FAT32 structure information

Master Boot Record

The Master Boot Record is the same for pretty much all operating systems. it is located on the first sector of the hard drive, at cylinder 0, head 0, Sector 1. it is the first piece of code that your computer runs after it has checked all of your hardware (post) and turned control of loading software over the hard drive. it also contains the Partition Table, which defines the different sections Your hard drive. Basically if anything happens to this little 512 byte section, your hard drive is brain dead. Kinda scary, eh?

Offset	Description	Size
000 h	Executable code (boots computer)	446 bytes
1beh	1st Partition Entry (See Next Table)	16 Bytes
1CEh	2nd Partition Entry	16 Bytes
1DEh	3rd Partition Entry	16 Bytes
1EEh	4th Partition Entry	16 Bytes
1FEh	Boot Record Signature (55 h AAh)	2 Bytes

Partition entry (part of MBR)

Offset	Description	Size
00 h	Current State of Partition (00 h = Inactive, 80 h = Active)	1 Byte
01 h	Beginning of Partition-Head	1 Byte
02 h	Beginning of Partition-Cylinder/Sector (See Below)	1 Word
04 h	Type of Partition (See List Below)	1 Byte
05 h	End of Partition-Head	1 Byte
06 h	End of Partition-Cylinder/Sector	1 Word
08 h	Number of Sectors Between the MBR and the First Sector in the Partition	1 Double Word
0Ch	Number of Sectors in the Partition	1 Double Word

Cylinder/sector Encoding

I guess back in the days of 10 MB hard drives and 8086's, code was at a premium. so they did everything they cocould to preserve space. unfortunately now we have to live with it, but luckily they created new ways of translating the system so the 1024 Cylinder Limit (2 ^ 10) isn' t too big of a problem, for newer computers, at least. older ones usually need some sort of Disk Overlay program to make them see the whole hard drive.

Anyway, to get the Sector out of this, you need to apply an AND mask ($ 3F) to it. to get the Cylinder, you take the high byte and OR it with the low byte that has been AND masked with ($ C0) and then Shifted Left Two. it's not very easy to explain, so I'll just show you how I did it with two routines I made (In Pascal) for Encoding and Decoding the Cylinder/Sector. hopefully even if you don't know Pascal you'll be able to read it.

Function CylSecEncode (Cylinder, Sector: Word): Word;
Begin
CylSecEncode: = (Lo (Cylinder) shl 8) or (Hi (Cylinder) shl 6) or Sector;
End;

Procedure CylSecDecode (Var Cylinder, Sector: Word; CylSec: Word );
Begin
Cylinder: = Hi (CylSec) or (Lo (CylSec) and $ C0) shl 2 );
Sector: = (CylSec and $ 3F );
End;

15	14	13	12	11	10	9	8	7	6	5	4	3	2	1	0
Cylinder Bits 7 to 0								Cylinder Bits 9 + 8		Sector Bits 5 to 0

Partition Type Listing

There are more than just these shown, but I 've only supported ded that ones relevant to MS Operating Systems.

Value	Description
00 h	Unknown or Nothing
01 h	12-bit FAT
04 h	16-bit FAT (Partition Smaller than 32 MB)
05 h	Extended MS-DOS (Partition)
06 h	16-bit FAT (Partition Larger than 32 MB)
0Bh	32-bit FAT (Partition Up to 2048 GB)
0Ch	Same as 0BH, but uses LBA1 13 h Extensions
0Eh	Same as 06 H, but uses LBA1 13 h Extensions
0Fh	Same as 05 H, but uses LBA1 13 h Extensions

Reading multiple partitions

Although having multiple partitions in FAT32 isn't as likely as in fat16, it still works the same way. the first partition is the primary partition, and everything else is stored in the extended partition. it's a little tricky when it comes to reading those extra partitions though (not a lot, just a little ). the first record in the Partition Table shows where the primary partition is (how big it is, where it starts, and where it ends ). the second entry in the Partition Table shows where the entire extended partition is (which may include more than just one partition ). to read any more partitions, you go to the where it says the extended partition starts, and read the first sector. it acts just like the MBR. it'll have blank where the code is supposed to be, and in the partition table it will have for it's first entry the next partition in the drive, and if there are anymore, there will be another extended partition, just like before. however, all references to sector numbers are made using the that new MBR point as the reference, making it a Virtual Drive. just incase this doesn't make much sense (and by the way I explain things I can understand if it doesn 't), let me show you how a drive with three partitions is setup.

MBR of Whole Drive

Entry #1-Points to Partition #1
Entry #2-Points to the Entire Extended Partition

You wocould read the first sector of that Extended Partition, and see another MBR Structure.

MBR of Extended Partition

Entry #1-Points to Partition #2
Entry #2-Points to Rest of Extended Partition after Partition #2

Now, all references to Sector Numbers (most specifically the entry at Offset 08 h) in those Entries wouldn't be referenced from the start of the drive, but from the start of the Extended Partition. however, the CHS (Cylinder, Head, Sector) numbers wowould still be right.

Once again, you wocould read the first sector of that Extended Partition, and see the next MBR.

MBR of Rest of Extended Partition

Entry #1-Points to Partition #3
No Entry #2, since this was the Last Partition

If there were another partition, the pattern wocould continue just like before, until the last one was reached.

 

FAT32 Boot Record

This information is located in the first sector of every partition.

Offset	Description	Size
00 h	Jump Code + NOP	3 Bytes
03 h	OEM Name (Probably MSWIN4.1)	8 Bytes
0Bh	Bytes Per Sector	1 Word
0Dh	Sectors Per Cluster	1 Byte
0Eh	Reserved Sectors	1 Word
10 h	Number of Copies of FAT	1 Byte
11 h	Maximum Root Directory Entries (N/A for FAT32)	1 Word
13 h	Number of Sectors in Partition Smaller than 32 MB (N/A for FAT32)	1 Word
15 h	Media Descriptor (F8h for Hard Disks)	1 Byte
16 h	Sectors Per FAT in Older FAT Systems (N/A for FAT32)	1 Word
18 h	Sectors Per Track	1 Word
1Ah	Number of Heads	1 Word
1Ch	Number of Hidden Sectors in Partition	1 Double Word
20 h	Number of Sectors in Partition	1 Double Word
24 h	Number of Sectors Per FAT	1 Double Word
28 h	Flags (Bits 0-4 Indicate Active FAT Copy) (Bit 7 Indicates whether FAT processing ing is Enabled or Disabled <Clear is Enabled>) (If FAT processing ing is Disabled, the FAT Information is only written to the copy indicated by bits 0-4)	1 Word
2Ah	Version of FAT32 Drive (High Byte = Major Version, Low Byte = Minor Version)	1 Word
2Ch	Cluster Number of the Start of the Root Directory	1 Double Word
30 h	Sector Number of the File System Information Sector (See Structure Below) (Referenced from the Start of the Partition)	1 Word
32 h	Sector Number of the Backup Boot Sector (Referenced from the Start of the Partition)	1 Word
34 h	Reserved	12 Bytes
40 h	Logical Drive Number of Partition	1 Byte
41 h	Unused (cocould be High Byte of Previous Entry)	1 Byte
42 h	Extended Signature (29 h)	1 Byte
43 h	Serial Number of Partition	1 Double Word
47 h	Volume Name of Partition	11 Bytes
52 h	FAT Name (FAT32)	8 Bytes
5Ah	Executable Code	420 Bytes
1FEh	Boot Record Signature (55 h AAh)	2 Bytes

File System Information Sector

Usually this is the Second Sector of the partition, although since there is a reference in the Boot Sector to it, I'm assuming it can be moved around. I never got a complete picture of this one. although I do know where the important fields are.

Offset	Description	Size
00 h	First Signature (52 h 52 h 61 h 41 h)	1 Double Word
04 h	Unknown, Currently (Might just be Null)	480 Bytes
1E4h	Signature of FSInfo Sector (72 h 72 h 41 h 61 h)	1 Double Word
1E8h	Number of Free Clusters (Set to-1 if Unknown)	1 Double Word
1ECh	Cluster Number of Cluster that was Most Recently Allocated.	1 Double Word
1F0h	Reserved	12 Bytes
1FCh	Unknown or Null	2 Bytes
1FEh	Boot Record Signature (55 h AAh)	2 Bytes

FAT32 drive Layout

Offset	Description
Start of Partition	Boot Sector
Start + # of Reserved Sectors	Fat Tables
Start + # of reserved + (# of sectors per fat * 2) <assuming that fat indexing is enabled, I personally haven'tseen a case where it wasn' t, but I guess there is always the possibility>	Data Area (starts with cluster #2)

 

Cluster meaning

A Cluster is a Group of Sectors on the Hard Drive that have information in them. A 4 K Cluster has 8 Sectors in it (512*8 = 4096 ). each Cluster is given a spot in the FAT Table. when you look at an Entry in the FAT, the number there tells you whether or not that cluster has data in it, and if so, if it is the end of the data or there is another cluster after it. all Data on a Partition starts with Cluster #2. if the FAT Entry is 0, then there is no data in that cluster. if the FAT Entry is 0 FFFFFFFh, then it is the last entry in the chain.

This is one of my biggest holes in my information. I am unable to find anyplace that shows what numbers mean what when it comes to the FAT table. I was able to tell the end of the chain just by looking at a FAT32 Drive, but I don't know what stands for a BAD Cluster or what the maximum valid number for showing data is.

For now, you can calculate the maximum valid cluster in a partition with this formula:

(# Of Sectors in Partition)-(# of Sectors per Fat * 2)-(# of Reserved Sectors)/(# of Sectors per Cluster)

If there is any remainder in the answer to that formula, it just means that there were a few extra clusters at the end of the partition (probably not enough to make another cluster ), so you can just get rid of anything after the decimal point.

Thanks to Andrew Classen for pointing this formula out to me.

 

Directory table

Another aspect when looking at a file system at low level is the directory table. the directory table is what stores all of the file and directory entries. basically there is only one difference between the directory table of fat16 and FAT32, so go here to look at fat16's structure. the difference is: the reserved OS/2 byte (offset 20 [14 h]) in the short filename structure is replaced with the high word of the cluster number (since it's now 4 bytes instead of 2 ).

Footnotes

1-LBA = Logical Block Addressing-uses the INT 13 H extensions built into newer BIOS's to access data abve the 8 GB barrier, or to access strickly in LBA mode, instead of CHS (cylinder, Head, sector ).