4

I have encountered 0x55AA in 2 scenarios:

  • the final 2 bytes of boot sector in the legacy booting process contains 0x55AA.
  • the first 2 bytes of the Option ROM must be 0x55AA

So what's special about 0x55AA?

The binary version of 0x55AA is 0101010110101010. Is it because it is evenly interleaved 0 and 1? But I don't see that's a strong criteria.

smwikipedia
  • 61,609
  • 92
  • 309
  • 482
  • 2
    Possible duplicate of [Why 55 AA is used as the boot signature on IBM PCs?](http://stackoverflow.com/questions/11075003/why-55-aa-is-used-as-the-boot-signature-on-ibm-pcs) – cadaniluk Oct 11 '16 at 09:37
  • 2
    Actually it is 0xAA55 as a 16-bit word which on a little endian system gets stored as bytes 0x55 0xAA. – Michael Petch Oct 11 '16 at 11:39
  • 1
    It's also used as the return value of a lot of perl modules found on the CPAN, which are required to return a trueish value. See http://returnvalues.userperl.at/values.html – Aaron Nov 28 '16 at 16:25

2 Answers2

6

0x55AA is a "signature word". It is used as the "end of sector" marker in the last 2 bytes of a 512 byte boot record. This includes MBR and it's extended boot records and in the newer GPTs protective MBR.

References:

Starting and Ending Cylinder, Head, and Sector Fields

Image from Master Boot Record - microsoft.com.

How Basic Disks and Volumes Work - microsoft.com.

Matheus Avellar
  • 1,507
  • 1
  • 22
  • 29
Bil Wilson
  • 61
  • 1
  • 2
0

There is nothing magical or mystical about that combination. Implementers needed a means by which to determine if the first sector of a device was bootable (boot signature) and that combination occurring in the last two bytes of a sector is so improbable, is why it was chosen.

Similarly, SMBIOS entry point can be found scanning BIOS for _SM_ signature that must be on an segment boundary like this;

  Find_SMBIOS:
    push    ds
    push    bx                      ; Preserve essential
    push    si

; Establish DS:BX to point to base of BIOS code

    mov     ax, 0xf000
    mov     ds, ax                  ; Segment where table lives
    xor     bx, bx                  ; Initial pointer
    mov     eax, '_SM_'             ; Scan buffer for this signature

; Loop has maximum of 4096 interations. As table is probably at top of buffer, cycling
; though it backwards saves time. In my test bed, BOCH's 2.6.5 BIOS-bochs-latest it was
; 1,451 interations.

.L0: sub     bx, 16                  ; Bump pointer to previous segment
     jnz     .J0

; Return NULL in AX and set CF. Either AX or flag can be tested on return.

    mov     ax, bx
    stc
    jmp     .Done

; Did we find signature at this page

.J0: cmp     [bx], eax
    jnz     .L0                     ; NZ, keep looking

; Calculate checksum to verify position

    mov     cx, 15
    mov     ax, cx
    mov     si, bx                  ; DS:SI = Table entry point

; Compute checksum on next 15 bytes

.L1: lodsb
    add     ah, al
    loop    .L1

    or      ah, ah
    jnz     .L0                     ; Invalid, try to find another occurence

; As entry point is page aligned, we can do this to determine segment.

    shr     bx, 4
    mov     ax, ds
    add     ax, bx
    clc                             ; NC, found signature

.Done:
    pop     si
    pop     bx                      ; Restore essential
    pop     ds

    ret

That signature is easily identifiable in a hex dump and it fits into a 16 bit register. Where those two criteria precipitating factors, I don't know, but again, the probability of 0x5f4d535f appearing on an even 16 byte boundary is very unlikely.

Shift_Left
  • 1,208
  • 8
  • 17
  • 1
    "That signature is easily identifiable in a hex dump and it fits into a 16 bit register." The _SM_ signature fits in 32 bits, not 16. – ecm Aug 02 '19 at 11:57