Difference between revisions of "Kernel Syscalls"

(OSX ! OS X ! not iOS! Thanks..)
(Mach)
Line 506: Line 506:
   
 
XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach system calls are commonly known as "traps", and are maintained in a Mach Trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" command) checks the system call number - if it is negative, it is interpreted as Mach trap instead.
 
XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach system calls are commonly known as "traps", and are maintained in a Mach Trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" command) checks the system call number - if it is negative, it is interpreted as Mach trap instead.
  +
  +
In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS.
  +
  +
<pre>
  +
__data:802BA684 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA688 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA68C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA690 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA694 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA698 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA69C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA6A0 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA6A4 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA6A8 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA6AC DCD a_kernelrpc_mac ; "_kernelrpc_mach_vm_allocate_trap"
  +
__data:802BA6B0 DCD a_kernelrpc_vm_ ; "_kernelrpc_vm_allocate_trap"
  +
__data:802BA6B4 DCD a_kernelrpc_m_0 ; "_kernelrpc_mach_vm_deallocate_trap"
  +
__data:802BA6B8 DCD a_kernelrpc_v_0 ; "_kernelrpc_vm_deallocate_trap"
  +
__data:802BA6BC DCD a_kernelrpc_m_1 ; "_kernelrpc_mach_vm_protect_trap"
  +
__data:802BA6C0 DCD a_kernelrpc_v_1 ; "_kernelrpc_vm_protect_trap"
  +
__data:802BA6C4 DCD a_kernelrpc_m_2 ; "_kernelrpc_mach_port_allocate_trap"
  +
__data:802BA6C8 DCD a_kernelrpc_m_3 ; "_kernelrpc_mach_port_destroy_trap"
  +
__data:802BA6CC DCD a_kernelrpc_m_4 ; "_kernelrpc_mach_port_deallocate_trap"
  +
__data:802BA6D0 DCD a_kernelrpc_m_5 ; "_kernelrpc_mach_port_mod_refs_trap"
  +
__data:802BA6D4 DCD a_kernelrpc_m_6 ; "_kernelrpc_mach_port_move_member_trap"
  +
__data:802BA6D8 DCD a_kernelrpc_m_7 ; "_kernelrpc_mach_port_insert_right_trap"
  +
__data:802BA6DC DCD a_kernelrpc_m_8 ; "_kernelrpc_mach_port_insert_member_trap"...
  +
__data:802BA6E0 DCD a_kernelrpc_m_9 ; "_kernelrpc_mach_port_extract_member_tra"...
  +
__data:802BA6E4 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA6E8 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA6EC DCD aMach_reply_por ; "mach_reply_port"
  +
__data:802BA6F0 DCD aThread_self_tr ; "thread_self_trap"
  +
__data:802BA6F4 DCD aTask_self_trap ; "task_self_trap"
  +
__data:802BA6F8 DCD aHost_self_trap ; "host_self_trap"
  +
__data:802BA6FC DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA700 DCD aMach_msg_trap ; "mach_msg_trap"
  +
__data:802BA704 DCD aMach_msg_overw ; "mach_msg_overwrite_trap"
  +
__data:802BA708 DCD aSemaphore_sign ; "semaphore_signal_trap"
  +
__data:802BA70C DCD aSemaphore_si_0 ; "semaphore_signal_all_trap"
  +
__data:802BA710 DCD aSemaphore_si_1 ; "semaphore_signal_thread_trap"
  +
__data:802BA714 DCD aSemaphore_wait ; "semaphore_wait_trap"
  +
__data:802BA718 DCD aSemaphore_wa_0 ; "semaphore_wait_signal_trap"
  +
__data:802BA71C DCD aSemaphore_time ; "semaphore_timedwait_trap"
  +
__data:802BA720 DCD aSemaphore_ti_0 ; "semaphore_timedwait_signal_trap"
  +
__data:802BA724 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA728 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA72C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA730 DCD aMap_fd ; "map_fd"
  +
__data:802BA734 DCD aTask_name_for_ ; "task_name_for_pid"
  +
__data:802BA738 DCD aTask_for_pid ; "task_for_pid"
  +
__data:802BA73C DCD aPid_for_task ; "pid_for_task"
  +
__data:802BA740 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA744 DCD aMacx_swapon ; "macx_swapon"
  +
__data:802BA748 DCD aMacx_swapoff ; "macx_swapoff"
  +
__data:802BA74C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA750 DCD aMacx_triggers ; "macx_triggers"
  +
__data:802BA754 DCD aMacx_backing_s ; "macx_backing_store_suspend"
  +
__data:802BA758 DCD aMacx_backing_0 ; "macx_backing_store_recovery"
  +
__data:802BA75C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA760 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA764 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA768 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA76C DCD aPfz_exit ; "pfz_exit"
  +
__data:802BA770 DCD aSwtch_pri ; "swtch_pri"
  +
__data:802BA774 DCD aSwtch ; "swtch"
  +
__data:802BA778 DCD aThread_switch ; "thread_switch"
  +
__data:802BA77C DCD aClock_sleep_tr ; "clock_sleep_trap"
  +
__data:802BA780 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA784 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA788 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA78C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA790 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA794 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA798 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA79C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7A0 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7A4 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7A8 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7AC DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7B0 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7B4 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7B8 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7BC DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7C0 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7C4 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7C8 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7CC DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7D0 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7D4 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7D8 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7DC DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7E0 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7E4 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA7E8 DCD aMach_timebase_ ; "mach_timebase_info_trap"
  +
__data:802BA7EC DCD aMach_wait_unti ; "mach_wait_until_trap"
  +
__data:802BA7F0 DCD aMk_timer_creat ; "mk_timer_create_trap"
  +
__data:802BA7F4 DCD aMk_timer_destr ; "mk_timer_destroy_trap"
  +
__data:802BA7F8 DCD aMk_timer_arm_t ; "mk_timer_arm_trap"
  +
__data:802BA7FC DCD aMk_timer_cance ; "mk_timer_cancel_trap"
  +
__data:802BA800 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA804 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA808 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA80C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA810 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA814 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA818 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA81C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA820 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA824 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA828 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA82C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA830 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA834 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA838 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA83C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA840 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA844 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA848 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA84C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA850 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA854 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA858 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA85C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA860 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA864 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA868 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA86C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA870 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA874 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA878 DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA87C DCD aKern_invalid ; "kern_invalid"
  +
__data:802BA880 DCD aKern_invalid ; "kern_invalid"
  +
</pre>

Revision as of 19:07, 20 March 2012

Note on these

Arguments go in their normal registers (arg1 in R0, arg2 in R1, and so on), as usual. The syscall number goes in IP — the intra-procedure-call scratch register, not an instruction pointer — a.k.a. R12.

As on all ARM systems (Android included), kernel entry is accomplished by the SVC instruction (called SWI in some debuggers and ARM dialects). On the kernel side, a low-level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and upon an SWI/SVC control is transferred to that address. This handler checks the syscall number to distinguish between POSIX calls (non-negative) and Mach traps (negative).


Unix

Usage

// Minimal iOS/ARM syscall stub: the syscall number travels in IP (R12) and
// control enters the kernel at fleh_swi via SVC. A non-negative number selects
// a Unix sysent entry; a negative one selects a Mach trap (see "Mach" below).
// 0x80 is the immediate libSystem itself uses (compare the chown disassembly
// below).
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12
SVC 0x80   // Formerly, SWI (software interrupt)

For example:


(gdb) disass chown
0x30d2ad54 <chown>:	mov	r12, #16	       ; 0x10, being # of chown
0x30d2ad58 <chown+4>:	svc	0x00000080

Most of these are the same as those found in the open-source XNU kernel, ARM idiosyncrasies aside (and with the exception of ledger, which shows up as the unnamed entry 373 in the list below).

sysent

The system call table in XNU is known as "sysent". It is no longer a public symbol, for obvious reasons (e.g. to make syscall hooking harder) — but stripping the symbol is obfuscation, not protection: the table itself is still there, and it is fairly straightforward to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (either be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries themselves, i.e. as defined in bsd/sys/sysent.h:


/*
 * One entry of the XNU system call table ("sysent"), reproduced from
 * bsd/sys/sysent.h. The table is indexed by the syscall number the caller
 * places in R12 (see Usage above). Because the argument counts of the first
 * entries (syscall, exit, fork, ...) never change, their fixed sy_narg /
 * sy_arg_bytes values are presumably what the table-finding heuristic
 * described above keys on.
 */
struct sysent {         /* system call table */
        int16_t         sy_narg;        /* number of args */
        int8_t          sy_resv;        /* reserved  */
        int8_t          sy_flags;       /* flags */
        sy_call_t       *sy_call;       /* implementing function; the pointer a
                                         * syscall hook would typically overwrite,
                                         * and the reason sysent is no longer
                                         * exported */
        sy_munge_t      *sy_arg_munge32; /* system call arguments munger for 32-bit process */
        sy_munge_t      *sy_arg_munge64; /* system call arguments munger for 64-bit process */
        int32_t         sy_return_type; /* system call return types */
        uint16_t        sy_arg_bytes;   /* Total size of arguments in bytes for
                                         * 32-bit system calls
                                         */
};

Because the argument counts and signatures of system calls are fixed, it is straightforward to write code that matches the signatures of the first few syscalls (syscall, exit, fork, ...) and, from there, calculates the remaining sysent entries. A program that does so reliably on iOS has, in fact, been written; it produces the following output for iOS 5.1:

List of system calls from iOS 5.1

Note: the presence of a syscall in the table does not in any way imply that it is functional — the many entries below that share the address 801b3aa4 (including the "old" and reserved slots) evidently all point at the same unimplemented-syscall handler. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion) and 434+ (CONFIG_EMBEDDED).


$ ./fsysent ~/Documents/projects/iOS.5.1.iPod4.kernel 
This is an ARM binary. Applying iOS kernel signatures
Sysent offset in file (for patching purposes):  2931636 (0x2cbbb4)
This appears to be XNU 1878.11.8
syscall              801b3aa4 T
exit                 8019e924 T
fork                 801a15cc T
read                 801b3ac0 T
write                801b3ea0 T
open                 800a1e64 T
close                80197570 T
wait4                8019f464 T
8  old creat         801b3aa4 T
link                 800a23a4 T
unlink               800a2aa8 T
11  old execv        801b3aa4 T
chdir                800a175c T
fchdir               800a15f4 T
mknod                800a1f64 T
chmod                800a3598 T
chown                800a3714 T
17  old break        801b3aa4 T
getfsstat            800a1390 T
19  old lseek        801b3aa4 T
getpid               801a5838 T
21  old mount        801b3aa4 T
22  old umount       801b3aa4 T
setuid               801a5aec T
getuid               801a58bc T
geteuid              801a58cc T
ptrace               801b0a9c T
recvmsg              801cfde4 T
sendmsg              801cf958 T
recvfrom             801cfa40 T
accept               801cf32c T
getpeername          801d00a8 T
getsockname          801cfff8 T
access               800a2f14 T
chflags              800a336c T
fchflags             800a343c T
sync                 800a0e5c T
kill                 801a91b0 T
38  old stat         801b3aa4 T
getppid              801a5840 T
40  old lstat        801b3aa4 T
dup                  80195890 T
pipe                 801b6a00 T
getegid              801a5944 T
profil               801b3400 T
45  old ktrace       801b3aa4 T
sigaction            801a8348 T
getgid               801a5934 T
sigprocmask          801a8868 T
getlogin             801a66cc T
setlogin             801a6728 T
acct                 801908f0 T
sigpending           801a8a0c T
sigaltstack          801a90f4 T
ioctl                801b426c T
reboot               801b0a2c T
revoke               800a4d8c T
symlink              800a2620 T
readlink             800a328c T
execve               8019e49c T
umask                800a4d64 T
chroot               800a1824 T
62  old fstat        801b3aa4 T
63  used internally , reserved 801b3aa4 T
64  old getpagesize  801b3aa4 T
msync                801a20c0 T
vfork                801a0cfc T
67  old vread        801b3aa4 T
68  old vwrite       801b3aa4 T
69  old sbrk         801b3aa4 T
70  old sstk         801b3aa4 T
71  old mmap         801b3aa4 T
72  old vadvise      801b3aa4 T
munmap               801a216c T
mprotect             801a21a4 T
madvise              801a2264 T
76  old vhangup      801b3aa4 T
77  old vlimit       801b3aa4 T
mincore              801a22d0 T
getgroups            801a5954 T
setgroups            801a6610 T
getpgrp              801a5848 T
setpgid              801a59f4 T
setitimer            801b0518 T
84  old wait         801b3aa4 T
swapon               801e0548 T
getitimer            801b03c8 T
87  old gethostname  801b3aa4 T
88  old sethostname  801b3aa4 T
getdtablesize        80195480 T
dup2                 80195bc4 T
91  old getdopt      801b3aa4 T
fcntl                80195fc4 T
select               801b44fc T
94  old setdopt      801b3aa4 T
fsync                800a3c60 T
setpriority          801a6a24 T
socket               801cedc8 T
connect              801cf34c T
99  old accept       801b3aa4 T
getpriority          801a6918 T
101  old send        801b3aa4 T
102  old recv        801b3aa4 T
103  old sigreturn   801b3aa4 T
bind                 801cee98 T
setsockopt           801cff10 T
listen               801cf00c T
107  old vtimes      801b3aa4 T
108  old sigvec      801b3aa4 T
109  old sigblock    801b3aa4 T
110  old sigsetmask  801b3aa4 T
sigsuspend           801a8a34 T
112  old sigstack    801b3aa4 T
113  old recvmsg     801b3aa4 T
114  old sendmsg     801b3aa4 T
115  old vtrace      801b3aa4 T
gettimeofday         801b01d8 T
getrusage            801a7798 T
getsockopt           801cff74 T
119  old resuba      801b3aa4 T
readv                801b3d4c T
writev               801b40f4 T
settimeofday         801b0238 T
fchown               800a3830 T
fchmod               800a36dc T
125  old recvfrom    801b3aa4 T
setreuid             801a5e40 T
setregid             801a61d8 T
rename               800a3e34 T
129  old truncate    801b3aa4 T
130  old ftruncate   801b3aa4 T
flock                801989e4 T
mkfifo               800a2254 T
sendto               801cf67c T
shutdown             801cfee0 T
socketpair           801cf534 T
mkdir                800a46b4 T
rmdir                800a46fc T
utimes               800a38f0 T
futimes              800a3a70 T
adjtime              801b0338 T
141  old getpeername 801b3aa4 T
gethostuuid          801b5c44 T
143  old sethostid   801b3aa4 T
144  old getrlimit   801b3aa4 T
145  old setrlimit   801b3aa4 T
146  old killpg      801b3aa4 T
setsid               801a59b0 T
148  old setquota    801b3aa4 T
149  old qquota      801b3aa4 T
150  old getsockname 801b3aa4 T
getpgid              801a5850 T
setprivexec          801a5820 T
pread                801b3ca4 T
pwrite               801b4008 T
nfssvc               801b3aa4 T
156  old getdirentries 801b3aa4 T
statfs               800a0eec T
fstatfs              800a117c T
unmount              800a09f0 T
160  old async_daemon 801b3aa4 T
getfh                801b3aa4 T
162  old getdomainname 801b3aa4 T
163  old setdomainname 801b3aa4 T
164                  801b3aa4 T
quotactl             800a0ee8 T
166  old exportfs    801b3aa4 T
mount                8009fd10 T
168  old ustat       801b3aa4 T
csops                801a47bc T
170  old table       801b3aa4 T
171  old wait3       801b3aa4 T
172  old rpause      801b3aa4 T
waitid               8019f860 T
174  old getdents    801b3aa4 T
175  old gc_control  801b3aa4 T
add_profil           801b3404 T
177                  801b3aa4 T
178                  801b3aa4 T
179                  801b3aa4 T
kdebug_trace         8018e964 T
setgid               801a5fe0 T
setegid              801a60ec T
seteuid              801a5d48 T
sigreturn            801e2cb0 T
chud                 801e1acc T
186                  801b3aa4 T
fdatasync            800a3cd8 T
stat                 800a2fec T
fstat                801977f8 T
lstat                800a3134 T
pathconf             800a3228 T
fpathconf            80197858 T
193                  801b3aa4 T
getrlimit            801a75d4 T
setrlimit            801a6eb8 T
getdirentries        800a4928 T
mmap                 801a1b84 T
198  __syscall       801b3aa4 T
lseek                800a2b20 T
truncate             800a3ac4 T
ftruncate            800a3b90 T
__sysctl             801ab798 T
mlock                801a2418 T
munlock              801a246c T
undelete             800a27c8 T
ATsocket             801b3aa4 T
ATgetmsg             801b3aa4 T
ATputmsg             801b3aa4 T
ATPsndreq            801b3aa4 T
ATPsndrsp            801b3aa4 T
ATPgetreq            801b3aa4 T
ATPgetrsp            801b3aa4 T
213  Reserved for AppleTalk 801b3aa4 T
214                  801b3aa4 T
215                  801b3aa4 T
mkcomplex            800a1d9c T
statv                801b3aa4 T
lstatv               801b3aa4 T
fstatv               801b3aa4 T
getattrlist          8008d1c4 T
setattrlist          8008d23c T
getdirentriesattr    800a4e80 T
exchangedata         800a5018 T
224  old checkuseraccess / fsgetpath ( which moved to 427 ) 801b3aa4 T
searchfs             800a5258 T
delete               800a2ae4 T
copyfile             800a3cf4 T
fgetattrlist         8008a6c8 T
fsetattrlist         8008d904 T
poll                 801b4d04 T
watchevent           801b5604 T
waitevent            801b579c T
modwatch             801b5914 T
getxattr             800a6048 T
fgetxattr            800a6160 T
setxattr             800a6240 T
fsetxattr            800a6328 T
removexattr          800a6408 T
fremovexattr         800a64b0 T
listxattr            800a654c T
flistxattr           800a6610 T
fsctl                800a5964 T
initgroups           801a64d0 T
posix_spawn          8019d658 T
ffsctl               800a5f78 T
246                  801b3aa4 T
nfsclnt              801b3aa4 T
fhopen               801b3aa4 T
249                  801b3aa4 T
minherit             801a222c T
semsys               801b3aa4 T
msgsys               801b3aa4 T
shmsys               801b3aa4 T
semctl               801b3aa4 T
semget               801b3aa4 T
semop                801b3aa4 T
257                  801b3aa4 T
msgctl               801b3aa4 T
msgget               801b3aa4 T
msgsnd               801b3aa4 T
msgrcv               801b3aa4 T
shmat                801b3aa4 T
shmctl               801b3aa4 T
shmdt                801b3aa4 T
shmget               801b3aa4 T
shm_open             801d3b34 T
shm_unlink           801d45d0 T
sem_open             801d3110 T
sem_close            801d379c T
sem_unlink           801d35cc T
sem_wait             801d37f8 T
sem_trywait          801d38bc T
sem_post             801d395c T
sem_getvalue         801d39fc T
sem_init             801d39f4 T
sem_destroy          801d39f8 T
open_extended        800a1cb8 T
umask_extended       800a4d14 T
stat_extended        800a2f98 T
lstat_extended       800a30e0 T
fstat_extended       801975e4 T
chmod_extended       800a347c T
fchmod_extended      800a35d4 T
access_extended      800a2c54 T
settid               801a6358 T
gettid               801a58dc T
setsgroups           801a6620 T
getsgroups           801a59a8 T
setwgroups           801a6624 T
getwgroups           801a59ac T
mkfifo_extended      800a21a8 T
mkdir_extended       800a44ac T
identitysvc          801b3aa4 T
shared_region_check_np 801e0a68 T
shared_region_map_np 801b3aa4 T
vm_pressure_monitor  801e1150 T
psynch_rw_longrdlock 801da274 T
psynch_rw_yieldwrlock 801da79c T
psynch_rw_downgrade  801daa38 T
psynch_rw_upgrade    801daa34 T
psynch_mutexwait     801d77d0 T
psynch_mutexdrop     801d85f8 T
psynch_cvbroad       801d864c T
psynch_cvsignal      801d8bb4 T
psynch_cvwait        801d9020 T
psynch_rw_rdlock     801d96ec T
psynch_rw_wrlock     801da508 T
psynch_rw_unlock     801daa3c T
psynch_rw_unlock2    801dad10 T
getsid               801a5880 T
settid_with_pid      801a63f8 T
312  old __pthread_cond_timedwait 801d95e8 T
aio_fsync            80191278 T
aio_return           8019143c T
aio_suspend          801916a0 T
aio_cancel           80190e24 T
aio_error            801911d4 T
aio_read             8019141c T
aio_write            801918a4 T
lio_listio           801918c4 T
321  old __pthread_cond_wait 801b3aa4 T
iopolicysys          801a795c T
323                  801df090 T
mlockall             801a24ac T
munlockall           801a24b0 T
326                  801b3aa4 T
issetugid            801a5adc T
__pthread_kill       801a8e34 T
__pthread_sigmask    801a8e94 T
__sigwait            801a8f38 T
__disable_threadsignal 801a8b48 T
__pthread_markcancel 801a8b64 T
__pthread_canceled   801a8bac T
__semwait_signal     801a8d30 T
335  old utrace      801b3aa4 T
proc_info            801dd524 T
sendfile             801b3aa4 T
stat64               800a3038 T
fstat64              80197838 T
lstat64              800a3180 T
stat64_extended      800a3088 T
lstat64_extended     800a31d0 T
fstat64_extended     80197818 T
getdirentries64      800a4cd0 T
statfs64             800a11e4 T
fstatfs64            800a132c T
getfsstat64          800a1540 T
__pthread_chdir      800a181c T
__pthread_fchdir     800a1754 T
; -----------------------
; The following are unused in iOS - symbols are stubs returning 0x4E (ENOSYS)
audit                8018d990 T
auditon              8018d994 T
352                  801b3aa4 T
getauid              8018d998 T
setauid              8018d99c T
getaudit             8018d9a0 T
setaudit             8018d9a4 T
getaudit_addr        8018d9a8 T
setaudit_addr        8018d9ac T
auditctl             8018d9b0 T
; ---------------------
bsdthread_create     801db740 T
bsdthread_terminate  801db9b4 T
kqueue               801998c4 T
kevent               80199948 T
lchown               800a3818 T
stack_snapshot       8019066c T
bsdthread_register   801dba18 T
workq_open           801dc70c T
workq_kernreturn     801dccac T
kevent64             80199bd4 T
__old_semwait_signal 801a8c1c T
__old_semwait_signal_nocancel 801a8c54 T
thread_selfid        801dd27c T
373                  801b5c98 T
374                  801b3aa4 T
375                  801b3aa4 T
376                  801b3aa4 T
377                  801b3aa4 T
378                  801b3aa4 T
379                  801b3aa4 T
__mac_execve         8019e4bc T
__mac_syscall        80244734 T
__mac_get_file       802443d4 T
__mac_set_file       80244628 T
__mac_get_link       80244504 T
__mac_set_link       80244724 T
__mac_get_proc       80243eb0 T
__mac_set_proc       80243f74 T
__mac_get_fd         80244280 T
__mac_set_fd         80244514 T
__mac_get_pid        80243ddc T
__mac_get_lcid       80244030 T
__mac_get_lctx       802440fc T
__mac_set_lctx       802441c0 T
setlcid              801a67cc T
getlcid              801a68ac T
read_nocancel        801b3ae0 T
write_nocancel       801b3ec0 T
open_nocancel        800a1ee8 T
close_nocancel       8019758c T
wait4_nocancel       8019f484 T
recvmsg_nocancel     801cfe04 T
sendmsg_nocancel     801cf978 T
recvfrom_nocancel    801cfa60 T
accept_nocancel      801cf04c T
msync_nocancel       801a20d8 T
fcntl_nocancel       80195fe4 T
select_nocancel      801b4518 T
fsync_nocancel       800a3cd0 T
connect_nocancel     801cf364 T
sigsuspend_nocancel  801a8ae4 T
readv_nocancel       801b3d6c T
writev_nocancel      801b4114 T
sendto_nocancel      801cf69c T
pread_nocancel       801b3cc4 T
pwrite_nocancel      801b4028 T
waitid_nocancel      8019f87c T
poll_nocancel        801b4d24 T
msgsnd_nocancel      801b3aa4 T
msgrcv_nocancel      801b3aa4 T
sem_wait_nocancel    801d3814 T
aio_suspend_nocancel 801916c0 T
__sigwait_nocancel   801a8f70 T
__semwait_signal_nocancel 801a8d68 T
__mac_mount          8009fd34 T
__mac_get_mount      80244900 T
__mac_getfsstat      800a13b4 T
fsgetpath            800a66d4 T
audit_session_self   8018d984 T
audit_session_join   8018d988 T
fileport_makeport    80198ad4 T
fileport_makefd      80198c58 T
audit_session_port   8018d98c T
pid_suspend          801e084c T
pid_resume           801e08bc T
pid_hibernate        801e0928 T
pid_shutdown_sockets 801e0984 T
437  old shared_region_slide_np 801b3aa4 T
shared_region_map_and_slide_np 801e1008 T

Mach

XNU also supports the Mach personality, which is distinct from the UNIX syscalls discussed above. Mach system calls are commonly known as "traps" and are maintained in a Mach trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the SWI/SVC instruction) checks the system call number: if it is negative, it is interpreted as a Mach trap instead.

In iOS 5.x, the mach_trap_table is not far from the page_size export and right next to the trap names. Note that the listing below is the adjacent trap-name array (pointers to the name strings, parallel to the trap table), not the trap table itself; slots named kern_invalid are unused — kern_invalid is the Mach equivalent of ENOSYS.

__data:802BA684                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA688                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA68C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA690                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA694                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA698                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA69C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA6A0                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA6A4                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA6A8                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA6AC                 DCD a_kernelrpc_mac     ; "_kernelrpc_mach_vm_allocate_trap"
__data:802BA6B0                 DCD a_kernelrpc_vm_     ; "_kernelrpc_vm_allocate_trap"
__data:802BA6B4                 DCD a_kernelrpc_m_0     ; "_kernelrpc_mach_vm_deallocate_trap"
__data:802BA6B8                 DCD a_kernelrpc_v_0     ; "_kernelrpc_vm_deallocate_trap"
__data:802BA6BC                 DCD a_kernelrpc_m_1     ; "_kernelrpc_mach_vm_protect_trap"
__data:802BA6C0                 DCD a_kernelrpc_v_1     ; "_kernelrpc_vm_protect_trap"
__data:802BA6C4                 DCD a_kernelrpc_m_2     ; "_kernelrpc_mach_port_allocate_trap"
__data:802BA6C8                 DCD a_kernelrpc_m_3     ; "_kernelrpc_mach_port_destroy_trap"
__data:802BA6CC                 DCD a_kernelrpc_m_4     ; "_kernelrpc_mach_port_deallocate_trap"
__data:802BA6D0                 DCD a_kernelrpc_m_5     ; "_kernelrpc_mach_port_mod_refs_trap"
__data:802BA6D4                 DCD a_kernelrpc_m_6     ; "_kernelrpc_mach_port_move_member_trap"
__data:802BA6D8                 DCD a_kernelrpc_m_7     ; "_kernelrpc_mach_port_insert_right_trap"
__data:802BA6DC                 DCD a_kernelrpc_m_8     ; "_kernelrpc_mach_port_insert_member_trap"...
__data:802BA6E0                 DCD a_kernelrpc_m_9     ; "_kernelrpc_mach_port_extract_member_tra"...
__data:802BA6E4                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA6E8                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA6EC                 DCD aMach_reply_por     ; "mach_reply_port"
__data:802BA6F0                 DCD aThread_self_tr     ; "thread_self_trap"
__data:802BA6F4                 DCD aTask_self_trap     ; "task_self_trap"
__data:802BA6F8                 DCD aHost_self_trap     ; "host_self_trap"
__data:802BA6FC                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA700                 DCD aMach_msg_trap      ; "mach_msg_trap"
__data:802BA704                 DCD aMach_msg_overw     ; "mach_msg_overwrite_trap"
__data:802BA708                 DCD aSemaphore_sign     ; "semaphore_signal_trap"
__data:802BA70C                 DCD aSemaphore_si_0     ; "semaphore_signal_all_trap"
__data:802BA710                 DCD aSemaphore_si_1     ; "semaphore_signal_thread_trap"
__data:802BA714                 DCD aSemaphore_wait     ; "semaphore_wait_trap"
__data:802BA718                 DCD aSemaphore_wa_0     ; "semaphore_wait_signal_trap"
__data:802BA71C                 DCD aSemaphore_time     ; "semaphore_timedwait_trap"
__data:802BA720                 DCD aSemaphore_ti_0     ; "semaphore_timedwait_signal_trap"
__data:802BA724                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA728                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA72C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA730                 DCD aMap_fd             ; "map_fd"
__data:802BA734                 DCD aTask_name_for_     ; "task_name_for_pid"
__data:802BA738                 DCD aTask_for_pid       ; "task_for_pid"
__data:802BA73C                 DCD aPid_for_task       ; "pid_for_task"
__data:802BA740                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA744                 DCD aMacx_swapon        ; "macx_swapon"
__data:802BA748                 DCD aMacx_swapoff       ; "macx_swapoff"
__data:802BA74C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA750                 DCD aMacx_triggers      ; "macx_triggers"
__data:802BA754                 DCD aMacx_backing_s     ; "macx_backing_store_suspend"
__data:802BA758                 DCD aMacx_backing_0     ; "macx_backing_store_recovery"
__data:802BA75C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA760                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA764                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA768                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA76C                 DCD aPfz_exit           ; "pfz_exit"
__data:802BA770                 DCD aSwtch_pri          ; "swtch_pri"
__data:802BA774                 DCD aSwtch              ; "swtch"
__data:802BA778                 DCD aThread_switch      ; "thread_switch"
__data:802BA77C                 DCD aClock_sleep_tr     ; "clock_sleep_trap"
__data:802BA780                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA784                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA788                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA78C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA790                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA794                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA798                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA79C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7A0                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7A4                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7A8                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7AC                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7B0                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7B4                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7B8                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7BC                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7C0                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7C4                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7C8                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7CC                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7D0                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7D4                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7D8                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7DC                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7E0                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7E4                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA7E8                 DCD aMach_timebase_     ; "mach_timebase_info_trap"
__data:802BA7EC                 DCD aMach_wait_unti     ; "mach_wait_until_trap"
__data:802BA7F0                 DCD aMk_timer_creat     ; "mk_timer_create_trap"
__data:802BA7F4                 DCD aMk_timer_destr     ; "mk_timer_destroy_trap"
__data:802BA7F8                 DCD aMk_timer_arm_t     ; "mk_timer_arm_trap"
__data:802BA7FC                 DCD aMk_timer_cance     ; "mk_timer_cancel_trap"
__data:802BA800                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA804                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA808                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA80C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA810                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA814                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA818                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA81C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA820                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA824                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA828                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA82C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA830                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA834                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA838                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA83C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA840                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA844                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA848                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA84C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA850                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA854                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA858                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA85C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA860                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA864                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA868                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA86C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA870                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA874                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA878                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA87C                 DCD aKern_invalid       ; "kern_invalid"
__data:802BA880                 DCD aKern_invalid       ; "kern_invalid"