About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve » Developers Workshop


Now a few words on looking for things. When you go looking for something specific, your chances of finding it are very bad. Because of all the things in the world you're only looking for one of them. When you go looking for anything at all your chances of finding it are very good. Because of all the things in the world you're sure to find some of them.
 - Daryl Zero

Get It

Try It

Q. What exactly have you done?
A. We've uncovered HFS+ Private Data.

Q. What's that?
A. That's the secret stash of hard linked files on an HFS disk.

Q. Why's that important?
A. Why is climbing Mount Everest important?

Q. It's never been done before?
A. Sure. Apple do it all the time. They hide files in there all the time. And occasionally punters see the files when they copy and paste from disk to disk. But no one's found a way to methodically programmatically access the stash outside of Apple. Not that we know. It's one of the last secrets on the system.

Q. You've been researching this a long time?
A. Not really. On and off interest. It's like the Zero Effect. If you look for one thing then in all the world you can only find one thing. But if you go poking about you're bound to find a few things. We found this.

Q. It was by accident?
A. Somewhat. We were digging inside directories, trying to get lower and lower - and then this turned up.

Q. So what's this tool GDE?
A. It's a sort of file manager. More a file browser. You can look and see things like never before and change a few things and interact with most any program but you are not going to use it to copy, delete, move, or rename files. You use a file manager for that.

Q. Such as Xfile?
A. Yes. Preferably.

Q. Do GDE and Xfile work together?
A. All the ACP applications work together. There's no more to it than that. GDE can produce all file information, information on the current mount, take and give drags and so forth. You can use it to start Xscan, initialise an Xfind window, change the current working directory of Xfile, open new Xscan and Xfile windows, open any of your apps in the dock, etc. You can also drag/export any listing to a text editor. You can toggle between UTF-8 display and 'raw' display.

Q. And you can get into HFS+ Private Data?
A. Yes. Surprisingly enough. Everything is done to keep it out of reach. It has Finder flags so it's positioned way out there - window coordinates 21,000 x 21,000 or some sort of wacky thing like that. It's owned by 501:501 - whoever the current user is in other words - but it's marked with a mode of 0000 - no read, no write, no entry.

Q. So you can't get in?
A. Yes of course we can. As it's owned by 501 we can reset the mode. For example to 0700. Which is good enough. Then it's just to double-click and you're in.

Q. What's in there?
A. Heaps! One thousand one hundred sixty one files last we checked on one machine.

Q. What are the files doing there?
A. They're banished. They have a different mojo because they're hard linked. They never return.

Q. What do you mean they never return?
A. As soon as any ordinary file is hard linked it gets moved to this secret location. There are no facilities for ever moving it back again even if the hard links should some day disappear.

Q. So HFS+ Private Data has hard links?
A. No. HFS+ Private Data has the actual files. Even though they appear to be in your file system they're not there. They've a pointer into HFS+ Private Data and that's where they are. The file system HFS takes care of all that invisibly.

Q. So why is HFS+ Private Data used?
A. Because hard links are endemically incompatible with HFS. HFS can't handle them. By putting a caveat in the system they're able to get around all that. Sort of. It can never be a replacement for compatible file systems. You can access hard links fine from the command line but not from within NSDocumentController. If you try you're told you can't save the files.

Q. This happens even if you have permissions to write to the file?
A. Yes of course. HFS/Apple can't deal with hard links. So they stop you.

Q. But if you unlink the hard links again?
A. Doesn't help. Files banished to HFS+ Private Data never return.

Q. So what do you do?
A. You either do nothing or you copy the file and then delete the original. Then the file that was in HFS+ Private Data will finally be gone. Not right away but sooner or later. First it gets renamed with the 'temp' prefix and keeps the same inode number. Then after a boot it's gone completely.

Q. Why do Apple persist with such a strange file system?
A. Good question. They've tried to downplay the incompatibilities all along. But they're there. And now we can see them. They change the name and the method to hide the secret stash now and again. The method we now use to uncover it should work on all future attempts by Apple. Sooner or later the inconsistencies come out and when that happens we'll be there.

Q. So this is big?
A. This is big.

See Also
GDE: Peekaboo
GDE Screenshots
Getting Around HFS+ Private Data

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.