Hi, David Christensen wrote: > # cmp --verbose debian-11.3.0-amd64-netinst.iso /dev/sdb
I got my copy from https://get.debian.org/images/archive/11.3.0/amd64/iso-cd/debian-11.3.0-amd64-netinst.iso SHA256 matches: 7892981e1da216e79fb3a1536ce5ebab157afdd20048fe458f2ae34fbc26c19b In a further mail: > https://cdimage.debian.org/cdimage/archive/11.3.0/amd64/iso-cd/ Same SHA256 there. > 2083201 0 377 Byte counting of cmp is decimal and starts at 1. xorriso can search for files which have their data in a block range. 2083201 / 2048 = block 1017. Range size in this case is just 1 block: $ xorriso -indev debian-11.3.0-amd64-netinst.iso -find / -lba_range 1017 1 -exec report_lba -- ... Report layout: xt , Startlba , Blocks , Filesize , ISO image path File data lba: 0 , 1016 , 1296 , 2654208 , '/boot/grub/efi.img' So it's indeed occupied by the FAT filesystem image which contains the EFI-specific boot equipment. > 4719105 0 56 Byte 4719105 is in block 2304, i.e. still in /boot/grub/efi.img, which has bytes up to the end of block 2311. I guess the bytes with the 2xxxxxx numbers are the directory change and the 4xxxxxx numbers are content of new files. You could mount both ISOs (e.g. at /mnt/iso1 and /mnt/iso2) and then the two FAT image files (e.g. /mnt/iso1/boot/grub/efi.img and /mnt/iso2/boot/grub/efi.img) in order to learn which files have emerged or changed in the USB stick's mounted FAT filesystem. Maybe we find a new ESP groper additionaly to Lenovo and Microsoft. Usually they leave traces for which one can search in the web. Have a nice day :) Thomas
