
macOS 11.0.1+ Kernel Debugging on Windows

Environment

Windows 11 23H2
VMWare Workstation 17.6.2
DrDonk’s Unlocker

Guest

macOS 11.0.1, 4 cores, 4 GB RAM

  • Boot into recovery mode using recovery_vmdk.zip
  • Disable OS mitigations
    • $ csrutil disable
    • $ csrutil authenticated-root disable
  • Reboot back into macOS
  • Install Kernel Debug Kit 11.0.1 build 20B29
  • Mount the root filesystem and make it modifiable
    • $ mkdir -p -m777 ~/mount
    • $ df -h
      If "Mounted on" == "/" and Filesystem == "/dev/disk1s5s1", then
      $ sudo mount -o nobrowse -t apfs /dev/disk1s5 ~/mount

      e.g.
seo@seos-Mac-2 ~ % df -h
Filesystem       Size   Used  Avail Capacity iused      ifree %iused  Mounted on
/dev/disk1s5s1  128Gi   15Gi   82Gi    16%  563940 1339564940    0%   /
devfs           187Ki  187Ki    0Bi   100%     648          0  100%   /dev
/dev/disk1s4    128Gi  1.0Mi   82Gi     1%       3 1340128877    0%   /System/Volumes/VM
/dev/disk1s2    128Gi  334Mi   82Gi     1%     688 1340128192    0%   /System/Volumes/Preboot
/dev/disk1s6    128Gi  688Ki   82Gi     1%      18 1340128862    0%   /System/Volumes/Update
/dev/disk1s1    128Gi   30Gi   82Gi    27%  773081 1339355799    0%   /System/Volumes/Data
map auto_home     0Bi    0Bi    0Bi   100%       0          0  100%   /System/Volumes/Data/home
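
      The rule above (find the device backing "/", drop the trailing snapshot suffix "s1", mount the parent volume) as a small POSIX sh helper. This is an added example, not part of the original post; it runs on a constructed df sample copied in shape from the output above, and the function names are my own.

```shell
#!/bin/sh
# Derive the writable APFS parent volume from the sealed snapshot that backs "/".
# On Big Sur "/" is mounted from /dev/diskNsMs1 (a snapshot); the volume that
# can be mounted read/write is /dev/diskNsM, i.e. the same device without "s1".

# Constructed sample in the shape of `df -h` on the guest (not live data).
SAMPLE_DF='Filesystem       Size   Used  Avail Capacity iused      ifree %iused  Mounted on
/dev/disk1s5s1  128Gi   15Gi   82Gi    16%  563940 1339564940    0%   /
devfs           187Ki  187Ki    0Bi   100%     648          0  100%   /dev
/dev/disk1s1    128Gi   30Gi   82Gi    27%  773081 1339355799    0%   /System/Volumes/Data'

# root_device DF_TEXT -> Filesystem column of the line whose mount point is "/".
# Assumes mount points contain no spaces, which holds for the system volumes.
root_device() {
    printf '%s\n' "$1" | awk '$NF == "/" { print $1; exit }'
}

# parent_volume DEVICE -> DEVICE with its snapshot suffix "s1" removed.
# Fails (prints nothing) if DEVICE does not look like /dev/diskNsMs1, so a
# plain volume such as /dev/disk1s1 is never "fixed up" into nonsense.
parent_volume() {
    case "$1" in
        /dev/disk[0-9]*s[0-9]*s1) printf '%s\n' "${1%s1}" ;;
        *) return 1 ;;
    esac
}

# writable_root_cmd DF_TEXT -> the mount command from the post, with the
# device derived from df instead of typed by hand.
writable_root_cmd() {
    dev=$(root_device "$1")
    [ -n "$dev" ] || return 1
    parent=$(parent_volume "$dev") || return 1
    printf 'sudo mount -o nobrowse -t apfs %s ~/mount\n' "$parent"
}

writable_root_cmd "$SAMPLE_DF"
```

      On a real guest, replace SAMPLE_DF with "$(df -h)" and run the printed command.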

  • Grab and patch kernel.development from /Library/Developer/KDKs/KDK_11.0.1_20B29.kdk/System/Library/Kernels
    • Analyze it with IDA Pro and find the string “Console I/O from interrupt-disabled context …”
    • Patch the code so that it does not panic with that string.

      Address           Length  Original bytes      Patched bytes
      FFFFFF80004A0E98  0x6     0F 84 DE 02 00 00   90 90 90 90 90 90
      FFFFFF80004A1312  0x6     0F 84 24 02 00 00   90 90 90 90 90 90

  • Put the patched kernel.development into ~/mount/System/Library/Kernels and apply it.
    • $ sudo kmutil install --volume-root / --update-all
    • $ sudo kmutil install --volume-root ~/mount --update-all
    • $ sudo bless --mount ~/mount -bootefi -create-snapshot

  • Set the new boot-args in NVRAM
    • $ sudo nvram boot-args="debug=0x141 kdp_match_name=en0 wdt=-1 -v kcsuffix=development wlan.skywalk.enable=0 dk=0 tlbto_us=0 vti=9 slide=0"

  • Reboot; if everything went correctly, the kernel prints that string:
    • ethernet MAC address: 00:0c:29:e2:92:14
      ip address: 192.168.152.139

      Waiting for remote debugger connection.

Host

macOS 12.3.1, 16 cores, 4 GB RAM

  • $ xcode-select --install
  • Install Kernel Debug Kit 11.0.1 build 20B29
  • Debug the guest VM
    • $ lldb
    • (lldb) target create /Library/Developer/KDKs/KDK_11.0.1_20B29.kdk/System/Library/Kernels/kernel.development
    • (lldb) kdp-remote 192.168.152.139

Happy Debugging!

Reference

https://apple.stackexchange.com/questions/395508/can-i-mount-the-root-system-filesystem-as-writable-in-big-sur

https://github.com/DrDonk/unlocker/wiki/Create-a-bootable-macOS-Recovery-virtual-disk

https://discord.com/channels/1279669879062003754/1279669879062003758/1342168812258201691

https://kernelshaman.blogspot.com/2021/02/building-xnu-for-macos-112-intel-apple.html

https://github.com/DrDonk/unlocker
