Hexpert, a sector utility by DIY Datarecovery

Current version: 1.0 build 0.9.9

Changes in version 0.9.9

Move/copy multiple sectors from one location to another
Read multiple sectors from disk and write to file
Read multiple sectors from file and write to disk
Undo file will be created only when in 'write enabled' mode.
Help can be called from all menu's now
Undo can be done from all menu's now

Known issues/ to do:

Search function progress counter shows incorrect values, still all sectors are searched.
Copy disk to disk: On some occasions the copy ended in an int13h error and the user found himself in a loop, where the only option was to okay the error, and the error occurred again. The only way out was ctrl+alt+del. Important to know is, that ALL sectors were copied except for the MBR. This can be copied with the 'copy sector to sector' option.
Help is not complete yet.
Undo log file is not created yet.
Undo only capable of undoing last action.
Automatic partition table recovery (will probably be added in Pt-tool, not in Hexpert)

version: 0.97b

Build 0.97b has the following features:

Move/copy sector from one location to another
Read sector from disk and write to file
Read sector from file and write to disk
Edit any sector on the harddrive
Support for four harddrives
An undo file will be created that allows you to recall changes.
Wizard for FAT32 / NTFS bootsector repair
Backup / restore your MBR (a utility for backing up the MBR, not included yet) >> Note: MBRtool is released as a separate utility. Backups created by MBRtool should be restored with MBRtool as well, reason: The backup files are not a plain copy of the sector, information is saved in a proprietary format. Apart from backing up to files, MBRtool can backup to 'spare' sectors as well.
Clone a drive (sector by sector)

Manual

Hexpert version 1.0 build 0.9.X, user manual, HTML version.

The contents of this document:

General information
Copyrights, disclaimer and distribution
Program description
How to use
- menus and options explained
Run errors
Tools used and copyrights
Version history
Known issues
Contact information

General information.

Please note : In this document we refer to the "recovery manual". This recovery manual is not yet finished.

Copyright, disclaimer, permission and distribution notices.

This program is conceived and written by Joep van Steen.
(C) 2000, DIYdatarecovery

You may not include (parts of) this program in your own code and/or programs. Please check below for redistribution notices.

This program does NOT perform any recovery by itself. This is by design. We can and will not be held responsible for any damage that might be inflicted by the user as he or she performs the recovery operations.

You, as the user, are not permitted to:

decompile, disassemble or change the program code in any way;
change the documentation or any text accompanying the program;
change the distribution in any way. No files may be removed from and no files may be added to the distribution;
use this program for commercial reasons or in environments (i.e. companies or persons) that (make a) profit from datarecovery;
(re)sell the program, or accept any fee for distributing or using the program;
redistribute the program. Distribution rules follow.

This program is distributed as Freeware. You are free to use this program, as long as you comply with the above mentioned rules. There is one restriction. You may NOT redistribute the program. This program may not be placed on bbs's, websites, FTP sites or any other location that facilitates download. If this is desired anyway, please contact us on one of the supplied e-mail addresses and we will get back to you.

We also ask that you supply us with feedback on what has been achieved with the program or what has gone wrong. Also, any suggestions for changes or improvements are welcome. Contact information can be found at the end of this document.

We try to provide as much support as we can, however, the number of support requests we receive forces us to be selective. We cannot guarantee a prompt reply to your support request. Registered users will always be helped before non registered users. Problems that are not real dataloss issues are ignored (my system won't boot but I can see all my files..) and will not even be replied.

If you do need our support please see the Help function on the website on where to mail and what information should be included. Incomplete support requests will be ignored and will not receive a reply at all.

Program description.

- In short

A tool that runs in real-mode win9x/DOS environment, that allows access to harddrives through BIOS int13h calls. By using the BIOS for access, it is not required that the OS can access information on the harddrive. Having direct access to raw information on the harddrive can aid in the recovery of the information on the harddisk.

- A little less short

Hexpert offers you powerful features that might aid in the recovery of 'lost' data of a harddrive. Where an OS depends on the integrity of logical structures on the harddrive, Hexpert bypasses these structures, and lets you work with raw data as it is found on the harddrive. Hexpert can be used in conjunction with RepoMan (c) DIYdatarecovery, where RepoMan can help you find 'anchors' or 'significant sectors' and where Hexpert can be used to manipulate these sectors, and by this gaining access to data again through the OS.

Hexpert uses int13H calls to access the harddisk through BIOS. In general this means, if FDISK detects your harddrive, Hexpert can work with it. NOTE: Do not write any information to the drive with FDISK when dataloss occurred!

The program has two modes of operation. These modes can be set in the preferences menu. The modes are:

READ ONLY MODE (default) - Hexpert is in read-only mode when you start the program. In this mode the following options are available; view raw HEX data as found on the harddrive, save sectors to a file (do NOT write to the corrupted harddrive!), search the harddrive for a ASCII string on a given offset within a sector. Searching on a specified offset will reduce the number of unwanted hits when searching for a string like 'MSWIN' (which can reveal the location of a bootsector)

READ/WRITE MODE - Apart from the above options the following are available as well; read a sector from a file and write it to disk, copy a sector from one location to another (the advanced options for FAT32/NTFS bootsector repair are based on this), edit a sector, copy a drive to another drive. The last option can be very useful when a drive is developing bad sectors and the data needs to be copied to a healthy drive. In these scenario's 'conventional' clone utilities might fail, while Hexpert can make several attempts to copy data from 'bad sectors', or if this fails, skip them. This option is also useful when the outcome of recovery interventions is unpredictable and a backup to another drive is required. All write operations will make Hexpert the data that is about to be overwritten back up first. This will allow you to undo your actions if they have unwanted results.

The program does NOT perform any recovery, the user performs the actual recovery operation. For this the user needs to be aware of how operating systems store information on a harddrive, for information on this, visit the DIYdatarecovery website which has information on this and also links to several other informative sites.

For gathering information on the harddrive that can be used for the recovery we suggest the use of RepoMan. RepoMan is a powerful utility that can dig up any information from a harddrive as long as it was not overwritten.

We call the files that RepoMan produces, the Recovery Output. It is advised to view the recovery output in a DOS text editor.
Please note that all hex that is displayed in the recovery output has not been modified in any way, no calculations are performed. The bytes you see are the bytes that are on the disk, as they are. See the Repoman documentation for more detailed information about this program.

How to use.

- Get started.

When performing recovery with Hexpert and when running Hexpert, it is best to do this from a real mode DOS/win9x bootdisk. We assume you know how to create one. When Hexpert can store its temporary files and undofiles on a RAMdrive it will speed up the actions considerably. Note that when the drive is full the temporary and undofiles will be overwritten, no warning is given. Make sure you have a large enough logical drive to hold the undo and temporary files. You should not use the harddisk that the recovery is performed on for this, even if it still contains a valid logical drive.

Include a compression utility on the bootdisk to transport the recovery output from the RAMdrive to any other machine, if so desired. We endorse the ARJ compressor, the best and most flexible commandline compressor available, which can be found here (http://www.arjsoftware.com).

- Starting the program.

Starting the program from the commandline with no parameters will display the main menu. Before the main menu is displayed some checks are performed: the target disk is checked to see if it exists and if it can be read; the disk is scanned for drive overlay signatures. If any errors occur during these checks the user is notified.

If the disk can not be found or read, the program exits with an int13H error code. Use the code to see which exit condition is the cause for the abort and see if you can fix the problem. The list with exit int13H error return codes can be found in the "run errors" section.

If a signature for drive overlay software is found the program will notify the user. The program will not abort. The user should check to see if the drive overlay software is loaded. If not, the CHS can be erratic and can not be used for recovery.

- The menus

When the program is ready for use it will display the main menu :

The left side of the screen contains the menu options, the right side contains information on the current disk geometry and the current settings. The black bar displays other options that are available from this menu.

The top line contains the program name and version information.

The bottom green line displays information on the menu you are in, the mode the program is in (ro-readonly, rw-readwrite), the number of undofiles that is kept (default is 5), and the value for retries in case a read/write error is encountered (default is 4). In the latest version it also displays the number of sectors that are read/written.

The bottom 3 lines are used for status information and for user input. During a search the location that is currently scanned is displayed. If a match is found you'll be notified in this area of the screen as well.

The basic screen layout is the same for all menus.

Main menu options :

[p] - use this option to enter the source sector(s) and destination values. Source values will be used for ALL read actions, and destination values for ALL write actions. Sectors are entered on a C/H/S (Cylinder / Head / Sector) bases.
[a] - Takes you to the advanced options menu; repair a FAT32/NTFS bootsector, search for phrase in specific offset and copy an entire disk to another drive.
[q] - Settings can be entered here, toggle read/write mode, number of retries and number of undofiles that should be kept.

[c] - Copy sector(s) from one location to another on same harddrive or another harddrive. Values that you have entered in the parameters menu are used.
[s] - Save sector(s) to a file. Values entered for source are used. You will be prompted to enter a filename.
[r] - Read sector(s) from a file and write them to disk, values entered as destination are used. You will be prompted to enter a filename where the information should be read from.
[e] - Edit the sector(s) that are specified as source. For this purpose, hexpert will start an external hexeditor. Here you can edit the sector, F12 exits the hexeditor and sectors will written to disk.

[i] - will show some info on the program.

Note: All actions that include write operations to the drive, will only actually write if the program is in 'rw' mode!

Note: All write actions will provoke Hexpert to create an undofile of the sector that is to be written to first. At this point Hexpert does not log these undofiles yet. It is therefor advised to keep a list of, which undofile was created during which actions!

Press Escape to exit the program.

[F1] - Displays generic help
[F7] - Resets ALL (!) values to defaults and rescans drive geometry.
[F8] - Undo the last write action. Note: The last values that were set as destination will be overwritten with the contents of the last created undofile. This implies, that is you have changed the destination values the wrong sector(s) will be corrected! If you make this mistake press F8.

The parameters menu:

[f] - Sets the source drive that sector(s) will be read from.
[t] - Sets the destination drive where sector(s) will written to.
[s] - The sector(s) that will be read into memory. You will be asked to specify the location in Cylinder/Head/sector
[e] - The sector(s) where will be written to. Location is to be entered in Cylinder/head/sector

The advanced options menu:

[f] - Repair a FAT32 bootsector by using the backup bootsector. You will be prompted to enter the start Cylinder/Head/Sector for the partition. These values can be read from a partinfo (included in distribution, syntax: 'partinfo>filename.ext [enter]'.
[n] - Repair a NTFS bootsector with the backup bootsector. You will be prompted to enter start CHS values and end CHS values for the partition. These values can be read from a partinfo.
[d] - Make a sector by sector copy from a harddrive to another harddrive. Important: The destination harddrive must have the same geometry as the source drive! The destination drive must be at least equal in size to the source drive! So, if we take the above screendump as an example, I can copy the first to the second drive, but not the 2nd drive to the 1st!
[s] - Search for ascii string on set offset within sectors. Example, to find a FAT32 (backup)bootsector enter MSWIN for search string and '4' for offset. The search is case sensitive and offset count is one based!

The preferences menu

Values set in this menu will be displayed in the green status bar.

[u] - Lets you specify the number of 'undo-files' to keep. When hexpert is in read/write mode, before dumping a sector from file/memory to drive, Hexpert will first read the sector that is to be written to and save the contents to a file. This not true for doing a drive to drive copy! It is up to you to keep track of which undofile was created for which sector(s). So a suggestion is to keep notes when you do write actions. Note down, the undofile.xxx was created when you wrote to X/X/X sector. If the number of undofiles is reached, Hexpert will start from undofile.001 again overwriting the existing one with the same name.
[c] - Hexpert uses the BIOS int13h routines for reading/writing to file. If an error occurs during a read/write operation the BIOS will put an error code in a specified CPU register. Hexpert will evaluate the code in this register to determine if the read/write was successful. If an error was encountered Hexpert will try to repeat the action for the number of times you set under this option. On a bad drive, where a lot of read errors occur you can specify a higher value than default to try to read as much information as possible.
[w] - Toggle readonly mode / readwrite mode. All actions that involve a write operation require the program to be in read/write mode. In read/write mode the undofile creation will be invoked as well.
[n] - Default, Hexpert will read / write one sector per action. If you want to read multiple sectors to save them to a file for instance, you can alter the number of sectors here (max 63).

Undoing unwanted changes.

If you by accident initiate a write action (and overwrite valid information with invalid information), you can undo this, as long as you didn't alter any parameters anywhere in the program! So do NOT change source destination values and above all do NOT press F7(reset)! Instead press function key 'F8'.

When pressing F8, Hexpert will read the latest undofile into memory and write the contents to the last chosen destination sector(s).

What if you discover unwanted changes later? You can manually copy the contents of any undofile with the option 'read sector(s) from file'. To do so the following information is required (and this is why I suggested to keep track of changes you make using a notepad), the location where the information is to written to, the number of sectors to be written and the undofile that holds the information. Hexpert does not yet keep a logfile from which this information can be determined.

1. So from your notes determine: On what location did I make a change that had unwanted consequences, how many sectors did I write there and what was the name of the undofile created during this write action?

2. Set the number of sectors in the preferences menu

3. Set the destination drive and sector in the source/destination menu

4. Select the option 'read sector(s) from file' and enter the undofile name when prompted for a filename.

Run errors.

If a problem occurs during a read/write action, the program will retry for the set value. A description of the error will be given unless the error is unknown, in which case the user will be given the errorcode. See contact information for info on how to deal with this. DOS level errors are handled by DOS at this time. So for instance, if the diskette is specified as location to save a file to, but the diskette is not ready, the standard DOS error will be displayed:

Drive not ready (a)bort,(i)gnore,(r)etry?

If at this point a diskette is inserted and the (r) option selected the program will recover gracefully.

If an error in an int13H function occurs, the program will not abort, unless the error occurred during the initialization phase. Instead it will retry the operations a number of times as was specified in 'retry'.

The error return codes for int13H functions that are passed on by Hexpert:

01h invalid function in AH or invalid parameter

02h address mark not found

03h disk write-protected

04h sector not found/read error

05h reset failed (hard disk)

07h drive parameter activity failed (hard disk)

08h DMA overrun

09h data boundary error (attempted DMA across 64K boundary or >80h sectors)

0Ah bad sector detected (hard disk)

0Bh bad track detected (hard disk)

0Ch unsupported track or invalid media

0Eh control data address mark detected (hard disk)

0Fh DMA arbitration level out of range (hard disk)

10h uncorrectable CRC or ECC error on read

11h data ECC corrected (hard disk)

20h controller failure

40h seek failed

80h timeout (not ready)

AAh drive not ready (hard disk)

BBh undefined error (hard disk)

CCh write fault (hard disk)

E0h status register error (hard disk)

FFh sense operation failed (hard disk)

Practical uses.

When writing this Hexpert has been used a lot of times already in practical situations. Just to give you some idea of the purpose of the program I'll give some examples.

Hepxert has already recovered a number of FAT32 and NTFS bootsectors. Hexpert doesn't actually 'fix' them, it simply uses the fact that on FAT32 and NTFS partitions a backup of the bootsector is kept. So, if a bootsector becomes corrupted, one can try if the backup bootsector is still valid, by simply copying the backup bootsector over the corrupted bootsector. This can be done by using the option 'copy sector to sector', the wizards in the advanced options menu just step you through this process.

Hexpert has been used to repair FAT16 bootsectors. Although it is possible to reconstruct a FAT16 bootsector from scratch, we simply created a 'dummy' FAT partition and formatted it it the same size as the corrupted FAT partition. Once this was done we saved the bootsector of the healthy partition as a file and restored it over the corrupted bootsector.

Hexpert has been used by us to have help requesters save sectors as file because we wanted to have a look at them and/or edit them. The modified sectors were sent by email and restored to the computer where data was lost.

Hexpert has been used to clone drives.

Based up on these experiences Hexpert will be enhanced in next versions: Copy to drive with different geometry - create image of partitions - fix bootsectors automatically - edit a sector as it were a bootsector/partition table (can also be done with Pt-tool right now) - support for large harddrives - move partitions. Feel free to submit enhancement requests!

Known issues.

The program does not give any feedback when the that Hexpert is run from is full. Hexpert needs free space on this drive, to store temporary information and log files.
The program is limited to the first 1024 cylinders of a harddisk.
Sometimes the (e) option in the main menu will not work. We are aware of this problem and are working on it. You can work around this by saving the sector you wish to edit as a file, the exit Hexpert and from the command line type 'patch filename.ext [enter]', where filename.ext represents the file you created.

Contact information.

DIYdatarecovery

website : DIY datarecovery, (http://diydatarecovery.sites.cc)
E-mail : webmaster (webmaster@diydatarecovery.sites.cc)

If you experience an unknown error or any other problems please mail us on one the above mentioned addresses. Please explain the situation in which the error occurred and note any codes or text the program displayed during the error. Also include a description of the machine the program is running on, try to be as specific as you can. Also include the Hexpert version number.