macOS – Why Can’t I dd an Entire APFS Disk?

apfsdisk-utilityhard drivemacospartition

I've received a new Mac that has come preconfigured with lots of junk.

Naturally, my first order of business is to wipe the disk and clean install macOS. But first, I want to create a bit-perfect, bootable clone of the disk (which is formatted APFS Encrypted) and keep it on a flash drive, in the unlikely event that I ever need to boot into the original environment.

I tried to create this clone by booting the machine into Recovery mode, attaching a flash drive of the exact same capacity as the disk and running dd if=/dev/rdisk0 of=/dev/rdiskX bs=64k. I expected this to create an exact clone, especially reading at a raw level via /dev/rdisk. However, the resulting drive is not only unbootable, but none of the APFS structure is preserved – I'm left with an FDisk_partition_scheme partition type and a 0xEE volume.

Nothing in this answer proved useful in making this bootable.

More than "how can I do this," I'm wondering "why can't I do this."

Why doesn't dd perform the low-level, bit-by-bit replication that I'm looking for? Or, is it doing what I'm telling it to, but there's another factor at play that I'm not aware of?

Best Answer

I am going to go out on a limb and assume the OP's new Mac has a boot drive with a 4096 byte sector size and the flash drive has a 512 byte sector size. Using the dd command (as the OP has described) would result in a flash drive, where the Master Boot Record (MBR) partition table could be read, because this occurs in the same place regardless of sector size. This would be the first sector (also known as sector 0). However, the GUID Partition Table (GPT) starts at the beginning of the second sector (also known as sector 1). The second sector on the Mac boot drive has a byte offset of 4096. When you used the dd command, the GPT would be placed starting at byte offset 4096, but the actual location should have been at byte offset 512. The result is documented in the OP's question.

BTW, the same type of problem would occur with the backup (also known as the secondary) of the GPT stored at the end of the flash drive. Although, it would seem unlikely that Mac boot drive and the flash drive have exactly the same total size in bytes. I assume this is what the OP meant by the use of the phrase "a flash drive of the exact same capacity as the disk".

Related Solutions

Disk Utility vs Carbon Copy Cloner – How to clone your drive with Apple’s built-in app

DiskUtility is pretty bare-bones when it comes to duplication. You can use it to create a clone, but you have to kick it off manually, and that's about the limit of its features.

Both CCC and SuperDuper have a pretty similar feature set, which includes a lot of features required for convenient backups, like:

Scheduling
Filtering files
Support for bootable volumes
Scripting before and after the run (do something more custom)
Mount/unmount the drives so they don't normally appear on your desktop
Smart copying - only copies changes, not the whole drive. This makes it much quicker.
Block-copy of the drive - available in certain cases. Identical copy, not file based.

Under the covers both are very much like (or perhaps implement) rsync. This is a free command-line tool included with OS X which you can use to duplicate drives. But, requires you to use the command line and learn the options. Not all that obvious or intuitive, but works very well.

Anyway, to answer the question:

Be aware - this will wipe the target drive

Find the target drive you want in Disk Utility
Click onto the Restore tab
Drag the source drive over to where it says Source (drive you're backing up)
Drag the Target drive to Destination (drive you're writing the backup TO).
- THIS DRIVE GETS WIPED
Click Restore

As you can see, for each back-up, you have to do it all manually. With CCC, and other tools, you can schedule it to happen when you're away, as often as you want. eg. every night at 2am. You can also have multiple backups of different data to different place. eg. Whole drive weekly, and your important docs nightly.

MacOS – Hard drive no longer accessible

I suspect Windows` chkdsk or another Microsoft tool to erroneously repairing the partition table of your device containing the EXFAT volume.

The result of sudo gpt -r -vv show /dev/disk2 of my 4 TB device created in a VM and formatted with Disk Utility in comparison looks like this:

gpt -r -vv show /dev/disk2
gpt show: /dev/disk2: mediasize=4000655081472; sectorsize=512; blocks=7813779456
gpt show: /dev/disk2: PMBR at sector 0
gpt show: /dev/disk2: Pri GPT at sector 1
gpt show: /dev/disk2: Sec GPT at sector 7813779455
       start        size  index  contents
           0           1         PMBR
           1           1         Pri GPT header
           2          32         Pri GPT table
          34           6         
          40      409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
      409640        2008         
      411648  7813365760      2  GPT part - EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
  7813777408        2015         
  7813779423          32         Sec GPT table
  7813779455           1         Sec GPT header

(Please consider that the mediasize, the blocks and some other values are different to yours, because i use a slightly smaller example disk here.)

The differences to your finding are obvious: the first partition of your disk isn't aligned properly to the 4096 byte sector size and is smaller. The second partition starts too early and is probably too big.

You probably have to fix both partition. This will only work if you partitioned the drive with Disk Utility in Mac OS X.

Preparation:

Backup your Mac and then detach all external drives.
Download and install wxHexEditor. Enable the root user and log-in as root.

Hint: While working with wxHexEditor don't use copy and paste. Enter everything manually! You might accidentally write directly to your disk.

Where does the EXFAT partition start and end?

First you have to determine the starting block of your EXFAT volume:

Open Terminal and enter diskutil list. Get the Identifier of the disk to repair.
Open Calculator. Open wxHexEditor. Check that you work in read-only mode ("Options" -> "File mode" -> "Read only"). In the menubar go to "Devices" -> "Open disk device" -> choose the appropriate diskNumber.
Hit the search button (marked with the red circle in the picture below) and enter EXFAT (exactly like in the picture). Please try to arrange the wxHexEditor window like in the examples below with straight red lines.
My EXFAT entry (see picture below) is at offset 210763776. Now you can calculate the start block of the volume with: OffsetBytes/512 = NewStartBlockEXFAT. The start block in my example is 411648.

If you get a significantly smaller starting block (=<409639) stop here, because you probably didn't partition your disk with Disk Utility previously.
The ending block of the EXFAT volume can't be determined easily; we have to guess it (somehow). The problem is the variable gap between partition 2 and the second GPT table. In your case it has 1679 blocks, in my example it has 2015 blocks.
- Method 1 (maximal size in the "unallocated space" between the block containing the EXFAT string and the second GPT table):
  The maximal volume size is StartBlock2ndGPT-NewStartBlockEXFAT. The size has to be dividable through 8. Reduce the size until you get a size dividable through 8. Example: In my case the maximal size would be 7813779423 (StartBlock2ndGPT) - 411648 (StartBlockEXFAT) = 7813367775 (which isn't dividable through 8). The biggest size dividable through 8 is 7813367768.
- Method 2 (minimum size containing all occupied blocks between the block containing the EXFAT string and the second GPT table):
  You might jump to sector 7814037135 (the first block of your secondary GPT table) with the arrow button (the second button left of the search button) and search backwards and match case disabled with "Find some bytes" to get the last occupied sector. This may take a while. Make a note of your finding (if you have one in a reasonable timeframe). Divide the offset through 512 to get the sector number. The sector number should be smaller than 7814037135. Now calculate the provisional minimal size of your volume: StartBlockEXFAT+1-LastOccupiedSector. The result must be dividable through 8. To get size add blocks until the size is dividable through 8.
  You may stop the process after 5 minutes without result because then the last occupied block number is probably smaller than 7807917625 assuming the process searches 10 MByte/s (the last ~3 GB of your disk). Use Method 1 then.
Both results probably lead to a wrong size of the EXFAT volume, but this should be repairable. It's more important to get the proper start block. Additionally method 2 may deliver incorrect results if the disk has been completely filled with data previously using a different partition layout and hasn't been zero-filled afterwards.

Restoring the "old" GPT

Here i assume the identifier of the disk containing the EXFAT volume is disk0.

First you have to unmount the disk
```
diskutil umountDisk disk0
```

Check the partition layout, then remove the two partitions:

gpt -r -vv show /dev/disk0

gpt remove -i 2 disk0
gpt remove -i 1 disk0

Since the (Apple-)EFI usually has a fixed size we can easily add it with:

gpt add -b 40 -i 1 -s 409600 -t C12A7328-F81F-11D2-BA4B-00A0C93EC93B disk0

With the start block of the EXFAT partition and Size (the volume size found with Method 1 or 2 above) we can also add it:
```
gpt add -b NewStartBlockEXFAT -i 2 -s Size -t EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 disk0
```
Remount disk0 with:
```
diskutil mountDisk disk0
```
Quit Terminal, Calculator and wxHexEdit and open Disk Utility.
Check your EXFAT volume for errors.

If you run into problems (e.g you can't find the proper EXFAT volume size), have doubts or questions immediately stop and contact me with a comment @klanomath!

Best Answer

Related Solutions

Disk Utility vs Carbon Copy Cloner – How to clone your drive with Apple’s built-in app

MacOS – Hard drive no longer accessible

Related Question