Tuesday, 6 December 2016

Recovering a Deleted Partition Table


Below are instructions for manually recovering a deleted partition table. There are utilities such as gpart or TestDisk which can make this task considerably easier. If you are reading this, however, because you have run out of luck, this is what you will have to do:

  1. Make a partition that is at least as big as your first partition was. You can make it larger than the original partition by any amount. If you underestimate, there will be much wailing and gnashing of teeth. 
    Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-23361, default 1): <RETURN>
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-22800, default 22800): 13032

Command (m for help): w
  2. Run dumpe2fs on the first partition and grep out the block count.
    Example: 
               % dumpe2fs /dev/sda1 | grep "Block count:"
           Block count:              41270953
    If you are uncertain about this value, repeat Step 1 with a bigger partition size. If the block count changes, then you underestimated the size of the original partition. Repeat Step 1 until you get a stable block count.
  3. Remove the partition you just created 
             Command (m for help): d
         Partition number (1-4): 1
  4. Make a new partition with the exact size you got from the block count. Since you cannot enter block size in fdisk, you need to figure out how many cylinders to request. Here is the formula: 
      (number of needed cylinders) = (number of blocks) / (block size)

  (block size) = (unit size) / 1024

  (unit size) = (number of heads) * (number of sectors/cylinder) * (number of bytes/sector)
    Consider the following example, where a hard drive has been partitioned into four primary partitions of 1, 2, 4, and 8 cylinders. 
    disk /dev/sda: 16 heads, 63 sectors, 23361 cylinders
Units = cylinders of 1008 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/sda1             1         2       976+  83  Linux
/dev/sda2             3         5      1512   83  Linux
/dev/sda3             6        10      2520   83  Linux
/dev/sda4            11        19      4536   83  Linux
    fdisk provides the configuration information I need in the head of the output. The unit size is 516096 ( 16 heads * 63 sectors/cyl * 512 bytes/sector ). The block size is 504 ( 516096 / 1024 ). The number of needed cylinders for the second partition is therefore 3 ( 1512 blocks / 504 ). The partition table shows that this is indeed the case: the first cylinder is 3, the second 4, and the last is 5, for a total of three cylinders. The number of needed cylinders for the third partition is calculated similarly: 2520 blocks / 504 = 5, which corresponds to blocks 6,7,8,9,10 . Notice that this calculation does not work for the first partition because the block count is wrong ( 976 instead of 1008 ). The plus sign indicates that not all the blocks are included in the fdisk value. When you try the calculation ( 976 / 504 ) you get 1.937. Knowing that the number of cylinders must be an integer, you can simply round up.
  5. Run e2fsck on it to verify that you can read the new partition.
  6. Repeat Steps 1-5 on remaining partitions.
Remount your partitions. Amazingly, all of your data will be there. Credit goes to: Mike Vevea, jedi sys admin, for providing the basic strategy.
Posted by at No comments:
Subscribe to: Posts (Atom)