Wouter1 / PanicConverter

Converts an OSX Kernel Panic into a human-readable stack trace
GNU General Public License v3.0

creating symbols for other kext's and kernel #1

Open Wouter1 opened 8 years ago

Wouter1 commented 8 years ago

Most kext and mach kernel addresses are not translated.

Probably only modules that include the symbols are decoded properly.

Can we improve this?

Wouter1 commented 8 years ago

kextutil has a mechanism to generate symbols. Maybe these generated symbols can be hooked into atos?

kextutil -n IOUSBHostFamily.kext/ -s troep

kextutil will then prompt you for the load addresses of the modules (grep them from kextstat, not sure why it asks you instead of figuring out itself)

Wouter1 commented 8 years ago

For analysing crash reports, Apple apparently provides a tool already

https://possiblemobile.com/2015/03/symbolicating-your-ios-crash-reports/

For Xcode 7.3, you can find the tool at: /Applications/Xcode.app/Contents/SharedFrameworks/DVTFoundation.framework/Versions/A/Resources/symbolicatecrash

For Xcode 6 through 7.2, you can find the tool at: /Applications/Xcode.app/Contents/SharedFrameworks/DTDeviceKitBase.framework/Versions/Current/Resources/symbolicatecrash

Or if you're using Xcode 5: /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/PrivateFrameworks/DTDeviceKitBase.framework/Versions/Current/Resources/symbolicatecrash

but it only does .crash files, not panic files

Wouter1 commented 8 years ago

Yes, I think this works manually: we create all the symbols first, using

kextutil -n /System/Library/Extensions/EMUUSBAudio.kext/ -s [dir-to-store-all-symbols]

Then kextutil will ask you for a whole lot of load addresses, to be copied from the panic log file.

Then you can use atos with just the generated symbol files, omitting the -l option and passing an -o option for each generated .sym file:

xcrun atos -arch x86_64 0 -o com.emu.driver.EMUUSBAudio.sym -o com.apple.driver.AppleUSBHostMergeProperties.sym -o com.apple.kec.Libm.sym -o com.apple.iokit.IOAudioFamily.sym -o com.apple.iokit.IOPCIFamily.sym -o com.apple.iokit.IOUSBHostFamily.sym 0xffffff80156dab12 0xffffff80157ce40a 0xffffff80157ec273 0xffffff7f9872f501 0xffffff7f9872f377 0xffffff7f9872e6c0 0xffffff7f9872e511 0xffffff7f97b5403f 0xffffff7f9872e48c 0xffffff8015c917dd 0xffffff8015c910a6 0xffffff8015c8bd7a 0xffffff8015c8ba11 0xffffff8015c8b856 0xffffff7f969a736b 0xffffff7f969a6840 0xffffff7f968b47f2 0xffffff801570f1ea 0xffffff80157c8e27

Wouter1 commented 8 years ago

The only disadvantage of this is that the generated symbols for the EMU driver itself are less precise than the original; we don't have the line numbers anymore.

Wouter1 commented 8 years ago

There are still unresolved symbols even after that.

eg

Backtrace (CPU 6), Frame : Return Address
0xffffff80156dab12
0xffffff80157ce40a
0xffffff80157ec273
IOUSBInterface1::getDevice1() (in com.emu.driver.EMUUSBAudio.sym) + 33
EMUUSBAudioDevice::checkUHCI() (in com.emu.driver.EMUUSBAudio.sym) + 55
EMUUSBAudioDevice::protectedInitHardware(IOService*) (in com.emu.driver.EMUUSBAudio.sym) + 160
EMUUSBAudioDevice::initHardware(IOService*) (in com.emu.driver.EMUUSBAudio.sym) + 65
IOAudioDevice::start(IOService*) (in com.apple.iokit.IOAudioFamily.sym) + 197
EMUUSBAudioDevice::start(IOService*) (in com.emu.driver.EMUUSBAudio.sym) + 300
0xffffff8015c917dd
0xffffff8015c910a6
0xffffff8015c8bd7a
0xffffff8015c8ba11
0xffffff8015c8b856
0xffffff7f969a736b
0xffffff7f969a6840
AppleUSBHostResources::registerUSBHostServiceThreadCall(void*, void*) (in IOUSBHostFamily) + 30

0xffffff82006f3f00 : 0xffffff801570f1ea 
0xffffff82006f3fb0 : 0xffffff80157c8e27 
      Kernel Extensions in backtrace:
         com.apple.iokit.IOUSBHostFamily(1.0.1)[4C8B5BB6-6AE4-313E-B79C-AC07A4E31A2D]@0xffffff7f968af000->0xffffff7f96917fff
            dependency: com.apple.driver.AppleUSBHostMergeProperties(1.0.1)[9D5F86A1-76EF-3007-94CA-49652E62355C]@0xffffff7f968ab000
         com.apple.iokit.IOUSBFamily(900.4.1)[7B5AC81A-D0B6-3F3D-87C7-AFD78F4686DB]@0xffffff7f96955000->0xffffff7f969eefff
            dependency: com.apple.iokit.IOPCIFamily(2.9)[4FE41F9B-2849-322A-BBF8-A94816C003D6]@0xffffff7f95f2c000
            dependency: com.apple.iokit.IOUSBHostFamily(1.0.1)[4C8B5BB6-6AE4-313E-B79C-AC07A4E31A2D]@0xffffff7f968af000
         com.apple.iokit.IOAudioFamily(204.3)[79080C52-FC35-31BA-8C06-087B308D33D1]@0xffffff7f97b50000->0xffffff7f97b80fff
            dependency: com.apple.vecLib.kext(1.2.0)[2D9008E3-9EE8-30E4-844D-51CA4B093F03]@0xffffff7f97ad4000
         com.emu.driver.EMUUSBAudio(3.5.5)[B3C5395F-FA40-3B1B-94D0-296664D14924]@0xffffff7f9871d000->0xffffff7f9877ffff
            dependency: com.apple.iokit.IOAudioFamily(204.3)[79080C52-FC35-31BA-8C06-087B308D33D1]@0xffffff7f97b50000
            dependency: com.apple.iokit.IOUSBHostFamily(1.0.1)[4C8B5BB6-6AE4-313E-B79C-AC07A4E31A2D]@0xffffff7f968af000

BSD process name corresponding to current thread: kernel_task

Wouter1 commented 8 years ago

Tried to generate symbols for System.kext, but it doesn't work:

kextutil -n /System/Library/Extensions/System.kext/ -s .
Notice: Using running kernel architecture x86_64 to generate symbols.
/System/Library/Extensions/System.kext appears to be loadable (not including linkage for on-disk libraries).
/System/Library/Extensions/System.kext is a kernel component; no symbols to generate.

Wouter1 commented 8 years ago

Also, none of the load addresses of the kexts shown by kextstat match the range above 0xffffff8000000000; they are all in the 0xffffff7f80000000 range.
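A small parser that does the address bookkeeping behind the manual kextutil/atos procedure above, added here as an example; it is not PanicConverter's code and was not posted in this thread. It reads the "Kernel Extensions in backtrace" block, maps every backtrace return address to the kext whose load range contains it (with the offset into that kext), flags the addresses no range covers (the 0xffffff80... kernel addresses the last comment is about), and emits the `-a identifier@address` arguments that kextutil(8) accepts in place of its interactive load-address prompts, plus the atos line with one `-o` per `.sym`. The `-a` form is assumed to match the kextutil(8) man page on your system; `/tmp/syms` is an assumed symbol directory; the sample log is assembled from the excerpt posted above (a subset of its backtrace, with the bare addresses accepted alongside the real `frame : return` form).

```python
"""Attribute raw panic-log return addresses to kext load ranges.

Added example for this issue, not PanicConverter's own code. SAMPLE_PANIC is
assembled from the log excerpt posted in the thread; /tmp/syms is assumed.
"""
import re
from collections import namedtuple

Kext = namedtuple("Kext", "ident version uuid start end")  # end is None for deps

# Entry lines carry a load range; "dependency:" lines carry only a start address.
ENTRY_RE = re.compile(r"^\s*(?P<ident>[\w.]+)\((?P<version>[^)]*)\)\[(?P<uuid>[0-9A-F-]+)\]"
                      r"@(?P<start>0x[0-9a-f]+)->(?P<end>0x[0-9a-f]+)\s*$")
DEP_RE = re.compile(r"^\s*dependency:\s*(?P<ident>[\w.]+)\((?P<version>[^)]*)\)"
                    r"\[(?P<uuid>[0-9A-F-]+)\]@(?P<start>0x[0-9a-f]+)\s*$")
# Real logs print "frame : return"; bare return addresses (as quoted in this
# issue) are accepted as well.
FRAME_RE = re.compile(r"^\s*(?:0x[0-9a-f]+\s*:\s*)?(0x[0-9a-f]+)\s*$")

SAMPLE_PANIC = """\
Backtrace (CPU 6), Frame : Return Address
0xffffff80156dab12
0xffffff7f9872f501
0xffffff7f97b5403f
0xffffff7f969a736b
0xffffff7f969a6840
0xffffff7f968b47f2
0xffffff82006f3f00 : 0xffffff801570f1ea
0xffffff82006f3fb0 : 0xffffff80157c8e27
      Kernel Extensions in backtrace:
         com.apple.iokit.IOUSBHostFamily(1.0.1)[4C8B5BB6-6AE4-313E-B79C-AC07A4E31A2D]@0xffffff7f968af000->0xffffff7f96917fff
            dependency: com.apple.driver.AppleUSBHostMergeProperties(1.0.1)[9D5F86A1-76EF-3007-94CA-49652E62355C]@0xffffff7f968ab000
         com.apple.iokit.IOUSBFamily(900.4.1)[7B5AC81A-D0B6-3F3D-87C7-AFD78F4686DB]@0xffffff7f96955000->0xffffff7f969eefff
            dependency: com.apple.iokit.IOPCIFamily(2.9)[4FE41F9B-2849-322A-BBF8-A94816C003D6]@0xffffff7f95f2c000
            dependency: com.apple.iokit.IOUSBHostFamily(1.0.1)[4C8B5BB6-6AE4-313E-B79C-AC07A4E31A2D]@0xffffff7f968af000
         com.apple.iokit.IOAudioFamily(204.3)[79080C52-FC35-31BA-8C06-087B308D33D1]@0xffffff7f97b50000->0xffffff7f97b80fff
            dependency: com.apple.vecLib.kext(1.2.0)[2D9008E3-9EE8-30E4-844D-51CA4B093F03]@0xffffff7f97ad4000
         com.emu.driver.EMUUSBAudio(3.5.5)[B3C5395F-FA40-3B1B-94D0-296664D14924]@0xffffff7f9871d000->0xffffff7f9877ffff
            dependency: com.apple.iokit.IOAudioFamily(204.3)[79080C52-FC35-31BA-8C06-087B308D33D1]@0xffffff7f97b50000
            dependency: com.apple.iokit.IOUSBHostFamily(1.0.1)[4C8B5BB6-6AE4-313E-B79C-AC07A4E31A2D]@0xffffff7f968af000

BSD process name corresponding to current thread: kernel_task
"""


def parse_kexts(log):
    """Return {identifier: Kext}; an entry line overrides a dependency-only line."""
    kexts = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kexts[m["ident"]] = Kext(m["ident"], m["version"], m["uuid"],
                                     int(m["start"], 16), int(m["end"], 16))
            continue
        m = DEP_RE.match(line)
        if m and m["ident"] not in kexts:
            kexts[m["ident"]] = Kext(m["ident"], m["version"], m["uuid"],
                                     int(m["start"], 16), None)
    return kexts


def parse_backtrace(log):
    """Return addresses listed under 'Backtrace (CPU n)', in stack order."""
    addrs, in_bt = [], False
    for line in log.splitlines():
        if line.startswith("Backtrace ("):
            in_bt = True
        elif in_bt:
            m = FRAME_RE.match(line)
            if m:
                addrs.append(int(m.group(1), 16))
            elif line.strip():  # first other non-empty line closes the block
                in_bt = False
    return addrs


def attribute(addr, kexts):
    """(Kext, offset) for the range containing addr, or (None, None) for kernel text."""
    for k in kexts.values():
        if k.end is not None and k.start <= addr <= k.end:
            return k, addr - k.start
    return None, None


def symbolicate_offsets(log):
    """[(addr, kext identifier or None, offset or None)] for the whole backtrace."""
    kexts, out = parse_kexts(log), []
    for addr in parse_backtrace(log):
        k, off = attribute(addr, kexts)
        out.append((addr, k.ident if k else None, off))
    return out


def kextutil_address_args(kexts):
    """'-a ident@addr' arguments so 'kextutil -n -s' need not prompt for load addresses."""
    return ["-a %s@0x%x" % (k.ident, k.start) for k in kexts.values()]


def atos_command(log, symdir):
    """atos line in the thread's form: one -o per .sym (named by bundle id), then addresses."""
    kexts, idents = parse_kexts(log), []
    for addr in parse_backtrace(log):
        k, _ = attribute(addr, kexts)
        if k and k.ident not in idents:
            idents.append(k.ident)
    cmd = ["xcrun", "atos", "-arch", "x86_64"]
    for ident in idents:
        cmd += ["-o", "%s/%s.sym" % (symdir, ident)]
    return " ".join(cmd + ["0x%x" % a for a in parse_backtrace(log)])


if __name__ == "__main__":
    for addr, ident, off in symbolicate_offsets(SAMPLE_PANIC):
        print("0x%x  %s" % (addr, "%s + 0x%x" % (ident, off) if ident else "kernel (no kext range)"))
    print(" ".join(kextutil_address_args(parse_kexts(SAMPLE_PANIC))))
    print(atos_command(SAMPLE_PANIC, "/tmp/syms"))
```

Run against the sample, the two addresses that stay unresolved in the posted output, 0xffffff7f969a736b and 0xffffff7f969a6840, land inside com.apple.iokit.IOUSBFamily's range, and no IOUSBFamily .sym was among the -o arguments in the atos line above; the three 0xffffff80... addresses fall outside every kext range and belong to the kernel, which kextutil cannot symbolicate (System.kext is a kernel component), so they need the kernel's own symbols.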