IOS/Syscalls
< IOS
Internally, IOS uses a syscall table that is stored toward the end of the binary. The exact address varies with version of IOS; as a concrete example, boot2's syscall_base is at 0xFFFF7F60.
Syscalls are invoked by way of the invalid instruction handler; syscalls take the form 0xE6000010 | (syscall_num << 5). (E.g. E6000010 is syscall 0, E60006D0 is syscall 0x36, etc.)
(please feel free to contribute your own findings!)
| 0 | thread_create |
| 1 | thread_join |
| 2 | thread_cancel |
| 3 | get_tid |
| 4 | get_pid |
| 5 | thread_continue |
| 6 | thread_stop |
| 7 | thread_yield |
| 8 | thread_get_priority |
| 9 | thread_set_priority |
| a | message_queue_create |
| b | message_queue_destroy |
| c | message_queue_send |
| d | message_queue_send_now |
| e | message_queue_receive |
| f | RegisterEventHandler |
| 10 | UnregisterEventHandler |
| 11 | timer_create |
| 12 | timer_restart |
| 13 | timer_stop |
| 14 | timer_destroy |
| 15 | timer_now |
| 16 | heap_create |
| 17 | heap_destroy |
| 18 | heap_alloc |
| 19 | heap_alloc_aligned |
| 1a | heap_free |
| 1b | device_register |
| 1c | device_open |
| 1d | device_close |
| 1e | device_read |
| 1f | device_write |
| 20 | device_seek |
| 21 | device_ioctl |
| 22 | device_ioctlv |
| 23 | device_open_async |
| 24 | device_close_async |
| 25 | device_read_async |
| 26 | device_write_async |
| 27 | device_seek_async |
| 28 | device_ioctl_async |
| 29 | device_ioctlv_async |
| 2a | syscall_2a |
| 2b | SetUID |
| 2c | get_hmac_queue_for_pid |
| 2d | SetGID |
| 2e | lookup_GID_maybe |
| 2f | cc_ahbMemFlush |
| 30 | syscall_ahbMemFlush_wrapper |
| 31 | software_IRQ_31 |
| 32 | software_irq_18 |
| 33 | software_IRQ_7_or_8 |
| 34 | software_IRQ |
| 35 | _return_0 |
| 36 | syscall_36 |
| 37 | syscall_37 |
| 38 | iobuf_log_header_info |
| 39 | iobuf_log_buffer_info |
| 3a | syscall_3a |
| 3b | syscall_3b |
| 3c | syscall_3c |
| 3d | syscall_3d |
| 3e | syscall_3e |
| 3f | sync_before_read |
| 40 | sync_after_write |
| 41 | ppc_boot |
| 42 | ios_boot |
| 43 | syscall_43 |
| 44 | syscall_assert_di_reset |
| 45 | syscall_deassert_di_reset |
| 46 | syscall_46 |
| 47 | zero_r0_r1 |
| 48 | set_r0_1_r1_0 |
| 49 | get_boot_vector |
| 4a | syscall_4a |
| 4b | kernel_debug_print |
| 4c | kernel_set_version |
| 4d | kernel_get_version |
| 4e | poke_E0_1 |
| 4f | virt_to_phys |
| 50 | syscall_50 |
| 51 | syscall_51 |
| 52 | syscall_52 |
| 53 | syscall_53 |
| 54 | syscall_54 |
| 55 | get_bc_flag |
| 56 | poke_gpios |
| 57 | syscall_57 |
| 58 | call_poke_debug_port |
| 59 | create_key |
| 5a | destroy_key |
| 5b | es_syscall_5b |
| 5c | es_syscall_5c |
| 5d | set_public_key |
| 5e | es_syscall_5e |
| 5f | es_syscall_5f |
| 60 | es_syscall_60 |
| 61 | get_keyid |
| 62 | es_syscall_62 |
| 63 | es_syscall_63 |
| 64 | sha_async |
| 65 | sha |
| 66 | aes_async |
| 67 | aes |
| 68 | es_syscall_68 |
| 69 | es_syscall_69 |
| 6a | es_syscall_6a |
| 6b | hmac |
| 6c | hmac_async |
| 6d | es_syscall_6d |
| 6e | get_ng_cert |
| 6f | key_set_permission_mask |
| 70 | es_syscall_70 |
| 71 | es_syscall_71 |
| 72 | es_syscall_72 |
| 73 | es_syscall_73 |
| 74 | es_syscall_74 |