Kernel Syscalls

Note on these
Args go in their normal registers (arg1 in R0, and so on). The syscall # goes in IP (that's the intra-procedural call register, not the instruction pointer!), a.k.a. R12.

As on all ARM systems (Android included), kernel entry is accomplished by the SVC instruction (SWI in some debuggers and ARM dialects). On the kernel end, a low-level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and upon an SWI/SVC control is transferred to that address. This handler checks the syscall number to distinguish between POSIX calls (non-negative) and Mach traps (negative).

Usage
MOV IP, #x    // number from following list into Intraprocedural, a.k.a. r12
SVC 0x80      // Formerly, SWI (software interrupt)

For example:

(gdb) disass chown
0x30d2ad54 :	mov	r12, #16	; 0x10, being # of chown
0x30d2ad58 :	svc	0x00000080

Most of these are the same as you would find in the XNU open source kernel, ARM idiosyncrasies aside (and #372, ledger).

sysent
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its calls. While i0nic proposes a heuristic of finding the sysent based on the (still) exported kdebug symbol, this is unreliable, as the latter might change in the future (either be moved or no longer exported). A better way is to home in on the pattern of the struct sysent entries themselves, i.e. as defined in bsd/sys/sysent.h:

struct sysent {        /* system call table */
    int16_t        sy_narg;        /* number of args */
    int8_t         sy_resv;        /* reserved  */
    int8_t         sy_flags;       /* flags */
    sy_call_t      *sy_call;       /* implementing function */
    sy_munge_t     *sy_arg_munge32; /* system call arguments munger for 32-bit process */
    sy_munge_t     *sy_arg_munge64; /* system call arguments munger for 64-bit process */
    int32_t        sy_return_type; /* system call return types */
    uint16_t       sy_arg_bytes;   /* Total size of arguments in bytes for
                                    * 32-bit system calls */
};

Because the arguments of system calls are set in stone, it is straightforward to write code that matches the signature of the first few syscalls (syscall, exit, fork, ...), and from there calculates the remaining sysent entries. A program that does so reliably on iOS has, in fact, been written, and produces the following output for iOS 5.1:
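The signature scan described above, as an added example (this is illustrative code, not the fsysent tool's own source). It models the 32-bit ARM layout of struct sysent quoted above (4-byte pointers, 24 bytes per entry), slides over a byte image looking for consecutive entries whose sy_narg values match the fixed argument counts of syscalls 0 through 7 (syscall, exit, fork, read, write, open, close, wait4), and then flags unused slots by noticing that they share the handler of entry 0 (nosys), which is why 801b3aa4 repeats throughout the listing. The image it scans is constructed here: a run of filler followed by ten entries whose sy_call values are copied from the iOS 5.1 listing on this page; the offset, filler and all other bytes are made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit ARM image of struct sysent (bsd/sys/sysent.h): 4-byte pointers, tail padding,
 * 24 bytes per entry. Illustrative code, not the fsysent tool. */
#define SYSENT_SIZE 24u

typedef struct {
    int16_t  sy_narg;
    int8_t   sy_resv;
    int8_t   sy_flags;
    uint32_t sy_call;            /* kernel VA of the implementing function */
    uint32_t sy_arg_munge32;
    uint32_t sy_arg_munge64;
    int32_t  sy_return_type;
    uint16_t sy_arg_bytes;
} sysent32;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the little-endian entry starting at buf + off. */
sysent32 read_sysent(const uint8_t *buf, size_t off)
{
    sysent32 e;
    e.sy_narg        = (int16_t)rd16(buf + off);
    e.sy_resv        = (int8_t)buf[off + 2];
    e.sy_flags       = (int8_t)buf[off + 3];
    e.sy_call        = rd32(buf + off + 4);
    e.sy_arg_munge32 = rd32(buf + off + 8);
    e.sy_arg_munge64 = rd32(buf + off + 12);
    e.sy_return_type = (int32_t)rd32(buf + off + 16);
    e.sy_arg_bytes   = rd16(buf + off + 20);
    return e;
}

/* Argument counts of the first entries of syscalls.master, which do not change:
 * syscall(0) exit(1) fork(0) read(3) write(3) open(3) close(1) wait4(4). */
static const int16_t kFirstNargs[] = { 0, 1, 0, 3, 3, 3, 1, 4 };
#define N_SIG (sizeof kFirstNargs / sizeof kFirstNargs[0])

/* Slide a 4-byte-aligned window over the image until N_SIG consecutive entries match
 * the signature (and carry a non-null handler). Returns the offset of sysent[0] or SIZE_MAX. */
size_t find_sysent(const uint8_t *buf, size_t len)
{
    for (size_t off = 0; off + N_SIG * SYSENT_SIZE <= len; off += 4) {
        size_t i;
        for (i = 0; i < N_SIG; i++) {
            sysent32 e = read_sysent(buf, off + i * SYSENT_SIZE);
            if (e.sy_narg != kFirstNargs[i] || e.sy_call == 0) break;
        }
        if (i == N_SIG) return off;
    }
    return SIZE_MAX;
}

/* "old"/unused slots point at the same handler as entry 0 (nosys); compare against it. */
int is_nosys_stub(const uint8_t *buf, size_t sysent_off, unsigned idx)
{
    uint32_t nosys = read_sysent(buf, sysent_off).sy_call;
    return read_sysent(buf, sysent_off + idx * SYSENT_SIZE).sy_call == nosys;
}

/* ---- constructed image (not a real kernel): 64 bytes of filler, then 10 entries. ---- */
#define IMG_FILLER  64u
#define IMG_ENTRIES 10u
#define IMG_LEN     (IMG_FILLER + IMG_ENTRIES * SYSENT_SIZE)
static uint8_t g_img[IMG_LEN];

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

const uint8_t *build_demo_image(void)
{
    /* sy_call values copied from the iOS 5.1 listing: syscall exit fork read write open close wait4 old-creat link */
    static const int16_t  nargs[IMG_ENTRIES] = { 0, 1, 0, 3, 3, 3, 1, 4, 0, 2 };
    static const uint32_t calls[IMG_ENTRIES] = { 0x801b3aa4, 0x8019e924, 0x801a15cc, 0x801b3ac0, 0x801b3ea0,
                                                 0x800a1e64, 0x80197570, 0x8019f464, 0x801b3aa4, 0x800a23a4 };
    memset(g_img, 0xAA, IMG_FILLER);                 /* filler whose narg (0xAAAA) never matches 0 */
    for (unsigned i = 0; i < IMG_ENTRIES; i++) {
        uint8_t *p = g_img + IMG_FILLER + i * SYSENT_SIZE;
        memset(p, 0, SYSENT_SIZE);
        p[0] = (uint8_t)nargs[i];                    /* sy_narg, little-endian, high byte stays 0 */
        wr32(p + 4, calls[i]);                       /* sy_call */
        p[20] = (uint8_t)(nargs[i] * 4);             /* sy_arg_bytes for 32-bit callers */
    }
    return g_img;
}

size_t demo_sysent_offset(void) { return find_sysent(build_demo_image(), IMG_LEN); }
int    demo_is_stub(unsigned idx) { return is_nosys_stub(build_demo_image(), IMG_FILLER, idx); }

int main(void)
{
    const uint8_t *img = build_demo_image();
    size_t off = find_sysent(img, IMG_LEN);
    if (off == SIZE_MAX) { puts("sysent not found"); return 1; }
    printf("sysent at offset %zu (0x%zx)\n", off, off);
    for (unsigned i = 0; i < IMG_ENTRIES; i++) {
        sysent32 e = read_sysent(img, off + i * SYSENT_SIZE);
        printf("%3u  narg=%d  sy_call=%08x%s\n", i, e.sy_narg, e.sy_call,
               (i && is_nosys_stub(img, off, i)) ? "  (nosys stub)" : "");
    }
    return 0;
}
```

On a real image the narg signature alone can produce false positives, so a practitioner would also require the matched sy_call values to fall inside the kernel's text range (the listing shows handlers around 0x8009xxxx to 0x8024xxxx on this build) and, for patch-detection purposes, compare each sy_call against the addresses recorded for a known-good kernel of the same XNU version.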

List of system calls from iOS 5.1
Note: Even though a syscall is present in the table, it does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion), and 434+ (CONFIG_EMBEDDED).

$ ./fsysent ~/Documents/projects/iOS.5.1.iPod4.kernel
This is an ARM binary. Applying iOS kernel signatures
Sysent offset in file (for patching purposes): 2931636 (0x2cbbb4)
This appears to be XNU 1878.11.8
syscall              801b3aa4 T
exit                 8019e924 T
fork                 801a15cc T
read                 801b3ac0 T
write                801b3ea0 T
open                 800a1e64 T
close                80197570 T
wait4                8019f464 T
8  old creat         801b3aa4 T
link                 800a23a4 T
unlink               800a2aa8 T
11  old execv        801b3aa4 T
chdir                800a175c T
fchdir               800a15f4 T
mknod                800a1f64 T
chmod                800a3598 T
chown                800a3714 T
17  old break        801b3aa4 T
getfsstat            800a1390 T
19  old lseek        801b3aa4 T
getpid               801a5838 T
21  old mount        801b3aa4 T
22  old umount       801b3aa4 T
setuid               801a5aec T
getuid               801a58bc T
geteuid              801a58cc T
ptrace               801b0a9c T
recvmsg              801cfde4 T
sendmsg              801cf958 T
recvfrom             801cfa40 T
accept               801cf32c T
getpeername          801d00a8 T
getsockname          801cfff8 T
access               800a2f14 T
chflags              800a336c T
fchflags             800a343c T
sync                 800a0e5c T
kill                 801a91b0 T
38  old stat         801b3aa4 T
getppid              801a5840 T
40  old lstat        801b3aa4 T
dup                  80195890 T
pipe                 801b6a00 T
getegid              801a5944 T
profil               801b3400 T
45  old ktrace       801b3aa4 T
sigaction            801a8348 T
getgid               801a5934 T
sigprocmask          801a8868 T
getlogin             801a66cc T
setlogin             801a6728 T
acct                 801908f0 T
sigpending           801a8a0c T
sigaltstack          801a90f4 T
ioctl                801b426c T
reboot               801b0a2c T
revoke               800a4d8c T
symlink              800a2620 T
readlink             800a328c T
execve               8019e49c T
umask                800a4d64 T
chroot               800a1824 T
62  old fstat        801b3aa4 T
63  used internally, reserved 801b3aa4 T
64  old getpagesize  801b3aa4 T
msync                801a20c0 T
vfork                801a0cfc T
67  old vread        801b3aa4 T
68  old vwrite       801b3aa4 T
69  old sbrk         801b3aa4 T
70  old sstk         801b3aa4 T
71  old mmap         801b3aa4 T
72  old vadvise      801b3aa4 T
munmap               801a216c T
mprotect             801a21a4 T
madvise              801a2264 T
76  old vhangup      801b3aa4 T
77  old vlimit       801b3aa4 T
mincore              801a22d0 T
getgroups            801a5954 T
setgroups            801a6610 T
getpgrp              801a5848 T
setpgid              801a59f4 T
setitimer            801b0518 T
84  old wait         801b3aa4 T
swapon               801e0548 T
getitimer            801b03c8 T
87  old gethostname  801b3aa4 T
88  old sethostname  801b3aa4 T
getdtablesize        80195480 T
dup2                 80195bc4 T
91  old getdopt      801b3aa4 T
fcntl                80195fc4 T
select               801b44fc T
94  old setdopt      801b3aa4 T
fsync                800a3c60 T
setpriority          801a6a24 T
socket               801cedc8 T
connect              801cf34c T
99  old accept       801b3aa4 T
getpriority          801a6918 T
101  old send        801b3aa4 T
102  old recv        801b3aa4 T
103  old sigreturn   801b3aa4 T
bind                 801cee98 T
setsockopt           801cff10 T
listen               801cf00c T
107  old vtimes      801b3aa4 T
108  old sigvec      801b3aa4 T
109  old sigblock    801b3aa4 T
110  old sigsetmask  801b3aa4 T
sigsuspend           801a8a34 T
112  old sigstack    801b3aa4 T
113  old recvmsg     801b3aa4 T
114  old sendmsg     801b3aa4 T
115  old vtrace      801b3aa4 T
gettimeofday         801b01d8 T
getrusage            801a7798 T
getsockopt           801cff74 T
119  old resuba      801b3aa4 T
readv                801b3d4c T
writev               801b40f4 T
settimeofday         801b0238 T
fchown               800a3830 T
fchmod               800a36dc T
125  old recvfrom    801b3aa4 T
setreuid             801a5e40 T
setregid             801a61d8 T
rename               800a3e34 T
129  old truncate    801b3aa4 T
130  old ftruncate   801b3aa4 T
flock                801989e4 T
mkfifo               800a2254 T
sendto               801cf67c T
shutdown             801cfee0 T
socketpair           801cf534 T
mkdir                800a46b4 T
rmdir                800a46fc T
utimes               800a38f0 T
futimes              800a3a70 T
adjtime              801b0338 T
141  old getpeername 801b3aa4 T
gethostuuid          801b5c44 T
143  old sethostid   801b3aa4 T
144  old getrlimit   801b3aa4 T
145  old setrlimit   801b3aa4 T
146  old killpg      801b3aa4 T
setsid               801a59b0 T
148  old setquota    801b3aa4 T
149  old qquota      801b3aa4 T
150  old getsockname 801b3aa4 T
getpgid              801a5850 T
setprivexec          801a5820 T
pread                801b3ca4 T
pwrite               801b4008 T
nfssvc               801b3aa4 T
156  old getdirentries 801b3aa4 T
statfs               800a0eec T
fstatfs              800a117c T
unmount              800a09f0 T
160  old async_daemon 801b3aa4 T
getfh                801b3aa4 T
162  old getdomainname 801b3aa4 T
163  old setdomainname 801b3aa4 T
164                  801b3aa4 T
quotactl             800a0ee8 T
166  old exportfs    801b3aa4 T
mount                8009fd10 T
168  old ustat       801b3aa4 T
csops                801a47bc T
170  old table       801b3aa4 T
171  old wait3       801b3aa4 T
172  old rpause      801b3aa4 T
waitid               8019f860 T
174  old getdents    801b3aa4 T
175  old gc_control  801b3aa4 T
add_profil           801b3404 T
177                  801b3aa4 T
178                  801b3aa4 T
179                  801b3aa4 T
kdebug_trace         8018e964 T
setgid               801a5fe0 T
setegid              801a60ec T
seteuid              801a5d48 T
sigreturn            801e2cb0 T
chud                 801e1acc T
186                  801b3aa4 T
fdatasync            800a3cd8 T
stat                 800a2fec T
fstat                801977f8 T
lstat                800a3134 T
pathconf             800a3228 T
fpathconf            80197858 T
193                  801b3aa4 T
getrlimit            801a75d4 T
setrlimit            801a6eb8 T
getdirentries        800a4928 T
mmap                 801a1b84 T
198  __syscall       801b3aa4 T
lseek                800a2b20 T
truncate             800a3ac4 T
ftruncate            800a3b90 T
__sysctl             801ab798 T
mlock                801a2418 T
munlock              801a246c T
undelete             800a27c8 T
ATsocket             801b3aa4 T
ATgetmsg             801b3aa4 T
ATputmsg             801b3aa4 T
ATPsndreq            801b3aa4 T
ATPsndrsp            801b3aa4 T
ATPgetreq            801b3aa4 T
ATPgetrsp            801b3aa4 T
213  Reserved for AppleTalk 801b3aa4 T
214                  801b3aa4 T
215                  801b3aa4 T
mkcomplex            800a1d9c T
statv                801b3aa4 T
lstatv               801b3aa4 T
fstatv               801b3aa4 T
getattrlist          8008d1c4 T
setattrlist          8008d23c T
getdirentriesattr    800a4e80 T
exchangedata         800a5018 T
224  old checkuseraccess / fsgetpath ( which moved to 427 ) 801b3aa4 T
searchfs             800a5258 T
delete               800a2ae4 T
copyfile             800a3cf4 T
fgetattrlist         8008a6c8 T
fsetattrlist         8008d904 T
poll                 801b4d04 T
watchevent           801b5604 T
waitevent            801b579c T
modwatch             801b5914 T
getxattr             800a6048 T
fgetxattr            800a6160 T
setxattr             800a6240 T
fsetxattr            800a6328 T
removexattr          800a6408 T
fremovexattr         800a64b0 T
listxattr            800a654c T
flistxattr           800a6610 T
fsctl                800a5964 T
initgroups           801a64d0 T
posix_spawn          8019d658 T
ffsctl               800a5f78 T
246                  801b3aa4 T
nfsclnt              801b3aa4 T
fhopen               801b3aa4 T
249                  801b3aa4 T
minherit             801a222c T
semsys               801b3aa4 T
msgsys               801b3aa4 T
shmsys               801b3aa4 T
semctl               801b3aa4 T
semget               801b3aa4 T
semop                801b3aa4 T
257                  801b3aa4 T
msgctl               801b3aa4 T
msgget               801b3aa4 T
msgsnd               801b3aa4 T
msgrcv               801b3aa4 T
shmat                801b3aa4 T
shmctl               801b3aa4 T
shmdt                801b3aa4 T
shmget               801b3aa4 T
shm_open             801d3b34 T
shm_unlink           801d45d0 T
sem_open             801d3110 T
sem_close            801d379c T
sem_unlink           801d35cc T
sem_wait             801d37f8 T
sem_trywait          801d38bc T
sem_post             801d395c T
sem_getvalue         801d39fc T
sem_init             801d39f4 T
sem_destroy          801d39f8 T
open_extended        800a1cb8 T
umask_extended       800a4d14 T
stat_extended        800a2f98 T
lstat_extended       800a30e0 T
fstat_extended       801975e4 T
chmod_extended       800a347c T
fchmod_extended      800a35d4 T
access_extended      800a2c54 T
settid               801a6358 T
gettid               801a58dc T
setsgroups           801a6620 T
getsgroups           801a59a8 T
setwgroups           801a6624 T
getwgroups           801a59ac T
mkfifo_extended      800a21a8 T
mkdir_extended       800a44ac T
identitysvc          801b3aa4 T
shared_region_check_np 801e0a68 T
shared_region_map_np 801b3aa4 T
vm_pressure_monitor  801e1150 T
psynch_rw_longrdlock 801da274 T
psynch_rw_yieldwrlock 801da79c T
psynch_rw_downgrade  801daa38 T
psynch_rw_upgrade    801daa34 T
psynch_mutexwait     801d77d0 T
psynch_mutexdrop     801d85f8 T
psynch_cvbroad       801d864c T
psynch_cvsignal      801d8bb4 T
psynch_cvwait        801d9020 T
psynch_rw_rdlock     801d96ec T
psynch_rw_wrlock     801da508 T
psynch_rw_unlock     801daa3c T
psynch_rw_unlock2    801dad10 T
getsid               801a5880 T
settid_with_pid      801a63f8 T
312  old __pthread_cond_timedwait 801d95e8 T
aio_fsync            80191278 T
aio_return           8019143c T
aio_suspend          801916a0 T
aio_cancel           80190e24 T
aio_error            801911d4 T
aio_read             8019141c T
aio_write            801918a4 T
lio_listio           801918c4 T
321  old __pthread_cond_wait 801b3aa4 T
iopolicysys          801a795c T
323                  801df090 T
mlockall             801a24ac T
munlockall           801a24b0 T
326                  801b3aa4 T
issetugid            801a5adc T
__pthread_kill       801a8e34 T
__pthread_sigmask    801a8e94 T
__sigwait            801a8f38 T
__disable_threadsignal 801a8b48 T
__pthread_markcancel 801a8b64 T
__pthread_canceled   801a8bac T
__semwait_signal     801a8d30 T
335  old utrace      801b3aa4 T
proc_info            801dd524 T
sendfile             801b3aa4 T
stat64               800a3038 T
fstat64              80197838 T
lstat64              800a3180 T
stat64_extended      800a3088 T
lstat64_extended     800a31d0 T
fstat64_extended     80197818 T
getdirentries64      800a4cd0 T
statfs64             800a11e4 T
fstatfs64            800a132c T
getfsstat64          800a1540 T
__pthread_chdir      800a181c T
__pthread_fchdir     800a1754 T
audit                8018d990 T
auditon              8018d994 T
352                  801b3aa4 T
getauid              8018d998 T
setauid              8018d99c T
getaudit             8018d9a0 T
setaudit             8018d9a4 T
getaudit_addr        8018d9a8 T
setaudit_addr        8018d9ac T
auditctl             8018d9b0 T
bsdthread_create     801db740 T
bsdthread_terminate  801db9b4 T
kqueue               801998c4 T
kevent               80199948 T
lchown               800a3818 T
stack_snapshot       8019066c T
bsdthread_register   801dba18 T
workq_open           801dc70c T
workq_kernreturn     801dccac T
kevent64             80199bd4 T
__old_semwait_signal 801a8c1c T
__old_semwait_signal_nocancel 801a8c54 T
thread_selfid        801dd27c T
ledger               801b5c98 T
374                  801b3aa4 T
375                  801b3aa4 T
376                  801b3aa4 T
377                  801b3aa4 T
378                  801b3aa4 T
379                  801b3aa4 T
__mac_execve         8019e4bc T
__mac_syscall        80244734 T
__mac_get_file       802443d4 T
__mac_set_file       80244628 T
__mac_get_link       80244504 T
__mac_set_link       80244724 T
__mac_get_proc       80243eb0 T
__mac_set_proc       80243f74 T
__mac_get_fd         80244280 T
__mac_set_fd         80244514 T
__mac_get_pid        80243ddc T
__mac_get_lcid       80244030 T
__mac_get_lctx       802440fc T
__mac_set_lctx       802441c0 T
setlcid              801a67cc T
getlcid              801a68ac T
read_nocancel        801b3ae0 T
write_nocancel       801b3ec0 T
open_nocancel        800a1ee8 T
close_nocancel       8019758c T
wait4_nocancel       8019f484 T
recvmsg_nocancel     801cfe04 T
sendmsg_nocancel     801cf978 T
recvfrom_nocancel    801cfa60 T
accept_nocancel      801cf04c T
msync_nocancel       801a20d8 T
fcntl_nocancel       80195fe4 T
select_nocancel      801b4518 T
fsync_nocancel       800a3cd0 T
connect_nocancel     801cf364 T
sigsuspend_nocancel  801a8ae4 T
readv_nocancel       801b3d6c T
writev_nocancel      801b4114 T
sendto_nocancel      801cf69c T
pread_nocancel       801b3cc4 T
pwrite_nocancel      801b4028 T
waitid_nocancel      8019f87c T
poll_nocancel        801b4d24 T
msgsnd_nocancel      801b3aa4 T
msgrcv_nocancel      801b3aa4 T
sem_wait_nocancel    801d3814 T
aio_suspend_nocancel 801916c0 T
__sigwait_nocancel   801a8f70 T
__semwait_signal_nocancel 801a8d68 T
__mac_mount          8009fd34 T
__mac_get_mount      80244900 T
__mac_getfsstat      800a13b4 T
fsgetpath            800a66d4 T
audit_session_self   8018d984 T
audit_session_join   8018d988 T
fileport_makeport    80198ad4 T
fileport_makefd      80198c58 T
audit_session_port   8018d98c T
pid_suspend          801e084c T
pid_resume           801e08bc T
pid_hibernate        801e0928 T
pid_shutdown_sockets 801e0984 T
437  old shared_region_slide_np 801b3aa4 T
shared_region_map_and_slide_np 801e1008 T
 * The following are unused in iOS - symbols are stubs returning 0x4E (ENOSYS)

Mach
XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach syscalls (on 32-bit systems like iOS) are encoded as negative numbers, which is clever, since POSIX system calls are all non-negative. For example, consider mach_msg_trap:

_mach_msg_trap:
0001a8b4       e1a0c00d        mov     ip, sp
0001a8b8       e92d0170        push    {r4, r5, r6, r8}
0001a8bc       e89c0070        ldm     ip, {r4, r5, r6}
0001a8c0       e3e0c01e        mvn     ip, #30 @ 0x1e    ; Move NEGATIVE -30 into IP (R12)
0001a8c4       ef000080        svc     0x00000080        ; issue a supervisor call
0001a8c8       e8bd0170        pop     {r4, r5, r6, r8}
0001a8cc       e12fff1e        bx      lr
..
_semaphore_signal_all_trap:
0001a8f8       e3e0c021        mvn     ip, #33 @ 0x21   ; NEGATIVE -33 into IP (R12)
0001a8fc       ef000080        svc     0x00000080
0001a900       e12fff1e        bx      lr

Mach system calls are commonly known as "traps", and are maintained in a Mach trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" instruction) checks the system call number: if it is negative, it is flipped (two's complement negated) and interpreted as a Mach trap instead.
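The dispatch rule just described, as an added example (illustrative code, not fleh_swi's actual implementation). It models what `mov ip, #imm` and `mvn ip, #imm` leave in R12 and applies the kernel-side test: a negative value is two's-complement negated and used as a Mach trap index, a non-negative one indexes sysent. Note that mvn is "move not", so `mvn ip, #30` loads the bitwise complement of 30, which is -31, and `mvn ip, #33` loads -34; after negation those are exactly indices 31 (mach_msg_trap) and 34 (semaphore_signal_all_trap) in the trap table listed below. The small name table is filled from the listings on this page and covers only a handful of entries.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative model of the syscall-number dispatch; not fleh_swi's code. */
typedef enum { CALL_POSIX = 0, CALL_MACH = 1 } call_kind;

typedef struct {
    call_kind kind;
    uint32_t  number;   /* index into sysent (POSIX) or mach_trap_table (Mach) */
} decoded_call;

/* What `mov ip, #imm` leaves in R12. */
uint32_t r12_after_mov(uint32_t imm) { return imm; }

/* What `mvn ip, #imm` leaves in R12: the bitwise complement of imm, i.e. -(imm + 1)
 * as a two's-complement integer. `mvn ip, #30` therefore yields -31. */
uint32_t r12_after_mvn(uint32_t imm) { return ~imm; }

/* Kernel-side classification: negative means Mach trap, index is the negated value. */
decoded_call decode_r12(uint32_t r12)
{
    decoded_call d;
    if ((int32_t)r12 < 0) {
        d.kind   = CALL_MACH;
        d.number = 0u - r12;   /* two's-complement negate without signed overflow */
    } else {
        d.kind   = CALL_POSIX;
        d.number = r12;
    }
    return d;
}

/* A few entries copied from the fsysent listings on this page (demo table only). */
static const struct { call_kind kind; uint32_t number; const char *name; } kNames[] = {
    { CALL_POSIX, 16, "chown" },
    { CALL_POSIX, 20, "getpid" },
    { CALL_MACH,  31, "mach_msg_trap" },
    { CALL_MACH,  34, "semaphore_signal_all_trap" },
    { CALL_MACH,  45, "task_for_pid" },
};

const char *call_name(decoded_call d)
{
    for (size_t i = 0; i < sizeof kNames / sizeof kNames[0]; i++)
        if (kNames[i].kind == d.kind && kNames[i].number == d.number)
            return kNames[i].name;
    return "(not in demo table)";
}

int main(void)
{
    /* The three instruction sequences shown on this page: chown, mach_msg_trap, semaphore_signal_all_trap. */
    uint32_t samples[] = { r12_after_mov(16), r12_after_mvn(30), r12_after_mvn(33) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        decoded_call d = decode_r12(samples[i]);
        printf("R12=0x%08x -> %s #%u (%s)\n", samples[i],
               d.kind == CALL_MACH ? "Mach trap" : "POSIX syscall", d.number, call_name(d));
    }
    return 0;
}
```

The same split is what a tracer or audit hook has to apply when it sees a raw SVC 0x80 on this platform: the sign of R12 selects the table, and only the magnitude indexes into it.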

mach_trap_table
In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS. All the traps are ARM Thumb. The fsysent binary can be used to find the Mach trap table, as well.

$ ./fsysent -m ~/Documents/projects/iOS.5.1.iPod4.kernel
This is an ARM binary. Applying iOS kernel signatures
mach_trap_table offset in file (for patching purposes): 2855556 (0x2b9284)
Kern invalid detected at 0x80025f50 (+1). Ignoring those.
..This appears to be XNU 1878.11.8
// -- New in iOS 5 (and expect these in Mountain Lion)
10 _kernelrpc_mach_vm_allocate_trap        800132ac T
11 _kernelrpc_vm_allocate_trap              80013318 T
12 _kernelrpc_mach_vm_deallocate_trap       800133b4 T
13 _kernelrpc_vm_deallocate_trap            80013374 T
14 _kernelrpc_mach_vm_protect_trap          8001343c T
15 _kernelrpc_vm_protect_trap               800133f8 T
16 _kernelrpc_mach_port_allocate_trap       80013494 T
17 _kernelrpc_mach_port_destroy_trap        800134e4 T
18 _kernelrpc_mach_port_deallocate_trap     80013520 T
19 _kernelrpc_mach_port_mod_refs_trap       8001355c T
20 _kernelrpc_mach_port_move_member_trap    8001359c T
21 _kernelrpc_mach_port_insert_right_trap   800135e0 T
22 _kernelrpc_mach_port_insert_member_trap  8001363c T
23 _kernelrpc_mach_port_extract_member_trap 80013680 T
// -
26 mach_reply_port                          800198ac T
27 thread_self_trap                         80019890 T
28 task_self_trap                           80019870 T
29 host_self_trap                           80017db8 T
31 mach_msg_trap                            80013c1c T
32 mach_msg_overwrite_trap                  80013ae4 T
33 semaphore_signal_trap                    800252d4 T
34 semaphore_signal_all_trap                80025354 T
35 semaphore_signal_thread_trap             80025260 T
36 semaphore_wait_trap                      800255e8 T
37 semaphore_wait_signal_trap               8002578c T
38 semaphore_timedwait_trap                 800256c8 T
39 semaphore_timedwait_signal_trap          8002586c T
44 task_name_for_pid                        801e0734 T
45 task_for_pid                             801e0598 T
46 pid_for_task                             801e054c T
48 macx_swapon                              801e127c T
49 macx_swapoff                             801e14cc T
51 macx_triggers                            801e1260 T
52 macx_backing_store_suspend               801e11f0 T
53 macx_backing_store_recovery              801e1198 T
58 pfz_exit                                 80025944 T
59 swtch_pri                                800259f4 T
60 swtch                                    80025948 T
61 thread_switch                            80025bb8 T
62 clock_sleep_trap                         800160f0 T
89 mach_timebase_info_trap                  80015318 T
90 mach_wait_until_trap                     80015934 T
91 mk_timer_create_trap                     8001d238 T
92 mk_timer_destroy_trap                    8001d428 T
93 mk_timer_arm_trap                        8001d46c T
94 mk_timer_cancel_trap                     8001d4f0 T
100 iokit_user_client_trap (probably)       80234aa0 T