SceIofilemgr

SceIofilemgr is the primary interface for file IO. Read File Management for more information on file IO.

Module
This module exists in only in non-secure world. The SELF can be found in.

Libraries
This module is accessible by usermode.

Mount Points
This table is stored in data segment of SceIofilemgr as array of  elements.

When sceVfsMount is executed it finds vfs_add_data element by filesystem string and then selects appropriate mount scenario by devMinor and devMajor.


 * means random numeric string of length 13

Block Device Naming Rules
First level prefix


 * int
 * ext
 * gcd
 * mcd
 * uma
 * usd
 * xmc

Second level prefix


 * lp
 * pp

Third level prefix


 * ina
 * act
 * ign

Forth level prefix


 * unused
 * idstor
 * sloader
 * os
 * vsh
 * vshdata
 * vtrm
 * user
 * userext
 * gamero
 * gamerw
 * updater
 * sysdata
 * mediaid
 * pidata
 * entire

Partition Block Devices
Each partition has numeric alias (string) that looks like to be used to reference the partition.

Numeric names most likely follow order of partitions in MBR.

To access device node use  prefix (like  ).

In total there can be 16 aliases from 0 to 15 per physical device (eMMC, Game Card, Memory Card). Alias 16 is hardcoded and is called.

Aliases 0-15 correspond to eMMC.

Aliases 100-115 correspond to Game Card.

Aliases 200-215 correspond to Memory Card.

VFS Operations

 * implemented operation is marked as
 * not implemented is marked as
 * return 0 placeholder is marked as
 * return error is marked with corresponding error name

VFS Node Operations

 * implemented operation is marked as
 * not implemented is marked as
 * return 0 placeholder is marked as
 * return error is marked with corresponding error name

Typical i/o operation execution
This is a very brief desctiption for overall understanding of io  operations. Implementation of SceIofilemgr is quite solid and most of the functions are implemented in the same manner however there could be exceptions. When io operation like  is called here is what happens:
 * all user space arguments are copied to kernel space, usually onto the kernel stack. all user space uids are converted to kernel space uids
 * optionally control may be passed to wrapper function that also does conversion
 * then control is passed to kernel level function like
 * kernel level function checks 0x2198 (IoSchedulerDispatcher initialized) flag

if dispatcher is not initialized:
 * kernel level function updates 0x1964 (i/o dirty) and 0x1980 (i/o counter) flags
 * kernel level function spawns separate thread and passes all arguments in single structure
 * separate thread then unpacks all arguments, finds  and calls exported function like
 * exported function packs all arguments into single stucture and calls real callback since it has  with node operation table
 * callback routine should be located in generic device driver, like SceSdstor, SceExfatfs or ScePfsMgr. It unpacks the arguments and then does something. For example SceSdstor dispatches the call further to SceSdif, SceWlanBt, SceMsif and SceUsbMass.
 * kernel level function updates 0x1980 (i/o counter) flag

if dispatcher is initialized:
 * kernel level function passes arguments to wrapper
 * wrapper initializes  and assigns i/o operation index
 * wrapper updates 0x1964 (i/o dirty) and 0x1980 (i/o counter) flags
 * wrapper runs dispatcher function (offset 0x17C00) in separate thread. this function selects proper  function based on i/o operation index.
 * wrapper updates 0x1980 (i/o counter) flag

i/o operation index
Typically operations are dispatched from kernel functions.

However there are exceptions: sceIoLseek32, sceIoDopenAsync, sceIoDreadAsync, sceIoDcloseAsync user functions can be dispatched.

Typically operations have normal and async version - regulated by async flag in.

However there are exceptions: sceIoLseek32, sceIoIoctlForDriver, sceIoDevctlForDriver, sceIoGetstatForDriver_2, sceIoChstatForDriver_2, sceIoDreadForDriver_2 do not have async version.

sceIoMountForDriver
operation index 1 in

sceIoUmountForDriver
operation index 2 in

scePfsMgrVfsMountForDriver
operation index 3 in

scePfsMgrVfsUmountForDriver
operation index 4 in

sceVfsNodeWaitEventFlag
calls  using   from

sceVfsNodeSetEventFlag
calls  using   from

sceIoDreadForDriver
Call interface is same as

sceIoDreadForDriver_2
Derived from _vshIoDread

Implementation is completely the same as sceIoDreadForDriver. The only difference is that st_attr in SceIoStat is not set.

sceIoWriteForDriver
Call interface is same as

sceIoDopenForDriver
Call interface is same as

sceIoLseekForDriver
Call interface is same as

sceIoOpenForDriver
Call interface is same as

sceIoOpenForDriver_2
This is a wrapper for

Pid is used for

sceIoChstatForDriver
Call interface is same as

sceIoChstatForDriver_2
Derived from _vshIoChstat

Implementation is completely the same as sceIoChstatForDriver. The only difference is that (bits = bits & (~0x10000)) operation is not applied.

sceIoGetstatForDriver
Call interface is same as

sceIoGetstatForDriver_2
Derived from _vshIoGetstat

Implementation is completely the same as sceIoGetstatForDriver. The only difference is that st_attr in SceIoStat is not set.

sceIoMkdirForDriver
Call interface is same as

sceIoReadForDriver
Call interface is same as

sceIoCloseForDriver
Call interface is same as

sceIoRenameForDriver
Call interface is same as

sceIoRemoveForDriver
Call interface is same as

sceIoCancelForDriver
Derived from

sceIoChstatAsyncForDriver
Derived from

sceIoChstatByFdAsyncForDriver
Derived from

sceIoChstatByFdForDriver
Derived from

sceIoCloseAsyncForDriver
Derived from

sceIoDevctlAsyncForDriver
Derived from

sceIoDevctlForDriver
Derived from

sceIoDcloseForDriver
Derived from

sceIoFlockForDriver
Derived from

sceIoGetstatByFdAsyncForDriver
Derived from

sceIoGetstatByFdForDriver
Derived from

sceIoGetstatAsyncForDriver
Derived from

sceIoIoctlAsyncForDriver
Derived from

sceIoIoctlForDriver
Derived from

sceIoLseekAsyncForDriver
Derived from

sceIoMkdirAsyncForDriver
Derived from

sceIoOpenAsyncForDriver
Derived from

sceIoPreadAsyncForDriver
Derived from

sceIoPreadForDriver
Derived from

sceIoPwriteAsyncForDriver
Derived from

sceIoPwriteForDriver
Derived from

sceIoReadAsyncForDriver
Derived from

sceIoRemoveAsyncForDriver
Derived from

sceIoRenameAsyncForDriver
Derived from

sceIoRmdirAsyncForDriver
Derived from

sceIoRmdirForDriver
Derived from

sceIoSyncByFdAsyncForDriver
Derived from

sceIoSyncByFdForDriver
Derived from

sceIoSyncAsyncForDriver
Derived from

sceIoSyncForDriver
Derived from

sceIoWriteAsyncForDriver
Derived from

t_sceIoOpenForDriver
thread callback for

t_sceIoCloseForDriver
thread callback for

t_sceIoReadForDriver
thread callback for

t_sceIoWriteForDriver
thread callback for

t_sceIoIoctlForDriver
thread callback for

t_sceIoChstatForDriver
thread callback for

t_sceIoChstatByFdForDriver
thread callback for

t_sceIoPreadForDriver
thread callback for

t_sceIoPwriteForDriver
thread callback for

sceIoCreateMountEventForDriver
Derived from vshIoCreateMountEvent

sceIoCreateErrorEventForDriver
Derived from vshIoCreateErrorEvent

sceIoClearErrorEventForDriver
Derived from vshIoClearErrorEvent

sceIoDeleteMountEventForDriver
Derived from vshIoDeleteMountEvent

sceIoDeleteErrorEventForDriver
Derived from vshIoDeleteErrorEvent

SceIofilemgrForDriver vfs callbacks
Vfs callbacks are harder to reverse since it looks like not all of them are exported. Looks like some of them are not even exposed as subroutines.

Here will go an attempt to desctibe interface of actual callbacks with single ctx argument (as opposed to exported functions that pack arguments into ctx)

SceIofilemgrForDriver vfs node callbacks
It looks like vfs callbacks are exported. Callbacks can be identified using these steps:
 * Find all functions that contain indirect calls
 * Locate only calls that use address, taken from table, that is pointed by vfs_node (offset 0x40, then valid offset inside pointer table)
 * Trace back to first exported function (usually this is single export, not far away in call stack)
 * Turns out ScePfsMgr and SceExfatfs use these exports from their vfs node function callbacks, so this information can be mapped/matched.

vfs_node_func1
arguments are packed into  and passed to   callback

vfs_node_func2
arguments are packed into  and passed to   callback

vfs_node_func3
arguments are packed into  and passed to   callback

vfs_node_func4
arguments are packed into  and passed to   callback

vfs_node_func7
arguments are packed into  and passed to   callback

vfs_node_func8
arguments are packed into  and passed to   callback

vfs_node_func9
arguments are packed into  and passed to   callback

vfs_node_func10
arguments are packed into  and passed to   callback

vfs_node_func11
arguments are packed into  and passed to   callback

vfs_node_func12
arguments are packed into  and passed to   callback

vfs_node_func13
arguments are packed into  and passed to   callback

vfs_node_func14
arguments are packed into  and passed to   callback

vfs_node_func15
arguments are packed into  and passed to   callback

vfs_node_func16
arguments are packed into  and passed to   callback

vfs_node_func17
arguments are packed into  and passed to   callback

vfs_node_func21
arguments are packed into  and passed to   callback

vfs_node_func22
arguments are packed into  and passed to   callback

vfs_node_func23
arguments are packed into  and passed to   callback

vfs_node_func24
arguments are packed into  and passed to   callback

vfs_node_func25
arguments are packed into  and passed to   callback

vfs_node_func26
arguments are packed into  and passed to   callback

vfs_node_func27
arguments are packed into  and passed to   callback

vfs_node_func28
arguments are packed into  and passed to   callback

vfs_node_func29
arguments are packed into  and passed to   callback