jalavoui 97 Posted May 18, 2016

Panic debug procedure:

To debug the kernel/kext u need an Apple ethernet driver installed on the machine u're debugging (machine1).
Then u can connect that machine to a router using an ethernet cable.
Boot machine1 with the flags:

    -v keepsyms=1 pmuflags=1 debug=0x144 kdp_match_name=en1

The flag kcsuffix=debug will load the kernel.debug.
Booting without caches might help load the eth driver b4 other kexts.
Replace en1 with the ethernet card name (open a console and type ifconfig to check).
On a 2nd machine (i used wifi to connect to the network) open a console and type "lldb".
After machine1 boots to desktop press the magic keys: cmd+option+alt+shift+esc (on my pc this is ctrl+windows key+alt+shift+esc).
U will see on screen a line with an ip address (e.g. 192.168.2.2) and a w8 4 debugger attach msg.
Go back to machine2 and on lldb type kdb-remote 192.168.2.2 (u entered kernel debug mode).
If u got no kernel panic type c to unlock machine1 back. U can redo this as needed.
The above procedure can be done using a firewire cable, etc. with some changes.

All this is now obsolete - welcome to xcode kernel debug.

Debugging a kext on a remote kernel using the Xcode GUI
This is a panic catch when loading brcm4360

Howto (using the root account)
- Backup the existing Xcode LLDB framework and replace with the attached.
- Unzip lldbinit. In terminal copy to /var/root. Edit and change the ip address. In terminal type "cp lldbinit .lldbinit"
- Extract kdp.zip. It's a xcode project. Edit the xxx.xcscheme and change the kernel path if needed.
- Open the Xcode project
- Press Run if u get a kernel panic or if u used the kernel magic keys on the remote system.

LLDB patch

    SBTarget::Launch (SBLaunchInfo &sb_launch_info, SBError& error)
    {
    (...)
            if (arch_spec.IsValid())
                launch_info.GetArchitecture () = arch_spec;

            // Patch: instead of launching a local process, source ~/.lldbinit
            // (which holds the remote kernel connection) and adopt the process
            // that the selected target now has.
            SBCommandInterpreter interp = GetDebugger().GetCommandInterpreter();
            SBCommandReturnObject result;
            interp.SourceInitFileInHomeDirectory(result);
            sb_process.SetSP(GetDebugger().GetSelectedTarget().GetProcess().GetSP());
            //error.SetError (target_sp->Launch (launch_info, NULL));
            //sb_process.SetSP(target_sp->GetProcessSP());
        }
        else
        {
            error.SetErrorString ("SBTarget is invalid");
    (...)

    // Patch: flag so the first resume after a remote connect is skipped.
    int PrivateResumeC=0;

    Error
    Process::ConnectRemote (Stream *strm, const char *remote_url)
    {
        m_abi_sp.reset();
        m_process_input_reader.reset();

        // Find the process and its architecture. Make sure it matches the architecture
        // of the current Target, and if not adjust it.
        //SetPublicState (eStateStopped, false);
        PrivateResumeC=0;
        Error error (DoConnectRemote (strm, remote_url));
    (...)

    Error
    Process::PrivateResume ()
    {
        // Patch: on the first resume after connect, report the kernel as stopped
        // so Xcode attaches without trying to run it.
        if (!PrivateResumeC) {
            PrivateResumeC=1;
            SetPrivateState(eStateRunning);
            SetPrivateState(eStateStopped);
            return Error("Process is not running.");
        }
        Log *log(lldb_private::GetLogIfAnyCategoriesSet (LIBLLDB_LOG_PROCESS|LIBLLDB_LOG_STEP));

TODO: Write a xcode.plugin/patch 4 original lldb framework.

This driver works on OS X 10.11.4, tested on 1 AMD and 1 Intel cpu with a RTL8168 card. The patch was trivial - skip a basic hardware probe check in code. Might work on other cards. Can be used as a normal eth driver or to allow debugging the kernel and, most important, new kexts.

Attachments:
- AppleRTL8169Ethernet.kext.zip
- LLDB.framework.zip
- kdp.zip
- lldbinit.zip
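As an added example (not part of the post above), this decodes the boot-args line from the procedure so you can see what each bit of debug=0x144 switches on and whether the KDP interface is named; the DB_* names are taken from xnu's osfmk/kern/debug.h as I know it, so check them against your kernel's headers.

```python
# Added example (not from the post): decode the debug= and kdp_match_name=
# boot-args used above. DB_* names are from xnu's osfmk/kern/debug.h.
DEBUG_BITS = {
    0x1: "DB_HALT",            # halt instead of rebooting on panic
    0x2: "DB_PRT",             # print kernel messages to console
    0x4: "DB_NMI",             # NMI (the magic key chord) drops into the debugger
    0x8: "DB_KPRT",            # kernel printf output to console
    0x20: "DB_SLOG",           # log panics to syslog
    0x40: "DB_ARP",            # KDP answers ARP so remote lldb can reach the host
    0x80: "DB_KDP_BP_DIS",     # disable KDP breakpoints
    0x100: "DB_LOG_PI_SCRN",   # log panic info to the screen
    0x200: "DB_KDP_GETC_ENA",  # wait for a keypress on panic
}

BOOT_ARGS = "-v keepsyms=1 pmuflags=1 debug=0x144 kdp_match_name=en1"

def parse_boot_args(s):
    """Split a boot-args string into {name: value}; bare flags like -v map to True."""
    args = {}
    for tok in s.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            args[k] = v
        else:
            args[tok] = True
    return args

def decode_debug(value):
    """Return the DB_* names set in a debug= value (int or hex string)."""
    bits = int(value, 0) if isinstance(value, str) else value
    names = [name for bit, name in DEBUG_BITS.items() if bits & bit]
    unknown = bits & ~sum(DEBUG_BITS)
    if unknown:
        names.append("unknown:0x%x" % unknown)
    return names

def check_kdp_ready(s):
    """Summarise what the boot-args enable for remote kernel debugging."""
    args = parse_boot_args(s)
    dbg = decode_debug(args.get("debug", "0"))
    return {
        "debug_flags": dbg,
        "nmi_enters_debugger": "DB_NMI" in dbg,
        "arp_for_remote_lldb": "DB_ARP" in dbg,
        "kdp_interface": args.get("kdp_match_name"),
        "keeps_symbols": args.get("keepsyms") == "1",
        "debug_kernel": args.get("kcsuffix") == "debug",
    }
```

Running check_kdp_ready(BOOT_ARGS) shows that 0x144 is DB_NMI plus DB_ARP plus DB_LOG_PI_SCRN, which is why the key chord drops into the debugger and the second machine can find machine1 over ethernet.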
jalavoui 97 Posted April 1, 2017 (Author)

Howto catch an opcode

During kernel boot or after you load a driver u can get this:

    Apr 1 17:50:57 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00
    Apr 1 17:50:57 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00
    Apr 1 17:50:57 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00
    Apr 1 17:50:58 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00

The address in this case is ff ff ff + 80 00 10 e0 96, so in xcode, after u use the magic keys to enter debug mode, u type:

    break 0xffffff800010e096

Then u can resume the process (type c). The debugger will stop on the right function and show where the opcode bug is. If u use the kernel source code (or other apple source code) u get a very good trace of the opcode.

To debug a graphic driver on the AMD7000: if u get a bug u can easily trace it using opcodes cause the driver breaks and u can catch it on logs. AMD8000/9000 don't have this behavior - they just exit silently - this makes debugging much harder.

more soon
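The by-hand byte reversal in the post above, done as a small parser (added example, not part of the post): the 16 bytes logged after "invalid kernel opcode (64-bit):" start with a little-endian 64-bit pointer, so unpacking the first 8 bytes gives the address to break on. The sample log text is constructed from the lines quoted above.

```python
import re
import struct

# Constructed sample: the syslog lines quoted in the post, plus one unrelated line.
LOG = """\
Apr 1 17:50:57 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00
Apr 1 17:50:57 localhost kernel[0]: invalid kernel opcode (64-bit): 96 e0 10 00 80 ff ff ff 08 00 00 00 00 00 00 00
Apr 1 17:50:58 localhost kernel[0]: some unrelated message
"""

# 8 to 16 hex byte pairs follow the marker; the post's lines carry 16.
OPCODE_RE = re.compile(
    r"invalid kernel opcode \(64-bit\): (?P<bytes>(?:[0-9a-fA-F]{2} ?){8,16})"
)

def parse_opcode_line(line):
    """Return (address, trailing_bytes) for an opcode report line, else None.

    The first 8 bytes are a little-endian pointer, so '96 e0 10 00 80 ff ff ff'
    reads as 0xffffff800010e096, exactly the reversal the post does by hand.
    The remaining bytes are returned untouched; the post does not use them.
    """
    m = OPCODE_RE.search(line)
    if not m:
        return None
    raw = bytes.fromhex(m.group("bytes").replace(" ", ""))
    addr = struct.unpack("<Q", raw[:8])[0]
    return addr, raw[8:]

def addresses_from_log(text):
    """Unique faulting addresses, in order of first appearance (the log repeats)."""
    seen = []
    for line in text.splitlines():
        hit = parse_opcode_line(line)
        if hit and hit[0] not in seen:
            seen.append(hit[0])
    return seen

def lldb_breakpoint_commands(text):
    """One 'break 0x...' line per unique address, in the form the post uses."""
    return ["break 0x%016x" % a for a in addresses_from_log(text)]

if __name__ == "__main__":
    for cmd in lldb_breakpoint_commands(LOG):
        print(cmd)
```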
Rocky12 511 Posted May 20, 2017

Great news, really appreciate your help and support.
hackaudio 1 Posted August 28, 2017

> Panic debug procedure: To debug the kernel/kext u need an Apple ethernet driver installed on the machine u're debugging (machine1)

What do you mean by `Apple ethernet driver'? Does the debug kernel need specific hardware?

    $ ls -l /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns
    total 0
    drwxr-xr-x 3 root wheel 102 4 15 07:44 AppleBCM5701Ethernet.kext
    drwxr-xr-x 3 root wheel 102 4 15 07:43 AppleIntel8254XEthernet.kext
    drwxr-xr-x 3 root wheel 102 4 15 07:44 AppleIntelI210Ethernet.kext
    drwxr-xr-x 3 root wheel 102 4 15 07:49 AppleVmxnet3Ethernet.kext
    drwxr-xr-x 3 root wheel 102 4 15 07:43 AppleYukon2.kext
    drwxr-xr-x 3 root wheel 102 4 15 07:35 IOEthernetAVBController.kext
    drwxr-xr-x 3 root wheel 102 4 15 07:43 Intel82574L.kext
    drwxr-xr-x 3 root wheel 102 4 15 07:35 mDNSOffloadUserClient.kext
    drwxr-xr-x 3 root wheel 102 4 15 07:52 nvenet.kext

Is it possible to debug a kernel panic which happens on a Hackintosh?

reference: https://wikileaks.org/ciav7p1/cms/page_17760389.html