Volume boot record

from Wikipedia, the free encyclopedia

Figure: Schematic representation of a volume boot record (right half of the picture; partitioning according to the MBR specification). The left half shows a master boot record.

The volume boot record (VBR) comprises the first sectors of a volume with the file systems FAT (including FAT32 and exFAT), HPFS and NTFS from Microsoft. Since a volume is very often a partition of a hard disk or another storage medium, the first sector is also referred to as the partition boot sector, or, as part of the VBR, as the volume boot sector. With a bootable medium, the boot code in the VBR is used to start the operating system stored on the respective file system on a BIOS-based computer with one or more MBR partitions, using the chain-loading principle.

Boot loader

Historically, the first IBM PCs did not have partitions. The PC DOS, MS-DOS or CP/M operating system started from a floppy disk that had a boot sector with a size of 512 bytes. This corresponds to the size of a sector or the first track (track 0). Only with the introduction of variable geometries, i.e. different media, was an option added to the boot sector to take the changed conditions into account: the BIOS parameter block (BPB for short).

With the FAT12 and FAT16 file systems, the VBR is exactly one sector in size. It contains all the information required to start the operating system, as well as a boot loader, whose program code uses this information to locate the start files on the file system and execute them using the chain-loading principle. For MS-DOS this is, for example, the file IO.SYS.

For the boot loader, however, it makes no difference whether the VBR is actually the boot sector or whether it has itself been loaded using the chain-loading principle. The latter is always the case when the file system is located within a partition on the storage medium. The standard case is then a master boot record as the boot sector, whose program code locates the active partition and loads the partition boot sector contained in it. The first sector is therefore not freely usable for the file system contained on the volume; it is a reserved part of it, the volume boot sector. The terms are therefore synonyms for the VBR when it actually only covers the first sector.

With the file systems HPFS, NTFS, FAT32 and exFAT, however, the size of a sector, 512 bytes, is no longer sufficient for the program code, so these file systems use several sectors. This is partly because the BPB is larger with FAT32 and therefore less space is left for the boot loader. The term volume boot sector is still limited to the first sector, while volume boot record (VBR) stands for all sectors used.

For PCs that do not use a BIOS, no boot program is necessary and the program code in the VBR is therefore not executed. This is the case, for example, with PCs that use UEFI as firmware. The program code is also not used if an operating system has already started and is accessing a file system. However, depending on the operating system and file system driver, the BIOS parameter block may be evaluated.

Structure of a VBR

The following paragraph describes a FAT32 VBR which (without a copy) has 3 sectors of 512 bytes each. With NTFS, the VBR usually has 16 sectors.

Sector 0 of the VBR

The following table shows the structure of sector 0 of a VBR. The individual function bytes are counted as an offset from the start of the VBR.

| Offset | Length (bytes) | Description |
|---|---|---|
| 0x00 | 3 | Jump command to the boot loader (EB xx 90 or E9 xx xx, except for Atari) |
| 0x03 | 8 | OEM / system name |
| 0x0B | 2 | Bytes per sector (usually 512; 1024, 2048 or 4096 allowed) |
| 0x0D | 1 | Sectors per cluster (2^n with n = {1..64}. n = 128 should not be used) |
| 0x0E | 2 | Number of reserved sectors (including boot sector). 1 for FAT12/16, 32 for FAT32. |
| 0x10 | 1 | Number of FATs (should always be 2). |
| 0x11 | 2 | Maximum number of entries in the root directory. Should be 0 for FAT32 (unlimited), 512 for FAT16, otherwise a value that, multiplied by 32, is a multiple of the bytes per sector. |
| 0x13 | 2 | Number of all sectors in the partition. If 0, then the value is at 0x20. Must be 0 for FAT32, otherwise 0 only if the number is >= 64 K. |
| 0x15 | 1 | Media identifier. 0xF8 (hard disk) .. 0xFF are permitted. |
| 0x16 | 2 | Number of sectors per FAT. With FAT32 == 0 (the value is at 0x24). |
| 0x18 | 2 | Number of sectors per track for BIOS INT13. Usually only relevant for media with a geometry, i.e. cylinder/head/sector (C/H/S) addressing. |
| 0x1A | 2 | Number of heads for BIOS INT13. Usually only relevant for media with a geometry, i.e. C/H/S addressing. |
| 0x1C | 4 | Number of sectors in front of this partition (also known as "hidden sectors"). 0 for media without an MBR (e.g. floppy). OS specific. Usually only relevant for media that are visible via BIOS INT13. |
| 0x20 | 4 | Number of all sectors in the partition. If 0, then the value is at 0x13. Must be != 0 for FAT32, otherwise != 0 only if the number is >= 64 K. |
| 0x24 | 1 | FAT12/16 only: physical drive number for BIOS INT13 (0 + n .. floppy n, 0x80 + n .. hard disk n). OS specific. |
| 0x25 | 1 | FAT12/16 only: reserved (used by NT). |
| 0x26 | 1 | FAT12/16 only: extended boot signature. If == 0x29, the following 3 fields are present. |
| 0x27 | 4 | FAT12/16 only: volume ID (usually a combination of date and time). |
| 0x2B | 11 | FAT12/16 only: volume name (padded with spaces, e.g. 'NO NAME'). |
| 0x36 | 8 | FAT12/16 only: file system ID (padded with spaces: 'FAT', 'FAT12' or 'FAT16'). Informational only, i.e. it should not be used to determine the FAT type! |
| 0x24 | 4 | FAT32 only: number of sectors per FAT. |
| 0x28 | 2 | FAT32 only: FAT bit switches. Bits 15:8: reserved. Bit 7: 0 => FAT is mirrored in all other FATs during runtime, 1 => only one FAT is active. Bits 6:4: reserved. Bits 3:0: number of the active FAT (0-based), if mirroring is deactivated (see bit 7). |
| 0x2A | 2 | FAT32 only: file system version (HI byte: major, LO byte: minor) |
| 0x2C | 4 | FAT32 only: start cluster of the root directory (a priori 2). |
| 0x30 | 2 | FAT32 only: sector number of the file system information sector within the reserved area (with Microsoft operating systems always == 1). |
| 0x32 | 2 | FAT32 only: if != 0, start (sector number) of the copy of the VBR within the reserved area (a priori 6). |
| 0x34 | 12 | FAT32 only: reserved. |
| 0x40 | 1 | FAT32 only: physical drive number for BIOS INT13 (0 + n .. floppy n, 0x80 + n .. hard disk n). OS specific. |
| 0x41 | 1 | FAT32 only: reserved (used by NT). |
| 0x42 | 1 | FAT32 only: extended boot signature. If == 0x29, the following 3 fields are present. |
| 0x43 | 4 | FAT32 only: volume ID (usually a combination of date and time). |
| 0x47 | 11 | FAT32 only: volume name (padded with spaces, e.g. 'NO NAME'). |
| 0x52 | 8 | FAT32 only: file system ID (padded with spaces: 'FAT32'). Informational only, i.e. it should not be used to determine the FAT type! |
| 0x5A | 324 | MSDOS5.0: boot loader program code. Often starts after the BIOS parameter block (BPB: FAT12/16 0x0B..0x3D, FAT32 0x0B..0x59 inclusive) and can have parts in the VBR [2], in the normal data area of the file system or even in normally invisible/unused sectors of the disk (e.g. viruses). The position, content and size of the following 3 fields, given as an example for MSDOS5.0, can also vary depending on the boot loader version and language. |
| 0x19E | 67 | MSDOS5.0: boot loader error messages |
| 0x1E6 | 11 | MSDOS5.0: operating system kernel name ('IO SYS') |
| 0x1F1 | 11 | MSDOS5.0: system file name ('MSDOS SYS') |
| 0x1FC | 2 | Reserved: 0x00 0x00 |
| 0x1FE | 2 | Boot signature 0x55 0xAA |

Sector 1: FSInfo sector (only with FAT32)

The FSInfo sector is meant to help the operating system find the next free cluster more quickly. It stores the number of currently free clusters of the partition and which cluster is or could be free next. The information is only intended as a hint for the operating system and does not have to be correct!

Bytes 0 - 3: FSInfo signature 0x52 0x52 0x61 0x41 (RRaA)
Bytes 4 - 483: reserved
Bytes 484 - 487: second signature 0x72 0x72 0x41 0x61 (rrAa)
Bytes 488 - 491: free clusters (doesn't have to be right!)
Bytes 492 - 495: next free cluster (doesn't have to be right!)
Bytes 496 - 507: reserved
Bytes 508 - 511: 0x55 0xAA

The FSInfo sector is not required for FAT32 to work properly.

Sector 2 of the VBR

Sector 2 of the VBR has no use for the time being. It provides additional space for boot code in the event that sector 0 does not have enough room for it. If the complete boot code is already in sector 0, sector 2 remains empty except for the last two bytes at offsets 0x5FE and 0x5FF, which in turn contain the magic number 0x55 0xAA.

Copy of the VBR

A backup copy of all 3 sectors of the VBR is created in sectors 6 to 8 under the FAT32 file system. These can be used for restoration if the VBR is damaged. Common formatting programs usually do not overwrite this backup copy, so merely formatting a partition and the associated re-creation of a FAT does not guarantee the secure removal of all data on the partition.
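
The sector 0 layout, the FSInfo signatures and the backup copy described above can be checked together when examining a FAT32 volume: a boot-code sector that no longer matches its copy points to damage or modification. The following Python code is an added example, not part of the original article; the function names, the fixed 512-byte sector size and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors, as in the article's FAT32 example

def parse_fat32_vbr(sec0: bytes) -> dict:
    """Decode BPB fields of VBR sector 0 at the offsets listed in the table."""
    if len(sec0) < SECTOR or sec0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("boot signature 0x55 0xAA missing at 0x1FE")
    names16 = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
               "root_entries", "total16", "media", "fat_size16")
    names32 = ("total32", "fat_size32", "fat_flags", "version",
               "root_cluster", "fsinfo_sector", "backup_sector")
    bpb = dict(zip(names16, struct.unpack_from("<HBHBHHBH", sec0, 0x0B)))
    bpb.update(zip(names32, struct.unpack_from("<IIHHIHH", sec0, 0x20)))
    return bpb

def check_fat32_volume(image: bytes) -> list:
    """Return findings for the reserved area; an empty list means all checks passed."""
    bpb, findings = parse_fat32_vbr(image[:SECTOR]), []
    def sector(n):
        return image[n * SECTOR:(n + 1) * SECTOR]
    # FAT32 per the table: the 16-bit size fields are 0 and the 32-bit ones are not.
    if (bpb["root_entries"] or bpb["total16"] or bpb["fat_size16"]
            or not bpb["total32"] or not bpb["fat_size32"]):
        findings.append("BPB size fields are not consistent with FAT32")
    fs = sector(bpb["fsinfo_sector"])
    if fs[0:4] != b"RRaA" or fs[484:488] != b"rrAa" or fs[510:512] != b"\x55\xAA":
        findings.append("FSInfo signatures invalid")
    # Compare the boot-code sectors with the copy; FSInfo (sector 1) is skipped
    # because its counters are only hints and may legitimately differ.
    if bpb["backup_sector"]:
        for n in (0, 2):
            if sector(n) != sector(bpb["backup_sector"] + n):
                findings.append(f"VBR sector {n} differs from its backup copy")
    return findings

def build_sample_image() -> bytes:
    """Constructed 9-sector FAT32 reserved area (sample data, not from a real disk)."""
    s0 = bytearray(SECTOR)
    s0[0:11] = b"\xEB\x58\x90MSDOS5.0"  # jump to 0x5A, then the OEM name
    struct.pack_into("<HBHBHHBH", s0, 0x0B, 512, 8, 32, 2, 0, 0, 0xF8, 0)
    struct.pack_into("<IIHHIHH", s0, 0x20, 1_048_576, 1024, 0, 0, 2, 1, 6)
    fs, s2 = bytearray(SECTOR), bytearray(SECTOR)
    fs[0:4], fs[484:488] = b"RRaA", b"rrAa"
    for s in (s0, fs, s2):
        s[510:512] = b"\x55\xAA"
    vbr = bytes(s0 + fs + s2)
    return vbr + bytes(3 * SECTOR) + vbr  # sectors 3-5 empty, copy in sectors 6-8
```

On a real volume the same checks would be run against the first sectors read from the partition; a finding is a reason to inspect the sector contents, not proof of tampering.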

Other file systems

In principle, the volume boot record is independent of the file system used. However, there is no data field in the BIOS parameter block (BPB) that would indicate the file system used. In practice, the VBR was therefore not used by other file systems, but the boot sector or track 0 of a volume is reserved in almost all file systems. For example, neither ext2 nor ReFS use a VBR.

References

  1. Technopedia - Volume Boot Record (VBR). Retrieved June 11, 2020.
  2. Christopher C. Yang et al.: Intelligence and Security Informatics: IEEE ISI 2008 International Workshops: PAISI, PACCF, and SOCO 2008. 2008, p. 306.
  3. NTFS Partition Boot Sector. Retrieved June 11, 2020.
  4. Sean K. Daily: Optimizing Windows NT. 1998, p. 719.
  5. Steve Bunting: EnCase® Computer Forensics: The Official EnCE®: EnCase® Certified Examiner Study Guide. 2008, p. 36.
  6. http://www.ntfs.com/fat-boot-modif.htm
  7. https://www.incibe-cert.es/en/blog/bootkits-en
  8. http://www.resilientfilesystem.co.uk/refs-volume-boot-record