IOS/Syscalls
< IOS
Jump to navigation
Jump to search
| This is an old revision of this page, as edited by Neimod (talk | contribs) at 20:19, 25 July 2008. It may differ significantly from the current revision. |
Internally, IOS uses a syscall table that is stored toward the end of the binary. The exact address varies with version of IOS; as a concrete example, boot2's syscall_base is at 0xFFFF7F60.
Syscalls are invoked by way of the invalid instruction handler; syscalls take the form 0xE6000010 | (syscall_num << 5). (E.g. E6000010 is syscall 0, E60006D0 is syscall 0x36, etc.)
tmbinc has written an IDAPython script which can take a database that has "syscall_base" defined, and transform the references to it into more meaningful things -- it is available here: IOS/Syscall_IDAPython
(please feel free to contribute your own findings!)
| ID # | Internal name | Description |
|---|---|---|
| 0 | thread_create | |
| 1 | thread_join | |
| 2 | thread_cancel | |
| 3 | get_tid | |
| 4 | get_pid | |
| 5 | thread_continue | |
| 6 | thread_stop | |
| 7 | thread_yield | |
| 8 | thread_get_priority | |
| 9 | thread_set_priority | |
| a | message_queue_create | |
| b | message_queue_destroy | |
| c | message_queue_send | |
| d | message_queue_send_now | |
| e | message_queue_receive | |
| f | RegisterEventHandler | |
| 10 | UnregisterEventHandler | |
| 11 | timer_create | |
| 12 | timer_restart | |
| 13 | timer_stop | |
| 14 | timer_destroy | |
| 15 | timer_now | |
| 16 | heap_create | |
| 17 | heap_destroy | |
| 18 | heap_alloc | |
| 19 | heap_alloc_aligned | |
| 1a | heap_free | |
| 1b | device_register | |
| 1c | device_open | |
| 1d | device_close | |
| 1e | device_read | |
| 1f | device_write | |
| 20 | device_seek | |
| 21 | device_ioctl | |
| 22 | device_ioctlv | |
| 23 | device_open_async | |
| 24 | device_close_async | |
| 25 | device_read_async | |
| 26 | device_write_async | |
| 27 | device_seek_async | |
| 28 | device_ioctl_async | |
| 29 | device_ioctlv_async | |
| 2a | syscall_2a | |
| 2b | SetUID | |
| 2c | get_hmac_queue_for_pid | |
| 2d | SetGID | |
| 2e | lookup_GID_maybe | |
| 2f | cc_ahbMemFlush | |
| 30 | syscall_ahbMemFlush_wrapper | |
| 31 | software_IRQ_31 | |
| 32 | software_irq_18 | |
| 33 | software_IRQ_7_or_8 | |
| 34 | software_IRQ | |
| 35 | _return_0 | |
| 36 | syscall_36 | |
| 37 | syscall_37 | |
| 38 | iobuf_log_header_info | |
| 39 | iobuf_log_buffer_info | |
| 3a | syscall_3a | |
| 3b | syscall_3b | |
| 3c | syscall_3c | |
| 3d | syscall_3d | |
| 3e | syscall_3e | |
| 3f | sync_before_read | |
| 40 | sync_after_write | |
| 41 | ppc_boot | |
| 42 | ios_boot | |
| 43 | syscall_43 | |
| 44 | syscall_assert_di_reset | clears bit 10 of 0xD800194 |
| 45 | syscall_deassert_di_reset | enables bit 10 of 0xD800194 |
| 46 | syscall_check_di_reset | returns 1 on reset asserted, 0 on deasserted |
| 47 | zero_r0_r1 | |
| 48 | set_r0_1_r1_0 | |
| 49 | get_boot_vector | |
| 4a | syscall_4a | |
| 4b | kernel_debug_print | |
| 4c | kernel_set_version | |
| 4d | kernel_get_version | |
| 4e | poke_E0_1 | |
| 4f | virt_to_phys | |
| 50 | syscall_50 | |
| 51 | syscall_51 | |
| 52 | syscall_52 | |
| 53 | syscall_53 | |
| 54 | syscall_54 | |
| 55 | get_bc_flag | |
| 56 | poke_gpios | |
| 57 | syscall_57 | |
| 58 | call_poke_debug_port | |
| 59 | create_key | |
| 5a | destroy_key | |
| 5b | es_syscall_5b | |
| 5c | es_syscall_5c | |
| 5d | set_public_key | |
| 5e | es_syscall_5e | |
| 5f | es_syscall_5f | |
| 60 | es_syscall_60 | |
| 61 | get_keyid | |
| 62 | es_syscall_62 | |
| 63 | es_syscall_63 | |
| 64 | sha_async | |
| 65 | sha | |
| 66 | aes_async | |
| 67 | aes | |
| 68 | es_syscall_68 | |
| 69 | es_syscall_69 | |
| 6a | es_syscall_6a | |
| 6b | hmac | |
| 6c | hmac_async | |
| 6d | es_syscall_6d | |
| 6e | get_ng_cert | |
| 6f | key_set_permission_mask | |
| 70 | es_syscall_70 | |
| 71 | es_syscall_71 | |
| 72 | es_syscall_72 | |
| 73 | es_syscall_73 | |
| 74 | es_syscall_74 |