About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve » Developers Workshop

GDE Screenshots

Research is an art - not a science - because anyone who knows what they're doing can find the crumbs, the wheres, whats, and whos. The art is in the whys: the ability to read between the crumbs, not to mix metaphors. For every event there is a cause and effect; for every crime, a motive; and for every motive, a passion. The art of research is the ability to look at the details and see the passion.
 - Daryl Zero

Get It

Try It

If not revolutionary then it's highly interesting. But it's revolutionary.

Here's GDE starting up - in /Applications. It looks innocent enough.

This is easy enough to decipher. They're the official names of the fields returned in the directory search. d_ino is the inode (or CNID as the case may be on HFS volumes); d_reclen is the total length of the directory entry record; d_type is the item's type; d_namlen is the length of the item's name; and d_name is the name itself.

The names (d_name) are always zero terminated so d_namlen is somewhat redundant; alignment seems to be on doubleword boundaries; and the possible values for d_type are easy enough to figure out as well: in the above listing they're all directories.

Time to scoot up.

You're now in root - and notice GDE is telling you three items are cloaked. Two of the items are visible at the top: .journal and .journal_info_block. Note both are marked as DT_REG ('regular') and both have an inode of '0' (zero) indicating the items are slated for deletion. Actually they're not - this is just how the system is fooling with the system.

There's a third cloaked item but it has to be scrolled into view.

It's at the bottom. You can also see how other file types are marked. DT_LNK of course stands for 'symlink'. But the interesting one's at the bottom. That's Apple's secret stash of files they can't handle. If you pull up the info sheet you'll see a curious thing or two.

First, the mode is set to zero: no entering, no writing, no reading. Second, there are 1,161 files in there! And they're only files, not directories: hard links aren't allowed on directories. And they're all unique as shall be seen. The links to them are in the file system itself.

It's time to enter.

The number of items has grown (by three). All file names above seem to start with 'iNode' but there's more at the bottom of this long list.

'temp' items seem to be gone and ready for cleanup: they disappear on a boot. Note as well the inodes (d_ino) always match the numbers in the names. Those inodes are directly translatable to files in the 'real system'.

If you go with your terminal to your root directory and then into /.vol you'll see a subdirectory there. Its name is a number that's machine specific. Enter the directory, then pick an inode at random from GDE's list.

$ open -a TMI 2916

It's the file test in /bin. And sure enough it's double linked - with '['. Except your system can't see that. All it can see is one of the names. It can't see both because it can't conceive of the possibility there'd be more than one name (or path) to a file.

$ ls -ailoT [ test
2916 -r-xr-xr-x   2 root  wheel  - 38176 Aug 20 00:52:37 2006 [
2916 -r-xr-xr-x   2 root  wheel  - 38176 Aug 20 00:52:37 2006 test

And that's why iNode2916 lives in \342\220\200\342\220\200\342\220\200\342\220\200HFS+ Private Data.

You can get in there from Terminal.app too but it's a bit difficult without GDE.

$ cd /\342\220\200\342\220\200\342\220\200\342\220\200HFS+\ Private\ Data
$ ls -ailoT
total 28624
     16 drwx------   1161 rixstep   rixstep  -  39474 Feb  1 02:19:14 2007 .
      2 drwxrwxr-t     28 root      admin    -   1054 Sep  3 10:17:06 2007 ..
  11279 -r-xr-xr-x      2 root      wheel    -  30204 Aug 20 00:51:28 2006 iNode11279
  11293 -rwxr-xr-x      2 root      wheel    - 358228 Oct 17 07:02:00 2006 iNode11293
   2916 -r-xr-xr-x      2 root      wheel    -  38176 Aug 20 00:52:37 2006 iNode2916

Anyway: it's time to get out. You don't want to go messing with this stuff in here. Double click on '..' near the top of the list, reset the mode of \342\220\200\342\220\200\342\220\200\342\220\200HFS+ Private Data to '0000' - and skedaddle.

See Also
GDE: Peekaboo
Getting Around HFS+ Private Data

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.