A friend has seen his FAT partition in his USB key become unmountable. Here's how I recovered it.
Analysis:
-
Make a dump:
dd if=/dev/sdb1 of=partition.img
-
Have a look. I like
mcfor this, as it has a nice hex viewer and editor (F3to view, thenF4for hex view;F2would then allow hex edit, if needed). -
Turns out that the initial part of the partition has been completely overwritten by
0xffbytes. After some point (around block 224), the0xffbytes end and there seems to be a FAT structure (easy to identify because it contains sequences of increasing 16bit values).
It seems that the damage is only limited to filesystem structures. I should be able to recover most data by regenerating the filesystem data and hoping that at least the second FAT is still intact.
Solution:
# Make a copy of the partition cp partition.img partition1.img # Reformat it: that gives us the bits of filesystem structures we need mkdosfs partition1.img # Graft together the two parts dd if=partition1.img of=partition2.img count=224 dd if=partition.img of=partition2.img seek=224 skip=224 # Tidy up the result, telling dosfsck to use the 2nd FAT. dosfsck -rw partition2.img # Mount and check what's available mount -o loop,ro partition2.img /mnt
Yo! Everything was there again.
When I teach about standard Unix commands, it takes a while for people to realise all the powerful things you can easily do with them.