1,189
edits
Changes
m
Robot: Cosmetic changes
Line 6:
Line 6:
−
== Syscalls (via undefined instructions) ==
== Syscalls (via undefined instructions) ==
−Internally, IOS uses a syscall table that is stored toward the end of the binary. The exact address varies with version of IOS, but there are two methods to locate it:
+Internally, IOS uses a syscall table that is stored toward the end of the binary. The exact address varies with version of IOS, but there are two methods to locate it:
ELF header:
ELF header:
−The second-to-last program header is the syscall table. For example:
+The second-to-last program header is the syscall table. For example:
$ arm-eabi-readelf -l ~/wii/system_updates/boot2.elf | tail -2
$ arm-eabi-readelf -l ~/wii/system_updates/boot2.elf | tail -2
LOAD 0x0230d5 0xffff7f60 0xffff7f60 0x00a88 0x00a88 RW 0x10
LOAD 0x0230d5 0xffff7f60 0xffff7f60 0x00a88 0x00a88 RW 0x10
Line 85:
Line 85:
kernel:FFFF1960 ; End of function starlet_syscall_handler
kernel:FFFF1960 ; End of function starlet_syscall_handler
Syscalls are invoked by way of the invalid instruction handler; syscalls take the form 0xE6000010 | (syscall_num << 5). (E.g. E6000010 is syscall 0, E60006D0 is syscall 0x36, etc.)
+Syscalls are invoked by way of the invalid instruction handler; syscalls take the form 0xE6000010 | (syscall_num << 5). (E.g. E6000010 is syscall 0, E60006D0 is syscall 0x36, etc.)
−tmbinc has written an IDAPython script which can take a database that has "syscall_base" defined, and transform the references to it into more meaningful things -- it is available here: [[IOS/Syscall_IDAPython]]
+tmbinc has written an IDAPython script which can take a database that has "syscall_base" defined, and transform the references to it into more meaningful things -- it is available here: [[IOS/Syscall IDAPython]]
(please feel free to contribute your own findings!)
(please feel free to contribute your own findings!)
Line 179:
Line 179:
| 29 || s32 device_ioctlv_async(s32 fd, u32 request, u32 bytes_in, u32 bytes_out, [[IOS/struct iovec|struct iovec]] *vector, void *callback)
| 29 || s32 device_ioctlv_async(s32 fd, u32 request, u32 bytes_in, u32 bytes_out, [[IOS/struct iovec|struct iovec]] *vector, void *callback)
|-
|-
−| 2a || int IOS_ResourceReply([[IOS/ressource_request| struct ios_ressource_request]] *request, int retval) || return from a cmd on a [[IOS| ressource]]
+| 2a || int IOS_ResourceReply( [[IOS/ressource request|struct ios_ressource_request]] *request, int retval) || return from a cmd on a [[IOS|ressource]]
|-
|-
| 2b || SetUID
| 2b || SetUID