This manual is for Lziprecover (version 1.25, 8 January 2025).
Copyright © 2009-2025 Antonio Diaz Diaz.
This manual is free documentation: you have unlimited permission to copy, distribute, and modify it.
Lziprecover is a data recovery tool and decompressor for files in the lzip compressed data format (.lz). Lziprecover also provides Forward Error Correction (FEC) able to repair any kind of file.
Lziprecover is able to repair slightly damaged lzip files (up to one single-byte error per member), produce a correct file by merging the good parts of two or more damaged copies, reproduce a missing (zeroed) sector using a reference file, extract data from damaged files, decompress files, and test integrity of files.
Lziprecover can remove the damaged members from multimember files, for example multimember tar.lz archives.
Lziprecover provides random access to the data in multimember files; it only decompresses the members containing the desired data.
Lziprecover is not a replacement for regular backups, but a last line of defense for the case where the backups are also damaged.
Lziprecover is able to provide unique data recovery capabilities because the lzip format is extraordinarily safe. The simple and safe design of the file format complements the embedded error detection provided by the LZMA data stream. Any distance larger than the dictionary size acts as a forbidden symbol, allowing the decompressor to detect the approximate position of errors, and leaving little work for the check sequence (CRC and data sizes) in the detection of errors. Lzip is usually able to detect all possible bit flips in the compressed data without resorting to the check sequence. It would be difficult to write an automatic recovery tool like lziprecover for the gzip format. And, as far as I know, it has never been written.
A nice feature of the lzip format is that a corrupt byte is easier to repair the nearer it is from the beginning of the file. Therefore, with the help of lziprecover, losing an entire archive just because of a corrupt byte near the beginning is a thing of the past.
Compression may be good for long-term archiving. For compressible data, multiple compressed copies may provide redundancy in a more useful form and may have a better chance of surviving intact than one uncompressed copy using the same amount of storage space. This is especially true if the format provides recovery capabilities like those of lziprecover, which is able to find and combine the good parts of several damaged copies.
Lziprecover is able to recover or decompress files produced by any of the compressors in the lzip family: lzip, plzip, minilzip/lzlib, clzip, and pdlzip.
GNU ddrescue provides data recovery capabilities which nicely complement those of lziprecover. If the cause of file corruption is a damaged medium, the combination GNU ddrescue + lziprecover is the recommended option for recovering data from damaged files. See ddrescue-example, ddrescue-example2, and ddrescue-example3, for examples. See the ddrescue manual for details about ddrescue.
If a file is too damaged for lziprecover to repair it, all the recoverable data in all members of the file can be extracted with the following command (the resulting file may contain errors and some garbage data may be produced at the end of each damaged member):
lziprecover -cd --ignore-errors file.lz > file
When recovering data, lziprecover takes as arguments the names of the damaged files and writes zero or more recovered files depending on the operation selected and whether the recovery succeeded or not. The damaged files themselves are kept unchanged.
When decompressing or testing file integrity, lziprecover behaves like lzip or lunzip.
LANGUAGE NOTE: Uncompressed = not compressed = plain data; it may never have been compressed. Decompressed is used to refer to data which have undergone the process of decompression.
The format for running lziprecover is:
lziprecover [options] [files]
When decompressing or testing, a hyphen '-' used as a file argument means standard input. It can be mixed with other files and is read just once, the first time it appears in the command line. If no file names are specified, lziprecover decompresses from standard input to standard output. Remember to prepend ./ to any file name beginning with a hyphen, or use '--'.
lziprecover supports the following options: See Argument syntax.
-h
--help
-V
--version
-a
--trailing-error
-A
--alone-to-lz
The name of the converted lzip file is derived from that of the original lzma-alone file as follows:
filename.lzma | becomes | filename.lz
|
filename.tlz | becomes | filename.tar.lz
|
anyothername | becomes | anyothername.lz
|
-b
bytes--block-size=
bytes-B
--byte-repair
-c
--stdout
-d
--decompress
-D
range--range-decompress=
rangeFour formats of range are recognized, 'begin', 'begin-end', 'begin,size', and ',size'. If only begin is specified, end is taken as the end of the file. If only size is specified, begin is taken as the beginning of the file.
-e
--reproduce
--lzip-level=
digit|a|m[
length]
--lzip-name=
name--reference-file=
file-f
--force
-F create[
n]|repair|test|list
--fec=create[
n]|repair|test|list
n is the number of FEC blocks to be created. The amount of FEC data to be created may also be specified as a percentage from 0.003% to 100%, or as a number of bytes followed by a 'B' (4096B, 16KiB, etc). If n is not specified, it defaults to '8' (8 FEC blocks). (Because, when was the last time you saw more than 8 bad sectors affecting the same file?)
--fec=create writes the FEC data created to file.fec unless option -c or -o is specified. If a fec file can't be created, lziprecover exits immediately with error status 1 without trying to create the rest of the files.
--fec=repair and --fec=test read the FEC data from
file.fec unless --fec-file is specified. --fec=repair
writes the repaired file to file_fixed unless option -c or
-o is specified. See File names. If a file fails to repair,
lziprecover exits immediately with error status 2 without repairing the rest
of the files.
-0 .. -9
--fec-file=
file[/]
-i
--ignore-errors
Make --fec=repair and --fec=test ignore errors in the fec file and return with exit status 0 if the repaired/protected file passes the test, even if corrupt packets or trailing garbage are found in the fec file. Make --fec=list ignore errors in the fec files.
Make --list, --dump, --remove, and --strip
ignore format errors. The sizes of the members with errors (especially the
last) may be wrong.
-k
--keep
-l
--list
If any file is damaged, does not exist, can't be opened, or is not regular,
the final exit status is > 0. -lq can be used to check quickly
(without decompressing) the structural integrity of the files specified.
(Use --test to check the data integrity). -alq
additionally checks that none of the files specified contain trailing data.
-m
--merge
-n
n--threads=
n-o
file[/]
--output=
file[/]
If creating FEC data and -c has not been also specified, write the FEC data to file. If file ends with a slash, it is interpreted as the name of a directory where the fec file(s) will be written to. In this case, the fec file names are composed by replacing the prefix preceding the last slash of each file name specified in the command line with file (or prepending file if the file name does not contain a slash), and appending the extension .fec.
Else, if -c has not been also specified, write the (de)compressed
output to file, automatically creating any missing parent directories;
keep input files unchanged. This option (or -c) is needed when
reading from a named pipe (fifo) or from a device. -o - is
equivalent to -c. -o has no effect when testing or listing.
-q
--quiet
-r
--recursive
-R
--dereference-recursive
-s
--split
The names of the files produced are in the form rec1file,
rec2file, etc, and are designed so that the use of wildcards
in subsequent processing, for example,
'lziprecover -cd rec*file > recovered_data', processes the
files in the correct order. The number of digits used in the names varies
depending on the number of members in file.
-t
--test
-v
--verbose
--dump=[
member_list][:damaged][:empty][:tdata]
The argument to --dump is a colon-separated list of the following element specifiers; a member list (1,3-6), a reverse member list (r1,3-6), and the strings "damaged", "empty", and "tdata" (which may be shortened to 'd', 'e', and 't' respectively). A member list selects the members (or gaps) listed, whose numbers coincide with those shown by --list. A reverse member list selects the members listed counting from the last member in the file (r1). Negated versions of both kinds of lists exist (^1,3-6:r^1,3-6) which select all the members except those in the list. The strings "damaged", "empty", and "tdata" select the damaged members, the empty members (those with a data size = 0), and the trailing data respectively. If the same member is selected more than once, for example by '1:r1' in a single-member file, it is dumped just once. See the following examples:
--dump argument | Elements dumped
|
---|---|
1,3-6 | members 1, 3, 4, 5, 6
|
r1-3 | last 3 members in file
|
^13,15 | all but 13th and 15th members in file
|
r^1 | all but last member in file
|
damaged | all damaged members in file
|
empty | all empty members in file
|
tdata | trailing data
|
1-5:r1:tdata | members 1 to 5, last member, trailing data
|
damaged:tdata | damaged members, trailing data
|
3,12:damaged:tdata | members 3, 12, damaged members, trailing data
|
--remove=[
member_list][:damaged][:empty][:tdata]
This option may be dangerous even if only the trailing data are being
removed because the file may be corrupt or the trailing data may contain a
forbidden combination of characters. See Trailing data. It is safer to
send the output of --strip to a temporary file, check it, and then
copy it over the original file. But if you prefer --remove because of
its more efficient in-place removal, it is advisable to make a backup before
attempting the removal. At least check that 'lzip -cd file.lz | wc -c'
and the uncompressed size shown by 'lzip -l file.lz' match before
attempting the removal of trailing data.
--strip=[
member_list][:damaged][:empty][:tdata]
--loose-trailing
--nonzero-repair
lziprecover also supports the following debug options (for experts):
-E
range[,
sector_size]
--debug-reproduce=
range[,
sector_size]
-F dc
n--fec=dc
n-F dz
range[:
range]...
--fec=dz
range[:
range]...
-F dZ
size[,
delta]
--fec=dZ
size[,
delta]
-M
--md5sum
-S[
value]
--nrep-stats[=
value]
-U 1|B
size--unzcrash=1|B
sizeWith argument 'B', test zeroed sectors (blocks of bytes) in the LZMA stream of the compressed input file like the command 'unzcrash --block=size -d1 -p7 -s-(size+20) 'lzip -t' file' but in memory, and therefore much faster. Testing and comparisons work just like with the argument '1' explained above.
By default --unzcrash only prints the interesting cases; CRC
mismatches, size mismatches, unsupported marker codes, unexpected EOFs,
apparently successful decompressions, and decoder errors detected 50_000 or
more bytes beyond the byte (or the start of the block) being tested. At
verbosity level 1 (-v) it also prints decoder errors detected 10_000 or more
bytes beyond the byte being tested. At verbosity level 2 (-vv) it prints all
cases for 1-bit errors or the decoder errors detected beyond the end of the
block for zeroed blocks.
-W
position,
value--debug-decompress=
position,
value-X[
position,
value]
--show-packets[=
position,
value]
-Y
range--debug-delay=
range-Z
position,
value--debug-byte-repair=
position,
value--gf16
Numbers given as arguments to options may be expressed in decimal, hexadecimal, or octal (using the same syntax as integer constants in C++), and may be followed by a multiplier and an optional 'B' for "byte".
Table of SI and binary prefixes (unit multipliers):
Prefix | Value | | | Prefix | Value
|
---|---|---|---|---|
k | kilobyte (10^3 = 1000) | | | Ki | kibibyte (2^10 = 1024)
|
M | megabyte (10^6) | | | Mi | mebibyte (2^20)
|
G | gigabyte (10^9) | | | Gi | gibibyte (2^30)
|
T | terabyte (10^12) | | | Ti | tebibyte (2^40)
|
P | petabyte (10^15) | | | Pi | pebibyte (2^50)
|
E | exabyte (10^18) | | | Ei | exbibyte (2^60)
|
Z | zettabyte (10^21) | | | Zi | zebibyte (2^70)
|
Y | yottabyte (10^24) | | | Yi | yobibyte (2^80)
|
R | ronnabyte (10^27) | | | Ri | robibyte (2^90)
|
Q | quettabyte (10^30) | | | Qi | quebibyte (2^100)
|
Exit status: 0 for a normal exit, 1 for environmental problems (file not found, invalid command-line options, I/O errors, etc), 2 to indicate a corrupt or invalid input file, 3 for an internal consistency error (e.g., bug) which caused lziprecover to panic.
POSIX recommends these conventions for command-line arguments.
GNU adds long options to these conventions:
The syntax of options with an optional argument is -<short_option><argument> (without whitespace), or --<long_option>=<argument>.
Perfection is reached, not when there is no longer anything to add, but
when there is no longer anything to take away.
-- Antoine de Saint-Exupery
In the diagram below, a box like this:
+---+ | | <-- the vertical bars might be missing +---+
represents one byte; a box like this:
+==============+ | | +==============+
represents a variable number of bytes.
A lzip file consists of one or more independent "members" (compressed data sets). The members simply appear one after another in the file, with no additional information before, between, or after them. Each member can encode in compressed form up to 16 EiB - 1 byte of uncompressed data. The size of a multimember file is unlimited. Empty members (data size = 0) are not allowed in multimember files.
Each member has the following structure:
+--+--+--+--+----+----+=============+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ID string | VN | DS | LZMA stream | CRC32 | Data size | Member size | +--+--+--+--+----+----+=============+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
All multibyte values are stored in little endian order.
It is a fact of life that sometimes data becomes corrupt. Software has errors. Hardware may misbehave or fail. RAM may be struck by a cosmic ray. This is why a safe enough integrity checking is needed in compressed formats, and the reason why a data recovery tool is sometimes needed.
There are 3 main types of data corruption that may cause data loss: single-byte errors, multibyte errors (generally affecting a whole sector in a block device), and total device failure.
The two methods most effective to protect data from accidental loss are backup copies and Forward Error Correction (FEC). Both methods can be used simultaneously, and both are supported by lziprecover.
Lziprecover protects natively against single-byte errors as long as file integrity is checked frequently enough that a second single-byte error does not develop in the same member before the first one is repaired. See Repairing one byte.
Lziprecover protects against multibyte errors in 3 cases: if a fec file is available (see Fec files), if at least one backup copy of the file is available (see Merging files), or if the error is a zeroed sector and the uncompressed data corresponding to the zeroed sector are available (see Reproducing one sector). FEC is best. Else, if you can choose between merging and reproducing, try merging first because it is usually faster, easier to use, and has a high probability of success.
Lziprecover can't help in case of device failure. The only remedy for total device failure is storing backup copies in separate media.
The extraordinary safety of the lzip format allows lziprecover to use the redundance that occurs naturally when making compressed backups. Lziprecover can recover data that would not be recoverable from files compressed in other formats. See these two examples of the data recovery capabilities offered by lziprecover:
Let's suppose that you made a compressed backup of your valuable scientific data and stored two copies on separate media. Years later you notice that both copies are corrupt.
If you compressed the data with gzip and both copies suffer any damage in the data stream, even if it is just one altered bit, the original data can only be recovered by an expert, if at all.
If you used bzip2, and if the file is large enough to contain more than one compressed data block (usually larger than 900 kB uncompressed), and if no block is damaged in both files, then the data can be manually recovered by splitting the files with bzip2recover, checking every block, and then copying the right blocks in the right order into another file.
But if you used lzip, the data can be automatically recovered with 'lziprecover --merge' as long as the damaged areas don't overlap.
Note that each error in a bzip2 file makes a whole block unusable, but each error in a lzip file only affects the damaged bytes, making it possible to recover a file with thousands of errors.
Let's suppose that you make periodic backups of your email messages stored in one or more mailboxes. (A mailbox is a file containing a possibly large number of email messages). New messages are appended to the end of each mailbox, therefore the initial part of two consecutive backups is identical unless some messages have been changed or deleted in the meantime. The new messages added to each backup are usually a small part of the whole mailbox.
+============================================+ | Older backup containing some messages | +============================================+ +============================================+========================+ | Newer backup containing the messages above | plus some new messages | +============================================+========================+
One day you discover that your mailbox has disappeared because you deleted it inadvertently or because of a bug in your email reader. Not only that. You need to recover a recent message, but the last backup you made of the mailbox (the newer backup above) has lost the data corresponding to a whole sector because of an I/O error in the part containing the old messages.
If you compressed the mailbox with gzip, usually none of the new messages can be recovered even if they are intact because all the data beyond the missing sector can't be decoded.
If you used bzip2, and if the newer backup is large enough that the new messages are in a different compressed data block than the one damaged (usually larger than 900 kB uncompressed), then you can recover the new messages manually with bzip2recover. If the backups are identical except for the new messages appended, you may even recover the whole newer backup by combining the good blocks from both backups.
But if you used lzip, the whole newer backup can be automatically recovered with 'lziprecover --reproduce' as long as the missing bytes can be recovered from the older backup, even if other messages in the common part have been changed or deleted. Mailboxes seem to be especially easy to reproduce. The probability of reproducing a mailbox (see performance-of-reproduce) is almost as high as that of merging two identical backups (see performance-of-merge).
Forward Error Correction (FEC) is any way of protecting data from corruption by creating redundant data that can be used later to repair errors in the protected data. Lziprecover uses a Hilbert-based Reed-Solomon code to create one fec file (with extension .fec) for each file that needs to be protected. The fec files created by lziprecover are reproducible.
Reed-Solomon is the most space-efficient Error Correcting Code (ECC) for data stored in block devices. It creates redundant FEC blocks in such a way that X FEC blocks allow the recuperation of any combination of up to X lost data blocks. All the blocks (data and FEC) are of the same size, which in fec files must be a multiple of 512 bytes. Reed-Solomon is not optimum for corruption affecting random single bits in a file because each corrupt bit invalidates the whole block containing it.
Usually, a corrupt file does not provide an indication of where the corruption is located. Therefore, each fec file stores one or two arrays of CRCs to detect the corrupt blocks in the protected file and mark them as erasures (missing data blocks). Thus, a fec file creates its own Binary Erasure Channel (BEC) for the protected file.
Lziprecover's FEC algorithm can repair any kind of file, but its ability to repair lzip files is greater than for other kinds of files. Lziprecover can use the statistical properties of lzip data to repair a lzip file rescued with ddrescue, even if the fec file is so damaged that it has lost both CRC arrays. Lzip data helps to locate the corrupt parts of the file even without a BEC. For this to work, at least one chksum packet header must be intact to provide 'prodata_size', 'prodata_md5', and 'gf16'.
To illustrate how Reed-Solomon works on the BEC, we will use an example with standard arithmetic on integers. Note that in lziprecover's FEC each variable is a (potentialy large) block of data, not a single value.
Given variables x, y, and z (the protected data) whose values are known, an equation system can be created where the values of three FEC variables p, q, and r can be computed from the values of x, y, and z:
x + y + z = p (1) x + 2y + 3z = q (2) x + 3y + 2z = r (3)
If we have that x = 1, y = 2, and z = 3, then p = 6, q = 14, and r = 13:
1 + 2 + 3 = 6 (1a) 1 + 4 + 9 = 14 (2a) 1 + 6 + 6 = 13 (3a)
Now, if the values of x and y are lost because of data corruption, they can be recomputed by using any two of the three equations above. For example, if we replace the known values of z, p, and q in equations (1) and (2) we get:
x + y + 3 = 6 (1b) x + 2y + 9 = 14 (2b)
In order to solve the two equations above, we first reduce them by subtracting the values of the known data variables from the values of the FEC variables:
x + y = 6 - 3 (1c) x + 2y = 14 - 9 (2c)
which gives the reduced FEC values P = 3 and Q = 5.
Then we create a square matrix 'A' with the coefficients of x and y in the equations above, and invert it. 'A' must be invertible and must not have any zero element. We also create the column vector D with the missing data variables x and y, and the column vector F with the reduced FEC values P and Q:
D = x A = 1 1 A^-1 = 2 -1 F = P y 1 2 -1 1 Q
Then we multiply the inverse matrix 'A^-1' by the column vector F to obtain the values of x and y (D = A^-1 * F):
x = 2P - Q (1d) y = -P + Q (2d)
which finally gives us the lost values x = 1 and y = 2:
x = 2 * 3 - 5 (1e) y = -3 + 5 (2e)
Lziprecover's implementation of Reed-Solomon can manage up to 128 data blocks + 128 FEC blocks when using a Galois Field of size 256 (GF(2^8)), or up to 32768 data blocks + 32768 FEC blocks when using a Galois Field of size 65536 (GF(2^16)). GF(2^8) is included because it is faster for files up to about 1 MB. The number of FEC blocks is currently limited to 2048 because of memory and time limits. Inverting a matrix for 32768 FEC blocks would take a week and require 2 GiB of RAM.
The file is repaired in memory. Therefore, enough virtual memory (RAM + swap) to contain the protected file and the FEC data is required. The file size is limited to less than 2 GiB on 32-bit systems. The repaired file is checked with a MD5 digest.
Lziprecover divides the input file in 1 to 32768 data blocks of the same size, which ranges from 512 bytes to 128 TiB, for a total protected file size of up to 4 EiB. It then uses a Hilbert matrix 'A' to create up to 2048 FEC blocks of the same size as the data blocks. Lziprecover corrects errors in the data blocks by first reducing the equation system to M equations with M unknowns each, where M is the number of missing data blocks. Then it multiplies the inverse of the relevant submatrix of 'A' by the vector of results of the M equations to recompute the values of the missing data blocks.
Lziprecover implements GF(2^8) with polynomial 0x11D and GF(2^16) with polynomial 0x1100B.
A Hilbert matrix is defined as A[i][j] = 1 / (i + j + 1) for i,j >= 0. But, as in a Galois Field the addition is the exclusive or operation, applying the Hilbert definition produces a singular (non invertible) matrix. To avoid this problem, lziprecover uses a Hilbert matrix starting at row r0 = gf_size / 2. I.e., A[i][j] = 1 / (i + j + r0) for 0 <= i,j < r0. ('gf_size' is the size of the Galois Field).
Example 1: Create the fec file archive.tar.lz.fec and store it in the same directory where archive.tar.lz is.
lziprecover -v -Fc archive.tar.lz
Example 2: Create the fec file archive.tar.lz.fec and store it in the directory fec.
lziprecover -v -Fc -o fec/ archive.tar.lz
Example 3: Create recursively one fec file for each file in the directory datadir and store them in the tree under the directory fec.
lziprecover -v -r -Fc -o fec/ datadir
Example 4: Create fec files for a collection of photos stored in directory photos and store them in the directory photos-fec.
lziprecover -v -Fc -o photos-fec/ photos/*
Example 1: Test the integrity of archive.tar.lz using the fec file archive.tar.lz.fec from the same directory.
lziprecover -v -Ft archive.tar.lz
Example 2: Test the integrity of the files foo.lz and bar.lz using the corresponding fec files stored in the directory fec.
lziprecover -v -Ft --fec-file=fec/ foo.lz bar.lz
Example 3: Test recursively the integrity of all the files in the directory datadir using the fec files stored in the directory tree under the directory fec.
lziprecover -v -r -Ft --fec-file=fec/ datadir
Example 4: Test the integrity of a collection of photos stored in directory photos using fec files from directory photos-fec.
lziprecover -v -Ft --fec-file=photos-fec/ photos/*
Example 1: Repair the file archive.tar.lz using the fec file archive.tar.lz.fec from the same directory. The repaired file is written to archive_fixed.tar.lz in the same directory.
lziprecover -v -Fr archive.tar.lz
Example 2: Repair the files foo.lz and bar.lz using the corresponding fec files stored in the directory fec.
lziprecover -v -Fr --fec-file=fec/ foo.lz bar.lz
Example 3: Repair recursively all the damaged files in the directory datadir using the fec files stored in the directory tree under the directory fec.
lziprecover -v -r -Fr --fec-file=fec/ datadir
Example 4: Recover a collection of photos from a damaged external drive (/dev/sdc1). The photos are in directory photos, and the fec files are in directory photos-fec.
ddrescue -b4096 -r10 /dev/sdc1 hdimage mapfile
mount -o loop,ro hdimage /mnt/hdimage
cp -a /mnt/hdimage/photos photos
cp -a /mnt/hdimage/photos-fec photos-fec
umount /mnt/hdimage
lziprecover -v -Fr --fec-file=photos-fec/ photos/*
(Check and rename repaired files. They are named photos/*_fixed)
A fec file consists of one chksum packet, one or more fec packets, and one optional second chksum packet. The first chksum packet must be the first packet in the file, but the second chksum packet does not need to be the last packet in the file. The essential information is stored in the chksum packet(s), while the potentially numerous fec packets are kept as simple as possible:
+=================+===============+=================+ | Chksum packet | Fec packets | Chksum packet | +=================+===============+=================+
All multibyte values are stored in little endian order except 'prodata_md5'.
The 'fbs' (fec_block_size) field is coded as a little endian 16-bit floating point unsigned integer with an 11-bit mantissa at bits 0-10 and a 5-bit exponent at bits 11-15. The mantissa is an integer between 0 and 2047. The exponent is an integer between 9 and 40, stored with a bias of -9; the exponent 9 is stored as 0, and 40 is stored as 31. Values are stored with the largest mantissa and smallest exponent; 4096 is stored as m=8, e=0. This encoding can store values from 0 bytes to 2047 TiB (2^51 - 2^40 bytes) with a maximum resolution of 512 bytes, but 0 and the values beyond 128 TiB are not used:
5 11 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | exp | mantissa | The 'fbs' (fec_block_size) field +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 15 11 10 0
The fec file format is 4-byte aligned for speed because FEC data are created and decoded 4 bytes at a time. The 4-byte alignment has been achieved by a careful design, without adding any padding bytes.
The fec file format has an overhead of 8 bytes per protected data block, plus 16 bytes per FEC block, plus 80 bytes.
A chksum packet contains one CRC for each of the N data blocks in the protected file, and is structured as shown in the following table. All lengths and offsets are in decimal:
Field Name | Offset | Length (in bytes)
|
---|---|---|
magic | 0 | 4
|
version | 4 | 1
|
flags | 5 | 1
|
fbs | 6 | 2
|
prodata_size | 8 | 8
|
prodata_md5 | 16 | 16
|
header_crc | 32 | 4
|
crc_array | 36 | 4N
|
payload_crc | 36 + 4N | 4
|
For the expected thousands of bit flips caused by a zeroed sector, a
symmetric CRC like CRC32 is probably better than CRC32-C, which detects all
the errors with an odd number of bit flips at the expense of a larger number
of undetected errors with an even number of bit flips.
A fec packet contains one FEC block and is structured as shown in the following table. All lengths and offsets are in decimal:
Field Name | Offset | Length (in bytes)
|
---|---|---|
magic | 0 | 4
|
fbn | 4 | 2
|
fbs | 6 | 2
|
header_crc | 8 | 4
|
fec_block | 12 | fbs
|
payload_crc | 12 + fbs | 4
|
Lziprecover can repair perfectly most files with small errors (up to one single-byte error per member), without the need of any extra redundance at all. If the reparation is successful, the repaired file is identical bit for bit to the original. This makes lzip files resistant to bit flip, one of the most common forms of data corruption.
The file is repaired in memory. Therefore, enough virtual memory (RAM + swap) to contain the largest damaged member is required. Member size is limited to 2 GiB on 32-bit systems.
The error may be located anywhere in the file except in the first 5 bytes of each member header (magic and version) or in the 'Member size' field of the trailer (last 8 bytes of each member). If the error is in the header it can be easily repaired with a text editor like GNU Moe (see File format). If the error is in the member size, it is enough to ignore the message about 'bad member size' when decompressing.
Bit flip happens when one bit in the file is changed from 0 to 1 or vice versa. It may be caused by bad RAM or even by natural radiation. I have seen a case of bit flip in a file stored on an USB flash drive.
One byte may seem small, but most file corruptions not produced by transmission errors or I/O errors just affect one byte, or even one bit, of the file. Also, unlike magnetic media, where errors usually affect a whole sector, solid-state storage devices tend to produce single-byte errors, which lziprecover can repair.
Repairing a file can take some time. Small files or files with the error located near the beginning can be repaired in a few seconds. But repairing a large file compressed with a large dictionary size and with the error located far from the beginning, may take hours.
On the other hand, errors located near the beginning of the file cause much more loss of data than errors located near the end. So lziprecover repairs more efficiently the worst errors.
If you have several copies of a file but all of them are too damaged to repair them individually (see Repairing one byte), lziprecover can try to produce a correct file by merging the good parts of the damaged copies.
The merge may succeed even if some copies of the file have all the headers and trailers damaged, as long as there is at least one copy of every header and trailer intact, even if they are in different copies of the file.
The merge fails if the damaged areas overlap (at least one byte is damaged in all copies), or are adjacent and the boundary can't be determined, or if the copies have too many damaged areas.
All the copies to be merged must have the same size. If any of them is larger or smaller than it should, either because it has been truncated or because it got some garbage data appended at the end, it can be brought to the correct size with the following command before merging it with the other copies:
ddrescue -s<correct_size> -x<correct_size> file.lz correct_size_file.lz
To give you an idea of its possibilities, when merging two copies, each of them with one damaged area affecting 1 percent of the copy, the probability of obtaining a correct file is about 98 percent. With three such copies the probability rises to 99.97 percent. For large files (a few MB) with small errors (one sector damaged per copy), the probability approaches 100 percent even with only two copies. (Supposing that the errors are randomly located inside each copy).
Some types of solid-state device (NAND flash, for example) can produce bursts of scattered single-bit errors. Lziprecover is able to merge files with thousands of such scattered errors by grouping the errors into clusters and then merging the files as if each cluster were a single error.
Here is a real case of successful merging. Two copies of the file icecat-3.5.3-x86.tar.lz (compressed size 9 MB) became corrupt while stored on the same NAND flash device. One of the copies had 76 single-bit errors scattered in an area of 1020 bytes, and the other had 3028 such errors in an area of 31729 bytes. Lziprecover produced a correct file, identical to the original, in just 5 seconds:
lziprecover -vvm a/icecat-3.5.3-x86.tar.lz b/icecat-3.5.3-x86.tar.lz Merging member 1 of 1 (2552 errors) 2552 errors have been grouped in 16 clusters. Trying variation 2 of 2, block 2 Input files merged successfully.
Note that the number of errors reported by lziprecover (2552) is lower than the number of corrupt bytes (3104) because contiguous corrupt bytes are counted as a single multibyte error.
Example 1: Recover a compressed backup from two copies on CD-ROM with error-checked merging of copies.
ddrescue -d -r1 -b2048 /dev/cdrom cdimage1 mapfile1 mount -t iso9660 -o loop,ro cdimage1 /mnt/cdimage cp /mnt/cdimage/backup.tar.lz rescued1.tar.lz umount /mnt/cdimage (insert second copy in the CD drive) ddrescue -d -r1 -b2048 /dev/cdrom cdimage2 mapfile2 mount -t iso9660 -o loop,ro cdimage2 /mnt/cdimage cp /mnt/cdimage/backup.tar.lz rescued2.tar.lz umount /mnt/cdimage lziprecover -m -v -o backup.tar.lz rescued1.tar.lz rescued2.tar.lz Input files merged successfully. lziprecover -tv backup.tar.lz backup.tar.lz: ok
Example 2: Recover the first volume of those created with the command 'lzip -b 32MiB -S 650MB big_db' from two copies, big_db1_00001.lz and big_db2_00001.lz, with member 07 damaged in the first copy, member 18 damaged in the second copy, and member 12 damaged in both copies. The correct file produced is saved in big_db_00001.lz.
lziprecover -m -v -o big_db_00001.lz big_db1_00001.lz big_db2_00001.lz Input files merged successfully. lziprecover -tv big_db_00001.lz big_db_00001.lz: ok
Lziprecover can recover a zeroed sector in a lzip file by concatenating the decompressed contents of the file up to the beginning of the zeroed sector and the uncompressed data corresponding to the zeroed sector, and then feeding the concatenated data to the same version of lzip that created the file. For this to work, a reference file is required containing the uncompressed data corresponding to the missing compressed data of the zeroed sector, plus some context data before and after them. It is possible to recover a large file using just a few kB of reference data.
The difficult part is finding a suitable reference file. It must contain the exact data required (possibly mixed with other data). Containing similar data is not enough.
A zeroed sector may be caused by the incomplete recovery of a damaged storage device (with I/O errors) using, for example, ddrescue. The reproduction can't be done if the zeroed sector overlaps with the first 15 bytes of a member, or if the zeroed sector is smaller than 8 bytes.
The file is reproduced in memory. Therefore, enough virtual memory (RAM + swap) to contain the damaged member is required. Member size is limited to 2 GiB on 32-bit systems.
To understand how it works, take any lzipped file, say foo.lz, decompress it (keeping the original), and try to reproduce an artificially zeroed sector in it by running the following commands:
lzip -kd foo.lz lziprecover -vv --debug-reproduce=65536,512 --reference-file=foo foo.lz
which should produce an output like the following:
Reproducing: foo.lz Reference file: foo Testing sectors of size 512 at file positions 65536 to 66047 (master mpos = 65536, dpos = 296892) foo: Match found at offset 296892 Reproduction succeeded at pos 65536 1 sectors tested 1 reproductions returned with zero status all comparisons passed
Using foo as reference file guarantees that any zeroed sector in foo.lz can be reproduced because both files contain the same data. In real use, the reference file needs to contain the data corresponding to the zeroed sector, but the rest of the data (if any) may differ between both files. The reference data may be obtained from the partial decompression of the damaged file itself if it contains repeated data. For example if the damaged file is a compressed tarball containing several partially modified versions of the same file.
The offset reported by lziprecover is the position in the reference file of the first byte that could not be decompressed. This is the first byte that will be compressed to reproduce the zeroed sector.
The reproduce mode tries to reproduce the missing compressed data originally present in the zeroed sector. It is based on the perfect reproducibility of lzip files (lzip produces identical compressed output from identical input). Therefore, the same version of lzip that created the file to be reproduced should be used to reproduce the zeroed sector. Near versions may also work because the output of lzip changes infrequently. If reproducing a tar.lz archive created with tarlz, the version of lzip, clzip, or minilzip corresponding to the version of the lzlib library used by tarlz to create the archive should be used.
When recovering a tar.lz archive and using as reference a file from the filesystem, if the zeroed sector encodes (part of) a tar header, the archive can't be reproduced. Therefore, the less overhead (smaller headers) a tar archive has, the more probable is that the zeroed sector does not include a header, and that the archive can be reproduced. The tarlz format has minimum overhead. It uses basic ustar headers, and only adds extended pax headers when they are required.
Reproduce mode is especially useful when recovering a corrupt backup (or a corrupt source tarball) that is part of a series. Usually only a small fraction of the data changes from one backup to the next or from one version of a source tarball to the next. This makes sometimes possible to reproduce a given corrupted version using reference data from a near version. The following two tables show the fraction of reproducible sectors (reproducible sectors divided by total sectors in archive) for some archives, using sector sizes of 512 and 4096 bytes. mailbox-aug.tar.lz is a backup of some of my mailboxes. backup-feb.tar.lz and backup-apr.tar.lz are real backups of my own working directory:
Reference file | File | Reproducible (512)
|
---|---|---|
backup-feb.tar | backup-apr.tar.lz | 3273 / 4342 = 75.38%
|
backup-apr.tar | backup-feb.tar.lz | 3259 / 4161 = 78.32%
|
gawk-5.0.0.tar | gawk-5.0.1.tar.lz | 4369 / 5844 = 74.76%
|
gawk-5.0.1.tar | gawk-5.0.0.tar.lz | 4379 / 5603 = 78.15%
|
gmp-6.1.1.tar | gmp-6.1.2.tar.lz | 2454 / 3787 = 64.8%
|
gmp-6.1.2.tar | gmp-6.1.1.tar.lz | 2461 / 3782 = 65.07%
|
Reference file | File | Reproducible (4096)
|
---|---|---|
mailbox-mar.tar | mailbox-aug.tar.lz | 4036 / 4252 = 94.92%
|
backup-feb.tar | backup-apr.tar.lz | 264 / 542 = 48.71%
|
backup-apr.tar | backup-feb.tar.lz | 264 / 520 = 50.77%
|
gawk-5.0.0.tar | gawk-5.0.1.tar.lz | 327 / 730 = 44.79%
|
gawk-5.0.1.tar | gawk-5.0.0.tar.lz | 326 / 700 = 46.57%
|
gmp-6.1.1.tar | gmp-6.1.2.tar.lz | 175 / 473 = 37%
|
gmp-6.1.2.tar | gmp-6.1.1.tar.lz | 181 / 472 = 38.35%
|
Note that the "performance of reproduce" is a probability, not a partial recovery. The data are either recovered fully (with the probability X shown in the last column of the tables above) or not recovered at all (with probability 1 - X).
Example 1: Recover a damaged source tarball with a zeroed sector of 512 bytes at file position 1019904, using as reference another source tarball for a different version of the software.
lziprecover -vv -e --reference-file=gmp-6.1.1.tar gmp-6.1.2.tar.lz Reproducing bad area in member 1 of 1 (begin = 1019904, size = 512, value = 0x00) (master mpos = 1019904, dpos = 6292134) warning: gmp-6.1.1.tar: Partial match found at offset 6277798, len 8716. Reference data may be mixed with other data. Trying level -9 Reproducing position 1015808 Member reproduced successfully. Copy of input file reproduced successfully.
Example 2: Recover a damaged backup with a zeroed sector of 4096 bytes at file position 1019904, using as reference a previous backup. The damaged backup comes from a damaged partition copied with ddrescue.
ddrescue -b4096 -r10 /dev/sdc1 hdimage mapfile mount -o loop,ro hdimage /mnt/hdimage cp /mnt/hdimage/backup.tar.lz backup.tar.lz umount /mnt/hdimage lzip -t backup.tar.lz backup.tar.lz: Decoder error at pos 1020530 lziprecover -vv -e --reference-file=old_backup.tar backup.tar.lz Reproducing bad area in member 1 of 1 (begin = 1019904, size = 4096, value = 0x00) (master mpos = 1019903, dpos = 5857954) warning: old_backup.tar: Partial match found at offset 5743778, len 9546. Reference data may be mixed with other data. Trying level -9 Reproducing position 1015808 Member reproduced successfully. Copy of input file reproduced successfully.
Example 3: Recover a damaged backup with a zeroed sector of 4096 bytes at file position 1019904, using as reference a file from the filesystem. (If the zeroed sector encodes (part of) a tar header, the tarball can't be reproduced).
# List the contents of the backup tarball to locate the damaged member. tarlz -n0 -tvf backup.tar.lz [...] example.txt tarlz: Skipping to next header. tarlz: backup.tar.lz: Archive ends unexpectedly. # Find in the filesystem the last file listed and use it as reference. lziprecover -vv -e --reference-file=/somedir/example.txt backup.tar.lz Reproducing bad area in member 1 of 1 (begin = 1019904, size = 4096, value = 0x00) (master mpos = 1019903, dpos = 5857954) /somedir/example.txt: Match found at offset 9378 Trying level -9 Reproducing position 1015808 Member reproduced successfully. Copy of input file reproduced successfully.
If backup.tar.lz is a multimember file with more than one member damaged and lziprecover shows the message 'One member reproduced. Copy of input file still contains errors.', the procedure shown in the example above can be repeated until all the members have been reproduced.
'tarlz --keep-damaged -n0 -xf backup.tar.lz example.txt' produces a partial copy of the reference file example.txt that may help locate a complete copy in the filesystem or in another backup, even if example.txt has been renamed.
Tarlz is a massively parallel (multi-threaded) combined implementation of the tar archiver and the lzip compressor.
Tarlz creates tar archives using a simplified and safer variant of the POSIX pax format compressed in lzip format, keeping the alignment between tar members and lzip members. The resulting multimember tar.lz archive is backward compatible with standard tar tools like GNU tar, which treat it like any other tar.lz archive.
Multimember tar.lz archives have some safety advantages over solidly compressed tar.lz archives. For example, in case of corruption, tarlz can extract all the undamaged members from the tar.lz archive, skipping over the damaged members, just like the standard (uncompressed) tar. Keeping the alignment between tar members and lzip members minimizes the amount of data lost in case of corruption. In this chapter we'll explain the ways in which lziprecover can recover and process multimember tar.lz archives.
If you have several copies of the damaged archive, try merging them first because merging has a high probability of success. See Merging files. If the command below prints something like 'Input files merged successfully.' you are done and archive.tar.lz now contains the recovered archive:
lziprecover -m -v -o archive.tar.lz a/archive.tar.lz b/archive.tar.lz
If you only have one copy of the damaged archive with a zeroed block of data caused by an I/O error, you may try to reproduce the archive. See Reproducing one sector. If the command below prints something like 'Copy of input file reproduced successfully.' you are done and archive_fixed.tar.lz now contains the recovered archive:
lziprecover -vv -e --reference-file=old_archive.tar archive.tar.lz
If you only have one copy of the damaged archive, you may try to repair the archive, but this has a lower probability of success. See Repairing one byte. If the command below prints something like 'Copy of input file repaired successfully.' you are done and archive_fixed.tar.lz now contains the recovered archive:
lziprecover -v --byte-repair archive.tar.lz
If all the above fails, and the archive was created with tarlz, you may save the damaged members for later and then copy the good members to another archive. If the two commands below succeed, bad_members.tar.lz will contain all the damaged members and archive_cleaned.tar.lz will contain a good archive with the damaged members removed:
lziprecover -v --dump=damaged -o bad_members.tar.lz archive.tar.lz lziprecover -v --strip=damaged -o archive_cleaned.tar.lz archive.tar.lz
You can then use 'tarlz --keep-damaged' to recover as much data as possible from each damaged member in bad_members.tar.lz:
mkdir tmp cd tmp tarlz --keep-damaged -xvf ../bad_members.tar.lz
Lziprecover is able to copy a list of members from a file to another. For example the command 'lziprecover --dump=1-10:r1:tdata archive.tar.lz > subarch.tar.lz' creates a subset archive containing the first ten members, the end-of-file blocks, and the trailing data (if any) of archive.tar.lz. The 'r1' part selects the last member, which in an appendable tar.lz archive contains the end-of-file blocks.
The name of the fixed file produced by --byte-repair and --merge is made by appending the string _fixed.lz to the original file name. If the original file name ends with one of the extensions .tar.lz, .lz, or .tlz, the string _fixed is inserted before the extension.
The name of the fixed file produced by --fec=repair is made by appending the string _fixed to the original file name. If the original file name ends with one of the extensions .tar.lz, .lz, or .tlz, the string _fixed is inserted before the extension.
Sometimes extra data are found appended to a lzip file after the last member. Such trailing data may be:
Trailing data are in no way part of the lzip file format, but tools reading lzip files are expected to behave as correctly and usefully as possible in the presence of trailing data.
Trailing data can be safely ignored in most cases. In some cases, like that of user-added data, they are expected to be ignored. In those cases where a file containing trailing data must be rejected, the option --trailing-error can be used. See --trailing-error.
Lziprecover facilitates the management of metadata stored as trailing data in lzip files. See the following examples:
Example 1: Add a comment or description to a compressed file.
# First append the comment as trailing data to a lzip file echo 'This file contains this and that' >> file.lz # This command prints the comment to standard output lziprecover --dump=tdata file.lz # This command outputs file.lz without the comment lziprecover --strip=tdata file.lz > stripped_file.lz # This command removes the comment from file.lz lziprecover --remove=tdata file.lz
Example 2: Add and check a cryptographically secure hash. (This may be convenient, but a separate copy of the hash must be kept in a safe place to guarantee that both file and hash have not been maliciously replaced).
sha256sum < file.lz >> file.lz lziprecover --strip=tdata file.lz | sha256sum -c \ <(lziprecover --dump=tdata file.lz)
Example 1: Extract all the files from archive foo.tar.lz.
tar -xf foo.tar.lz or lziprecover -cd foo.tar.lz | tar -xf -
Example 2: Restore a regular file from its compressed version file.lz. If the operation is successful, file.lz is removed.
lziprecover -d file.lz
Example 3: Check the integrity of the compressed file file.lz and show status.
lziprecover -tv file.lz
Example 4: The right way of concatenating the decompressed output of two or more compressed files. See Trailing data.
Don't do this cat file1.lz file2.lz file3.lz | lziprecover -d - Do this instead lziprecover -cd file1.lz file2.lz file3.lz You may also concatenate the compressed files like this lziprecover --strip=tdata file1.lz file2.lz file3.lz > file123.lz Or keeping the trailing data of the last file like this lziprecover --strip=empty file1.lz file2.lz file3.lz > file123.lz
Example 5: Decompress file.lz partially until 10 KiB of decompressed data are produced.
lziprecover -D 0,10KiB file.lz
Example 6: Decompress file.lz partially from decompressed byte at offset 10000 to decompressed byte at offset 14999 (5000 bytes are produced).
lziprecover -D 10000-15000 file.lz
Example 7: Repair a corrupt byte in the file file.lz. (Indented lines are abridged diagnostic messages from lziprecover).
lziprecover -v --byte-repair file.lz Copy of input file repaired successfully. lziprecover -tv file_fixed.lz file_fixed.lz: ok mv file_fixed.lz file.lz
Example 8: Split the multimember file file.lz and write each member in its own recXXXfile.lz file. Then use 'lziprecover -t' to test the integrity of the resulting files.
lziprecover -s file.lz lziprecover -tv rec*file.lz
See --unzcrash, for a faster way of testing the robustness of lzip.
The lziprecover package also includes unzcrash, a program written to test robustness to decompression of corrupted data, inspired by unzcrash.c from Julian Seward's bzip2. Type 'make unzcrash' in the lziprecover source directory to build it.
By default, unzcrash reads the file specified and then repeatedly decompresses it, increasing 256 times each byte of the compressed data, so as to test all possible one-byte errors. Note that it may take years or even centuries to test all possible one-byte errors in a large file (tens of MB).
If the option --block is given, unzcrash reads the file specified and then repeatedly decompresses it, setting all bytes in each successive block to the value given, so as to test all possible full sector errors.
If the option --truncate is given, unzcrash reads the file specified and then repeatedly decompresses it, truncating the file to increasing lengths, so as to test all possible truncation points.
None of the three test modes described above should cause any invalid memory accesses. If any of them does, please, report it as a bug to the maintainers of the decompressor being tested.
Unzcrash really executes as a subprocess the shell command specified in the first non-option argument, and then writes the file specified in the second non-option argument to the standard input of the subprocess, modifying the corresponding byte each time. Therefore unzcrash can be used to test any decompressor (not only lzip), or even other decoder programs having a suitable command-line syntax.
If the decompressor returns with zero status, unzcrash compares the output of the decompressor for the original and corrupt files. If the outputs differ, it means that the decompressor returned a false negative; it failed to recognize the corruption and produced garbage output. The only exception is when a multimember file is truncated just after the last byte of a member, producing a shorter but valid compressed file. Except in this latter case, please, report any false negative as a bug.
In order to compare the outputs, unzcrash needs a 'zcmp' program able to understand the format being tested. For example the 'zcmp' provided by zutils. If the 'zcmp' program used does not understand the format being tested, all the comparisons fail because the compressed files are compared without being decompressed first. Use --zcmp=false to disable comparisons.
The format for running unzcrash is:
unzcrash [options] 'lzip -t' file
The compressed file must not contain errors and the decompressor being tested must decompress it correctly for the comparisons to work.
unzcrash supports the following options:
-h
--help
-V
--version
-b
range--bits=
rangeExamples of range | Tests errors of N-bits
|
---|---|
1 | 1
|
1,2,3 | 1, 2, 3
|
2-4 | 2, 3, 4
|
1,3-5,8 | 1, 3, 4, 5, 8
|
1-3,5-8 | 1, 2, 3, 5, 6, 7, 8
|
-B[
size][,
value]
--block[=
size][,
value]
-d
n--delta=
n-e
position,
value--set-byte=
position,
value-n
--no-check
-p
bytes--position=
bytes-q
--quiet
-s
bytes--size=
bytes-t
--truncate
-v
--verbose
-z
--zcmp=<command>
Exit status: 0 for a normal exit, 1 for environmental problems (file not found, invalid command-line options, I/O errors, etc), 2 to indicate a corrupt or invalid input file, 3 for an internal consistency error (e.g., bug) which caused unzcrash to panic.
There are probably bugs in lziprecover. There are certainly errors and omissions in this manual. If you report them, they will get fixed. If you don't, no one will ever know about them and they will remain unfixed for all eternity, if not longer.
If you find a bug in lziprecover, please send electronic mail to lzip-bug@nongnu.org. Include the version number, which you can find by running 'lziprecover --version'.