close
Master Boot Record (MBR) 解析
最近在研究 Master Boot Record (MBR) 格式, 因此將心得 Post 在 Blog 上.
複製隨身碟至 Image 檔案
使用 Win32 Disk Imager 將隨身碟映射至 Image 檔案, 如圖:
Basic Structure of the Master Boot Record Sector
Offsets Length Description ------------------------------------------------------------ 000 ~ 1BD 446 Code Area 1BE ~ 1FD 64 Master Partition Table 1FE ~ 1FF 2 Boot Record Signature
Boot Record Signature
Offsets Byte Values ------------------------------------------------------------ 1FE 55 ■ 1FF AA ■
MBR 位於 Disk 之第一個 512 Byte 的 Sector 之內. 基本結構包括了 Code Area, Master Partition Table 以及 Boot Record Signature (55 AA) . 用 Hex Viewer 來看大概是這樣子的.
The Standard 64-byte Primary Partition Table
Offsets Length Content ------------------------------------------------------------ 1BE ~ 1CD 16 Table Entry for Primary Partition # 1 1CE ~ 1DD 16 Table Entry for Primary Partition # 2 1DE ~ 1ED 16 Table Entry for Primary Partition # 3 1EE ~ 1FD 16 Table Entry for Primary Partition # 4
A Partition Table Entry
Offsets Length Content ------------------------------------------------------------ 0 1 Boot Indicator (80h = active) ■ 1 ~ 3 3 Starting CHS values ■ 4 1 Partition-type Descriptor ■ 5 ~ 7 3 Ending CHS values ■ 8 ~ 11 4 Starting Sector ■ 12 ~ 15 4 Partition Size (in sectors) ■
Offet(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 000001C0 0C 00 0B 38 F8 B8 89 00 00 00 77 9F 3A 00 00 00 000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
關於 Partition-type Descriptor, 請參考 https://en.wikipedia.org/wiki/Partition_type
Partition-ID Occurrence Access Bootable Type Origin Supported-by Description ------------------------------------------------------------------------------------------------------------------------ ... 0Bh MBR,EBR CHS,LBA x86 File system Microsoft DOS 7.1+ FAT32 with CHS addressing ...
Starting Sector (89 00 00 00)
我們來計算一下 Starting Sector (89 00 00 00) 它的 offset 是多少? 看起來 Starting Sector 這個 field 是 LSBF (Least Significant Bit First) .
0X00000089 = 137
137 * 512 = 70144 = 0X011200
我們來看一下 offset 0X01200
哇, 賓果 "MSDOS5.0" 耶; 這就是我們要的.
Partition Size (77 9F 3A 00)
我們再來看 Partition Size:
0X003A9F77 = 3841911
3841911 * 512 = 1967058432
又賓果; 這的確是 Partition Size.
Boot Sector
Bytes Content ------------------------------------------------------------------------------------------ 0-2 Jump to bootstrap (E.g. eb 3c 90; on i86: JMP 003E NOP. One finds either eb xx 90, or e9 xx xx. The position of the bootstrap varies.) 3-10 OEM name/version (E.g. "IBM 3.3", "IBM 20.0", "MSDOS5.0", "MSWIN4.0". Various format utilities leave their own name, like "CH-FOR18". Sometimes just garbage. Microsoft recommends "MSWIN4.1".) /* BIOS Parameter Block starts here */ 11-12 Number of bytes per sector (512) Must be one of 512, 1024, 2048, 4096. 13 Number of sectors per cluster (1) Must be one of 1, 2, 4, 8, 16, 32, 64, 128. A cluster should have at most 32768 bytes. In rare cases 65536 is OK. 14-15 Number of reserved sectors (1) FAT12 and FAT16 use 1. FAT32 uses 32. 16 Number of FAT copies (2) 17-18 Number of root directory entries (224) 0 for FAT32. 512 is recommended for FAT16. 19-20 Total number of sectors in the filesystem (2880) (in case the partition is not FAT32 and smaller than 32 MB) 21 Media descriptor type (f0: 1.4 MB floppy, f8: hard disk; see below) 22-23 Number of sectors per FAT (9) 0 for FAT32. 24-25 Number of sectors per track (12) 26-27 Number of heads (2, for a double-sided diskette) 28-29 Number of hidden sectors (0) Hidden sectors are sectors preceding the partition. /* BIOS Parameter Block ends here */ 30-509 Bootstrap 510-511 Signature 55 aa
FAT32
Bytes Content
------------------------------------------------------------------------------------------
11-27 (as before)
28-31 Number of hidden sectors (0)
32-35 Total number of sectors in the filesystem
36-39 Sectors per FAT
40-41 Mirror flags
Bits 0-3: number of active FAT (if bit 7 is 1)
Bits 4-6: reserved
Bit 7: one: single active FAT; zero: all FATs are updated at runtime
Bits 8-15: reserved
42-43 Filesystem version
44-47 First cluster of root directory (usually 2)
48-49 Filesystem information sector number in FAT32 reserved area (usually 1)
50-51 Backup boot sector location or 0 or 0xffff if none (usually 6)
52-63 Reserved
64 Logical Drive Number (for use with INT 13, e.g. 0 or 0x80)
65 Reserved - used to be Current Head (used by Windows NT)
66 Extended signature (0x29)
Indicates that the three following fields are present.
67-70 Serial number of partition
71-81 Volume label
82-89 Filesystem type ("FAT32 ")
我們來驗證 Boot Sector 以及 FAT32 的幾個 fields:
1. OEM: "MSDOS5.0"
2. Number of Bytes per Sector (0002) :
0X0200 = 512
3. Total Number of Sectors (77 9F 3A) :
0X3A9F77 = 3841911
3841911 * 512 = 1967058432
4. Filesystem type:
FAT32
5. Signature
55AA
還不賴吧?
Offet(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 0001200 EB 58 90 4D 53 44 4F 53 35 2E 30 00 02 08 26 00 0001210 02 00 00 00 00 F8 00 00 3F 00 FF 00 89 00 00 00 0001220 77 9F 3A 00 A1 0E 00 00 00 00 00 00 02 00 00 00 0001230 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 0001240 00 00 29 6C 78 E2 80 4E 4F 20 4E 41 4D 45 20 20 0001250 20 20 46 41 54 33 32 20 20 20 33 C9 8E D1 BC F4 0001260 7B 8E C1 8E D9 BD 00 7C 88 4E 02 8A 56 40 B4 08 0001270 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66 0F 0001280 B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F B7 0001290 C9 66 F7 E1 66 89 46 F8 83 7E 16 00 75 38 83 7E 00012A0 2A 00 77 32 66 8B 46 1C 66 83 C0 0C BB 00 80 B9 00012B0 01 00 E8 2B 00 E9 48 03 A0 FA 7D B4 7D 8B F0 AC 00012C0 84 C0 74 17 3C FF 74 09 B4 0E BB 07 00 CD 10 EB 00012D0 EE A0 FB 7D EB E5 A0 F9 7D EB E0 98 CD 16 CD 19 00012E0 66 60 66 3B 46 F8 0F 82 4A 00 66 6A 00 66 50 06 00012F0 53 66 68 10 00 01 00 80 7E 02 00 0F 85 20 00 B4 0001300 41 BB AA 55 8A 56 40 CD 13 0F 82 1C 00 81 FB 55 0001310 AA 0F 85 14 00 F6 C1 01 0F 84 0D 00 FE 46 02 B4 0001320 42 8A 56 40 8B F4 CD 13 B0 F9 66 58 66 58 66 58 0001330 66 58 EB 2A 66 33 D2 66 0F B7 4E 18 66 F7 F1 FE 0001340 C2 8A CA 66 8B D0 66 C1 EA 10 F7 76 1A 86 D6 8A 0001350 56 40 8A E8 C0 E4 06 0A CC B8 01 02 CD 13 66 61 0001360 0F 82 54 FF 81 C3 00 02 66 40 49 0F 85 71 FF C3 0001370 4E 54 4C 44 52 20 20 20 20 20 20 00 00 00 00 00 0001380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0001390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00013A0 00 00 00 00 00 00 00 00 00 00 00 00 0D 0A 52 65 00013B0 6D 6F 76 65 20 64 69 73 6B 73 20 6F 72 20 6F 74 00013C0 68 65 72 20 6D 65 64 69 61 2E FF 0D 0A 44 69 73 00013D0 6B 20 65 72 72 6F 72 FF 0D 0A 50 72 65 73 73 20 00013E0 61 6E 79 20 6B 65 79 20 74 6F 20 72 65 73 74 61 00013F0 72 74 0D 0A 00 00 00 00 00 AC CB D8 00 00 55 AA
參考資料:
https://www.win.tue.nl/~aeb/linux/fs/fat/fat-1.html
http://thestarman.pcministry.com/asm/mbr/PartTables.htm
文章標籤
全站熱搜
留言列表
{{ article.title }}
