| |
|
Pierre's
field guide to partition table recovery
( © DataRescue
sa/nv 1997-1998 )
(thanks
to Bruce P. Burrell and Tarkan Yetiser for their suggestions, corrections
and constructive comments)
Part 1 - Basics
|
|
|
|
| |
Please
read this warning before going
any further. Also, check
out the minimal knowledge
I expect you have.You'll need a disk editor and a bootable disk.
I suggest you use Norton Disk Editor, a nifty program included
in Norton
Utilities. |
The goal
| |
This
document is not intended to be a comprehensive reference about low
level disk structures; it does not even attempt to cover all common
scenarios. See it as a extremely small piece of knowledge that could
at best save your a**, and at worst give you a primer in logical
data recovery. |
The Master Boot Record
| |
The Master
Boot Record (MBR) is 99.999% of the time located on the first physical
sector of a hard disk. It contains two functionally different parts
- some executable
code
- the partition
table
The executable
code is loaded into RAM at boot time and, guess what, executed.
Its role is to determine which partition is the bootable one to
load and execute its boot sector. That sector then usually loads
the operating system. One interesting thing to know is that the
boot sector is, 99.999% of the time, the first sector a partition.
Hint : a partition begins by a boot sector and ends before another
boot sector (either a boot sector or another partition table actually).
The code part of the MBR is the part that is refreshed when FDISK
/MBR is used. Please note that using FDISK /MBR blindly might be
a risky endeavour in that it can do more harm than good. For example,
some hard drives need to use a drive overlay software, such as OnTrack
Disk Manager, to be able to handle large drives. On such drives,
the loader code in the MBR is not the "standard" code FDISK /MBR
puts there. In such cases, you would be destroying the OnTrack loader
code, and your drive will not be accessible afterwards. In addition,
the partition table information is not the same as that on a hard
drive that does not have disk overlay software.
The partition table itself is located at the offset 1BEh of the
first sector of the hard disk. There are four 16-bytes entries in
the table, each of them being a placeholder for the description
of a partition on the hard disk. We have this |
Master Boot Record Structure
| Offset |
Nature |
size |
| +00h |
Executable code |
may vary |
| +1BEh |
1st partition table entry |
16 bytes |
| +1CEh |
2nd partition table entry |
16 bytes |
| +1DEh |
3rd partition table entry |
16 bytes |
| +1EEh |
4th partition table entry |
16 bytes |
| +1FEh |
Executable marker 55h AAh |
2 bytes |
The Partition Table
| |
At
this point, it should be obvious that, if a partition table entry
is only 16-bytes long, you don't need a PhD to fix it. Especially
if you know that it is structured like this |
Partition Table Entry Structure
| Offset |
Nature |
Size |
| +OOh |
Partition State
00h = non active
80h = Boot Partition |
1 byte |
| +01h |
Begin of partition : Head |
1 byte |
| +02h |
Begin of partition : Cylinder - Sector |
1 word |
| +04h |
Type of partition (see list) |
1 byte |
| +05h |
End of partition : Head |
1 byte |
| +06h |
End of partition : Cylinder - Sector |
1 word |
| +08h |
Number of sectors between the MBR
and the 1st sector of the partition |
4 bytes |
| +0Ch |
Number of sectors in the partition |
4 bytes |
The first hurdle
| |
There
is only one tricky part in this data structure : the Cylinder -
Sector encoding : if you look at the word as a series of bits, we
have |
Cylinder - Sector encoding
| 15 |
14 |
13 |
12 |
11 |
10 |
9 |
8 |
7 |
6 |
5 |
4 |
3 |
2 |
1 |
0 |
| Cylinder bits 7 to 0 |
Cyl bits 9 & 8 |
Sector
bit 5 to 0 |
One Example : the value 957Fh represents
| 15 |
14 |
13 |
12 |
11 |
10 |
9 |
8 |
7 |
6 |
5 |
4 |
3 |
2 |
1 |
0 |
| 95h |
7Fh |
| 1 |
0 |
0 |
1 |
0 |
1 |
0 |
1 |
0 |
1 |
1 |
1 |
1 |
1 |
1 |
1 |
| Cylinder - bits 7 to 0 |
9 & 8 |
Sector - bit 5 to 0 |
| 0110010101 = Cylinder 405 |
111111 = Sector 63 |
|
|
How it looks when everything is OK
| |
Now,
let's have a look at a typical working configuration as you'd see
it with a disk editor: |
As seen on the disk
| State |
Begin Head |
Begin Sect and Cyl |
Type |
End Head |
End Sect and Cyl |
Relative Sect |
Number of Sect |
| 80h |
01h |
0001h |
06h |
3Fh |
957Fh |
0000003Fh |
0018FA41h |
| 00h |
00h |
9641h |
05h |
3Fh |
90BFh |
0018FA80h |
000F7140h |
| |
And here is a more meaningful interpretation of the
same data : |
"Translated"
| State |
Begin Head |
Begin Cyl |
Begin Sect |
Type |
End Head |
End Cyl |
End Sect |
Relative Sect |
Number of Sect |
| Bootable |
1 |
0 |
1 |
BigDos |
63 |
405 |
63 |
63 |
1636929 |
| Not Bootable |
0 |
406 |
1 |
Extended |
63 |
656 |
63 |
1636992 |
1012032 |
| |
Note
the types of the partition : the first partition is a "BIGDOS" partition,
the second partition is an "EXTENDED" one. What does that mean ?
Well, a "BIGDOS" partition is simply a partition bigger than 32M
: at one point DOS could not handle partitions bigger than 32M and
when support was introduced, there had to be a way to identify those
"huge" newcomers... In practice, you won't have to worry about the
older types. |
Second Hurdle
| |
The
notion of extended partition is actually the second obstacle on
our path to recovery. You have noticed that the partition table
of the MBR holds at most 4 partitions entries. That is clearly not
enough to handle all possibilities. Just as BIGDOS partitions were
introduced to overcome the 32M barrier, EXTENDED partitions were
introduced to allow more than four partitions. How does that work
? Well, recursively (don't we all like that word ? ;-)). An EXTENDED
partition points to an area of the disk that is actually a virtual
disk by itself. And what do we usually find in the first sector
of a disk ? That's right : a sector containing a partition table
! Have a look at what we find at Cylinder 406, Head 0, Sector 1 |
A partition within a partition
| State |
Begin Head |
Begin Cyl |
Begin Sect |
Type |
End Head |
End Cyl |
End Sect |
Relative Sect |
Number of Sect |
| Not Bootable |
1 |
406 |
1 |
BigDos |
63 |
656 |
63 |
63 |
1011969 |
| |
The
Extended Partition contains a classical BIGDOS partition, beginning
at the next Head on sector 1, offset by 63 sectors from the Extended
partition and using all but 63 sectors of the available space...
Schematically, we have
- Physical
Disk
- BigDos
Partition
- Extended
Partition
Of course, this
Russian Doll structure it can get much worse than this but, it may
also be simpler : when up to four "normal" partitions have been
defined, for example.
Well, ponder this information for a while. We'll soon be back
with the second part of this field
guide. |
|
