{"id":2767,"date":"2025-02-21T09:40:45","date_gmt":"2025-02-21T00:40:45","guid":{"rendered":"https:\/\/h4ck.kr\/?p=2767"},"modified":"2025-02-25T02:07:11","modified_gmt":"2025-02-24T17:07:11","slug":"macos-11-0-1-kernel-debugging-on-windows","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=2767","title":{"rendered":"macOS 11.0.1+ Kernel Debugging on Windows"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Environment<\/h2>\n\n\n\n<p>Windows 11 23H2<br>VMWare Workstation 17.6.2<br><a href=\"https:\/\/github.com\/DrDonk\/unlocker\">DrDonk&#8217;s Unlocker<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Guest<\/h2>\n\n\n\n<p><strong>macOS 11.0.1, 4Core, 4G Ram<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Boot recovery mode using <a href=\"https:\/\/github.com\/DrDonk\/unlocker\/wiki\/Create-a-bootable-macOS-Recovery-virtual-disk\" data-type=\"link\" data-id=\"https:\/\/github.com\/DrDonk\/unlocker\/wiki\/Create-a-bootable-macOS-Recovery-virtual-disk\">recovery_vmdk.zip<\/a><\/li>\n\n\n\n<li>Disable OS mitigations \n<ul class=\"wp-block-list\">\n<li>$<code> csrutil disable<\/code><\/li>\n\n\n\n<li>$ <code>csrutil authenticated-root disable<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reboot back into macOS <\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Kernel Debug Kit 11.0.1 build 20B29<\/li>\n\n\n\n<li>Mount RootFS and make modifiable\n<ul class=\"wp-block-list\">\n<li>$ <code>mkdir -p -m777 ~\/mount<\/code><\/li>\n\n\n\n<li>$ <code>df -h<\/code><br>If Mount on == &#8220;\/&#8221; and Filesystem == &#8220;\/dev\/<strong>disk1s5s1<\/strong>&#8220;, then<br>$ <code>sudo mount -o nobrowse -t apfs \/dev\/<strong>disk1s5<\/strong> ~\/mount<\/code><br><br>e.g.<br><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" 
data-enlighter-language=\"bash\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seos-Mac-2 ~ % df -h\nFilesystem       Size   Used  Avail Capacity iused      ifree %iused  Mounted on\n\/dev\/disk1s5s1  128Gi   15Gi   82Gi    16%  563940 1339564940    0%   \/\ndevfs           187Ki  187Ki    0Bi   100%     648          0  100%   \/dev\n\/dev\/disk1s4    128Gi  1.0Mi   82Gi     1%       3 1340128877    0%   \/System\/Volumes\/VM\n\/dev\/disk1s2    128Gi  334Mi   82Gi     1%     688 1340128192    0%   \/System\/Volumes\/Preboot\n\/dev\/disk1s6    128Gi  688Ki   82Gi     1%      18 1340128862    0%   \/System\/Volumes\/Update\n\/dev\/disk1s1    128Gi   30Gi   82Gi    27%  773081 1339355799    0%   \/System\/Volumes\/Data\nmap auto_home     0Bi    0Bi    0Bi   100%       0          0  100%   \/System\/Volumes\/Data\/home<\/pre>\n<\/div><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Grab and patch kernel.development from \/Library\/Developer\/KDKs\/KDK_11.0.1_20B29.kdk\/System\/Library\/Kernels\n<ul class=\"wp-block-list\">\n<li>Analyze it with IDA Pro and find the string &#8220;Console I\/O from interrupt-disabled context &#8230;&#8221;<\/li>\n\n\n\n<li>Patch the kernel so that it does <strong>not<\/strong> panic with that string (each 6-byte <code>je<\/code> in the table below is overwritten with NOPs).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>Address<\/th><th>Length<\/th><th>Original bytes<\/th><th>Patched bytes<\/th><\/tr><tr><td>FFFFFF80004A0E98<\/td><td>0x6<\/td><td>0F 84 DE 02 00 00<\/td><td>90 90 90 90 90 90<\/td><\/tr><tr><td>FFFFFF80004A1312<\/td><td>0x6<\/td><td>0F 84 24 02 00 00<\/td><td>90 90 90 90 90 90<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Copy the patched kernel.development to ~\/mount\/System\/Library\/Kernels and apply it.\n<ul class=\"wp-block-list\">\n<li>$ <code>sudo kmutil 
install --volume-root \/ --update-all<\/code><\/li>\n\n\n\n<li>$ <code>sudo kmutil install --volume-root ~\/mount --update-all<\/code><\/li>\n\n\n\n<li>$ <code>sudo bless --mount ~\/mount -bootefi -create-snapshot<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set the new boot-args in NVRAM\n<ul class=\"wp-block-list\">\n<li>$ <code>sudo nvram boot-args=\"debug=0x141 kdp_match_name=en0 wdt=-1 -v kcsuffix=development wlan.skywalk.enable=0 dk=0 tlbto_us=0 vti=9 slide=0\"<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reboot. If everything went correctly, the console shows the following and waits for a debugger:\n<ul class=\"wp-block-list\">\n<li>ethernet MAC address: 00:0c:29:e2:92:14<br>ip address: <strong>192.168.152.139<\/strong><br><br>Waiting for remote debugger connection.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Host<\/h2>\n\n\n\n<p><strong>macOS 12.3.1, 16Core, 4G Ram<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$ <code>xcode-select --install<\/code><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Kernel Debug Kit 11.0.1 build 20B29<\/li>\n\n\n\n<li>Attach to the guest VM from lldb\n<ul class=\"wp-block-list\">\n<li>$ <code>lldb<\/code><\/li>\n\n\n\n<li>(lldb) <code>target create \/Library\/Developer\/KDKs\/KDK_11.0.1_20B29.kdk\/System\/Library\/Kernels\/kernel.development<\/code><\/li>\n\n\n\n<li>(lldb) <code>kdp-remote <strong>192.168.152.139<\/strong><\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Happy Debugging!<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/02\/image-1024x576.png\" alt=\"\" class=\"wp-image-2768\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/02\/image-1024x576.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/02\/image-300x169.png 300w, 
https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/02\/image-768x432.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/02\/image-1536x864.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/02\/image.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Reference<\/h2>\n\n\n\n<p><a href=\"https:\/\/apple.stackexchange.com\/questions\/395508\/can-i-mount-the-root-system-filesystem-as-writable-in-big-sur\">https:\/\/apple.stackexchange.com\/questions\/395508\/can-i-mount-the-root-system-filesystem-as-writable-in-big-sur<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/DrDonk\/unlocker\/wiki\/Create-a-bootable-macOS-Recovery-virtual-disk\">https:\/\/github.com\/DrDonk\/unlocker\/wiki\/Create-a-bootable-macOS-Recovery-virtual-disk<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/discord.com\/channels\/1279669879062003754\/1279669879062003758\/1342168812258201691\">https:\/\/discord.com\/channels\/1279669879062003754\/1279669879062003758\/1342168812258201691<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kernelshaman.blogspot.com\/2021\/02\/building-xnu-for-macos-112-intel-apple.html\">https:\/\/kernelshaman.blogspot.com\/2021\/02\/building-xnu-for-macos-112-intel-apple.html<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/DrDonk\/unlocker\">https:\/\/github.com\/DrDonk\/unlocker<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Environment Windows 11 23H2VMWare Workstation 17.6.2DrDonk&#8217;s Unlocker Guest macOS 11.0.1, 4Core, 4G Ram Address Length Original bytes Patched bytes FFFFFF80004A0E98 0x6 0F 84 DE 02 00 00 90 90 90 90 90 90 FFFFFF80004A1312 0x6 0F 84 24 02 00 00 90 90 90 90 90 90 Host macOS 12.3.1, 16Core, 4G Ram Happy Debugging!&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=2767\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">macOS 11.0.1+ Kernel Debugging on 
Windows<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[13],"class_list":["post-2767","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-macos"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2767","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2767"}],"version-history":[{"count":7,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2767\/revisions"}],"predecessor-version":[{"id":2939,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2767\/revisions\/2939"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}