MacBook Pro Retina 256GB SSD Recovery
February 4th, 2016, 13:06
Trying to recover data from a 256GB MacBook Pro Retina SSD drive. According to the user shortly after installing the El Capitan upgrade the computer froze, and after rebooting it would hang on a gray screen. Supposedly they did not reformat or otherwise fiddle with the drive after that but of course that should be taken with a handful of salt. I have made a clean DD image of the drive and it did not report any bad sectors. However when the image is mounted in R-Studio it detects the EFI System partition, the Recovery Volume, and a 232GB volume but can only detect contents of the recovery volume and reports a GPT tables error 0x103. Scan for lost HFS file system in both R-Studio and UFS Explorer turns up only the recovery volume and a RAW scan for file types finds only two junk files. When the disk image is opened in hex editor the first information that shows up is this:
which goes on and ends with
followed by a gap and then again starts with this
ending here
After that there is another gap and then what appears to be blocks of encrypted data starting and ending at the following offsets with gaps between them:
0000320000 thru 00003FFFC0
0000420000 thru 00004FFFC0
0000520000 thru 00005FFFC0
0000620000 thru 00006FFFC0
0000720000 etc etc
all the way to
3A01020000
thru 3A010FFFC0
followed by whitespace and finally
which goes on and ends with
followed by a gap and then again starts with this
ending here
After that there is another gap and then what appears to be blocks of encrypted data starting and ending at the following offsets with gaps between them:
0000320000 thru 00003FFFC0
0000420000 thru 00004FFFC0
0000520000 thru 00005FFFC0
0000620000 thru 00006FFFC0
0000720000 etc etc
all the way to
3A01020000
thru 3A010FFFC0
followed by whitespace and finally
Re: MacBook Pro Retina 256GB SSD Recovery
February 4th, 2016, 13:18
My initial suspicion is that perhaps following El Capitan update the user was prompted to enable FileVault encryption on the disk and when they did so the computer may have frozen or slowed down to the point that they thought it was frozen, prompting them to force power off which resulted in a corrupt partition table and partially or wholely encrypted drive.
Last item of interest, R-Studio detects 232GB partition and shows the name Macintosh HD partition and appears to show the expected partition offset but under HFS information is only detects a 619.89MB vol size, this also mirrors what Testdisk found when scanning partition. See pic:
Last item of interest, R-Studio detects 232GB partition and shows the name Macintosh HD partition and appears to show the expected partition offset but under HFS information is only detects a 619.89MB vol size, this also mirrors what Testdisk found when scanning partition. See pic:
Re: MacBook Pro Retina 256GB SSD Recovery
February 8th, 2016, 21:24
Anybody? Other people out there coming across mysterious data loss issues with these retina SSDs?
Re: MacBook Pro Retina 256GB SSD Recovery
February 8th, 2016, 22:06
Text dumps are not useful. I speak hex and expect that most others would prefer this format, too. Without seeing the hex, ISTM that the first screenshots could be 32-bit FATs.
Re: MacBook Pro Retina 256GB SSD Recovery
February 10th, 2016, 17:30
HEX DUMP attached of offset 0x00027040 thru 0x00055450
- Attachments
-
- hexdump01.zip
- (64.1 KiB) Downloaded 514 times
Re: MacBook Pro Retina 256GB SSD Recovery
February 10th, 2016, 17:36
0X001B0E40 thru 0x001DF250
- Attachments
-
- hexdump02.zip
- (64.1 KiB) Downloaded 549 times
Re: MacBook Pro Retina 256GB SSD Recovery
February 10th, 2016, 17:40
0x00320000 thru 0x003FFFF0
- Attachments
-
- hexdump03.zip
- (882.71 KiB) Downloaded 639 times
Re: MacBook Pro Retina 256GB SSD Recovery
February 10th, 2016, 19:44
hexdump01 and hexdump02 are identical. They do look like part of a 32-bit FAT. ISTM that the first small 200MB partition (Recovery Volume) is just a FAT32 volume.
Re: MacBook Pro Retina 256GB SSD Recovery
February 10th, 2016, 21:29
Those are probably the EFI System partition which is apparently FAT-like: https://en.wikipedia.org/wiki/EFI_system_partition
Here's another partial dump of the next chunk that shows up
Here's another partial dump of the next chunk that shows up
- Attachments
-
- hexdump04.zip
- (573.83 KiB) Downloaded 557 times
Re: MacBook Pro Retina 256GB SSD Recovery
February 10th, 2016, 21:34
I'm assuming encryption since running RAW file scans in R-Studio, UFS Explorer and PhotoRec turned up almost nothing (and OS upgrade does sometimes ask to enable File Vault) but I supposed some sort of controller error or logic board problem could have just scrambled the data so badly that it is completely unrecognizable.
Re: MacBook Pro Retina 256GB SSD Recovery
February 10th, 2016, 23:05
I have no experience with HFS/HFS+, but searching for "Mac" and "619.89" turns up quite a few discussions.
For example ...
http://webcache.googleusercontent.com/s ... p?id=21435
Therefore, ISTM that you should have 3 partitions -- a 200MiB EFI FAT32 partition, a 233GiB "Macintosh HD" partition, and a 619.89 MiB Recovery partition.
I would start by examining sectors 0,1,2 in hex mode.
For example ...
http://webcache.googleusercontent.com/s ... p?id=21435
- Code:
Partition File System Label Size Flag
/dev/sda1 fat32 EFI 200.00 MiB boot
/dev/sda2 hfs+ Macintosh HD 232.48 GiB
/dev/sda3 hfs+ Recovery HD 619.89 MiB
/dev/sda4 ext3 204.77 GiB boot
unallocated 128.00 MiB
/dev/sda5 linux-swap 7.33 GiB
unallocated 20.26 GiB
Therefore, ISTM that you should have 3 partitions -- a 200MiB EFI FAT32 partition, a 233GiB "Macintosh HD" partition, and a 619.89 MiB Recovery partition.
I would start by examining sectors 0,1,2 in hex mode.
Powered by phpBB © phpBB Group.