fdisk -l on a USB drive gives a very weird response

Today I nuked an old 8GB USB3 flash drive on a Linux machine with:

dd if=/dev/random of=/dev/sdb

Then I put it into a Windows PC, it asked me to format it, I did an extended format with default values like 4k block size, FAT32 and so on, copied some files I needed and put it in my newly installed Debian 12 machine, and this is what fdisk says:

Disk /dev/sdb: 7.32 GiB, 7864320000 bytes, 15360000 sectors
Disk model: ****************
Units: sector of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minum/optimal): 512 bytes/ 512 bytes
Disklabel type: dos
Disk identifier: 0x********

Device      Boot         Start             End     Sectors    Size  Id  Type
/dev/sdb1            778135908      1919645538  1141509631  544.3G  72  unknown
/dev/sdb2            168689522      2104717761  1936028240  923.2G  65  Novell Netware 386
/dev/sdb3           1869881465      3805909656  1936028192  923.2G  79  unknown
/dev/sdb4           2885681152      2885736650  55499        27.1M   d  unknown

Partition table entries are not in disk order.

Why are there 4 partitions on the USB drive, with 2 of them about 900 gigs and one of 500, on an 8GB USB drive? Is it the making of the Windows machine? During the format in Windows I asked explicitly for an extended format (zero-filling).

I tried to mount the drive with:

mount -t vfat /dev/sdb /mnt/flashdrive

and the content is mounted correctly, the files I copied from the windows pc are there.

Should I consider the drive damaged or hijacked by a virus of some kind? Can this drive be trusted or should I consider this a security issue? Could it be an fdisk bug?

Thanks


I thought it could be something related to the fact that I wrote random data, and maybe that random data in the MBR sector could have caused the drive to appear with multiple partitions, but this is not the case. I have 3 identical flash drives and repeated the same procedure, this time using dd if=/dev/zero instead of random, and obtained the same result.

To me it is Windows that formats the drive in some weird fashion, making the drive a working FAT32 flash drive but making fdisk and gdisk go crazy.

I tried putting the drive into Acronis Disk Director and it detects them correctly as FAT32 flash drives; however, because Acronis Disk Director is still a Linux distro, switching to the console and running fdisk -l shows the same weird partition scheme. While the Acronis GUI detects everything correctly, the console fdisk doesn’t. The Acronis GUI, however, even though it allows formatting the main partition, doesn’t allow the disk to be cleaned up or additional partitions to be created, and it also calls it "Super Floppy"…

Could it be a problem caused by how the manufacturer created the USB drive?


EDIT: I added gdisk output

gdisk -l /dev/sdb
GPT fdisk (gdisk) version 1.0.9

Partition table scan:
    MBR: MBR only
    BSD: not present
    APM: not present
    GPT: not present

***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format
in memory.
***************************************************************

Exact type not match not found for type code 7200; assigning type code for
'Linux filesystem'
Exact type not match not found for type code 6500; assigning type code for
'Linux filesystem'
Exact type not match not found for type code 7900; assigning type code for
'Linux filesystem'
Exact type not match not found for type code 0D00; assigning type code for
'Linux filesystem'

Warning! Secondary partition table overlaps the last partition by
3790549690 blocks!
You will need to delete this partition or resize it in another utility.
Model: DataTraveler 3.0
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): *************************
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 15359966
Partitions will be aligned on 1-sector boundaries
Total free space is 15359933 sectors (7.3 GiB)

Number          Start (sector)      End(sector)          Size           Code                Name
   1                 778135908      1919645538      544.3 GiB           8300    Linux filesystem
   2                 168689522      2104717761      923.2 GiB           8300    Linux filesystem
   3                1869881465      3805909656      923.2 GiB           8300    Linux filesystem
   4                2885681152      2885736650       21.7 MiB           8300    Linux filesystem

Asked By: user3450548

||

I don’t know Windows’ extended format but your saying that mount -t vfat /dev/sdb /mnt/flashdrive is mounted correctly gives a useful hint.

With that command, you are mounting the whole drive, not a partition of it (/dev/sdb1, /dev/sdb2, etc.). This means that Windows didn’t make a partition table on it and used every sector, from the first to the last, as a VFAT area.

If there is no partition table, then what fdisk (or gdisk) displays is not relevant at all.

> Should I consider the drive damaged

No, unless you saved the "partition table" with fdisk (or gdisk).

> or hijacked by a virus of some kind?

No.

> Can this drive be trusted or should I consider this a security issue?

Nothing in your question suggests it can’t be trusted.

> Could it be an fdisk bug?

No. fdisk is a tool to manipulate a partition table. What it displays is what would be the partition table if there was one, but there is none. That’s why it’s important you didn’t modify/save the partition table with fdisk.

> I thought it could be something related to the fact that I wrote random data (…)

No, it’s the way the disk was formatted.

Answered By: xhienne

A superfloppy (a drive with a filesystem on the entire device, without a partition table) still contains the fragment that otherwise defines a dos partition table.

The purpose of fdisk or gdisk is to work with partition tables. If there is none, either tool does not know this in advance and tries its best to interpret data as a partition table. In some cases they can tell for sure there is no partition table (e.g. when there are all zeros), in many cases they cannot.

The point is even random data can be interpreted as (more or less insane) partition table. This is what you see on your device. A similar setup is in this question: Windows does not mount USB NTFS superfloppy; you can get some insight from my answer there.

Seeing insane partition tables is one of the reasons to prefer creating a partition table even for a single filesystem. It seems your Windows knew better though. Windows and only Windows is to blame. The disk itself is fine (or rather there is no evidence it’s damaged).

As long as you can mount the filesystem in all the systems you use, there is no problem. I cannot tell if Windows won’t ever be fooled by the "mess" it made, but in Linux you can always explicitly mount /dev/sdb and simply not use /dev/sdb1 and such, if they appear.

But if you want to make the setup more sane, start anew. Use dd if=/dev/zero of=/dev/sdb bs=512 count=1, then fdisk /dev/sdb and create a dos partition table with exactly one primary partition (the default values of starting and ending sectors should be fine), its type should be 0C (W95 FAT32 (LBA)). Let the tool write the partition table. Then create a FAT32 filesystem in sdb1 (in Linux; or let Windows do it, hopefully it will respect the new partition table).

Answered By: Kamil Maciorowski
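
The point both answers make, as an added example that is not part of either answer: the script decodes the four 16-byte slots at offset 446 of sector 0 the way a partition tool would, then checks for a FAT BIOS Parameter Block to tell a superfloppy from a real MBR. The function names and the sample sector are constructed for illustration; the sample reuses the first fdisk row and the sector count from the question.

```python
import struct

def parse_mbr_slots(sector0):
    """Decode the four 16-byte slots at offset 446, as a partition tool would."""
    slots = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype or count:  # skip completely empty slots
            slots.append({"flag": flag, "type": ptype, "start": start, "sectors": count})
    return slots

def has_fat_bpb(sector0):
    """True if sector 0 carries a plausible FAT BIOS Parameter Block."""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector0, 11)
    num_fats = sector0[16]
    return (sector0[0] in (0xEB, 0xE9)                      # x86 jump over the BPB
            and bytes_per_sector in (512, 1024, 2048, 4096)
            and sectors_per_cluster in (1, 2, 4, 8, 16, 32, 64, 128)
            and num_fats in (1, 2))

def classify(sector0, total_sectors):
    """Return (verdict, slots); verdict is 'superfloppy', 'mbr' or 'unknown'."""
    slots = parse_mbr_slots(sector0)
    if sector0[510:512] != b"\x55\xaa":   # both MBR and FAT boot sector end with 55 AA
        return "unknown", slots
    if has_fat_bpb(sector0):              # filesystem starts at sector 0: slots are not a table
        return "superfloppy", slots
    sane = slots and all(s["flag"] in (0x00, 0x80)
                         and s["start"] + s["sectors"] <= total_sectors for s in slots)
    return ("mbr" if sane else "unknown"), slots

def build_sample():
    """Constructed sector 0: FAT32-style BPB plus bytes decoding to the question's first row."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x58\x90"                          # jump instruction (constructed)
    s[3:11] = b"MSDOS5.0"                             # OEM name (constructed)
    struct.pack_into("<HBHB", s, 11, 512, 8, 32, 2)   # 512 B/sector, 8 sectors/cluster, 2 FATs
    struct.pack_into("<B3xB3xII", s, 446, 0, 0x72, 778135908, 1141509631)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    verdict, slots = classify(build_sample(), total_sectors=15360000)
    print(verdict, slots)
```

To check a real device, pass the first 512 bytes read from it (for example from /dev/sdb, opened read-only) together with its sector count. The type bytes fdisk printed in the question (72, 65, 79, d) are the ASCII codes for "r", "e", "y" and carriage return, which is consistent with boot-sector text being read as table entries.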