Dismantling the Kernel

You can skip this step if your initramfs is a separate cpio archive already. Otherwise, you'll have to get the built-in cpio archive out of the kernel image. To do that, you have to dismantle it, which isn't easy, since the kernel image is a combination of boot sector and compressed archive itself. It also depends on the compression you are using for your kernel and for your initramfs. For simplicity, this example assumes bzip2 - however, the principle is the same for other compression methods.

First, you have to search for the compression signature in the kernel image. For bzip2, this is BZh. For gzip, you can use $'\x1F\x8B\x08'. You can also use app-misc/binwalk to find offsets of compression signatures in files.

grep -a -b --only-matching BZh bzImage

For me, this prints 12888:BZh, so the offset is 12888 bytes. Now you can extract the kernel image:

dd if=bzImage bs=1 skip=12888 | bunzip2 > Image

Now, you have the uncompressed kernel image. Somewhere within this image resides the compressed initramfs archive, so just iterate the previous process to find it.

grep -a -b --only-matching BZh Image

For me, this prints 171424:BZh, so the offset is 171424 bytes this time. Now you can extract the initramfs cpio archive:

dd if=Image bs=1 skip=171424 | bunzip2 > initramfs.cpio

If you want to verify that you actually got a cpio archive from that, use file:

file initramfs.cpio

Extracting the cpio archive

If your initramfs cpio archive was a separate file, you have to uncompress it first.

gunzip initramfs.cpio.gz

To extract the uncompressed initramfs.cpio, you can do so with the following command. Please note that this overwrites files in the directory you're currently in:

cpio -i -d -H newc --no-absolute-filenames < initramfs.cpio

With this, you should have successfully recovered your initramfs structure.