SceExcpmgr

SceExcpmgr is a kernel module that sets up exception handling and a version exists in both worlds. In non-secure world, after the kernel is booted up, the exception handlers pointed to by VBAR all jump into code in this module.

Module
This module exists in both non-secure and secure world. The non-secure world SELF can be found in.

Libraries
This module only exports kernel libraries.

sceKernelRegisterPriorityExceptionHandlerForKernel
Also named ksceExcpmgrRegisterHandler.

Installs an exception handler.

The handler must be ARM code, not Thumb, and the allowed priority values are 0 to 7 (inclusive).

Where excpcode can be:
 * Reset: excpcode = 0
 * Undefined Instruction: excpcode = 1
 * Supervisor Call: excpcode = 2
 * Prefetch Abort: excpcode = 3
 * Data Abort: excpcode = 4
 * Not used: excpcode = 5
 * IRQ interrupt: excpcode = 6
 * FIQ interrupt: excpcode = 7
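The following is an added C example, not code from SceExcpmgr or the Vita kernel, modelling the checks the text describes for sceKernelRegisterPriorityExceptionHandlerForKernel: the excpcode values listed above, priorities 0 to 7 inclusive, and the ARM-not-Thumb rule (modelled through the ARM interworking convention that a code address with bit 0 set is a Thumb entry point). The table layout, the function names excp_register/excp_dispatch/excp_demo, the status codes and the rule that priority 0 runs first are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Exception codes exactly as listed on the page. */
enum excpcode {
    EXCP_RESET  = 0,
    EXCP_UNDEF  = 1,
    EXCP_SVC    = 2,
    EXCP_PABT   = 3,
    EXCP_DABT   = 4,
    EXCP_UNUSED = 5,
    EXCP_IRQ    = 6,
    EXCP_FIQ    = 7,
    EXCP_COUNT  = 8
};

#define EXCP_PRIO_MAX 7   /* priorities 0..7 inclusive, per the page */

typedef void (*excp_handler_t)(void);

/* Assumed layout: one slot per (excpcode, priority) pair. */
struct excp_table {
    excp_handler_t slot[EXCP_COUNT][EXCP_PRIO_MAX + 1];
};

/* Hypothetical status codes; the real return values are not on the page. */
enum { EXCP_OK = 0, EXCP_EINVAL = -1, EXCP_EBUSY = -2 };

int excp_register(struct excp_table *t, int excpcode, int priority,
                  excp_handler_t handler)
{
    if (t == NULL || handler == NULL)
        return EXCP_EINVAL;
    if (excpcode < 0 || excpcode >= EXCP_COUNT)
        return EXCP_EINVAL;
    if (priority < 0 || priority > EXCP_PRIO_MAX)
        return EXCP_EINVAL;
    /* "Must be ARM, not Thumb": under the ARM interworking convention an
     * address with bit 0 set is a Thumb entry point, so it is refused. */
    if (((uintptr_t)handler & 1u) != 0)
        return EXCP_EINVAL;
    if (t->slot[excpcode][priority] != NULL)
        return EXCP_EBUSY;   /* assumed policy: one handler per slot */
    t->slot[excpcode][priority] = handler;
    return EXCP_OK;
}

/* Run every handler registered for one exception, lowest priority value
 * first (assumption). Returns the number of handlers invoked, -1 on bad input. */
int excp_dispatch(const struct excp_table *t, int excpcode)
{
    int ran = 0;
    if (t == NULL || excpcode < 0 || excpcode >= EXCP_COUNT)
        return -1;
    for (int p = 0; p <= EXCP_PRIO_MAX; p++) {
        if (t->slot[excpcode][p] != NULL) {
            t->slot[excpcode][p]();
            ran++;
        }
    }
    return ran;
}

/* Constructed handler for the demos below. */
static int demo_hits;
static void demo_dabt_handler(void) { demo_hits++; }

/* Registers two data-abort handlers and returns how many ran on dispatch. */
int excp_demo(void)
{
    struct excp_table t = {0};
    demo_hits = 0;
    excp_register(&t, EXCP_DABT, 3, demo_dabt_handler);
    excp_register(&t, EXCP_DABT, 0, demo_dabt_handler);
    return excp_dispatch(&t, EXCP_DABT);   /* 2 */
}

/* Attempts to register a Thumb-flavoured address (bit 0 set) and returns
 * the status, which the ARM-only rule turns into EXCP_EINVAL. */
int excp_demo_thumb_rejected(void)
{
    struct excp_table t = {0};
    excp_handler_t thumb = (excp_handler_t)((uintptr_t)demo_dabt_handler | 1u);
    return excp_register(&t, EXCP_UNDEF, 1, thumb);
}

int main(void)
{
    printf("handlers run on data abort: %d\n", excp_demo());
    printf("thumb address status: %d\n", excp_demo_thumb_rejected());
    return 0;
}
```

The bit-0 test is the cheap static check a registration routine can make; it does not prove the target is valid ARM code, only that the caller did not hand over a Thumb interworking address.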

Unknown functions
 * SceExcpmgrForKernel_00063675: 0x00063675
 * SceExcpmgrForKernel_1FBF5654: 0x1FBF5654
 * SceExcpmgrForKernel_293DFA04: 0x293DFA04
 * SceExcpmgrForKernel_3E55B5C3: 0x3E55B5C3
 * SceExcpmgrForKernel_416C0E20: 0x416C0E20
 * SceExcpmgrForKernel_4337DD78: 0x4337DD78
 * SceExcpmgrForKernel_44CE04B8: 0x44CE04B8
 * SceExcpmgrForKernel_5420ED8F: 0x5420ED8F
 * SceExcpmgrForKernel_58F7212B: 0x58F7212B
 * SceExcpmgrForKernel_64A057C7: 0x64A057C7
 * SceExcpmgrForKernel_96C2869C: 0x96C2869C
 * SceExcpmgrForKernel_9EE59C6E: 0x9EE59C6E
 * SceExcpmgrForKernel_B615A7DA: 0xB615A7DA
 * SceExcpmgrForKernel_B7B10796: 0xB7B10796
 * SceExcpmgrForKernel_D195E55C: 0xD195E55C
 * SceExcpmgrForKernel_DA7BB671: 0xDA7BB671
 * SceExcpmgrForKernel_E7487AFD: 0xE7487AFD

SVC
The syscall interface is defined in the non-secure kernel as: On return, R1-R3 and R12 are cleared to 0x0 or 0xDEADBEEF to prevent any data leaks. All user pointers passed to syscalls are accessed with the ARM instructions LDRT and STRT so that the hardware enforces the permission checks. Syscalls 0x0 - 0xFF are likely a "fastcall" interface that does not mask interrupts or set the DACR; however, no such fastcalls are currently defined. Syscalls 0x100 - 0xFFF are made with IRQ interrupts masked and DACR set to 0xFFFF0000 (to prevent access to certain memory domains). Any other syscall numbers are invalid.

System calls are handled in "system" mode defined in ARMv7 (mode 0b11111).

User-exported functions loaded by SceKernelModulemgr are exported as syscalls. The numbers assigned to the syscalls are randomized per library but not within a library. That means, for example, that two functions exported by the same library are always the same distance apart in syscall number, even though their absolute numbers change on each boot.

There is no SVC in secure world because all code in secure world is running as kernel.

SMC
The SMC interface for making a non-secure kernel call into the secure kernel is: The SMC interface is very similar to SVC from userland to the non-secure kernel. The SMC handler and MVBAR are set up in secure world by SceExcpmgrForTZS. 0x0 - 0xFF are fast service calls. 0x100 - 0xFFF are normal service calls run with IRQs masked.

Secure services run in ARM system processor mode (0b11111) in the secure world.

SMC calls are registered by SceIntrmgrForTZS.
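The following is an added C example, not code from the Vita kernel, that models the call-number classes the SVC and SMC sections both describe (0x0 - 0xFF fast, 0x100 - 0xFFF normal with IRQs masked, anything else invalid), the DACR value 0xFFFF0000 the SVC path loads, and the R1-R3/R12 scrub on return. The names call_classify, call_entry, dacr_domain, dacr_blocked_domains and svc_scrub_return are assumptions; the page only states IRQ masking for SMC, so the model leaves DACR untouched on that path (an assumption). The DACR decoding reflects the ARMv7 domain-field layout (two bits per domain: 0b00 no access, 0b01 client, 0b11 manager) and shows what 0xFFFF0000 actually does: it shuts off domains 0-7 and leaves 8-15 as manager.

```c
#include <stdint.h>
#include <stdio.h>

/* Number ranges shared by the SVC and SMC interfaces, per the page. */
enum call_class { CALL_FAST, CALL_NORMAL, CALL_INVALID };

enum call_class call_classify(uint32_t num)
{
    if (num <= 0xFF)
        return CALL_FAST;      /* 0x0 - 0xFF: fastcall / fast service call */
    if (num <= 0xFFF)
        return CALL_NORMAL;    /* 0x100 - 0xFFF: entered with IRQs masked */
    return CALL_INVALID;       /* anything else is rejected */
}

enum call_path { PATH_SVC, PATH_SMC };

#define DACR_SVC_NORMAL 0xFFFF0000u   /* value the page gives for SVC 0x100-0xFFF */

/* Entry conditions the dispatcher establishes before running the handler. */
struct entry_ctx {
    int      accepted;    /* 0 if the number is invalid */
    int      irq_masked;  /* IRQs masked on entry? */
    int      dacr_set;    /* does this path load DACR? */
    uint32_t dacr;        /* value loaded when dacr_set */
};

struct entry_ctx call_entry(enum call_path path, uint32_t num)
{
    struct entry_ctx c = {0, 0, 0, 0};
    switch (call_classify(num)) {
    case CALL_FAST:
        c.accepted = 1;                 /* no IRQ mask, DACR untouched */
        break;
    case CALL_NORMAL:
        c.accepted = 1;
        c.irq_masked = 1;
        if (path == PATH_SVC) {         /* page: SVC loads DACR = 0xFFFF0000 */
            c.dacr_set = 1;
            c.dacr = DACR_SVC_NORMAL;
        }
        /* Assumption: SMC only masks IRQs; the page states nothing about DACR. */
        break;
    case CALL_INVALID:
        break;
    }
    return c;
}

/* ARMv7 DACR: 16 two-bit fields, domain d at bits [2d+1:2d]. */
enum domain_access { DOM_NOACCESS = 0, DOM_CLIENT = 1, DOM_RESERVED = 2, DOM_MANAGER = 3 };

enum domain_access dacr_domain(uint32_t dacr, unsigned domain)
{
    return (enum domain_access)((dacr >> (2u * (domain & 15u))) & 3u);
}

/* Number of domains a DACR value shuts off entirely (0b00). */
int dacr_blocked_domains(uint32_t dacr)
{
    int n = 0;
    for (unsigned d = 0; d < 16; d++)
        if (dacr_domain(dacr, d) == DOM_NOACCESS)
            n++;
    return n;
}

/* Model of the return-path scrub: R1-R3 and R12 are overwritten with 0x0
 * or 0xDEADBEEF so kernel temporaries do not reach userland. R0 is assumed
 * to carry the return value (ARM calling convention) and is left alone. */
struct regs { uint32_t r[13]; };

void svc_scrub_return(struct regs *rf, uint32_t fill)
{
    rf->r[1] = rf->r[2] = rf->r[3] = fill;
    rf->r[12] = fill;
}

int main(void)
{
    struct entry_ctx c = call_entry(PATH_SVC, 0x123);
    printf("svc 0x123: irq_masked=%d dacr=0x%08X blocked_domains=%d\n",
           c.irq_masked, c.dacr, dacr_blocked_domains(c.dacr));
    printf("svc 0x1000 accepted: %d\n", call_entry(PATH_SVC, 0x1000).accepted);
    return 0;
}
```

The domain decode is the part worth keeping in mind when reading the "prevent access to certain memory domains" remark: a DACR of 0xFFFF0000 does not make the kernel check permissions more strictly, it removes access to the low eight domains outright while the high eight bypass permission checks completely, so which domain a page table entry sits in decides whether the syscall path can touch it at all.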

Aborts
On development units, the data and prefetch abort handlers can handle the BKPT instruction for software breakpoints. SceDebug uses this to handle usermode breakpoints. There is no built-in support for BKPT in kernel code.

SceSysmem uses data aborts with the  and   instructions to implement user pointer checking. When LDRT/STRT raises an MMU data exception because of an invalid access and the exception came from the  or   (or related functions), the data abort handler resumes execution.

IRQ
IRQs are only handled in non-secure world. An IRQ in secure world is fatal. See SceKernelIntrMgr.

FIQ
FIQs are only handled in secure world because of the bit set in the SCR. Because of this, it is likely that secure devices such as the F00D Processor use FIQs to communicate with the Cortex A9 cores. See SceKernelIntrMgr.