Difference between revisions of "Kernel Debug"
From xboxdevwiki
(Created page with "Only enabled in debug kernels, a Xbox with serial port can be kernel debugged with windbg. only executables that have debugging switched on can be debugged over serial aswell(...")
Applesauce (talk | contribs)
Latest revision as of 14:50, 18 April 2025
Kernel debugging is only enabled in debug kernels; an Xbox with a serial port can then be kernel-debugged with WinDbg. Only executables that have debugging switched on can be debugged over serial as well (?) [citation needed] {FIXME| Explain with more details ;) }
Xqemu emulates this serial port, which is part of the [[Super_I/O|LPC chip]].
KD Commands
| Command | Description |
|---|---|
| `CTRL+B` | Exit the kernel debugger (kd.exe). |
| `<ENTER>` | Repeat the last command you entered. |
| `?` | Display a quick reference of basic debugger commands. |
| `.help` | List the meta-commands (dot commands) available in the debugger. |
| `!help` | List the extension commands provided by the loaded debugger extension DLLs. |
| `x MODULE!SYMBOL` | Show symbols in a module; wildcards are supported, e.g. `x Vidya!*` lists every symbol in the module `Vidya`. |
| `db ADDRESS` | Dump raw bytes at ADDRESS, with the printable ASCII shown alongside. |
| `dd ADDRESS` | Dump memory as 32-bit words (DWORDs) starting at ADDRESS. |
| `df ADDRESS` | Dump memory as single-precision floating-point values starting at ADDRESS. |
| `dds ADDRESS` | Dump 32-bit words and resolve each one that matches a symbol; handy for spotting return addresses on the stack. |
| `dt TYPE ADDRESS` | Display the fields of structure TYPE as laid out at ADDRESS. Add `-b` to expand nested structures recursively. |
| `rM 54` | Show the floating-point, MMX and XMM registers. `rM` takes a hexadecimal mask selecting register groups; note the uppercase "M". |
| `rM 1fd` | Show all CPU register groups. |
| `p` | Step over the next instruction (calls and interrupts run to completion without being entered). |
| `t` | Step into the next instruction (enters calls and interrupts). |
| `bp ADDRESS` | Set a software breakpoint on the instruction at ADDRESS. |
| `bp ADDRESS "commands"` | Set a breakpoint that runs a semicolon-separated command sequence each time it is hit. |
| `ba w1 ADDRESS` | Set a hardware data breakpoint that fires on a write to the single byte at ADDRESS. Use `r` for read-or-write access or `e` for execute, and `2` or `4` instead of `1` for word or DWORD sizes. |
| `bl` | List all breakpoints with their indices and state. |
| `bc INDEX` | Clear the breakpoint with the given index (as shown by `bl`); `bc *` clears all of them. |
| `!memusage` | Display a summary of free memory pages and usage by category. |
| `!heap 0 -a` | Dump detailed heap entries for all heaps (can generate a lot of output). |
| `!handle 0 7` | List all open handles in the system (files, threads, etc.) with full detail. |
| `!poolused 3` | Report how pool memory is allocated across the different pool tags. |
| `!poolfind TAG` | List every pool allocation marked with the four-character TAG. |
| `.reboot` | Restart the console. |
| `.sympath` | Show the current symbol search path. |
| `.sympath PATH` | Set the symbol path to PATH; run `.reload` afterwards so symbols are loaded from it. |
| `.echotimestamps` | Toggle timestamps on debug messages and break notifications. |
| Command | Description |
|---|---|
| `r` | Show the current register values. |
| `kp` | Display the call stack with each frame's full parameter list (and source line numbers where the symbols carry line information). If `kp` is not supported by your debugger version, use `kb`, which shows the first three stack parameters of each frame. |
| `dd esp L80` | Dump raw stack memory as DWORDs starting at `esp` (the stack pointer). `L80` is a length of 0x80 = 128 DWORDs (512 bytes), enough to inspect the locals and return address of the current frame. |
| `ln eip` then `u ADDRESS1 ADDRESS2` | `ln eip` lists the nearest symbols around the current instruction pointer so you can see where the crash happened, for example `(00011050) YourGame!main+0x9` and `(0001109d) YourGame!DebugBreak.Next`. Then disassemble that range with `u`, e.g. `u 00011050 0001109d`. |
| `!process 0 7` | Show details about the current process and print a call stack for each of its threads. |
| `dd nt!KeTickCount L1` | Display the kernel tick count (milliseconds since boot, not counting time spent halted in the debugger). Divide by 1,000 for seconds or by 3,600,000 for hours. |
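The breakpoint, watchpoint and symbol commands from the two tables above combine into a non-stopping trace: each breakpoint dumps what you want and then resumes with `g`, so the title keeps running while the KD console collects the log. The session script below is an added example and is not from the original page; `YourGame!UpdateFrame` (a function), `YourGame!g_PlayerHealth` (a 4-byte global) and the symbol path `C:\symbols\YourGame` are assumed names to substitute with your own.

```windbg
$$ Added example, not part of the original page. Assumed names:
$$ YourGame!UpdateFrame (function), YourGame!g_PlayerHealth (4-byte global),
$$ C:\symbols\YourGame (directory holding the title's .pdb).
.sympath C:\symbols\YourGame
.reload
.echotimestamps 1

$$ Log every call without stopping: at function entry esp holds the return
$$ address followed by the arguments, so "dds esp L4" resolves the caller and
$$ shows the first three args; "kb 3" prints the top three frames; "g" resumes.
bp YourGame!UpdateFrame ".echo [trace] UpdateFrame called; dds esp L4; kb 3; g"

$$ Catch whoever overwrites the global: a hardware watchpoint on a 4-byte write.
$$ The write has already happened when it fires, so dump the new value and the
$$ writing instruction, then resume.
ba w4 YourGame!g_PlayerHealth ".echo [watch] g_PlayerHealth written; dd YourGame!g_PlayerHealth L1; ln eip; kb 2; g"

$$ Confirm both breakpoints are armed, then let the target run.
bl
g
```

When finished, `bc *` removes both breakpoints. Hardware data breakpoints need an address aligned to their size (4-byte aligned for `w4`), and x86 has only four debug registers, so at most four `ba` breakpoints can be active at once; a `bp` inside a function that is called every frame will slow the title noticeably over a slow serial link, so keep the command string short.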