There may be a couple of reasons why you need to extract initramfs or initrd images. As of now, I want to fix my computer, which was not allowing me to use my laptop with the following error: “Failed to start VirtualBox Linux kernel module”.
After diagnosing, it’s a clear error that it’s missing the Linux header. Although you know, we can install Linux headers using uname-r. However, the installer failed to install and threw the error message “Unable to locate.”
Later on, I found that there was some issue with the kernel image. I moved the default initramfs and vmlinuz to another location and restarted the system.
Hopefully, the system restarted successfully.
And from here, I thought to do an autopsy with initramfs and a vmlinuz file. In this guided article, you will see the steps to extract initrd/initramfs.
Before moving ahead, you should know what initramfs are and why the system requires this.
What is initramfs?
To put it simply, initramfs is a small RAM disk that contains the files required to load the system before the real root file system is mounted. They provide the basic necessities for the system to startup and mount the real root file system (/) when booting is successful.
The short answer is that it loads kernel modules and mounts filesystems as RAM.
Moreover, it is compressed with cpio format archives along with several other compression algorithms, which we will see later.
How to know which Linux Kernel Version is installed in my System
Method to Inspect or view initramfs content
You will see two methods to inspect initramfs content, such as
- [Conventional way] Extract and view initramfs/initrd content
- [Simple & Convenient way] Extract and view initramfs/initrd content
- Inspect initramfs
How to extract and view initramfs file in Linux
Although you know that initramfs or initrd stores in the /boot directory, which is protected with write permission, and basically it’s not an absolute way to work here. So first and foremost, create a temporary directory in /tmp with the init directory.
To make a temporary directory like mine, do copy-paste the following command.
$ mkdir /tmp/init
$ cd /tmp/init
Once it is done, copy the respective initramfs file to the current directory and make sure to replace the initrd file name with the available one.
$ ls /boot
$ cp -v /boot/initrd.img-5.10.0-9-amd64 .
After that check, the file type, usually initrd or initramfs is compressed with multiple algorithms. To check the file type, use file command.
$ file initrd.img-5.10.0-9-amd64
Output
initrd.img-5.10.0-9-amd64: gzip compressed data, was "mkinitramfs-MAIN_EYPHFu", last modified: Sat Oct 16 04:14:42 2021, from Unix, original size modulo 2^32 145369088
The output says it is a gzipped file, but if you try to unzip it with the gunzip command, you will not be able to do so because gunzip requires a.gz extension, which is not present. So you will rename the initramfs with the .gz extension.
$ mv initrd.img-5.10.0-9-amd64 initrd.img-5.10.0-9-amd64.gz
Once it’s done, pass the subsequent command and check the file type.
$ gunzip initrd.img-5.10.0-9-amd64.gz
$ file initrd.img-5.10.0-9-amd64
Output
initrd.img-5.10.0-9-amd64: ASCII cpio archive (SVR4 with no CRC)
We are almost done here. After getting the “CPIO archive,” type the below command to extract the file in the current directory.
$ cpio -idv < initrd.img-5.10.0-9-amd64
Output
usr/bin/awk
usr/bin/ash
usr/bin/arch
cpio: usr/sbin/watchdog linked to usr/bin/[
*****[TRIMMED OUTPUT]******
var/cache/fontconfig/befa2b5d-41df-461b-8d18-246762b8c3e3-le64.cache-7
283924 blocks
The extraction part is over here, and you can do what you want with an extracted initramfs image file.
The above method is slightly tricky. You can achieve the same result with a single command, which can be convenient and easy to use without memorizing the steps.
You can use the lsinitrd command to perform all the steps in one. Open your terminal window, type the following command, and replace the file name.
$ mkdir init && cd init
$ lsinitrd --unpack /boot/initrd.img-5.10.0-9-amd64
Check whether the file was extracted successfully.
$ ls
Output
bin@ conf/ etc/ init* lib@ lib32@ lib64@ libx32@ run/ sbin@ scripts/ usr/ var/
How to Inspect or view initramfs
All the above was to extract the image and then inspect the file content, but if you are not interested in the extraction part and just want to inspect the initrd/initramfs content, then what to do?
Simple again, you can use the lsinitrd command to view the content of an individual image file, and the output is similar to the ls -l command.
$ lsinitrd initrd.img-5.10.0-9-amd64
Output
Image: initrd.img-5.10.0-9-amd64: 40M
========================================================================
-rwxr-xr-x 247 root root 0 Jul 26 2021 usr/sbin/syslogd
-rwxr-xr-x 247 root root 0 Jul 26 2021 usr/sbin/ubirename
-rwxr-xr-x 247 root root 0 Jul 26 2021 usr/sbin/udhcpc
-rwxr-xr-x 247 root root 0 Jul 26 2021 usr/sbin/udhcpd
-rwxr-xr-x 247 root root 0 Jul 26 2021 usr/sbin/uevent
******(TRIMMED OUTPUT******
-rw-r--r-- 1 root root 200 Oct 16 09:44 var/cache/fontconfig/CACHEDIR.TAG
========================================================================
I’m not sure whether we can make any changes here. If you know, please let us know.
Wrap up
That’s all to unpack initrd/initramfs to view content in Linux. We have covered conventional and simple ways to extract initrd/initramfs files. Along with that, you have learned to inspect content without extracting files.
If you face any difficulty while following our article, please let us know in the comment section.
Till then, enjoy it!
A man with a tech effusive who has explored some of the amazing technology stuff and is exploring more. While moving towards, I had a chance to work on Android development, Linux, AWS, and DevOps with several open-source tools.
