Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep


Simplifying things

There is a lot to do to get gdb set up for live kernel debugging. One must download the correct kernel debug kit, create the correct symbols on the target machine, and move them to the debug machine. Following that, one must start gdb, import the symbols, generate an NMI on the target machine, and connect the debugger. These tasks should be automated as much as possible or one will be stuck typing the same commands repeatedly. On the target machine, the command to create the symbols for AirPortAtheros5424 is simple:

kextload -A -s /tmp/symbols \
   /System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros5424.kext

This will create the required symbols in /tmp/symbols/ (kextload writes one .sym file for the kext and one for each of its dependencies, which is why the script below loads four of them). /tmp/symbols can be archived and transferred to the debugging machine. On the debugging machine a script will do most of the manual tasks and define a macro for connecting to the target machine. The contents of OSXkernel_setup:

file /Volumes/KernelDebugKit/mach_kernel
set architecture i386
source /Volumes/KernelDebugKit/kgmacros
add-symbol-file /Users/dave/symbols/com.apple.driver.AirPortAtheros5424.sym
add-symbol-file /Users/dave/symbols/com.apple.iokit.IOPCIFamily.sym
add-symbol-file /Users/dave/symbols/com.apple.iokit.IO80211Family.sym
add-symbol-file /Users/dave/symbols/com.apple.iokit.IONetworkingFamily.sym
set disassembly-flavor intel

define knock
	target remote-kdp
	attach $arg0
end

This script is sourced at gdb startup in place of typing the whole sequence of commands by hand. The knock macro replaces the two commands (target remote-kdp and attach) that would otherwise have to be typed every time one connects to the target machine; the target must already have taken an NMI before knock is run.

(gdb) knock 192.168.1.20
Connected.
(gdb)
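The two repetitive halves of that setup, symbol generation on the target and writing the add-symbol-file lines on the debug machine, can be scripted. The following is an added example, not code from the original article: make_symbols is meant for the target (it runs kextload -A -s for each kext named and tars the result for transfer), and gen_gdb_setup runs on the debug machine and emits an OSXkernel_setup-style gdb script from whatever .sym files landed in the symbols directory. It assumes the Kernel Debug Kit is mounted at /Volumes/KernelDebugKit with kgmacros at its top level (override with the KDK variable); both are assumptions, not something the article states.

```shell
#!/bin/sh
# Added example, not code from the original article.
#   make_symbols  - run on the TARGET: kextload -A -s for each kext, then tar
#   gen_gdb_setup - run on the DEBUG machine: emit a gdb setup script from
#                   the .sym files found in a directory
# Assumption (not from the article): the Kernel Debug Kit is mounted at $KDK
# and kgmacros sits at its top level.

KDK="${KDK:-/Volumes/KernelDebugKit}"

# make_symbols SYMDIR KEXT...  -> SYMDIR.tar containing the generated .sym files
make_symbols() {
    symdir="$1"; shift
    command -v kextload >/dev/null 2>&1 || {
        echo "kextload not found; run this on the target machine" >&2; return 1; }
    mkdir -p "$symdir" || return 1
    for kext in "$@"; do
        # -A records the addresses the kexts are loaded at right now, so the
        # symbols only match this boot of the target
        kextload -A -s "$symdir" "$kext" || return 1
    done
    tar -cf "$symdir.tar" -C "$(dirname "$symdir")" "$(basename "$symdir")"
}

# gen_gdb_setup SYMDIR [ARCH]  -> gdb script on stdout
gen_gdb_setup() {
    symdir="$1"
    arch="${2:-i386}"
    [ -d "$symdir" ] || { echo "no such directory: $symdir" >&2; return 1; }
    printf 'file %s/mach_kernel\n' "$KDK"
    printf 'set architecture %s\n' "$arch"
    printf 'source %s/kgmacros\n' "$KDK"
    for sym in "$symdir"/*.sym; do
        # an unmatched glob is left as the literal pattern: treat it as an error
        [ -f "$sym" ] || { echo "no .sym files in $symdir" >&2; return 1; }
        printf 'add-symbol-file %s\n' "$sym"
    done
    printf 'set disassembly-flavor intel\n'
    cat <<'EOF'

define knock
	target remote-kdp
	attach $arg0
end
EOF
}

# usage on the debug machine:
#   gen_gdb_setup ~/symbols i386 > OSXkernel_setup && gdb -x OSXkernel_setup
```

Because gen_gdb_setup picks up every .sym file in the directory, the script does not need editing when a kext with a different set of dependencies is audited; untar the new symbols, regenerate, and start gdb with -x on the result.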

One thing to note about kernel debugging is that the module being audited does not always load at the same address. The symbol files produced by kextload -A record the load addresses in effect on the target at the time, so if the module comes up somewhere else after a reboot, nothing will match up correctly and new symbols must be generated (kextload -A -s on the target again, then copied over). The author has not observed this happening often: one can boot a machine 100 times and the module will be at the same address 99 out of 100 times, and the one time it is not, a simple reboot should bring the module back to the expected address. A quick check before copying symbols is to compare the address kextstat reports for the kext on the target with what it showed when the symbols were generated.