SceExcpmgr: Difference between revisions

SceExcpmgr is a kernel module that sets up exception handling. A version exists in both worlds. In non-secure world, after the kernel is booted up, the exception handlers pointed to by VBAR all jump into code in this module.

Module

This module exists in both non-secure and secure world. The non-secure world SELF can be found in os0:kd/excpmgr.skprx.

Known NIDs

Libraries

This module only exports kernel libraries.

Known NIDs

To find

   sceKernelDefaultHandlerCfunc
   sceKernelDefaultHandlerSvcCfunc
   sceKernelDefaultHandlerIrqCfunc
   sceKernelDefaultHandlerReservedCfunc
   
   sceKernelPanicHandlerUndefCfunc
   sceKernelPanicHandlerDabtCfunc
   sceKernelPanicHandlerUndefCfunc
   sceKernelPanicHandlerPabtCfunc

These 8 function names must be of the following NIDs:

         sceExcpmgrGetDataForKernel: 0x08CB30E6
         SceExcpmgrForKernel_3AE9AEE1: 0x3AE9AEE1
         SceExcpmgrForKernel_4FF90618: 0x4FF90618
         SceExcpmgrForKernel_7ADF11DB: 0x7ADF11DB
         SceExcpmgrForKernel_8D223205: 0x8D223205
         SceExcpmgrForKernel_A66DDFA3: 0xA66DDFA3
         SceExcpmgrForKernel_C45C0D3D: 0xC45C0D3D
         SceExcpmgrForKernel_D464A9A7: 0xD464A9A7

SceExcpmgrForKernel

sceKernelRegisterExceptionHandlerForKernel

Wrong name was ksceExcpmgrRegisterHandler.

Installs an exception handler.

int sceKernelRegisterExceptionHandlerForKernel(int excpcode, int priority, void *function);

The function must be ARM and not thumb, and the allowed priority values are from 0 to 7 (including them).

Where excpcode can be:

• Reset: excpcode = 0
• Undefined Instruction: excpcode = 1
• Supervisor Call: excpcode = 2
• Prefetch Abort: excpcode = 3
• Data Abort: excpcode = 4
• Not used: excpcode = 5
• IRQ interrupt: excpcode = 6
• FIQ interrupt: excpcode = 7

The syscall handler at 1.50 is SceExcpmgr_func_0x81000E40

sceKernelRegisterDefaultExceptionHandlerForKernel

sceKernelReleaseExceptionHandlerForKernel

sceKernelReleaseDefaultExceptionHandlerForKernel

sceKernelInitialHandlerDebugUndefCfuncForKernel

sceKernelInitialHandlerDebugPabtCfuncForKernel

sceKernelInitialHandlerDebugDabtCfuncForKernel

sceKernelPanicHandlerReturnFromNestedExceptionCfuncForKernel

void sceKernelRegisterExceptionHandlerForKernel(int a1);

sceKernelDefaultHandlerResetCfuncForKernel

sceKernelGetExcpStackBottomForKernel

sceExcpmgrGetDataForKernel

SceExcpmgrForTZS

SceExcpmgrForTZS_get_default_excp_handler

sceKernelReleaseExceptionHandlerForTZS

sceKernelReleaseDefaultExceptionHandlerForTZS

sceKernelRegisterDefaultExceptionHandlerForTZS

sceKernelRegisterMonitorEntryForTZS

// some_id must be in the 0-7 range
int sceKernelRegisterMonitorEntryForTZS(int some_id, void *pParam);

sceKernelRegisterExceptionHandlerForTZS

Exceptions

SVC

SVC (Supervisor Call), more commonly called Syscalls (system calls), is what allows to interact with non-secure kernel from usermode.

The SVC interface is defined in non-secure kernel as:

On return, R1-R3 and R12 are cleared to 0x0 or 0xDEADBEEF to prevent any data leaks. All user pointers passed to syscalls are accessed with ARM instructions LDRT and STRT for hardware forced permission checks. Syscalls 0x0 - 0xFF are likely a "fastcall" interface that do not mask interrupts or set the DACR, however currently are no such fastcalls defined. Syscalls 0x100 - 0xFFF are made with IRQ interrupts masked and DACR set to 0xFFFF0000 (to prevent access to certain memory domains). Any other syscall numbers are invalid.

System calls are handled in "system" mode defined in ARMv7 (mode 0b11111).

User exported functions loaded by SceKernelModulemgr are exported as syscalls. The number assigned to the syscall are randomized with respect to each library but not within a library. That means, for example, two functions exported by a library will always be some syscall number apart even though that number will change on each boot.

There is no SVC in secure world because all code in secure world is running as kernel.

SMC

SMC (Secure Monitor Call) is what allows to interact with ARM TrustZone from non-secure kernel.

The SMC interface for making a non-secure kernel call to secure kernel is:

The SMC interface is very similar to SVC interface. The SMC handler and MVBAR is set up in Secure World by SceExcpmgrForTZS.

0x0 - 0xFF are fast service calls. 0x100 - 0xFFF are normal service calls ran with IRQs masked.

Secure services are ran in ARM system processor mode (0b11111) in the Secure World.

SMC calls are registered by SceIntrmgrForTZS functions.

SMC calls

int smc_set_sce_shared_memory_block_s(unsigned int paddr, unsigned int size);

int smc_disable_virtual_ranges(void);

int smc_ple_flush_kill_and_l1_dcache_clean_invalidate_all(void);

int smc_compat_set_state(int a1, int command);

int smc_bus_freq_op(int operation, unsigned int freq);

int smc_cdram_enable(void);

int smc_reset_device(int type, int mode);

int smc_compat_set_memory_bank_start_paddr(int bank, unsigned int paddr);

int smc_compat_set_state_ex(int command, int ex);

int smc_compat_get_memory_bank_start_paddr(int bank);

int smc_intr_crash(int type, void *pTTBR0, void *pVBAR, void *pSysbase);

int smc_sm_sched_proxy_invoke(SceBool priority, void *sm_self_paddr, SceUInt32 num_pairs, SceUInt32 block_index);

int smc_sm_sched_proxy_wait(SmOperationHandle handle, SceUInt32 block_index);

int smc_sm_sched_proxy_get_status(SmOperationHandle handle, SceUInt32 block_index);

int smc_sm_sched_proxy_kill(SmOperationHandle handle);

int smc_set_command_F00D_register(SmOperationHandle handle, int f00d_fifo_register_index, int f00d_fifo_register_value);

int smc_get_command_F00D_register(SmOperationHandle handle, int f00d_fifo_register_index, SceUInt32 block_index);

int smc_set_unknown_F00D_register(SmOperationHandle handle, int f00d_fifo_register_index, int f00d_fifo_register_value);

int smc_sm_sched_proxy_write_cry2arm(SmOperationHandle handle, int f00d_fifo_register_index, int f00d_fifo_register_value);

int smc_sm_sched_proxy_read_cry2arm(SmOperationHandle handle, int f00d_fifo_register_index, SceUInt32 block_index);

int smc_sm_sched_proxy_register_intr_handler(SmOperationHandle handle, SmOperationId req_id);

int smc_sm_sched_proxy_release_intr_handler(SmOperationHandle handle, SmOperationId req_id);

int smc_enable_all_cry2arm_interrupts(SmOperationHandle handle, SmOperationId req_id, SceUInt32 block_index);

int smc_sm_sched_proxy_uninitialize(void);

int smc_execute_f00d_command(F00D_cmd_index cmd_index);

int smc_0x168_dmac(int index, int value);

int smc_0x169_dmac(int index, int value);

int smc_l2_write_control_register(int value);

int smc_l2_write_auxiliary_control_register(int value);

Aborts

On development units, data and prefetch aborts can handle BKPT instruction for software breakpoints. SceDebug uses this to handle usermode breakpoints. There is no built-in support for BKPT in kernel code.

SceSysmem uses data aborts with the LDRT and STRT instructions to implement user pointer checking. When LDRT/STRT throws a MMU data exception because of an invalid access and the exception came from SceSysmem#sceKernelCopyFromUserForDriver or SceSysmem#sceKernelCopyToUserForDriver or related functions, the data abort handler will resume execution.

IRQ

IRQs are only handled in non-secure world. An IRQ in secure world is fatal. See SceKernelIntrMgr.

FIQ

FIQs are only handled in secure world because of the bit set in the SCR. Because of this, it is likely that secure devices such as the F00D Processor use FIQs to communicate with the Cortex A9 cores. See SceKernelIntrMgr.