d8apzl

need to recover mbr on ST950032 5AS seagate from HP HDX w/ Vista 32-bi

47 posts in this topic

Hi, I'm trying to fix my cousins gf laptop. She needs to get at the data and back it up.

I don't know how it originally occurred, but the laptop can get pretty hot, maybe an abrupt shutdown from overheating caused the original error.

Boots directly to the error:

"A Disk Read Error Occurred Press Ctrl-Alt-Del to Reboot"

I tried the Vista DVD, repair, Bootrec.exe to no avail.

Also numerous partition recovery sw w/o success.

I figured I tried the rest and now I'll try the best, you folks at msfn.

The file system is currently in the RAW state.

As far as I know I did not completely delete or format the partition w/ the Vista OS from using any tools. (diskpart, trial versions of recovery sw, acronis, etc.) The OS should still exist on the drive.

This is what I would like to find out and potentially overwrite/rewrite the MBR (to get Vista to function normally again).

I saw a post w/ jaclaz using tools like TESTDISK to help solve the issue but I do not want to further complicate the matter if I happen to make an unreversible change. Can you help diagnose and recover the Vista OS Boot Record? Please let me know of any information I can provide to help w/ this problem/resolution.

Thank you kindly in advance. :)

Edited by d8apzl
0

Share this post


Link to post
Share on other sites

I saw a post w/ jaclaz using tools like TESTDISK to help solve the issue but I do not want to further complicate the matter if I happen to make an unreversible change. Can you help diagnose and recover the Vista OS Boot Record? Please let me know of any information I can provide to help w/ this problem/resolution.

Before test disk, it would be interesting to understand what actually is on the disk.

What are you running (I mean which os on which machine) to access that disk?

Best would be a "plainer" OS, like XP, and use Hdhacker:

http://dimio.altervista.org/eng/index.html

and use it to save as files:

  1. First sector of Physicaldrive
  2. First sector of LogicalDrive

You are saying that you see a drive as RAW, this should mean that at least the Magic Bytes in the MBR are there and that *something* is mapped as a partition (otherwise you would have a prompt asking to "initialize the disk" and you would see NO volumes in Explorer).

Once you get the two sectors above, compress them to a .zip file and attach them to your next post.

jaclaz

0

Share this post


Link to post
Share on other sites

First off, I would just like to say you are THE Man jaclaz and thank you because I saw some other posts in which you helped folks recover their data/drives.

Attached is the zip containing the .dat results from hdhacker.

I used XP 32-bit w/ hdhacker

Edited by d8apzl
0

Share this post


Link to post
Share on other sites

hmm, thought I attached the zip to the previous post.. here it is.

0

Share this post


Link to post
Share on other sites

Attached is the zip containing the .dat results from hdhacker.

I used XP 32-bit w/ hdhacker

Good. :)

There are THREE (separate) issues

  1. the (only one, NTFS ID) partition in the MBR partition table is NOT active <-trivial to solve :)
  2. the partition has data #0 07 00 0 32 33 1023 254 63 2048 3907024896 (which means that it is an almost 2 Tb partition) :w00t:
  3. the bootsector (VBR) is strange: the WHOLE BPB has been wiped out with a a B7 02 + a number of 00's (82 of them) <. I wonder what could have caused this, any possibility of a Virus? :unsure: )

Let's leave #1 alone for the moment (as it is a non-problem).

Important question:

How big is the actual hard disk?

Explanation:

the data in the MBR is seemingly senseless, the data in the VBR is non-existing, if we know what is the total size of the hard disk we should be able to find "quickly" the second (or backup) copy of the VBR.

In this case TESTDISK is of little use as it has only "wrong" or "missing" information to work with, I prefere to chack for that sector manually.

Additionally:

How familiar are you with a hex/disk editor?

Get TinyHexer (and possibly my scripts for it, so that you will be able to "view" the same things I do)

http://reboot.pro/8734/

Can you find another disk bigger than this one so that you can make a DD-like copy of the disk (better be safe than sorry) before starting fiddling with the failed disk?

jaclaz

0

Share this post


Link to post
Share on other sites

The failing drive is 500GB, there possibly could've been a virus, but I cannot say for sure.

not very familiar with hex but I can hack it.

Luckily I have a 750GB :D I never opened. It better not be DOA. :unsure:

What can I use to duplicate the drive?

Technically, I have 908GB free on my XP drive, can I make an image of the 500GB drive using some tool(s)? Ghost?

DL'd:

  • tinyhex 1.8.1.6 (installed on the XP)
  • BSview.zip
  • MBRview.zip
  • PTview.zip

Edited by d8apzl
0

Share this post


Link to post
Share on other sites

Sure :), as long as the disk is around 500 Gb, a dd-like image will take 500 Gb.

Since I presume that the disk is fully functional, you can do a single image, in any case I recommend using this app:

http://reboot.pro/7783/

so that in case of *need* :ph34r: you can use it to do a set of "separate images", as in here:

http://reboot.pro/15040/#entry133567

Try with imaging the whole disk drive, and if you have issues, you can adopt "plan B" ;).

Open the files you posted in tinyhexer (after having added to it's installation the structure viewer scripts).

Try looking at the MBR (first sector of Physicaldrive) with both MBRview and PTview.

Try looking at the VBR (first sector of LogicalDrive) with BSview (you will see something a lot like "a suffusion of yellow" :w00t:) and with the built-in "NTFS boot structure" (you will see a number of 0 values)

jaclaz

0

Share this post


Link to post
Share on other sites

Not sure if this information helps but, on the failing disk I have a drive letter that shows up "System Reserved" 70MB free of 99.9MB, it could be windows PE when I tried bootrec before.

Looks like ddrd found errors but it's slowly still in progress and continues to find errors of the same type.

Running this with admin rights. Should I be running this on the XP? I'm using W7.

see attached png.

Edited by d8apzl
0

Share this post


Link to post
Share on other sites

Not sure if this information helps but, on the failing disk I have a drive letter that shows up "System Reserved" 70MB free of 99.9MB, it could be windows PE when I tried bootrec.

NO. (meaning not that it doesn't help, meaning that I do not believe you :w00t:)

There is no corresponding entry in the partition table of the MBR, so that thingy must be a "leftover" of some kind, or it belongs to ANOTHER disk, that looks a lot like the Windows 7 "default install on new media" partition, nothing to do with the XP you are running and the Vista :ph34r: that should have been on the failed disk.

Looks like ddrd found errors but it's slowly still in progress and continues to find errors of the same type.

see attached png.

Let's see how it evolves :unsure:

jaclaz

0

Share this post


Link to post
Share on other sites

I swear, I'm not kidding you.

Please see the pngs.

I will let ddrd continue.

0

Share this post


Link to post
Share on other sites

I swear, I'm not kidding you.

Please see the pngs.

Yep :), but that is diskpart on disk 4.

You are seemingly using ddrescue on disk 5

The difference between 4 and 5 is ALMOST as important as the one between 5 and 6

motivational-poster-%20(1368).jpg

unless diskpart and ddrescue use a different numbering scheme which - from memory - I doubt, but in any case you should always test two different items with the SAME tool, to see differences, or the SAME item with two different tools, as is, it seems to me like you are comparing diferent items with different tools....

EDIT:

Are you positive that the MBR you posted was from the actual disk in question?

and is it disk 4 or disk 5 (or what)?

jaclaz

Edited by jaclaz
0

Share this post


Link to post
Share on other sites

unless diskpart and ddrescue use a different numbering scheme which - from memory - I doubt, but in any case you should always test two different items with the SAME tool, to see differences, or the SAME item with two different tools, as is, it seems to me like you are comparing diferent items with different tools....

It must be a different schema because I only have one 500GB drive connected. Maybe diskpart starts from disk 0

ddrd was still reading errors and stopped erroring about 10 minutes ago, but the 750GB has more than 17GB written so far.

Edited by d8apzl
0

Share this post


Link to post
Share on other sites

EDIT:

Are you positive that the MBR you posted was from the actual disk in question?

and is it disk 4 or disk 5 (or what)?

Yes, the MBR was posted from the disk in question. 500GB using hdhacker on WinXP.

I started the ddrd w/ the 500GB & 750GB on a W7 system because I thought it would be faster using USB 3.0

It looks like ddrd picked it up as Drive 5, but diskpart picked it up as Disk 4.

p.s. nice spoiler :yes:

Edited by d8apzl
0

Share this post


Link to post
Share on other sites

It looks like ddrd picked it up as Drive 5, but diskpart picked it up as Disk 4.

Again, NO.

The MBR you posted DOES NOT contain info about two partitions, one around 100 Mb and one around 465 Mb, the one you posted, that I have NO WAY to verify it belongs to the "problematic" disk, has a SINGLE partition, evidently with a wrong size (around 2 Tb) OR it is the MBR of ANOTHER DISK!

I cannot say if the disk that ddrescue is imaging is the SAME disk that you accessed first with diskpart and then with disk management, what I can tell you is that these latter tools BOTH show a VALID partition table WHILST the MBR you posted did not.

You have right now:

  • too many OS's (XP and 7)
  • too many disks (seemingly 8 of them)
  • and you are using too many different tools (possibly under the two different OS's)

this is likely to create confusion :ph34r: .

Let's do it like this :unsure::

  1. STOP whatever you are doing. (of course let datarescuedd finish the image)
  2. use ONLY the XP (and NOT the Windows 7)
  3. run again Hdhacker to save the MBR (first sector of PhysicalDrive) of the disk that you think is the failed one, save it like MBR_disk_n.hdh
  4. run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
  5. run tiny hexer, use the file->disk->open drive to open the disk that you think is the failed one (it will auto-set to load one sector at the time and will open on the first sector) choose File-> Save as and save it like MBR_disk_n.thx
  6. compress the three resulting files into a zip and post it as attachment. (if the three files are not IDENTICAL there is an issue of some kind)

jaclaz

Edited by jaclaz
0

Share this post


Link to post
Share on other sites

The MBR you posted DOES NOT contain info about two partitions, one around 100 Mb and one around 465 Mb, the one you posted, that I have NO WAY to verify it belongs to the "problematic" disk, has a SINGLE partition, evidently with a wrong size (around 2 Tb) OR it is the MBR of ANOTHER DISK!

Ok, you are right on this. I do have a 2TB on the XP. hdhacker may have saved the results from the 2TB not the failing 500GB. I was sure I selected the 500GB but I may have made a mistake.

Let's do it like this :unsure::

  1. STOP whatever you are doing. (of course let datarescuedd finish the image)
  2. use ONLY the XP (and NOT the Windows 7)
  3. run again Hdhacker to save the MBR (first sector of PhysicalDrive) of the disk that you think is the failed one, save it like MBR_disk_n.hdh
  4. run ddrescue on the disk that you think is the failed one, saving only 1 sector (lower fields Start=0, Size=1, End=1) to file image[0-512].dd
  5. run tiny hexer, use the file->disk->open drive to open the disk that you think is the failed one (it will auto-set to load one sector at the time and will open on the first sector) choose File-> Save as and save it like MBR_disk_n.thx
  6. compress the three resulting files into a zip and post it as attachment. (if the three files are not IDENTICAL there is an issue of some kind)

Again you're right and sorry for the confusion. Thank you for being patient, as soon as the drdd finishes I will follow the steps you outlined and post back.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.