Blog

How to Extract initrd/initramfs to View Content in Linux

It takes a few simple steps to extract the initramfs files on your Linux system to view their contents.

There may be a couple of reasons why you need to extract initramfs or initrd images, such as to find the reason for boot issues or to explore what content is in them.

As of now, I want to fix my computer, which was not allowing me to use my laptop with the following error: “Failed to start VirtualBox Linux kernel module”.

After diagnosing, it’s a clear error that it’s missing the Linux header. Although you know, we can install Linux headers by reading this guide.

However, the installer failed to install and threw the error message “Unable to locate.”

Later on, I found that there was some issue with the kernel image. I moved the default initramfs and vmlinuz to another location and restarted the system.

Hopefully, the system has now restarted successfully.

And from that point, I thought to do an autopsy with initramfs and a vmlinuz file, and I will share with you the steps to extract initrd/initramfs files on Linux.

So before moving ahead, you should know what initramfs are and why the system requires this.

What is Initramfs?

Initramfs is a small RAM disk that contains the files required to load the system before the real root file system is mounted.

They provide the basic necessities for the system to startup and mount the real root file system (/) when booting is successful.

It is compressed with cpio format archives along with several other compression algorithms, which can be unpacked and loaded into memory during the boot process.

In a nutshell, if you want to understand, then the short answer is that it loads kernel modules and mounts filesystems in order to boot up the operating system.

So, from no onward whenever you see initramfs you will know what is it and why system requires it.

Method to Extract or View Initramfs Content Files

Here you will cover two methods to extract and inspect initramfs content, such as

  • Conventional way: To extract and view initramfs/initrd content
  • Simple & Convenient way: Another simple way to extract and view initramfs/initrd content

Conventional Way: To Extract and View Initramfs Files on Linux

As you may know, initramfs or initrd stores itself in the /boot directory, which is protected with write permission, and it is also not advisable to make any changes to this directory. 

So, first and foremost, we will create a temporary directory in /tmp with the init directory.

To make a temporary directory like mine, do copy-paste the following command.

$ mkdir /tmp/init
$ cd /tmp/init

Once it is done, copy the respective initramfs file to the current directory and make sure to replace the initrd file name with the available one.

$ ls /boot
$ cp -v /boot/initrd.img-5.10.0-9-amd64 .

After that check, the file type, usually initrd or initramfs, is compressed with multiple algorithms, so it’s better to check the file type using the file command.

$ file initrd.img-5.10.0-9-amd64 
Output:

initrd.img-5.10.0-9-amd64: gzip compressed data, was "mkinitramfs-MAIN_EYPHFu", last modified: Sat Oct 16 04:14:42 2021, from Unix, original size modulo 2^32 145369088

According to the above output, it says it is a gzipped file, but if you try to unzip it with the gunzip command, you will not be able to do so because gunzip requires the a .gz extension, which is not present at the moment.

So you need to rename the initramfs with the .gz extension.

$ mv initrd.img-5.10.0-9-amd64 initrd.img-5.10.0-9-amd64.gz

If initrd.img-x.x.x-x-arch is directly in cpio format, then skip the below command and run the last command of this section.

Anyway, let’s go back to the terminal and pass the subsequent command to extract the .gz file and check the result.

$ gunzip initrd.img-5.10.0-9-amd64.gz
$ file initrd.img-5.10.0-9-amd64
Output

initrd.img-5.10.0-9-amd64: ASCII cpio archive (SVR4 with no CRC)

Now we are almost done here.

After getting the “CPIO archive,” type the below command to extract the file in the current directory.

$ cpio -idv < initrd.img-5.10.0-9-amd64
Output

usr/bin/awk
usr/bin/ash
usr/bin/arch
cpio: usr/sbin/watchdog linked to usr/bin/[

*****[TRIMMED OUTPUT]******

var/cache/fontconfig/befa2b5d-41df-461b-8d18-246762b8c3e3-le64.cache-7
283924 blocks

The extraction part is over here. 

Now you can do whatever you want with an extracted initramfs image file.

Simple Method: Extract initramfs/initrd using lsinitrd

The above method may be slightly tricky for some users.

However, you can achieve the same result with a single command, which can be convenient and easy to use without memorizing the steps.

You can use the lsinitrd command to perform all the steps in one. Now open your system terminal window, type the following command, and replace the file name.

$ mkdir /tmp/init && cd /tmp/init
$ cd /tmp/init
$ cp -v /boot/initrd.img-5.10.0-9-amd64 .

$ lsinitrd --unpack /boot/initrd.img-5.10.0-9-amd64

Check whether the file was extracted successfully.

$ ls 
Output

bin@  conf/  etc/  init*  lib@  lib32@  lib64@  libx32@  run/  sbin@  scripts/  usr/  var/

If the lsinitrd command is not available in your system, then you can use the unmkinitramfs command to extract current kernel to a new directory called initramfs like shown below:

$ unmkinitramfs /boot/initrd.img-$(uname -r) initramfs/
or
$ unmkinitramfs /boot/initrd.img-5.10.0-9-amd64 initramfs/

How to Inspect or View Initramfs

All the above was to extract the image and then inspect the file content, but if you are not interested in the extraction part and just want to inspect the initrd/initramfs content, then what to do?

Simply you can use thelsinitrd  or lsinitramfs commands to view the content of an individual image file, as shown below:

$ lsinitrd initrd.img-5.10.0-9-amd64
Output

Image: initrd.img-5.10.0-9-amd64: 40M
========================================================================
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/syslogd
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/ubirename
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/udhcpc
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/udhcpd
-rwxr-xr-x 247 root     root            0 Jul 26  2021 usr/sbin/uevent

******(TRIMMED OUTPUT******

-rw-r--r--   1 root     root          200 Oct 16 09:44 var/cache/fontconfig/CACHEDIR.TAG
========================================================================

Here you can just view the content of the file, and on the latest Linux Mint I have not found the the lsinitrd so instead of that I used lsinitramfs command.

$ lsinitramfs /boot/initrd.img-5.10.0-9-amd64

Wrap up

That’s all to unpack or extract initrd/initramfs to view content in Linux.

We have covered conventional and simple ways to extract initrd/initramfs files. Along with that, you have learned to inspect content without extracting files.

If you face any difficulty while following our article, please let us know in the comment section.

Till then, enjoy it!

5 1 vote
Article Rating
Subscribe
Notify of
guest
4 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Barry
Barry
3 years ago

EasyOS takes this to the logical conclusion, just single click on initrd to open it up in a file manager. Edit as required, then click on initrd to update. Completely graphical, super easy

0
Reply
Gagan Mishra
Gagan Mishra
Author
Reply to  Barry
3 years ago

This feature can be available in all Linux Distributions?

0
Reply
Barry
Barry
Reply to  Gagan Mishra
3 years ago

Yes, it could be very easily implemented on any Linux distro. It i just a matter of writing a handler script for the initrd mime-type. The script in EasyOS can be used as the basis.
EasyOS uses the ROX-Filer filemanager, and if you right-click on the initrd it will show the handler script assigned to that mime-type.

0
Reply
Farxial
Farxial
2 months ago

Thank you UwU cpio and lsinitramfs has extracted only AMD microcode from initrd.img_file/early directory, but seems unmkinitramfs has extracted all files.

0
Reply