Difference between revisions of "Kernel Syscalls"

m (fixed markup)
(revamped page, explained sysent, method of finding, added addresses for iPod 4 5.1 kernel)
Line 24: Line 24:
 
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
 
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
   
=== List ===
+
=== sysent ===
* '''exit''': 1
 
* '''fork''': 2
 
* '''read''': 3
 
* '''write''': 4
 
* '''open''': 5
 
* '''close''': 6
 
* '''wait4''': 7
 
* '''link''': 9
 
* '''unlink''': 10
 
* '''chdir''': 12
 
* '''fchdir''': 13
 
* '''mknod''': 14
 
* '''chmod''': 15
 
* '''chown''': 16
 
* '''getfsstat''': 18
 
* '''getpid''': 20
 
* '''setuid''': 23
 
* '''getuid''': 24
 
* '''geteuid''': 25
 
* '''ptrace''': 26
 
* '''recvmsg''': 27
 
* '''sendmsg''': 28
 
* '''recvfrom''': 29
 
* '''accept''': 30
 
* '''getpeername''': 31
 
* '''getsockname''': 32
 
* '''access''': 33
 
* '''chflags''': 34
 
* '''fchflags''': 35
 
* '''sync''': 36
 
* '''kill''': 37
 
* '''getppid''': 39
 
* '''dup''': 41
 
* '''pipe''': 42
 
* '''getegid''': 43
 
* '''profil''': 44
 
* '''sigaction''': 46
 
* '''getgid''': 47
 
* '''sigprocmask''': 48
 
* '''getlogin''': 49
 
* '''setlogin''': 50
 
* '''acct''': 51
 
* '''sigpending''': 52
 
* '''signalstack''': 53
 
* '''ioctl''': 54
 
* '''reboot''': 55
 
* '''revoke''': 56
 
* '''symlink''': 57
 
* '''readlink''': 58
 
* '''execve''': 59
 
* '''umask''': 60
 
* '''chroot''': 61
 
* '''msync''': 65
 
* '''vfork''': 66
 
* '''munmap''': 73
 
* '''mprotect''': 74
 
* '''madvise''': 75
 
* '''mincore''': 78
 
* '''getgroups''': 79
 
* '''setgroups''': 80
 
* '''getpgrp''': 81
 
* '''setpgid''': 82
 
* '''setitimer''': 83
 
* '''swapon''': 85
 
* '''getitimer''': 86
 
* '''getdtablesize''': 89
 
* '''dup2''': 90
 
* '''fnctl''': 92
 
* '''select''': 93
 
* '''fsync''': 95
 
* '''setpriority''': 96
 
* '''socket''': 97
 
* '''connect''': 98
 
* '''getpriority''': 100
 
* '''bind''': 104
 
* '''setsockopt''': 105
 
* '''listen''': 106
 
* '''sigsuspend''': 111
 
* '''gettimeofday''': 116
 
* '''getrusage''': 117
 
* '''getsockopt''': 118
 
* '''readv''': 120
 
* '''writev''': 121
 
* '''settimeofday''': 122
 
* '''fchown''': 123
 
* '''fchmod''': 124
 
* '''setreuid''': 126
 
* '''setregid''': 127
 
* '''rename''': 128
 
* '''flock''': 131
 
* '''mkfifo''': 132
 
* '''sendto''': 133
 
* '''shutdown''': 134
 
* '''socketpair''': 135
 
* '''mkdir''': 136
 
* '''rmdir''': 137
 
* '''utimes''': 138
 
* '''futimes''': 139
 
* '''adjtime''': 140
 
* '''gethostuuid''': 142
 
* '''setsid''': 145
 
* '''getpgid''': 151
 
* '''setprivexec''': 152
 
* '''pread''': 153
 
* '''pwrite''': 154
 
* '''statfs''': 157
 
* '''fstatfs''': 158
 
* '''unmount''': 159
 
* '''quotactl''': 165
 
* '''mount''': 167
 
* '''csops''': 169
 
* '''waitid''': 173
 
* '''add_profil''': 176
 
* '''kdebug_trace''': 180
 
* '''setgid''': 181
 
* '''setegid''': 182
 
* '''seteuid''': 183
 
* '''sigreturn''': 184
 
* '''chod''': 185
 
* '''fdatasync''': 187
 
* '''stat''': 188
 
* '''fstat''': 189
 
* '''lstat''': 190
 
* '''pathconf''': 191
 
* '''fpathconf''': 192
 
* '''getrlimit''': 194
 
* '''setrlimit''': 195
 
* '''getdirentries''': 196
 
* '''mmap''': 197
 
* '''lseek''': 199
 
* '''truncate''': 200
 
* '''ftruncate''': 201
 
* '''__sysctl''': 202
 
* '''mlock''': 203
 
* '''munlock''': 204
 
* '''undelete''': 205
 
* '''mkcomplex''': 216
 
* '''statv''': 217
 
* '''lstatv''': 218
 
* '''fstatv''': 219
 
* '''getattrlist''': 220
 
* '''setattrlist''': 221
 
* '''getdirentriesattr''': 222
 
* '''exchangedata''': 223
 
* '''fsgetpath''': 224
 
* '''searchfs''': 225
 
* '''delete''': 226
 
* '''copyfile''': 227
 
* '''fgetattrlist''': 228
 
* '''fsetattrlist''': 229
 
* '''poll''': 230
 
* '''watchevent''': 231
 
* '''waitevent''': 232
 
* '''modwatch''': 233
 
* '''getxattr''': 234
 
* '''fgetxattr''': 235
 
* '''setxattr''': 236
 
* '''fsetxattr''': 237
 
* '''removexattr''': 238
 
* '''fremovexattr''': 239
 
* '''listxattr''': 240
 
* '''flistxattr''': 241
 
* '''fsctl''': 242
 
* '''initgroups''': 243
 
* '''posix_spawn''': 244
 
* '''ffsctl''': 245
 
* '''minherit''': 250
 
* '''shm_open''': 266
 
* '''shm_unlink''': 267
 
* '''sem_open''': 268
 
* '''sem_close''': 269
 
* '''sem_unlink''': 270
 
* '''sem_wait''': 271
 
* '''sem_trywait''': 272
 
* '''sem_post''': 273
 
* '''sem_getvalue''': 274
 
* '''sem_init''': 275
 
* '''sem_destroy''': 276
 
* '''open_extended''': 277
 
* '''umask_extended''': 278
 
* '''stat_extended''': 279
 
* '''lstat_extended''': 280
 
* '''fstat_extended''': 281
 
* '''chmod_extended''': 282
 
* '''fchmod_extended''': 283
 
* '''access_extended''': 284
 
* '''settid''': 285
 
* '''gettid''': 286
 
* '''setsgroups''': 287
 
* '''getsgroups''': 288
 
* '''setwgroups''': 289
 
* '''getwgroups''': 290
 
* '''mkfifo_extended''': 291
 
* '''mkdir_extended''': 292
 
* '''identitysvc''': 293
 
* '''shared_region_check_np''': 294
 
* '''shared_region_map_np''': 295
 
* '''vm_pressure_monitor''': 296
 
* '''__pthread_mutex_destroy''': 301
 
* '''__pthread_mutex_init''': 302
 
* '''__pthread_mutex_lock''': 303
 
* '''__pthread_mutex_trylock''': 304
 
* '''__pthread_mutex_unlock''': 305
 
* '''__pthread_cond_init''': 306
 
* '''__pthread_cond_destroy''': 307
 
* '''__pthread_cond_broadcast''': 308
 
* '''__pthread_cond_signal''': 309
 
* '''getsid''': 310
 
* '''settid_with_pid''': 311
 
* '''__pthread_cond_timedwait''': 312
 
* '''aio_fsync''': 313
 
* '''aio_return''': 314
 
* '''aio_suspend''': 315
 
* '''aio_cancel''': 316
 
* '''aio_error''': 317
 
* '''aio_read''': 318
 
* '''aio_write''': 319
 
* '''lio_listio''': 320
 
* '''__pthread_cond_wait''': 321
 
* '''iopolicysys''': 322
 
* '''mlockall''': 324
 
* '''munlockall''': 325
 
* '''issetugid''': 327
 
* '''__pthread_kill''': 328
 
* '''__pthread_sigmask''': 329
 
* '''__sigwait''': 330
 
* '''__disable_threadsignal''': 331
 
* '''__pthread_markcancel''': 332
 
* '''__pthread_canceled''': 333
 
* '''proc_info''': 336
 
* '''stat64''': 338
 
* '''fstat64''': 339
 
* '''lstat64''': 340
 
* '''stat64_extended''': 341
 
* '''lstat64_extended''': 342
 
* '''fstat64_extended''': 343
 
* '''getdirectories64''': 344
 
* '''statfs64''': 345
 
* '''fstatfs64''': 346
 
* '''getfsstat64''': 347
 
* '''__pthread_chdir''': 348
 
* '''__pthread_fchdir''': 349
 
* '''kqueue''': 362
 
* '''kevent''': 363
 
* '''lchown''': 364
 
* '''stack_snapshot''': 365
 
* '''kevent64''': 369
 
* '''__semwait_signal''': 370
 
* '''__semwait_signal_nocancel''': 371
 
* '''ledger''': 372 - This Syscall exists only in iOS, having been taken out of OS X a while ago.
 
   
  +
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (either be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:
The following syscalls are for BSD's Mandatory Access Control, on top of which Apple's "SandBox" (sandbox.kext) is implemented
 
   
  +
<pre>
* '''__mac_execve''': 380
 
* '''__mac_syscall''': 381
 
* '''__mac_get_file''': 382
 
* '''__mac_set_file''': 383
 
* '''__mac_get_link''': 384
 
* '''__mac_set_link''': 385
 
* '''__mac_get_proc''': 386
 
* '''__mac_set_proc''': 387
 
* '''__mac_get_fd''': 388
 
* '''__mac_set_fd''': 389
 
* '''__mac_get_pid''': 390
 
* '''__mac_get_lcid''': 391
 
* '''__mac_get_lctx''': 392
 
* '''__mac_set_lctx''': 393
 
   
  +
struct sysent { /* system call table */
---------
 
  +
int16_t sy_narg; /* number of args */
  +
int8_t sy_resv; /* reserved */
  +
int8_t sy_flags; /* flags */
  +
sy_call_t *sy_call; /* implementing function */
  +
sy_munge_t *sy_arg_munge32; /* system call arguments munger for 32-bit process */
  +
sy_munge_t *sy_arg_munge64; /* system call arguments munger for 64-bit process */
  +
int32_t sy_return_type; /* system call return types */
  +
uint16_t sy_arg_bytes; /* Total size of arguments in bytes for
  +
* 32-bit system calls
  +
*/
  +
};
   
  +
</pre>
* '''setlcid''': 394
 
* '''getlcid''': 395
 
   
  +
Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 5.1:
The "nocancel"s are the same as their cancellable counterparts. In most cases, the latter are just wrappers, with a call to __pthread_testcancel(1);
 
 
* '''read_nocancel''': 396
 
* '''write_nocancel''': 397
 
* '''open_nocancel''': 398
 
* '''close_nocancel''': 399
 
* '''wait4_nocancel''': 400
 
* '''recvmsg_nocancel''': 401
 
* '''sendmsg_nocancel''': 402
 
* '''recvfrom_nocancel''': 403
 
* '''accept_nocancel''': 404
 
* '''msync_nocancel''': 405
 
* '''fnctl_nocancel''': 406
 
* '''select_nocancel''': 407
 
* '''fsync_nocancel''': 408
 
* '''connect_nocancel''': 409
 
* '''sigsuspend_nocancel''': 410
 
* '''readv_nocancel''': 411
 
* '''writev_nocancel''': 412
 
* '''sendto_nocancel''': 413
 
* '''pread_nocancel''': 414
 
* '''pwrite_nocancel''': 415
 
* '''waitid_nocancel''': 416
 
* '''poll_nocancel''': 417
 
* '''sem_wait_nocancel''': 420
 
* '''aio_suspend_nocancel''': 421
 
* '''__sigwait_nocancel''': 422
 
* '''__semwait_signal_nocancel''': 423
 
---------------------------------------------------------------------
 
* '''__mac_mount''': 424
 
* '''__mac_get_mount''': 425
 
* '''__mac_getfsstat''': 426
 
* '''fsgetpath_1''': 427
 
* '''_audit_session_self''': 428
 
* '''audit_session_join''': 429
 
* '''fileport_makeport''': 430
 
* '''fileport_makefd''': 431
 
* '''audit_session_port''': 432
 
* '''pid_suspend''': 433
 
* '''pid_resume''': 434
 
* '''pid_hibernate''': 435
 
* '''pid_shutdown_sockets''': 436
 
* '''(unused)''': 437
 
* '''shared_region_map_and_slide_np''': 438 (used in ASLR)
 
   
  +
=== List of system calls from iOS 5.1 ===
  +
  +
<pre>
  +
  +
$ ./fsysent ~/Documents/projects/iOS.5.1.iPod4.kernel
  +
This is an ARM binary. Applying iOS kernel signatures
  +
Sysent offset in file (for patching purposes): 2931636 (0x2cbbb4)
  +
This appears to be XNU 1878.11.8
  +
syscall 801b3aa4 T
  +
exit 8019e924 T
  +
fork 801a15cc T
  +
read 801b3ac0 T
  +
write 801b3ea0 T
  +
open 800a1e64 T
  +
close 80197570 T
  +
wait4 8019f464 T
  +
8 old creat 801b3aa4 T
  +
link 800a23a4 T
  +
unlink 800a2aa8 T
  +
11 old execv 801b3aa4 T
  +
chdir 800a175c T
  +
fchdir 800a15f4 T
  +
mknod 800a1f64 T
  +
chmod 800a3598 T
  +
chown 800a3714 T
  +
17 old break 801b3aa4 T
  +
getfsstat 800a1390 T
  +
19 old lseek 801b3aa4 T
  +
getpid 801a5838 T
  +
21 old mount 801b3aa4 T
  +
22 old umount 801b3aa4 T
  +
setuid 801a5aec T
  +
getuid 801a58bc T
  +
geteuid 801a58cc T
  +
ptrace 801b0a9c T
  +
recvmsg 801cfde4 T
  +
sendmsg 801cf958 T
  +
recvfrom 801cfa40 T
  +
accept 801cf32c T
  +
getpeername 801d00a8 T
  +
getsockname 801cfff8 T
  +
access 800a2f14 T
  +
chflags 800a336c T
  +
fchflags 800a343c T
  +
sync 800a0e5c T
  +
kill 801a91b0 T
  +
38 old stat 801b3aa4 T
  +
getppid 801a5840 T
  +
40 old lstat 801b3aa4 T
  +
dup 80195890 T
  +
pipe 801b6a00 T
  +
getegid 801a5944 T
  +
profil 801b3400 T
  +
45 old ktrace 801b3aa4 T
  +
sigaction 801a8348 T
  +
getgid 801a5934 T
  +
sigprocmask 801a8868 T
  +
getlogin 801a66cc T
  +
setlogin 801a6728 T
  +
acct 801908f0 T
  +
sigpending 801a8a0c T
  +
sigaltstack 801a90f4 T
  +
ioctl 801b426c T
  +
reboot 801b0a2c T
  +
revoke 800a4d8c T
  +
symlink 800a2620 T
  +
readlink 800a328c T
  +
execve 8019e49c T
  +
umask 800a4d64 T
  +
chroot 800a1824 T
  +
62 old fstat 801b3aa4 T
  +
63 used internally , reserved 801b3aa4 T
  +
64 old getpagesize 801b3aa4 T
  +
msync 801a20c0 T
  +
vfork 801a0cfc T
  +
67 old vread 801b3aa4 T
  +
68 old vwrite 801b3aa4 T
  +
69 old sbrk 801b3aa4 T
  +
70 old sstk 801b3aa4 T
  +
71 old mmap 801b3aa4 T
  +
72 old vadvise 801b3aa4 T
  +
munmap 801a216c T
  +
mprotect 801a21a4 T
  +
madvise 801a2264 T
  +
76 old vhangup 801b3aa4 T
  +
77 old vlimit 801b3aa4 T
  +
mincore 801a22d0 T
  +
getgroups 801a5954 T
  +
setgroups 801a6610 T
  +
getpgrp 801a5848 T
  +
setpgid 801a59f4 T
  +
setitimer 801b0518 T
  +
84 old wait 801b3aa4 T
  +
swapon 801e0548 T
  +
getitimer 801b03c8 T
  +
87 old gethostname 801b3aa4 T
  +
88 old sethostname 801b3aa4 T
  +
getdtablesize 80195480 T
  +
dup2 80195bc4 T
  +
91 old getdopt 801b3aa4 T
  +
fcntl 80195fc4 T
  +
select 801b44fc T
  +
94 old setdopt 801b3aa4 T
  +
fsync 800a3c60 T
  +
setpriority 801a6a24 T
  +
socket 801cedc8 T
  +
connect 801cf34c T
  +
99 old accept 801b3aa4 T
  +
getpriority 801a6918 T
  +
101 old send 801b3aa4 T
  +
102 old recv 801b3aa4 T
  +
103 old sigreturn 801b3aa4 T
  +
bind 801cee98 T
  +
setsockopt 801cff10 T
  +
listen 801cf00c T
  +
107 old vtimes 801b3aa4 T
  +
108 old sigvec 801b3aa4 T
  +
109 old sigblock 801b3aa4 T
  +
110 old sigsetmask 801b3aa4 T
  +
sigsuspend 801a8a34 T
  +
112 old sigstack 801b3aa4 T
  +
113 old recvmsg 801b3aa4 T
  +
114 old sendmsg 801b3aa4 T
  +
115 old vtrace 801b3aa4 T
  +
gettimeofday 801b01d8 T
  +
getrusage 801a7798 T
  +
getsockopt 801cff74 T
  +
119 old resuba 801b3aa4 T
  +
readv 801b3d4c T
  +
writev 801b40f4 T
  +
settimeofday 801b0238 T
  +
fchown 800a3830 T
  +
fchmod 800a36dc T
  +
125 old recvfrom 801b3aa4 T
  +
setreuid 801a5e40 T
  +
setregid 801a61d8 T
  +
rename 800a3e34 T
  +
129 old truncate 801b3aa4 T
  +
130 old ftruncate 801b3aa4 T
  +
flock 801989e4 T
  +
mkfifo 800a2254 T
  +
sendto 801cf67c T
  +
shutdown 801cfee0 T
  +
socketpair 801cf534 T
  +
mkdir 800a46b4 T
  +
rmdir 800a46fc T
  +
utimes 800a38f0 T
  +
futimes 800a3a70 T
  +
adjtime 801b0338 T
  +
141 old getpeername 801b3aa4 T
  +
gethostuuid 801b5c44 T
  +
143 old sethostid 801b3aa4 T
  +
144 old getrlimit 801b3aa4 T
  +
145 old setrlimit 801b3aa4 T
  +
146 old killpg 801b3aa4 T
  +
setsid 801a59b0 T
  +
148 old setquota 801b3aa4 T
  +
149 old qquota 801b3aa4 T
  +
150 old getsockname 801b3aa4 T
  +
getpgid 801a5850 T
  +
setprivexec 801a5820 T
  +
pread 801b3ca4 T
  +
pwrite 801b4008 T
  +
nfssvc 801b3aa4 T
  +
156 old getdirentries 801b3aa4 T
  +
statfs 800a0eec T
  +
fstatfs 800a117c T
  +
unmount 800a09f0 T
  +
160 old async_daemon 801b3aa4 T
  +
getfh 801b3aa4 T
  +
162 old getdomainname 801b3aa4 T
  +
163 old setdomainname 801b3aa4 T
  +
164 801b3aa4 T
  +
quotactl 800a0ee8 T
  +
166 old exportfs 801b3aa4 T
  +
mount 8009fd10 T
  +
168 old ustat 801b3aa4 T
  +
csops 801a47bc T
  +
170 old table 801b3aa4 T
  +
171 old wait3 801b3aa4 T
  +
172 old rpause 801b3aa4 T
  +
waitid 8019f860 T
  +
174 old getdents 801b3aa4 T
  +
175 old gc_control 801b3aa4 T
  +
add_profil 801b3404 T
  +
177 801b3aa4 T
  +
178 801b3aa4 T
  +
179 801b3aa4 T
  +
kdebug_trace 8018e964 T
  +
setgid 801a5fe0 T
  +
setegid 801a60ec T
  +
seteuid 801a5d48 T
  +
sigreturn 801e2cb0 T
  +
chud 801e1acc T
  +
186 801b3aa4 T
  +
fdatasync 800a3cd8 T
  +
stat 800a2fec T
  +
fstat 801977f8 T
  +
lstat 800a3134 T
  +
pathconf 800a3228 T
  +
fpathconf 80197858 T
  +
193 801b3aa4 T
  +
getrlimit 801a75d4 T
  +
setrlimit 801a6eb8 T
  +
getdirentries 800a4928 T
  +
mmap 801a1b84 T
  +
198 __syscall 801b3aa4 T
  +
lseek 800a2b20 T
  +
truncate 800a3ac4 T
  +
ftruncate 800a3b90 T
  +
__sysctl 801ab798 T
  +
mlock 801a2418 T
  +
munlock 801a246c T
  +
undelete 800a27c8 T
  +
ATsocket 801b3aa4 T
  +
ATgetmsg 801b3aa4 T
  +
ATputmsg 801b3aa4 T
  +
ATPsndreq 801b3aa4 T
  +
ATPsndrsp 801b3aa4 T
  +
ATPgetreq 801b3aa4 T
  +
ATPgetrsp 801b3aa4 T
  +
213 Reserved for AppleTalk 801b3aa4 T
  +
214 801b3aa4 T
  +
215 801b3aa4 T
  +
mkcomplex 800a1d9c T
  +
statv 801b3aa4 T
  +
lstatv 801b3aa4 T
  +
fstatv 801b3aa4 T
  +
getattrlist 8008d1c4 T
  +
setattrlist 8008d23c T
  +
getdirentriesattr 800a4e80 T
  +
exchangedata 800a5018 T
  +
224 old checkuseraccess / fsgetpath ( which moved to 427 ) 801b3aa4 T
  +
searchfs 800a5258 T
  +
delete 800a2ae4 T
  +
copyfile 800a3cf4 T
  +
fgetattrlist 8008a6c8 T
  +
fsetattrlist 8008d904 T
  +
poll 801b4d04 T
  +
watchevent 801b5604 T
  +
waitevent 801b579c T
  +
modwatch 801b5914 T
  +
getxattr 800a6048 T
  +
fgetxattr 800a6160 T
  +
setxattr 800a6240 T
  +
fsetxattr 800a6328 T
  +
removexattr 800a6408 T
  +
fremovexattr 800a64b0 T
  +
listxattr 800a654c T
  +
flistxattr 800a6610 T
  +
fsctl 800a5964 T
  +
initgroups 801a64d0 T
  +
posix_spawn 8019d658 T
  +
ffsctl 800a5f78 T
  +
246 801b3aa4 T
  +
nfsclnt 801b3aa4 T
  +
fhopen 801b3aa4 T
  +
249 801b3aa4 T
  +
minherit 801a222c T
  +
semsys 801b3aa4 T
  +
msgsys 801b3aa4 T
  +
shmsys 801b3aa4 T
  +
semctl 801b3aa4 T
  +
semget 801b3aa4 T
  +
semop 801b3aa4 T
  +
257 801b3aa4 T
  +
msgctl 801b3aa4 T
  +
msgget 801b3aa4 T
  +
msgsnd 801b3aa4 T
  +
msgrcv 801b3aa4 T
  +
shmat 801b3aa4 T
  +
shmctl 801b3aa4 T
  +
shmdt 801b3aa4 T
  +
shmget 801b3aa4 T
  +
shm_open 801d3b34 T
  +
shm_unlink 801d45d0 T
  +
sem_open 801d3110 T
  +
sem_close 801d379c T
  +
sem_unlink 801d35cc T
  +
sem_wait 801d37f8 T
  +
sem_trywait 801d38bc T
  +
sem_post 801d395c T
  +
sem_getvalue 801d39fc T
  +
sem_init 801d39f4 T
  +
sem_destroy 801d39f8 T
  +
open_extended 800a1cb8 T
  +
umask_extended 800a4d14 T
  +
stat_extended 800a2f98 T
  +
lstat_extended 800a30e0 T
  +
fstat_extended 801975e4 T
  +
chmod_extended 800a347c T
  +
fchmod_extended 800a35d4 T
  +
access_extended 800a2c54 T
  +
settid 801a6358 T
  +
gettid 801a58dc T
  +
setsgroups 801a6620 T
  +
getsgroups 801a59a8 T
  +
setwgroups 801a6624 T
  +
getwgroups 801a59ac T
  +
mkfifo_extended 800a21a8 T
  +
mkdir_extended 800a44ac T
  +
identitysvc 801b3aa4 T
  +
shared_region_check_np 801e0a68 T
  +
shared_region_map_np 801b3aa4 T
  +
vm_pressure_monitor 801e1150 T
  +
psynch_rw_longrdlock 801da274 T
  +
psynch_rw_yieldwrlock 801da79c T
  +
psynch_rw_downgrade 801daa38 T
  +
psynch_rw_upgrade 801daa34 T
  +
psynch_mutexwait 801d77d0 T
  +
psynch_mutexdrop 801d85f8 T
  +
psynch_cvbroad 801d864c T
  +
psynch_cvsignal 801d8bb4 T
  +
psynch_cvwait 801d9020 T
  +
psynch_rw_rdlock 801d96ec T
  +
psynch_rw_wrlock 801da508 T
  +
psynch_rw_unlock 801daa3c T
  +
psynch_rw_unlock2 801dad10 T
  +
getsid 801a5880 T
  +
settid_with_pid 801a63f8 T
  +
312 old __pthread_cond_timedwait 801d95e8 T
  +
aio_fsync 80191278 T
  +
aio_return 8019143c T
  +
aio_suspend 801916a0 T
  +
aio_cancel 80190e24 T
  +
aio_error 801911d4 T
  +
aio_read 8019141c T
  +
aio_write 801918a4 T
  +
lio_listio 801918c4 T
  +
321 old __pthread_cond_wait 801b3aa4 T
  +
iopolicysys 801a795c T
  +
323 801df090 T
  +
mlockall 801a24ac T
  +
munlockall 801a24b0 T
  +
326 801b3aa4 T
  +
issetugid 801a5adc T
  +
__pthread_kill 801a8e34 T
  +
__pthread_sigmask 801a8e94 T
  +
__sigwait 801a8f38 T
  +
__disable_threadsignal 801a8b48 T
  +
__pthread_markcancel 801a8b64 T
  +
__pthread_canceled 801a8bac T
  +
__semwait_signal 801a8d30 T
  +
335 old utrace 801b3aa4 T
  +
proc_info 801dd524 T
  +
sendfile 801b3aa4 T
  +
stat64 800a3038 T
  +
fstat64 80197838 T
  +
lstat64 800a3180 T
  +
stat64_extended 800a3088 T
  +
lstat64_extended 800a31d0 T
  +
fstat64_extended 80197818 T
  +
getdirentries64 800a4cd0 T
  +
statfs64 800a11e4 T
  +
fstatfs64 800a132c T
  +
getfsstat64 800a1540 T
  +
__pthread_chdir 800a181c T
  +
__pthread_fchdir 800a1754 T
  +
; -----------------------
  +
; The following are unused in iOS - symbols are stubs returning 0x4E (ENOSYS)
  +
audit 8018d990 T
  +
auditon 8018d994 T
  +
352 801b3aa4 T
  +
getauid 8018d998 T
  +
setauid 8018d99c T
  +
getaudit 8018d9a0 T
  +
setaudit 8018d9a4 T
  +
getaudit_addr 8018d9a8 T
  +
setaudit_addr 8018d9ac T
  +
auditctl 8018d9b0 T
  +
; ---------------------
  +
bsdthread_create 801db740 T
  +
bsdthread_terminate 801db9b4 T
  +
kqueue 801998c4 T
  +
kevent 80199948 T
  +
lchown 800a3818 T
  +
stack_snapshot 8019066c T
  +
bsdthread_register 801dba18 T
  +
workq_open 801dc70c T
  +
workq_kernreturn 801dccac T
  +
kevent64 80199bd4 T
  +
__old_semwait_signal 801a8c1c T
  +
__old_semwait_signal_nocancel 801a8c54 T
  +
thread_selfid 801dd27c T
  +
373 801b5c98 T
  +
374 801b3aa4 T
  +
375 801b3aa4 T
  +
376 801b3aa4 T
  +
377 801b3aa4 T
  +
378 801b3aa4 T
  +
379 801b3aa4 T
  +
__mac_execve 8019e4bc T
  +
__mac_syscall 80244734 T
  +
__mac_get_file 802443d4 T
  +
__mac_set_file 80244628 T
  +
__mac_get_link 80244504 T
  +
__mac_set_link 80244724 T
  +
__mac_get_proc 80243eb0 T
  +
__mac_set_proc 80243f74 T
  +
__mac_get_fd 80244280 T
  +
__mac_set_fd 80244514 T
  +
__mac_get_pid 80243ddc T
  +
__mac_get_lcid 80244030 T
  +
__mac_get_lctx 802440fc T
  +
__mac_set_lctx 802441c0 T
  +
setlcid 801a67cc T
  +
getlcid 801a68ac T
  +
read_nocancel 801b3ae0 T
  +
write_nocancel 801b3ec0 T
  +
open_nocancel 800a1ee8 T
  +
close_nocancel 8019758c T
  +
wait4_nocancel 8019f484 T
  +
recvmsg_nocancel 801cfe04 T
  +
sendmsg_nocancel 801cf978 T
  +
recvfrom_nocancel 801cfa60 T
  +
accept_nocancel 801cf04c T
  +
msync_nocancel 801a20d8 T
  +
fcntl_nocancel 80195fe4 T
  +
select_nocancel 801b4518 T
  +
fsync_nocancel 800a3cd0 T
  +
connect_nocancel 801cf364 T
  +
sigsuspend_nocancel 801a8ae4 T
  +
readv_nocancel 801b3d6c T
  +
writev_nocancel 801b4114 T
  +
sendto_nocancel 801cf69c T
  +
pread_nocancel 801b3cc4 T
  +
pwrite_nocancel 801b4028 T
  +
waitid_nocancel 8019f87c T
  +
poll_nocancel 801b4d24 T
  +
msgsnd_nocancel 801b3aa4 T
  +
msgrcv_nocancel 801b3aa4 T
  +
sem_wait_nocancel 801d3814 T
  +
aio_suspend_nocancel 801916c0 T
  +
__sigwait_nocancel 801a8f70 T
  +
__semwait_signal_nocancel 801a8d68 T
  +
__mac_mount 8009fd34 T
  +
__mac_get_mount 80244900 T
  +
__mac_getfsstat 800a13b4 T
  +
fsgetpath 800a66d4 T
  +
audit_session_self 8018d984 T
  +
audit_session_join 8018d988 T
  +
fileport_makeport 80198ad4 T
  +
fileport_makefd 80198c58 T
  +
audit_session_port 8018d98c T
  +
pid_suspend 801e084c T
  +
pid_resume 801e08bc T
  +
pid_hibernate 801e0928 T
  +
pid_shutdown_sockets 801e0984 T
  +
437 old shared_region_slide_np 801b3aa4 T
  +
shared_region_map_and_slide_np 801e1008 T
  +
  +
</pre>
   
 
== CPU ==
 
== CPU ==

Revision as of 13:33, 20 March 2012

Note on these

Args go in their normal registers, like arg1 in R0, as usual. The syscall # goes in IP (the intra-procedure-call scratch register, not the instruction pointer!), a.k.a. R12.

As on all ARM platforms (i.e. also on Android), kernel entry is accomplished by the SVC instruction (SWI in some debuggers and ARM dialects). On the kernel end, a low-level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non-negative) and Mach traps (negative).


Unix

Usage

MOV IP, #x // syscall number (from the sysent list on this page) goes in IP, the intra-procedure-call scratch register, a.k.a. r12
SVC 0x80   // supervisor call: traps into the kernel's exception handler (fleh_swi); older ARM dialects spell this SWI (software interrupt)

For example:


(gdb) disass chown
0x30d2ad54 <chown>:	mov	r12, #16	       ; 0x10, being # of chown
0x30d2ad58 <chown+4>:	svc	0x00000080

Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)

sysent

 The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (it could be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries itself, i.e. as defined in bsd/sys/sysent.h:

/*
 * struct sysent -- one entry of the XNU system call table ("sysent"), as
 * declared in bsd/sys/sysent.h. The table is indexed by syscall number;
 * the fixed per-entry layout below (argument count, handler pointer,
 * argument mungers, return type, argument byte count) is the pattern that
 * the signature scan described above matches on to locate the table in a
 * kernel image.
 * NOTE(review): field widths and order are as given on this page for the
 * XNU release discussed here -- confirm against the header for other
 * versions before relying on the offsets.
 */
struct sysent {         /* system call table */
        int16_t         sy_narg;        /* number of args (fixed per syscall; part of the scan signature) */
        int8_t          sy_resv;        /* reserved  */
        int8_t          sy_flags;       /* flags */
        sy_call_t       *sy_call;       /* implementing function -- the pointer syscall hooking modifies,
                                         * hence the field a table-integrity check must validate */
        sy_munge_t      *sy_arg_munge32; /* system call arguments munger for 32-bit process */
        sy_munge_t      *sy_arg_munge64; /* system call arguments munger for 64-bit process */
        int32_t         sy_return_type; /* system call return types */
        uint16_t        sy_arg_bytes;   /* Total size of arguments in bytes for
                                         * 32-bit system calls
                                         */
};

Because system call arguments are set in stone, it is straightforward to write code that finds the signature of the first few syscalls (syscall, exit, fork, ...) and, from there, calculates the other sysent entries. A program that does so reliably on iOS has, in fact, been written, and produces the following output for iOS 5.1:

List of system calls from iOS 5.1


$ ./fsysent ~/Documents/projects/iOS.5.1.iPod4.kernel 
This is an ARM binary. Applying iOS kernel signatures
Sysent offset in file (for patching purposes):  2931636 (0x2cbbb4)
This appears to be XNU 1878.11.8
syscall              801b3aa4 T
exit                 8019e924 T
fork                 801a15cc T
read                 801b3ac0 T
write                801b3ea0 T
open                 800a1e64 T
close                80197570 T
wait4                8019f464 T
8  old creat         801b3aa4 T
link                 800a23a4 T
unlink               800a2aa8 T
11  old execv        801b3aa4 T
chdir                800a175c T
fchdir               800a15f4 T
mknod                800a1f64 T
chmod                800a3598 T
chown                800a3714 T
17  old break        801b3aa4 T
getfsstat            800a1390 T
19  old lseek        801b3aa4 T
getpid               801a5838 T
21  old mount        801b3aa4 T
22  old umount       801b3aa4 T
setuid               801a5aec T
getuid               801a58bc T
geteuid              801a58cc T
ptrace               801b0a9c T
recvmsg              801cfde4 T
sendmsg              801cf958 T
recvfrom             801cfa40 T
accept               801cf32c T
getpeername          801d00a8 T
getsockname          801cfff8 T
access               800a2f14 T
chflags              800a336c T
fchflags             800a343c T
sync                 800a0e5c T
kill                 801a91b0 T
38  old stat         801b3aa4 T
getppid              801a5840 T
40  old lstat        801b3aa4 T
dup                  80195890 T
pipe                 801b6a00 T
getegid              801a5944 T
profil               801b3400 T
45  old ktrace       801b3aa4 T
sigaction            801a8348 T
getgid               801a5934 T
sigprocmask          801a8868 T
getlogin             801a66cc T
setlogin             801a6728 T
acct                 801908f0 T
sigpending           801a8a0c T
sigaltstack          801a90f4 T
ioctl                801b426c T
reboot               801b0a2c T
revoke               800a4d8c T
symlink              800a2620 T
readlink             800a328c T
execve               8019e49c T
umask                800a4d64 T
chroot               800a1824 T
62  old fstat        801b3aa4 T
63  used internally , reserved 801b3aa4 T
64  old getpagesize  801b3aa4 T
msync                801a20c0 T
vfork                801a0cfc T
67  old vread        801b3aa4 T
68  old vwrite       801b3aa4 T
69  old sbrk         801b3aa4 T
70  old sstk         801b3aa4 T
71  old mmap         801b3aa4 T
72  old vadvise      801b3aa4 T
munmap               801a216c T
mprotect             801a21a4 T
madvise              801a2264 T
76  old vhangup      801b3aa4 T
77  old vlimit       801b3aa4 T
mincore              801a22d0 T
getgroups            801a5954 T
setgroups            801a6610 T
getpgrp              801a5848 T
setpgid              801a59f4 T
setitimer            801b0518 T
84  old wait         801b3aa4 T
swapon               801e0548 T
getitimer            801b03c8 T
87  old gethostname  801b3aa4 T
88  old sethostname  801b3aa4 T
getdtablesize        80195480 T
dup2                 80195bc4 T
91  old getdopt      801b3aa4 T
fcntl                80195fc4 T
select               801b44fc T
94  old setdopt      801b3aa4 T
fsync                800a3c60 T
setpriority          801a6a24 T
socket               801cedc8 T
connect              801cf34c T
99  old accept       801b3aa4 T
getpriority          801a6918 T
101  old send        801b3aa4 T
102  old recv        801b3aa4 T
103  old sigreturn   801b3aa4 T
bind                 801cee98 T
setsockopt           801cff10 T
listen               801cf00c T
107  old vtimes      801b3aa4 T
108  old sigvec      801b3aa4 T
109  old sigblock    801b3aa4 T
110  old sigsetmask  801b3aa4 T
sigsuspend           801a8a34 T
112  old sigstack    801b3aa4 T
113  old recvmsg     801b3aa4 T
114  old sendmsg     801b3aa4 T
115  old vtrace      801b3aa4 T
gettimeofday         801b01d8 T
getrusage            801a7798 T
getsockopt           801cff74 T
119  old resuba      801b3aa4 T
readv                801b3d4c T
writev               801b40f4 T
settimeofday         801b0238 T
fchown               800a3830 T
fchmod               800a36dc T
125  old recvfrom    801b3aa4 T
setreuid             801a5e40 T
setregid             801a61d8 T
rename               800a3e34 T
129  old truncate    801b3aa4 T
130  old ftruncate   801b3aa4 T
flock                801989e4 T
mkfifo               800a2254 T
sendto               801cf67c T
shutdown             801cfee0 T
socketpair           801cf534 T
mkdir                800a46b4 T
rmdir                800a46fc T
utimes               800a38f0 T
futimes              800a3a70 T
adjtime              801b0338 T
141  old getpeername 801b3aa4 T
gethostuuid          801b5c44 T
143  old sethostid   801b3aa4 T
144  old getrlimit   801b3aa4 T
145  old setrlimit   801b3aa4 T
146  old killpg      801b3aa4 T
setsid               801a59b0 T
148  old setquota    801b3aa4 T
149  old qquota      801b3aa4 T
150  old getsockname 801b3aa4 T
getpgid              801a5850 T
setprivexec          801a5820 T
pread                801b3ca4 T
pwrite               801b4008 T
nfssvc               801b3aa4 T
156  old getdirentries 801b3aa4 T
statfs               800a0eec T
fstatfs              800a117c T
unmount              800a09f0 T
160  old async_daemon 801b3aa4 T
getfh                801b3aa4 T
162  old getdomainname 801b3aa4 T
163  old setdomainname 801b3aa4 T
164                  801b3aa4 T
quotactl             800a0ee8 T
166  old exportfs    801b3aa4 T
mount                8009fd10 T
168  old ustat       801b3aa4 T
csops                801a47bc T
170  old table       801b3aa4 T
171  old wait3       801b3aa4 T
172  old rpause      801b3aa4 T
waitid               8019f860 T
174  old getdents    801b3aa4 T
175  old gc_control  801b3aa4 T
add_profil           801b3404 T
177                  801b3aa4 T
178                  801b3aa4 T
179                  801b3aa4 T
kdebug_trace         8018e964 T
setgid               801a5fe0 T
setegid              801a60ec T
seteuid              801a5d48 T
sigreturn            801e2cb0 T
chud                 801e1acc T
186                  801b3aa4 T
fdatasync            800a3cd8 T
stat                 800a2fec T
fstat                801977f8 T
lstat                800a3134 T
pathconf             800a3228 T
fpathconf            80197858 T
193                  801b3aa4 T
getrlimit            801a75d4 T
setrlimit            801a6eb8 T
getdirentries        800a4928 T
mmap                 801a1b84 T
198  __syscall       801b3aa4 T
lseek                800a2b20 T
truncate             800a3ac4 T
ftruncate            800a3b90 T
__sysctl             801ab798 T
mlock                801a2418 T
munlock              801a246c T
undelete             800a27c8 T
ATsocket             801b3aa4 T
ATgetmsg             801b3aa4 T
ATputmsg             801b3aa4 T
ATPsndreq            801b3aa4 T
ATPsndrsp            801b3aa4 T
ATPgetreq            801b3aa4 T
ATPgetrsp            801b3aa4 T
213  Reserved for AppleTalk 801b3aa4 T
214                  801b3aa4 T
215                  801b3aa4 T
mkcomplex            800a1d9c T
statv                801b3aa4 T
lstatv               801b3aa4 T
fstatv               801b3aa4 T
getattrlist          8008d1c4 T
setattrlist          8008d23c T
getdirentriesattr    800a4e80 T
exchangedata         800a5018 T
224  old checkuseraccess / fsgetpath ( which moved to 427 ) 801b3aa4 T
searchfs             800a5258 T
delete               800a2ae4 T
copyfile             800a3cf4 T
fgetattrlist         8008a6c8 T
fsetattrlist         8008d904 T
poll                 801b4d04 T
watchevent           801b5604 T
waitevent            801b579c T
modwatch             801b5914 T
getxattr             800a6048 T
fgetxattr            800a6160 T
setxattr             800a6240 T
fsetxattr            800a6328 T
removexattr          800a6408 T
fremovexattr         800a64b0 T
listxattr            800a654c T
flistxattr           800a6610 T
fsctl                800a5964 T
initgroups           801a64d0 T
posix_spawn          8019d658 T
ffsctl               800a5f78 T
246                  801b3aa4 T
nfsclnt              801b3aa4 T
fhopen               801b3aa4 T
249                  801b3aa4 T
minherit             801a222c T
semsys               801b3aa4 T
msgsys               801b3aa4 T
shmsys               801b3aa4 T
semctl               801b3aa4 T
semget               801b3aa4 T
semop                801b3aa4 T
257                  801b3aa4 T
msgctl               801b3aa4 T
msgget               801b3aa4 T
msgsnd               801b3aa4 T
msgrcv               801b3aa4 T
shmat                801b3aa4 T
shmctl               801b3aa4 T
shmdt                801b3aa4 T
shmget               801b3aa4 T
shm_open             801d3b34 T
shm_unlink           801d45d0 T
sem_open             801d3110 T
sem_close            801d379c T
sem_unlink           801d35cc T
sem_wait             801d37f8 T
sem_trywait          801d38bc T
sem_post             801d395c T
sem_getvalue         801d39fc T
sem_init             801d39f4 T
sem_destroy          801d39f8 T
open_extended        800a1cb8 T
umask_extended       800a4d14 T
stat_extended        800a2f98 T
lstat_extended       800a30e0 T
fstat_extended       801975e4 T
chmod_extended       800a347c T
fchmod_extended      800a35d4 T
access_extended      800a2c54 T
settid               801a6358 T
gettid               801a58dc T
setsgroups           801a6620 T
getsgroups           801a59a8 T
setwgroups           801a6624 T
getwgroups           801a59ac T
mkfifo_extended      800a21a8 T
mkdir_extended       800a44ac T
identitysvc          801b3aa4 T
shared_region_check_np 801e0a68 T
shared_region_map_np 801b3aa4 T
vm_pressure_monitor  801e1150 T
psynch_rw_longrdlock 801da274 T
psynch_rw_yieldwrlock 801da79c T
psynch_rw_downgrade  801daa38 T
psynch_rw_upgrade    801daa34 T
psynch_mutexwait     801d77d0 T
psynch_mutexdrop     801d85f8 T
psynch_cvbroad       801d864c T
psynch_cvsignal      801d8bb4 T
psynch_cvwait        801d9020 T
psynch_rw_rdlock     801d96ec T
psynch_rw_wrlock     801da508 T
psynch_rw_unlock     801daa3c T
psynch_rw_unlock2    801dad10 T
getsid               801a5880 T
settid_with_pid      801a63f8 T
312  old __pthread_cond_timedwait 801d95e8 T
aio_fsync            80191278 T
aio_return           8019143c T
aio_suspend          801916a0 T
aio_cancel           80190e24 T
aio_error            801911d4 T
aio_read             8019141c T
aio_write            801918a4 T
lio_listio           801918c4 T
321  old __pthread_cond_wait 801b3aa4 T
iopolicysys          801a795c T
323                  801df090 T
mlockall             801a24ac T
munlockall           801a24b0 T
326                  801b3aa4 T
issetugid            801a5adc T
__pthread_kill       801a8e34 T
__pthread_sigmask    801a8e94 T
__sigwait            801a8f38 T
__disable_threadsignal 801a8b48 T
__pthread_markcancel 801a8b64 T
__pthread_canceled   801a8bac T
__semwait_signal     801a8d30 T
335  old utrace      801b3aa4 T
proc_info            801dd524 T
sendfile             801b3aa4 T
stat64               800a3038 T
fstat64              80197838 T
lstat64              800a3180 T
stat64_extended      800a3088 T
lstat64_extended     800a31d0 T
fstat64_extended     80197818 T
getdirentries64      800a4cd0 T
statfs64             800a11e4 T
fstatfs64            800a132c T
getfsstat64          800a1540 T
__pthread_chdir      800a181c T
__pthread_fchdir     800a1754 T
; -----------------------
; The following are unused in iOS - symbols are stubs returning 0x4E (ENOSYS)
audit                8018d990 T
auditon              8018d994 T
352                  801b3aa4 T
getauid              8018d998 T
setauid              8018d99c T
getaudit             8018d9a0 T
setaudit             8018d9a4 T
getaudit_addr        8018d9a8 T
setaudit_addr        8018d9ac T
auditctl             8018d9b0 T
; ---------------------
bsdthread_create     801db740 T
bsdthread_terminate  801db9b4 T
kqueue               801998c4 T
kevent               80199948 T
lchown               800a3818 T
stack_snapshot       8019066c T
bsdthread_register   801dba18 T
workq_open           801dc70c T
workq_kernreturn     801dccac T
kevent64             80199bd4 T
__old_semwait_signal 801a8c1c T
__old_semwait_signal_nocancel 801a8c54 T
thread_selfid        801dd27c T
373                  801b5c98 T
374                  801b3aa4 T
375                  801b3aa4 T
376                  801b3aa4 T
377                  801b3aa4 T
378                  801b3aa4 T
379                  801b3aa4 T
__mac_execve         8019e4bc T
__mac_syscall        80244734 T
__mac_get_file       802443d4 T
__mac_set_file       80244628 T
__mac_get_link       80244504 T
__mac_set_link       80244724 T
__mac_get_proc       80243eb0 T
__mac_set_proc       80243f74 T
__mac_get_fd         80244280 T
__mac_set_fd         80244514 T
__mac_get_pid        80243ddc T
__mac_get_lcid       80244030 T
__mac_get_lctx       802440fc T
__mac_set_lctx       802441c0 T
setlcid              801a67cc T
getlcid              801a68ac T
read_nocancel        801b3ae0 T
write_nocancel       801b3ec0 T
open_nocancel        800a1ee8 T
close_nocancel       8019758c T
wait4_nocancel       8019f484 T
recvmsg_nocancel     801cfe04 T
sendmsg_nocancel     801cf978 T
recvfrom_nocancel    801cfa60 T
accept_nocancel      801cf04c T
msync_nocancel       801a20d8 T
fcntl_nocancel       80195fe4 T
select_nocancel      801b4518 T
fsync_nocancel       800a3cd0 T
connect_nocancel     801cf364 T
sigsuspend_nocancel  801a8ae4 T
readv_nocancel       801b3d6c T
writev_nocancel      801b4114 T
sendto_nocancel      801cf69c T
pread_nocancel       801b3cc4 T
pwrite_nocancel      801b4028 T
waitid_nocancel      8019f87c T
poll_nocancel        801b4d24 T
msgsnd_nocancel      801b3aa4 T
msgrcv_nocancel      801b3aa4 T
sem_wait_nocancel    801d3814 T
aio_suspend_nocancel 801916c0 T
__sigwait_nocancel   801a8f70 T
__semwait_signal_nocancel 801a8d68 T
__mac_mount          8009fd34 T
__mac_get_mount      80244900 T
__mac_getfsstat      800a13b4 T
fsgetpath            800a66d4 T
audit_session_self   8018d984 T
audit_session_join   8018d988 T
fileport_makeport    80198ad4 T
fileport_makefd      80198c58 T
audit_session_port   8018d98c T
pid_suspend          801e084c T
pid_resume           801e08bc T
pid_hibernate        801e0928 T
pid_shutdown_sockets 801e0984 T
437  old shared_region_slide_np 801b3aa4 T
shared_region_map_and_slide_np 801e1008 T

CPU

Note: the following are probably incorrect. These operations are carried out via ARM control registers (MRC/MCR instructions). Who put these in, in the first place?

Usage

// Calling sequence as given on this page for the "CPU" numbers listed below.
// NOTE(review): the note above says these entries are probably incorrect and
// that the operations are really done via MRC/MCR -- treat this as unverified.
MOV R12, #x // x = number from the list below (R12 = IP, as for the Unix calls above)
swi 0x80    // trap into the kernel; swi is the older spelling of SVC
bx lr       // return to the caller

List

  • Clear Instruction Cache: 0
  • Flush Data Cache: 1
  • _pthread_set_self: 2
  • Unknown: 3