A friend has seen his FAT partition in his USB key become unmountable. Here's how I recovered it.
Analysis:
-
Make a dump:
dd if=/dev/sdb1 of=partition.img
-
Have a look. I like
mcfor this, as it has a nice hex viewer and editor (F3to view, thenF4for hex view;F2would then allow hex edit, if needed). -
Turns out that the initial part of the partition has been completely overwritten by
0xffbytes. After some point (around block 224), the0xffbytes end and there seems to be a FAT structure (easy to identify because it contains sequences of increasing 16bit values).
It seems that the damage is only limited to filesystem structures. I should be able to recover most data by regenerating the filesystem data and hoping that at least the second FAT is still intact.
Solution:
# Make a copy of the partition
cp partition.img partition1.img
# Reformat it: that gives us the bits of filesystem structures we need
mkdosfs partition1.img
# Graft together the two parts
dd if=partition1.img of=partition2.img count=224
dd if=partition.img of=partition2.img seek=224 skip=224
# Tidy up the result, telling dosfsck to use the 2nd FAT.
dosfsck -rw partition2.img
# Mount and check what's available
mount -o loop,ro partition2.img /mnt
Yo! Everything was there again.
When I teach about standard Unix commands, it takes a while for people to realise all the powerful things you can easily do with them.