[ale] help with LDE [linux disk editor]

Greg Freemyer greg.freemyer at gmail.com
Wed Nov 29 15:31:19 EST 2006


Courtney,

The easiest thing is just to test it.

I'm pretty sure all gpart touches is the partition table in the MBR.
(The below assumes your  old corrupted drive is /dev/hdc).

First save a copy of the MBR:
    dd if=/dev/hdc of=MBR-backup-file bs=512 count=1

Then have gpart recreate the partition table
    gpart -W /dev/hdc /dev/hdc

Then do a "fdisk -l /dev/hdc" and see if it looks right.

Then try to mount each of the partitions and see if they work.  I
normally do this read-only.

mount -r /dev/hdc1 /mnt
umount /mnt
etc.

Then finally try to boot off of it.  Normally Linux knows that the
drive was originally the Master drive on the first IDE channel, etc.
So before you try to boot off of it, be sure to set the Master / Slave
the way you think it was  and also put it on the correct IDE channel
for booting.  You may need to disconnect your current boot drive to
get things setup right.

If for some reason you have to restore the MBR, boot back to the way
you have things now and reverse the dd:

    dd if=MBR-backup-file of=/dev/hdc bs=512 count=1

Hope that helps
Greg

On 11/28/06, Courtney Thomas <courtneycthomas at bellsouth.net> wrote:
> Greg,
>
> Thank you for your followup.
>
> No, I've done no more than scan the drive with gpart, which did apparently
> and correctly find all the partitions, according to my previously recorded
> data.
>
> I was using LILO, so will that not be operable after restoring with gpart ?
> If not, why not ?
>
> If not, then is the solution to boot off another, mount the restored drive,
> and run LILO from the restored drive, or what ?
>
> Appreciatively,
>
> Courtney
>
>
> ----- Original Message -----
> From: "Greg Freemyer" <greg.freemyer at gmail.com>
> To: "Atlanta Linux Enthusiasts" <ale at ale.org>
> Sent: Tuesday, November 28, 2006 5:43 PM
> Subject: Re: [ale] help with LDE [linux disk editor]
>
>
> > Courtney,
> >
> > Did you ever get it resolved.
> >
> > If not, reading "man gpart" is worth your time.
> >
> > And I think it has a -W arg to actually update the partition table in the
> MBR.
> >
> > Having that should allow you to mount the drives etc, but the drive
> > itself will not be bootable.
> >
> > If you want to boot off of the drive you have to install some boot
> > loader code into the MBR.  Personally I use grub  (via grub-install
> > IIRC).
> >
> > Hope you got it working
> > Greg
> >
> > On 11/26/06, Courtney Thomas <courtneycthomas at bellsouth.net> wrote:
> > > Greg,
> > >
> > > Thank you for the edifying commentary. I need all the help I can get
> :-)
> > >
> > > Based on your description, I have no MBR, apparently.
> > >
> > > But, based on a gpart scan, it has seemingly found the 3 primary
> partitions,
> > > /, /boot & /var; plus the swap segment.
> > >
> > > Incidentally, if it would be helpful in deciphering my comments, I'd be
> glad
> > > to
> > > forward the gpart scan file as an attachment.
> > >
> > > Fortunately, I do have the exact begin/end sizes for all partitions
> before
> > > this
> > > implosion, so I do have a numerically clear and accurate picture of the
> > > former
> > > layout, which I'd also be pleased to relay should you be willing to look
> it
> > > over.
> > >
> > > I may not have mentioned that the disk has Debian installed, using
> ext2fs.
> > >
> > > Cordially,
> > >
> > > Courtney
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Greg Freemyer" <greg.freemyer at gmail.com>
> > > To: "Atlanta Linux Enthusiasts" <ale at ale.org>
> > > Sent: Sunday, November 26, 2006 2:40 PM
> > > Subject: Re: [ale] help with LDE [linux disk editor]
> > >
> > >
> > > > Courtney,
> > > >
> > > > I'm still unsure what your issue is.
> > > >
> > > > The Master Boot Record (MBR) (I think thats the right name) is
> > > > maintained in sector 0 of the entire drive.
> > > >
> > > > In the old Cylinder/Head/Sector addressing scheme it was Cyl 0, Head
> > > > 0, Sector 0.  In modern LBA terminology it is simply sector 0.  The
> > > > first partition traditionally starts at Cyl 0, Head 1, Sector 0.  With
> > > > most modern disks the internal drive electronics emulate a drive with
> > > > 63 sectors per head, so that works out to Sector 63 being the start of
> > > > the first partition.
> > > >
> > > > Anyway, I believe there is only one MBR per disk regardless of the
> > > > number of sectors.  With a standard Intel/Windows partition table a
> > > > small part of the MBR is used to hold the partition table.  I think
> > > > "man gpart" will tell you which bytes specifically hold the partition
> > > > table.
> > > >
> > > > If the partition table within the MBR becomes corrupt, then a tool
> > > > like gpart can be used to recreate it.
> > > >
> > > > Then for each filesystem there is a superblock.  The superblocks
> > > > reside within the partitions but the structure and layout is
> > > > filesystem dependent.  Some filesystems like XFS even maintain a
> > > > backup copy of the superblock.  Others like FAT32/NTFS don't call it a
> > > > superblock at all.
> > > >
> > > > Hope the helps with terminology as you read about and research your
> > > problem.
> > > > Greg
> > > >
> > > > On 11/26/06, Courtney Thomas <courtneycthomas at bellsouth.net> wrote:
> > > > > Thanks Greg, that's exactly, apparently, what I need, in that the
> > > superblock
> > > > > is seemingly gone.
> > > > >
> > > > > I'll try it.
> > > > >
> > > > > Sure will be glad when flashdisks are cheap and I never need to
> consider
> > > > > things that go round and round again  :-)
> > > > >
> > > > > Merry Christmas,
> > > > > Courtney
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Greg Freemyer" <greg.freemyer at gmail.com>
> > > > > To: "Atlanta Linux Enthusiasts" <ale at ale.org>
> > > > > Sent: Saturday, November 25, 2006 7:40 PM
> > > > > Subject: Re: [ale] help with LDE [linux disk editor]
> > > > >
> > > > >
> > > > > > Courtney,
> > > > > >
> > > > > > I've never used LDE, but I suspect it works at the partition level
> not
> > > > > > the disk level.
> > > > > >
> > > > > > If that is the case you need to try "lde /dev/hda1" to edit the
> first
> > > > > > primary partition on the disk.
> > > > > >
> > > > > > "fdisk -l /dev/hda" will tell you what partitions you have to
> choose
> > > from.
> > > > > >
> > > > > > If for some reason your partition table is destroyed, you may want
> to
> > > > > > look into gpart as a tool to recreate the partition table.
> > > > > >
> > > > > > Hope that helps
> > > > > > Greg
> > > > > >
> > > > > > On 11/25/06, Courtney Thomas <courtneycthomas at bellsouth.net>
> wrote:
> > > > > > > I'm tryin' to learn to use LDE and am experimenting with an old
> > > outta
> > > > > whack
> > > > > > > disk.
> > > > > > >
> > > > > > > When I...
> > > > > > >    lde /dev/hda
> > > > > > > the first screen comes up with an error screen, reporting....
> > > > > > >
> > > > > > >    root inode is not a dir
> > > > > > >    first block  (0) != normal first blk (1)
> > > > > > >    found ext2fs on device
> > > > > > >
> > > > > > >        inodes 252416
> > > > > > >        blocks 504000
> > > > > > >        firstdatazone 0 (N=1)
> > > > > > >        zonesize 4096
> > > > > > >        max size 1074791436
> > > > > > >
> > > > > > > 1-since root inode is not a dir, how do I convert it to a dir ?
> > > > > > >
> > > > > > > 2-what is the significance of the normal first block being 1 and
> > > this
> > > > > one's
> > > > > > > 0
> > > > > > >
> > > > > > > 3-what do you make of the numbers in the second block of data [5
> > > lines]
> > > > > ?
> > > > > > >
> > > > > > > 4-by root inode, does LDE mean the superblock or block 1, I've
> > > assumed
> > > > > the
> > > > > > > superblock ?
> > > > > > >
> > > > > > > I hope that if I can resuscitate this disk, then when I run into
> > > > > real/active
> > > > > > > disk calamities,
> > > > > > > that I might be able to recover. Any suggestions for further
> > > information
> > > > >  on
> > > > > > > use of this tool ?
> > > > > > >
> > > > > > > Thank you,
> > > > > > > Courtney
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Ale mailing list
> > > > > > > Ale at ale.org
> > > > > > > http://www.ale.org/mailman/listinfo/ale
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Greg Freemyer
> > > > > > The Norcross Group
> > > > > > Forensics for the 21st Century
> > > > > > _______________________________________________
> > > > > > Ale mailing list
> > > > > > Ale at ale.org
> > > > > > http://www.ale.org/mailman/listinfo/ale
> > > > >
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > http://www.ale.org/mailman/listinfo/ale
> > > > >
> > > >
> > > >
> > > > --
> > > > Greg Freemyer
> > > > The Norcross Group
> > > > Forensics for the 21st Century
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > http://www.ale.org/mailman/listinfo/ale
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> > >
> >
> >
> > --
> > Greg Freemyer
> > The Norcross Group
> > Forensics for the 21st Century
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>


-- 
Greg Freemyer
The Norcross Group
Forensics for the 21st Century



More information about the Ale mailing list