Working complete PC
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
The student will become familiar with:
using the formula to verify the MBR partition table(s),
using the formulas to calculate the positions of file system sectors,
using the formulas to calculate the sizes of file system structures.
The student will learn how to use the CHS-to-LBA sector coordinate conversion formulas for the purposes of data recovery. This includes calculating the positions of the key sectors listed within the partition table in order to verify it, locating and loading key sectors into DEBUG, and calculating the sizes of key structures including the FATs and the root directory.
Boot to the student CD-ROM and GHOST in DOS. Accept the size offered (2GB) and restart the machine when prompted. Reboot to the CD-ROM a second time. Change into the Q:\DISKS directory and create a DOS 6.22 version bootable diskette with the command: "LOADDSKF 3C90XCLI.DSK B:" Remember that the physical diskette drive has been assigned drive letter B: by the bootable CD-ROM. The diskette being restored here is a DOS Client for a Novell bindery (NetWare 3.12) server used in NET2. It is, however, a bootable DOS 6.22 diskette with many commands included, particularly DEBUG.EXE.
Change to the Q:\BIN directory and copy XMSDSK.EXE to the floppy. Copy DEVICE.COM to the floppy. Change to the floppy and rename the file CONFIG.SYS to CONFIG.OLD to prevent its execution. Remove the student CD-ROM and reboot to the floppy.
Launch HIMEM.SYS manually using the DEVICE.COM command like this: "DEVICE HIMEM.SYS /V" DEVICE.COM is software that is not a part of DOS. It will NOT capitalize automatically like DOS will, so be SURE that any switches sent to drivers are capitalized at the command line.
Launch the RAM drive like this: "XMSDSK 8192 D: /Y /T" This sets up an 8MB RAM drive at the top of RAM and assigns it drive letter D.
Change to the D: drive and set the path to the floppy: "path=A:\" Now launch DEBUG and proceed with the exercise below.
The DEBUG LOAD command only reads COOKED sectors as opposed to RAW sectors. In our language a RAW sector is read AS IS by BIOS off of the disk. A COOKED sector is located and retrieved or written using the drive's file system. In the event that the drive's file system has been compromised then it is impossible to access COOKED sectors. They must be accessed RAW, directly by their geometric coordinate.
The basic INT 13h interface that we use in DEBUG requires the CHS geometric coordinate for the sector being read. The LBA calls to the INT 13h interface are far too complex to be implemented from simple DEBUG scripts and too impractical for us to use. Because of this, two questions immediately arise: How can LBA addresses be converted to CHS (and vice versa)? And how can sectors be read that are beyond the CHS coordinate limits?
The formulas for converting from CHS to LBA and from LBA to CHS will be examined in this exercise. To answer the second question simply: it can't be done in DEBUG. (Don't worry we have another tool that CAN access them.)
CHS-to-LBA Formula

(C x TH x TS) + (H x TS) + (S - 1) = LBA

Where:
C = the sector's Cylinder#
TH = the Total Heads of the hard drive according to the BIOS translation in effect
TS = the Total Sectors/Track of the hard drive
H = the sector's Head#
S = the sector's Sector#
First load the hard drive's MBR into DEBUG's RAM workspace using the procedures developed in the Read the MBR with DEBUG module. This module also describes where the partition tables are located within the MBR and the layout of the partition tables. Display the bottom half of the MBR on screen and locate the first partition table:
-d 100 1ff
242C:0200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ................
242C:02C0  01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00   ......?.....?...
242C:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-_
Chart the fields of the partition table as discussed in the Read the MBR with DEBUG module:
| 08h | 4 bytes | 3F 00 00 00 |
| 0Ch | 4 bytes | 86 FA 3F 00 |
As before, an analysis of this partition table can begin. This will, however, be a deeper analysis in which the accuracy and therefore reliability of the partition table can be determined. The value 80h in the byte at offset 00h indicates that the partition is set active and therefore the system would attempt to boot from the partition. The byte at offset 01h holds the start sector's head#, the byte at 02h holds the sector# and the byte at offset 03h holds the cylinder#. Together they hold the start sector's geometric coordinate or CHS address of: Cyl=0, Head=1, Sector=1. The byte at offset 04h holds the partition ID. These are accepted somewhat industrywide. The value of 06h means Microsoft FAT 16B, the one that supports clusters and partitions up to 2GB in size.
The value at offset 05h is the end sector's head#, at offset 06h is its sector# and at 07h is its cylinder#. The geometric coordinate of the ending sector of the partition is then: Cyl=04, Head=FE, Sector=7F. However, the high 2 bits of the 10 bit cylinder number are stored as the high 2 bits of the sector number. This byte must be converted into binary in order to strip the two top bits off, append them to the cylinder number and also discover the true sector number.
First, convert the sector number to binary: 7Fh =b=> 0111 1111b. Take the top two bits off leaving xx11 1111b and convert back to hexadecimal =h=> 3Fh or 63. This is the true sector number for the end sector's CHS coordinate. Now convert the removed 2 bits back to hex also: 01b =h=> 1h and place this to the far left of the cylinder number. 1h merged with 04h = 104h. This is the actual cylinder number of the end sector's coordinate. So the geometric coordinate is actually: Cyl=104h, Head=FEh, Sector=3Fh.
The value that starts at offset 08h is a four byte value: 3F 00 00 00. Because the CPU is a little endian machine these must be byte reversed to reveal the actual 32-bit number: 3F 00 00 00 =x=> 00 00 00 3Fh. NOTE: BYTE reversed NOT hex digit reversed. This number is 63 and is the LBA address of the starting sector if the partition table is found in the hard drive's MBR. It is the DISTANCE to the starting sector if the partition table is found in any other location (which do exist and will be dealt with in the future.)
Armed with the CHS-to-LBA conversion formula this can now be directly verified. Given that the HDD has a geometry of C=1024, H=255, S=63 use these numbers for the TH and TS variables. The geometric coordinate of the sector is C=0, H=1, S=1 so substitute these into the formula for the C, H, and S variables:
CHS-to-LBA Formula

(C x TH x TS) + (H x TS) + (S - 1) = LBA

Substituting the provided values:

(0 x 255 x 63) + (1 x 63) + (1 - 1) = LBA
(0) + (63) + (0) = LBA
63 = LBA (address of the sector)
The value that starts at offset 0Ch is a four byte value: 86 FA 3F 00. Because the CPU is a little endian machine these must be byte reversed to reveal the actual 32-bit number: 86 FA 3F 00 =x=> 00 3F FA 86h. NOTE: BYTE reversed NOT hex digit reversed. This number is 4,192,902 and indicates that the partition is this many sectors in size.
The partition's size can be calculated directly as the LBA address of the ending sector minus the LBA address of the starting sector, plus 1:
Any Multisector Structure's Size is given by the general formula:

S = (EndSecLBA - StartSecLBA) + 1

where:
S = Structure size in sectors
EndSecLBA = the End Sector's LBA address
StartSecLBA = the Start Sector's LBA address

Therefore first calculate the End Sector's LBA using the CHS-to-LBA formula:

(C x TH x TS) + (H x TS) + (S - 1) = LBA

so:

(260 x 255 x 63) + (254 x 63) + (63 - 1) = LBA
(4176900) + (16002) + (62) = LBA
4,192,964 = LBA

Now use this in the StrucSize formula:

S = (4192964 - 63) + 1
S = 4,192,902
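The whole verification above can also be scripted. The following is an added example, not part of the original exercise: it decodes the 16 partition table bytes from the dump, unpacks the cylinder bits from the sector byte, and checks the start LBA and size fields against the CHS-to-LBA formula. The function names are assumptions of this example, and lba_to_chs is the inverse conversion, which goes beyond what this section shows.

```python
import struct

# Partition entry bytes copied from the DEBUG dump above (02BEh-02CDh).
ENTRY = bytes.fromhex("80 01 01 00 06 FE 7F 04 3F 00 00 00 86 FA 3F 00")
TH, TS = 255, 63  # Total Heads and Total Sectors/Track used in the exercise

def unpack_chs(head, sec_byte, cyl_byte):
    """Move the top 2 bits of the sector byte onto the cylinder number."""
    return ((sec_byte & 0xC0) << 2) | cyl_byte, head, sec_byte & 0x3F

def chs_to_lba(c, h, s, th=TH, ts=TS):
    return (c * th * ts) + (h * ts) + (s - 1)

def lba_to_chs(lba, th=TH, ts=TS):
    """Inverse conversion (added in this example, not given in this section)."""
    c, rem = divmod(lba, th * ts)
    h, s0 = divmod(rem, ts)
    return c, h, s0 + 1

def verify_entry(entry, th=TH, ts=TS):
    """Decode one 16-byte entry; 'problems' is empty when it is self-consistent."""
    (boot, sh, ss, sc, ptype, eh, es, ec,
     start_lba, size) = struct.unpack("<8B2I", entry)  # little endian fields
    start, end = unpack_chs(sh, ss, sc), unpack_chs(eh, es, ec)
    problems = []
    if boot not in (0x00, 0x80):
        problems.append("boot flag is neither 00h nor 80h")
    if start[2] == 0 or end[2] == 0:
        problems.append("sector number 0 is not a valid CHS sector")
    if chs_to_lba(*start, th, ts) != start_lba:
        problems.append("start CHS does not match the LBA field at 08h")
    end_lba = chs_to_lba(*end, th, ts)
    if (end_lba - start_lba) + 1 != size:
        problems.append("size at 0Ch does not equal (End - Start) + 1")
    return {"type": ptype, "start": start, "end": end, "start_lba": start_lba,
            "end_lba": end_lba, "size": size, "problems": problems}

if __name__ == "__main__":
    print(verify_entry(ENTRY))
    # Constructed damage: overwrite the size field and re-check.
    damaged = ENTRY[:12] + struct.pack("<I", 0x00400000)
    print(verify_entry(damaged)["problems"])
```

An empty problems list means the CHS and LBA fields of the entry agree with each other under the given geometry; it does not prove the entry points at a valid file system.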
Copyright © 2000-2006 Brian Robinson ALL RIGHTS RESERVED