Syscalls: Difference between revisions
Latest revision as of 23:32, 8 October 2024
The PS4 kernel is based on FreeBSD 9, which is why the PS4 shares many syscalls with standard FreeBSD. However, some FreeBSD syscalls are missing or disabled, and a number of custom syscalls have been added. A list of the standard FreeBSD 9.1 syscalls can be found in the FreeBSD headers on watson.org: http://fxr.watson.org/fxr/source/sys/syscall.h?v=FREEBSD-9-1
Compatibility syscalls (for running 32-bit code on the 64-bit kernel), and some others, have been disabled. The lowest custom Sony syscall ID is 99 (sys_netcontrol): Sony reuses a few low-numbered slots that FreeBSD left unused or that belonged to the disabled compatibility syscalls (99, 101, 102, 113, 114, 125, 141 and 379 in the table below), but the bulk of the PS4-specific syscalls come after the last FreeBSD 9.1 syscall, posix_fadvise (531). The highest custom Sony syscall ID is currently 677 (as of FW 6.51). Calling any ID above 677 behaves the same as calling a disabled compatibility syscall or an unimplemented one: a "There is not enough free system memory" error or a segfault.
As of FW 1.76, of the 85 explored Sony syscalls in the range 532–617:
- Two are not implemented on retail units (possibly on DevKits) and always return ENOSYS (0x4E): sys_dynlib_dlopen and sys_dl_notify_event.
- Eight return ENOSYS (0x4E) if the caller lacks the required credentials (checked via td->td_proc->p_ucred).
- Four return ENOSYS (0x4E) if the caller lacks sufficient privileges (uid 0).
- Three return EPERM (0x01) if the caller lacks sufficient privileges (uid 0).
- One, sys_set_gpo, explicitly requires a PS4 DevKit, as it drives debug LEDs that only development kit units have.
Reverse engineering
Syscalls are mostly reached through libkernel.sprx, which exports wrapper functions to applications. For example, libkernel exports the sceIoOpen function, a wrapper around the sys_open syscall.
https://i.gyazo.com/aa2bceacf5e5f45a15495fcdb79585cb.png
An IDA Pro .idc script by Cloverleafswag3 that labels the syscalls in libkernel is available at http://pastebin.com/xch7pb2H. An updated version by X41, described by its author as janky and hacky, is available at https://pastebin.com/2UWVj1N3.
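Labeling syscall numbers in libkernel, as the scripts above do, comes down to finding the wrapper stubs, decoding the immediate loaded into rax before the `syscall` instruction, and applying the numbering rules from the introduction (FreeBSD IDs 0–531, a few Sony IDs in reused low slots, Sony IDs 532–677, nothing above 677). The following C program is an added example written for this page; it is not the IDC scripts linked above nor Sony's code. The stub encoding it searches for (mov eax/rax, imm32; mov r10, rcx; syscall) is the FreeBSD amd64 libc shape and is an assumption to confirm against the libkernel build being analysed. The byte blob it scans is constructed for the demonstration, and its name table holds only a handful of entries from the table below.

```c
/* Added example (not the linked IDC scripts or Sony's code): find syscall stubs
 * in a code blob and label them with this page's numbering rules. Assumed stub
 * shape, the FreeBSD amd64 libc one, to be confirmed against real libkernel:
 *   mov eax, imm32 (B8 xx xx xx xx)  or  mov rax, imm32 (48 C7 C0 xx xx xx xx)
 *   mov r10, rcx   (49 89 CA)
 *   syscall        (0F 05)                                                   */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum id_class {
    ID_FREEBSD,       /* standard FreeBSD 9.1 syscall, 0..531 */
    ID_SONY_LOWSLOT,  /* Sony syscall placed in a low-numbered slot */
    ID_SONY_CUSTOM,   /* Sony syscall in 532..677 */
    ID_UNIMPLEMENTED  /* above 677, the last Sony ID known on FW 6.51 */
};
static const char *const class_name[] = { "freebsd", "sony-lowslot", "sony-custom", "unimplemented" };

/* Sony IDs below 532, copied from the table on this page. */
static const int sony_low_slots[] = { 99, 101, 102, 113, 114, 125, 141, 379 };

enum id_class classify_syscall_id(int id)
{
    if (id < 0 || id > 677) return ID_UNIMPLEMENTED;
    if (id >= 532) return ID_SONY_CUSTOM;
    for (size_t i = 0; i < sizeof sony_low_slots / sizeof sony_low_slots[0]; i++)
        if (sony_low_slots[i] == id) return ID_SONY_LOWSLOT;
    return ID_FREEBSD;
}

/* A few names from the page's table (sys_open is FreeBSD syscall 5); extend as needed. */
struct sc_name { int id; const char *name; };
static const struct sc_name known_names[] = {
    {   5, "sys_open" },            {  99, "sys_netcontrol" }, { 113, "sys_socketex" },
    { 538, "sys_evf_create" },      { 544, "sys_evf_set" },    { 591, "sys_dynlib_dlsym" },
    { 593, "sys_dynlib_get_info" }, { 617, "sys_set_gpo" },    { 677, "sys_get_phys_page_size" },
};

const char *syscall_name(int id)
{
    for (size_t i = 0; i < sizeof known_names / sizeof known_names[0]; i++)
        if (known_names[i].id == id) return known_names[i].name;
    return NULL;
}

/* Syscall ID of the stub starting at p, or -1; *len receives the bytes matched
 * (the trailing jb/ret of a real wrapper is not part of the pattern). */
static int match_stub(const uint8_t *p, size_t avail, size_t *len)
{
    static const uint8_t tail[] = { 0x49, 0x89, 0xCA, 0x0F, 0x05 };
    size_t off;
    if (avail >= 1 + 4 + sizeof tail && p[0] == 0xB8) off = 1;                 /* mov eax, imm32 */
    else if (avail >= 3 + 4 + sizeof tail && p[0] == 0x48 && p[1] == 0xC7 && p[2] == 0xC0) off = 3; /* mov rax, imm32 */
    else return -1;
    if (memcmp(p + off + 4, tail, sizeof tail) != 0) return -1;
    uint32_t imm = (uint32_t)p[off] | (uint32_t)p[off + 1] << 8
                 | (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;    /* little-endian imm32 */
    *len = off + 4 + sizeof tail;
    return (int32_t)imm;
}

struct stub { size_t offset; int id; enum id_class cls; const char *name; };

/* Linear scan over the blob; each match is skipped whole so stubs never overlap. */
size_t find_syscall_stubs(const uint8_t *code, size_t size, struct stub *out, size_t max_out)
{
    size_t n = 0, len = 0;
    for (size_t i = 0; i < size; ) {
        int id = match_stub(code + i, size - i, &len);
        if (id < 0) { i++; continue; }
        if (n < max_out)
            out[n] = (struct stub){ i, id, classify_syscall_id(id), syscall_name(id) };
        n++;
        i += len;
    }
    return n;
}

/* Constructed sample (not bytes from a real libkernel): four stubs plus a decoy
 * "mov eax, 7; ret" that has no syscall tail and must not be reported. */
static const uint8_t sample_code[] = {
    0x90, 0x90,
    0xB8, 0x05, 0x00, 0x00, 0x00, 0x49, 0x89, 0xCA, 0x0F, 0x05, 0xC3,             /* @2  id 5   */
    0xB8, 0x07, 0x00, 0x00, 0x00, 0xC3,                                          /* @13 decoy  */
    0xB8, 0x63, 0x00, 0x00, 0x00, 0x49, 0x89, 0xCA, 0x0F, 0x05, 0xC3,             /* @19 id 99  */
    0x48, 0xC7, 0xC0, 0x20, 0x02, 0x00, 0x00, 0x49, 0x89, 0xCA, 0x0F, 0x05, 0xC3, /* @30 id 544 */
    0xB8, 0xBC, 0x02, 0x00, 0x00, 0x49, 0x89, 0xCA, 0x0F, 0x05, 0xC3,             /* @43 id 700 */
};

int main(void)
{
    struct stub stubs[16];
    size_t n = find_syscall_stubs(sample_code, sizeof sample_code, stubs, 16);
    for (size_t i = 0; i < n; i++)
        printf("+0x%03zx  syscall %3d  %-14s %s\n", stubs[i].offset, stubs[i].id,
               class_name[stubs[i].cls], stubs[i].name ? stubs[i].name : "(unnamed)");
    return 0;
}
```

On a real dump, point find_syscall_stubs at the mapped .text of libkernel and feed the results to the disassembler as names; any stub whose ID classifies as unimplemented, or whose immediate is loaded with an encoding the matcher does not know, is a signal to revisit the pattern rather than the table.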
Functions of PS4 custom syscalls
- Modules
- Memory
- Process sandbox
- Semaphores (and possibly mutexes)
Other operations, such as file I/O and networking, are handled through the standard FreeBSD 9 syscalls.
PS4 custom syscalls
- The prototypes in the following table are for the usermode interface. The kernel-side handlers instead take a thread pointer and a pointer to the argument block (uap):
sys_xxx(struct thread* td, struct xxx_args* uap);
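To make the usermode/kernel split concrete, here is an added C example written for this page; it is not Sony's or FreeBSD's code. The usermode half issues a raw syscall in the FreeBSD amd64 convention (ID in rax, arguments in rdi, rsi, rdx, r10, r8, r9, carry flag set on error with the errno in rax), which is what a libkernel wrapper such as sys_evf_set(int id) (544) compiles to. The kernel half is a host-side toy model of the dispatcher: struct thread, the sysent table and the handler bodies for sys_evf_set and sys_set_vm_container (559) are stand-ins invented for the example, and unknown IDs fall through to FreeBSD's nosys (ENOSYS) rather than the "not enough free system memory" failure the page reports on real hardware.

```c
/* Added example (not Sony's or FreeBSD's code): one PS4 syscall seen from both
 * sides. Usermode executes `syscall` with the ID in rax and arguments in rdi,
 * rsi, rdx, r10, r8, r9 (FreeBSD amd64 ABI); the kernel handler is
 * sys_xxx(struct thread *td, struct xxx_args *uap). The kernel side is a toy. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SYS_evf_set          544   /* IDs from the table on this page */
#define SYS_set_vm_container 559
#define PS4_LAST_SYSCALL     677   /* last known Sony syscall ID (FW 6.51) */
#define FBSD_EPERM   1             /* FreeBSD errno values quoted on the page */
#define FBSD_EINVAL  22
#define FBSD_ENOSYS  78            /* 0x4E */

/* ---- usermode side: raw FreeBSD amd64 syscall. The kernel signals failure
 * with the carry flag and the errno in rax; the wrapper turns that into
 * -1/errno as libkernel's wrappers do. Only meaningful on the target. */
static long raw_syscall6(long num, long a1, long a2, long a3,
                         long a4, long a5, long a6)
{
#if defined(__x86_64__)
    long ret = num, rdx = a3; unsigned char carry;   /* rax: ID in, result out; rdx clobbered */
    register long r10 __asm__("r10") = a4;           /* 4th argument travels in r10, not rcx */
    register long r8  __asm__("r8")  = a5;
    register long r9  __asm__("r9")  = a6;
    __asm__ volatile ("syscall\n\tsetc %2"
                      : "+a"(ret), "+d"(rdx), "=&q"(carry)
                      : "D"(a1), "S"(a2), "r"(r10), "r"(r8), "r"(r9)
                      : "rcx", "r11", "memory", "cc");
    if (carry) { errno = (int)ret; return -1; }
    return ret;
#else
    (void)num; (void)a1; (void)a2; (void)a3; (void)a4; (void)a5; (void)a6;
    errno = ENOSYS; return -1;
#endif
}

/* Usermode prototype from the table: int sys_evf_set(int id). */
static int usr_evf_set(int id) { return (int)raw_syscall6(SYS_evf_set, id, 0, 0, 0, 0, 0); }

/* ---- kernel side (toy model). FreeBSD generates one xxx_args struct per
 * syscall; each argument occupies a register-sized 8-byte slot, so an int is padded. */
struct evf_set_args { int id; char id_pad[8 - sizeof(int)]; };
struct thread { long td_retval[2]; int td_uid; };   /* toy: td_uid stands in for td->td_proc->p_ucred->cr_uid */
static uint8_t evf_state[16];                        /* toy event-flag table indexed by id */

/* Kernel interface: returns 0 or an errno; the result goes to td_retval[0]. */
static int sys_evf_set(struct thread *td, struct evf_set_args *uap)
{
    if (uap->id < 0 || (size_t)uap->id >= sizeof evf_state) return FBSD_EINVAL;
    evf_state[uap->id] = 1;
    td->td_retval[0] = 0;
    return 0;
}

/* Table: "requires privileges (uid0), else returns EPERM (0x1)". The page
 * gives no prototype, so the argument block stays opaque here. */
static int sys_set_vm_container(struct thread *td, void *uap)
{
    (void)uap; if (td->td_uid != 0) return FBSD_EPERM;
    td->td_retval[0] = 0;
    return 0;
}

typedef int (*sy_call_t)(struct thread *, void *);
struct sysent { sy_call_t sy_call; };
static int nosys(struct thread *td, void *uap) { (void)td; (void)uap; return FBSD_ENOSYS; }

/* Only two slots populated; the real table is generated from syscalls.master. */
static const struct sysent ps4_sysent[PS4_LAST_SYSCALL + 1] = {
    [SYS_evf_set]          = { (sy_call_t)sys_evf_set },
    [SYS_set_vm_container] = { sys_set_vm_container },
};

/* The trap handler reduced to essentials: ID from rax, uap from the saved argument
 * registers, look up the handler, return its errno (0 = success, result in td_retval). */
static int ps4_dispatch(struct thread *td, long num, const long regs[6])
{
    long uap[6] = { regs[0], regs[1], regs[2], regs[3], regs[4], regs[5] };
    sy_call_t fn = nosys;
    if (num >= 0 && num <= PS4_LAST_SYSCALL && ps4_sysent[num].sy_call)
        fn = ps4_sysent[num].sy_call;
    td->td_retval[0] = td->td_retval[1] = 0;
    return fn(td, uap);
}

int main(void)
{
    struct thread td = { {0, 0}, 1 };        /* unprivileged caller */
    long regs[6] = { 3, 0, 0, 0, 0, 0 };
    printf("evf_set(3)       -> errno %d\n", ps4_dispatch(&td, SYS_evf_set, regs));
    printf("set_vm_container -> errno %d\n", ps4_dispatch(&td, SYS_set_vm_container, regs));
    printf("syscall 700      -> errno %d\n", ps4_dispatch(&td, 700, regs));
    (void)usr_evf_set;                       /* target-only wrapper, kept for reference */
    return 0;
}
```

The point to take from the toy is the shape of the contract, not the bodies: the ID selects a sysent slot, every register argument lands in a padded slot of the xxx_args block the handler sees as uap, the errno travels back separately from the return value, and the credential and uid checks the table lists are performed inside each handler, not by the dispatcher.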
Syscall ID | PS4 FW Version | Syscall name | Syscall usermode prototype | Notes |
---|---|---|---|---|
99 | <=1.01? | sys_netcontrol | int sys_netcontrol(int ifindex, uint op, void *buf, uint nbuf) | Using invalid ifindex, ifp is null. Before PS4 12.00, the lack of mutexes allowed double free as fdrop is called unconditionally in bnet_netevent_unset_queue. See also PS Vita SceNetPs kernel module that uses similar bnet functions. |
101 | <=1.01? | sys_netabort | - | - |
102 | <=1.01? | sys_netgetsockinfo | - | - |
113 | <=1.01? | sys_socketex | int sys_socketex(const char *name, int domain, int type, int protocol) | Like existing socket syscall, but with the addition of a name argument. |
114 | <=1.01? | sys_socketclose | - | - |
125 | <=1.01? | sys_netgetiflist | - | - |
141 | <=1.01? | sys_kqueueex | - | - |
379 | >1.01 <=1.76? | sys_mtypeprotect | - | - |
532 | <=1.76? | sys_regmgr_call | - | - |
533 | <=1.01? | sys_jitshm_create | - | Only callable from a JIT compiler process, else returns EPERM (0x1) |
534 | <=1.01? | sys_jitshm_alias | - | Only callable from a JIT compiler/application process, else returns EPERM (0x1) |
535 | <=1.01? | sys_dl_get_list | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
536 | <=1.01? | sys_dl_get_info | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
537 | <=1.01? | sys_dl_notify_event | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits) |
538 | <=1.01? | sys_evf_create | int sys_evf_create(char* name, int flag, struct evFlag *evf) | - |
539 | <=1.01? | sys_evf_delete | int sys_evf_delete(int id) | - |
540 | <=1.01? | sys_evf_open | int sys_evf_open(struct evFlag *evf) | - |
541 | <=1.01? | sys_evf_close | int sys_evf_close(int id) | - |
542 | <=1.01? | sys_evf_wait | - | - |
543 | <=1.01? | sys_evf_trywait | - | - |
544 | <=1.01? | sys_evf_set | int sys_evf_set(int id) | - |
545 | <=1.01? | sys_evf_clear | int sys_evf_clear(int id) | - |
546 | <=1.01? | sys_evf_cancel | int sys_evf_cancel(int id) | - |
547 | <=1.01? | sys_query_memory_protection | - | - |
548 | <=1.01? | sys_batch_map | - | - |
549 | <=1.01? | sys_osem_create | - | - |
550 | <=1.01? | sys_osem_delete | - | - |
551 | <=1.01? | sys_osem_open | - | - |
552 | <=1.01? | sys_osem_close | - | - |
553 | <=1.01? | sys_osem_wait | - | - |
554 | <=1.01? | sys_osem_trywait | - | - |
555 | <=1.01? | sys_osem_post | - | - |
556 | <=1.01? | sys_osem_cancel | - | - |
557 | <=1.01? | sys_namedobj_create | - | - |
558 | <=1.01? | sys_namedobj_delete | - | - |
559 | <=1.01? | sys_set_vm_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
560 | <=1.01? | sys_debug_init | - | - |
561 | <=1.01? | sys_suspend_process | int sys_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
562 | <=1.01? | sys_resume_process | int sys_resume_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
563 | <=1.01? | sys_opmc_enable | - | - |
564 | <=1.01? | sys_opmc_disable | - | - |
565 | <=1.01? | sys_opmc_set_ctl | - | - |
566 | <=1.01? | sys_opmc_set_ctr | - | - |
567 | <=1.01? | sys_opmc_get_ctr | - | - |
568 | <=1.01? | sys_budget_create | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
569 | <=1.01? | sys_budget_delete | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
570 | <=1.01? | sys_budget_get | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
571 | <=1.01? | sys_budget_set | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
572 | <=1.01? | sys_virtual_query | int sys_virtual_query(uint64_t addr, uint64_t unk, void *info, uint64_t info_size) | - |
573 | <=1.01? | sys_mdbg_call | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
574 | <=1.01? | sys_sblock_create | - | - |
575 | <=1.01? | sys_sblock_delete | - | - |
576 | <=1.01? | sys_sblock_enter | - | - |
577 | <=1.01? | sys_sblock_exit | - | - |
578 | <=1.01? | sys_sblock_xenter | - | - |
579 | <=1.01? | sys_sblock_xexit | - | - |
580 | <=1.01? | sys_eport_create | - | - |
581 | <=1.01? | sys_eport_delete | - | - |
582 | <=1.01? | sys_eport_trigger | - | - |
583 | <=1.01? | sys_eport_open | - | - |
584 | <=1.01? | sys_eport_close | - | - |
585 | <=1.01? | sys_is_in_sandbox | - | - |
586 | <=1.01? | sys_dmem_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
587 | <=1.01? | sys_get_authinfo | - | Some functionality requires privileges (uid0) |
588 | <=1.01? | sys_mname | - | - |
589 | <=1.01? | sys_dynlib_dlopen | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits) |
590 | <=1.01? | sys_dynlib_dlclose | - | - |
591 | <=1.01? | sys_dynlib_dlsym | int sys_dynlib_dlsym(SceKernelModule handle, const char *symbol, void **addrp) | - |
592 | <=1.01? | sys_dynlib_get_list | int sys_dynlib_get_list(SceKernelModule *pArray, size_t numArray, size_t * pActualNum) | - |
593 | <=1.01? | sys_dynlib_get_info | int sys_dynlib_get_info(SceKernelModule handle, SceDbgModuleInfo *pInfo) | Sony has stripped module information since 1.76 FW (STO) * |
594 | <=1.01? | sys_dynlib_load_prx | int sys_dynlib_load_prx(const char *moduleFileName, size_t args, const void *argp, uint32_t flags, const SceKernelLoadModuleOpt *pOpt, int *pRes) | - |
595 | <=1.01? | sys_dynlib_unload_prx | int sys_dynlib_unload_prx(SceKernelModule handle, size_t args, const void *argp, uint32_t flags, const SceKernelUnloadModuleOpt *pOpt, int *pRes) | - |
596 | <=1.01? | sys_dynlib_do_copy_relocations | - | - |
597 | <=1.01? | sys_dynlib_prepare_dlclose | - | Contains an exploitable integer overflow on FWs <= 1.76 |
598 | <=1.01? | sys_dynlib_get_proc_param | - | - |
599 | <=1.01? | sys_dynlib_process_needed_and_relocate | - | - |
600 | <=1.01? | sys_sandbox_path | - | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
601 | <=1.01? | sys_mdbg_service | - | - |
602 | <=1.01? | sys_randomized_path | - | Some functionality requires privileges (uid0) |
603 | <=1.01? | sys_rdup | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
604 | <=1.01? | sys_dl_get_metadata | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
605 | <=1.01? | sys_workaround8849 | - | - |
606 | <=1.01? | sys_is_development_mode | - | - |
607 | <=1.01? | sys_get_self_auth_info | - | - |
608 | <=1.01? | sys_dynlib_get_info_ex | int sys_dynlib_get_info_ex(int moduleHandle, struct Unk *unk, int *destModuleInfoEx) | - |
609 | <=1.01? | sys_budget_getid | int sys_budget_getid(void) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
610 | <=1.01? | sys_budget_get_ptype | int sys_budget_get_ptype(int budgetID) | - |
611 | <=1.01? | sys_get_paging_stats_of_all_threads | - | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
612 | <=1.01? | sys_get_proc_type_info | int sys_get_proc_type_info(int *destProcessInfo) | Only callable from certain processes, mainly those involving media and JIT |
613 | >1.01 <=1.76? | sys_get_resident_count | int sys_get_resident_count(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
614 | <=1.76? | sys_prepare_to_suspend_process | int sys_prepare_to_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
615 | <=1.76? | sys_get_resident_fmem_count | int sys_get_resident_fmem_count(int pid) | Some functionality requires privileges (uid0) |
616 | <=1.76? | sys_thr_get_name | int sys_thr_get_name(int threadID) | - |
617 | <=1.76? | sys_set_gpo | - | Only callable on development kit (devkit) units |
618 | >1.76? | sys_get_paging_stats_of_all_objects | - | |
619 | >1.76? | sys_test_debug_rwmem | - | |
620 | >1.76? | sys_free_stack | - | |
621 | >1.76? | sys_suspend_system | - | |
622 | >1.76? | sys_ipmimgr_call | - | |
623 | >1.76? | sys_get_gpo | - | |
624 | >1.76? | sys_get_vm_map_timestamp | - | |
625 | >1.76? | sys_opmc_set_hw | - | |
626 | >1.76? | sys_opmc_get_hw | - | |
627 | >1.76? | sys_get_cpu_usage_all | - | |
628 | >1.76? | sys_mmap_dmem | - | |
629 | >1.76? | sys_physhm_open | - | |
630 | >1.76? | sys_physhm_unlink | - | |
631 | >1.76? | sys_resume_internal_hdd | - | |
632 | >1.76? | sys_thr_suspend_ucontext | - | |
633 | >1.76? | sys_thr_resume_ucontext | - | |
634 | >1.76? | sys_thr_get_ucontext | - | |
635 | >1.76? | sys_thr_set_ucontext | - | |
636 | >1.76? | sys_set_timezone_info | - | |
637 | >1.76? | sys_set_phys_fmem_limit | - | |
638 | >1.76? | sys_utc_to_localtime | - | |
639 | >1.76? | sys_localtime_to_utc | - | |
640 | >1.76? | sys_set_uevt | - | |
641 | >1.76? | sys_get_cpu_usage_proc | - | |
642 | >1.76? | sys_get_map_statistics | - | |
643 | >1.76? | sys_set_chicken_switches | - | |
644 | ?>4.05>3.55? | sys_extend_page_table_pool | int sys_extend_page_table_pool(void) | |
645 | ?>4.05>3.55? | sys_extend_page_table_pool2 | int sys_extend_page_table_pool2(void) | Duplicate of sys_extend_page_table_pool. |
646 | >1.76? | sys_get_kernel_mem_statistics | - | |
647 | >1.76? | sys_get_sdk_compiled_version | - | |
648 | >1.76? | sys_app_state_change | - | |
649 | >1.76? | sys_dynlib_get_obj_member | - | |
650 | >1.76? | sys_budget_get_ptype_of_budget | - | |
651 | >1.76? | sys_prepare_to_resume_process | - | |
652 | >1.76? | sys_process_terminate | - | |
653 | >1.76? | sys_blockpool_open | - | |
654 | >1.76? | sys_blockpool_map | - | |
655 | >1.76? | sys_blockpool_unmap | - | |
656 | >1.76? | sys_dynlib_get_info_for_libdbg | - | |
657 | >1.76? | sys_blockpool_batch | - | |
658 | >1.76? | sys_fdatasync | - | |
659 | >1.76? | sys_dynlib_get_list2 | - | |
660 | >1.76? | sys_dynlib_get_info2 | - | |
661 | >1.76? | sys_aio_submit | - | |
662 | >1.76? | sys_aio_multi_delete | - | |
663 | >1.76? | sys_aio_multi_wait | - | |
664 | >1.76? | sys_aio_multi_poll | - | |
665 | >1.76? | sys_aio_get_data | - | |
666 | >1.76? | sys_aio_multi_cancel | - | |
667 | >1.76? | sys_get_bio_usage_all | - | |
668 | >1.76? | sys_aio_create | - | |
669 | >1.76? | sys_aio_submit_cmd | - | |
670 | >1.76? | sys_aio_init | - | |
671 | >1.76? | sys_get_page_table_stats | - | |
672 | >1.76? | sys_dynlib_get_list_for_libdbg | - | |
673 | ?> 5.07? | sys_blockpool_move | - | |
674 | ?> 5.07? | sys_virtual_query_all | - | |
675 | ?> 5.07? | sys_reserve_2mb_page | - | |
676 | ?> 5.07? | sys_cpumode_yield | - | |
677 | ?>= 6.50? (not present on 6.20) | sys_get_phys_page_size | - | Not present in PS5 PS4EMU on PS5 FW 2.20. |
* Since FW 1.76, Sony has removed key information from sys_dynlib_get_info() (syscall 593): it no longer returns the module's code base address, data base address, code size or data size.