FAQ SearchLogin
Tuxera Home
View unanswered posts | View active topics It is currently Wed Nov 25, 2020 10:05



Post new topic Reply to topic  [ 7 posts ] 
GPT 2TB automagic ntfsresize $MFTMirr 
Author Message

Joined: Wed Oct 10, 2012 13:34
Posts: 15
Post GPT 2TB automagic ntfsresize $MFTMirr
So... biting the apple and just checking if this could have something to do with a 2 TB disk.

Scenario: gpt disk with a 170 GB partition , ntfs, which also had 32ish gb unused space after.

10 gb free, and I think, ya let's expand.

1. gdisk /dev/sdc

del partition, new, to the new boundary, fine.

silly me, no bother doing any -n options nothing.. :
sudo ntfsresize /dev/sdc2 (mixed up with usual resize , thinking it would automatically expand).

error, no change in cluster, sector size.. ah ok...

Seems to be something stale .. so I reboot.

Log in, and try again, error: is mounted.. and HERE I made my mistake... it was already mounted and with the new size...hehe

But I was in a rush, thinking oh.. ye. clicked unmount and ran ntfsresize -x, or so... are you sure.. (hell ye)

and from then on, it corrupted the $MftMirr.. output on any ntfsfix,ntfsck,ntfswhatever:
Failed to open inode $MFTMirr: No such file or directory
Failed to load $MFTMirr: No such file or directory

I removed windows eons ago.. have only an efi winpe embedded into the EFI part, so using that, chkdsk foobars but does recognise it is NTFS at least.

Have a feeling $MFT is fine.. so should be able to dump $MFT? then locate the inode for $MFTMirr? and whack on 4 records.. or?
(cluster size standard 4k, sector size standard 512b).

I had no personal important files, but in my rush , I forgot I had 100 GB of virtual machines on there.. which ye... is a nightmare to rebuild sigh, so have to make sure I can recover after all.

I just happened to see an old entry on some 'forensic tool' which could dump the $MFTMirr and saw some comments on it failing on large 2TB disks, so now I feel unsure if that could be the case.

Can add testdisk calls the MFT foul, as expected.


Sun Jan 19, 2014 17:01
Profile

Joined: Wed Oct 10, 2012 13:34
Posts: 15
Post Re: GPT 2TB automagic ntfsresize $MFTMirr
oops, can't edit.. I didn't think either way, even if it had been resized... that running it would do anything, which is why as well, I just went ahead. I can find the $MFT, and know other tools can fix $MFT possibly? (GetDataBack?)... and have a tool lying around from some other time to get files back but the annoyance is they are all in random names/locations and all that mess.




by the way.. from
git://linux-ntfs.git.sourceforge.net/gi ... ntfsmaster

ntfsfix.c <- seems in git there is some code which attempts handling these things... I can't find those options in my ntfsprogs (even if I am a bleeding edge user on arch)... Would there be some relevant code for me in the git repo? ..



/**
* fix_mftmirr
*/
static int fix_mftmirr(ntfs_volume *vol)
{
s64 l, br;
unsigned char *m, *m2;
int i, ret = -1; /* failure */
BOOL done;

ntfs_log_info("\nProcessing $MFT and $MFTMirr...\n");

/* Load data from $MFT and $MFTMirr and compare the contents. */
m = (u8*)malloc(vol->mftmirr_size << vol->mft_record_size_bits);
if (!m) {
ntfs_log_perror("Failed to allocate memory");
return -1;
}
m2 = (u8*)malloc(vol->mftmirr_size << vol->mft_record_size_bits);
if (!m2) {
ntfs_log_perror("Failed to allocate memory");
free(m);
return -1;
}

ntfs_log_info("Reading $MFT... ");
l = ntfs_attr_mst_pread(vol->mft_na, 0, vol->mftmirr_size,
vol->mft_record_size, m);
if (l != vol->mftmirr_size) {
ntfs_log_info(FAILED);
if (l != -1)
errno = EIO;
ntfs_log_perror("Failed to read $MFT");
goto error_exit;
}
ntfs_log_info(OK);

ntfs_log_info("Reading $MFTMirr... ");
l = ntfs_attr_mst_pread(vol->mftmirr_na, 0, vol->mftmirr_size,
vol->mft_record_size, m2);
if (l != vol->mftmirr_size) {
ntfs_log_info(FAILED);
if (l != -1)
errno = EIO;
ntfs_log_perror("Failed to read $MFTMirr");
goto error_exit;
}
ntfs_log_info(OK);

/*
* FIXME: Need to actually check the $MFTMirr for being real. Otherwise
* we might corrupt the partition if someone is experimenting with
* software RAID and the $MFTMirr is not actually in the position we
* expect it to be... )-:
* FIXME: We should emit a warning it $MFTMirr is damaged and ask
* user whether to recreate it from $MFT or whether to abort. - The
* warning needs to include the danger of software RAID arrays.
* Maybe we should go as far as to detect whether we are running on a
* MD disk and if yes then bomb out right at the start of the program?
*/

ntfs_log_info("Comparing $MFTMirr to $MFT... ");
done = FALSE;
for (i = 0; i < vol->mftmirr_size; ++i) {
MFT_RECORD *mrec, *mrec2;
const char *ESTR[12] = { "$MFT", "$MFTMirr", "$LogFile",
"$Volume", "$AttrDef", "root directory", "$Bitmap",
"$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend" };
const char *s;
BOOL use_mirr;

if (i < 12)
s = ESTR[i];
else if (i < 16)
s = "system file";
else
s = "mft record";

use_mirr = FALSE;
mrec = (MFT_RECORD*)(m + i * vol->mft_record_size);
if (mrec->flags & MFT_RECORD_IN_USE) {
if (ntfs_is_baad_record(mrec->magic)) {
ntfs_log_info(FAILED);
ntfs_log_error("$MFT error: Incomplete multi "
"sector transfer detected in "
"%s.\nCannot handle this yet. "
")-:\n", s);
goto error_exit;
}
if (!ntfs_is_mft_record(mrec->magic)) {
ntfs_log_info(FAILED);
ntfs_log_error("$MFT error: Invalid mft "
"record for %s.\nCannot "
"handle this yet. )-:\n", s);
goto error_exit;
}
}
mrec2 = (MFT_RECORD*)(m2 + i * vol->mft_record_size);
if (mrec2->flags & MFT_RECORD_IN_USE) {
if (ntfs_is_baad_record(mrec2->magic)) {
ntfs_log_info(FAILED);
ntfs_log_error("$MFTMirr error: Incomplete "
"multi sector transfer "
"detected in %s.\n", s);
goto error_exit;
}
if (!ntfs_is_mft_record(mrec2->magic)) {
ntfs_log_info(FAILED);
ntfs_log_error("$MFTMirr error: Invalid mft "
"record for %s.\n", s);
goto error_exit;
}
/* $MFT is corrupt but $MFTMirr is ok, use $MFTMirr. */
if (!(mrec->flags & MFT_RECORD_IN_USE) &&
!ntfs_is_mft_record(mrec->magic))
use_mirr = TRUE;
}
if (memcmp(mrec, mrec2, ntfs_mft_record_get_data_size(mrec))) {
if (!done) {
done = TRUE;
ntfs_log_info(FAILED);
}
ntfs_log_info("Correcting differences in $MFT%s "
"record %d...", use_mirr ? "" : "Mirr",
i);
br = ntfs_mft_record_write(vol, i,
use_mirr ? mrec2 : mrec);
if (br) {
ntfs_log_info(FAILED);
ntfs_log_perror("Error correcting $MFT%s",
use_mirr ? "" : "Mirr");
goto error_exit;
}
ntfs_log_info(OK);
}
}
if (!done)
ntfs_log_info(OK);
ntfs_log_info("Processing of $MFT and $MFTMirr completed "
"successfully.\n");
ret = 0;
error_exit:
free(m);
free(m2);
return ret;
}


Sun Jan 19, 2014 17:20
Profile

Joined: Wed Oct 10, 2012 13:34
Posts: 15
Post Re: GPT 2TB automagic ntfsresize $MFTMirr
Ok.. so no.. git didn't prove anything extra in particulaire...

so doing some lame hacking: deleted the partition and made it soemwhere along the old size (so now the ntfs fs will be too large):

Trying the alternate boot sector
$MFT LCN (1612) or $MFTMirr LCN (45056002) is greater than the number of clusters (44826623).
Unrecoverable error
Volume is corrupt. You should run chkdsk.

so above, LCN is cluster location? so in sectors: 360448016 ?

lets dd and check around?

dd if=/dev/sdc2 skip=360448016 | hexdump -C | less


000000f0 04 03 24 00 4d 00 46 00 54 00 00 00 00 00 00 00 |..$.M.F.T.......|
00000100 80 00 00 00 58 00 00 00 01 00 40 00 00 00 06 00 |....X.....@.....|

Also...
dd if=/dev/sdc2 skip=62 | hexdump -C | less

006444f0 04 03 24 00 4d 00 46 00 54 00 00 00 00 00 00 00 |..$.M.F.T.......|

so.. I am pretty noobish at this... any advice on how I might either
A) update the inode location of the $MFTMirr,
B) rebuild the $MFTMirr from the $MFT,
C) both of above, or
D) something else?

:)


Sun Jan 19, 2014 18:06
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: GPT 2TB automagic ntfsresize $MFTMirr
Hi,
Quote:
so above, LCN is cluster location? so in sectors: 360448016 ?

Yes.
Quote:
dd if=/dev/sdc2 skip=62 | hexdump -C | less

Where did you get this number 62 from ? This is an impossible value (not a multiple of 8 - hence not cluster aligned). In the error message, the cluster 1612 (sector 12896) is mentioned, this might be correct, though it is an unusual value (the usual clusters for the MFT are 786432 and 4).
Quote:
A) update the inode location of the $MFTMirr,

Too difficult, the value is mentioned at several locations.
Quote:
B) rebuild the $MFTMirr from the $MFT,

It would still be ignored while it is outside the file system.
Quote:
C) both of above, or

You have to do A) for that.
Quote:
D) something else?

Well, you were able to dump the cluster 45056002, so it must be located within the currently defined partition, and I would try to make the file system big enough to hold the MFTMirr. The file system size is located in the first sector, at offset 0x38 (8 bytes). First check the current value is a few sectors above 44826623*8 = 358612984 or 0x155ffff8 (you will probably get 0x15600000), and replace the value by at least (45056002+8)*8 or 0x157c0050, which I would round up to 0x15800000 provided the partition is big enough.

If you still have a MFT vs MFTMirr mismatch, try a recent version of ntfsfix. Better use option -n to assess the chances you get through. In this kind of situation, things easily get worse after each unsuccessful try....

Good luck

Regards

Jean-Pierre


Sun Jan 19, 2014 20:29
Profile

Joined: Wed Oct 10, 2012 13:34
Posts: 15
Post Re: GPT 2TB automagic ntfsresize $MFTMirr
Heya.. ok , I will look into the option of the filesize entry.

In the meantime, I did all kinds of rebuild of boot sector, the $MFTMirr got reset to 2 hehe and so on.

I managed to use getdataback to finally find one entry, which was not reocmmended but had the current files, but recovery is so slow, I just want to throw eggs off a wall and see if I can get them to bounce back at me.

The partition should be large enough to hold all resizings so will try that before the long trip home.

ntfsfix and the other tools no matter what I do just exit instantly with the $MFTMirr error thrown.

Thanks for input. I'll try the fs thing and if that fails, nvm.. it's the long way round.


Mon Jan 20, 2014 11:58
Profile

Joined: Wed Oct 10, 2012 13:34
Posts: 15
Post Re: GPT 2TB automagic ntfsresize $MFTMirr
Hi again Jean Pierre.

Ok, so double checking the ntfs structure... 0x38 seems to be the cluster location of MFT mirror it seems.

0x28 however, is the sector fs size, right?

At least it seems sane on my dump.

So... another question from a noob. I don't know if I added it to posts above (can't see now when I am writing this),

but here is the current structure (from gdisk, gtp, 2 tb):
2 6965248 428853247 201.2 GiB 0700 Microsoft basic data

fs size is reported by testdisk as 421888000 and one less in ntfs (I read that ntfs doesn't count the last backup sector in it).

Calculating, it seems the fs might be 1 sector to large for partition, although I doubt it (probably more due to the thing I just mentioned).

However, I also purposefully yesterday shrunk the partition again to get some debug info hopefully. Anyway, with a lot of stuff, I overwrote the original MFTMirror location with a backup through testdisk :p now it is in cluster 2 I think..

So here are two silly questions:

A) I have this from testdisk:

filesystem size 421888000 360448024
sectors_per_cluster 8 8
mft_lcn 1612 1612
mftmirr_lcn 2 45056002
clusters_per_mft_record -10 -10
clusters_per_index_record 1 1
Extrapolated boot sector and current boot sector are different.

set sector count to 414922752 instead of 421887999

Since I havent written any new files, could I literally try and set this value to either first 414922752 , or 360448024 and try run ntfsfix or so?

B) Editing 0x28: 8 bytes... in ghex (first time ever), I notice the correct value is only present when flipping little/big endian... Erm... the computer itself will automatically read the byte order correctly, right?

Just wondering.. unfortunately I kept overwriting, resizing, rebuilding boot sectors yet and so on, but if I slap fown original size or just make the ntfs volume smaller than partition it should be ok (as long as MFTmirr is onboard?)

Malina


Mon Jan 20, 2014 14:50
Profile

Joined: Wed Oct 10, 2012 13:34
Posts: 15
Post Re: GPT 2TB automagic ntfsresize $MFTMirr
just adding... I got the vms off through the other prog so all good.

I will keep playing a lil bit to test if I can recover from this, but at least now it can be formatted and used as a proper linux fs :)

thanks... I learned a lot about the little endian and all that.. changing stuff didn't help so far btw, but I didn't get a chance to try editing to what looks like original values before resizing anything.

:roll:


Mon Jan 20, 2014 21:32
Profile
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Original forum style by Vjacheslav Trushkin.