提取串联的 cpio 档案

提取串联的 cpio 档案

Linux 上的 initramfs 存档可以由一系列串联的、gzip 压缩的 cpio 文件组成。

给定这样一个档案,如何提取全部嵌入式档案,而不是第一个?

以下是一个模式示例,虽然它似乎有工作的潜力,但仅提取第一个存档:

while gunzip -c | cpio -i; do :; done <input.cgz

我也尝试过来自 dracut 的skipcpio 助手将文件指针移过第一个 cpio 图像,但以下结果会导致发送到 cpio 的损坏流(不在输入中的正确位置):

# this isn't ideal -- presumably would need to rerun with an extra skipcpio in the pipeline
# ...until all files in the archive have been reached.
gunzip -c <input.cgz | skipcpio /dev/stdin | cpio -i

答案1

/usr/lib/dracut/skipcpio $your-initrd-img | zcat | cpio -id --no-absolute-file-names

要不然

/usr/lib/dracut/skipcpio $your-img | gunzip -c | cpio -id

(在 FreeBSD 中,cpio 没有 --no-absolute-file-names 选项)

这个小程序skipcpio是 dracut 包的一部分。但您甚至可以在 FreeBSD 下下载代码 (skipcpio.c) 并编译它。

提取 dracut 创建的 initrd 映像时需要这个,至少在 RedHat 支持的发行版(例如 Fedora)下是这样。它将一个名为“early_cpio”的文件放入映像中,因此以以前已知的正常方式提取 initramfs 将不起作用。

答案2

gunzip 只需要运行一次(消耗所有输入),而 cpio 应为每个嵌入式存档运行一次,如下所示:

gunzip -c <input.cgz | while cpio -i; do :; done

答案3

您可以手动执行此操作dd skip=。在我的 Ubuntu 20.04 上,我可以使用以下命令查看第一部分(偏移 0 块)

# dd if=/boot/initrd.img-5.4.0-45-generic skip=0 | file -
/dev/stdin: ASCII cpio archive (SVR4 with no CRC)

然后查看内容

# dd if=/boot/initrd.img-5.4.0-45-generic skip=0 | cpio -it
.
kernel
kernel/x86
kernel/x86/microcode
kernel/x86/microcode/AuthenticAMD.bin
62 blocks

第二部分更远 62 个街区

# dd if=/boot/initrd.img-5.4.0-45-generic skip=62 | file -
/dev/stdin: ASCII cpio archive (SVR4 with no CRC)

再次只是一个简单的 cpio 存档,但这次更大

# dd if=/boot/initrd.img-5.4.0-45-generic skip=62 | cpio -it
kernel
kernel/x86
kernel/x86/microcode
kernel/x86/microcode/.enuineIntel.align.0123456789abc
kernel/x86/microcode/GenuineIntel.bin
5868 blocks

现在将5868 + 62块跳过到 initramfs 中

# dd if=/boot/initrd.img-5.4.0-45-generic skip=5930 | file -
/dev/stdin: LZ4 compressed data (v0.1-v0.9)

这次是压缩流,所以

# dd if=/boot/initrd.img-5.4.0-45-generic skip=5930 | lz4cat | file -
/dev/stdin: ASCII cpio archive (SVR4 with no CRC)

我们再次找到了下一个(也是最终的)cpio 存档

# dd if=/boot/initrd.img-5.4.0-45-generic skip=5930 | lz4cat | cpio -it
... lots of output
usr/share/plymouth/themes/spinner/watermark.png
usr/share/plymouth/ubuntu-logo.png
var
var/cache
var/cache/fontconfig
var/cache/fontconfig/383ee5b3-5437-4bdc-87f6-cf314658a7c0-le64.cache-7
var/cache/fontconfig/575cffd4-ae01-4067-914f-7545fe566c1b-le64.cache-7
var/cache/fontconfig/CACHEDIR.TAG
var/cache/fontconfig/c467a813-186f-476e-880a-3770402989a9-le64.cache-7
var/cache/fontconfig/d912fc4e-f5b6-456d-a86d-e4c3ccbbefe9-le64.cache-7
var/lib
var/lib/dhcp
450460 blocks

尽管如此,这仅在第一个流未压缩的情况下才有效。否则,cpio 不会将大小报告到 initramfs 中,而是报告未压缩部分的大小。

答案4

安装了软件包amd64-microcode/intel-microcode软件包的 Debian 似乎使用了某种混乱的未压缩cpio存档,其中包含 CPU 微代码,后跟包含实际 initrd 内容的gzip压缩存档。cpio我能够提取它的唯一方法是使用binwalk( apt install binwalk),它都可以正确列出结构:

binwalk /path/to/initrd

示例输出:

host ~ # binwalk /boot/initrd.img-5.10.0-15-amd64

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ASCII cpio archive (SVR4 with no CRC), file name: "kernel", file name length: "0x00000007", file size: "0x00000000"
120           0x78            ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86", file name length: "0x0000000B", file size: "0x00000000"
244           0xF4            ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode", file name length: "0x00000015", file size: "0x00000000"
376           0x178           ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/.enuineIntel.align.0123456789abc", file name length: "0x00000036", file size: "0x00000000"
540           0x21C           ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/GenuineIntel.bin", file name length: "0x00000026", file size: "0x00455C00"
4546224       0x455EB0        ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
4546560       0x456000        gzip compressed data, has original file name: "mkinitramfs-MAIN_dTZaRk", from Unix, last modified: 2022-06-14 14:02:57
37332712      0x239A6E8       MySQL ISAM compressed data file Version 9

并提取单独的部分:

binwalk -e /path/to/initrd

示例输出:

host ~ # binwalk -e /boot/initrd.img-5.10.0-15-amd64 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ASCII cpio archive (SVR4 with no CRC), file name: "kernel", file name length: "0x00000007", file size: "0x00000000"
120           0x78            ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86", file name length: "0x0000000B", file size: "0x00000000"
244           0xF4            ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode", file name length: "0x00000015", file size: "0x00000000"
376           0x178           ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/.enuineIntel.align.0123456789abc", file name length: "0x00000036", file size: "0x00000000"
540           0x21C           ASCII cpio archive (SVR4 with no CRC), file name: "kernel/x86/microcode/GenuineIntel.bin", file name length: "0x00000026", file size: "0x00455C00"
4546224       0x455EB0        ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
4546560       0x456000        gzip compressed data, has original file name: "mkinitramfs-MAIN_dTZaRk", from Unix, last modified: 2022-06-14 14:02:57
37332712      0x239A6E8       MySQL ISAM compressed data file Version 9

这将为您提供单独文件中的单独部分,现在您终于可以提取正确的cpio存档:

host ~ # ls -l _initrd.img-5.10.0-15-amd64.extracted 
insgesamt 187M
drwxr-xr-x 3 root root 4,0K 14. Jun 17:53 cpio-root/
-rw-r--r-- 1 root root 114M 14. Jun 17:53 mkinitramfs-MAIN_dTZaRk
-rw-r--r-- 1 root root  39M 14. Jun 17:53 0.cpio
-rw-r--r-- 1 root root  35M 14. Jun 17:53 mkinitramfs-MAIN_dTZaRk.gz
host ~/_initrd.img-5.10.0-15-amd64.extracted # mkdir extracted
host ~/_initrd.img-5.10.0-15-amd64.extracted # cd extracted 
host ~/_initrd.img-5.10.0-15-amd64.extracted/extracted # cat ../mkinitramfs-MAIN_dTZaRk | cpio -idmv --no-absolute-filenames
[...]
host ~/_initrd.img-5.10.0-15-amd64.extracted/extracted # ll
insgesamt 28K
lrwxrwxrwx 1 root root    7 14. Jun 17:55 bin -> usr/bin/
drwxr-xr-x 3 root root 4,0K 14. Jun 17:55 conf/
drwxr-xr-x 7 root root 4,0K 14. Jun 17:55 etc/
lrwxrwxrwx 1 root root    7 14. Jun 17:55 lib -> usr/lib/
lrwxrwxrwx 1 root root    9 14. Jun 17:55 lib32 -> usr/lib32/
lrwxrwxrwx 1 root root    9 14. Jun 17:55 lib64 -> usr/lib64/
lrwxrwxrwx 1 root root   10 14. Jun 17:55 libx32 -> usr/libx32/
drwxr-xr-x 2 root root 4,0K 14. Jun 16:02 run/
lrwxrwxrwx 1 root root    8 14. Jun 17:55 sbin -> usr/sbin/
drwxr-xr-x 8 root root 4,0K 14. Jun 17:55 scripts/
drwxr-xr-x 8 root root 4,0K 14. Jun 17:55 usr/
-rwxr-xr-x 1 root root 6,2K 14. Jan 2021  init*

相关内容