1LDE(8)                                                                  LDE(8)
2
3
4

NAME

6       lde - a curses based file system viewer/editor for Linux
7

SYNOPSIS

9       lde [options] device
10

DESCRIPTION

12       lde  supports  the  three  most popular file systems under Linux at the
13       time of its inception: ext2fs, minix, and xiafs.  It also  has  minimal
14       support  for msdos FAT file systems and a nofs system in which case lde
15       will function as a binary editor.  lde will  attempt  to  automatically
16       detect  the  file  system  present  on  the  device  or file when it is
17       started, if it does not  recognize  the  file  system  present  on  the
18       device, it will default to nofs.
19
20       lde  allows you to view and edit disk blocks in hex or ASCII mode, view
21       a block that contains directory entries in a readable fashion, and view
22       and edit formatted inodes.  lde is a great help when recovering deleted
23       files (see doc/UNERASE included with  the  lde  distribution  for  more
24       info).
25
26       The device parameter is a required option for lde.  If omitted, it will
27       print a warning and refuse to start.  The default mode for  lde  is  to
28       use  a  curses  interface; this can be overriden by some of the options
29       listed below.
30
31

OPTIONS

33       -a, --all
34              Indicates that searches should be performed on the entire  disk.
35              If  -a is not specified, only data zones which are marked not in
36              use will be searched.
37
38       --append
39              Always append data to existing recovery file.  If file does  not
40              exist, create new file.
41
42       -b (--block) block_number
43              Format  a  single  block  as hex and dump it to standard output.
44              Specify -N to dump more than one block.
45
46       -B block_number
47              Format all blocks after specifed block_number as hex and dump to
48              standard output.  You can use -N to specify the number of blocks
49              to display.
50
51       --blanked-indirects
52              Linux <= 2.0.33 blanks all the indirect blocks  when  truncating
53              an  inode.   The  inode  still knows where the 1x/2x/3x indirect
54              blocks are, but they're full of zeros.  This was  a  quick  hack
55              that  works  to  restore small (>12k <~500k) unfragmented files.
56              It can be toggled via the flags menu in the curses interface.
57
58       -d block_number
59              Dump a block's data to standard out as unformatted binary  data,
60              (  like  cat and faster than dd ).  Specify -N to dump more than
61              one block.
62
63       -D block_number
64              Dump all blocks after block_number to standard out as  unformat‐
65              ted binary data.  You can use -N to specify the number of blocks
66              to dump.
67
68       -f, --file recovery_file_name
69              Signal lde that we want to recover an inode to a file and  spec‐
70              ify  its name.  You should specify the inode number to be recov‐
71              ered with the -i option.
72
73       -g, --grep
74              This option was designed to work with grep output.  Grep a  file
75              for  lost  data,  pipe it through awk to yield just byte offsets
76              where the desired string lies.  lde will  then  find  the  block
77              corresponding  to  the  desired  offset and try to find an inode
78              which references this block.  A sample script is  included  with
79              the lde distribution (crash_recovery/grep-inode).
80
81       -h, --help
82              Display extended help.
83
84       -i (--inode) inode_number
85              Format  and  dump a single inode to standard output.  Specify -N
86              to dump more than one inode.
87
88       -I inode_number
89              Format and dump all inodes after inode_number to  standard  out‐
90              put.  You can use -N to specify the number of inodes to display.
91
92       --indirects
93              Search  the  filesystem  for  blocks  that  looks  like indirect
94              blocks.
95
96       --ilookup
97              When searching, if we find a match, activate this flag to lookup
98              the  inode which contains the matched block.  It might be easier
99              and faster to do this with paper and use  lde  to  interactively
100              lookup  only  the  blocks which have a high probability of being
101              the one you want.  --ilookup can also be used if the  -B  or  -b
102              option  is  specified  to try to find an inode reference for the
103              specifed blocks.  When using -B you may want to specify -N also.
104
105       --logtofile
106              Debugging option.  All of  lde's  messages  will  be  dumped  to
107              /tmp/ldeerrors.
108
109       -L --length
110              Sets search string length (when using -T with a filename).
111
112       -N --limit
113              Sets  the  number of blocks to display when using inode or block
114              dumps.  If unspecified, default is to the end of the  filesystem
115              ( -I -B -D ) or a single block ( -i -b -d ).
116
117              -N can also be used to specify a block to begin/resume searching
118              at.  If unspecified in this usage, it defaults to the first data
119              zone.
120
121       -O --offset
122              Sets  search string offset (when using -T with a filename).  The
123              first byte in the  template  file  is  0.   When  searching  for
124              matches, the block will be examined starting at this offset.
125
126       -p, -r, --paranoid, --safe, --read-only
127              Open  the  device  read  only.  Once set, this cannot be toggled
128              from within the program.
129
130       -q, --quiet
131              Turn off bell.
132
133       --recoverable
134              When searching, check that any inodes found  contain  a  deleted
135              file  that  may  be recovered.  --ilookup must also be activated
136              for this option to have any effect.  If  no  blocks  are  marked
137              used  by another inode, "recovery possible" will be printed.  If
138              blocks are used by another file "recovery NOT possible" will  be
139              printed  to  the screen.  You may still be able to get some data
140              back even when it reports that recovery is not possible.  To get
141              an  idea  of  how many blocks are in use, you will have to check
142              its recoverablilty  from  lde  via  its  curses  interface  (see
143              Recover mode below).
144
145              If  --recoverable  is  used  with  -I  1 , it will check all the
146              deleted inodes to see if they can be  recovered.   The  deletion
147              time  of the inode will be printed to the screen if it is recov‐
148              erable.
149
150       -s (--bs or --blocksize) block_size
151              Override blocksize which lde has detected.   The  blocksize  may
152              have  been  read from the information (superblock) stored on the
153              disk or is what lde would consider  the  default  blocksize  for
154              that  type  of  filesystem  (generally  1024  bytes).  With this
155              option, you can force lde to use a different blocksize.
156
157       --superscan
158              Try to find ext2 signature  on  device.  Supersedes  functionaly
159              previously provided by find_ext2_fs.
160
161       -S string
162              Search  disk  for  data  (of questionable usefulness).  This was
163              more for searching for a specific type of  file  (which  is  now
164              easier  with  -T ) rather than file data.  To search for data or
165              strings, use the --grep option.  If you insist on using -S which
166              might  be prudent occasionally, The offset of the string must be
167              specified with -O , and each block will  only  be  inspected  at
168              that  offset.  If -O is not specified, then 0 is assumed and the
169              string must lie at the start of a block.  You can  also  specify
170              the  block to begin/resume searching from with -N which defaults
171              to the first data zone.
172
173       -t fstype
174              Override the auto-detect. fstype = {no,  minix,  xiafs,  ext2fs,
175              msdos}
176
177       -T type
178              Search  disk  for data. This will search the start of each block
179              for numbers found in /etc/magic for certain types of files, cur‐
180              rently supported types are {gz, tgz, script}.
181
182              Note:  type  tgz only finds tar files that were created with gnu
183              tar using its cfz options.  Use gz to find tar files  that  were
184              compressed after creation (or through a pipe?).
185
186              If  you  specify a filename after the -T option, it will read in
187              the first block of the file and search the filesystem for  some‐
188              thing  which matches it exactly.  This may be useful for finding
189              deleted copies of files (i.e.  you've  found  version  1.0,  but
190              deleted  version  1.5 and now want to recover it) or with the -L
191              and -O options, you can pick off a  few  bytes  and  search  for
192              magic  numbers  in a certain file type.  When using the filename
193              option, you really should specify -L and -O or they will default
194              to  BLOCKSIZE  and  0.   You  can  also  specify  the  block  to
195              begin/resume searching from with -N which defaults to the  first
196              data zone.
197
198       -V, --version
199              Display version information.
200
201       -w, --write
202              Allow writes to the disk.
203
204
205

CURSES INTERFACE

207       The  lde  main  screen  displays  the  file  system's superblock in the
208       workspace window.  The header window will be the same for all modes and
209       indicates  the  program  name  and  version,  the  device,  the current
210       selected inode, and the current selected block.  There  are  also  nine
211       digits  (and  some  extra  characters shifted-12456 on an American key‐
212       board, sorry I  skip  '#'  which  is  reserved  for  another  function)
213       "0123456789!@$%^"  which indicate the status of a bogus inode which can
214       be used for file recovery.  A digit means the inode block entry has not
215       been filled yet, a minus sign indicates that it has been filled.
216
217       While  displaying  the superblock, you can use the following keys which
218       are valid in most modes:
219
220              b      to enter block mode
221
222              d      display the directory contents of the  current  inode  or
223                     block
224
225              f      menu of runtime flags
226
227              i      to enter inode mode
228
229              r      to enter recover mode
230
231              s      return  to super block mode ( only valid from other modes
232                     )
233
234              q      to quit
235
236              v      view the error/warning log
237
238              ^L     to repaint the screen
239
240              ^O     display menu of valid choices ( also F2 )
241
242              F1     display help screen ( also M-h or ?  )
243
244       I have tried to implement cursor motion modes similar to  both  vi  and
245       emacs  (M  =  meta  key, ^ = control key, ESC is recognized as the meta
246       key, M-ESC is recognized occasionally as ESC -- to exit menus).
247
248                        vi    emacs
249               UP       k      ^P
250              DOWN      j      ^N
251              LEFT      h      ^B
252              RIGHT     l      ^F
253              PG_UP     ^U     M-v
254              PG_DN     ^D     ^V
255
256
257       Inode mode:
258
259              Once in inode mode, the current inode will be displayed  in  the
260              workspace window.
261
262
263              PG_DOWN
264                     Make next inode the current inode.
265
266              PG_UP  Make previous inode the current inode.
267
268              arrows Move cursor to different fields of inode.  Up and left go
269                     back one field, down or right will go to the next field.
270
271              0123456789!@#$%^
272                     Add corresponding block entry  from  this  inode  to  the
273                     recovery list.
274
275              B      Switch to block mode, examining block under cursor.
276
277              b      Switch  to block mode, examining current block (displayed
278                     in status line).
279
280              c      Copy inode to inode copy buffer.
281
282              e      Edit inode information.  Use the  cursor  to  select  the
283                     field  you  want  to  edit, then hit RET ^M ^J or e and a
284                     line will pop up at the bottom of the screen,  enter  the
285                     new  value  here.   Entering  a blank line will leave the
286                     value unchanged.
287
288                     Dates can be entered in any format  other  than  the  one
289                     displayed  on the screen.  The year must be kept near the
290                     month and day.  Use formats like  "24SEP96  10:00:01"  or
291                     "10:00:01   Sep  24,  1996".   "12/24/96"  will  probably
292                     default to the American interpretation MM/DD/YY.   I  did
293                     not  write  the  date parser, so I don't want to hear any
294                     complaints about it.
295
296              p      Paste inode from inode copy buffer.
297
298              r      Switch to recover mode.
299
300              R      Switch to recover mode, copy current inode block informa‐
301                     tion into recovery inode.
302
303              #      This  will  prompt the user to enter a number and it will
304                     then make that the current  inode.   The  number  may  be
305                     entered as hexadecimal (leading 'x', '0x', or '$'), octal
306                     (leading '´), or decimal.
307
308              M-b    View inode in its raw block format.
309
310       Block Mode:
311
312       In block mode, the current block will be displayed in  hexadecimal  and
313       ASCII.  The numbers along the left hand side of the screen are hexadec‐
314       imal offsets from the beginning of the block.  As much of the block  as
315       possible will be displayed.  If the block is marked unused, the central
316       row of ':' will spell out NOT USED.
317
318
319              PG_DOWN
320                     Display next chunk of this block.
321
322              PG_UP  Display previous chunk of this block.
323
324              +      Make next block the current block.
325
326              -      Make previous block the current block.
327
328              arrow  Move cursor.
329
330              b      View block under cursor.  lde  will  interpret  the  byte
331                     under  the  cursor as the start of a block pointer (as if
332                     it were part of an indirect block).  This will be  a  two
333                     byte  pointer  for  the minix file system, four bytes for
334                     ext2fs and xiafs.
335
336              B      Interpret blocks under cursor as a block pointer and make
337                     it the current block.
338
339              c      Copy block to copy buffer.
340
341              d      Dump  block  as a directory (see directory popup descrip‐
342                     tion below).
343
344              e      Edit the data in hex or ascii mode.  TAB (  ^I)  switches
345                     between  hex  and  ascii editing.  While in hex edit, the
346                     keys A-F and 0123456789 will not perform their lde  func‐
347                     tions,  but  are  used to enter new data.  In ascii edit,
348                     most keys (chars 32-126) are  used  to  enter  new  data.
349                     Characters  outside  this  range  must  be entered in hex
350                     mode, they will be displayed on the ASCII  display  as  a
351                     period.
352
353                     Editing  will  exit  on  write  block ( ^W ) or a command
354                     which goes to another block or  leaves  block  mode.   To
355                     discard your changes and re-read the block use ^A or view
356                     another block and come back.  You will always be prompted
357                     [Yes/Discard   changes/Continue   edit]  before  a  write
358                     occurs.  Select y to save the block to disk, d to discard
359                     your  changes and re-read the data from disk, or c if you
360                     made a mistake and want to go back  and  make  some  more
361                     changes before saving this block.
362
363                     It  is  probably  a  good idea to unmount the file system
364                     before you do any writes to it.  My  guess  is  that  bad
365                     things  will  happen  if you try to write the inode/block
366                     tables while someone else is using the filesystem.
367
368              I      View inode under cursor.  lde  will  interpret  the  byte
369                     under  the cursor as the start of an inode pointer (as if
370                     it were part of an directory entry).  This will be a  two
371                     byte  pointer  for  the minix file system, four bytes for
372                     ext2fs and xiafs.
373
374              n, p   Next/previous block in file.  If the  displayed  file  is
375                     indexed by the current inode, you can step to the next or
376                     previous block in the chain.
377
378              p      Paste block from copy buffer.
379
380              w      Write the current block to the recovery file.
381
382              0123456789!@#$%^
383                     tag this block to be recovered.  Under Minix,  this  will
384                     display nine blocks which represent the block pointers in
385                     an inode.  0-6 are  direct  blocks,  7  is  the  indirect
386                     block, and 8 is the double indirect block.  One day there
387                     may be an option for more direct blocks to make  recovery
388                     easier.   When  a  block  is tagged, the status line will
389                     reflect this.  To untag a block, go to recover  mode  and
390                     set the block's pointer to zero.
391
392              #      This  will  prompt the user to enter a block number.  The
393                     numbers may be entered in the same  format  described  in
394                     inode mode (decimal, hex, or octal).
395
396              ^R     Look up inode which references this block.
397
398              /      Search  for  a  string.  You will be prompted for a case-
399                     sensative search string.  The search will  proceede  from
400                     the current block, if a match is found, the block pointer
401                     will be advanced and the  matching  block  will  be  dis‐
402                     played.
403
404       Recover Mode:
405
406       In  recover  mode, the tagged blocks are displayed and may be edited by
407       hand.  When they are correct the user can dump the file.  The  user  is
408       prompted  for  a  filename  which  can be 80 chars, the default file is
409       "./RECOVER.file".
410
411
412              0123456789!@#$%^
413                     Will prompt the user to enter a  numeric  value  for  the
414                     specified block index.  The format of the input should be
415                     the same as that described in inode mode.
416
417              c      Check that all the blocks marked for recovery are unused.
418                     Complete  recovery  will  be impossible if any blocks are
419                     reported in use, but you might be able to salvage a large
420                     chunk of your file.
421
422              r      Write out the recovered file.
423
424              u      Unmark  all  blocks.   The  recovery inode will be filled
425                     with zeroes.
426
427       Directory View
428
429       Accessable from inode and block mode.  In block mode,  it  formats  the
430       current  block  as  a  directory entry with no syntax checking (i.e. it
431       might not really be a directory block).  In inode  mode,  it  uses  the
432       block  pointers  to  determine what to display.  You can use the up and
433       down arrow keys to scroll the display if there are too many entries  to
434       display at once.
435
436
437       d      If  the  cursor  is  on a directory, it will follow the link and
438              display that directory. Use D to do the same and set the current
439              inode to the new directory inode.
440
441       i      Set the current inode to the inode under the cursor.
442
443       I      Set the current inode and immediately view it in inode mode.
444
445       n, p   Next/previous block in directory.  If the directory being viewed
446              is indexed by the current inode, you can step  to  the  next  or
447              previous block in the chain.
448
449

EXAMPLES (command line)

451       lde -I 1 -N 10 /dev/hda1
452              Display inodes 1-10 on the screen.
453
454       lde -b 34 /dev/hda1 | more
455              Display block 34 on the screen (formatted in hex and ascii).
456
457       lde -D 100 -N 51 /dev/hda1 > MyOuput
458              Cat  blocks 100-150 to stdout (binary data), which is equivalent
459              to
460
461              dd if=/dev/hda1 of=MyOutput bs=1024 count=51 skip=100
462
463       lde -I 1 --recoverable /dev/hda5
464              Display all inodes on /dev/hda5 which have been deleted, but can
465              be recovered.
466
467       lde -I 1 --recoverable /dev/hda5 | grep "Sep 23"
468              Display  all  inodes  on /dev/hda5 which have been deleted today
469              September 23, but can be recovered.  The date format is that  of
470              ctime(3):
471
472                     "Wed Jun 30 21:49:08 1993"
473
474              Note: the day will have a leading space if is less than 10.
475
476       lde -b 100 --ilookup /dev/hda1
477              Find  first  inode  that  references  block 100 on /dev/hda1 (to
478              search for multiple occurances, use the curses interface).
479
480       lde --paranoid -T tgz --ilookup --recoverable /dev/hda5
481              Find all tgz files which have  been  deleted,  display  possible
482              inodes  and  check  if it is possible to recover the files, open
483              the file system read only while searching.
484
485       See docs/UNERASE included with the lde distribution for  more  examples
486       and instructions for the best way to go about restoring files.
487
488

SEE ALSO

490       fsck(8), fsck.minix(8), e2fsck(8), xfsck(8), debugfs(8)
491

AUTHOR

493       Scott D. Heavner (sdh@po.cwru.edu)
494
495       For   more   info,   see   the   lde   project   page   at  sourceforge
496       <http://lde.sourceforge.net/>.
497
498
499
500                                  19 May 2005                           LDE(8)
Impressum