
Kernel Debugging - OSX (part II)

Last time we talked about how to get a kernel debug session between a natively running debugger machine (a.k.a. Host) and an OSX VM running under VMware Fusion. It was fun, right?

In fact, the fun part(s) is (are) yet to come! First, my immediate task is to get an XNU kernel built in a VM, and replace the off-the-shelf kernel (named mach_kernel or kernel or kernel.debug ...). Then get a kernel debugging session going between that VM and the Host. Building the kernel is fine. I can build the XNU package for 10.10 and 10.9, but running with or without the kernel debug configuration is where I'm really challenged. With the same steps as discussed in part I, I landed on Kernel waiting for Debugger connection, but the IP address as well as the MAC address are all 0s in their respective formats. Clearly there is some problem!

On the other hand, if I try to run the newly built kernel without the debugger configuration, it hangs. And it does not matter if it is a RELEASE or DEBUG build. Here comes KDP, the kernel debugging protocol. FreeBSD has basically the same idea. This protocol is based on TTCP over UDP. As far as I know, this is not self-contained when it comes to the configuration side of the interfaces. This is the bridged-interface feature of VMware virtualization. This I will tackle later. But what is really the problem? AFAIK, the KDP part initializes a few IP-related fields to 0s, and there are outer layers that do not come with the XNU source (but some are on opensource.apple.com) that keep the configuration intact when it comes to a full OSX build.

One thing I did not mention in part I is that we need to map the symbols and sources when we need to debug a kext. This is like external driver programming. For that, the first thing to find out is what version of OSX you are running. It can be found from the Apple icon. Also, from a tty, uname -a will give you a bit more information. Once you know what version you are running, go to the Apple site and download the respective "Kernel Debugging Kit" onto your Host. In most versions of the Kernel Debugging Kit, installing the dmg file is nothing but mounting the package. Once mounted, you will see a Readme xml file. That has information about how to invoke LLDB, and that's it. You have symbolic debugging. Just start the VM with kernel debugging configured as explained in part I, invoke LLDB, and play with the instructions given in the Readme xml file.

Note that using the Kernel Debugging Kit implies that you are still using the off-the-shelf XNU kernel that comes with the OS image. This is a complete build of Mac OSX, not just the XNU kernel code.

Next, we will get to a bit deeper side of kernel hacking. For now, happy hacking!

Posted on Friday, April 3, 2015 at 09:25PM by Prokash Sinha
