Posted by: kezhong | June 27, 2009

Linux EXT2/EXT3 Superblock Recovery

Each file system has one superblock, which contains information about file system such as file system type, size, status and information about other metadata structures. If it lost, you would be in trouble so Linux maintains multiple redundant copies of the superblock in every file system.

I read the article “Surviving a Linux Filesystem Failures” on nixCraft, and did the test that destroyed and also recovered the ext2 and ext3 filesystem superblock on Fedora 9. The following is the steps.

EXT2 filesystem

In my machine, there is an ext2 filesystem /dev/sda6 which its mount point is /fs2.

Firstly, I should know the location of superblocks and the size of block.
[root@localhost ~]# dumpe2fs /dev/sda6 | grep –i superblock
dumpe2fs 1.40.8 (13-Mar-2008)
  Primary superblock at 1, Group descriptors at 2-2
  Backup superblock at 8193, Group descriptors at 8194-8194
  Backup superblock at 24577, Group descriptors at 24578-24578
  Backup superblock at 40961, Group descriptors at 40962-40962
  Backup superblock at 57345, Group descriptors at 57346-57346
  Backup superblock at 73729, Group descriptors at 73730-73730
[root@localhost ~]# dumpe2fs /dev/sda6 | grep –i ‘block size’
dumpe2fs 1.40.8 (13-Mar-2008)
Block size:                               1024 

From the above, I knew there are 5 backup superblocks and the block size is 1024 bytes. The location of primary superblock is at 1. The locations of these 5 backup superblocks are at 8193,24577,40961,57345 and 73729 respectively. If you want to know the filesystem’s block size, there are another two ways that you can use tune2fs and ext3grep commands. For example,
[root@localhost ~]# tune2fs –l dev/sda6 | grep –i ‘block size’
[root@localhost ~]# ext3grep /dev/sda6 | grep –i ‘block size’ 

Then, I destroyed the superblock as below.
[root@localhost ~]# dd if=/dev/zero count=1 bs=1024 seek=1 of=/dev/sda6 

I checked the effect, and found I still could change to /fs2 directory. I could still list its contents. But the system gave me error messages when I tried to create a file or copy files.
[root@localhost ~]# cd /fs2
[root@localhost ~]# ll
total 19
drwx—— 2 root root 12288 2009-06-25 08:57 lost+found
-rw-r—r—1 root root   135 2009-06-25 18:15 qaz
 … … 

[root@localhost fs2]#cp qaz wsx
cp: overwrite  `wsx’? y
cp: writing `wsx’: No space left on device
 [root@localhost fs2]#cp qaz edc
cp: cannot create regular file `edc’: Input/output error 

When I run the dumpe2fs command, it told me the superblock had been destroyed.
[root@localhost fs2]#dumpe2fs /dev/sda6
dumpe2fs 1.40.8 (13-Mar-2008)
dumpe2fs: Bad magic number in super-block while trying to open /dev/sda6
Couldn’t find valid filesystem superblock. 

I recovered the superblock.
[root@localhost ~]# dd if=/dev/sda6 count=1 bs=1024 skip=8193 seek=1 of=/dev/sda5

After that, I checked if I can create and copy files. I found they worked. And the command dumpe2fs could display normally. 

EXT3 filesystem

In my machine, there is another ext3 filesystem /dev/sda5 which its mount point is /fs3.

Check the location of superblocks and the size of block.
[root@localhost ~]# dumpe2fs /dev/sda5 | grep –i superblock
dumpe2fs 1.40.8 (13-Mar-2008)
  Primary superblock at 0, Group descriptors at 1-1
  Backup superblock at 32768, Group descriptors at 32769-32769
  Backup superblock at 98304, Group descriptors at 98305-98305
  Backup superblock at 163840, Group descriptors at 163841-163841
  Backup superblock at 229376, Group descriptors at 229377-22937
[root@localhost ~]# dumpe2fs /dev/sda5 | grep –i ‘block size’
dumpe2fs 1.40.8 (13-Mar-2008)
Block size:                               4096 

From the above, I knew there are 4 backup superblocks and the block size is 4096 bytes. The location of primary superblock is at 0. The locations of these 4 backup superblocks are at 32768, 98304, 163840, and 229376.

Destroy the superblock.
[root@localhost ~]# dd if=/dev/zero count=1 bs=4096 seek=0 of=/dev/sda5 

I found I still can change to /fs3 directory. But when I listed its contents, there is nothing. I used dumpe2fs command to check, it told me the superblock has problem. Then I tried to recover the superblock like the above approach, however, it did not work. I restarted the system. The system displayed it unable to resolve the filesystem and could not boot up. I entered the maintenance mode and tried to recover using the method as below. It did not work.
(Repair filesystem) 1 # e2fsck –f –b 32768 /dev/sda5
e2fsck 1.40.8 (13-Mar-2008)
e2fsck: Device or resource busy while trying to open /dev/sda5
Filesystem mounted or opened exclusively by another program? 

Then I used another method, after I reboot the system it worded.
(Repair filesystem) 2 # e2fsck –f  /dev/sda5
(Repair filesystem) 3 # reboot 

From the test, I realized that the information of the filesystem’s superblock is very important. We’d better backup it to the root because we can still read it through maintenance mode even if the system can not boot up normally. Don’t forget run the following command.
#dumpe2fs /dev/sda5 > /dumpe2fs-sda5 

References
Surviving a Linux Filesystem Failures

About these ads

Responses

  1. Perfect!

  2. I can’t thank you enough :p

  3. hello All,

    I want to have general idea how to take bootable backup of RHEL 5 so that in disaster i can recover my server. I searched everywhere but did not get any luck. i found this blog good one so I’m posting my query. I’m very new to RHEL. in AIX I’ve mksysb tool take bootable backup and using that i can restore as well. if there is no such tool then please suggest me the whole steps. Thanks Priyank Saxena

  4. I cannot see block size in my ext3 filesystem.

    [root@box2 ~]# dumpe2fs /dev/mapper/rootvg-lvhome | grep -i superblock
    dumpe2fs 1.39 (29-May-2006)
    Primary superblock at 1, Group descriptors at 2-2
    Backup superblock at 8193, Group descriptors at 8194-8194
    Backup superblock at 24577, Group descriptors at 24578-24578
    Backup superblock at 40961, Group descriptors at 40962-40962
    Backup superblock at 57345, Group descriptors at 57346-57346
    Backup superblock at 73729, Group descriptors at 73730-73730
    [root@box2 ~]#
    [root@box2 ~]# dumpe2fs /dev/mapper/rootvg-lvhome | grep ‘block size’
    dumpe2fs 1.39 (29-May-2006)
    [root@box2 ~]#

  5. Thanks for the blog post, it prodded me in the direction I needed to go. I accidentally overwrote my superblock by a luksformat.

    If you’ve wiped your superblock, just issue “mkfs.ext3 -n /dev/sda1″, and it will dump the information you need.

  6. Hi guys I need your help
    I have a case where hard disk with linux ext3 file system was overwritten ( 100gb partition was created out of original 300Gb ) and OS was reinstalled. Is there any chances to recover original data?
    Thank You
    Sameer

    • Um, no, your data will be pretty much toast if you’ve overwritten it. You’d need to give your drive to someone who has forensic analysis hardware. And I bet that is very expensive.

  7. Dear kezhong,
    With your advises I could rescue my disk (Maxtor, 150Gb, ext3) and save my data. I first thought that the harddisk was definitely broken, then I started to search in the internet. The disk was seen by the bios but no acces, no mount, nothing. Finally your Ext2-procedure worked for my Ext3-disk. I put it in an old computer, booted with a Puppy live CD and made the manipulations from puppy linux.
    Thanks a lot, you’re great !
    steve

  8. Hi there, I spotted your blog on http://kezhong.wordpress.

    com/2009/06/27/linux-ext2ext3-superblock-recovery/
    while looking for a corresponding subject, your website came up, it seems good.
    I’ve bookmarked it in my google book marks.

  9. Hi, I came across your page on and although the writing looks
    great, I believe that your blog may be having a couple internet
    browser compatibility issues. Whenever I have a look at your page in Chrome, it looks fine however, when opening in Firefox,
    it has a bunch of overlapping difficulties.
    I simply wanted to provide you with a quick alert, that’s all.

  10. When I initially commented I clicked the “Notify me when new comments are added” checkbox
    and now each time a comment is added I get several emails
    with the same comment. Is there any way you can remove me from that service?
    Thanks!

  11. When I initially commented I appear to have clicked the -Notify me
    when new comments are added- checkbox and from now on whenever
    a comment is added I get four emails with the exact same comment.
    Is there an easy method you can remove me from that service?
    Thanks a lot!

  12. I read this piece of writing completely on the topic of the difference of
    most up-to-date and preceding technologies, it’s amazing article.

  13. Thanks for the marvelous posting! I certainly enjoyed reading it, you’re a great author.I will make certain to bookmark your blog and will eventually come back very soon. I want to encourage yourself to continue your great writing, have a nice holiday weekend!

  14. Greetings! This is my 1st comment here so I just wanted to give
    a quick shout out and tell you I truly enjoy reading your
    articles. Can you recommend any other blogs/websites/forums that
    deal with the same topics? Thank you!

  15. I usually do not leave many responses, but after reading through a bunch of responses here Linux EXT2/EXT3 Superblock Recovery | Kezhong’s Weblog. I actually do have a few questions for you if you tend not to mind. Could it be simply me or does it look as if like some of the responses come across like they are coming from brain dead people? :-P And, if you are posting on additional social sites, I would like to keep up with you. Could you list of all of all your public pages like your linkedin profile, Facebook page or twitter feed?

  16. Currently it looks like Expression Engine is the preferred blogging platform out there right now.

    (from what I’ve read) Is that what you’re using on your
    blog?

  17. Thanks for another great post. The place else may anyone get that kind of information in such a perfect approach of writing? I’ve a presentation subsequent week, and I am on the search for such information.

  18. Hi there, I discovered your blog via Google even as searching for a comparable subject,
    your site came up, it seems to be great. I’ve bookmarked it in my google bookmarks.

    Hello there, just turned into aware of your weblog thru Google,
    and found that it is really informative. I am going to watch out
    for brussels. I’ll appreciate in the event you continue this
    in future. Numerous folks might be benefited out of your
    writing. Cheers!

  19. They help refill your stomach and that means you wont feel like overeating and become fillers. The Bowtrol cleanse therapy also introduces probiotics within the body. The product is created to buttress the gut.

  20. I am actually happy to glance at this webpage posts
    which consists of plenty of valuable facts, thanks for providing these kinds of information.

  21. Wonderful beat ! I would like to apprentice while you amend
    your site, how could i subscribe for a blog website?
    The account aided me a applicable deal. I had been tiny bit acquainted of this
    your broadcast provided vivid transparent concept

  22. I’ve been exploring for a bit for any high qualiy articles or weblog posts in this sort of area .
    Exploring in Yahoo I at last stumbled upon this website.

    Studying this information So i’m satisfied to exhibit that I have an incredibly just right
    uncanny feeling I came upon just what I needed.
    I so much definitely will make sure to do not overlook this website and give it a glance regularly.

  23. Wheen some one searches fߋr his essential tɦing, tɦus ɦe/ѕhe wishes
    to be availablе thɑt inn ԁetail, so that
    ting is maintained օver Һere.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

Follow

Get every new post delivered to your Inbox.

Join 43 other followers

%d bloggers like this: