Syscalls

From PS4 Developer wiki
Revision as of 23:11, 26 August 2018

The PS4 kernel is based on FreeBSD 9.0; a list of the standard FreeBSD 9.0 system calls can be found at http://fxr.watson.org/fxr/source/kern/syscalls.master?v=FREEBSD9.

Compatibility system calls, and some others, have been disabled. The first custom Sony system call is number 99, though most come after the last FreeBSD system call, wait6, starting at number 532. Currently, the last known custom Sony system call is 672. Calling any system call numbered higher than 672 gives the same result as calling a compatibility or unimplemented system call: a "There is not enough free system memory" error/segfault.

Of these 85 explored system calls in 1.76 (532 - 617):

  • Two will not be implemented in retail units (possibly in devkits though) and return 0x4E ENOSYS, namely sys_dynlib_dlopen and sys_dl_notify_event
  • Eight will return 0x4E ENOSYS should the caller be lacking credentials (td->td_proc->p_ucred)
  • Four will return 0x4E ENOSYS should the caller have insufficient privileges (not uid0)
  • Three will return 0x01 EPERM should the caller have insufficient privileges (not uid0)
  • One explicitly requires a development kit (sys_set_gpo), as it sets output to debug LEDs that only development kit units have.
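The gating summarised in the list above, as an added example that is not part of the wiki page and not Sony's or FreeBSD's code: a user-space C model of a FreeBSD-style system call table in which every handler receives struct thread *td as its first argument, and three rows of the table below (559, 609 and 616) apply the credential and uid0 checks their Notes columns describe. The structure layouts, the model_sysent table, call_as, the handler names with a _model suffix, and the treatment of numbers above 672 as an unimplemented slot are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Error values as the page lists them (FreeBSD numbering): EPERM = 0x1, ENOSYS = 0x4E. */
#define PS4_EPERM          0x01
#define PS4_ENOSYS         0x4E
#define LAST_KNOWN_SYSCALL 672

/* Minimal stand-ins for the kernel structures named in the page's notes.
 * Hypothetical user-space models, not the PS4 or FreeBSD definitions. */
struct ucred  { unsigned int cr_uid; };
struct proc   { struct ucred *p_ucred; };
struct thread { struct proc *td_proc; };   /* first argument of every system call */

typedef int (*sy_call_t)(struct thread *td, void *uap);

/* "Lacking credentials" in the page's wording: td->td_proc->p_ucred is NULL. */
static int has_credentials(struct thread *td)
{
    return td != NULL && td->td_proc != NULL && td->td_proc->p_ucred != NULL;
}

/* "Insufficient privileges" in the page's wording: the caller is not uid 0. */
static int is_uid0(struct thread *td)
{
    return has_credentials(td) && td->td_proc->p_ucred->cr_uid == 0;
}

/* Model handlers for three table rows, each applying the gate its Notes column describes. */
static int sys_set_vm_container_model(struct thread *td, void *uap)
{
    (void)uap;
    if (!is_uid0(td)) return PS4_EPERM;          /* 559: requires uid0, else EPERM */
    return 0;
}
static int sys_budget_getid_model(struct thread *td, void *uap)
{
    (void)uap;
    if (!has_credentials(td)) return PS4_ENOSYS; /* 609: requires credentials, else ENOSYS */
    return 0;
}
static int sys_thr_get_name_model(struct thread *td, void *uap)
{
    (void)td; (void)uap;                         /* 616: no gate listed on the page */
    return 0;
}
static int sys_nosys_model(struct thread *td, void *uap)
{
    (void)td; (void)uap;                         /* compatibility / unimplemented slot */
    return PS4_ENOSYS;
}

/* Model syscall table: number -> handler. Unlisted numbers resolve to the nosys slot. */
static const struct { int number; const char *name; sy_call_t call; } model_sysent[] = {
    { 559, "sys_set_vm_container", sys_set_vm_container_model },
    { 609, "sys_budget_getid",     sys_budget_getid_model },
    { 616, "sys_thr_get_name",     sys_thr_get_name_model },
};

/* Dispatch: range-check the number before any lookup. Numbers above the last known custom
 * call are treated like unimplemented ones, since the page reports the same failure for both. */
int model_syscall(struct thread *td, int number, void *uap)
{
    size_t i;
    if (number < 0 || number > LAST_KNOWN_SYSCALL) return sys_nosys_model(td, uap);
    for (i = 0; i < sizeof model_sysent / sizeof model_sysent[0]; i++)
        if (model_sysent[i].number == number) return model_sysent[i].call(td, uap);
    return sys_nosys_model(td, uap);
}

/* Build a caller with or without credentials and the given uid, then dispatch. */
int call_as(int number, int with_credentials, unsigned int uid)
{
    struct ucred cred = { uid };
    struct proc p = { with_credentials ? &cred : NULL };
    struct thread td = { &p };
    return model_syscall(&td, number, NULL);
}

int main(void)
{
    printf("559 as uid 0       -> 0x%02x\n", call_as(559, 1, 0));
    printf("559 as uid 1000    -> 0x%02x\n", call_as(559, 1, 1000));
    printf("609 without ucred  -> 0x%02x\n", call_as(609, 0, 0));
    printf("700 (beyond 672)   -> 0x%02x\n", call_as(700, 1, 0));
    return 0;
}
```

The point of the model is the order of checks: the number is range-checked before the table is consulted, and each handler decides its own gate from td, which is why the same caller can get EPERM from one row and ENOSYS from another.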

As of firmware version 3.55 there is evidence of new syscalls!

https://i.gyazo.com/aa2bceacf5e5f45a15495fcdb79585cb.png

You can find an IDA Pro .idc script made by Cloverleafswag3 to label system calls in libkernel at http://pastebin.com/xch7pb2H. An updated, janky, hacky version by X41 can be found at https://pastebin.com/2UWVj1N3.

Functions of custom Sony system calls

Known calls include those relating to:

  1. Modules
  2. Memory
  3. Sandboxing
  4. Semaphores

Other potential calls could be for:

  1. Mutexes

Other operations, such as file I/O and networking are handled through the standard FreeBSD 9.0 system calls which can be found linked above.

Public system calls

{| class="wikitable sortable"
|-
! # !! <abbr title="Firmware Type">FW Type</abbr> !! <abbr title="Firmware Version">FW Ver</abbr> !! Name !! Prototype !! Notes
|-
| 99 || ? || <=1.01? || sys_netcontrol || int sys_netcontrol(int fd, uint op, void *buf, uint nbuf) || -
|-
| 101 || ? || <=1.01? || sys_netabort || - || -
|-
| 102 || ? || <=1.01? || sys_netgetsockinfo || - || -
|-
| 113 || ? || <=1.01? || sys_socketex || int sys_socketex(const char *name, int domain, int type, int protocol) || Like the existing socket syscall, but with the addition of a name argument.
|-
| 114 || ? || <=1.01? || sys_socketclose || - || -
|-
| 125 || ? || <=1.01? || sys_netgetiflist || - || -
|-
| 141 || ? || <=1.01? || sys_kqueueex || - || -
|-
| 379 || ? || >1.01 <=1.76? || sys_mtypeprotect || - || -
|-
| 532 || ? || <=1.76? || sys_regmgr_call || - || -
|-
| 533 || ? || <=1.01? || sys_jitshm_create || - || Only callable from a JIT compiler process, else returns EPERM (0x1)
|-
| 534 || ? || <=1.01? || sys_jitshm_alias || - || Only callable from a JIT compiler/application process, else returns EPERM (0x1)
|-
| 535 || ? || <=1.01? || sys_dl_get_list || - || Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1)
|-
| 536 || ? || <=1.01? || sys_dl_get_info || - || Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1)
|-
| 537 || ? || <=1.01? || sys_dl_notify_event || - || Always returns ENOSYS (0x4E) (may only be implemented in devkits)
|-
| 538 || ? || <=1.01? || sys_evf_create || int sys_evf_create(char* name, int flag, struct evFlag *evf) || -
|-
| 539 || ? || <=1.01? || sys_evf_delete || int sys_evf_delete(int id) || -
|-
| 540 || ? || <=1.01? || sys_evf_open || int sys_evf_open(struct evFlag *evf) || -
|-
| 541 || ? || <=1.01? || sys_evf_close || int sys_evf_close(int id) || -
|-
| 542 || ? || <=1.01? || sys_evf_wait || - || -
|-
| 543 || ? || <=1.01? || sys_evf_trywait || - || -
|-
| 544 || ? || <=1.01? || sys_evf_set || int sys_evf_set(int id) || -
|-
| 545 || ? || <=1.01? || sys_evf_clear || int sys_evf_clear(int id) || -
|-
| 546 || ? || <=1.01? || sys_evf_cancel || int sys_evf_cancel(int id) || -
|-
| 547 || ? || <=1.01? || sys_query_memory_protection || - || -
|-
| 548 || ? || <=1.01? || sys_batch_map || - || -
|-
| 549 || ? || <=1.01? || sys_osem_create || - || -
|-
| 550 || ? || <=1.01? || sys_osem_delete || - || -
|-
| 551 || ? || <=1.01? || sys_osem_open || - || -
|-
| 552 || ? || <=1.01? || sys_osem_close || - || -
|-
| 553 || ? || <=1.01? || sys_osem_wait || - || -
|-
| 554 || ? || <=1.01? || sys_osem_trywait || - || -
|-
| 555 || ? || <=1.01? || sys_osem_post || - || -
|-
| 556 || ? || <=1.01? || sys_osem_cancel || - || -
|-
| 557 || ? || <=1.01? || sys_namedobj_create || - || -
|-
| 558 || ? || <=1.01? || sys_namedobj_delete || - || -
|-
| 559 || ? || <=1.01? || sys_set_vm_container || - || Successful call requires privileges (uid0), else returns EPERM (0x1)
|-
| 560 || ? || <=1.01? || sys_debug_init || - || -
|-
| 561 || ? || <=1.01? || sys_suspend_process || int sys_suspend_process(int pid) || Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1)
|-
| 562 || ? || <=1.01? || sys_resume_process || int sys_resume_process(int pid) || Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1)
|-
| 563 || ? || <=1.01? || sys_opmc_enable || - || -
|-
| 564 || ? || <=1.01? || sys_opmc_disable || - || -
|-
| 565 || ? || <=1.01? || sys_opmc_set_ctl || - || -
|-
| 566 || ? || <=1.01? || sys_opmc_set_ctr || - || -
|-
| 567 || ? || <=1.01? || sys_opmc_get_ctr || - || -
|-
| 568 || ? || <=1.01? || sys_budget_create || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
| 569 || ? || <=1.01? || sys_budget_delete || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
| 570 || ? || <=1.01? || sys_budget_get || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
| 571 || ? || <=1.01? || sys_budget_set || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
| 572 || ? || <=1.01? || sys_virtual_query || - || -
|-
| 573 || ? || <=1.01? || sys_mdbg_call || - || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
| 574 || ? || <=1.01? || sys_sblock_create || - || -
|-
| 575 || ? || <=1.01? || sys_sblock_delete || - || -
|-
| 576 || ? || <=1.01? || sys_sblock_enter || - || -
|-
| 577 || ? || <=1.01? || sys_sblock_exit || - || -
|-
| 578 || ? || <=1.01? || sys_sblock_xenter || - || -
|-
| 579 || ? || <=1.01? || sys_sblock_xexit || - || -
|-
| 580 || ? || <=1.01? || sys_eport_create || - || -
|-
| 581 || ? || <=1.01? || sys_eport_delete || - || -
|-
| 582 || ? || <=1.01? || sys_eport_trigger || - || -
|-
| 583 || ? || <=1.01? || sys_eport_open || - || -
|-
| 584 || ? || <=1.01? || sys_eport_close || - || -
|-
| 585 || ? || <=1.01? || sys_is_in_sandbox || - || -
|-
| 586 || ? || <=1.01? || sys_dmem_container || - || Successful call requires privileges (uid0), else returns EPERM (0x1)
|-
| 587 || ? || <=1.01? || sys_get_authinfo || - || Some functionality requires privileges (uid0)
|-
| 588 || ? || <=1.01? || sys_mname || - || -
|-
| 589 || ? || <=1.01? || sys_dynlib_dlopen || - || Always returns ENOSYS (0x4E) (may only be implemented in devkits)
|-
| 590 || ? || <=1.01? || sys_dynlib_dlclose || - || -
|-
| 591 || ? || <=1.01? || sys_dynlib_dlsym || int sys_dynlib_dlsym(int moduleHandle, char* functionName, int *destFuncOffset) || -
|-
| 592 || ? || <=1.01? || sys_dynlib_get_list || int sys_dynlib_get_list(int *destModuleHandles, int max, int *count) || -
|-
| 593 || ? || <=1.01? || sys_dynlib_get_info || int sys_dynlib_get_info(int moduleHandle, int *destModuleInfo) || Sony has stripped module information since 1.76 FW (STO) *
|-
| 594 || ? || <=1.01? || sys_dynlib_load_prx || int sys_dynlib_load_prx(char* prxPath) || -
|-
| 595 || ? || <=1.01? || sys_dynlib_unload_prx || int sys_dynlib_unload_prx(int prxID) || -
|-
| 596 || ? || <=1.01? || sys_dynlib_do_copy_relocations || - || -
|-
| 597 || ? || <=1.01? || sys_dynlib_prepare_dlclose || - || Contains an exploitable integer overflow FW <= 1.76, patched FW >= 2.00 **
|-
| 598 || ? || <=1.01? || sys_dynlib_get_proc_param || - || -
|-
| 599 || ? || <=1.01? || sys_dynlib_process_needed_and_relocate || - || -
|-
| 600 || ? || <=1.01? || sys_sandbox_path || - || Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1)
|-
| 601 || ? || <=1.01? || sys_mdbg_service || - || -
|-
| 602 || ? || <=1.01? || sys_randomized_path || - || Some functionality requires privileges (uid0)
|-
| 603 || ? || <=1.01? || sys_rdup || - || Successful call requires privileges (uid0), else returns EPERM (0x1)
|-
| 604 || ? || <=1.01? || sys_dl_get_metadata || - || Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1)
|-
| 605 || ? || <=1.01? || sys_workaround8849 || - || -
|-
| 606 || ? || <=1.01? || sys_is_development_mode || - || -
|-
| 607 || ? || <=1.01? || sys_get_self_auth_info || - || -
|-
| 608 || ? || <=1.01? || sys_dynlib_get_info_ex || int sys_dynlib_get_info_ex(int moduleHandle, struct Unk *unk, int *destModuleInfoEx) || -
|-
| 609 || ? || <=1.01? || sys_budget_getid || int sys_budget_getid() // no arguments || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
| 610 || ? || <=1.01? || sys_budget_get_ptype || int sys_budget_get_ptype(int budgetID) || -
|-
| 611 || ? || <=1.01? || sys_get_paging_stats_of_all_threads || - || Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1)
|-
| 612 || ? || <=1.01? || sys_get_proc_type_info || int sys_get_proc_type_info(int *destProcessInfo) || Only callable from certain processes, mainly those involving media and JIT
|-
| 613 || ? || >1.01 <=1.76? || sys_get_resident_count || int sys_get_resident_count(int pid) || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
| 614 || ? || <=1.76? || sys_prepare_to_suspend_process || int sys_prepare_to_suspend_process(int pid) || Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E)
|-
| 615 || ? || <=1.76? || sys_get_resident_fmem_count || int sys_get_resident_fmem_count(int pid) || Some functionality requires privileges (uid0)
|-
| 616 || ? || <=1.76? || sys_thr_get_name || int sys_thr_get_name(int threadID) || -
|-
| 617 || ? || <=1.76? || sys_set_gpo || - || Only callable on development kit (devkit) units
|-
| 618 || ? || >1.76? || sys_get_paging_stats_of_all_objects || - ||
|-
| 619 || ? || >1.76? || sys_test_debug_rwmem || - ||
|-
| 620 || ? || >1.76? || sys_free_stack || - ||
|-
| 621 || ? || >1.76? || sys_suspend_system || - ||
|-
| 622 || ? || >1.76? || sys_ipmimgr_call || - ||
|-
| 623 || ? || >1.76? || sys_get_gpo || - ||
|-
| 624 || ? || >1.76? || sys_get_vm_map_timestamp || - ||
|-
| 625 || ? || >1.76? || sys_opmc_set_hw || - ||
|-
| 626 || ? || >1.76? || sys_opmc_get_hw || - ||
|-
| 627 || ? || >1.76? || sys_get_cpu_usage_all || - ||
|-
| 628 || ? || >1.76? || sys_mmap_dmem || - ||
|-
| 629 || ? || >1.76? || sys_physhm_open || - ||
|-
| 630 || ? || >1.76? || sys_physhm_unlink || - ||
|-
| 631 || ? || >1.76? || sys_resume_internal_hdd || - ||
|-
| 632 || ? || >1.76? || sys_thr_suspend_ucontext || - ||
|-
| 633 || ? || >1.76? || sys_thr_resume_ucontext || - ||
|-
| 634 || ? || >1.76? || sys_thr_get_ucontext || - ||
|-
| 635 || ? || >1.76? || sys_thr_set_ucontext || - ||
|-
| 636 || ? || >1.76? || sys_set_timezone_info || - ||
|-
| 637 || ? || >1.76? || sys_set_phys_fmem_limit || - ||
|-
| 638 || ? || >1.76? || sys_utc_to_localtime || - ||
|-
| 639 || ? || >1.76? || sys_localtime_to_utc || - ||
|-
| 640 || ? || >1.76? || sys_set_uevt || - ||
|-
| 641 || ? || >1.76? || sys_get_cpu_usage_proc || - ||
|-
| 642 || ? || >1.76? || sys_get_map_statistics || - ||
|-
| 643 || ? || >1.76? || sys_set_chicken_switches || - ||
|-
| 644 || ? || >4.05>3.55? || sys_extend_page_table_pool || - ||
|-
| 645 || ? || >1.76? || sys_#645 || - ||
|-
| 646 || ? || >1.76? || sys_get_kernel_mem_statistics || - ||
|-
| 647 || ? || >1.76? || sys_get_sdk_compiled_version || - ||
|-
| 648 || ? || >1.76? || sys_app_state_change || - ||
|-
| 649 || ? || >1.76? || sys_dynlib_get_obj_member || - ||
|-
| 650 || ? || >1.76? || sys_budget_get_ptype_of_budget || - ||
|-
| 651 || ? || >1.76? || sys_prepare_to_resume_process || - ||
|-
| 652 || ? || >1.76? || sys_process_terminate || - ||
|-
| 653 || ? || >1.76? || sys_blockpool_open || - ||
|-
| 654 || ? || >1.76? || sys_blockpool_map || - ||
|-
| 655 || ? || >1.76? || sys_blockpool_unmap || - ||
|-
| 656 || ? || >1.76? || sys_dynlib_get_info_for_libdbg || - ||
|-
| 657 || ? || >1.76? || sys_blockpool_batch || - ||
|-
| 658 || ? || >1.76? || sys_fdatasync || - ||
|-
| 659 || ? || >1.76? || sys_dynlib_get_list2 || - ||
|-
| 660 || ? || >1.76? || sys_dynlib_get_info2 || - ||
|-
| 661 || ? || >1.76? || sys_aio_submit || - ||
|-
| 662 || ? || >1.76? || sys_aio_multi_delete || - ||
|-
| 663 || ? || >1.76? || sys_aio_multi_wait || - ||
|-
| 664 || ? || >1.76? || sys_aio_multi_poll || - ||
|-
| 665 || ? || >1.76? || sys_aio_get_data || - ||
|-
| 666 || ? || >1.76? || sys_aio_multi_cancel || - ||
|-
| 667 || ? || >1.76? || sys_get_bio_usage_all || - ||
|-
| 668 || ? || >1.76? || sys_aio_create || - ||
|-
| 669 || ? || >1.76? || sys_aio_submit_cmd || - ||
|-
| 670 || ? || >1.76? || sys_aio_init || - ||
|-
| 671 || ? || >1.76? || sys_get_page_table_stats || - ||
|-
| 672 || ? || >1.76? || sys_dynlib_get_list_for_libdbg || - ||
|}

* Since 1.76, Sony has removed key information from the sys_dynlib_get_info() system call; e.g. it no longer returns the module's code base address, data base address, code size, or data size.

** The second copyin() call failed to check boundaries and could therefore result in an integer overflow. This was patched after its use in 1.76.

Note: All system calls actually take the thread pointer (struct thread *td) as their first argument; since it is common to every system call it has been omitted from the prototypes above for readability.
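The ** footnote above describes a second copyin() whose size was derived from user-controlled values without a bounds check, so the length arithmetic could overflow. What follows is an added example, not the wiki page's, Sony's or FreeBSD's code: a user-space model of a two-stage handler that fetches a header, bounds the element count, rejects a product that would not fit the size field, and checks the derived size against the kernel buffer before performing the second copy. model_copyin, req_hdr, MAX_ELEMS, run_scenario and the 32-bit size fields are assumptions constructed for the illustration; the real call's argument layout is not on the page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of a two-stage copyin, constructed for this example.
 * It is neither the PS4 kernel's sys_dynlib_prepare_dlclose nor FreeBSD's copyin(). */

#define MODEL_USER_BYTES 64
#define MAX_ELEMS        16   /* assumed upper bound a handler would impose on the element count */

/* The modelled "user address space": a small byte array addressed by offset. */
static unsigned char model_user_space[MODEL_USER_BYTES];

/* Model copyin(): copy len bytes from user offset uoff into a kernel buffer, refusing any
 * range that leaves the modelled user space (EFAULT, as the real copyin would). */
static int model_copyin(size_t uoff, void *kaddr, size_t len)
{
    if (uoff > MODEL_USER_BYTES || len > MODEL_USER_BYTES - uoff)
        return EFAULT;
    memcpy(kaddr, model_user_space + uoff, len);
    return 0;
}

/* Header fetched by the first copyin; the second copyin sizes itself from these fields. */
struct req_hdr {
    uint32_t count;      /* number of elements that follow */
    uint32_t elem_size;  /* size of each element in bytes */
};

/* The unchecked computation: a 32-bit product silently wraps (0x40000001 * 4 == 4), so a
 * size check or allocation based on it passes while the request still describes
 * 0x40000001 elements. Kept here only to show the wraparound; it touches no memory. */
uint32_t unchecked_total_bytes(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened computation: bound the count, then refuse any product that would not fit. */
int checked_total_bytes(uint32_t count, uint32_t elem_size, size_t *out)
{
    if (count == 0 || elem_size == 0 || count > MAX_ELEMS)
        return EINVAL;
    if (count > UINT32_MAX / elem_size)   /* count * elem_size would exceed UINT32_MAX */
        return EOVERFLOW;
    *out = (size_t)count * elem_size;
    return 0;
}

/* Two-stage handler: copyin the header, validate the derived size against both the
 * arithmetic limits and the kernel buffer, and only then copyin the body. */
int handle_request(size_t hdr_uoff, size_t body_uoff,
                   unsigned char *kbuf, size_t kbuf_len, size_t *copied)
{
    struct req_hdr hdr;
    size_t total;
    int err = model_copyin(hdr_uoff, &hdr, sizeof hdr);
    if (err) return err;
    err = checked_total_bytes(hdr.count, hdr.elem_size, &total);
    if (err) return err;
    if (total > kbuf_len) return EINVAL;         /* never exceed the kernel-side buffer */
    err = model_copyin(body_uoff, kbuf, total);
    if (err) return err;
    *copied = total;
    return 0;
}

/* Scenario runner with a constructed request: writes a header at user offset 0, places the
 * body at body_uoff, and returns the bytes copied on success or the negated error code. */
int run_scenario(uint32_t count, uint32_t elem_size, size_t body_uoff)
{
    unsigned char kbuf[32];
    size_t copied = 0;
    struct req_hdr hdr = { count, elem_size };
    int err;
    memset(model_user_space, 0xAB, sizeof model_user_space); /* constructed body bytes */
    memcpy(model_user_space, &hdr, sizeof hdr);
    err = handle_request(0, body_uoff, kbuf, sizeof kbuf, &copied);
    return err ? -err : (int)copied;
}

int main(void)
{
    printf("4 x 4 bytes at offset 8       -> %d\n", run_scenario(4, 4, 8));
    printf("0x40000001 x 4 wraps to %u     -> %d\n",
           unchecked_total_bytes(0x40000001u, 4), run_scenario(0x40000001u, 4, 8));
    printf("16 x 0x10000000 (overflow)    -> %d\n", run_scenario(16, 0x10000000u, 8));
    printf("4 x 4 bytes at offset 56      -> %d\n", run_scenario(4, 4, 56));
    return 0;
}
```

The three checks are deliberately separate: the count bound stops absurd requests early, the division test catches a product that wraps even for a count within the bound, and the kernel-buffer comparison is what actually protects the destination; dropping any one of them reopens a path for a user-supplied length to exceed what the second copy was sized for.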