[opensuse] Partition Recovery? Is it even missing to begin with or just shifted?
All,
My son came in and said "There's a problem with my computer can you come
look?", so I asked him to tell me what the problem was, to which he replied "No,
come look!"
Suffice it to say it was a grub error complaining about no partition being
found -- huh? How did that happen? Evidently, Counter-strike (Steam) froze
hard in windows requiring a power-off shutdown. The box is dual-boot, so I
booted Linux all is well there. I have run fdisk, sfdisk, gpart and testdisk to
try and get a picture to what is going on and how to fix it. From memory, the
250G drive should have had:
sda
sda1 Primary/NTFS
sda2 Extended
sda5 swap
sda6 / ext3
sda7 /home ext4
However, it looks like something got inserted at the beginning of the disk (or
something like that) that has thrown the partition number/order information off.
I've never seen anything like it. My questions are: (1) does anybody recognize
what happened?; and (2) what can I do to attempt to recover? (which tool would
be best?)
Here is what the diagnostics show.
-----------
fdisk -l
-----------
Disk /dev/sda: 251.0 GB, 251000193024 bytes
255 heads, 63 sectors/track, 30515 cylinders, total 490234752 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00075d46
Device Boot Start End Blocks Id System
/dev/sda1 * 29 29 0 0 Empty
/dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT
/dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA)
/dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris
/dev/sda6 319195548 368017019 24410736 83 Linux
/dev/sda7 368017083 490223474 61103196 83 Linux
-----------
sfdisk -l
-----------
Disk /dev/sda: 30515 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start End #cyls #blocks Id System
/dev/sda1 * 0+ 0- 0 0 0 Empty
/dev/sda2 0+ 19625 19626- 157645813+ 7 HPFS/NTFS/exFAT
/dev/sda3 19626 30514 10889 87465892+ f W95 Ext'd (LBA)
sfdisk: start: (c,h,s) expected (1023,254,63) found (1023,0,1)
/dev/sda4 0 - 0 0 0 Empty
/dev/sda5 19626+ 19868 243- 1951866 82 Linux swap / Solaris
sfdisk: start: (c,h,s) expected (1023,254,63) found (1023,1,1)
/dev/sda6 19869+ 22907 3039- 24410736 83 Linux
sfdisk: start: (c,h,s) expected (1023,254,63) found (1023,1,1)
/dev/sda7 22908+ 30514 7607- 61103196 83 Linux
sfdisk: start: (c,h,s) expected (1023,254,63) found (1023,1,1)
-----------
sfdisk -d
-----------
# partition table of /dev/sda
unit: sectors
/dev/sda1 : start= 29, size= 0, Id= 0, bootable
/dev/sda2 : start= 63, size=315291627, Id= 7
/dev/sda3 : start=315291690, size=174931785, Id= f
/dev/sda4 : start= 0, size= 0, Id= 0
/dev/sda5 : start=315291753, size= 3903732, Id=82
/dev/sda6 : start=319195548, size= 48821472, Id=83
/dev/sda7 : start=368017083, size=122206392, Id=83
-----------
testdisk /list /dev/sda
-----------
TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER
On 2012-08-11 02:02, David C. Rankin wrote:
All,
My son came in and said "There's a problem with my computer can you come look?", so I asked him to tell me what the problem was, to which he replied "No, come look!"
Disaster night. I just lost my /var entirely of my main system.
250G drive should have had:
sda
sda1 Primary/NTFS
sda2 Extended
sda5 swap
sda6 / ext3
sda7 /home ext4
However, it looks like something got inserted at the beginning of the disk (or something like that) that has thrown the partition number/order information off. I've never seen anything like it. My questions are: (1) does anybody recognize what happened?;
Not really...
and (2) what can I do to attempt to recover? (which tool would be best?)
gpart or testdisk.
Device Boot Start End Blocks Id System
/dev/sda1 * 29 29 0 0 Empty
/dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT
/dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA)
/dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris
/dev/sda6 319195548 368017019 24410736 83 Linux
/dev/sda7 368017083 490223474 61103196 83 Linux
At least sda1 got erased from the table. Dunno about sda2 if it is reliable. Ignore these:
sfdisk: start: (c,h,s) expected (1023,254,63) found (1023,0,1)
Now...
-----------
testdisk /list /dev/sda
-----------
TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER
http://www.cgsecurity.org
Please wait...
Disk /dev/sda - 251 GB / 233 GiB - CHS 30515 255 63, sector size=512
Disk /dev/sda - 251 GB / 233 GiB - CHS 30515 255 63
Partition Start End Size in sectors
2 P HPFS - NTFS 0 1 1 19625 254 63 315291627
3 E extended LBA 19626 0 1 30514 254 63 174931785
No partition is bootable
5 L Linux Swap 19626 1 1 19868 254 63 3903732
X extended 19869 0 1 22907 254 63 48821535
6 L Linux 19869 1 1 22907 254 63 48821472 [root]
X extended 22908 0 1 30514 254 63 122206455
7 L Linux 22908 1 1 30514 254 63 122206392 [home]
The problem is sda1, it is missing, and testdisk doesn't make a suggestion. fdisk said:
Device Boot Start End Blocks Id System
/dev/sda1 * 29 29 0 0 Empty
/dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT

I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.

You can also try "gpart" to guess where the partitions would be.

And do a good virus scan... some are nasty.

--
Cheers / Saludos,
Carlos E. R. (from 12.1 "Asparagus" GM (bombadillo))
Hello,

On Sat, 11 Aug 2012, Carlos E. R. wrote:
Device Boot Start End Blocks Id System
/dev/sda1 * 29 29 0 0 Empty
/dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT
/dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA)
/dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris
/dev/sda6 319195548 368017019 24410736 83 Linux
/dev/sda7 368017083 490223474 61103196 83 Linux
[..]
I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.

Naaah. Those are a _LOT_ bigger than 31kB.

DCR: do not do anything just yet.

-dnh
--
A Perl program is correct if it gets the job done before your boss fires you. -- Larry Wall
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 08/11/2012 11:50 AM, David Haller wrote:
Hello,
On Sat, 11 Aug 2012, Carlos E. R. wrote:
Device Boot Start End Blocks Id System
/dev/sda1 * 29 29 0 0 Empty
/dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT
/dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA)
/dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris
/dev/sda6 319195548 368017019 24410736 83 Linux
/dev/sda7 368017083 490223474 61103196 83 Linux
[..] I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.
Naaah. Those are a _LOT_ bigger than 31kB.
DCR: do not do anything just yet.
-dnh
Just an idea if you haven't already done things to the disk. If you have another hard drive of the same size, and can mount it as an external drive, you can boot up from a live linux disk, and then you can use dd to clone everything at the data level from the corrupted drive to the 2nd drive.

Then you can try any test you want to do to the copied drive to see if you can make it work, and if it doesn't work, then you will not have messed up the original drive beyond repair. You will be able to dd copy again and try something new. Once you figure out what will fix the partition table problem, then you will have your answer, and you can do it on the original drive.

--
G.O.
Box #1: 12.1 | KDE 4.8.4 | AMD Phenom IIX4 | 64 | ATI Radeon HD 3300 | 16GB
Box #2: 12.1 | KDE 4.8.4 | AMD Athlon X3 | 64 | nVidia C61 GeForce 7025 | 4GB
Laptop: 12.1 | KDE 4.8.4 | Core i7-2620M | 64 | Intel HD Graphics 3000 | 8GB
learning openSUSE and loving it
On 2012-08-11 05:50, David Haller wrote:
Hello,
On Sat, 11 Aug 2012, Carlos E. R. wrote:
Device Boot Start End Blocks Id System
/dev/sda1 * 29 29 0 0 Empty
/dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT
/dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA)
/dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris
/dev/sda6 319195548 368017019 24410736 83 Linux
/dev/sda7 368017083 490223474 61103196 83 Linux
[..]
I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.
Naaah. Those are a _LOT_ bigger than 31kB.
Where do you get that 31kb figure from? 63 blocks is a lot more than that.

--
Cheers / Saludos,
Carlos E. R. (from 12.1 "Asparagus" GM (bombadillo))
Carlos E. R. wrote:
On 2012-08-11 05:50, David Haller wrote:
Hello,
On Sat, 11 Aug 2012, Carlos E. R. wrote:
Device Boot Start End Blocks Id System
/dev/sda1 * 29 29 0 0 Empty
/dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT
/dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA)
/dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris
/dev/sda6 319195548 368017019 24410736 83 Linux
/dev/sda7 368017083 490223474 61103196 83 Linux
[..]
I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.
Naaah. Those are a _LOT_ bigger than 31kB.
Where do you get that 31kb figure from? 63 blocks is a lot more than that.
1 block = 512byte (unless it's one of the newer disk with 4K blocks).

--
Per Jessen, Zürich (22.6°C)
Carlos E. R. wrote:
On 2012-08-11 05:50, David Haller wrote:
Hello,
On Sat, 11 Aug 2012, Carlos E. R. wrote:
Device Boot Start End Blocks Id System
/dev/sda1 * 29 29 0 0 Empty
/dev/sda2 63 315291689 157645813+ 7 HPFS/NTFS/exFAT
/dev/sda3 315291690 490223474 87465892+ f W95 Ext'd (LBA)
/dev/sda5 315291753 319195484 1951866 82 Linux swap / Solaris
/dev/sda6 319195548 368017019 24410736 83 Linux
/dev/sda7 368017083 490223474 61103196 83 Linux
[..]
I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.
Naaah. Those are a _LOT_ bigger than 31kB.
Where do you get that 31kb figure from? 63 blocks is a lot more than that.
1 block = 512byte (unless it's one of the newer disk with 4K blocks), but the number listed under fdisk:Blocks is number of 1k blocks.

--
Per Jessen, Zürich (22.6°C)
On 2012-08-11 14:09, Per Jessen wrote:
Carlos E. R. wrote:
Where do you get that 31kb figure from? 63 blocks is a lot more than that.
1 block = 512byte (unless it's one of the newer disk with 4K blocks), but the number listed under fdisk:Blocks is number of 1k blocks.
I need more coffee.

--
Cheers / Saludos,
Carlos E. R. (from 12.1 "Asparagus" GM (bombadillo))
Hello,

[... still up ...] @DCR: thought of some important points, see PS!

On Sat, 11 Aug 2012, Carlos E. R. wrote:
On 2012-08-11 05:50, David Haller wrote:
[..]
I would erase it, then readd it, using fdisk, starting at 1 and ending at 62. Type I don't know, fat or ntfs. I think it may be a Windows boot partition.
Naaah. Those are a _LOT_ bigger than 31kB.
Where do you get that 31kb figure from? 63 blocks is a lot more than that.
Sectors, Carlos, sectors! And AFAIK virtually _all_ HDD and SSDs still work with 512 Byte sectors externally, even if they use 4k sectors internally.

So, sector 0 is the MBR, sector 63 is the start of the first partition (at least in dcr's traditional case, nowadays, one tends to format on 1M or at least 4k boundaries, e.g.[0]). That leaves us sectors 1-62, each 512 B in size "unused", which is how I came up with the 31kB.

And mind you: if there is space available (as is after the MBR, that 31k, but not, say, on a ext2 /-partition, there's only 1 unused sector, ext* starts at sector 2 of that partition), GRUB (and lilo) do install partly into that space. In dcr's case GRUB uses at least the space up to offset 0x274F, probably up to 0x27CF of the disk for its "stage1.5". Which translates to GRUB using ~18 sectors of space after the MBR, or sectors 1-19 inclusive, with the reiserfs "driver" taking up the last used sectors. See

od -tx1z -Ax dcr-sda-0.img |less

that dcr "mistakenly" sent to the ML instead of in a tarball via PM just to me ;) I hope the list can handle the traffic impact.

And many other bootmanagers (used to) also use the unused space after the MBR. And some drainbamaged "dongling" stuff, much fun ensues if you need more than one of those that try to do that (I never did :).

-dnh, you need more coffee? I'm up 24hrs and drained a number of beers, and I _still_ can remember and write about stuff like this somewhat coherently? Gah!! What's that say about me ... *sigh* ;) Well, that stuff _did_ stick in my memory :) Anyway, you know, read with a grain of .., ahhm, pounds of salt ... No, I will not "analyze" dcr's images "today" or give any advice but "wait for me to have slept"... (which should be some time on Sunday, UTC). Oh, but I do have something for dcr:

PS@dcr: please run an antivirus check (total<something> online?) on that dcr-sda-0.img file[1]. There _is_ some code in sector 29 which looks fishy to me at a first glance. And as that partition is active and ISTR there are some "trojans"/"viruses" about that "kidnap" your disk by encrypting it, and a normal Winders MBR would just boot that fishy partition... "You" might've been *very* lucky to have Grub and not a normal DOS bootcode in your MBR ...

Anyway: *DO NOT* boot from that "bogus" active partition or Winders until we've found out what's up. Oh, I guess it'd be safe to set the linux partition as "active" (or at least deactivate the bogus one) using fdisk (just toggle the "active" flag) or whatever from a linux system (rescue or whatever). That should help you not booting accidentally from that fishy partition.

*blebb* *burp* *yawn* .oO( need sleep ) *grins inanely*

[0] # fdisk -l /dev/sda
[..]
/dev/sda1 2048 109053951 54525952 83 Linux
/dev/sda2 109053952 218105855 54525952 83 Linux

[1] I will too, "tomorrow", once I'm up and awake again.

--
If you want me, I'll be under my desk in a foetal position, whimpering, and occasionally gently cursing. -- D. C. Staples
On 08/11/2012 09:00 AM, David Haller wrote:
that dcr "mistakenly" sent to the ML instead of in a tarball via PM just to me ;)
I be guilty...

Looking at the 0130 time on the message, that is explainable... Generally with all list mail I have to manually change the address to the ML address to avoid a direct reply to the sender. My intent was to simply reply and it go to your PM. We are creatures of habit -- because after going through that thought process -- I manually changed the address and sent it to the list anyway ;-)

--
David C. Rankin, J.D.,P.E.
On 08/11/2012 09:00 AM, David Haller wrote:
PS@dcr: please run an antivirus check (total<something> online?) on that dcr-sda-0.img file[1]. There _is_ some code in sector 29 which looks fishy to me at a first glance. And as that partition is active and ISTR there are some "trojans"/"viruses" about that "kidnap" your disk by encrypting it, and a normal Winders MBR would just boot that fishy partition... "You" might've been *very* lucky to have Grub and not a normal DOS bootcode in your MBR ...

WOW, Now this is strange. Only 3 of 42 virus scanners identified the file as infected. The virus scanners that flagged the file as infected were:

Antivirus Result Update
DrWeb Trojan.Tdlphaze.1 20120811
Kaspersky Rootkit.Boot.Pihar.b 20120811
Microsoft Trojan:DOS/Alureon.J 20120811

You can see the full results at:

https://www.virustotal.com/file/8565f52c05d538dbe288cd83b63ec2fad0a6f11197b2...

The remaining major scanner engines flagged it as clean. I don't know if this means we are dealing with a new variant of some virus, or if the other engines just missed it, or if it is a false positive on those three?

Thank you for the link, that is a fantastic virus scanning tool!

--
David C. Rankin, J.D.,P.E.
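The partition-table oddity discussed in this thread, as an added example that is not part of any message above: a Python parser for the four primary MBR slots that flags an active slot with no type or length, and any slot starting in the gap between the MBR and the first real partition. The sample sector is constructed from the `sfdisk -d` values posted in the thread; the function names are illustrative.

```python
import struct

SECTOR = 512
ENTRY = struct.Struct("<B3sB3sII")  # flag, CHS start, type, CHS end, LBA start, sectors

def build_sample_mbr():
    """Constructed sector 0; slot values copied from the thread's `sfdisk -d` output."""
    slots = [
        (0x80, 0x00, 29, 0),                 # sda1: bootable, Id=0, size=0
        (0x00, 0x07, 63, 315291627),         # sda2: NTFS
        (0x00, 0x0F, 315291690, 174931785),  # sda3: extended (LBA)
        (0x00, 0x00, 0, 0),                  # sda4: unused
    ]
    mbr = bytearray(SECTOR)
    for i, (flag, ptype, start, size) in enumerate(slots):
        ENTRY.pack_into(mbr, 446 + 16 * i, flag, b"\0" * 3, ptype, b"\0" * 3, start, size)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_mbr(sector0):
    """Return the four primary slots of an MBR as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in sector 0")
    parts = []
    for i in range(4):
        flag, _, ptype, _, start, size = ENTRY.unpack_from(sector0, 446 + 16 * i)
        parts.append({"slot": i + 1, "flag": flag, "type": ptype, "start": start, "size": size})
    return parts

def post_mbr_gap(parts):
    """(first, last, bytes) of the sectors between the MBR and the first real partition."""
    starts = [p["start"] for p in parts if p["type"] != 0 and p["size"] > 0]
    if not starts or min(starts) < 2:
        return None
    return 1, min(starts) - 1, (min(starts) - 1) * SECTOR

def audit(parts):
    """Flag slots that do not look like ordinary partition entries."""
    gap = post_mbr_gap(parts)
    findings = []
    for p in parts:
        if not any((p["flag"], p["type"], p["start"], p["size"])):
            continue  # genuinely unused slot
        if p["flag"] not in (0x00, 0x80):
            findings.append((p["slot"], "invalid boot flag 0x%02x" % p["flag"]))
        if p["flag"] == 0x80 and (p["type"] == 0 or p["size"] == 0):
            findings.append((p["slot"], "active flag on an empty or zero-length slot"))
        if gap and gap[0] <= p["start"] <= gap[1]:
            findings.append((p["slot"], "starts in post-MBR gap, sectors %d-%d" % gap[:2]))
    return findings

if __name__ == "__main__":
    for slot, why in audit(parse_mbr(build_sample_mbr())):
        print("slot %d: %s" % (slot, why))
```

To check a saved image instead of the constructed sample, read its first 512 bytes and pass them to `parse_mbr()`.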