Following the PS4 3.55 Syscall Fun, PS4 4.05 Offsets and PS4 Syscall Kernel Patch articles, Twitter user 3226:2143 passed along word that some newer PS4 syscalls have recently been added to the Developer Wiki, alongside a PS4 Libkernel Syscall Labeler IDA (Interactive Disassembler) IDC script by X41 to complement the previously released symbols.idc.
Download: PS4 Syscall IDC Script by Cloverleafswag3 / PS4 Libkernel Syscall Labeler IDC Script by @X41
Also below are some updated PS4 Firmware 5.01 System Information button combo instructions following the recent Roxanne (roXyPS3) details.
From PSDevWiki.com to quote: PlayStation 4 Syscalls
The PS4 kernel is based on FreeBSD 9.0; a list of standard FreeBSD 9.0 system calls can be found here.
Compatibility system calls, and some others, have been disabled. The first custom Sony system call comes immediately after the last FreeBSD system call, wait6, and is number 532. Currently, the last known custom Sony system call is 651; the names, functions, and signatures of system calls 618-651 are currently unknown, as they were implemented after 1.76. Calling any system call higher than 651 gives the same result as calling a compatibility or unimplemented system call: a "There is not enough free system memory" error/segfault.
Of these 85 explored system calls (532 - 617):
- Two will not be implemented in retail units (possibly in devkits though) and return 0x4E ENOSYS, namely sys_dynlib_dlopen and sys_dl_notify_event
- Eight will return 0x4E ENOSYS should the caller be lacking credentials (td->td_proc->p_ucred)
- Four will return 0x4E ENOSYS should the caller have insufficient privileges (uid0)
- Three will return 0x01 EPERM should the caller have insufficient privileges (uid0)
- One explicitly requires a development kit (sys_set_gpo), as it sets output to components that only development kit units have.
Functions of custom Sony system calls
Known calls include those relating to:
- Modules
- Memory
- Sandboxing
- Semaphores
- Mutexes
Public system calls
Number | Name | Prototype | Notes |
--- | --- | --- | --- |
532 | sys_regmgr_call | - | - |
533 | sys_jitshm_create | - | Only callable from a jit compiler process, else returns EPERM (0x1) |
534 | sys_jitshm_alias | - | Only callable from a jit compiler/application process, else returns EPERM (0x1) |
535 | sys_dl_get_list | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
536 | sys_dl_get_info | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
537 | sys_dl_notify_event | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits) |
538 | sys_evf_create | int sys_evf_create(char* name, int flag, struct evFlag *evf) | - |
539 | sys_evf_delete | int sys_evf_delete(int id) | - |
540 | sys_evf_open | int sys_evf_open(struct evFlag *evf) | - |
541 | sys_evf_close | int sys_evf_close(int id) | - |
542 | sys_evf_wait | - | - |
543 | sys_evf_trywait | - | - |
544 | sys_evf_set | int sys_evf_set(int id) | - |
545 | sys_evf_clear | int sys_evf_clear(int id) | - |
546 | sys_evf_cancel | int sys_evf_cancel(int id) | - |
547 | sys_query_memory_protection | - | - |
548 | sys_batch_map | - | - |
549 | sys_osem_create | - | - |
550 | sys_osem_delete | - | - |
551 | sys_osem_open | - | - |
552 | sys_osem_close | - | - |
553 | sys_osem_wait | - | - |
554 | sys_osem_trywait | - | - |
555 | sys_osem_post | - | - |
556 | sys_osem_cancel | - | - |
557 | sys_namedobj_create | - | - |
558 | sys_namedobj_delete | - | - |
559 | sys_set_vm_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
560 | sys_debug_init | - | - |
561 | sys_suspend_process | int sys_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
562 | sys_resume_process | int sys_resume_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
563 | sys_opmc_enable | - | - |
564 | sys_opmc_disable | - | - |
565 | sys_opmc_set_ctl | - | - |
566 | sys_opmc_set_ctr | - | - |
567 | sys_opmc_get_ctr | - | - |
568 | sys_budget_create | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
569 | sys_budget_delete | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
570 | sys_budget_get | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
571 | sys_budget_set | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
572 | sys_virtual_query | - | - |
573 | sys_mdbg_call | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
574 | sys_sblock_create | - | - |
575 | sys_sblock_delete | - | - |
576 | sys_sblock_enter | - | - |
577 | sys_sblock_exit | - | - |
578 | sys_sblock_xenter | - | - |
579 | sys_sblock_xexit | - | - |
580 | sys_eport_create | - | - |
581 | sys_eport_delete | - | - |
582 | sys_eport_trigger | - | - |
583 | sys_eport_open | - | - |
584 | sys_eport_close | - | - |
585 | sys_is_in_sandbox | - | - |
586 | sys_dmem_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
587 | sys_get_authinfo | - | Some functionality requires privileges (uid0) |
588 | sys_mname | - | - |
589 | sys_dynlib_dlopen | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits) |
590 | sys_dynlib_dlclose | - | - |
591 | sys_dynlib_dlsym | int sys_dynlib_dlsym(int moduleHandle, char* functionName, int *destFuncOffset) | - |
592 | sys_dynlib_get_list | int sys_dynlib_get_list(int *destModuleHandles, int max, int *count) | - |
593 | sys_dynlib_get_info | int sys_dynlib_get_info(int moduleHandle, int *destModuleInfo) | Sony has stripped module information since 1.76 FW (STO) * |
594 | sys_dynlib_load_prx | int sys_dynlib_load_prx(char* prxPath) | - |
595 | sys_dynlib_unload_prx | int sys_dynlib_unload_prx(int prxID) | - |
596 | sys_dynlib_do_copy_relocations | - | - |
597 | sys_dynlib_prepare_dlclose | - | Contains an exploitable integer overflow FW <= 1.76, patched FW >= 2.00 ** |
598 | sys_dynlib_get_proc_param | - | - |
599 | sys_dynlib_process_needed_and_relocate | - | - |
600 | sys_sandbox_path | - | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
601 | sys_mdbg_service | - | - |
602 | sys_randomized_path | - | Some functionality requires privileges (uid0) |
603 | sys_rdup | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
604 | sys_dl_get_metadata | - | Only callable from a debugger, core dump, or syscore process, else returns EPERM (0x1) |
605 | sys_workaround8849 | - | - |
606 | sys_is_development_mode | - | - |
607 | sys_get_self_auth_info | - | - |
608 | sys_dynlib_get_info_ex | int sys_dynlib_get_info_ex(int moduleHandle, struct Unk *unk, int *destModuleInfoEx) | - |
609 | sys_budget_getid | int sys_budget_getid() // no arguments | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
610 | sys_budget_get_ptype | int sys_budget_get_ptype(int budgetID) | - |
611 | sys_get_paging_stats_of_all_threads | - | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
612 | sys_get_proc_type_info | int sys_get_proc_type_info(int *destProcessInfo) | Only callable from certain processes mainly involving media and JiT |
613 | sys_get_resident_count | int sys_get_resident_count(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
614 | sys_prepare_to_suspend_process | int sys_prepare_to_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
615 | sys_get_resident_fmem_count | int sys_get_resident_fmem_count(int pid) | Some functionality requires privileges (uid0) |
616 | sys_thr_get_name | int sys_thr_get_name(int threadID) | - |
617 | sys_set_gpo | - | Only callable on development kit (devkit) units |
618 | sys_get_paging_stats_of_all_objects | - | - |
619 | sys_test_debug_rwmem | - | - |
620 | sys_free_stack | - | - |
621 | sys_suspend_system | - | - |
622 | sys_ipmimgr_call | - | - |
623 | sys_get_gpo | - | - |
624 | sys_get_vm_map_timestamp | - | - |
625 | sys_opmc_set_hw | - | - |
626 | sys_opmc_get_hw | - | - |
627 | sys_get_cpu_usage_all | - | - |
628 | sys_mmap_dmem | - | - |
629 | sys_physhm_open | - | - |
630 | sys_physhm_unlink | - | - |
631 | sys_resume_internal_hdd | - | - |
632 | sys_thr_suspend_ucontext | - | - |
633 | sys_thr_resume_ucontext | - | - |
634 | sys_thr_get_ucontext | - | - |
635 | sys_thr_set_ucontext | - | - |
636 | sys_set_timezone_info | - | - |
637 | sys_set_phys_fmem_limit | - | - |
638 | sys_utc_to_localtime | - | - |
639 | sys_localtime_to_utc | - | - |
640 | sys_set_uevt | - | - |
641 | sys_get_cpu_usage_proc | - | - |
642 | sys_get_map_statistics | - | - |
643 | sys_set_chicken_switches | - | - |
644 | sys_#644 | - | - |
645 | sys_#645 | - | - |
646 | sys_get_kernel_mem_statistics | - | - |
647 | sys_get_sdk_compiled_version | - | - |
648 | sys_app_state_change | - | - |
649 | sys_dynlib_get_obj_member | - | - |
650 | sys_budget_get_ptype_of_budget | - | - |
651 | sys_prepare_to_resume_process | - | - |
652 | sys_process_terminate | - | - |
653 | sys_blockpool_open | - | - |
654 | sys_blockpool_map | - | - |
655 | sys_blockpool_unmap | - | - |
656 | sys_dynlib_get_info_for_libdbg | - | - |
657 | sys_blockpool_batch | - | - |
658 | sys_fdatasync | - | - |
659 | sys_dynlib_get_list2 | - | - |
660 | sys_dynlib_get_info2 | - | - |
661 | sys_aio_submit | - | - |
662 | sys_aio_multi_delete | - | - |
663 | sys_aio_multi_wait | - | - |
664 | sys_aio_multi_poll | - | - |
665 | sys_aio_get_data | - | - |
666 | sys_aio_multi_cancel | - | - |
667 | sys_get_bio_usage_all | - | - |
668 | sys_aio_create | - | - |
669 | sys_aio_submit_cmd | - | - |
670 | sys_aio_init | - | - |
671 | sys_get_page_table_stats | - | - |
672 | sys_dynlib_get_list_for_libdbg | - | - |
* Since 1.76, Sony has removed key information from the sys_dynlib_get_info() system call, e.g. it no longer returns the module's code base address, data base address, code size, or data size.
** The second copyin() function failed to check boundaries and therefore could result in an integer overflow. This was patched after its usage in 1.76.
Note: All system calls actually have the thread pointer as the first argument (struct thread *td); since it is common to all system calls it has been omitted for readability.
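As an added example (not code from the page, the wiki, or the IDC script authors), the script below parses rows in the wiki's "number | name | prototype | notes |" layout into a lookup table and classifies each call's access gate from its Notes column: EPERM (0x1) or ENOSYS (0x4E) for an unprivileged caller, devkit-only, or no stated gate. It also applies the numbering rule quoted above (FreeBSD calls end at 531 with wait6, Sony's begin at 532). The sample rows are a constructed subset copied from the table; the classification keywords and the helper names are this example's own assumptions, not anything from the wiki.

```python
import re
from typing import Dict, NamedTuple, Optional

# FreeBSD errno values that the Notes column quotes.
ERRNO = {0x01: "EPERM", 0x4E: "ENOSYS"}

LAST_FREEBSD_SYSCALL = 531   # wait6 in FreeBSD 9.0; Sony's calls start at 532


class Syscall(NamedTuple):
    number: int
    name: str
    prototype: Optional[str]   # None when the wiki shows "-"
    notes: str


# Constructed sample input: a handful of rows in the same layout as the table above.
SAMPLE_ROWS = """\
Number | Name | Prototype | Notes |
532 | sys_regmgr_call | - | - |
533 | sys_jitshm_create | - | Only callable from a jit compiler process, else returns EPERM (0x1) |
559 | sys_set_vm_container | - | Successful call requires privileges (uid0), else returns EPERM (0x1) |
561 | sys_suspend_process | int sys_suspend_process(int pid) | Successful call requires credentials (td->td_proc->p_ucred), else returns EPERM (0x1) |
568 | sys_budget_create | - | Successful call requires credentials (td->td_proc->p_ucred), else returns ENOSYS (0x4E) |
589 | sys_dynlib_dlopen | - | Always returns ENOSYS (0x4E) (may only be implemented in devkits) |
617 | sys_set_gpo | - | Only callable on development kit (devkit) units |
"""


def parse_table(text: str) -> Dict[int, Syscall]:
    """Parse pipe-separated rows into {number: Syscall}; skips the header and junk."""
    table: Dict[int, Syscall] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].isdigit():
            continue
        number, name, proto, notes = cells
        table[int(number)] = Syscall(int(number), name,
                                     None if proto == "-" else proto, notes)
    return table


def access_gate(sc: Syscall) -> str:
    """What a caller without the required credentials/privileges gets back,
    read from the Notes wording: 'EPERM', 'ENOSYS', 'devkit-only' or 'open'."""
    n = sc.notes
    # Calls that are stubbed on retail or need devkit hardware (hypothetical keywords).
    if n.startswith("Always returns ENOSYS") or "development kit" in n:
        return "devkit-only"
    m = re.search(r"returns (EPERM|ENOSYS) \(0x([0-9A-Fa-f]+)\)", n)
    if m:
        name, value = m.group(1), int(m.group(2), 16)
        if ERRNO.get(value) != name:
            raise ValueError(f"errno name/value mismatch in notes for {sc.name}")
        return name
    return "open"


def describe(number: int, table: Dict[int, Syscall]) -> str:
    """Apply the numbering rule from the text, then the per-call gate."""
    if 0 <= number <= LAST_FREEBSD_SYSCALL:
        return "FreeBSD 9.0 syscall (see the standard FreeBSD table)"
    sc = table.get(number)
    if sc is None:
        return "not in table (unknown, or above the last known Sony syscall)"
    return f"{sc.name}: {access_gate(sc)}"


if __name__ == "__main__":
    calls = parse_table(SAMPLE_ROWS)
    for num in (4, 532, 561, 568, 589, 617, 9999):
        print(num, "->", describe(num, calls))
```

Feeding the full table from the page through `parse_table` gives a map that can be used to count how many calls gate on `td->td_proc->p_ucred` versus uid0, or to cross-check that a disassembly label (as produced by the IDC script) matches the number the wiki lists.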
Incomplete instructions for the button combo in System Information are being shared. Have more. Non-debug = ▲+L1+L3 for 5s then DPad Up+Start. Debug/Store = DPad Left+■+L1+R1 for 5s then Start.
Here's another button combo. In Web Browser settings, press, in sequence: L1→R1→L1→R1→L2→R2→L2→R2→■→▲→Start→L3→R3. Not too useful; on 5.01 it adds a "Font" setting. Perhaps other versions have more hidden settings?
For the System Information button combo, the "Debug/Store" button combo is used when any of the functions sceSblRcMgrIsAllowDebugMenuForSettings, sceSblRcMgrIsAllowMinimumDebugMenuForSettings, or sceSblRcMgrIsStoreMode return 1. Otherwise the normal button combo is used.