Kernel Debug
From xboxdevwiki
Revision as of 14:50, 18 April 2025 by Applesauce (talk | contribs)
Only available in debug kernels: an Xbox with a serial port can be kernel-debugged with WinDbg. Only executables that have debugging switched on can be debugged over serial as well(?) [citation needed] {FIXME| Explain with more details ;) }
Xqemu emulates this serial port, which uses a [[Super_I/O|LPC chip]].
KD Commands
| Command | Description |
|---|---|
| `CTRL+B` | Exit the kernel debugger. |
| `<ENTER>` | Repeat the last command you entered. |
| `?` | Display a quick reference of basic debugger commands. |
| `.help` | List the meta-commands available in the debugger. |
| `!help` | List the extension commands provided by debugger plugins. |
| `x MODULE!SYMBOL` | Show symbols within a module (supports wildcards), e.g. `Vidya!*` lists all symbols whose name starts with “Vidya!”. |
| `db ADDRESS` | Dump raw bytes at the specified address, with any printable ASCII alongside. |
| `dd ADDRESS` | Dump memory as 32-bit words starting at the given address. |
| `df ADDRESS` | Dump memory as floating-point values from the given address. |
| `dds ADDRESS` | Dump 32-bit words and resolve any that match symbol names; handy for spotting return addresses on the stack. |
| `dt TYPE ADDRESS` | Display the fields of a structure type at a memory address. Add `-b` to recurse into nested structures. |
| `rM 54` | Show FP/MMX/XMM register contents (note the uppercase “M”). |
| `rM 1fd` | Show all CPU registers. |
| `p` | Step over the next instruction (runs calls/interrupts without entering them). |
| `t` | Step into the next instruction (enters calls and interrupts). |
| `bp ADDRESS` | Set a breakpoint at the specified instruction address. |
| `bp ADDRESS "commands"` | Create a breakpoint that executes a sequence of commands when hit (semicolon-separated). |
| `ba w1 ADDRESS` | Set a data breakpoint on writes to one byte at ADDRESS. Use `r` for reads, or `2`/`4` for word/dword sizes. |
| `bl` | List all active breakpoints. |
| `bc INDEX` | Clear the breakpoint with the given index (as shown by `bl`). |
| `!memusage` | Display a summary of free memory pages and usage by category. |
| `!heap 0 -a` | Dump detailed heap entries for all heaps (can generate a lot of output). |
| `!handle 0 7` | List all open handles in the system (files, threads, etc.). |
| `!poolused 3` | Report how pool memory is allocated across different tags. |
| `!poolfind TAG` | List every pool allocation marked with the four-character TAG. |
| `.reboot` | Restart the console. |
| `.sympath` | Show the current symbol search paths. |
| `.sympath PATH` | Change the symbol path to PATH; use `.reload` to apply. |
| `.echotimestamps` | Toggle timestamps on debug messages and break notifications. |
| Command | Description |
|---|---|
| `r` | Shows the current register values. |
| `kp` | Displays the call stack with function parameters and line numbers. If `kp` isn't supported in your debugger version, use `kb` instead. |
| `dd esp L80` | Dumps raw stack memory as DWORDs starting at `esp` (the stack pointer). `L80` specifies length 0x80 (128 DWORDs), letting you inspect local variables on the stack. |
| `ln eip`<br>`u xxxxxxxx xxxxxxxx` | Lists symbols around the current instruction pointer (eip) so you can see where the crash happened, for example: Then use those addresses with |
| `!process 0 7` | Shows details about the current process and prints a call stack for each thread. |
| `dd nt!KeTickCount L1` | Displays the kernel tick count (milliseconds since boot, excluding debugger pauses). Divide the result by 1,000 for seconds or by 3,600,000 for hours. |
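As an added example (not from the original page, and not part of WinDbg or xqemu), the following Python post-processes text pasted out of the commands in the two tables above: it parses `dd` output such as that of `dd esp L80` or `dd nt!KeTickCount L1`, flags the DWORDs that fall inside a given code range the way `dds` marks likely return addresses, and converts the tick count into uptime. The dump lines, the address range labelled `nt`, and the tick value are constructed sample data; the four-DWORDs-per-line layout is the ordinary `dd` format, not anything specific to the Xbox kernel, and unreadable slots printed as `????????` are kept as `None` so a partially paged-out stack does not abort the parse.

```python
# Added example for this wiki page (not part of the original page, WinDbg or xqemu).
# It post-processes text pasted from the KD commands above:
#   - parse_dd() turns the output of `dd ADDRESS Ln` into (slot address, value) pairs,
#   - return_address_candidates() mimics what `dds` highlights: DWORDs that fall inside
#     a known code range, i.e. stack slots that look like return addresses,
#   - ticks_to_uptime() converts the value printed by `dd nt!KeTickCount L1`.
# The dump, the module range and the tick count below are constructed sample data.
import re

# WinDbg `dd` prints one line per 16 bytes: the address, then up to four 32-bit words.
# Unreadable memory is shown as "????????", which we allow and map to None.
_DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F?]{8}\s*)+)$")


def parse_dd(text):
    """Parse `dd` output into an ordered list of (slot_address, value) pairs."""
    pairs = []
    for line in text.splitlines():
        m = _DD_LINE.match(line)
        if not m:
            continue  # skip prompts, blanks, or anything that is not a dump line
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            value = None if word == "????????" else int(word, 16)
            pairs.append((base + 4 * i, value))
    return pairs


def return_address_candidates(pairs, code_ranges):
    """Return (slot, value, range_name) for every DWORD inside one of the [start, end) ranges.

    This is the same idea as `dds esp`: a DWORD on the stack that points into a code
    section is a plausible return address, so the hits outline the call chain even
    when the frame chain that `kb`/`kp` walks is broken.
    """
    hits = []
    for slot, value in pairs:
        if value is None:
            continue  # unreadable slot, nothing to classify
        for name, start, end in code_ranges:
            if start <= value < end:
                hits.append((slot, value, name))
    return hits


def ticks_to_uptime(ticks):
    """Convert nt!KeTickCount (milliseconds since boot) to (hours, minutes, seconds)."""
    seconds_total = ticks // 1000
    hours, rem = divmod(seconds_total, 3600)
    minutes, seconds = divmod(rem, 60)
    return hours, minutes, seconds


# Constructed sample: eight DWORDs laid out as `dd esp L8` would print them (not real output).
SAMPLE_DD = """\
d0012f40  00000000 80012345 d0012f80 8001abcd
d0012f50  00000001 ffffffff 80040000 d0012fa0
"""
# Constructed code range: pretend the kernel's code lives in [0x80010000, 0x80030000).
SAMPLE_RANGES = [("nt", 0x80010000, 0x80030000)]
SAMPLE_TICKS = 0x00DDD5C8  # constructed value, as `dd nt!KeTickCount L1` might print it


def demo():
    """Run the three helpers over the constructed sample and return their results."""
    pairs = parse_dd(SAMPLE_DD)
    hits = return_address_candidates(pairs, SAMPLE_RANGES)
    uptime = ticks_to_uptime(SAMPLE_TICKS)
    return pairs, hits, uptime


if __name__ == "__main__":
    pairs, hits, uptime = demo()
    for slot, value, name in hits:
        print(f"{slot:08x}: {value:08x} -> inside {name}")
    print("uptime: %dh %dm %ds" % uptime)
```

Paste a real `dd esp L80` dump into `SAMPLE_DD` and replace `SAMPLE_RANGES` with the module bounds reported by the debugger to get the same kind of stack outline `dds` prints, without the debugger having to resolve each symbol over the serial link.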