Syscalls

From PS4 Developer wiki
Revision as of 17:03, 25 November 2017 by Idc (talk | contribs) (Update some inaccuracies in the description.)

The PS4 kernel is based on FreeBSD 9.0; a list of standard FreeBSD 9.0 system calls can be found here.

Compatibility system calls, and some others, have been disabled. The first custom Sony system call is number 99, though most of them follow the last FreeBSD system call, wait6, starting at number 532. Currently, the last known custom Sony system call is 672. Calling any system call numbered higher than 672 gives the same result as calling a compatibility or unimplemented system call: a "There is not enough free system memory" error/segfault.

Of the 85 system calls explored in firmware 1.76 (532 - 617):

  • Two, sys_dynlib_dlopen and sys_dl_notify_event, are not implemented in retail units (possibly in devkits though) and always return 0x4E ENOSYS
  • Eight return 0x4E ENOSYS if the caller lacks the required credentials (td->td_proc->p_ucred)
  • Four return 0x4E ENOSYS if the caller has insufficient privileges (uid0)
  • Three return 0x01 EPERM if the caller has insufficient privileges (uid0)
  • One, sys_set_gpo, explicitly requires a development kit, as it drives output to components that only development kit units have.

As of firmware version 3.55 there is evidence of new syscalls!

https://i.gyazo.com/aa2bceacf5e5f45a15495fcdb79585cb.png

An IDA Pro .idc script by Cloverleafswag3 that labels system calls in libkernel can be found here. An updated, janky, hacky version by X41 can be found here.
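As an added example (not the wiki's script nor either author's code), the core of such a labeller in Python: it scans a code blob for the x86-64 stub shape `mov rax, imm32 ; mov r10, rcx ; syscall` (the stub byte pattern and the sample libkernel bytes below are assumptions constructed for this example) and names each stub from the public table on this page, flagging numbers above the last known syscall, 672.

```python
import struct
from typing import Dict, List, Tuple

# Subset of the public system call table on this page (number -> name).
PS4_SYSCALL_NAMES: Dict[int, str] = {
    99: "sys_netcontrol",
    532: "sys_regmgr_call",
    538: "sys_evf_create",
    591: "sys_dynlib_dlsym",
    592: "sys_dynlib_get_list",
    593: "sys_dynlib_get_info",
    597: "sys_dynlib_prepare_dlclose",
    617: "sys_set_gpo",
    672: "sys_dynlib_get_list_for_libdbg",
}
LAST_KNOWN_SYSCALL = 672

# Assumed stub encoding: mov rax, imm32 (48 C7 C0 imm32) ; mov r10, rcx (49 89 CA) ; syscall (0F 05)
MOV_RAX_IMM32 = b"\x48\xc7\xc0"
MOV_R10_RCX_SYSCALL = b"\x49\x89\xca\x0f\x05"


def label_for(num: int) -> str:
    """Name a syscall number; anything above 672 behaves like an unimplemented call."""
    if num in PS4_SYSCALL_NAMES:
        return PS4_SYSCALL_NAMES[num]
    if num > LAST_KNOWN_SYSCALL:
        return f"syscall_{num}_beyond_last_known"
    return f"syscall_{num}"


def find_syscall_stubs(code: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, syscall number, label) for every stub found in `code`."""
    stubs = []
    pos = code.find(MOV_RAX_IMM32)
    while pos != -1:
        tail = pos + len(MOV_RAX_IMM32) + 4          # skip opcode and immediate
        if code[tail:tail + len(MOV_R10_RCX_SYSCALL)] == MOV_R10_RCX_SYSCALL:
            num = struct.unpack_from("<i", code, pos + len(MOV_RAX_IMM32))[0]
            stubs.append((pos, num, label_for(num)))
        pos = code.find(MOV_RAX_IMM32, pos + 1)
    return stubs


def make_stub(num: int) -> bytes:
    """Build one constructed stub followed by `ret`, for the sample blob below."""
    return MOV_RAX_IMM32 + struct.pack("<i", num) + MOV_R10_RCX_SYSCALL + b"\xc3"


# Constructed sample: padding, two real PS4 stubs, junk bytes, and one out-of-range number.
SAMPLE_LIBKERNEL = b"\x90" * 4 + make_stub(591) + b"\xcc" * 3 + make_stub(592) + make_stub(700)

if __name__ == "__main__":
    for offset, num, label in find_syscall_stubs(SAMPLE_LIBKERNEL):
        print(f"{offset:#06x}: syscall {num} -> {label}")
```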

Functions of custom Sony system calls

Known calls include those relating to:

  1. Modules
  2. Memory
  3. Sandboxing
  4. Semaphores

Other potential calls could be for:

  1. Mutexes

Other operations, such as file I/O and networking, are handled through the standard FreeBSD 9.0 system calls linked above.

Public system calls

Number | Name | Prototype | Notes
-------|------|-----------|------
99 | sys_netcontrol | - | -
101 | sys_netabort | - | -
102 | sys_netgetsockinfo | - | -
113 | sys_socketex | - | -
114 | sys_socketclose | - | -
125 | sys_netgetiflist | - | -
141 | sys_kqueueex | - | -
379 | sys_mtypeprotect | - | -
532 | sys_regmgr_call | - | -
533 | sys_jitshm_create | - | Only callable from a jit compiler process, else returns EPERM (0x1)
534 | sys_jitshm_alias | - | Only callable from a jit compiler/application process, else returns EPERM (0x1)
535 | sys_dl_get_list | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1)
536 | sys_dl_get_info | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1)
537 | sys_dl_notify_event | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits)
538 | sys_evf_create | int sys_evf_create(char* name, int flag, struct evFlag *evf) | -
539 | sys_evf_delete | int sys_evf_delete(int id) | -
540 | sys_evf_open | int sys_evf_open(struct evFlag *evf) | -
541 | sys_evf_close | int sys_evf_close(int id) | -
542 | sys_evf_wait | - | -
543 | sys_evf_trywait | - | -
544 | sys_evf_set | int sys_evf_set(int id) | -
545 | sys_evf_clear | int sys_evf_clear(int id) | -
546 | sys_evf_cancel | int sys_evf_cancel(int id) | -
547 | sys_query_memory_protection | - | -
548 | sys_batch_map | - | -
549 | sys_osem_create | - | -
550 | sys_osem_delete | - | -
551 | sys_osem_open | - | -
552 | sys_osem_close | - | -
553 | sys_osem_wait | - | -
554 | sys_osem_trywait | - | -
555 | sys_osem_post | - | -
556 | sys_osem_cancel | - | -
557 | sys_namedobj_create | - | -
558 | sys_namedobj_delete | - | -
559 | sys_set_vm_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1)
560 | sys_debug_init | - | -
561 | sys_suspend_process | int sys_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1)
562 | sys_resume_process | int sys_resume_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1)
563 | sys_opmc_enable | - | -
564 | sys_opmc_disable | - | -
565 | sys_opmc_set_ctl | - | -
566 | sys_opmc_set_ctr | - | -
567 | sys_opmc_get_ctr | - | -
568 | sys_budget_create | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
569 | sys_budget_delete | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
570 | sys_budget_get | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
571 | sys_budget_set | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
572 | sys_virtual_query | - | -
573 | sys_mdbg_call | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
574 | sys_sblock_create | - | -
575 | sys_sblock_delete | - | -
576 | sys_sblock_enter | - | -
577 | sys_sblock_exit | - | -
578 | sys_sblock_xenter | - | -
579 | sys_sblock_xexit | - | -
580 | sys_eport_create | - | -
581 | sys_eport_delete | - | -
582 | sys_eport_trigger | - | -
583 | sys_eport_open | - | -
584 | sys_eport_close | - | -
585 | sys_is_in_sandbox | - | -
586 | sys_dmem_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1)
587 | sys_get_authinfo | - | Some functionality requires privileges (uid0)
588 | sys_mname | - | -
589 | sys_dynlib_dlopen | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits)
590 | sys_dynlib_dlclose | - | -
591 | sys_dynlib_dlsym | int sys_dynlib_dlsym(int moduleHandle, char* functionName, int *destFuncOffset) | -
592 | sys_dynlib_get_list | int sys_dynlib_get_list(int *destModuleHandles, int max, int *count) | -
593 | sys_dynlib_get_info | int sys_dynlib_get_info(int moduleHandle, int *destModuleInfo) | Sony has stripped module information since 1.76 FW (STO) *
594 | sys_dynlib_load_prx | int sys_dynlib_load_prx(char* prxPath) | -
595 | sys_dynlib_unload_prx | int sys_dynlib_unload_prx(int prxID) | -
596 | sys_dynlib_do_copy_relocations | - | -
597 | sys_dynlib_prepare_dlclose | - | Contains an exploitable integer overflow FW <= 1.76, patched FW >= 2.00 **
598 | sys_dynlib_get_proc_param | - | -
599 | sys_dynlib_process_needed_and_relocate | - | -
600 | sys_sandbox_path | - | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1)
601 | sys_mdbg_service | - | -
602 | sys_randomized_path | - | Some functionality requires privileges (uid0)
603 | sys_rdup | - | Successful call requires privileges (uid0), else returns EPERM (0x1)
604 | sys_dl_get_metadata | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1)
605 | sys_workaround8849 | - | -
606 | sys_is_development_mode | - | -
607 | sys_get_self_auth_info | - | -
608 | sys_dynlib_get_info_ex | int sys_dynlib_get_info_ex(int moduleHandle, struct Unk *unk, int *destModuleInfoEx) | -
609 | sys_budget_getid | int sys_budget_getid() // no arguments | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
610 | sys_budget_get_ptype | int sys_budget_get_ptype(int budgetID) | -
611 | sys_get_paging_stats_of_all_threads | - | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1)
612 | sys_get_proc_type_info | int sys_get_proc_type_info(int *destProcessInfo) | Only callable from certain processes, mainly involving media and JiT
613 | sys_get_resident_count | int sys_get_resident_count(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
614 | sys_prepare_to_suspend_process | int sys_prepare_to_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
615 | sys_get_resident_fmem_count | int sys_get_resident_fmem_count(int pid) | Some functionality requires privileges (uid0)
616 | sys_thr_get_name | int sys_thr_get_name(int threadID) | -
617 | sys_set_gpo | - | Only callable on development kit (devkit) units
618 | sys_get_paging_stats_of_all_objects | - | -
619 | sys_test_debug_rwmem | - | -
620 | sys_free_stack | - | -
621 | sys_suspend_system | - | -
622 | sys_ipmimgr_call | - | -
623 | sys_get_gpo | - | -
624 | sys_get_vm_map_timestamp | - | -
625 | sys_opmc_set_hw | - | -
626 | sys_opmc_get_hw | - | -
627 | sys_get_cpu_usage_all | - | -
628 | sys_mmap_dmem | - | -
629 | sys_physhm_open | - | -
630 | sys_physhm_unlink | - | -
631 | sys_resume_internal_hdd | - | -
632 | sys_thr_suspend_ucontext | - | -
633 | sys_thr_resume_ucontext | - | -
634 | sys_thr_get_ucontext | - | -
635 | sys_thr_set_ucontext | - | -
636 | sys_set_timezone_info | - | -
637 | sys_set_phys_fmem_limit | - | -
638 | sys_utc_to_localtime | - | -
639 | sys_localtime_to_utc | - | -
640 | sys_set_uevt | - | -
641 | sys_get_cpu_usage_proc | - | -
642 | sys_get_map_statistics | - | -
643 | sys_set_chicken_switches | - | -
644 | sys_#644 | - | -
645 | sys_#645 | - | -
646 | sys_get_kernel_mem_statistics | - | -
647 | sys_get_sdk_compiled_version | - | -
648 | sys_app_state_change | - | -
649 | sys_dynlib_get_obj_member | - | -
650 | sys_budget_get_ptype_of_budget | - | -
651 | sys_prepare_to_resume_process | - | -
652 | sys_process_terminate | - | -
653 | sys_blockpool_open | - | -
654 | sys_blockpool_map | - | -
655 | sys_blockpool_unmap | - | -
656 | sys_dynlib_get_info_for_libdbg | - | -
657 | sys_blockpool_batch | - | -
658 | sys_fdatasync | - | -
659 | sys_dynlib_get_list2 | - | -
660 | sys_dynlib_get_info2 | - | -
661 | sys_aio_submit | - | -
662 | sys_aio_multi_delete | - | -
663 | sys_aio_multi_wait | - | -
664 | sys_aio_multi_poll | - | -
665 | sys_aio_get_data | - | -
666 | sys_aio_multi_cancel | - | -
667 | sys_get_bio_usage_all | - | -
668 | sys_aio_create | - | -
669 | sys_aio_submit_cmd | - | -
670 | sys_aio_init | - | -
671 | sys_get_page_table_stats | - | -
672 | sys_dynlib_get_list_for_libdbg | - | -

* Since 1.76, Sony has removed key information from the sys_dynlib_get_info() system call, e.g. it no longer returns the module's code base address, data base address, code size, or data size.

** The second copyin() call failed to check boundaries and therefore could result in an integer overflow. This was patched after its use in 1.76.

Note: All system calls actually take the thread pointer (struct thread *td) as their first argument; since it is common to every system call, it has been omitted from the prototypes above for readability.