The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "Kernel Syscalls"
(Moved CPU calls to the end. Put warning. I finally got what i0nic was saying :-P. The UNIX part is accurate, though. Who put this in here, in the first place?)
Line 1: | Line 1: | ||
− | WARNING: i0nic just [http://twitter.com/i0n1c/status/175258824360476672 tweeted]: |
||
− | The CPU system call description on theiphonewiki is wrong |
||
− | After asking, he answered[http://twitter.com/i0n1c/status/175281084936888320 1][http://twitter.com/i0n1c/status/175281257633165313 2][http://twitter.com/i0n1c/status/175322765925158912 3] |
||
− | Yes, the CPU syscall part is completely bogus. |
||
− | |||
− | as in: CPU syscalls are not called as described there |
||
− | |||
− | I think R12 must be 0x80000000, R3 is code and R0-R2 are parameters?!? |
||
− | |||
− | -- This doesn't make sense. Please see talk page. |
||
− | |||
== Note on these == |
== Note on these == |
||
Args go in their normal registers, like arg1 in R0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12. |
Args go in their normal registers, like arg1 in R0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12. |
||
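Review bot: Deleting the whole warning block removes the only pointers to the source of the correction (the three linked i0n1c tweets) while the disputed CPU list still survives further down the page; keep the tweet links next to whatever note replaces the warning so a reader can check the claim, and move the "-- This doesn't make sense. Please see talk page." remark to the talk page instead of dropping it silently.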
Line 16: | Line 5: | ||
− | == CPU == |
||
− | + | == Unix == |
|
− | <pre> |
||
− | MOV R12, #x // number from list |
||
− | swi 0x80 |
||
− | bx lr |
||
− | </pre> |
||
− | === List === |
||
− | * '''Clear Instruction Cache''': 0 |
||
− | * '''Flush Data Cache''': 1 |
||
− | * '''_pthread_set_self''': 2 |
||
− | * '''Unknown''': 3 |
||
− | |||
− | == Unix == |
||
=== Usage === |
=== Usage === |
||
<pre> |
<pre> |
||
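Review bot: The removed CPU stub (`MOV R12, #x`, `swi 0x80`, `bx lr`) is the same entry sequence as the Unix usage directly below it, so numbers 0 to 3 entered this way would be indistinguishable from the Unix syscalls exit (1), fork (2) and read (3) in this revision's list; that collision is the concrete reason the CPU list cannot be right, and the note that replaces the section should say so rather than relying on the heading move alone.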
Line 366: | Line 342: | ||
* '''(unused)''': 437 |
* '''(unused)''': 437 |
||
* '''shared_region_map_and_slide_np''': 438 (used in ASLR) |
* '''shared_region_map_and_slide_np''': 438 (used in ASLR) |
||
+ | |||
+ | |||
+ | == CPU == - |
||
+ | Note: the following are probably incorrect. These are carried out by ARM control registers (MRC, MCR commands) |
||
+ | Who put these in, in the first place? |
||
+ | === Usage === |
||
+ | <pre> |
||
+ | MOV R12, #x // number from list |
||
+ | swi 0x80 |
||
+ | bx lr |
||
+ | </pre> |
||
+ | <del> |
||
+ | === List === |
||
+ | * '''Clear Instruction Cache''': 0 |
||
+ | * '''Flush Data Cache''': 1 |
||
+ | * '''_pthread_set_self''': 2 |
||
+ | * '''Unknown''': 3 |
||
+ | </del> |
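Review bot: The new heading `== CPU == -` carries a stray trailing ` -` that renders as heading text, and the `<del>` wrapper opens only before `=== List ===`, so the `<pre>` usage stub that the note calls "probably incorrect" is shown as live while just the list is struck through; either wrap the whole section (usage and list) in `<del>` or drop it, and replace "Who put these in, in the first place?" with the tweet links from the deleted warning, since an article section is not the place for a question to other editors.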
Revision as of 02:08, 2 March 2012
Note on these
Args go in their normal registers (arg1 in R0, and so on). The syscall number goes in IP (that's the intra-procedure-call scratch register, not the instruction pointer), a.k.a. R12.
As on all ARM systems (Android included), kernel entry is through the SVC instruction (shown as SWI in some debuggers and ARM dialects). On the kernel side, a low-level CPU exception handler (fleh_swi) is installed as part of ExceptionVectorsBase, and when an SWI/SVC is issued, control is transferred to that address. This handler checks the syscall number to distinguish POSIX calls (non-negative) from Mach traps (negative).
Unix
Usage
<pre>
MOV IP, #x   // number from the following list into Intraprocedural (IP), a.k.a. r12
SVC 0x80     // formerly SWI (software interrupt)
</pre>
For example:
<pre>
(gdb) disass chown
0x30d2ad54 <chown>:    mov r12, #16    ; 0x10, being # of chown
0x30d2ad58 <chown+4>:  svc 0x00000080
</pre>
Most of these are the same as those found in the open source XNU kernel, ARM idiosyncrasies aside (and #372, ledger).
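The convention just described (syscall number loaded into R12, then SVC 0x80, with the sign of the number selecting a Mach trap or a BSD call) can be turned into a small stub scanner, which is what you want when auditing which syscalls a stripped ARM binary reaches. The following Python is an added example written for this page, not code from the wiki or from Apple: it decodes little-endian ARM words, recognises MOV/MVN R12,#imm (encoding A1, including the rotated 8-bit immediate), pairs each load with the SVC 0x80 that follows it, and labels the result from a constructed subset of the list below. The Mach trap names are an assumption taken from XNU's trap table, not from this page; the sample bytes, including the chown stub from the gdb listing above, are constructed.

```python
import struct

# Constructed subset of the BSD syscall numbers listed on this page.
BSD_SYSCALLS = {
    1: "exit", 2: "fork", 3: "read", 4: "write", 5: "open", 6: "close",
    16: "chown", 26: "ptrace", 59: "execve", 197: "mmap", 372: "ledger",
    381: "__mac_syscall", 396: "read_nocancel", 397: "write_nocancel",
}

# Mach traps are selected by negative numbers. The names are an assumption
# taken from XNU's mach trap table; the page only states the sign rule.
MACH_TRAPS = {-26: "mach_reply_port", -27: "thread_self_trap",
              -28: "task_self_trap", -31: "mach_msg_trap"}

SVC_SYSCALL = 0x80          # SVC immediate used for XNU system calls
BX_LR = 0xE12FFF1E          # bx lr; not decoded, only used in the sample


def ror32(value, amount):
    amount %= 32
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF


def arm_imm12(imm12):
    """Expand an ARM 'modified immediate': imm8 rotated right by 2 * rot."""
    return ror32(imm12 & 0xFF, 2 * (imm12 >> 8))


def to_signed32(value):
    return value - (1 << 32) if value & 0x80000000 else value


def decode_r12_load(insn):
    """Value left in R12 by MOV/MVN R12,#imm (encoding A1), else None."""
    if (insn >> 28) == 0xF:            # cond 1111 is not data-processing
        return None
    if ((insn >> 12) & 0xF) != 12:     # Rd must be R12 (IP)
        return None
    opcode = insn & 0x0FEF0000         # opcode + Rn, ignoring the S bit
    if opcode == 0x03A00000:           # MOV (immediate)
        return arm_imm12(insn & 0xFFF)
    if opcode == 0x03E00000:           # MVN (immediate): R12 = NOT imm
        return (~arm_imm12(insn & 0xFFF)) & 0xFFFFFFFF
    return None


def is_svc(insn, imm24):
    return ((insn >> 28) != 0xF and (insn & 0x0F000000) == 0x0F000000
            and (insn & 0xFFFFFF) == imm24)


def canonical_name(name):
    """Fold a *_nocancel variant onto the syscall it wraps."""
    suffix = "_nocancel"
    return name[:-len(suffix)] if name.endswith(suffix) else name


def find_syscall_stubs(code, base=0):
    """Scan ARM code for 'load R12; SVC 0x80' pairs and label each one.

    Only immediate loads into R12 are tracked; a stub that computes the
    number some other way is not recognised (a deliberate simplification).
    """
    stubs, pending = [], None
    for off in range(0, len(code) - 3, 4):
        insn = struct.unpack_from("<I", code, off)[0]
        value = decode_r12_load(insn)
        if value is not None:
            pending = (off, value)
            continue
        if is_svc(insn, SVC_SYSCALL) and pending is not None:
            start, raw = pending
            number = to_signed32(raw)
            if number < 0:                      # negative: Mach trap
                kind, name = "mach_trap", MACH_TRAPS.get(number, "unknown")
            else:                               # non-negative: BSD/POSIX
                kind, name = "bsd", BSD_SYSCALLS.get(number, "unknown")
            stubs.append({"addr": base + start, "number": number, "kind": kind,
                          "name": name, "canonical": canonical_name(name)})
            pending = None
    return stubs


# Constructed sample: three stubs as little-endian ARM words.
SAMPLE = b"".join(struct.pack("<I", w) for w in (
    0xE3A0C010,  # mov r12, #16      ; chown, as in the gdb listing above
    0xEF000080,  # svc 0x80
    BX_LR,       # bx lr
    0xE3A0CF63,  # mov r12, #0x18c   ; 396 = read_nocancel (rotated imm8)
    0xEF000080,  # svc 0x80
    BX_LR,
    0xE3E0C01E,  # mvn r12, #30      ; R12 = -31, a Mach trap
    0xEF000080,  # svc 0x80
    BX_LR,
))

if __name__ == "__main__":
    for stub in find_syscall_stubs(SAMPLE, base=0x30D2AD54):
        print("%08x  %-9s %5d  %s (%s)" % (stub["addr"], stub["kind"],
              stub["number"], stub["name"], stub["canonical"]))
```

The `canonical` field folds the `_nocancel` variants from the list onto the call they wrap, so a detection rule keyed on `read` also matches a binary that uses `read_nocancel`; the MVN decoding is what makes negative (Mach) numbers visible, since a stub for a trap loads the bitwise complement rather than a plain immediate.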
List
- exit: 1
- fork: 2
- read: 3
- write: 4
- open: 5
- close: 6
- wait4: 7
- link: 9
- unlink: 10
- chdir: 12
- fchdir: 13
- mknod: 14
- chmod: 15
- chown: 16
- getfsstat: 18
- getpid: 20
- setuid: 23
- getuid: 24
- geteuid: 25
- ptrace: 26
- recvmsg: 27
- sendmsg: 28
- recvfrom: 29
- accept: 30
- getpeername: 31
- getsockname: 32
- access: 33
- chflags: 34
- fchflags: 35
- sync: 36
- kill: 37
- getppid: 39
- dup: 41
- pipe: 42
- getegid: 43
- profil: 44
- sigaction: 46
- getgid: 47
- sigprocmask: 48
- getlogin: 49
- setlogin: 50
- acct: 51
- sigpending: 52
- sigaltstack: 53
- ioctl: 54
- reboot: 55
- revoke: 56
- symlink: 57
- readlink: 58
- execve: 59
- umask: 60
- chroot: 61
- msync: 65
- vfork: 66
- munmap: 73
- mprotect: 74
- madvise: 75
- mincore: 78
- getgroups: 79
- setgroups: 80
- getpgrp: 81
- setpgid: 82
- setitimer: 83
- swapon: 85
- getitimer: 86
- getdtablesize: 89
- dup2: 90
- fcntl: 92
- select: 93
- fsync: 95
- setpriority: 96
- socket: 97
- connect: 98
- getpriority: 100
- bind: 104
- setsockopt: 105
- listen: 106
- sigsuspend: 111
- gettimeofday: 116
- getrusage: 117
- getsockopt: 118
- readv: 120
- writev: 121
- settimeofday: 122
- fchown: 123
- fchmod: 124
- setreuid: 126
- setregid: 127
- rename: 128
- flock: 131
- mkfifo: 132
- sendto: 133
- shutdown: 134
- socketpair: 135
- mkdir: 136
- rmdir: 137
- utimes: 138
- futimes: 139
- adjtime: 140
- gethostuuid: 142
- setsid: 145
- getpgid: 151
- setprivexec: 152
- pread: 153
- pwrite: 154
- statfs: 157
- fstatfs: 158
- unmount: 159
- quotactl: 165
- mount: 167
- csops: 169
- waitid: 173
- add_profil: 176
- kdebug_trace: 180
- setgid: 181
- setegid: 182
- seteuid: 183
- sigreturn: 184
- chud: 185
- fdatasync: 187
- stat: 188
- fstat: 189
- lstat: 190
- pathconf: 191
- fpathconf: 192
- getrlimit: 194
- setrlimit: 195
- getdirentries: 196
- mmap: 197
- lseek: 199
- truncate: 200
- ftruncate: 201
- __sysctl: 202
- mlock: 203
- munlock: 204
- undelete: 205
- mkcomplex: 216
- statv: 217
- lstatv: 218
- fstatv: 219
- getattrlist: 220
- setattrlist: 221
- getdirentriesattr: 222
- exchangedata: 223
- fsgetpath: 224
- searchfs: 225
- delete: 226
- copyfile: 227
- fgetattrlist: 228
- fsetattrlist: 229
- poll: 230
- watchevent: 231
- waitevent: 232
- modwatch: 233
- getxattr: 234
- fgetxattr: 235
- setxattr: 236
- fsetxattr: 237
- removexattr: 238
- fremovexattr: 239
- listxattr: 240
- flistxattr: 241
- fsctl: 242
- initgroups: 243
- posix_spawn: 244
- ffsctl: 245
- minherit: 250
- shm_open: 266
- shm_unlink: 267
- sem_open: 268
- sem_close: 269
- sem_unlink: 270
- sem_wait: 271
- sem_trywait: 272
- sem_post: 273
- sem_getvalue: 274
- sem_init: 275
- sem_destroy: 276
- open_extended: 277
- umask_extended: 278
- stat_extended: 279
- lstat_extended: 280
- fstat_extended: 281
- chmod_extended: 282
- fchmod_extended: 283
- access_extended: 284
- settid: 285
- gettid: 286
- setsgroups: 287
- getsgroups: 288
- setwgroups: 289
- getwgroups: 290
- mkfifo_extended: 291
- mkdir_extended: 292
- identitysvc: 293
- shared_region_check_np: 294
- shared_region_map_np: 295
- vm_pressure_monitor: 296
- __pthread_mutex_destroy: 301
- __pthread_mutex_init: 302
- __pthread_mutex_lock: 303
- __pthread_mutex_trylock: 304
- __pthread_mutex_unlock: 305
- __pthread_cond_init: 306
- __pthread_cond_destroy: 307
- __pthread_cond_broadcast: 308
- __pthread_cond_signal: 309
- getsid: 310
- settid_with_pid: 311
- __pthread_cond_timedwait: 312
- aio_fsync: 313
- aio_return: 314
- aio_suspend: 315
- aio_cancel: 316
- aio_error: 317
- aio_read: 318
- aio_write: 319
- lio_listio: 320
- __pthread_cond_wait: 321
- iopolicysys: 322
- mlockall: 324
- munlockall: 325
- issetugid: 327
- __pthread_kill: 328
- __pthread_sigmask: 329
- __sigwait: 330
- __disable_threadsignal: 331
- __pthread_markcancel: 332
- __pthread_canceled: 333
- proc_info: 336
- stat64: 338
- fstat64: 339
- lstat64: 340
- stat64_extended: 341
- lstat64_extended: 342
- fstat64_extended: 343
- getdirentries64: 344
- statfs64: 345
- fstatfs64: 346
- getfsstat64: 347
- __pthread_chdir: 348
- __pthread_fchdir: 349
- kqueue: 362
- kevent: 363
- lchown: 364
- stack_snapshot: 365
- kevent64: 369
- __semwait_signal: 370
- __semwait_signal_nocancel: 371
- ledger: 372 - This syscall exists only in iOS, having been taken out of OS X a while ago.
The following syscalls are for BSD's Mandatory Access Control (MAC) framework, on top of which Apple's "SandBox" (sandbox.kext) is implemented.
- __mac_execve: 380
- __mac_syscall: 381
- __mac_get_file: 382
- __mac_set_file: 383
- __mac_get_link: 384
- __mac_set_link: 385
- __mac_get_proc: 386
- __mac_set_proc: 387
- __mac_get_fd: 388
- __mac_set_fd: 389
- __mac_get_pid: 390
- __mac_get_lcid: 391
- __mac_get_lctx: 392
- __mac_set_lctx: 393
- setlcid: 394
- getlcid: 395
The "nocancel" variants are the same as their cancellable counterparts. In most cases, the latter are just wrappers around them that add a call to __pthread_testcancel(1).
- read_nocancel: 396
- write_nocancel: 397
- open_nocancel: 398
- close_nocancel: 399
- wait4_nocancel: 400
- recvmsg_nocancel: 401
- sendmsg_nocancel: 402
- recvfrom_nocancel: 403
- accept_nocancel: 404
- msync_nocancel: 405
- fcntl_nocancel: 406
- select_nocancel: 407
- fsync_nocancel: 408
- connect_nocancel: 409
- sigsuspend_nocancel: 410
- readv_nocancel: 411
- writev_nocancel: 412
- sendto_nocancel: 413
- pread_nocancel: 414
- pwrite_nocancel: 415
- waitid_nocancel: 416
- poll_nocancel: 417
- sem_wait_nocancel: 420
- aio_suspend_nocancel: 421
- __sigwait_nocancel: 422
- __semwait_signal_nocancel: 423
- __mac_mount: 424
- __mac_get_mount: 425
- __mac_getfsstat: 426
- fsgetpath_1: 427
- _audit_session_self: 428
- audit_session_join: 429
- fileport_makeport: 430
- fileport_makefd: 431
- audit_session_port: 432
- pid_suspend: 433
- pid_resume: 434
- pid_hibernate: 435
- pid_shutdown_sockets: 436
- (unused): 437
- shared_region_map_and_slide_np: 438 (used in ASLR)
CPU
Note: the following are probably incorrect. These operations are carried out through the ARM control registers (MRC and MCR instructions).
Who put these in, in the first place?
Usage
<pre>
MOV R12, #x   // number from list
swi 0x80
bx lr
</pre>
List
- Clear Instruction Cache: 0
- Flush Data Cache: 1
- _pthread_set_self: 2
- Unknown: 3