bootcamp – Trying to recover APFS (Sorry I know this has been posted about 1×10^x times)


Early 2013 MBPr

OSX 10.? APFS (Sorry don’t know the exact release, don’t boot OSX all that often anymore) – What I broke, also don’t see any local recovery.

Kali Linux – Bootable via rEFInd

Windows 10 Enterprise Eval – Bootable via rEFInd

Okie, so background first I suppose, this trouble started when I tried to shrink my APFS volume to install Windows. I did this from the disk utility GUI in OSX and it completed with an unknown error, looking at the GUI partition table it looked ok and I didn’t investigate further and moved on because, apparently, I’m a dummy, I was in a rush and yes I should have known better.
I then started getting an error while trying to use bootcamp utility to get the windows drivers on a stick, thought this was a network error so I decided to reboot, and, boom, no OSX.
At this point I went ahead and installed Windows to the space freed by OSX’s disk util, broke rEFInd, fixed rEFInd, and now have bootable partitions for Linux and Windows, but OSX was showing FFFF(insert more F’s for OSX here) as the GUID.

Where I am now:
From reading this thread found by googling my jumbled hexdump while looking for my APFS magic block I think I’m almost back, but I was getting lost on “switch the bits AND bytes” instructions offered by @klanomath (dude you’re a legend answering all these broken partition questions) and I wanted to do my due diligence and confirm I’m doing this correctly before continuing.

firereverie@kaliMBPr:~$ sudo dd if=/dev/sda skip=409640 bs=512 count=1 | hexdump
1+0 records in
1+0 records out
512 bytes copied, 7.9173e-05 s, 6.5 MB/s
0000000 9bff f313 75f6 5f85 0001 0000 0000 0000
0000010 8ef4 0004 0000 0000 0001 8000 0000 0000
0000020 584e 4253 1000 0000 9fe3 042f 0000 0000
0000030 0000 0000 0000 0000 0000 0000 0000 0000
0000040 0002 0000 0000 0000 659b 8290 b472 f14e
0000050 23a5 4b63 657f 6bdf f7d5 0007 0000 0000
0000060 8ef5 0004 0000 0000 0118 0000 6c24 0000
0000070 3352 0004 0000 0000 add8 0003 0000 0000
0000080 0078 0000 0acc 0000 0076 0000 0002 0000
0000090 0ab9 0000 0013 0000 f70d 0007 0000 0000
00000a0 3102 000a 0000 0000 0401 0000 0000 0000
00000b0 0000 0000 0064 0000 0403 0000 0000 0000
00000c0 0406 0000 0000 0000 9df4 0001 0000 0000
00000d0 4012 0002 0000 0000 6980 0006 0000 0000
00000e0 0000 0000 0000 0000 0000 0000 0000 0000
*
0000200
firereverie@kaliMBPr:~$ 

So if I’m reading this correctly 0000020 should be what I’m looking for but should read as “4e58 5324” (magic) “0010 0000” (4096 size) and “e39f 2f04” (part size @ 3818860292).

At this point I should be able to follow @klanomath’s instruction for rebooting to internet recovery and editing the GPT in terminal, but I really wanted to make sure I’m interpreting the linux hex dump correctly first.

Thanks -fire