Reading a sector on the boot disk

Question

This is a continuation of my question about reading the superblock.

Let's say I want to target the HFS+ file system in Mac OS X. How could I read sector 2 of the boot disk? As far as I know Unix only provides system calls to read from files, which are never stored at that location.

Does this require either 1) the program to run kernel mode, or 2) the program to be written in Assembly? I would prefer to avoid either of these restrictions, particularly the latter.

Answer 1

I've done this myself on the Mac, see my disk editor tool: http://apps.tempel.org/iBored

You'd open the drive using the /dev/diskN or /dev/rdiskN (N is a disk index number starting from 0). Then you can use lseek (make sure to use the 64 bit range version!) and read/write calls on the opened file.

Also, use the shell command "ls /dev/disk*" to see which drives exist currently. And note that the drives also exist with a "sM" extension where M is the partition number. That way, could can also read partitions directly.

Or, you could just use the shell tool "xxd" or "dd" to read data and then use their output. Might be easier.

You'll not be able to read your root disk and other internal disks unless you run as root, though. You may be able to access other drives as long as they were mounted by the user, or have their permissions disabled. But you may also need to unmount the drive's volumes first. Look for the unmount command in the shell command "diskutil".

Hope this helps.

Update 2017: On OS X 10.11 and later SIP may also prevent you from directly accessing the disk sectors.