The Starman and Ray Knights disassembled various MBRs from ancient PC DOS to current Windows 7 versions, also covering LILO and GRUB MBRs. The code used by TestDisk, when you are forced to fix a broken MBR, is a variant of the source published by Neil Turton. The TestDisk variant tries to load the VBR for the active partition, and if that doesn't work the user can pick 1234A to load the VBR of partition 1…4 or floppy drive A:. The original code has a timeout during which the user can select 1234A, and in that variant the active partition is only the default.
A very simple MBR for the old INT 13h CHS interface is distributed with parted. MBR CHS addressing works only for partitions starting in cylinder 0…1023 for any geometry, or in logical sector number (LBA) 0…16515070 in a (virtual) 1024×256×63 geometry. Some interesting details found in these MBRs and related sources:
- All MBRs first define stack, data and extra segments, and then allow interrupts. On entry SS:SP can be 0000:0400h at the end of the interrupt vector table, and picking something better is a good plan. The new MBR code in rexxfat.rex simply uses 0000:0000h as stack top, i.e., the top of segment 0000h.
- The entry address for both MBRs and VBRs is 0000:7C00h. To load any VBR at this address the MBR needs to move its own code and data to another address. Allegedly some odd BIOS INT 19h code manages to start the MBR at the alias 07C0:0000h. In other words, assume CS:nothing, or fix CS with a far jump. The rexxfat MBR is designed for sector sizes from 256=100h up to 4096=1000h bytes. Therefore the MBR copies itself to 0000:EC00h. Adding 1000h yields a stack bottom at 0000:FC00h; and a stack with 1024 bytes should be enough for INT 13h LBA read operations.
- Allegedly some odd BIOS INT 19h code does not report the disk number for INT 13h in DL correctly. Old MBR code apparently used the active partition flag 80h to populate DL, i.e., any non-zero flag instead of 80h could be used. Variants of this scheme accept 80h…FFh as active, use DL as set by the BIOS, and reject 01h…7Fh as an invalid partition table. The minimalistic rexxfat MBR accepts only 80h as active and does not look for trouble in the form of more than one boot partition. Actually it scans the flags backwards, checking its own 55AAh magic first.
- Most MBR variants support both CHS and LBA addressing. The minimalistic rexxfat MBR always uses LBA to load six instead of only one VBR sector. If something goes wrong, e.g., there is no active partition, or the loaded VBR has no 55AAh magic, an error is reported. At that point the user can press space, 0…9, a (lower case "A"), or any other key. 0…9 tries to load the MBR for DL=80h…89h, and a tries DL=00h for the first floppy drive. This won't work in emulation modes for, say, USB, where only 80h for this partitioned medium is supported. Pressing space triggers INT 18h; a modern BIOS would then try to boot the next configured boot medium. Any other key triggers INT 19h to boot the first configured boot medium.
- Various Windows MBRs have special code for the FAT32 backup boot sectors and partition types 0Bh or 0Ch. Windows 7 MBRs support encrypted disks. If you need these features, use a hex editor and copy the code in the first sector up to offset 1B8h. The remaining 72 bytes are the disk ID (four bytes), two unclear nulls, 4×16 bytes for the four partitions, and the magic 55AAh. Little endian whiners, it's 0xAA55 in your debugger ;-)
Allegedly MBRs and VBRs for sector sizes 1024, 2048, and 4096 are supposed to have their magic at the same offset as for sector size 512. At the moment the rexxfat MBR expects that the 72 bytes from offset 1B8h to 1FFh contain the disk ID, partition table, and magic. Flipping one byte in the code from 01h to 00h for the offset of the magic in theory allows sector size 256. In practice VHD images only allow 512, real hard disks used 512, and El Torito or, as the name says, 512e emulate 512.
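The 72-byte layout at offset 1B8h and the two boot-flag policies from the list above, as an added Python example that is not code from rexxfat, TestDisk or any of the MBRs discussed. The sample sector is constructed, the function names are hypothetical, and returning the first 80h flag met in a backwards scan of slots 4…1 is an assumption about how the scan picks a partition.

```python
import struct

MAGIC = b"\x55\xAA"   # bytes at 1FEh and 1FFh; a little endian word read gives 0xAA55
TAIL = 0x1B8          # disk ID starts here; boot code must end before this offset
TABLE = 0x1BE         # four 16-byte partition entries

def parse_mbr_tail(sector):
    """Split the 72 bytes at 1B8h..1FFh into disk ID, two nulls, table, magic."""
    if len(sector) < 0x200:
        raise ValueError("need at least 512 bytes")
    if sector[0x1FE:0x200] != MAGIC:      # the magic is checked first
        raise ValueError("no 55AAh magic at offset 1FEh")
    disk_id, pad = struct.unpack_from("<IH", sector, TAIL)
    entries = []
    for i in range(4):
        raw = sector[TABLE + 16 * i : TABLE + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", raw, 8)
        entries.append({"slot": i + 1, "flag": raw[0], "type": raw[4],
                        "lba": lba, "sectors": count})
    return disk_id, pad, entries

def pick_active(entries, strict=True):
    """Scan the flags backwards (slot 4 down to 1, an assumption).
    strict: only 80h is active. Otherwise 80h..FFh active, 01h..7Fh invalid."""
    for e in reversed(entries):
        f = e["flag"]
        if f == 0x80 or (not strict and f > 0x80):
            return e
        if not strict and 0x01 <= f <= 0x7F:
            raise ValueError("invalid partition table")
    return None                           # no active partition: report an error

def sample_sector():
    """Constructed sector: no boot code, two FAT32 entries, slot 2 active."""
    s = bytearray(0x200)
    struct.pack_into("<IH", s, TAIL, 0x12345678, 0)
    rows = [(1, 0x00, 0x0B, 2048, 204800), (2, 0x80, 0x0C, 206848, 409600)]
    for slot, flag, ptype, lba, count in rows:
        base = TABLE + 16 * (slot - 1)
        s[base], s[base + 4] = flag, ptype
        struct.pack_into("<II", s, base + 8, lba, count)
    s[0x1FE:0x200] = MAGIC
    return bytes(s)

if __name__ == "__main__":
    disk_id, pad, entries = parse_mbr_tail(sample_sector())
    print(f"disk ID {disk_id:08X}h, padding {pad:04X}h")
    print("active:", pick_active(entries))
```
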