Kernel Syscalls

Note on these
Args go in their normal registers (arg1 in R0, and so on), as usual. The syscall # goes in IP (that's the intra-procedural scratch register, not the instruction pointer!), a.k.a. R12.

As on all ARM (i.e. also on Android), kernel entry is accomplished by the SVC instruction (SWI in some debuggers and ARM dialects). On the kernel end, a low-level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and upon issuing a SWI/SVC, control is transferred to that address. This handler checks the syscall number to distinguish between POSIX calls (non-negative) and Mach traps (negative).

Usage
MOV IP, #x    // number from the following list into Intraprocedural, a.k.a. r12
SVC 0x80      // Formerly, SWI (software interrupt)

For example:

(gdb) disass chown
0x30d2ad54 :	mov	r12, #16	; 0x10, being # of chown
0x30d2ad58 :	svc	0x00000080

Most of these are the same as you would find in the XNU open source kernel, ARM idiosyncrasies aside (and #372, ledger).

sysent
The system call table in XNU is known as "sysent", and is no longer a public symbol, for obvious reasons (e.g. syscall hooking). It is fairly straightforward, however, to find the sysent and its entries. i0nic proposes a heuristic of finding the sysent based on the exported kdebug symbol, but this is unreliable, as that symbol is no longer exported either. A better way is to home in on the pattern of the struct sysent entries themselves, i.e. as defined in bsd/sys/sysent.h:

struct sysent {        /* system call table */
    int16_t        sy_narg;        /* number of args */
    int8_t         sy_resv;        /* reserved  */
    int8_t         sy_flags;       /* flags */
    sy_call_t      *sy_call;       /* implementing function */
    sy_munge_t     *sy_arg_munge32; /* system call arguments munger for 32-bit process */
    sy_munge_t     *sy_arg_munge64; /* system call arguments munger for 64-bit process */
    int32_t        sy_return_type; /* system call return types */
    uint16_t       sy_arg_bytes;   /* Total size of arguments in bytes for
                                    * 32-bit system calls */
};

Because system call argument counts are set in stone, it is straightforward to write code that finds the signature of the first few syscalls (syscall, exit, fork, ...) and, from there, calculates the other sysent entries. A program that does so reliably on iOS has, in fact, been written, and produces the following output for iOS 6.0b1:

List of system calls from iOS 6.0b3
Note: Even though a syscall is present in the table, that does not in any way imply it is functional. Auditing, for example, is not enabled in iOS (no CONFIG_AUDIT in the XNU build). Most of these syscalls are the same as those of OS X, with the exception of ledger (which actually makes a comeback in OS X Mountain Lion) and 434+ (CONFIG_EMBEDDED).

A good reference on these can be found at Wiley's OS X and iOS Internals online appendix.

$ joker ~/Documents/projects/iOS.6.0b3.iPod4.kernel
This is an ARM binary. Applying iOS kernel signatures
Syscall names are @2780953
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
Sysent offset in file (for patching purposes): 3076288 (0x2ef0c0)
..This appears to be XNU 2107.2.9
Suppressing enosys (0x800b3429)

1. exit                 801d4974 T
2. fork                 801d786c T
3. read                 801eb408 T
4. write                801eb7dc T
5. open                 800b13a4 T
6. close                801cc9b0 T
7. wait4                801d55a8 T
9. link                 800b18e8 T
10. unlink              800b1ff0 T
12. chdir               800b0c60 T
13. fchdir              800b0af0 T
14. mknod               800b14bc T
15. chmod               800b2b40 T
16. chown               800b2c9c T
18. getfsstat           800b088c T
20. getpid              801dc0f8 T
23. setuid              801dc3ac T
24. getuid              801dc17c T
25. geteuid             801dc18c T
26. ptrace              801e7fb0 T
27. recvmsg             8020a780 T
28. sendmsg             8020a2c8 T
29. recvfrom            8020a3ac T
30. accept              80209c80 T
31. getpeername         8020aa4c T
32. getsockname         8020a99c T
33. access              800b24ac T
34. chflags             800b2928 T
35. fchflags            800b29f0 T
36. sync                800b0320 T
37. kill                801dfcb8 T
39. getppid             801dc100 T
41. dup                 801caa00 T
42. pipe                801eda68 T
43. getegid             801dc204 T
46. sigaction           801dedd4 T
47. getgid              801dc1f4 T
48. sigprocmask         801df318 T
49. getlogin            801dcfd4 T
50. setlogin            801dd04c T
51. acct                801c53e8 T
52. sigpending          801df4bc T
53. sigaltstack         801dfbfc T
54. ioctl               801ebba0 T
55. reboot              801e7f14 T
56. revoke              800b43f8 T
57. symlink             800b1b58 T
58. readlink            800b282c T
59. execve              801d4348 T
60. umask               800b43d0 T
61. chroot              800b0d30 T
65. msync               801d83bc T
66. vfork               801d6f04 T
73. munmap              801d8468 T
74. mprotect            801d849c T
75. madvise             801d8554 T
78. mincore             801d85c0 T
79. getgroups           801dc214 T
80. setgroups           801dcf18 T
81. getpgrp             801dc108 T
82. setpgid             801dc2b4 T
83. setitimer           801e79fc T
85. swapon              8021bd00 T
86. getitimer           801e78b4 T
89. getdtablesize       801ca5d8 T
90. dup2                801cae50 T
92. fcntl               801cb31c T
93. select              801ebe4c T
95. fsync               800b3238 T
96. setpriority         801dd380 T
97. socket              80209728 T
98. connect             80209ca0 T
100. getpriority        801dd274 T
104. bind               802097f4 T
105. setsockopt         8020a8b4 T
106. listen             80209960 T
111. sigsuspend         801df4e4 T
116. gettimeofday       801e76c4 T
117. getrusage          801de118 T
118. getsockopt         8020a918 T
120. readv              801eb694 T
121. writev             801eba34 T
122. settimeofday       801e7720 T
123. fchown             800b2dac T
124. fchmod             800b2c70 T
126. setreuid           801dc6f8 T
127. setregid           801dca8c T
128. rename             800b3428 T
131. flock              801ce108 T
132. mkfifo             800b1798 T
133. sendto             80209fec T
134. shutdown           8020a884 T
135. socketpair         80209e90 T
136. mkdir              800b3d1c T
137. rmdir              800b3d5c T
138. utimes             800b2e60 T
139. futimes            800b3034 T
140. adjtime            801e7824 T
142. gethostuuid        801ed528 T
147. setsid             801dc270 T
151. getpgid            801dc110 T
152. setprivexec        801dc0e0 T
153. pread              801eb5f8 T
154. pwrite             801eb954 T
157. statfs             800b03c0 T
158. fstatfs            800b0678 T
159. unmount            800afe88 T
165. quotactl           800b03bc T
167. mount              800af068 T
169. csops              801daebc T
170. 170 old table      801db3a8 T
173. waitid             801d59a0 T
180. kdebug_trace       801c2cb0 T
181. setgid             801dc890 T
182. setegid            801dc99c T
183. seteuid            801dc5fc T
184. sigreturn          8021e67c T
185. chud               8021d38c T
187. fdatasync          800b32b0 T
188. stat               800b2588 T
189. fstat              801ccee8 T
190. lstat              800b26d4 T
191. pathconf           800b27c8 T
192. fpathconf          801ccf44 T
194. getrlimit          801ddf60 T
195. setrlimit          801dd828 T
196. getdirentries      800b3f94 T
197. mmap               801d7eac T
199. lseek              800b2068 T
200. truncate           800b30b4 T
201. ftruncate          800b3174 T
202. __sysctl           801e2364 T
203. mlock              801d870c T
204. munlock            801d8764 T
205. undelete           800b1cf0 T
216. mkcomplex          800b12c4 T
220. getattrlist        8009b060 T
221. setattrlist        8009b0d8 T
222. getdirentriesattr  800b44e0 T
223. exchangedata       800b469c T
225. searchfs           800b48dc T
226. delete             800b202c T
227. copyfile           800b32cc T
228. fgetattrlist       80098488 T
229. fsetattrlist       8009b7e0 T
230. poll               801ec5b0 T
231. watchevent         801eced8 T
232. waitevent          801ed07c T
233. modwatch           801ed1ec T
234. getxattr           800b5550 T
235. fgetxattr          800b568c T
236. setxattr           800b578c T
237. fsetxattr          800b5898 T
238. removexattr        800b5994 T
239. fremovexattr       800b5a5c T
240. listxattr          800b5b1c T
241. flistxattr         800b5c00 T
242. fsctl              800b4dd4 T
243. initgroups         801dcd94 T
244. posix_spawn        801d341c T
245. ffsctl             800b5474 T
250. minherit           801d851c T
266. shm_open           8020e9a8 T
267. shm_unlink         8020f488 T
268. sem_open           8020de04 T
269. sem_close          8020e59c T
270. sem_unlink         8020e364 T
271. sem_wait           8020e5f0 T
272. sem_trywait        8020e6b8 T
273. sem_post           8020e75c T
274. sem_getvalue       8020e800 T
275. sem_init           8020e7f8 T
276. sem_destroy        8020e7fc T
277. open_extended      800b11d8 T
278. umask_extended     800b4380 T
279. stat_extended      800b2530 T
280. lstat_extended     800b267c T
281. fstat_extended     801ccccc T
282. chmod_extended     800b2a30 T
283. fchmod_extended    800b2b74 T
284. access_extended    800b21a0 T
285. settid             801dcc18 T
286. gettid             801dc19c T
287. setsgroups         801dcf28 T
288. getsgroups         801dc268 T
289. setwgroups         801dcf2c T
290. getwgroups         801dc26c T
291. mkfifo_extended    800b16f4 T
292. mkdir_extended     800b3b30 T
294. shared_region_check_np 8021c23c T
296. vm_pressure_monitor 8021c9a0 T
297. psynch_rw_longrdlock 80215844 T
298. psynch_rw_yieldwrlock 80215af0 T
299. psynch_rw_downgrade 80215af8 T
300. psynch_rw_upgrade  80215af4 T
301. psynch_mutexwait   80212a5c T
302. psynch_mutexdrop   80213a20 T
303. psynch_cvbroad     80213a74 T
304. psynch_cvsignal    80214058 T
305. psynch_cvwait      802144e0 T
306. psynch_rw_rdlock   80214c18 T
307. psynch_rw_wrlock   80215848 T
308. psynch_rw_unlock   80215afc T
309. psynch_rw_unlock2  80215df4 T
310. getsid             801dc140 T
311. settid_with_pid    801dccb8 T
312. psynch_cvclrprepost 80214b18 T
313. aio_fsync          801c5dcc T
314. aio_return         801c5fa4 T
315. aio_suspend        801c622c T
316. aio_cancel         801c5944 T
317. aio_error          801c5d20 T
318. aio_read           801c5f84 T
319. aio_write          801c6440 T
320. lio_listio         801c6460 T
322. iopolicysys        801de30c T
323. 323                8021a5c4 T
324. mlockall           801d87a0 T
325. munlockall         801d87a4 T
327. issetugid          801dc39c T
328. __pthread_kill     801df930 T
329. __pthread_sigmask  801df990 T
330. __sigwait          801dfa40 T
331. __disable_threadsignal 801df60c T
332. __pthread_markcancel 801df628 T
333. __pthread_canceled 801df670 T
334. __semwait_signal   801df810 T
336. proc_info          802184a8 T
338. stat64             800b25d4 T
339. fstat64            801ccf24 T
340. lstat64            800b2720 T
341. stat64_extended    800b2624 T
342. lstat64_extended   800b2770 T
343. fstat64_extended   801ccf08 T
344. getdirentries64    800b4340 T
345. statfs64           800b06e0 T
346. fstatfs64          800b0828 T
347. getfsstat64        800b0a38 T
348. __pthread_chdir    800b0d28 T
349. __pthread_fchdir   800b0c58 T
350. audit              801c1970 T
351. auditon            801c1974 T
353. getauid            801c1978 T
354. setauid            801c197c T
357. getaudit_addr      801c1980 T
358. setaudit_addr      801c1984 T
359. auditctl           801c1988 T
360. bsdthread_create   80216948 T
361. bsdthread_terminate 80216bc0 T
362. kqueue             801cf494 T
363. kevent             801cf514 T
364. lchown             800b2d94 T
365. stack_snapshot     801c5108 T
366. bsdthread_register 80216c24 T
367. workq_open         80217878 T
368. workq_kernreturn   80217ce0 T
369. kevent64           801cf7ac T
370. __old_semwait_signal 801df6e4 T
371. __old_semwait_signal_nocancel 801df718 T
372. thread_selfid      802181e4 T
373. ledger             801ed590 T
380. __mac_execve       801d4368 T
381. __mac_syscall      8027d008 T
382. __mac_get_file     8027ccb0 T
383. __mac_set_file     8027cef8 T
384. __mac_get_link     8027cdd4 T
385. __mac_set_link     8027cff8 T
386. __mac_get_proc     8027c7a4 T
387. __mac_set_proc     8027c864 T
388. __mac_get_fd       8027cb5c T
389. __mac_set_fd       8027cde4 T
390. __mac_get_pid      8027c6d8 T
391. __mac_get_lcid     8027c918 T
392. __mac_get_lctx     8027c9dc T
393. __mac_set_lctx     8027ca98 T
394. setlcid            801dd114 T
395. getlcid            801dd1fc T
396. read_nocancel      801eb428 T
397. write_nocancel     801eb7fc T
398. open_nocancel      800b1434 T
399. close_nocancel     801cc9cc T
400. wait4_nocancel     801d55c8 T
401. recvmsg_nocancel   8020a7a0 T
402. sendmsg_nocancel   8020a2e8 T
403. recvfrom_nocancel  8020a3cc T
404. accept_nocancel    802099a0 T
405. msync_nocancel     801d83d4 T
406. fcntl_nocancel     801cb33c T
407. select_nocancel    801ebe68 T
408. fsync_nocancel     800b32a8 T
409. connect_nocancel   80209cb8 T
410. sigsuspend_nocancel 801df5a0 T
411. readv_nocancel     801eb6b4 T
412. writev_nocancel    801eba54 T
413. sendto_nocancel    8020a00c T
414. pread_nocancel     801eb618 T
415. pwrite_nocancel    801eb974 T
416. waitid_nocancel    801d59bc T
417. poll_nocancel      801ec5d0 T
420. sem_wait_nocancel  8020e60c T
421. aio_suspend_nocancel 801c624c T
422. __sigwait_nocancel 801dfa78 T
423. __semwait_signal_nocancel 801df844 T
424. __mac_mount        800af08c T
425. __mac_get_mount    8027d200 T
426. __mac_getfsstat    800b08b0 T
427. fsgetpath          800b5ce4 T
428. audit_session_self 801c1964 T
429. audit_session_join 801c1968 T
430. fileport_makeport  801ce1ec T
431. fileport_makefd    801ce390 T
432. audit_session_port 801c196c T
433. pid_suspend        8021c018 T
434. pid_resume         8021c088 T
435. pid_hibernate      8021c100 T
436. pid_shutdown_sockets 8021c158 T
438. shared_region_map_and_slide_np 8021c7ec T
439. kas_info           8021c9e8 T   ; Provides ASLR information to user space
                                     ; (intentionally crippled in iOS, works in ML)
440. memorystatus_control 801e60f0 T ; Controls memory status (JetSam)
441. guarded_open_np    801ce9cc T   ; New in 6b3, maybe b2
442. guarded_close_np   801cead8 T   ; New in 6b3, maybe b2
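The signature search described under sysent, as an added example (my own code, not joker's): it scans a kernel image for eight consecutive struct sysent entries whose sy_narg values match the first eight syscalls, and then checks that every sy_call points into the kernel's text range, which is the check one would run to spot a hooked entry. The struct name, the 0x80300000 text bound and the test image are my assumptions and constructions; the handler addresses come from the listing above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* struct sysent as laid out in a 32-bit ARM kernel (bsd/sys/sysent.h); pointers as uint32_t, sizeof == 24. */
struct sysent32 {
    int16_t  sy_narg;  int8_t sy_resv;  int8_t sy_flags;
    uint32_t sy_call;  uint32_t sy_arg_munge32;  uint32_t sy_arg_munge64;
    int32_t  sy_return_type;  uint16_t sy_arg_bytes;
};
/* sy_narg of sysent[0..7] (nosys, exit, fork, read, write, open, close, wait4): fixed per syscalls.master. */
static const int16_t SIG_NARG[8] = { 0, 1, 0, 3, 3, 3, 1, 4 };
#define KTEXT_LO 0x80000000u   /* unslid 32-bit iOS kernel text base */
/* Do eight consecutive entries at p carry the signature, with handlers in kernel range? */
static int signature_at(const uint8_t *p) {
    for (int i = 0; i < 8; i++) {
        struct sysent32 e;
        memcpy(&e, p + i * sizeof e, sizeof e);
        if (e.sy_narg != SIG_NARG[i] || e.sy_call < KTEXT_LO) return 0;
    }
    return 1;
}
/* Scan a kernel image for the sysent signature; returns its file offset or -1. */
long find_sysent(const uint8_t *img, size_t len) {
    for (size_t off = 0; off + 8 * sizeof(struct sysent32) <= len; off += 4)
        if (signature_at(img + off)) return (long)off;
    return -1;
}
/* Hook check: count entries whose sy_call lies outside kernel __TEXT [lo, hi). Clean table: 0. */
int count_hooked(const uint8_t *img, size_t sysent_off, int nsys, uint32_t lo, uint32_t hi) {
    int bad = 0;
    for (int i = 0; i < nsys; i++) {
        struct sysent32 e;
        memcpy(&e, img + sysent_off + i * sizeof e, sizeof e);
        if (e.sy_call < lo || e.sy_call >= hi) bad++;
    }
    return bad;
}
/* Constructed image: 0x40 bytes of filler, then eight entries whose sy_call values are the
   handlers from the iOS 6.0b3 listing (entry 0 = the "suppressed" enosys 0x800b3429). */
static uint8_t g_img[0x200];
size_t build_sample_image(void) {
    static const uint32_t calls[8] = { 0x800b3429, 0x801d4974, 0x801d786c, 0x801eb408,
                                       0x801eb7dc, 0x800b13a4, 0x801cc9b0, 0x801d55a8 };
    memset(g_img, 0xAA, sizeof g_img);   /* filler: sy_narg 0xAAAA never matches */
    for (int i = 0; i < 8; i++) {
        struct sysent32 e = { SIG_NARG[i], 0, 0, calls[i], 0, 0, 0, (uint16_t)(SIG_NARG[i] * 4) };
        memcpy(g_img + 0x40 + i * sizeof e, &e, sizeof e);
    }
    return 0x40;
}
/* Optionally redirect open()'s sy_call (entry 5) to `hook`, a constructed address outside the
   assumed sample __TEXT bound 0x80300000, then locate the table and run the check. */
int sample_hooked_count(uint32_t hook) {
    size_t off = build_sample_image();
    if (hook) memcpy(g_img + off + 5 * sizeof(struct sysent32) + offsetof(struct sysent32, sy_call), &hook, 4);
    long found = find_sysent(g_img, sizeof g_img);
    return found < 0 ? -1 : count_hooked(g_img, (size_t)found, 8, KTEXT_LO, 0x80300000u);
}
```

On a real image the __TEXT bounds come from the Mach-O segment headers rather than a constant, and the table length from the count of entries that follow the signature.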

Mach
XNU also supports the Mach personality, which is distinct from that of the UNIX syscalls discussed above. Mach syscalls (on 32-bit systems like iOS) are encoded as negative numbers, which is clever, since POSIX system calls are all non-negative. For example, consider mach_msg_trap:

_mach_msg_trap:
0001a8b4	e1a0c00d	mov	ip, sp
0001a8b8	e92d0170	push	{r4, r5, r6, r8}
0001a8bc	e89c0070	ldm	ip, {r4, r5, r6}
0001a8c0	e3e0c01e	mvn	ip, #30	@ 0x1e	; MVN stores the bitwise NOT: ~30 = -31 in IP (R12), i.e. NEGATIVE, Mach trap #31
0001a8c4	ef000080	svc	0x00000080	; issue a supervisor call
0001a8c8	e8bd0170	pop	{r4, r5, r6, r8}
0001a8cc	e12fff1e	bx	lr
..
_semaphore_signal_all_trap:
0001a8f8	e3e0c021	mvn	ip, #33	@ 0x21	; ~33 = -34 in IP (R12): NEGATIVE, Mach trap #34
0001a8fc	ef000080	svc	0x00000080
0001a900	e12fff1e	bx	lr

Mach system calls are commonly known as "traps", and are maintained in the Mach trap table. iOS's fleh_swi handler (the kernel entry point on the other side of the "SWI" or "SVC" instruction) checks the system call number: if it is negative, it is flipped (2's complement) and interpreted as a Mach trap instead.
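To make the sign convention concrete, here is an added example (my own code, not from the original page) that statically decodes ARM-mode libsystem stubs like the ones above: it tracks the immediate that mov/mvn loads into IP, stops at svc 0x80, and reports whether fleh_swi would treat the value as a BSD syscall or a flipped Mach trap. The mach_msg_trap and semaphore_signal_all_trap words are copied from the disassembly; the chown stub words are constructed by me from the gdb output; the type and function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of statically decoding a stub: which table fleh_swi consults and the index into it. */
typedef struct { int valid; int is_mach; int number; } syscall_ref_t;

/* ARM data-processing immediate: imm8 rotated right by 2*rot (rot = bits 11..8). */
static uint32_t arm_imm(uint32_t w) {
    uint32_t imm8 = w & 0xFFu, rot = ((w >> 8) & 0xFu) * 2u;
    return rot ? ((imm8 >> rot) | (imm8 << (32u - rot))) : imm8;
}

/* Walk a stub's 32-bit ARM words, tracking the last immediate written to IP (R12) by
   "mov ip, #imm" (bits 27..12 == 0x3A0C) or "mvn ip, #imm" (0x3E0C), and stop at
   "svc 0x80" (0xEF000080). MVN stores the bitwise NOT, so "mvn ip, #30" leaves -31 in IP:
   negative, which the kernel flips (2's complement) and dispatches as Mach trap #31. */
syscall_ref_t decode_stub(const uint32_t *words, size_t n) {
    syscall_ref_t r = { 0, 0, 0 };
    int have_ip = 0;
    int32_t ip = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t w = words[i];
        if ((w & 0x0FFFF000u) == 0x03A0C000u)      { ip = (int32_t)arm_imm(w);  have_ip = 1; }
        else if ((w & 0x0FFFF000u) == 0x03E0C000u) { ip = (int32_t)~arm_imm(w); have_ip = 1; }
        else if (w == 0xEF000080u) {
            if (!have_ip) return r;        /* IP loaded some other way: not decidable statically */
            r.valid = 1;
            r.is_mach = ip < 0;
            r.number = ip < 0 ? -ip : ip;  /* the flip fleh_swi performs for Mach traps */
            return r;
        }
    }
    return r;                              /* no SVC in this stub */
}

/* Inputs: mach_msg_trap and semaphore_signal_all_trap words copied from the disassembly above;
   the chown stub is constructed here by encoding "mov r12, #16" / "svc 0x80" / "bx lr". */
static const uint32_t STUB_MACH_MSG[] = { 0xe1a0c00d, 0xe92d0170, 0xe89c0070, 0xe3e0c01e,
                                          0xef000080, 0xe8bd0170, 0xe12fff1e };
static const uint32_t STUB_SEM_ALL[]  = { 0xe3e0c021, 0xef000080, 0xe12fff1e };
static const uint32_t STUB_CHOWN[]    = { 0xe3a0c010, 0xef000080, 0xe12fff1e };
#define NWORDS(a) (sizeof (a) / sizeof (a)[0])

int main(void) {
    const struct { const char *name; const uint32_t *w; size_t n; } stubs[] = {
        { "mach_msg_trap", STUB_MACH_MSG, NWORDS(STUB_MACH_MSG) },
        { "semaphore_signal_all_trap", STUB_SEM_ALL, NWORDS(STUB_SEM_ALL) },
        { "chown", STUB_CHOWN, NWORDS(STUB_CHOWN) } };
    for (size_t i = 0; i < NWORDS(stubs); i++) {
        syscall_ref_t r = decode_stub(stubs[i].w, stubs[i].n);
        printf("%-26s -> %s #%d\n", stubs[i].name, r.is_mach ? "Mach trap" : "BSD syscall", r.number);
    }
    return 0;
}
```

Run over a binary's stubs, this gives a static inventory of the BSD syscalls and Mach traps it can issue, using the two tables on this page to name them.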

mach_trap_table
In iOS 5.x, the mach_trap_table is not far from the page_size export, and right next to the trap names. kern_invalid is the equivalent of ENOSYS. All the traps are ARM Thumb. The joker binary can be used to find the Mach trap table as well. The following shows iOS 6.0b1's table:

$ ./joker -ls mach kernel.iPod4.iOS6.0b1
This is an ARM binary. Applying iOS kernel signatures
mach_trap_table offset in file (for patching purposes): 3064992 (0x2ec4a0)
Kern invalid should be 0x80027ec1. Ignoring those
..This appears to be XNU 2107.1.78

10  _kernelrpc_mach_vm_allocate_trap         80014460 T
12  _kernelrpc_mach_vm_deallocate_trap       800144cc T
14  _kernelrpc_mach_vm_protect_trap          80014510 T
16  _kernelrpc_mach_port_allocate_trap       80014564 T
17  _kernelrpc_mach_port_destroy_trap        800145b4 T
18  _kernelrpc_mach_port_deallocate_trap     800145f0 T
19  _kernelrpc_mach_port_mod_refs_trap       8001462c T
20  _kernelrpc_mach_port_move_member_trap    8001466c T
21  _kernelrpc_mach_port_insert_right_trap   800146b0 T
22  _kernelrpc_mach_port_insert_member_trap  80014710 T
23  _kernelrpc_mach_port_extract_member_trap 80014754 T
26  mach_reply_port                          8001b5b4 T
27  thread_self_trap                         8001b598 T
28  task_self_trap                           8001b578 T
29  host_self_trap                           80019910 T
31  mach_msg_trap                            80014ec0 T
32  mach_msg_overwrite_trap                  80014d20 T
33  semaphore_signal_trap                    80027188 T
34  semaphore_signal_all_trap                8002720c T
35  semaphore_signal_thread_trap             80027114 T
36  semaphore_wait_trap                      800274b0 T
37  semaphore_wait_signal_trap               80027658 T
38  semaphore_timedwait_trap                 80027598 T
39  semaphore_timedwait_signal_trap          8002773c T
44  task_name_for_pid                        8021a838 T
45  task_for_pid                             8021a688 T
46  pid_for_task                             8021a63c T
48  macx_swapon                              8021b414 T
49  macx_swapoff                             8021b668 T
51  macx_triggers                            8021b3f4 T
52  macx_backing_store_suspend               8021b370 T
53  macx_backing_store_recovery              8021b318 T
58  pfz_exit                                 80027818 T
59  swtch_pri                                800278e4 T
60  swtch                                    8002781c T
61  thread_switch                            80027ad4 T
62  clock_sleep_trap                         80017520 T
89  mach_timebase_info_trap                  80016658 T
90  mach_wait_until_trap                     80016d20 T
91  mk_timer_create_trap                     8001f2f4 T
92  mk_timer_destroy_trap                    8001f500 T
93  mk_timer_arm_trap                        8001f544 T
94  mk_timer_cancel_trap                     8001f5c8 T
100 iokit_user_client_trap                   8026c11c T