Talk:LV2 Functions and Syscalls

From PS3 Developer wiki
Revision as of 21:22, 29 August 2012 by Mysis (talk | contribs)

Lv2 Syscall Services Usage

Documentation about syscalls with packet id

Syscall 621 (0x26D) Gamepad Ycon Interface

syscall(621,packet_id,r4,r5)

Packet ID Usage
0 sys_gamepad_ycon_initialize ( 0, 0)
1 sys_gamepad_ycon_finalize ( 0, 0)
2 sys_gamepad_ycon_has_input_ownership ( inout[8](if==0->autofill), out[1])
3 sys_gamepad_ycon_enumerate_device ( 0, out[0x20])
4 sys_gamepad_ycon_get_device_info ( in[8], out[0x1C])
5 sys_gamepad_ycon_read_raw_report ( in[4], out[4])
6 sys_gamepad_ycon_write_raw_report ( in[0x3C], out[])
7 sys_gamepad_ycon_get_feature ( in[8], out[0x38?])
8 sys_gamepad_ycon_set_feature (in[6+x](4Bytes+1Byte+1Byte[contains size x]+xBytes),0)
9 sys_gamepad_ycon_is_gem ( 0,out[1])

Syscall 726 (0x2D6) Gelic Device Eurus Post Command

syscall(726,uint16_t cmd, uint8_t *cmdbuf, uint64_t cmdbuf_size)

Packet ID Description

Syscall 861 (0x35D)

syscall(861,packet_id, r4,r5,r6,r7,r8,r9,r10)
Note: access to this Syscall requires 0x40 Root Control Flags, else 0x80010003

Packet ID Usage
0 not implemented
1
2
3
4
5
6
7
8
9 not implemented
10 not implemented
11
12
13
14
15
16
17
18
19

Syscall 862 (0x35E) Virtual TRM Manager Interface

syscall(862,packet_id, r4,r5,r6,r7)
Note: access to this Syscall requires 0x40 Root Control Flags, else 0x80010003

Packet ID Usage
0x2001
0x2002
0x2003
0x2004
0x2005
0x2006
0x2007 not implemented
0x2008 not implemented
0x2009 not implemented
0x200A
0x200B
0x200C
0x200D
0x200E
0x200F not implemented
0x2010 not implemented
0x2011 not implemented
0x2012
0x2013
0x2014
0x2015
0x2016
0x2017

Syscall 863 (0x35F) Update Manager Interface

syscall(863,packet_id, r4,r5,r6,r7,r8,r9)
Note: access to this Syscall requires 0x40 Root Control Flags, else 0x80010003

Packet ID Usage
0x6001
0x6002
0x6003
0x6004
0x6005
0x6006
0x6007
0x6008
0x6009
0x600A
0x600B
0x600C
0x600D
0x600E
0x600F
0x6010
0x6011
0x6012

Syscall 864 (0x360) Storage Manager Interface

syscall(864,packet_id, r4)
Note: access to this Syscall requires at least 0x20 Debug Control Flags, else 0x80010003

Packet ID Description Notes
0x5004 sys_ss_auth_bd(int) cellSsDrvPs2DiscInsert(0x52)
0x5007 sys_ss_hw_disc_auth_emu(in/out:uint8[0x18]) use can be restricted to certain authentication id's
0x5008 sys_ss_hw_mc(in/out:uint8[0x38]) use can be restricted to certain authentication id's

Syscall 865 (0x361) Random Number Generator

syscall(865,packet_id, r4,r5)

Packet ID Description Notes
1 syscall(865,1, out[0x18], 0x18) size is static
usage with this packet_id requires either 0x40 Root Flags or [0x1B]=8 and a certain authentication id
2 syscall(865,2, out[size], size)


Syscall 866 (0x362) Secure RTC Manager Interface

syscall(866,packet_id, r4, r5, r6)

Packet ID Description Notes
0x3001 secure_rtc_set_rtc(r4,r5) requires 0x40 root control flags
0x3002 secure_rtc_get_time(r4,r5,r6) might be restricted to certain authentication id's
0x3003 secure_rtc_set_time(r4,r5) requires 0x40 root control flags

Syscall 867 (0x363) AIM Manager Interface

syscall(867,packet_id, r4)
Note: access to this Syscall requires 0x40 Root Control Flags, else 0x80010003

Packet ID Description
0x19002 sys_ss_aim_get_device_type(uint8[0x10])
0x19003 sys_ss_aim_get_device_id(uint8[0x10])
0x19004 sys_ss_aim_get_ps_code(uint8[8])
0x19005 sys_ss_aim_get_open_psid(uint8[0x10])
0x19006 syscall(867,0x19006)


Syscall 868 (0x364) Indi Info Manager Interface

syscall(868,packet_id, r4,r5,r6,r7)
Note: access to this Syscall requires 0x40 Root Control Flags, but allows 0x20 Debug Flags and certain authentication id's for first packet_id

Packet ID Description
0x17001
0x17002
0x17003
0x17004
0x17005
0x17006
0x17007
0x17008
0x17009
0x1700A
0x1700B
0x1700C
0x1700D
0x1700E
0x1700F
0x17010
0x17011
0x17012
0x17013
0x17014
0x17015
0x17016
0x17017

Syscall 869 (0x365) RTC? Manager Interface

syscall(869,packet_id, r4)
Note: access to this Syscall requires 0x40 Root Control Flags and is possibly restricted to certain authentication id's, else 0x80010003

Packet ID Description
0x22001 syscall(869,0x22001, out:uint8[0x80])
0x22002 syscall(869,0x22002, out:uint8[0x690])
0x22003 syscall(869,0x22003, in:uint8[8])
0x22004 syscall(869,0x22004, int)

Syscall 871 (0x367) SS Access Control Engine

syscall(871,packet_id, r4)

Packet ID Usage Notes
1 syscall(871,1,sys_pid_t id,out:uint8[8]) this packet_id requires 0x20 Debug Control Flags or [0x1B]=8 and a certain authentication id, else 0x80010003
2 syscall(871,2,out:uint8[8]) returns authentication id?
3 syscall(871,3,sys_pid_t id) this packet_id requires 0x20 Debug Control Flags, else 0x80010003, but returns 0x8001009

Syscall 876 (0x36C) Disc Access Control

syscall(876,packet_id, r4)
Note: accessing this Syscall is restricted to certain authentication id's

Packet ID Description
0x20000 sys_get_disc_access_control(out:uint8[4])
0x20001 sys_set_disc_access_control(0 / 1)

Syscall 877 (0x36D) User Token Interface

syscall(877,packet_id, r4,size)
Note: access to this Syscall requires 0x40 Root Control Flags, else 0x80010003

Packet ID Description
0x25003 sys_ss_utoken_decrypt(uint8[0xC50], 0xC50)
0x25004 sys_ss_utoken_get?(out:uint8[0xC50], 0xC50)
0x25005 sys_ss_utoken_encrypt(uint8[0xC50], 0xC50)

Syscall 878 (0x36E) Ad Sign

syscall(878,packet_id, r4,r5)
Note: access to this Syscall is restricted to certain authentication id's

Packet ID Description
0x26001 sys_ss_ad_sign(in:uint8[0x14],out:uint[0x80])

Syscall 879 (0x36F) Media ID

syscall(879,packet_id, r4)
Note: access to this Syscall is restricted to certain authentication id's
Note2: it uses Storage Service Id 0x5007, 0x4B

Packet ID Description
0x10001 sys_ss_media_id(out:uint8[0x10])

not on the wiki yet

these lv2 syscalls are present, but neither ordinal nor branches are known yet

  sys_usbbtaudio_start_recording_ex
  sys_lwcond_attribute_name_set
  sys_lwmutex_attribute_name_set
  sys_event_flag_attribute_name_set
  sys_semaphore_attribute_name_set
  sys_cond_attribute_name_set
  sys_mutex_attribute_name_set
  sys_raw_spu_mmio_read_ls
  sys_raw_spu_mmio_write_ls
  sys_raw_spu_mmio_read
  sys_raw_spu_mmio_write
  sys_event_queue_attribute_name_set
          
  sys_lwcond_signal
  sys_lwcond_signal_all
  sys_lwcond_signal_to
  sys_lwcond_wait
  sys_spu_elf_get_segments
  sys_raw_spu_image_load
  sys_mmapper_allocate_memory
  sys_ppu_thread_unregister_atexit
  sys_ppu_thread_once
  sys_prx_exitspawn_with_level
  sys_process_at_Exitspawn
  sys_process_atexitspawn
  sys_game_process_exitspawn2
  sys_process_is_stack
  debug syscalls
  sys_dbg_set_stacksize_ppu_exception_handler
  sys_dbg_get_spu_thread_group_ids
  sys_dbg_get_ppu_thread_ids
  sys_dbg_get_spu_thread_ids
  sys_dbg_register_ppu_exception_handler
  sys_dbg_mat_set_condition
  sys_dbg_read_spu_thread_context2
  sys_dbg_enable_floating_point_enabled_exception
  sys_dbg_get_event_queue_information
  sys_dbg_get_spu_thread_name
  sys_dbg_get_ppu_thread_name
  sys_dbg_signal_to_ppu_exception_handler
  sys_dbg_get_mutex_information
  sys_dbg_vm_get_page_information
  sys_dbg_mat_get_condition
  sys_dbg_get_cond_information
  sys_dbg_get_ppu_thread_status
  sys_dbg_get_lwcond_information
  sys_dbg_get_rwlock_information
  sys_dbg_get_spu_thread_group_status
  sys_dbg_get_semaphore_information
  sys_dbg_set_mask_to_ppu_exception_handler
  sys_dbg_get_coredump_params
  sys_dbg_get_address_from_dabr
  sys_dbg_get_spu_thread_group_name
  sys_dbg_finalize_ppu_exception_handler
  sys_dbg_read_spu_thread_context
  sys_dbg_initialize_ppu_exception_handler
  sys_dbg_read_ppu_thread_context
  sys_dbg_unregister_ppu_exception_handler
  sys_dbg_get_lwmutex_information
  sys_dbg_signal_to_coredump_handler
  sys_dbg_set_address_to_dabr
  sys_dbg_get_event_flag_information
  sys_dbg_disable_floating_point_enabled_exception

firmware version offsets

FW version    Offset     Value    Notes
3.72 Retail   -          0x9150
3.70 Retail   -          0x9088
3.66 Retail   -          0x8ef8
3.61 Retail   -          0x8d04
3.60 Retail   -          0x8ca0
3.56 Retail   -          0x8b10
3.55 Retail   0x3329b8   0x8aac
3.55 DEX      -          -
3.50 Retail   -          0x88b8
3.42 Retail   -          0x8598
3.41 Retail   0x2d7580   0x8534
3.41 DEX      -          -
3.41 KIOSK    -          0x8534
3.40 Retail   -          0x84d0
3.30 Retail   -          0x80e8
3.21 Retail   -          0x7d64
3.15 Retail   0x2d6c00   0x7b0c   offset seems to be 6 further @ 0x002d6c06 (see below)
3.10 Retail   -          0x7918
3.01 Retail   -          0x7594
2.85 Retail   -          0x6f54
2.76 Retail   -          0x6bd0
2.70 Retail   -          0x6978
2.60 Retail   -          0x6590
2.53 Retail   -          0x62d4
2.43 Retail   -          0x5eec
1.02 Retail   -          0x27d8

Note: the value is the firmware version as a decimal number, stored in hex: 0x8aac, 0x8534 and 0x7b0c are decimal 35500, 34100 and 31500.

Example

Example from 3.15 with 3.60 spoof:

   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   002D6C00  00 00 00 00 00 00 8C A0 00 00 00 00 00 00 00 00  ......Œ ........
                               ^^ ^^
                         dec: 36000 spoofed