Master Boot Record
The Master Boot Record (MBR) is located at the physical beginning of the hard drive (Head 0 Cylinder 0 Sector 1) and can be edited with a hex editor. It consists of the master bootstrap loader code (446 bytes) followed by four identically structured partition records. Finally, the hexadecimal signature 55AA completes a valid MBR.
Address        Content
0000H-00D9H    Master bootstrap loader
00DAH-01BDH    Reserved
01BEH-01CDH    Partition 1
01CEH-01DDH    Partition 2
01DEH-01EDH    Partition 3
01EEH-01FDH    Partition 4
01FEH-01FFH    55AAH

The format of a partition record is as follows:

Offset  Size    Description
0       8-bit   A value of 80 designates an active partition
1       8-bit   Partition start head
2       8-bit   Partition start sector (bits 0-5)
3       8-bit   Partition start track (total length is 10 bits; bit 9 and bit 8 are located in bit 7 and bit 6 in the start sector bits)*
4       8-bit   Operating system indicator
5       8-bit   Partition end head
6       8-bit   Partition end sector (bits 0-5)
7       8-bit   Partition end track (total length is 10 bits; bit 9 and bit 8 are located in bit 7 and bit 6 in the start sector bits)
8       32-bit  Sectors preceding partition
C       32-bit  Length of partition in sectors

* If 02H is X and 03H is Y, the total track number = (X>>6)*16^2 + Y
Operating system indicators: (hexadecimal, incomplete list)
00  Empty partition-table entry
01  DOS FAT12
04  DOS FAT16 (up to 32 MB)
05  DOS 3.3+ extended partition
06  DOS 3.31+ FAT16 (over 32 MB)
07  OS/2 HPFS, Windows NT NTFS, Advanced Unix
08  OS/2 v1.0-1.3, AIX bootable partition, SplitDrive
09  AIX data partition
0A  OS/2 Boot Manager
0B  Windows 95+ FAT32
0C  Windows 95+ FAT32 (using LBA-mode INT 13 extensions)
0E  DOS FAT16 (over 32 MB, using INT 13 extensions)
0F  Extended partition (using INT 13 extensions)
17  Hidden NTFS partition
1B  Hidden Windows 95 FAT32 partition
1C  Hidden Windows 95 FAT32 partition (using LBA-mode INT 13 extensions)
1E  Hidden LBA VFAT partition
42  Dynamic disk volume
50  OnTrack Disk Manager, read-only partition
51  OnTrack Disk Manager, read/write partition
81  Linux
82  Linux Swap partition, Solaris (Unix)
83  Linux native file system (ext2fs/xiafs)
85  Linux EXT
86  FAT16 volume/stripe set (Windows NT)
87  HPFS fault-tolerant mirrored partition, NTFS volume/stripe set
BE  Solaris boot partition
C0  DR-DOS/Novell DOS secured partition
C6  Corrupted FAT16 volume/stripe set (Windows NT)
C7  Corrupted NTFS volume/stripe set
F2  DOS 3.3+ secondary partition
For example: there are 2 primary NTFS partitions, and the second one is active. There are also seven extended partitions; the fifth one is NTFS while the others are FAT32. The MBR of this drive will be shown as:
Analysis of MBR
Master bootstrap loader code 33 C0 8E D0 BC 00 7C FB …
01BEH-01CDH is the partition record of Partition 1. This is not an active partition. It starts from Head 1 Cylinder 70 Sector 1. The OS is HPFS, Windows NT NTFS, Advanced UNIX.

01CEH-01DDH is the partition record of Partition 2. This is an active partition. It starts from Head 1 Cylinder 340 Sector 1. The OS is HPFS, Windows NT NTFS, Advanced UNIX.

01DEH-01EDH is the partition record of Partition 3. This is not an active partition. The operating system indicator of 0F indicates that this is an Extended Partition (using INT 13 extension). The Extended Partition Record starts from Head 0 Cylinder 435 Sector 1.
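
The decoding walked through in the analysis above, as an added Python example that is not part of the original slides: it checks the 55AA signature and decodes the four partition records with the offsets from the partition record table. The sample sector is constructed: start CHS, type and active flag follow the example drive, while the sectors-preceding and length values and the zeroed end-CHS bytes are assumptions.

```python
import struct

TABLE_OFFSET = 0x1BE       # 01BEH: first partition record
SIGNATURE_OFFSET = 0x1FE   # 01FEH: 55AA signature
RECORD_SIZE = 16

def parse_record(rec):
    """Decode one 16-byte partition record (end CHS, offsets 5-7, is skipped)."""
    flag, head, sec, cyl, os_type, lba, length = struct.unpack("<5B3x2I", rec)
    return {
        "active": flag == 0x80,
        "head": head,
        "sector": sec & 0x3F,                 # bits 0-5 of offset 2
        "cylinder": ((sec >> 6) << 8) | cyl,  # (X>>6)*16^2 + Y
        "type": os_type,
        "sectors_preceding": lba,
        "length": length,
    }

def parse_mbr(sector):
    """Return the four partition records; reject a sector without 55AA."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 55AA signature")
    return [parse_record(sector[off:off + RECORD_SIZE])
            for off in range(TABLE_OFFSET, SIGNATURE_OFFSET, RECORD_SIZE)]

# Constructed sample sector. Start CHS, type and active flag follow the
# example analysed above; LBA/length values are made up, end CHS is zeroed.
SAMPLE_RECORDS = bytes.fromhex(
    "00 01 01 46 07 00 00 00 05 29 11 00 4F 2F 42 00 "  # Partition 1
    "80 01 41 54 07 00 00 00 93 58 53 00 60 49 17 00 "  # Partition 2
    "00 00 41 B3 0F 00 00 00 F3 A1 6A 00 00 00 80 00 "  # Partition 3
) + bytes(16)                                           # Partition 4 (empty)
SAMPLE_MBR = (bytes.fromhex("33 C0 8E D0 BC 00 7C FB").ljust(446, b"\x00")
              + SAMPLE_RECORDS + b"\x55\xaa")

if __name__ == "__main__":
    for number, part in enumerate(parse_mbr(SAMPLE_MBR), start=1):
        chs = (part["head"], part["cylinder"], part["sector"])
        print(f"Partition {number}: active={part['active']} "
              f"type={part['type']:02X} start H/C/S={chs} "
              f"sectors_preceding={part['sectors_preceding']}")
```

Cylinders 340 and 435 exceed 255, so they only decode correctly when bits 6 and 7 of the sector byte are folded in as bits 8 and 9 of the track number.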
The content of the Extended Partition Table at Head 0 Cylinder 435 Sector 1 is shown below; its structure is the same as that of the main partition table in the MBR.
The 4th partition record is empty.
55AAH is the ending signature of the MBR.
There will be another 6 Extended Partition Tables, each with the same structure as the one shown above.
Analysis of Extended Partition Table
The 1st extended partition starts from Head 1 Cylinder 435 Sector 1. The OS is Windows 95+ FAT32.

The operating system indicator indicates a DOS extended partition. It points to the next Extended Partition Table, which is located at Head 0 Cylinder 777 Sector 1.
Partition table entry #3 00
Partition table entry #4 00