The OS X/iOS KDebug facility is an incredibly powerful tracing mechanism I touched on in the first edition of MOXiI. It is second only to DTrace, and - on iOS (where DTrace is unavailable) - is second to none. It has nonetheless gone unnoticed by many (not unlike other useful stuff I pointed out ;-).
Apple's own utilities - fs_usage(1), sc_usage(1), latency(1) and trace(1) - all part of the system_cmds package, use this facility. The Apple utilities impose filters on KDebug, and don't tap the full power of this amazing facility. The fabulous Instruments.app also uses kdebug, which it also invokes on the device with the help of iprofiler(1), present both in OS X and in iOS (in the DeveloperDiskImage)
You can compile the Apple tools for iOS as well, but to get rid of the filters (and customize my own) I concocted my own KDebug viewer tool, which I call KDebugView*. The tool has actually been available for a while, released on the Website forum to answer a specific question, but that version was really unstable and rough. This one is more stable, though arguably still very basic. The tool follows the same pattern of Apple's own tools (with a snippet I lazily cut/pasted), and I am providing the full (short) source for it, along with a universal binary (OSX/iOS32/iOS64) here. If you want to compile it for iOS, you'll need to copy headers from the OS X SDK to the iOS SDK, because Apple tries to "hide" the APIs.
This tool traces EVERYTHING. And by EVERYTHING, I mean E-V-E-R-Y-T-H-I-N-G happening in both OS X AND iOS. The XNU kernel is laced with KERNEL_DEBUG macro calls, and quite a few user mode subsystems (notably my adversary, launchd, and libxpc.dylib) use it from user mode by invoking kdebug_trace (syscall #180). Apple seems committed to this facility, and has added syscall #179 and (recently) #178 - kdebug_trace_string. So this isn't going away. The bad news: Root access is required (alas), and I'm willing to bet good money that AAPL will further restrict this by slapping an entitlement on it as well**. So use it while you can :-)
A sample of the tool is shown here:
And, on iOS (filtering)
Note, you get a TON of information - Scheduler events, interrupts(!!!), system calls, Mach traps, Mach Messages, and every little hiccup of the kernel. A plethora of information, maybe even TMI - You'll get tens of MB output per second. I'll add some of the filters in a later release, but for now I recommend grep(1) as your friend.
The version (and source) of the tool provided is very raw - I removed the filtering logic because the latest version is unstable. Expect a beefed up version soon.
How this works
The full detail of kdebug is in Chapter 5 of MOXiI's first edition, but do not buy that book. Seriously, it's paltry in comparison to the second edition, which provides a lot more detail (and yes, it's coming soon). The gist of it is, you use sysctl(2) to interface with the facility, set up filters (which I don't), provide a buffer, and gulp down tons of info. The kdebug messages are simple 32-bit constants, defined in sys/kdebug.h
Pre 10-10 the CoreProfile framework had a nice XML formatting of the codes in /System/Library/PrivateFrameworks/CorePorfile.framework/Resources/Devices/osx-13.0.0.xml. This has since been removed. Fortunately, Apple still provides /usr/share/misc/trace.codes to support their own tools. This is a pretty comprehensive file, though a lot of the really interesting codes have been "omitted". I wouldn't be surprised if this file, too, disappears, but rest assured I'm compiling a full list of all codes - both documented and undocumented - which will remain open. On iOS, this file is not present, so just use the one I've packaged with the tar file.
Each debug code has 5 arguments, depending on the caller, but in general arg5 is the thread ID, and args1-4 are the arguments to the event (usually a syscall, or Mach event). I make no attempt to parse or make sense of the arguments in this version of the tool, but I'll add support for that sometime soon, as well.
In other cases, kdebug can log strings (in place of the 4 args). That's handled.
I'm sure this - being powerful yet incomplete - will bring feature requests. Please use the Book's Forum to let me know - I'll be glad to oblige. The enclosed tar file also has the open source of the tool, so you can tweak/customize by yourself.
TG Annoucement - The upcoming MOXiI training in NYC (December 11th, 2017) is open for registration! KDebug is only one of the many cool tracing/RE methods we demonstrate. You might want to follow @Technologeeks for announcements! You can drop i/n/f/o at TG an email if you want more details or to register.
12/25/2015 - First public release. Merry XMas, everyone
* - Paying homage to SysInternals' DbgView, though hardly similar.
** - And considering the horrid info-leaks and KASLR snafu kdebug provides, I wouldn't blame them if/when they do..