MacOS – Recovering HFS+ partition

data-recoveryhfs+macospartition

I have 2TB Toshiba 3.0 HDD. (1863 GiB). I have rewritten accidentally the GPT partition table and I need to recover it.

Old partition table. I need to recover it

It had FOUR partitions. GPT table with

1) EFI 200 MB

2) HFS+ 1844 GB (with data) ☜ I need to recover this one

3) HFS+ 10 GB (not important)

4) HFS+ 10 GB (not important)

New partition table (accidentally written)

P EFI System 40 409639 409600 [EFI System Partition] [EFI]
P Mac HFS 409640 3906766983 3906357344 (1862.70GiB)

gpt output

iMac-Wrona:~ Wrona$ sudo gpt -r show disk1
       start        size  index  contents
           0           1         PMBR
           1           1         Pri GPT header
           2          32         Pri GPT table
          34           6         
          40      409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
      409640  3906357344      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  3906766984      262147         
  3907029131          32         Sec GPT table
  3907029163           1         Sec GPT header

I used Testdisk, "Deep search" and I found this partition entries.

TestDisk 7.2-WIP, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk /dev/rdisk4 - 2000 GB / 1863 GiB - 3907029168 sectors
     Partition               Start        End    Size in sectors
 D EFI System                    40     409639     409600 [EFI System Partition] [EFI]
 D EFI System                    46     409645     409600 [EFI System Partition] [EFI]
>P MS Data                     2048 3867961343 3867959296 [T2_B]
 D Mac HFS                   409640 3906766983 3906357344  
 D Mac HFS                   528920 3906886263 3906357344
 D Mac HFS                   528992 3906886335 3906357344
 D Mac HFS                   529096 3906886439 3906357344
 D Mac HFS                   529128 3906886471 3906357344
 D Mac HFS                   529168 3906886511 3906357344
 D Mac HFS                   529248 3906886591 3906357344
 D Mac HFS                   529376 3906886719 3906357344
 D Mac HFS                   529456 3906886799 3906357344
 D Mac HFS                   529536 3906886879 3906357344
 D Mac HFS                   529648 3906886991 3906357344
 D Mac HFS                   529704 3906887047 3906357344
 D Mac HFS                   529768 3906887111 3906357344
 D Mac HFS                   529832 3906887175 3906357344
 D Mac HFS                   529888 3906887231 3906357344
 D Mac HFS                   530000 3906887343 3906357344
 D Mac HFS                   530112 3906887455 3906357344
 D Mac HFS                   530216 3906887559 3906357344
 D Mac HFS                   530256 3906887599 3906357344
 D Mac HFS                   530368 3906887711 3906357344
 D Mac HFS                   530432 3906887775 3906357344
 D Mac HFS                   530528 3906887871 3906357344
 D Mac HFS                   530592 3906887935 3906357344
 D Mac HFS                   530680 3906888023 3906357344
 D Mac HFS                   530736 3906888079 3906357344
 D Mac HFS                   530824 3906888167 3906357344
 D Mac HFS                   530936 3906888279 3906357344
 D Mac HFS                   531072 3906888415 3906357344
 D Mac HFS                   531104 3906888447 3906357344
 D Mac HFS                   531120 3906888463 3906357344
 D Mac HFS                   531296 3906888639 3906357344
 D Mac HFS                   531376 3906888719 3906357344
 D Mac HFS                   531440 3906888783 3906357344
 D Mac HFS                   531480 3906888823 3906357344
 D Mac HFS                   531552 3906888895 3906357344
 D Mac HFS                   531672 3906889015 3906357344
 D Mac HFS                   531712 3906889055 3906357344
 D Mac HFS                   531840 3906889183 3906357344
 D Mac HFS                   531960 3906889303 3906357344
 D Mac HFS                   532000 3906889343 3906357344
 D Mac HFS                   532016 3906889359 3906357344
 D Mac HFS                   532184 3906889527 3906357344
 D Mac HFS                   532264 3906889607 3906357344
 D Mac HFS                   532360 3906889703 3906357344
 D Mac HFS                   532400 3906889743 3906357344
 D Mac HFS                   532520 3906889863 3906357344
 D Mac HFS                   532632 3906889975 3906357344
 D Mac HFS                   532936 3906890279 3906357344
 D Mac HFS                   533048 3906890391 3906357344
 D Mac HFS                   533232 3906890575 3906357344
 D Mac HFS                   533272 3906890615 3906357344
 D Mac HFS                   533352 3906890695 3906357344
 D Mac HFS                   533560 3906890903 3906357344
 D Mac HFS                   533664 3906891007 3906357344
 D Mac HFS                   533744 3906891087 3906357344
 D Mac HFS                   533824 3906891167 3906357344
 D Mac HFS                   533840 3906891183 3906357344
Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
                P=Primary  D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
     Enter: to continue
NTFS found using backup sector, blocksize=4096, 1980 GB / 1844 GiB

I need to recover this entry:
>P MS Data 2048 3867961343 3867959296 [T2_B]

IMPORTANT NOTE: The partition It shoul be "Mac HFS", but it appears as "MS Data". I do not know why

I have tried to rewite the partition table with gpt on Mac:

diskutil unmountDisk /dev/disk1
sudo gpt destroy /dev/disk1
sudo gpt create /dev/disk1
sudo gpt add -b 2048 -i 1 -s 3867959296 /dev/disk1

But it does not work!!!!!

This is the status now

iMac-Wrona:~ Wrona$ sudo gpt -r show disk1
       start        size  index  contents
           0           1         PMBR
           1           1         Pri GPT header
           2          32         Pri GPT table
          34        2014         
        2048  3867959296      1  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  3867961344    39067791         
  3907029135          32         Sec GPT table
  3907029167           1         Sec GPT header

sudo dd if=/dev/disk1 skip=409640 bs=512 count=3 | hexdump

This is the output

iMac-Wrona:~ Wrona$ diskutil umountDisk disk1
Unmount of all volumes on disk1 was successful
iMac-Wrona:~ Wrona$ sudo dd if=/dev/disk1 skip=409640 bs=512 count=3 | hexdump

3+0 records in
3+0 records out
1536 bytes transferred in 0.298440 secs (5147 bytes/sec)
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000400 48 2b 00 04 80 00 21 00 48 46 53 4a 00 00 3a 37
0000410 d9 b2 93 73 da 14 65 c2 00 00 00 00 d9 b2 77 53
0000420 00 00 00 ad 00 00 00 13 00 00 10 00 1d 1a c9 0c
0000430 1d 17 9b 2f 00 84 80 00 00 01 00 00 00 01 00 00
0000440 00 00 06 5c 00 00 0d a1 00 00 00 00 00 00 00 01
0000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000460 00 00 00 00 00 00 00 00 15 0e 8e 2a 36 83 cc ce
0000470 00 00 00 00 03 a3 60 00 03 a3 60 00 00 00 3a 36
0000480 00 00 00 01 00 00 3a 36 00 00 00 00 00 00 00 00
0000490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
00004c0 00 00 00 00 00 e0 00 00 00 e0 00 00 00 00 0e 00
00004d0 00 00 d2 38 00 00 0e 00 00 00 00 00 00 00 00 00
00004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000510 00 00 00 00 12 60 00 00 12 60 00 00 00 01 26 00
0000520 00 0d 82 38 00 01 26 00 00 00 00 00 00 00 00 00
0000530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000560 00 00 00 00 12 60 00 00 12 60 00 00 00 01 26 00
0000570 00 00 e0 38 00 01 26 00 00 00 00 00 00 00 00 00
0000580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000600

What I have to do to recover 1844 partition T2_B?

P MS Data 2048 3867961343 3867959296 [T2_B]

Best Answer

Usually the original size of the file system (apart from the partition size in the partition table) is saved in the volume header - the 3rd block(512) of an HFS+-partition/volume (considering the old partition scheme). It's based on the allocation block size and the allocation block number. A "resulting volume" of a falsely applied partition table entry mustn't be initialized or repaired though.

To get the device number and the first three blocks unmount the disk and enter:

diskutil list
sudo dd if=/dev/diskX skip=409640 bs=512 count=3 | hexdump #replace diskX with the device no. found in the previous command; below I assume it's disk1

The allocation block size is an UInt32 starting at 0x0000428

0000400 48 2b 00 04 80 00 21 00 48 46 53 4a 00 00 3a 37
0000410 d9 b2 93 73 da 14 65 c2 00 00 00 00 d9 b2 77 53
0000420 00 00 00 ad 00 00 00 13→00 00 10 00←1d 1a c9 0c
0000430 1d 17 9b 2f 00 84 80 00 00 01 00 00 00 01 00 00

The allocation block number is an UInt32 starting at 0x000042C

0000400 48 2b 00 04 80 00 21 00 48 46 53 4a 00 00 3a 37
0000410 d9 b2 93 73 da 14 65 c2 00 00 00 00 d9 b2 77 53
0000420 00 00 00 ad 00 00 00 13 00 00 10 00→1d 1a c9 0c←
0000430 1d 17 9b 2f 00 84 80 00 00 01 00 00 00 01 00 00

To convert hex to decimal use echo "obase=10; ibase=16; (uppercase hex)" | bc

So the allocation block size of the above example is:

echo "obase=10; ibase=16; 00001000" | bc #(=4096 byte)

and the number of allocation blocks is:

echo "obase=10; ibase=16; 1D1AC90C" | bc #(=488294668)

The total size of the volume is allocation block size x allocation block number: 488294668 x 4096 Byte (= 2000054960128 Byte or 3906357344 blocks(512)).

The resulting partition table looks theoretically like this then:

sudo gpt -r show disk1
       start        size  index  contents
           0           1         PMBR
           1           1         Pri GPT header
           2          32         Pri GPT table
          34           6         
          40      409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
      409640  3906357344      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  3906766984      262147         
  3907029131          32         Sec GPT table
  3907029163           1         Sec GPT header

To get this partition table you'd have to execute:

diskutil unmountDisk /dev/disk1
sudo gpt destroy /dev/disk1
sudo gpt create /dev/disk1
sudo gpt add -i 1 -b 40 -s 409600 -t C12A7328-F81F-11D2-BA4B-00A0C93EC93B /dev/disk1
sudo gpt add -i 2 -b 409640 -s 3906357344 -t 48465300-0000-11AA-AA11-00306543ECAC /dev/disk1

Considering the given command/volume/partition table history either the volume was initialized or some other (human) error occured because the result doesn't fit with the presumed original partition table.

Related Solutions

MacOS – Resetting MBR on iMac

Boot from an install DVD or USB key (If you have one).

From the first installer page choose Disk Utility from the Tools menu.

Check to see if it finds your partition.

Verify/Repair it.

Then, from Tools, choose Startup Disk, and see if you can set your system partition.

If you don't have an install DVD or USB key there are plenty of instructions around on how to do it.

iPartition can change partition schemes without wiping the disk if it comes to that. It's a great tool to have, I've used it a lot for various disk activities over the years, with Linux, Windows, and OSX partitions.

You need a GUID disk to boot OSX normally, not sure how you had it working with an MBR. Disk Utility will normally tell you what you have and how to correct it, if it can.

Long story short - make sure you back up your disk, you're probably going to be reformatting it.

I think I messed up the Fusion Drive on the 1TB iMac (with BootCamp)

Theoretically everything is fine with your Fusion Drive. Fusion Drives look like this. Disk0 is your SSD with 121 GB and disk1 is your HDD with ~1 TB (~1.121 TB summed up).

The larger parts of your SSD (disk0s2) and your HDD (disk1s2) are pooled to a CoreStorage LVG (Fusion Drive: disk3) with a size of 967.8 GB. The rest is reserved for EFIs, a Recovery HD (alltogether ~1.3 GB) and your old Windows partition - now probably free space (~152 GB).

The logical volume 'Macintosh HD' (967.8 GB) spans disk0s2 and disk1s2. This is the first 'Macintosh HD' in picture 1. The volume 'Macintosh HD' - it's the one visible on the desktop - should ideally also have about 967.8 GB. This is the second 'Macintosh HD' in picture 1.
In fact it has only 852.67 GB (see picture 3).

In the second picture the logical volume 'Macintosh HD' is the first listed in black, the volume 'Macintosh HD' is the second listed in black, the other two 'Macintosh HD's listed in grey are the parts of your SSD and HDD dedicated to the logical volume 'Macintosh HD'.

In my opinion something went wrong after deleting various partitions with the Bootcamp Assistant/Disk Utility or in Windows.

Preparation:

Detach any external drive (especially your external Time Machine backup drive)
Restart to Internet Recovery Mode by pressing alt cmd R at startup.
The prerequisites are the latest firmware update installed, either ethernet or WLAN (WPA/WPA2) and a router with DHCP activated.
On a 50 Mbps-line it takes about 4 min (presenting a small animated globe) to boot into a recovery netboot image which usually is loaded from an apple/akamai server.

I recommend ethernet because it's more reliable. If you are restricted to WIFI and the boot process fails, just restart your Mac until you succeed booting.

Alternatively you may start from a bootable installer thumb drive (preferably Mavericks or Yosemite) or a thumb drive containing a full system (preferably Mavericks or Yosemite).

Now you may either repair CoreStorage or rebuild your Fusion Drive:

'Repair CoreStorage' (not recommended):

First i would try to check the volume 'Macintosh HD' with Disk Utility. If the volume is corrupted consider a reinstall of Mac OS X.
If the volume is ok quit Disk Utility
Open Terminal and enter diskutil unmountDisk /dev/LVIdentifier and both diskutil unmountDisk /dev/DiskContainingApple_CoreStorageIdentifier
In your case: first diskutil unmountDisk /dev/disk3 then diskutil unmountDisk /dev/disk0 and diskutil unmountDisk /dev/disk1
remove the EFI NO NAME partition with gpt remove -i IndexNumberOfEFINoName DiskIdentifier:
gpt remove -i 4 disk1
Remount the CoreStorage disks and then the Logical Volume:
In your case: first diskutil mountDisk /dev/disk0 and diskutil mountDisk /dev/disk1 and then diskutil mount /dev/disk3.

enter gpt -r -vvv show /dev/diskIdentfierOfApple_CoreStorage to get infos of your HDD CoreStorage disk.
In your case: gpt -r -vvv show /dev/disk1
It should look like this:

-bash-3.2# gpt -r -vvv show /dev/disk1
gpt show: /dev/disk1: mediasize=1000204886016; sectorsize=512;         blocks=1953525168
gpt show: /dev/disk1: PMBR at sector 0
gpt show: /dev/disk1: Pri GPT at sector 1
gpt show: /dev/disk1: GPT partition: type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, start=40, size=409600
gpt show: /dev/disk1: GPT partition: type=53746F72-6167-11AA-AA11-00306543ECAC, start=409640, size=1671210848
gpt show: /dev/disk1: GPT partition: type=426F6F74-0000-11AA-AA11-00306543ECAC, start=1671620488, size=1269760
gpt show: /dev/disk1: Sec GPT at sector 1953525167                               
     start          size  index contents                                        
         0             1        PMBR                                            
         1             1        Pri GPT header                                  
         2            32        Pri GPT table                                   
        34             6
        40        409600      1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
    409640    1671210848      2 GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
1671620488       1269760      3 GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
1672890248     280634887
1953525135            32        Sec GPT table
1953525167             1        Sec GPT header

The free space on your HDD has 280634887 blocks. Please calculate the biggest block number dividable through 8. That's 280634880 blocks (á 512 bytes) which equals 143685058560 B or ~143.7 GB. Add the size of your HDD CoreStorage Physical Volume (852666400768 B) The result is 143685058560 B + 852666400768 B = 996351459328 B
Resize your HDD CoreStorage physical volume with diskutil cs resizeDisk HDDPVUUID newsize
In your case: diskutil cs resizeDisk 93892BE8-2B7F-4ABD-A4C3-984495DCD98D 996351459328b
Calculate the maximal size of your CoreStorage Logical Volume in diskutil cs list: (size disk0s2) + (size disk1s2) In your case that's 120988852224 B + 996351459328 B = 1117340311552 B. That should be the size of your refreshed Logical Volume Group.
Resize your Logical Volume with diskutil cs resizeVolume LVUUID LVGSize-128 MB In your case that's diskutil cs resizeVolume D237FFDC-7DA4-41D7-AC13-4CC7E5E8C0A0 1117212311552b. If you get an error (There is not enough free space...) choose a smaller size like 1117148311552b.
Quit Terminal and open Disk Utility.
Check your expanded CoreStorage Volume for errors.
Quit Disk Utility, choose your CS volume as startup disk and restart your Mac

'Rebuild Fusion Drive' (recommended if you have a Time Machine backup)

Booted to Internet Recovery Mode open Utilities → Terminal in the menubar and enter:
diskutil cs list to get the CoreStorage listing.
Copy the Logical Volume UUID, it's the fifth listed.
Now delete the Logical Volume with diskutil cs deleteVolume LVUUID.
In your case: diskutil cs deleteVolume D237FFDC-7DA4-41D7-AC13-4CC7E5E8C0A0.
Copy the Logical Volume Group UUID, it's the first listed in the listing of diskutil cs list.
Then delete the Logical Volume Group with diskutil cs delete LVGUUID.
In your case: diskutil cs delete 1EFE58BC-3613-44C4-86EE-D816F3B66E3E
Enter exit and quit 'Terminal'
Open 'Disk Utility'. Enter 'Ignore' if you are asked to fix the drives.
Choose your SSD and partition it: 1 Partition Mac OS X Extended (Journaled), hit the Options button and choose GUID Partiton table and hit OK and Apply.
Please check that the size is ~121 GB

Example:
Choose your HDD and partition it: 1 Partition Mac OS X Extended (Journaled), hit the Options button and choose GUID Partiton table and hit OK and Apply.
Please check that the size is ~1 TB

Example:
Quit Disk Utility and open Terminal
Enter diskutil list

Example (your disk identifiers and sizes are different of course: Your volume SSD probably has the Identifier disk0s2 and the size 121 GB and your volume HDD probably has the Identifier disk1s2 and the size 1.0 TB):
Enter diskutil cs create "Name" IdentifierSSD IdentifierHDD
In your case probably diskutil cs create "Macintosh HD" disk0s2 disk1s2.

Copy the resulting LVGUUID

Example:
Enter diskutil cs CreateVolume LVGUUID jhfs+ "Macintosh HD" 100%.

Example:
Enter diskutil cs list
Check the size of your Logical Volume. It should have the size ~1.121 TB

Example:
Quit Terminal
Open 'Disk Utility' and check your newly created volume for errors
Quit 'Disk Utility'
Attach your external Time Machine backup drive or check this answer if you use NAS or another network share.
Open 'Restore from Time Machine Backup'
Choose the appropriate Time Machine backup and restore your system
Reboot to your restored system.
Unmount and detach your Time Machine backup drive
Open 'Terminal' and enter 'diskutil list'
Check if your 'Recovery HD' is listed.
If your 'Recovery HD' is missing, usually reinstalling your current system with the latest available system installer (e.g. 'Install OS X Mavericks (10.9.5)' if Mavericks is currently installed) will recreate it without loosing any data. AFAIK Recovery Partition Creator 3.8 will NOT create a Recovery HD on CoreStorage volumes.
After reinstalling the system with the latest available system installer open App Store and install the latest security fixes.