“Hacking” into MacBook Pro to Recover files

It’s quite often to receive requests for fixing and reinstalling computers from private clients which I’ll decline almost every time. This case was different, as the task was actually interesting. Clients problem was having blue screen right after the booting of the Mac:

Meaning it’s impossible to access any files on the computer, without removing hard drive (and thus, voiding warranty). I had done several tests before with Windows to access filesystem without any kind of authentication requirements, had never tried that on OS X… yet.

So, lets begin with the setup:

The Image has to be written to the flash, with the support of EFI. When done, insert the Flash in to the MacBook and turn it on while holding the Option key at the same time. This is what you should get in successful case scenario:

So, choose the EFI Boot and you’ll be in a wonderland looking like this:

Choose Failsafe (strong errors prevention) option from the menu and wait a moment till the system boots.

If you get into a graphical view of the MacBook, well congratulations – you’re luckier than me. For me, the joyride ended at this point:

At this point you’ll need key combination of Function (Fn) + Ctrl + Option + F2. To get into the terminal.

Next commands would be as follows:

  1. sudo su root
  2. fdisk -l

Getting the output of something like this:

So you can see the available partitions on the computer. Obviously, the interesting one is /dev/sda2, also known as Apple Core Storage.

So again, lets do commands as follows:

  1. fsck.hfsplus -f /dev/sda2
  2. mount -t hfsplus -o force,rw /dev/sda2 /mnt

And for my particular case, that was pretty much it.

You can see all of the folders and basis of the OS X at the bottom. In order to move the files out of the computer, all you need to do is connect an External HDD, mount it pretty much the same way you just did this one and just cp -r all of the files (for me it took around 40 minutes to finish).