Hard disk & partition(collection)
What is a hard disk partition?
A hard disk partition is a defined storage space on a hard drive.
Most operating systems allow users to divide a hard disk into multiple partitions, making one physical hard disk into several smaller logical hard disks.
Reasons to Use Hard Disk Partitions
A user may decide to split a hard disk into multiple partitions in order to organize his data more effectively. On Microsoft Windows machines, it is common to store the OS and applications on one hard disk partition and user data on another hard disk partition. When a problem occurs with Microsoft Windows, the OS partition can be completely formatted and reinstalled without affecting the data partition.
A user may decide to split a hard disk into multiple partitions because smaller partitions often have smaller cluster sizes. A cluster size is the smallest chunk of data which a partition can store. A large partition might have a cluster size of 16KB. This mens that a file with one character in it will occupy 16KB of space on the disk. In a smaller partition, that file might only require 4KB to store. This is a useful strategy if you are storing a large number of small files.
A user may have to split a large hard disk into multiple partitions if the hard disk is larger than the partition size supported by the operating system.
Creating Hard Disk Partitions
Most operating system use the 'fdisk' command to create hard disk partitions. Many operating systems also have graphical tools which accomplish the same task, such as EASEUS Partition Master.
Hard Disk Partitions and File Systems
You don't actually store data in hard disk partitions.
You store file systems in hard disk partitions and then you store data in these file systems.
Some operating systems blur the lines between partitions and file systems.
The Partition Table
Partition information is stored in the partition table, a reserved area at the beginning of a hard disk.
Extended Partitions
A standard partition table is only able to store information about four partitions. At one time this meant that a hard disk could have a maximum of four partitions.
To work around this limitation, extended partitions were created.
An extended partition stores information about other partitions. By using an extended partition, you can create many more than four partitions on your hard disk.
The four standard partitions are often called the primary partitions.
Partitions configured into an extended partition are often referred to as logical partitions.
Partition Types
When a partition is created, a special byte of data is written to record what type of partition it is.
Because one hard disk may be shared by multiple operating systems, operating systems tend to agree on the meaning of these values.
The table below lists some of the partition types in use.
Partition Number Partition Type
00 Empty
01 DOS 12-bit FAT
02 XENIX root
03 XENIX usr
04 DOS 16-bit FAT 05 DOS Extended Partition
06 DOS 16-bit FAT >=32
07 OS/2 HPFS, WinNT NTFS
08 AIX
09 AIX bootable
0a OS/2 Boot Manager
0b Win95 FAT32
0c Win95 FAT32 (LBA)
0e Win95 FAT16 (LBA)
0f Win95 Extended (LBA)
35 OS/2 JFS
39 Plan 9
40 Venix 80286
51 Novell
52 Microport
63 Unix System V, Mach, GNU HURD
64 Novell Netware 286
65 Novell Netware 386
75 PIC/IX
80 MINIX until 1.4a
81 MINUX, Linux
82 Solaris X86, Linux swap
83 Linux native
85 Linux extended
93 Amoeba
94 Amoeba BBT
a5 FreeBSD, NetBSD, BSD/386, 386BSD
a6 OpenBSD
a7 NEXTSTEP
b7 BSDI BSD/386 filesystem
b8 BSDI BSD/386 swap
be Solaris 8 bootable
bf Solaris x86
c7 Syrinx
db CP/M
e1 DOS access
e3 DOS R/O
eb BeOS BFS
fb VMWare filesystem
fc VMWare swap
f2 DOS secondary
ff Xenix Bad Block Table
What is MBR?
Short for Master Boot Record, a small program that is executed when a computer boots up. Typically, the MBR resides on the first sector of the hard disk. The program begins the boot process by looking up the partition table to determine which partition to use for booting. It then transfers program control to the boot sector of that partition, which continues the boot process. In DOS and Windows systems, you can create the MBR with the FDISK /MBR command.
An MBR virus is a common type of virus that replaces the MBR with its own code. Since the MBR executes every time a computer is started, this type of virus is extremely dangerous. MBR viruses normally enter a system through a floppy disk that is installed in the floppy drive when the computer is started up. Even if the floppy disk is not bootable, it can infect the MBR.
At the completion of your system's Power On Self Test (POST), INT 19 is called. Usually INT 19 tries to read a boot sector from the first floppy drive. If a boot sector is found on the floppy disk, the that boot sector is read into memory at location 0000:7C00 and INT 19 jumps to memory location 0000:7C00. However, if no boot sector is found on the first floppy drive, INT 19 tries to read the MBR from the first hard drive. If an MBR is found it is read into memory at location 0000:7c00 and INT 19 jumps to memory location 0000:7c00. The small program in the MBR will attempt to locate an active (bootable) partition in its partition table. If such a partition is found, the boot sector of that partition is read into memory at location 0000:7C00 and the MBR program jumps to memory location 0000:7C00. Each operating system has its own boot sector format. The small program in the boot sector must locate the first part of the operating system's kernel loader program (or perhaps the kernel itself or perhaps a "boot manager program") and read that into memory.
INT 19 is also called when the CTRL-ALT-DEL keys are used. On most systems, CTRL-ALT-DEL causes an short version of the POST to be executed before INT 19 is called.
If an active partition is found, that partition's boot record is read into 0000:7c00 and the MBR code jumps to 0000:7c00 with SI pointing to the partition table entry that describes the partition being booted. The boot record program uses this data to determine the drive being booted from and the location of the partition on the disk.
If no active partition table entry is found, ROM BASIC is entered via INT 18. All other errors cause a system hang.
OFFSET 0 1 2 3 4 5 6 7 8 9 A B C D E F *0123456789ABCDEF*
000000 fa33c08e d0bc007c 8bf45007 501ffbfc *.3.....|..P.P...*
000010 bf0006b9 0001f2a5 ea1d0600 00bebe07 *................*
000020 b304803c 80740e80 3c00751c 83c610fe *.....t....u.....*
000030 cb75efcd 188b148b 4c028bee 83c610fe *.u......L.......*
000040 cb741a80 3c0074f4 be8b06ac 3c00740b *.t....t.......t.*
000050 56bb0700 b40ecd10 5eebf0eb febf0500 *V.......^.......*
000060 bb007cb8 010257cd 135f730c 33c0cd13 *..|...W.._s.3...*
000070 4f75edbe a306ebd3 bec206bf fe7d813d *Ou...........}.=*
000080 55aa75c7 8bf5ea00 7c000049 6e76616c *U.u.....|..Inval*
000090 69642070 61727469 74696f6e 20746162 *id partition tab*
0000a0 6c650045 72726f72 206c6f61 64696e67 *le.Error loading*
0000b0 206f7065 72617469 6e672073 79737465 * operating syste*
0000c0 6d004d69 7373696e 67206f70 65726174 *m.Missing operat*
0000d0 696e6720 73797374 656d0000 00000000 *ing system......*
0000e0 00000000 00000000 00000000 00000000 *................*
0000f0 0O000000 00000000 00000000 00000000
0001b0 00000000 00000000 00000000 00008001 *................*
0001c0 0100060d fef83e00 00000678 0d000000 *...........x....*
0001d0 00000000 00000000 00000000 00000000 *................*
0001e0 00000000 00000000 00000000 00000000 *................*
0001f0 00000000 00000000 00000000 000055aa *..............U.*
What is Partition Table?
Partition can be considered as a piece of disk space, which is marked thereby runs on some operating system. Partition table is located at the first sector (cylinder 0, head 0 and sector 1, MBR) of each hard disk. It memorizes information about sizes and locations of partitions on hard disk. The partition information is started on offset 1BEH of master boot sector. Each partition entry is 16 bytes long. The total partition table is 64 bytes long. Then partition table is limited to a maximum of 4 entries. That is, there is a maximum of 4 partitions, which is called primary partition and can be created on hard disk.
But there are problems: many people want to create more than 4 partitions. So the extended partition is designed for this demand. Master extended partition is the primary partition. Differing from other partitions, the first sector of extended partition is not a boot sector, but another partition table, which is called logical partition table.
Commonly, there are only two partition entries in logical partition table. One points to a partition, called logical partition, whose boundary must be limited to the extended partition. The other entry, if needed, of the extended partition table points to the next logical partition table. Similarly, its boundary is limited to its parents extended partition. And the next logical partition table may also have two partition entries: one points to a logical partition; the other points to another logical partition table and the rest may be deduced by analogy. Therefore, many partitions could be created in extended partition.
Now let's have a look at the layout of one partition entry.
The 16 bytes of one entry are as follows:
OFFSET BYTE DESCRIPTION
0 1 Boot label. Tell computer toboot from this partition
1 1 Starting head
2 1 Lower 6 bits (bit 0 to bit 5) isstarting sector.
Higher 2 bits (bit 6 to bit 7) is the higher bits of starting cylinder
3 1 The lower 8 bits of starting cylinder
4 1 Partition type
5 1 Ending head
6 1 Lower 6 bits (bit 0 to bit 5) isending sector.
Higher 2 bits (bit 6 to bit 7) is the higher bits of ending cylinder
7 1 The lower 8 bits of ending cylinder
8 4 Leading sectors of this partition
12 4 Number of sectors of this partition
(a) Boot label (offset 0):
Most of the disks have one primary partition. Some people want to have more operating systems on their computers, so they have to create some other primary partitions. To tell the computer from which operating system to boot, one "Active" partition is in need. That's why partition table always keeps an indicator of the currently "Active" partition - the one from which the computer boots. In Partition Table Doctor or Super Fdisk, the active partition is figured out by "Active" with "Yes".
(b) Starting position (offset 1-3):
Describes the partition's starting position, the cylinder, the head and the sector. Also called starting CHS.
starting head = (OFFSET 1)
starting sector = (OFFSET 2) & 0x3f
starting cylinder = (((OFFSET 2) & 0xc0)(c) Partition type (offset 4):
Indicates what file system is in the partition. For example, 06 or 0E indicates a FAT file system. 0B or 0C indicates a FAT32 file system. 07 indicates NTFS or OS/2 HPFS file system.
(d) Ending position (offset 5-7):
Describes the partition's ending position, the cylinder, the head and the sector. Also called ending CHS.
(e) Leading sectors (offset 8-11):
The number of sectors before this partition. If we count all sectors on hard disk in sequence from zero, this field will exactly point to the first sector of this partition.
(f) Number of sectors (offset 12-15):
The total number of sectors on this partition. So the size of this partition will be (Number of sectors)*512/1048576 MB.
Master boot record
From Wikipedia, the free encyclopedia
This article is in need of attention from an expert on the subject. Please help recruit one or improve this article yourself. See thetalk page for details. Please consider using {{Expert-subject}} to associate this request with a WikiProject.
Structure of a Master Boot Record
Address Description Size
in
bytes
Hex
Oct
Dec
0000 0000 0 Code Area 440
(max. 446)
01B8 0670 440 Optional Disk signature 4
01BC 0674 444 Usually Nulls; 0x0000 2
01BE 0676 446 Table of primary partitions
(Four 16-byte entries, IBM Partition Table scheme) 64
01FE 0776 510 55h MBR signature;
0xAA55[1]
2
01FF 0777 511 AAh
MBR, total size: 446 + 64 + 2 = 512
A master boot record (MBR), or partition sector, is the 512-byte boot sector that is the first sector ("LBA Sector 0") of a partitioned data storage device such as a hard disk. (The boot sector of a non-partitioned device is a Volume Boot Record. These are usually different, although it is possible to create a record that acts as both; it is called a multi boot record.) The MBR may be used for one or more of the following:
Holding a disk's primary partition table.[2]
Bootstrapping operating systems, after the computer's BIOS passes execution to machine code instructions contained within the MBR.
Uniquely identifying individual disk media, with a 32-bit disk signature; even though it may never be used by the machine the disk is running on.[3][4][5][6]
Due to the broad popularity of IBM PC-compatible computers, this type of MBR is widely used, to the extent of being supported by and incorporated into other computer types including newer cross-platform standards for bootstrapping and partitioning.[citation needed]
Contents
[hide]
• 1 MBRs and disk partitioning
• 2 MBRs and system bootstrapping
• 3 MBRs and disk identity
• 4 Programming Considerations
• 5 Editing/replacing MBR contents
• 6 References
• 7 Further reading
• 8 See also
• 9 External links
[edit]MBRs and disk partitioning
Layout of one 16-byte partition record
Offset Field
length
(bytes) Description
0x00 1 status[7] (0x80 = bootable (active), 0x00 = non-bootable,
other = invalid[8])
0x01 3 CHS address of first block in partition.[9]
The format is described in the next 3 bytes.
0x01 1 head[10]
0x02 1 sector is in bits 5–0[11]; bits 9–8 of cylinder are in bits 7–6
0x03 1 bits 7–0 of cylinder[12]
0x04 1 partition type[13][14]
0x05 3 CHS address of last block in partition.[15]
The format is described in the next 3 bytes.
0x05 1 head
0x06 1 sector is in bits 5–0; bits 9–8 of cylinder are in bits 7–6
0x07 1 bits 7–0 of cylinder
0x08 4 LBA of first sector in the partition[16]
0x0C 4 number of blocks in partition, in little-endian format[16]
The MBR is not located in a partition, it is located at a Main Boot Record area in front of the first partition.
When a data storage device has been partitioned with the MBR Partition Table scheme (i.e., the conventionalIBM PC partitioning scheme), the master boot record contains the primary partition entries in its partition table. The partition table may also contain entries for other, secondary partitions which are stored in extended boot records (EBRs), BSD disklabels, and Logical Disk Manager metadata partitions that are described by those primary entries.[17]
By convention, there are exactly four primary partition table entries in the MBR Partition Table scheme, although some DOS operating systems did extend this to five (PTS-DOS)[18] or even eight (AST or NEC DOS)[19][20]entries. Both the partition length and partition start address are stored as 32-bit quantities. Because the block size is 512 bytes, this implies that neither the maximum size of a partition nor the maximum start address (both in bytes) can exceed 232 × 512 bytes, or 2 TiB. Alleviating this capacity limitation is one of the prime motivations for the development of the GUID Partition Table (GPT).
Where a data storage device has been partitioned with the GPT scheme, the Master Boot Record will still contain a partition table, but its only purpose is to indicate the existence of the GUID Table and to prevent utility programs that understand only the MBR Partition Table scheme from creating any partitions in what they would see as free space on the disk, thereby accidentally erasing the GUID table.
[edit]MBRs and system bootstrapping
On IA-32 IBM PC compatible machines using the MBR Partition Table scheme, the bootstrapping firmwarecontained within the ROM BIOS loads and executes the master boot record. Because the i386 family of processors boot up in real mode, the code in the MBR uses real mode machine language instructions. This code normally passes control by chain loading the volume boot record (VBR) of the active (primary) partition, although some boot managers replace that conventional code with their own.
The conventional MBR code expects the MBR Partition Table scheme to have been used, and scans the list of (primary) partition entries in its embedded partition table to find the only one that is marked with the active flag. It then loads and runs the Volume Boot Record for that partition. (Thus the master boot record, like other boot sectors, is a target for boot-sector infectingcomputer viruses. See boot sector.)
The MBR replacement code in some boot managers can perform a variety of tasks, and what those tasks are varies from boot manager to boot manager. In some, for example, it loads the remainder of the boot manager code from the first track of the disk, which it assumes to be "free" space that is not allocated to any disk partition, and executes it. In others, it uses a table of embedded disk locations to locate the remainder of the boot manager code to load and to execute. (Both approaches have problems. The first relies on behavior that is not universal across all disk partitioning utilities. The second requires that the embedded list of disk locations be updated when changes are made that would relocate the remainder of the code.)
On machines that do not use IA-32 processors, and on machines that use Extensible Firmware Interface (EFI) firmware, this design is unsuitable, and the MBR is not used as part of the system bootstrap. On the latter, the firmware is instead capable of directly understanding the GPT partitioning scheme and the FAT filesystem format, and loads and runs programs held as files in the EFI System partition. The MBR will be involved only insofar as it might contain the partition table if the MBR Partition Table scheme has been used.
There is some MBR replacement code that emulates EFI firmware's bootstrap, which makes non-EFI machines capable of booting from disks using the GPT partitioning scheme. (A typical example is a Multi Boot Record, which can be used as MBR and as a Volume Boot Record in the bootstrap process and hence the name. It detects a GPT and loads the EFI compatible code from disk to complete this task.)
[edit]MBRs and disk identity
Information contained in the Partition Table of an external hard drive as it appears in the utility program, QtParted, running under Linux.
In addition to the bootstrap code and a partition table, master boot records may contain a Windows NT disk signature. This is a 32-bit value that is intended to uniquely identify the disk medium (as opposed to the disk unit — the two not necessarily being the same for removable hard disks).
The disk signature was introduced by Windows NT version 3.5, but is now used by several operating systems, including the Linux kernel version 2.6 and later. Linux uses the NT disk signature at boot time to determine the location of the boot volume.[21]
Windows NT (and later Microsoft operating systems) uses the disk signature as an index to all the partitions on any disk ever connected to the computer under that OS; these signatures are kept in Registry keys, primarily for storing the persistent mappings between disk partitions and drive letters. It may also be used in boot.ini files (though most do not), to describe the location of bootable Windows NT (or later) partitions.[22] One key (among many) where NT disk signatures appear in a Windows 2000/XP Registry is:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
If a disk's signature stored in the MBR was A8 E1 B9 D2 (in that order) and its first partition corresponded with logical drive C: under Windows, then the REG_BINARY data under the key value, \DosDevices\C:, would be:
A8 E1 B9 D2 00 7E 00 00 00 00 00 00
The first four bytes are said disk signature. (Note: In other keys, these bytes may appear in reverse order from that found in the MBR sector.) These are followed by eight more bytes, forming a 64-bit Integer, in little endian notation, which are used to locate the byte offset of this partition. In this case, 00 7E corresponds to the hexadecimal value 0x7E00 (32,256dec). Dividing this byte offset by 512 (the size of a hard disk's physical sector in bytes) results in 63, which is the physical sector number (or LBA) containing the first block of the partition ([23]).
If this disk had another partition with the values 00 F8 93 71 02 following the disk signature (under, e.g., the key value \DosDevices\D:), it would begin at byte offset 0x27193f800(10,495,457,280dec), which is also the first byte of physical sector 20,498,940.
[edit]Programming Considerations
Assume that the system being programmed uses the BIOS MBR scheme, as stated above, and the system BIOS locates a valid MBR on a partitioned drive in its boot sequence. As stated above, conventional MBR code loads and runs the operating-system-dependent Volume Boot Record (or bootloader) code that is located at the beginning of the disk's "active" partition. The MBR can simply assume that the one active partition on the current drive is supposed to boot, or alternately, it can be programmed as a Dual boot MBR. A dual boot MBR must interact with the user to determine which partition on which drive should boot, and may transfer control to the MBR of a different drive.
The BIOS will load the first valid MBR that it finds into hexadecimal physical address 0x7c00, and jump to that address. Part of the end of the 512 byte sector is pre-allocated for the partition table and other information (see above), so the MBR program must be tiny enough to fit within 440 bytes of memory. The MBR program may communicate with the user, examine the partition table, or perform some housekeeping tasks such as enabling the A20 line, or changing to Unreal mode from Real mode. Eventually, the MBR will need to perform its main task, and load the program that will perform the next stage of the boot process, usually by making use of the INT 13 BIOS call.
Typical boot sector code also expects to be loaded at physical address 0x7c00, even though all the memory from physical address 0x501 (address 0x500 is the last one used by the BIOS)[citation needed] to somewhere short of 0x9ffff is typically available in Real mode (a total of up to 640 KB minus the first 1281 bytes of memory)[24] Since 0x7c00 is the location where the MBR is already running, one of the first tasks of an MBR is usually to relocate itself somewhere else in memory—most often at 0x600 (for Microsoft code). A conventional Volume Boot Record is only one sector long; but it does no harm and is trivial to allow the MBR to load significantly more than just one sector. Some bootloaders are longer than one sector, so loading more than one sector can speed up the boot process.
[edit]Editing/replacing MBR contents
Though it is possible to directly manipulate the bytes in the MBR sector using various Disk Editors, there are tools to write fixed sets of functioning code to the MBR . Since MS-DOS 5.0, the DOS-mode program FDISK has included the (undocumented, but widely used) switch /mbr, which will rewrite the MBR code. Under Windows 2000 or later, the Recovery Console can be used to write new MBR code to a hard disk using its fixmbr command. Under Windows Vista and Windows 7, the Recovery Environment can be used to write new MBR code to a hard disk by clicking on Command Prompt and typing bootrec /FixMbr.
Some third-party utilities may also be used for directly editing the contents of partition tables (without requiring any knowledge of hexadecimal or disk/sector editors).[25]
In Linux, ms-sys may be used to install a standard MBR. The GRUB and LILO projects have tools for writing code to the MBR sector, namely grub-install and lilo -mbr. The grubinteractive console also has commands to write to the MBR. dd is also a commonly used Unix command to copy or overwrite any sector, MBR included.
A hard disk partition is a defined storage space on a hard drive.
Most operating systems allow users to divide a hard disk into multiple partitions, making one physical hard disk into several smaller logical hard disks.
Reasons to Use Hard Disk Partitions
A user may decide to split a hard disk into multiple partitions in order to organize his data more effectively. On Microsoft Windows machines, it is common to store the OS and applications on one hard disk partition and user data on another hard disk partition. When a problem occurs with Microsoft Windows, the OS partition can be completely formatted and reinstalled without affecting the data partition.
A user may decide to split a hard disk into multiple partitions because smaller partitions often have smaller cluster sizes. A cluster size is the smallest chunk of data which a partition can store. A large partition might have a cluster size of 16KB. This mens that a file with one character in it will occupy 16KB of space on the disk. In a smaller partition, that file might only require 4KB to store. This is a useful strategy if you are storing a large number of small files.
A user may have to split a large hard disk into multiple partitions if the hard disk is larger than the partition size supported by the operating system.
Creating Hard Disk Partitions
Most operating system use the 'fdisk' command to create hard disk partitions. Many operating systems also have graphical tools which accomplish the same task, such as EASEUS Partition Master.
Hard Disk Partitions and File Systems
You don't actually store data in hard disk partitions.
You store file systems in hard disk partitions and then you store data in these file systems.
Some operating systems blur the lines between partitions and file systems.
The Partition Table
Partition information is stored in the partition table, a reserved area at the beginning of a hard disk.
Extended Partitions
A standard partition table is only able to store information about four partitions. At one time this meant that a hard disk could have a maximum of four partitions.
To work around this limitation, extended partitions were created.
An extended partition stores information about other partitions. By using an extended partition, you can create many more than four partitions on your hard disk.
The four standard partitions are often called the primary partitions.
Partitions configured into an extended partition are often referred to as logical partitions.
Partition Types
When a partition is created, a special byte of data is written to record what type of partition it is.
Because one hard disk may be shared by multiple operating systems, operating systems tend to agree on the meaning of these values.
The table below lists some of the partition types in use.
Partition Number Partition Type
00 Empty
01 DOS 12-bit FAT
02 XENIX root
03 XENIX usr
04 DOS 16-bit FAT 05 DOS Extended Partition
06 DOS 16-bit FAT >=32
07 OS/2 HPFS, WinNT NTFS
08 AIX
09 AIX bootable
0a OS/2 Boot Manager
0b Win95 FAT32
0c Win95 FAT32 (LBA)
0e Win95 FAT16 (LBA)
0f Win95 Extended (LBA)
35 OS/2 JFS
39 Plan 9
40 Venix 80286
51 Novell
52 Microport
63 Unix System V, Mach, GNU HURD
64 Novell Netware 286
65 Novell Netware 386
75 PIC/IX
80 MINIX until 1.4a
81 MINUX, Linux
82 Solaris X86, Linux swap
83 Linux native
85 Linux extended
93 Amoeba
94 Amoeba BBT
a5 FreeBSD, NetBSD, BSD/386, 386BSD
a6 OpenBSD
a7 NEXTSTEP
b7 BSDI BSD/386 filesystem
b8 BSDI BSD/386 swap
be Solaris 8 bootable
bf Solaris x86
c7 Syrinx
db CP/M
e1 DOS access
e3 DOS R/O
eb BeOS BFS
fb VMWare filesystem
fc VMWare swap
f2 DOS secondary
ff Xenix Bad Block Table
What is MBR?
Short for Master Boot Record, a small program that is executed when a computer boots up. Typically, the MBR resides on the first sector of the hard disk. The program begins the boot process by looking up the partition table to determine which partition to use for booting. It then transfers program control to the boot sector of that partition, which continues the boot process. In DOS and Windows systems, you can create the MBR with the FDISK /MBR command.
An MBR virus is a common type of virus that replaces the MBR with its own code. Since the MBR executes every time a computer is started, this type of virus is extremely dangerous. MBR viruses normally enter a system through a floppy disk that is installed in the floppy drive when the computer is started up. Even if the floppy disk is not bootable, it can infect the MBR.
At the completion of your system's Power On Self Test (POST), INT 19 is called. Usually INT 19 tries to read a boot sector from the first floppy drive. If a boot sector is found on the floppy disk, the that boot sector is read into memory at location 0000:7C00 and INT 19 jumps to memory location 0000:7C00. However, if no boot sector is found on the first floppy drive, INT 19 tries to read the MBR from the first hard drive. If an MBR is found it is read into memory at location 0000:7c00 and INT 19 jumps to memory location 0000:7c00. The small program in the MBR will attempt to locate an active (bootable) partition in its partition table. If such a partition is found, the boot sector of that partition is read into memory at location 0000:7C00 and the MBR program jumps to memory location 0000:7C00. Each operating system has its own boot sector format. The small program in the boot sector must locate the first part of the operating system's kernel loader program (or perhaps the kernel itself or perhaps a "boot manager program") and read that into memory.
INT 19 is also called when the CTRL-ALT-DEL keys are used. On most systems, CTRL-ALT-DEL causes an short version of the POST to be executed before INT 19 is called.
If an active partition is found, that partition's boot record is read into 0000:7c00 and the MBR code jumps to 0000:7c00 with SI pointing to the partition table entry that describes the partition being booted. The boot record program uses this data to determine the drive being booted from and the location of the partition on the disk.
If no active partition table entry is found, ROM BASIC is entered via INT 18. All other errors cause a system hang.
OFFSET 0 1 2 3 4 5 6 7 8 9 A B C D E F *0123456789ABCDEF*
000000 fa33c08e d0bc007c 8bf45007 501ffbfc *.3.....|..P.P...*
000010 bf0006b9 0001f2a5 ea1d0600 00bebe07 *................*
000020 b304803c 80740e80 3c00751c 83c610fe *.....t....u.....*
000030 cb75efcd 188b148b 4c028bee 83c610fe *.u......L.......*
000040 cb741a80 3c0074f4 be8b06ac 3c00740b *.t....t.......t.*
000050 56bb0700 b40ecd10 5eebf0eb febf0500 *V.......^.......*
000060 bb007cb8 010257cd 135f730c 33c0cd13 *..|...W.._s.3...*
000070 4f75edbe a306ebd3 bec206bf fe7d813d *Ou...........}.=*
000080 55aa75c7 8bf5ea00 7c000049 6e76616c *U.u.....|..Inval*
000090 69642070 61727469 74696f6e 20746162 *id partition tab*
0000a0 6c650045 72726f72 206c6f61 64696e67 *le.Error loading*
0000b0 206f7065 72617469 6e672073 79737465 * operating syste*
0000c0 6d004d69 7373696e 67206f70 65726174 *m.Missing operat*
0000d0 696e6720 73797374 656d0000 00000000 *ing system......*
0000e0 00000000 00000000 00000000 00000000 *................*
0000f0 0O000000 00000000 00000000 00000000
0001b0 00000000 00000000 00000000 00008001 *................*
0001c0 0100060d fef83e00 00000678 0d000000 *...........x....*
0001d0 00000000 00000000 00000000 00000000 *................*
0001e0 00000000 00000000 00000000 00000000 *................*
0001f0 00000000 00000000 00000000 000055aa *..............U.*
What is Partition Table?
Partition can be considered as a piece of disk space, which is marked thereby runs on some operating system. Partition table is located at the first sector (cylinder 0, head 0 and sector 1, MBR) of each hard disk. It memorizes information about sizes and locations of partitions on hard disk. The partition information is started on offset 1BEH of master boot sector. Each partition entry is 16 bytes long. The total partition table is 64 bytes long. Then partition table is limited to a maximum of 4 entries. That is, there is a maximum of 4 partitions, which is called primary partition and can be created on hard disk.
But there are problems: many people want to create more than 4 partitions. So the extended partition is designed for this demand. Master extended partition is the primary partition. Differing from other partitions, the first sector of extended partition is not a boot sector, but another partition table, which is called logical partition table.
Commonly, there are only two partition entries in logical partition table. One points to a partition, called logical partition, whose boundary must be limited to the extended partition. The other entry, if needed, of the extended partition table points to the next logical partition table. Similarly, its boundary is limited to its parents extended partition. And the next logical partition table may also have two partition entries: one points to a logical partition; the other points to another logical partition table and the rest may be deduced by analogy. Therefore, many partitions could be created in extended partition.
Now let's have a look at the layout of one partition entry.
The 16 bytes of one entry are as follows:
OFFSET BYTE DESCRIPTION
0 1 Boot label. Tell computer toboot from this partition
1 1 Starting head
2 1 Lower 6 bits (bit 0 to bit 5) isstarting sector.
Higher 2 bits (bit 6 to bit 7) is the higher bits of starting cylinder
3 1 The lower 8 bits of starting cylinder
4 1 Partition type
5 1 Ending head
6 1 Lower 6 bits (bit 0 to bit 5) isending sector.
Higher 2 bits (bit 6 to bit 7) is the higher bits of ending cylinder
7 1 The lower 8 bits of ending cylinder
8 4 Leading sectors of this partition
12 4 Number of sectors of this partition
(a) Boot label (offset 0):
Most of the disks have one primary partition. Some people want to have more operating systems on their computers, so they have to create some other primary partitions. To tell the computer from which operating system to boot, one "Active" partition is in need. That's why partition table always keeps an indicator of the currently "Active" partition - the one from which the computer boots. In Partition Table Doctor or Super Fdisk, the active partition is figured out by "Active" with "Yes".
(b) Starting position (offset 1-3):
Describes the partition's starting position, the cylinder, the head and the sector. Also called starting CHS.
starting head = (OFFSET 1)
starting sector = (OFFSET 2) & 0x3f
starting cylinder = (((OFFSET 2) & 0xc0)(c) Partition type (offset 4):
Indicates what file system is in the partition. For example, 06 or 0E indicates a FAT file system. 0B or 0C indicates a FAT32 file system. 07 indicates NTFS or OS/2 HPFS file system.
(d) Ending position (offset 5-7):
Describes the partition's ending position, the cylinder, the head and the sector. Also called ending CHS.
(e) Leading sectors (offset 8-11):
The number of sectors before this partition. If we count all sectors on hard disk in sequence from zero, this field will exactly point to the first sector of this partition.
(f) Number of sectors (offset 12-15):
The total number of sectors on this partition. So the size of this partition will be (Number of sectors)*512/1048576 MB.
Master boot record
From Wikipedia, the free encyclopedia
This article is in need of attention from an expert on the subject. Please help recruit one or improve this article yourself. See thetalk page for details. Please consider using {{Expert-subject}} to associate this request with a WikiProject.
Structure of a Master Boot Record
Address Description Size
in
bytes
Hex
Oct
Dec
0000 0000 0 Code Area 440
(max. 446)
01B8 0670 440 Optional Disk signature 4
01BC 0674 444 Usually Nulls; 0x0000 2
01BE 0676 446 Table of primary partitions
(Four 16-byte entries, IBM Partition Table scheme) 64
01FE 0776 510 55h MBR signature;
0xAA55[1]
2
01FF 0777 511 AAh
MBR, total size: 446 + 64 + 2 = 512
A master boot record (MBR), or partition sector, is the 512-byte boot sector that is the first sector ("LBA Sector 0") of a partitioned data storage device such as a hard disk. (The boot sector of a non-partitioned device is a Volume Boot Record. These are usually different, although it is possible to create a record that acts as both; it is called a multi boot record.) The MBR may be used for one or more of the following:
Holding a disk's primary partition table.[2]
Bootstrapping operating systems, after the computer's BIOS passes execution to machine code instructions contained within the MBR.
Uniquely identifying individual disk media, with a 32-bit disk signature; even though it may never be used by the machine the disk is running on.[3][4][5][6]
Due to the broad popularity of IBM PC-compatible computers, this type of MBR is widely used, to the extent of being supported by and incorporated into other computer types including newer cross-platform standards for bootstrapping and partitioning.[citation needed]
Contents
[hide]
• 1 MBRs and disk partitioning
• 2 MBRs and system bootstrapping
• 3 MBRs and disk identity
• 4 Programming Considerations
• 5 Editing/replacing MBR contents
• 6 References
• 7 Further reading
• 8 See also
• 9 External links
[edit]MBRs and disk partitioning
Layout of one 16-byte partition record
Offset Field
length
(bytes) Description
0x00 1 status[7] (0x80 = bootable (active), 0x00 = non-bootable,
other = invalid[8])
0x01 3 CHS address of first block in partition.[9]
The format is described in the next 3 bytes.
0x01 1 head[10]
0x02 1 sector is in bits 5–0[11]; bits 9–8 of cylinder are in bits 7–6
0x03 1 bits 7–0 of cylinder[12]
0x04 1 partition type[13][14]
0x05 3 CHS address of last block in partition.[15]
The format is described in the next 3 bytes.
0x05 1 head
0x06 1 sector is in bits 5–0; bits 9–8 of cylinder are in bits 7–6
0x07 1 bits 7–0 of cylinder
0x08 4 LBA of first sector in the partition[16]
0x0C 4 number of blocks in partition, in little-endian format[16]
The MBR is not located in a partition, it is located at a Main Boot Record area in front of the first partition.
When a data storage device has been partitioned with the MBR Partition Table scheme (i.e., the conventionalIBM PC partitioning scheme), the master boot record contains the primary partition entries in its partition table. The partition table may also contain entries for other, secondary partitions which are stored in extended boot records (EBRs), BSD disklabels, and Logical Disk Manager metadata partitions that are described by those primary entries.[17]
By convention, there are exactly four primary partition table entries in the MBR Partition Table scheme, although some DOS operating systems did extend this to five (PTS-DOS)[18] or even eight (AST or NEC DOS)[19][20]entries. Both the partition length and partition start address are stored as 32-bit quantities. Because the block size is 512 bytes, this implies that neither the maximum size of a partition nor the maximum start address (both in bytes) can exceed 232 × 512 bytes, or 2 TiB. Alleviating this capacity limitation is one of the prime motivations for the development of the GUID Partition Table (GPT).
Where a data storage device has been partitioned with the GPT scheme, the Master Boot Record will still contain a partition table, but its only purpose is to indicate the existence of the GUID Table and to prevent utility programs that understand only the MBR Partition Table scheme from creating any partitions in what they would see as free space on the disk, thereby accidentally erasing the GUID table.
[edit]MBRs and system bootstrapping
On IA-32 IBM PC compatible machines using the MBR Partition Table scheme, the bootstrapping firmwarecontained within the ROM BIOS loads and executes the master boot record. Because the i386 family of processors boot up in real mode, the code in the MBR uses real mode machine language instructions. This code normally passes control by chain loading the volume boot record (VBR) of the active (primary) partition, although some boot managers replace that conventional code with their own.
The conventional MBR code expects the MBR Partition Table scheme to have been used, and scans the list of (primary) partition entries in its embedded partition table to find the only one that is marked with the active flag. It then loads and runs the Volume Boot Record for that partition. (Thus the master boot record, like other boot sectors, is a target for boot-sector infectingcomputer viruses. See boot sector.)
The MBR replacement code in some boot managers can perform a variety of tasks, and what those tasks are varies from boot manager to boot manager. In some, for example, it loads the remainder of the boot manager code from the first track of the disk, which it assumes to be "free" space that is not allocated to any disk partition, and executes it. In others, it uses a table of embedded disk locations to locate the remainder of the boot manager code to load and to execute. (Both approaches have problems. The first relies on behavior that is not universal across all disk partitioning utilities. The second requires that the embedded list of disk locations be updated when changes are made that would relocate the remainder of the code.)
On machines that do not use IA-32 processors, and on machines that use Extensible Firmware Interface (EFI) firmware, this design is unsuitable, and the MBR is not used as part of the system bootstrap. On the latter, the firmware is instead capable of directly understanding the GPT partitioning scheme and the FAT filesystem format, and loads and runs programs held as files in the EFI System partition. The MBR will be involved only insofar as it might contain the partition table if the MBR Partition Table scheme has been used.
There is some MBR replacement code that emulates EFI firmware's bootstrap, which makes non-EFI machines capable of booting from disks using the GPT partitioning scheme. (A typical example is a Multi Boot Record, which can be used as MBR and as a Volume Boot Record in the bootstrap process and hence the name. It detects a GPT and loads the EFI compatible code from disk to complete this task.)
[edit]MBRs and disk identity
Information contained in the Partition Table of an external hard drive as it appears in the utility program, QtParted, running under Linux.
In addition to the bootstrap code and a partition table, master boot records may contain a Windows NT disk signature. This is a 32-bit value that is intended to uniquely identify the disk medium (as opposed to the disk unit — the two not necessarily being the same for removable hard disks).
The disk signature was introduced by Windows NT version 3.5, but is now used by several operating systems, including the Linux kernel version 2.6 and later. Linux uses the NT disk signature at boot time to determine the location of the boot volume.[21]
Windows NT (and later Microsoft operating systems) uses the disk signature as an index to all the partitions on any disk ever connected to the computer under that OS; these signatures are kept in Registry keys, primarily for storing the persistent mappings between disk partitions and drive letters. It may also be used in boot.ini files (though most do not), to describe the location of bootable Windows NT (or later) partitions.[22] One key (among many) where NT disk signatures appear in a Windows 2000/XP Registry is:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
If a disk's signature stored in the MBR was A8 E1 B9 D2 (in that order) and its first partition corresponded with logical drive C: under Windows, then the REG_BINARY data under the key value, \DosDevices\C:, would be:
A8 E1 B9 D2 00 7E 00 00 00 00 00 00
The first four bytes are said disk signature. (Note: In other keys, these bytes may appear in reverse order from that found in the MBR sector.) These are followed by eight more bytes, forming a 64-bit Integer, in little endian notation, which are used to locate the byte offset of this partition. In this case, 00 7E corresponds to the hexadecimal value 0x7E00 (32,256dec). Dividing this byte offset by 512 (the size of a hard disk's physical sector in bytes) results in 63, which is the physical sector number (or LBA) containing the first block of the partition ([23]).
If this disk had another partition with the values 00 F8 93 71 02 following the disk signature (under, e.g., the key value \DosDevices\D:), it would begin at byte offset 0x27193f800(10,495,457,280dec), which is also the first byte of physical sector 20,498,940.
[edit]Programming Considerations
Assume that the system being programmed uses the BIOS MBR scheme, as stated above, and the system BIOS locates a valid MBR on a partitioned drive in its boot sequence. As stated above, conventional MBR code loads and runs the operating-system-dependent Volume Boot Record (or bootloader) code that is located at the beginning of the disk's "active" partition. The MBR can simply assume that the one active partition on the current drive is supposed to boot, or alternately, it can be programmed as a Dual boot MBR. A dual boot MBR must interact with the user to determine which partition on which drive should boot, and may transfer control to the MBR of a different drive.
The BIOS will load the first valid MBR that it finds into hexadecimal physical address 0x7c00, and jump to that address. Part of the end of the 512 byte sector is pre-allocated for the partition table and other information (see above), so the MBR program must be tiny enough to fit within 440 bytes of memory. The MBR program may communicate with the user, examine the partition table, or perform some housekeeping tasks such as enabling the A20 line, or changing to Unreal mode from Real mode. Eventually, the MBR will need to perform its main task, and load the program that will perform the next stage of the boot process, usually by making use of the INT 13 BIOS call.
Typical boot sector code also expects to be loaded at physical address 0x7c00, even though all the memory from physical address 0x501 (address 0x500 is the last one used by the BIOS)[citation needed] to somewhere short of 0x9ffff is typically available in Real mode (a total of up to 640 KB minus the first 1281 bytes of memory)[24] Since 0x7c00 is the location where the MBR is already running, one of the first tasks of an MBR is usually to relocate itself somewhere else in memory—most often at 0x600 (for Microsoft code). A conventional Volume Boot Record is only one sector long; but it does no harm and is trivial to allow the MBR to load significantly more than just one sector. Some bootloaders are longer than one sector, so loading more than one sector can speed up the boot process.
[edit]Editing/replacing MBR contents
Though it is possible to directly manipulate the bytes in the MBR sector using various Disk Editors, there are tools to write fixed sets of functioning code to the MBR . Since MS-DOS 5.0, the DOS-mode program FDISK has included the (undocumented, but widely used) switch /mbr, which will rewrite the MBR code. Under Windows 2000 or later, the Recovery Console can be used to write new MBR code to a hard disk using its fixmbr command. Under Windows Vista and Windows 7, the Recovery Environment can be used to write new MBR code to a hard disk by clicking on Command Prompt and typing bootrec /FixMbr.
Some third-party utilities may also be used for directly editing the contents of partition tables (without requiring any knowledge of hexadecimal or disk/sector editors).[25]
In Linux, ms-sys may be used to install a standard MBR. The GRUB and LILO projects have tools for writing code to the MBR sector, namely grub-install and lilo -mbr. The grubinteractive console also has commands to write to the MBR. dd is also a commonly used Unix command to copy or overwrite any sector, MBR included.