macOS内核调试指南<\/h1>

1. 准备工作<\/h2>

1.1 硬件要求<\/h3>

调试目标机(被调试机器)：如iMac 2011<\/li>
调试主机(运行调试器的机器)：如MacBook Pro 2009<\/li>

连接方式：Firewire电缆(或通过Thunderbolt适配器的Firewire)<\/li> <\/ul>

1.2 软件准备<\/h3>

下载与目标机macOS版本匹配的内核调试工具包(KDK)

访问Apple Developer Portal Downloads<\/li>

必须与目标机的macOS版本和构建编号完全匹配<\/li> <\/ul> <\/li> <\/ul>

1.3 确定系统版本<\/h3>

点击Apple logo > "About This Mac"查看版本号(如10.13.6)<\/li>

获取构建编号：

sw_vers | grep BuildVersion
<\/span><\/span><\/code><\/pre>输出示例：BuildVersion: 17G65<\/code><\/li>
<\/ol>
2. 配置调试目标机<\/h2>
2.1 安装KDK<\/h3>

挂载下载的DMG文件<\/li>
安装kerneldebugkit.pkg<\/li>
安装完成后，文件位于：\/Library\/Developer\/KDKs\/kdk_<version>_<build>.kdk<\/code><\/li>
<\/ol>
2.2 替换内核<\/h3>

将kernel.development<\/code>复制到系统目录：
cp \/Library\/Developer\/KDKs\/kdk_10.13.6_17G65.kdk\/System\/Library\/Kernels\/kernel.development \/System\/Library\/Kernels\/
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.3 禁用SIP<\/h3>

重启进入恢复模式(开机时按CMD+R)<\/li>
在恢复终端中执行：
csrutil disable
<\/span><\/span><\/code><\/pre><\/li>
正常重启<\/li>
<\/ol>
2.4 设置引导参数<\/h3>
根据连接方式选择适当的boot-args：<\/p>
物理FireWire端口：<\/h4>
sudo nvram boot-args=<\/span>"debug=0x8146 kdp_match_name=firewire fwdebug=0x40 pmuflags=1 -v"<\/span>
<\/span><\/span><\/code><\/pre>Thunderbolt适配器的FireWire：<\/h4>
sudo nvram boot-args=<\/span>"debug=0x8146 kdp_match_name=firewire fwkdp=0x8000 fwdebug=0x40 pmuflags=1 -v"<\/span>
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

debug=0x8146<\/code>：启用调试，允许通过电源按钮触发NMI<\/li>
kdp_match_name=firewire<\/code>：允许通过Firewire调试<\/li>
fwkdp=0x8000<\/code>：使用Thunderbolt至FireWire适配器<\/li>
fwdebug=0x40<\/code>：启用详细输出<\/li>
pmuflags=1<\/code>：禁用看门狗定时器<\/li>
-v<\/code>：启用详细启动模式<\/li>
<\/ul>
3. 配置调试主机<\/h2>

在调试主机上安装相同的KDK(不修改主机内核)<\/li>
不需要设置引导参数<\/li>
<\/ol>
4. 开始调试会话<\/h2>
4.1 启动调试目标机<\/h3>

重启目标机，进入详细启动模式<\/li>
看到"DSMOS has arrived!"消息后，按一次电源按钮触发NMI<\/li>
<\/ol>
4.2 在调试主机上操作<\/h3>


启动FireWire KDP工具：<\/p>
fwkdp -v
<\/span><\/span><\/code><\/pre>输出应显示"Ready"并监听连接<\/p>
<\/li>

启动LLDB并加载开发版内核：<\/p>
xcrun lldb \/Library\/Developer\/KDKs\/KDK_10.13.6_17G65.kdk\/System\/Library\/Kernels\/kernel.development
<\/span><\/span><\/code><\/pre><\/li>

在LLDB中加载调试脚本：<\/p>
settings set target.load-script-from-symbol-file true
<\/code><\/pre>
<\/li>

连接到目标机：<\/p>
kdp-remote localhost
<\/code><\/pre>
<\/li>

继续执行内核(按'c'键)<\/p>
<\/li>
<\/ol>
5. 调试操作示例<\/h2>
5.1 寄存器操作<\/h3>


读取所有寄存器：<\/p>
register read --all
<\/code><\/pre>
<\/li>

写入寄存器：<\/p>
register write r13 0x4141414141414141
<\/code><\/pre>
<\/li>
<\/ul>
5.2 修改内核版本信息<\/h3>


查找version常量地址：<\/p>
print &(version)
<\/code><\/pre>
<\/li>

查看当前内容：<\/p>
x <address>
print version
<\/code><\/pre>
<\/li>

修改内存内容(示例修改为"GeoSn0w Kernel")：<\/p>
memory write 0xffffff802f0f68f0 0x47 0x65 0x6f 0x53 0x6e 0x30 0x77 0x20 0x4b 0x65 0x72 0x6e 0x65 0x6c 0x20 0x56
memory write 0xffffff802f0f6900 0x65 0x72 0x73 0x69 0x6f 0x6e 0x20 0x36 0x39 0x2e 0x30 0x30 0x20 0x57 0x65 0x65
<\/code><\/pre>
<\/li>

验证修改：<\/p>
uname -a
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
6. 恢复原始配置<\/h2>


重置引导参数：<\/p>
sudo nvram boot-args=<\/span>""<\/span>
<\/span><\/span><\/code><\/pre><\/li>

删除开发版内核：<\/p>
rm \/System\/Library\/Kernels\/kernel.development
<\/span><\/span><\/code><\/pre><\/li>

使KextCache无效：<\/p>
sudo touch \/Library\/Extensions
<\/span><\/span>sudo touch \/System\/Library\/Extensions
<\/span><\/span><\/code><\/pre><\/li>

重新启用SIP(可选)：<\/p>

进入恢复模式<\/li>
执行：
csrutil enable
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
附录：调试标志位定义<\/h2>
参考\/osfmk\/kern\/debug.h<\/code>中的定义：<\/p>
#define DB_HALT 0x1
<\/span><\/span><\/span>#define DB_NMI 0x4
<\/span><\/span><\/span>#define DB_KPRT 0x8
<\/span><\/span><\/span>#define DB_KDB 0x10
<\/span><\/span><\/span>#define DB_ARP 0x40
<\/span><\/span><\/span>#define DB_KDP_BP_DIS 0x80
<\/span><\/span><\/span>#define DB_KDP_GETC_ENA 0x200
<\/span><\/span><\/span>#define DB_KERN_DUMP_ON_PANIC 0x400
<\/span><\/span><\/span>#define DB_KERN_DUMP_ON_NMI 0x800
<\/span><\/span><\/span>#define DB_DBG_POST_CORE 0x1000
<\/span><\/span><\/span>#define DB_PANICLOG_DUMP 0x2000
<\/span><\/span><\/span>#define DB_REBOOT_POST_CORE 0x4000
<\/span><\/span><\/span>#define DB_NMI_BTN_ENA 0x8000
<\/span><\/span><\/span>#define DB_PRT_KDEBUG 0x10000
<\/span><\/span><\/span>#define DB_DISABLE_LOCAL_CORE 0x20000
<\/span><\/span><\/span>#define DB_DISABLE_GZIP_CORE 0x40000
<\/span><\/span><\/span>#define DB_DISABLE_CROSS_PANIC 0x80000
<\/span><\/span><\/span>#define DB_REBOOT_ALWAYS 0x100000
<\/span><\/span><\/span><\/code><\/pre>通过组合这些标志位可以设置不同的调试行为。<\/p>

macOS内核调试指南<\/h1>

1. 准备工作<\/h2>

2. 配置调试目标机<\/h2>

2.4 设置引导参数<\/h3> 根据连接方式选择适当的boot-args：<\/p>

4. 开始调试会话<\/h2>

5. 调试操作示例<\/h2>

2.4 设置引导参数<\/h3>
根据连接方式选择适当的boot-args：<\/p>