Master Boot Record
The Master Boot Record is the same for pretty much all Operating Systems. It is located on the first Sector of the Hard Drive, at Cylinder 0, Head 0, Sector 1. It is the first piece of code that your computer runs after it has checked all of your hardware (POST) and turned control of loading software over the hard drive. It also contains the partition table, which defines the different sections of your hard drive. Basically if anything happens to this little 512 byte section, your hard drive is brain dead. Kinda scary, eh? :)
| Offset | Description | Size |
| 000h | Executable Code (Boots Computer) | 446 Bytes |
| 1BEh | 1st Partition Entry (See Next Table) | 16 Bytes |
| 1CEh | 2nd Partition Entry | 16 Bytes |
| 1DEh | 3rd Partition Entry | 16 Bytes |
| 1EEh | 4th Partition Entry | 16 Bytes |
| 1FEh | Executable Marker (55h AAh) | 2 Bytes |
Partition Entry (Part of MBR)
| Offset | Description | Size |
| 00h | Current State of Partition (00h=Inactive, 80h=Active) | 1 Byte |
| 01h | Beginning of Partition - Head | 1 Byte |
| 02h | Beginning of Partition - Cylinder/Sector (See Below) | 1 Word |
| 04h | Type of Partition (See List Below) | 1 Byte |
| 05h | End of Partition - Head | 1 Byte |
| 06h | End of Partition - Cylinder/Sector | 1 Word |
| 08h | Number of Sectors Between the MBR and the First Sector in the Partition | 1 Double Word |
| 0Ch | Number of Sectors in the Partition | 1 Double Word |
Cylinder/Sector Encoding
I guess back in the days of 10MB hard drives and 8086's, code was at a premium. So they did everything they could to preserve space. Unfortunately now we have to live with it, but luckily they created new ways of translating the system so the 1024 Cylinder Limit (2^10) isn't too big of a problem, for newer computers, at least. Older ones usually need some sort of Disk Overlay program to make them see the whole hard drive.
Anyway, to get the Sector out of this, you need to apply an AND mask ($3F) to it. To get the Cylinder, you take the high byte and OR it with the low byte that has been AND masked with ($C0) and then Shifted Left Two. It's not very easy to explain, so I'll just show you how I did it with two routines I made (In Pascal) for Encoding and Decoding the Cylinder/Sector. Hopefully even if you don't know Pascal you'll be able to read it.
Function CylSecEncode(Cylinder, Sector : Word) : Word;
Begin
CylSecEncode := (Lo(Cylinder) shl 8) or (Hi(Cylinder) shl 6) or Sector;
End;
Procedure CylSecDecode(Var Cylinder, Sector : Word; CylSec : Word);
Begin
Cylinder := Hi(CylSec) or ((Lo(CylSec) and $C0) shl 2);
Sector := (CylSec and $3F);
End;
| 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| Cylinder Bits 7 to 0 | Cylinder Bits 9+8 | Sector Bits 5 to 0 | |||||||||||||
Partition Type Listing
There are more than just these shown, but I've only included that ones relevant to MS Operating Systems.
| Value | Description |
| 00h | Unknown or Nothing |
| 01h | 12-bit FAT |
| 04h | 16-bit FAT (Partition Smaller than 32MB) |
| 05h | Extended MS-DOS Partition |
| 06h | 16-bit FAT (Partition Larger than 32MB) |
| 0Bh | 32-bit FAT (Partition Up to 2048GB) |
| 0Ch | Same as 0BH, but uses LBA1 13h Extensions |
| 0Eh | Same as 06H, but uses LBA1 13h Extensions |
| 0Fh | Same as 05H, but uses LBA1 13h Extensions |
Reading Multiple Partitions
Since FAT16 is limited to 2GB per partition, drives that use it tend to have multiple partitions. The first partition is the Primary Partition, and everything else is stored in the Extended Partition. It's a little tricky when it comes to reading those extra partitions though (not a lot, just a little). The first record in the partition table shows where the Primary partition is (how big it is, where it starts, and where it ends). The second entry in the partition table shows where the Entire Extended Partition is (which may include more than just one partition). To read any more partitions, you go to the where it says the Extended Partition starts, and read the first sector. It acts just like the MBR. It'll have blank where the code is supposed to be, and in the partition table it will have for it's first entry the next Partition in the Drive, and if there are anymore, there will be another Extended partition, just like before. However, all references to Sector Numbers are made using the that new MBR point as the reference, making it a virtual drive. Just incase this doesn't make much sense (and by the way I explain things I can understand if it doesn't), let me show you how a drive with three partitions is setup.
MBR of Whole Drive
Entry #1 - Points to Partition #1
Entry #2 - Points to the Entire Extended PartitionYou would read the first sector of that Extended Partition, and see another MBR Structure.
MBR of Extended Partition
Entry #1 - Points to Partition #2
Entry #2 - Points to Rest of Extended Partition after Partition #2Now, all references to Sector Numbers (most specifically the entry at Offset 08h) in those Entries wouldn't be referenced from the start of the drive, but from the start of the Extended Partition. However, the CHS (Cylinder, Head, Sector) numbers would still be right.
Once again, you would read the first sector of that Extended Partition, and see the next MBR.
MBR of Rest of Extended Partition
Entry #1 - Points to Partition #3
No Entry #2, since this was the Last PartitionIf there were another partition, the pattern would continue just like before, until the last one was reached.
FAT16 Boot Record
This information is located in the first sector of every partition.
| Offset | Description | Size |
| 00h | Jump Code + NOP | 3 Bytes |
| 03h | OEM Name | 8 Bytes |
| 0Bh | Bytes Per Sector | 1 Word |
| 0Dh | Sectors Per Cluster | 1 Byte |
| 0Eh | Reserved Sectors | 1 Word |
| 10h | Number of Copies of FAT | 1 Byte |
| 11h | Maximum Root Directory Entries | 1 Word |
| 13h | Number of Sectors in Partition Smaller than 32MB | 1 Word |
| 15h | Media Descriptor (F8h for Hard Disks) | 1 Byte |
| 16h | Sectors Per FAT | 1 Word |
| 18h | Sectors Per Track | 1 Word |
| 1Ah | Number of Heads | 1 Word |
| 1Ch | Number of Hidden Sectors in Partition | 1 Double Word |
| 20h | Number of Sectors in Partition | 1 Double Word |
| 24h | Logical Drive Number of Partition | 1 Word |
| 26h | Extended Signature (29h) | 1 Byte |
| 27h | Serial Number of Partition | 1 Double Word |
| 2Bh | Volume Name of Partition | 11 Bytes |
| 36h | FAT Name (FAT16) | 8 Bytes |
| 3Eh | Executable Code | 448 Bytes |
| 1FEh | Executable Marker (55h AAh) | 2 Bytes |
FAT16 Drive Layout
| Offset | Description |
| Start of Partition | Boot Sector |
| Start + # of Reserved Sectors | Fat Tables |
| Start + # of Reserved + (# of Sectors Per FAT * 2) | Root Directory Entry |
| Start + # of Reserved + (# of Sectors Per FAT * 2) + ((Maximum Root Directory Entries * 32) / Bytes per Sector) | Data Area (Starts with Cluster #2) |
Cluster Meaning (FAT Table Entries)
A Cluster is a Group of Sectors on the Hard Drive that have information in them. A 16K Cluster has 32 Sectors in it (512*32=16384). Each Cluster is given a spot in the FAT Table. When you look at an Entry in the FAT, the number there tells you whether or not that cluster has data in it, and if so, if it is the end of the data or there is another cluster after it. All Data on a Partition starts with Cluster #2 (Right after Root Directory). If the FAT Entry is 0, then there is no data in that cluster. If the FAT Entry is FFFFh, then it is the last entry in the chain.
| FAT Code Range | Meaning |
| 0000h | Available Cluster |
| 0002h-FFEFh | Used, Next Cluster in File |
| FFF0h-FFF6h | Reserved Cluster |
| FFF7h | BAD Cluster |
| FFF8h-FFFF | Used, Last Cluster in File |
Directory Table
Another aspect when looking at a File System at Low Level is the Directory Table. The Directory Table is what stores all of the File and Directory Entries. Someone else has already written a good resource for this information on the net, so go here to look at it. The link doesn't work anymore, but luckily I saved the page a while back, so i'll just post it on my site.
Footnotes
1 - LBA = Logical Block Addressing - Uses the Int 13h Extensions built into newer BIOS's to access data above the 8GB barrier, or to access strickly in LBA mode, instead of CHS (Cylinder, Head, Sector).
扫一扫
3564
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
