
How to Kernel Debug Connected Standby/Modern Standby systems?

October 24, 2016

Premise:

Debugging a Modern Standby (formerly Connected Standby) scenario can be challenging because there are several small but subtle things to keep in mind. Most Modern Standby/Connected Standby systems are newer machines with USB 3.0 xHCI controllers, so this post focuses only on systems that support USB 3.0 debugging.

What you need:

  1. USB 3.0 debug cable – http://www.datapro.net/products/usb-3-0-super-speed-a-a-debugging-cable.html
  2. USB Type-C to Type-A adapter – needed only if the device doesn’t have a USB Type-A port
  3. WinDbg bits – available from many sources, including the kits (WDK or ADK)

Methodology to set up kernel-mode debugging

  1. Set up the machine for USB 3.0 debugging as described here: https://msdn.microsoft.com/en-us/library/windows/hardware/hh439372(v=vs.85).aspx
  2. Make sure you disable Secure Boot in the BIOS menu.
  3. Hook up the cable as follows: [image: setup]
  4. Check the USB device hierarchy and turn off power saving on all the components in the chain. You can do this from Device Manager or the USB tools: [image: usb_hierarchy]
  5. Prevent Windows from turning off the USB stack components (hubs and controllers) on the target. For the USB hub, uncheck the box that allows the computer to turn off the device to save power: [image: usb_hub_power]
  6. Do the same for the USB xHCI controller: uncheck the box that allows the computer to turn off the device to save power. [image: usb_hub_power]
  7. If there are multiple controllers or hubs, make sure you pick the one on which you plan to debug. If there is another level of hub in between, do the same for that as well.
  8. Debug away!!
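Steps 4 to 6 can be checked (and, if wanted, applied) from an elevated PowerShell prompt instead of clicking through Device Manager. This is an added example, not part of the original post; it assumes Windows 8 or later with the PnpDevice and CIM cmdlets, and matches hubs and host controllers by their Device Manager friendly name, which you may need to adjust for your hardware.

```powershell
# Added example (not from the original post): report, and optionally clear, the
# "Allow the computer to turn off this device to save power" setting for USB
# hubs and xHCI host controllers. Run elevated; pass -Disable to change settings.
param([switch]$Disable)

# The Device Manager checkbox is backed by the MSPower_DeviceEnable WMI class in
# root\wmi; its InstanceName is the PnP instance id with a trailing "_0".
$power = Get-CimInstance -Namespace root\wmi -ClassName MSPower_DeviceEnable -ErrorAction Stop

# Hubs and host controllers live in the USB device class. The name filter is an
# assumption about typical friendly names ("USB Root Hub (USB 3.0)",
# "... eXtensible Host Controller"); adjust it for your system.
$targets = Get-PnpDevice -Class USB -PresentOnly |
    Where-Object { $_.FriendlyName -match 'Hub|Host Controller' }

foreach ($dev in $targets) {
    # Escape the instance id so that -like treats it literally (it is the prefix
    # of InstanceName, which just adds "_0"). -like is case-insensitive.
    $pattern = [WildcardPattern]::Escape($dev.InstanceId) + '_*'
    $entry = $power | Where-Object { $_.InstanceName -like $pattern } | Select-Object -First 1

    if (-not $entry) {
        "{0}: no power-management setting exposed" -f $dev.FriendlyName
        continue
    }

    "{0}: can be turned off to save power = {1}" -f $dev.FriendlyName, $entry.Enable

    if ($Disable -and $entry.Enable) {
        # Clearing Enable is the same as unchecking the box in Device Manager.
        Set-CimInstance -InputObject $entry -Property @{ Enable = $false }
        "  -> power saving disabled for {0}" -f $dev.FriendlyName
    }
}
```

Without -Disable the script only reports the current state, which is the quicker way to confirm step 7 (that every hub level in the debug path has the setting cleared) before you start WinDbg.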


Decrypting wdf01000.sys interrupts with WPA

June 13, 2014

If you are trying to figure out which WDF driver is the source of all the interrupts, there is a way out. Since wdf01000.sys fields every interrupt and then calls into the actual driver, the interrupt alone does not tell you which driver caused it. Fortunately, the kernel has trace flags for exactly this: WDF_INTERRUPT and WDF_DPC. You can list all kernel trace flags with the following command: “xperf -providers KF”.

You can trace as follows:

xperf -on diageasy+WDF_DPC+WDF_INTERRUPT+0x48000000+PROC_THREAD+LOADER+INTERRUPT+DPC+CSWITCH+TIMER+CLOCKINT -stackwalk TimerSetPeriodic+TimerSetOneShot+CSwitch+readythread+profile -clocktype perfcounter -buffersize 1024 -minbuffers 1024

xperf -d test.etl