goscuter1

Q: Can someone confirm the legitimacy of these "Unknown" restore images?

-bash-3.2# mount
/dev/disk3s3 on / (hfs, local, read-only)
devfs on /dev (devfs, local, nobrowse)
/dev/disk4 on /Volumes (hfs, local, union, nobrowse)
/dev/disk5 on /private/var/tmp (hfs, local, union, nobrowse)
/dev/disk6 on /private/var/run (hfs, local, union, nobrowse)
/dev/disk7 on /System/Installation (hfs, local, union, nobrowse)
/dev/disk8 on /private/var/db (hfs, local, union, nobrowse)
/dev/disk9 on /private/var/folders (hfs, local, union, nobrowse)
/dev/disk10 on /private/var/root/Library (hfs, local, union, nobrowse)
/dev/disk11 on /Library/ColorSync/Profiles/Displays (hfs, local, union, nobrowse)
/dev/disk12 on /Library/Preferences (hfs, local, union, nobrowse)
/dev/disk13 on /Library/Preferences/SystemConfiguration (hfs, local, union, nobrowse)
/dev/disk14 on /Library/Keychains (hfs, local, union, nobrowse)
/dev/disk0s2 on /Volumes/Untitled 1 (hfs, local, journaled)
/dev/disk1s3 on /Volumes/Image Volume (hfs, local, read-only, journaled)

-bash-3.2# diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Untitled 1              121.0 GB   disk0s2
   3:                 Apple_Boot                         134.2 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *15.7 GB    disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                  Apple_HFS meh                     14.9 GB    disk1s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk1s3
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     Apple_partition_scheme                        *1.4 GB     disk3
   1:        Apple_partition_map                         30.7 KB    disk3s1
   2:         Apple_Driver_ATAPI                         2.0 KB     disk3s2
   3:                  Apple_HFS Mac OS X Base System    1.4 GB     disk3s3
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *524.3 KB   disk4
/dev/disk5
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *524.3 KB   disk5
/dev/disk6
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *524.3 KB   disk6
/dev/disk7
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *524.3 KB   disk7
/dev/disk8
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *524.3 KB   disk8
/dev/disk9
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *6.3 MB     disk9
/dev/disk10
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *2.1 MB     disk10
/dev/disk11
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *1.0 MB     disk11
/dev/disk12
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *524.3 KB   disk12
/dev/disk13
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *524.3 KB   disk13
/dev/disk14
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                            untitled               *1.0 MB     disk14
/dev/disk15
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk15
   1:                        EFI                         209.7 MB   disk15s1
   2:          Apple_CoreStorage                         499.7 GB   disk15s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk15s3
-bash-3.2#

--------------------

Something is messed up here, because the system is partitioning the Boot volumes nonsensically.

But when I boot from the Recovery Partition or the Internet recovery process, these images all get loaded up every time. I have reason to believe they're dubious, although with this new Apple, it's so hard to know - it might just be incompetence. But some of these images are rw, some are read-only.

Some can be dismounted. Some are IMPOSSIBLE to dismount (cleanly or otherwise).

And if they're legitimate, Apple could really do with not being so sloppy / lazy. "untitled" isn't exactly what people pay 2x market prices for.

nb. disk0 is my Apple SSD. disk1 is my 16GB USB HD. Neither of which boot, obviously. disk15 is my Time Machine with 30 completed backups on it. I've tried all 30. Looks like we won't be booting into an OS today. The rest of the disks ostensibly belong to disk2, which I have reason to believe is highly suspect.

And not just because it's a 1.4GB image, which comes out of a 650MB Recovery partition.

MacBook Air, Mac OS X (10.7.2)

Posted on Nov 19, 2011 12:51 PM


  • by Linc Davis,

    Linc Davis, Nov 19, 2011 1:20 PM, in response to goscuter1
    Level 10 (207,926 points), Applications

    A new MBA can netboot from Apple's data center and install the Mac OS, even if the internal drive is completely wiped. If you have reason to suspect that your recovery partition has been tampered with, that's what you should do.

  • by Camelot,

    Camelot, Nov 19, 2011 7:38 PM, in response to goscuter1
    Level 8 (47,243 points), Mac OS X

    But when I boot from the Recovery Partition or the Internet recovery process, these images all get loaded up every time. I have reason to believe they're dubious

    What's the basis for your fears?

    That looks like a typical Recovery Boot setup. I suspect it's due to the fact the various recovery mount points are stored as compressed disk images and are uncompressed on mount (which is why you get 1.4GB of data out of a 650MB partition).

    In short, I'm not worried about it. Why do you think it's wrong?

  • by goscuter1,

    goscuter1, Nov 24, 2011 5:42 AM, in response to Linc Davis
    Level 1 (20 points)

    Linc Davis wrote:

    A new MBA can netboot from Apple's data center and install the Mac OS, even if the internal drive is completely wiped. If you have reason to suspect that your recovery partition has been tampered with, that's what you should do.

    Unfortunately, the OP mounts are the result of the process you advise above. I've tried so many times now. That's the image that comes down, which boots into the virtual drive to download the 4gb phase. I'm unsure what more I can say, as there are house rules I've learned about recently - which I must respect.

    It's strange. I'm usually the most respectful person in the room and I never lie, and yet I'm subject to endless sanction. Very peculiar.

    What's the basis for your fears?

    Apple frontline CS say it's not standard, which seems to be the general consensus - although I see variations of this question (different sets of images, however) posted on forums - no answers, obviously. I can't get an answer from anyone to what I think is an incredibly simple and valid query: Why would my MacBook Air and another identical Intel Macbook Air have different firmware, kernels, driver packages, extensions, etc?

    It seems almost overwhelmingly peculiar that the process wouldn't be close to identical for all Intel Macbook Air laptops.

    It all seems incredibly queer to me, but not nearly as strange as no one being interested in being drawn into a discussion about it. Thoughts?

    Aside from that, the basis for my concerns are:

    10 months destroyed, 17 systems destroyed, 6 figures USD handed to creeps who really only freak me out when they get queer about accepting more of it (I'm not passing counterfeit bills around, but you could be forgiven for thinking I was the way people hate money suddenly), surely ~10,000 questions I've asked now, a tiny handful of unverifiable answers (the unknowns and the workarounds are just too horrific to contemplate, frankly), 1000 supplied lies which is sad - they seem to think I'm their enemy, I wonder why.

    I don't know why I'm in this mess, honestly. Creeps don't exactly put their hand up and claim responsibility like in the News. But my gut says it's related to child exploitation. I started to write about it, and the backlash was...whoa. I was still reeling when my world came crashing down. Spent most of the year just trying to get online, but then I'm pretty dull in many ways. I've mostly been OD'ing on creepy discoveries since then.

    I'm happy to supply more specific information, but if I'm gonna get out of this mess, I'm gonna need a lot of help with UEFI - that's where all the unanswered questions start. Apple don't seem to know anything about it. Intel aren't concerned, but they are sympathetic. Not enough to give answers to direct questions or look at evidence of BIOS / EFI partition corruption / manipulation, just sympathetic enough to offer me refunds and to tell me not to worry. I wasn't worried, until then. I have hundreds of non-default images, drivers, unknowns, my RAM is a god-awful mess I think...ah it's all a huge mess in there (and you can probably surmise my level of 'expertise').

    Secure Boot? I'm going to be sick.

    And it's mostly write-protected, attempts to delete especially peculiar handles come up as "unsupported function" or similar so...not sure how it works from this point, does Apple have an escalated Support number? Cause I can't keep on calling their frontline and going around in circles when they don't know anything about UEFI or the system boot process.

  • by Samurai184,

    Samurai184, May 18, 2013 4:53 PM, in response to goscuter1
    Level 1 (0 points)

    Hey man, I feel your pain as I have been going through this same exact mess for 2 years now... Exact same symptoms to the letter... I have gone through 3 macbooks in 1.5 years.. I have posted to the forums to no avail... They are clueless man... My mac turns into a managed client.. What was the outcome for you finally? Have you been able to fix this... Any help or guidance would be greatly appreciated... Thinking of placing a suit against them..

    Thanks


  • by snarez,

    snarez, May 24, 2013 12:51 AM, in response to goscuter1
    Level 1 (0 points)

    Apple's customer service people know very little about the real inner workings of the OS and I'm not sure what you are expecting of them. You'd have to speak to one of their DTS or engineering support people (and pay) for someone who understands any of the detail of this.

    I am not an Apple staff member, but I do know quite a lot about the internals of the OS and firmware. I can confirm that those mounts you are seeing are part of a normal recovery boot. If you open up the BaseSystem.dmg on the recovery partition and look at /etc/rc.cdrom you'll see a section where it creates a bunch of RAM disks - these are virtual filesystems contained entirely in RAM that are basically used to make sure that a bunch of normal operating system services don't fail when they try to write to "disk" (e.g. for logging, etc). This is absolutely part of the normal recovery boot or boot from an install disk.

    I'm not saying that you do not have a reason to be concerned for your security, or that there are not other things going on with your machine, but those are most certainly normal mounts.
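A defender-side check that follows from snarez's explanation and from the OP's mount listing at the top of the thread, written here as an added example (it is not code from the thread, from Apple, or from rc.cdrom itself): it reads mount output and reports every union/nobrowse mount that is not one of the rc.cdrom RAM disks, so a reviewer can tell the expected recovery-boot mounts from anything that needs a closer look. The allow-list is an assumption taken from the OP's own listing, which the replies describe as normal; the /Library/Extensions line in the sample input is constructed for the demonstration and is not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: classify the mount
# table seen from a Recovery/Installer boot, separating the RAM disks that
# snarez attributes to /etc/rc.cdrom from anything else mounted the same way.
# Assumption: the allow-list below is the set of union/nobrowse mount points
# in the OP's own mount output, which the replies describe as normal; a
# system with a different rc.cdrom may legitimately differ, so compare the
# list against the script inside BaseSystem.dmg before relying on it.

EXPECTED_RAMDISKS='/Volumes
/private/var/tmp
/private/var/run
/System/Installation
/private/var/db
/private/var/folders
/private/var/root/Library
/Library/ColorSync/Profiles/Displays
/Library/Preferences
/Library/Preferences/SystemConfiguration
/Library/Keychains'

# Sample input: the OP's mount output, plus one constructed line
# (/dev/disk16 on /Library/Extensions) that is NOT from the thread and only
# shows how an out-of-list union mount appears in the report.
SAMPLE_MOUNT='/dev/disk3s3 on / (hfs, local, read-only)
devfs on /dev (devfs, local, nobrowse)
/dev/disk4 on /Volumes (hfs, local, union, nobrowse)
/dev/disk5 on /private/var/tmp (hfs, local, union, nobrowse)
/dev/disk6 on /private/var/run (hfs, local, union, nobrowse)
/dev/disk7 on /System/Installation (hfs, local, union, nobrowse)
/dev/disk8 on /private/var/db (hfs, local, union, nobrowse)
/dev/disk9 on /private/var/folders (hfs, local, union, nobrowse)
/dev/disk10 on /private/var/root/Library (hfs, local, union, nobrowse)
/dev/disk11 on /Library/ColorSync/Profiles/Displays (hfs, local, union, nobrowse)
/dev/disk12 on /Library/Preferences (hfs, local, union, nobrowse)
/dev/disk13 on /Library/Preferences/SystemConfiguration (hfs, local, union, nobrowse)
/dev/disk14 on /Library/Keychains (hfs, local, union, nobrowse)
/dev/disk16 on /Library/Extensions (hfs, local, union, nobrowse)
/dev/disk0s2 on /Volumes/Untitled 1 (hfs, local, journaled)
/dev/disk1s3 on /Volumes/Image Volume (hfs, local, read-only, journaled)'

# classify_mounts: reads mount output on stdin and prints one line per
# mount, "<class> <mountpoint>", where class is one of
#   base-system       the read-only root (Mac OS X Base System)
#   expected-ramdisk  a union/nobrowse mount on the rc.cdrom list
#   unexpected        a union/nobrowse mount NOT on the list: look closer
#   other             devfs, real disks, attached image volumes
classify_mounts() {
    while IFS= read -r line; do
        case "$line" in
            *" on "*) ;;
            *) continue ;;          # skip anything that is not a mount line
        esac
        rest=${line#* on }          # "<mountpoint> (<options>)"
        mp=${rest%" ("*}            # mount point; may contain spaces
        opts=${rest##*"("}          # "<options>)"
        opts=${opts%")"}
        if [ "$mp" = "/" ]; then
            printf 'base-system %s\n' "$mp"
        else
            case "$opts" in
                *union*)
                    if printf '%s\n' "$EXPECTED_RAMDISKS" | grep -qxF -- "$mp"; then
                        printf 'expected-ramdisk %s\n' "$mp"
                    else
                        printf 'unexpected %s\n' "$mp"
                    fi ;;
                *) printf 'other %s\n' "$mp" ;;
            esac
        fi
    done
}

# count_unexpected: number of out-of-list union mounts in the input, so a
# wrapper script can exit non-zero when the table deserves a look.
count_unexpected() {
    classify_mounts | grep -c '^unexpected ' || true
}

# Run against the embedded sample; in a live Recovery Terminal use:
#   mount | classify_mounts
printf '%s\n' "$SAMPLE_MOUNT" | classify_mounts
```

On the OP's real listing the report shows eleven expected-ramdisk lines, the base-system root and three other mounts, and nothing unexpected, which is the same conclusion snarez draws by reading rc.cdrom; the constructed /Library/Extensions entry is the only line the sample flags.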

  • by CreativeMachine,

    CreativeMachine, Jan 16, 2014 7:32 PM, in response to goscuter1
    Level 1 (10 points)

    Has anyone figured this out above.. and if it is only the basesystem ram disks let us know. Besides that

    I have had this same problem for 8 months. It has wrecked a 17" Macbook pro, an iMac, an iBook ( 6years old) Also, same thing happened to 2 brand new mac book pros I bought this month.

    First one I used wifi in another location to download all updates if necessary, and I put webroot on, and littlesnitch, but on a fairly reasonable mode.

    Anyway, it seems that any time, the computer gets attacked, watching it in the Console. It looks as though it is reaching out to a remote computer rather than calling in. I have many times copied the console code to paste here, to no avail. The computer usually crashes, by slowly not allowing me access to specific applications. Like text edit, then it blocks all apps. Till the point where you no longer have access to even your system preferences, because it asks for a password, or a SecurityAgent prompt shows up saying I don't have privileges. Even though 2 minutes before I did have privileges.

    So from hard drive, to hard drive, swapping out memory, and booting externally. Using brand new retail disks, it looks as though while installing, it calls out to another source for some files. I watch it happen time and time again, after reinstalling the OS, either OS 10.6 to Mavericks or back. I watch the install logs as they look to access remote account or local filesystems that are malicious. Reason I say that, is because after it is installed, it appears to be fine, but the audio is accessed, as well as the camera. Then if left alone, the OS seems to try audio facetiming people in intervals. Now I have gone as far as removing my bluetooth chip and my WiFi to see if this could stop it. Doesn't seem to do the trick. All I am left with is possibly an EFI rewrite of some sort. I have been dealing with this since July 26 2013 when my computer was accessed, apps were uploaded to it, and all my accounts were accessed and passwords changed. (My Fault) I had same passwords for a few years, I became too confident macs didn't get rootkits or malware.... jeez was I slapped in the face with a major reality check.

    Not sure what to do, I am a Senior Visual Designer that can't work from home. I can install ubuntu and it works great... just no adobe apps. Also I tried the refit efi boot maintenance, but have no clue what to do.

    Well if anyone knows something, greatly appreciated.

  • by I hearyouretards,

    I hearyouretards, May 2, 2014 1:23 AM, in response to CreativeMachine
    Level 1 (0 points)

    I have had all my electronics hijacked since 2008. My macbook pro has had the exact same occurrences as described in this thread, and ultimately the system locks me by turning me into a read~only user. The techs at apple cannot resolve my issues and the managers higher up flat out deny my claims and refuse to acknowledge them. I have come to realize that every operating system is purposefully nested with military protocols to ensure that they have control over the security rights of all electronics. By the time hackers find these specific weaknesses, a new version is released. You might consider the possibility that you have been targeted by national security. My own brother became an agent just to stalk me, and nobody believes what I know is true. If you find a solution to your problems please let me know. Davidofjerusalem@gmail.com

  • by SysBoris,

    SysBoris, Mar 30, 2016 10:32 PM, in response to I hearyouretards
    Level 1 (4 points)

    I had the same problem and I believe this was caused because a rootkit virus....

    I used the installation dvd to get into terminal, then I had to "force" unmount each of those partitions

    then I converted each of those partitions into MBR and MS-DOS type because the size of the partitions were so small that it would not take the JHFS+ format

    I am still not able to merge all those little partitions into a single bigger one

    Can anyone please tell me if there is another way to handle this problem?

    I called the apple support and not even the "senior" support guys were able to help me.

    please advise,

    best regards,

    sysboris