Studying MBR and GPT structures
To work with a hard disk, you first need to somehow mark it up so that the operating system can understand in which areas of the disk you can write information. Since hard disks are large, their space is usually divided into several parts - disk partitions. Each such partition can be assigned its own drive letter (for systems of the Windows family) and you can work with it as if it were an independent disk in the system.
There are two ways of partitioning disks. The first way is to use the MBR. This method has been used almost since the advent of hard drives and works with any operating system. The second way is to use the new markup system - GPT. This method is supported only by modern operating systems, since it is still relatively young.
Until recently, the MBR structure was used on all personal computers in order to be able to split one large physical hard disk (HDD) into several logical parts - partitions of a disk (partition). Currently, the MBR is actively being supplanted by a new partitioning structure of disks - GPT (GUID Partition Table). However, the MBR is still widely used, so let's see what it is.
The MBR is always in the first sector of the hard disk. When the computer boots, the BIOS reads this sector from the disk into memory at address 0000: 7C00h and transfers control to it.
')
So, the first section of the MBR structure is a section with executable code that will manage the further loading. The size of this section can be a maximum of 440 bytes. Next come the 4 bytes allocated for identifying the disk. In operating systems where authentication is not used, the executable code may take this place. The same goes for the next 2 bytes.
Starting with the 01BEh offset, the hard disk partition table itself is located. The table consists of 4 entries (one for each possible partition of the disk) with a size of 16 bytes.
Record structure for one section:
The first byte in this structure is a sign of section activity. This sign determines from which section to continue the download. There can be only one active partition, otherwise the download will not continue.
The next three bytes are the so-called CHS coordinates of the first sector of the partition.
At offset 04h is the partition type code. It is for this type that you can determine what is in this section, what file system is on it, etc. The list of reserved types of sections can be viewed, for example, in Wikipedia under the link Types of sections .
After the partition type, there are 3 bytes, defining the CHS coordinates of the last sector of the partition.
So, at present, LBA-addressing is used everywhere for sectors on a disk and in the structure of a partition record the address of its first sector is written at offset 08h, and the size of the partition is written at offset 0Ch.
For disks up to 8GB in size (when addressing via CHS is still possible), the structure fields with CHS coordinates and LBA addressing must match each other by value (correctly converted from one format to another). For disks larger than 8GB, the values ​​of all three bytes of the CHS coordinates must be equal to FFh (the FEh value is also allowed for the head).
At the end of the MBR structure is always the signature AA55h. It to some extent allows you to verify that the MBR sector is not damaged and contains the necessary data.
Sections marked in the table with type 05h and 0Fh are the so-called extended sections. With them, you can create more partitions on the disk than the MBR allows. In fact, there are several more extended partitions, for example, there are sections with types C5h, 15h, 1Fh, 91h, 9Bh, 85h. Basically, all these types of partitions were used at one time by different operating systems (such as OS / 2, DR-DOS, FreeDOS) for the same purpose - to increase the number of partitions on the disk. However, over time, the various formats disappeared and only sections with types 05h and 0Fh remained. The only exception is the type 85h. It can still be used in Linux to form a second chain of logical disks hidden from other operating systems. Partitions with type 05h are used for disks less than 8 GB (where addressing via CHS is still possible), and type 0Fh is used for disks larger than 8 GB (and LBA addressing is used).
In the first sector of the extended section is the EBR structure (Extended Boot Record). It is very similar to the structure of the MBR, but has the following differences:
At the end of the EBR structure, as well as in the MBR, there must be a “magic” value AA55h.
Unlike the MBR, where it is allowed to create no more than four partitions, the EBR structure allows you to organize a list of logical partitions, limited only by the size of the container partition (the one with type 05h or 0Fh). The following record format is used to organize such a list: the first entry in the EBR partition table indicates the logical partition associated with this EBR, and the second entry indicates the next EBR partition in the list. If this logical partition is the last in the list, then the second entry in the EBR partition table must be filled with zeros.
The format of partition entries in EBR is similar to the format of entries in the MBR structure, but it is a little different logically.
The sign of partition activity for partitions of the EBR structure will always be 0, since the download was performed only from the main partitions of the disk. The CHS coordinates that the partition begins with are used if LBA addressing is not involved, as well as in the MBR structure.
But the fields where in the LBA-addressing mode there should be the number of the initial sector and the number of sectors of the section, in the structure of EBR are used a little differently.
For the first entry of the EBR partition table, the distance in sectors between the current EBR sector and the beginning of the logical partition referenced by the entry is recorded in the field of the initial sector of the partition (offset 08h). In this case, the size of this logical partition in the sectors is written in the field of the number of sectors of the partition (offset 0Ch).
For the second entry of the EBR partition table, the distance between the sector of the very first EBR and the sector of the next EBR in the list is recorded in the field of the initial sector of the section. In this case, the size of the disk area from the sector of this next EBR structure and to the end of the logical partition belonging to this structure is written in the field of the number of partition sectors.
Thus, the first entry in the partition table describes how to find, and what size the current logical partition occupies, and the second entry describes how to find it, and what size the next EBR occupies in the list, along with its partition.
In modern computers, the BIOS has been replaced by the new UEFI specification, and with it the new partition device on the hard disk - GUID Partition Table (GPT). This structure took into account all the shortcomings and limitations of the MBR, and it was developed with a large margin for the future.
In the structure of GPT, only LBA-addressing is used now, there are no more CHSs and no problems with their conversion either. Moreover, 64 bits are allocated for LBA-addresses, which allows you to work with them without any tricks, as with 64-bit integers, and also (if it comes to that) will give you the opportunity in the future to easily expand 48-bit LBA-addressing to 64 -bit
In addition, unlike the MBR, the GPT structure stores two copies of itself on disk, one at the beginning of the disk and the other at the end. Thus, in case of damage to the main structure, it will be possible to restore it from the saved copy.
We now consider the structure of the GPT structure in more detail. The entire GPT structure on the hard disk consists of 6 parts:
The first sector on the disk (with the address LBA 0) is the same MBR sector. It is left for compatibility with old software and is designed to protect the GPT structure from accidental damage when running programs that do not know anything about GPT. For such programs, the partition structure will look like one partition occupying all the space on the hard disk.
The structure of this sector is no different from the normal MBR sector. In its partition table, a single entry must be created with partition type 0xEE. The section must start with the address LBA 1 and have a size of 0xFFFFFFFF. In the fields for CHS-addressing, the section must begin, respectively, with the address 0/0/2 (sector 1 is occupied by the MBR itself) and have the final CHS address FF / FF / FF. The sign of the active partition must be 0 (inactive).
When a computer is running with UEFI, this MBR sector is simply ignored and no code in it is also executed.
This header sector contains data about all LBA-addresses used for partitioning the disk.
GPT header structure:
The UEFI system checks the correctness of the GPT header using checksums calculated using the CRC32 algorithm. If the primary header is damaged, then the checksum of the copy of the header is checked. If the checksum of the header copy is correct, this copy is used to restore the information in the primary header. Restoration also occurs in the opposite direction - if the primary header is correct and the copy is incorrect, then the copy is restored according to the data from the primary header. If both copies of the header are damaged, the disk becomes inaccessible for work.
The partition table additionally has its own checksum, which is recorded in the header at offset 0x58. When the data in the partition table changes, this amount is calculated anew and updated in the primary header and in its copy, and then the checksum of the GPT headers themselves is calculated and updated.
The next part of the GPT structure is the partition table itself. Currently, Windows and Linux operating systems use the same partition table format - a maximum of 128 partitions, 128 bytes are allocated to each partition entry, respectively, the entire partition table will take 128 * 128 = 16384 bytes, or 32 disk sectors.
Section Record Format:
Section attributes written at offset 0x30 may have the following bit values:
With the remaining parts of the markup everything is clear and without a detailed description. Content sections - speaks for itself. A copy of the partition table is also understandable; it stores a copy of the partition table. Well, the last sector of the disk is a copy of the GPT header.
There are two ways of partitioning disks. The first way is to use the MBR. This method has been used almost since the advent of hard drives and works with any operating system. The second way is to use the new markup system - GPT. This method is supported only by modern operating systems, since it is still relatively young.
MBR structure
Until recently, the MBR structure was used on all personal computers in order to be able to split one large physical hard disk (HDD) into several logical parts - partitions of a disk (partition). Currently, the MBR is actively being supplanted by a new partitioning structure of disks - GPT (GUID Partition Table). However, the MBR is still widely used, so let's see what it is.
The MBR is always in the first sector of the hard disk. When the computer boots, the BIOS reads this sector from the disk into memory at address 0000: 7C00h and transfers control to it.
')
So, the first section of the MBR structure is a section with executable code that will manage the further loading. The size of this section can be a maximum of 440 bytes. Next come the 4 bytes allocated for identifying the disk. In operating systems where authentication is not used, the executable code may take this place. The same goes for the next 2 bytes.
Starting with the 01BEh offset, the hard disk partition table itself is located. The table consists of 4 entries (one for each possible partition of the disk) with a size of 16 bytes.
Record structure for one section:
The first byte in this structure is a sign of section activity. This sign determines from which section to continue the download. There can be only one active partition, otherwise the download will not continue.
The next three bytes are the so-called CHS coordinates of the first sector of the partition.
At offset 04h is the partition type code. It is for this type that you can determine what is in this section, what file system is on it, etc. The list of reserved types of sections can be viewed, for example, in Wikipedia under the link Types of sections .
After the partition type, there are 3 bytes, defining the CHS coordinates of the last sector of the partition.
The CHS coordinates of the sector are decoded as the Cylinder Head Sector and respectively denote the cylinder (track) number, the head (surface) number and sector number. Cylinders and heads are numbered from zero, the sector is numbered from one. Thus CHS = 0/0/1 means the first sector on the zero cylinder on the zero head. This is where the MBR sector is located.The problem with CHS-coordinates is that with such a record you can address a maximum of 8 GB of disk. In the DOS era, this was acceptable, but pretty soon this was no longer enough. To solve this problem, LBA (Logical Block Addressing) was developed, which used 32-bit flat numbering of disk sectors. This allowed us to address discs up to 2TB in size. Later, the LBA bit depth was increased to 48 bits, but the MBR did not affect these changes. It still has 32-bit sector addressing.
All sections of the disk, with the exception of the first, usually begin with a zero head and the first sector of a cylinder. That is, their address will be N / 0/1. The first partition of the disk begins with the head 1, that is, at 0/1/1. This is all due to the fact that the zero head is already occupied by the MBR sector. Thus, there is always an additional unused 62 sector between the MBR sector and the beginning of the first section. Some OS loaders use them for their needs.
The storage format of the cylinder number and sector in the section record structure is interesting. The cylinder number and sector number are divided between two bytes, but not equally, but like 10: 6. That is, the sector number has the lower 6 bits of the low byte, which allows setting sector numbers from 1 to 63. And the cylinder number is assigned 10 bits - 8 bits of the high byte and the remaining 2 bits from the low byte: “CCCCCCCC CCSSSSSS”, and byte are the high bits of the cylinder number.
So, at present, LBA-addressing is used everywhere for sectors on a disk and in the structure of a partition record the address of its first sector is written at offset 08h, and the size of the partition is written at offset 0Ch.
For disks up to 8GB in size (when addressing via CHS is still possible), the structure fields with CHS coordinates and LBA addressing must match each other by value (correctly converted from one format to another). For disks larger than 8GB, the values ​​of all three bytes of the CHS coordinates must be equal to FFh (the FEh value is also allowed for the head).
At the end of the MBR structure is always the signature AA55h. It to some extent allows you to verify that the MBR sector is not damaged and contains the necessary data.
Extended Sections
Sections marked in the table with type 05h and 0Fh are the so-called extended sections. With them, you can create more partitions on the disk than the MBR allows. In fact, there are several more extended partitions, for example, there are sections with types C5h, 15h, 1Fh, 91h, 9Bh, 85h. Basically, all these types of partitions were used at one time by different operating systems (such as OS / 2, DR-DOS, FreeDOS) for the same purpose - to increase the number of partitions on the disk. However, over time, the various formats disappeared and only sections with types 05h and 0Fh remained. The only exception is the type 85h. It can still be used in Linux to form a second chain of logical disks hidden from other operating systems. Partitions with type 05h are used for disks less than 8 GB (where addressing via CHS is still possible), and type 0Fh is used for disks larger than 8 GB (and LBA addressing is used).
In the first sector of the extended section is the EBR structure (Extended Boot Record). It is very similar to the structure of the MBR, but has the following differences:
- There is no executable code in EBR. Some downloaders can write it there, but usually this place is filled with zeros.
- Disk signatures and two unused bytes must be filled with zeros
- Only the first two entries can be filled in the partition table. The remaining two entries must be filled with zeros.
At the end of the EBR structure, as well as in the MBR, there must be a “magic” value AA55h.
Unlike the MBR, where it is allowed to create no more than four partitions, the EBR structure allows you to organize a list of logical partitions, limited only by the size of the container partition (the one with type 05h or 0Fh). The following record format is used to organize such a list: the first entry in the EBR partition table indicates the logical partition associated with this EBR, and the second entry indicates the next EBR partition in the list. If this logical partition is the last in the list, then the second entry in the EBR partition table must be filled with zeros.
The format of partition entries in EBR is similar to the format of entries in the MBR structure, but it is a little different logically.
The sign of partition activity for partitions of the EBR structure will always be 0, since the download was performed only from the main partitions of the disk. The CHS coordinates that the partition begins with are used if LBA addressing is not involved, as well as in the MBR structure.
But the fields where in the LBA-addressing mode there should be the number of the initial sector and the number of sectors of the section, in the structure of EBR are used a little differently.
For the first entry of the EBR partition table, the distance in sectors between the current EBR sector and the beginning of the logical partition referenced by the entry is recorded in the field of the initial sector of the partition (offset 08h). In this case, the size of this logical partition in the sectors is written in the field of the number of sectors of the partition (offset 0Ch).
For the second entry of the EBR partition table, the distance between the sector of the very first EBR and the sector of the next EBR in the list is recorded in the field of the initial sector of the section. In this case, the size of the disk area from the sector of this next EBR structure and to the end of the logical partition belonging to this structure is written in the field of the number of partition sectors.
Thus, the first entry in the partition table describes how to find, and what size the current logical partition occupies, and the second entry describes how to find it, and what size the next EBR occupies in the list, along with its partition.
GPT structure
In modern computers, the BIOS has been replaced by the new UEFI specification, and with it the new partition device on the hard disk - GUID Partition Table (GPT). This structure took into account all the shortcomings and limitations of the MBR, and it was developed with a large margin for the future.
In the structure of GPT, only LBA-addressing is used now, there are no more CHSs and no problems with their conversion either. Moreover, 64 bits are allocated for LBA-addresses, which allows you to work with them without any tricks, as with 64-bit integers, and also (if it comes to that) will give you the opportunity in the future to easily expand 48-bit LBA-addressing to 64 -bit
In addition, unlike the MBR, the GPT structure stores two copies of itself on disk, one at the beginning of the disk and the other at the end. Thus, in case of damage to the main structure, it will be possible to restore it from the saved copy.
We now consider the structure of the GPT structure in more detail. The entire GPT structure on the hard disk consists of 6 parts:
| LBA address | Size (sectors) | Purpose |
| Lba 0 | one | Protective MBR sector |
| Lba 1 | one | Primary GPT header |
| Lba 2 | 32 | Disk partition table |
| Lba 34 | Nn | Disc partition contents |
| Lba -34 | 32 | Copy of the partition table |
| LBA -2 | one | Copy of gpt header |
Protective MBR sector
The first sector on the disk (with the address LBA 0) is the same MBR sector. It is left for compatibility with old software and is designed to protect the GPT structure from accidental damage when running programs that do not know anything about GPT. For such programs, the partition structure will look like one partition occupying all the space on the hard disk.
The structure of this sector is no different from the normal MBR sector. In its partition table, a single entry must be created with partition type 0xEE. The section must start with the address LBA 1 and have a size of 0xFFFFFFFF. In the fields for CHS-addressing, the section must begin, respectively, with the address 0/0/2 (sector 1 is occupied by the MBR itself) and have the final CHS address FF / FF / FF. The sign of the active partition must be 0 (inactive).
When a computer is running with UEFI, this MBR sector is simply ignored and no code in it is also executed.
Primary GPT header
This header sector contains data about all LBA-addresses used for partitioning the disk.
GPT header structure:
| Offset (bytes) | Field size (bytes) | Fill example | Field Name and Description |
| 0x00 | 8 bytes | 45 46 49 20 50 41 52 54 | Header signature. Used to identify all EFI-compatible GPT headers. It should contain the value 45 46 49 20 50 41 52 54, which in the form of text is interpreted as "EFI PART". |
| 0x08 | 4 bytes | 00 00 01 00 | Header format version (not UEFI specifications). Header version 1.0 is currently in use. |
| 0x0C | 4 bytes | 5C 00 00 00 | The size of the GPT header in bytes. It has a value of 0x5C (92 bytes) |
| 0x10 | 4 bytes | 27 6D 9F C9 | GPT header checksum (at addresses from 0x00 to 0x5C). The checksum algorithm is CRC32. When calculating the checksum, the initial value of this field is assumed to be zero. |
| 0x14 | 4 bytes | 00 00 00 00 | Reserved. Must be 0 |
| 0x18 | 8 bytes | 01 00 00 00 00 00 00 00 | The address of the sector containing the primary GPT header. Always matters LBA 1. |
| 0x20 | 8 bytes | 37 C8 11 01 00 00 00 00 | The address of the sector containing a copy of the GPT header. The address of the last sector on the disk is always important. |
| 0x28 | 8 bytes | 22 00 00 00 00 00 00 | Sector address from which partitions begin on disk. In other words - the address of the first partition of the disk |
| 0x30 | 8 bytes | 17 C8 11 01 00 00 00 00 | Address of the last sector of the disk allocated for partitions |
| 0x38 | 16 bytes | 00 A2 DA 98 9F 79 C0 01 A1 F4 04 62 2F D5 EC 6D | GUID of the disk. Contains a unique identifier issued by the disk and GPT header when marking up |
| 0x48 | 8 bytes | 02 00 00 00 00 00 00 | Address of the beginning of the partition table |
| 0x50 | 4 bytes | 80 00 00 00 | The maximum number of sections that a table can contain |
| 0x54 | 4 bytes | 80 00 00 00 | Record size for section |
| 0x58 | 4 bytes | 27 C3 F3 85 | Checksum partition table. Checksum Algorithm - CRC32 |
| 0x5C | 420 bytes | 0 | Reserved. Must be filled with zeros |
The UEFI system checks the correctness of the GPT header using checksums calculated using the CRC32 algorithm. If the primary header is damaged, then the checksum of the copy of the header is checked. If the checksum of the header copy is correct, this copy is used to restore the information in the primary header. Restoration also occurs in the opposite direction - if the primary header is correct and the copy is incorrect, then the copy is restored according to the data from the primary header. If both copies of the header are damaged, the disk becomes inaccessible for work.
The partition table additionally has its own checksum, which is recorded in the header at offset 0x58. When the data in the partition table changes, this amount is calculated anew and updated in the primary header and in its copy, and then the checksum of the GPT headers themselves is calculated and updated.
Disk partition table
The next part of the GPT structure is the partition table itself. Currently, Windows and Linux operating systems use the same partition table format - a maximum of 128 partitions, 128 bytes are allocated to each partition entry, respectively, the entire partition table will take 128 * 128 = 16384 bytes, or 32 disk sectors.
Section Record Format:
| Offset (bytes) | Field size (bytes) | Fill example | Field Name and Description |
| 0x00 | 16 bytes | 28 73 2A C1 1F F8 D2 11 BA 4B 00 A0 C9 3E C9 3B | Section type GUID. The example shows the type of partition "EFI System partition". List of all types can be found here. |
| 0x10 | 16 bytes | C0 94 77 FC 43 86 C0 01 92 E0 3C 77 2E 43 AC 40 | Unique GUID section. Generated when creating a partition. |
| 0x20 | 8 bytes | 3F 00 00 00 00 00 00 00 | The starting LBA address of the section |
| 0x28 | 8 bytes | CC 2F 03 00 00 00 00 00 | Last LBA section address |
| 0x30 | 8 bytes | 00 00 00 00 00 00 00 00 | Bitmask section attributes |
| 0x38 | 72 bytes | EFI system partition | Section name. 36-character unicode string |
Section attributes written at offset 0x30 may have the following bit values:
| Indicates the need for a partition for the functioning of the system. OEM developers can thus protect their partitions from being overwritten with disk utilities. | |
| Marks a section as read only. Used only for "Microsoft Basic Data Partition" with type {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7} | |
| Marks a section as hidden. Used only for "Microsoft Basic Data Partition" with type {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7} | |
| Prevents automatic assignment of a drive letter to a given section. Used only for "Microsoft Basic Data Partition" with type {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7} |
With the remaining parts of the markup everything is clear and without a detailed description. Content sections - speaks for itself. A copy of the partition table is also understandable; it stores a copy of the partition table. Well, the last sector of the disk is a copy of the GPT header.
Source: https://habr.com/ru/post/347002/
All Articles