Editing Syscalls
Latest revision | Your text | ||
Line 3: | Line 3: | ||
//--> | //--> | ||
The PS4 kernel is based on FreeBSD 9 | The PS4 kernel is based on FreeBSD 9. A list of standard FreeBSD 9.1 system calls can be found [http://fxr.watson.org/fxr/source/sys/syscall.h?v=FREEBSD-9-1 here]. | ||
Compatibility | Compatibility system calls, and some others, have been disabled. The first custom Sony system call comes at number 99. But PS4 specific syscalls come after the last FreeBSD 9.1 system call, posix_fadvise, syscall 531. Currently, the last custom Sony system call is 677 (FW 6.51). Calling any system calls higher than 677 gives the same result as calling a compatibility or unimplemented system call: a "There is not enough free system memory" error/segfault. | ||
As of FW 1.76, of the 85 explored sony | As of FW 1.76, of the 85 explored sony system calls (532 - 617): | ||
* Two will not be implemented in retail units (possibly in | * Two will not be implemented in retail units (possibly in devkits though) and return 0x4E ENOSYS, being sys_dynlib_dlopen and sys_dl_notify_event | ||
* Eight will return 0x4E ENOSYS should the caller be lacking credentials (td->td_proc->p_ucred) | * Eight will return 0x4E ENOSYS should the caller be lacking credentials (td->td_proc->p_ucred) | ||
* Four will return 0x4E ENOSYS should the caller have insufficient privileges (uid0) | * Four will return 0x4E ENOSYS should the caller have insufficient privileges (uid0) | ||
* Three will return 0x01 EPERM should the caller have insufficient privileges (uid0) | * Three will return 0x01 EPERM should the caller have insufficient privileges (uid0) | ||
* One explicitly requires | * One explicitly requires a development kit (sys_set_gpo), as it sets output to debug LEDs that only development kit units have. | ||
== Reverse engineering == | == Reverse engineering == | ||
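Review bot: the count in the "As of FW 1.76" line does not match its own range: 532 through 617 inclusive is 86 system calls, not 85, so either the count or one of the bounds needs correcting. The five bullets below it also sum to 18 and say nothing about the remaining calls, so a closing sentence such as "the rest are callable from an unprivileged process" (if that is what was found) would make the breakdown complete. Minor: "sony" should be capitalised as "Sony", as it is in the paragraph above.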
Line 20: | Line 20: | ||
https://i.gyazo.com/aa2bceacf5e5f45a15495fcdb79585cb.png | https://i.gyazo.com/aa2bceacf5e5f45a15495fcdb79585cb.png | ||
You can find an IDA Pro .idc script made by Cloverleafswag3 to label | You can find an IDA Pro .idc script made by Cloverleafswag3 to label system calls in libkernel [http://pastebin.com/xch7pb2H here] | ||
An updated, janky, hacky version by X41 can be found [https://pastebin.com/2UWVj1N3 here] | An updated, janky, hacky version by X41 can be found [https://pastebin.com/2UWVj1N3 here] | ||
== Functions of PS4 custom | == Functions of PS4 custom system calls == | ||
Known calls include those relating to: | |||
# Modules | # Modules | ||
# Memory | # Memory | ||
# | # Sandboxing | ||
# Semaphores | # Semaphores | ||
Other | Other potential calls could be for: | ||
# Mutexes | |||
Other operations, such as file I/O and networking are handled through the standard FreeBSD 9.0 system calls which can be found linked above. | |||
== PS4 custom system calls == | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
! | ! #syscall ID !! <abbr title="Firmware Version">FW Ver</abbr> !! Name !! Prototype !! Notes | ||
|- | |- | ||
| 99 || <=1.01? || sys_netcontrol || int sys_netcontrol(int ifindex, uint op, void *buf, uint nbuf) || Using invalid ifindex, ifp is null. Before PS4 12.00, the lack of mutexes allowed double free as fdrop is called unconditionally in bnet_netevent_unset_queue. See also PS Vita SceNetPs kernel module that uses similar bnet functions. | | 99 || <=1.01? || sys_netcontrol || int sys_netcontrol(int ifindex, uint op, void *buf, uint nbuf) || Using invalid ifindex, ifp is null. Before PS4 12.00, the lack of mutexes allowed double free as fdrop is called unconditionally in bnet_netevent_unset_queue. See also PS Vita SceNetPs kernel module that uses similar bnet functions. | ||
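Review bot: the new sentence "handled through the standard FreeBSD 9.0 system calls which can be found linked above" contradicts the intro, which links the FreeBSD 9.1 syscall list; use one version consistently. The table header "FW Ver" is never defined, and the row for 99 shows why that matters: its FW cell reads "<=1.01?" while its note describes behaviour that persisted until 12.00, so state whether the column records the firmware the call first appeared in, the firmware it was last seen on, or the firmware it was analysed on. The two pastebin-hosted IDC scripts should note which firmware / libkernel they were written against, since system call numbers shift between firmwares and neither paste is versioned. Finally, "Modules / Memory / Sandboxing / Semaphores" and "Mutexes" are categories, not ordered steps, so "*" bullets (as used in the Compatibility section) read better than "#" numbering.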
Line 281: | Line 282: | ||
| 643 || >1.76? || sys_set_chicken_switches || - || | | 643 || >1.76? || sys_set_chicken_switches || - || | ||
|- | |- | ||
| 644 || | | 644 || >4.05>3.55? || sys_extend_page_table_pool || - || | ||
|- | |- | ||
| 645 || | | 645 || >1.76? || sys_#645 || - || | ||
|- | |- | ||
| 646 || >1.76? || sys_get_kernel_mem_statistics || - || | | 646 || >1.76? || sys_get_kernel_mem_statistics || - || | ||
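Review bot: the FW cell for 644, ">4.05>3.55?", gives two conflicting lower bounds; record a single bracket (last firmware without the call, first firmware with it) in the same form the other rows use. The placeholder name "sys_#645" is also inconsistent with the later unknown rows, which use "unk"; pick one convention for unidentified calls so the sortable Name column groups them together.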
Line 339: | Line 340: | ||
| 672 || >1.76? || sys_dynlib_get_list_for_libdbg || - || | | 672 || >1.76? || sys_dynlib_get_list_for_libdbg || - || | ||
|- | |- | ||
| 673 || ?> 5.07? || | | 673 || ?> 5.07? || unk || - || | ||
|- | |- | ||
| 674 || ?> 5.07? || | | 674 || ?> 5.07? || unk || - || | ||
|- | |- | ||
| 675 || ?> 5.07? || | | 675 || ?> 5.07? || unk || - || | ||
|- | |- | ||
| 676 || ?> 5.07? || | | 676 || ?> 5.07? || unk || - || | ||
|- | |- | ||
| 677 || ?> | | 677 || ?> 6.00? (not present on 5.55) || unk || - || | ||
|} | |} | ||
<nowiki>*</nowiki> Since | <nowiki>*</nowiki> Since 1.76, Sony has removed key information from sys_dynlib_get_info() (syscall 593), eg. it does not return the module's code base address, data base address, code size, or the data size. | ||
<b>Note:</b> All system calls actually have the thread pointer as the first argument (struct thread *td), however since it's common among all system calls it's been omitted for readability. | |||
{{Reverse Engineering}} | {{Reverse Engineering}} | ||
<noinclude>[[Category:Main]]</noinclude> | <noinclude>[[Category:Main]]</noinclude> |
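Review bot: the FW cell for 677, "?> 6.00? (not present on 5.55)", already contains the precise bracket in its parenthetical, so write it as ">5.55, <=6.00?" (or whatever the first firmware it was observed on is) rather than a guess followed by the observation; the same "?>" form on 673-676 should likewise state the last firmware checked that lacked the call. The "*" footnote about sys_dynlib_get_info (593) is not visible as a marker in these rows, so confirm the 593 row actually carries the asterisk, and "eg." should be "e.g.". The thread-pointer note is useful, but it belongs with the Prototype column header (or directly above the table) rather than after it, where a reader has already worked through every prototype without the omitted `struct thread *td` argument.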