
The Microsoft Extended DOS Partition and the EMBR

Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Objectives:
The student will become familiar with:
The Microsoft Extended DOS Partition type,
The Microsoft Extended Master Boot Record Sector's location, function, and layout,
Using the partition table to determine the EMBR's location,
Using the BIOS INT 13h interface to read the Extended DOS Partition's EMBR,
Analysis of the EMBR's partition tables.
Competency:
The student will continue learning how to use the BIOS INT 13h interface for the purposes of data recovery, including routine acquisition of the MBR of BIOS drive 80h, analysis of the partition table (including calculating the location of the EMBR of the Extended DOS Partition), developing the INT 13h call to acquire that EMBR, displaying it on screen, and analyzing it.

    Preparation

  1. The student should GHOST DOS onto the hard drive into a 600MB Primary DOS partition. Boot to the C: drive and run FDISK and create an Extended DOS Partition as large as FDISK offers, then create a D: Drive of 250MB, and an E: Drive of 500MB. Exit FDISK properly and reboot.

  2. The student should then run DEBUG and read the MBR and display the bottom half on screen. The two partition tables will then be analyzed in the following procedures.

    Procedures

  4. Record the two partition tables. With the hard drive and partition sizes specified in the preparation section above, the partition tables are as follows:

    Partition Table #1 (at offset 1BEh of the MBR)

    Offset Value
    00h 80
    01h 01
    02h 01
    03h 00
    04h 06
    05h FE
    06h 3F
    07h 4C
    08h 00 00 00 3F
    0Ch 00 12 DF CE

    Partition Table #2 (at offset 1CEh of the MBR)

    Offset Value
    00h 00
    01h 00
    02h 01
    03h 4D
    04h 05
    05h FE
    06h FF
    07h FF
    08h 00 12 E0 0D
    0Ch 00 E8 23 F3

  5. A simple analysis of the first partition table reveals:

    Partition Table #1 (at offset 1BEh of the MBR)

    Offset  Value        Meaning
    00h     80           Active (bootable) partition
    01h     01           Start Sector Coordinates: C = 0, H = 1, S = 1
    02h     01
    03h     00
    04h     06           MS FAT16 "B" (cluster support)
    05h     FE           End Sector Coordinates: C = 76, H = 254, S = 63
    06h     3F
    07h     4C
    08h     00 00 00 3F  Start Sector LBA Offset = 63
    0Ch     00 12 DF CE  Partition Size: Sectors = 1,236,942 x 512 = 633,314,304 bytes

  6. The analysis of the 2nd partition table reveals:

    Offset  Value        Meaning
    00h     00           Not an Active (bootable) partition
    01h     00           Start Sector Coordinates: C = 77, H = 0, S = 1
    02h     01
    03h     4D
    04h     05           MS Extended DOS Partition
    05h     FE           End Sector Coordinates: C = 1023, H = 254, S = 63 (See below)
    06h     FF
    07h     FF
    08h     00 12 E0 0D  Start Sector LBA Offset = 1,237,005
    0Ch     00 E8 23 F3  Partition Size: Sectors = 15,213,555 x 512 = 7,789,340,160 bytes

  7. The ending sector's geometric coordinate fields are:

    Offset Value  Field
    01     FE     End Sector's Head
    02     FF     End Sector's Sector
    03     FF     End Sector's Cylinder
    
    BUT End Sector's Sector is greater than 3F so:
    Convert to binary:
    FF = 1 1 1 1 1 1 1 1
          |        |
          |        +-> Sector bits = 3F
          +-> Top two bits of Cylinder # = 3
                                           |
        +----------------------------------+
        |
        | End Sector's Cylinder
        |           |
        |           |
        |           v
        +-------> 3 FF
    
    
  8. Applying the CHS-to-LBA formula for the Extended DOS partition's starting sector reveals:

    (Assumes HDD BIOS Geometry C=1024, H=255, S=63)
    C(TH x TS) + H(TS) + (S-1) = LBA
    
    77(255 x 63) + 0(63) + (1-1) = LBA
    
    77 x 255 x 63 + 0 + 0 = 1,237,005 
    
    
  9. This matches the field at offset 08 of the partition table. Now use the formula to determine the LBA address of the ending sector:

    (Assumes HDD BIOS Geometry C=1024, H=255, S=63)
    C(TH x TS) + H(TS) + (S-1) = LBA
    
    1023(255 x 63) + 254(63) + (63-1) = LBA
    
    (16,434,495) + (16002) + (62) = 16,450,559
    
    
  10. Subtract the LBA address of the start sector of any structure from the end sector LBA address of that structure then add one and the result is the size of that structure in sectors:

    Structure size in sectors:
    ESLBA - SSLBA + 1 = StrucSize
    
    16,450,559 - 1,237,005 + 1 = 15,213,555
    
    
  11. This value concurs with the partition size value from the field at offset 0Ch of the partition table. As we have seen already, the starting sector of a type 06 partition (MS FAT16B) is its DBR. This DBR sector consists of the jump instruction, DPB, 2nd stage bootstrap loader, and the boot signature. This DPB maps out the locations of all of the file system structures within the partition, including the start sector of the first FAT, the number of FATs, and the size of the FAT(s). This in turn leads to the sector that follows these, which is the first sector of the root directory. The DPB specifies the size of the root. Knowing this, the location of the starting sector of the first data cluster, and therefore of all subsequent data clusters, can be calculated.

  12. The starting sector of an Extended DOS Partition is NOT a DBR. It is an EMBR - Extended Master Boot Record. It is basically another MBR but missing the 1st stage OS bootstrap loader code because the BIOS will never go looking for it, so it could never get control and boot the system anyway. However, it DOES contain partition tables and can therefore define another type 06 partition which DOES get a drive letter and DOES get formatted and will have a DBR.

  13. Based on the earlier analysis of partition table #2, the starting sector's geometric coordinates provided by fields 01, 02, and 03 of that table are C = 4D, Head = 00, Sector = 01. These yield register parameters of:

    AH = 02, AL = 01 => AX = 0201
    BX = 100
    CH = 4D, CL = 1 => CX = 4D01
    DH = 00, DL = 80 => DX = 0080
    
  14. So the DEBUG script to read this starting sector of the Extended DOS Partition would then be:

    mov ax, 201
    mov bx, 100
    mov cx, 4D01
    mov dx, 80
    int 13
    int 3
    
  15. Start DEBUG's assembly language interpreter at offset 300 and enter this code, then execute it. Once executed, display the top half of the sector on screen; it will be all zeros. Then display the bottom half of the sector on screen. It does not contain much, but notice the values starting at offset 2BEh on screen and the "55 AA" at the end of the sector. Copy out the raw partition tables to worksheets. Based on the partitions created during the preparation portion of this module on the HDD used in class, they should look like this:

    Partition Table #1 (at offset 1BEh of the EMBR)

    Offset Value
    00h 00
    01h 01
    02h 01
    03h 4D
    04h 06
    05h FE
    06h 3F
    07h 6C
    08h 00 00 00 3F
    0Ch 00 07 D7 E1

    Partition Table #2 (at offset 1CEh of the EMBR)

    Offset Value
    00h 00
    01h 00
    02h 01
    03h 6D
    04h 05
    05h FE
    06h 3F
    07h AC
    08h 00 07 D8 20
    0Ch 00 0F B0 40

  16. This EMBR contains two partition tables of its own. One describes a type 06 MS FAT16B partition and the other is another MS Extended DOS Partition. The first sector of the type 06 will be a DBR, and the first sector of the type 05 will be another EMBR. The type 06 partition described in the first partition table of this EMBR is the first logical drive within the Extended DOS Partition which FDISK created on this drive. It is the D: Drive. The following illustration shows the situation so far: the MBR contains two partition tables; the first points to the starting sector of a type 06, which is a DBR, and the second points to the starting sector of a type 05, which is an EMBR. That EMBR contains two partition tables; the first points to the starting sector of a type 06, which is a DBR, and the second points to the starting sector of a type 05, which is an EMBR. That EMBR should contain at least one partition table pointing to the starting sector of a type 06, a DBR:

  17. The logical drives are then type 06 partitions (or any other "formattable" partition type) defined in an EMBR. The EMBR then contains one other entry leading to the next EMBR where the next logical drive would be defined. Thus the MBR points to the first EMBR in a chain of them each defining one logical drive along the way. This is obviously not the way these structures are presented to the user by FDISK, but this is what FDISK builds on the physical disk when it is exited properly by the user.

  18. The analysis of the first of the two partition tables found in the EMBR just transcribed yields the following information:

    Offset  Value        Meaning
    00h     00           Not an active (bootable) partition
    01h     01           Start Sector Coordinates: C = 77, H = 1, S = 1
    02h     01
    03h     4D
    04h     06           MS FAT16 "B" (cluster support)
    05h     FE           End Sector Coordinates: C = 108, H = 254, S = 63
    06h     3F
    07h     6C
    08h     00 00 00 3F  Start Sector LBA Offset = 63
    0Ch     00 07 D7 E1  Partition Size: Sectors = 514,017 x 512 = 263,176,704 bytes

  19. It can be seen why the field at offset 08h of a partition table is referred to as the "LBA offset to the starting sector" rather than the "LBA Address of the starting sector". It is the distance from this EMBR sector to it, not its raw LBA address. If the LBA address of the EMBR is known, which it is from the MBR partition table data, then the true LBA address of the starting sector of any partition defined within the EMBR can be calculated by the following:

    EMBRLBA + SSofs = SSLBA
    Where:
    EMBRLBA = the true LBA address of the EMBR,
    SSofs = Start Sector's offset, value from its ptable field at offset 08,
    SSLBA = Start Sector's true LBA address
    
  20. This EMBR's LBA address was given as the offset of the starting sector of the type 05 partition in the MBR (field at offset 08h of the second partition table). That value plus the field at offset 08h of the type 06 partition listed in this EMBR will give the LBA address of the DBR of the logical drive:

    EMBRLBA + SSofs = SSLBA
    Where:
    EMBRLBA = 1,237,005 
    SSofs = 63
    Therefore:
    1,237,005 + 63 = 1,237,068
    
  21. Applying the LBA-to-CHS formula reveals:

    LBA / (TH x TS) = C, remainder R1
    
    R1 / TS = H, remainder R2
    
    R2 + 1 = S
    
    Therefore (given the BIOS translations have assigned Total Heads = 255, Sectors = 63):
    1,237,068 / (255 x 63) = C:77, R1 = 63
    
    63 / 63 = H:1, R2 = 0
    
    0 + 1 = S:1
    
    
  22. This confirms the values of the fields at offset 01, 02, and 03 of the partition table listing this sector's CHS at C = 77, H = 1, S = 1. Create the assembly code to read this sector into DEBUG workspace RAM. Execute the code and display the top of the sector on screen verifying that it is a DBR. (Second field should read "MSDOS5.0"):

    Assembly code to read the logical drive's DBR
    mov ax, 201
    mov bx, 100
    mov cx, 4D01
    mov dx, 180
    int 13
    int 3
    
  23. A simple analysis of the second partition table reveals:

    Offset  Value        Meaning
    00h     00           Not an active (bootable) partition
    01h     00           Start Sector Coordinates: C = 109, H = 0, S = 1
    02h     01
    03h     6D
    04h     05           MS Extended DOS Partition
    05h     FE           End Sector Coordinates: C = 172, H = 254, S = 63
    06h     3F
    07h     AC
    08h     00 07 D8 20  Start Sector LBA Offset = 514,080
    0Ch     00 0F B0 40  Partition Size: Sectors = 1,028,160 x 512 = 526,417,920 bytes

  24. Develop the assembly code to load the starting sector of this type 05 partition into the DEBUG workspace RAM. Since it is another type 05, this sector will be another EMBR. Execute the code and display the top and bottom halves of the sector on screen, confirming that another EMBR has been found. The first EMBR described the D: drive and pointed to this second EMBR, which describes the E: drive (type 06 partition table entry):

    Assembly code to read the second EMBR (use fields at offsets 01, 02, 03)
    mov ax, 201
    mov bx, 100
    mov cx, 6D01
    mov dx, 80
    int 13
    int 3
    
  25. Based on the type 06 partition table information found in the second EMBR, load the first sector of the E: drive into RAM and display it on screen. What type of sector was expected? (FAT16B DBR) Was this confirmed when it was displayed?

  26. In the next exercise, the first real world data recovery operation on a hard drive will be performed, in which the MBR will be destroyed and these two logical drives will be recovered whole and intact.
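
The chain traversal carried out by hand in the steps above, as an added Python example (not part of the original lab or its materials): it decodes each 16-byte table entry, unpacks the CHS fields, follows type 05 entries from EMBR to EMBR, and reports each partition's true LBA address with a CHS cross-check. The `DISK` sectors are constructed from the tables on this page. Two things are assumptions: the second EMBR's contents, which the page does not list, and the rule (standard for this layout but not stated above) that a type 05 offset inside an EMBR is measured from the first EMBR.

```python
import struct
HEADS, SPT = 255, 63  # BIOS geometry the page assumes (TH, TS)

def chs_lba(head, sec, cyl):
    """Packed CHS -> LBA; top two bits of the sector byte are cylinder bits 8-9."""
    c, s = ((sec & 0xC0) << 2) | cyl, sec & 0x3F
    return c * HEADS * SPT + head * SPT + (s - 1)

def entries(sector):
    """Yield (type, chs_start, chs_end, offset, size) for each used table slot."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA signature")
    for pos in range(0x1BE, 0x1FE, 16):
        _, sh, ss, sc, typ, eh, es, ec, ofs, size = struct.unpack_from("<8B2I", sector, pos)
        if typ:
            yield typ, chs_lba(sh, ss, sc), chs_lba(eh, es, ec), ofs, size

def walk(read_sector):
    """Return (type, start LBA, sectors, CHS agrees with LBA) per partition."""
    found, seen, ext_base, table_lba = [], set(), None, 0
    while table_lba is not None:
        if table_lba in seen:  # malformed chain pointing back at itself
            raise ValueError("EMBR chain loops")
        seen.add(table_lba)
        nxt = None
        for typ, cs, ce, ofs, size in entries(read_sector(table_lba)):
            if typ == 0x05:
                # Assumption (not on the page): a type 05 offset inside an EMBR
                # counts from the first EMBR; in the MBR it counts from sector 0.
                nxt = (ext_base or 0) + ofs
                ext_base = ext_base or nxt
            else:
                start = table_lba + ofs  # EMBRLBA + SSofs = SSLBA
                found.append((typ, start, size, cs == start and ce - cs + 1 == size))
        table_lba = nxt
    return found

def make_sector(*slots):
    """Build a table sector; on disk the 32-bit fields are little-endian."""
    buf = bytearray(510) + b"\x55\xAA"
    for i, (first8, ofs, size) in enumerate(slots):
        buf[0x1BE + 16 * i:0x1CE + 16 * i] = bytes.fromhex(first8) + struct.pack("<2I", ofs, size)
    return bytes(buf)

# Constructed disk from the page's tables; the second EMBR (E: drive) is assumed.
DISK = {0: make_sector(("8001010006FE3F4C", 63, 1236942), ("0000014D05FEFFFF", 1237005, 15213555)),
        1237005: make_sector(("0001014D06FE3F6C", 63, 514017), ("0000016D05FE3FAC", 514080, 1028160)),
        1751085: make_sector(("0001016D06FE3FAC", 63, 1028097))}
PARTITIONS = walk(DISK.__getitem__)  # C:, D: and E: with their true start LBAs
```

The last element of each tuple is false when the CHS fields and the LBA fields disagree, which is worth checking before trusting either set of values on a damaged disk.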


Copyright © 2000-2006 Brian Robinson ALL RIGHTS RESERVED