IOCTL: Difference between revisions
m (→av_control) |
CelesteBlue (talk | contribs) No edit summary |
||
(29 intermediate revisions by 9 users not shown) | |||
Line 1: | Line 1: | ||
= | In computing, ioctl (an abbreviation of input/output control) is a system call for device-specific input/output operations and other operations which cannot be expressed by regular file semantics. It takes a parameter specifying a request code; the effect of a call depends completely on the request code. Request codes are often device-specific. For instance, a CD-ROM device driver which can instruct a physical device to eject a disc would provide an ioctl request code to do so. Device-independent request codes are sometimes used to give usermode access to kernel functions which are only used by core system software or still under development. | ||
See also [https://en.wikipedia.org/wiki/Ioctl wikipedia page about IOCTL]. | |||
See also [[Devices]] and [https://www.psdevwiki.com/ps5/IOCTL PS5 IOCTL]s. | |||
= Description = | |||
<pre> | <pre> | ||
Line 25: | Line 31: | ||
</pre> | </pre> | ||
== | = List of IOCTL by kernel device = | ||
== sbl == | |||
=== pup_update / sc_fw_update === | === pup_update / sc_fw_update === | ||
Line 35: | Line 43: | ||
C0184404 decrypt_pup_segment | C0184404 decrypt_pup_segment | ||
C0284405 decrypt_pup_segment_block | C0284405 decrypt_pup_segment_block | ||
80014406 set_partion_updated ?typo for partition? | |||
20004407 switch_bank | |||
C0104408 ?unknown name? | |||
C0284409 decrypt_pup_header_with_response | |||
C010440A generate_challenge | |||
C008440B get_syscon_key_type | |||
2000440C write_app_pup_info | |||
C010440D verify_bls_header | |||
</pre> | |||
=== crepo === | |||
<pre> | |||
400C4302 sceSblCryptReleaseContext | |||
C00C4303 crepo_get_sign_crypt_handle | |||
C00C4304 crepo_get_encdec_cryp_handle | |||
</pre> | |||
=== sealedkey / devact / idata === | |||
<pre> | |||
40845301 sceSblSsGenerateSealedKey | |||
C0845302 sceSblSsDecryptSealedKey | |||
40105303 sceSblDevActSetStatus | |||
C0205364 sceSblIdataGetCprm | |||
C0205365 sceSblIdataGetHddKey | |||
C0205366 sceSblIdataGetEapHddKey | |||
C0205367 sceSblIdataGetCprm | |||
C0205368 sceSblIdataGetChallenge | |||
C0205369 sceSblIdataVeriResponse | |||
C020536A manu_mode_sm_start | |||
C020536B sceSblIdataGetManuMode | |||
C020536C sceSblIdataSetManuMode | |||
C020536D manu_mode_sm_exit | |||
C020536E isSpecialWake | |||
</pre> | |||
=== encdec === | |||
<pre> | |||
C0284501 sceSblSsDecryptWithPortability | |||
</pre> | |||
=== manu_mode_mgr === | |||
<pre> | |||
C0205364 _sceSblIdataGetCprm | |||
C0205365 _sceSblIdataGetHddKey | |||
C0205366 _sceSblIdataGetEapHddKey | |||
C0205367 _sceSblIdataGetCprm | |||
C0205368 _sceSblIdataGetChallenge | |||
C0205369 _sceSblIdataVeriResponse | |||
C020536A manu_mode_sm_start | |||
C020536B _sceSblIdataGetManuMode | |||
C020536C _sceSblIdataSetManuMode | |||
C020536D manu_mode_sm_exit | |||
</pre> | |||
=== pfsctl === | |||
<pre> | |||
80709101 pfs_format | |||
80049102 pfs_sbram_clear_useflag | |||
80389103 pfs_img_compaction | |||
20009104 pfs_img_compaction_cancel | |||
80289105 pfs_sbram_write_metadata | |||
C0389106 pfs_img_clean | |||
80389107 pfs_img_clean_cancel | |||
C0309108 pfs_sbram_get_header | |||
20009109 pfs_sbram_init | |||
</pre> | |||
=== pfs === | |||
<pre> | |||
C03866A7 pfs_get_data_chunks | |||
80089167 | |||
80209168 pfs_allocate_full_icv_cache | |||
80089169 pfs_cmp_get_offset_aio | |||
8080916A | |||
</pre> | </pre> | ||
=== | == av_control == | ||
=== av_control === | |||
<pre> | <pre> | ||
C0089A01 enable_crtc_ioctl | |||
C0089A02 blank_crtc_ioctl | |||
C0089A03 enable_display_data_request_ioctl | |||
C0089A04 set_double_buff_cntl_ioctl | |||
C0089A05 set_master_update_lock_ioctl | |||
C0089A06 enable_dcfe_clock_ioctl | |||
C0189A07 set_crtc_timing_ioctl | |||
C0089A08 enable_crtc_prefetch_ioctl | |||
C0089A09 set_early_control_ioctl | |||
20009A0A cancel_vga_ioctl | |||
C0049A0C setup_audiopll_ioctl | |||
C0109A0D setup_pixelpll_ioctl | |||
C0109A0E setup_dispclk_ioctl | |||
C0189A0F dp_on_ioctl | |||
C0189A10 dp_off_ioctl | |||
C0089A13 set_pixel_encoding_ioctl | |||
C0089A14 set_subsampling_mode_ioctl | |||
C0089A15 set_truncation_depth_ioctl | |||
C0109A16 set_fmt_spatial_dither_ioctl | |||
C00C9A17 enable_fmt_crc_ioctl | |||
C0109A18 get_fmt_crc_ioctl | |||
C0109A19 set_clamp_ioctl | |||
C0089A1A enable_fmt_truncate_ioctl | |||
C0049A1B disable_fmt_truncate_ioctl | |||
C0089A1C set_formatter_src_ioctl | |||
C0089A1D set_truncation_mode_ioctl | |||
C0089A1E enable_pti_ioctl | |||
C0089A1F dvo_on_ioctl | |||
20009A20 dvo_off_ioctl | |||
</pre> | </pre> | ||
=== | == bt == | ||
=== bt_dev === | |||
<pre> | <pre> | ||
C0106206 bt_reg_name_lookup | |||
80206216 bt_audio_send_req | |||
80206217 bt_audio_recv_req | |||
20046204 sceBtStartInquiry | |||
20046205 sceBtStopInquiry | |||
80186201 get_registered_info | |||
80186207 reply_pin_code | |||
80106227 bt_get_jedi_vol_gain | |||
80106228 bt_set_jedi_vol_gain | |||
80106208 sceBtReplyUserConfirmation | |||
8004622A sceBtStartMode | |||
80086225 | |||
80086202 bt_reg_delete | |||
80086203 sceBtGetConnectingInfo | |||
8008620A sceBtStartConnect | |||
8008620B sceBtStartDisconnect | |||
80086213 bt_avctp_read_volume | |||
8008621A | |||
8008621D | |||
20046226 | |||
</pre> | </pre> | ||
== hdmi == | |||
=== hdmi === | === hdmi === | ||
Line 88: | Line 213: | ||
C0048D20 sceHdmiCecSetStandyResult | C0048D20 sceHdmiCecSetStandyResult | ||
</pre> | </pre> | ||
== camera == | |||
=== luke === | === luke === | ||
?none? | |||
== Unclassified == | |||
=== gbase === | |||
<pre> | |||
C0044507 sceKernelSetBaseModeClock | |||
C0044508 sceKernelSetGpuCu | |||
C0044511 sceKernelSetMemoryPstate | |||
40084516 sceKernelGetMemoryPstate | |||
</pre> | |||
=== dmem === | |||
<pre> | |||
C0288001 allocate_direct_memory | |||
80108002 release_direct_memory | |||
80188003 set_direct_memory_type | |||
C0208004 get_direct_memory_type | |||
2000800B clear_game_direct_memory | |||
C018800E (suspend/resume)_direct_memory_release | |||
C018800F protect_direct_memory | |||
C0288010 allocate_direct_memory_for_mini_app | |||
C0288011 allocate_main_direct_memory | |||
80288012 direct_memory_query | |||
80108015 checked_release_direct_memory | |||
</pre> | |||
=== dbggc === | |||
<pre> | |||
C0088500 gbase_read_register | |||
C0088501 gbase_write_register | |||
C0048502 gbase_dump_map | |||
</pre> | |||
=== twsi === | |||
<pre> | |||
C0188601 read_twsi | |||
C0188602 write_twsi | |||
</pre> | |||
=== metadbg === | |||
<pre> | |||
C0888763 metadbg_call0 | |||
</pre> | |||
=== dipsw_dev === | |||
<pre> | |||
20008800 sceKernelInitializeDipsw | |||
80028801 sceKernelSetDipsw | |||
80028802 sceKernelUnsetDipsw | |||
C0088803 sceKernelCheckDipsw | |||
80108804 sceKernelReadDipswData | |||
80108805 sceKernelWriteDipswData | |||
40048806 sceKernelCheckDipsw | |||
</pre> | |||
=== icc_fan === | === icc_fan === | ||
<pre> | <pre> | ||
C0168F01 eval_fan_id | |||
C0048F04 | |||
C0068F06 get_fan_manual_duty | C0068F06 get_fan_manual_duty | ||
C01C8F07 | |||
C01C8F08 | |||
C0148F09 | |||
</pre> | </pre> | ||
=== icc_thermal === | === icc_thermal === | ||
<pre> | <pre> | ||
C0169001 | |||
C0169002 | |||
</pre> | </pre> | ||
Line 118: | Line 303: | ||
C0029203 icc_configuration_get_cpu_info_bit | C0029203 icc_configuration_get_cpu_info_bit | ||
80029204 icc_configuration_set_cpu_info_bit | 80029204 icc_configuration_set_cpu_info_bit | ||
80019206 | 20009205 | ||
80019206 icc_configuration_set_download_mode | |||
40019207 icc_configuration_get_cp_mode | 40019207 icc_configuration_get_cp_mode | ||
80019208 icc_configuration_set_cp_mode | 80019208 icc_configuration_set_cp_mode | ||
</pre> | </pre> | ||
=== icc_indicator === | === icc_indicator === | ||
Line 139: | Line 323: | ||
2000950A icc_indicator_set_dynamic_led_standby_boot | 2000950A icc_indicator_set_dynamic_led_standby_boot | ||
</pre> | </pre> | ||
=== icc_nvs === | === icc_nvs === | ||
Line 157: | Line 339: | ||
C0109905 icc_power_get_operating_time | C0109905 icc_power_get_operating_time | ||
20009906 icc_power_set_bootup_at_poweron | 20009906 icc_power_set_bootup_at_poweron | ||
</pre> | </pre> | ||
Line 212: | Line 360: | ||
</pre> | </pre> | ||
= | === uipc_control === | ||
?none? | |||
=== sce_exfatfs_vop === | |||
?none? | |||
=== sbi === | |||
<pre> | <pre> | ||
SocraticBliss for the names | 4004A501 sceKernelGetCpuTemperature | ||
C008A502 sceKernelGetSocSensorTemperature | |||
</pre> | |||
* Thanks to SocraticBliss for the names. | |||
= Finding the IOCTL handler address for a device in kernel = | |||
# Find a string of the device name in kernel. | |||
# There should be only two cross-references from function: make_dev and mutex_init. make_dev is the interesting one. | |||
# The structure before the device string is what we want to look. | |||
# Follow the structure then go to the very last offset of the structure. It is the handler function in charge of IOCTLs for that device. | |||
</pre> | </pre> | ||
{{Reverse Engineering}} | |||
<noinclude> | |||
[[Category:Main]] | |||
</noinclude> |
Latest revision as of 19:42, 11 November 2024
In computing, ioctl (an abbreviation of input/output control) is a system call for device-specific input/output operations and other operations which cannot be expressed by regular file semantics. It takes a parameter specifying a request code; the effect of a call depends completely on the request code. Request codes are often device-specific. For instance, a CD-ROM device driver which can instruct a physical device to eject a disc would provide an ioctl request code to do so. Device-independent request codes are sometimes used to give usermode access to kernel functions which are only used by core system software or still under development.
See also the Wikipedia page about IOCTL.
See also Devices and PS5 IOCTLs.
Description[edit | edit source]
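int ioctl(int fd, unsigned long request, ...);

The ioctl() system call manipulates the underlying device parameters of special files. In particular, many operating characteristics of character special files (e.g., terminals) may be controlled with ioctl() requests. The argument fd must be an open file descriptor.

The second argument is a device-dependent request code. The third argument is an untyped pointer to memory. It's traditionally char *argp (from the days before void * was valid C), and will be so named for this discussion.

An ioctl() request has encoded in it whether the argument is an in parameter or out parameter, and the size of the argument argp in bytes. Macros and defines used in specifying an ioctl() request are located in the file <sys/ioctl.h>.

DIRECTION_INOUT = 0xC000000
DIRECTION_IN    = 0x8000000
DIRECTION_OUT   = 0x4000000
DIRECTION_NONE  = 0x2000000

Note: the four values above are written with seven hex digits, but the request codes listed on this page are 32-bit values whose top three bits carry the direction (C0184401 starts with C, 20004407 with 2). The masks therefore appear to be missing a trailing zero: 0xC0000000, 0x80000000, 0x40000000 and 0x20000000, which match FreeBSD's IOC_INOUT, IOC_IN, IOC_OUT and IOC_VOID. Using the FreeBSD layout, C0184401 decodes as direction INOUT, argument size 0x18 bytes, group 0x44 and command number 0x01.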
List of IOCTL by kernel device[edit | edit source]
sbl[edit | edit source]
pup_update / sc_fw_update[edit | edit source]
C0184401 decrypt_pup_header C0184402 verify_pup_additional_sign C0184403 verify_pup_watermark C0184404 decrypt_pup_segment C0284405 decrypt_pup_segment_block 80014406 set_partion_updated ?typo for partition? 20004407 switch_bank C0104408 ?unknown name? C0284409 decrypt_pup_header_with_response C010440A generate_challenge C008440B get_syscon_key_type 2000440C write_app_pup_info C010440D verify_bls_header
crepo[edit | edit source]
400C4302 sceSblCryptReleaseContext C00C4303 crepo_get_sign_crypt_handle C00C4304 crepo_get_encdec_cryp_handle
sealedkey / devact / idata[edit | edit source]
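40845301 sceSblSsGenerateSealedKey
C0845302 sceSblSsDecryptSealedKey
40105303 sceSblDevActSetStatus
C0205364 sceSblIdataGetCprm
C0205365 sceSblIdataGetHddKey
C0205366 sceSblIdataGetEapHddKey
C0205367 sceSblIdataGetCprm
C0205368 sceSblIdataGetChallenge
C0205369 sceSblIdataVeriResponse
C020536A manu_mode_sm_start
C020536B sceSblIdataGetManuMode
C020536C sceSblIdataSetManuMode
C020536D manu_mode_sm_exit
C020536E isSpecialWake

Note: C0205364 and C0205367 are both labelled sceSblIdataGetCprm here (and again, with a leading underscore, under manu_mode_mgr). One of the two names is presumably a mislabel and should be verified against the handler.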
encdec[edit | edit source]
C0284501 sceSblSsDecryptWithPortability
manu_mode_mgr[edit | edit source]
C0205364 _sceSblIdataGetCprm C0205365 _sceSblIdataGetHddKey C0205366 _sceSblIdataGetEapHddKey C0205367 _sceSblIdataGetCprm C0205368 _sceSblIdataGetChallenge C0205369 _sceSblIdataVeriResponse C020536A manu_mode_sm_start C020536B _sceSblIdataGetManuMode C020536C _sceSblIdataSetManuMode C020536D manu_mode_sm_exit
pfsctl[edit | edit source]
80709101 pfs_format 80049102 pfs_sbram_clear_useflag 80389103 pfs_img_compaction 20009104 pfs_img_compaction_cancel 80289105 pfs_sbram_write_metadata C0389106 pfs_img_clean 80389107 pfs_img_clean_cancel C0309108 pfs_sbram_get_header 20009109 pfs_sbram_init
pfs[edit | edit source]
C03866A7 pfs_get_data_chunks 80089167 80209168 pfs_allocate_full_icv_cache 80089169 pfs_cmp_get_offset_aio 8080916A
av_control[edit | edit source]
av_control[edit | edit source]
C0089A01 enable_crtc_ioctl C0089A02 blank_crtc_ioctl C0089A03 enable_display_data_request_ioctl C0089A04 set_double_buff_cntl_ioctl C0089A05 set_master_update_lock_ioctl C0089A06 enable_dcfe_clock_ioctl C0189A07 set_crtc_timing_ioctl C0089A08 enable_crtc_prefetch_ioctl C0089A09 set_early_control_ioctl 20009A0A cancel_vga_ioctl C0049A0C setup_audiopll_ioctl C0109A0D setup_pixelpll_ioctl C0109A0E setup_dispclk_ioctl C0189A0F dp_on_ioctl C0189A10 dp_off_ioctl C0089A13 set_pixel_encoding_ioctl C0089A14 set_subsampling_mode_ioctl C0089A15 set_truncation_depth_ioctl C0109A16 set_fmt_spatial_dither_ioctl C00C9A17 enable_fmt_crc_ioctl C0109A18 get_fmt_crc_ioctl C0109A19 set_clamp_ioctl C0089A1A enable_fmt_truncate_ioctl C0049A1B disable_fmt_truncate_ioctl C0089A1C set_formatter_src_ioctl C0089A1D set_truncation_mode_ioctl C0089A1E enable_pti_ioctl C0089A1F dvo_on_ioctl 20009A20 dvo_off_ioctl
bt[edit | edit source]
bt_dev[edit | edit source]
C0106206 bt_reg_name_lookup 80206216 bt_audio_send_req 80206217 bt_audio_recv_req 20046204 sceBtStartInquiry 20046205 sceBtStopInquiry 80186201 get_registered_info 80186207 reply_pin_code 80106227 bt_get_jedi_vol_gain 80106228 bt_set_jedi_vol_gain 80106208 sceBtReplyUserConfirmation 8004622A sceBtStartMode 80086225 80086202 bt_reg_delete 80086203 sceBtGetConnectingInfo 8008620A sceBtStartConnect 8008620B sceBtStartDisconnect 80086213 bt_avctp_read_volume 8008621A 8008621D 20046226
hdmi[edit | edit source]
hdmi[edit | edit source]
20008D01 sceHdmiInitVideoConfig C0108D02 sceHdmiSetVideoConfig C01C8D03 sceHdmiSetAudioConfig C0048D05 sceHdmiSetAudioMute C0108D07 sceHdmiSetGamutMetaData C0048D0A sceSetHdmiEventConfig C0088D0B sceHdmiGetMonitorInformation C0088D0C sceHdmiGetState C0088D0D getHdmiConnectState C0108D0E sceHdmiGetKsv C0088D0F sceHdmiGetKsvSize C0048D13 sceChangeEdidPassMode C0048D14 sceChangeHdcpMode C0108D15 sceHdmiGetAksv C0048D16 sceHdmiSetScrambleMode 20008D17 sceHdmiTransmitCecSignal C0048D1E sceChangeCecMode 20008D1F sceHdmiCecOneTouchPlay C0048D20 sceHdmiCecSetStandyResult
camera[edit | edit source]
luke[edit | edit source]
?none?
Unclassified[edit | edit source]
gbase[edit | edit source]
C0044507 sceKernelSetBaseModeClock C0044508 sceKernelSetGpuCu C0044511 sceKernelSetMemoryPstate 40084516 sceKernelGetMemoryPstate
dmem[edit | edit source]
C0288001 allocate_direct_memory 80108002 release_direct_memory 80188003 set_direct_memory_type C0208004 get_direct_memory_type 2000800B clear_game_direct_memory C018800E (suspend/resume)_direct_memory_release C018800F protect_direct_memory C0288010 allocate_direct_memory_for_mini_app C0288011 allocate_main_direct_memory 80288012 direct_memory_query 80108015 checked_release_direct_memory
dbggc[edit | edit source]
C0088500 gbase_read_register C0088501 gbase_write_register C0048502 gbase_dump_map
twsi[edit | edit source]
C0188601 read_twsi C0188602 write_twsi
metadbg[edit | edit source]
C0888763 metadbg_call0
dipsw_dev[edit | edit source]
20008800 sceKernelInitializeDipsw 80028801 sceKernelSetDipsw 80028802 sceKernelUnsetDipsw C0088803 sceKernelCheckDipsw 80108804 sceKernelReadDipswData 80108805 sceKernelWriteDipswData 40048806 sceKernelCheckDipsw
icc_fan[edit | edit source]
C0168F01 eval_fan_id C0048F04 C0068F06 get_fan_manual_duty C01C8F07 C01C8F08 C0148F09
icc_thermal[edit | edit source]
C0169001 C0169002
icc_configuration[edit | edit source]
C0029203 icc_configuration_get_cpu_info_bit 80029204 icc_configuration_set_cpu_info_bit 20009205 80019206 icc_configuration_set_download_mode 40019207 icc_configuration_get_cp_mode 80019208 icc_configuration_set_cp_mode
icc_indicator[edit | edit source]
80019501 icc_indicator_set_buzzer 801A9502 icc_indicator_set_led 401A9503 icc_indicator_get_led 80829504 icc_indicator_set_dynamic_led 40829505 icc_indicator_get_dynamic_led 20009506 icc_indicator_set_dynamic_led_boot 20009507 icc_indicator_set_dynamic_led_shutdown 20009508 indicator_standby 20009509 indicator_standby_shutdown 2000950A icc_indicator_set_dynamic_led_standby_boot
icc_nvs[edit | edit source]
20009701 nvs_flush
icc_power[edit | edit source]
C0019901 icc_notify_boot_status C0099902 icc_get_system_powerup_cause C1009903 icc_read_boot_message C00C9904 icc_power_get_number_of_boot_shutdown C0109905 icc_power_get_operating_time 20009906 icc_power_set_bootup_at_poweron
icc_sc_config[edit | edit source]
C0019B01 icc_sc_configuration_set_code_flash_sec
icc_device_power[edit | edit source]
80019C01 icc_device_power_control_wlan_bt_power_state 40019C02 icc_device_power_get_wlan_bt_power_state 80019C03 icc_device_power_control_usb_power_state 40019C04 icc_device_power_get_usb_power_state 80019C05 icc_device_power_control_hdd_power_state 40019C06 icc_device_power_get_hdd_power_state 80019C07 icc_device_power_control_bd_power_state 40019C08 icc_device_power_get_bd_power_state
uipc_control[edit | edit source]
?none?
sce_exfatfs_vop[edit | edit source]
?none?
sbi[edit | edit source]
4004A501 sceKernelGetCpuTemperature C008A502 sceKernelGetSocSensorTemperature
- Thanks to SocraticBliss for the names.
Finding the IOCTL handler address for a device in kernel[edit | edit source]
- Find the device name string in the kernel.
- There should be only two cross-references from functions: make_dev and mutex_init. The make_dev one is the interesting one.
- The structure before the device string is what we want to look at.
- Follow the structure, then go to its very last offset. That last entry is the handler function in charge of IOCTLs for that device.