Implement basic FAT32 driver
First of all, this Blogger app from Google sucks. I have tried to un-highlight and set a different color for various sections, however each time the changes were lost after saving. After wasting much time, I am contemplating using something not from Google. What I have ended up with is a section of this blog highlighted in an incomprehensible array of text colors which cannot be changed to any color. Well, this is not my fault, and this is my disclaimer.
Since I have my bootloader working, the next thing is the ability to load a file from the HDD from a regular FAT32 partition, considering that currently everything is copied to the hard drive using raw sector copy.
It seems I need to implement a small FAT32 driver that knows how to traverse the partition, locate a file in the root directory and load it. I had Linux ext2 experience in the past and contemplated using ext2, but decided to go for FAT32 since my dev environment is Windows.
Once I get over this and the bootloader is working, there will be no need to copy the built binaries with raw copy, and the bootloader will have been updated to not trash the partition table. With that, further compiled files will just need to be copied to the target disk and tested.
At least initially, I am just going to do very basic support for FAT32:
- Ability to load any file from the root directory, on FAT32 only.
- Only FAT32 support: no FAT16/12, extFS etc., and no support for other file systems.
My first attempt was to work out how to locate a certain file's content by scanning the disk blocks starting from the MBR, since that is what the MBR code is going to do. Another big effort will be understanding the FAT32 Long File Name specification, however at this first stage I decided not to worry about it.
I started by analyzing a regular FAT32 partition on disk. The easiest way was to use a VMware ESXi virtual machine with Windows installed on it. Once the installation was complete, I added another HDD (#2) and formatted it as FAT32 with legacy MBR partitions. To read its sectors I used the RW Everything utility, however what it read did not make any sense. I believe the tool has serious flaws even in the latest version, so I decided to use the EFI shell command dblk instead.
This is done by setting the VMware ESXi VM boot mode to UEFI and booting to the EFI shell. By dumping sector 0 (below) I found that the first FAT32 partition I created under Windows started at sector 800h, so I captured sector 800h in addition to sector 0. This should give a good starting point for developing a simple FAT32 driver.
Here is the setup:
VMware ESXi VM in EFI mode.
Three virtual HDDs for the following purposes:
fs0: is the Windows Server installation in UEFI mode, used to move files around and communicate with the outside world.
fs1: is the 5GB volume under analysis and has the following files; I concentrated on the two highlighted files: dblk6800.log, file1.txt and boot.bin:
Directory of: fs1:\
05/12/16 06:20p 5,310 dblk6800.log
05/12/16 06:20p 5,762 dblk6000.log
10/29/13 01:41p 20,774,912 python-3.3.2.amd64.msi
02/09/15 07:47p 18,833,408 python-2.7.9.amd64.msi
05/12/16 07:10p 8 file1.txt
05/11/16 12:18a 1,572 boot.bin
6 File(s) 39,620,972 bytes
0 Dir(s)
fs2: is another 1GB FAT32 volume used to store the output of any analysis, mostly the output of dblk in text log files. Note that both fs1 and fs2 are accessible from Windows since they are both FAT32.
When using dblk, there are certain tricks to identifying the actual disk you want to analyze from the EFI shell. The map command appears to display all aliases associated with any disk, volume and partition. Therefore, once you create a partition with a FAT32 volume in it, there are going to be several different references. First of all, there will be an alias, e.g. fs0, that refers to the specific volume and is usually labelled as:
fs0: Removable HardDisk - Alias hd18ac blk0 PciRoot(0x0)/Pci(0x15, 0x0)/Pci(0x0,0x0)/Scsi(0x0, 0x0)/HD(1, MBR,0xab184e1b, 0x800, 0x9fe800)
This string contains the PCI address and SCSI controller address, as well as the type of partition (MBR, EFI) and some other information. The key point is that you don't want to analyze this one, since it is an alias to a volume, not the actual raw disk: the last two numbers identify the starting sector and size of this volume within a particular disk. This is still the volume whose content you will analyze, it is just not the entire disk. So if you dump the first sector of this alias, it will give you the content of the first sector of this volume, not the MBR. To truly analyze the MBR together with the volume as a whole unit, you need to identify the alias that references the actual raw disk. It usually has a similar alias, labelled not as fsX but as blkX. Also, the string that represents the alias should have no volume information:
blk6: Removable hard disk - alias (null)PciRoot(0x0)/Pci(0x15, 0x0)/Pci(0x0,0x0)/Scsi(0x0, 0x0)
To make matters more confusing, the volume also has several aliases defined, one of them being blk0, which means that whether a particular alias is labelled blkX or fsX should not be used to decide whether it is a raw disk or a volume.
fs0: Removable HardDisk - Alias hd18ac blk0 PciRoot(0x0)/Pci(0x15, 0x0)/Pci(0x0,0x0)/Scsi(0x0, 0x0)/HD(1, MBR,0xab184e1b, 0x800, 0x9fe800)
Therefore, to truly identify the raw disk to analyze, make sure the following two rules are followed:
- Verify the alias has a blkX name, not an fsX name. As noted, this is not enough, since fsX can have an alias blkX which references the same volume.
- Look for the raw disk entry in the map list that has no volume information. If there are multiple hard disks, you can either dump each of them to identify the one you want to analyze, or use the volume alias parameters to identify the hard disk.
Once you are done identifying the hard disk, use the following command to dump individual sectors:
dblk blkX <blockNo>
Once you identify your disk correctly and dump its first sector, dblk will display some additional information about partitions if it finds any:
Content of the MBR. If more sectors need to be captured, it can be done in the same way using the dblk command:
(Master boot record for HDD2 formatted with FAT32.) The first entry in the partition table says it is a 4GB file system starting at sector 800h:
LBA 0000000000000000 Size 00000200 bytes BlkIo BE532028
00000000: 33 C0 8E D0 BC 00 7C 8E-C0 8E D8 BE 00 7C BF 00 *3...............*
00000010: 06 B9 00 02 FC F3 A4 50-68 1C 06 CB FB B9 04 00 *.......Ph.......*
00000020: BD BE 07 80 7E 00 00 7C-0B 0F 85 0E 01 83 C5 10 *................*
00000030: E2 F1 CD 18 88 56 00 55-C6 46 11 05 C6 46 10 00 *.....V.U.F...F..*
00000040: B4 41 BB AA 55 CD 13 5D-72 0F 81 FB 55 AA 75 09 *.A..U..]r...U.u.*
00000050: F7 C1 01 00 74 03 FE 46-10 66 60 80 7E 10 00 74 *....t..F.f`....t*
00000060: 26 66 68 00 00 00 00 66-FF 76 08 68 00 00 68 00 *&fh....f.v.h..h.*
00000070: 7C 68 01 00 68 10 00 B4-42 8A 56 00 8B F4 CD 13 *.h..h...B.V.....*
00000080: 9F 83 C4 10 9E EB 14 B8-01 02 BB 00 7C 8A 56 00 *..............V.*
00000090: 8A 76 01 8A 4E 02 8A 6E-03 CD 13 66 61 73 1C FE *.v..N..n...fas..*
000000A0: 4E 11 75 0C 80 7E 00 80-0F 84 8A 00 B2 80 EB 84 *N.u.............*
000000B0: 55 32 E4 8A 56 00 CD 13-5D EB 9E 81 3E FE 7D 55 *U2..V...]...>..U*
000000C0: AA 75 6E FF 76 00 E8 8D-00 75 17 FA B0 D1 E6 64 *.un.v....u.....d*
000000D0: E8 83 00 B0 DF E6 60 E8-7C 00 B0 FF E6 64 E8 75 *......`......d.u*
000000E0: 00 FB B8 00 BB CD 1A 66-23 C0 75 3B 66 81 FB 54 *.......f#.u;f..T*
000000F0: 43 50 41 75 32 81 F9 02-01 72 2C 66 68 07 BB 00 *CPAu2....r,fh...*
00000100: 00 66 68 00 02 00 00 66-68 08 00 00 00 66 53 66 *.fh....fh....fSf*
00000110: 53 66 55 66 68 00 00 00-00 66 68 00 7C 00 00 66 *SfUfh....fh....f*
00000120: 61 68 00 00 07 CD 1A 5A-32 F6 EA 00 7C 00 00 CD *ah.....Z2.......*
00000130: 18 A0 B7 07 EB 08 A0 B6-07 EB 03 A0 B5 07 32 E4 *..............2.*
00000140: 05 00 07 8B F0 AC 3C 00-74 09 BB 07 00 B4 0E CD *......<.t.......*
00000150: 10 EB F2 F4 EB FD 2B C9-E4 64 EB 00 24 02 E0 F8 *......+..d..$...*
00000160: 24 02 C3 49 6E 76 61 6C-69 64 20 70 61 72 74 69 *$..Invalid parti*
00000170: 74 69 6F 6E 20 74 61 62-6C 65 00 45 72 72 6F 72 *tion table.Error*
00000180: 20 6C 6F 61 64 69 6E 67-20 6F 70 65 72 61 74 69 * loading operati*
00000190: 6E 67 20 73 79 73 74 65-6D 00 4D 69 73 73 69 6E *ng system.Missin*
000001A0: 67 20 6F 70 65 72 61 74-69 6E 67 20 73 79 73 74 *g operating syst*
000001B0: 65 6D 00 00 00 63 7B 9A-0F 6E DD 47 00 00 00 20 *em...c...n.G... *
000001C0: 21 00 0B FE BF 8B 00 08-00 00 00 E8 9F 00 00 00 *!...............*
000001D0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001F0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA *..............U.*
Valid MBR
---------
Partition 0 OS 0B Start 00000800 Size 009FE800
Partition 1 OS 00 Start 00000000 Size 00000000
Partition 2 OS 00 Start 00000000 Size 00000000
Partition 3 OS 00 Start 00000000 Size 00000000
SECTOR 800h (first sector of first partition defined in MBR)
LBA 0000000000000800 Size 00000200 bytes BlkIo BE532028
00000000: EB 58 90 4D 53 44 4F 53-35 2E 30 00 02 08 3A 10 *.X.MSDOS5.0...:.*
00000010: 02 00 00 00 00 F8 00 00-3F 00 FF 00 00 08 00 00 *........?.......*
00000020: 00 E8 9F 00 E3 27 00 00-00 00 00 00 02 00 00 00 *.....'..........*
00000030: 01 00 06 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000040: 80 00 29 06 5F BB EE 4E-4F 20 4E 41 4D 45 20 20 *..)._..NO NAME *
00000050: 20 20 46 41 54 33 32 20-20 20 33 C9 8E D1 BC F4 * FAT32 3.....*
00000060: 7B 8E C1 8E D9 BD 00 7C-88 56 40 88 4E 02 8A 56 *.........V@.N..V*
00000070: 40 B4 41 BB AA 55 CD 13-72 10 81 FB 55 AA 75 0A *@.A..U..r...U.u.*
00000080: F6 C1 01 74 05 FE 46 02-EB 2D 8A 56 40 B4 08 CD *...t..F..-.V@...*
00000090: 13 73 05 B9 FF FF 8A F1-66 0F B6 C6 40 66 0F B6 *.s......f...@f..*
000000A0: D1 80 E2 3F F7 E2 86 CD-C0 ED 06 41 66 0F B7 C9 *...?.......Af...*
000000B0: 66 F7 E1 66 89 46 F8 83-7E 16 00 75 39 83 7E 2A *f..f.F.....u9..**
000000C0: 00 77 33 66 8B 46 1C 66-83 C0 0C BB 00 80 B9 01 *.w3f.F.f........*
000000D0: 00 E8 2C 00 E9 A8 03 A1-F8 7D 80 C4 7C 8B F0 AC *..,.............*
000000E0: 84 C0 74 17 3C FF 74 09-B4 0E BB 07 00 CD 10 EB *..t.<.t.........*
000000F0: EE A1 FA 7D EB E4 A1 7D-80 EB DF 98 CD 16 CD 19 *................*
00000100: 66 60 80 7E 02 00 0F 84-20 00 66 6A 00 66 50 06 *f`...... .fj.fP.*
00000110: 53 66 68 10 00 01 00 B4-42 8A 56 40 8B F4 CD 13 *Sfh.....B.V@....*
00000120: 66 58 66 58 66 58 66 58-EB 33 66 3B 46 F8 72 03 *fXfXfXfX.3f;F.r.*
00000130: F9 EB 2A 66 33 D2 66 0F-B7 4E 18 66 F7 F1 FE C2 *..*f3.f..N.f....*
00000140: 8A CA 66 8B D0 66 C1 EA-10 F7 76 1A 86 D6 8A 56 *..f..f....v....V*
00000150: 40 8A E8 C0 E4 06 0A CC-B8 01 02 CD 13 66 61 0F *@............fa.*
00000160: 82 74 FF 81 C3 00 02 66-40 49 75 94 C3 42 4F 4F *.t.....f@Iu..BOO*
00000170: 54 4D 47 52 20 20 20 20-00 00 00 00 00 00 00 00 *TMGR ........*
00000180: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000190: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001A0: 00 00 00 00 00 00 00 00-00 00 00 00 0D 0A 44 69 *..............Di*
000001B0: 73 6B 20 65 72 72 6F 72-FF 0D 0A 50 72 65 73 73 *sk error...Press*
000001C0: 20 61 6E 79 20 6B 65 79-20 74 6F 20 72 65 73 74 * any key to rest*
000001D0: 61 72 74 0D 0A 00 00 00-00 00 00 00 00 00 00 00 *art.............*
000001E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001F0: 00 00 00 00 00 00 00 00-AC 01 B9 01 00 00 55 AA *..............U.*
The whole structure of a partition formatted as FAT32 looks as follows:
PARTITION BOOT SECTOR
FAT1
FAT2
ROOT DIR
OTHER FOLDERS AND FILES.
Here are some of the resources I utilized:
Navigating clusters using FAT:
http://www.ntfs.com/fat-allocation.htm
Root folder specifics:
http://www.ntfs.com/fat-root.htm
The Microsoft FAT32 specification is essential for navigating the FAT32 structure:
https://staff.washington.edu/dittrich/misc/fatgen103.pdf
Some of the important information obtained from sector 800h above:
Bytes:
00-02: jump to boot code.
03-08 OEM name
11-12 bytes per sector: 200h
13-13 sectors per allocation unit/cluster: 8.
14-15 No. of reserved sectors in the reserved region, starting at the first sector of the volume: 103a
16-16 No. of FAT tables: 02
..
19-20 16-bit count of the number of sectors in the volume: 0
32-35 32-bit count of the No. of sectors in the volume (total sectors in all 4 regions of the volume): 9fe800. Note this matches the size in the partition table entry in the MBR.
36-39 No. of sectors occupied by one FAT: 27e3 / 10211 sectors.
40-41: 00 00
This field is only defined for FAT32 media and does not exist on FAT12 and FAT16 media.
Bits 0-3 -- Zero-based number of active FAT. Only valid if mirroring is disabled.
Bits 4-6 -- Reserved.
Bit 7 -- 0 means the FAT is mirrored at runtime into all FATs. -- 1 means only one FAT is active; it is the one referenced in bits 0-3.
Bits 8-15 -- Reserved.
44-47 Cluster No. of the first cluster in the root directory: 02.
48-49 Sector number of the FSINFO structure in the reserved area of the FAT32 volume. Usually 1.
...
64 Drive No.: 80
66 Extended boot signature (0x29). This is a signature byte that indicates that the following three fields in the boot sector are present: 29
67-70 Volume ID: 06 5F BB EE
71-81 Volume label: 4E-4F 20 4E 41 4D 45 20 20 20 20 - NO NAME
82-89 Always set to the string "FAT32 ". Please see the note for this field in the FAT12/FAT16 section earlier. This field has nothing to do with FAT type determination.
From MSFT spec: FAT Data Structure
The next data structure that is important is the FAT itself. What this data structure does is define a singly linked list of the "extents" (clusters) of a file. Note at this point that a FAT directory or file container is nothing but a regular file that has a special attribute indicating it is a directory. The only other special thing about a directory is that the data or contents of the "file" is a series of 32-byte FAT directory entries (see discussion below). In all other respects, a directory is just like a file. The FAT maps the data region of the volume by cluster number. The first data cluster is cluster 2.
The first sector of cluster 2 (the data region of the disk) is computed using the BPB fields for the volume as follows. First, we determine the count of sectors occupied by the root directory:
RootDirSectors = ((BPB_RootEntCnt * 32) + (BPB_BytsPerSec - 1)) / BPB_BytsPerSec
= (0 + (512 - 1)) / 512 = 0.
Therefore for FAT32, RootDirSectors is always 0.
The start of the data region, the first sector of cluster 2, is computed as follows:
FirstDataSector = BPB_ResvdSecCnt + (BPB_NumFATs * FATSz) + RootDirSectors;
BPB_ResvdSecCnt: 14-15 No. of reserved sectors in the reserved region, starting at the first sector of the volume: 103a
BPB_NumFATs: 16-16 No. of FAT tables: 02
BPB_FATSz32: 36-39 No. of sectors occupied by one FAT: 27e3 / 10211 sectors.
With this information from sector 800h, the first data sector is found to be at:
103ah + 2 * 27e3h + 0 = 6000h
However, this is relative to the first sector of the partition, not the disk, so I had to add 800h to get the first data sector, after mistakenly dumping sector 6000h and finding that nothing in there made sense. Once sector 6800h was dumped, I got the following, which appears to be the root directory content. I could not make sense of bytes 0-20h, so starting from 20h:
0-11 - short 8.3 name: DBLK6800LOG
12-12 - attributes: 18
..
14-15 - time of creation: 81 92
16-17 - date of creation: ac 48
18-19 - last access date: ac 48
20-21 - hi-word of entry's first cluster No.: 00 00
26-27 - low-word of this entry's first cluster No.: 03 00
28-31 - 32-bit dword holding file size in bytes: be 14 00 00 (5310 bytes)
LBA 0000000000006800 Size 00000200 bytes BlkIo BE5303A8
00000000: 46 41 54 33 32 20 20 20-20 20 20 08 00 00 00 00 *FAT32 .....*
00000010: 00 00 00 00 00 00 C1 91-AC 48 00 00 00 00 00 00 *.........H......*
00000020: 44 42 4C 4B 36 38 30 30-4C 4F 47 20 18 00 81 92 *DBLK6800LOG ....*
00000030: AC 48 AC 48 00 00 81 92-AC 48 03 00 BE 14 00 00 *.H.H.....H......*
00000040: 44 42 4C 4B 36 30 30 30-4C 4F 47 20 18 00 86 92 *DBLK6000LOG ....*
00000050: AC 48 AC 48 00 00 86 92-AC 48 05 00 82 16 00 00 *.H.H.....H......*
00000060: 24 52 45 43 59 43 4C 45-42 49 4E 16 00 7F D0 92 *$RECYCLEBIN.....*
00000070: AC 48 AC 48 00 00 D1 92-AC 48 07 00 00 00 00 00 *.H.H.....H......*
00000080: E5 31 31 36 35 33 31 5F-20 20 20 10 00 B7 E6 92 *.116531_ .....*
00000090: AC 48 AC 48 00 00 E7 92-AC 48 09 00 00 10 00 00 *.H.H.....H......*
000000A0: E5 4D 00 53 00 49 00 31-00 63 00 0F 00 E0 63 00 *.M.S.I.1.c....c.*
000000B0: 64 00 32 00 2E 00 74 00-6D 00 00 00 70 00 00 00 *d.2...t.m...p...*
000000C0: E5 53 49 31 43 43 44 32-54 4D 50 10 00 24 E8 92 *.SI1CCD2TMP..$..*
000000D0: AC 48 AC 48 00 00 E9 92-AC 48 09 00 00 10 00 00 *.H.H.....H......*
000000E0: E5 31 32 33 35 37 38 5F-20 20 20 10 00 58 EA 92 *.123578_ ..X..*
000000F0: AC 48 AC 48 00 00 EB 92-AC 48 09 00 00 10 00 00 *.H.H.....H......*
00000100: E5 4D 00 53 00 49 00 31-00 63 00 0F 00 C1 63 00 *.M.S.I.1.c....c.*
00000110: 64 00 37 00 2E 00 74 00-6D 00 00 00 70 00 00 00 *d.7...t.m...p...*
00000120: E5 53 49 31 43 43 44 37-54 4D 50 10 00 6E EA 92 *.SI1CCD7TMP..n..*
00000130: AC 48 AC 48 00 00 EB 92-AC 48 09 00 00 10 00 00 *.H.H.....H......*
00000140: E5 4D 00 53 00 49 00 31-00 66 00 0F 00 C4 30 00 *.M.S.I.1.f....0.*
00000150: 66 00 33 00 2E 00 74 00-6D 00 00 00 70 00 00 00 *f.3...t.m...p...*
00000160: E5 53 49 31 46 30 46 33-54 4D 50 10 00 34 EC 92 *.SI1F0F3TMP..4..*
00000170: AC 48 AC 48 00 00 ED 92-AC 48 09 00 00 10 00 00 *.H.H.....H......*
00000180: 42 61 00 6D 00 64 00 36-00 34 00 0F 00 88 2E 00 *Ba.m.d.6.4......*
00000190: 6D 00 73 00 69 00 00 00-FF FF 00 00 FF FF FF FF *m.s.i...........*
000001A0: 01 70 00 79 00 74 00 68-00 6F 00 0F 00 88 6E 00 *.p.y.t.h.o....n.*
000001B0: 2D 00 33 00 2E 00 33 00-2E 00 00 00 32 00 2E 00 *-.3...3.....2...*
000001C0: 50 59 54 48 4F 4E 7E 31-4D 53 49 20 00 8D 3A 99 *PYTHON.1MSI ..:.*
000001D0: AC 48 AC 48 00 00 39 6D-5D 43 09 00 00 00 3D 01 *.H.H..9m]C....=.*
000001E0: 42 61 00 6D 00 64 00 36-00 34 00 0F 00 A8 2E 00 *Ba.m.d.6.4......*
000001F0: 6D 00 73 00 69 00 00 00-FF FF 00 00 FF FF FF FF *m.s.i...........*
Actual content of the directory is as follows:
Directory of: fs1:\
05/12/16 06:20p 5,310 dblk6800.log
05/12/16 06:20p 5,762 dblk6000.log
10/29/13 01:41p 20,774,912 python-3.3.2.amd64.msi
02/09/15 07:47p 18,833,408 python-2.7.9.amd64.msi
05/12/16 07:10p 8 file1.txt
5 File(s) 39,619,400 bytes
0 Dir(s)
The important information from the root directory dump is that each entry's 8.3 file name can easily be seen, along with the dates and times of creation, modification etc. The most important information is the high and low words of the cluster No., which are found to be 00 00 00 03 for dblk6800.log.
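An added C example (not from the original post) of the directory scan an 8.3-only loader needs: it walks the 32-byte entries, skips deleted, long-file-name, volume-label and subdirectory entries, and returns the first cluster and size for a matching short name. Field offsets follow the Microsoft specification linked above (name in bytes 0-10, attribute byte at offset 11); the function names are hypothetical, and the data is taken from the sector 6800h dump with a constructed all-zero end entry.

```c
/* Added example: scan FAT32 directory entries for an 8.3 name.
   Entries are copied from the sector 6800h dump on this page (offsets
   000h-09Fh and 180h-1DFh, concatenated); the ninth, all-zero entry is
   constructed here to mark the end of the directory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint8_t root_dir[9 * 32] = {
 0x46,0x41,0x54,0x33,0x32,0x20,0x20,0x20,0x20,0x20,0x20,0x08,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0x00,0x00,0xC1,0x91,0xAC,0x48,0x00,0x00,0x00,0x00,0x00,0x00,
 0x44,0x42,0x4C,0x4B,0x36,0x38,0x30,0x30,0x4C,0x4F,0x47,0x20,0x18,0x00,0x81,0x92,
 0xAC,0x48,0xAC,0x48,0x00,0x00,0x81,0x92,0xAC,0x48,0x03,0x00,0xBE,0x14,0x00,0x00,
 0x44,0x42,0x4C,0x4B,0x36,0x30,0x30,0x30,0x4C,0x4F,0x47,0x20,0x18,0x00,0x86,0x92,
 0xAC,0x48,0xAC,0x48,0x00,0x00,0x86,0x92,0xAC,0x48,0x05,0x00,0x82,0x16,0x00,0x00,
 0x24,0x52,0x45,0x43,0x59,0x43,0x4C,0x45,0x42,0x49,0x4E,0x16,0x00,0x7F,0xD0,0x92,
 0xAC,0x48,0xAC,0x48,0x00,0x00,0xD1,0x92,0xAC,0x48,0x07,0x00,0x00,0x00,0x00,0x00,
 0xE5,0x31,0x31,0x36,0x35,0x33,0x31,0x5F,0x20,0x20,0x20,0x10,0x00,0xB7,0xE6,0x92,
 0xAC,0x48,0xAC,0x48,0x00,0x00,0xE7,0x92,0xAC,0x48,0x09,0x00,0x00,0x10,0x00,0x00,
 0x42,0x61,0x00,0x6D,0x00,0x64,0x00,0x36,0x00,0x34,0x00,0x0F,0x00,0x88,0x2E,0x00,
 0x6D,0x00,0x73,0x00,0x69,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,0xFF,0xFF,0xFF,0xFF,
 0x01,0x70,0x00,0x79,0x00,0x74,0x00,0x68,0x00,0x6F,0x00,0x0F,0x00,0x88,0x6E,0x00,
 0x2D,0x00,0x33,0x00,0x2E,0x00,0x33,0x00,0x2E,0x00,0x00,0x00,0x32,0x00,0x2E,0x00,
 0x50,0x59,0x54,0x48,0x4F,0x4E,0x7E,0x31,0x4D,0x53,0x49,0x20,0x00,0x8D,0x3A,0x99,
 0xAC,0x48,0xAC,0x48,0x00,0x00,0x39,0x6D,0x5D,0x43,0x09,0x00,0x00,0x00,0x3D,0x01 };

enum ent_kind { ENT_END, ENT_DELETED, ENT_LFN, ENT_VOLUME, ENT_SUBDIR, ENT_FILE };

/* Classify one 32-byte entry from its first byte and attribute byte (offset 11). */
enum ent_kind fat32_classify(const uint8_t *e)
{
    uint8_t attr = e[11];
    if (e[0] == 0x00) return ENT_END;            /* no entries after this one */
    if (e[0] == 0xE5) return ENT_DELETED;
    if ((attr & 0x3F) == 0x0F) return ENT_LFN;   /* long-name fragment */
    if (attr & 0x08) return ENT_VOLUME;          /* volume label */
    if (attr & 0x10) return ENT_SUBDIR;
    return ENT_FILE;
}

/* Look up an 11-byte space-padded 8.3 name. Returns 0 and fills the
   outputs on success, -1 if absent or if the entry looks corrupt. */
int fat32_find_file(const uint8_t *dir, size_t len, const char *name83,
                    uint32_t *cluster, uint32_t *size)
{
    for (size_t off = 0; off + 32 <= len; off += 32) {   /* never read past len */
        const uint8_t *e = dir + off;
        enum ent_kind k = fat32_classify(e);
        if (k == ENT_END) break;
        if (k != ENT_FILE || memcmp(e, name83, 11) != 0) continue;
        uint32_t hi = (uint32_t)e[20] | ((uint32_t)e[21] << 8);
        uint32_t lo = (uint32_t)e[26] | ((uint32_t)e[27] << 8);
        *cluster = (hi << 16) | lo;
        *size = (uint32_t)e[28] | ((uint32_t)e[29] << 8) |
                ((uint32_t)e[30] << 16) | ((uint32_t)e[31] << 24);
        /* A non-empty file must start in the data region (cluster >= 2). */
        return (*size != 0 && *cluster < 2) ? -1 : 0;
    }
    return -1;
}

int main(void)
{
    uint32_t c, s;
    if (fat32_find_file(root_dir, sizeof root_dir, "DBLK6800LOG", &c, &s) == 0)
        printf("DBLK6800.LOG: cluster %u, %u bytes\n", (unsigned)c, (unsigned)s);
    if (fat32_find_file(root_dir, sizeof root_dir, "PYTHON~1MSI", &c, &s) == 0)
        printf("PYTHON~1.MSI: cluster %u, %u bytes\n", (unsigned)c, (unsigned)s);
    return 0;
}
```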
Since the root directory cluster itself was 02 and there are 8 sectors / cluster, I dumped sector 6808 and got the following, which finally appears to be the content of dblk6800.log:
00000000: FF FE 0D 00 0A 00 20 00-4C 00 42 00 41 00 20 00 *...... .L.B.A. .*
00000010: 30 00 30 00 30 00 30 00-30 00 30 00 30 00 30 00 *0.0.0.0.0.0.0.0.*
00000020: 30 00 30 00 30 00 30 00-30 00 38 00 30 00 30 00 *0.0.0.0.0.8.0.0.*
00000030: 20 00 53 00 69 00 7A 00-65 00 20 00 30 00 30 00 * .S.i.z.e. .0.0.*
00000040: 30 00 30 00 30 00 32 00-30 00 30 00 20 00 62 00 *0.0.0.2.0.0. .b.*
00000050: 79 00 74 00 65 00 73 00-20 00 42 00 6C 00 6B 00 *y.t.e.s. .B.l.k.*
00000060: 49 00 6F 00 20 00 42 00-45 00 35 00 33 00 32 00 *I.o. .B.E.5.3.2.*
00000070: 30 00 32 00 38 00 0D 00-0A 00 20 00 20 00 30 00 *0.2.8..... . .0.*
...
This makes sense when compared with the content of this file opened in a text editor.
I decided to use the same approach to find the contents of file1.txt and boot.bin. From the sector 6801 dump, here is the information for those files:
000000A0: 46 49 4C 45 31 20 20 20-54 58 54 20 18 7A 44 99 *FILE1 TXT .zD.*
000000B0: AC 48 AC 48 00 00 4A 99-AC 48 CF 25 08 00 00 00 *.H.H..J..H.%....*
000000C0: E5 36 38 30 38 20 20 20-4C 4F 47 00 18 00 6F 22 *.6808 LOG...o"*
000000D0: AF 48 AF 48 00 00 6F 22-AF 48 00 00 00 00 00 00 *.H.H..o".H......*
000000E0: 42 4F 4F 54 20 20 20 20-42 49 4E 20 18 39 51 23 *BOOT BIN .9Q#*
000000F0: AF 48 AF 48 00 00 54 02-AB 48 D0 25 24 06 00 00 *.H.H..T..H.%$...*
From the dump above, you can easily see the cluster No.:
file1.txt: 25 CF
boot.bin: 25 D0
To find the sector number to dump, use the same formula:
(Cluster No. of file - 2) * 8 + 6800h. Since the cluster No. is relative to the root dir's cluster No., which is 2, we subtract 2, then multiply by 8, which is the number of sectors per cluster, and finally add 6800h.
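The arithmetic above as an added C example (not code from the original post): it reads the partition start from the first MBR entry and the BPB fields from sector 800h, sanity-checks them as a driver reading on-disk data should, and converts a cluster number to an absolute LBA. The function and struct names are hypothetical; the byte values are copied from the dumps on this page, and only 512-byte sectors are handled.

```c
/* Added example: locate a FAT32 cluster on disk from the MBR entry and BPB.
   Byte values are copied from the sector 0 and sector 800h dumps on this page. */
#include <stdint.h>
#include <stdio.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* First partition table entry, MBR offsets 1BEh-1CDh. */
static const uint8_t mbr_entry0[16] = {
    0x00, 0x20, 0x21, 0x00, 0x0B, 0xFE, 0xBF, 0x8B,
    0x00, 0x08, 0x00, 0x00, 0x00, 0xE8, 0x9F, 0x00 };

/* First 48 bytes of sector 800h (the BPB). */
static const uint8_t bpb[48] = {
 0xEB,0x58,0x90,0x4D,0x53,0x44,0x4F,0x53,0x35,0x2E,0x30,0x00,0x02,0x08,0x3A,0x10,
 0x02,0x00,0x00,0x00,0x00,0xF8,0x00,0x00,0x3F,0x00,0xFF,0x00,0x00,0x08,0x00,0x00,
 0x00,0xE8,0x9F,0x00,0xE3,0x27,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00 };

struct fat32_geom {
    uint32_t part_lba;        /* partition start, from the MBR entry */
    uint32_t sec_per_clus;
    uint32_t first_data_sec;  /* relative to the partition */
    uint32_t cluster_count;   /* data clusters; valid numbers are 2..count+1 */
    uint32_t root_cluster;
};

/* Returns 0 on success, -1 if a field fails a sanity check. */
int fat32_geom_init(struct fat32_geom *g, const uint8_t *pe, const uint8_t *b)
{
    uint32_t part_size = rd32(pe + 12);
    uint16_t bytes_per_sec = rd16(b + 11);
    uint8_t  spc = b[13];
    uint16_t reserved = rd16(b + 14);
    uint8_t  num_fats = b[16];
    uint32_t tot_sec = rd32(b + 32);
    uint32_t fat_sz = rd32(b + 36);

    if (pe[4] != 0x0B && pe[4] != 0x0C) return -1;         /* FAT32 type bytes */
    if (bytes_per_sec != 512) return -1;                    /* only case handled */
    if (spc == 0 || (spc & (spc - 1)) != 0) return -1;      /* power of two */
    if (rd16(b + 17) != 0 || rd16(b + 22) != 0) return -1;  /* RootEntCnt, FATSz16 */
    if (num_fats == 0 || reserved == 0 || fat_sz == 0) return -1;
    if (tot_sec == 0 || tot_sec > part_size) return -1;     /* must fit partition */

    uint64_t first_data = (uint64_t)reserved + (uint64_t)num_fats * fat_sz;
    if (first_data >= tot_sec) return -1;

    g->part_lba = rd32(pe + 8);
    g->sec_per_clus = spc;
    g->first_data_sec = (uint32_t)first_data;
    g->cluster_count = (tot_sec - (uint32_t)first_data) / spc;
    g->root_cluster = rd32(b + 44);
    return 0;
}

/* Absolute LBA of the first sector of cluster n, or 0 if n is out of range. */
uint64_t fat32_cluster_lba(const struct fat32_geom *g, uint32_t n)
{
    if (n < 2 || n - 2 >= g->cluster_count) return 0;
    return (uint64_t)g->part_lba + g->first_data_sec +
           (uint64_t)(n - 2) * g->sec_per_clus;
}

int main(void)
{
    struct fat32_geom g;
    if (fat32_geom_init(&g, mbr_entry0, bpb) != 0) return 1;
    printf("root dir  LBA %llXh\n", (unsigned long long)fat32_cluster_lba(&g, g.root_cluster));
    printf("file1.txt LBA %llXh\n", (unsigned long long)fat32_cluster_lba(&g, 0x25CF));
    printf("boot.bin  LBA %llXh\n", (unsigned long long)fat32_cluster_lba(&g, 0x25D0));
    return 0;
}
```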
Once this is done, the first sector No. of each of the above two files and its sector dump are below:
file1.txt 1st sector No: (25 cf - 2) * 8 + 6800h = 19668h
boot.bin 1st sector No: (25 d0 - 2) * 8 + 6800h = 19670h
file1.txt is a small text file with a few letters:
LBA 0000000000019668 Size 00000200 bytes BlkIo BE5303A8
00000000: 73 64 61 73 64 61 73 64-00 00 00 00 00 00 00 00 *sdasdasd........*
00000010: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000020: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000030: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000040: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000050: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000060: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
boot.bin is our binary boot loader file:
From sector 19670, you can see the DOS header signature:
LBA 0000000000019670 Size 00000200 bytes BlkIo BE5303A8
00000000: 4D 5A 24 00 04 00 01 00-20 00 00 00 FF FF 21 00 *MZ$..... .....!.*
00000010: 06 01 00 00 00 00 00 00-1E 00 00 00 01 00 01 00 *................*
00000020: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
Since the DOS header occupies 512 bytes, dumping the next sector should reveal the code segment:
LBA 0000000000019671 Size 00000200 bytes BlkIo BE5303A8
00000000: B8 21 00 8E D0 BC 00 01-EB 67 4D 69 6E 69 78 2D *.!.......gMinix-*
00000010: 6C 69 6B 65 20 4B 65 72-6E 65 6C 20 42 6F 6F 74 *like Kernel Boot*
00000020: 6C 6F 61 64 65 72 2E 20-32 30 31 36 2D 32 30 31 *loader. 2016-201*
00000030: 36 2E 24 32 30 31 35 2D-32 30 31 36 2E 20 47 75 *6.$2015-2016. Gu*
00000040: 79 65 6E 20 47 6E 2E 24-43 6F 70 69 65 64 20 31 *yen Gn.$Copied 1*
00000050: 73 74 20 70 61 72 74 20-6F 66 20 6B 65 72 6E 65 *st part of kerne*
00000060: 6C 20 74 6F 20 30 30 30-30 3A 38 30 30 30 68 2E *l to 0000:8000h.*
00000070: 24 BF 00 B8 8E C7 2B FF-8D 36 0A 00 81 C6 00 7C *$.....+..6......*
00000080: B8 00 0E 2E 8A 04 3C 24-74 09 26 89 05 83 C7 02 *......<$t.&.....*
00000090: 46 EB ED BF 00 B8 8E C7-2B FF 81 C7 A0 00 8D 36 *F.......+......6*
000000A0: 33 00 81 C6 00 7C B8 00-0E 2E 8A 04 3C 24 74 09 *3...........<$t.*
000000B0: 26 89 05 83 C7 02 46 EB-ED 66 B8 01 00 00 00 B2 *&.....F..f......*
000000C0: 80 BE 00 7E 8E DE 2B F6-C6 04 10 C6 44 01 00 C7 *......+.....D...*
000000D0: 44 02 01 00 C7 44 04 00-80 C7 44 06 00 00 66 89 *D....D....D...f.*
000000E0: 44 08 66 C7 44 0C 00 00-00 00 B4 42 CD 13 BF 00 *D.f.D......B....*
000000F0: B8 8E C7 2B FF 81 C7 A0-00 81 C7 A0 00 8D 36 48 *...+..........6H*
00000100: 00 81 C6 00 7C B8 00 0E-2E 8A 04 3C 24 74 09 26 *...........<$t.&*
00000110: 89 05 83 C7 02 46 EB ED-EA 00 00 00 08 00 00 00 *.....F..........*
00000120: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
From sector 19672, we can see that I declared the DAP area, and the stack area at 100h from the DAP area:
LBA 0000000000019672 Size 00000200 bytes BlkIo BE5303A8
00000000: 44 41 50 24 00 00 00 00-00 00 00 00 00 00 00 00 *DAP$............*
00000010: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000020: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000030: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000040: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000050: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000060: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000070: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000080: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000090: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000000A0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000000B0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000000C0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000000D0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000000E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000000F0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000100: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000110: 53 54 41 43 4B 24 00 00-00 00 00 00 00 00 00 00 *STACK$..........*
00000120: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000130: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000140: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000150: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000160: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000170: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000180: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
00000190: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001A0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001B0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001C0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001D0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001E0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
000001F0: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 *................*
By this time, I think this will give me enough knowledge to locate any file in the root directory, load it into memory and execute it, with the only concern being whether all the necessary code fits into the bootloader in the MBR. I am still not sure whether to pursue the LFN topic, as I prefer to stick to the 8.3 naming convention.