Syscalls
The PS4 kernel is based on FreeBSD 9.0; a list of standard FreeBSD 9.0 system calls can be found here.
Compatibility system calls, and some others, have been disabled. The first custom Sony system call comes immediately after the last FreeBSD system call, wait6, and is number 532. Currently, the last known custom Sony system call is 651, the names, function, and signatures of system calls 618-651 are currently unknown as they were implemented > 1.76. Calling any system calls higher than 651 gives the same result as calling a compatibility or unimplemented system call, a "There is not enough free system memory" error/segfault.
Of these 85 explored system calls (532 - 617):
- Two will not be implemented in retail units (possibly in devkits though) and return 0x4E ENOSYS, being sys_dynlib_dlopen and sys_dl_notify_event
- Eight will return 0x4E ENOSYS should the caller be lacking credentials (td->td_proc->p_ucred)
- Four will return 0x4E ENOSYS should the caller have insufficient privileges (uid0)
- Three will return 0x01 EPERM should the caller have insufficient privileges (uid0)
- One explicitly requires a development kit (sys_set_gpo), as it sets output to components that only development kit units have.
As of firmware version 3.55 there is evidence of new syscalls!
https://i.gyazo.com/aa2bceacf5e5f45a15495fcdb79585cb.png
You can find an IDA Pro .idc script made by Cloverleafswag3 to label system calls in libkernel here
Functions of custom Sony system calls
Known calls include those relating to:
- Modules
- Memory
- Sandboxing
- Semaphores
Other potential calls could be for:
- Mutexes
Other operations, such as file I/O and networking are handled through the standard FreeBSD 9.0 system calls which can be found linked above.
Public system calls
| Number | Name | Prototype | Notes |
|---|---|---|---|
| 532 | sys_regmgr_call | - | - |
| 533 | sys_jitshm_create | - | Only callable from a jit compiler process, else returns EPERM (0x1) |
| 534 | sys_jitshm_alias | - | Only callable from a jit compiler/application process, else returns EPERM (0x1) |
| 535 | sys_dl_get_list | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
| 536 | sys_dl_get_info | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
| 537 | sys_dl_notify_event | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits) |
| 538 | sys_evf_create | int sys_evf_create(char* name, int flag, struct evFlag *evf) | - |
| 539 | sys_evf_delete | int sys_evf_delete(int id) | - |
| 540 | sys_evf_open | int sys_evf_open(struct evFlag *evf) | - |
| 541 | sys_evf_close | int sys_evf_close(int id) | - |
| 542 | sys_evf_wait | - | - |
| 543 | sys_evf_trywait | - | - |
| 544 | sys_evf_set | int sys_evf_set(int id) | - |
| 545 | sys_evf_clear | int sys_evf_clear(int id) | - |
| 546 | sys_evf_cancel | int sys_evf_cancel(int id) | - |
| 547 | sys_query_memory_protection | - | - |
| 548 | sys_batch_map | - | - |
| 549 | sys_osem_create | - | - |
| 550 | sys_osem_delete | - | - |
| 551 | sys_osem_open | - | - |
| 552 | sys_osem_close | - | - |
| 553 | sys_osem_wait | - | - |
| 554 | sys_osem_trywait | - | - |
| 555 | sys_osem_post | - | - |
| 556 | sys_osem_cancel | - | - |
| 557 | sys_namedobj_create | - | - |
| 558 | sys_namedobj_delete | - | - |
| 559 | sys_set_vm_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
| 560 | sys_debug_init | - | - |
| 561 | sys_suspend_process | int sys_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
| 562 | sys_resume_process | int sys_resume_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
| 563 | sys_opmc_enable | - | - |
| 564 | sys_opmc_disable | - | - |
| 565 | sys_opmc_set_ctl | - | - |
| 566 | sys_opmc_set_ctr | - | - |
| 567 | sys_opmc_get_ctr | - | - |
| 568 | sys_budget_create | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
| 569 | sys_budget_delete | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
| 570 | sys_budget_get | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
| 571 | sys_budget_set | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
| 572 | sys_virtual_query | - | - |
| 573 | sys_mdbg_call | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
| 574 | sys_sblock_create | - | - |
| 575 | sys_sblock_delete | - | - |
| 576 | sys_sblock_enter | - | - |
| 577 | sys_sblock_exit | - | - |
| 578 | sys_sblock_xenter | - | - |
| 579 | sys_sblock_xexit | - | - |
| 580 | sys_eport_create | - | - |
| 581 | sys_eport_delete | - | - |
| 582 | sys_eport_trigger | - | - |
| 583 | sys_eport_open | - | - |
| 584 | sys_eport_close | - | - |
| 585 | sys_is_in_sandbox | - | - |
| 586 | sys_dmem_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
| 587 | sys_get_authinfo | - | Some functionality requires privileges (uid0) |
| 588 | sys_mname | - | - |
| 589 | sys_dynlib_dlopen | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits) |
| 590 | sys_dynlib_dlclose | - | - |
| 591 | sys_dynlib_dlsym | int sys_dynlib_dlsym(int moduleHandle, char* functionName, int *destFuncOffset) | - |
| 592 | sys_dynlib_get_list | int sys_dynlib_get_list(int *destModuleHandles, int max, int *count) | - |
| 593 | sys_dynlib_get_info | int sys_dynlib_get_info(int moduleHandle, int *destModuleInfo) | Sony has stripped module information since 1.76 FW (STO) * |
| 594 | sys_dynlib_load_prx | int sys_dynlib_load_prx(char* prxPath) | - |
| 595 | sys_dynlib_unload_prx | int sys_dynlib_unload_prx(int prxID) | - |
| 596 | sys_dynlib_do_copy_relocations | - | - |
| 597 | sys_dynlib_prepare_dlclose | - | Contains an exploitable integer overflow FW <= 1.76, patched FW >= 2.00 ** |
| 598 | sys_dynlib_get_proc_param | - | - |
| 599 | sys_dynlib_process_needed_and_relocate | - | - |
| 600 | sys_sandbox_path | - | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
| 601 | sys_mdbg_service | - | - |
| 602 | sys_randomized_path | - | Some functionality requires privileges (uid0) |
| 603 | sys_rdup | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
| 604 | sys_dl_get_metadata | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
| 605 | sys_workaround8849 | - | - |
| 606 | sys_is_development_mode | - | - |
| 607 | sys_get_self_auth_info | - | - |
| 608 | sys_dynlib_get_info_ex | int sys_dynlib_get_info_ex(int moduleHandle, struct Unk *unk, int *destModuleInfoEx) | - |
| 609 | sys_budget_getid | int sys_budget_getid() // no arguments | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
| 610 | sys_budget_get_ptype | int sys_budget_get_ptype(int budgetID) | - |
| 611 | sys_get_paging_stats_of_all_threads | - | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
| 612 | sys_get_proc_type_info | int sys_get_proc_type_info(int *destProcessInfo) | Only callable from certain processes mainly involving media and JiT |
| 613 | sys_get_resident_count | int sys_get_resident_count(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
| 614 | sys_prepare_to_suspend_process | int sys_prepare_to_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
| 615 | sys_get_resident_fmem_count | int sys_get_resident_fmem_count(int pid) | Some functionality requires privileges (uid0) |
| 616 | sys_thr_get_name | int sys_thr_get_name(int threadID) | - |
| 617 | sys_set_gpo | - | Only callable on development kit (devkit) units |
* Since 1.76, Sony has removed key information from the sys_dynlib_get_info() system call, eg. it does not return the module's code base address, data base address, code size, or the data size.
** The second copyin() function failed to check boundaries, and therefore could result in an integer overflow. This was patched after it's usage in 1.76.
Note: All system calls actually have the thread pointer as the first argument (struct thread *td), however since it's common among all system calls it's been omitted for readability.
| |||||||||||||||||||||||||||||||||||||
