The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Kernel Syscalls"
(→sysent) |
(→sysent) |
||
Line 26: | Line 26: | ||
=== sysent === |
=== sysent === |
||
− | <pre></pre> |
||
− | + | The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (either be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h: |
|
<pre> |
<pre> |
Revision as of 13:40, 20 March 2012
Contents
Note on these
Args go in their normal registers, like arg1 in R0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12.
As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).
Unix
Usage
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12 SVC 0x80 // Formerly, SWI (software interrupt)
For example:
(gdb) disass chown 0x30d2ad54 <chown>: mov r12, #16 ; 0x10, being # of chown 0x30d2ad58 <chown+4>: svc 0x00000080
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
sysent
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (either be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:
struct sysent { /* system call table */ int16_t sy_narg; /* number of args */ int8_t sy_resv; /* reserved */ int8_t sy_flags; /* flags */ sy_call_t *sy_call; /* implementing function */ sy_munge_t *sy_arg_munge32; /* system call arguments munger for 32-bit process */ sy_munge_t *sy_arg_munge64; /* system call arguments munger for 64-bit process */ int32_t sy_return_type; /* system call return types */ uint16_t sy_arg_bytes; /* Total size of arguments in bytes for * 32-bit system calls */ };
Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 5.1:
List of system calls from iOS 5.1
$ ./fsysent ~/Documents/projects/iOS.5.1.iPod4.kernel This is an ARM binary. Applying iOS kernel signatures Sysent offset in file (for patching purposes): 2931636 (0x2cbbb4) This appears to be XNU 1878.11.8 syscall 801b3aa4 T exit 8019e924 T fork 801a15cc T read 801b3ac0 T write 801b3ea0 T open 800a1e64 T close 80197570 T wait4 8019f464 T 8 old creat 801b3aa4 T link 800a23a4 T unlink 800a2aa8 T 11 old execv 801b3aa4 T chdir 800a175c T fchdir 800a15f4 T mknod 800a1f64 T chmod 800a3598 T chown 800a3714 T 17 old break 801b3aa4 T getfsstat 800a1390 T 19 old lseek 801b3aa4 T getpid 801a5838 T 21 old mount 801b3aa4 T 22 old umount 801b3aa4 T setuid 801a5aec T getuid 801a58bc T geteuid 801a58cc T ptrace 801b0a9c T recvmsg 801cfde4 T sendmsg 801cf958 T recvfrom 801cfa40 T accept 801cf32c T getpeername 801d00a8 T getsockname 801cfff8 T access 800a2f14 T chflags 800a336c T fchflags 800a343c T sync 800a0e5c T kill 801a91b0 T 38 old stat 801b3aa4 T getppid 801a5840 T 40 old lstat 801b3aa4 T dup 80195890 T pipe 801b6a00 T getegid 801a5944 T profil 801b3400 T 45 old ktrace 801b3aa4 T sigaction 801a8348 T getgid 801a5934 T sigprocmask 801a8868 T getlogin 801a66cc T setlogin 801a6728 T acct 801908f0 T sigpending 801a8a0c T sigaltstack 801a90f4 T ioctl 801b426c T reboot 801b0a2c T revoke 800a4d8c T symlink 800a2620 T readlink 800a328c T execve 8019e49c T umask 800a4d64 T chroot 800a1824 T 62 old fstat 801b3aa4 T 63 used internally , reserved 801b3aa4 T 64 old getpagesize 801b3aa4 T msync 801a20c0 T vfork 801a0cfc T 67 old vread 801b3aa4 T 68 old vwrite 801b3aa4 T 69 old sbrk 801b3aa4 T 70 old sstk 801b3aa4 T 71 old mmap 801b3aa4 T 72 old vadvise 801b3aa4 T munmap 801a216c T mprotect 801a21a4 T madvise 801a2264 T 76 old vhangup 801b3aa4 T 77 old vlimit 801b3aa4 T mincore 801a22d0 T getgroups 801a5954 T setgroups 801a6610 T getpgrp 801a5848 T setpgid 801a59f4 T setitimer 801b0518 T 84 old wait 801b3aa4 T swapon 801e0548 T getitimer 801b03c8 T 87 old gethostname 801b3aa4 T 88 old sethostname 801b3aa4 T getdtablesize 80195480 T dup2 80195bc4 T 91 old getdopt 801b3aa4 T fcntl 80195fc4 T select 801b44fc T 94 old setdopt 801b3aa4 T fsync 800a3c60 T setpriority 801a6a24 T socket 801cedc8 T connect 801cf34c T 99 old accept 801b3aa4 T getpriority 801a6918 T 101 old send 801b3aa4 T 102 old recv 801b3aa4 T 103 old sigreturn 801b3aa4 T bind 801cee98 T setsockopt 801cff10 T listen 801cf00c T 107 old vtimes 801b3aa4 T 108 old sigvec 801b3aa4 T 109 old sigblock 801b3aa4 T 110 old sigsetmask 801b3aa4 T sigsuspend 801a8a34 T 112 old sigstack 801b3aa4 T 113 old recvmsg 801b3aa4 T 114 old sendmsg 801b3aa4 T 115 old vtrace 801b3aa4 T gettimeofday 801b01d8 T getrusage 801a7798 T getsockopt 801cff74 T 119 old resuba 801b3aa4 T readv 801b3d4c T writev 801b40f4 T settimeofday 801b0238 T fchown 800a3830 T fchmod 800a36dc T 125 old recvfrom 801b3aa4 T setreuid 801a5e40 T setregid 801a61d8 T rename 800a3e34 T 129 old truncate 801b3aa4 T 130 old ftruncate 801b3aa4 T flock 801989e4 T mkfifo 800a2254 T sendto 801cf67c T shutdown 801cfee0 T socketpair 801cf534 T mkdir 800a46b4 T rmdir 800a46fc T utimes 800a38f0 T futimes 800a3a70 T adjtime 801b0338 T 141 old getpeername 801b3aa4 T gethostuuid 801b5c44 T 143 old sethostid 801b3aa4 T 144 old getrlimit 801b3aa4 T 145 old setrlimit 801b3aa4 T 146 old killpg 801b3aa4 T setsid 801a59b0 T 148 old setquota 801b3aa4 T 149 old qquota 801b3aa4 T 150 old getsockname 801b3aa4 T getpgid 801a5850 T setprivexec 801a5820 T pread 801b3ca4 T pwrite 801b4008 T nfssvc 801b3aa4 T 156 old getdirentries 801b3aa4 T statfs 800a0eec T fstatfs 800a117c T unmount 800a09f0 T 160 old async_daemon 801b3aa4 T getfh 801b3aa4 T 162 old getdomainname 801b3aa4 T 163 old setdomainname 801b3aa4 T 164 801b3aa4 T quotactl 800a0ee8 T 166 old exportfs 801b3aa4 T mount 8009fd10 T 168 old ustat 801b3aa4 T csops 801a47bc T 170 old table 801b3aa4 T 171 old wait3 801b3aa4 T 172 old rpause 801b3aa4 T waitid 8019f860 T 174 old getdents 801b3aa4 T 175 old gc_control 801b3aa4 T add_profil 801b3404 T 177 801b3aa4 T 178 801b3aa4 T 179 801b3aa4 T kdebug_trace 8018e964 T setgid 801a5fe0 T setegid 801a60ec T seteuid 801a5d48 T sigreturn 801e2cb0 T chud 801e1acc T 186 801b3aa4 T fdatasync 800a3cd8 T stat 800a2fec T fstat 801977f8 T lstat 800a3134 T pathconf 800a3228 T fpathconf 80197858 T 193 801b3aa4 T getrlimit 801a75d4 T setrlimit 801a6eb8 T getdirentries 800a4928 T mmap 801a1b84 T 198 __syscall 801b3aa4 T lseek 800a2b20 T truncate 800a3ac4 T ftruncate 800a3b90 T __sysctl 801ab798 T mlock 801a2418 T munlock 801a246c T undelete 800a27c8 T ATsocket 801b3aa4 T ATgetmsg 801b3aa4 T ATputmsg 801b3aa4 T ATPsndreq 801b3aa4 T ATPsndrsp 801b3aa4 T ATPgetreq 801b3aa4 T ATPgetrsp 801b3aa4 T 213 Reserved for AppleTalk 801b3aa4 T 214 801b3aa4 T 215 801b3aa4 T mkcomplex 800a1d9c T statv 801b3aa4 T lstatv 801b3aa4 T fstatv 801b3aa4 T getattrlist 8008d1c4 T setattrlist 8008d23c T getdirentriesattr 800a4e80 T exchangedata 800a5018 T 224 old checkuseraccess / fsgetpath ( which moved to 427 ) 801b3aa4 T searchfs 800a5258 T delete 800a2ae4 T copyfile 800a3cf4 T fgetattrlist 8008a6c8 T fsetattrlist 8008d904 T poll 801b4d04 T watchevent 801b5604 T waitevent 801b579c T modwatch 801b5914 T getxattr 800a6048 T fgetxattr 800a6160 T setxattr 800a6240 T fsetxattr 800a6328 T removexattr 800a6408 T fremovexattr 800a64b0 T listxattr 800a654c T flistxattr 800a6610 T fsctl 800a5964 T initgroups 801a64d0 T posix_spawn 8019d658 T ffsctl 800a5f78 T 246 801b3aa4 T nfsclnt 801b3aa4 T fhopen 801b3aa4 T 249 801b3aa4 T minherit 801a222c T semsys 801b3aa4 T msgsys 801b3aa4 T shmsys 801b3aa4 T semctl 801b3aa4 T semget 801b3aa4 T semop 801b3aa4 T 257 801b3aa4 T msgctl 801b3aa4 T msgget 801b3aa4 T msgsnd 801b3aa4 T msgrcv 801b3aa4 T shmat 801b3aa4 T shmctl 801b3aa4 T shmdt 801b3aa4 T shmget 801b3aa4 T shm_open 801d3b34 T shm_unlink 801d45d0 T sem_open 801d3110 T sem_close 801d379c T sem_unlink 801d35cc T sem_wait 801d37f8 T sem_trywait 801d38bc T sem_post 801d395c T sem_getvalue 801d39fc T sem_init 801d39f4 T sem_destroy 801d39f8 T open_extended 800a1cb8 T umask_extended 800a4d14 T stat_extended 800a2f98 T lstat_extended 800a30e0 T fstat_extended 801975e4 T chmod_extended 800a347c T fchmod_extended 800a35d4 T access_extended 800a2c54 T settid 801a6358 T gettid 801a58dc T setsgroups 801a6620 T getsgroups 801a59a8 T setwgroups 801a6624 T getwgroups 801a59ac T mkfifo_extended 800a21a8 T mkdir_extended 800a44ac T identitysvc 801b3aa4 T shared_region_check_np 801e0a68 T shared_region_map_np 801b3aa4 T vm_pressure_monitor 801e1150 T psynch_rw_longrdlock 801da274 T psynch_rw_yieldwrlock 801da79c T psynch_rw_downgrade 801daa38 T psynch_rw_upgrade 801daa34 T psynch_mutexwait 801d77d0 T psynch_mutexdrop 801d85f8 T psynch_cvbroad 801d864c T psynch_cvsignal 801d8bb4 T psynch_cvwait 801d9020 T psynch_rw_rdlock 801d96ec T psynch_rw_wrlock 801da508 T psynch_rw_unlock 801daa3c T psynch_rw_unlock2 801dad10 T getsid 801a5880 T settid_with_pid 801a63f8 T 312 old __pthread_cond_timedwait 801d95e8 T aio_fsync 80191278 T aio_return 8019143c T aio_suspend 801916a0 T aio_cancel 80190e24 T aio_error 801911d4 T aio_read 8019141c T aio_write 801918a4 T lio_listio 801918c4 T 321 old __pthread_cond_wait 801b3aa4 T iopolicysys 801a795c T 323 801df090 T mlockall 801a24ac T munlockall 801a24b0 T 326 801b3aa4 T issetugid 801a5adc T __pthread_kill 801a8e34 T __pthread_sigmask 801a8e94 T __sigwait 801a8f38 T __disable_threadsignal 801a8b48 T __pthread_markcancel 801a8b64 T __pthread_canceled 801a8bac T __semwait_signal 801a8d30 T 335 old utrace 801b3aa4 T proc_info 801dd524 T sendfile 801b3aa4 T stat64 800a3038 T fstat64 80197838 T lstat64 800a3180 T stat64_extended 800a3088 T lstat64_extended 800a31d0 T fstat64_extended 80197818 T getdirentries64 800a4cd0 T statfs64 800a11e4 T fstatfs64 800a132c T getfsstat64 800a1540 T __pthread_chdir 800a181c T __pthread_fchdir 800a1754 T ; ----------------------- ; The following are unused in iOS - symbols are stubs returning 0x4E (ENOSYS) audit 8018d990 T auditon 8018d994 T 352 801b3aa4 T getauid 8018d998 T setauid 8018d99c T getaudit 8018d9a0 T setaudit 8018d9a4 T getaudit_addr 8018d9a8 T setaudit_addr 8018d9ac T auditctl 8018d9b0 T ; --------------------- bsdthread_create 801db740 T bsdthread_terminate 801db9b4 T kqueue 801998c4 T kevent 80199948 T lchown 800a3818 T stack_snapshot 8019066c T bsdthread_register 801dba18 T workq_open 801dc70c T workq_kernreturn 801dccac T kevent64 80199bd4 T __old_semwait_signal 801a8c1c T __old_semwait_signal_nocancel 801a8c54 T thread_selfid 801dd27c T 373 801b5c98 T 374 801b3aa4 T 375 801b3aa4 T 376 801b3aa4 T 377 801b3aa4 T 378 801b3aa4 T 379 801b3aa4 T __mac_execve 8019e4bc T __mac_syscall 80244734 T __mac_get_file 802443d4 T __mac_set_file 80244628 T __mac_get_link 80244504 T __mac_set_link 80244724 T __mac_get_proc 80243eb0 T __mac_set_proc 80243f74 T __mac_get_fd 80244280 T __mac_set_fd 80244514 T __mac_get_pid 80243ddc T __mac_get_lcid 80244030 T __mac_get_lctx 802440fc T __mac_set_lctx 802441c0 T setlcid 801a67cc T getlcid 801a68ac T read_nocancel 801b3ae0 T write_nocancel 801b3ec0 T open_nocancel 800a1ee8 T close_nocancel 8019758c T wait4_nocancel 8019f484 T recvmsg_nocancel 801cfe04 T sendmsg_nocancel 801cf978 T recvfrom_nocancel 801cfa60 T accept_nocancel 801cf04c T msync_nocancel 801a20d8 T fcntl_nocancel 80195fe4 T select_nocancel 801b4518 T fsync_nocancel 800a3cd0 T connect_nocancel 801cf364 T sigsuspend_nocancel 801a8ae4 T readv_nocancel 801b3d6c T writev_nocancel 801b4114 T sendto_nocancel 801cf69c T pread_nocancel 801b3cc4 T pwrite_nocancel 801b4028 T waitid_nocancel 8019f87c T poll_nocancel 801b4d24 T msgsnd_nocancel 801b3aa4 T msgrcv_nocancel 801b3aa4 T sem_wait_nocancel 801d3814 T aio_suspend_nocancel 801916c0 T __sigwait_nocancel 801a8f70 T __semwait_signal_nocancel 801a8d68 T __mac_mount 8009fd34 T __mac_get_mount 80244900 T __mac_getfsstat 800a13b4 T fsgetpath 800a66d4 T audit_session_self 8018d984 T audit_session_join 8018d988 T fileport_makeport 80198ad4 T fileport_makefd 80198c58 T audit_session_port 8018d98c T pid_suspend 801e084c T pid_resume 801e08bc T pid_hibernate 801e0928 T pid_shutdown_sockets 801e0984 T 437 old shared_region_slide_np 801b3aa4 T shared_region_map_and_slide_np 801e1008 T
CPU
Note: the following are probably incorrect. These are carried out by ARM control registers (MRC, MCR commands) Who put these in, in the first place?
Usage
MOV R12, #x // number from list swi 0x80 bx lr
List
- Clear Instruction Cache: 0
- Flush Data Cache: 1
- _pthread_set_self: 2
- Unknown: 3