Old Oct 28, 2012, 01:34 AM   #76
iamandrebulatov
diskutil list got me:

Code:
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            388.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             700.0 MB   disk0s3
   4:       Microsoft Basic Data                         50.2 GB    disk0s4
and this is the hexdump:
Code:
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ sudo dd if=/dev/rdisk0 of=~/ntfsguess2_4s.bin skip=782726216 count=262144
Password:
262144+0 records in
262144+0 records out
134217728 bytes transferred in 61.374466 secs (2186866 bytes/sec)
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ hexdump -C ~/ntfsguess2_4s.bin | grep "eb 52 90 4e 54 46 53 20"
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$
I might fall asleep but if I do, I'll be back on tomorrow.
Old Oct 28, 2012, 11:25 AM   #77
murphychris
So in those 128MB the NTFS header wasn't found.

hexdump can't be told to start at a specific sector number, but you can add a partition for this blank space in gdisk (which of course removes the current hybrid MBR, although it's not working for you anyway so that wouldn't seem to matter). Once you have a partition for the blank space, you can point hexdump to that partition just like any file:

hexdump -C /dev/diskXsY | grep "eb 52 90 4e 54 46 53 20"

Where X is the disk, probably 0, and Y is the slice/partition, probably 5 (even though it will be in between 3 and 4).
Old Oct 28, 2012, 12:14 PM   #78
iamandrebulatov
You mean, if I make a partition in the empty space, then I can write the NTFS hex header into it and that way I would have a start for the old NTFS partition which I will then be able to view?

Also, before I do that, I first wanted to try what you suggested before since I freed up 195GB:
-dumping the whole partition disk0s4 onto my current drive into a .bin
-search that for the NTFS header

I know that dumping 128MB took a minute so this will probably take 2 hours but I have time today and would really like to try to save as much as possible, considering I don't know which files sit where on the drive.

----------------
The following could all be completely useless information...
Also, maybe this could be useful.... when I used a hexeditor to look thru the successful 128MB .bin we made, it started with a lot of empty space but then there were entries that appeared to be files that I remember (like Windows system files and Wordpress theme files and such), like.
The first thing in the mostly empty .bin is, starts at offset 124923904, and there are 3 such similar entries separated by some empty space:
The translation on the right is:
Code:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /hint/play/webplayer/
on this server.</p>
</body></html>
The files look like this
Code:
46 49 4C 45 30 00 03 00 30 17 24 3F 02 00 00 00 38 00 01 00 38 00 03 00 30 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 03 00 00 00 28 CF 01 00 02 00 53 00 00 00 00 00 10 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00 00 EF F5 F6 E5 A0 CD 01 20 3D F6 F6 E5 A0 CD 01 20 3D F6 F6 E5 A0 CD 01 20 3D F6 F6 E5 A0 CD 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AD 02 00 00 00 00 00 00 00 00 00 00 60 E9 00 67 00 00 00 00 30 00 00 00 60 00 00 00 00 00 00 00 00 00 02 00 46 00 00 00 18 00 01 00 B8 CE 01 00 00 00 11 00 00 EF F5 F6 E5 A0 CD 01 00 EF F5 F6 E5 A0 CD 01 00 EF F5 F6 E5 A0 CD 01 00 EF F5 F6 E5 A0 CD 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 10 00 00 00 00 02 03 65 00 73 00 00 00 90 00 00 00 30 01 00 00 00 04 18 00 00 00 01 00 10 01 00 00 20 00 00 00 24 00 49 00 33 00 30 00 30 00 00 00 01 00 00 00 00 10 00 00 01 00 00 00 10 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 29 CF 01 00 00 00 21 00 70 00 5C 00 00 00 00 00 28 CF 01 00 00 00 38 00 20 3D F6 F6 E5 A0 CD 01 40 92 E0 F6 E5 A0 CD 01 20 3D F6 F6 E5 A0 CD 01 20 3D F6 F6 E5 A0 CD 01 00 10 00 00 00 00 00 00 A8 08 00 00 00 00 00 00 20 20 00 00 00 00 00 00 0D 01 6D 00 65 00 73 00 73 00 61 00 67 00 65 00 73 00 2E 00 6A 00 73 00 6F 00 6E 00 00 00 00 00 29 CF 01 00 00 00 21 00 70 00 5A 00 00 00 00 00 28 CF 01 00 00 00 38 00 20 3D F6 F6 E5 A0 CD 01 40 92 E0 F6 E5 A0 CD 01 20 3D F6 F6 E5 A0 CD 01 20 3D F6 F6 E5 A0 CD 01 00 10 00 00 00 00 00 00 A8 08 00 00 00 00 00 00 20 20 00 00 00 00 00 00 0C 02 4D 00 45 00 02 00 53 00 41 00 47 00 7E 00 31 00 2E 00 4A 00 53 00 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 FF FF FF FF 82 79 47 11
Translation on the right is:
Code:
FILE00$?880(S`Hı† =† =† =† ≠`g0`F∏ı†ı†ı†ı† es0 $I300)!p\(8 =†@퇈† =† =†  
messages.json)!pZ(8 =†@퇈† =† =†  MESAG~1.JSOˇˇˇˇyG
Old Oct 28, 2012, 12:32 PM   #79
Rostu
Recovery Windows Partition

Hi all
I am new to this post and read a lot about Bootcamp Windows recovery.

Me too, I have lost the partition after a HD-swap, but the grayed partition was visible and existing.

All I did, and this is a very simple and highly recommended solution:

Boot your Mac with the original licence CD from Windows (e.g. Windows 7)

Starting up (providing Win 7 is not completely destroyed) it will automatically discover the Win Partition.
Then select the Repair mode on the Win Boot Disk (you can either select install or repair)

And off you go, at least in my case it fully restored all what's needed including the missing special blank partition (GPT or whatever it's called)

Reboot and everything is back to normal

Good luck

Last edited by Rostu; Oct 28, 2012 at 12:39 PM.
Old Oct 28, 2012, 01:36 PM   #80
murphychris
Quote:
Originally Posted by iamandrebulatov
You mean, if I make a partition in the empty space, then I can write the NTFS hex header into it and that way I would have a start for the old NTFS partition which I will then be able to view?
No. You're adding a partition entry for the empty space solely for the purpose of getting hexdump to directly read and grep the entirety of that free space searching for the NTFS header, instead of dd'ing that free space plus Bootcamp to a file onto an external disk and THEN using hexdump on the file.

You can't give hexdump a sector offset. By establishing a partition for that free space, you give a clear "file" like thing for hexdump to work on instead of the entire disk. You can of course hexdump + grep the entire disk instead. It'll just take a lot longer.

Nothing I've suggested calls for writing anything to free space or Boot camp regions of the disk. Creating a partition entry only modifies four sectors at the front and end of the disk, nowhere near the freespace. Writing anything in this freespace is high risk for damaging any chance at data recovery.


Code:
Also, before I do that, I first wanted to try what you suggested before since I freed up 195GB:
-dumping the whole partition disk0s4 onto my current drive into a .bin
-search that for the NTFS header
This will take a LOT longer because it's read and write to the same disk. If the data is worth making a sector copy of you should dump it to a separate drive. Obviously you need the drive anyway.


Quote:
Also, maybe this could be useful.... when I used a hexeditor to look thru the successful 128MB .bin we made, it started with a lot of empty space but then there were entries that appeared to be files that I remember (like Windows system files and Wordpress theme files and such), like.
The fact you're finding Windows related files BEFORE you've found the NTFS header implies the NTFS header has been squashed by something else. Or you've had more than one Windows installation on this disk and this is the remnant of an old one? *shrug*
Old Oct 28, 2012, 04:05 PM   #81
iamandrebulatov
Quote:
Originally Posted by murphychris
The fact you're finding Windows related files BEFORE you've found the NTFS header implies the NTFS header has been squashed by something else. Or you've had more than one Windows installation on this disk and this is the remnant of an old one? *shrug*
No, this is the first and only W7 as far as I remember. So I think the former is correct, that I squashed the NTFS when I wrote empty OS X space into it with the stupid Disk Utility resizing slider. I remember I went up to about 420GB, which might have crossed over by a gig or two because in Bootcamp, I only had about 15-17gigs free. Even still regardless what I had free I imagine it's not all at the top or beginning of the volume anyways soooo, yeah, I probably destroyed it.

What's the command to search the whole drive? I'd like to try that moot'ness first before going onto something less hopeful lol
Old Oct 28, 2012, 04:10 PM   #82
murphychris
Code:
hexdump -C /dev/disk0 | grep "eb 52 90 4e 54 46 53 20"
I'd start in a new terminal window, or control-k to delete the buffer that you have accumulated. Makes it easier to scroll around if it finds a lot of matches.

This is a read only command so while it will take a long time it doesn't write anything to disk. I'd do it overnight.

-----

In this case, the hex address on the far left is in sync with LBA. So there is no offset. You just convert from hex to decimal and divide by 512 to get sectors.
Old Oct 28, 2012, 04:23 PM   #83
iamandrebulatov
Ohhhh and I just understood what you were saying earlier! Duh! Why bother searching the 350-400GB OS X partition, it definitely is not there lol okayy I'm catching up.

I can choose to search the whole disc "disk0" or partition "disk0s4" but I can't search the empty space between disk0s3 and disk0s4 until I designate it something like disk0s5.... You're the man lol

Can you please explain again how to designate empty space on the table into a partition to make it searchable without having to make a hexdump file a .bin file for hexdump?

---------

Also, what about searching for the end of an NTFS volume - is it the same code "eb 52 90 4e 54 46 53 20"?
And, if I have an ending that is intact, and then I have a bunch of free space where the beginning should be, is it possible to write-in an "NTFS volume beginning" in order to give the partition a functioning and recognizable file system so that the partition can be viewable through OS X Finder (even though many of the files including the Windows7 operating system may be corrupt)?

Last edited by iamandrebulatov; Oct 28, 2012 at 05:03 PM. Reason: poor articulation and misuse of technical terms, just bad english overall lol
Old Oct 28, 2012, 06:15 PM   #84
murphychris
Quote:
Originally Posted by iamandrebulatov
I can choose to search the whole disc "disk0" or partition "disk0s4" but I can't search the empty space between disk0s3 and disk0s4 until I designate it something like disk0s5
Yep.

Quote:
Can you please explain again how to designate empty space on the table into a partition to make it searchable without having to make a hexdump file?
Use gdisk, it should by default find that first sector of the free space, but if not, you'll need to type it in. And by default it'll propose the last sector. The type doesn't matter. This is just a partition entry; it has nothing to do with the format of that space and doesn't affect it.


Also note you might have to do this hexdump thing twice. Once for disk0s5 (empty space) and *possibly* disk0s4 the Boot Camp volume.

Quote:
Also, what about searching for the end of an NTFS volume - is it the same code "eb 52 90 4e 54 46 53 20"?
It is but there is a whole sector of redundant data after that, which is the same for the first and last, it's not until the very next sector that there is a difference between the first and last "header".

I think in your case it's easiest to assume that the last sector hasn't changed since the only way NTFS could have been expanded on your disk is if it were moved forward.

Quote:
And, if I have an ending that is intact, and then I have a bunch of free space where the beginning should be, is it possible to write-in an "NTFS volume beginning" in order to give the partition a functioning and recognizable file system so that the partition can be viewable through OS X Finder (even though many of the files including the Windows7 operating system may be corrupt)?
Nope. There are maybe a dozen other structures in NTFS that are all in specific locations from the header. So you can't just willy nilly insert the header and expect NTFS to find its various pieces. You'd have to find the structure that's supposed to come after the header, and then write in a header the proper distance from that structure.

There are NTFS file system structure and recovery manuals online, you have to google them. It's way over my knowledge level at this point. But there are a lot of components to NTFS.

And purportedly NTFS fragments a lot. So even if you used something like ddrescue, which looks for filetype headers (i.e. it looks for word doc or jpeg headers), there's every reason to believe these files will actually be broken up into pieces, and won't be contiguous. So while you find their beginning, you'll have no idea where their middle and end is. If they are indeed fragmented. The smaller the file, the better your chances, probably.
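Added example, not part of the thread and not any poster's own code: a read-only Python scanner that performs the search from posts #82 and #84 at sector-aligned positions only, sanity-checks each candidate, and uses the boot sector's total-sectors field to relate the first and last copies of the NTFS header. The function names and the constructed sample image (volume at LBA 8, 40 sectors long) are the example's own, and it assumes the backup copy sits in the partition's last sector, exactly `total_sectors` after the primary.

```python
import struct

SECTOR = 512
# First 8 bytes of an NTFS boot sector: x86 jump (eb 52 90) + "NTFS ",
# the same pattern the thread greps for in hexdump output.
NTFS_MAGIC = bytes.fromhex("eb52904e54465320")


def parse_boot_sector(sector):
    """Return the BPB fields of a plausible NTFS boot sector, else None."""
    if len(sector) < SECTOR or sector[:8] != NTFS_MAGIC:
        return None
    if sector[510:512] != b"\x55\xaa":  # end-of-sector marker
        return None
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total, mft_lcn = struct.unpack_from("<QQ", sector, 0x28)
    # Reject chance matches inside file data: geometry must be sane.
    if bps not in (512, 1024, 2048, 4096):
        return None
    if spc not in (1, 2, 4, 8, 16, 32, 64, 128) or total == 0:
        return None
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_lcn": mft_lcn}


def scan(path, start_lba=0, count=None, chunk_sectors=2048):
    """Read-only scan; returns {lba: fields} for sector-aligned hits.

    LBAs are absolute within `path` (byte offset // 512), which is the
    offset-to-sector conversion described in post #82.
    """
    hits = {}
    with open(path, "rb") as f:
        f.seek(start_lba * SECTOR)
        lba = start_lba
        while count is None or lba < start_lba + count:
            want = chunk_sectors
            if count is not None:
                want = min(want, start_lba + count - lba)
            buf = f.read(want * SECTOR)
            if len(buf) < SECTOR:
                break
            for off in range(0, len(buf) - SECTOR + 1, SECTOR):
                fields = parse_boot_sector(buf[off:off + SECTOR])
                if fields:
                    hits[lba + off // SECTOR] = fields
            lba += len(buf) // SECTOR
    return hits


def locate_volumes(hits):
    """Turn raw hits into partition extents (first LBA, last LBA).

    Assumption of this example: the backup boot sector is an identical
    copy stored `total_sectors` after the primary. A matching pair
    confirms the extent; a lone hit is reported under both readings.
    """
    out, paired = [], set()
    for lba in sorted(hits):
        if lba in paired:
            continue
        f = hits[lba]
        span = f["total_sectors"] * f["bytes_per_sector"] // SECTOR
        if hits.get(lba + span) == f:
            paired.add(lba + span)
            out.append({"status": "confirmed",
                        "first_lba": lba, "last_lba": lba + span})
        else:
            out.append({"status": "lone", "hit_lba": lba,
                        "if_primary": (lba, lba + span),
                        "if_backup": (lba - span, lba) if lba >= span else None})
    return out


def make_boot_sector(total_sectors, mft_lcn=4):
    """Constructed sample sector (not real disk data)."""
    s = bytearray(SECTOR)
    s[0:11] = NTFS_MAGIC + b"   "          # completes the OEM ID "NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<QQ", s, 0x28, total_sectors, mft_lcn)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_sample_image(path, primary_intact=True, start=8, total=40, size=64):
    """Write a tiny constructed image: volume at `start`, backup at start+total."""
    img = bytearray(size * SECTOR)
    bs = make_boot_sector(total)
    if primary_intact:
        img[start * SECTOR:(start + 1) * SECTOR] = bs
    img[(start + total) * SECTOR:(start + total + 1) * SECTOR] = bs
    with open(path, "wb") as f:
        f.write(img)


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")
        # Primary header overwritten, backup intact: the case discussed in the thread.
        build_sample_image(sample, primary_intact=False)
        for volume in locate_volumes(scan(sample)):
            print(volume)
```

`scan()` opens the path for reading only, so it can be pointed at a `dd` image like the one made in post #76; a lone hit's `if_backup` pair gives the partition boundaries to check when only the last copy of the header survived.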
Old Oct 28, 2012, 08:08 PM   #85
iamandrebulatov
Quote:
Originally Posted by murphychris
Yep.
... The smaller the file, the better your chances, probably.
Sweet, Thanks Chris, you've been an amazing guide on this whole journey haha your help is much appreciated.

Here is what I got (and I know you said it doesn't matter what type but I took the liberty anyway):
Code:
Command (? for help): p
Disk /dev/disk0: 976773168 sectors, 465.8 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 151C89F8-FD1C-42D3-A0A3-6AFC2AFDB104
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 976773134
Partitions will be aligned on 8-sector boundaries
Total free space is 21 sectors (10.5 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  
   2          409640       759212047   361.8 GiB   AF00  
   3       759212048       760579239   667.6 MiB   AB00  
   4       878731264       976773119   46.8 GiB    0700  
   5       760579240       878731263   56.3 GiB    0700  Microsoft basic data
---------------------

Quote:
Originally Posted by murphychris
...Also note you might have to do this hexdump thing twice. Once for disk0s5 (empty space) and *possibly* disk0s4 the Boot Camp volume....
I was actually also just going to ask you if I could possibly hexdump-search somehow through both disk0s4+disk0s5 somehow at the same time, like
Code:
hexdump -C /dev/disk0s4 + /dev/disk0s5 | grep "eb 52 90 4e 54 46 53 20"
lol, but I guess not.

I'll report the result when I am done.
Old Oct 28, 2012, 08:16 PM   #86
murphychris
Quote:
Originally Posted by iamandrebulatov
I was actually also just going to ask you if I could possibly hexdump-search somehow through both disk0s4+disk0s5 somehow at the same time, like
Code:
hexdump -C /dev/disk0s4 + /dev/disk0s5 | grep "eb 52 90 4e 54 46 53 20"
lol, but I guess not.
Uhh that's a bash question you'd have to look up how to issue a 2nd command after the first one completes on the same line. It might be & at the end of the line then issue the second command, or &&, but I'm not sure.

You don't want them occurring concurrently, it will just cause the drive head to seek between the two partitions and slow it all down.
Old Oct 28, 2012, 08:31 PM   #87
iamandrebulatov
Hmm, I rebooted after gdisk but this is what I get:

Code:
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            388.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             700.0 MB   disk0s3
   4:       Microsoft Basic Data                         50.2 GB    disk0s4
   5:       Microsoft Basic Data                         60.5 GB    disk0s5

Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ hexdump -C /dev/disk0s5 | grep "eb 52 90 4e 54 46 53 20"
hexdump: /dev/disk0s5: Permission denied
hexdump: /dev/disk0s5: Bad file descriptor
and gdisk:
Code:
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ sudo gdisk /dev/disk0
Password:
GPT fdisk (gdisk) version 0.8.5

Partition table scan:
  MBR: hybrid
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with hybrid MBR; using GPT.

Command (? for help): p
Disk /dev/disk0: 976773168 sectors, 465.8 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 151C89F8-FD1C-42D3-A0A3-6AFC2AFDB104
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 976773134
Partitions will be aligned on 8-sector boundaries
Total free space is 21 sectors (10.5 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  
   2          409640       759212047   361.8 GiB   AF00  
   3       759212048       760579239   667.6 MiB   AB00  
   4       878731264       976773119   46.8 GiB    0700  
   5       760579240       878731263   56.3 GiB    0700  Microsoft basic data

Command (? for help):
What did I do wrong? What should I do?

-------------------------------
PS: Disk Utility is really confused, says there is
-a 388.51 Gb partition (OS X) which is expandable to 449.7GB,
-then it says I have partition disk0s4 which is 50.2GB
-disk0s5 which is 60.49GB (yet visually smaller on the DU resizing slider)
-and also "Free Space" equalling 50.06GB.

This is not physically possible as the disk is only theoretically 500GB. Image attached.
[Attached image: Screen Shot 2012-10-28 at 9.25.31 PM.png]

Last edited by iamandrebulatov; Oct 28, 2012 at 08:36 PM. Reason: attach image instead of link, for easier viewing
iamandrebulatov is offline   0 Reply With Quote
Old Oct 28, 2012, 08:43 PM   #88
murphychris
macrumors 6502a
 
Join Date: Mar 2012
Quote:
Originally Posted by iamandrebulatov View Post
Code:
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ hexdump -C /dev/disk0s5 | grep "eb 52 90 4e 54 46 53 20"
hexdump: /dev/disk0s5: Permission denied
hexdump: /dev/disk0s5: Bad file descriptor
Try sudo hexdump; it may be that diskarbitrationd has it, trying to mount it for some reason. If that doesn't help, post this:

mount | grep disk0s5

And this:

dmesg | grep disk0


Quote:
PS: Disk Utility is really confused,
In more ways than one, just leave it alone.
murphychris is offline   0 Reply With Quote
Old Oct 28, 2012, 08:48 PM   #89
iamandrebulatov
macrumors member
 
Join Date: Oct 2012
Quote:
Originally Posted by murphychris View Post
try sudo hexdump it may be that diskarbitrationd has it, trying to mount it for some reason. ...
That worked, and disk0s5 is a go!
iamandrebulatov is offline   0 Reply With Quote
Old Oct 29, 2012, 01:02 AM   #90
iamandrebulatov
macrumors member
 
Join Date: Oct 2012
Oh, I got something...
Code:
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ sudo hexdump -C /dev/disk0s5 | grep "eb 52 90 4e 54 46 53 20"
Password:
309f6a530  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
Gonna put on disk0s4 just in case now... Never mind, it's still going.
iamandrebulatov is offline   0 Reply With Quote
Old Oct 29, 2012, 01:48 AM   #91
murphychris
macrumors 6502a
 
Join Date: Mar 2012
Quote:
Originally Posted by iamandrebulatov View Post
309f6a530
I'm a bit mystified by this value. It's not evenly divisible by x200 (512 decimal), meaning it's not in the first bytes of a sector. I'm unsure of the implication. Whether it's the first or last header of an NTFS volume that line should be in the first 8 bytes of the sector.

At LBA 786071546 from the start of disk0 you should find this sector. I'd sample 35 sectors from that point,

Code:
dd if=/dev/disk0 of=~/lba786071546_35s.bin skip=786071546 count=35
and look in it

Code:
hexdump -C ~/lba786071546_35s.bin
and see if you get something like this:

http://pastebin.com/ptKjYamF

Except your NTFS header won't start at zero. But what you want is to see a B.O.O.T.M.G.R reference, followed quickly by an NTLDR reference split on two lines, and closer to the end an $.M.F.T reference and $.M.F.T.M.i.r reference. Those are a few of the required structures for NTFS that are at the start of a valid NTFS volume. If those aren't there, then a.) it's not the true beginning; b.) they have been squashed.
murphychris is offline   0 Reply With Quote
Old Oct 29, 2012, 01:59 AM   #92
murphychris
macrumors 6502a
 
Join Date: Mar 2012
I'm going to bed and traveling in the morning, but here's the math for finding that LBA.


x309f6a530 = 13052060976
divide by 512 (bytes per sector) to get sectors = 25492306.59375

So this byte is well inside 25492306s from the start of disk0s5

disk0s5 starts at LBA 760579240 so the target LBA is
25492306s + 760579240s = 786071546

hence skip=786071546 from the start of the *disk*. If this turned out to be a good candidate for the start of this missing NTFS volume, and you have a sufficient backup that you're prepared to obliterate it, you'd create a partition entry that starts at 786071546 and ends (?) probably where partition 4 currently ends. See if that mounts in OS X. If not, might be worth seeing if chkdsk can do anything with it.

You're almost certainly better off looking for better, more intact candidates. So you do the same thing as above. If you start working on partition 4, keep in mind that disk0s4 starts at LBA 878731264.

i.e. hexdump starts reporting bytes in the *.bin file from zero. Those hex values on the far left are byte offsets in 16 byte increments per row (they're row numbers basically).
murphychris is offline   0 Reply With Quote
Old Oct 31, 2012, 11:54 AM   #93
iamandrebulatov
macrumors member
 
Join Date: Oct 2012
Whew! Chris... gentlemen... it's good to be back online!
My first minute on after Hurricane Sandy knocked out power/internet/3G service for 2+ days, since Monday afternoon.

Anyway, searching disk0s4 now, will report findings when complete.
iamandrebulatov is offline   0 Reply With Quote
Old Nov 1, 2012, 12:57 AM   #94
iamandrebulatov
macrumors member
 
Join Date: Oct 2012
!! A hexdump search of disk0s4 produced considerably more results compared to disk0s5:

Code:
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ sudo hexdump -C /dev/disk0s4 | grep "eb 52 90 4e 54 46 53 20"
Password:
290d2980  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
5a6761b0  ff ff ff ff ff ff ff ff  eb 52 90 4e 54 46 53 20  |.........R.NTFS |
5d8f0ff0  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
13235f000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 01 00 00  |.R.NTFS    .....|
132665000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 01 00 00  |.R.NTFS    .....|
13296b000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 01 00 00  |.R.NTFS    .....|
13a0bdf30  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
13a178f30  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
13f87bd50  00 00 00 00 00 00 55 aa  eb 52 90 4e 54 46 53 20  |......U..R.NTFS |
1408edb70  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
140d43b30  00 00 00 00 00 00 55 aa  eb 52 90 4e 54 46 53 20  |......U..R.NTFS |
144df3a00  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
168c3aa00  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
16b9488e0  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
174c655a0  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
181527a00  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
1c29eb000  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
1c29eda10  eb 52 90 4e 54 46 53 20  20 20 20 00 02 01 00 00  |.R.NTFS    .....|
1d0bb5000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
356fc6340  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
56dfc1bb0  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
5e24a57a0  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
5fe459c00  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
642182e90  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
67eba39b0  00 00 00 00 00 00 02 00  eb 52 90 4e 54 46 53 20  |.........R.NTFS |
69d1581b0  ff ff ff ff ff ff ff ff  eb 52 90 4e 54 46 53 20  |.........R.NTFS |
7532c4a10  3c 00 75 f7 eb fe 55 aa  eb 52 90 4e 54 46 53 20  |<.u...U..R.NTFS |
753358d20  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
75338b300  3c 00 75 f7 eb fe 55 aa  eb 52 90 4e 54 46 53 20  |<.u...U..R.NTFS |
7533a39c0  3c 00 75 f7 eb fe 55 aa  eb 52 90 4e 54 46 53 20  |<.u...U..R.NTFS |
7533e8b60  61 6e 64 6c 69 6e 65 0a  eb 52 90 4e 54 46 53 20  |andline..R.NTFS |
7533eab60  00 00 00 00 00 00 00 00  eb 52 90 4e 54 46 53 20  |.........R.NTFS |
75342f560  3c 00 75 f7 eb fe 55 aa  eb 52 90 4e 54 46 53 20  |<.u...U..R.NTFS |
753552960  f6 f6 f6 f6 f6 f6 f6 f6  eb 52 90 4e 54 46 53 20  |.........R.NTFS |
753554970  3c 00 75 f7 eb fe 55 aa  eb 52 90 4e 54 46 53 20  |<.u...U..R.NTFS |
76560f930  00 00 00 00 00 00 55 aa  eb 52 90 4e 54 46 53 20  |......U..R.NTFS |
766549580  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
767e3cd50  00 00 00 00 00 00 55 aa  eb 52 90 4e 54 46 53 20  |......U..R.NTFS |
7ff96bf30  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
82384f000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 01 00 00  |.R.NTFS    .....|
82cbf4970  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
83d840530  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
84c123f30  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
baffff000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
baffffe00  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$
iamandrebulatov is offline   0 Reply With Quote
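The offset-to-LBA arithmetic from post #92, applied to the grep rows from posts #90 and #94. This is an added example, not code from the thread: it parses `hexdump -C` rows, converts each hit to an absolute LBA, and checks the two things the row itself can show, namely whether the signature starts a sector and whether the bytes-per-sector and sectors-per-cluster fields that follow it (boot sector offsets 0x0B to 0x0D) are sane. The rows are a subset copied from the posts; the partition bounds come from the gdisk listing; the function names are hypothetical.

```python
from collections import namedtuple

SECTOR = 512  # logical sector size reported by gdisk in the thread
SIGNATURE = bytes.fromhex("eb52904e54465320")  # the bytes the thread greps for

# First and last LBA of each partition, from the gdisk listing in the thread.
PARTITIONS = {"disk0s5": (760579240, 878731263),
              "disk0s4": (878731264, 976773119)}

# Sample input: a subset of the grep rows posted in the thread, per partition.
SAMPLE = {
    "disk0s5": """\
309f6a530  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
""",
    "disk0s4": """\
290d2980  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
5a6761b0  ff ff ff ff ff ff ff ff  eb 52 90 4e 54 46 53 20  |.........R.NTFS |
5d8f0ff0  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
13235f000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 01 00 00  |.R.NTFS    .....|
1d0bb5000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
7532c4a10  3c 00 75 f7 eb fe 55 aa  eb 52 90 4e 54 46 53 20  |<.u...U..R.NTFS |
baffff000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
baffffe00  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
""",
}

Hit = namedtuple("Hit", "part offset lba byte_in_sector "
                        "bytes_per_sector sectors_per_cluster position")


def parse_row(line):
    """Return (row offset, 16 data bytes) from one `hexdump -C` row."""
    fields = line.split("|", 1)[0].split()
    return int(fields[0], 16), bytes(int(b, 16) for b in fields[1:17])


def triage(part, line):
    """Locate the signature in a row and describe where it sits on disk."""
    row_offset, data = parse_row(line)
    col = data.find(SIGNATURE)  # column 0 or 8 for rows matched by the grep
    if col < 0:
        return None
    first_lba, last_lba = PARTITIONS[part]
    offset = row_offset + col  # byte offset from the start of the partition
    sector, byte_in_sector = divmod(offset, SECTOR)
    lba = first_lba + sector   # sector number from the start of the disk
    # The BPB fields are only visible when the signature starts at column 0.
    bps = int.from_bytes(data[11:13], "little") if col == 0 else None
    spc = data[13] if col == 0 else None
    position = {first_lba: "first", last_lba: "last"}.get(lba, "inside")
    return Hit(part, offset, lba, byte_in_sector, bps, spc, position)


def is_candidate(hit):
    """True if the hit starts a sector and carries a plausible BPB."""
    return (hit.byte_in_sector == 0
            and hit.bytes_per_sector == SECTOR
            and hit.sectors_per_cluster in (1, 2, 4, 8, 16, 32, 64, 128))


def triage_all(sample=SAMPLE):
    hits = []
    for part, text in sample.items():
        for line in text.splitlines():
            if line.strip():
                hit = triage(part, line)
                if hit:
                    hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in triage_all():
        flag = "candidate" if is_candidate(h) else "skip"
        print(f"{h.part} 0x{h.offset:x} LBA {h.lba} +{h.byte_in_sector} "
              f"bps={h.bytes_per_sector} spc={h.sectors_per_cluster} "
              f"{h.position} {flag}")
```

On these rows the only hit at a partition boundary is the one at 0xbaffffe00, which is the last sector of disk0s4 (LBA 976773119); NTFS keeps a backup copy of its boot sector at the end of the volume.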
Old Nov 1, 2012, 10:00 PM   #95
iamandrebulatov
macrumors member
 
Join Date: Oct 2012
Quote:
Originally Posted by murphychris View Post
I'm a bit mystified by this value. It's not evenly divisible by x200 (512 decimal), meaning it's not in the first bytes of a sector. I'm unsure of the implication. Whether it's the first or last header of an NTFS volume that line should be in the first 8 bytes of the sector.

At LBA 786071546 from the start of disk0 you should find this sector. I'd sample 35 sectors from that point,

Code:
dd if=/dev/disk0 of=~/lba786071546_35s.bin skip=786071546 count=35
and look in it

Code:
hexdump -C ~/lba786071546_35s.bin
and see if you get something like this:

http://pastebin.com/ptKjYamF

Except your NTFS header won't start at zero. But what you want is to see a B.O.O.T.M.G.R reference, followed quickly by an NTLDR reference split on two lines, and closer to the end an $.M.F.T reference and $.M.F.T.M.i.r reference. Those are a few of the required structures for NTFS that are at the start of a valid NTFS volume. If those aren't there, then a.) it's not the true beginning; b.) they have been squashed.

Also, I completed this prior to the search of disk0s4 but completely forgot to post the results as Hurricane Sandy was already hitting us hard and I got all caught up with preparations.

Anyways, the results look promising because the BOOTMGR reference is there, and the NTLDR also, but I can't find the $MFT...
Code:
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ dd if=/dev/disk0 of=~/lba786071546_35s.bin skip=786071546 count=35
dd: /dev/disk0: Permission denied
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ sudo dd if=/dev/disk0 of=~/lba786071546_35s.bin skip=786071546 count=35
Password:
35+0 records in
35+0 records out
17920 bytes transferred in 0.021124 secs (848319 bytes/sec)
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$ hexdump -C ~/lba786071546_35s.bin
00000000  0f 83 02 00 72 d0 8a 56  40 ea 00 00 00 20 66 c1  |....r..V@.... f.|
00000010  e0 02 e8 11 00 26 66 8b  01 66 25 ff ff ff 0f 66  |.....&f..f%....f|
00000020  3d f8 ff ff 0f c3 bf 00  7e 66 0f b7 4e 0b 66 33  |=.......~f..N.f3|
00000030  d2 66 f7 f1 66 3b 46 f4  74 3a 66 89 46 f4 66 03  |.f..f;F.t:f.F.f.|
00000040  46 1c 66 0f b7 4e 0e 66  03 c1 66 0f b7 5e 28 83  |F.f..N.f..f..^(.|
00000050  e3 0f 74 16 3a 5e 10 0f  83 c7 fb 52 66 8b c8 66  |..t.:^.....Rf..f|
00000060  8b 46 24 66 f7 e3 66 03  c1 5a 52 8b df b9 01 00  |.F$f..f..ZR.....|
00000070  e8 b9 fb 5a 8b da c3 00  00 00 00 00 00 00 00 00  |...Z............|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000130  eb 52 90 4e 54 46 53 20  20 20 20 00 00 00 00 00  |.R.NTFS    .....|
00000140  00 00 00 00 00 f8 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 80 00 00 00  00 00 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000180  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb 68 c0 07  |.....3.....|.h..|
00000190  1f 1e 68 66 00 cb 88 16  0e 00 66 81 3e 03 00 4e  |..hf......f.>..N|
000001a0  54 46 53 75 15 b4 41 bb  aa 55 cd 13 72 0c 81 fb  |TFSu..A..U..r...|
000001b0  55 aa 75 06 f7 c1 01 00  75 03 e9 dd 00 1e 83 ec  |U.u.....u.......|
000001c0  18 68 1a 00 b4 48 8a 16  0e 00 8b f4 16 1f cd 13  |.h...H..........|
000001d0  9f 83 c4 18 9e 58 1f 72  e1 3b 06 0b 00 75 db a3  |.....X.r.;...u..|
000001e0  0f 00 c1 2e 0f 00 04 1e  5a 33 db b9 00 20 2b c8  |........Z3... +.|
000001f0  66 ff 06 11 00 03 16 0f  00 8e c2 ff 06 16 00 e8  |f...............|
00000200  4b 00 2b c8 77 ef b8 00  bb cd 1a 66 23 c0 75 2d  |K.+.w......f#.u-|
00000210  66 81 fb 54 43 50 41 75  24 81 f9 02 01 72 1e 16  |f..TCPAu$....r..|
00000220  68 07 bb 16 68 70 0e 16  68 09 00 66 53 66 53 66  |h...hp..h..fSfSf|
00000230  55 16 16 16 68 b8 01 66  61 0e 07 cd 1a 33 c0 bf  |U...h..fa....3..|
00000240  28 10 b9 d8 0f fc f3 aa  e9 5f 01 90 90 66 60 1e  |(........_...f`.|
00000250  06 66 a1 11 00 66 03 06  1c 00 1e 66 68 00 00 00  |.f...f.....fh...|
00000260  00 66 50 06 53 68 01 00  68 10 00 b4 42 8a 16 0e  |.fP.Sh..h...B...|
00000270  00 16 1f 8b f4 cd 13 66  59 5b 5a 66 59 66 59 1f  |.......fY[ZfYfY.|
00000280  0f 82 16 00 66 ff 06 11  00 03 16 0f 00 8e c2 ff  |....f...........|
00000290  0e 16 00 75 bc 07 1f 66  61 c3 a0 f8 01 e8 09 00  |...u...fa.......|
000002a0  a0 fb 01 e8 03 00 f4 eb  fd b4 01 8b f0 ac 3c 00  |..............<.|
000002b0  74 09 b4 0e bb 07 00 cd  10 eb f2 c3 0d 0a 41 20  |t.............A |
000002c0  64 69 73 6b 20 72 65 61  64 20 65 72 72 6f 72 20  |disk read error |
000002d0  6f 63 63 75 72 72 65 64  00 0d 0a 42 4f 4f 54 4d  |occurred...BOOTM|
000002e0  47 52 20 69 73 20 6d 69  73 73 69 6e 67 00 0d 0a  |GR is missing...|
000002f0  42 4f 4f 54 4d 47 52 20  69 73 20 63 6f 6d 70 72  |BOOTMGR is compr|
00000300  65 73 73 65 64 00 0d 0a  50 72 65 73 73 20 43 74  |essed...Press Ct|
00000310  72 6c 2b 41 6c 74 2b 44  65 6c 20 74 6f 20 72 65  |rl+Alt+Del to re|
00000320  73 74 61 72 74 0d 0a 00  8c a9 be d6 00 00 55 aa  |start.........U.|
00000330  07 00 42 00 4f 00 4f 00  54 00 4d 00 47 00 52 00  |..B.O.O.T.M.G.R.|
00000340  04 00 24 00 49 00 33 00  30 00 00 d4 00 00 00 24  |..$.I.3.0......$|
00000350  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000380  00 00 00 00 00 00 eb 22  90 90 05 00 4e 00 54 00  |......."....N.T.|
00000390  4c 00 44 00 52 00 00 00  00 00 00 00 00 00 00 00  |L.D.R...........|
000003a0  00 00 00 00 00 00 00 00  00 00 66 0f b7 06 0b 00  |..........f.....|
000003b0  66 0f b6 1e 0d 00 66 f7  e3 66 a3 52 02 66 8b 0e  |f.....f..f.R.f..|
000003c0  40 00 80 f9 00 0f 8f 0e  00 f6 d9 66 b8 01 00 00  |@..........f....|
000003d0  00 66 d3 e0 eb 08 90 66  a1 52 02 66 f7 e1 66 a3  |.f.....f.R.f..f.|
000003e0  66 02 66 0f b7 1e 0b 00  66 33 d2 66 f7 f3 66 a3  |f.f.....f3.f..f.|
000003f0  56 02 e8 95 04 66 8b 0e  4e 02 66 89 0e 26 02 66  |V....f..N.f..&.f|
00000400  03 0e 66 02 66 89 0e 2a  02 66 03 0e 66 02 66 89  |..f.f..*.f..f.f.|
00000410  0e 2e 02 66 03 0e 66 02  66 89 0e 3e 02 66 03 0e  |...f..f.f..>.f..|
00000420  66 02 66 89 0e 46 02 66  b8 90 00 00 00 66 8b 0e  |f.f..F.f.....f..|
00000430  26 02 e8 83 09 66 0b c0  0f 84 5e fe 66 a3 32 02  |&....f....^.f.2.|
00000440  66 b8 a0 00 00 00 66 8b  0e 2a 02 e8 6a 09 66 a3  |f.....f..*..j.f.|
00000450  36 02 66 b8 b0 00 00 00  66 8b 0e 2e 02 e8 58 09  |6.f.....f.....X.|
00000460  66 a3 3a 02 66 a1 32 02  66 0b c0 0f 84 2b fe 67  |f.:.f.2.f....+.g|
00000470  80 78 08 00 0f 85 22 fe  67 66 8d 50 10 67 03 42  |.x....".gf.P.g.B|
00000480  04 67 66 0f b6 48 0c 66  89 0e 72 02 67 66 8b 48  |.gf..H.f..r.gf.H|
00000490  08 66 89 0e 6e 02 66 a1  6e 02 66 0f b7 0e 0b 00  |.f..n.f.n.f.....|
000004a0  66 33 d2 66 f7 f1 66 a3  76 02 66 a1 46 02 66 03  |f3.f..f.v.f.F.f.|
000004b0  06 6e 02 66 a3 4a 02 66  83 3e 36 02 00 0f 84 1d  |.n.f.J.f.>6.....|
000004c0  00 66 83 3e 3a 02 00 0f  84 cf fd 66 8b 1e 3a 02  |.f.>:......f..:.|
000004d0  1e 07 66 8b 3e 4a 02 66  a1 2e 02 e8 e0 01 66 0f  |..f.>J.f......f.|
000004e0  b7 0e 00 02 66 b8 02 02  00 00 e8 22 08 66 0b c0  |....f......".f..|
000004f0  0f 85 16 00 66 0f b7 0e  5a 02 66 b8 5c 02 00 00  |....f...Z.f.\...|
00000500  e8 0c 08 66 0b c0 0f 84  42 0c 67 66 8b 00 1e 07  |...f....B.gf....|
00000510  66 8b 3e 3e 02 e8 3f 06  66 a1 3e 02 66 bb 20 00  |f.>>..?.f.>.f. .|
00000520  00 00 66 b9 00 00 00 00  66 ba 00 00 00 00 e8 e4  |..f.....f.......|
00000530  00 66 85 c0 0f 85 23 00  66 a1 3e 02 66 bb 80 00  |.f....#.f.>.f...|
00000540  00 00 66 b9 00 00 00 00  66 ba 00 00 00 00 e8 c4  |..f.....f.......|
00000550  00 66 0b c0 0f 85 44 00  e9 f1 0b 66 33 d2 66 b9  |.f....D....f3.f.|
00000560  80 00 00 00 66 a1 3e 02  e8 ca 08 66 0b c0 0f 84  |....f.>....f....|
00000570  da 0b 1e 07 66 8b 3e 3e  02 e8 db 05 66 a1 3e 02  |....f.>>....f.>.|
00000580  66 bb 80 00 00 00 66 b9  00 00 00 00 66 ba 00 00  |f.....f.....f...|
00000590  00 00 e8 80 00 66 0b c0  0f 84 b0 0b 67 66 0f b7  |.....f......gf..|
000005a0  58 0c 66 81 e3 ff 00 00  00 0f 85 a5 0b 66 8b d8  |X.f..........f..|
000005b0  68 00 20 07 66 2b ff 66  a1 3e 02 e8 00 01 68 00  |h. .f+.f.>....h.|
000005c0  20 07 66 2b ff 66 a1 3e  02 e8 ac 0a 8a 16 0e 00  | .f+.f.>........|
000005d0  b8 e8 03 8e c0 8d 36 0b  00 2b c0 68 00 20 50 cb  |......6..+.h. P.|
000005e0  06 1e 66 60 66 8b da 66  0f b6 0e 0d 00 66 f7 e1  |..f`f..f.....f..|
000005f0  66 a3 11 00 66 8b c3 66  f7 e1 a3 16 00 8b df 83  |f...f..f........|
00000600  e3 0f 8c c0 66 c1 ef 04  03 c7 50 07 e8 3e fc 66  |....f.....P..>.f|
00000610  61 90 1f 07 c3 67 03 40  14 67 66 83 38 ff 0f 84  |a....g.@.gf.8...|
00000620  4c 00 67 66 39 18 0f 85  33 00 66 0b c9 0f 85 0a  |L.gf9...3.f.....|
00000630  00 67 80 78 09 00 0f 85  23 00 c3 67 3a 48 09 0f  |.g.x....#..g:H..|
00000640  85 1a 00 66 8b f0 67 03  70 0a e8 97 06 66 51 1e  |...f..g.p....fQ.|
00000650  07 66 8b fa f3 a7 66 59  0f 85 01 00 c3 67 66 83  |.f....fY.....gf.|
00000660  78 04 00 0f 84 07 00 67  66 03 40 04 eb ab 66 2b  |x......gf.@...f+|
00000670  c0 c3 66 8b f3 e8 6c 06  67 66 03 00 67 f7 40 0c  |..f...l.gf..g.@.|
00000680  02 00 0f 85 34 00 67 66  8d 50 10 67 3a 4a 40 0f  |....4.gf.P.g:J@.|
00000690  85 18 00 67 66 8d 72 42  e8 49 06 66 51 1e 07 66  |...gf.rB.I.fQ..f|
000006a0  8b fb f3 a7 66 59 0f 85  01 00 c3 67 83 78 08 00  |....fY.....g.x..|
000006b0  0f 84 06 00 67 03 40 08  eb c2 66 33 c0 c3 67 80  |....g.@...f3..g.|
000006c0  7b 08 00 0f 85 1c 00 06  1e 66 60 67 66 8d 53 10  |{........f`gf.S.|
000006d0  67 66 8b 0a 66 8b f3 67  03 72 04 f3 a4 66 61 90  |gf..f..g.r...fa.|
000006e0  1f 07 c3 66 50 67 66 8d  53 10 66 85 c0 0f 85 0a  |...fPgf.S.f.....|
000006f0  00 67 66 8b 4a 08 66 41  eb 11 90 67 66 8b 42 18  |.gf.J.fA...gf.B.|

... (code omitted - too long)

00004570  08 e5 07 00 98 e7 04 00  10 18 05 00 98 f9 07 00  |................|
00004580  18 18 05 00 f2 1a 05 00  f4 f5 07 00 f8 1a 05 00  |................|
00004590  96 1d 05 00 40 ef 07 00  9c 1d 05 00 1d 1f 05 00  |....@...........|
000045a0  70 ea 07 00 24 1f 05 00  9a 21 05 00 f0 ef 07 00  |p...$....!......|
000045b0  a0 21 05 00 ef 25 05 00  5c f8 07 00 f8 25 05 00  |.!...%..\....%..|
000045c0  14 27 05 00 f4 df 07 00  1c 27 05 00 93 2c 05 00  |.'.......'...,..|
000045d0  78 f9 07 00 9c 2c 05 00  61 2e 05 00 88 df 07 00  |x....,..a.......|
000045e0  68 2e 05 00 24 30 05 00  1c da 07 00 2c 30 05 00  |h...$0......,0..|
000045f0  73 36 05 00 d0 e7 07 00  7c 36 05 00 86 3a 05 00  |s6......|6...:..|
00004600
Andre-Bulatovs-MacBook-Pro:~ andrebulatov$
iamandrebulatov is offline   0 Reply With Quote
Old Nov 6, 2012, 11:39 AM   #96
iamandrebulatov
macrumors member
 
Join Date: Oct 2012
Chris please don't abandon me man, please help!! What do I do next?
iamandrebulatov is offline   0 Reply With Quote
Old Nov 7, 2012, 03:36 PM   #97
ksk22
macrumors newbie
 
Join Date: Nov 2012
May I intervene here?

I have a similar situation, but maybe of different causes.

I had a disk that was installed with Mac OS X 10.5.8 and Windows Vista, each allocated half of a 500GB disk. The Windows Vista installation was done with the official Bootcamp utility.

One time, Windows Vista froze, and as it didn't respond to any click or key, I shut it down by pressing the power button.

I immediately tried to restart it, but it didn't restart properly, so I thought that something had gone wrong. Not understanding much, I followed some webpages' instructions without much thought, booted from the Windows Vista RE disk, and ran the commands "bootrec /fixmbr, /fixboot, /rebuildbcd".

It still didn't restart properly, so I logged into Mac OS X, and the situation is similar to the original poster's: in Disk Utility, the Windows partition is greyed out as "disk0s3" and cannot be mounted.

At that point, I wasn't sure what situation I was in, so before doing anything further, I decided to clone the 2 partitions of the whole disk, using a commercial program that I had, Data Rescue 3. The cloning itself was successful, but in the process it gave me about 40 slow-read warnings, like taking many seconds just to read a sector. I now think that the hardware was the original cause of Windows Vista's freezing.

I didn't use any partition resizing tools, and the hybrid GPT/MBR partition still seems to be in sync.

Could the bootrec commands have modified things wrongly? Or could it be the whole NTFS corruption?

As I'm not sure how much trouble I'm in or how to proceed, I'd be very grateful if someone more knowledgeable and experienced could shed light, even just on where I am.

Code:
sudo gpt -r -vv show disk0
Password:
gpt show: disk0: mediasize=500107862016; sectorsize=512; blocks=976773168
gpt show: disk0: Suspicious MBR at sector 0
gpt show: disk0: Pri GPT at sector 1
gpt show: disk0: Sec GPT at sector 976773167
      start       size  index  contents
          0          1         MBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6         
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  488386584      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  488796224     264128         
  489060352  487712768      3  GPT part - EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
  976773120         15         
  976773135         32         Sec GPT table
  976773167          1         Sec GPT header
Code:
sudo fdisk /dev/disk0
Password:
Disk: /dev/disk0	geometry: 60801/255/63 [976773168 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
 1: EE 1023 254  63 - 1023 254  63 [         1 -     409639] <Unknown ID>
 2: AF 1023 254  63 - 1023 254  63 [    409640 -  488386584] HFS+        
*3: 07 1023 254  63 - 1023 254  63 [ 489060352 -  487712768] HPFS/QNX/AUX
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused
ksk22 is offline   0 Reply With Quote
Old Nov 15, 2012, 04:03 AM   #98
mithriln
macrumors newbie
 
Join Date: Nov 2012
can't boot after resizing

OK. I tried to read it all, but it seems to me that the solution is specific to what we have in hand.

I have Snow Leopard. I resized my Windows 7 partition using a small program in Windows (first resized the Mac partition in Mac and then expanded in Windows 7 using that unknown program). All was fine and the disk was recognized in Mac after several reboots, until suddenly it wasn't.

disk utility displays:

[Attached image: Screen shot 2012-11-15 at 9.49.55 AM.png]

which is listed having the original partition size (not the expanded one)

command results:

[Attached image: Screen shot 2012-11-15 at 9.57.56 AM.png]

So, what do I do from here? Will I keep my windows 7 data intact? Thanks
mithriln is offline   0 Reply With Quote
Old Nov 19, 2012, 04:05 AM   #99
gigas65
macrumors member
 
Join Date: Mar 2009
Location: Salonica, Greece
Please, a little help again.

Quote:
Originally Posted by murphychris View Post
Not that I can think of.
So I had my HD replaced, put everything back via Migration Assistant, made a new Bootcamp partition (using Bootcamp Assistant) and put my backed-up Winclone image back successfully. It boots if I select it at start by pressing the Option key, but DOES NOT appear in Startup Disks at System Preferences. Can you please advise?
Thanks

Code:
sudo gpt -r -vv show disk0

gpt show: disk0: mediasize=1000204886016; sectorsize=512; blocks=1953525168
gpt show: disk0: Suspicious MBR at sector 0
gpt show: disk0: Pri GPT at sector 1
gpt show: disk0: Sec GPT at sector 1953525167
       start        size  index  contents
           0           1         MBR
           1           1         Pri GPT header
           2          32         Pri GPT table
          34           6         
          40      409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
      409640  1677721600      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  1678131240      264152         
  1678395392   275128320      3  GPT part - EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
  1953523712        1423         
  1953525135          32         Sec GPT table
  1953525167           1         Sec GPT header
Code:
sudo gdisk -l /dev/disk0

GPT fdisk (gdisk) version 0.8.5

Partition table scan:
  MBR: hybrid
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with hybrid MBR; using GPT.
Disk /dev/disk0: 1953525168 sectors, 931.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): A2DAC86A-B7E6-4182-B08E-EC1B42936DCF
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 1953525134
Partitions will be aligned on 8-sector boundaries
Total free space is 265581 sectors (129.7 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  EFI System Partition
   2          409640      1678131239   800.0 GiB   AF00  Macintosh HD
   3      1678395392      1953523711   131.2 GiB   0700  BOOTCAMP
Code:
sudo fdisk /dev/disk0

Disk: /dev/disk0	geometry: 121601/255/63 [1953525168 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
 1: EE    0   0   2 -   25 127  14 [         1 -     409639] <Unknown ID>
 2: AF   25 127  15 - 1023 213  51 [    409640 - 1677721600] HFS+        
*3: 07 1023  71  45 - 1023  57  56 [1678395392 -  275128320] HPFS/QNX/AUX
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused
__________________
iMac 21,5 with 3,33 Ghz-6MB 2LC, 6GB DDR3 Ram, ATI HD4670 and 1TB HD & 256GB SSD, with 10.8.3 & Win 7 via BootCamp, Toshiba Satellite Pro, 1,86 Ghz, 2MB 2LC, 2 GB RAM, 320 GB HD, with 10.4.11 Tiger
gigas65 is offline   0 Reply With Quote
Old Nov 20, 2012, 02:11 PM   #100
murphychris
macrumors 6502a
 
Join Date: Mar 2012
Quote:
Originally Posted by iamandrebulatov View Post
Chris please don't abandon me man, please help!! What do I do next?
I've been out of the country, my lack of participation was unavoidable. But your problem has exceeded my knowledge of NTFS in any case, so I don't see how I can help any further.
murphychris is offline   0 Reply With Quote
