Talk:LV2 Functions and Syscalls: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 632: | Line 632: | ||
sys_dbg_get_event_flag_information | sys_dbg_get_event_flag_information | ||
sys_dbg_disable_floating_point_enabled_exception | sys_dbg_disable_floating_point_enabled_exception | ||
== Custom Syscalls == | |||
This is a fself for testing that when started in 4.21 DEX CFW will add lv2_alloc as Syscall 32(Replaces: UNUSED_SYSCALL). It will then try to use it and printf the received pointer. Please test and report back. http://rghost.net/48803322 | |||
== firmware version offsets == | == firmware version offsets == | ||
Revision as of 15:23, 17 September 2013
Lv2 Syscall Services Usage
Documentation about syscalls with packet id
Syscall 621 (0x26D) Gamepad Ycon Interface
syscall(621,packet_id,r4,r5)
| Packet ID | Usage |
|---|---|
| 0 | sys_gamepad_ycon_initialize ( 0, 0) |
| 1 | sys_gamepad_ycon_finalize ( 0, 0) |
| 2 | sys_gamepad_ycon_has_input_ownership ( inout[8](if==0->autofill), out[1]) |
| 3 | sys_gamepad_ycon_enumerate_device ( 0, out[0x20]) |
| 4 | sys_gamepad_ycon_get_device_info ( in[8], out[0x1C]) |
| 5 | sys_gamepad_ycon_read_raw_report ( in[4], out[4]) |
| 6 | sys_gamepad_ycon_write_raw_report ( in[0x3C], out[]) |
| 7 | sys_gamepad_ycon_get_feature ( in[8], out[0x38?]) |
| 8 | sys_gamepad_ycon_set_feature (in[6+x](4Bytes+1Byte+1Byte[contains size x]+xBytes),0) |
| 9 | sys_gamepad_ycon_is_gem ( 0,out[1]) |
Syscall 726 (0x2D6) Gelic Device Eurus Post Command
syscall(726,uint16_t cmd, uint8_t *cmdbuf, uint64_t cmdbuf_size)
| Packet ID | Description |
|---|
Syscall 861 (0x35D)
syscall(861,packet_id, r4,r5,r6,r7,r8,r9,r10)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Usage |
|---|---|
| 0 | not implemented |
| 1 | |
| 2 | |
| 3 | |
| 4 | |
| 5 | |
| 6 | |
| 7 | |
| 8 | |
| 9 | not implemented |
| 10 | not implemented |
| 11 | |
| 12 | |
| 13 | |
| 14 | |
| 15 | |
| 16 | |
| 17 | |
| 18 | |
| 19 |
Syscall 862 (0x35E) Virtual TRM Manager Interface
syscall(862,packet_id, r4,r5,r6,r7)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Usage |
|---|---|
| 0x2001 | |
| 0x2002 | |
| 0x2003 | |
| 0x2004 | |
| 0x2005 | |
| 0x2006 | |
| 0x2007 | not implemented |
| 0x2008 | not implemented |
| 0x2009 | not implemented |
| 0x200A | |
| 0x200B | |
| 0x200C | |
| 0x200D | |
| 0x200E | vtrm_decrypt_master(uint8[0x10],uint8[0x40] |
| 0x200F | not implemented |
| 0x2010 | not implemented |
| 0x2011 | not implemented |
| 0x2012 | |
| 0x2013 | |
| 0x2014 | |
| 0x2015 | |
| 0x2016 | |
| 0x2017 |
Syscall 863 (0x35F) Update Manager Interface
syscall(863,packet_id, r4,r5,r6,r7,r8,r9)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Usage |
|---|---|
| 0x6001 | update_mgr_update_package_tophalf( ,,,) |
| 0x6002 | update_manager_if::Inspect_Package(int package_type(1-9),sys_addr_tr * alloc_addr,size,r7=9(cex)/5(dex/tool),r8=out:uint64_t*) |
| 0x6003 | update_manager_if::Get_Package_Info(int package_type,out:uint64_t*) |
| 0x6004 | update_mgr_get_fix_instruction( ) |
| 0x6005 | update_mgr_extract_package_tophalf( ,,,,) |
| 0x6006 | update_mgr_get_extract_package(,,,,,) |
| 0x6007 | not implemented |
| 0x6008 | not implemented |
| 0x6009 | update_manager_if::get_token_seed( out:uint8[size1],size1,out:uint8[size2],size2) size>=0x50 |
| 0x600A | update_manager_if::set_token(in:token[size],int size), size>=0x80 |
| 0x600B | update_manager_if::read_eprom(uint32 offset,out:uint8[1]) |
| 0x600C | update_manager_if::write_eprom(uint32 offset,uint8 value) |
| 0x600D | update_mgr_get_status( ,,,,,) |
| 0x600E | update_manager_if::allocate_buffer(size,out:sys_addr_t * alloc_addr) |
| 0x600F | update_manager_if::release_buffer(in:sys_addr_t * alloc_addr) |
| 0x6010 | not implemented |
| 0x6011 | update_manager_if::get_applicable_version(1 ,out:uint8[0x20]) |
| 0x6012 |
Syscall 864 (0x360) Storage Manager Interface
syscall(864,packet_id, r4)
Note: access to this Syscall requries at least 0x20 Debug Control Flags, else 0x80010003
| Packet ID | Description | Notes |
|---|---|---|
| 0x5004 | sys_ss_auth_bd(int) | cellSsDrvPs2DiscInsert(0x52) |
| 0x5007 | sys_ss_hw_disc_auth_emu(in/out:uint8[0x18]) | use can be restricted to certain authentication id's |
| 0x5008 | sys_ss_hw_mc(in/out:uint8[0x38]) | use can be restricted to certain authentication id's |
Syscall 865 (0x361) Random Number Generator
syscall(865,packet_id, r4,r5)
| Packet ID | Description | Notes |
|---|---|---|
| 1 | syscall(865,1, out[0x18], 0x18) | size is static usage with this packet_id requires either 0x40 Root Flags or [0x1B]=8 and a certain authentication id |
| 2 | sys_get_random_number(out[size], size) |
Syscall 866 (0x362) Secure RTC Manager Interface
syscall(866,packet_id, r4, r5, r6)
| Packet ID | Description | Notes |
|---|---|---|
| 0x3001 | secure_rtc_set_rtc(r4,r5) | requries 0x40 root control flags |
| 0x3002 | secure_rtc_get_time(r4,r5,r6) | might be restricted to certain authentication id's |
| 0x3003 | secure_rtc_set_time(r4,r5) | requries 0x40 root control flags |
Syscall 867 (0x363) AIM Manager Interface
syscall(867,packet_id, r4)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Description |
|---|---|
| 0x19002 | cellSsAimGetDeviceType(out:uint8[0x10]) |
| 0x19003 | cellSsAimGetDeviceId(out:uint8[0x10]) |
| 0x19004 | cellSsAimGetPsCode(out:uint8[8]) |
| 0x19005 | cellSsAimGetOpenPsId(out:uint8[0x10]) |
| 0x19006 | syscall(867,0x19006) |
Syscall 868 (0x364) Indi Info Manager Interface
syscall(868,packet_id, r4,r5,r6,r7)
Note: access to this Syscall requries 0x40 Root Control Flags, but allows 0x20 Debug Flags and certain authentication id's for first packet_id
| Packet ID | Description |
|---|---|
| 0x17001 | |
| 0x17002 | |
| 0x17003 | |
| 0x17004 | |
| 0x17005 | |
| 0x17006 | |
| 0x17007 | |
| 0x17008 | |
| 0x17009 | |
| 0x1700A | |
| 0x1700B | |
| 0x1700C | |
| 0x1700D | |
| 0x1700E | |
| 0x1700F | |
| 0x17010 | |
| 0x17011 | |
| 0x17012 | |
| 0x17013 | |
| 0x17014 | |
| 0x17015 | |
| 0x17016 | |
| 0x17017 |
Syscall 869 (0x365) RTC? Manager Interface
syscall(869,packet_id, r4)
Note: access to this Syscall requries 0x40 Root Control Flags and possibly restricted to certain authentication id's, else 0x80010003
| Packet ID | Description |
|---|---|
| 0x22001 | syscall(869,0x22001, out:uint8[0x80]) |
| 0x22002 | syscall(869,0x22002, out:uint8[0x690]) |
| 0x22003 | syscall(869,0x22003, in:uint8[8]) |
| 0x22004 | syscall(869,0x22004, int) |
Syscall 871 (0x367) SS Access Control Engine
syscall(871,packet_id, r4)
| Packet ID | Usage | Notes |
|---|---|---|
| 1 | syscall(871,1,sys_pid_t id,out:uint8[8]) | this packet_id requires 0x20 Debug Control Flags or [0x1B]=8 and a certain authentication id, else 0x80010003 |
| 2 | syscall(871,2,out:uint8[8]) | returns authentication id? |
| 3 | syscall(871,3,sys_pid_t id) | this packet_id requries 0x20 Debug Control Flags, else 0x80010003, but returns 0x8001009 |
Syscall 876 (0x36C) Disc Access Control
syscall(876,packet_id, r4)
Note: accessing this Syscall is restricted to certain authentication id's
| Packet ID | Description |
|---|---|
| 0x20000 | sys_get_disc_access_control(out:uint8[4]) |
| 0x20001 | sys_set_disc_access_control(0 / 1) |
Syscall 877 (0x36D) User Token Interface
syscall(877,packet_id, r4,size)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Description |
|---|---|
| 0x25003 | sys_ss_utoken_decrypt(uint8[0xC50], 0xC50) |
| 0x25004 | sys_ss_utoken_get?(out:uint8[0xC50], 0xC50) |
| 0x25005 | sys_ss_utoken_encrypt(uint8[0xC50], 0xC50) |
Syscall 878 (0x36E) Ad Sign
syscall(878,packet_id, r4,r5)
Note: access to this Syscall is restricted to certain authentication id's
| Packet ID | Description |
|---|---|
| 0x26001 | sys_ss_ad_sign(in:uint8[0x14],out:uint[0x80]) |
Syscall 879 (0x36F) Media ID
syscall(862,packet_id, r4)
Note: access to this Syscall is restricted to certain authentication id's
Note2: it uses Storage Service Id 0x5007, 0x4B
| Packet ID | Description |
|---|---|
| 0x10001 | sysBdMediaId(out:uint8[0x10]) |
not on the wiki yet
these lv2 syscalls are present, but neither ordinal nor branches are known yet
sys_usbbtaudio_start_recording_ex
sys_lwcond_attribute_name_set
sys_lwmutex_attribute_name_set
sys_event_flag_attribute_name_set
sys_semaphore_attribute_name_set
sys_cond_attribute_name_set
sys_mutex_attribute_name_set
sys_raw_spu_mmio_read_ls
sys_raw_spu_mmio_write_ls
sys_raw_spu_mmio_read
sys_raw_spu_mmio_write
sys_event_queue_attribute_name_set
sys_lwcond_signal
sys_lwcond_signal_all
sys_lwcond_signal_to
sys_lwcond_wait
sys_spu_elf_get_segments
sys_raw_spu_image_load
sys_mmapper_allocate_memory
sys_ppu_thread_unregister_atexit
sys_ppu_thread_once
sys_prx_exitspawn_with_level
sys_process_at_Exitspawn
sys_process_atexitspawn
sys_game_process_exitspawn2
sys_process_is_stack
debug syscalls sys_dbg_set_stacksize_ppu_exception_handler sys_dbg_get_spu_thread_group_ids sys_dbg_get_ppu_thread_ids sys_dbg_get_spu_thread_ids sys_dbg_register_ppu_exception_handler sys_dbg_mat_set_condition sys_dbg_read_spu_thread_context2 sys_dbg_enable_floating_point_enabled_exception sys_dbg_get_event_queue_information sys_dbg_get_spu_thread_name sys_dbg_get_ppu_thread_name sys_dbg_signal_to_ppu_exception_handler sys_dbg_get_mutex_information sys_dbg_vm_get_page_information sys_dbg_mat_get_condition sys_dbg_get_cond_information sys_dbg_get_ppu_thread_status sys_dbg_get_lwcond_information sys_dbg_get_rwlock_information sys_dbg_get_spu_thread_group_status sys_dbg_get_semaphore_information sys_dbg_set_mask_to_ppu_exception_handler sys_dbg_get_coredump_params sys_dbg_get_address_from_dabr sys_dbg_get_spu_thread_group_name sys_dbg_finalize_ppu_exception_handler sys_dbg_read_spu_thread_context sys_dbg_initialize_ppu_exception_handler sys_dbg_read_ppu_thread_context sys_dbg_unregister_ppu_exception_handler sys_dbg_get_lwmutex_information sys_dbg_signal_to_coredump_handler sys_dbg_set_address_to_dabr sys_dbg_get_event_flag_information sys_dbg_disable_floating_point_enabled_exception
Custom Syscalls
This is a fself for testing that when started in 4.21 DEX CFW will add lv2_alloc as Syscall 32(Replaces: UNUSED_SYSCALL). It will then try to use it and printf the received pointer. Please test and report back. http://rghost.net/48803322
firmware version offsets
| FW version | Offset | Value | Notes |
|---|---|---|---|
| 3.72 Retail | 0x9150 | ||
| 3.70 Retail | 0x9088 | ||
| 3.66 Retail | 0x8ef8 | ||
| 3.61 Retail | 0x8d04 | ||
| 3.60 Retail | 0x8ca0 | ||
| 3.56 Retail | 0x8b10 | ||
| 3.55 Retail | 0x3329b8 | 0x8aac | |
| 3.55 DEX | |||
| 3.50 Retail | 0x88b8 | ||
| 3.42 Retail | 0x8598 | ||
| 3.41 Retail | 0x2d7580 | 0x8534 | |
| 3.41 DEX | |||
| 3.41 KIOSK | 0x8534 | ||
| 3.40 Retail | 0x84d0 | ||
| 3.30 Retail | 0x80e8 | ||
| 3.21 Retail | 0x7d64 | ||
| 3.15 Retail | 0x2d6c00 | 0x7b0c | offset seems to be 6 further @ 0x002d6c06 (see below) |
| 3.10 Retail | 0x7918 | ||
| 3.01 Retail | 0x7594 | ||
| 2.85 Retail | 0x6f54 | ||
| 2.76 Retail | 0x6bd0 | ||
| 2.70 Retail | 0x6978 | ||
| 2.60 Retail | 0x6590 | ||
| 2.53 Retail | 0x62d4 | ||
| 2.43 Retail | 0x5eec | ||
| 1.02 Retail | 0x27d8 |
Note: the value is decimal '35500', '34100' and '31500' in hex.
Example
Example from 3.15 with 3.60 spoof:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
002D6C00 00 00 00 00 00 00 8C A0 00 00 00 00 00 00 00 00 ......Π........
^^ ^^
dec: 36000 spoofed