-   Linux - General (
-   -   Recovering data from an ext3 fs with no superblocks (

UncleTaz 03-03-2004 09:46 PM

Recovering data from an ext3 fs with no superblocks
Hi all, big problems, hopefully you can help. I accidently killed my HD and am trying to recover some important files <scorn>insert comment about no backup = stupid</scorn>.

Computer: is a 686 with 150GB dual boot: mandrake and winxp.
1: winxp (ntfs)
2: fat32 transfer between linux and winxp
3: winxp (ntfs)
4: Extended....
4a: ext3 (/)
4b: swap
4c: ext3 (/home)

Symptom: One day I booted, the fsck squawked and locked up. It then said something to the effect of "do you want to try to rescue the partition?" Like a dope (second time this post) I said "sure." It popped up some sort of tool (diskdrake?) to fix the partition. I selected the root partition and said ok. The root partition is fine, but all the others were killed. So far so bad. I need data off the /home partition. I have not written to the disk since (first smart thing I did all day!) I made an image and that's what I've been trying things on (I used dd with noerror,sync,notrunc to make the image).

I tried to e2fsck and fsck.ext3 the image. Both bailed out with a message about no superblock and bad magic numbers. I tried the standard backup superblocks with the -b option. No luck. It didn't seem reasonable that I should have lost all my superblocks, so I figured that I must have somehow "slid" the start of the partition and that the superblock was not 1024 bytes into the record but somewhere else. I tried e2salvage. nada. I tried e2 superblock find (e2sbf) which basically tries every possible location for the superblock with e2fsck. nothing. I tried mke2fs -S to write a superblock on the image and then e2fsck. no data. The kicker is if I hex edit the image, I can very clearly see the data and directories. I have used the strings command to dump all the text in the partition, but since its a 50GB partition, that is going to be a lot of editing, and Im not sure what file was what without the filenames (which of course aren't in the files).

Other programs I've tried: Acronis recovery expert, Stellar Phoenix, R-Studio, R-Linux, FileScavenger 2.1, Recover2000. No luck

I have come to the conclusion that all my superblocks are trashed or at least so corrupted that e2fsck doesn't recognize them. I have also come to the conclusion that most of my data is still in there if I could only get it out.

Basically my question is this: is there a program that will read the partition without a superblock, or that I can tell what the superblock values should be? If I can figure out the inode for my file, is there a program that will read the inode for me (again without a superblock). If I can't find the inode table, is there a program/script that can find it for me?

I know I should have backed up the disk sooner. Lifes tough, its tougher if your stupid. Please help me make life stop sucking!


Qzukk 03-06-2004 01:34 PM

Try specifying one of the backup manpages. e2fsck's manpage tells how to do this with -b (such as where to try looking for the backup). Since you're working with an image, you may also need to specify the blocksize with -B.

Other possibility is that after using diskdrake, your partition table is just wrong. Do you remember what the settings originally were? try comparing them to whats in fdisk now (try the verify option in fdisk too).

UncleTaz 03-07-2004 01:22 PM

Thanks for replying! I've tried the backup blocks, no luck. I've actually looked at them in hexedit and they are trashed. I've done some more digging and I think the following is what happened.

1. Disk drake killed the partition table for all partitions except linux root
2. the partition I labeled 2, above, was not a primary, but a *logical* partition
3. When this partition disappeared, the partition table was no longer valid, and the swap space which was /dev/hdc8 was now /dev/hdc7, and my /home partition which was /dev/hdc9 was now /dev/hdc8
4. Linux used my /home partition as a swap partition. I think this shouldn't have happened (obviously) but I think it did. The whole beginning of my old /home partition is overwritten with stuff from proc such as the status of the ethernet rx and tx packets, disks mounted, etc.
5. Somehow, (maybe fsck) the corrupted superblock was written over the good ones.

So the problem remains, reading a disk without using the superblock. In pricinipal this should be doable, and I can get the values from mke2fs -S -n on my old /home partition. I can see the directories in the /home partition, although some of the directory block is corrupted. I can actually see the directory listing for the backup of my important files and I can get its inode number. If I can find the inode table, I could find out the blocks where the data are actually written.

In principle, I could do all this with a calculator and dd, but oh the pain. Hopefully someones already written something.


All times are GMT -5. The time now is 08:56 AM.