How to Extract initrd/initramfs to View Content in Linux

It takes a few simple steps to extract the initramfs files on your Linux system to view their contents.

There may be a couple of reasons why you need to extract initramfs or initrd images, such as to find the reason for boot issues or to explore what content is in them.

As of now, I want to fix my computer, which was not allowing me to use my laptop with the following error: “Failed to start VirtualBox Linux kernel module”.

After diagnosing, it’s a clear error that it’s missing the Linux header. Although you know, we can install Linux headers by reading this guide.

However, the installer failed to install and threw the error message “Unable to locate.”

Later on, I found that there was some issue with the kernel image. I moved the default initramfs and vmlinuz to another location and restarted the system.

Hopefully, the system has now restarted successfully.

And from that point, I thought to do an autopsy with initramfs and a vmlinuz file, and I will share with you the steps to extract initrd/initramfs files on Linux.

So before moving ahead, you should know what initramfs are and why the system requires this.

Table of Contents

What is Initramfs?

Initramfs is a small RAM disk that contains the files required to load the system before the real root file system is mounted.

They provide the basic necessities for the system to startup and mount the real root file system (/) when booting is successful.

It is compressed with cpio format archives along with several other compression algorithms, which can be unpacked and loaded into memory during the boot process.

In a nutshell, if you want to understand, then the short answer is that it loads kernel modules and mounts filesystems in order to boot up the operating system.

So, from no onward whenever you see initramfs you will know what is it and why system requires it.

Method to Extract or View Initramfs Content Files

Here you will cover two methods to extract and inspect initramfs content, such as

Conventional way: To extract and view initramfs/initrd content
Simple & Convenient way: Another simple way to extract and view initramfs/initrd content

Conventional Way: To Extract and View Initramfs Files on Linux

As you may know, initramfs or initrd stores itself in the /boot directory, which is protected with write permission, and it is also not advisable to make any changes to this directory.

So, first and foremost, we will create a temporary directory in /tmp with the init directory.

To make a temporary directory like mine, do copy-paste the following command.

$ mkdir /tmp/init
$ cd /tmp/init

Once it is done, copy the respective initramfs file to the current directory and make sure to replace the initrd file name with the available one.

$ ls /boot
$ cp -v /boot/initrd.img-5.10.0-9-amd64 .

After that check, the file type, usually initrd or initramfs, is compressed with multiple algorithms, so it’s better to check the file type using the file command.

$ file initrd.img-5.10.0-9-amd64

Output:

initrd.img-5.10.0-9-amd64: gzip compressed data, was "mkinitramfs-MAIN_EYPHFu", last modified: Sat Oct 16 04:14:42 2021, from Unix, original size modulo 2^32 145369088

According to the above output, it says it is a gzipped file, but if you try to unzip it with the gunzip command, you will not be able to do so because gunzip requires the a .gz extension, which is not present at the moment.

So you need to rename the initramfs with the .gz extension.

$ mv initrd.img-5.10.0-9-amd64 initrd.img-5.10.0-9-amd64.gz

If initrd.img-x.x.x-x-arch is directly in cpio format, then skip the below command and run the last command of this section.

Anyway, let’s go back to the terminal and pass the subsequent command to extract the .gz file and check the result.

$ gunzip initrd.img-5.10.0-9-amd64.gz
$ file initrd.img-5.10.0-9-amd64

Output

initrd.img-5.10.0-9-amd64: ASCII cpio archive (SVR4 with no CRC)

Now we are almost done here.

After getting the “CPIO archive,” type the below command to extract the file in the current directory.

$ cpio -idv < initrd.img-5.10.0-9-amd64

Output

usr/bin/awk
usr/bin/ash
usr/bin/arch
cpio: usr/sbin/watchdog linked to usr/bin/[

*****[TRIMMED OUTPUT]******

var/cache/fontconfig/befa2b5d-41df-461b-8d18-246762b8c3e3-le64.cache-7
283924 blocks

The extraction part is over here.

Now you can do whatever you want with an extracted initramfs image file.

Simple Method: Extract initramfs/initrd using lsinitrd

The above method may be slightly tricky for some users.

However, you can achieve the same result with a single command, which can be convenient and easy to use without memorizing the steps.

You can use the lsinitrd command to perform all the steps in one. Now open your system terminal window, type the following command, and replace the file name.

$ mkdir /tmp/init && cd /tmp/init
$ cd /tmp/init
$ cp -v /boot/initrd.img-5.10.0-9-amd64 .

$ lsinitrd --unpack /boot/initrd.img-5.10.0-9-amd64

Check whether the file was extracted successfully.

$ ls

Output

bin@  conf/  etc/  init*  lib@  lib32@  lib64@  libx32@  run/  sbin@  scripts/  usr/  var/

If the lsinitrd command is not available in your system, then you can use the unmkinitramfs command to extract current kernel to a new directory called initramfs like shown below:

$ unmkinitramfs /boot/initrd.img-$(uname -r) initramfs/
or
$ unmkinitramfs /boot/initrd.img-5.10.0-9-amd64 initramfs/

How to Inspect or View Initramfs

All the above was to extract the image and then inspect the file content, but if you are not interested in the extraction part and just want to inspect the initrd/initramfs content, then what to do?

Simply you can use thelsinitrd or lsinitramfs commands to view the content of an individual image file, as shown below:

$ lsinitrd initrd.img-5.10.0-9-amd64

Output

Image: initrd.img-5.10.0-9-amd64: 40M
========================================================================
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/syslogd
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/ubirename
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/udhcpc
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/udhcpd
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/uevent

******(TRIMMED OUTPUT******

-rw-r--r--   1 root     root          200 Oct 16 09:44 var/cache/fontconfig/CACHEDIR.TAG
========================================================================

Here you can just view the content of the file, and on the latest Linux Mint I have not found the the lsinitrd so instead of that I used lsinitramfs command.

$ lsinitramfs /boot/initrd.img-5.10.0-9-amd64

Wrap up

That’s all to unpack or extract initrd/initramfs to view content in Linux.

We have covered conventional and simple ways to extract initrd/initramfs files. Along with that, you have learned to inspect content without extracting files.

If you face any difficulty while following our article, please let us know in the comment section.

Till then, enjoy it!

Gagan Mishra

A man with a tech effusive who has explored some of the amazing technology stuff and is exploring more. While moving towards, I had a chance to work on Android development, Linux, AWS, and DevOps with several open-source tools.

This Post Has 3 Comments

Barry January 31, 2022 Reply

EasyOS takes this to the logical conclusion, just single click on initrd to open it up in a file manager. Edit as required, then click on initrd to update. Completely graphical, super easy
1. Gagan Mishra February 2, 2022 Reply
  
  This feature can be available in all Linux Distributions?
  1. Barry February 3, 2022 Reply
    
    Yes, it could be very easily implemented on any Linux distro. It i just a matter of writing a handler script for the initrd mime-type. The script in EasyOS can be used as the basis.
    EasyOS uses the ROX-Filer filemanager, and if you right-click on the initrd it will show the handler script assigned to that mime-type.