A Model Context Protocol (MCP) server for managing LLDB kernel debugging sessions. This server connects LLDB to kernel debug ports (typically forwarded from Corellium devices) and provides a clean MCP interface for kernel debugging workflows.
- PTY-based LLDB session management - Proper terminal emulation for interactive LLDB
- MCP resource exposure - Sessions are discoverable as MCP resources
- Multiple concurrent sessions - Debug multiple kernels simultaneously
- Clean error handling - Clear feedback when connections fail
- Stateless design - No coupling to specific device management systems
python3.12 -m venv venv/
source venv/bin/activate # On Windows: venv\Scripts\activatepip install -e .After completing the setup steps above, add the MCP server to Claude Code:
claude mcp add --scope user kernel-lldb -- <path-to-this-repo>/venv/bin/corellium-kernel-lldb-mcpReplace <path-to-this-repo> with the actual path to this repository.
corellium-kernel-lldb-mcpcorellium-kernel-lldb-mcp --http --host 127.0.0.1 --port 8000 --path /mcpnpx @modelcontextprotocol/inspector --cli corellium-kernel-lldb-mcpThis server is designed to work alongside the Corellium MCP server for complete kernel debugging workflows.
First, establish an SSH tunnel to the kernel debug port:
# Using Corellium MCP tools
start_kernel_debug_port_forward(
instance_id="your-device-id",
local_port=4000 # Default kernel debug port
)This creates a tunnel: localhost:4000 -> device_services_ip:4000
Download the kernel binary for symbol resolution:
# Using Corellium MCP tools
download_kernel_binary(
instance_id="your-device-id",
model="iPhone8,1",
ios_version="19A404",
filepath="/tmp/kernel-iPhone8,1-19A404"
)Connect LLDB to the forwarded port:
session_id = lldb_start(
port=4000,
kernel_path="/tmp/kernel-iPhone8,1-19A404"
)
# Returns: "LLDB session started: abc-123-def-456"Execute LLDB commands through the session:
# Get backtrace
lldb_command(session_id, "bt")
# Read registers
lldb_command(session_id, "register read")
# Examine memory
lldb_command(session_id, "memory read 0xfffffff007a04000")
# Lookup symbols
lldb_command(session_id, "image lookup --address 0xfffffff007a04000")
# Disassemble
lldb_command(session_id, "disassemble --start-address 0xfffffff007a04000 --count 20")
# Set breakpoints (if kernel supports it)
lldb_command(session_id, "breakpoint set --name panic")
# View threads
lldb_command(session_id, "thread list")lldb_terminate(session_id)Start an LLDB kernel debugging session.
Parameters:
port(int, optional): Local port where kernel debug server is listening (default: 4000)kernel_path(str): Path to kernel Mach-O binary for symbols
Returns: Session ID string (UUID)
Example:
{
"port": 4000,
"kernel_path": "/tmp/kernel-iPhone8,1-19A404"
}Execute an LLDB command in an active session.
Parameters:
session_id(str): Session ID from lldb_startcommand(str): LLDB command to execute
Returns: Command output
Example:
{
"session_id": "abc-123-def-456",
"command": "bt"
}Close an LLDB session and clean up resources.
Parameters:
session_id(str): Session ID to terminate
Example:
{
"session_id": "abc-123-def-456"
}List all active LLDB debugging sessions.
Returns: Array of session objects with metadata
Example Response:
[
{
"session_id": "abc-123-def-456",
"port": 4000,
"kernel_path": "/tmp/kernel-iPhone8,1-19A404",
"status": "debugging",
"target": "localhost:4000",
"created": "2025-09-30T12:34:56.789Z",
"ready": true
}
]Active LLDB sessions are exposed as MCP resources for discoverability:
Resource URI Format: lldb-session://{session_id}
Resource Content:
{
"session_id": "abc-123-def-456",
"port": 4000,
"kernel_path": "/tmp/kernel-iPhone8,1-19A404",
"status": "debugging",
"target": "localhost:4000",
"created": "2025-09-30T12:34:56.789Z",
"ready": true
}target list # Show current target info
image list # List loaded images/modules
thread list # List all threads
bt # Backtrace (call stack)
frame info # Current frame information
memory read 0xaddr # Read memory at address
memory read --size 4 --format x --count 16 # Formatted memory read
x/20xg 0xaddr # Examine 20 giant words (hex)
register read # Read all registers
register read pc sp lr # Read specific registers
register write pc 0xaddr # Write to register
image lookup --address 0xaddr # Find symbol at address
image lookup --name symbol_name # Find address of symbol
image lookup --type type_name # Find type definition
disassemble --start-address 0xaddr --count 20
disassemble --name function_name
breakpoint set --name panic
breakpoint set --address 0xaddr
breakpoint list
breakpoint delete 1
continue # Continue execution
step # Step into
next # Step over
finish # Step out
If you see error: Connection refused, it means:
- Port forwarding is not set up
- The kernel debug port is not listening
- Wrong port number specified
Solution: Set up port forwarding first using Corellium MCP tools.
If symbols don't load properly:
- Verify kernel binary path is correct
- Ensure kernel binary matches the running kernel version
- Check file permissions on kernel binary
This server is built using FastMCP and uses PTY-based LLDB process management for proper terminal emulation.
- lldb_session.py - PTY-based LLDB session manager
- server.py - MCP tool definitions and resource management
- Resources - Active sessions exposed as
lldb-session://URIs