3

I've followed the Creating a Generic Kernel Extension with Xcode tutorial.

MyKext.c:

```c
#include <sys/systm.h>
#include <mach/mach_types.h>

kern_return_t MyKext_start (kmod_info_t * ki, void * d)
{
    printf("MyKext has started.\n");
    return KERN_SUCCESS;
}

kern_return_t MyKext_stop (kmod_info_t * ki, void * d)
{
    printf("MyKext has stopped.\n");
    return KERN_SUCCESS;
}
```

I've also disabled the csrutil, which allows me to load my own kext.

```
# csrutil disable
```

When I load my own kext into the kernel:

```
$ sudo kextload -v /tmp/MyKext.kext
```

The result of printf() is not written to /var/log/system.log.

I've also set boot-args:

```
$ sudo nvram boot-args="original_contents debug=0x4"
```

Can anyone help me out?

sleepy_dog
  • First, you need to use kernel functions, so `printf()` should be `printk()` – user3629249 Apr 11 '17 at 07:37
  • There are specific functions for writing to the system log. They are: `openlog()`, `syslog()`, `closelog()` – user3629249 Apr 11 '17 at 07:38
  • @user3629249: What gives you that idea? `printf()` should work fine. – l'L'l Apr 11 '17 at 07:50
  • 3
    `printf()` is correct in macOS/OS X kernel extensions. `IOLog()` works identically, but is more usual in device drivers. What OS version are you running? As of 10.12, /var/log/system.log is no longer the correct place to look; you now need to look in the new system logging service, which you can access with the `log` command. `printk()` is a Linux thing; `syslog()` is for user space. Does your kext show up in the output of `kextstat`? Please don't use `kextload`; use `kextutil` instead, it has much better diagnostics. – pmdj Apr 12 '17 at 01:51
  • You might have to look into the Console application and try putting your kernel extension name into the search text field. All logs will be shown there for your application. – Vikram Sinha Nov 22 '18 at 11:58

2 Answers

3

Apparently, since Sierra (10.12) at least, they reorganized the way the logs are written (iOS support?), so you cannot see it in system.log anymore. Still, in your Console application, you have in the sidebar a Devices section, where you can select your device (usually your Mac system) and see the real-time log limited to "kernel" in the search box. So I can see these when using kextload/kextunload:

default 11:58:27.608228 +0200   kernel  MyKext has started.
default 11:58:34.446824 +0200   kernel  MyKext has stopped.
default 11:58:44.803350 +0200   kernel  MyKext has started.

There is no need for the csrutil and nvram changes.

Important: For some freaky reason, I needed to restart the Console to reflect my message changes; otherwise it was showing the ones (start & stop) from the previous build. Very strange indeed!

Later: To recover old logs, try `sudo log collect --last 1d` and open the result with Console (more here).

Liviu
  • 2
    Comment about Console just resolved the issue with my logs... Still don't get why Apple does not mention it anywhere... Thanks for the info :) – J1and1 Oct 04 '17 at 08:07
1

Sorry to necro-post, but I found it useful to use log(1) with one of its many commands (as suggested by @pmdj in the comments above) rather than use Console. From the manual:

log -- Access system wide log messages created by os_log, os_trace and other logging systems.

For example, one can run:

log stream

to see real-time output of the system, including printf() from the macOS kernel extension.

peachykeen
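Both answers come down to reading the unified log instead of /var/log/system.log. The script below is an added example, not code from any of the posts above: it narrows `log show` / `log stream` to kernel messages that mention the kext, and filters text copied out of Console in the column layout shown in the first answer. The kext name `MyKext` comes from the question; the `/usr/bin/log` path, the 5-minute default window and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: find a kext's printf()/IOLog() output in the unified log (macOS 10.12+).
LOG_BIN=/usr/bin/log   # assumed path; a full path avoids any builtin or alias named `log`

# Build the `log` predicate: kernel process only, message mentions the kext name.
# Names with quotes or spaces are rejected so they cannot alter the predicate.
kext_predicate() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid kext name: $1" >&2; return 1 ;;
    esac
    printf 'process == "kernel" AND eventMessage CONTAINS "%s"' "$1"
}

# kext_log show NAME [WINDOW]  -> past messages (default: last 5 minutes)
# kext_log stream NAME         -> live messages while the kext is loaded/unloaded
kext_log() {
    mode=$1; name=$2; window=${3:-5m}
    pred=$(kext_predicate "$name") || return 1
    [ -x "$LOG_BIN" ] || { echo "$LOG_BIN not found (needs macOS 10.12+)" >&2; return 2; }
    case "$mode" in
        show)   "$LOG_BIN" show --last "$window" --predicate "$pred" ;;
        stream) "$LOG_BIN" stream --predicate "$pred" ;;
        *)      echo "usage: kext_log show|stream NAME [WINDOW]" >&2; return 64 ;;
    esac
}

# Filter text already copied out of Console, read from stdin
# (columns: type, time, timezone, process, message).
kext_lines() {
    kext_predicate "$1" >/dev/null || return 1
    awk -v name="$1" '$4 == "kernel" && index($0, name)'
}

# Run directly, e.g.: sh kextlog.sh stream MyKext
if [ $# -gt 0 ]; then kext_log "$@"; fi
```

Start `kext_log stream MyKext` in one terminal before loading the kext in another, so the start message is captured as it is emitted.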