Extracting initramfs

From The Power of Many
Revision as of 00:30, 1 August 2020 by Snowshi (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
$ file /boot/initramfs-XXX.img
/boot/initramfs-XXX.img: ASCII cpio archive (SVR4 with no CRC)

It could indicate that there is a type of compression in place (gzip, xz or the like) in which case this initramfs has likely not been generated by a modern version of Dracut. Let's extract the contents into a new temporary directory:

$ pwd
/tmp
$ mkdir init_tmp && cd init_tmp
$ cpio -idmv < /boot/initramfs-XXX.img 
kernel
kernel/x86
kernel/x86/microcode
kernel/x86/microcode/GenuineIntel.bin
5784 blocks

You can see here, it just contains the microcode.

To get to the real initramfs we simply need to skip the first one using dd command.

Previously when we extracted the CPIO archive it told us how large it was (5784 blocks at the end).

We simply need to skip those then we should be able to decode the inner archive.

$ dd if=/boot/initramfs-XXX.img bs=512 skip=5784 of=/tmp/init_tmp/inner-initramfs.img
128304+1 records in
128304+1 records out
65691829 bytes (66 MB, 63 MiB) copied, 0.488113 s, 135 MB/s

We can identify if compression is present:

$ file inner-initramfs.img 
inner-initramfs.img: gzip compressed data, last modified: Wed Jul 29 09:42:47 2020, from Unix, original size 218558976

Now we can decompress it and extract the inner archive 

$ pwd
/tmp/init_tmp
$ zcat inner-initramfs.img | cpio -idmv
.
bin
conf
conf/arch.conf
conf/conf.d
...<contents remove for brevity>...
var
var/lock
var/run
var/tmp
426873 blocks

It's all. NOW you get what you want.


Additional: dracut ships with a utility called skipcpio which you can pipe one of these initramfs files throught to skip the extra dd step.

Additional: lsinitramfs will list all contents

Retrieved from "https://wiki.snowfrs.com/index.php?title=Extracting_initramfs&oldid=192"