Realtek Ethernet Panic Debug Driver Using Xcode UI

[jalavoui 89]

Panic debug procedure:

 

 

To debug the kernel/kext u need an Apple ethernet driver installed on the machine u're debugging (machine1)

 

Then u can connect that machine to a router using a ethernet cable

 

Boot the machine1 with flags -v keepsyms=1 pmuflags=1 debug=0x144 kdp_match_name=en1

The flag kcsuffix=debug will load the kernel.debug

Booting without caches might help load the eth driver b4 other kexts.

Replace en1 with ethernet card name (open a console and type ifconfig to check)

 

 

On a 2nd machine (i used wifi to connect to the network) open a console and type "lldb"

After machine1 boots to desktop press the magic keys: cmd+option+alt+shift+esc

on my pc this is ctrl+windows key+alt+shift+esc

 

U will see on screen a line with ip address (e.g 192.168.2.2) and a w8 4 debugger attach msg

 

Go back to machine2 and on lldb type

kdb-remote 192.168.2.2 (u entered kernel debug mode)

 

if u got no kernel panic type

c

to unlock machine1 back

 

u can redo this as need

 

The above procedure can be done using a firewire cable, etc with some changes. Al this is now obsolete - welcome to xcode kernel debug.

 

 

 

Debuging a kext on a remote kernel using the Xcode GUI

 

 

This is a panic catch when loading brcm4360

 

Howto (using the root account)

 

- Backup The existing Xcode LLDB framework and replace with the attached.

- Unzip lldbinit. In terminal copy to /var/root. Edit and change the ip address. In terminal type "cp lldbinit .lldbinit"

- Extract kdp.zip. It's a xcode project. Edit the xxx.xcscheme and change kernel path if need.

- Open the Xcode project - Press Run if u get a kernel panic or if u used the kernel magic keys on the remote system.

 

LLDB patch

SBTarget::Launch (SBLaunchInfo &sb_launch_info, SBError& error)
{
(...)
        if (arch_spec.IsValid())
            launch_info.GetArchitecture () = arch_spec;

        
        SBCommandInterpreter interp = GetDebugger().GetCommandInterpreter();
        SBCommandReturnObject result;
        interp.SourceInitFileInHomeDirectory(result);
        sb_process.SetSP(GetDebugger().GetSelectedTarget().GetProcess().GetSP());
        
            //error.SetError (target_sp->Launch (launch_info, NULL));
            //sb_process.SetSP(target_sp->GetProcessSP());
        
    }
    else
    {
        error.SetErrorString ("SBTarget is invalid");


(...)


int PrivateResumeC=0;

Error
Process::ConnectRemote (Stream *strm, const char *remote_url)
{
    m_abi_sp.reset();
    m_process_input_reader.reset();
    
    // Find the process and its architecture.  Make sure it matches the architecture
    // of the current Target, and if not adjust it.
    //SetPublicState (eStateStopped, false);
    PrivateResumeC=0;
    Error error (DoConnectRemote (strm, remote_url));

(...)

Error
Process::PrivateResume ()
{
    
    if (!PrivateResumeC)
    {
        PrivateResumeC=1;
        SetPrivateState(eStateRunning);
        SetPrivateState(eStateStopped);
        return Error("Process is not running.");
    }
    
    Log *log(lldb_private::GetLogIfAnyCategoriesSet (LIBLLDB_LOG_PROCESS|LIBLLDB_LOG_STEP));

TODO: Write a xcode.plugin/patch 4 original lldb framework.

 

This driver works on OS X 10.11.4 , tested on 1 AMD and 1 Intel cpus with a RTL8168 card.

The patch was trivial - skip a basic hadrware probe check in code. Might work on other cards.

 

 

Can be used as a normal eth driver or to allow debuging the kernel and most important new kexts.

 

 

AppleRTL8169Ethernet.kext.zip

LLDB.framework.zip

kdp.zip

lldbinit.zip

[jalavoui 89]

Howto catch a opcode

 

during kernel boot or after you load a driver u can get this

Apr  1 17:50:57 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00 
Apr  1 17:50:57 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00 
Apr  1 17:50:57 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00 
Apr  1 17:50:58 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00 

the address in this case is ff ff ff + 80 00 10 e0 96

 

so in xcode after u use the magic keys to enter debug mode u type 

 

break 0xffffff800010e096

 

then u can resume the process (type c)

 

the debugger will stop on the right function and show where the opcode bug is.

if u use the kernel source code (or other apple source code) u get a very good trace of the opcode.

 

 

To debug a graphic driver

 

on the AMD7000 if u get a bug u can easily trace it using opcodes cause the driver breaks and u can catch it on logs

AMD8000,9000 don't have this behavior - they just exit silently -  this make debugging much harder

 

more soon

[Rockey12 296]

Great news

really appreciate your help and support  

[hackaudio 1]

Panic debug procedure:

 

 

To debug the kernel/kext u need an Apple ethernet driver installed on the mau're debugging (machine1)

What do you mean `Apple ethernet driver'? Does debug kernel need specific hardware?

$ ls -l /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns
total 0
drwxr-xr-x  3 root  wheel  102  4 15 07:44 AppleBCM5701Ethernet.kext
drwxr-xr-x  3 root  wheel  102  4 15 07:43 AppleIntel8254XEthernet.kext
drwxr-xr-x  3 root  wheel  102  4 15 07:44 AppleIntelI210Ethernet.kext
drwxr-xr-x  3 root  wheel  102  4 15 07:49 AppleVmxnet3Ethernet.kext
drwxr-xr-x  3 root  wheel  102  4 15 07:43 AppleYukon2.kext
drwxr-xr-x  3 root  wheel  102  4 15 07:35 IOEthernetAVBController.kext
drwxr-xr-x  3 root  wheel  102  4 15 07:43 Intel82574L.kext
drwxr-xr-x  3 root  wheel  102  4 15 07:35 mDNSOffloadUserClient.kext
drwxr-xr-x  3 root  wheel  102  4 15 07:52 nvenet.kext

Is it possible to debug kernel panic which happen on a Hackintosh?

 

reference:

https://wikileaks.org/ciav7p1/cms/page_17760389.html