SATA drive FAT recover

Applications Hardware
1

I had ACER aspiron one netbook with dual bootable (Windows XP and Debian). Recently I found XP is messy and Debian has new version published. I plan to recover XP and install new version of Debian. But I failed to recover XP from Hidden Partition.

I thought it is because I install GRUB in the harddrive which make the hidden partition not bootable. I hope I can remove the part. I remember I did this before using DOS command "fdisk /mbr", but I couldn't find fdisk any more. I want to see if there exist LINUX command equivalent to DOS command "fdisk /mbr". Terrible thing happens...

There exist one webpage talk about

dd if=/dev/sda of=/root/backup.bin count=1 bs=512
dd if=/dev/zero of=/dev/sda count=1 bs=512

I did so since I thought the first command is backup. But, but, the second command erase FAT. So that the machine can't find my /root folder in LINUX. Actually no partitions can be found in my hard drive!

Is there any way I can get FAT back? Or only solution is, ignore all data in the drive and install OS again?

Thanks in advance of any suggestions.

2

First three rules of data recovery are:

  1. Stop writing to the drive until you've found your data.
  2. No, really -- stop writing to it.
  3. Use these pliers on the fingers of those who would overwrite anything before they've found your data.

I have no idea if your data even still exists at this point, and would need shell access and a hex editor to find out. fdisk -l in a Linux recovery cd might be a good start, it'll show what your partition table is right now.

3

Thank you for your information.

Currently I just leave the netbook alone. I hope I can somehow find solution before I format the whole disk.

I have a bootable USB flash memory with GRUB such that I could boot the netbook in Windows, Debian. Now each part just tell me that the partition doesn't exist. It should be, because the Table of primary partitions are all zero now. I hope there exists one way such that I can get /root/backup.bin file from the disk and recover the Table of primary partitions...

4

You might be able to roughly find the beginning of the partition by looking for FAT32 in a hex editor. Compare how that looks to a real working FAT32 partition on a flashdrive or something to make it more precise. How to find the end I'm less sure, and how to translate that into a working partition layout, I'm also less sure, but fdisk -u may help as that will help you get it working in sectors instead of cylinders... I don't suppose you know what fdisk -l should show?

5

Corona688, Thank you for quick response.

Currently I just have grub with command grub>. Maybe I can make USB flush with base linux to run the command fdisk -l /dev/sda. But I believe the result should be the disk is not partitioned yet since the Table of primary partitions are all zeroes now...

I just read Wikipedia about MBR: http at en.wikipedia.org wiki Master_boot_record
and dd(UNIX): (sorry I can't post URL now, it should be wiki/Dd_(Unix))

6

You need a rescue CD of some sort to do anything.

7

You are absolutely right.

When I bought this netbook, there didn't exist rescue CD, but the first primary partition is Hidden recovery disk. I had erased the secondary primary partition (which is original C: drive), create a smaller secondary partition (new C: drive) and third partition as extended partition...

8

You've rendered your system unbootable, you need some sort of boot CD. Gentoo, Knoppix, DSL, it doesn't matter so much what but you have to boot something because your boot sector was wiped hence cannot boot.

10

Thank you for all your information.

Today I have time to generate KNOPPIX usb flash based linux system. I boot the system using the flash based KNOPPIX linux. I use the command to scan the whole disk (160G) for backup.img file:

grep -i -a -B10 -a100 'backup.img' /dev/sda > sdc1/myRecovertFile.txt

I am now waiting for the result. If I am luck, I may find the backup.img file and recover the FAT for /dev/sda... Crossing my finger...

After several minutes, the command stop with info:

grep: /dev/sda: Cannot allocate memory

and generate binary file myRecoveryFile.txt with size 500303...

11

That's not how grep works... or how FAT works, for that matter... The name and the contents are never in the same place.

You'd be better off looking for the string "FAT16" or "FAT32" in the drive with a hex editor. That'll help you find where the FAT partition begins.

---------- Post updated at 11:36 PM ---------- Previous update was at 11:30 PM ----------

Here's what my FAT32 USB drive looks like:

$ sudo dd if=/dev/sdc | hexdump -C | head -n 40
00000000  fa be 00 7c bf 00 7a b9  00 01 fc 0e 1f 0e 07 f3  |...|..z.........|
00000010  a5 ea 16 7a 00 00 bb be  7b 33 c9 80 3f 80 75 06  |...z....{3..?.u.|
00000020  fe c5 8b f3 eb 07 80 3f  00 75 02 fe c1 83 c3 10  |.......?.u......|
00000030  81 fb fe 7b 72 e5 83 f9  04 74 0b 81 f9 03 01 74  |...{r....t.....t|
00000040  0a bb a5 7a eb 2c bb 87  7a eb 27 8b 4c 02 8b 14  |...z.,..z.'.L...|
00000050  b8 01 02 bb 00 7c cd 13  73 05 bb bc 7a eb 13 2e  |.....|..s...z...|
00000060  a1 fe 7d 3d 55 aa 74 05  bb bc 7a eb 05 ea 00 7c  |..}=U.t...z....||
00000070  00 00 2e 8a 07 3c 00 74  0c 53 bb 07 00 b4 0e cd  |.....<.t.S......|
00000080  10 5b 43 eb ed eb fe 4e  6f 20 62 6f 6f 74 61 62  |.[C....No bootab|
00000090  6c 65 20 70 61 72 74 69  74 6f 6e 20 69 6e 20 74  |le partiton in t|
000000a0  61 62 6c 65 00 49 6e 76  61 6c 69 64 20 50 61 72  |able.Invalid Par|
000000b0  74 69 74 6f 6e 20 74 61  62 6c 65 00 49 6e 76 61  |titon table.Inva|
000000c0  6c 69 64 20 6f 72 20 64  61 6d 61 67 65 64 20 42  |lid or damaged B|
000000d0  6f 6f 74 61 62 6c 65 20  70 61 72 74 69 74 69 6f  |ootable partitio|
000000e0  6e 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |n...............|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 00 00 00 00  f4 f1 10 f0 00 00 00 01  |................|
000001c0  0c 0f 0c 04 e0 a0 80 1f  00 00 80 40 ef 00 00 00  |...........@....|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000210  55 53 42 20 54 65 73 74  65 72 20 32 30 30 38 2d  |USB Tester 2008-|
00000220  31 30 2d 33 30 20 31 2e  30 30 20 35 62 00 00 00  |10-30 1.00 5b...|
00000230  32 30 30 38 2f 31 31 2f  32 35 00 00 00 00 00 00  |2008/11/25......|
00000240  31 32 3a 33 33 3a 34 37  00 00 00 00 00 00 00 00  |12:33:47........|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
003f0000  eb 58 90 29 5e 76 56 4b  49 48 43 00 02 08 90 08  |.X.)^vVKIHC.....|
003f0010  02 00 00 00 00 f8 00 00  20 00 10 00 80 1f 00 00  |........ .......|
003f0020  80 40 ef 00 b8 3b 00 00  00 00 00 00 02 00 00 00  |.@...;..........|
003f0030  01 00 08 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
003f0040  00 01 29 53 6a af d5 20  20 20 20 20 20 20 20 20  |..)Sj..         |
003f0050  20 20 46 41 54 33 32 20  20 20 fa 33 c9 8e d1 bc  |  FAT32   .3....|
003f0060  f8 7b 8e c1 bd 78 00 c5  76 00 1e 56 16 55 bf 22  |.{...x..v..V.U."|
003f0070  05 89 7e 00 89 4e 02 b1  0b fc f3 a4 8e d9 bd 00  |..~..N..........|
003f0080  7c c6 45 fe 0f 8b 46 18  88 45 f9 38 4e 40 7d 25  ||.E...F..E.8N@}%|
003f0090  8b c1 99 bb 00 07 e8 97  00 72 1a 83 eb 3a 66 a1  |.........r...:f.|
003f00a0  1c 7c 66 3b 07 8a 57 fc  75 06 80 ca 02 88 56 02  |.|f;..W.u.....V.|
$ sudo dd if=/dev/sdc1 | hexdump -C | head
00000000  eb 58 90 29 5e 76 56 4b  49 48 43 00 02 08 90 08  |.X.)^vVKIHC.....|
00000010  02 00 00 00 00 f8 00 00  20 00 10 00 80 1f 00 00  |........ .......|
00000020  80 40 ef 00 b8 3b 00 00  00 00 00 00 02 00 00 00  |.@...;..........|
00000030  01 00 08 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 01 29 53 6a af d5 20  20 20 20 20 20 20 20 20  |..)Sj..         |
00000050  20 20 46 41 54 33 32 20  20 20 fa 33 c9 8e d1 bc  |  FAT32   .3....|
00000060  f8 7b 8e c1 bd 78 00 c5  76 00 1e 56 16 55 bf 22  |.{...x..v..V.U."|
00000070  05 89 7e 00 89 4e 02 b1  0b fc f3 a4 8e d9 bd 00  |..~..N..........|
00000080  7c c6 45 fe 0f 8b 46 18  88 45 f9 38 4e 40 7d 25  ||.E...F..E.8N@}%|
00000090  8b c1 99 bb 00 07 e8 97  00 72 1a 83 eb 3a 66 a1  |.........r...:f.|

...so you can see my FAT32 partition begins at offset 003f0000. The partition table this translates to:

$ sudo /sbin/fdisk -ul /dev/sdc

Disk /dev/sdc: 8032 MB, 8032092160 bytes
5 heads, 32 sectors/track, 98048 cylinders, total 15687680 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xf010f1f4

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            8064    15687679     7839808    c  W95 FAT32 (LBA)
$

---------- Post updated at 11:37 PM ---------- Previous update was at 11:36 PM ----------

That start number is related:

$ printf "%x\n" $((8064*512))
3f0000
$ echo "$((0x3f0000/512))
8064
$

---------- Post updated at 11:49 PM ---------- Previous update was at 11:37 PM ----------

Then, if you know the offset of your vfat partition you can (as a special -o loop trick) mount part of a disk, letting you get at it without altering your partition table!

$ mount -t vfat -o loop,ro,offset=$((0x3f0000)) /dev/sdc /mnt/gentoo
ls /mnt/gentoo
BOOTEX.LOG                                montg.iaf
...
$
12

Thank you for your example. It looks there exist chance that I can find the backup.img file content if I understand the file storage methodology...

The file was stored in ext3 partition of /dev/sda. Even the FAT lost, I remember that, the first primary partition is ACER hidden recovery partition, the second primary partition is the C: drive, about 20G. The third partition is extention partition with several logical partitions. I remember I have NTFS data drive about 80G, NTFS paging partition about 10G, linux root partition about 10G, swap about 1G, one data partition for vmware, and one data partition for my personal data. The backup.img file should be under the root partition...

---------- Post updated at 11:01 PM ---------- Previous update was at 10:50 PM ----------

First, the output of

fdisk -l /dev/sda

is

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512  = 8225280 bytes

Disk /dev/sda doesn't contain a valid partition table

The last line is what I expect...

13

Gnnngh, that makes it a lot harder. There's no easy string to hunt for for ext3. I've compared dumps of three ext3 partitions and they have nearly nothing in common.

---------- Post updated at 12:55 AM ---------- Previous update was at 12:16 AM ----------

There's still the shotgun approach though. Try every possible partition starting location (cylinder). There's only a few thousand. But I can't figure out how to translate cylinders into sectors; there seems to be no rational pattern. It certainly doesn't seem to follow the 16065 units it illustrates when you list with fdisk -ul so I don't know how to generate them in a loop to try with that mount command. Maybe someone here does?

1 Like
14

I just found that, the GNU software TestDisk may help me to find partitions. And it was said belong to KNOPPIX linux distribution. I will try it tonight...

---------- Post updated at 10:41 PM ---------- Previous update was at 03:39 PM ----------

Log of using testdisk

  1. reboot system using KNOPPIX.
  2. link NTFS lib:
ln -s /usr/lib/libntfs.so.10.0.0 /usr/lib/libntfs.so.9
  1. run testdisk
testdisk /dev/sda
  1. Choose the disk, [Proceed]
  2. Choose [Intel ]
  3. Choose [Analyse ]
Partition sector doesn't have the endmark 0xAA55

which is expected...
7. choose [Proceed ]
8. Less than 3 second, TestDisk found my all partitions (not include extended partition, but include all logical partition). Hit ENTER.
9. Choose [Write ]
10. Hit [Y].
11. Choose [OK].
12. Choose [Quit ], and [Quit ].
13. reboot system.

15

:b:

I'll have to remember that tool.

16

Corona688,

Your information is always helpful.

Something helpful with data problem. Don't give up in several days. This time, I got recovered in one month. Discuss with expert like Corona688 :-). The period of solving problem is the best time to learn new technique...

17

That's flattering but for all my effort I didn't actually solve your problem, you did it by yourself :o