Given a MBR and the structure of MBR/partition table, how can you calculate the size and starting address of each partition?
For clarification let's say I was given this-
Answer: There are three partition table entries shown in the MBR.
Partition 1: Starting LBA Address: Sector 63 (decimal). If using hex representation, the starting address is 0000003f. Size: 20482812 Sectors (decimal). If using hex representation, the size is 01388afc.
Partition 2: Starting LBA Address: Sector 20482875 (decimal). If using hex representation, the starting address is 01388b3b. Size: 20482875 Sectors (decimal). If using hex representation, the size is 01388b3b.
Partition 3: Starting LBA Address: Sector 40965750 (decimal). If using hex representation, the starting address is 02711676. Size: 37142280 Sectors (decimal). If using hex representation, the size is 0236bf08.
How do you get to that answer?
I believe the most trouble understanding the hex representation of the partition table comes from the endianness problem. Intel PCs are based on the little-endian architecture with an actual reversed byte order for multi-byte number representations. So the LBA sector offset number like
01388b3b
is stored as 3b8b 3801
- which is right there in your MBR / partition table beginning at 0x01dd. The fact that the number is repeated right thereafter is just a coincidence - the partition length just equals the partition's LBA offset.
Depends on the OS, system, and file-system format.
Wikipedia is a good resource on the subject: http://en.wikipedia.org/wiki/Master_boot_record
Start following the layout. The partition table entries start at 000001BE ... with the 16-byte partition record...
skipping the not-so-important bits...
the 1st partition is NTFS (000001C3) and starts at 0000003f (look at the 4 bytes in little-endian starting at 000001c6) and the size is 01388acf (look at the 4 bytes in little-endian format starting at 00001ca)
If you can't read the Wikipedia page & understand it... you probably shouldn't be doing this... or should have studied better in class.
Partitions start at 1be (000001BE)
To figure out where 1be is first go to the offset (offset is the first column) 0001b0. Now at 0001b0: count in hex to find E. For example if we look at the first set of numbers after 0001b0: 0000 we count the first two digits (00) as 0 then the second two as 1… continue counting until you reach E which is at 8001 (80 is “E”). This is the start of the partition table – which is always 16 bytes so it ends at 3801 (or the second to last set of numbers in offset row 0001c0).
LBA address always starts at 8 and ends at 11. So if we look at our first partition (8001 – 3801) and count to 8 we end up at 3f00 (3f is “8”) and the end is 0000 (last two 00’s are “11”). So the entire LBA address is 3f00 0000 BUT we must reverse the order because it is in little endian format and we want hex. So to do that, break the number up like this:
3f 00 00 00
00 00 00 3f <- “reversed”
Repeat the process for the rest of the partition info -- stop if you find all 0's. Note: you can't have more than 4 (primary) partitions.
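The layout the answers above walk through (16-byte entries from 0x1BE, little-endian LBA start at entry bytes 8-11 and sector count at bytes 12-15), written as a small parser. This is an added example, not code from any of the posts. The sample sector is constructed from the values in the answer key; the type bytes of partitions 2 and 3, the zeroed CHS fields and the 512-byte sector size are assumptions.

```python
import struct

SECTOR_SIZE = 512        # assumption: 512-byte sectors
TABLE_OFFSET = 0x1BE     # first partition table entry
ENTRY_SIZE = 16          # bytes per entry
# "<" = little-endian: status, 3 CHS bytes skipped, type, 3 CHS bytes
# skipped, 32-bit LBA start (bytes 8-11), 32-bit sector count (bytes 12-15)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Return one dict per non-empty primary partition entry."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte boot sector")
    if sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("boot signature 55 AA not found at 0x1FE")
    found = []
    for i in range(4):  # an MBR holds at most four primary entries
        off = TABLE_OFFSET + i * ENTRY_SIZE
        raw = sector[off:off + ENTRY_SIZE]
        if raw == bytes(ENTRY_SIZE):
            continue  # all-zero entry: slot is unused
        status, ptype, start, count = struct.unpack(ENTRY_FMT, raw)
        found.append({"slot": i + 1, "bootable": status == 0x80,
                      "type": ptype, "start_lba": start, "sectors": count,
                      "size_bytes": count * SECTOR_SIZE})
    return found


def build_sample_mbr():
    """Constructed sector: start/size values from the answer key above."""
    entries = [(0x80, 0x07, 63, 20482812),        # NTFS per the answer
               (0x00, 0x07, 20482875, 20482875),  # type byte assumed
               (0x00, 0x07, 40965750, 37142280)]  # type byte assumed
    sector = bytearray(SECTOR_SIZE)
    for i, fields in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE, *fields)
    sector[0x1FE:0x200] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print("Partition {slot}: type 0x{type:02x}, start LBA {start_lba} "
              "(0x{start_lba:08x}), {sectors} sectors (0x{sectors:08x}), "
              "{size_bytes} bytes".format(**p))
```

To run it against a real image, read the first 512 bytes of the disk or image file in binary mode and pass them to `parse_mbr`.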