Difference between revisions of "Kernel Syscalls"

From The iPhone Wiki
Jump to: navigation, search
(mach_trap_table updated for iOS 6b1)
(arm64)
 
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== Note on these ==
 
== Note on these ==
Args go in their normal registers, like arg1 in R0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12.
+
Args go in their normal registers, like arg1 in R0/X0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12/X16.
   
 
As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).
 
As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).
 
 
   
 
== Unix ==
 
== Unix ==
 
 
=== Usage ===
 
=== Usage ===
 
<pre>
 
<pre>
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12
+
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12 on arm32 and x16 on arm64
 
SVC 0x80 // Formerly, SWI (software interrupt)
 
SVC 0x80 // Formerly, SWI (software interrupt)
 
</pre>
 
</pre>
   
For example:
+
For example, arm32:
 
<pre>
 
<pre>
   
Line 20: Line 17:
 
0x30d2ad54 <chown>: mov r12, #16 ; 0x10, being # of chown
 
0x30d2ad54 <chown>: mov r12, #16 ; 0x10, being # of chown
 
0x30d2ad58 <chown+4>: svc 0x00000080
 
0x30d2ad58 <chown+4>: svc 0x00000080
  +
</pre>
  +
  +
And arm64:
  +
<pre>
  +
libsystem_kernel.dylib`chown:
  +
0x1866c6084 <+0>: mov x16, #0x10
  +
0x1866c6088 <+4>: svc #0x80
 
</pre>
 
</pre>
   
 
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
 
Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)
   
=== sysent ===
 
   
  +
=== sysent ===
 
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (either be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:
+
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the exported kdebug symbol, this is unreliable, as the symbol is no longer exported. A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:
   
 
<pre>
 
<pre>
Line 46: Line 49:
 
</pre>
 
</pre>
   
Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 5.1:
+
Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 6.0b1:
   
=== List of system calls from iOS 6.b1 ===
+
=== List of system calls from [[iOS]] 6.0 GM ===
   
'''note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).
+
'''note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).
   
  +
A good reference on these can be found at [http://newosxbook.com/index.php?page=Appendix ''Wiley's OS X and iOS Internals'' online appendix]. The joker tool (shown below) can be downloaded from the same site.
<pre>
 
   
  +
<pre>
$ joker -ls unix -sup ~/Documents/projects/iOS.6.0b1.iPod4.kernel
 
  +
$ joker -u ~/Documents/projects/iOS.6.0.iPod4.kernel
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
 
  +
This is an ARM binary. Applying iOS kernel signatures
Sysent offset in file (for patching purposes): 3076288 (0x2ef0c0)
 
This appears to be XNU 2107.1.78
+
Entry point is 0x80085084....This appears to be XNU 2107.2.33
  +
Syscall names are @2a70f0
Suppressing enosys (801e9d5c)
 
  +
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0
   
  +
Suppressing enosys (0x800b3429) T = Thumb
1. exit 801d32dc T
 
2. fork 801d61d4 T
+
1. exit 801d4a74 T
3. read 801e9d7c T
+
2. fork 801d7980 T
4. write 801ea150 T
+
3. read 801eb584 T
5. open 800b12f0 T
+
4. write 801eb958 T
6. close 801cb904 T
+
5. open 800b13a4 T
7. wait4 801d3f10 T
+
6. close 801ccab4 T
9. link 800b1804 T
+
7. wait4 801d56bc T
10. unlink 800b1f0c T
+
9. link 800b18e8 T
12. chdir 800b0be0 T
+
10. unlink 800b1ff0 T
13. fchdir 800b0a70 T
+
12. chdir 800b0c60 T
14. mknod 800b13d8 T
+
13. fchdir 800b0af0 T
15. chmod 800b2a5c T
+
14. mknod 800b14bc T
16. chown 800b2bb8 T
+
15. chmod 800b2b40 T
18. getfsstat 800b080c T
+
16. chown 800b2c9c T
20. getpid 801daa60 T
+
18. getfsstat 800b088c T
23. setuid 801dad14 T
+
20. getpid 801dc20c T
24. getuid 801daae4 T
+
23. setuid 801dc4c0 T
25. geteuid 801daaf4 T
+
24. getuid 801dc290 T
26. ptrace 801e6924 T
+
25. geteuid 801dc2a0 T
27. recvmsg 802090f4 T
+
26. ptrace 801e812c T
28. sendmsg 80208c3c T
+
27. recvmsg 8020a8fc T
29. recvfrom 80208d20 T
+
28. sendmsg 8020a444 T
30. accept 802085f4 T
+
29. recvfrom 8020a528 T
31. getpeername 802093c0 T
+
30. accept 80209dfc T
32. getsockname 80209310 T
+
31. getpeername 8020abc8 T
33. access 800b23c8 T
+
32. getsockname 8020ab18 T
34. chflags 800b2844 T
+
33. access 800b24ac T
35. fchflags 800b290c T
+
34. chflags 800b2928 T
36. sync 800b02a0 T
+
35. fchflags 800b29f0 T
37. kill 801de620 T
+
36. sync 800b0320 T
39. getppid 801daa68 T
+
37. kill 801dfdcc T
41. dup 801c9a94 T
+
39. getppid 801dc214 T
42. pipe 801ec3dc T
+
41. dup 801cab04 T
43. getegid 801dab6c T
+
42. pipe 801edbe4 T
46. sigaction 801dd73c T
+
43. getegid 801dc318 T
47. getgid 801dab5c T
+
46. sigaction 801deee8 T
48. sigprocmask 801ddc80 T
+
47. getgid 801dc308 T
49. getlogin 801db93c T
+
48. sigprocmask 801df42c T
50. setlogin 801db9b4 T
+
49. getlogin 801dd0e8 T
51. acct 801c447c T
+
50. setlogin 801dd160 T
52. sigpending 801dde24 T
+
51. acct 801c54ec T
53. sigaltstack 801de564 T
+
52. sigpending 801df5d0 T
54. ioctl 801ea514 T
+
53. sigaltstack 801dfd10 T
55. reboot 801e6888 T
+
54. ioctl 801ebd1c T
56. revoke 800b4320 T
+
55. reboot 801e8090 T
57. symlink 800b1a74 T
+
56. revoke 800b43f8 T
58. readlink 800b2748 T
+
57. symlink 800b1b58 T
59. execve 801d2cb0 T
+
58. readlink 800b282c T
60. umask 800b42f8 T
+
59. execve 801d4448 T
61. chroot 800b0cb0 T
+
60. umask 800b43d0 T
65. msync 801d6d24 T
+
61. chroot 800b0d30 T
66. vfork 801d586c T
+
65. msync 801d84d0 T
73. munmap 801d6dd0 T
+
66. vfork 801d7018 T
74. mprotect 801d6e04 T
+
73. munmap 801d857c T
75. madvise 801d6ebc T
+
74. mprotect 801d85b0 T
78. mincore 801d6f28 T
+
75. madvise 801d8668 T
79. getgroups 801dab7c T
+
78. mincore 801d86d4 T
80. setgroups 801db880 T
+
79. getgroups 801dc328 T
81. getpgrp 801daa70 T
+
80. setgroups 801dd02c T
82. setpgid 801dac1c T
+
81. getpgrp 801dc21c T
83. setitimer 801e6370 T
+
82. setpgid 801dc3c8 T
85. swapon 8021a638 T
+
83. setitimer 801e7b78 T
86. getitimer 801e6228 T
+
85. swapon 8021be68 T
89. getdtablesize 801c966c T
+
86. getitimer 801e7a30 T
90. dup2 801c9ec0 T
+
89. getdtablesize 801ca6dc T
92. fcntl 801ca2d8 T
+
90. dup2 801caf54 T
93. select 801ea7c0 T
+
92. fcntl 801cb420 T
95. fsync 800b3154 T
+
93. select 801ebfc8 T
96. setpriority 801dbce8 T
+
95. fsync 800b3238 T
97. socket 8020809c T
+
96. setpriority 801dd494 T
98. connect 80208614 T
+
97. socket 802098a4 T
100. getpriority 801dbbdc T
+
98. connect 80209e1c T
104. bind 80208168 T
+
100. getpriority 801dd388 T
105. setsockopt 80209228 T
+
104. bind 80209970 T
106. listen 802082d4 T
+
105. setsockopt 8020aa30 T
111. sigsuspend 801dde4c T
+
106. listen 80209adc T
116. gettimeofday 801e6038 T
+
111. sigsuspend 801df5f8 T
117. getrusage 801dca80 T
+
116. gettimeofday 801e7840 T
118. getsockopt 8020928c T
+
117. getrusage 801de22c T
120. readv 801ea008 T
+
118. getsockopt 8020aa94 T
121. writev 801ea3a8 T
+
120. readv 801eb810 T
122. settimeofday 801e6094 T
+
121. writev 801ebbb0 T
123. fchown 800b2cc8 T
+
122. settimeofday 801e789c T
124. fchmod 800b2b8c T
+
123. fchown 800b2dac T
126. setreuid 801db060 T
+
124. fchmod 800b2c70 T
127. setregid 801db3f4 T
+
126. setreuid 801dc80c T
128. rename 800b3344 T
+
127. setregid 801dcba0 T
131. flock 801cce8c T
+
128. rename 800b3428 T
132. mkfifo 800b16b4 T
+
131. flock 801ce20c T
133. sendto 80208960 T
+
132. mkfifo 800b1798 T
134. shutdown 802091f8 T
+
133. sendto 8020a168 T
135. socketpair 80208804 T
+
134. shutdown 8020aa00 T
136. mkdir 800b3c38 T
+
135. socketpair 8020a00c T
137. rmdir 800b3c78 T
+
136. mkdir 800b3d1c T
138. utimes 800b2d7c T
+
137. rmdir 800b3d5c T
139. futimes 800b2f50 T
+
138. utimes 800b2e60 T
140. adjtime 801e6198 T
+
139. futimes 800b3034 T
142. gethostuuid 801ebe9c T
+
140. adjtime 801e79a0 T
147. setsid 801dabd8 T
+
142. gethostuuid 801ed6a4 T
151. getpgid 801daa78 T
+
147. setsid 801dc384 T
152. setprivexec 801daa48 T
+
151. getpgid 801dc224 T
153. pread 801e9f6c T
+
152. setprivexec 801dc1f4 T
154. pwrite 801ea2c8 T
+
153. pread 801eb774 T
157. statfs 800b0340 T
+
154. pwrite 801ebad0 T
158. fstatfs 800b05f8 T
+
157. statfs 800b03c0 T
159. unmount 800afe08 T
+
158. fstatfs 800b0678 T
165. quotactl 800b033c T
+
159. unmount 800afe88 T
167. mount 800aefe8 T
+
165. quotactl 800b03bc T
169. csops 801d9824 T
+
167. mount 800af068 T
170. 170 old table 801d9d10 T
+
169. csops 801dafd0 T
173. waitid 801d4308 T
+
170. 170 old table 801db4bc T
180. kdebug_trace 801c1d58 T
+
173. waitid 801d5ab4 T
181. setgid 801db1f8 T
+
180. kdebug_trace 801c2db4 T
182. setegid 801db304 T
+
181. setgid 801dc9a4 T
183. seteuid 801daf64 T
+
182. setegid 801dcab0 T
184. sigreturn 8021cfa8 T
+
183. seteuid 801dc710 T
185. chud 8021bcb8 T
+
184. sigreturn 8021e7e4 T
187. fdatasync 800b31cc T
+
185. chud 8021d4f4 T
188. stat 800b24a4 T
+
187. fdatasync 800b32b0 T
189. fstat 801cbb98 T
+
188. stat 800b2588 T
190. lstat 800b25f0 T
+
189. fstat 801ccfec T
191. pathconf 800b26e4 T
+
190. lstat 800b26d4 T
192. fpathconf 801cbbf4 T
+
191. pathconf 800b27c8 T
194. getrlimit 801dc8c8 T
+
192. fpathconf 801cd048 T
195. setrlimit 801dc190 T
+
194. getrlimit 801de074 T
196. getdirentries 800b3eb0 T
+
195. setrlimit 801dd93c T
197. mmap 801d6814 T
+
196. getdirentries 800b3f94 T
199. lseek 800b1f84 T
+
197. mmap 801d7fc0 T
200. truncate 800b2fd0 T
+
199. lseek 800b2068 T
201. ftruncate 800b3090 T
+
200. truncate 800b30b4 T
202. __sysctl 801e0ccc T
+
201. ftruncate 800b3174 T
203. mlock 801d7074 T
+
202. __sysctl 801e2478 T
204. munlock 801d70cc T
+
203. mlock 801d8820 T
205. undelete 800b1c0c T
+
204. munlock 801d8878 T
216. mkcomplex 800b1224 T
+
205. undelete 800b1cf0 T
220. getattrlist 8009afe0 T
+
216. mkcomplex 800b12c4 T
221. setattrlist 8009b058 T
+
220. getattrlist 8009b060 T
  +
221. setattrlist 8009b0d8 T
222. getdirentriesattr 800b4408 T
 
  +
222. getdirentriesattr 800b44e0 T
223. exchangedata 800b45c4 T
 
  +
292. mkdir_extended 800b3b30 T
294. shared_region_check_np 8021ab68 T
 
  +
294. shared_region_check_np 8021c3a4 T
296. vm_pressure_monitor 8021b2cc T
 
  +
296. vm_pressure_monitor 8021cb08 T
297. psynch_rw_longrdlock 8021415c T
 
  +
297. psynch_rw_longrdlock 802159ac T
298. psynch_rw_yieldwrlock 80214408 T
 
  +
298. psynch_rw_yieldwrlock 80215c60 T
299. psynch_rw_downgrade 80214410 T
 
  +
299. psynch_rw_downgrade 80215c68 T
300. psynch_rw_upgrade 8021440c T
 
  +
309. psynch_rw_unlock2 80215f64 T
310. getsid 801daaa8 T
 
  +
311. settid_with_pid 801dcdcc T
312. psynch_cvclrprepost 80213430 T
 
  +
312. psynch_cvclrprepost 80214c7c T
313. aio_fsync 801c4e60 T
 
  +
329. __pthread_sigmask 801dfaa4 T
330. __sigwait 801de3a8 T
 
  +
330. __sigwait 801dfb54 T
331. __disable_threadsignal 801ddf74 T
 
  +
331. __disable_threadsignal 801df720 T
332. __pthread_markcancel 801ddf90 T
 
  +
332. __pthread_markcancel 801df73c T
333. __pthread_canceled 801ddfd8 T
 
  +
333. __pthread_canceled 801df784 T
334. __semwait_signal 801de178 T
 
  +
349. __pthread_fchdir 800b0c58 T
350. audit 801c0a18 T
 
  +
360. bsdthread_create 80216ab8 T
361. bsdthread_terminate 802154d8 T
 
  +
361. bsdthread_terminate 80216d30 T
362. kqueue 801cddec T
 
  +
365. stack_snapshot 801c520c T
366. bsdthread_register 8021553c T
 
  +
366. bsdthread_register 80216d94 T
367. workq_open 80216190 T
 
  +
369. kevent64 801cf8ac T
370. __old_semwait_signal 801de04c T
 
  +
370. __old_semwait_signal 801df7f8 T
371. __old_semwait_signal_nocancel 801de080 T
 
  +
371. __old_semwait_signal_nocancel 801df82c T
372. thread_selfid 80216afc T
 
  +
409. connect_nocancel 80209e34 T
410. sigsuspend_nocancel 801ddf08 T
 
  +
410. sigsuspend_nocancel 801df6b4 T
411. readv_nocancel 801ea028 T
 
  +
417. poll_nocancel 801ec74c T
420. sem_wait_nocancel 8020cf24 T
 
  +
420. sem_wait_nocancel 8020e788 T
421. aio_suspend_nocancel 801c52e0 T
 
  +
421. aio_suspend_nocancel 801c6350 T
422. __sigwait_nocancel 801de3e0 T
 
  +
422. __sigwait_nocancel 801dfb8c T
423. __semwait_signal_nocancel 801de1ac T
 
  +
423. __semwait_signal_nocancel 801df958 T
424. __mac_mount 800af00c T
 
427. fsgetpath 800b5c0c T
+
426. __mac_getfsstat 800b08b0 T
  +
427. fsgetpath 800b5ce4 T
428. audit_session_self 801c0a0c T
 
  +
428. audit_session_self 801c1a68 T
429. audit_session_join 801c0a10 T
 
  +
429. audit_session_join 801c1a6c T
430. fileport_makeport 801ccf70 T
 
  +
431. fileport_makefd 801ce494 T
432. audit_session_port 801c0a14 T
 
  +
432. audit_session_port 801c1a70 T
433. pid_suspend 8021a950 T
 
434. pid_resume 8021a9c0 T
+
433. pid_suspend 8021c180 T
435. pid_hibernate 8021aa2c T
+
434. pid_resume 8021c1f0 T
  +
435. pid_hibernate 8021c268 T
436. pid_shutdown_sockets 8021aa84 T
 
  +
436. pid_shutdown_sockets 8021c2c0 T
438. shared_region_map_and_slide_np 8021b118 T
 
  +
438. shared_region_map_and_slide_np 8021c954 T
439. kas_info 8021b314 T ; Provides ASLR information to user space (JB: Hint, Hint!)
 
  +
439. kas_info 8021cb50 T ; Provides ASLR information to user space
440. memorystatus_control 801e4aa4 T ; Controls memory status (JetSam)
 
225. searchfs 800b4804 T
+
223. exchangedata 800b469c T
226. delete 800b1f48 T
+
225. searchfs 800b48dc T
227. copyfile 800b31e8 T
+
226. delete 800b202c T
228. fgetattrlist 80098408 T
+
227. copyfile 800b32cc T
229. fsetattrlist 8009b760 T
+
228. fgetattrlist 80098488 T
230. poll 801eaf24 T
+
229. fsetattrlist 8009b7e0 T
231. watchevent 801eb84c T
+
230. poll 801ec72c T
232. waitevent 801eb9f0 T
+
231. watchevent 801ed054 T
233. modwatch 801ebb60 T
+
232. waitevent 801ed1f8 T
234. getxattr 800b5478 T
+
233. modwatch 801ed368 T
235. fgetxattr 800b55b4 T
+
234. getxattr 800b5550 T
236. setxattr 800b56b4 T
+
235. fgetxattr 800b568c T
237. fsetxattr 800b57c0 T
+
236. setxattr 800b578c T
238. removexattr 800b58bc T
+
237. fsetxattr 800b5898 T
239. fremovexattr 800b5984 T
+
238. removexattr 800b5994 T
240. listxattr 800b5a44 T
+
239. fremovexattr 800b5a5c T
241. flistxattr 800b5b28 T
+
240. listxattr 800b5b1c T
242. fsctl 800b4cfc T
+
241. flistxattr 800b5c00 T
243. initgroups 801db6fc T
+
242. fsctl 800b4dd4 T
244. posix_spawn 801d1d74 T
+
243. initgroups 801dcea8 T
245. ffsctl 800b539c T
+
244. posix_spawn 801d351c T
250. minherit 801d6e84 T
+
245. ffsctl 800b5474 T
266. shm_open 8020d2c0 T
+
250. minherit 801d8630 T
267. shm_unlink 8020dda0 T
+
266. shm_open 8020eb24 T
268. sem_open 8020c718 T
+
267. shm_unlink 8020f604 T
269. sem_close 8020ceb0 T
+
268. sem_open 8020df80 T
270. sem_unlink 8020cc78 T
+
269. sem_close 8020e718 T
271. sem_wait 8020cf08 T
+
270. sem_unlink 8020e4e0 T
272. sem_trywait 8020cfd0 T
+
271. sem_wait 8020e76c T
273. sem_post 8020d074 T
+
272. sem_trywait 8020e834 T
274. sem_getvalue 8020d118 T
+
273. sem_post 8020e8d8 T
275. sem_init 8020d110 T
+
274. sem_getvalue 8020e97c T
276. sem_destroy 8020d114 T
+
275. sem_init 8020e974 T
277. open_extended 800b1144 T
+
276. sem_destroy 8020e978 T
278. umask_extended 800b42a8 T
+
277. open_extended 800b11d8 T
279. stat_extended 800b244c T
+
278. umask_extended 800b4380 T
280. lstat_extended 800b2598 T
+
279. stat_extended 800b2530 T
281. fstat_extended 801cb97c T
+
280. lstat_extended 800b267c T
282. chmod_extended 800b294c T
+
281. fstat_extended 801ccdd0 T
283. fchmod_extended 800b2a90 T
+
282. chmod_extended 800b2a30 T
284. access_extended 800b20bc T
+
283. fchmod_extended 800b2b74 T
285. settid 801db580 T
+
284. access_extended 800b21a0 T
286. gettid 801dab04 T
+
285. settid 801dcd2c T
287. setsgroups 801db890 T
+
286. gettid 801dc2b0 T
288. getsgroups 801dabd0 T
+
287. setsgroups 801dd03c T
289. setwgroups 801db894 T
+
288. getsgroups 801dc37c T
290. getwgroups 801dabd4 T
+
289. setwgroups 801dd040 T
291. mkfifo_extended 800b1610 T
+
290. getwgroups 801dc380 T
292. mkdir_extended 800b3a4c T
+
291. mkfifo_extended 800b16f4 T
301. psynch_mutexwait 80211374 T
+
300. psynch_rw_upgrade 80215c64 T
302. psynch_mutexdrop 80212338 T
+
301. psynch_mutexwait 80212bd8 T
303. psynch_cvbroad 8021238c T
+
302. psynch_mutexdrop 80213b9c T
304. psynch_cvsignal 80212970 T
+
303. psynch_cvbroad 80213bf0 T
305. psynch_cvwait 80212df8 T
+
304. psynch_cvsignal 802141c0 T
306. psynch_rw_rdlock 80213530 T
+
305. psynch_cvwait 80214648 T
307. psynch_rw_wrlock 80214160 T
+
306. psynch_rw_rdlock 80214d7c T
308. psynch_rw_unlock 80214414 T
+
307. psynch_rw_wrlock 802159b0 T
309. psynch_rw_unlock2 8021470c T
+
308. psynch_rw_unlock 80215c6c T
311. settid_with_pid 801db620 T
+
310. getsid 801dc254 T
314. aio_return 801c5038 T
+
313. aio_fsync 801c5ed0 T
315. aio_suspend 801c52c0 T
+
314. aio_return 801c60a8 T
316. aio_cancel 801c49d8 T
+
315. aio_suspend 801c6330 T
317. aio_error 801c4db4 T
+
316. aio_cancel 801c5a48 T
318. aio_read 801c5018 T
+
317. aio_error 801c5e24 T
319. aio_write 801c54d4 T
+
318. aio_read 801c6088 T
320. lio_listio 801c54f4 T
+
319. aio_write 801c6544 T
322. iopolicysys 801dcc74 T
+
320. lio_listio 801c6564 T
323. process_policy 80218edc T
+
322. iopolicysys 801de420 T
324. mlockall 801d7108 T
+
323. process_policy 8021a72c T
325. munlockall 801d710c T
+
324. mlockall 801d88b4 T
327. issetugid 801dad04 T
+
325. munlockall 801d88b8 T
328. __pthread_kill 801de298 T
+
327. issetugid 801dc4b0 T
329. __pthread_sigmask 801de2f8 T
+
328. __pthread_kill 801dfa44 T
336. proc_info 80216dc0 T
+
334. __semwait_signal 801df924 T
338. stat64 800b24f0 T
+
336. proc_info 80218618 T
339. fstat64 801cbbd4 T
+
338. stat64 800b25d4 T
340. lstat64 800b263c T
+
339. fstat64 801cd028 T
341. stat64_extended 800b2540 T
+
340. lstat64 800b2720 T
342. lstat64_extended 800b268c T
+
341. stat64_extended 800b2624 T
343. fstat64_extended 801cbbb8 T
+
342. lstat64_extended 800b2770 T
344. getdirentries64 800b4268 T
+
343. fstat64_extended 801cd00c T
345. statfs64 800b0660 T
+
344. getdirentries64 800b4340 T
346. fstatfs64 800b07a8 T
+
345. statfs64 800b06e0 T
347. getfsstat64 800b09b8 T
+
346. fstatfs64 800b0828 T
348. __pthread_chdir 800b0ca8 T
+
347. getfsstat64 800b0a38 T
349. __pthread_fchdir 800b0bd8 T
+
348. __pthread_chdir 800b0d28 T
351. auditon 801c0a1c T
+
350. audit 801c1a74 T
353. getauid 801c0a20 T
+
351. auditon 801c1a78 T
354. setauid 801c0a24 T
+
353. getauid 801c1a7c T
357. getaudit_addr 801c0a28 T
+
354. setauid 801c1a80 T
358. setaudit_addr 801c0a2c T
+
357. getaudit_addr 801c1a84 T
359. auditctl 801c0a30 T
+
358. setaudit_addr 801c1a88 T
360. bsdthread_create 80215260 T
+
359. auditctl 801c1a8c T
363. kevent 801cde6c T
+
362. kqueue 801cf594 T
364. lchown 800b2cb0 T
+
363. kevent 801cf614 T
365. stack_snapshot 801c41a0 T
+
364. lchown 800b2d94 T
368. workq_kernreturn 802165f8 T
+
367. workq_open 802179e8 T
369. kevent64 801ce104 T
+
368. workq_kernreturn 80217e50 T
373. ledger 801ebf04 T
+
372. thread_selfid 80218354 T
380. __mac_execve 801d2cd0 T
+
373. ledger 801ed70c T
381. __mac_syscall 8027b874 T
+
380. __mac_execve 801d4468 T
382. __mac_get_file 8027b51c T
+
381. __mac_syscall 8027d0a8 T
383. __mac_set_file 8027b764 T
+
382. __mac_get_file 8027cd50 T
384. __mac_get_link 8027b640 T
+
383. __mac_set_file 8027cf98 T
385. __mac_set_link 8027b864 T
+
384. __mac_get_link 8027ce74 T
386. __mac_get_proc 8027b010 T
+
385. __mac_set_link 8027d098 T
387. __mac_set_proc 8027b0d0 T
+
386. __mac_get_proc 8027c844 T
388. __mac_get_fd 8027b3c8 T
+
387. __mac_set_proc 8027c904 T
389. __mac_set_fd 8027b650 T
+
388. __mac_get_fd 8027cbfc T
390. __mac_get_pid 8027af44 T
+
389. __mac_set_fd 8027ce84 T
391. __mac_get_lcid 8027b184 T
+
390. __mac_get_pid 8027c778 T
392. __mac_get_lctx 8027b248 T
+
391. __mac_get_lcid 8027c9b8 T
393. __mac_set_lctx 8027b304 T
+
392. __mac_get_lctx 8027ca7c T
394. setlcid 801dba7c T
+
393. __mac_set_lctx 8027cb38 T
395. getlcid 801dbb64 T
+
394. setlcid 801dd228 T
396. read_nocancel 801e9d9c T
+
395. getlcid 801dd310 T
397. write_nocancel 801ea170 T
+
396. read_nocancel 801eb5a4 T
398. open_nocancel 800b1368 T
+
397. write_nocancel 801eb978 T
399. close_nocancel 801cb920 T
+
398. open_nocancel 800b1434 T
400. wait4_nocancel 801d3f30 T
+
399. close_nocancel 801ccad0 T
401. recvmsg_nocancel 80209114 T
+
400. wait4_nocancel 801d56dc T
402. sendmsg_nocancel 80208c5c T
+
401. recvmsg_nocancel 8020a91c T
403. recvfrom_nocancel 80208d40 T
+
402. sendmsg_nocancel 8020a464 T
404. accept_nocancel 80208314 T
+
403. recvfrom_nocancel 8020a548 T
405. msync_nocancel 801d6d3c T
+
404. accept_nocancel 80209b1c T
406. fcntl_nocancel 801ca2f8 T
+
405. msync_nocancel 801d84e8 T
407. select_nocancel 801ea7dc T
+
406. fcntl_nocancel 801cb440 T
408. fsync_nocancel 800b31c4 T
+
407. select_nocancel 801ebfe4 T
409. connect_nocancel 8020862c T
+
408. fsync_nocancel 800b32a8 T
412. writev_nocancel 801ea3c8 T
+
411. readv_nocancel 801eb830 T
413. sendto_nocancel 80208980 T
+
412. writev_nocancel 801ebbd0 T
414. pread_nocancel 801e9f8c T
+
413. sendto_nocancel 8020a188 T
415. pwrite_nocancel 801ea2e8 T
+
414. pread_nocancel 801eb794 T
416. waitid_nocancel 801d4324 T
+
415. pwrite_nocancel 801ebaf0 T
417. poll_nocancel 801eaf44 T
+
416. waitid_nocancel 801d5ad0 T
425. __mac_get_mount 8027ba6c T
+
424. __mac_mount 800af08c T
426. __mac_getfsstat 800b0830 T
+
425. __mac_get_mount 8027d2a0 T
431. fileport_makefd 801cd0f4 T
+
430. fileport_makeport 801ce2f0 T
  +
; (intentionally crippled in iOS, works in ML)
  +
440. memorystatus_control 801e62a0 T ;; Controls JetSam - supersedes old sysctl interface
  +
441. guarded_open_np 801cead0 T
  +
442. guarded_close_np 801cebdc T
   
 
</pre>
 
</pre>
Line 460: Line 468:
   
 
</pre>
 
</pre>
  +
  +
== References ==
  +
* [http://newosxbook.com/index.php?page=Appendix ''Wiley's OS X and iOS Internals'' online appendix]

Latest revision as of 21:48, 2 February 2018

Note on these

Args go in their normal registers, like arg1 in R0/X0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12/X16.

As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).

Unix

Usage

MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12 on arm32 and x16 on arm64
SVC 0x80   // Formerly, SWI (software interrupt)

For example, arm32:


(gdb) disass chown
0x30d2ad54 <chown>:	mov	r12, #16	       ; 0x10, being # of chown
0x30d2ad58 <chown+4>:	svc	0x00000080

And arm64:

libsystem_kernel.dylib`chown:
    0x1866c6084 <+0>:  mov    x16, #0x10
    0x1866c6088 <+4>:  svc    #0x80

Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)


sysent

The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the exported kdebug symbol, this is unreliable, as the symbol is no longer exported. A better way is to home in on the pattern of the struct sysent entries itself, i.e - as defined in bsd/sys/sysent.h:


struct sysent {         /* system call table */
        int16_t         sy_narg;        /* number of args */
        int8_t          sy_resv;        /* reserved  */
        int8_t          sy_flags;       /* flags */
        sy_call_t       *sy_call;       /* implementing function */
        sy_munge_t      *sy_arg_munge32; /* system call arguments munger for 32-bit process */
        sy_munge_t      *sy_arg_munge64; /* system call arguments munger for 64-bit process */
        int32_t         sy_return_type; /* system call return types */
        uint16_t        sy_arg_bytes;   /* Total size of arguments in bytes for
                                         * 32-bit system calls
                                         */
};

Because system calls arguments are set in stone, it is straightforward to write code to find the signature of the first few syscalls (syscall, exit, fork..), and from there calculate the other sysent entries. A program to do so reliable on iOS has, in fact, been written, and produces the following output for iOS 6.0b1:

List of system calls from iOS 6.0 GM

note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).

A good reference on these can be found at Wiley's OS X and iOS Internals online appendix. The joker tool (shown below) can be downloaded from the same site.

$ joker -u ~/Documents/projects/iOS.6.0.iPod4.kernel 
This is an ARM binary. Applying iOS kernel signatures
Entry point is 0x80085084....This appears to be XNU 2107.2.33
Syscall names are @2a70f0
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0

Suppressing enosys (0x800b3429)  T = Thumb
1. exit                  801d4a74 T
2. fork                  801d7980 T
3. read                  801eb584 T
4. write                 801eb958 T
5. open                  800b13a4 T
6. close                 801ccab4 T
7. wait4                 801d56bc T
9. link                  800b18e8 T
10. unlink               800b1ff0 T
12. chdir                800b0c60 T
13. fchdir               800b0af0 T
14. mknod                800b14bc T
15. chmod                800b2b40 T
16. chown                800b2c9c T
18. getfsstat            800b088c T
20. getpid               801dc20c T
23. setuid               801dc4c0 T
24. getuid               801dc290 T
25. geteuid              801dc2a0 T
26. ptrace               801e812c T
27. recvmsg              8020a8fc T
28. sendmsg              8020a444 T
29. recvfrom             8020a528 T
30. accept               80209dfc T
31. getpeername          8020abc8 T
32. getsockname          8020ab18 T
33. access               800b24ac T
34. chflags              800b2928 T
35. fchflags             800b29f0 T
36. sync                 800b0320 T
37. kill                 801dfdcc T
39. getppid              801dc214 T
41. dup                  801cab04 T
42. pipe                 801edbe4 T
43. getegid              801dc318 T
46. sigaction            801deee8 T
47. getgid               801dc308 T
48. sigprocmask          801df42c T
49. getlogin             801dd0e8 T
50. setlogin             801dd160 T
51. acct                 801c54ec T
52. sigpending           801df5d0 T
53. sigaltstack          801dfd10 T
54. ioctl                801ebd1c T
55. reboot               801e8090 T
56. revoke               800b43f8 T
57. symlink              800b1b58 T
58. readlink             800b282c T
59. execve               801d4448 T
60. umask                800b43d0 T
61. chroot               800b0d30 T
65. msync                801d84d0 T
66. vfork                801d7018 T
73. munmap               801d857c T
74. mprotect             801d85b0 T
75. madvise              801d8668 T
78. mincore              801d86d4 T
79. getgroups            801dc328 T
80. setgroups            801dd02c T
81. getpgrp              801dc21c T
82. setpgid              801dc3c8 T
83. setitimer            801e7b78 T
85. swapon               8021be68 T
86. getitimer            801e7a30 T
89. getdtablesize        801ca6dc T
90. dup2                 801caf54 T
92. fcntl                801cb420 T
93. select               801ebfc8 T
95. fsync                800b3238 T
96. setpriority          801dd494 T
97. socket               802098a4 T
98. connect              80209e1c T
100. getpriority          801dd388 T
104. bind                 80209970 T
105. setsockopt           8020aa30 T
106. listen               80209adc T
 111. sigsuspend           801df5f8 T
116. gettimeofday         801e7840 T
117. getrusage            801de22c T
118. getsockopt           8020aa94 T
120. readv                801eb810 T
121. writev               801ebbb0 T
122. settimeofday         801e789c T
123. fchown               800b2dac T
124. fchmod               800b2c70 T
126. setreuid             801dc80c T
127. setregid             801dcba0 T
128. rename               800b3428 T
131. flock                801ce20c T
132. mkfifo               800b1798 T
133. sendto               8020a168 T
134. shutdown             8020aa00 T
135. socketpair           8020a00c T
136. mkdir                800b3d1c T
137. rmdir                800b3d5c T
138. utimes               800b2e60 T
139. futimes              800b3034 T
140. adjtime              801e79a0 T
142. gethostuuid          801ed6a4 T
147. setsid               801dc384 T
151. getpgid              801dc224 T
152. setprivexec          801dc1f4 T
153. pread                801eb774 T
154. pwrite               801ebad0 T
157. statfs               800b03c0 T
158. fstatfs              800b0678 T
159. unmount              800afe88 T
165. quotactl             800b03bc T
167. mount                800af068 T
169. csops                801dafd0 T
170. 170  old table       801db4bc T
173. waitid               801d5ab4 T
180. kdebug_trace         801c2db4 T
181. setgid               801dc9a4 T
182. setegid              801dcab0 T
183. seteuid              801dc710 T
184. sigreturn            8021e7e4 T
185. chud                 8021d4f4 T
187. fdatasync            800b32b0 T
188. stat                 800b2588 T
189. fstat                801ccfec T
190. lstat                800b26d4 T
191. pathconf             800b27c8 T
192. fpathconf            801cd048 T
194. getrlimit            801de074 T
195. setrlimit            801dd93c T
196. getdirentries        800b3f94 T
197. mmap                 801d7fc0 T
199. lseek                800b2068 T
200. truncate             800b30b4 T
201. ftruncate            800b3174 T
202. __sysctl             801e2478 T
203. mlock                801d8820 T
204. munlock              801d8878 T
205. undelete             800b1cf0 T
216. mkcomplex            800b12c4 T
220. getattrlist          8009b060 T
221. setattrlist          8009b0d8 T
222. getdirentriesattr    800b44e0 T
223. exchangedata         800b469c T
225. searchfs             800b48dc T
226. delete               800b202c T
227. copyfile             800b32cc T
228. fgetattrlist         80098488 T
229. fsetattrlist         8009b7e0 T
230. poll                 801ec72c T
231. watchevent           801ed054 T
232. waitevent            801ed1f8 T
233. modwatch             801ed368 T
234. getxattr             800b5550 T
235. fgetxattr            800b568c T
236. setxattr             800b578c T
237. fsetxattr            800b5898 T
238. removexattr          800b5994 T
239. fremovexattr         800b5a5c T
240. listxattr            800b5b1c T
241. flistxattr           800b5c00 T
242. fsctl                800b4dd4 T
243. initgroups           801dcea8 T
244. posix_spawn          801d351c T
245. ffsctl               800b5474 T
250. minherit             801d8630 T
266. shm_open             8020eb24 T
267. shm_unlink           8020f604 T
268. sem_open             8020df80 T
269. sem_close            8020e718 T
270. sem_unlink           8020e4e0 T
271. sem_wait             8020e76c T
272. sem_trywait          8020e834 T
273. sem_post             8020e8d8 T
274. sem_getvalue         8020e97c T
275. sem_init             8020e974 T
276. sem_destroy          8020e978 T
277. open_extended        800b11d8 T
278. umask_extended       800b4380 T
279. stat_extended        800b2530 T
280. lstat_extended       800b267c T
281. fstat_extended       801ccdd0 T
282. chmod_extended       800b2a30 T
283. fchmod_extended      800b2b74 T
284. access_extended      800b21a0 T
285. settid               801dcd2c T
286. gettid               801dc2b0 T
287. setsgroups           801dd03c T
288. getsgroups           801dc37c T
289. setwgroups           801dd040 T
290. getwgroups           801dc380 T
291. mkfifo_extended      800b16f4 T
292. mkdir_extended       800b3b30 T
294. shared_region_check_np 8021c3a4 T
296. vm_pressure_monitor  8021cb08 T
297. psynch_rw_longrdlock 802159ac T
298. psynch_rw_yieldwrlock 80215c60 T
299. psynch_rw_downgrade  80215c68 T
300. psynch_rw_upgrade    80215c64 T
301. psynch_mutexwait     80212bd8 T
302. psynch_mutexdrop     80213b9c T
303. psynch_cvbroad       80213bf0 T
304. psynch_cvsignal      802141c0 T
305. psynch_cvwait        80214648 T
306. psynch_rw_rdlock     80214d7c T
307. psynch_rw_wrlock     802159b0 T
308. psynch_rw_unlock     80215c6c T
309. psynch_rw_unlock2    80215f64 T
310. getsid               801dc254 T
311. settid_with_pid      801dcdcc T
312. psynch_cvclrprepost  80214c7c T
313. aio_fsync            801c5ed0 T
314. aio_return           801c60a8 T
315. aio_suspend          801c6330 T
316. aio_cancel           801c5a48 T
317. aio_error            801c5e24 T
318. aio_read             801c6088 T
319. aio_write            801c6544 T
320. lio_listio           801c6564 T
322. iopolicysys          801de420 T
323. process_policy       8021a72c T
324. mlockall             801d88b4 T
325. munlockall           801d88b8 T
327. issetugid            801dc4b0 T
328. __pthread_kill       801dfa44 T
329. __pthread_sigmask    801dfaa4 T
330. __sigwait            801dfb54 T
331. __disable_threadsignal 801df720 T
332. __pthread_markcancel 801df73c T
333. __pthread_canceled   801df784 T
334. __semwait_signal     801df924 T
336. proc_info            80218618 T
338. stat64               800b25d4 T
339. fstat64              801cd028 T
340. lstat64              800b2720 T
341. stat64_extended      800b2624 T
342. lstat64_extended     800b2770 T
343. fstat64_extended     801cd00c T
344. getdirentries64      800b4340 T
345. statfs64             800b06e0 T
346. fstatfs64            800b0828 T
347. getfsstat64          800b0a38 T
348. __pthread_chdir      800b0d28 T
349. __pthread_fchdir     800b0c58 T
350. audit                801c1a74 T
351. auditon              801c1a78 T
353. getauid              801c1a7c T
354. setauid              801c1a80 T
357. getaudit_addr        801c1a84 T
358. setaudit_addr        801c1a88 T
359. auditctl             801c1a8c T
360. bsdthread_create     80216ab8 T
361. bsdthread_terminate  80216d30 T
362. kqueue               801cf594 T
363. kevent               801cf614 T
364. lchown               800b2d94 T
365. stack_snapshot       801c520c T
366. bsdthread_register   80216d94 T
367. workq_open           802179e8 T
368. workq_kernreturn     80217e50 T
369. kevent64             801cf8ac T
370. __old_semwait_signal 801df7f8 T
371. __old_semwait_signal_nocancel 801df82c T
372. thread_selfid        80218354 T
373. ledger               801ed70c T
380. __mac_execve         801d4468 T
381. __mac_syscall        8027d0a8 T
382. __mac_get_file       8027cd50 T
383. __mac_set_file       8027cf98 T
384. __mac_get_link       8027ce74 T
385. __mac_set_link       8027d098 T
386. __mac_get_proc       8027c844 T
387. __mac_set_proc       8027c904 T
388. __mac_get_fd         8027cbfc T
389. __mac_set_fd         8027ce84 T
390. __mac_get_pid        8027c778 T
391. __mac_get_lcid       8027c9b8 T
392. __mac_get_lctx       8027ca7c T
393. __mac_set_lctx       8027cb38 T
394. setlcid              801dd228 T
395. getlcid              801dd310 T
396. read_nocancel        801eb5a4 T
397. write_nocancel       801eb978 T
398. open_nocancel        800b1434 T
399. close_nocancel       801ccad0 T
400. wait4_nocancel       801d56dc T
401. recvmsg_nocancel     8020a91c T
402. sendmsg_nocancel     8020a464 T
403. recvfrom_nocancel    8020a548 T
404. accept_nocancel      80209b1c T
405. msync_nocancel       801d84e8 T
406. fcntl_nocancel       801cb440 T
407. select_nocancel      801ebfe4 T
408. fsync_nocancel       800b32a8 T
409. connect_nocancel     80209e34 T
410. sigsuspend_nocancel  801df6b4 T
411. readv_nocancel       801eb830 T
412. writev_nocancel      801ebbd0 T
413. sendto_nocancel      8020a188 T
414. pread_nocancel       801eb794 T
415. pwrite_nocancel      801ebaf0 T
416. waitid_nocancel      801d5ad0 T
417. poll_nocancel        801ec74c T
420. sem_wait_nocancel    8020e788 T
421. aio_suspend_nocancel 801c6350 T
422. __sigwait_nocancel   801dfb8c T
423. __semwait_signal_nocancel 801df958 T
424. __mac_mount          800af08c T
425. __mac_get_mount      8027d2a0 T
426. __mac_getfsstat      800b08b0 T
427. fsgetpath            800b5ce4 T
428. audit_session_self   801c1a68 T
429. audit_session_join   801c1a6c T
430. fileport_makeport    801ce2f0 T
431. fileport_makefd      801ce494 T
432. audit_session_port   801c1a70 T
433. pid_suspend          8021c180 T
434. pid_resume           8021c1f0 T
435. pid_hibernate        8021c268 T
436. pid_shutdown_sockets 8021c2c0 T
438. shared_region_map_and_slide_np 8021c954 T
439. kas_info             8021cb50 T   ; Provides ASLR information to user space 
                                       ; (intentionally crippled in iOS, works in ML)
440. memorystatus_control 801e62a0 T   ;; Controls JetSam - supersedes old sysctl interface
441. guarded_open_np      801cead0 T  
442. guarded_close_np     801cebdc T

Mach

XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach syscalls (on 32-bit systems like iOS) are encoded as negative numbers, which is clever, since POSIX system calls are all non-negative. For example, consider mach_msg_trap:

_mach_msg_trap:
0001a8b4        e1a0c00d        mov     ip, sp
0001a8b8        e92d0170        push    {r4, r5, r6, r8}
0001a8bc        e89c0070        ldm     ip, {r4, r5, r6}
0001a8c0        e3e0c01e        mvn     ip, #30 @ 0x1e    ; Move NEGATIVE -30 into IP (R12)
0001a8c4        ef000080        svc     0x00000080        ; issue a supervisor call
0001a8c8        e8bd0170        pop     {r4, r5, r6, r8}
0001a8cc        e12fff1e        bx      lr
..
_semaphore_signal_all_trap:
0001a8f8        e3e0c021        mvn     ip, #33 @ 0x21   ; NEGATIVE -33 into IP (R12)
0001a8fc        ef000080        svc     0x00000080
0001a900        e12fff1e        bx      lr


Mach system calls are commonly known as "traps", and are maintained in a Mach Trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" command) checks the system call number - if it is negative, it is flipped (2's complement), and interpreted as Mach trap instead.

mach_trap_table

In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS. All the traps are ARM Thumb. The joker binary can be used to find the Mach trap table, as well. The following shows iOS 6.0.b1's table:

$ ./joker -ls mach kernel.iPod4.iOS6.0b1
This is an ARM binary. Applying iOS kernel signatures
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
Kern invalid should be 0x80027ec1. Ignoring those
..This appears to be XNU 2107.1.78
 10 _kernelrpc_mach_vm_allocate_trap         80014460 T
 12 _kernelrpc_mach_vm_deallocate_trap       800144cc T
 14 _kernelrpc_mach_vm_protect_trap          80014510 T
 16 _kernelrpc_mach_port_allocate_trap       80014564 T
 17 _kernelrpc_mach_port_destroy_trap        800145b4 T
 18 _kernelrpc_mach_port_deallocate_trap     800145f0 T
 19 _kernelrpc_mach_port_mod_refs_trap       8001462c T
 20 _kernelrpc_mach_port_move_member_trap    8001466c T
 21 _kernelrpc_mach_port_insert_right_trap   800146b0 T
 22 _kernelrpc_mach_port_insert_member_trap  80014710 T
 23 _kernelrpc_mach_port_extract_member_trap 80014754 T
 26 mach_reply_port                          8001b5b4 T
 27 thread_self_trap                         8001b598 T
 28 task_self_trap                           8001b578 T
 29 host_self_trap                           80019910 T
 31 mach_msg_trap                            80014ec0 T
 32 mach_msg_overwrite_trap                  80014d20 T
 33 semaphore_signal_trap                    80027188 T
 34 semaphore_signal_all_trap                8002720c T
 35 semaphore_signal_thread_trap             80027114 T
 36 semaphore_wait_trap                      800274b0 T
 37 semaphore_wait_signal_trap               80027658 T
 38 semaphore_timedwait_trap                 80027598 T
 39 semaphore_timedwait_signal_trap          8002773c T
 44 task_name_for_pid                        8021a838 T
 45 task_for_pid                             8021a688 T
 46 pid_for_task                             8021a63c T
 48 macx_swapon                              8021b414 T
 49 macx_swapoff                             8021b668 T
 51 macx_triggers                            8021b3f4 T
 52 macx_backing_store_suspend               8021b370 T
 53 macx_backing_store_recovery              8021b318 T
 58 pfz_exit                                 80027818 T
 59 swtch_pri                                800278e4 T
 60 swtch                                    8002781c T
 61 thread_switch                            80027ad4 T
 62 clock_sleep_trap                         80017520 T
 89 mach_timebase_info_trap                  80016658 T
 90 mach_wait_until_trap                     80016d20 T
 91 mk_timer_create_trap                     8001f2f4 T
 92 mk_timer_destroy_trap                    8001f500 T
 93 mk_timer_arm_trap                        8001f544 T
 94 mk_timer_cancel_trap                     8001f5c8 T
100 iokit_user_client_trap                   8026c11c T

References