fsdb - File system debugger
/usr/sbin/fsdb [options] special
Display usage Override some error conditions Set prompt to
string Open for write
Since fsdb reads the disk raw, it is able to circumvent
normal file system security. Extreme caution is advised
in determining its availability on the system. Suggested
permissions are 500, owned by bin.
You must root to use this command.
The fsdb command can be used to repair a damaged file system
after a crash. It has conversions to translate block
and i-numbers into their corresponding disk addresses.
Also included are mnemonic offsets to access different
parts of an inode. These greatly simplify the process of
correcting control block entries or descending the file
The fsdb command contains several error-checking routines
to verify inode and block addresses. These can be disabled
if necessary by invoking fsdb with the -o option.
The fsdb command reads a block at a time and works with
raw as well as block I/O. A buffer management routine is
used to retain commonly used blocks of data in order to
reduce the number of read system calls. All assignment
operations result in an immediate write-through of the
corresponding block. Note that in order to modify any portion
of the disk, fsdb must be invoked with the -w option.
Wherever possible, adb-like syntax was adopted to promote
the use of fsdb through familiarity.
Numbers are considered hexadecimal by default. However,
you have control over how data is to be displayed or
accepted. The base command displays or sets the input/output
base. Once set, all input will default to this base
and all output will be shown in this base. The base can be
overridden temporarily for input by preceding hexadecimal
numbers with '0x', preceding decimal numbers with '0t', or
octal numbers with '0'. Hexadecimal numbers beginning with
a-f or A-F must be preceded with '0x' to distinguish them
Disk addressing by fsdb is at the byte level. However,
fsdb offers many commands to convert a desired inode,
directory entry, block, superblock etc. to a byte address.
Once the address has been calculated, fsdb will record the
result in dot.
Several global values are maintained by fsdb: The current
base (referred to as base); the current address (referred
to as dot); the current inode (referred to as inode); the
current count (referred to as count); and the current type
(referred to as type). Most commands use the preset value
of dot in their execution. For example: > 2:inode
will first set the value of dot to 2, ':' will alert the
start of a command, and the inode command will set inode
to 2. A count is specified after a ','. Once set, count
will remain at this value until a new command is encountered
which will then reset the value back to 1 (the
default). So, if > 2000,400/X
is typed, 400 hex longs are listed from 2000, and when
completed, the value of dot will be 2000 + 400 * sizeof
(long). If you press the Return key, the output routine
uses the current values of dot, count, and type and displays
400 more hex longs. An asterisk (*) causes the
entire block to be displayed.
End of fragment, block and file are maintained by fsdb.
When displaying data as fragments or blocks, an error message
is displayed when the end of fragment or block is
reached. When displaying data using the db, ib, directory,
or file commands, an error message is displayed if the end
of file is reached. This is mainly needed to avoid passing
the end of a directory or file and getting unknown and
An example showing several commands and the use of Return
follows: > 2:ino; 0:dir?d
or > 2:ino; 0:db:block?d
The two examples are synonymous for getting to the first
directory entry of the root of the file system. Once
there, subsequent use of the Return key ( or +, -)
advances to subsequent entries. The following display is
again synonymous: > 2:inode; :ls /
or > :ls /
displays 2010 in decimal (use of fsdb as a calculator for
complex arithmetic). displays i-number 386 in an inode
format. This now becomes the current inode. changes the
link count for the current inode to 4. increments the
link count by 1. displays the creation time as a hexadecimal
long. displays the modification time in time format.
displays, in ASCII, block zero of the file associated with
the current inode. displays the first blocks worth of
directory entries for the root inode of this file system.
It will stop prematurely if the eof is reached. changes
the current inode to that associated with the 5th directory
entry (numbered from zero) of the current inode. The
first logical block of the file is then displayed in
ASCII. displays the superblock of this file system. displays
cylinder group information and summary for cylinder
group 1. changes the i-number for the seventh directory
slot in the root directory to 3. changes the name field
in the directory slot to name. displays the third block
of the current inode as directory entries. gets fragment
3c3 and fill 20 type elements with 0x20. sets the contents
of address 2050 to 0xffffffff. 0xffffffff may be
truncated depending on the current type. places the ASCII
for the string at 1c92434.
Expressions [Toc] [Back]
The symbols recognized by fsdb are: update the value of
dot by the current value of type and display using the
current value of count. numeric expressions may be composed
of +, -, *, and % operators (evaluated left to
right) and may use parentheses. Once evaluated, the value
of dot is updated. count indicator. The global value of
count will be updated to count. The value of count remains
until a new command is run. A count specifier of '*' will
attempt to show the information of a block. The default
for count is 1. display in structured style with format
specifier f. display in unstructured style with format
specifier f. the value of dot. increment the value of
dot by the expression e. The amount actually incremented
is dependent on the size of type: dot = dot + e * sizeof
The default for e is 1. decrement the value of dot
by the expression e (see +). multiply the value of
dot by the expression e. Multiplication and division
do not use type. In the above calculation of
dot, consider the size of (type) to be 1. divide
the value of dot by the expression e (see *).
restore an address saved in register name. name
must be a single letter or digit. save an address
in register name. name must be a single letter or
digit. display indicator. If f is a legitimate
format specifier, then the value of dot is displayed
using format specifier f. Otherwise, assignment
is assumed. assignment indicator. The
address pointed to by dot has its contents changed
to the value of the expression e or to the ASCII
representation of the quoted (" ") string s. This
may be useful for changing directory names or ASCII
file information. incremental assignment. The
address pointed to by dot has its contents incremented
by expression e. decremental assignment.
The address pointed to by dot has its contents
decremented by expression e.
Commands [Toc] [Back]
A command must be prefixed by a ':' character. Only enough
letters of the command to uniquely distinguish it are
needed. Multiple commands may be entered on one line by
separating them by a space, tab or ';'.
In order to view a potentially unmounted disk in a reasonable
manner, fsdb offers the cd, pwd, ls, and find commands.
The functionality of these commands substantially
matches those of its UNIX counterparts. The '*', '?', and
'[-]' wild card characters are available. display or set
base. As stated above, all input and output is governed
by the current base. If the '=b' is left off, the current
base is displayed. Otherwise, the current base is set to
b. Note that this is interpreted using the old value of
base, so to ensure correctness use the '0', '0t', or '0x'
prefix when changing the base. The default for base is
hexadecimal. convert the value of dot to a block address.
change the current directory to directory dir. The current
values of inode and dot are also updated. If no dir
is specified, then change directories to inode 2 ("/").
convert the value of dot to a cylinder group. If the current
inode is a directory, then the value of dot is converted
to a directory slot offset in that directory and
dot now points to this entry. the value of dot is taken
as a relative block count from the beginning of the file.
The value of dot is updated to the first byte of this
block. find files by name or i-number. find recursively
searches directory dir and below for filenames whose inumber
matches i or whose name matches pattern n. Note
that only one of the two options (-name or -inum) may be
used at one time. Also, the -print is not needed or
accepted. fill an area of disk with pattern p. The area
of disk is delimited by dot and count. convert the value
of dot to a fragment address. The only difference between
the fragment command and the block command is the amount
that is able to be displayed. convert the value of dot to
an inode address. If successful, the current value of
inode will be updated as well as the value of dot. As a
convenient shorthand, if ':inode' appears at the beginning
of the line, the value of dot is set to the current inode
and that inode is displayed in inode format. list directories
or files. If no file is specified, the current
directory is assumed. Either or both of the options may be
used (but, if used, must be specified before the filename
specifiers). Also, as stated above, wild card characters
are available and multiple arguments may be given. The
long listing shows only the i-number and the name; use the
inode command with '?i' to get more information. toggle
the value of override. Some error conditions may be overridden
if override is toggled on. change the fsdb prompt
to p. p must be surrounded by (")s. display the current
working directory. quit fsdb. the value of dot is taken
as a cylinder group number and then converted to the
address of the superblock in that cylinder group. As a
shorthand, ':sb' at the beginning of a line will set the
value of dot to the superblock and display it in
superblock format. escape to shell
Inode Commands [Toc] [Back]
In addition to the above commands, there are several commands
that deal with inode fields and operate directly on
the current inode (they still require the ':'). They may
be used to more easily display or change the particular
The value of dot is only used by the ':db' and ':db' commands.
Upon completion of the command, the value of dot is
changed to point to that particular field. For example,
would increment the link count of the current inode and
set the value of dot to the address of the link count
field. access time. block size. creation time. use the
current value of dot as a direct block index, where direct
blocks number from 0 - 11. In order to display the block
itself, you need to 'pipe' this result into the block or
fragment command. For example, >1:db:block,20/X
would get the contents of data block field 1 from
the inode and convert it to a block address. 20
longs are then displayed in hexadecimal (see Formatted
Output section). group id. use the current
value of dot as an indirect block index where indirect
blocks number from 0 - 2. This will only get
the indirect block itself (the block containing the
pointers to the actual blocks). Use the file command
and start at block 12 to get to the actual
blocks. link count. modification time. mode.
major device number. minor device number.
although listed here, this command actually
operates on the directory name field. Once poised
at the desired directory entry (using the directory
command), this command will allow you to change or
display the directory name. For example, >
will get the 7th directory entry of the current
inode and change its name to foo. Note that names
cannot be made larger than the field is set up for.
If an attempt is made, the string is truncated to
fit and a warning message to this effect is displayed.
file size. user id.
Formatted Output [Toc] [Back]
There are two styles and many format types. The two styles
are structured and unstructured. Structured output is used
to display inodes, directories, superblocks and the like.
Unstructured just displays raw data. The following table
shows the different ways of displaying: Format specifier,
followed by one of: display as cylinder groups display as
inodes display as directories display as superblocks Format
specifier, followed by one of: display as bytes display
as characters display as octal shorts or longs display
as decimal shorts or longs display as hexadecimal
shorts or longs
The format specifier immediately follows the '/' or '?'
character. The values displayed by '/b' and all '?' formats
are displayed in the current base. Also, type is
appropriately updated upon completion.
Specifies the command path
[ Back ]