Macbook Air Capture Fail
-
@Sebastian-Roth
I apologize because I’ve been having to do all this remotely which means I’m relying on the onsite man to do what I say and relay the correct info and I think something was misunderstood/miscommunicated the last time around. After going through the steps with him again, he was able to mount without an issue the dmesg came up clean:[ 26.552219] IPv6: ADDRCONF(NETDEV_UP): ens9: link is not ready [ 26.718968] IPv6: ADDRCONF(NETDEV_UP): ens9: link is not ready [ 28.265629] tg3 0000:0a:00.0 ens9: Link is up at 100 Mbps, full duplex [ 28.265630] tg3 0000:0a:00.0 ens9: Flow control is off for TX and off for RX [ 28.265631] tg3 0000:0a:00.0 ens9: EEE is disabled [ 28.265657] IPv6: ADDRCONF(NETDEV_CHANGE): ens9: link becomes ready [ 35.767864] Bluetooth: RFCOMM TTY layer initialized [ 35.767871] Bluetooth: RFCOMM socket layer initialized [ 35.767875] Bluetooth: RFCOMM ver 1.11 [ 246.250685] aufs may_rename_srcdir:453:appstreamcli[2980]: renaming dir who has child(ren) on multiple branches, is not supported
I immediately had him shutdown and scheduled a new capture and same results
Just weird in my opinion.
-
@SlimJim Ok, I think we need to tackle this straight ahead and get more information from partclone.
Please schedule a debug capture task for this client and boot it up. When you get to the shell, run the following commands:mount -t nfs -o nolock ip.of.fog.srv:/images/dev /mnt/ partclone.hfsplus -d2 -N -L /mnt/partclone.log -c -s /dev/sda2 -o /mnt/sda2.img umount /mnt
You should have a
partclone.log
in the/images/dev
directory of your FOG server now. Please upload the full log here.Just so I don’t forget: Here is a log with shows a similar issue - forum post.
-
@Sebastian-Roth Here you go:
root@HAR-FOG-01:/images/dev# cat partclone.log Using Ncurses User Interface mode. Partclone v0.2.89 http://partclone.org Starting to clone device (/dev/sda2) to image (/mnt/sda2.img) UID is root. source=/dev/sda2, target=/mnt/sda2.img open source file/device /dev/sda2 open target file/device /mnt/sda2.img Initial image hdr - get Super Block from partition Reading Super Block hfsplusclone.c: blockSize:4096 hfsplusclone.c: totalBlocks:29379602 hfsplusclone.c: freeBlocks:24969607 hfsplusclone.c: logicalSize: 0x10380000000000 hfsplusclone.c: clumpSize: 3674112 hfsplusclone.c: totalBlocks: 897 hfsplusclone.c: exten 0 startBlock: 3867215 hfsplusclone.c: exten 0 blockCount: 897 hfsplusclone.c: exten 1 startBlock: 0 hfsplusclone.c: exten 1 blockCount: 0 hfsplusclone.c: exten 2 startBlock: 0 hfsplusclone.c: exten 2 blockCount: 0 hfsplusclone.c: exten 3 startBlock: 0 hfsplusclone.c: exten 3 blockCount: 0 hfsplusclone.c: exten 4 startBlock: 0 hfsplusclone.c: exten 4 blockCount: 0 hfsplusclone.c: exten 5 startBlock: 0 hfsplusclone.c: exten 5 blockCount: 0 hfsplusclone.c: exten 6 startBlock: 0 hfsplusclone.c: exten 6 blockCount: 0 hfsplusclone.c: exten 7 startBlock: 0 hfsplusclone.c: exten 7 blockCount: 0 hfsplusclone.c: logicalSize: 0x500000000000 hfsplusclone.c: clumpSize: 7340032 hfsplusclone.c: totalBlocks: 1280 hfsplusclone.c: exten 0 startBlock: 2193 hfsplusclone.c: exten 0 blockCount: 1280 hfsplusclone.c: exten 1 startBlock: 0 hfsplusclone.c: exten 1 blockCount: 0 hfsplusclone.c: exten 2 startBlock: 0 hfsplusclone.c: exten 2 blockCount: 0 hfsplusclone.c: exten 3 startBlock: 0 hfsplusclone.c: exten 3 blockCount: 0 hfsplusclone.c: exten 4 startBlock: 0 hfsplusclone.c: exten 4 blockCount: 0 hfsplusclone.c: exten 5 startBlock: 0 hfsplusclone.c: exten 5 blockCount: 0 hfsplusclone.c: exten 6 startBlock: 0 hfsplusclone.c: exten 6 blockCount: 0 hfsplusclone.c: exten 7 startBlock: 0 hfsplusclone.c: exten 7 blockCount: 0 hfsplusclone.c: logicalSize: 0x1000000000 hfsplusclone.c: clumpSize: 77594624 hfsplusclone.c: totalBlocks: 65536 hfsplusclone.c: exten 0 startBlock: 183697 hfsplusclone.c: exten 0 blockCount: 8192 hfsplusclone.c: exten 1 startBlock: 538885 hfsplusclone.c: exten 1 blockCount: 8192 hfsplusclone.c: exten 2 startBlock: 727429 hfsplusclone.c: exten 2 blockCount: 8192 hfsplusclone.c: exten 3 startBlock: 1933295 hfsplusclone.c: exten 3 blockCount: 8192 hfsplusclone.c: exten 4 startBlock: 2430382 hfsplusclone.c: exten 4 blockCount: 8192 hfsplusclone.c: exten 5 startBlock: 2994540 hfsplusclone.c: exten 5 blockCount: 8192 hfsplusclone.c: exten 6 startBlock: 3311900 hfsplusclone.c: exten 6 blockCount: 8192 hfsplusclone.c: exten 7 startBlock: 3747860 hfsplusclone.c: exten 7 blockCount: 8192 hfsplusclone.c: logicalSize: 0x1000000000 hfsplusclone.c: clumpSize: 116391936 hfsplusclone.c: totalBlocks: 65536 hfsplusclone.c: exten 0 startBlock: 3473 hfsplusclone.c: exten 0 blockCount: 16384 hfsplusclone.c: exten 1 startBlock: 2016988 hfsplusclone.c: exten 1 blockCount: 16384 hfsplusclone.c: exten 2 startBlock: 2938511 hfsplusclone.c: exten 2 blockCount: 16384 hfsplusclone.c: exten 3 startBlock: 3290318 hfsplusclone.c: exten 3 blockCount: 16384 hfsplusclone.c: exten 4 startBlock: 0 hfsplusclone.c: exten 4 blockCount: 0 hfsplusclone.c: exten 5 startBlock: 0 hfsplusclone.c: exten 5 blockCount: 0 hfsplusclone.c: exten 6 startBlock: 0 hfsplusclone.c: exten 6 blockCount: 0 hfsplusclone.c: exten 7 startBlock: 0 hfsplusclone.c: exten 7 blockCount: 0 hfsplusclone.c: logicalSize: 0 hfsplusclone.c: clumpSize: 0 hfsplusclone.c: totalBlocks: 0 hfsplusclone.c: exten 0 startBlock: 0 hfsplusclone.c: exten 0 blockCount: 0 hfsplusclone.c: exten 1 startBlock: 0 hfsplusclone.c: exten 1 blockCount: 0 hfsplusclone.c: exten 2 startBlock: 0 hfsplusclone.c: exten 2 blockCount: 0 hfsplusclone.c: exten 3 startBlock: 0 hfsplusclone.c: exten 3 blockCount: 0 hfsplusclone.c: exten 4 startBlock: 0 hfsplusclone.c: exten 4 blockCount: 0 hfsplusclone.c: exten 5 startBlock: 0 hfsplusclone.c: exten 5 blockCount: 0 hfsplusclone.c: exten 6 startBlock: 0 hfsplusclone.c: exten 6 blockCount: 0 hfsplusclone.c: exten 7 startBlock: 0 hfsplusclone.c: exten 7 blockCount: 0 we need memory: 3680716 bytes image head 4160, bitmap 3672456, crc 4100 bytes initial main bitmap pointer 0x842440 Initial image hdr - read bitmap table Calculating bitmap... Please wait... hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 0 hfsplusclone.c: allocation_exten = 0 hfsplusclone.c: allocation_start_block = 2955210752 hfsplusclone.c: allocation_block_size = 3674112 hfsplusclone.c: next exten hfsplusclone.c: extent_bitmap:12332496 hfsplusclone.c: bfree:16320096 hfsplusclone.c: bused:13059506 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 1 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 2 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 3 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 4 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 5 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 6 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 7 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: bitmap count error, used:13059506, mbitmap:4409995
-
Just adding another to see if the 2 are consistent errors:
root@HAR-FOG-01:/images/dev# cat partclone.log Using Ncurses User Interface mode. Partclone v0.2.89 http://partclone.org Starting to clone device (/dev/sda2) to image (/mnt/sda2.img) UID is root. source=/dev/sda2, target=/mnt/sda2.img open source file/device /dev/sda2 open target file/device /mnt/sda2.img Initial image hdr - get Super Block from partition Reading Super Block hfsplusclone.c: blockSize:4096 hfsplusclone.c: totalBlocks:29379602 hfsplusclone.c: freeBlocks:24953979 hfsplusclone.c: logicalSize: 0x10380000000000 hfsplusclone.c: clumpSize: 3674112 hfsplusclone.c: totalBlocks: 897 hfsplusclone.c: exten 0 startBlock: 3867215 hfsplusclone.c: exten 0 blockCount: 897 hfsplusclone.c: exten 1 startBlock: 0 hfsplusclone.c: exten 1 blockCount: 0 hfsplusclone.c: exten 2 startBlock: 0 hfsplusclone.c: exten 2 blockCount: 0 hfsplusclone.c: exten 3 startBlock: 0 hfsplusclone.c: exten 3 blockCount: 0 hfsplusclone.c: exten 4 startBlock: 0 hfsplusclone.c: exten 4 blockCount: 0 hfsplusclone.c: exten 5 startBlock: 0 hfsplusclone.c: exten 5 blockCount: 0 hfsplusclone.c: exten 6 startBlock: 0 hfsplusclone.c: exten 6 blockCount: 0 hfsplusclone.c: exten 7 startBlock: 0 hfsplusclone.c: exten 7 blockCount: 0 hfsplusclone.c: logicalSize: 0x500000000000 hfsplusclone.c: clumpSize: 7340032 hfsplusclone.c: totalBlocks: 1280 hfsplusclone.c: exten 0 startBlock: 2193 hfsplusclone.c: exten 0 blockCount: 1280 hfsplusclone.c: exten 1 startBlock: 0 hfsplusclone.c: exten 1 blockCount: 0 hfsplusclone.c: exten 2 startBlock: 0 hfsplusclone.c: exten 2 blockCount: 0 hfsplusclone.c: exten 3 startBlock: 0 hfsplusclone.c: exten 3 blockCount: 0 hfsplusclone.c: exten 4 startBlock: 0 hfsplusclone.c: exten 4 blockCount: 0 hfsplusclone.c: exten 5 startBlock: 0 hfsplusclone.c: exten 5 blockCount: 0 hfsplusclone.c: exten 6 startBlock: 0 hfsplusclone.c: exten 6 blockCount: 0 hfsplusclone.c: exten 7 startBlock: 0 hfsplusclone.c: exten 7 blockCount: 0 hfsplusclone.c: logicalSize: 0x1000000000 hfsplusclone.c: clumpSize: 77594624 hfsplusclone.c: totalBlocks: 65536 hfsplusclone.c: exten 0 startBlock: 183697 hfsplusclone.c: exten 0 blockCount: 8192 hfsplusclone.c: exten 1 startBlock: 538885 hfsplusclone.c: exten 1 blockCount: 8192 hfsplusclone.c: exten 2 startBlock: 727429 hfsplusclone.c: exten 2 blockCount: 8192 hfsplusclone.c: exten 3 startBlock: 1933295 hfsplusclone.c: exten 3 blockCount: 8192 hfsplusclone.c: exten 4 startBlock: 2430382 hfsplusclone.c: exten 4 blockCount: 8192 hfsplusclone.c: exten 5 startBlock: 2994540 hfsplusclone.c: exten 5 blockCount: 8192 hfsplusclone.c: exten 6 startBlock: 3311900 hfsplusclone.c: exten 6 blockCount: 8192 hfsplusclone.c: exten 7 startBlock: 3747860 hfsplusclone.c: exten 7 blockCount: 8192 hfsplusclone.c: logicalSize: 0x1000000000 hfsplusclone.c: clumpSize: 116391936 hfsplusclone.c: totalBlocks: 65536 hfsplusclone.c: exten 0 startBlock: 3473 hfsplusclone.c: exten 0 blockCount: 16384 hfsplusclone.c: exten 1 startBlock: 2016988 hfsplusclone.c: exten 1 blockCount: 16384 hfsplusclone.c: exten 2 startBlock: 2938511 hfsplusclone.c: exten 2 blockCount: 16384 hfsplusclone.c: exten 3 startBlock: 3290318 hfsplusclone.c: exten 3 blockCount: 16384 hfsplusclone.c: exten 4 startBlock: 0 hfsplusclone.c: exten 4 blockCount: 0 hfsplusclone.c: exten 5 startBlock: 0 hfsplusclone.c: exten 5 blockCount: 0 hfsplusclone.c: exten 6 startBlock: 0 hfsplusclone.c: exten 6 blockCount: 0 hfsplusclone.c: exten 7 startBlock: 0 hfsplusclone.c: exten 7 blockCount: 0 hfsplusclone.c: logicalSize: 0 hfsplusclone.c: clumpSize: 0 hfsplusclone.c: totalBlocks: 0 hfsplusclone.c: exten 0 startBlock: 0 hfsplusclone.c: exten 0 blockCount: 0 hfsplusclone.c: exten 1 startBlock: 0 hfsplusclone.c: exten 1 blockCount: 0 hfsplusclone.c: exten 2 startBlock: 0 hfsplusclone.c: exten 2 blockCount: 0 hfsplusclone.c: exten 3 startBlock: 0 hfsplusclone.c: exten 3 blockCount: 0 hfsplusclone.c: exten 4 startBlock: 0 hfsplusclone.c: exten 4 blockCount: 0 hfsplusclone.c: exten 5 startBlock: 0 hfsplusclone.c: exten 5 blockCount: 0 hfsplusclone.c: exten 6 startBlock: 0 hfsplusclone.c: exten 6 blockCount: 0 hfsplusclone.c: exten 7 startBlock: 0 hfsplusclone.c: exten 7 blockCount: 0 we need memory: 3680716 bytes image head 4160, bitmap 3672456, crc 4100 bytes initial main bitmap pointer 0x842440 Initial image hdr - read bitmap table Calculating bitmap... Please wait... hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 0 hfsplusclone.c: allocation_exten = 0 hfsplusclone.c: allocation_start_block = 2955210752 hfsplusclone.c: allocation_block_size = 3674112 hfsplusclone.c: next exten hfsplusclone.c: extent_bitmap:12332496 hfsplusclone.c: bfree:16320096 hfsplusclone.c: bused:13059506 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 1 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 2 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 3 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 4 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 5 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 6 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: tb = 29379602 hfsplusclone.c: extent_block = 29379602 hfsplusclone.c: allocation_exten = 7 hfsplusclone.c: allocation_start_block = 0 hfsplusclone.c: allocation_block_size = 0 hfsplusclone.c: bitmap count error, used:13059506, mbitmap:4425623
-
So here is the diff of those two just in case this might help at some point:
diff 01.txt 02.txt 13c13 < hfsplusclone.c: freeBlocks:24969607 --- > hfsplusclone.c: freeBlocks:24953979 157c157 < hfsplusclone.c: bitmap count error, used:13059506, mbitmap:4409995 --- > hfsplusclone.c: bitmap count error, used:13059506, mbitmap:4425623
Not identical but pretty close.
-
@sebastian-roth Sebastian, have you had a chance to look at the logs or is there any other info I can get you that may help? I’m actually going to have a man onsite today, but will not have anyone there tomorrow.
Thanks in Advance,
James
-
@SlimJim I started to compare the logs (as well with my successful imaging from a HPF+ partition I formated using the linux hfsutils) but haven’t found anything in particular yet. I am still trying to understand exactly what partclone is doing when calculating the bitmap by reading the code and HFS+ specs. Won’t be a quick win I am afraid.
Could you get me a dump of the volume header of that client’s disk? Boot it up into a debug capture task, plug in a USB stick and run the following commands:
mkdir /usb mount /dev/sdb1 /usb dd if=/dev/sda2 of=/usb/volheader_sda2 bs=4096 count=1 gzip /usb/volheader_sda2 umount /usb
Please upload that file (volheader_sda2.gz) to your google drive/dropbox/etc. and post a link here.
Note to myself: http://sysforensics.org/2016/09/mac-dfir-hfs-filesystem-volume-header/ and http://dubeiko.com/development/FileSystems/HFSPLUS/tn1150.html
-
@sebastian-roth Trying to get my onsite guy to get this info for you now, I’ll post when I have it.
-
@sebastian-roth I’m sorry for the delay, haven’t been in the office for a few days, but got the requested info and uploaded here https://drive.google.com/file/d/0B3UbxG_W0mD9UFo3TFdyMDNfRjg/view?usp=sharing
Please let me know if there is anything else you find or require.
Thanks in Advance,
James
-
@SlimJim Ok, here is what I’ve found so far. The values for total blocks in the hfs_header image file (29288960) don’t really match the values in the log files (29379602). As I don’t fully understand HFS+ yet I am not sure what that means. Maybe the header was taken from a different disk/partition?
Understanding the HFS+ header is actually not too hard with the documentation from the links I posted earlier. So I was able to kind of replicate the issue by saving the header data of my test system (using dd), changing the used blocks value in that header data image (using hexedit) and writing it back to disk. After that I got the same error message saying “hfsplusclone.c: bitmap count error…”.
Looking at the numbers of your logs again things start to make sense. The differences of the two log files I posted show that freeBlocks values differ exactly by the same amount as mbitmap values do (24969607 - 24953979 = 15628 = 4425623 - 4409995). From my understanding the freeBlocks value (which is used to calculate the usedBlocks/mbitmap value) in the HFS+ header looks like it’s being changed properly in the HFS header on disk.
What does that mean? I am not sure yet but I thing partclone finds some invalid allocation information on that partition and/or does the calculation wrong. I am going to look into the partclone code to learn more about how the maths is done. But it will take some more time I am afraid.
Do you have this issue on just one system (your master) or is this happening on several different machines?
-
@sebastian-roth This has happened on a the few that I’ve tested.
-
@slimjim After reading through the specs and source code again and again I think I might have found out what’s wrong - seems to be a simple integer overflow.
@Tom-Elliott The variable allocation_start_block is defined as
UInt32
(see here. This is fine as long as the allocation extend file is stored somewhere not that far from the beginning of the drive. But HFS+ allows to have it anywhere on disk really. In the examples posted it starts at block 3867215. Multiplied by blocksize 4096 it simply overflows theUInt32
and partclone finds wrong information.
Would you mind changing line 133 toUInt64 allocation_start_block;
and build fresh init’s that have the patched partclone included? I think that should fix the issue here. -
Init’s have been updated with the patch, as well as I fixed a compiling issue with partclone-0.2.89 in case anybody else was at all trying to build their own inits. (Sorry I fixed it manually once, and had forgotten that I had to do that. Found appropriate fix though and it is now a part of the source scripts for building the inits.)
Please give a try for them.
Init’s can be downloaded as:
wget -O /var/www/fog/service/ipxe/init.xz https://fogproject.org/inits/init.xz wget -O /var/www/fog/service/ipxe/init_32.xz https://fogproject.org/inits/init_32.xz
Hopefully it fixes the issue you were seeing.
-
If this works, I’ll push a pull request against partclone so future versions shouldn’t hit this problem.
@Sebastian-Roth thanks for taking the time to look this over and hopefully this is the solution. If I had to guess, this was just a simple oversite on Thomas Tsai’s part.
@SlimJim Thanks for the patience and understanding on this.
-
Any word?
-
I’m sorry guys, school started and things got a bit hectic and therefore, I was not able to use my onsite guys to test this yet, but I will be able today.
James
-
@tom-elliott @Sebastian-Roth AWESOME! Looks like that worked, capture completed successfully! As always you guys have been so helpful and patient, I really appreciate you guys taking the time to assist me in my times of need!!
James
-
@SlimJim You are welcome. Thanks to you too for patiently delivering information and waiting for results!
For now please keep those init files in place while using FOG 1.4.4. The fix will be in the next release!
-
I also sent a pull request the the official partclone developer so hopefully this will be fixed as well.
EDIT: Done… https://github.com/Thomas-Tsai/partclone/commit/c0629e1a8e73dbdd165d7ac102b8bc9f6f44dac7