Talk:LV2 Functions and Syscalls
Jump to navigation
Jump to search
Lv2 Syscall Services Usage
Documentation about syscalls with packet id
Syscall 621 (0x26D) Gamepad Ycon Interface
syscall(621,packet_id,r4,r5)
| Packet ID | Usage |
|---|---|
| 0 | sys_gamepad_ycon_initialize ( 0, 0) |
| 1 | sys_gamepad_ycon_finalize ( 0, 0) |
| 2 | sys_gamepad_ycon_has_input_ownership ( inout[8](if==0->autofill), out[1]) |
| 3 | sys_gamepad_ycon_enumerate_device ( 0, out[0x20]) |
| 4 | sys_gamepad_ycon_get_device_info ( in[8], out[0x1C]) |
| 5 | sys_gamepad_ycon_read_raw_report ( in[4], out[4]) |
| 6 | sys_gamepad_ycon_write_raw_report ( in[0x3C], out[]) |
| 7 | sys_gamepad_ycon_get_feature ( in[8], out[0x38?]) |
| 8 | sys_gamepad_ycon_set_feature (in[6+x](4Bytes+1Byte+1Byte[contains size x]+xBytes),0) |
| 9 | sys_gamepad_ycon_is_gem ( 0,out[1]) |
Syscall 726 (0x2D6) Gelic Device Eurus Post Command
syscall(726,uint16_t cmd, uint8_t *cmdbuf, uint64_t cmdbuf_size)
| Packet ID | Description |
|---|
Syscall 861 (0x35D)
syscall(861,packet_id, r4,r5,r6,r7,r8,r9,r10)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Usage |
|---|---|
| 0 | not implemented |
| 1 | |
| 2 | |
| 3 | |
| 4 | |
| 5 | |
| 6 | |
| 7 | |
| 8 | |
| 9 | not implemented |
| 10 | not implemented |
| 11 | |
| 12 | |
| 13 | |
| 14 | |
| 15 | |
| 16 | |
| 17 | |
| 18 | |
| 19 |
Syscall 862 (0x35E) Virtual TRM Manager Interface
syscall(862,packet_id, r4,r5,r6,r7)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Usage |
|---|---|
| 0x2001 | |
| 0x2002 | |
| 0x2003 | |
| 0x2004 | |
| 0x2005 | |
| 0x2006 | |
| 0x2007 | not implemented |
| 0x2008 | not implemented |
| 0x2009 | not implemented |
| 0x200A | |
| 0x200B | |
| 0x200C | |
| 0x200D | |
| 0x200E | vtrm_decrypt_master(uint8[0x10],uint8[0x40] |
| 0x200F | not implemented |
| 0x2010 | not implemented |
| 0x2011 | not implemented |
| 0x2012 | |
| 0x2013 | |
| 0x2014 | |
| 0x2015 | |
| 0x2016 | |
| 0x2017 |
Syscall 863 (0x35F) Update Manager Interface
syscall(863,packet_id, r4,r5,r6,r7,r8,r9)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Usage |
|---|---|
| 0x6001 | update_mgr_update_package_tophalf( ,,,) |
| 0x6002 | update_manager_if::Inspect_Package(int package_type(1-9),sys_addr_tr * alloc_addr,size,r7=9(cex)/5(dex/tool),r8=out:uint64_t*) |
| 0x6003 | update_manager_if::Get_Package_Info(int package_type,out:uint64_t*) |
| 0x6004 | update_mgr_get_fix_instruction( ) |
| 0x6005 | update_mgr_extract_package_tophalf( ,,,,) |
| 0x6006 | update_mgr_get_extract_package(,,,,,) |
| 0x6007 | not implemented |
| 0x6008 | not implemented |
| 0x6009 | update_manager_if::get_token_seed( out:uint8[size1],size1,out:uint8[size2],size2) size>=0x50 |
| 0x600A | update_manager_if::set_token(in:token[size],int size), size>=0x80 |
| 0x600B | update_manager_if::read_eprom(uint32 offset,out:uint8[1]) |
| 0x600C | update_manager_if::write_eprom(uint32 offset,uint8 value) |
| 0x600D | update_mgr_get_status( ,,,,,) |
| 0x600E | update_manager_if::allocate_buffer(size,out:sys_addr_t * alloc_addr) |
| 0x600F | update_manager_if::release_buffer(in:sys_addr_t * alloc_addr) |
| 0x6010 | not implemented |
| 0x6011 | update_manager_if::get_applicable_version(1 ,out:uint8[0x20]) |
| 0x6012 |
Syscall 864 (0x360) Storage Manager Interface
syscall(864,packet_id, r4)
Note: access to this Syscall requries at least 0x20 Debug Control Flags, else 0x80010003
| Packet ID | Description | Notes |
|---|---|---|
| 0x5004 | sys_ss_auth_bd(int) | cellSsDrvPs2DiscInsert(0x52) |
| 0x5007 | sys_ss_hw_disc_auth_emu(in/out:uint8[0x18]) | use can be restricted to certain authentication id's |
| 0x5008 | sys_ss_hw_mc(in/out:uint8[0x38]) | use can be restricted to certain authentication id's |
Syscall 865 (0x361) Random Number Generator
syscall(865,packet_id, r4,r5)
| Packet ID | Description | Notes |
|---|---|---|
| 1 | syscall(865,1, out[0x18], 0x18) | size is static usage with this packet_id requires either 0x40 Root Flags or [0x1B]=8 and a certain authentication id |
| 2 | sys_get_random_number(out[size], size) |
Syscall 866 (0x362) Secure RTC Manager Interface
syscall(866,packet_id, r4, r5, r6)
| Packet ID | Description | Notes |
|---|---|---|
| 0x3001 | secure_rtc_set_rtc(r4,r5) | requries 0x40 root control flags |
| 0x3002 | secure_rtc_get_time(r4,r5,r6) | might be restricted to certain authentication id's |
| 0x3003 | secure_rtc_set_time(r4,r5) | requries 0x40 root control flags |
Syscall 867 (0x363) AIM Manager Interface
syscall(867,packet_id, r4)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Description |
|---|---|
| 0x19002 | cellSsAimGetDeviceType(out:uint8[0x10]) |
| 0x19003 | cellSsAimGetDeviceId(out:uint8[0x10]) |
| 0x19004 | cellSsAimGetPsCode(out:uint8[8]) |
| 0x19005 | cellSsAimGetOpenPsId(out:uint8[0x10]) |
| 0x19006 | syscall(867,0x19006) |
Syscall 868 (0x364) Indi Info Manager Interface
syscall(868,packet_id, r4,r5,r6,r7)
Note: access to this Syscall requries 0x40 Root Control Flags, but allows 0x20 Debug Flags and certain authentication id's for first packet_id
| Packet ID | Description |
|---|---|
| 0x17001 | |
| 0x17002 | |
| 0x17003 | |
| 0x17004 | |
| 0x17005 | |
| 0x17006 | |
| 0x17007 | |
| 0x17008 | |
| 0x17009 | |
| 0x1700A | |
| 0x1700B | |
| 0x1700C | |
| 0x1700D | |
| 0x1700E | |
| 0x1700F | |
| 0x17010 | |
| 0x17011 | |
| 0x17012 | |
| 0x17013 | |
| 0x17014 | |
| 0x17015 | |
| 0x17016 | |
| 0x17017 |
Syscall 869 (0x365) RTC? Manager Interface
syscall(869,packet_id, r4)
Note: access to this Syscall requries 0x40 Root Control Flags and possibly restricted to certain authentication id's, else 0x80010003
| Packet ID | Description |
|---|---|
| 0x22001 | syscall(869,0x22001, out:uint8[0x80]) |
| 0x22002 | syscall(869,0x22002, out:uint8[0x690]) |
| 0x22003 | syscall(869,0x22003, in:uint8[8]) |
| 0x22004 | syscall(869,0x22004, int) |
Syscall 871 (0x367) SS Access Control Engine
syscall(871,packet_id, r4)
| Packet ID | Usage | Notes |
|---|---|---|
| 1 | syscall(871,1,sys_pid_t id,out:uint8[8]) | this packet_id requires 0x20 Debug Control Flags or [0x1B]=8 and a certain authentication id, else 0x80010003 |
| 2 | syscall(871,2,out:uint8[8]) | returns authentication id? |
| 3 | syscall(871,3,sys_pid_t id) | this packet_id requries 0x20 Debug Control Flags, else 0x80010003, but returns 0x8001009 |
Syscall 876 (0x36C) Disc Access Control
syscall(876,packet_id, r4)
Note: accessing this Syscall is restricted to certain authentication id's
| Packet ID | Description |
|---|---|
| 0x20000 | sys_get_disc_access_control(out:uint8[4]) |
| 0x20001 | sys_set_disc_access_control(0 / 1) |
Syscall 877 (0x36D) User Token Interface
syscall(877,packet_id, r4,size)
Note: access to this Syscall requries 0x40 Root Control Flags, else 0x80010003
| Packet ID | Description |
|---|---|
| 0x25003 | sys_ss_utoken_decrypt(uint8[0xC50], 0xC50) |
| 0x25004 | sys_ss_utoken_get?(out:uint8[0xC50], 0xC50) |
| 0x25005 | sys_ss_utoken_encrypt(uint8[0xC50], 0xC50) |
Syscall 878 (0x36E) Ad Sign
syscall(878,packet_id, r4,r5)
Note: access to this Syscall is restricted to certain authentication id's
| Packet ID | Description |
|---|---|
| 0x26001 | sys_ss_ad_sign(in:uint8[0x14],out:uint[0x80]) |
Syscall 879 (0x36F) Media ID
syscall(862,packet_id, r4)
Note: access to this Syscall is restricted to certain authentication id's
Note2: it uses Storage Service Id 0x5007, 0x4B
| Packet ID | Description |
|---|---|
| 0x10001 | sysBdMediaId(out:uint8[0x10]) |
not on the wiki yet
these lv2 syscalls are present, but neither ordinal nor branches are known yet
sys_usbbtaudio_start_recording_ex
sys_lwcond_attribute_name_set
sys_lwmutex_attribute_name_set
sys_event_flag_attribute_name_set
sys_semaphore_attribute_name_set
sys_cond_attribute_name_set
sys_mutex_attribute_name_set
sys_raw_spu_mmio_read_ls (no real lv2 syscall, reading mmio address)
sys_raw_spu_mmio_write_ls (no real lv2 syscall, reading mmio address)
sys_raw_spu_mmio_read (no real lv2 syscall, reading mmio address)
sys_raw_spu_mmio_write (no real lv2 syscall, reading mmio address)
sys_event_queue_attribute_name_set
sys_lwcond_signal
sys_lwcond_signal_all
sys_lwcond_signal_to
sys_lwcond_wait
sys_spu_elf_get_segments
sys_raw_spu_image_load
sys_mmapper_allocate_memory
sys_ppu_thread_unregister_atexit
sys_ppu_thread_once
sys_prx_exitspawn_with_level
sys_process_at_Exitspawn
sys_process_atexitspawn
sys_game_process_exitspawn2
sys_process_is_stack
debug syscalls sys_dbg_set_stacksize_ppu_exception_handler sys_dbg_get_spu_thread_group_ids sys_dbg_get_ppu_thread_ids sys_dbg_get_spu_thread_ids sys_dbg_register_ppu_exception_handler sys_dbg_mat_set_condition sys_dbg_read_spu_thread_context2 sys_dbg_enable_floating_point_enabled_exception sys_dbg_get_event_queue_information sys_dbg_get_spu_thread_name sys_dbg_get_ppu_thread_name sys_dbg_signal_to_ppu_exception_handler sys_dbg_get_mutex_information sys_dbg_vm_get_page_information sys_dbg_mat_get_condition sys_dbg_get_cond_information sys_dbg_get_ppu_thread_status sys_dbg_get_lwcond_information sys_dbg_get_rwlock_information sys_dbg_get_spu_thread_group_status sys_dbg_get_semaphore_information sys_dbg_set_mask_to_ppu_exception_handler sys_dbg_get_coredump_params sys_dbg_get_address_from_dabr sys_dbg_get_spu_thread_group_name sys_dbg_finalize_ppu_exception_handler sys_dbg_read_spu_thread_context sys_dbg_initialize_ppu_exception_handler sys_dbg_read_ppu_thread_context sys_dbg_unregister_ppu_exception_handler sys_dbg_get_lwmutex_information sys_dbg_signal_to_coredump_handler sys_dbg_set_address_to_dabr sys_dbg_get_event_flag_information sys_dbg_disable_floating_point_enabled_exception
see also this pastebin: http://pastebin.com/w2xkNZ9T
Custom Syscalls
This is a fself for testing that when started in 4.21 DEX CFW will add lv2_alloc as Syscall 32(Replaces: UNUSED_SYSCALL). It will then try to use it and printf the received pointer. Please test and report back. http://rghost.net/48803322
firmware version offsets
| FW version | Offset | Value | Notes |
|---|---|---|---|
| 3.72 Retail | 0x9150 | ||
| 3.70 Retail | 0x9088 | ||
| 3.66 Retail | 0x8ef8 | ||
| 3.61 Retail | 0x8d04 | ||
| 3.60 Retail | 0x8ca0 | ||
| 3.56 Retail | 0x8b10 | ||
| 3.55 Retail | 0x3329b8 | 0x8aac | |
| 3.55 DEX | |||
| 3.50 Retail | 0x88b8 | ||
| 3.42 Retail | 0x8598 | ||
| 3.41 Retail | 0x2d7580 | 0x8534 | |
| 3.41 DEX | |||
| 3.41 KIOSK | 0x8534 | ||
| 3.40 Retail | 0x84d0 | ||
| 3.30 Retail | 0x80e8 | ||
| 3.21 Retail | 0x7d64 | ||
| 3.15 Retail | 0x2d6c00 | 0x7b0c | offset seems to be 6 further @ 0x002d6c06 (see below) |
| 3.10 Retail | 0x7918 | ||
| 3.01 Retail | 0x7594 | ||
| 2.85 Retail | 0x6f54 | ||
| 2.76 Retail | 0x6bd0 | ||
| 2.70 Retail | 0x6978 | ||
| 2.60 Retail | 0x6590 | ||
| 2.53 Retail | 0x62d4 | ||
| 2.43 Retail | 0x5eec | ||
| 1.02 Retail | 0x27d8 |
Note: the value is decimal '35500', '34100' and '31500' in hex.
Example
Example from 3.15 with 3.60 spoof:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
002D6C00 00 00 00 00 00 00 8C A0 00 00 00 00 00 00 00 00 ......Π........
^^ ^^
dec: 36000 spoofed
LV2 Process Structures
lv2::process is the same structure that can be found in CobraUSB source code (process.h). This version was reversed from 3.41 lv2_kernel.
struct proc_phys_mem_stat
{
u64 field_0;
u64 field_8;
u64 field_10;
u64 field_18;
u64 field_20;
u64 field_28;
u64 field_30;
};
struct unk_process_struct_1E8
{
u64 field_0;
u64 field_8;
u64 field_10;
u64 field_18;
};
struct unk_process_struct_3A0
{
u64 field_0;
u64 field_8;
};
namespace lv2
{
class wait_queue
{
u64 field_0;
u64 field_8;
u64 field_10;
};
class mutex
{
void *vtable;
u64 field_8;
u64 field_10;
lv2::wait_queue field_18;
u64 field_30;
u64 field_38;
};
class condition_variable
{
void *vtable;
u64 field_8;
lv2::wait_queue field_10;
u64 field_28;
u64 field_30;
};
class pu_thr
{
void *vtable;
char name[28];
int thr_id;
u64 field_28;
u64 field_30;
u64 field_38;
u64 prio;
u64 field_48;
u64 field_50;
u64 field_58;
u64 field_60;
u64 field_68;
u64 stack_address;
u64 stack_size;
lv2::process *my_proc;
u64 field_88;
u64 field_90;
u64 general_purpose_registers[32];
int condition_register;
u64 exception_register;
u64 link_register;
u64 count_register;
u64 save_restore_register_0;
u64 save_restore_register_1;
u64 field_1C8;
double floating_point_registers[32];
int field_2D0;
int floating_point_status_and_control_register;
u64 field_2D8;
u64 field_2E0;
u64 field_2E8;
u64 field_2F0;
u64 field_2F8;
u64 field_300;
u64 field_308;
u64 field_310;
u64 field_318;
u64 field_320;
u64 field_328;
u64 field_330;
u64 field_338;
u64 field_340;
u64 field_348;
u64 field_350;
u64 field_358;
u64 field_360;
u64 field_368;
u64 field_370;
u64 field_378;
u64 field_380;
u64 field_388;
u64 field_390;
u64 field_398;
u64 field_3A0;
u64 field_3A8;
u64 field_3B0;
u64 field_3B8;
u64 field_3C0;
u64 field_3C8;
u64 field_3D0;
u64 field_3D8;
u64 field_3E0;
u64 field_3E8;
u64 field_3F0;
u64 field_3F8;
u64 field_400;
u64 field_408;
u64 field_410;
u64 field_418;
u64 field_420;
u64 field_428;
u64 field_430;
u64 field_438;
u64 field_440;
u64 field_448;
u64 field_450;
u64 field_458;
u64 field_460;
u64 field_468;
u64 field_470;
u64 field_478;
u64 field_480;
u64 field_488;
u64 field_490;
u64 field_498;
u64 field_4A0;
u64 field_4A8;
u64 field_4B0;
u64 field_4B8;
u64 field_4C0;
u64 field_4C8;
u64 field_4D0;
u64 field_4D8;
u64 field_4E0;
u64 field_4E8;
u64 field_4F0;
u64 field_4F8;
u64 field_500;
u64 field_508;
u64 field_510;
u64 field_518;
u64 field_520;
u64 field_528;
u64 field_530;
u64 field_538;
u64 field_540;
u64 field_548;
int stop_info;
u64 field_558;
u64 field_560;
u64 field_568;
u64 field_570;
u64 field_578;
u64 field_580;
u64 field_588;
u64 field_590;
u64 field_598;
u64 field_5A0;
u64 field_5A8;
u64 field_5B0;
u64 field_5B8;
u64 field_5C0;
u64 field_5C8;
u64 field_5D0;
u64 field_5D8;
u64 field_5E0;
u64 field_5E8;
u64 field_5F0;
u64 field_5F8;
};
class id_table
{
u64 field_0[256];
u64 field_800;
lv2::wait_queue field_808;
u64 field_820;
};
class address_space
{
u64 field_0;
u64 field_8;
u64 field_10;
u64 field_18;
u64 field_20;
};
class process_as
{
lv2::address_space field_0;
u64 field_28;
u64 field_30;
u64 field_38;
u64 field_40;
u64 field_48;
u64 field_50;
u64 field_58;
u64 field_60;
u64 field_68;
u64 field_70;
u64 field_78;
u64 field_80;
u64 field_88;
u64 field_90;
u64 field_98;
u64 field_A0;
u64 field_A8;
u64 field_B0;
u64 field_B8;
u64 field_C0;
u64 field_C8;
u64 field_D0;
u64 field_D8;
u64 field_E0;
u64 field_E8;
u64 field_F0;
u64 field_F8;
u64 field_100;
u64 field_108;
u64 field_110;
u64 field_118;
u64 field_120;
u64 field_128;
u64 field_130;
u64 field_138;
u64 field_140;
u64 field_148;
u64 field_150;
u64 field_158;
u64 field_160;
u64 field_168;
u64 field_170;
u64 field_178;
u64 field_180;
u64 field_188;
u64 field_190;
u64 field_198;
u64 field_1A0;
u64 field_1A8;
u64 field_1B0;
u64 field_1B8;
u64 field_1C0;
u64 field_1C8;
u64 field_1D0;
u64 field_1D8;
u64 field_1E0;
u64 field_1E8;
u64 field_1F0;
u64 field_1F8;
u64 field_200;
u64 field_208;
u64 field_210;
u64 field_218;
u64 field_220;
u64 field_228;
u64 field_230;
u64 field_238;
u64 field_240;
u64 field_248;
u64 field_250;
u64 field_258;
u64 field_260;
u64 field_268;
u64 field_270;
u64 field_278;
u64 field_280;
u64 field_288;
u64 field_290;
u64 field_298;
u64 field_2A0;
u64 field_2A8;
u64 field_2B0;
u64 field_2B8;
u64 field_2C0;
u64 field_2C8;
u64 field_2D0;
u64 field_2D8;
u64 field_2E0;
u64 field_2E8;
u64 field_2F0;
u64 field_2F8;
u64 field_300;
u64 field_308;
u64 field_310;
u64 field_318;
u64 field_320;
u64 field_328;
u64 field_330;
u64 field_338;
u64 field_340;
u64 field_348;
u64 field_350;
u64 field_358;
u64 field_360;
u64 field_368;
u64 field_370;
u64 field_378;
u64 field_380;
u64 field_388;
u64 field_390;
u64 field_398;
u64 field_3A0;
u64 field_3A8;
u64 field_3B0;
u64 field_3B8;
u64 field_3C0;
u64 field_3C8;
u64 field_3D0;
u64 field_3D8;
u64 field_3E0;
u64 field_3E8;
u64 field_3F0;
u64 field_3F8;
u64 field_400;
u64 field_408;
u64 field_410;
u64 field_418;
u64 field_420;
u64 field_428;
u64 field_430;
u64 field_438;
u64 field_440;
u64 field_448;
u64 field_450;
u64 field_458;
u64 field_460;
u64 field_468;
u64 field_470;
u64 field_478;
u64 field_480;
u64 field_488;
u64 field_490;
u64 field_498;
u64 field_4A0;
lv2::mutex field_4A8;
u64 field_4E8;
u64 field_4F0;
u64 field_4F8;
u64 field_500;
u64 field_508;
u64 field_510;
u64 field_518;
u64 field_520;
u64 field_528;
};
class process
{
void *sc_table;
lv2::sc_trace *sc_trace;
u64 field_10;
u64 field_18;
u64 field_20;
int pid;
int status;
lv2::process_as *process_as;
lv2::pu_thr *primary_ppu_thread;
u64 field_40;
lv2::pu_thr *field_48;
u64 num_pu_threads_1;
u64 num_pu_threads_2;
u64 field_60;
u64 field_68;
u64 field_70;
u64 field_78;
u64 field_80;
u64 field_88;
u64 field_90;
u64 field_98;
u64 field_A0;
u64 size_of_memory;
lv2::process *parent;
lv2::process *first_child;
lv2::process *last_child;
u64 num_children;
lv2::mutex field_D0;
lv2::condition_variable field_110;
u64 field_148;
u64 field_150;
u64 field_158;
char *proc_image_filename;
lv2::mutex field_168;
u64 field_1A8;
proc_phys_mem_stat field_1B0;
unk_process_struct_1E8 field_1E8;
lv2::id_table *id_table;
u64 field_210;
u64 field_218;
u64 field_220;
u64 field_228;
u64 field_230;
u64 field_238;
u64 field_240;
u64 field_248;
u64 field_250;
u64 field_258;
u64 field_260;
char osabi_type;
int sdk_version;
u64 field_270;
u64 field_278;
u64 field_280;
u64 field_288;
u64 field_290;
u64 field_298;
u64 field_2A0;
u64 field_2A8;
u64 field_2B0;
u64 field_2B8;
u64 field_2C0;
u64 field_2C8;
u64 field_2D0;
u64 field_2D8;
u64 field_2E0;
u64 field_2E8;
u64 field_2F0;
u64 field_2F8;
u64 field_300;
u64 field_308;
u64 field_310;
u64 field_318;
u64 field_320;
u64 field_328;
u64 field_330;
u64 field_338;
u64 field_340;
u64 field_348;
u64 field_350;
u64 field_358;
u64 field_360;
u64 field_368;
u64 field_370;
u64 field_378;
u64 field_380;
u64 field_388;
u64 field_390;
u64 field_398;
unk_process_struct_3A0 field_3A0;
u64 field_3B0;
u64 field_3B8;
u64 field_3C0;
u64 field_3C8;
};
}