Editing Syscalls


Latest revision Your text
Line 3: Line 3:
//-->
//-->


The PS4 kernel is based on FreeBSD 9, hence why PS4 has many syscalls in common with standard FreeBSD. However, some syscalls from FreeBSD are missing or disabled, and some custom syscalls have been added. A list of standard FreeBSD 9.1 syscalls can be found on[http://fxr.watson.org/fxr/source/sys/syscall.h?v=FREEBSD-9-1 watson.org FreeBSD headers].
The PS4 kernel is based on FreeBSD 9. A list of standard FreeBSD 9.1 system calls can be found [http://fxr.watson.org/fxr/source/sys/syscall.h?v=FREEBSD-9-1 here].


Compatibility (for 32-bit on 64-bit) syscalls, and some others, have been disabled. The first custom Sony syscall comes at number 99. But PS4 specific syscalls come after the last FreeBSD 9.1 syscall, posix_fadvise, syscall 531. Currently, the last custom Sony syscall ID is 677 (as of FW 6.51). Calling any syscall with ID higher than 677 gives the same result as calling a compatibility or unimplemented syscall: a "There is not enough free system memory" error/segfault.
Compatibility system calls, and some others, have been disabled. The first custom Sony system call comes at number 99. But PS4 specific syscalls come after the last FreeBSD 9.1 system call, posix_fadvise, syscall 531. Currently, the last custom Sony system call is 677 (FW 6.51). Calling any system calls higher than 677 gives the same result as calling a compatibility or unimplemented system call: a "There is not enough free system memory" error/segfault.


As of FW 1.76, of the 85 explored sony syscalls (532 - 617):
As of FW 1.76, of the 85 explored sony system calls (532 - 617):
* Two will not be implemented in retail units (possibly in DevKits though) and return 0x4E ENOSYS, being sys_dynlib_dlopen and sys_dl_notify_event
* Two will not be implemented in retail units (possibly in devkits though) and return 0x4E ENOSYS, being sys_dynlib_dlopen and sys_dl_notify_event
* Eight will return 0x4E ENOSYS should the caller be lacking credentials (td->td_proc->p_ucred)
* Eight will return 0x4E ENOSYS should the caller be lacking credentials (td->td_proc->p_ucred)
* Four will return 0x4E ENOSYS should the caller have insufficient privileges (uid0)
* Four will return 0x4E ENOSYS should the caller have insufficient privileges (uid0)
* Three will return 0x01 EPERM should the caller have insufficient privileges (uid0)
* Three will return 0x01 EPERM should the caller have insufficient privileges (uid0)
* One explicitly requires to run a PS4 DevKit (sys_set_gpo), as it sets output to debug LEDs that only development kit units have.
* One explicitly requires a development kit (sys_set_gpo), as it sets output to debug LEDs that only development kit units have.


== Reverse engineering ==
As of firmware version 3.55 there is evidence of new syscalls!
 
Syscalls are mostly called by libkernel.sprx that exports wrappers to application. For example libkernel exports sceIoOpen function that is a wrapper to sys_open syscall.


https://i.gyazo.com/aa2bceacf5e5f45a15495fcdb79585cb.png
https://i.gyazo.com/aa2bceacf5e5f45a15495fcdb79585cb.png


You can find an IDA Pro .idc script made by Cloverleafswag3 to label syscalls in libkernel [http://pastebin.com/xch7pb2H here]
You can find an IDA Pro .idc script made by Cloverleafswag3 to label system calls in libkernel [http://pastebin.com/xch7pb2H here]
An updated, janky, hacky version by X41 can be found [https://pastebin.com/2UWVj1N3 here]
An updated, janky, hacky version by X41 can be found [https://pastebin.com/2UWVj1N3 here]


== Functions of PS4 custom syscalls ==
== Functions of PS4 custom system calls ==


Known calls include those relating to:
# Modules
# Modules
# Memory
# Memory
# Process sandbox
# Sandboxing
# Semaphores, ?mutexes?
# Semaphores


Other operations, such as file I/O and networking are handled through the standard FreeBSD 9.0 syscalls.
Other potential calls could be for:
# Mutexes


== PS4 custom syscalls ==
Other operations, such as file I/O and networking are handled through the standard FreeBSD 9.0 system calls which can be found linked above.


* Syscalls prototypes in the following table are for usermode interface. If it was kernel interface, the prototypes would have a thread pointer and a uap pointer:
== PS4 custom system calls ==
<source>sys_xxx(struct thread* td, struct xxx_args* uap);</source>


{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
! Syscall ID !! <abbr title="Firmware Version">PS4 FW Version</abbr> !! Syscall name !! Syscall usermode prototype !! Notes
! #syscall ID !! <abbr title="Firmware Version">FW Ver</abbr> !! Name !! Prototype !! Notes
|-
|-
| 99 || <=1.01? || sys_netcontrol || int sys_netcontrol(int ifindex, uint op, void *buf, uint nbuf) || Using invalid ifindex, ifp is null. Before PS4 12.00, the lack of mutexes allowed double free as fdrop is called unconditionally in bnet_netevent_unset_queue. See also PS Vita SceNetPs kernel module that uses similar bnet functions.
| 99 || <=1.01? || sys_netcontrol || int sys_netcontrol(int fd, uint op, void *buf, uint nbuf) || -
|-
|-
| 101 || <=1.01? || sys_netabort || - || -
| 101 || <=1.01? || sys_netabort || - || -
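Review bot: the sys_netcontrol row (syscall 99) on the "Your text" side drops the latest revision's note that, before PS4 12.00, the lack of mutexes allowed a double free because fdrop is called unconditionally in bnet_netevent_unset_queue, and renames the first parameter from ifindex back to fd; that is the one security-relevant observation in the table and should be kept in the Notes column rather than reverted. The usermode-vs-kernel prototype remark and its `sys_xxx(struct thread* td, struct xxx_args* uap);` line exist only on the latest-revision side, so the undo would also remove the explanation of why td and uap are absent from the prototypes below. Separately, both columns cite FreeBSD 9.1 in the intro but say file I/O and networking go through "standard FreeBSD 9.0 system calls"; pick one version.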
Line 137: Line 136:
| 571 || <=1.01? || sys_budget_set || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
| 571 || <=1.01? || sys_budget_set || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
|-
| 572 || <=1.01? || sys_virtual_query || int sys_virtual_query(uint64_t addr, uint64_t unk, void *info, uint64_t info_size) || -
| 572 || <=1.01? || sys_virtual_query || - || -
|-
|-
| 573 || <=1.01? || sys_mdbg_call || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
| 573 || <=1.01? || sys_mdbg_call || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
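Review bot: the sys_virtual_query row (572) loses its prototype `int sys_virtual_query(uint64_t addr, uint64_t unk, void *info, uint64_t info_size)` and goes back to "-"; if the prototype is disputed, say why in the Notes column instead of blanking it.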
Line 175: Line 174:
| 590 || <=1.01? || sys_dynlib_dlclose || - || -
| 590 || <=1.01? || sys_dynlib_dlclose || - || -
|-
|-
| 591 || <=1.01? || sys_dynlib_dlsym || int sys_dynlib_dlsym(SceKernelModule handle, const char *symbol, void **addrp) || -
| 591 || <=1.01? || sys_dynlib_dlsym || int sys_dynlib_dlsym(int moduleHandle, char* functionName, int *destFuncOffset) || -
|-
|-
| 592 || <=1.01? || sys_dynlib_get_list || int sys_dynlib_get_list(SceKernelModule *pArray, size_t numArray, size_t * pActualNum) || -
| 592 || <=1.01? || sys_dynlib_get_list || int sys_dynlib_get_list(int *destModuleHandles, int max, int *count) || -
|-
|-
| 593 || <=1.01? || sys_dynlib_get_info || int sys_dynlib_get_info(SceKernelModule handle, SceDbgModuleInfo *pInfo) || Sony has stripped module information since 1.76 FW (STO) *
| 593 || <=1.01? || sys_dynlib_get_info || int sys_dynlib_get_info(int moduleHandle, int *destModuleInfo) || Sony has stripped module information since 1.76 FW (STO) *
|-
|-
| 594 || <=1.01? || sys_dynlib_load_prx || int sys_dynlib_load_prx(const char *moduleFileName, size_t args, const void *argp, uint32_t flags, const SceKernelLoadModuleOpt *pOpt, int *pRes) || -
| 594 || <=1.01? || sys_dynlib_load_prx || int sys_dynlib_load_prx(char* prxPath) || -
|-
|-
| 595 || <=1.01? || sys_dynlib_unload_prx || int sys_dynlib_unload_prx(SceKernelModule handle, size_t args, const void *argp, uint32_t flags, const SceKernelUnloadModuleOpt *pOpt, int *pRes) || -
| 595 || <=1.01? || sys_dynlib_unload_prx || int sys_dynlib_unload_prx(int prxID) || -
|-
|-
| 596 || <=1.01? || sys_dynlib_do_copy_relocations || - || -
| 596 || <=1.01? || sys_dynlib_do_copy_relocations || - || -
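Review bot: the dynlib prototypes on the "Your text" side are less precise than the ones they replace: sys_dynlib_dlsym's out-parameter becomes `int *destFuncOffset` where the latest revision has `void **addrp` (a full pointer, not an int offset), sys_dynlib_get_info loses the SceDbgModuleInfo type, and sys_dynlib_load_prx / sys_dynlib_unload_prx drop the args, argp, flags, pOpt and pRes parameters entirely. The fuller signatures should stay; declaring a pointer-sized out-parameter as `int *` invites truncated addresses in callers.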
Line 281: Line 280:
| 643 || >1.76? || sys_set_chicken_switches || - ||  
| 643 || >1.76? || sys_set_chicken_switches || - ||  
|-
|-
| 644 || ?>4.05>3.55? || sys_extend_page_table_pool || int sys_extend_page_table_pool(void) ||  
| 644 || >4.05>3.55? || sys_extend_page_table_pool || - ||  
|-
|-
| 645 || ?>4.05>3.55?? || sys_extend_page_table_pool2 || int sys_extend_page_table_pool2(void) || Duplicate of sys_extend_page_table_pool.
| 645 || >1.76? || sys_#645 || - ||  
|-
|-
| 646 || >1.76? || sys_get_kernel_mem_statistics || - ||  
| 646 || >1.76? || sys_get_kernel_mem_statistics || - ||  
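Review bot: rows 644 and 645 regress: `int sys_extend_page_table_pool(void)` is blanked, the name sys_extend_page_table_pool2 with its "Duplicate of sys_extend_page_table_pool" note is replaced by the placeholder sys_#645, and the firmware marker for 644 changes from "?>4.05>3.55?" to ">4.05>3.55?". Keep the names and the duplicate note; if the firmware range is uncertain, keep the leading "?" rather than dropping it.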
Line 339: Line 338:
| 672 || >1.76? || sys_dynlib_get_list_for_libdbg || - ||  
| 672 || >1.76? || sys_dynlib_get_list_for_libdbg || - ||  
|-
|-
| 673 || ?> 5.07? || sys_blockpool_move || - ||  
| 673 || ?> 5.07? || unk || - ||  
|-
|-
| 674 || ?> 5.07? || sys_virtual_query_all || - ||  
| 674 || ?> 5.07? || unk || - ||  
|-
|-
| 675 || ?> 5.07? || sys_reserve_2mb_page || - ||  
| 675 || ?> 5.07? || unk || - ||  
|-
|-
| 676 || ?> 5.07? || sys_cpumode_yield || - ||  
| 676 || ?> 5.07? || unk || - ||  
|-
|-
| 677 || ?>= 6.50? (not present on 6.20) || sys_get_phys_page_size || - || Not present in PS5 PS4EMU on PS5 FW 2.20.
| 677 || ?> 6.00? (not present on 5.55) || unk || - ||  
|}
|}


<nowiki>*</nowiki> Since FW 1.76, Sony has removed key information from sys_dynlib_get_info() (syscall 593), eg. it does not return the module's code base address, data base address, code size, nor the data size.
<nowiki>*</nowiki> Since 1.76, Sony has removed key information from sys_dynlib_get_info() (syscall 593), eg. it does not return the module's code base address, data base address, code size, or the data size.


<b>Note:</b> All system calls actually have the thread pointer as the first argument (struct thread *td), however since it's common among all system calls it's been omitted for readability.


{{Reverse Engineering}}
{{Reverse Engineering}}
<noinclude>[[Category:Main]]</noinclude>
<noinclude>[[Category:Main]]</noinclude>
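Review bot: rows 673 to 677 revert from their names (sys_blockpool_move, sys_virtual_query_all, sys_reserve_2mb_page, sys_cpumode_yield, sys_get_phys_page_size) to "unk", and the 677 firmware range changes from "?>= 6.50? (not present on 6.20)" plus the "Not present in PS5 PS4EMU on PS5 FW 2.20" note to "?> 6.00? (not present on 5.55)"; the two ranges disagree on where 677 first appears (absent on 6.20 versus absent on 5.55), so the undo should not be published until that is settled against a specific firmware. The closing Note that every syscall actually takes struct thread *td as its first argument exists only on the latest-revision side and should survive; the "nor" versus "or" change in the footnote is wording only.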