I. Physical Structure of the hard disk:
Hard Disk Storage Data is implemented based on the principle of electric and magnetic conversion. The hard disk is composed of one or more metal or glass material disks with Magnetic Material plating on the surface and the magnetic head mounted on both sides of the disk and the corresponding control circuit (figure 1 ), the disc and head are sealed in a dust-free metal shell. When a hard disk is working, the disk is rotated at a designed high speed. The head configured on the disk surface is radial under the control of the circuit and then stored or read data. When the system writes data to the hard disk, the "Write Data" current in the head generates a magnetic field, which changes the magnetic material status on the disk surface, and remains unchanged after the write current magnetic field disappears, in this way, the data is stored. When the system reads data from the hard disk, the head passes through the specified area of the disk, and the magnetic field on the disk surface causes the head to generate induced current or coil impedance changes, after being processed by related circuits, the data is restored. Therefore, as long as the disk surface can be processed more smoothly, the head can be designed more precisely, and the disk rotation speed can be improved as much as possible, the disk can be created with a larger capacity and faster Data Reading and Writing speed. This is because the smoother the disc surface processing, the faster the rotation speed, the closer the head is to the disc surface, and the higher the Read and Write sensitivity and speed; the smaller the head design, the more precise it will make the head occupy less space on the disk, so that the head can create more tracks on a disk to store more data. Ii. Logical Structure of the hard disk: A hard disk consists of many disks (platters). Each disk has a read/write head. If n disks exist. There are 2n faces, corresponding to 2N head (heads), starting from 0, 1, 2. Each disc is divided into several concentric magnetic channels (logically invisible .) The partition rules for each disk are usually the same. In this way, the radius of each disc is the concentric circle with a fixed value R and then logically forms a cylinders with the motor Spindle as the axis, numbered 0, 1, 2 ...... Each track on each disk is divided into dozens of sectors (sector). The general capacity is 512 bytes and is numbered 1, 2, 3, etc. according to certain rules ...... Multiple cylinders × heads × sector sectors are formed. These three parameters are the physical parameters of the hard disk. Many of our practices below require a deep understanding of the meaning of these three parameters. Iii. Disk boot principle: 3.1 MBR (Master Boot Record) sectors: After pressing the power key, the computer starts to execute the BIOS program on the motherboard. After a series of detection and configuration. Start to boot the system in the boot sequence set in BIOS. It is assumed that it is a hard disk. After the BIOS executes its own program, how can the execution right be handed over to the hard disk. After being handed over to the hard disk, where is the stored program executed. In fact, a piece of code called MBR plays an important role. MBR (Master Boot Record), which is also known as the Master Boot Sector. Located in the entire hard disk, the 0-cylinder, 0-head, and 1-sector (which can be regarded as the first sector of the hard disk). After the BIOS executes its own program, it will jump to the first instruction in MBR. Control of the system is handed over to MBR for execution. In the master boot records of a total of 446 bytes, the MBR boot program occupies the first bytes (offset 0 h ~ Offset 1bdh), followed by 64 bytes (offset 1beh ~ 1 FDH offset) to DPT (Disk Partitiontable, Hard Disk Partition Table), the last two bytes "55 AA" (offset 1feh ~ Offset 1ffh) indicates the effective end of the partition. MBR does not differ with the operating system, meaning that different operating systems may have the same MBR. Even if they are different, MBR will not attach the nature of the operating system. Has the characteristics of public guidance. Let's analyze an MBR. The following is an MBR of Seagate GB hard disk viewed by winhex. The MBR Boot Code on your hard disk may not be like this. However, different functions are generally the same. For details about disk MBR decompilation, see wowocock. Let's look at the DPT section. To facilitate disk management, the operating system. Added the concept of disk partitioning. The logic of a disk is divided into several parts. The number of disk partitions is limited to C ~ How do I express the attributes of multiple partitions in 64 bytes of DPT? Microsoft solved this problem through the link. In DPT, the attribute of a partition is described in 16 bytes as the Partition Table item unit. That is to say, the first partition table describes the attributes of a partition, which is generally a basic partition. The second partition table describes the remaining space except the basic partition, which is generally called the extended partition. The general description of this part is shown in table 1. Note: The data exceeding 1 byte in the Table above is displayed as the actual data, that is, the data is displayed as high as the position. Storage is stored at low-level to high-level. The two are different. Please take a closer look. The tables that will appear later are all the same. You can also see the meanings of these parameters in winhex: Note: Each partition table occupies 16 bytes. Assume that the offset address starts from 0. Partition Table item 3. Partition Table item 4 is the same as Partition Table item 3. 1. 0 h offset indicates whether the active partition is marked. Only h and 80 h can be selected. 80 h is activity, and H is not activity. Other values are invalid for Microsoft. 2. Explain again (this is very important): the number of bytes greater than 1 is saved in the storage format (little endian format) or back-byte order. The format before the low byte is a method to save the number. In this way, the byte with the lowest byte first appears in the hexadecimal notation. For example, the lower byte of the relative sector numeric segment 0x3 f000000 is expressed as 0x0000003f. The number of low bytes in the front format is 63 in decimal format. 3. When the system is partitioned, each partition is not allowed to span the cylindrical, that is, all are in the cylindrical unit, which is generally referred to as the partition granularity. Sometimes the input partition size is 7000 m, but the split is 6997 M. That's why. In the sector and cylindrical parameters offset by 2 h and 6 h, the slice occupies 6 bits and the cylinder occupies 10 bits. Take the 6 h offset as an example, the lower six bits are used as the binary representation of the number of sectors. The height of the two parts is the height of the two parts of the Number of cylinders, the height of the two parts is the height of the two parts, the offset of 7 h is the 8-bit of the 10-bit number of the cylindrical parts. We can see that the partition capacity in this way is actually limited. The number of the cylinder and the head starts from 0, and the number of the slice starts from 1, therefore, a maximum of 1024 cylinders x 63 sectors x 256 heads x 8455716864 bytes = bytes. That is, the general 8.4 GB (actually around GB) limit. In fact, the number of magnetic heads is usually only 255 (determined by the addressing registers of the assembly language), even if the three bytes are linearly addressable, it is still insufficient. In the later operating system, partitions larger than GB were not addressed in the C/h/S mode. Instead, offset CH ~ The offset FH contains 4 bytes and 32-bit linear sector addresses to indicate the total number of sectors occupied by the partition. 4 bytes can represent 2 ^ 32 sectors, that is, 2 TB = 2048 GB. Currently, this is an astronomical number for most computers. The size of the C/h/s representation is the same as that of the linear sector representation. That is to say, the two representation methods are coordinated. Linear addressing prevails, even if not. (Errors may occur in some systems ). C/h/s is usually filled with Feh FFH. That is, the maximum value that C/h/s can represent. Sometimes it will be filled with a cylindrical model of 1024. However, these bytes are irrelevant. Although the current system uses linear addressing to handle the partition size. However, the principle of not cross-cylinder remains unchanged. The total number of sectors in this partition plus the number of reserved sectors between the original partition and the original partition must be an integer multiple of the cylindrical capacity. (The first sector in the reserved sector is the MBR or virtual MBR that stores the partition table. The total number of partition sectors is not counted in the linear representation. If it is the first partition, the reserved sector is all the sectors before the current partition. Appendix: Partition Table type mark 4 A partitioned table consists of 64 bytes and can describe a total of 4 Partition Table items. Each partition table item can describe a primary partition or an extended partition (for example, the preceding partition table, the first Partition Table item describes the primary partition drive C, the second partition table item describes the extended partitions, and the third and fourth Partition Table items are left blank) 3.2 extended partitions Each logical drive in an extended partition has an extended Boot Record (EBR) similar to an MBR, which is also called a virtual MBR or an extended MBR. The extended boot record includes an extended partition table and the tags of this sector. The extended Boot Record will only contain the first information of the first cylinder of each logical drive in the extended partition. The Boot Sector in a logical drive is generally located in the relative Sector 32 or 63. However, if there are no extended partitions on the disk, there will be no extended boot records and logical drives. The first entry in the extended partition table of the first logical drive points to its own Boot Sector. The second option points to the EBR of the next logical drive. If no further logical drive exists, the second option is not used and is recorded as a series of zeros. If an attached logical drive exists, the first entry of the extended partition table of the second logical drive points to its own Boot Sector. The second entry of the extended partition table of the second logical drive points to the EBR of the next logical drive. The third and fourth items of the extended partition table will never be used. A four-partition disk structure shows the general structure of the disk. 5: For extended partitions, 6 shows that the extended Boot Record of the logical drive in the extended partition is a connection table. The figure shows the three logical drives on an extended partition, indicating the differences between the previous logical drive and the last logical drive in the extended partition table. Except for the last logical drive on the extended partition, the format of the extended partition table described in table 2 is repeated in each logical drive: the first entry identifies the Boot Sector of the logical drive, the second item identifies the EBR of the next logical drive. The extended partition table of the last logical drive only lists its partition items. The second to fourth items of the last extended partition table are used. The numeric segment of the relative sector in the extended partition table shows the number of bytes that are displaced from the extended partition to the first sector in the logical drive. The number in the total sector number segment refers to the number of sectors that constitute the logical drive. The value of the number segment of the total sector is equal to the number of sectors from the boot sector defined by the extended partition table entry to the end of the logical drive. Sometimes there is surplus space at the end of the disk. What is the surplus space? As we have mentioned above, the partition is based on the size of the 1-cylinder as the partition granularity. If the total disk space is not an integer number of cylinders, the remaining space of one cylinder is the remaining space, this part of space is not used in partitions, so it is generally unavailable. In principle, the physical mode of a disk determines that the total disk capacity should be the capacity of an integer cylindrical disk. Why is there insufficient space for a cylindrical disk. In my understanding, for the purpose of making greater use of space, disks are generally not managed physically based on the external sector that is larger than the internal sector, CHS are abstracted for compatibility with the operating system. 1. Read MBR The hard disk Boot Record (MBR) does not belong to any operating system, nor can it be read using the disk operation commands provided by the operating system. But we can use the int13h 2 function provided in the ROM-BIOS to read the content of this sector, it can also be read by the software tool norton8.0 diskedit. EXE. The call parameters for the int13h read disk sector function are as follows: Entry parameter: Ah = 2 (function number specified) Al = number of sectors to read DL = disk number (0, 1-floppy disk; 80, 81-hard disk) DH = head number CL height 2-bit + CH = cylindrical number CL 6-bit lower = fan ID CS: BX = memory buffer address for storing read data Export parameter: CS: BX = read data storage address Error message: cf = 1 Ah = Error Code You can use DEBUG to read data from the zero-cylinder, zero-head, and one-sector disks on the hard disk as follows: A> debug -A 100 XXXX: XXXX mov ax, 0201 (read 1 sector with function number 2) XXXX: XXXX mov BX, 1000 (put read data into the buffer address Cs: 1000) XXXX: XXXX mov CX, 0001 (read 0 cylindrical, 1 sector) XXXX: XXXX mov dx, 0080 (specify the 0 head of the first physical disk) XXXX: xxxx int 13 XXXX: xxxx int 3 XXXX: xxxx (Press ENTER) -G = 100 (execute the above program segment) -D 1000 11ff (display 512 bytes of MBR content) 2. MBR Composition The primary Boot Record MBR for one sector of a hard disk is composed of four parts, as shown in Table 1-1-1. · The primary Bootstrap program (offset h--0088h), which is responsible for loading from the active partition and running the System Bootstrap program. · Error information data area. The offset address 0089h--00e1h indicates an error message, and 00e2h--01bdh indicates 0 bytes. · The Partition Table (DPT, disk partition table) contains four partition items, with an offset of 01beh--01fdh. Each partition table item is 16 bytes long, A total of 64 bytes are partition item 1, partition item 2, partition item 3, and partition item 4. · The end flag. The two byte values of the Offset 01fe--01ff are the end flag 55aa. If this flag is incorrect, it cannot be started.
0000-0088 |
Master Boot Record Main Bootstrap program |
Master Guide Program |
0089-01bd |
Error information data Zone |
Data Zone |
01be-01cd |
Partition item 1 (16 bytes) |
Partition Table |
01ce-01dd |
Partition Item 2 (16 bytes) |
01de-01ed |
Partition Item 3 (16 bytes) |
01ee-01fd |
Partition Item 4 (16 bytes) |
01fe |
55 |
End mark |
01ff |
AA |
Table 1-1 Structure of MBR 3. Partition Information Structure in MBR In an MBR that occupies 512 bytes, the 64-byte offset of 01beh--01fdh is the content of 4 partition items (partition info table ). It is determined by the disk media type and the user's definition of partitions using fdisk. In practice, fdisk can divide a disk into less than four primary partitions, but not more than four. The project of each partition table is 16 bytes, and its content is described in Table 6-19. Table 1-2 partition item table (16 bytes) content and meaning
Storage byte |
Content and meaning |
1st bytes |
Guide flag. If the value is 80 h, it indicates the active partition. If the value is H, it indicates the non-active partition. |
2nd, 3, 4 bytes |
The START head, Fan area, and Cylinder Number of the current partition. Where: Head number-2nd bytes; Fan area number-6-bit lower than 3rd bytes; The cylinder number, which is 3rd bytes in height, 2 bits, and 8 bits in 4th bytes. |
5th bytes |
Partition type. 00 h -- indicates that the partition is not used (that is, it is not specified ); 06h--fat16 basic partition; 0bh--fat32 basic partition; 05 h -- extended partition; 07h--ntfs partition; 0fh -- (LBA mode) extended partition (83h is LINUX partition, etc ). |
6th, 7, 8 bytes |
End head, Fan area, and Cylinder Number of the current partition. Where: Head number-6th bytes; Fan area number-6-bit lower than 7th bytes; Cylinder Number-2-plus 7th bytes in height. |
9th, 10, 11, 12 bytes |
Number of slice used before this partition. |
13th, 14, 15, 16 bytes |
The total number of sectors in the current partition. |
4. Main Features and workflow of MBR When the PC is started, the system first tests the hardware device. After the test is successful, the UDF int 19 h is started, then read the content of the system disk's 0-cylinder, 0-head, and 1-Sector Master Boot Record (MBR) to the area where the memory specified unit 0: 7c00 address starts, and execute the MBR program segment. The Master Boot Record (MBR) of the hard disk does not belong to any operating system. It is transferred to the memory before all operating systems and plays a role, then, the control is handed over to the operating system in the primary partition (active partition), and the hard disk is managed using the primary partition information table. The main functions of the MBR segment are as follows: · Check whether the hard disk partition table is in good condition. · Search for bootable "active" partitions in the partition table. · Load the content of the first logical sector of the active partition into the memory. In the DOS partition, the content of this sector is called the DOS Boot Record (DBR ). The execution process of the MBR boot segment is 1-3.
Figure 1-3 MBR boot section Execution Process Partition Table chain structure of the hard disk logical drive A hard disk consists of multiple 512-byte sectors, which are organized into "partitions ". The partitioning rule for a hard disk is that all the sectors in a partition must be continuous, and the hard disk can have up to four physical partitions, the four physical partitions can be one primary partition or three primary partitions plus an extended partition. In extended partitions under DOS/Windows Management, logical partitions (logical disks) can and must be further divided ). Since the advent of the MS-DOS3.2, users can divide a primary partition and an extended partition on a physical hard drive, and create multiple logical drives on the extended partition, that is to say, multiple logical disks are attached to a physical disk. For example, if a 10 Gb hard disk is installed on Windows and has three logical disks: C:, D:, and E:, the partition is as follows: Partition 1: The primary partition is 2 GB and formatted as a C: disk. Partition 2: extended partition 8 GB. It is further divided into two 4 GB logical disks, formatted as D: And E: disks. You can install multiple operating systems on a hard disk with multiple primary partitions. Such as Windows, Linux, and Solaris. Each operating system manages its own partitions. However, each operating system operates on partitions differently. For DoS/Windows, it can format a primary partition and an extended partition under its jurisdiction and manage them in the form of C:, D:, and E: Logical disks. Linux, however, is different. It regards "partition" as a device, neither "extended partition" nor "Logical Disk. 1. Logical Disk Link In the FAT file system, the Logical Disk characters are represented by characters C:, D:, E:,..., Z. The primary partition is usually formatted as a C: disk, and the Logical Disk starting from D: disk is built on the extended partition. When the system performs read/write operations, DOS first checks the partition information table in the Master Boot Record (MBR). The partition item points to the DOS Boot Record (DBR) of the active primary partition ). The partition table in MBR is located in the 0-cylinder, 0-head, and 1-sector. The first partition table starting with 1 beh is used as the chain head, the chain table entry in the table indicates the physical location of the next Partition Table (XX cylinder, 0 head, 1 Sector). The 2nd partition tables are saved at the same displacement of 1 beh in the sector, and so on until it points to the physical location of the last partition table (yy cylindrical, 0 head, 1 sector ). Because the partition table does not have a chain table entry, it serves as the chain end of the Partition Table chain. See table 1-4. The first virtual disk, the second virtual disk, and the third virtual disk. MBR Partition Table
Definition C: Disk |
------------> |
Define D: Disk |
-----------> |
Definition E: Disk |
------------> |
Definition F: Disk |
Description of remaining space |
Description of remaining space |
Description of remaining space |
Description of remaining space |
Unused |
Unused |
Unused |
Unused |
Unused |
Unused |
Unused |
Unused |
55aa |
55aa |
55aa |
55aa |
Figure 1-4 partition linked list with four logical Disks For example, each record in the Partition Table originally located on the cylindrical 0, head 0, and sector 1 corresponds to the DBR of the primary partition. However, if multiple logical disks are created in the extended partition, such as D:, E:, and F:, the partition items in the Partition Table can point to the first Logical Disk :, but for other logical disks, there is no such correspondence. To be able to find multiple logical disks in the extended partition, the DOS system can do the following: · If the hard disk has only one primary partition, that is, the entire hard disk is used as a logical disk C:, the partitioning command fdisk creates an MBR only on the disk's cylindrical 0, head 0, and sector 1. · If a hard disk is divided into 2-4 partitions, fdisk creates an MBR on the disk except for the cylindrical 0, head 0, and sector 1, A virtual MBR is also created on the starting sector of each Logical Disk in the extended partition. Each virtual MBR is used to expand a logical disk on the partition. · The first sector of the extended partition is not used for dbr of a Logical Disk, but is directed to an "extended" partition table, that is, the first virtual MBR. The start point of the DBR sector of the Logical Disk should be the next track 1 Sector of the virtual MBR. The partition tables in these MBR are linked to a partition table Chain 6-17. This is the content described by a hard disk with four table items. DOS uses this method to make an extended partition seem to have multiple hard disks. From Figure 1-5, we can see that the MBR Partition Table on disk cylindrical 0, head 0, and sector 1 points to the first logical disk in the basic partition and extended partition. Introduction to hard disk structures-MBR, partition tables, CHS, and other concepts1. Introduction to the system guidance process The system boot process consists of the following steps) 1. Start the instance; 2. BIOS power-on self-test (post -- power on self test). The memory address is 0fff: 0000; 3. Read the first sector of the hard disk (0-headed, 0-way, 1-sector, that is, Boot Sector) into the memory address 0000: 7c00; 4. Check (Word) 0000: 7dfe whether it is equal to 0xaa55. If it is not equal to, it resends to try other media. If there is no other starting media, it displays "no rom basic" and then crashes; 5. Jump to 0000: Execute the MBR program at 7c00; 6. Copy the MBR to 0000: 0600 and continue the execution; 7. Search for active partitions in the primary partition table. If no active partition is found or more than one active partition is found, stop; 8. Read the first sector of the active partition into the memory address 0000: 7c00; 9. Check (Word) 0000: 7dfe whether it is equal to 0xaa55. If it is not equal, "missing Operating System" is displayed, and then stop, or try to start a floppy disk; 10. Jump to 0000: 7c00 and continue executing the Startup Program of the specific system; 11. Start the system. Steps (2), (3), (4), (5) are completed by the BIOS boot program; (6), (7), (8 ), (9), step (10) is completed by the MBR boot program. Generally, multi-system boot programs (such as smart Boot manager, bootstar, and pqboot) replace standard Master Boot records with their own boot programs, select the partition to be started before running the system startup program. Some system-provided multi-system boot programs (such as Lilo and NT loader) can place their own boot programs in the first sector of the system partition, in Linux, It is a superblock of two sectors. Note: The above steps use a standard MBR, And the boot process of the multi-system boot program is different from this. Ii. Hard Disk structure and parameters 3D parameters (Disk geometry): CHS (cylinder/head/sector) C-Cylinder Number of cylinder cylinders indicates the number of tracks on each disk of the hard disk, the maximum size is 1024 (with 10 binary bit storage). H-head indicates that the hard disk has several heads, that is, several disks, the maximum value is 256 (which is stored in 8 binary bits). The S-sector number table shows several sectors on each track, and the maximum value is 63 (which is stored in 6 binary bits ). 1. Boot Sector Boot Sector Boot Sector is the first sector of the hard disk. It consists of MBR (Master Boot Record), DPT (Disk Partition Table), and Boot Record ID. MBR, also known as the Master Boot Record, occupies the first 446 bytes of the Boot Sector (0 ~ 0x1bd), which stores the System Main Boot Program (which is responsible for loading and running the system boot program from the active partition ). DPT indicates that the primary Partition Table occupies 64 bytes (0x1be ~ 0x1fd), which records the basic partition information of the disk. The primary Partition Table is divided into four partition items, each of which has 16 bytes and records the information of each primary partition respectively (therefore, there can be up to four primary partitions ). The Boot Record ID indicates that the boot zone mark occupies two bytes (0x1fe ~ 0x1ff). For a valid boot area, it is equal to 0xaa55, which indicates whether the boot area is valid ). 2. Partition Table Structure A partition table consists of four partition items. The structure of each item is as follows: Byte state: partition status, 0 = inactive, 0x80 = activated (note this option ); Byte starthead: the start head number of the partition; Word startsc: Start sector and Cylinder Number of the partition. The bottom 6 bits of the base byte are the fan area number, and the height 2 bits are the 9th and 10th bits of the cylinder number, the high byte is the low 8-bit of the cylindrical number; Byte type: partition type, such as 0x0b = FAT32, 0x83 = Linux. 00 indicates that this item is not used; Byte endhead: The ending head number of the partition; Word endsc: End slice and Cylinder Number of the partition, which are defined in the same way as before; DWORD relative: Address of the relative sector of the partition in linear addressing mode (absolute address for the basic partition ); DWORD sectors: partition size (total number of sectors ). In DoS or Windows systems, basic partitions must be divided by cylindrical units (sectors * Heads sectors), for example, for hard disks with CHS of 764/256/63, the minimum partition size is 256*63*512/1048576 = 7.875 MB. Because the first sector of the hard disk has been occupied by the Boot Sector, generally, the remaining 62 sectors of the first hard disk track (0 first 0) will not be occupied by the partition. Some partition software may even leave all the first cylinder empty. Iii. Introduction to the System Startup Process The system startup process consists of the following steps (taking the hard disk as an example ): 1. boot 2. the BIOS power on self test -- Post memory address is 0 FFFF: 0000 3. Read the first sector of the hard disk (0 first, 0 first, and 1 sector, that is, Boot Sector) into the memory address 0000: 7c00. 4. Check (Word) 0000: 7dfe whether it is equal to 0xaa55. If it is not equal to, switch to another startup media. If there is no other startup media, the system displays "no rom basic" and then crashes. 5. Jump to 0000: 7c00 and execute the program in MBR. 6. MBR first copies itself to 0000: 0600, and then continues to execute. 7. Search for active partitions in the primary partition table. If no active partition is found or more than one active partition exists, stop again. 8. Read the first sector of the active partition into the memory address 0000: 7c00. 9. Check (Word) 0000: 7dfe whether it is equal to 0xaa55. If it is not equal, "missing Operating System" is displayed and then stop, or try to start a floppy disk. 10. Jump to 0000: 7c00 and continue executing the Startup Program for the specific system. 11. Start the system... In the above steps, steps 2, 3, and 4 are completed by the BIOS boot program. 6, 7, 8, 9, and 10 are completed by the MBR boot program. Generally, a multi-system boot program (such as smartfdisk, bootstar, and pqboot) replaces the standard Master Boot Record with your own boot program. Before running the system boot program, you can select the partition to be started. Some system-provided multi-system boot programs (such as Lilo and NT loader) can place their own boot programs in the first sector of the system partition, in Linux, It is superblock (in fact, superblock is two sectors ). Note: Standard MBR is used in the above steps. The guiding process of other multi-system boot programs is different from this. |