Read the MBR with DEBUG

Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Objectives:
The student will become familiar with:
use the BIOS INT 13h Interface to read the HDD's MBR
the MBR layout,
a partition table layout.
Competency:
The student will learn how to use the BIOS INT 13h interface for the purposes of data recovery including the definitions of the passed parameters to the call and how to read and write a physical sector using DEBUG to execute the INT 13h call.

    Preparation

  1. Boot to the student CD-ROM and GHOST in DOS. Accept the size offered (2GB) and restart the machine when prompted. As it reboots remove the CD-ROM. The system will boot to true MS-DOS 6.22. At the C:\> prompt start DEBUG and proceed with the following exercise.

    2. Procedures

  2. The DEBUG LOAD command only reads COOKED sectors as opposed to RAW sectors. In our language a RAW sector is read AS IS by BIOS off of the disk. A COOKED sector is located and retrieved or written using the drive's file system. In the event that the drive's file system has been compromised then it is impossible to access COOKED sectors. They must be accessed RAW, directly by their geometric coordinate.

  3. The HDD's Master Boot Record resides outside of the partitions it defines and as such it cannot be located within any particularly drive letter and does not have a file system logical offset. It is by definition then a pure RAW sector and cannot be accessed ever by the DEBUG LOAD command. It will now be accessed using the BIOS INT 13h call.

  4. The MBR is ALWAYS located at Cyl=0, Head=0, Sector=1 of the physical disk. In this exercise, the MBR of the first physical HDD will accessed, which is BIOS drive # 80h. Therefore the required parameters are:

    AH = 02, AL = 01 so AX = 0201
BX = 0100
CH = 00, CL = 01 so CX = 0001
DH = 00, DL = 80 so DX = 0080

  5. The assembly language instructions are then:

    mov ax, 0201 then drop the leading zeros: mov ax, 201
mov bx, 0100 => mov bx, 100
mov cx, 0001 => mov cx, 1
mov dx, 0080 => mov dx, 80

  6. Now start DEBUG's assembly language processor at offset 300h and input the program:

    -a 300
242C:0300 mov ax, 201
242C:0303 mov bx, 100
242C:0306 mov cx, 1
242C:0309 mov dx, 80
242C:030C int 13
242C:030E int 3
242C:030F (press [Enter] here to exit the assembler)
-_

  7. Execute the program with the "g=300" command and watch for the "No Carry" flag indicator:

    -g=300
AX=0001  BX=0100  CX=0001  DX=0080  SP=FFEE  BP=0000  SI=0000  DI=0000  
DS=242C  ES=242C  SS=242C  CS=242C  IP=030E   NV UP EI PL ZR NA PE NC 
242C:030E CC            INT	3                                  
-_

  8. The INT 13h call read the MBR into RAM. Display the top half of it on screen:

    -d 100 1ff
242C:0100  FA 33 C0 8E D0 BC 00 7C-8B F4 50 07 50 1F FB FC   .3.....|..P.P...
242C:0110  BF 00 06 B9 00 01 F2 A5-EA 1D 06 00 00 BE BE 07   ................
242C:0120  B3 04 80 3C 80 74 0E 80-3C 00 75 1C 83 C6 10 FE   ...<.t..<.u.....
242C:0130  CB 75 EF CD 18 8B 14 8B-4C 02 8B EE 83 C6 10 FE   .u......L.......
242C:0140  CB 74 1A 80 3C 00 74 F4-BE 8B 06 AC 3C 00 74 0B   .t..<.t.....<.t.
242C:0150  56 BB 07 00 B4 0E CD 10-5E EB F0 EB FE BF 05 00   V.......^.......
242C:0160  BB 00 7C B8 01 02 57 CD-13 5F 73 0C 33 C0 CD 13   ..|...W.._s.3...
242C:0170  4F 75 ED BE A3 06 EB D3-BE C2 06 BF FE 7D 81 3D   Ou...........}.=
242C:0180  55 AA 75 C7 8B F5 EA 00-7C 00 00 49 6E 76 61 6C   U.u.....|..Inval
242C:0190  69 64 20 70 61 72 74 69-74 69 6F 6E 20 74 61 62   id partition tab
242C:01A0  6C 65 00 45 72 72 6F 72-20 6C 6F 61 64 69 6E 67   le.Error loading
242C:01B0  20 6F 70 65 72 61 74 69-6E 67 20 73 79 73 74 65    operating syste
242C:01C0  6D 00 4D 69 73 73 69 6E-67 20 6F 70 65 72 61 74   m.Missing operat
242C:01D0  69 6E 67 20 73 79 73 74-65 6D 00 00 81 31 57 12   ing system...1W.
242C:01E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:01F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
-_

  9. The error messages that it can display are visible. The 1st stage OS boot strap loader program code is above them. Now display the bottom half of the sector:

    -d 200 2ff
242C:0200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ................
242C:02C0  01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00   ......?.....?...
242C:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-_

  10. The bottom of the sector is very sparse BUT the values that are here are CRITICAL, the primary DOS partition is defined here, and the sector ends in the boot signature of 55 AA. Without that, the BIOS boot strap loader will ignore the sector as invalid and the system will not boot up at all from the HDD. The layout of the MBR is:

    Offset Size Field
    00h 420 bytes 1st stage OS boot strap loader
    1BEh 16 bytes 1st partition table
    1CEh 16 bytes 2nd partition table
    1DEh 16 bytes 3rd partition table
    1EEh 16 bytes 4th partition table
    1FEh 2 bytes boot signature (55 AA)

  11. With the bottom half of the MBR still on screen locate the byte at offset 1BEh of the sector. NOTE: these offsets are ZERO based, but the sector was loaded into DEBUG's RAM workspace which starts at offset 100h. So the byte is actually located at offset 2BEh of the DEBUG RAM workspace. First locate the row that starts with offset 2B0h. Then the first byte is 2B0h, then the byte after the dash is eight so its address is 2B8h, continue counting 2B9, 2BA, 2BB, 2BC, 2BD then 2BE. This is the first byte of the first partition table:

    -d 200 2ff
242C:0200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ................
242C:02C0  01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00   ......?.....?...
242C:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-_

  12. The partition table itself is sixteen bytes long, so it occupies the highlighted bytes:

    -d 200 2ff
242C:0200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ................
242C:02C0  01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00   ......?.....?...
242C:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-_

  13. The 2nd partition table starts at offset 1CEh of the sector. Add 100h and it can be found at offset 2CEh of the DEBUG output. Find the row that starts with 2C0h, the byte after the dash is 2C8, then 2C9, 2CA, 2CB, 2CC, 2CD, and then 2CE, the byte we seek:

    -d 200 2ff
242C:0200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ................
242C:02C0  01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00   ......?.....?...
242C:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-_

  14. The 2nd partition table is also 16 bytes in size occupying the highlighted bytes:

    -d 200 2ff
242C:0200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ................
242C:02C0  01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00   ......?.....?...
242C:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-_

  15. Locate the start and then the full 16 bytes occupied by the 3rd and 4th partition tables of this MBR. NOTE: the 2nd 3rd and 4th partitions on this drive are empty (all zeros).

  16. Locate the byte located at offset 1FEh of the sector (2FEh within the DEBUG RAM workspace.) This is the first byte of the boot signature field which is two bytes long and MUST contain the values 55h and AAh:

    -d 200 2ff
242C:0200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ................
242C:02C0  01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00   ......?.....?...
242C:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-_

  17. The layout of a partition table is an industrywide BIOS standard as follows:

    Offset Size Field
    00h 1 byte Active flag: 80h = active, 00h = not active
    01h 1 byte start sector's head#
    02h 1 byte Start sector's sector#
    03h 1 byte start sector's cylinder#
    04h 1 byte Partition ID (See below)
    05h 1 byte end sector's head#
    06h 1 byte end sector's sector#
    07h 1 byte end sector's cylinder#
    08h 4 bytes start sector's LBA offset from this MBR
    0Ch 4 bytes partition size in number of sectors

  18. Some basic partition ID's are:

    PID Means
    00h No partition
    01h Microsoft FAT12
    04h Microsoft FAT16 (no clusters, max. partition = 32MB)
    05h Microsoft Extended DOS Partition
    06h Microsoft FAT16B (cluster support, max. partition = 2GB)
    07h Originally IBM OS/2 HPFS, now Microsoft NTFS
    0Bh Microsoft FAT32 no INT 13h Extensions support (CHS)
    0Ch Microsoft FAT32 with INT 13h Extensions support (LBA)
    0Eh Microsoft FAT16 with INT 13h Extensions support (LBA)
    0Fh Microsoft Extended DOS Partition with INT 13h Extensions support (LBA)

  19. There are MANY more definitions for PID's than these. You should look them up online and collect as many as you can for future reference. All types that we will be working with this semester will be within this list. Locate the first partition table again:

    -d 200 2ff
242C:0200  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0210  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0220  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0230  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0240  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0250  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0260  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0270  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0280  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:0290  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01   ................
242C:02C0  01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00   ......?.....?...
242C:02D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
242C:02F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA   ..............U.
-_

  20. The first byte of it is the byte that in the partition table layout table refers to as the byte at offset 00h. It is the field at offset 00h OF THIS PARTITION TABLE. Create on a sheet of paper an empty partition table layout table like this:

    Offset Size Value
    00h 1 byte  
    01h 1 byte  
    02h 1 byte  
    03h 1 byte  
    04h 1 byte  
    05h 1 byte  
    06h 1 byte  
    07h 1 byte  
    08h 4 bytes  
    0Ch 4 bytes  

  21. Now fill in the boxes with the values found in each field of the partition table:

    Offset Size Value
    00h 1 byte 80
    01h 1 byte 01
    02h 1 byte 01
    03h 1 byte 00
    04h 1 byte 06
    05h 1 byte FE
    06h 1 byte 7F
    07h 1 byte 04
    08h 4 bytes 3F 00 00 00
    0Ch 4 bytes 86 FA 3F 00

  22. Now an analysis of this partition table can begin. According to the definitions of the fields above the value of the byte at offset 00h of 80h indicates that the partition is set active and therefore the system will boot from the partition. The byte at offset 01h holds the start sector's head#, at 02h holds the sector# and at offset 03h holds the cylinder#. Together they hold the start sector's geometric coordinate or CHS address of: Cyl=0, Head=1, Sector=1. The byte at offset 04h holds the partition ID. These are accepted somewhat industrywide. The value of 06h means Microsoft FAT 16B, the one that supports clusters and partitions up to 2GB in size.

  23. The value at offset 05h is the end sector's head#, at offset 06 is its sector# and at 07 is its cylinder#. The geometric coordinate of the ending sector of the partition is then: Cyl=04, Head=FE, Sector=7F. However, the high 2 bits of the 10 bit cylinder number are stored as the high 2 bits of the sector number. This leads to madness, but that's the way they did it 24 years ago. It is the BIOS standard and far be it from us to change it now, though screams of agony are acceptable.

  24. First, convert the sector number to binary: 7Fh =b=> 0111 1111b. Take the top two bits off leaving xx11 1111b and convert back to hexadecimal =h=> 3Fh or 63. Now convert the removed 2 bits back to hex also: 01b =h=> 1h and place this to the far left of the cylinder number. 1h merged with 04h = 104h. This is the actual cylinder number. So the geometric coordinate is actually: Cyl=104h, head=FEh, Sector=3Fh.

  25. The value that starts at offset 08h is a four byte value: 3F 00 00 00. Because the CPU is a little endian machine these must be byte reversed to reveal the actual 32-bit number: 3F 00 00 00 =x=> 00 00 00 3Fh. NOTE: BYTE reversed NOT hex digit reversed. This number is 63 and is the LBA address of the starting sector if the partition table is found in the hard drive's MBR. It is the DISTANCE to the starting sector if the partition table is found in any other location (which do exist and will be dealt with in the future.)

  26. The value that starts at offset 0Ch is a four byte value: 86 FA 3F 00. Because the CPU is a little endian machine these must be byte reversed to reveal the actual 32-bit number: 86 FA 3F 00 =x=> 00 3F FA 86h. NOTE: BYTE reversed NOT hex digit reversed. This number is 4,192,902 and indicates that the partition is this many sectors in size.

  27. In future lessons, deeper analysis will be performed in which many of these values can be manually verified for accuracy.

Back to Page Top

Copyright©2000-2006 Brian Robinson ALL RIGHTS RESERVED