[aklug] Re: Using DD to find partition table

My mind is blown, but I think I have a clue how to proceed. That is the
perfect balance of elegant and brute force. I need to try again to extract
the sda mbr and get 2048 this time. Then I think I can step by step through
the walkthrough. I got 1024 already, so this is doable.

Glad I have a 4day coming up. Think I'm going to need it.

If anyone is real proficient at this and willing to tutor a padawan, I'll
take the help.
On Nov 19, 2012 12:12 PM, "Leif Sawyer" <lsawyer@gci.com> wrote:

> Okay, so basically, for a normal disk:
>
> # dd if=/dev/sdb bs=1k count=2048 of=sdb.head
> 2048+0 records in
> 2048+0 records out
> 2097152 bytes (2.1 MB) copied, 0.0493305 s, 42.5 MB/s
>
> # file sdb.head
> sdb.head: x86 boot sector, Microsoft Windows XP MBR, Serial 0xf8000000;
> partition 1: ID=0xde, starthead 1, startsector 63, 96327 sectors; partition
> 2: ID=0x7, active, starthead 0, startsector 96390, 156135735 sectors, code
> offset 0xc0
>
> # fdisk -l sdb.head
> You must set cylinders.
> You can do this from the extra functions menu.
>
> Disk sdb.head: 2 MB, 2097152 bytes
> 255 heads, 63 sectors/track, 0 cylinders, total 4096 sectors
> Units = sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> Disk identifier: 0xf8000000
>
> Device Boot Start End Blocks Id System
> sdb.head1 63 96389 48163+ de Dell Utility
> sdb.head2 * 96390 156232124 78067867+ 7 HPFS/NTFS/exFAT
>
> -----------
>
> But if there's garbage (i.e., a RAID header) at the beginning of the
> actual disk data, you want to skip ahead.
>
> # cat gparted-live-0.14.0-1.zip sdb.head > fake-sdb.head
>
> # file fake-sdb.head
> fake-sdb.head: Zip archive data, at least v1.0 to extract
>
> So my 'disk' is no longer a disk. But we can use dd to find the offset
> of the disk.
> This will take a while, depending on how large of a header you have. Yes,
> there's probably a faster way, but this is dirty and thorough.
>
> # i=1; while true; do dd if=fake-sdb.head bs=1 skip=$i count=512
> of=tempsdb.dd; echo $i; file tempsdb.dd; i=$((i+1)); done 2>&1 | grep -B1
> tempsdb.dd | grep -i -B1 'boot sector'
> 15796
> tempsdb.dd: x86 boot sector, code offset 0xc5
> --
> 63333
> tempsdb.dd: x86 boot sector, code offset 0xa0
> --
> 88251
> tempsdb.dd: x86 boot sector, code offset 0x7c
> --
> 172526
> tempsdb.dd: x86 boot sector, code offset 0x76
> --
> 178180
> tempsdb.dd: x86 boot sector, code offset 0xa4
> --
> 391124
> tempsdb.dd: x86 boot sector, code offset 0x30
> --
> 391236
> tempsdb.dd: x86 boot sector; partition 3: ID=0x51, starthead 205,
> startsector 1451942962, 3943943424 sectors, code offset 0x32
> --
> 391501
> tempsdb.dd: x86 boot sector, Microsoft Windows XP MBR, Serial 0xf8000000;
> partition 1: ID=0xde, starthead 1, startsector 63, 96327 sectors; partition
> 2: ID=0x7, active, starthead 0, startsector 96390, 156135735 sectors, code
> offset 0xc0
> --
> 423757
> tempsdb.dd: x86 boot sector, code offset 0x46, OEM-ID "Dell 4.1",
> sectors/cluster 4, root entries 512, Media descriptor 0xf8, sectors/FAT 94,
> heads 255, hidden sectors 63, sectors 96327 (volumes > 32 MB) , serial
> number 0x7d
> 3090b, label: "DellUtility", FAT (16 bit)
>
> ^c
> ---------------------------------
>
> Okay, so, we've got some options. The first few are fake, obviously,
> because there's no information about them.
>
> The last one is the start of a partition- this can also be useful, if you
> just want to grab partition data off of a drive and ignore the partition
> table entirely.
>
> The second-to-last is the winner, which we can prove thisaway:
>
> # dd if=fake-sdb.head bs=1 skip=391501 count=16384 of=tempsdb.dd
> 16384+0 records in
> 16384+0 records out
> 16384 bytes (16 kB) copied, 0.0272675 s, 601 kB/s
>
> # fdisk -l tempsdb.dd
> You must set cylinders.
> You can do this from the extra functions menu.
>
> Disk tempsdb.dd: 0 MB, 16384 bytes
> 255 heads, 63 sectors/track, 0 cylinders, total 32 sectors
> Units = sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> Disk identifier: 0xf8000000
>
> Device Boot Start End Blocks Id System
> tempsdb.dd1 63 96389 48163+ de Dell Utility
> tempsdb.dd2 * 96390 156232124 78067867+ 7 HPFS/NTFS/exFAT
>
>
>
> if you're -lucky- you'll find the offset is power-of-two divisible, and
> you can set
> the block-size to something appropriate, and then skip+copy via dd.
>
>
> Enjoy!
>
>
>
> > -----Original Message-----
> > From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf
> > Of Jim
> > Sent: Monday, November 19, 2012 8:09 AM
> > To: aklug@aklug.org
> > Subject: [aklug] Using DD to find partition table
> >
> > Good Morning
> >
> > Leif, can you post a bit more about finding the partition table? I tried
> > to build binwalk, but no luck so far.
> >
> > Thanks
> >
> > ------------------------------ Date: Mon, 19 Nov 2012 00:19:57 -0900
> > (AKST) Subject: [aklug] Re: Wife's hard drive is failing From:
> > bryanm@acsalaska.net On Sun, November 18, 2012 6:44 pm, Leif Sawyer
> > wrote:
> > >> Use dd to grab the first meg or so of the drive, and put the
> > resulting file on
> > >> a usb key or different drive, so your not exercising the failed drive
> > during
> > >> the next process.
> > >>
> > >> Use dd on the extracted file to search for a partition table, using
> > seek to
> > >> skip ahead in the file 1 byte at a time until you find the correct
> > offset.
> > >>
> > >> Then you can dd the failing drive into a new drive, skipping ahead
> > that
> > >> offset, so that the partition table is written correctly on the new
> > drive.
> > >>
> > >> I've done this with a couple of failed raid'd drives, and it has
> > worked for
> > >> me.
> > > There is a utility called binwalk:
> > > https://code.google.com/p/binwalk/
> > >
> > > that will do the stepping-through for you, so you don't have to
> > > manually increment the seek. I haven't used it personally, but
> > > it's a great idea.
> > >
> > > --
> > > Bryan Medsker
> > > bryanm@acsalaska.net
> > >
> > >
> > > ------------------------------
> > >
> > > End of aklug Digest V11 #168
> > > ****************************
> > > ---------
> > > To unsubscribe, send email to <aklug-request@aklug.org>
> > > with 'unsubscribe' in the message body.
> > >
> >
> > ---------
> > To unsubscribe, send email to <aklug-request@aklug.org>
> > with 'unsubscribe' in the message body.
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon Nov 19 21:04:08 2012