
<pre>
  
<pre>
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12
 +
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12 on arm32 and x16 on arm64
 
SVC 0x80 // Formerly, SWI (software interrupt)
  
SVC 0x80 // Formerly, SWI (software interrupt)
 
</pre>
  
</pre>
   
For example:
 +
For example, arm32:
 
<pre>
  
<pre>
   
Line 20: Line 17:
 
0x30d2ad54 <chown>: mov r12, #16 ; 0x10, being # of chown
  
0x30d2ad54 <chown>: mov r12, #16 ; 0x10, being # of chown
 
0x30d2ad58 <chown+4>: svc 0x00000080
  
0x30d2ad58 <chown+4>: svc 0x00000080
  +
</pre>
  +
  +
And arm64:
  +
<pre>
  +
libsystem_kernel.dylib`chown:
  +
0x1866c6084 <+0>: mov x16, #0x10
  +
0x1866c6088 <+4>: svc #0x80
 
</pre>
  
</pre>
   
 
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
  
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
  +
   
 
=== sysent ===
 
=== sysent ===
  +
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the exported kdebug symbol, this is unreliable, as the symbol is no longer exported. A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:
 
 
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (either be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:
  
   
 
<pre>
  
<pre>
Line 46: Line 49:
 
</pre>
  
</pre>
   
Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 5.1:
 +
Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 6.0b1:
   
=== List of system calls from iOS 6.b1 ===
+
=== List of system calls from [[iOS]] 6.0 GM ===
   
'''note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).
 +
'''note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).
  +
  +
A good reference on these can be found at [http://newosxbook.com/index.php?page=Appendix ''Wiley's OS X and iOS Internals'' online appendix]. The joker tool (shown below) can be downloaded from the same site.
   
 
<pre>
  
<pre>
  +
$ joker -u ~/Documents/projects/iOS.6.0.iPod4.kernel
  +
This is an ARM binary. Applying iOS kernel signatures
  +
Entry point is 0x80085084....This appears to be XNU 2107.2.33
  +
Syscall names are @2a70f0
  +
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0
   
  +
Suppressing enosys (0x800b3429) T = Thumb
$ joker -ls unix ~/Documents/projects/iOS.6.0b1.iPod4.kernel
 
  +
1. exit 801d4a74 T
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
  
  +
2. fork 801d7980 T
Sysent offset in file (for patching purposes): 3076288 (0x2ef0c0)
  
  +
3. read 801eb584 T
This appears to be XNU 2107.1.78
  
  +
4. write 801eb958 T
 
syscall 801e9d5c T
 +
5. open 800b13a4 T
exit 801d32dc T
 +
6. close 801ccab4 T
fork 801d61d4 T
 +
7. wait4 801d56bc T
read 801e9d7c T
 +
9. link 800b18e8 T
write 801ea150 T
 +
10. unlink 800b1ff0 T
open 800b12f0 T
 +
12. chdir 800b0c60 T
close 801cb904 T
 +
13. fchdir 800b0af0 T
wait4 801d3f10 T
 +
14. mknod 800b14bc T
8 old creat 801e9d5c T
 +
15. chmod 800b2b40 T
link 800b1804 T
 +
16. chown 800b2c9c T
unlink 800b1f0c T
 +
18. getfsstat 800b088c T
11 old execv 801e9d5c T
 +
20. getpid 801dc20c T
chdir 800b0be0 T
 +
23. setuid 801dc4c0 T
fchdir 800b0a70 T
 +
24. getuid 801dc290 T
mknod 800b13d8 T
 +
25. geteuid 801dc2a0 T
chmod 800b2a5c T
 +
26. ptrace 801e812c T
chown 800b2bb8 T
 +
27. recvmsg 8020a8fc T
17 old break 801e9d5c T
 +
28. sendmsg 8020a444 T
getfsstat 800b080c T
 +
29. recvfrom 8020a528 T
19 old lseek 801e9d5c T
 +
30. accept 80209dfc T
getpid 801daa60 T
 +
31. getpeername 8020abc8 T
21 old mount 801e9d5c T
 +
32. getsockname 8020ab18 T
22 old umount 801e9d5c T
 +
33. access 800b24ac T
setuid 801dad14 T
 +
34. chflags 800b2928 T
getuid 801daae4 T
 +
35. fchflags 800b29f0 T
geteuid 801daaf4 T
 +
36. sync 800b0320 T
ptrace 801e6924 T
 +
37. kill 801dfdcc T
recvmsg 802090f4 T
 +
39. getppid 801dc214 T
sendmsg 80208c3c T
 +
41. dup 801cab04 T
recvfrom 80208d20 T
 +
42. pipe 801edbe4 T
accept 802085f4 T
 +
43. getegid 801dc318 T
getpeername 802093c0 T
 +
46. sigaction 801deee8 T
getsockname 80209310 T
 +
47. getgid 801dc308 T
access 800b23c8 T
 +
48. sigprocmask 801df42c T
chflags 800b2844 T
 +
49. getlogin 801dd0e8 T
fchflags 800b290c T
 +
50. setlogin 801dd160 T
sync 800b02a0 T
 +
51. acct 801c54ec T
kill 801de620 T
 +
52. sigpending 801df5d0 T
38 old stat 801e9d5c T
 +
53. sigaltstack 801dfd10 T
getppid 801daa68 T
 +
54. ioctl 801ebd1c T
40 old lstat 801e9d5c T
 +
55. reboot 801e8090 T
dup 801c9a94 T
 +
56. revoke 800b43f8 T
pipe 801ec3dc T
 +
57. symlink 800b1b58 T
getegid 801dab6c T
 +
58. readlink 800b282c T
profil 801e9d5c T
 +
59. execve 801d4448 T
45 old ktrace 801e9d5c T
 +
60. umask 800b43d0 T
sigaction 801dd73c T
 +
61. chroot 800b0d30 T
getgid 801dab5c T
 +
65. msync 801d84d0 T
sigprocmask 801ddc80 T
 +
66. vfork 801d7018 T
getlogin 801db93c T
 +
73. munmap 801d857c T
setlogin 801db9b4 T
 +
74. mprotect 801d85b0 T
acct 801c447c T
 +
75. madvise 801d8668 T
sigpending 801dde24 T
 +
78. mincore 801d86d4 T
sigaltstack 801de564 T
 +
79. getgroups 801dc328 T
ioctl 801ea514 T
 +
80. setgroups 801dd02c T
reboot 801e6888 T
 +
81. getpgrp 801dc21c T
revoke 800b4320 T
 +
82. setpgid 801dc3c8 T
symlink 800b1a74 T
 +
83. setitimer 801e7b78 T
readlink 800b2748 T
 +
85. swapon 8021be68 T
execve 801d2cb0 T
 +
86. getitimer 801e7a30 T
umask 800b42f8 T
 +
89. getdtablesize 801ca6dc T
chroot 800b0cb0 T
 +
90. dup2 801caf54 T
62 old fstat 801e9d5c T
 +
92. fcntl 801cb420 T
  +
93. select 801ebfc8 T
63 used internally , reserved 801e9d5c T
  
  +
95. fsync 800b3238 T
64 old getpagesize 801e9d5c T
  
  +
134. shutdown 8020aa00 T
87 old gethostname 801e9d5c T
  
  +
135. socketpair 8020a00c T
88 old sethostname 801e9d5c T
  
  +
165. quotactl 800b03bc T
103 old sigreturn 801e9d5c T
  
  +
181. setgid 801dc9a4 T
109 old sigblock 801e9d5c T
  
  +
182. setegid 801dcab0 T
110 old sigsetmask 801e9d5c T
  
  +
184. sigreturn 8021e7e4 T
112 old sigstack 801e9d5c T
  
  +
200. truncate 800b30b4 T
125 old recvfrom 801e9d5c T
  
  +
204. munlock 801d8878 T
129 old truncate 801e9d5c T
  
  +
205. undelete 800b1cf0 T
130 old ftruncate 801e9d5c T
  
  +
222. getdirentriesattr 800b44e0 T
shutdown 802091f8 T
  
utimes 800b2d7c T
 +
227. copyfile 800b32cc T
futimes 800b2f50 T
 +
228. fgetattrlist 80098488 T
adjtime 801e6198 T
 +
229. fsetattrlist 8009b7e0 T
  +
230. poll 801ec72c T
141 old getpeername 801e9d5c T
  
  +
232. waitevent 801ed1f8 T
143 old sethostid 801e9d5c T
  
  +
233. modwatch 801ed368 T
144 old getrlimit 801e9d5c T
  
  +
234. getxattr 800b5550 T
145 old setrlimit 801e9d5c T
  
  +
237. fsetxattr 800b5898 T
148 old setquota 801e9d5c T
  
149 old qquota 801e9d5c T
 +
238. removexattr 800b5994 T
  +
239. fremovexattr 800b5a5c T
150 old getsockname 801e9d5c T
  
setprivexec 801daa48 T
 +
241. flistxattr 800b5c00 T
pread 801e9f6c T
 +
242. fsctl 800b4dd4 T
pwrite 801ea2c8 T
 +
243. initgroups 801dcea8 T
nfssvc 801e9d5c T
 +
244. posix_spawn 801d351c T
  +
245. ffsctl 800b5474 T
156 old getdirentries 801e9d5c T
  
  +
268. sem_open 8020df80 T
160 old async_daemon 801e9d5c T
  
  +
270. sem_unlink 8020e4e0 T
162 old getdomainname 801e9d5c T
  
  +
271. sem_wait 8020e76c T
163 old setdomainname 801e9d5c T
  
164 801e9d5c T
 +
272. sem_trywait 8020e834 T
quotactl 800b033c T
 +
273. sem_post 8020e8d8 T
  +
274. sem_getvalue 8020e97c T
166 old exportfs 801e9d5c T
  
csops 801d9824 T
 +
277. open_extended 800b11d8 T
170 old table 801d9d10 T
 +
278. umask_extended 800b4380 T
171 old wait3 801e9d5c T
 +
279. stat_extended 800b2530 T
172 old rpause 801e9d5c T
 +
280. lstat_extended 800b267c T
waitid 801d4308 T
 +
281. fstat_extended 801ccdd0 T
  +
282. chmod_extended 800b2a30 T
174 old getdents 801e9d5c T
  
  +
283. fchmod_extended 800b2b74 T
175 old gc_control 801e9d5c T
  
  +
284. access_extended 800b21a0 T
add_profil 801e9d5c T
  
setegid 801db304 T
 +
290. getwgroups 801dc380 T
  +
291. mkfifo_extended 800b16f4 T
seteuid 801daf64 T
  
  +
294. shared_region_check_np 8021c3a4 T
chud 8021bcb8 T
  
  +
296. vm_pressure_monitor 8021cb08 T
186 801e9d5c T
  
  +
297. psynch_rw_longrdlock 802159ac T
fdatasync 800b31cc T
  
  +
298. psynch_rw_yieldwrlock 80215c60 T
stat 800b24a4 T
  
  +
299. psynch_rw_downgrade 80215c68 T
fstat 801cbb98 T
  
  +
300. psynch_rw_upgrade 80215c64 T
lstat 800b25f0 T
  
  +
301. psynch_mutexwait 80212bd8 T
pathconf 800b26e4 T
  
  +
302. psynch_mutexdrop 80213b9c T
fpathconf 801cbbf4 T
  
193 801e9d5c T
 +
303. psynch_cvbroad 80213bf0 T
  +
304. psynch_cvsignal 802141c0 T
getrlimit 801dc8c8 T
  
  +
306. psynch_rw_rdlock 80214d7c T
getdirentries 800b3eb0 T
  
  +
307. psynch_rw_wrlock 802159b0 T
mmap 801d6814 T
  
  +
308. psynch_rw_unlock 80215c6c T
198 __syscall 801e9d5c T
  
  +
309. psynch_rw_unlock2 80215f64 T
lseek 800b1f84 T
  
truncate 800b2fd0 T
 +
310. getsid 801dc254 T
  +
311. settid_with_pid 801dcdcc T
ftruncate 800b3090 T
  
  +
312. psynch_cvclrprepost 80214c7c T
__sysctl 801e0ccc T
  
munlock 801d70cc T
 +
314. aio_return 801c60a8 T
undelete 800b1c0c T
 +
315. aio_suspend 801c6330 T
ATsocket 801e9d5c T
 +
316. aio_cancel 801c5a48 T
ATgetmsg 801e9d5c T
 +
317. aio_error 801c5e24 T
ATputmsg 801e9d5c T
 +
318. aio_read 801c6088 T
ATPsndreq 801e9d5c T
 +
319. aio_write 801c6544 T
ATPsndrsp 801e9d5c T
 +
320. lio_listio 801c6564 T
ATPgetreq 801e9d5c T
 +
322. iopolicysys 801de420 T
ATPgetrsp 801e9d5c T
 +
323. process_policy 8021a72c T
  +
324. mlockall 801d88b4 T
213 Reserved for AppleTalk 801e9d5c T
  
  +
329. __pthread_sigmask 801dfaa4 T
statv 801e9d5c T
  
  +
331. __disable_threadsignal 801df720 T
fstatv 801e9d5c T
  
  +
332. __pthread_markcancel 801df73c T
getattrlist 8009afe0 T
  
  +
333. __pthread_canceled 801df784 T
setattrlist 8009b058 T
  
  +
334. __semwait_signal 801df924 T
getdirentriesattr 800b4408 T
  
  +
338. stat64 800b25d4 T
224 old checkuseraccess / fsgetpath ( which moved to 427 ) 801e9d5c T
  
  +
341. stat64_extended 800b2624 T
copyfile 800b31e8 T
  
  +
342. lstat64_extended 800b2770 T
fgetattrlist 80098408 T
  
  +
343. fstat64_extended 801cd00c T
fsetattrlist 8009b760 T
  
  +
344. getdirentries64 800b4340 T
poll 801eaf24 T
  
modwatch 801ebb60 T
 +
347. getfsstat64 800b0a38 T
  +
348. __pthread_chdir 800b0d28 T
getxattr 800b5478 T
  
  +
349. __pthread_fchdir 800b0c58 T
fgetxattr 800b55b4 T
  
fsetxattr 800b57c0 T
 +
351. auditon 801c1a78 T
removexattr 800b58bc T
 +
353. getauid 801c1a7c T
fremovexattr 800b5984 T
 +
354. setauid 801c1a80 T
listxattr 800b5a44 T
 +
357. getaudit_addr 801c1a84 T
flistxattr 800b5b28 T
 +
358. setaudit_addr 801c1a88 T
fsctl 800b4cfc T
 +
359. auditctl 801c1a8c T
  +
360. bsdthread_create 80216ab8 T
initgroups 801db6fc T
  
  +
361. bsdthread_terminate 80216d30 T
posix_spawn 801d1d74 T
  
  +
366. bsdthread_register 80216d94 T
249 801e9d5c T
  
  +
368. workq_kernreturn 80217e50 T
semsys 801e9d5c T
  
  +
370. __old_semwait_signal 801df7f8 T
shmsys 801e9d5c T
  
  +
371. __old_semwait_signal_nocancel 801df82c T
semctl 801e9d5c T
  
semget 801e9d5c T
 +
372. thread_selfid 80218354 T
semop 801e9d5c T
 +
373. ledger 801ed70c T
257 801e9d5c T
 +
380. __mac_execve 801d4468 T
msgctl 801e9d5c T
 +
381. __mac_syscall 8027d0a8 T
msgget 801e9d5c T
 +
382. __mac_get_file 8027cd50 T
msgsnd 801e9d5c T
 +
383. __mac_set_file 8027cf98 T
msgrcv 801e9d5c T
 +
384. __mac_get_link 8027ce74 T
shmat 801e9d5c T
 +
385. __mac_set_link 8027d098 T
shmctl 801e9d5c T
 +
386. __mac_get_proc 8027c844 T
shmdt 801e9d5c T
 +
387. __mac_set_proc 8027c904 T
shmget 801e9d5c T
 +
388. __mac_get_fd 8027cbfc T
shm_open 8020d2c0 T
 +
389. __mac_set_fd 8027ce84 T
shm_unlink 8020dda0 T
 +
390. __mac_get_pid 8027c778 T
sem_open 8020c718 T
 +
391. __mac_get_lcid 8027c9b8 T
sem_close 8020ceb0 T
 +
392. __mac_get_lctx 8027ca7c T
sem_unlink 8020cc78 T
 +
393. __mac_set_lctx 8027cb38 T
sem_wait 8020cf08 T
 +
394. setlcid 801dd228 T
sem_trywait 8020cfd0 T
 +
395. getlcid 801dd310 T
sem_post 8020d074 T
 +
396. read_nocancel 801eb5a4 T
sem_getvalue 8020d118 T
 +
397. write_nocancel 801eb978 T
sem_init 8020d110 T
 +
398. open_nocancel 800b1434 T
sem_destroy 8020d114 T
 +
399. close_nocancel 801ccad0 T
open_extended 800b1144 T
 +
400. wait4_nocancel 801d56dc T
  +
401. recvmsg_nocancel 8020a91c T
umask_extended 800b42a8 T
  
  +
402. sendmsg_nocancel 8020a464 T
stat_extended 800b244c T
  
  +
403. recvfrom_nocancel 8020a548 T
lstat_extended 800b2598 T
  
  +
404. accept_nocancel 80209b1c T
fstat_extended 801cb97c T
  
  +
405. msync_nocancel 801d84e8 T
chmod_extended 800b294c T
  
  +
406. fcntl_nocancel 801cb440 T
fchmod_extended 800b2a90 T
  
  +
407. select_nocancel 801ebfe4 T
access_extended 800b20bc T
  
  +
409. connect_nocancel 80209e34 T
gettid 801dab04 T
  
  +
410. sigsuspend_nocancel 801df6b4 T
setsgroups 801db890 T
  
  +
412. writev_nocancel 801ebbd0 T
setwgroups 801db894 T
  
  +
413. sendto_nocancel 8020a188 T
getwgroups 801dabd4 T
  
  +
414. pread_nocancel 801eb794 T
mkfifo_extended 800b1610 T
  
  +
415. pwrite_nocancel 801ebaf0 T
mkdir_extended 800b3a4c T
  
  +
416. waitid_nocancel 801d5ad0 T
identitysvc 801e9d5c T
  
  +
417. poll_nocancel 801ec74c T
shared_region_check_np 8021ab68 T
  
  +
420. sem_wait_nocancel 8020e788 T
shared_region_map_np 801e9d5c T
  
  +
421. aio_suspend_nocancel 801c6350 T
vm_pressure_monitor 8021b2cc T
  
  +
422. __sigwait_nocancel 801dfb8c T
psynch_rw_longrdlock 8021415c T
  
  +
423. __semwait_signal_nocancel 801df958 T
psynch_rw_yieldwrlock 80214408 T
  
  +
424. __mac_mount 800af08c T
psynch_rw_downgrade 80214410 T
  
  +
425. __mac_get_mount 8027d2a0 T
psynch_rw_upgrade 8021440c T
  
  +
426. __mac_getfsstat 800b08b0 T
psynch_mutexwait 80211374 T
  
  +
427. fsgetpath 800b5ce4 T
psynch_mutexdrop 80212338 T
  
  +
428. audit_session_self 801c1a68 T
psynch_cvbroad 8021238c T
  
  +
429. audit_session_join 801c1a6c T
psynch_cvsignal 80212970 T
  
  +
430. fileport_makeport 801ce2f0 T
psynch_cvwait 80212df8 T
  
  +
431. fileport_makefd 801ce494 T
psynch_rw_rdlock 80213530 T
  
  +
432. audit_session_port 801c1a70 T
psynch_rw_wrlock 80214160 T
  
  +
433. pid_suspend 8021c180 T
psynch_rw_unlock 80214414 T
  
  +
434. pid_resume 8021c1f0 T
psynch_rw_unlock2 8021470c T
  
  +
436. pid_shutdown_sockets 8021c2c0 T
settid_with_pid 801db620 T
  
  +
438. shared_region_map_and_slide_np 8021c954 T
312 old __pthread_cond_timedwait 80213430 T
  
  +
439. kas_info 8021cb50 T ; Provides ASLR information to user space
aio_fsync 801c4e60 T
  
  +
; (intentionally crippled in iOS, works in ML)
aio_return 801c5038 T
  
  +
440. memorystatus_control 801e62a0 T ;; Controls JetSam - supersedes old sysctl interface
aio_suspend 801c52c0 T
  
  +
441. guarded_open_np 801cead0 T
aio_cancel 801c49d8 T
  
  +
442. guarded_close_np 801cebdc T
aio_error 801c4db4 T
  
msync 801d6d24 T
 +
96. setpriority 801dd494 T
vfork 801d586c T
 +
97. socket 802098a4 T
67 old vread 801e9d5c T
 +
98. connect 80209e1c T
68 old vwrite 801e9d5c T
 +
100. getpriority 801dd388 T
69 old sbrk 801e9d5c T
 +
104. bind 80209970 T
70 old sstk 801e9d5c T
 +
105. setsockopt 8020aa30 T
71 old mmap 801e9d5c T
 +
106. listen 80209adc T
72 old vadvise 801e9d5c T
 +
111. sigsuspend 801df5f8 T
munmap 801d6dd0 T
 +
116. gettimeofday 801e7840 T
mprotect 801d6e04 T
 +
117. getrusage 801de22c T
madvise 801d6ebc T
 +
118. getsockopt 8020aa94 T
76 old vhangup 801e9d5c T
 +
120. readv 801eb810 T
77 old vlimit 801e9d5c T
 +
121. writev 801ebbb0 T
mincore 801d6f28 T
 +
122. settimeofday 801e789c T
getgroups 801dab7c T
 +
123. fchown 800b2dac T
setgroups 801db880 T
 +
124. fchmod 800b2c70 T
getpgrp 801daa70 T
 +
126. setreuid 801dc80c T
setpgid 801dac1c T
 +
127. setregid 801dcba0 T
setitimer 801e6370 T
 +
128. rename 800b3428 T
84 old wait 801e9d5c T
 +
131. flock 801ce20c T
swapon 8021a638 T
 +
132. mkfifo 800b1798 T
getitimer 801e6228 T
 +
133. sendto 8020a168 T
getdtablesize 801c966c T
 +
136. mkdir 800b3d1c T
dup2 801c9ec0 T
 +
137. rmdir 800b3d5c T
91 old getdopt 801e9d5c T
 +
138. utimes 800b2e60 T
fcntl 801ca2d8 T
 +
139. futimes 800b3034 T
select 801ea7c0 T
 +
140. adjtime 801e79a0 T
94 old setdopt 801e9d5c T
 +
142. gethostuuid 801ed6a4 T
fsync 800b3154 T
 +
147. setsid 801dc384 T
setpriority 801dbce8 T
 +
151. getpgid 801dc224 T
socket 8020809c T
 +
152. setprivexec 801dc1f4 T
connect 80208614 T
 +
153. pread 801eb774 T
99 old accept 801e9d5c T
 +
154. pwrite 801ebad0 T
getpriority 801dbbdc T
 +
157. statfs 800b03c0 T
101 old send 801e9d5c T
 +
158. fstatfs 800b0678 T
102 old recv 801e9d5c T
 +
159. unmount 800afe88 T
bind 80208168 T
 +
167. mount 800af068 T
setsockopt 80209228 T
 +
169. csops 801dafd0 T
listen 802082d4 T
 +
170. 170 old table 801db4bc T
107 old vtimes 801e9d5c T
 +
173. waitid 801d5ab4 T
108 old sigvec 801e9d5c T
 +
180. kdebug_trace 801c2db4 T
sigsuspend 801dde4c T
 +
183. seteuid 801dc710 T
113 old recvmsg 801e9d5c T
 +
185. chud 8021d4f4 T
114 old sendmsg 801e9d5c T
 +
187. fdatasync 800b32b0 T
115 old vtrace 801e9d5c T
 +
188. stat 800b2588 T
gettimeofday 801e6038 T
 +
189. fstat 801ccfec T
getrusage 801dca80 T
 +
190. lstat 800b26d4 T
getsockopt 8020928c T
 +
191. pathconf 800b27c8 T
119 old resuba 801e9d5c T
 +
192. fpathconf 801cd048 T
readv 801ea008 T
 +
194. getrlimit 801de074 T
writev 801ea3a8 T
 +
195. setrlimit 801dd93c T
settimeofday 801e6094 T
 +
196. getdirentries 800b3f94 T
fchown 800b2cc8 T
 +
197. mmap 801d7fc0 T
fchmod 800b2b8c T
 +
199. lseek 800b2068 T
setreuid 801db060 T
 +
201. ftruncate 800b3174 T
setregid 801db3f4 T
 +
202. __sysctl 801e2478 T
rename 800b3344 T
 +
203. mlock 801d8820 T
flock 801cce8c T
 +
216. mkcomplex 800b12c4 T
mkfifo 800b16b4 T
 +
220. getattrlist 8009b060 T
sendto 80208960 T
 +
221. setattrlist 8009b0d8 T
socketpair 80208804 T
 +
223. exchangedata 800b469c T
mkdir 800b3c38 T
 +
225. searchfs 800b48dc T
rmdir 800b3c78 T
 +
226. delete 800b202c T
gethostuuid 801ebe9c T
 +
231. watchevent 801ed054 T
146 old killpg 801e9d5c T
 +
235. fgetxattr 800b568c T
setsid 801dabd8 T
 +
236. setxattr 800b578c T
getpgid 801daa78 T
 +
240. listxattr 800b5b1c T
statfs 800b0340 T
 +
250. minherit 801d8630 T
fstatfs 800b05f8 T
 +
266. shm_open 8020eb24 T
unmount 800afe08 T
 +
267. shm_unlink 8020f604 T
getfh 801e9d5c T
 +
269. sem_close 8020e718 T
mount 800aefe8 T
 +
275. sem_init 8020e974 T
168 old ustat 801e9d5c T
 +
276. sem_destroy 8020e978 T
177 801e9d5c T
 +
285. settid 801dcd2c T
178 801e9d5c T
 +
286. gettid 801dc2b0 T
179 801e9d5c T
 +
287. setsgroups 801dd03c T
kdebug_trace 801c1d58 T
 +
288. getsgroups 801dc37c T
setgid 801db1f8 T
 +
289. setwgroups 801dd040 T
sigreturn 8021cfa8 T
 +
292. mkdir_extended 800b3b30 T
setrlimit 801dc190 T
 +
305. psynch_cvwait 80214648 T
mlock 801d7074 T
 +
313. aio_fsync 801c5ed0 T
214 801e9d5c T
 +
325. munlockall 801d88b8 T
215 801e9d5c T
 +
327. issetugid 801dc4b0 T
mkcomplex 800b1224 T
 +
328. __pthread_kill 801dfa44 T
lstatv 801e9d5c T
 +
330. __sigwait 801dfb54 T
exchangedata 800b45c4 T
 +
336. proc_info 80218618 T
searchfs 800b4804 T
 +
339. fstat64 801cd028 T
delete 800b1f48 T
 +
340. lstat64 800b2720 T
watchevent 801eb84c T
 +
345. statfs64 800b06e0 T
waitevent 801eb9f0 T
 +
346. fstatfs64 800b0828 T
setxattr 800b56b4 T
 +
350. audit 801c1a74 T
ffsctl 800b539c T
 +
362. kqueue 801cf594 T
246 801e9d5c T
 +
363. kevent 801cf614 T
nfsclnt 801e9d5c T
 +
364. lchown 800b2d94 T
fhopen 801e9d5c T
 +
365. stack_snapshot 801c520c T
minherit 801d6e84 T
 +
367. workq_open 802179e8 T
msgsys 801e9d5c T
 +
369. kevent64 801cf8ac T
settid 801db580 T
 +
408. fsync_nocancel 800b32a8 T
getsgroups 801dabd0 T
 +
411. readv_nocancel 801eb830 T
getsid 801daaa8 T
 +
435. pid_hibernate 8021c268 T
aio_read 801c5018 T
  
aio_write 801c54d4 T
  
lio_listio 801c54f4 T
  
321 old __pthread_cond_wait 801e9d5c T
  
iopolicysys 801dcc74 T
  
323 80218edc T
  
mlockall 801d7108 T
  
munlockall 801d710c T
  
326 801e9d5c T
  
issetugid 801dad04 T
  
__pthread_kill 801de298 T
  
__pthread_sigmask 801de2f8 T
  
__sigwait 801de3a8 T
  
__disable_threadsignal 801ddf74 T
  
__pthread_markcancel 801ddf90 T
  
__pthread_canceled 801ddfd8 T
  
__semwait_signal 801de178 T
  
335 old utrace 801e9d5c T
  
proc_info 80216dc0 T
  
sendfile 801e9d5c T
  
stat64 800b24f0 T
  
fstat64 801cbbd4 T
  
lstat64 800b263c T
  
stat64_extended 800b2540 T
  
lstat64_extended 800b268c T
  
fstat64_extended 801cbbb8 T
  
getdirentries64 800b4268 T
  
statfs64 800b0660 T
  
fstatfs64 800b07a8 T
  
getfsstat64 800b09b8 T
  
__pthread_chdir 800b0ca8 T
  
__pthread_fchdir 800b0bd8 T
  
audit 801c0a18 T
  
auditon 801c0a1c T
  
352 801e9d5c T
  
getauid 801c0a20 T
  
setauid 801c0a24 T
  
getaudit 801e9d5c T
  
setaudit 801e9d5c T
  
getaudit_addr 801c0a28 T
  
setaudit_addr 801c0a2c T
  
auditctl 801c0a30 T
  
bsdthread_create 80215260 T
  
bsdthread_terminate 802154d8 T
  
kqueue 801cddec T
  
kevent 801cde6c T
  
lchown 800b2cb0 T
  
stack_snapshot 801c41a0 T
  
bsdthread_register 8021553c T
  
workq_open 80216190 T
  
workq_kernreturn 802165f8 T
  
kevent64 801ce104 T
  
__old_semwait_signal 801de04c T
  
__old_semwait_signal_nocancel 801de080 T
  
thread_selfid 80216afc T
  
ledger 801ebf04 T
  
374 801e9d5c T
  
375 801e9d5c T
  
376 801e9d5c T
  
377 801e9d5c T
  
378 801e9d5c T
  
379 801e9d5c T
  
__mac_execve 801d2cd0 T
  
__mac_syscall 8027b874 T
  
__mac_get_file 8027b51c T
  
__mac_set_file 8027b764 T
  
__mac_get_link 8027b640 T
  
__mac_set_link 8027b864 T
  
__mac_get_proc 8027b010 T
  
__mac_set_proc 8027b0d0 T
  
__mac_get_fd 8027b3c8 T
  
__mac_set_fd 8027b650 T
  
__mac_get_pid 8027af44 T
  
__mac_get_lcid 8027b184 T
  
__mac_get_lctx 8027b248 T
  
__mac_set_lctx 8027b304 T
  
setlcid 801dba7c T
  
getlcid 801dbb64 T
  
read_nocancel 801e9d9c T
  
write_nocancel 801ea170 T
  
open_nocancel 800b1368 T
  
close_nocancel 801cb920 T
  
wait4_nocancel 801d3f30 T
  
recvmsg_nocancel 80209114 T
  
sendmsg_nocancel 80208c5c T
  
recvfrom_nocancel 80208d40 T
  
accept_nocancel 80208314 T
  
msync_nocancel 801d6d3c T
  
fcntl_nocancel 801ca2f8 T
  
select_nocancel 801ea7dc T
  
fsync_nocancel 800b31c4 T
  
connect_nocancel 8020862c T
  
select_nocancel 801ea7dc T
  
fsync_nocancel 800b31c4 T
  
connect_nocancel 8020862c T
  
sigsuspend_nocancel 801ddf08 T
  
readv_nocancel 801ea028 T
  
writev_nocancel 801ea3c8 T
  
sendto_nocancel 80208980 T
  
pread_nocancel 801e9f8c T
  
pwrite_nocancel 801ea2e8 T
  
waitid_nocancel 801d4324 T
  
poll_nocancel 801eaf44 T
  
msgsnd_nocancel 801e9d5c T
  
msgrcv_nocancel 801e9d5c T
  
sem_wait_nocancel 8020cf24 T
  
aio_suspend_nocancel 801c52e0 T
  
__sigwait_nocancel 801de3e0 T
  
__semwait_signal_nocancel 801de1ac T
  
__mac_mount 800af00c T
  
__mac_get_mount 8027ba6c T
  
__mac_getfsstat 800b0830 T
  
fsgetpath 800b5c0c T
  
audit_session_self 801c0a0c T
  
audit_session_join 801c0a10 T
  
fileport_makeport 801ccf70 T
  
fileport_makefd 801cd0f4 T
  
audit_session_port 801c0a14 T
  
pid_suspend 8021a950 T
  
pid_resume 8021a9c0 T
  
pid_hibernate 8021aa2c T
  
pid_shutdown_sockets 8021aa84 T
  
437 old shared_region_slide_np 801e9d5c T
  
shared_region_map_and_slide_np 8021b118 T
  
 
   
 
</pre>
  
</pre>
Line 529: Line 414:
   
 
== mach_trap_table ==
  
== mach_trap_table ==
In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS. All the traps are ARM Thumb. The fsysent binary can be used to find the Mach trap table, as well.
 +
In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS. All the traps are ARM Thumb. The joker binary can be used to find the Mach trap table, as well. The following shows iOS 6.0.b1's table:
   
 
<pre>
  
<pre>
  +
$ ./joker -ls mach kernel.iPod4.iOS6.0b1
$ ./fsysent -m ~/Documents/projects/iOS.5.1.iPod4.kernel
 
 
This is an ARM binary. Applying iOS kernel signatures
  
This is an ARM binary. Applying iOS kernel signatures
mach_trap_table offset in file (for patching purposes): 2855556 (0x2b9284)
 +
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
Kern invalid detected at 0x80025f50 (+1). Ignoring those.
 +
Kern invalid should be 0x80027ec1. Ignoring those
..This appears to be XNU 1878.11.8
 +
..This appears to be XNU 2107.1.78
  +
10 _kernelrpc_mach_vm_allocate_trap 80014460 T
// -- New in iOS 5 (and expect these in Mountain Lion)
  
  +
12 _kernelrpc_mach_vm_deallocate_trap 800144cc T
10 _kernelrpc_mach_vm_allocate_trap 800132ac T
  
  +
16 _kernelrpc_mach_port_allocate_trap 80014564 T
12 _kernelrpc_mach_vm_deallocate_trap 800133b4 T
  
  +
18 _kernelrpc_mach_port_deallocate_trap 800145f0 T
14 _kernelrpc_mach_vm_protect_trap 8001343c T
  
  +
19 _kernelrpc_mach_port_mod_refs_trap 8001462c T
15 _kernelrpc_vm_protect_trap 800133f8 T
  
  +
20 _kernelrpc_mach_port_move_member_trap 8001466c T
16 _kernelrpc_mach_port_allocate_trap 80013494 T
  
  +
21 _kernelrpc_mach_port_insert_right_trap 800146b0 T
17 _kernelrpc_mach_port_destroy_trap 800134e4 T
  
  +
22 _kernelrpc_mach_port_insert_member_trap 80014710 T
18 _kernelrpc_mach_port_deallocate_trap 80013520 T
  
  +
23 _kernelrpc_mach_port_extract_member_trap 80014754 T
19 _kernelrpc_mach_port_mod_refs_trap 8001355c T
  
  +
26 mach_reply_port 8001b5b4 T
20 _kernelrpc_mach_port_move_member_trap 8001359c T
  
  +
27 thread_self_trap 8001b598 T
21 _kernelrpc_mach_port_insert_right_trap 800135e0 T
  
  +
28 task_self_trap 8001b578 T
22 _kernelrpc_mach_port_insert_member_trap 8001363c T
  
  +
29 host_self_trap 80019910 T
23 _kernelrpc_mach_port_extract_member_trap 80013680 T
  
  +
31 mach_msg_trap 80014ec0 T
// -----------------------------------------
  
27 thread_self_trap 80019890 T
 +
33 semaphore_signal_trap 80027188 T
28 task_self_trap 80019870 T
 +
34 semaphore_signal_all_trap 8002720c T
29 host_self_trap 80017db8 T
 +
35 semaphore_signal_thread_trap 80027114 T
31 mach_msg_trap 80013c1c T
 +
36 semaphore_wait_trap 800274b0 T
32 mach_msg_overwrite_trap 80013ae4 T
 +
37 semaphore_wait_signal_trap 80027658 T
33 semaphore_signal_trap 800252d4 T
 +
38 semaphore_timedwait_trap 80027598 T
34 semaphore_signal_all_trap 80025354 T
 +
39 semaphore_timedwait_signal_trap 8002773c T
35 semaphore_signal_thread_trap 80025260 T
 +
44 task_name_for_pid 8021a838 T
36 semaphore_wait_trap 800255e8 T
 +
45 task_for_pid 8021a688 T
37 semaphore_wait_signal_trap 8002578c T
 +
46 pid_for_task 8021a63c T
38 semaphore_timedwait_trap 800256c8 T
 +
48 macx_swapon 8021b414 T
  +
49 macx_swapoff 8021b668 T
39 semaphore_timedwait_signal_trap 8002586c T
  
11 _kernelrpc_vm_allocate_trap 80013318 T
 +
14 _kernelrpc_mach_vm_protect_trap 80014510 T
13 _kernelrpc_vm_deallocate_trap 80013374 T
 +
17 _kernelrpc_mach_port_destroy_trap 800145b4 T
26 mach_reply_port 800198ac T
 +
32 mach_msg_overwrite_trap 80014d20 T
44 task_name_for_pid 801e0734 T
 +
51 macx_triggers 8021b3f4 T
45 task_for_pid 801e0598 T
 +
52 macx_backing_store_suspend 8021b370 T
46 pid_for_task 801e054c T
 +
53 macx_backing_store_recovery 8021b318 T
48 macx_swapon 801e127c T
 +
58 pfz_exit 80027818 T
49 macx_swapoff 801e14cc T
 +
59 swtch_pri 800278e4 T
51 macx_triggers 801e1260 T
 +
60 swtch 8002781c T
52 macx_backing_store_suspend 801e11f0 T
 +
61 thread_switch 80027ad4 T
53 macx_backing_store_recovery 801e1198 T
 +
62 clock_sleep_trap 80017520 T
58 pfz_exit 80025944 T
 +
89 mach_timebase_info_trap 80016658 T
59 swtch_pri 800259f4 T
 +
90 mach_wait_until_trap 80016d20 T
60 swtch 80025948 T
 +
91 mk_timer_create_trap 8001f2f4 T
61 thread_switch 80025bb8 T
 +
92 mk_timer_destroy_trap 8001f500 T
62 clock_sleep_trap 800160f0 T
 +
93 mk_timer_arm_trap 8001f544 T
89 mach_timebase_info_trap 80015318 T
 +
94 mk_timer_cancel_trap 8001f5c8 T
90 mach_wait_until_trap 80015934 T
 +
100 iokit_user_client_trap 8026c11c T
91 mk_timer_create_trap 8001d238 T
  
92 mk_timer_destroy_trap 8001d428 T
  
93 mk_timer_arm_trap 8001d46c T
  
94 mk_timer_cancel_trap 8001d4f0 T
  
100 iokit_user_client_trap (probably) 80234aa0 T
  
   
 
</pre>
  
</pre>
  +
  +
== References ==
  +
* [http://newosxbook.com/index.php?page=Appendix ''Wiley's OS X and iOS Internals'' online appendix]

Latest revision as of 21:48, 2 February 2018

Note on these

Args go in their normal registers, like arg1 in R0/X0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12/X16.

As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).

Unix

Usage

MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12 on arm32 and x16 on arm64
SVC 0x80   // Formerly, SWI (software interrupt)

For example, arm32: 


(gdb) disass chown
0x30d2ad54 <chown>:	mov	r12, #16	       ; 0x10, being # of chown
0x30d2ad58 <chown+4>:	svc	0x00000080

And arm64: 

libsystem_kernel.dylib`chown:
    0x1866c6084 <+0>:  mov    x16, #0x10
    0x1866c6088 <+4>:  svc    #0x80

Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)


sysent

The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the exported kdebug symbol, this is unreliable, as the symbol is no longer exported. A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h: 


struct sysent {         /* system call table */
        int16_t         sy_narg;        /* number of args */
        int8_t          sy_resv;        /* reserved  */
        int8_t          sy_flags;       /* flags */
        sy_call_t       *sy_call;       /* implementing function */
        sy_munge_t      *sy_arg_munge32; /* system call arguments munger for 32-bit process */
        sy_munge_t      *sy_arg_munge64; /* system call arguments munger for 64-bit process */
        int32_t         sy_return_type; /* system call return types */
        uint16_t        sy_arg_bytes;   /* Total size of arguments in bytes for
                                         * 32-bit system calls
                                         */
};

Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 6.0b1:

List of system calls from iOS 6.0 GM

note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).

A good reference on these can be found at Wiley's OS X and iOS Internals online appendix. The joker tool (shown below) can be downloaded from the same site. 

$ joker -u ~/Documents/projects/iOS.6.0.iPod4.kernel 
This is an ARM binary. Applying iOS kernel signatures
Entry point is 0x80085084....This appears to be XNU 2107.2.33
Syscall names are @2a70f0
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0

Suppressing enosys (0x800b3429)  T = Thumb
1. exit                  801d4a74 T
2. fork                  801d7980 T
3. read                  801eb584 T
4. write                 801eb958 T
5. open                  800b13a4 T
6. close                 801ccab4 T
7. wait4                 801d56bc T
9. link                  800b18e8 T
10. unlink               800b1ff0 T
12. chdir                800b0c60 T
13. fchdir               800b0af0 T
14. mknod                800b14bc T
15. chmod                800b2b40 T
16. chown                800b2c9c T
18. getfsstat            800b088c T
20. getpid               801dc20c T
23. setuid               801dc4c0 T
24. getuid               801dc290 T
25. geteuid              801dc2a0 T
26. ptrace               801e812c T
27. recvmsg              8020a8fc T
28. sendmsg              8020a444 T
29. recvfrom             8020a528 T
30. accept               80209dfc T
31. getpeername          8020abc8 T
32. getsockname          8020ab18 T
33. access               800b24ac T
34. chflags              800b2928 T
35. fchflags             800b29f0 T
36. sync                 800b0320 T
37. kill                 801dfdcc T
39. getppid              801dc214 T
41. dup                  801cab04 T
42. pipe                 801edbe4 T
43. getegid              801dc318 T
46. sigaction            801deee8 T
47. getgid               801dc308 T
48. sigprocmask          801df42c T
49. getlogin             801dd0e8 T
50. setlogin             801dd160 T
51. acct                 801c54ec T
52. sigpending           801df5d0 T
53. sigaltstack          801dfd10 T
54. ioctl                801ebd1c T
55. reboot               801e8090 T
56. revoke               800b43f8 T
57. symlink              800b1b58 T
58. readlink             800b282c T
59. execve               801d4448 T
60. umask                800b43d0 T
61. chroot               800b0d30 T
65. msync                801d84d0 T
66. vfork                801d7018 T
73. munmap               801d857c T
74. mprotect             801d85b0 T
75. madvise              801d8668 T
78. mincore              801d86d4 T
79. getgroups            801dc328 T
80. setgroups            801dd02c T
81. getpgrp              801dc21c T
82. setpgid              801dc3c8 T
83. setitimer            801e7b78 T
85. swapon               8021be68 T
86. getitimer            801e7a30 T
89. getdtablesize        801ca6dc T
90. dup2                 801caf54 T
92. fcntl                801cb420 T
93. select               801ebfc8 T
95. fsync                800b3238 T
96. setpriority          801dd494 T
97. socket               802098a4 T
98. connect              80209e1c T
100. getpriority          801dd388 T
104. bind                 80209970 T
105. setsockopt           8020aa30 T
106. listen               80209adc T
 111. sigsuspend           801df5f8 T
116. gettimeofday         801e7840 T
117. getrusage            801de22c T
118. getsockopt           8020aa94 T
120. readv                801eb810 T
121. writev               801ebbb0 T
122. settimeofday         801e789c T
123. fchown               800b2dac T
124. fchmod               800b2c70 T
126. setreuid             801dc80c T
127. setregid             801dcba0 T
128. rename               800b3428 T
131. flock                801ce20c T
132. mkfifo               800b1798 T
133. sendto               8020a168 T
134. shutdown             8020aa00 T
135. socketpair           8020a00c T
136. mkdir                800b3d1c T
137. rmdir                800b3d5c T
138. utimes               800b2e60 T
139. futimes              800b3034 T
140. adjtime              801e79a0 T
142. gethostuuid          801ed6a4 T
147. setsid               801dc384 T
151. getpgid              801dc224 T
152. setprivexec          801dc1f4 T
153. pread                801eb774 T
154. pwrite               801ebad0 T
157. statfs               800b03c0 T
158. fstatfs              800b0678 T
159. unmount              800afe88 T
165. quotactl             800b03bc T
167. mount                800af068 T
169. csops                801dafd0 T
170. 170  old table       801db4bc T
173. waitid               801d5ab4 T
180. kdebug_trace         801c2db4 T
181. setgid               801dc9a4 T
182. setegid              801dcab0 T
183. seteuid              801dc710 T
184. sigreturn            8021e7e4 T
185. chud                 8021d4f4 T
187. fdatasync            800b32b0 T
188. stat                 800b2588 T
189. fstat                801ccfec T
190. lstat                800b26d4 T
191. pathconf             800b27c8 T
192. fpathconf            801cd048 T
194. getrlimit            801de074 T
195. setrlimit            801dd93c T
196. getdirentries        800b3f94 T
197. mmap                 801d7fc0 T
199. lseek                800b2068 T
200. truncate             800b30b4 T
201. ftruncate            800b3174 T
202. __sysctl             801e2478 T
203. mlock                801d8820 T
204. munlock              801d8878 T
205. undelete             800b1cf0 T
216. mkcomplex            800b12c4 T
220. getattrlist          8009b060 T
221. setattrlist          8009b0d8 T
222. getdirentriesattr    800b44e0 T
223. exchangedata         800b469c T
225. searchfs             800b48dc T
226. delete               800b202c T
227. copyfile             800b32cc T
228. fgetattrlist         80098488 T
229. fsetattrlist         8009b7e0 T
230. poll                 801ec72c T
231. watchevent           801ed054 T
232. waitevent            801ed1f8 T
233. modwatch             801ed368 T
234. getxattr             800b5550 T
235. fgetxattr            800b568c T
236. setxattr             800b578c T
237. fsetxattr            800b5898 T
238. removexattr          800b5994 T
239. fremovexattr         800b5a5c T
240. listxattr            800b5b1c T
241. flistxattr           800b5c00 T
242. fsctl                800b4dd4 T
243. initgroups           801dcea8 T
244. posix_spawn          801d351c T
245. ffsctl               800b5474 T
250. minherit             801d8630 T
266. shm_open             8020eb24 T
267. shm_unlink           8020f604 T
268. sem_open             8020df80 T
269. sem_close            8020e718 T
270. sem_unlink           8020e4e0 T
271. sem_wait             8020e76c T
272. sem_trywait          8020e834 T
273. sem_post             8020e8d8 T
274. sem_getvalue         8020e97c T
275. sem_init             8020e974 T
276. sem_destroy          8020e978 T
277. open_extended        800b11d8 T
278. umask_extended       800b4380 T
279. stat_extended        800b2530 T
280. lstat_extended       800b267c T
281. fstat_extended       801ccdd0 T
282. chmod_extended       800b2a30 T
283. fchmod_extended      800b2b74 T
284. access_extended      800b21a0 T
285. settid               801dcd2c T
286. gettid               801dc2b0 T
287. setsgroups           801dd03c T
288. getsgroups           801dc37c T
289. setwgroups           801dd040 T
290. getwgroups           801dc380 T
291. mkfifo_extended      800b16f4 T
292. mkdir_extended       800b3b30 T
294. shared_region_check_np 8021c3a4 T
296. vm_pressure_monitor  8021cb08 T
297. psynch_rw_longrdlock 802159ac T
298. psynch_rw_yieldwrlock 80215c60 T
299. psynch_rw_downgrade  80215c68 T
300. psynch_rw_upgrade    80215c64 T
301. psynch_mutexwait     80212bd8 T
302. psynch_mutexdrop     80213b9c T
303. psynch_cvbroad       80213bf0 T
304. psynch_cvsignal      802141c0 T
305. psynch_cvwait        80214648 T
306. psynch_rw_rdlock     80214d7c T
307. psynch_rw_wrlock     802159b0 T
308. psynch_rw_unlock     80215c6c T
309. psynch_rw_unlock2    80215f64 T
310. getsid               801dc254 T
311. settid_with_pid      801dcdcc T
312. psynch_cvclrprepost  80214c7c T
313. aio_fsync            801c5ed0 T
314. aio_return           801c60a8 T
315. aio_suspend          801c6330 T
316. aio_cancel           801c5a48 T
317. aio_error            801c5e24 T
318. aio_read             801c6088 T
319. aio_write            801c6544 T
320. lio_listio           801c6564 T
322. iopolicysys          801de420 T
323. process_policy       8021a72c T
324. mlockall             801d88b4 T
325. munlockall           801d88b8 T
327. issetugid            801dc4b0 T
328. __pthread_kill       801dfa44 T
329. __pthread_sigmask    801dfaa4 T
330. __sigwait            801dfb54 T
331. __disable_threadsignal 801df720 T
332. __pthread_markcancel 801df73c T
333. __pthread_canceled   801df784 T
334. __semwait_signal     801df924 T
336. proc_info            80218618 T
338. stat64               800b25d4 T
339. fstat64              801cd028 T
340. lstat64              800b2720 T
341. stat64_extended      800b2624 T
342. lstat64_extended     800b2770 T
343. fstat64_extended     801cd00c T
344. getdirentries64      800b4340 T
345. statfs64             800b06e0 T
346. fstatfs64            800b0828 T
347. getfsstat64          800b0a38 T
348. __pthread_chdir      800b0d28 T
349. __pthread_fchdir     800b0c58 T
350. audit                801c1a74 T
351. auditon              801c1a78 T
353. getauid              801c1a7c T
354. setauid              801c1a80 T
357. getaudit_addr        801c1a84 T
358. setaudit_addr        801c1a88 T
359. auditctl             801c1a8c T
360. bsdthread_create     80216ab8 T
361. bsdthread_terminate  80216d30 T
362. kqueue               801cf594 T
363. kevent               801cf614 T
364. lchown               800b2d94 T
365. stack_snapshot       801c520c T
366. bsdthread_register   80216d94 T
367. workq_open           802179e8 T
368. workq_kernreturn     80217e50 T
369. kevent64             801cf8ac T
370. __old_semwait_signal 801df7f8 T
371. __old_semwait_signal_nocancel 801df82c T
372. thread_selfid        80218354 T
373. ledger               801ed70c T
380. __mac_execve         801d4468 T
381. __mac_syscall        8027d0a8 T
382. __mac_get_file       8027cd50 T
383. __mac_set_file       8027cf98 T
384. __mac_get_link       8027ce74 T
385. __mac_set_link       8027d098 T
386. __mac_get_proc       8027c844 T
387. __mac_set_proc       8027c904 T
388. __mac_get_fd         8027cbfc T
389. __mac_set_fd         8027ce84 T
390. __mac_get_pid        8027c778 T
391. __mac_get_lcid       8027c9b8 T
392. __mac_get_lctx       8027ca7c T
393. __mac_set_lctx       8027cb38 T
394. setlcid              801dd228 T
395. getlcid              801dd310 T
396. read_nocancel        801eb5a4 T
397. write_nocancel       801eb978 T
398. open_nocancel        800b1434 T
399. close_nocancel       801ccad0 T
400. wait4_nocancel       801d56dc T
401. recvmsg_nocancel     8020a91c T
402. sendmsg_nocancel     8020a464 T
403. recvfrom_nocancel    8020a548 T
404. accept_nocancel      80209b1c T
405. msync_nocancel       801d84e8 T
406. fcntl_nocancel       801cb440 T
407. select_nocancel      801ebfe4 T
408. fsync_nocancel       800b32a8 T
409. connect_nocancel     80209e34 T
410. sigsuspend_nocancel  801df6b4 T
411. readv_nocancel       801eb830 T
412. writev_nocancel      801ebbd0 T
413. sendto_nocancel      8020a188 T
414. pread_nocancel       801eb794 T
415. pwrite_nocancel      801ebaf0 T
416. waitid_nocancel      801d5ad0 T
417. poll_nocancel        801ec74c T
420. sem_wait_nocancel    8020e788 T
421. aio_suspend_nocancel 801c6350 T
422. __sigwait_nocancel   801dfb8c T
423. __semwait_signal_nocancel 801df958 T
424. __mac_mount          800af08c T
425. __mac_get_mount      8027d2a0 T
426. __mac_getfsstat      800b08b0 T
427. fsgetpath            800b5ce4 T
428. audit_session_self   801c1a68 T
429. audit_session_join   801c1a6c T
430. fileport_makeport    801ce2f0 T
431. fileport_makefd      801ce494 T
432. audit_session_port   801c1a70 T
433. pid_suspend          8021c180 T
434. pid_resume           8021c1f0 T
435. pid_hibernate        8021c268 T
436. pid_shutdown_sockets 8021c2c0 T
438. shared_region_map_and_slide_np 8021c954 T
439. kas_info             8021cb50 T   ; Provides ASLR information to user space 
                                       ; (intentionally crippled in iOS, works in ML)
440. memorystatus_control 801e62a0 T   ;; Controls JetSam - supersedes old sysctl interface
441. guarded_open_np      801cead0 T  
442. guarded_close_np     801cebdc T

Mach

XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach syscalls (on 32-bit systems like iOS) are encoded as negative numbers, which is clever, since POSIX system calls are all non-negative. For example, consider mach_msg_trap: 

_mach_msg_trap:
0001a8b4        e1a0c00d        mov     ip, sp
0001a8b8        e92d0170        push    {r4, r5, r6, r8}
0001a8bc        e89c0070        ldm     ip, {r4, r5, r6}
0001a8c0        e3e0c01e        mvn     ip, #30 @ 0x1e    ; Move NEGATIVE -30 into IP (R12)
0001a8c4        ef000080        svc     0x00000080        ; issue a supervisor call
0001a8c8        e8bd0170        pop     {r4, r5, r6, r8}
0001a8cc        e12fff1e        bx      lr
..
_semaphore_signal_all_trap:
0001a8f8        e3e0c021        mvn     ip, #33 @ 0x21   ; NEGATIVE -33 into IP (R12)
0001a8fc        ef000080        svc     0x00000080
0001a900        e12fff1e        bx      lr


Mach system calls are commonly known as "traps", and are maintained in a Mach Trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" command) checks the system call number - if it is negative, it is flipped (2's complement), and interpreted as Mach trap instead.

mach_trap_table

In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS. All the traps are ARM Thumb. The joker binary can be used to find the Mach trap table, as well. The following shows iOS 6.0.b1's table: 

$ ./joker -ls mach kernel.iPod4.iOS6.0b1
This is an ARM binary. Applying iOS kernel signatures
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
Kern invalid should be 0x80027ec1. Ignoring those
..This appears to be XNU 2107.1.78
 10 _kernelrpc_mach_vm_allocate_trap         80014460 T
 12 _kernelrpc_mach_vm_deallocate_trap       800144cc T
 14 _kernelrpc_mach_vm_protect_trap          80014510 T
 16 _kernelrpc_mach_port_allocate_trap       80014564 T
 17 _kernelrpc_mach_port_destroy_trap        800145b4 T
 18 _kernelrpc_mach_port_deallocate_trap     800145f0 T
 19 _kernelrpc_mach_port_mod_refs_trap       8001462c T
 20 _kernelrpc_mach_port_move_member_trap    8001466c T
 21 _kernelrpc_mach_port_insert_right_trap   800146b0 T
 22 _kernelrpc_mach_port_insert_member_trap  80014710 T
 23 _kernelrpc_mach_port_extract_member_trap 80014754 T
 26 mach_reply_port                          8001b5b4 T
 27 thread_self_trap                         8001b598 T
 28 task_self_trap                           8001b578 T
 29 host_self_trap                           80019910 T
 31 mach_msg_trap                            80014ec0 T
 32 mach_msg_overwrite_trap                  80014d20 T
 33 semaphore_signal_trap                    80027188 T
 34 semaphore_signal_all_trap                8002720c T
 35 semaphore_signal_thread_trap             80027114 T
 36 semaphore_wait_trap                      800274b0 T
 37 semaphore_wait_signal_trap               80027658 T
 38 semaphore_timedwait_trap                 80027598 T
 39 semaphore_timedwait_signal_trap          8002773c T
 44 task_name_for_pid                        8021a838 T
 45 task_for_pid                             8021a688 T
 46 pid_for_task                             8021a63c T
 48 macx_swapon                              8021b414 T
 49 macx_swapoff                             8021b668 T
 51 macx_triggers                            8021b3f4 T
 52 macx_backing_store_suspend               8021b370 T
 53 macx_backing_store_recovery              8021b318 T
 58 pfz_exit                                 80027818 T
 59 swtch_pri                                800278e4 T
 60 swtch                                    8002781c T
 61 thread_switch                            80027ad4 T
 62 clock_sleep_trap                         80017520 T
 89 mach_timebase_info_trap                  80016658 T
 90 mach_wait_until_trap                     80016d20 T
 91 mk_timer_create_trap                     8001f2f4 T
 92 mk_timer_destroy_trap                    8001f500 T
 93 mk_timer_arm_trap                        8001f544 T
 94 mk_timer_cancel_trap                     8001f5c8 T
100 iokit_user_client_trap                   8026c11c T

References

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=Kernel_Syscalls&oldid=67771"