Materials: Working complete PC, blank diskette, Student Diskette "New Boot A Ver 2.0+", Student CD-ROM "Room 6359"
Objectives: The student will become familiar with: the Microsoft Extended DOS Partition type; the Microsoft Extended Master Boot Record sector's location, function, and layout; using the partition table to determine the EMBR's location; using the BIOS INT 13h interface to read the Extended DOS Partition's EMBR; analysis of the EMBR's partition tables.
Competency: The student will continue learning how to use the BIOS INT 13h interface for data recovery: routine acquisition of the MBR of BIOS drive 80h, analysis of its partition table including calculation of the location of the EMBR of the Extended DOS Partition, development of the INT 13h call to acquire that EMBR, displaying it on screen, and analyzing it.
Preparation
The student should GHOST DOS onto the hard drive into a 600MB Primary DOS partition. Boot to the C: drive and run FDISK and create an Extended DOS Partition as large as FDISK offers, then create a D: Drive of 250MB, and an E: Drive of 500MB. Exit FDISK properly and reboot.
The student should then run DEBUG and read the MBR and display the bottom half on screen. The two partition tables will then be analyzed in the following procedures.
Procedures
Record the two partition tables. With the hard drive and partition sizes specified in the preparation section above, the partition tables should read as follows:
Partition Table #1 (at offset 1BEh of the MBR)
Offset | Value |
00h | 80 |
01h | 01 |
02h | 01 |
03h | 00 |
04h | 06 |
05h | FE |
06h | 3F |
07h | 4C |
08h | 00 00 00 3F |
0Ch | 00 12 DF CE |
Partition Table #2 (at offset 1CEh of the MBR)
Offset | Value |
00h | 00 |
01h | 00 |
02h | 01 |
03h | 4D |
04h | 05 |
05h | FE |
06h | FF |
07h | FF |
08h | 00 12 E0 0D |
0Ch | 00 E8 23 F3 |
A simple analysis of the first partition table reveals:
Partition Table #1 (at offset 1BEh of the MBR)
Offset | Value | Meaning |
00h | 80 | Active (bootable) partition |
01h | 01 | Start Sector Coordinates (fields 01h-03h): C = 0, H = 1, S = 1 |
02h | 01 | |
03h | 00 | |
04h | 06 | MS FAT16 "B" (cluster support) |
05h | FE | End Sector Coordinates (fields 05h-07h): C = 76, H = 254, S = 63 |
06h | 3F | |
07h | 4C | |
08h | 00 00 00 3F | Start Sector LBA Offset = 63 |
0Ch | 00 12 DF CE | Partition Size: Sectors = 1,236,942 x 512 = 633,314,304 bytes |
The analysis of the 2nd partition table reveals:
Offset | Value | Meaning |
00h | 00 | Not an Active (bootable) partition |
01h | 00 | Start Sector Coordinates (fields 01h-03h): C = 77, H = 0, S = 1 |
02h | 01 | |
03h | 4D | |
04h | 05 | MS Extended DOS Partition |
05h | FE | End Sector Coordinates (fields 05h-07h): C = 1023, H = 254, S = 63 (see below) |
06h | FF | |
07h | FF | |
08h | 00 12 E0 0D | Start Sector LBA Offset = 1,237,005 |
0Ch | 00 E8 23 F3 | Partition Size: Sectors = 15,213,555 x 512 = 7,789,340,160 bytes |
The ending sector's geometric coordinate fields are:
Offset | Value | Field |
05h | FE | End Sector's Head |
06h | FF | End Sector's Sector |
07h | FF | End Sector's Cylinder |
BUT the End Sector's Sector byte is greater than 3F, so convert it to binary:
FF = 11 111111
The low six bits (111111 = 3Fh) are the Sector number, 63. The top two bits (11 = 3) are the top two bits of the Cylinder number. Prepending them to the Cylinder byte at offset 07h gives End Sector's Cylinder = 3 FF = 3FFh = 1023.
Applying the CHS-to-LBA formula for the Extended DOS partition's starting sector reveals:
(Assumes HDD BIOS Geometry C=1024, H=255, S=63)
C(TH x TS) + H(TS) + (S-1) = LBA
77(255 x 63) + 0(63) + (1-1) = LBA
77 x 255 x 63 + 0 + 0 = 1,237,005
This matches the field at offset 08 of the partition table. Now use the formula to determine the LBA address of the ending sector:
(Assumes HDD BIOS Geometry C=1024, H=255, S=63)
C(TH x TS) + H(TS) + (S-1) = LBA
1023(255 x 63) + 254(63) + (63-1) = LBA
(16,434,495) + (16,002) + (62) = 16,450,559
Subtract the LBA address of the start sector of any structure from the end sector LBA address of that structure then add one and the result is the size of that structure in sectors:
Structure size in sectors: ESLBA - SSLBA + 1 = StrucSize
16,450,559 - 1,237,005 + 1 = 15,213,555
This value concurs with the partition size value from the field at offset 0Ch of the partition table. As already seen, the starting sector of a type 06 partition (MS FAT16B) is its DBR. This DBR sector consists of the jump instruction, the DPB, the 2nd stage boot strap loader, and the boot signature. The DPB maps out the locations of all of the file system structures within the partition, including the start sector of the first FAT, the number of FATs, and the size of the FAT(s). This in turn leads to the sector that follows them, which is the first sector of the root directory. The DPB specifies the size of the root. Knowing this, the location of the starting sector of the first data cluster, and therefore of all subsequent data clusters, can be calculated.
The starting sector of an Extended DOS Partition is NOT a DBR. It is an EMBR - Extended Master Boot Record. It is basically another MBR but missing the 1st stage OS boot strap loader code because the BIOS will never go looking for it, so it could never get control and boot the system anyway. However, it DOES contain partition tables and can therefore define another type 06 partition which DOES get a drive letter and DOES get formatted and will have a DBR.
Based on the earlier analysis numbers for partition table #2, the starting sector's geometric coordinates provided by the fields at offsets 01, 02, and 03 of that table are: C = 4D, Head = 00, Sector = 01. These yield register parameters of:
AH = 02, AL = 01 => AX = 0201
BX = 100
CH = 4D, CL = 01 => CX = 4D01
DH = 00, DL = 80 => DX = 0080
So the DEBUG script to read this starting sector of the Extended DOS Partition would then be:
mov ax, 201
mov bx, 100
mov cx, 4D01
mov dx, 80
int 13
int 3
Start DEBUG's assembly language interpreter at offset 300, enter this code, then execute it. Once executed, display the top half of the sector on screen; it will be all zeros. Then display the bottom half of the sector on screen. It does not contain much, but notice the values starting at offset 2BEh on screen (offset 1BEh of the sector, loaded at 100h) and the "55 AA" at the end of the sector. Copy out the raw partition tables to worksheets. Based on the partitions developed during the preparation portion of this module on the HDD used in class, they should look like this:
Partition Table #1 (at offset 1BEh of the EMBR)
Offset | Value |
00h | 00 |
01h | 01 |
02h | 01 |
03h | 4D |
04h | 06 |
05h | FE |
06h | 3F |
07h | 6C |
08h | 00 00 00 3F |
0Ch | 00 07 D7 E1 |
Partition Table #2 (at offset 1CEh of the EMBR)
Offset | Value |
00h | 00 |
01h | 00 |
02h | 01 |
03h | 6D |
04h | 05 |
05h | FE |
06h | 3F |
07h | AC |
08h | 00 07 D8 20 |
0Ch | 00 0F B0 40 |
This EMBR contains two partition tables of its own. One describes a type 06 MS FAT16B partition and the other another MS Extended DOS Partition. The first sector of the type 06 will be a DBR, and the first sector of the type 05 will be another EMBR. The type 06 partition described in the first partition table of this EMBR is the first logical drive within the Extended DOS Partition which FDISK created on this drive: the D: drive.
The following illustration shows the situation so far. The MBR contains two partition tables: the first points to the starting sector of a type 06, which is a DBR; the second points to the starting sector of a type 05, which is an EMBR. That EMBR contains two partition tables: the first points to the starting sector of a type 06 (a DBR), the second to the starting sector of a type 05 (another EMBR). That EMBR should contain at least one partition table pointing to the starting sector of a type 06, a DBR:
The logical drives are then type 06 partitions (or any other "formattable" partition type) defined in an EMBR. The EMBR then contains one other entry leading to the next EMBR where the next logical drive would be defined. Thus the MBR points to the first EMBR in a chain of them each defining one logical drive along the way. This is obviously not the way these structures are presented to the user by FDISK, but this is what FDISK builds on the physical disk when it is exited properly by the user.
The analysis of the first of the two partition tables found in the EMBR just transcribed yields the following information:
Offset | Value | Meaning |
00h | 00 | Not an active (bootable) partition |
01h | 01 | Start Sector Coordinates (fields 01h-03h): C = 77, H = 1, S = 1 |
02h | 01 | |
03h | 4D | |
04h | 06 | MS FAT16 "B" (cluster support) |
05h | FE | End Sector Coordinates (fields 05h-07h): C = 108, H = 254, S = 63 |
06h | 3F | |
07h | 6C | |
08h | 00 00 00 3F | Start Sector LBA Offset = 63 |
0Ch | 00 07 D7 E1 | Partition Size: Sectors = 514,017 x 512 = 263,176,704 bytes |
It can be seen why the field at offset 08h of a partition table is referred to as the "LBA offset to the starting sector" rather than the "LBA address of the starting sector". It is the distance from this EMBR sector to it, not its raw LBA address. If the LBA address of the EMBR is known, which it is from the MBR partition table data, then the true LBA address of the first sector of any partition defined within the EMBR can be calculated by the following:
EMBRLBA + SSofs = SSLBA
Where:
EMBRLBA = the true LBA address of the EMBR
SSofs = Start Sector's offset, the value from its partition table field at offset 08
SSLBA = Start Sector's true LBA address
This EMBR's LBA address was given as the offset of the starting sector of the type 05 partition in the MBR (field at offset 08h of the second partition table). That value plus the field at offset 08h of the type 06 partition listed in this EMBR gives the LBA address of the DBR of the logical drive:
EMBRLBA + SSofs = SSLBA
Where:
EMBRLBA = 1,237,005
SSofs = 63
Therefore: 1,237,005 + 63 = 1,237,068
Applying the LBA-to-CHS formula reveals:
LBA / (TH x TS) = C, remainder R1
R1 / TS = H, remainder R2
R2 + 1 = S
Therefore (given the BIOS translations have assigned Total Heads = 255, Sectors = 63):
1,237,068 / (255 x 63) = C: 77, R1 = 63
63 / 63 = H: 1, R2 = 0
0 + 1 = S: 1
This confirms the values of the fields at offset 01, 02, and 03 of the partition table listing this sector's CHS at C = 77, H = 1, S = 1. Create the assembly code to read this sector into DEBUG workspace RAM. Execute the code and display the top of the sector on screen verifying that it is a DBR. (Second field should read "MSDOS5.0"):
Assembly code to read the logical drive's DBR:
mov ax, 201
mov bx, 100
mov cx, 4D01
mov dx, 180
int 13
int 3
(DX = 0180: DH = 01 selects head 1, DL = 80 selects the first hard drive.)
A simple analysis of the second partition table reveals:
Offset | Value | Meaning |
00h | 00 | Not an active (bootable) partition |
01h | 00 | Start Sector Coordinates (fields 01h-03h): C = 109, H = 0, S = 1 |
02h | 01 | |
03h | 6D | |
04h | 05 | MS Extended DOS Partition |
05h | FE | End Sector Coordinates (fields 05h-07h): C = 172, H = 254, S = 63 |
06h | 3F | |
07h | AC | |
08h | 00 07 D8 20 | Start Sector LBA Offset = 514,080 |
0Ch | 00 0F B0 40 | Partition Size: Sectors = 1,028,160 x 512 = 526,417,920 bytes |
Develop the assembly code to load the starting sector of this type 05 partition into the DEBUG workspace RAM. Since it is another type 05, this sector will be another EMBR. Execute the code and display the top and bottom halves of the sector on screen, confirming that another EMBR has been found. The first EMBR described the D: drive and pointed to this second EMBR, which describes the E: drive (in its type 06 partition table entry):
Assembly code to read the second EMBR (use the fields at offsets 01, 02, 03):
mov ax, 201
mov bx, 100
mov cx, 6D01
mov dx, 80
int 13
int 3
(CX = 6D01: CH = 6D is cylinder 109, CL = 01 is sector 1 with cylinder high bits 0; DX = 0080: head 0 on the first hard drive.)
Based on the type 06 partition table information found in the second EMBR, load the first sector of the E: drive into RAM and display it on screen. What type of sector was expected? (FAT16B DBR) Was this confirmed when it was displayed?
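As an added example (not part of the original worksheet), the Python below parses the four partition table entries transcribed above (constructed here as little-endian byte strings), applies the worksheet's CHS-to-LBA and LBA-to-CHS formulas and the "EMBRLBA + SSofs" offset rule, and resolves the absolute LBA of each DBR and EMBR in the chain. It assumes the BIOS geometry C=1024, H=255, S=63 used in the text; the sector dictionary stands in for INT 13h reads, so the second EMBR's LBA is computed but its contents are not (they are left to the student above).

```python
import struct
# Constructed 16-byte entries transcribed from this worksheet's tables, stored
# little-endian as on disk (the tables above print the two LBA fields big-endian).
MBR = [bytes.fromhex("80 01 01 00 06 FE 3F 4C 3F 00 00 00 CE DF 12 00"),
       bytes.fromhex("00 00 01 4D 05 FE FF FF 0D E0 12 00 F3 23 E8 00")]
EMBR1 = [bytes.fromhex("00 01 01 4D 06 FE 3F 6C 3F 00 00 00 E1 D7 07 00"),
         bytes.fromhex("00 00 01 6D 05 FE 3F AC 20 D8 07 00 40 B0 0F 00")]
HEADS, SECTORS = 255, 63     # BIOS translated geometry assumed by the worksheet
EXTENDED = {0x05, 0x0F}      # MS Extended DOS partition types (0F = LBA variant)

def decode_chs(h, s_byte, c_low):
    """Unpack packed CHS: the top two bits of the sector byte are cylinder bits 8-9."""
    return ((s_byte & 0xC0) << 2) | c_low, h, s_byte & 0x3F

def chs_to_lba(c, h, s):
    return c * (HEADS * SECTORS) + h * SECTORS + (s - 1)

def lba_to_chs(lba):
    c, r1 = divmod(lba, HEADS * SECTORS)
    h, r2 = divmod(r1, SECTORS)
    return c, h, r2 + 1

def parse_entry(raw):
    f = struct.unpack("<BBBBBBBBII", raw)   # boot, sH, sS, sC, type, eH, eS, eC, ofs, size
    return {"active": f[0] == 0x80, "type": f[4], "start_ofs": f[8], "size": f[9],
            "start_chs": decode_chs(f[1], f[2], f[3]), "end_chs": decode_chs(f[5], f[6], f[7])}

def consistent(e, base):
    """Worksheet cross-check: CHS start == base + offset, and end - start + 1 == size."""
    start, end = chs_to_lba(*e["start_chs"]), chs_to_lba(*e["end_chs"])
    return start == base + e["start_ofs"] and end - start + 1 == e["size"]

def walk_chain(sectors):
    """Resolve absolute LBAs of DBRs and EMBRs. `sectors` maps LBA -> raw entries (a stand-in
    for INT 13h reads). Logical-drive offsets are relative to their EMBR; links to the first EMBR."""
    found, lba, link_base = [], 0, 0
    while lba is not None:
        found.append(("MBR" if lba == 0 else "EMBR", lba))
        nxt = None
        for raw in sectors.get(lba, []):        # an EMBR we have not read ends the walk
            e = parse_entry(raw)
            if e["type"] in EXTENDED:
                nxt = link_base + e["start_ofs"]
            elif e["type"]:
                found.append(("DBR", lba + e["start_ofs"]))
        if lba == 0 and nxt is not None:
            link_base = nxt           # every later link is measured from the first EMBR
        lba = nxt
    return found
```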
In the next exercise, the first real-world data recovery operation on a hard drive will be performed, in which the MBR will be destroyed and these two logical drives will be recovered whole and intact.
Copyright©2000-2006 Brian Robinson ALL RIGHTS RESERVED