The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Kernel Syscalls
(Difference between revisions; edit summaries: "List of system calls from iOS 5.1: corrected ledger" and "Mach: Added mach trap usage")
Revision as of 18:43, 24 March 2012
Note on these
Args go in their normal registers, as in the AAPCS calling convention: arg1 in R0, arg2 in R1, and so on. The syscall number goes in IP (the intra-procedure-call scratch register, not an instruction pointer), a.k.a. R12. Arguments beyond the fourth are passed on the caller's stack, and the libsystem stubs copy them into R4-R6 before entering the kernel (see the mach_msg_trap stub below, which loads its three stack arguments with ldm), so a syscall receives up to seven arguments in R0-R6.
As on all ARM systems (Android included), kernel entry is accomplished by the SVC instruction (SWI in older ARM dialects and some debuggers). The details are ABI-specific, though: iOS uses SVC 0x80 with the number in R12, whereas Linux/Android use SVC 0 with the number in R7. On the kernel end, a low-level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and, upon issuing a SWI/SVC, control is transferred to that address. This handler checks the syscall number to distinguish between POSIX calls (non-negative) and Mach traps (negative).
Unix
Usage
    MOV IP, #x      // number from the following list into IP (intra-procedure-call register), a.k.a. R12
    SVC 0x80        // formerly SWI (software interrupt)
For example:
    (gdb) disass chown
    0x30d2ad54 <chown>:      mov r12, #16    ; 0x10, being # of chown
    0x30d2ad58 <chown+4>:    svc 0x00000080
Most of these are the same as you would find in the open-source XNU kernel, ARM idiosyncrasies aside (and #373, ledger, which is not in the public sources of this era).
sysent
The system call table in XNU is known as "sysent", and is no longer an exported symbol, for obvious reasons (it is the natural hook point for syscall interposition). It is fairly straightforward, however, to find sysent and its entries. i0nic proposes a heuristic of finding sysent relative to the (still) exported kdebug symbol, but this is unreliable, as that symbol might change in the future (be moved, or no longer be exported). A better way is to home in on the pattern of the struct sysent entries themselves, as defined in bsd/sys/sysent.h:
    struct sysent {                  /* system call table */
        int16_t     sy_narg;         /* number of args */
        int8_t      sy_resv;         /* reserved */
        int8_t      sy_flags;        /* flags */
        sy_call_t   *sy_call;        /* implementing function */
        sy_munge_t  *sy_arg_munge32; /* system call arguments munger for 32-bit process */
        sy_munge_t  *sy_arg_munge64; /* system call arguments munger for 64-bit process */
        int32_t     sy_return_type;  /* system call return types */
        uint16_t    sy_arg_bytes;    /* Total size of arguments in bytes for 32-bit system calls */
    };
Because the prototypes of the system calls are set in stone, it is straightforward to write code that looks for the signature of the first few syscalls (syscall, exit, fork, read, write..), i.e. their sy_narg and sy_arg_bytes values, and from there calculates the offsets of the other sysent entries. A program that does so reliably on iOS has, in fact, been written, and produces the following output for iOS 5.1:
List of system calls from iOS 5.1
note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).
$ ./fsysent ~/Documents/projects/iOS.5.1.iPod4.kernel
This is an ARM binary. Applying iOS kernel signatures
Sysent offset in file (for patching purposes): 2931636 (0x2cbbb4)
This appears to be XNU 1878.11.8
0 syscall 801b3aa4 T
1 exit 8019e924 T
2 fork 801a15cc T
3 read 801b3ac0 T
4 write 801b3ea0 T
5 open 800a1e64 T
6 close 80197570 T
7 wait4 8019f464 T
8 old creat 801b3aa4 T
9 link 800a23a4 T
10 unlink 800a2aa8 T
11 old execv 801b3aa4 T
12 chdir 800a175c T
13 fchdir 800a15f4 T
14 mknod 800a1f64 T
15 chmod 800a3598 T
16 chown 800a3714 T
17 old break 801b3aa4 T
18 getfsstat 800a1390 T
19 old lseek 801b3aa4 T
20 getpid 801a5838 T
21 old mount 801b3aa4 T
22 old umount 801b3aa4 T
23 setuid 801a5aec T
24 getuid 801a58bc T
25 geteuid 801a58cc T
26 ptrace 801b0a9c T
27 recvmsg 801cfde4 T
28 sendmsg 801cf958 T
29 recvfrom 801cfa40 T
30 accept 801cf32c T
31 getpeername 801d00a8 T
32 getsockname 801cfff8 T
33 access 800a2f14 T
34 chflags 800a336c T
35 fchflags 800a343c T
36 sync 800a0e5c T
37 kill 801a91b0 T
38 old stat 801b3aa4 T
39 getppid 801a5840 T
40 old lstat 801b3aa4 T
41 dup 80195890 T
42 pipe 801b6a00 T
43 getegid 801a5944 T
44 profil 801b3400 T
45 old ktrace 801b3aa4 T
46 sigaction 801a8348 T
47 getgid 801a5934 T
48 sigprocmask 801a8868 T
49 getlogin 801a66cc T
50 setlogin 801a6728 T
51 acct 801908f0 T
52 sigpending 801a8a0c T
53 sigaltstack 801a90f4 T
54 ioctl 801b426c T
55 reboot 801b0a2c T
56 revoke 800a4d8c T
57 symlink 800a2620 T
58 readlink 800a328c T
59 execve 8019e49c T
60 umask 800a4d64 T
61 chroot 800a1824 T
62 old fstat 801b3aa4 T
63 used internally, reserved 801b3aa4 T
64 old getpagesize 801b3aa4 T
65 msync 801a20c0 T
66 vfork 801a0cfc T
67 old vread 801b3aa4 T
68 old vwrite 801b3aa4 T
69 old sbrk 801b3aa4 T
70 old sstk 801b3aa4 T
71 old mmap 801b3aa4 T
72 old vadvise 801b3aa4 T
73 munmap 801a216c T
74 mprotect 801a21a4 T
75 madvise 801a2264 T
76 old vhangup 801b3aa4 T
77 old vlimit 801b3aa4 T
78 mincore 801a22d0 T
79 getgroups 801a5954 T
80 setgroups 801a6610 T
81 getpgrp 801a5848 T
82 setpgid 801a59f4 T
83 setitimer 801b0518 T
84 old wait 801b3aa4 T
85 swapon 801e0548 T
86 getitimer 801b03c8 T
87 old gethostname 801b3aa4 T
88 old sethostname 801b3aa4 T
89 getdtablesize 80195480 T
90 dup2 80195bc4 T
91 old getdopt 801b3aa4 T
92 fcntl 80195fc4 T
93 select 801b44fc T
94 old setdopt 801b3aa4 T
95 fsync 800a3c60 T
96 setpriority 801a6a24 T
97 socket 801cedc8 T
98 connect 801cf34c T
99 old accept 801b3aa4 T
100 getpriority 801a6918 T
101 old send 801b3aa4 T
102 old recv 801b3aa4 T
103 old sigreturn 801b3aa4 T
104 bind 801cee98 T
105 setsockopt 801cff10 T
106 listen 801cf00c T
107 old vtimes 801b3aa4 T
108 old sigvec 801b3aa4 T
109 old sigblock 801b3aa4 T
110 old sigsetmask 801b3aa4 T
111 sigsuspend 801a8a34 T
112 old sigstack 801b3aa4 T
113 old recvmsg 801b3aa4 T
114 old sendmsg 801b3aa4 T
115 old vtrace 801b3aa4 T
116 gettimeofday 801b01d8 T
117 getrusage 801a7798 T
118 getsockopt 801cff74 T
119 old resuba 801b3aa4 T
120 readv 801b3d4c T
121 writev 801b40f4 T
122 settimeofday 801b0238 T
123 fchown 800a3830 T
124 fchmod 800a36dc T
125 old recvfrom 801b3aa4 T
126 setreuid 801a5e40 T
127 setregid 801a61d8 T
128 rename 800a3e34 T
129 old truncate 801b3aa4 T
130 old ftruncate 801b3aa4 T
131 flock 801989e4 T
132 mkfifo 800a2254 T
133 sendto 801cf67c T
134 shutdown 801cfee0 T
135 socketpair 801cf534 T
136 mkdir 800a46b4 T
137 rmdir 800a46fc T
138 utimes 800a38f0 T
139 futimes 800a3a70 T
140 adjtime 801b0338 T
141 old getpeername 801b3aa4 T
142 gethostuuid 801b5c44 T
143 old sethostid 801b3aa4 T
144 old getrlimit 801b3aa4 T
145 old setrlimit 801b3aa4 T
146 old killpg 801b3aa4 T
147 setsid 801a59b0 T
148 old setquota 801b3aa4 T
149 old qquota 801b3aa4 T
150 old getsockname 801b3aa4 T
151 getpgid 801a5850 T
152 setprivexec 801a5820 T
153 pread 801b3ca4 T
154 pwrite 801b4008 T
155 nfssvc 801b3aa4 T
156 old getdirentries 801b3aa4 T
157 statfs 800a0eec T
158 fstatfs 800a117c T
159 unmount 800a09f0 T
160 old async_daemon 801b3aa4 T
161 getfh 801b3aa4 T
162 old getdomainname 801b3aa4 T
163 old setdomainname 801b3aa4 T
164 801b3aa4 T
165 quotactl 800a0ee8 T
166 old exportfs 801b3aa4 T
167 mount 8009fd10 T
168 old ustat 801b3aa4 T
169 csops 801a47bc T
170 old table 801b3aa4 T
171 old wait3 801b3aa4 T
172 old rpause 801b3aa4 T
173 waitid 8019f860 T
174 old getdents 801b3aa4 T
175 old gc_control 801b3aa4 T
176 add_profil 801b3404 T
177 801b3aa4 T
178 801b3aa4 T
179 801b3aa4 T
180 kdebug_trace 8018e964 T
181 setgid 801a5fe0 T
182 setegid 801a60ec T
183 seteuid 801a5d48 T
184 sigreturn 801e2cb0 T
185 chud 801e1acc T
186 801b3aa4 T
187 fdatasync 800a3cd8 T
188 stat 800a2fec T
189 fstat 801977f8 T
190 lstat 800a3134 T
191 pathconf 800a3228 T
192 fpathconf 80197858 T
193 801b3aa4 T
194 getrlimit 801a75d4 T
195 setrlimit 801a6eb8 T
196 getdirentries 800a4928 T
197 mmap 801a1b84 T
198 __syscall 801b3aa4 T
199 lseek 800a2b20 T
200 truncate 800a3ac4 T
201 ftruncate 800a3b90 T
202 __sysctl 801ab798 T
203 mlock 801a2418 T
204 munlock 801a246c T
205 undelete 800a27c8 T
206 ATsocket 801b3aa4 T
207 ATgetmsg 801b3aa4 T
208 ATputmsg 801b3aa4 T
209 ATPsndreq 801b3aa4 T
210 ATPsndrsp 801b3aa4 T
211 ATPgetreq 801b3aa4 T
212 ATPgetrsp 801b3aa4 T
213 Reserved for AppleTalk 801b3aa4 T
214 801b3aa4 T
215 801b3aa4 T
216 mkcomplex 800a1d9c T
217 statv 801b3aa4 T
218 lstatv 801b3aa4 T
219 fstatv 801b3aa4 T
220 getattrlist 8008d1c4 T
221 setattrlist 8008d23c T
222 getdirentriesattr 800a4e80 T
223 exchangedata 800a5018 T
224 old checkuseraccess / fsgetpath (which moved to 427) 801b3aa4 T
225 searchfs 800a5258 T
226 delete 800a2ae4 T
227 copyfile 800a3cf4 T
228 fgetattrlist 8008a6c8 T
229 fsetattrlist 8008d904 T
230 poll 801b4d04 T
231 watchevent 801b5604 T
232 waitevent 801b579c T
233 modwatch 801b5914 T
234 getxattr 800a6048 T
235 fgetxattr 800a6160 T
236 setxattr 800a6240 T
237 fsetxattr 800a6328 T
238 removexattr 800a6408 T
239 fremovexattr 800a64b0 T
240 listxattr 800a654c T
241 flistxattr 800a6610 T
242 fsctl 800a5964 T
243 initgroups 801a64d0 T
244 posix_spawn 8019d658 T
245 ffsctl 800a5f78 T
246 801b3aa4 T
247 nfsclnt 801b3aa4 T
248 fhopen 801b3aa4 T
249 801b3aa4 T
250 minherit 801a222c T
251 semsys 801b3aa4 T
252 msgsys 801b3aa4 T
253 shmsys 801b3aa4 T
254 semctl 801b3aa4 T
255 semget 801b3aa4 T
256 semop 801b3aa4 T
257 801b3aa4 T
258 msgctl 801b3aa4 T
259 msgget 801b3aa4 T
260 msgsnd 801b3aa4 T
261 msgrcv 801b3aa4 T
262 shmat 801b3aa4 T
263 shmctl 801b3aa4 T
264 shmdt 801b3aa4 T
265 shmget 801b3aa4 T
266 shm_open 801d3b34 T
267 shm_unlink 801d45d0 T
268 sem_open 801d3110 T
269 sem_close 801d379c T
270 sem_unlink 801d35cc T
271 sem_wait 801d37f8 T
272 sem_trywait 801d38bc T
273 sem_post 801d395c T
274 sem_getvalue 801d39fc T
275 sem_init 801d39f4 T
276 sem_destroy 801d39f8 T
277 open_extended 800a1cb8 T
278 umask_extended 800a4d14 T
279 stat_extended 800a2f98 T
280 lstat_extended 800a30e0 T
281 fstat_extended 801975e4 T
282 chmod_extended 800a347c T
283 fchmod_extended 800a35d4 T
284 access_extended 800a2c54 T
285 settid 801a6358 T
286 gettid 801a58dc T
287 setsgroups 801a6620 T
288 getsgroups 801a59a8 T
289 setwgroups 801a6624 T
290 getwgroups 801a59ac T
291 mkfifo_extended 800a21a8 T
292 mkdir_extended 800a44ac T
293 identitysvc 801b3aa4 T
294 shared_region_check_np 801e0a68 T
295 shared_region_map_np 801b3aa4 T
296 vm_pressure_monitor 801e1150 T
297 psynch_rw_longrdlock 801da274 T
298 psynch_rw_yieldwrlock 801da79c T
299 psynch_rw_downgrade 801daa38 T
300 psynch_rw_upgrade 801daa34 T
301 psynch_mutexwait 801d77d0 T
302 psynch_mutexdrop 801d85f8 T
303 psynch_cvbroad 801d864c T
304 psynch_cvsignal 801d8bb4 T
305 psynch_cvwait 801d9020 T
306 psynch_rw_rdlock 801d96ec T
307 psynch_rw_wrlock 801da508 T
308 psynch_rw_unlock 801daa3c T
309 psynch_rw_unlock2 801dad10 T
310 getsid 801a5880 T
311 settid_with_pid 801a63f8 T
312 old __pthread_cond_timedwait 801d95e8 T
313 aio_fsync 80191278 T
314 aio_return 8019143c T
315 aio_suspend 801916a0 T
316 aio_cancel 80190e24 T
317 aio_error 801911d4 T
318 aio_read 8019141c T
319 aio_write 801918a4 T
320 lio_listio 801918c4 T
321 old __pthread_cond_wait 801b3aa4 T
322 iopolicysys 801a795c T
323 801df090 T
324 mlockall 801a24ac T
325 munlockall 801a24b0 T
326 801b3aa4 T
327 issetugid 801a5adc T
328 __pthread_kill 801a8e34 T
329 __pthread_sigmask 801a8e94 T
330 __sigwait 801a8f38 T
331 __disable_threadsignal 801a8b48 T
332 __pthread_markcancel 801a8b64 T
333 __pthread_canceled 801a8bac T
334 __semwait_signal 801a8d30 T
335 old utrace 801b3aa4 T
336 proc_info 801dd524 T
337 sendfile 801b3aa4 T
338 stat64 800a3038 T
339 fstat64 80197838 T
340 lstat64 800a3180 T
341 stat64_extended 800a3088 T
342 lstat64_extended 800a31d0 T
343 fstat64_extended 80197818 T
344 getdirentries64 800a4cd0 T
345 statfs64 800a11e4 T
346 fstatfs64 800a132c T
347 getfsstat64 800a1540 T
348 __pthread_chdir 800a181c T
349 __pthread_fchdir 800a1754 T
; -----------------------
; The following are unused in iOS - symbols are stubs returning 0x4E (ENOSYS)
350 audit 8018d990 T
351 auditon 8018d994 T
352 801b3aa4 T
353 getauid 8018d998 T
354 setauid 8018d99c T
355 getaudit 8018d9a0 T
356 setaudit 8018d9a4 T
357 getaudit_addr 8018d9a8 T
358 setaudit_addr 8018d9ac T
359 auditctl 8018d9b0 T
; ---------------------
360 bsdthread_create 801db740 T
361 bsdthread_terminate 801db9b4 T
362 kqueue 801998c4 T
363 kevent 80199948 T
364 lchown 800a3818 T
365 stack_snapshot 8019066c T
366 bsdthread_register 801dba18 T
367 workq_open 801dc70c T
368 workq_kernreturn 801dccac T
369 kevent64 80199bd4 T
370 __old_semwait_signal 801a8c1c T
371 __old_semwait_signal_nocancel 801a8c54 T
372 thread_selfid 801dd27c T
373 ledger 801b5c98 T
374 801b3aa4 T
375 801b3aa4 T
376 801b3aa4 T
377 801b3aa4 T
378 801b3aa4 T
379 801b3aa4 T
380 __mac_execve 8019e4bc T
381 __mac_syscall 80244734 T
382 __mac_get_file 802443d4 T
383 __mac_set_file 80244628 T
384 __mac_get_link 80244504 T
385 __mac_set_link 80244724 T
386 __mac_get_proc 80243eb0 T
387 __mac_set_proc 80243f74 T
388 __mac_get_fd 80244280 T
389 __mac_set_fd 80244514 T
390 __mac_get_pid 80243ddc T
391 __mac_get_lcid 80244030 T
392 __mac_get_lctx 802440fc T
393 __mac_set_lctx 802441c0 T
394 setlcid 801a67cc T
395 getlcid 801a68ac T
396 read_nocancel 801b3ae0 T
397 write_nocancel 801b3ec0 T
398 open_nocancel 800a1ee8 T
399 close_nocancel 8019758c T
400 wait4_nocancel 8019f484 T
401 recvmsg_nocancel 801cfe04 T
402 sendmsg_nocancel 801cf978 T
403 recvfrom_nocancel 801cfa60 T
404 accept_nocancel 801cf04c T
405 msync_nocancel 801a20d8 T
406 fcntl_nocancel 80195fe4 T
407 select_nocancel 801b4518 T
408 fsync_nocancel 800a3cd0 T
409 connect_nocancel 801cf364 T
410 sigsuspend_nocancel 801a8ae4 T
411 readv_nocancel 801b3d6c T
412 writev_nocancel 801b4114 T
413 sendto_nocancel 801cf69c T
414 pread_nocancel 801b3cc4 T
415 pwrite_nocancel 801b4028 T
416 waitid_nocancel 8019f87c T
417 poll_nocancel 801b4d24 T
418 msgsnd_nocancel 801b3aa4 T
419 msgrcv_nocancel 801b3aa4 T
420 sem_wait_nocancel 801d3814 T
421 aio_suspend_nocancel 801916c0 T
422 __sigwait_nocancel 801a8f70 T
423 __semwait_signal_nocancel 801a8d68 T
424 __mac_mount 8009fd34 T
425 __mac_get_mount 80244900 T
426 __mac_getfsstat 800a13b4 T
427 fsgetpath 800a66d4 T
428 audit_session_self 8018d984 T
429 audit_session_join 8018d988 T
430 fileport_makeport 80198ad4 T
431 fileport_makefd 80198c58 T
432 audit_session_port 8018d98c T
433 pid_suspend 801e084c T
434 pid_resume 801e08bc T
435 pid_hibernate 801e0928 T
436 pid_shutdown_sockets 801e0984 T
437 old shared_region_slide_np 801b3aa4 T
438 shared_region_map_and_slide_np 801e1008 T
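As an added example (not the page's fsysent tool, whose source is not shown here), the following C program applies the signature approach from the sysent section above: it walks a 32-bit kernel image looking for consecutive struct sysent entries whose sy_narg and sy_arg_bytes match the fixed prototypes of syscalls 0 through 6, and whose sy_call fields look like kernel text pointers. It assumes a little-endian ARM kernel with the struct laid out as quoted from bsd/sys/sysent.h (4-byte pointers, 24 bytes per entry after padding) and kernel text in 0x80000000-0x80ffffff, the range the listing above shows; the image it scans is a constructed 512-byte stand-in carrying the iOS 5.1 handler addresses from that listing, not a real kernelcache.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYSENT_SIZE 24u   /* sizeof(struct sysent) on a 32-bit kernel, padded (assumed) */

/* struct sysent from bsd/sys/sysent.h, with the pointer fields as 32-bit VAs. */
struct sysent32 {
    int16_t  sy_narg;
    int8_t   sy_resv;
    int8_t   sy_flags;
    uint32_t sy_call;
    uint32_t sy_arg_munge32;
    uint32_t sy_arg_munge64;
    int32_t  sy_return_type;
    uint16_t sy_arg_bytes;
};

/* Signature of syscalls 0..6: (narg, 32-bit argument bytes) from their fixed prototypes. */
static const struct { const char *name; int16_t narg; uint16_t bytes; } sig[] = {
    { "syscall", 0,  0 },  /* 0: indirect syscall, nosys */
    { "exit",    1,  4 },  /* 1: exit(int) */
    { "fork",    0,  0 },  /* 2: fork(void) */
    { "read",    3, 12 },  /* 3: read(int, void *, size_t) */
    { "write",   3, 12 },  /* 4: write(int, const void *, size_t) */
    { "open",    3, 12 },  /* 5: open(const char *, int, int) */
    { "close",   1,  4 },  /* 6: close(int) */
};
#define NSIG (sizeof sig / sizeof sig[0])

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Decode one little-endian struct sysent at p. */
struct sysent32 sysent_decode(const uint8_t *p) {
    struct sysent32 e;
    e.sy_narg = (int16_t)rd16(p);
    e.sy_resv = (int8_t)p[2];
    e.sy_flags = (int8_t)p[3];
    e.sy_call = rd32(p + 4);
    e.sy_arg_munge32 = rd32(p + 8);
    e.sy_arg_munge64 = rd32(p + 12);
    e.sy_return_type = (int32_t)rd32(p + 16);
    e.sy_arg_bytes = rd16(p + 20);
    return e;
}

/* iOS 5 kernel text lives at 0x80xxxxxx (see the handler addresses listed above; assumed). */
static int looks_like_kernel_text(uint32_t va) { return (va & 0xff000000u) == 0x80000000u; }

/* True if NSIG consecutive entries starting at p carry the expected signatures. */
static int matches_at(const uint8_t *p) {
    for (size_t i = 0; i < NSIG; i++) {
        struct sysent32 e = sysent_decode(p + i * SYSENT_SIZE);
        if (e.sy_narg != sig[i].narg || e.sy_arg_bytes != sig[i].bytes) return 0;
        if (!looks_like_kernel_text(e.sy_call)) return 0;
    }
    return 1;
}

/* File offset of sysent[0] in img, or -1. The table holds pointers, so it is 4-byte aligned. */
long find_sysent(const uint8_t *img, size_t len) {
    for (size_t off = 0; off + NSIG * SYSENT_SIZE <= len; off += 4)
        if (matches_at(img + off)) return (long)off;
    return -1;
}

/* Handler VA of syscall n, given the offset find_sysent() returned. */
uint32_t sysent_call(const uint8_t *img, long sysent_off, unsigned n) {
    return sysent_decode(img + sysent_off + n * SYSENT_SIZE).sy_call;
}

/* Constructed stand-in for a kernelcache: filler, a decoy entry, then sysent[0..6] at
 * 0x60 carrying the iOS 5.1 handler addresses from the listing above. */
static uint8_t g_img[512];
const uint8_t *build_sample_image(size_t *len) {
    static const uint32_t calls[] = { 0x801b3aa4, 0x8019e924, 0x801a15cc, 0x801b3ac0,
                                      0x801b3ea0, 0x800a1e64, 0x80197570 };
    memset(g_img, 0x5a, sizeof g_img);
    memset(g_img + 0x20, 0, SYSENT_SIZE);     /* decoy: one nosys-shaped entry ... */
    wr32(g_img + 0x20 + 4, 0x80001000u);      /* ... followed by filler, so it must be rejected */
    for (size_t i = 0; i < NSIG; i++) {
        uint8_t *e = g_img + 0x60 + i * SYSENT_SIZE;
        memset(e, 0, SYSENT_SIZE);
        e[0] = (uint8_t)sig[i].narg;          /* narg and arg bytes fit in one byte here */
        wr32(e + 4, calls[i]);
        e[20] = (uint8_t)sig[i].bytes;
    }
    if (len) *len = sizeof g_img;
    return g_img;
}

int main(void) {
    size_t len;
    const uint8_t *img = build_sample_image(&len);
    long off = find_sysent(img, len);
    if (off < 0) { puts("sysent not found"); return 1; }
    printf("Sysent offset in file (for patching purposes): %ld (0x%lx)\n", off, off);
    for (size_t i = 0; i < NSIG; i++)
        printf("%zu %s %08x T\n", i, sig[i].name, (unsigned)sysent_call(img, off, (unsigned)i));
    return 0;
}
```

On a real kernelcache, read the decrypted and decompressed Mach-O into memory and hand it to find_sysent(); the offset it returns is the file offset to patch, and sysent_call() turns an index from the list into the handler's virtual address. The multi-entry signature is what makes this robust: a lone nosys-shaped entry, like the decoy in the sample image, is rejected because the entries that follow it do not match.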
Mach
XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach syscalls (on 32-bit systems like iOS) are encoded as negative numbers, which is clever, since POSIX system calls are all non-negative. For example, consider mach_msg_trap:
    _mach_msg_trap:
    0001a8b4  e1a0c00d  mov   ip, sp                 ; ip = caller's sp, where args 5-7 live
    0001a8b8  e92d0170  push  {r4, r5, r6, r8}
    0001a8bc  e89c0070  ldm   ip, {r4, r5, r6}       ; copy stack args 5-7 into r4-r6
    0001a8c0  e3e0c01e  mvn   ip, #30   @ 0x1e       ; ip = ~30 = -31, i.e. Mach trap 31 (mach_msg_trap)
    0001a8c4  ef000080  svc   0x00000080             ; issue a supervisor call
    0001a8c8  e8bd0170  pop   {r4, r5, r6, r8}
    0001a8cc  e12fff1e  bx    lr
    ..
    _semaphore_signal_all_trap:
    0001a8f8  e3e0c021  mvn   ip, #33   @ 0x21       ; ip = ~33 = -34, i.e. Mach trap 34 (semaphore_signal_all_trap)
    0001a8fc  ef000080  svc   0x00000080
    0001a900  e12fff1e  bx    lr
Mach system calls are commonly known as "traps", and are kept in the mach_trap_table. iOS's fleh_swi handler (the kernel entry point on the other side of the SWI/SVC instruction) checks the system call number in R12: if it is negative, it is negated (two's complement) and used as an index into the Mach trap table instead of sysent. Note that the user-mode stubs load the number with MVN, which is a bitwise NOT rather than a negation: mvn ip, #30 leaves ~30 = -31 in R12, so the trap reached is number 31, not 30. The immediate in a stub is therefore always one less than the trap number in the table below.
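To make the number handling concrete, here is an added C model (mine, not the page's or XNU's code) of the classification described above and in the note at the top of the page: the value the user stub leaves in R12 is read as a signed 32-bit integer, non-negative values index sysent, negative values are negated and index the Mach trap table. It also shows why the stubs use MVN: r12_from_mvn() computes what mvn ip, #imm leaves in R12, which is ~imm = -(imm+1). The two name tables are constructed subsets of the iOS 5.1 listings on this page; the table sizes (439 Unix entries, as listed above; 128 Mach slots, XNU's MACH_TRAP_TABLE_COUNT) and the bounds checks are assumptions about what the real fleh_swi path must do, not something the page states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum personality { CALL_INVALID = 0, CALL_UNIX, CALL_MACH };

struct call_info {
    enum personality kind;
    unsigned number;      /* index into sysent or mach_trap_table */
    const char *name;     /* NULL if the slot is not in the constructed subset below */
};

/* Constructed subset of the iOS 5.1 sysent listing on this page. */
static const struct { unsigned n; const char *name; } unix_names[] = {
    { 1, "exit" }, { 3, "read" }, { 4, "write" }, { 5, "open" },
    { 16, "chown" }, { 59, "execve" }, { 373, "ledger" },
};
#define UNIX_TABLE_LEN 439u    /* entries 0..438 in the listing above */

/* Constructed subset of the iOS 5.1 mach_trap_table listing on this page. */
static const struct { unsigned n; const char *name; } mach_names[] = {
    { 26, "mach_reply_port" }, { 28, "task_self_trap" }, { 31, "mach_msg_trap" },
    { 34, "semaphore_signal_all_trap" }, { 45, "task_for_pid" }, { 100, "iokit_user_client_trap" },
};
#define MACH_TABLE_LEN 128u    /* MACH_TRAP_TABLE_COUNT in XNU (assumed) */

static const char *unix_name(unsigned n) {
    for (size_t i = 0; i < sizeof unix_names / sizeof unix_names[0]; i++)
        if (unix_names[i].n == n) return unix_names[i].name;
    return NULL;
}

static const char *mach_name(unsigned n) {
    for (size_t i = 0; i < sizeof mach_names / sizeof mach_names[0]; i++)
        if (mach_names[i].n == n) return mach_names[i].name;
    return NULL;
}

/* What "mvn ip, #imm" leaves in R12: a bitwise NOT, i.e. -(imm + 1), not -imm. */
int32_t r12_from_mvn(uint8_t imm) { return (int32_t)~(uint32_t)imm; }

/* The MVN immediate a stub needs to reach Mach trap number `trap`. */
uint8_t mvn_imm_for_trap(unsigned trap) { return (uint8_t)(trap - 1); }

/* Classify the raw R12 value the way the fleh_swi path described above does. */
struct call_info dispatch(uint32_t r12) {
    struct call_info ci = { CALL_INVALID, 0, NULL };
    int32_t num = (int32_t)r12;            /* the number is interpreted as signed */
    if (num < 0) {
        if (num == INT32_MIN) return ci;   /* -num is not representable; reject it */
        unsigned trap = (unsigned)(-num);  /* two's complement flip -> trap index */
        if (trap >= MACH_TABLE_LEN) return ci;
        ci.kind = CALL_MACH; ci.number = trap; ci.name = mach_name(trap);
    } else {
        if ((unsigned)num >= UNIX_TABLE_LEN) return ci;
        ci.kind = CALL_UNIX; ci.number = (unsigned)num; ci.name = unix_name((unsigned)num);
    }
    return ci;
}

int main(void) {
    /* Constructed R12 samples: the chown stub, the two Mach stubs shown above,
     * INT32_MIN, and an index past the end of sysent. */
    const uint32_t samples[] = {
        16, (uint32_t)r12_from_mvn(30), (uint32_t)r12_from_mvn(33), 0x80000000u, 1000
    };
    static const char *kinds[] = { "invalid", "unix", "mach" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct call_info ci = dispatch(samples[i]);
        printf("r12=0x%08x -> %-7s #%-4u %s\n", (unsigned)samples[i], kinds[ci.kind], ci.number,
               ci.name ? ci.name : "(nosys/kern_invalid, or not in the subset)");
    }
    return 0;
}
```

The INT32_MIN case is the edge worth remembering: 0x80000000 is negative, but negating it overflows back to itself, so a handler that flips the sign and indexes without a range check would read past the trap table; any real dispatcher has to reject both that value and anything beyond the table length.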
mach_trap_table
In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid fills the unused slots, playing the role nosys/ENOSYS plays in sysent. All the trap handlers are ARM Thumb code, hence the +1 (the Thumb bit) on their addresses in the output below. The fsysent binary can locate the Mach trap table as well, via its -m switch:
$ ./fsysent -m ~/Documents/projects/iOS.5.1.iPod4.kernel
This is an ARM binary. Applying iOS kernel signatures
mach_trap_table offset in file (for patching purposes): 2855556 (0x2b9284)
Kern invalid detected at 0x80025f50 (+1). Ignoring those.
..This appears to be XNU 1878.11.8
// -- New in iOS 5 (and expect these in Mountain Lion)
10 _kernelrpc_mach_vm_allocate_trap 800132ac T
11 _kernelrpc_vm_allocate_trap 80013318 T
12 _kernelrpc_mach_vm_deallocate_trap 800133b4 T
13 _kernelrpc_vm_deallocate_trap 80013374 T
14 _kernelrpc_mach_vm_protect_trap 8001343c T
15 _kernelrpc_vm_protect_trap 800133f8 T
16 _kernelrpc_mach_port_allocate_trap 80013494 T
17 _kernelrpc_mach_port_destroy_trap 800134e4 T
18 _kernelrpc_mach_port_deallocate_trap 80013520 T
19 _kernelrpc_mach_port_mod_refs_trap 8001355c T
20 _kernelrpc_mach_port_move_member_trap 8001359c T
21 _kernelrpc_mach_port_insert_right_trap 800135e0 T
22 _kernelrpc_mach_port_insert_member_trap 8001363c T
23 _kernelrpc_mach_port_extract_member_trap 80013680 T
// -----------------------------------------
26 mach_reply_port 800198ac T
27 thread_self_trap 80019890 T
28 task_self_trap 80019870 T
29 host_self_trap 80017db8 T
31 mach_msg_trap 80013c1c T
32 mach_msg_overwrite_trap 80013ae4 T
33 semaphore_signal_trap 800252d4 T
34 semaphore_signal_all_trap 80025354 T
35 semaphore_signal_thread_trap 80025260 T
36 semaphore_wait_trap 800255e8 T
37 semaphore_wait_signal_trap 8002578c T
38 semaphore_timedwait_trap 800256c8 T
39 semaphore_timedwait_signal_trap 8002586c T
44 task_name_for_pid 801e0734 T
45 task_for_pid 801e0598 T
46 pid_for_task 801e054c T
48 macx_swapon 801e127c T
49 macx_swapoff 801e14cc T
51 macx_triggers 801e1260 T
52 macx_backing_store_suspend 801e11f0 T
53 macx_backing_store_recovery 801e1198 T
58 pfz_exit 80025944 T
59 swtch_pri 800259f4 T
60 swtch 80025948 T
61 thread_switch 80025bb8 T
62 clock_sleep_trap 800160f0 T
89 mach_timebase_info_trap 80015318 T
90 mach_wait_until_trap 80015934 T
91 mk_timer_create_trap 8001d238 T
92 mk_timer_destroy_trap 8001d428 T
93 mk_timer_arm_trap 8001d46c T
94 mk_timer_cancel_trap 8001d4f0 T
100 iokit_user_client_trap (probably) 80234aa0 T