本文详细介绍了如何解压Ubuntu的initrd文件以查看其内部结构和文件,包括使用binwalk定位压缩格式,dd和zcat或lzcat进行解压,以及如何重新压缩initrd文件。
最近在解决一个问题,需要解压ubuntu的initrd来查看启动脚本。
$ file /boot/initrd.img-4.15.0-32-generic
/boot/initrd.img-4.15.0-32-generic: ASCII cpio archive (SVR4 with no CRC)
$mkdir rootfs
$cd rootfs
$cpio -idvm < /boot/initrd.img-4.15.0-32-generic
$ tree
.
└── kernel
└── x86
└── microcode
└── AuthenticAMD.bin
3 directories, 1 file
奇怪,没有根文件的目录和文件,只有一个微码的文件。通过Google了解,目前的initrd方式有了变化。通过反复的验证,正确的步骤如下:
步骤一:可以通过lsinitramfs命名来查看initrd含有的文件
$lsinitramfs /boot/initrd.img-4.15.0-32-generic
…
lib/modules/4.15.0-32-generic/kernel/drivers/gpu/drm/amd/amdgpu
lib/modules/4.15.0-32-generic/kernel/drivers/gpu/drm/amd/amdgpu/amdgpu.ko
lib/modules/4.15.0-32-generic/kernel/drivers/gpu/drm/amd/lib
lib/modules/4.15.0-32-generic/kernel/drivers/gpu/drm/amd/lib/chash.ko
lib/modules/4.15.0-32-generic/kernel/drivers/gpu/drm/ast
lib/modules/4.15.0-32-generic/kernel/drivers/gpu/drm/ast/ast.ko
lib/modules/4.15.0-32-generic/kernel/drivers/gpu/drm/i915
lib/modules/4.15.0-32-generic/kernel/drivers/gpu/drm/i915/i915.ko
^C
…..
$ binwalk /boot/initrd.img-4.15.0-32-generic
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ASCII cpio archive (SVR4 with no CRC), file name: ".", file name length: "0x00000002", file size: "0x00000000"
112 0x70 ASCII cpio archive (SVR4 with no CRC), file name: "kernel", file name length: "0x00000007", file size: "0x00000000"
232 0xE8 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86", file name length: "0x0000000B", file size: "0x00000000"
356 0x164 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode", file name length: "0x00000015", file size: "0x00000000"
488 0x1E8 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/AuthenticAMD.bin", file name length: "0x00000026", file size: "0x00006B2A"
28072 0x6DA8 ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
28672 0x7000 ASCII cpio archive (SVR4 with no CRC), file name: "kernel", file name length: "0x00000007", file size: "0x00000000"
28792 0x7078 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86", file name length: "0x0000000B", file size: "0x00000000"
28916 0x70F4 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode", file name length: "0x00000015", file size: "0x00000000"
29048 0x7178 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/.enuineIntel.align.0123456789abc", file name length: "0x00000036", file size: "0x00000000"
29212 0x721C ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/GenuineIntel.bin", file name length: "0x00000026", file size: "0x00170C00"
1539760 0x177EB0 ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
1540096 0x178000 gzip compressed data, from Unix, last modified: 2018-08-21 22:23:29
通过binwalk能够看到“ gzip compressed data,”的字段,说明从1540096 字节段开始是gzip压缩的格式。从这开始是根文件系统。之前的microcode的文件。说明是microcode文件和根文件是压缩到一起的文件
$ binwalk -y gzip /boot/initrd.img-4.15.0-32-generic
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1540096 0x178000 gzip compressed data, from Unix, last modified: 2018-08-21 22:23:29
这里有个数字“1540096 ”,下面开始解压文件
$dd if=/boot/initrd.img-4.15.0-32-generic bs=1540096 skip=1 | zcat | cpio -id --no-absolute-filenames -v
$ls
bin conf etc init kernel lib lib64 run sbin scripts usr var
这里有个注意的地方,如果binwalk显示不都是gzip格式的。比如:
$ binwalk /mnt/casper/initrd
(binwalk工具https://github.com/ReFirmLabs/binwalk)
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ASCII cpio archive (SVR4 with no CRC), file name: ".", file name length: "0x00000002", file size: "0x00000000"
112 0x70 ASCII cpio archive (SVR4 with no CRC), file name: "kernel", file name length: "0x00000007", file size: "0x00000000"
232 0xE8 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86", file name length: "0x0000000B", file size: "0x00000000"
356 0x164 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode", file name length: "0x00000015", file size: "0x00000000"
488 0x1E8 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/AuthenticAMD.bin", file name length: "0x00000026", file size: "0x00006B2A"
28072 0x6DA8 ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
28672 0x7000 ASCII cpio archive (SVR4 with no CRC), file name: "kernel", file name length: "0x00000007", file size: "0x00000000"
28792 0x7078 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86", file name length: "0x0000000B", file size: "0x00000000"
28916 0x70F4 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode", file name length: "0x00000015", file size: "0x00000000"
29048 0x7178 ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/GenuineIntel.bin", file name length: "0x0000002A", file size: "0x00170C00"
1539600 0x177E10 ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
1540096 0x178000 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: -1 bytes
这个initrd使用lzma压缩的。那么解压时候就不能用zcat命令了。应该使用如下命令:
dd if=/mnt/casper/initrd bs=1540096 skip=1 | lzcat | cpio -id --no-absolute-filenames -v
lzcat=xz --format=lzma --decompress --stdout(参见https://www.computerhope.com/unix/xz.htm)
至此,解压结束。
如何重新压缩回去呢?参见:https://askubuntu.com/questions/777260/how-to-repack-initrd-img
find kernel/ | cpio -o -H newc > new_initrd.img
cd rootfs
find . | cpio -o | gzip -9 >> ../new_initrd.img
扫一扫
1315
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
