Need help from someone who's good with data recovery and knows cfdisk more than most!

[dav7]

Hey everyone...

I have a bit of an interesting situation here. Some time ago I got mad at my computer for various reasons (which are being fixed, yay) and did what you just *don't* do... I started flicking the thing off at the, uh, wall.

Uhhuh. :P

Well, I think it's safe to say I have definitely learned my lesson and won't be doing that again. Heh.

This story will unlikely end badly however since there is a ray of hope: thanks to my overcheerful chatterbox-like nature on IRC, I... whaddya know... pasted my disk partition structure to someone over IRC!!

So why haven't I fixed my disk already, you ask? Well, I have a slight problem. You see, the values that I got from the IRC log look like this:

Code:

     sda1                           Primary      FAT16                 [           ]           24.68
     sda2                           Primary      Linux JFS                                     41.13
     sda5                           Logical      Linux JFS                                  16105.10
                                    Logical      Free Space                                     0.04    *
     sda6            NC             Logical      Linux JFS                                   2146.77    *
                                    Logical      Free Space                                     0.04    *
     sda7            NC             Logical      Linux swap / Solaris                        1077.48    *
                                    Logical      Free Space                                     0.04    *
     sda8            NC             Logical      Linux JFS                                  32210.17    *
                                    Logical      Free Space                                     0.04    *
     sda9            NC             Logical      Linux JFS                                    509.94    *
     sda4                           Primary      Linux swap / Solaris                        2048.10
                                    Logical      Free Space                                     0.04    *
     sda10           NC             Logical      Unknown (2A)                                5116.10    *
     sda11                          Logical      Unknown (2A)                                 509.97
     sda12                          Logical      FAT16                 [           ]         1019.94
     sda13                          Logical      Linux JFS                                  19214.26

Yup, that's a paste from cfdisk. And to reiterate, that's the old one. FYI, NC means "not compatible with DOS or OS/2", and 2A is the unspecified identifier for the AFS filesystem, used in AtheOS and its fork, Syllable (which I have installed).

A dump from cfdisk now shows:

Code:

     sda1           Boot            Primary      FAT16 <32M            [           ]          24.68     
     sda2                           Primary      Linux JFS                                    41.13
     sda5                           Logical      Linux JFS                                 16105.10
     sda6                           Logical      Linux JFS                                  2146.80
     sda7                           Logical      Linux swap / Solaris                       1077.52
     sda8                           Logical      Linux JFS                                 32210.20
     sda9                           Logical      Linux JFS                                   509.97
                                    Logical      Free Space                                 7674.19
     sda10                          Logical      W95 FAT16 (LBA)       [           ]        1019.94
     sda11                          Logical      Linux JFS                                 19214.26

Whoa!

The difference at first is obvious; I don't have those 40kb free-space-fluffballs over my drive - the partitions seem to have "eaten" them and are ever so slightly bigger. Despite this, Arch Linux appears to startup correctly and I can access my data okay. Should I be concerned? This just happened one day out of the blue and I just left it alone. They've gone away now so yeah... hmmm.

If you take a closer look, however, you'll notice a "free space" hole 3 entries from the bottom of the list. This is the major problem. Until I searched my IRC logs I had no hope of recreating the partition structure that previously occupied that hole.

Now I can move onto the next step; recreating the partition structure. Which in itself is also quite a challenge. You see, in the first list you'll notice a lone Primary partition - this is marked as swap, but is used for data (don't ask why; I couldn't answer. Must've been an accident of some sort). I don't remember the filesystem that was on this partition, unfortunately, but the point is that it's primary, in amongst a handful of Logical partitions. Both gparted and cfdisk refuse to create a primary partition in that hole. :S

So what do I do now? Has my partition structure managed to irreparibly alter itself?

My biggest setback right now is that I don't have a spare 80GB disk (or disk with ~8GB space) on it at the moment, so all changes would be final. Would my best bet be for me to wait for me to get my next computer (which is likely around 1-2 years from now) with a new hard disk and so forth (since I don't want to keep buying tiny IDE HDDs anymore >.> and my PC's case is half height ("low profile" my FOOT) meaning a SATA card would probably cost two handfuls of cash instead of just one)...or... or what? What I'm really asking is whether I can have a fair amount of confidence in whether what I'm doing will make the situation worse, as opposed to a solution that may possibly work, but can be reversed if not.

Thanks in advance...

-dav7

[Lakshmipathi]

I don't know whether I understood your issue correct.

Can you access all your OS without any problem? If so then
From your output ,only swap is missing.

sda4 Primary Linux swap / Solaris 2048.10
Logical Free Space 0.04 *
sda10 NC Logical Unknown (2A) 5116.10 *
sda11 Logical Unknown (2A) 509.97

You can always create a new swap from the free space and mount it on your file system. check this : Adding Swap Space


Though gparted could be used to modify partition-http://gparted.sourceforge.net/features.php.
I haven't tried it.So please wait for suggestiom from any other Linux Forums member

[Lostfarmer]

Can not tell for sure just where the "swap" partition is , need to see output that shows start/stop sector #'s (fdisk -l -u ,I think). If it is within the boundary of the extended partition then that is not permitted and I do not think any partition program would do it. It might be possible to manually enter the correct data into the MBR partition slot #4, but must know the start sector , total sector size, and correct partition type.

I don't remember the filesystem that was on this partition, unfortunately,

Its likely possible to figure out the partition type by looking at its first 2 sectors. If it is a MS type partition it would be indicated in first sector, for Linux would be in second sector.

[dav7]

I don't know whether I understood your issue correct.

Can you access all your OS without any problem? If so then
From your output ,only swap is missing.



You can always create a new swap from the free space and mount it on your file system. check this : Adding Swap Space


Though gparted could be used to modify partition-http://gparted.sourceforge.net/features.php.
I haven't tried it.So please wait for suggestiom from any other Linux Forums member

Thanks, Lakshmipathi, you're right; only that swap partition (which had non-swap data on it) has gone but it was a Primary partition, in amongst a bunch of Logical partitions, something that I simply don't seem able to recreate on my disk.

Can not tell for sure just where the "swap" partition is , need to see output that shows start/stop sector #'s (fdisk -l -u ,I think).

Since the old structure is, as you know, all gone, that's not possible. However here's the current structure as reported by the command you mentioned:

Code:

Disk /dev/sda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders, total 156301488 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x00099b7d

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63       48194       24066    4  FAT16 <32M
/dev/sda2           48195      128519       40162+  83  Linux
/dev/sda3          128520   156296384    78083932+   f  W95 Ext'd (LBA)
/dev/sda5          128583    31583789    15727603+  83  Linux
/dev/sda6        31583853    35776754     2096451   83  Linux
/dev/sda7        35776818    37881269     1052226   82  Linux swap / Solaris
/dev/sda8        37881333   100791809    31455238+  83  Linux
/dev/sda9       100791873   101787839      497983+  83  Linux
/dev/sda10      116776548   118768544      995998+   e  W95 FAT16 (LBA)
/dev/sda11      118768608   156296384    18763888+  83  Linux

If it is within the boundary of the extended partition then that is not permitted and I do not think any partition program would do it.

Yeah, I think the same thing. I've been playing around with cfdisk since changes aren't committed unless explicitly requested, and it doesn't seem possible to create "Primary, Logical, Primary, Logical", which is what my original structure basically was. GParted is silly and requires all one's partitions to be unmounted before you can play, so I haven't tried with that (for obvious reasons).

It might be possible to manually enter the correct data into the MBR partition slot #4, but must know the start sector , total sector size, and correct partition type.

Heheheh... lol, right. :P

Its likely possible to figure out the partition type by looking at its first 2 sectors. If it is a MS type partition it would be indicated in first sector, for Linux would be in second sector.

And how might I do that?

Thanks for your replies, and thanks, once again, in advance.

-dav7

[Lostfarmer]

/dev/sda9 100791873 101787839 497983+ 83 Linux
/dev/sda10 116776548 118768544 995998+ e W95 FAT16 (LBA)

There are 14988709 sectors between sda9 and sda10.
It is not all your lost primary partition, 63 sectors will be an Extended Partition Table (EPT) but it could be at the beginning or end of the lost partition space.

The EPT will look just like the Master Partition Table but will only have 2 entries in it.

The first step will be to find the EPT that points to the next EPT and lists sda10, it will be in the lost space. The best way will likely be to use "dd" command to read the first unused sector '101787840' and then look and see if it is a EPT sector. (I do not use linux enough to give exact command for dd or just how to convert the hex data to text).

I must go work now but will try to post more info on just what you need to look for and how.

[Lostfarmer]

Let me say this first, I use mostly MS Windows so my linux commands are very limited. Just because I give some 'dd' command you had better look at it and be sure, or if you know of a better way to get needed info, use it.

At sector # 101787840 could be the EPT or the first sector of lost partition ,so you need to look at its data. Look at 3 sectors, if it is a linux partition the 3rd sector is important to see.

Code:

dd if=/dev/sda of=testept bs=512 count=3 skip=101787840

the command will read 3 sectors starting at #101787840 to file named testept.

To look at the saved file "testept" can use 'od -xa testept',
or if installed 'xxd testept'
there are other commands but can not use a text editor, the file will be hex data.

If the file testept is of the EPT it will look like:

Code:

0x1B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
0x1C0: C1 FF 0B FE FF FF 3F 00 00 00 FC 8A 38 01 00 00
0x1D0: C1 FF 05 FE FF FF EE C7 45 04 C1 3E 00 00 00 00
0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

the begaining of sector should be all zero's.

If the file is for FATxx partition then you will see FAT listed at line 0x050.

If the file is for linux the first 2 sectors will be all zeros unless you install grub to the partition, the 3 sector will have the header data (not sure of proper name) for the linux partition.

If you determan the data at sector 101787840 is that of a EPT next is to look at 3 sector from sector #101787903 to determan if it is the start of a fat or linux partition.

Code:

dd if=/dev/sda of=testept bs=512 count=3 skip=101787903

can give 'of' a different name so not to over write testept. See above to display saved file.

If the sector at 101787840 is indeed the start of the lost partition , will need to find the EPT and would likely be at sector #116776485, use dd as above with skip=116776485

After you find the EPT , start of lost partition and if it linux or fatxx then we are close.

I'm not good at writting so you will have to suffer. If you can not understand say so, is you can not determine what you are seeing just post the data.

The main problem, I know that the partition setup is not normal but if you say it worked then I guess it will. Have never seen a primary partition with in the boarders of a extended partition, and would say it will not work but will take you word for it.

[dav7]

Hey. :P

I am indeed having a bit of a hard time understanding all this... it's all slightly over my head

Running your first command - or at least a slightly quicker version of it that doesn't involve a temporary file - produces the following output.

Code:

dd if=/dev/sda bs=512 count=3 skip=101787840 2>/dev/null | od -Ax -t x1 | sed 's/000/0x/'
0x000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0x600

FYI:

• Skipping the "of" parameter with dd makes it use stdout.
• "2>/dev/null" redirects pipe 2, or stderr, to /dev/null, hiding dd's transfer statistics.
• sed just translates eg "0002eb" to "0x2eb" for asthetics

Oh, and the "*" in the output is od's way of saying "everything between 0x000 and 0x600 is the same".

Which is a problem...?!?! :S

Okay, moving on. That was sector 101787840.

The next two sectors actually have data in them, so I contrived to also display what ASCII data I could, and discovered hexdump. So, after switching to that, guess what I found?

Sector 101787903:

Code:

hexdump -C testept
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  4a 46 53 31 01 00 00 00  a0 c7 3c 00 00 00 00 00  |JFS1......<.....|
00000210  00 10 00 00 0c 00 03 00  00 02 00 00 09 00 00 00  |................|
00000220  00 20 00 00 00 09 20 10  01 00 00 00 00 00 00 00  |. .... .........|
00000230  04 00 00 00 54 00 00 00  02 00 00 00 52 00 00 00  |....T.......R...|
00000240  04 08 00 00 08 00 00 00  00 08 00 00 37 99 07 00  |............7...|
00000250  43 00 00 00 f4 98 07 00  41 72 6b 48 00 00 00 00  |C.......ArkH....|
00000260  32 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |2...............|
00000270  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000280  00 00 00 00 00 00 00 00  11 15 e0 78 93 db 43 01  |...........x..C.|
00000290  8b 1e 6c 49 89 b1 e2 51  00 00 00 00 00 00 00 00  |..lI...Q........|
000002a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000600

A JFS filesystem!!!111 \o/

(The -C option is what makes hexdump print both hexadecimal and ASCII, btw.)

Sector 116776485, again with hexdump. My filesystem attributes to my enjoyment of IRC :

Code:

hexdump -C testept
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 fe  |................|
000001c0  ff ff 0e fe ff ff 3f 00  00 00 3d 65 1e 00 00 fe  |......?...=e....|
000001d0  ff ff 05 fe ff ff 99 4d  12 07 20 a1 3c 02 00 00  |.......M.. .<...|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  31 2e 6d 61 2e 63 6f 6d  63 61 73 74 2e 6e 65 74  |1.ma.comcast.net|
00000210  20 50 52 49 56 4d 53 47  20 23 23 6c 69 6e 75 78  | PRIVMSG ##linux|
00000220  20 3a 6f 6e 6c 79 20 34  32 20 6b 20 6d 69 6c 65  | :only 42 k mile|
00000230  73 20 61 6e 64 20 74 68  65 20 65 6e 67 69 6e 65  |s and the engine|
00000240  20 73 75 63 6b 73 20 74  68 61 74 20 6d 75 63 68  | sucks that much|
00000250  20 6f 69 6c 3f 22 0a 54  68 75 20 4d 61 79 20 31  | oil?".Thu May 1|
00000260  30 20 30 35 3a 31 36 3a  31 31 20 32 30 30 37 20  |0 05:16:11 2007 |
00000270  2d 20 53 4f 43 4b 45 54  20 2d 20 53 6f 63 6b 65  |- SOCKET - Socke|
00000280  74 20 52 65 63 65 69 76  65 64 20 31 36 36 20 62  |t Received 166 b|
00000290  79 74 65 73 3a 20 22 3a  44 61 6e 69 5f 21 6e 3d  |ytes: ":Dani_!n=|
000002a0  63 68 61 74 7a 69 6c 6c  40 43 50 45 30 30 32 30  |chatzill@CPE0020|
000002b0  65 64 37 33 30 62 33 31  2d 43 4d 30 30 31 32 63  |ed730b31-CM0012c|
000002c0  39 39 39 65 65 61 30 2e  63 70 65 2e 6e 65 74 2e  |999eea0.cpe.net.|
000002d0  63 61 62 6c 65 2e 72 6f  67 65 72 73 2e 63 6f 6d  |cable.rogers.com|
000002e0  20 50 52 49 56 4d 53 47  20 23 43 53 53 20 3a 74  | PRIVMSG #CSS :t|
000002f0  68 6f 73 65 20 61 72 65  20 73 75 70 70 6f 73 65  |hose are suppose|
00000300  64 20 74 6f 20 62 65 20  75 70 20 61 74 20 74 68  |d to be up at th|
00000310  65 20 74 6f 70 20 62 65  73 69 64 65 20 74 68 65  |e top beside the|
00000320  20 6e 61 76 61 67 61 74  69 6f 6e 20 62 61 72 2e  | navagation bar.|
00000330  20 61 6e 79 20 69 64 65  61 73 3f 0d 0a 22 0a 54  | any ideas?..".T|
00000340  68 75 20 4d 61 79 20 31  30 20 30 35 3a 31 36 3a  |hu May 10 05:16:|
00000350  31 31 20 32 30 30 37 20  2d 20 53 4f 43 4b 45 54  |11 2007 - SOCKET|
00000360  20 2d 20 50 72 6f 63 65  73 73 69 6e 67 20 22 3a  | - Processing ":|
00000370  44 61 6e 69 5f 21 6e 3d  63 68 61 74 7a 69 6c 6c  |Dani_!n=chatzill|
00000380  40 43 50 45 30 30 32 30  65 64 37 33 30 62 33 31  |@CPE0020ed730b31|
00000390  2d 43 4d 30 30 31 32 63  39 39 39 65 65 61 30 2e  |-CM0012c999eea0.|
000003a0  63 70 65 2e 6e 65 74 2e  63 61 62 6c 65 2e 72 6f  |cpe.net.cable.ro|
000003b0  67 65 72 73 2e 63 6f 6d  20 50 52 49 56 4d 53 47  |gers.com PRIVMSG|
000003c0  20 23 43 53 53 20 3a 74  68 6f 73 65 20 61 72 65  | #CSS :those are|
000003d0  20 73 75 70 70 6f 73 65  64 20 74 6f 20 62 65 20  | supposed to be |
000003e0  75 70 20 61 74 20 74 68  65 20 74 6f 70 20 62 65  |up at the top be|
000003f0  73 69 64 65 20 74 68 65  20 6e 61 76 61 67 61 74  |side the navagat|
00000400  69 6f 6e 20 62 61 72 2e  20 61 6e 79 20 69 64 65  |ion bar. any ide|
00000410  61 73 3f 22 0a 54 68 75  20 4d 61 79 20 31 30 20  |as?".Thu May 10 |
00000420  30 35 3a 31 36 3a 31 33  20 32 30 30 37 20 2d 20  |05:16:13 2007 - |
00000430  53 4f 43 4b 45 54 20 2d  20 53 6f 63 6b 65 74 20  |SOCKET - Socket |
00000440  52 65 63 65 69 76 65 64  20 36 34 20 62 79 74 65  |Received 64 byte|
00000450  73 3a 20 22 3a 78 65 64  32 21 6e 3d 58 65 64 32  |s: ":xed2!n=Xed2|
00000460  40 63 70 65 2d 37 35 2d  38 33 2d 38 31 2d 31 38  |@cpe-75-83-81-18|
00000470  34 2e 73 6f 63 61 6c 2e  72 65 73 2e 72 72 2e 63  |4.socal.res.rr.c|
00000480  6f 6d 20 4a 4f 49 4e 20  3a 23 23 77 69 6e 64 6f  |om JOIN :##windo|
00000490  77 73 0d 0a 22 0a 54 68  75 20 4d 61 79 20 31 30  |ws..".Thu May 10|
000004a0  20 30 35 3a 31 36 3a 31  33 20 32 30 30 37 20 2d  | 05:16:13 2007 -|
000004b0  20 53 4f 43 4b 45 54 20  2d 20 50 72 6f 63 65 73  | SOCKET - Proces|
000004c0  73 69 6e 67 20 22 3a 78  65 64 32 21 6e 3d 58 65  |sing ":xed2!n=Xe|
000004d0  64 32 40 63 70 65 2d 37  35 2d 38 33 2d 38 31 2d  |d2@cpe-75-83-81-|
000004e0  31 38 34 2e 73 6f 63 61  6c 2e 72 65 73 2e 72 72  |184.socal.res.rr|
000004f0  2e 63 6f 6d 20 4a 4f 49  4e 20 3a 23 23 77 69 6e  |.com JOIN :##win|
00000500  64 6f 77 73 22 0a 54 68  75 20 4d 61 79 20 31 30  |dows".Thu May 10|
00000510  20 30 35 3a 31 36 3a 31  36 20 32 30 30 37 20 2d  | 05:16:16 2007 -|
00000520  20 53 4f 43 4b 45 54 20  2d 20 53 65 6e 64 69 6e  | SOCKET - Sendin|
00000530  67 20 22 50 49 4e 47 20  64 61 76 37 0a 22 0a 54  |g "PING dav7.".T|
00000540  68 75 20 4d 61 79 20 31  30 20 30 35 3a 31 36 3a  |hu May 10 05:16:|
00000550  31 37 20 32 30 30 37 20  2d 20 53 4f 43 4b 45 54  |17 2007 - SOCKET|
00000560  20 2d 20 53 6f 63 6b 65  74 20 52 65 63 65 69 76  | - Socket Receiv|
00000570  65 64 20 36 31 20 62 79  74 65 73 3a 20 22 3a 6d  |ed 61 bytes: ":m|
00000580  65 6c 62 6f 75 72 6e 65  2e 6d 6f 6f 66 73 70 65  |elbourne.moofspe|
00000590  61 6b 2e 6e 65 74 20 50  4f 4e 47 20 6d 65 6c 62  |ak.net PONG melb|
000005a0  6f 75 72 6e 65 2e 6d 6f  6f 66 73 70 65 61 6b 2e  |ourne.moofspeak.|
000005b0  6e 65 74 20 3a 64 61 76  37 0d 0a 22 0a 54 68 75  |net :dav7..".Thu|
000005c0  20 4d 61 79 20 31 30 20  30 35 3a 31 36 3a 31 37  | May 10 05:16:17|
000005d0  20 32 30 30 37 20 2d 20  53 4f 43 4b 45 54 20 2d  | 2007 - SOCKET -|
000005e0  20 50 72 6f 63 65 73 73  69 6e 67 20 22 3a 6d 65  | Processing ":me|
000005f0  6c 62 6f 75 72 6e 65 2e  6d 6f 6f 66 73 70 65 61  |lbourne.moofspea|
00000600

Thanks a heap for your help... hopefully this all makes some more sense :)

-dav7

[Lostfarmer]

The display for sector 101787903 is very important, it tells linux every thing about its partition {Header data ?}, the only problem I expected the data to start at 0400 not 0200. That could put us off one sector # for start of that partition. Need for you to look as a good linux partition to verify if the 'Header data' starts at 0200 or 0400.

Code:

dd if=/dev/sda of=sda6ept bs=512 count=3 skip=31583853
hexdump -C  sda6ept

or fastest , looking at first 3 sectors of sda6 {header data}

Code:

dd if=/dev/sda6 of=sda6ept bs=512 count=3
hexdump -C sda6ept

Next Must find the EPT for sda10 {every logical volume has a EPT normally 63 sector proceeding it, in your case [?]}. Each EPT will point to it's logical volume and the next EPT. I guess the best way is to look at EPT for sda9.

Code:

dd if=/dev/sda of=sda9ept bs=512 count=1 skip=100791810
hexdump -C sda9ept

post output and I will try to explan just what it is all showing, and what must be looked at next.

[dav7]

I didn't have much time on my PC today so didn't analyze all 3 commands fully (I was over here - http://hardforum.com/showthread.php?p=1034581755#post1034581755), but here is the output to them - yes, I know I'm being a bit redundant by posting the output of both the 1st and 2nd commands but hey :P

Code:

/Users/dav7/ + dd if=/dev/sda of=sda6ept bs=512 count=3 skip=31583853
3+0 records in
3+0 records out
1536 bytes (1.5 kB) copied, 0.000132405 s, 11.6 MB/s
/Users/dav7/ + hexdump -C  sda6ept
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000600

Code:

/Users/dav7/ + dd if=/dev/sda6 of=sda6ept bs=512 count=3
3+0 records in
3+0 records out
1536 bytes (1.5 kB) copied, 0.0166979 s, 92.0 kB/s
/Users/dav7/ + hexdump -C sda6ept
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000600

Code:

/Users/dav7/ + dd if=/dev/sda of=sda9ept bs=512 count=1 skip=100791810
1+0 records in
1+0 records out
512 bytes (512 B) copied, 8.872e-05 s, 5.8 MB/s
/Users/dav7/ + hexdump -C sda9ept
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 fe  |................|
000001c0  ff ff 83 fe ff ff 3f 00  00 00 7f 32 0f 00 00 fe  |......?....2....|
000001d0  ff ff 05 fe ff ff 1d e8  f3 06 7c 65 1e 00 00 00  |..........|e....|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200

Thanks for your help, really

PS. I renamed /home/ to /Users/ for the lulz one day and it kinda stuck. I am really on Linux

I was wondering earlier - if I gave dd the right skip= or offset=, perhaps I could mount the partition directly, without it being in my partition table? The same method is used to mount virtual machine hard disk partitions. Try googling "dd mount partition" or similar for info :P

Thanks again!

-dav7

[Lostfarmer]

The display of 'sda9ept' is an EPT, so will decode it for you.

Code:

000001b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe  
000001c0  ff ff 83 fe ff ff 3f 00 00 00 7f 32 0f 00 00 fe  
000001d0  ff ff 0f fe ff ff 1d e8 f3 06 7c 65 1e 00

Boot Flag

File Type: 83=Linux of=extended partition
Start Sector --
1)If partition , the reference point is start sector of this EPT.

2)If points to EPT, the reference point is sector # of first EPT, (if it is the first EPT then reference point is MBR)

Total Number of Sectors--
if EPT then total sectors left in the whole extend partition (logical volumes sda9+10+11 and there EPT's)

The Start Sector & Total Sectors are in 'little endian' format where :'start sector' "1d e8 f3 06" = 06f3e81d =116647965.

So the next EPT for sda10 starts at sector 116647965+128520(first EPT location)=116776484

(You need to verify if indeed an EPT so use skip=116776484)

Now we know your lost partition Must stop at sector 116776484.

What we do not know yet is just where partition start.

00000200 4a 46 53 31 01 00 00 00 a0 c7 3c 00 00 00 00 00 |JFS1......<.....|
00000210 00 10 00 00 0c 00 03 00 00 02 00 00 09 00 00 00 |................|

Must find basic data as above on sda6 ,so we know how many pri sectors must be included. On an ext2 it would be the third sector '0x400 -0x5ff' but on a JFS1 it is not there.
(dd if=/dev/sda6 of=sda6ept bs=512 count=3) You will have to search till you find it. Can use 'count=64 ,if still not found use skip=64 count=64, ect. 'First try with skip=64 count=3'

If linux has a hdd partition search command , search for 'JFS1'.

I was wondering earlier - if I gave dd the right skip= or offset=, perhaps I could mount the partition directly, without it being in my partition table?

?? have never used a virtual machine , but give it a try only after we have the start sector # and report back.