Archive for January, 2007

Kill and Resurrect the Master Boot Record

Thursday, January 25th, 2007

The MBR is a 512-byte segment at the very beginning (the first sector) of a hard drive. This segment contains two major parts: the boot code in the first 446 bytes and the partition table (plus a 2-byte signature) in the remaining 66 bytes. When you run lilo, grub-install, or fdisk /mbr in DOS, it writes to these first 446 bytes. When you run cfdisk or some other disk-partition program, it writes to the remaining 66 bytes.

Writing directly to your MBR can be dangerous. One typo or mistake can make your entire system unbootable or even erase your entire partition table. Make sure you have a complete backup of your MBR, if not your full hard drive, on other media (like a floppy or anything other than the hard drive itself) before you try any potentially destructive commands.

The MBR is crucial for booting your system and, in the case of the partition table, for accessing your data; however, many people never back it up. Use Knoppix to easily create backups of your MBR, which you can later restore if you ever accidentally overwrite your partition table or boot code. Double-check each command you type: typing 466 instead of 446 can mean the difference between blanking the boot code and partially destroying your partition table.

6.4.1 Save the MBR

First, before you attempt anything potentially destructive, back up the current MBR. Boot into Knoppix, and type the following command into a terminal:

knoppix@ttyp0[knoppix]$ sudo dd if=/dev/hda of=/home/knoppix/mbr_backup bs=512 count=1

Change /dev/hda to match the drive you wish to back up. In your home directory, you should now see a 512-byte file called mbr_backup.

The dd command is used to create images of entire hard drives [Hack #48], and in this case, a similar command is used; however, it contains two new options: bs and count. The bs (byte size) option tells dd to input and output 512 bytes at a time, and the count option tells dd to do this only once. The result of the command is that the first 512 bytes of the drive (the MBR) are copied into the file. If for some reason you only want to back up the boot sector (although it’s wise to always back up the partition table as well), replace 512 with 446. Now that you have backed up the MBR, copy it to a safe location, such as another computer or a CD-ROM.

The full 512-byte copy of the MBR contains the partition table, so it gets out of sync whenever you change partitions on your drive. If you back up the full MBR, be sure to update your backup whenever you make partition changes.

6.4.2 Kill the MBR

Now that you know how to back up, you should know how to totally destroy the MBR. To do this, simply use the same command you use to back up an MBR, but replace the input file with /dev/zero and the output file with the drive, overwriting each byte of the MBR with zero. If you only want to blank your boot code, type:

knoppix@ttyp0[knoppix]$ sudo dd if=/dev/zero of=/dev/hda bs=446 count=1

To clear the complete MBR, including the partition table, type:

knoppix@ttyp0[knoppix]$ sudo dd if=/dev/zero of=/dev/hda bs=512 count=1

While blanking the partition table in effect prevents you from accessing files on the drive, it isn’t a replacement for proper wiping of the complete drive, because the files are still potentially retrievable from the drive. Even the partition table itself is recoverable with the right tools [Hack #55].

6.4.3 Resurrect the MBR

If you deleted your boot sector in the last section, you probably want to restore it now. To do this, copy the backup you made earlier to your home directory in Knoppix and run:

knoppix@ttyp0[knoppix]$ sudo dd if=/home/knoppix/mbr_backup of=/dev/hda bs=446 count=1

Because of the bs=446 element, this command only restores the boot code in the MBR. I purposely left out the last 66 bytes of the file so the partition table would not be overwritten (just in case you have repartitioned or changed any partition sizes since your last MBR backup). If you have accidentally corrupted or deleted your partition table, restore the full 512 bytes to the MBR with:

knoppix@ttyp0[knoppix]$ sudo dd if=mbr_backup of=/dev/hda bs=512 count=1
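Before choosing between the bs=446 and bs=512 restore, it helps to confirm that the backup file is a valid MBR and whether its partition table still matches the one on the disk. The following is an added example, not code from the original text; the function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR, BOOT_CODE_LEN, TABLE_END = 512, 446, 510
SIGNATURE = b"\x55\xaa"            # final 2 bytes of a valid MBR

def parse_mbr(sector):
    """Return the used partition entries of a 512-byte MBR image."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[TABLE_END:] != SIGNATURE:
        raise ValueError("no 0x55AA signature: not a usable MBR")
    parts = []
    for slot in range(4):          # four 16-byte entries = 64 bytes
        off = BOOT_CODE_LEN + 16 * slot
        entry = sector[off:off + 16]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:          # type 0x00 marks an unused slot
            parts.append({"slot": slot + 1, "bootable": entry[0] == 0x80,
                          "type": entry[4], "start_lba": start_lba,
                          "sectors": count})
    return parts

def restore_advice(backup, current):
    """Pick the dd block size for the restore, as discussed in the text."""
    parse_mbr(backup)              # refuse to restore from a bad backup
    table = slice(BOOT_CODE_LEN, TABLE_END)
    if not any(current[table]):
        return "bs=512"            # table on disk is blank: restore it too
    if current[table] == backup[table]:
        return "either"            # tables agree, both restores are safe
    return "bs=446"                # disk repartitioned since the backup

def make_mbr(entries, boot=b"\x90"):
    """Build a constructed sample MBR from (type, start_lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if i == 0 else 0, t, s, n)
                     for i, (t, s, n) in enumerate(entries))
    return boot * BOOT_CODE_LEN + table.ljust(64, b"\0") + SIGNATURE

# Constructed sample data, not taken from a real disk.
BACKUP = make_mbr([(0x83, 63, 204800), (0x82, 204863, 65536)])
REPARTITIONED = make_mbr([(0x83, 63, 409600)], boot=b"\0")
ZEROED = bytes(SECTOR)

if __name__ == "__main__":
    for part in parse_mbr(BACKUP):
        print(part)
    print(restore_advice(BACKUP, REPARTITIONED), restore_advice(BACKUP, ZEROED))
```

To use it on real data, read the backup file and the first 512 bytes of the drive in binary mode and pass both to restore_advice.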

6.4.4 How Do I fdisk/mbr?

Knoppix also provides a useful tool called install-mbr that allows you to manipulate the MBR in many ways. The most useful feature of this tool is that it can install a “default” master boot record on a drive, which is useful if you want to remove lilo or grub completely from the MBR so Windows can boot by itself, or so you can install Windows to a hard drive that previously used Linux. The results are the same as if you were to type fdisk /mbr in DOS. To remove the traces of lilo or grub from your MBR, run:

knoppix@ttyp0[knoppix]$ sudo install-mbr /dev/hda

Replace /dev/hda with your drive.

6.4.5 See Also

The install-mbr manpage, available by typing man install-mbr in a console.

Find Lost Partitions (from Knoppix Hacks)

Tuesday, January 23rd, 2007

If you have ever made a typo when deleting or restoring the MBR, you probably also have trashed your partition table. Use gpart, included on the Knoppix disc, to restore lost partition tables.

OK, so you had a little too much fun with the previous hack, ignored the warnings, accidentally typed 512 when you should have typed 446, and now your partition table is gone. Or maybe you accidentally ran fdisk on the wrong drive. No problem. Just restore from the backup you made before you started. You did back up your MBR, right? Don’t worry; it happens to the best of us. The last time I trashed my partition table, I was trying to update grub on my laptop using dd. Like an idiot, I followed the instructions to create a grub boot floppy and applied them to install grub on my laptop’s hard drive. Overwriting the first 512 bytes of a floppy with the grub boot sector is fine; overwriting the first 512 bytes of my hard drive is not. I was unable to boot and had no partition table. For many people, this might have been the time to reinstall, but I knew the files and partitions were there—I just couldn’t get to them. If only I had a tool to figure out where the partitions began and ended, I could then recreate my partition table and everything would be back to normal.

Lucky for me, there is such a tool: gpart (short for “guess partition”). Gpart scans a hard drive for signs of a partition’s start by comparing a list of filesystem-recognition modules it has with the sectors it is scanning, and then creates a partition table based on these guesses. Doubly lucky for me, gpart comes included with Knoppix, so I was able to restore my laptop’s MBR without having to take apart the laptop and hook the drive to a desktop machine. I ran gpart, checked over its guesses, which matched my drive, and voila! My partitions were back.
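The signature scan described above can be illustrated with a single recognizer. This is an added example, not gpart's code and not from the original text: it walks a constructed in-memory disk image sector by sector, looks for the ext2 superblock magic, and derives each guessed partition's start and length. The function names and the sample image are assumptions.

```python
import struct

SECTOR = 512
SB_OFFSET = 1024       # ext2 superblock sits 1024 bytes into the filesystem
EXT2_MAGIC = 0xEF53    # s_magic, 56 bytes into the superblock

def guess_ext2_partitions(image):
    """Return (start_lba, sectors) for every plausible ext2 start in image."""
    guesses, lba, total = [], 0, len(image) // SECTOR
    while lba < total:
        sb = lba * SECTOR + SB_OFFSET
        if sb + 58 <= len(image):
            blocks, = struct.unpack_from("<I", image, sb + 4)    # s_blocks_count
            log_bs, = struct.unpack_from("<I", image, sb + 24)   # s_log_block_size
            magic, = struct.unpack_from("<H", image, sb + 56)
            # The magic alone is weak evidence; require sane size fields too.
            if magic == EXT2_MAGIC and blocks and log_bs <= 6:
                size = blocks * (1024 << log_bs) // SECTOR
                guesses.append((lba, size))
                lba += size    # skip the filesystem body and its backup superblocks
                continue
        lba += 1
    return guesses

def ext2_stub(blocks, log_bs):
    """Constructed stand-in for a filesystem: zeros plus three superblock fields."""
    fs = bytearray(blocks * (1024 << log_bs))
    struct.pack_into("<I", fs, SB_OFFSET + 4, blocks)
    struct.pack_into("<I", fs, SB_OFFSET + 24, log_bs)
    struct.pack_into("<H", fs, SB_OFFSET + 56, EXT2_MAGIC)
    return bytes(fs)

def sample_image():
    """Constructed disk: 63 blank sectors, then two ext2 stubs back to back."""
    gap = bytearray(63 * SECTOR)
    # Decoy: stray magic bytes with a zero block count must not produce a guess.
    struct.pack_into("<H", gap, 10 * SECTOR + SB_OFFSET + 56, EXT2_MAGIC)
    return bytes(gap) + ext2_stub(100, 0) + ext2_stub(50, 2)

if __name__ == "__main__":
    for start, size in guess_ext2_partitions(sample_image()):
        print(f"possible ext2 partition: start LBA {start}, {size} sectors")
```

The guessed length comes entirely from fields inside the filesystem, which is one reason guesses need to be reviewed before anything is written to disk.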

Gpart is an incredibly useful tool, and I am grateful for it; however, it does have its limitations. Gpart works best when you are restoring a partition table of primary partitions. In the case of extended partitions, gpart tries its best to recover the partition information, but there is less of a chance of recovery.

To recover your partition table, run gpart, and then tell it to scan your drive:

knoppix@ttyp0[knoppix]$ sudo gpart /dev/hda

By default, gpart only scans the drive and outputs results; it does not actually write to the drive or overwrite your MBR. This is important because gpart may not correctly guess all of your partitions, so you should check its guesses before you actually write them to disk.

Gpart scans through the hard drive and outputs possible partition tables as it finds them. When it is finished scanning the drive, gpart outputs a complete list of partition tables it has found. Read through this list of partitions and make sure that it reflects the partitions you have created on the disk. It might be that gpart can recover only some of the partitions on the drive. Once you have reviewed the partitions that gpart has guessed, run gpart again but with the -W option to write the guessed partition table to the disk:

knoppix@ttyp0[knoppix]$ sudo gpart -W /dev/hda /dev/hda

This isn’t a typo; you do actually put /dev/hda twice in the command. You can potentially tell gpart to write the partition table to a second drive, based on what it detected on the first drive. Once the partition table has been written, reboot and attempt to access the drives again. If you get errors when mounting the drives, check the partitioning within Knoppix with a tool like fdisk, cfdisk, or qtparted to see whether gpart has incorrectly guessed where your partition ends. I’ve had to modify a partition that gpart ended 4 MB too early, but afterwards, the filesystem mounted correctly, and I was able to access all of my files.

It is scary to be in a position where you must think about partition-table recovery. At least with Knoppix and gpart, it’s possible to recover the partition table without completely reinstalling the operating system.