
Mount *OS root partition image on a Mac

Posted: Thu May 04, 2017 1:16 pm
by septium
I've backed up the *OS "/" partition to a raw image file, for the purposes of research, quick finding/grepping, diffing between states, etc.

Code:
mac$ iproxy 22200 22
mac$ ssh -C -p 22200 root@localhost dd if=/dev/rdisk0s1s1 bs=4096k | dd of=iPad_system.dd


How can I mount it in macOS?

Code:
mac$ hdiutil attach -readonly iPad_system.dd
mac$ mount -t hfs iPad_system.dd ~/Volumes/iPad_system

don't work.

At first glance the image looks good: size is 2GB, HFS+ signature is present.

Code:
mac$ xxd -a -l 4096 iPad_system.dd
00000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
00000400: 4858 0005 8000 2000 4846 534a 0000 0029  HX.... .HFSJ...)
00000410: d34f 33e4 d530 d47b 0000 0000 d34f 9654  .O3..0.{.....O.T
00000420: 0000 f7f2 0000 7044 0000 1000 0007 c322  ......pD......."
00000430: 0000 efb6 0001 ae10 0001 0000 0001 0000  ................
00000440: 0001 7f6b 0001 0def 0000 0000 0000 0001  ...k............
00000450: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000460: 0000 0000 0000 0000 aafa 407b 8d40 4489  ..........@{.@D.
00000470: 0000 0000 0002 8000 0001 0000 0000 0028  ...............(
00000480: 0000 0001 0000 0028 0000 0000 0000 0000  .......(........
00000490: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
000004c0: 0000 0000 0040 0000 0040 0000 0000 0400  .....@...@......
000004d0: 0000 082a 0000 0400 0000 0000 0000 0000  ...*............
000004e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
00000510: 0000 0000 0200 0000 0040 0000 0000 2000  .........@.... .
00000520: 0000 642a 0000 0800 0000 6c2f 0000 0800  ..d*......l/....
00000530: 0000 7446 0000 0800 0000 7c4d 0000 0800  ..tF......|M....
00000540: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000550: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000560: 0000 0000 0300 0000 0040 0000 0000 3000  .........@....0.
00000570: 0000 0c2a 0000 3000 0000 0000 0000 0000  ...*..0.........
00000580: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
00000ff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................


What transformation do I need to perform to obtain a mountable HFS+ image?
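
The sanity check described in the post above (signature present, size about 2GB) can also be done programmatically. The following is an added example, not part of the original thread: it decodes the leading fields of the volume header using the bytes from the xxd output and compares the volume size declared there with the size of the image file. The function names are hypothetical.

```python
import os
import struct

VOLUME_HEADER_OFFSET = 1024      # header starts 1024 bytes into the volume
HEADER_FMT = ">2sHI4s10I"        # big-endian, first 52 bytes of the header
SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX"}
ATTR_UNMOUNTED = 1 << 8          # set when the volume was cleanly unmounted
ATTR_JOURNALED = 1 << 13         # set when the volume has a journal

# Bytes 0x400-0x433 of the image, copied from the xxd output in the post above.
HEADER_FROM_POST = bytes.fromhex(
    "4858 0005 8000 2000 4846 534a 0000 0029"
    "d34f 33e4 d530 d47b 0000 0000 d34f 9654"
    "0000 f7f2 0000 7044 0000 1000 0007 c322"
    "0000 efb6"
)

def parse_volume_header(raw):
    """Decode the leading fields of an HFS+/HFSX volume header."""
    if len(raw) < struct.calcsize(HEADER_FMT):
        raise ValueError("short read: not enough bytes for a volume header")
    (sig, version, attrs, last_mounted, _journal_block, _created, _modified,
     _backed_up, _checked, files, folders, block_size, total_blocks,
     free_blocks) = struct.unpack_from(HEADER_FMT, raw)
    if sig not in SIGNATURES:
        raise ValueError(f"no HFS+/HFSX signature at header offset: {sig!r}")
    return {
        "format": SIGNATURES[sig], "version": version,
        "last_mounted_by": last_mounted.decode("ascii", "replace"),
        "journaled": bool(attrs & ATTR_JOURNALED),
        "cleanly_unmounted": bool(attrs & ATTR_UNMOUNTED),
        "files": files, "folders": folders, "block_size": block_size,
        "total_blocks": total_blocks, "free_blocks": free_blocks,
        "volume_bytes": block_size * total_blocks,
    }

def check_image(path):
    """Parse the header of a raw image and flag a truncated transfer."""
    with open(path, "rb") as f:
        f.seek(VOLUME_HEADER_OFFSET)
        info = parse_volume_header(f.read(struct.calcsize(HEADER_FMT)))
    info["image_bytes"] = os.path.getsize(path)
    info["truncated"] = info["image_bytes"] < info["volume_bytes"]
    return info

if __name__ == "__main__":
    for key, value in parse_volume_header(HEADER_FROM_POST).items():
        print(f"{key}: {value}")
```

For the header in the post this reports an HFSX volume of 508706 blocks of 4096 bytes, which matches the stated image size of about 2GB; the unmounted flag is clear because the partition was read while in use.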

Re: Mount *OS root partition image on a Mac

Posted: Sat May 06, 2017 6:16 am
by backendbilly
I won't get into mounting a dd'd image here but I'll show you another way of backing up the entire file system. You should then be able to do your grepping, research, and even compare states when new files are added, deleted, modified, etc.

1- Install rsync on the device from Cydia
2- On the host machine, create a directory where you would like to save your file system and "cd" to it
3- On the host machine run the following command. My host machine is Windows here but could be macOS, Linux, etc.

rsync.exe -azPL -e "ssh -p 22200 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" root@127.0.0.1:/ .


The above command will recursively make a copy of your iOS file system (including transforming symlinks into actual files). If you don't want symlink transformation, remove -L from the options.

Re: Mount *OS root partition image on a Mac

Posted: Sat May 06, 2017 10:05 pm
by morpheus
... or, you could use HFSleuth, from the download page, because it was written for exactly that purpose. You can CD freely and then pull out files from a raw filesystem image.

Re: Mount *OS root partition image on a Mac

Posted: Mon May 08, 2017 10:49 am
by septium
backendbilly wrote:...rsync...

Thank you, but I suspect it will take an eternity to make the initial sync. Even a continuous bulk transfer of the root partition takes several minutes.

Re: Mount *OS root partition image on a Mac

Posted: Mon May 08, 2017 10:54 am
by septium
morpheus wrote:...HFSleuth...

Thank you morpheus, HFSleuth is a wonderful tool, and I use it actively. But HFSleuth is not the kind of tool I want for this task.
Extracting a distinct file, or several files, from an FS image for analysis is less convenient than performing massive ops on tens of thousands of files inside a mounted FS. Even if it's possible to extract the whole tree of similar-typed files using HFSleuth (like all executables, or all plists), it'd still be an excessive and time-consuming step.

Re: Mount *OS root partition image on a Mac

Posted: Mon May 08, 2017 10:58 am
by septium
It turns out to be very easy after all. hdiutil pays attention to the image filename ending. A strictly anti-UNIX way, but who cares... ".dmg" is the key to success.

Code:
mac$ iproxy 22200 22 &
mac$ ssh -C -p 22200 root@localhost dd if=/dev/rdisk0s1s1 bs=4096k | dd of=iPad_system.dmg
mac$ hdiutil attach ./iPad_system.dmg