demystifying the hidden partition

[LENOVO_DAVE]

Hey all, new to the forum, It is now 4:40am can't sleep and figured I share my knowledge on this matter.

So far I have sucessfully copied my hidden recovery partition to an image and dumped it to my desktop for examination.
Well as it turns out the factory image is not a real factory image, its a one key backup, same as the ones you can make using the software. The files are actually named factory.000 to factory.032 with a factory.wsi. I figure you can probably use the one key software to burn this to a disk and now have a bootable recovery. Since the machine has no drive I personally find this useless, unless you have a usb dvd drive. Also I recently came across cyberstink's website and have noticed a close resmeblence to thier power recovery software, it is not available for trial or demo download. So I cannot be certian that it is a version of the okr software, although some config files for okr suggest that it is. The reason I believe okr doesn't work after an hd swap is because the program (i think) records the size of the partition and perhaps the serial of the drive into the wsi file. So when you do a factory restore to a different drive it doesnt work because the partition or serial # is not the same, with that said I don't think the bios itself disables this function when the drive is removed.
Next observation I made is there are a few scattered tools, such as a setup.cmd. I opened it in a text editor and followed the commands to a few other programs. I believe this file actually is the beginning of creating the recovery partition itself. If so one could possible use this to restore the restore partition if you had saved it prior. Inside a folder called factory there are a few xml style files that have parameters for a tool called factorytool.exe. These files run diskpart and use the factory wsi to restore the partiton, these files also contain the partition size for the recovery disk and instruct diskpart to create 3 partitions. I have tried to execute this on a virtual machine but diskpart defaults to disk zero. I cannot force it to disk 1, and therefore cannot get the file process to continue. (I did this because I need my lenovo for school, so I cant use it to test, and I know even if I got the files to copy it probably wouldnt boot, I just wanted to see what the files do before I try this on my lenovo).
There is plenty more I can talk about here but i am finally getting tired, but this is what I think can be done and what I am going to try to accomplish:
1) Since the factory image doesnt work with a new drive and/or partition change due perhaps to the style of cyberstink okr, I will attempt to merge the two partitions install xp pro, create a backup with the okr program in windows, then rename the files to factory.wsi and so on place them in the recovery partition and see if I can get the recovery partition to boot and restore my own custom factory image. ( this would be sweet )
or
2) Copy the entire recovery partition to a dvd and boot it that way, I am actually in the process of doing that, I got vista bootmgr to hook but then it hangs and boots my to hd and winblows xp. I see that the bcd file points to D e v i c e \ H a r d d i s k V o l u m e 3 \ B o o t \ B C D so thats probably why, a generic bcd from another version of vista might cure this. (agian using a virtual machine, dont want to break my lenovo yet until I know more) Then I will proceed to make a bootable usb drive with my factory image.

I don't mind sharing tools that are avialable for free online, just don't ask me for any files from the machine itself especially the restore stuff. Also excuse any grammer or spelling, its late and I am exhausted.

[MalibuJack]

Your on the right track.. The utility that does the backups and restores is made by Cyberlink. The issue users are having is the nature of manipulating the partitions renders the one-key-recovery from running.. I can move that partition, set it as active, and add a line to the XP Boot.ini file, and it will boot and recover.. The damn button, if you mess with the partitions after resizing or manipulating it, that button then just basically boots up to the active partition.


Hopefully that gives you a little information and food for thought. Also, your right, the factory image is tucked away as a compressed backup file the hidden partition which has some sort of WinPE that it boots from.

If you were to prepare a bootable USB stick, you can copy the hidden partition to it and boot from it to restore your machine.

After I figured that out, I deleted and restructured my hard drive, and boot from a Expresscard32 SSD thats bootable with a version of GRUB on it to boot from UBCD4Win, another set of tools, a Linux minimal install, and the Lenovo Recovery partition.


I can't help but think there is something in the boot partition of Windows XP (a bootloader thats different than a retail windows install) that can read the state of which button was hit, and then loads the appropriate bootstrap.

[LENOVO_DAVE]

I think you are right after examining more of the file system I came across a file called HOTKEY_MBR.BIN, hmm could it be this is the 1kb file is responsible for possibly injecting an extension into the MBR to see a flag somewhere and boot the recovery!??! I will continue to explore and post when I learn more, any thoughts are welcome. As always don't bother asking me for any of these files.

[lvdoan]

I do had the same problem. When playing around with partitioning, I deleted the hidden partition. However, I recovered all files in there. Then I reformated the hidden partition and put these files back onto it. I shut down the Lenovo and press the OKR but the Laptop boot into the WinXP on Drive C:. Any one know what type of the hidden partition is?

[nkls]

I was looking at this a while ago, and I found that acer uses a very similar type of backup after some google searches. Here is a topic that talks about a backup system with the same extensions as the files in our machines. They are talking about some iitt.exe program that comes with their systems that can be used to mount the wsi file. Get hold of that program and I bet you'll be able to extract something from the backup files.

About the okr button I'm 99% sure it works this way:
1. When it works, the bios loads the service partition's boot loader instead of the MBR.
2. To work there must be a service partition, but it doesn't have to be at any specific place or be any specific size.
3. Some other (specific hdd sector?) check.

I managed to make my okr key boot linux for a while, but then it stopped and I think it was because the hdd check sector was overwritten. I haven't tried to get it working again, but restoring the service partition to it's original state could make it work again.

Another way to figure out how it really works would be to decompile the bios.
Anyone interested?

[lvdoan]

I think there is nothing to do with the bios. I put all the files, except the factory files, I recovered from the hidden partition into a bootable flash drive and I boot from that flash. The recovery prog did come up with options of either restore from backup files or factory files. I successfully restored my drive c: to its original state and got the WinXP running. The problem is that I do not know how to get the hidden partition (which I have re-partitioned) boot. If the the hidden partition can boot with all files in there, the problem will be solved. Any one know how to do it? What I know for sure is that that hidden partition boot by Vista Win PE.

[vaniii]

It's a real shame Lenovo doesn't provide a recovery DVD with the S10 for free. At least on my version of the S10, there wasn't an option to burn a recovery CD myself either. So I investigated a bit…

This might be useful for everyone who wants to migrate to a new hard disk (HD).

Since this has not been tested yet be sure to only try to recover on a new HD, not your original one.

0. BACKGROUND

When the S10 boots, it asks the user to press F11. This is achieved by a special MBR, which supposedly can be installed with the rnr31_rrd.exe tool. When you press F11, Windows RE (a special, minimal version based on Windows Vista) is launched from the first, hidden, non-active (type 0x27) NTFS partition "ServiceV002" (also called the "Service Partition - "SP"). Windows RE launches the "Rescue and Recovery 4" application, which can be used to restore the factory image to the second, active, NTFS partition "Preload". Apparently this is written in Python, so it should be possible to investigate

Note that I wasn't able yet to test whether the resulting DVD is really capable of restoring a system, since I don't have a spare HD. So it's best to try installing this to a new HD while still keeping your original HD, in case something doesn't work. Please post back here about your failures and/or successes.

1. CREATING BOOTABLE RESCUE DVD

The following instructions show you how to create a bootable DVD containing this Windows RE rescue system.

1. Download oscdimg.exe, put it to C:\

2. Reboot into the recovery system by pressing F11 during boot

3. Press the "help" screen. The opera browser will open up.

4. Choose "Open" from Opera's menu. Navigate to x:\Windows\System32. Open cmd.exe by right-clicking and choosing "Open".

5. Run the following command:

Code: Select all

c:\oscdimg.exe -n -m -bd:\boot\etfsboot.com d:\ c:\recovery.iso

This basically means "use oscdimg.exe to produce recovery.iso from the ServiceV002 partition using the etfsboot.com El Torito boot sector".

6. Reboot into regular Windows and burn c:\recovery.iso to a DVD

7. Insert blank new HD

8. Boot from the DVD you just created

Will it work? (I can verify that it does boot the recovery system, but due to the lack of a spare HD I wasn't able to test whether it actually restores the HD...)

2. CREATING BOOTABLE RESCUE PARTITION

Next, we'd like to find a method to re-create the bootable ServiceV002 partition on a new HD (if the above doesn't do this automatically... which I couldn't try yet). Maybe the following could work (this has NOT been tested):

1. Partition disk with 2 partitions, first one NOT flagged bootable, NTFS, name "ServiceV002"; second one flagged bootable, NTFS, name "Preload"

2. Copy all files from the DVD created above to ServiceV002

3. Change partition type from 0x07 to 0x27 (this hides it from the system)

4. Install special MBR that offers the F11 functionality using rnr31_rrd.exe

5. Boot into the recovery partition and restore system to C:\ from there

Note that THIS HAS NOT BEEN TESTED YET due to the lack of a spare HD.

3. MORE INVESTIGATIONS

The directory /RECOVERY/IUB/TOOLS32/NLS/ appears the restore software, written in Python.

The file /RECOVERY/*.CRI on the SP (with "*" being the specific name of the image (dependent on language, model etc.) contains information about the restore image. It is "Generated by GenCRI Version 4.7.1", which apparently is the software used by the "Lenovo Imaging Technology Center (ITC)" internally to generate recovery images.

The file /RECOVERY/*.MBR on the SP contains the MBR which contains the string "To boot to the Rescue and Recovery Environment, Press F11".

[keplenk]

Hey Vanii,

Thank for the guide on restoring the hidden partition image on the s10. However, HELP doesnt fire up Opera anymore. It is clickable and it you can see it click but nothing. Next and Cancel works. Do you think they fixed this vulnerability already? Do you know of a way on doing this differently? Like in Windows or Linux .. maybe dd? Acronis?

Thanks

UPDATE: I pressed F1 and it said that it "Failed to launch help."

EDIT:

Nevermind, It is not working .. I'll just delete the partition and make my own OEM CD using the i386 folder.

Thanks Vanii