cugu / afro

File recovery for APFS

readme - tips for newbs / fyi - AttributeError: 'Node' object has no attribute 'root' #4

Closed johndpope closed 6 years ago

johndpope commented 6 years ago

I spent a day creating an image using dd, e.g.
dd if=/dev/sda of=/mnt/nfs/backup/harddrive.img
https://major.io/2010/12/14/mounting-a-raw-partition-file-made-with-dd-or-dd_rescue-in-linux/

I think it's important users check that the image is valid before hitting any snags with afro. I noticed the test folder has some complex building of images / managed to spit out this one / the tests reference a data folder which fails and no files are added, which is a pity. Otherwise flawless. It would be neat just to have a one-liner to create an image.

file image_2G_4.dmg
image_2G_4.dmg: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 4194303 sectors, extended partition table (last)

Running this command, file, will dump diagnostics of the image. Unfortunately for my cloned drive, it doesn't read this data.

Instead I hit this

 afro -e files parse /Volumes/4TB-WD/1tb-SAM.dmg

Traceback (most recent call last):
  File "/usr/local/bin/afro", line 11, in <module>
    load_entry_point('afro==0.1', 'console_scripts', 'afro')()
  File "/usr/local/lib/python3.6/site-packages/afro-0.1-py3.6.egg/afro/__init__.py", line 139, in main
  File "/usr/local/lib/python3.6/site-packages/afro-0.1-py3.6.egg/afro/__init__.py", line 72, in extract
  File "/usr/local/lib/python3.6/site-packages/afro-0.1-py3.6.egg/afro/parse.py", line 69, in parse
  File "/usr/local/lib/python3.6/site-packages/afro-0.1-py3.6.egg/afro/parse.py", line 52, in parse_nxsb
  File "/usr/local/lib/python3.6/site-packages/afro-0.1-py3.6.egg/afro/libapfs/low.py", line 11, in get_nxsb_objects
AttributeError: 'Node' object has no attribute 'root'

have to go back to drawing board. current status of my drive is ERROR -69808

reading the article above - it seems expert deleted partition then recreated it exactly. I'll need to look into this further.


diskutil ap list
APFS Containers (2 found)
|
+-- Container disk1 18635C24-A6E3-4EE4-914C-1477D9C821C8
|   ====================================================
|   APFS Container Reference:     disk1
|   Size (Capacity Ceiling):      249485074432 B (249.5 GB)
|   Minimum Size:                 236677918720 B (236.7 GB)
|   Capacity In Use By Volumes:   229208588288 B (229.2 GB) (91.9% used)
|   Capacity Not Allocated:       20276486144 B (20.3 GB) (8.1% free)
|   |
|   +-< Physical Store disk0s2 6F10FF5B-2195-4DF3-B545-FD2A8255CBB5
|   |   -----------------------------------------------------------
|   |   APFS Physical Store Disk:   disk0s2
|   |   Size:                       249485074432 B (249.5 GB)
|   |
|   +-> Volume disk1s1 4D6A5824-3A80-3C11-88CB-376C8B035BF6
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s1 (No specific role)
|   |   Name:                      Macintosh HD (Case-insensitive)
|   |   Mount Point:               /
|   |   Capacity Consumed:         226377547776 B (226.4 GB)
|   |   FileVault:                 Yes (Unlocked)
|   |
|   +-> Volume disk1s2 52836323-51FD-46D8-ABB5-B6FE206680F9
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s2 (Preboot)
|   |   Name:                      Preboot (Case-insensitive)
|   |   Mount Point:               Not Mounted
|   |   Capacity Consumed:         22970368 B (23.0 MB)
|   |   FileVault:                 No
|   |
|   +-> Volume disk1s3 F857EBE5-4C37-479D-8332-DD3529AFBB9B
|   |   ---------------------------------------------------
|   |   APFS Volume Disk (Role):   disk1s3 (Recovery)
|   |   Name:                      Recovery (Case-insensitive)
|   |   Mount Point:               Not Mounted
|   |   Capacity Consumed:         519090176 B (519.1 MB)
|   |   FileVault:                 No
|   |
|   +-> Volume disk1s4 29185EDF-C4B2-47DB-AF0B-141744407A0B
|       ---------------------------------------------------
|       APFS Volume Disk (Role):   disk1s4 (VM)
|       Name:                      VM (Case-insensitive)
|       Mount Point:               /private/var/vm
|       Capacity Consumed:         2150735872 B (2.2 GB)
|       FileVault:                 No
|
**+-- Container ERROR -69808
    ======================
    APFS Container Reference:     disk4
    Size (Capacity Ceiling):      ERROR -69620
    Capacity In Use By Volumes:   ERROR -69524
    Capacity Not Allocated:       ERROR -69524
    |
    +-< Physical Store disk3s2 B8843099-2B4F-4D1B-909A-DB5B1B516B9C
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk3s2
    |   Size:                       999666946048 B (999.7 GB)
    |
    +-> No Volumes**

sudo gpt -r show disk3
      start       size  index  contents
          0  244059313

incidentally - I'm using a cloned backup drive - so happy to run reckless commands to blow stuff up. looking into fdisk

diskutil verifyVolume disk3
Started file system verification on disk3
Verifying storage system
Performing fsck_apfs -n -x /dev/disk2s2
Checking volume
Checking the container superblock
Checking the EFI jumpstart record
Checking the space manager
error: (oid 0x8790) cib: invalid o_xid (0x63f69)
error: failed to read spaceman cib 0x8790
Space manager is invalid
The volume /dev/disk2s2 could not be verified completely
Storage system check exit code is 0
Finished file system verification on disk3

cugu commented 6 years ago

Did you extract the partition, like described in the README, #1 or #2 ?

johndpope commented 6 years ago

it's not extractable - I tried with mmcat / mmls but no joy.

I'm following this article on blowing partition table away - I think I will get there just need to triple check all the values / otherwise have to wait a day to reclone.

https://apple.stackexchange.com/questions/318082/how-can-i-fix-my-partition-table


sudo dd if=/dev/disk3 bs=512  count=1 | hexdump
Password:
1+0 records in
1+0 records out
512 bytes transferred in 5.933349 secs (86 bytes/sec)
0000000 77 ce 08 f8 09 93 e1 a5 01 00 00 00 00 00 00 00
0000010 f9 38 06 00 00 00 00 00 01 00 00 80 00 00 00 00
0000020 **4e 58 53 42** 00 10 00 00 b1 0c 8c 0e 00 00 00 00
0000030 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000040 02 00 00 00 00 00 00 00 a8 bc 54 98 84 a7 48 91
0000050 a4 6b c7 a1 91 1c f1 ba 0e 3f 37 00 00 00 00 00
0000060 fa 38 06 00 00 00 00 00 18 01 00 00 5c 6c 00 00
0000070 01 00 00 00 00 00 00 00 19 01 00 00 00 00 00 00
0000080 0e 00 00 00 57 56 00 00 0c 00 00 00 02 00 00 00
0000090 4f 56 00 00 08 00 00 00 00 04 00 00 00 00 00 00
00000a0 6f 8c 14 00 00 00 00 00 01 04 00 00 00 00 00 00
00000b0 00 00 00 00 64 00 00 00 02 04 00 00 00 00 00 00
00000c0 06 04 00 00 00 00 00 00 08 04 00 00 00 00 00 00
00000d0 a7 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*

4e 58 53 42: magic string of an APFS container
00 10 00 00: APFS block size: 4096
b1 0c 8c 0e - APFS container size in APFS blocks
flipping inverse -> 0e 8c 0c b1
http://manderc.com/concepts/umrechner/index.php // then pasting into hex
yields n = 244 059 313
times 8  //(8=4096/512)
= 1952474504 blocks

diskutil umountDisk disk3
sudo gpt remove  /dev/disk3 // this will blow partition away ???
sudo gpt add  -s 1952474504 -t B8843099-2B4F-4D1B-909A-DB5B1B516B9C /dev/disk3
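
Added example, not part of the original thread and not afro's own code: a check of sector 0 that tells a bare APFS container (the NXSB header dumped above) apart from a whole-disk image that still carries a partition table, and repeats the block-count-to-sector arithmetic from the comment. The helper names are hypothetical, the field offsets are read off the annotated hexdump, and both sample sectors are constructed.

```python
import struct

SECTOR = 512  # sector size used with dd and gpt in this thread

# Constructed sample: the first 0x30 bytes of the hexdump posted above,
# zero-padded to one sector.
NXSB_SECTOR = bytes.fromhex(
    "77ce08f80993e1a5" "0100000000000000"
    "f938060000000000" "0100008000000000"
    "4e58534200100000" "b10c8c0e00000000"
).ljust(SECTOR, b"\x00")

# Constructed sample: a protective MBR (type 0xEE entry plus 55 AA signature).
PROTECTIVE_MBR = bytearray(SECTOR)
PROTECTIVE_MBR[0x1C2] = 0xEE
PROTECTIVE_MBR[0x1FE:0x200] = b"\x55\xaa"
PROTECTIVE_MBR = bytes(PROTECTIVE_MBR)


def inspect_first_sector(sector):
    """Classify sector 0 of an image (hypothetical helper, not afro's API)."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    # Offsets as annotated in the thread: magic 0x20, block size 0x24, count 0x28.
    if sector[0x20:0x24] == b"NXSB":
        block_size, block_count = struct.unpack_from("<IQ", sector, 0x24)
        size = block_size * block_count
        return {"kind": "apfs-container", "block_size": block_size,
                "block_count": block_count, "bytes": size,
                "sectors": size // SECTOR}
    if sector[0x1FE:0x200] == b"\x55\xaa":
        # Type byte of each of the four MBR partition entries.
        types = [sector[0x1BE + 16 * i + 4] for i in range(4)]
        return {"kind": "gpt-disk" if 0xEE in types else "mbr-disk"}
    return {"kind": "unknown"}


def inspect_image(path):
    """Read sector 0 of an image file or device node and classify it."""
    with open(path, "rb") as fh:
        return inspect_first_sector(fh.read(SECTOR))


if __name__ == "__main__":
    print(inspect_first_sector(NXSB_SECTOR))
    print(inspect_first_sector(PROTECTIVE_MBR))
```

A `gpt-disk` result means the image is a whole disk and the APFS partition has to be extracted before parsing; an all-zero sector comes back as `unknown`.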

johndpope commented 6 years ago

unfortunately - this botched attempt didn't work.

(tensorflow) ➜  4TB-WD sudo gpt destroy /dev/disk2
(tensorflow) ➜  4TB-WD sudo dd if=/dev/disk2 bs=512  count=1 | hexdump
1+0 records in
1+0 records out
512 bytes transferred in 0.000298 secs (1717987 bytes/sec)
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000200
(tensorflow) ➜  4TB-WD diskutil ap list
APFS Container (1 found)
|
+-- Container disk1 18635C24-A6E3-4EE4-914C-1477D9C821C8
    ====================================================
    APFS Container Reference:     disk1
    Size (Capacity Ceiling):      249485074432 B (249.5 GB)
    Minimum Size:                 244462755840 B (244.5 GB)
    Capacity In Use By Volumes:   236756189184 B (236.8 GB) (94.9% used)
    Capacity Not Allocated:       12728885248 B (12.7 GB) (5.1% free)
    |
    +-< Physical Store disk0s2 6F10FF5B-2195-4DF3-B545-FD2A8255CBB5
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       249485074432 B (249.5 GB)
    |
    +-> Volume disk1s1 4D6A5824-3A80-3C11-88CB-376C8B035BF6
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   Capacity Consumed:         231777611776 B (231.8 GB)
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk1s2 52836323-51FD-46D8-ABB5-B6FE206680F9
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         22970368 B (23.0 MB)
    |   FileVault:                 No
    |
    +-> Volume disk1s3 F857EBE5-4C37-479D-8332-DD3529AFBB9B
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s3 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         519090176 B (519.1 MB)
    |   FileVault:                 No
    |
    +-> Volume disk1s4 29185EDF-C4B2-47DB-AF0B-141744407A0B
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s4 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:               /private/var/vm
        Capacity Consumed:         4298272768 B (4.3 GB)
        FileVault:                 No
(tensorflow) ➜  4TB-WD diskutil verifyVolume disk2
Error starting file system verification for disk2: Unrecognized file system (-69846)
(tensorflow) ➜  4TB-WD diskutil verifyVolume disk2
(tensorflow) ➜  4TB-WD sudo gpt add -i 1  -s 1952474504 -t B8843099-2B4F-4D1B-909A-DB5B1B516B9C /dev/disk2
Password:
gpt add: /dev/disk2: error: no primary GPT header; run create or recover
(tensorflow) ➜  4TB-WD lsblk
zsh: command not found: lsblk
(tensorflow) ➜  4TB-WD diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         249.5 GB   disk0s2
   3:       Apple_KernelCoreDump                         1.3 GB     disk0s3

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +249.5 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            231.8 GB   disk1s1
   2:                APFS Volume Preboot                 23.0 MB    disk1s2
   3:                APFS Volume Recovery                519.1 MB   disk1s3
   4:                APFS Volume VM                      4.3 GB     disk1s4

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *4.0 TB     disk2

(tensorflow) ➜  4TB-WD sudo gpt create -f /dev/disk2
(tensorflow) ➜  4TB-WD sudo gpt create -f /dev/disk2
gpt create: /dev/disk2: error: device already contains a GPT
(tensorflow) ➜  4TB-WD diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         249.5 GB   disk0s2
   3:       Apple_KernelCoreDump                         1.3 GB     disk0s3

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +249.5 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            231.8 GB   disk1s1
   2:                APFS Volume Preboot                 23.0 MB    disk1s2
   3:                APFS Volume Recovery                519.1 MB   disk1s3
   4:                APFS Volume VM                      4.3 GB     disk1s4

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *4.0 TB     disk2

(tensorflow) ➜  4TB-WD sudo gpt add -i 1  -s 1952474504 -t B8843099-2B4F-4D1B-909A-DB5B1B516B9C /dev/disk2
/dev/disk2s1 added
(tensorflow) ➜  4TB-WD diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         249.5 GB   disk0s2
   3:       Apple_KernelCoreDump                         1.3 GB     disk0s3

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +249.5 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            231.8 GB   disk1s1
   2:                APFS Volume Preboot                 23.0 MB    disk1s2
   3:                APFS Volume Recovery                519.1 MB   disk1s3
   4:                APFS Volume VM                      4.3 GB     disk1s4

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *4.0 TB     disk2
   1: B8843099-2B4F-4D1B-909A-DB5B1B516B9C               999.7 GB   disk2s1

(tensorflow) ➜  4TB-WD diskutil verifyVolume disk2
Error starting file system verification for disk2: Invalid request (-69886)
(tensorflow) ➜  4TB-WD diskutil verifyVolume disk2s1
Error starting file system verification for disk2s1: Unrecognized file system (-69846)
(tensorflow) ➜  4TB-WD sudo dd if=/dev/disk2 bs=512  count=1 | hexdump
Password:
1+0 records in
1+0 records out
512 bytes transferred in 5.608600 secs (91 bytes/sec)
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
00001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff
00001c0 ff ff ee ff ff ff 01 00 00 00 ff ff ff ff 00 00
00001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
00001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa
0000200

johndpope commented 6 years ago

sorry for dump here- been digging into articles. This guy apparently recovered drive by deleting and recreating partition. https://www.gillware.com/blog/data-recovery-case/apfs-data-recovery-case-study/

I tried and failed to recreate the partition successfully - I thought I could skip the bytes / EFI and that didn't work. I needed to also create an efi partition which takes 409600 - then add the skip corresponding bytes.

Partition Type              MBR ID              UEFI GUID
--------------------------------------  ------  ------------------------------------
Apple Mac OS Extended (HFS+ or JHFS+)     AF    48465300-0000-11AA-AA11-00306543ECAC
Apple Boot (Recovery HD)                  AB    426F6F74-0000-11AA-AA11-00306543ECAC
Apple Core Storage                        AC    53746F72-6167-11AA-AA11-00306543ECAC
Apple File System (APFS)                  FF    7C3457EF-0000-11AA-AA11-00306543ECAC
Extensible Firmware Interface (EFI)       EE    C12A7328-F81F-11D2-BA4B-00A0C93EC93B
Linux Filesystem Data                     83    0FC63DAF-8483-4772-8E79-3D69D8477DE4
Linux Swap                                82    0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
Linux Logical Volume Manager (LVM)        8E    E6D6D379-F507-44C2-A23C-238F2A3DF928
Microsoft File Attribute Table (FAT32)    0C    EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
Microsoft Windows NT (NTFS) or ExFAT      07    EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
Microsoft Windows Recovery Environment    27    DE94BBA4-06D1-4D40-A16A-BFD50179D6AC

https://apple.stackexchange.com/questions/280405/create-an-efi-partition

//WARNING THIS WILL BLOW AWAY DESTROY PARTITION (/dev/disk2 is my external usb)
sudo gpt destroy /dev/disk2
sudo gpt create -f /dev/disk2
gpt add -i 1 -b 40 -s 409600 -t C12A7328-F81F-11D2-BA4B-00A0C93EC93B /dev/disk2
gpt add -i 2 -b 409640 -s 1952474504 -t B8843099-2B4F-4D1B-909A-DB5B1B516B9C /dev/disk2

diskutil


/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *4.0 TB     disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2: B8843099-2B4F-4D1B-909A-DB5B1B516B9C               999.7 GB   disk2s2

 sudo dd if=/dev/disk2 bs=512 skip=409640 count=1 | hexdump
1+0 records in
1+0 records out
512 bytes transferred in 0.366217 secs (1398 bytes/sec)
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000200

but as you see in the hexdump I lose the magic apfs strings - so back to the drawing board/going to need to reclone drive - this time will dump straight to image from clonezilla. I also think the cloned image became corrupt from running pc software on it.