<p>Recovery boot encrypted macOS Sierra. Stephan Rickauer, 2017-01-30 (Stephan Rickauer's Hacking Lab; tags: MacOS, Sierra).</p>
<p>While playing with <code>ulimit</code>, <code>launchd</code> and friends I've recently shot myself in the foot. But since it's Unix I did this very efficiently. You might know this old quote from Terry Lambert:</p>
<blockquote><p>
It is not UNIX’s job to stop you from shooting your foot. If you so
choose to do so, then it is UNIX’s job to deliver Mr. Bullet to Mr. Foot
in the most efficient way it knows.</p></blockquote>
<p>So I ended up with a system that wouldn't finish booting because I've successfully changed 'maxfiles' to ... zero - actually preventing the operating system from opening any files. And thus having a hard time doing anything useful. Including being able to revert my most intelligent change ...</p>
<p>The usual way of undoing this unwanted change is to boot off some rescue system, mount the file system in question and <code>vi</code> into that file. The challenging part (for me) was to do this on a Mac with an encrypted root partition, instead of OpenBSD or Linux. To be honest, I am not much of a macOS hacker so all you read below is basically a list of successful Google searches.</p>
<h3>Step 1: Recovery mode</h3>
<p>To get into a console / terminal you need to boot into recovery mode first. Press COMMAND-R until the Apple logo appears. From the menu you can now run the Terminal.</p>
<h3>Step 2: Find the UUID of your encrypted volume</h3>
<p>Issuing the command <code>diskutil cs list</code> will show you all CoreStorage volumes present. The Logical Volume in question is the last one, nested under Logical Volume Group =&gt; Logical Volume Family =&gt; Logical Volume. Note that each entry has a so-called UUID.</p>
<h3>Step 3: Unlock / Mount drive</h3>
<p>The last volume in the hierarchy shown is the one you'll be wanting to mount. Issue the command <code>diskutil coreStorage unlockVolume &lt;UUID&gt;</code> where UUID is the previously mentioned ID of your encrypted disk. This will prompt you for the decryption password, unlock and mount the drive.</p>
<h3>Step 4: Edit / Remove relevant files</h3>
<p>You'll now be able to access your root file system. You may want to issue <code>mount</code> in order to see under which directory it has been mounted. Fix it, reboot and you're done.</p>
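<p>Steps 2 and 3 as a script, added here as an example and not part of the original post: it picks the Logical Volume UUID (not the Group or Family UUID) out of <code>diskutil cs list</code> output and passes it to <code>unlockVolume</code>. The sample output and its UUIDs are constructed, and <code>--live</code> is a hypothetical switch of this script.</p>

```shell
#!/bin/sh
# Added example: select the Logical Volume UUID from `diskutil cs list` output.

# Constructed, abridged sample of `diskutil cs list` output (UUIDs are made up).
sample_cs_list() {
cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-1111-4111-8111-111111111111
    =========================================================
    Name:         Macintosh HD
    |
    +-< Physical Volume 22222222-2222-4222-8222-222222222222
    |   ----------------------------------------------------
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family 33333333-3333-4333-8333-333333333333
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 44444444-4444-4444-8444-444444444444
            ---------------------------------------------------
            LV Name:               Macintosh HD
EOF
}

# Print the UUID of the last "Logical Volume" entry read from stdin. The Group
# and Family lines have a different field count, so they are never picked.
# Exits non-zero when no Logical Volume is listed.
last_lv_uuid() {
    awk '$1 == "+->" && $2 == "Logical" && $3 == "Volume" && NF == 4 &&
         length($4) == 36 && $4 ~ /^[0-9A-Fa-f-]+$/ { uuid = $4 }
         END { if (uuid == "") exit 1; print uuid }'
}

# "--live" (hypothetical switch of this script) runs against the real disk in
# the Recovery Terminal; without it the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    uuid=$(diskutil cs list | last_lv_uuid) || {
        echo "no CoreStorage Logical Volume found" >&2; exit 1; }
    diskutil coreStorage unlockVolume "$uuid"   # prompts for the passphrase
    mount                                        # shows where it was mounted
else
    echo "would run: diskutil coreStorage unlockVolume $(sample_cs_list | last_lv_uuid)"
fi
```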
<p>I was glad to learn that this SOP would also work under macOS. Some kind of a Unix, at last.</p>