{"id":28,"date":"2012-03-12T00:12:36","date_gmt":"2012-03-11T20:12:36","guid":{"rendered":"http:\/\/pavlenko.net\/antony\/?p=28"},"modified":"2020-05-07T00:53:59","modified_gmt":"2020-05-06T20:53:59","slug":"ufs-internals","status":"publish","type":"post","link":"http:\/\/pavlenko.net\/antony\/2012\/03\/12\/ufs-internals\/","title":{"rendered":"UFS internals"},"content":{"rendered":"<p>I wrote about fsdb usage for vxfs some time ago. But questions about ufs are now asked rather often, in spite of the file system&#8217;s age and its rather good manual. So I decided to write about fsdb for ufs.<\/p>\n<p>When you use fsdb you must be very careful: one mistake and all your data is lost.<br \/>\nRun fsdb with write permissions:<\/p>\n<pre>fsdb -o w \/dev\/rdsk\/_your_file_system_ <\/pre>\n<p>The fsdb syntax is rather unusual and similar to adb. All commands start with &#8220;:&#8221;.<br \/>\nFor example, the <\/p>\n<pre>:ls <\/pre>\n<p> command.<br \/>\nThis will also work: <\/p>\n<pre> :ls \/ <\/pre>\n<p>But you must remember that \/ is the root of the file system that you opened with fsdb; if you open var, for example, it will be the root of the var file system, not the root file system.<br \/>\n:ls has only 2 options: -l returns a list of files with inode numbers, and -R does a recursive listing.<br \/>\nYou can use the :cd command to change directory.<br \/>\nThe very useful :base command can change the numeral system from hexadecimal (the default) to octal:<\/p>\n<pre>:base=0t10 <\/pre>\n<p>fsdb uses the concept of &#8220;dot&#8221;. First you must select an object to work with, which sets &#8220;dot&#8221; to the address of that object. 
All following commands then operate relative to the value of &#8220;dot&#8221;.<br \/>\nSo if you decide to do something with inode 5, you must first select it.<br \/>\nThis is done like so:<\/p>\n<pre>5:inode <\/pre>\n<p>After this you can display information about the inode: <\/p>\n<pre> ?i <\/pre>\n<p>Or you can combine these two commands into one:<\/p>\n<pre>\r\n5:inode?i\r\n\r\n\/dev\/rdsk\/c1t3d0s0 > 5:inode?i\r\ni#: 5 md: d---rwxr-xr-x uid: 0 gid: 3\r\nln: 4 bs: 2 sz : c_flags : 0 200\r\n\r\ndb#0: 2fc\r\naccessed: Wed Apr 29 16:24:50 2009\r\nmodified: Wed Feb 25 13:40:05 2009\r\ncreated : Wed Feb 25 13:40:05 2009\r\n<\/pre>\n<p>I think the output is rather logical and easy to understand. I&#8217;d like to look more closely at the value of the db field. DB is a direct block; it is in the direct blocks that you find the file data. I hope everybody remembers that an inode in ufs has 12 direct blocks and 3 indirect blocks. An IB (indirect block) is a block that holds as many as 2048 links to other blocks and no data at all. Only the first one holds links to db; if that isn&#8217;t enough, the second IB is used. This IB is also known as the double indirect block: it holds 2048 links to ib, which in turn hold links to db. The third ib is the triple indirect block, and I think you can work out what it contains by yourself.<br \/>\nGoing back to my output, we see that the inode contains only one db (number zero), in block 2fc.<br \/>\nBut we digress.<br \/>\nThe type of an inode, file or directory, is easy to tell from the md (<br \/>\nmode) field. 
If it contains the d flag, then it is a directory; if not, a file.<br \/>\nIf it turns out to be a directory, :ls will show its contents.<\/p>\n<p>As everybody remembers, a directory in ufs is nothing more than an array that maps file names to inodes.<br \/>\nAfter you select an inode that proves to be a directory, you can list and modify these entries.<br \/>\nStrictly speaking, :ls shows them to you, but in a different order. They can be listed in the array&#8217;s own order like this:<\/p>\n<pre>\r\n0:dir?d\r\n1:dir?d\r\n2:dir?d\r\n<\/pre>\n<p>If you are too lazy to type the next command (3:dir?d), you can just<br \/>\npress Enter and :dir?d will be run for the next element.<br \/>\nIf you are too lazy even to press Enter 20 times, you can display 20 elements from block 0 of inode 2 using this command sequence:<\/p>\n<pre>2:ino; 0:db:block,20?d <\/pre>\n<p>Or just: <\/p>\n<pre>308:fragment,20?d <\/pre>\n<p>If you decide that some entry (let it be the 5th) must point not to inode 22<br \/>\nbut, for example, to inode 66, you can change it yourself with this<br \/>\ncommand:<\/p>\n<pre>5:dir?d=42 <\/pre>\n<p>because 66 is 42 in hex.<br \/>\nNote that the file name will stay the same.<\/p>\n<pre>5:dir:nm=\"test\"<\/pre>\n<p>will change the name as well.<br \/>\nI think you can now do everything you want with directories. Let&#8217;s move on to files.<br \/>\nEverything is pretty much the same.<\/p>\n<pre>\r\n\/dev\/rdsk\/c1t3d0s0 > :ls -l \/etc\/passwd\r\n\/etc:\r\ni#: a317 passwd\r\n\/dev\/rdsk\/c1t3d0s0 > 0xa317:inode?i\r\ni#: a317 md: ----rw-r--r-- uid: 0 gid: 3\r\nln: 1 bs: 2 sz : c_flags : 0 395\r\n\r\ndb#0: 6a8db\r\naccessed: Wed Apr 29 16:20:06 2009\r\nmodified: Mon Apr 27 11:59:48 2009\r\ncreated : Mon Apr 27 11:59:48 2009\r\n\r\n\/dev\/rdsk\/c1t3d0s0 > 0:db:block,100\/c\r\n<\/pre>\n<p>And we have the contents of \/etc\/passwd on the screen. 
Now the question is: how can we change it?<br \/>\nEasily!<br \/>\nThere are several ways to do it.<br \/>\nTo fill some part of the file with zeros:<\/p>\n<pre>6a889:fragment,4=fill=0x0 <\/pre>\n<p>Or just write some data to any address:<\/p>\n<pre>1aa22400=0xffff <\/pre>\n<p>If you want to write text, it can be done with this command:<\/p>\n<pre>1aa36c00=\"root\" <\/pre>\n<p>So, what is the easiest way to remove an inode on an unmounted file system? With the clri command, of course \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I wrote about fsdb usage for vxfs some time ago. But questions about ufs are now asked rather often, in spite of the file system&#8217;s age and its rather good manual. So I decided to write about fsdb for ufs. When you use fsdb you must be very careful: one mistake and all your data is lost. Run fsdb [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,3],"tags":[],"_links":{"self":[{"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/posts\/28"}],"collection":[{"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/comments?post=28"}],"version-history":[{"count":3,"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/posts\/28\/revisions"}],"predecessor-version":[{"id":31,"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/posts\/28\/revisions\/31"}],"wp:attachment":[{"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/media?parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/pavlenko.net\/antony\/wp-json\/wp\/v2\/categories?post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/pavlenk
o.net\/antony\/wp-json\/wp\/v2\/tags?post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}