IOCTL: Difference between revisions

From PS4 Developer wiki
Latest revision as of 03:30, 16 November 2024

In computing, ioctl (an abbreviation of input/output control) is a system call for device-specific input/output operations and other operations which cannot be expressed by regular file semantics. It takes a parameter specifying a request code; the effect of a call depends completely on the request code. Request codes are often device-specific. For instance, a CD-ROM device driver which can instruct a physical device to eject a disc would provide an ioctl request code to do so. Device-independent request codes are sometimes used to give usermode access to kernel functions which are only used by core system software or still under development.

See also the [https://en.wikipedia.org/wiki/Ioctl Wikipedia page about ioctl].

See also [[Devices]] and [https://www.psdevwiki.com/ps5/IOCTL PS5 IOCTL]s.

= Description =

       int ioctl(int fd, unsigned long request, ...);

       The ioctl() system call manipulates the underlying device parameters
       of special files.  In particular, many operating characteristics of
       character special files (e.g., terminals) may be controlled with
       ioctl() requests.  The argument fd must be an open file descriptor.

       The second argument is a device-dependent request code.  The third
       argument is an untyped pointer to memory.  It's traditionally char
       *argp (from the days before void * was valid C), and will be so named
       for this discussion.

       An ioctl() request has encoded in it whether the argument is an in
       parameter or out parameter, and the size of the argument argp in
       bytes.  Macros and defines used in specifying an ioctl() request are
       located in the file <sys/ioctl.h>.

       In the request codes listed below the direction is encoded in the top
       three bits of the 32-bit code (FreeBSD's IOC_INOUT, IOC_IN, IOC_OUT
       and IOC_VOID):

       DIRECTION_INOUT = 0xC0000000
       DIRECTION_IN    = 0x80000000
       DIRECTION_OUT   = 0x40000000
       DIRECTION_NONE  = 0x20000000
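As an added example (not code from the wiki), the following decoder unpacks the request codes listed on this page into their fields using the FreeBSD sys/ioccom.h layout: bits 31-29 direction, bits 28-16 a 13-bit argument length, bits 15-8 a per-device group byte, bits 7-0 the command number. That layout, and the well-formedness rules taken from FreeBSD's sys_ioctl, are assumed to apply to the PS4 kernel; the codes on this page are consistent with it.

```c
/* Added example (not from the wiki): decode and sanity-check ioctl request
 * codes in the FreeBSD sys/ioccom.h layout, which is assumed for the PS4
 * kernel; every code listed on this page is consistent with it. */
#include <stdint.h>
#include <stdio.h>
#define IOC_VOID     0x20000000UL       /* no parameter */
#define IOC_OUT      0x40000000UL       /* copy parameter out */
#define IOC_IN       0x80000000UL       /* copy parameter in */
#define IOC_INOUT    (IOC_IN | IOC_OUT)
#define IOC_DIRMASK  (IOC_VOID | IOC_OUT | IOC_IN)
#define IOCPARM_MASK 0x1fffU            /* 13-bit parameter length */
struct ioc_fields {
    uint32_t dir;    /* IOC_VOID, IOC_OUT, IOC_IN or IOC_INOUT */
    unsigned len;    /* bytes the kernel copies in/out for argp */
    unsigned group;  /* per-device "group" byte */
    unsigned num;    /* command number within the group */
};
/* Split a request code into direction, length, group and number. */
struct ioc_fields ioc_decode(uint32_t code)
{
    struct ioc_fields f;
    f.dir   = code & IOC_DIRMASK;
    f.len   = (code >> 16) & IOCPARM_MASK;
    f.group = (code >> 8) & 0xff;
    f.num   = code & 0xff;
    return f;
}
/* Rebuild a code the way the _IOC() macro does, so the struct size a
 * handler expects can be cross-checked against a listed code. */
uint32_t ioc_encode(uint32_t dir, unsigned group, unsigned num, unsigned len)
{
    return dir | ((len & IOCPARM_MASK) << 16) | ((group & 0xff) << 8) | (num & 0xff);
}
/* Rules FreeBSD's sys_ioctl applies before any driver sees the code
 * (assumed to hold on PS4): a direction must be set, IN/OUT need a
 * non-zero length, VOID allows only a length of 0 or sizeof(int). */
int ioc_is_wellformed(uint32_t code)
{
    struct ioc_fields f = ioc_decode(code);
    if (f.dir == 0) return 0;
    if ((f.dir & IOC_INOUT) && f.len == 0) return 0;
    if ((f.dir & IOC_VOID) && f.len != 0 && f.len != sizeof(int)) return 0;
    return 1;
}
int main(void)
{
    /* constructed sample: codes copied from the lists on this page */
    static const uint32_t samples[] = { 0xC0404E03, 0x80014406, 0x20004407, 0x40084516 };
    static const char *dirname[] = { "?", "VOID", "OUT", "?", "IN", "?", "INOUT", "?" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ioc_fields f = ioc_decode(samples[i]);
        printf("%08X dir=%-5s len=%-4u group=0x%02X num=0x%02X ok=%d\n",
               (unsigned)samples[i], dirname[f.dir >> 29], f.len, f.group, f.num,
               ioc_is_wellformed(samples[i]));
    }
    return 0;
}
```

The length field is the number of bytes the kernel copies for argp, so a handler that reads or writes a different amount than its code encodes is worth a second look when reviewing a driver.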

= List of IOCTL by kernel device =

== npdrm ==

C0404E03 npdrm_decrypt_isolated_rif
C0404E02 npdrm_decrypt_disc_rif
C0404E01 npdrm_decrypt_kds_rif

== sbl ==

=== pup_update / sc_fw_update ===

C0184401 decrypt_pup_header
C0184402 verify_pup_additional_sign
C0184403 verify_pup_watermark
C0184404 decrypt_pup_segment
C0284405 decrypt_pup_segment_block
80014406 set_partion_updated ?typo for partition?
20004407 switch_bank
C0104408 ?unknown name?
C0284409 decrypt_pup_header_with_response
C010440A generate_challenge
C008440B get_syscon_key_type
2000440C write_app_pup_info
C010440D verify_bls_header

=== crepo ===

400C4302 sceSblCryptReleaseContext
C00C4303 crepo_get_sign_crypt_handle
C00C4304 crepo_get_encdec_cryp_handle

=== sealedkey / devact / idata ===

40845301 sceSblSsGenerateSealedKey
C0845302 sceSblSsDecryptSealedKey
40105303 sceSblDevActSetStatus
C0205364 sceSblIdataGetCprm
C0205365 sceSblIdataGetHddKey
C0205366 sceSblIdataGetEapHddKey
C0205367 sceSblIdataGetCprm
C0205368 sceSblIdataGetChallenge
C0205369 sceSblIdataVeriResponse
C020536A manu_mode_sm_start
C020536B sceSblIdataGetManuMode
C020536C sceSblIdataSetManuMode
C020536D manu_mode_sm_exit
C020536E isSpecialWake

=== encdec ===

C0284501 sceSblSsDecryptWithPortability

=== manu_mode_mgr ===

C0205364 _sceSblIdataGetCprm
C0205365 _sceSblIdataGetHddKey
C0205366 _sceSblIdataGetEapHddKey
C0205367 _sceSblIdataGetCprm
C0205368 _sceSblIdataGetChallenge
C0205369 _sceSblIdataVeriResponse
C020536A manu_mode_sm_start
C020536B _sceSblIdataGetManuMode
C020536C _sceSblIdataSetManuMode
C020536D manu_mode_sm_exit

=== pfsctl ===

80709101 pfs_format
80049102 pfs_sbram_clear_useflag
80389103 pfs_img_compaction
20009104 pfs_img_compaction_cancel
80289105 pfs_sbram_write_metadata
C0389106 pfs_img_clean
80389107 pfs_img_clean_cancel
C0309108 pfs_sbram_get_header
20009109 pfs_sbram_init

=== pfs ===

C03866A7 pfs_get_data_chunks
80089167
80209168 pfs_allocate_full_icv_cache
80089169 pfs_cmp_get_offset_aio
8080916A

== av_control ==

=== av_control ===

C0089A01 enable_crtc_ioctl
C0089A02 blank_crtc_ioctl
C0089A03 enable_display_data_request_ioctl
C0089A04 set_double_buff_cntl_ioctl
C0089A05 set_master_update_lock_ioctl
C0089A06 enable_dcfe_clock_ioctl
C0189A07 set_crtc_timing_ioctl
C0089A08 enable_crtc_prefetch_ioctl
C0089A09 set_early_control_ioctl
20009A0A cancel_vga_ioctl
C0049A0C setup_audiopll_ioctl
C0109A0D setup_pixelpll_ioctl
C0109A0E setup_dispclk_ioctl
C0189A0F dp_on_ioctl
C0189A10 dp_off_ioctl
C0089A13 set_pixel_encoding_ioctl
C0089A14 set_subsampling_mode_ioctl
C0089A15 set_truncation_depth_ioctl
C0109A16 set_fmt_spatial_dither_ioctl
C00C9A17 enable_fmt_crc_ioctl
C0109A18 get_fmt_crc_ioctl
C0109A19 set_clamp_ioctl
C0089A1A enable_fmt_truncate_ioctl
C0049A1B disable_fmt_truncate_ioctl
C0089A1C set_formatter_src_ioctl
C0089A1D set_truncation_mode_ioctl
C0089A1E enable_pti_ioctl
C0089A1F dvo_on_ioctl
20009A20 dvo_off_ioctl

== bt ==

=== bt_dev ===

C0106206 bt_reg_name_lookup
80206216 bt_audio_send_req
80206217 bt_audio_recv_req
20046204 sceBtStartInquiry
20046205 sceBtStopInquiry
80186201 get_registered_info
80186207 reply_pin_code
80106227 bt_get_jedi_vol_gain
80106228 bt_set_jedi_vol_gain
80106208 sceBtReplyUserConfirmation
8004622A sceBtStartMode
80086225
80086202 bt_reg_delete
80086203 sceBtGetConnectingInfo
8008620A sceBtStartConnect
8008620B sceBtStartDisconnect
80086213 bt_avctp_read_volume
8008621A
8008621D
20046226

== hdmi ==

=== hdmi ===

20008D01 sceHdmiInitVideoConfig
C0108D02 sceHdmiSetVideoConfig
C01C8D03 sceHdmiSetAudioConfig
C0048D05 sceHdmiSetAudioMute
C0108D07 sceHdmiSetGamutMetaData
C0048D0A sceSetHdmiEventConfig
C0088D0B sceHdmiGetMonitorInformation
C0088D0C sceHdmiGetState
C0088D0D getHdmiConnectState
C0108D0E sceHdmiGetKsv
C0088D0F sceHdmiGetKsvSize
C0048D13 sceChangeEdidPassMode
C0048D14 sceChangeHdcpMode
C0108D15 sceHdmiGetAksv
C0048D16 sceHdmiSetScrambleMode
20008D17 sceHdmiTransmitCecSignal
C0048D1E sceChangeCecMode
20008D1F sceHdmiCecOneTouchPlay
C0048D20 sceHdmiCecSetStandyResult

== camera ==

=== luke ===

?none?

== Unclassified ==

=== gbase ===

C0044507 sceKernelSetBaseModeClock
C0044508 sceKernelSetGpuCu
C0044511 sceKernelSetMemoryPstate
40084516 sceKernelGetMemoryPstate

=== dmem ===

C0288001 allocate_direct_memory
80108002 release_direct_memory
80188003 set_direct_memory_type
C0208004 get_direct_memory_type
2000800B clear_game_direct_memory
C018800E (suspend/resume)_direct_memory_release
C018800F protect_direct_memory
C0288010 allocate_direct_memory_for_mini_app
C0288011 allocate_main_direct_memory
80288012 direct_memory_query
80108015 checked_release_direct_memory

=== dbggc ===

C0088500 gbase_read_register
C0088501 gbase_write_register
C0048502 gbase_dump_map

=== twsi ===

C0188601 read_twsi
C0188602 write_twsi

=== metadbg ===

C0888763 metadbg_call0

=== dipsw_dev ===

20008800 sceKernelInitializeDipsw
80028801 sceKernelSetDipsw
80028802 sceKernelUnsetDipsw
C0088803 sceKernelCheckDipsw
80108804 sceKernelReadDipswData
80108805 sceKernelWriteDipswData
40048806 sceKernelCheckDipsw

=== icc_fan ===

C0168F01 eval_fan_id
C0048F04
C0068F06 get_fan_manual_duty
C01C8F07
C01C8F08
C0148F09

=== icc_thermal ===

C0169001
C0169002

=== icc_configuration ===

C0029203 icc_configuration_get_cpu_info_bit
80029204 icc_configuration_set_cpu_info_bit
20009205
80019206 icc_configuration_set_download_mode
40019207 icc_configuration_get_cp_mode
80019208 icc_configuration_set_cp_mode

=== icc_indicator ===

80019501 icc_indicator_set_buzzer
801A9502 icc_indicator_set_led
401A9503 icc_indicator_get_led
80829504 icc_indicator_set_dynamic_led
40829505 icc_indicator_get_dynamic_led
20009506 icc_indicator_set_dynamic_led_boot
20009507 icc_indicator_set_dynamic_led_shutdown
20009508 indicator_standby
20009509 indicator_standby_shutdown
2000950A icc_indicator_set_dynamic_led_standby_boot

=== icc_nvs ===

20009701 nvs_flush

=== icc_power ===

C0019901 icc_notify_boot_status
C0099902 icc_get_system_powerup_cause
C1009903 icc_read_boot_message
C00C9904 icc_power_get_number_of_boot_shutdown
C0109905 icc_power_get_operating_time
20009906 icc_power_set_bootup_at_poweron

=== icc_sc_config ===

C0019B01 icc_sc_configuration_set_code_flash_sec

=== icc_device_power ===

80019C01 icc_device_power_control_wlan_bt_power_state
40019C02 icc_device_power_get_wlan_bt_power_state
80019C03 icc_device_power_control_usb_power_state
40019C04 icc_device_power_get_usb_power_state
80019C05 icc_device_power_control_hdd_power_state
40019C06 icc_device_power_get_hdd_power_state
80019C07 icc_device_power_control_bd_power_state
40019C08 icc_device_power_get_bd_power_state

=== uipc_control ===

?none?

=== sce_exfatfs_vop ===

?none?

=== sbi ===

4004A501 sceKernelGetCpuTemperature
C008A502 sceKernelGetSocSensorTemperature

* Thanks to SocraticBliss for the names.

= Finding the IOCTL handler address for a device in kernel =

# Find a string of the device name in the kernel.
# There should be only two cross-references to it, from the functions make_dev and mutex_init. make_dev is the interesting one.
# The structure located just before the device-name string is what we want to look at.
# Follow the structure, then go to its very last offset: that is the handler function in charge of IOCTLs for that device.