Win98SE: analysis of the hard disk master boot record code

Source: Internet
Author: User

The hard disk boot record, the MBR (Master Boot Record), is the content of the sector at head 0, cylinder 0, sector 1 of the hard disk. After power-on and a successful POST, the ROM BIOS of a PC or compatible reads it from the hard disk into memory at 0:7C00 and transfers control there. The code is responsible for finding the bootable item among the 4 partition table entries at the tail of the code and reading that partition's boot record in order to boot from it.

For a long time the MBR kept the original code of IBM's 1982 PC design, until hard disk capacity exceeded the 8.4 GB maximum that the traditional BIOS could support; new INT 13h extension code then had to be added, but the main functionality remained unchanged.

; HDD Master Boot Record code analysis
; This code is taken from a hard disk that was processed by Win98SE's "fdisk /mbr" command.
;
; After power-on and a successful POST, the PC ROM BIOS reads this code from head 0, cylinder 0, sector 1
; of the hard disk, places it at 0:7C00, and sets the registers as follows:
;   CS=DS=ES=SS=0, IP=7C00h, SP=0400h
;
; This code is responsible for finding the bootable item among the 4 partition table entries at the tail
; of the code, reading that partition's boot record, and jumping to it.
;
; The process is as follows:
;
; 1) Move the code from 0:7C00 to 0:0600.
; 2) Check the validity of the 4 partition table entries:
;    a) Is there a bootable partition?
;       No: go to ROM BASIC (INT 18h).
;    b) More than one bootable partition?
;       Yes: show 'Invalid partition table', then hang.
;    c) Is a boot indicator an invalid value other than 0 and 80h?
;       Yes: show 'Invalid partition table', then hang.
; 3) Find the single valid bootable partition entry and read its boot record into 0:7C00:
;    a) There are two ways of reading it:
;       normally the classic INT 13h AH=2 call is used;
;       if the system ID is 0Eh, the newer BIOS INT 13h AH=42h extension is used instead.
;    b) Retry the read up to 10 times if it fails (including when the content read is invalid). If the
;       system ID is 0Bh or 0Ch, a backup of the boot record exists 6 sectors after the original boot
;       record, so the backup is read from the 6th attempt on.
;    c) If it still fails, show 'Missing operating system' or 'Error loading operating system', then hang.
; 4) Jump to the valid boot record at 0:7C00.
;
; When it jumps to the loaded boot record at 0:7C00, the registers are set as follows:
;   CS=DS=ES=SS=0, IP=7C00h, DI=SP=7C00h, SI=BP -> the partition table entry of the boot partition
        .386p
_data   segment public
        assume cs:_data, ds:_data
        org 600h
mbr     proc far
; The ROM in the IBM PC starts the boot process by performing a hardware initialization and a
; verification of all external devices. If all goes well, it then loads from the boot drive the
; sector at track 0, head 0, sector 1. This sector is placed at physical address 07C00h. The
; initial registers are set up as follows: CS=DS=ES=SS=0, IP=7C00h, SP=0400h, interrupts disabled (CLI).
Assembly code:
0000:0600 start:                                ; Relocate to 0:0600
0000:0600   xor   ax,ax
0000:0602   mov   ss,ax
0000:0604   mov   sp,7c00h                      ; New stack at 0:7C00
0000:0607   sti                                 ; Interrupts OK now
0000:0608   push  ax
0000:0609   pop   es
0000:060a   push  ax
0000:060b   pop   ds                            ; ES=DS=0
0000:060c   cld                                 ; MOVSB direction: forward
0000:060d   mov   si,offset loc_restart-600h+7c00h
0000:0610   mov   di,offset loc_restart
0000:0613   push  ax
0000:0614   push  di
0000:0615   mov   cx,offset code_end-offset loc_restart
0000:0618   rep movsb                           ; Move CX bytes from DS:SI to ES:DI
0000:061a   retf                                ; Return address = 0:061B = offset loc_restart

; Look through the partition table for a valid, active entry
0000:061b loc_restart:
0000:061b   mov   si,offset partition_tab
0000:061e   mov   cl,4                          ; Number of table entries

0000:0620 loc_nextpe:
0000:0620   cmp   [si],ch                       ; Boot indicator <= 0? (CH = 0)
0000:0622   jl    short loc_boot                ; < 0 (top bit set, i.e. 80h): bootable entry found
0000:0624   jnz   short loc_bad                 ; != 0 and not < 0: invalid (only 0 and 80h are allowed)
0000:0626   add   si,10h                        ; = 0, go to the next partition entry
0000:0629   loop  loc_nextpe
; No more entries to look at
0000:062b   int   18h                           ; No bootable entries: go to ROM BASIC

0000:062d loc_boot:                              ; XRef 0622
0000:062d   mov   dx,[si]                       ; DL = drive (boot indicator), DH = start head
0000:062f   mov   bp,si                         ; Save the pointer to the boot partition's table entry

0000:0631 loc_nextrpe:                           ; All remaining entries must begin with 0
0000:0631   add   si,10h                        ; Next table entry
0000:0634   dec   cx                            ; Entries left
0000:0635   jz    short loc_tabok               ; All entries look OK
0000:0637   cmp   [si],ch                       ; Other entry = 0?
0000:0639   je    loc_nextrpe                   ; Yes, this one is OK

0000:063b loc_bad:                               ; Found an invalid entry:
                                                ; a) from 0624: boot indicator != 0 and != 80h
                                                ; b) from 0639: more than one entry with indicator 80h
0000:063b   mov   si,offset msg1+1              ; 'Invalid partition table'

0000:063e loc_halt:                              ; Show the message, then halt
0000:063e   dec   si
0000:063f loc_msg:                               ; XRef 064B, 06BA
0000:063f   lodsb                               ; Get a message character
0000:0640   cmp   al,0
0000:0642   je    loc_halt                      ; No more characters: halt (loops forever on the 0)
0000:0644   mov   bx,7
0000:0647   mov   ah,0eh
0000:0649   int   10h                           ; Display it: AH = function 0Eh,
                                                ; write char AL, BL = attribute, teletype mode
0000:064b loc_msgh:                              ; XRef 06BF
0000:064b   jmp   short loc_msg                 ; Do the entire message

; Temporary variables kept in the boot partition's table entry (BP-relative):
; [bp+24h] db ?                                 ; Boot record drive
; [bp+25h] dw ?                                 ; Boot record sector (2nd copy of the boot record)
0000:064d loc_tabok:                             ; XRef 0635
0000:064d   mov   [bp+25h],ax                   ; Clear sector/cylinder of the 2nd copy of the boot record (AX = 0)
0000:0650   xchg  si,ax                         ; SI = 0
0000:0651   mov   al,[bp+4]                     ; sys_id
0000:0654   mov   ah,6
0000:0656   cmp   al,0eh                        ; sys_id = 0Eh?
0000:0658   je    short loc_check13ext          ; Yes
0000:065a   mov   ah,0bh
0000:065c   cmp   al,0ch                        ; sys_id = 0Ch?
0000:065e   je    short loc_sysid0b0c           ; Yes
0000:0660   cmp   al,ah                         ; sys_id = 0Bh?
0000:0662   jne   short loc_int13old            ; No

0000:0664   inc   ax                            ; Clear ZF so that the JNZ below skips loc_check13ext
0000:0665 loc_sysid0b0c:                         ; sys_id = 0Bh or 0Ch arrives here
0000:0665   mov   byte ptr [bp+25h],6           ; Set the backup boot record sector = 6
0000:0669   jnz   short loc_int13old

0000:066b loc_check13ext:
; INT 13h function 41h (Check Extensions Present)
;   In:  AH = function number (41h)
;        BX = 55AAh
;        DL = drive
;   Out: AL = internal use, not preserved
;        AH = 21h, major version of these extensions
;        BX = AA55h
;        CX = interface support bitmap:
;             bit 0     extended access functions
;             bit 1     drive locking and ejecting
;             bit 2     EDD support
;             bits 3-15 reserved, must be 0
;        Carry flag clear if INT 13h function 41h is supported, i.e. extended drive support is present
0000:066b   mov   bx,55aah
0000:066e   push  ax
0000:066f   mov   ah,41h
0000:0671   int   13h
0000:0673   pop   ax                            ; INT 13h extensions supported?
0000:0674   jc    short loc_no13ext             ; No
0000:0676   cmp   bx,0aa55h
0000:067a   jne   short loc_no13ext
0000:067c   test  cl,1
0000:067f   jz    short loc_no13ext
; Yes
0000:0681   mov   ah,al                         ; Keep sys_id unchanged
0000:0683   mov   [bp+24h],dl                   ; Drive
0000:0686   mov   word ptr ds:[6a1h],1eebh      ; Patch 06A1 into "jmp short 06C1" to skip the old INT 13h read

0000:068c loc_no13ext:
0000:068c   mov   [bp+4],ah                     ; Store sys_id back (0Eh becomes 06h, 0Ch becomes 0Bh without extensions)

0000:068f loc_int13old:                          ; sys_id 0Bh, 0Ch and 0Eh all arrive here

0000:068f   mov   di,0ah                        ; Retry count
0000:0692 loc_readin:                            ; Read in the boot record, XRef 06B6, 06D8
0000:0692   mov   ax,201h                       ; AH = 2: read, AL = 1: one sector
0000:0695   mov   bx,sp                         ; ES:BX = 0:7C00h = buffer
0000:0697   xor   cx,cx
0000:0699   cmp   di,5                          ; More than 5 retries left?
0000:069c   jg    short loc_readbackup          ; Yes: read the original boot record
; No: read the 2nd copy of the boot record
0000:069e   mov   cx,[bp+25h]                   ; CH = cylinder, CL = sector of the backup (6 for 0Bh/0Ch, else 0)
0000:06a1 loc_readbackup:                        ; XRef 069C; patched at 0686 to "jmp short loc_int13ext"
0000:06a1   add   cx,[bp+2]                     ; + start_sector (bits 0-5) and start_cyl
0000:06a4   int   13h                           ; Disk: DL = drive, AH = function 02h,
                                                ; read sectors into memory ES:BX
                                                ; AL = count, CH = cylinder, CL = sector, DH = head
0000:06a6 loc_int13extback:                      ; Return point from loc_int13ext, XRef 06CF
0000:06a6   jc    short loc_retry
0000:06a8   mov   si,offset msg3                ; 'Missing operating system'
0000:06ab   cmp   word ptr ds:[7dfeh],0aa55h    ; Magic word valid?
0000:06b1   je    short loc_gobootrecok         ; Yes, finished
; No
0000:06b3   sub   di,5                          ; Try the backup boot record if possible
0000:06b6   jg    loc_readin

0000:06b8 loc_endofretry:                        ; End of retries, still an error:
                                                ; show the error message, then halt
0000:06b8   test  si,si                         ; Error message already in SI?
0000:06ba   jnz   loc_msg                       ; Yes, go show it
0000:06bc   mov   si,offset msg2                ; No, show 'Error loading operating system'
0000:06bf   jmp   short loc_msgh

0000:06c1 loc_int13ext:                          ; XRef 0686, 06A1
0000:06c1   cbw                                 ; AL = 01, so AX = 0001
0000:06c2   xchg  cx,ax                         ; CX = 0001 (sectors to read), AX = backup offset (0 or 6)
0000:06c3   push  dx
0000:06c4   cwd                                 ; DX:AX = sector offset within the partition
0000:06c5   add   ax,[bp+8]                     ; + rel_sec (low word)
0000:06c8   adc   dx,[bp+0ah]                   ; + rel_sec (high word)
                                                ; DX:AX = logical sector number, CX = number of sectors to read
0000:06cb   call  int13ext                      ; Read in the boot record through the INT 13h extensions
0000:06ce   pop   dx
0000:06cf   jmp   short loc_int13extback
0000:06d1 loc_retry:                             ; XRef 06A6
0000:06d1   dec   di                            ; Decrement the retry count
0000:06d2   jz    loc_endofretry
0000:06d4   xor   ax,ax
0000:06d6   int   13h                           ; Disk: DL = drive, AH = function 00h,
                                                ; reset disk, AL = return status
0000:06d8   jmp   short loc_readin
0000:06da   db    0,0,0,0,0,0                   ; Reserved

mbr     endp

; INT 13h function 42h, Extended Read -----------------------------------------------------------
; Entry: AH = 42h
;        DL = drive number
;        DS:SI = disk address packet
; Exit:  carry clear, AH = 0
;        carry set, AH = error code
; This function transfers sectors from the device to memory. In the event of an error,
; the block count field of the disk address packet contains the number of good blocks
; read before the error occurred.
;
; DS:SI -> disk address packet
; Offset  Type     Description
;   0     byte     Packet size in bytes; shall be 10h.
;   1     byte     Reserved, must be 0
;   2     byte     Number of blocks to transfer. This field has a maximum value of 127 (7Fh).
;   3     byte     Reserved, must be 0
;   4     2 words  Address of the transfer buffer, the buffer that read/write operations use
;                  to transfer the data. This is a 32-bit address of the form seg:offset.
;   8     4 words  Starting logical block address, on the target device, of the data to be
;                  transferred. This is a 64-bit unsigned linear address. If the device supports LBA
;                  addressing this value should be passed unmodified. If the device does not support
;                  LBA addressing, the following formula holds when the address is converted to CHS:
;                  LBA = (C1 * H0 + H1) * S0 + S1 - 1
;                  where C1 = selected cylinder number
;                        H0 = number of heads (maximum head number + 1)
;                        H1 = selected head number
;                        S0 = maximum sector number
;                        S1 = selected sector number
0000:06e0 int13ext proc near
; Input:  DX:AX = 32-bit logical sector address to read
;         CL    = number of sectors to read
;         ES:BX = buffer to hold the data
; Output: carry clear if successful, ES:BX = end of the read-in data + 1
;         carry set if error
0000:06e0   push  si                            ; Saved SI (just above the packet, offset 10h)
0000:06e1   xor   si,si
0000:06e3   push  si                            ; 0Eh
0000:06e4   push  si                            ; 0Ch  high dword of the LBA = 0
0000:06e5   push  dx                            ; 0Ah
0000:06e6   push  ax                            ; 08h  4 words: starting logical block address (DX:AX)
0000:06e7   push  es                            ; 06h
0000:06e8   push  bx                            ; 04h  2 words: address of the transfer buffer (ES:BX)
0000:06e9   push  cx                            ; 02h  byte: number of blocks to transfer (CH = 0 fills the reserved byte)
0000:06ea   mov   si,10h
0000:06ed   push  si                            ; 00h  byte: packet size = 10h bytes (reserved byte 1 = 0)
0000:06ee   mov   si,sp                         ; DS:SI -> packet
0000:06f0   push  ax
0000:06f1   push  dx
0000:06f2   mov   ax,4200h
0000:06f5   mov   dl,[bp+24h]                   ; Boot record drive
0000:06f8   int   13h
0000:06fa   pop   dx
0000:06fb   pop   ax
0000:06fc   lea   sp,[si+10h]                   ; Discard the packet
0000:06ff   jc    short loc_ret

0000:0701 locloop_0701:                          ; Advance DX:AX and ES:BX to the end of the buffer
0000:0701   inc   ax
0000:0702   jnz   short loc_0705
0000:0704   inc   dx
0000:0705 loc_0705:                              ; XRef 0702
0000:0705   add   bh,2                          ; BX += 512, one sector
0000:0708   loop  locloop_0701

0000:070a   clc
0000:070b loc_ret:                               ; XRef 06FF
0000:070b   pop   si
0000:070c   retn
int13ext endp

0000:070d loc_gobootrecok:                       ; XRef 06B1
0000:070d   jmp   short loc_bootrecok

0000:070f msg1    db 'Invalid partition table',0
0000:0727 msg2    db 'Error loading operating system',0
0000:0746 msg3    db 'Missing operating system'   ; terminated by the first reserved 0 below
0000:075e         db 37 dup (0)                   ; Reserved space for message translation

0000:0783 loc_bootrecok:                         ; Boot record OK, XRef 070D
0000:0783   mov   di,sp                         ; SP = 7C00h
0000:0785   push  ds
0000:0786   push  di
0000:0787   mov   si,bp                         ; DS:SI -> partition table entry of the boot partition
0000:0789   retf                                ; Jump to 0:7C00 (the boot record)

        org 07beh

part_table struc                                ; Offset Size  Description
boot_ind     db ?                               ; 00h   byte  Boot indicator (80h = active partition)
start_head   db ?                               ; 01h   byte  Partition start head
start_sector db ?                               ; 02h   byte  Partition start sector (bits 0-5)
start_cyl    db ?                               ; 03h   byte  Partition start track (bits 8,9 in bits 6,7 of sector)
sys_id       db ?                               ; 04h   byte  Operating system indicator (see below)
end_head     db ?                               ; 05h   byte  Partition end head
end_sector   db ?                               ; 06h   byte  Partition end sector (bits 0-5)
end_cyl      db ?                               ; 07h   byte  Partition end track (bits 8,9 in bits 6,7 of sector)
rel_sec      dd ?                               ; 08h   dword Sectors preceding the partition
num_sec      dd ?                               ; 0Ch   dword Length of the partition in sectors
part_table ends
; Values for the operating system indicator:
;   00h  empty
;   01h  DOS 12-bit FAT
;   04h  DOS 16-bit FAT
;   05h  DOS 3.3+ extended partition
;   06h  DOS large file system
;   0Bh  DOS 32-bit FAT
;   0Ch  DOS 32-bit FAT, LBA (written back as 0Bh when the BIOS has no INT 13h extensions)
;   0Eh  DOS 16-bit FAT, LBA (written back as 06h when the BIOS has no INT 13h extensions)
0000:07be partition_tab label byte               ; XRef 061B
0000:07be   db 80h                              ; 1: boot_ind, bootable
0000:07bf   db 01h                              ; 1: start_head
0000:07c0   db 01h                              ; 1: start_sector
0000:07c1   db 00h                              ; 1: start_cyl
0000:07c2   db 0bh                              ; 1: sys_id, DOS FAT32
0000:07c3   db 7fh                              ; 1: end_head
0000:07c4   db 7fh                              ; 1: end_sector
0000:07c5   db 0c8h                             ; 1: end_cyl
0000:07c6   dd 0000003fh                        ; 1: rel_sec
0000:07ca   dd 00383b41h                        ; 1: num_sec
0000:07ce   db 00h                              ; 2: boot_ind
0000:07cf   db 00h                              ; 2: start_head
0000:07d0   db 41h                              ; 2: start_sector
0000:07d1   db 0c9h                             ; 2: start_cyl
0000:07d2   db 05h                              ; 2: sys_id, DOS extended partition
0000:07d3   db 7fh                              ; 2: end_head
0000:07d4   db 0ffh                             ; 2: end_sector
0000:07d5   db 13h                              ; 2: end_cyl
0000:07d6   dd 00383b80h                        ; 2: rel_sec
0000:07da   dd 0028ba80h                        ; 2: num_sec

...
        org 07feh
0000:07fe magicword dw 0aa55h

code_end label byte                             ; Use this label to get the length of the code

_data   ends                                    ; XRef 0615

        end start
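As an added illustration, not code from the original page, the following Python models the decisions the MBR code above makes: the partition table scan with its three outcomes, the sys_id rewrite when the BIOS lacks INT 13h extensions, the 10-attempt read sequence with the FAT32 backup boot sector, and the disk address packet that int13ext builds. The sample MBR is constructed from the two partition entries listed on this page; the function names are my own.

```python
import struct

BOOT_BUF = 0x7C00   # ES:BX buffer the MBR reads the boot record into (offset 7C00h, segment 0)
MAGIC = b"\x55\xAA"

def scan_partition_table(mbr: bytes):
    # Mirrors loc_nextpe/loc_nextrpe: returns ("boot", index) for the single active entry,
    # ("int18", None) when nothing is bootable, ("invalid", reason) where the code shows
    # 'Invalid partition table' and hangs.
    if len(mbr) != 512 or mbr[0x1FE:] != MAGIC:
        return ("invalid", "missing AA55h magic word")
    active = None
    for i in range(4):
        ind = mbr[0x1BE + 16 * i]
        if ind & 0x80:                      # cmp [si],ch / jl: any top-bit-set value is "bootable"
            if active is not None:
                return ("invalid", "more than one bootable entry")
            active = i
        elif ind != 0:                      # neither 0 nor 80h
            return ("invalid", "boot indicator %02Xh is invalid" % ind)
    return ("boot", active) if active is not None else ("int18", None)

def effective_sys_id(sys_id: int, bios_has_ext: bool) -> int:
    # Without INT 13h extensions the code writes the CHS variant of the ID back into the entry.
    return sys_id if bios_has_ext else {0x0E: 0x06, 0x0C: 0x0B}.get(sys_id, sys_id)

def boot_record_reads(mbr: bytes, entry: int, bios_has_ext: bool):
    # The up-to-10 read attempts (retry count DI): the first 5 target the partition's first
    # sector, the last 5 the backup 6 sectors later for FAT32 IDs 0Bh/0Ch (offset 0 otherwise).
    # IDs 0Ch/0Eh go through INT 13h AH=42h when the BIOS reports extensions.
    off = 0x1BE + 16 * entry
    sys_id = mbr[off + 4]
    rel_sec = struct.unpack_from("<I", mbr, off + 8)[0]
    backup = 6 if sys_id in (0x0B, 0x0C) else 0
    method = "int13h/42h" if bios_has_ext and sys_id in (0x0C, 0x0E) else "int13h/02h"
    return [(method, rel_sec + (backup if left <= 5 else 0)) for left in range(10, 0, -1)]

def disk_address_packet(lba: int, count: int = 1) -> bytes:
    # The 16-byte packet int13ext pushes on the stack: size 10h, reserved, block count,
    # reserved, buffer as offset then segment (BX=7C00h, ES=0), 64-bit LBA with the upper dword 0.
    return struct.pack("<BBBBHHQ", 0x10, 0, count, 0, BOOT_BUF, 0, lba)

def sample_mbr() -> bytes:
    # Constructed sample: the two partition entries listed on this page, entries 3 and 4 empty.
    e1 = bytes([0x80, 0x01, 0x01, 0x00, 0x0B, 0x7F, 0x7F, 0xC8]) + struct.pack("<II", 0x3F, 0x383B41)
    e2 = bytes([0x00, 0x00, 0x41, 0xC9, 0x05, 0x7F, 0xFF, 0x13]) + struct.pack("<II", 0x383B80, 0x28BA80)
    return b"\0" * 0x1BE + e1 + e2 + b"\0" * 32 + MAGIC
```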
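A second added example, also not from the original page: a consistency check of a partition entry's CHS fields against its LBA fields using the formula quoted before int13ext, LBA = (C1 * H0 + H1) * S0 + S1 - 1, with the geometry (128 heads, 63 sectors per track) read off the sample entries' end values. The MBR code itself never cross-checks these, so a mismatch is a useful sign of a damaged or hand-edited table. The function names and sample entries are constructed here.

```python
import struct

HEADS, SECTORS = 128, 63   # Assumed geometry of the sample disk: max head 7Fh + 1, max sector 63

def decode_chs(head: int, sector_byte: int, cyl_byte: int):
    # Unpack the 3-byte CHS field of a partition entry: sector in bits 0-5 of the sector byte,
    # cylinder bits 8-9 in bits 6-7 of the sector byte, cylinder bits 0-7 in the cylinder byte.
    return (((sector_byte & 0xC0) << 2) | cyl_byte, head, sector_byte & 0x3F)

def chs_to_lba(cyl: int, head: int, sector: int, heads: int = HEADS, sectors: int = SECTORS) -> int:
    # LBA = (C1 * H0 + H1) * S0 + S1 - 1, as given above the extended-read routine
    return (cyl * heads + head) * sectors + sector - 1

def lba_to_chs(lba: int, heads: int = HEADS, sectors: int = SECTORS):
    # Inverse: how a BIOS without LBA support would address the same sector
    cyl, rem = divmod(lba, heads * sectors)
    head, sec = divmod(rem, sectors)
    return (cyl, head, sec + 1)

def entry_consistent(entry: bytes, heads: int = HEADS, sectors: int = SECTORS) -> bool:
    # True when the entry's CHS start/end agree with rel_sec and rel_sec + num_sec - 1
    ind, sh, ss, sc, sys_id, eh, es, ec, rel_sec, num_sec = struct.unpack("<8BII", entry)
    if ind == 0 and sys_id == 0:
        return True    # empty entry, nothing to check
    start = chs_to_lba(*decode_chs(sh, ss, sc), heads, sectors)
    end = chs_to_lba(*decode_chs(eh, es, ec), heads, sectors)
    return start == rel_sec and end == rel_sec + num_sec - 1

# Constructed sample: the two entries from the partition table on this page
ENTRY1 = bytes([0x80, 0x01, 0x01, 0x00, 0x0B, 0x7F, 0x7F, 0xC8]) + struct.pack("<II", 0x3F, 0x383B41)
ENTRY2 = bytes([0x00, 0x00, 0x41, 0xC9, 0x05, 0x7F, 0xFF, 0x13]) + struct.pack("<II", 0x383B80, 0x28BA80)
```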
