How to get the position of LUKS header by `bgrep`
I tried to get the position of LUKS header:
```
grep -a -b -P --only-matching 'LUKS\xba\xbe' /dev/sdb
```
It is out of memory.
Some suggest I use `bgrep` instead, but I don't know how to make it work.
```
bgrep -A 20 'LUKS\xba\xbe' /dev/sda
./bgrep: invalid 2-hex-digit byte value: 'LU'
```
So how to make this work?
grep luks
asked Mar 10 at 11:10
Maggicmuojet
1 Answer
`grep` tends to run out of memory since it reads until end-of-line, but in binary data there might not be an end-of-line for a long time. You could still use grep by grepping chunks of smaller-than-memory size, roughly:
```
# dd bs=1M iflag=fullblock if=/dev/sdb skip=X count=Y | grep ...
```
Rinse and repeat for all chunks. If you're not sure about whether the data will be aligned properly, make the chunks overlap some (next X=X+Y-1).
Alternatively, `strings` would probably avoid the running out of memory part (very long lines of printable ASCII are unlikely to appear). Then you have a list of offsets to check. These can be false matches since `strings` excludes the `\xba\xbe` part.
```
# strings -t d -n 4 /dev/sdb | grep 'LUKS$'
11534336 LUKS
23068672 LUKS
34603008 LUKS
# losetup --find --show --offset=23068672 /dev/sdb
/dev/loop9
# cryptsetup luksDump /dev/loop9
```
Tools like `testdisk` or `binwalk` (with a custom magic signature) might be able to locate LUKS headers more efficiently. But for a quick hack, `strings` usually works well enough.
edited Mar 15 at 18:21
answered Mar 10 at 11:47
frostschutz
No, `strings -t d -n 4 /dev/sdb | grep LUKS` lists too many items about LUKS, even more than the terminal window can contain; how can I make it print only the LUKS header for the LUKS partition?
– Maggicmuojet
Mar 11 at 7:52
@Maggicmuojet Not really possible with strings... Terminal window? Redirect output to a file, and script it. Otherwise, if you're sure about the cipher, you could also e.g. `grep -B 1 xts-plain` (for luks1 headers, for luks2 you want `strings -t d -n 100 | grep '"type":"luks2"'` and subtract 4096).
– frostschutz
Mar 11 at 9:24
`sudo grep -B 1 xts-plain /dev/sdb`
Then a message: `Binary file /dev/sdb matches`
– Maggicmuojet
Mar 12 at 12:42
Where to put /dev/sdb to `strings -t d -n 100 | grep '"type":"luks2"'`?
– Maggicmuojet
Mar 12 at 12:44
Is there anyone in, and anyone help?
– Maggicmuojet
Mar 14 at 5:55
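The chunk-with-overlap scan from the answer, scripted as an added example that is not part of the original thread: it reads in fixed-size chunks and carries the last few bytes over, so a header split across two reads is still found. It goes beyond the answer by keeping only hits whose big-endian 16-bit version field right after the magic is 1 or 2, as in the LUKS1/LUKS2 on-disk layout; `find_luks_headers` and `sample_image` are names made up here, and the image is constructed test data.

```python
import io
import struct

MAGIC = b"LUKS\xba\xbe"   # 6-byte magic that starts LUKS1 and LUKS2 headers
CHUNK = 1024 * 1024       # read size, same idea as dd bs=1M
NEED = len(MAGIC) + 2     # magic plus the 16-bit version field


def find_luks_headers(dev, chunk=CHUNK):
    """Yield (byte_offset, version) for each magic followed by version 1 or 2."""
    tail = b""            # last NEED-1 bytes of the previous read (the overlap)
    base = 0              # device offset of buf[0]
    while True:
        data = dev.read(chunk)
        if not data:
            break
        buf = tail + data
        pos = buf.find(MAGIC)
        # A hit too close to the end of buf stays in the tail and is
        # checked again once the next chunk has been appended.
        while pos != -1 and pos + NEED <= len(buf):
            (version,) = struct.unpack_from(">H", buf, pos + len(MAGIC))
            if version in (1, 2):
                yield base + pos, version
            pos = buf.find(MAGIC, pos + 1)
        tail = buf[-(NEED - 1):]
        base += len(buf) - len(tail)


def sample_image():
    """Constructed test image: two plausible headers and one false match."""
    img = bytearray(3 * 4096)
    img[1020:1028] = MAGIC + b"\x00\x01"   # LUKS1, split across a 1024-byte read
    img[4096:4104] = MAGIC + b"\x00\x02"   # LUKS2
    img[8192:8200] = MAGIC + b"ab"         # magic inside data, bogus version
    return bytes(img)


if __name__ == "__main__":
    # On a real disk (read-only, as root): open("/dev/sdb", "rb") instead.
    image = io.BytesIO(sample_image())
    for offset, version in find_luks_headers(image, chunk=1024):
        print(offset, f"LUKS{version}")
```

Each reported offset can then be handed to `losetup --offset=` and checked with `cryptsetup luksDump`, as in the answer.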