Mount *OS root partition image on a Mac

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Mount *OS root partition image on a Mac

Postby septium » Thu May 04, 2017 1:16 pm

I've backed up *OS "/" partition to raw image file, for the purposes of researching, quick finding/grepping, diffing between states, etc

Code: Select all
mac$ iproxy 22200 22
mac$ ssh -C -p 22200 root@localhost dd if=/dev/rdisk0s1s1 bs=4096k | dd of=iPad_system.dd


How can I mount it in macOS?

Code: Select all
mac$ hdiutil attach -readonly iPad_system.dd
mac$ mount -t hfs iPad_system.dd ~/Volumes/iPad_system

don't work.

At a first glance image looks good: size is 2GB, HFS+ signature is present.

Code: Select all
mac$ xxd -a -l 4096 iPad_system.dd
00000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
00000400: 4858 0005 8000 2000 4846 534a 0000 0029  HX.... .HFSJ...)
00000410: d34f 33e4 d530 d47b 0000 0000 d34f 9654  .O3..0.{.....O.T
00000420: 0000 f7f2 0000 7044 0000 1000 0007 c322  ......pD......."
00000430: 0000 efb6 0001 ae10 0001 0000 0001 0000  ................
00000440: 0001 7f6b 0001 0def 0000 0000 0000 0001  ...k............
00000450: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000460: 0000 0000 0000 0000 aafa 407b 8d40 4489  ..........@{.@D.
00000470: 0000 0000 0002 8000 0001 0000 0000 0028  ...............(
00000480: 0000 0001 0000 0028 0000 0000 0000 0000  .......(........
00000490: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
000004c0: 0000 0000 0040 0000 0040 0000 0000 0400  .....@...@......
000004d0: 0000 082a 0000 0400 0000 0000 0000 0000  ...*............
000004e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
00000510: 0000 0000 0200 0000 0040 0000 0000 2000  .........@.... .
00000520: 0000 642a 0000 0800 0000 6c2f 0000 0800  ..d*......l/....
00000530: 0000 7446 0000 0800 0000 7c4d 0000 0800  ..tF......|M....
00000540: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000550: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000560: 0000 0000 0300 0000 0040 0000 0000 3000  .........@....0.
00000570: 0000 0c2a 0000 3000 0000 0000 0000 0000  ...*..0.........
00000580: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
00000ff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................


What transformation do I need to perform to obtain a mountable HFS+ image?
septium
 
Posts: 25
Joined: Thu May 04, 2017 10:04 am

Re: Mount *OS root partition image on a Mac

Postby backendbilly » Sat May 06, 2017 6:16 am

I won't get into mounting a dd'd image here but I'll show you another way of backing up the entire file system. You should then be able to do your grepping, research, and even compare states when new files are added, deleted, modified, etc.

1- install rsync on device from Cydia
2- On the host machine, create a directory where you would like to save your file system and "cd" to it
3- On the host machine run the following command. My host machine is Windows here but could be macOS, Linux, etc.

rsync.exe -azPL -e "ssh -p 22200 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" root@127.0.0.1:/ .


The above command will recursively make a copy of your iOS file system (including transforming symlinks into actual files). If you don't want symlinks transformation, remove -L from options.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: Mount *OS root partition image on a Mac

Postby morpheus » Sat May 06, 2017 10:05 pm

... or, you could use HFSleuth, from the download page, because it was written for exactly that purpose. You can CD freely and then pull out files from a raw filesystem image.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Mount *OS root partition image on a Mac

Postby septium » Mon May 08, 2017 10:49 am

backendbilly wrote:...rsync...

Thank you, but I suspect it will take eternity to make initial sync. Even continuous bulk transfer of root partition takes several minutes.
Last edited by septium on Tue May 09, 2017 10:52 pm, edited 1 time in total.
septium
 
Posts: 25
Joined: Thu May 04, 2017 10:04 am

Re: Mount *OS root partition image on a Mac

Postby septium » Mon May 08, 2017 10:54 am

morpheus wrote:...HFSleuth...

Thank you morpheus, HFSleuth is a wonderful tool, and I use it actively. But HFSleuth is not the kind of tool I want for this task.
Extracting distinct file, or several files, from FS image for analysis is less convenient than performing massive ops on tens of thousands of files inside mounted FS. Even if it's possible to extract the whole tree of similar–typed files using HFSleuth (like all executables, or all plists), it'd still be an excessive and time–consuming step.
Last edited by septium on Tue May 09, 2017 11:02 pm, edited 2 times in total.
septium
 
Posts: 25
Joined: Thu May 04, 2017 10:04 am

Re: Mount *OS root partition image on a Mac

Postby septium » Mon May 08, 2017 10:58 am

It occurs to be very easy after all. hdiutil pays attention to image filename ending. Strict anti–UNIX way, but who cares... ".dmg" is a key to success.

Code: Select all
mac$ iproxy 22200 22 &
mac$ ssh -C -p 22200 root@localhost dd if=/dev/rdisk0s1s1 bs=4096k | dd of=iPad_system.dmg
mac$ hdiutil attach ./iPad2_system.dmg
septium
 
Posts: 25
Joined: Thu May 04, 2017 10:04 am


Return to Questions and Answers

Who is online

Users browsing this forum: No registered users and 2 guests