1

I have a dump from a hard-disk which has aa55 at offset 510. But the places where I have read about it says it is 55aa in dump.

000001fe: aa55

So, I'm wondering if the data is stored in big-endian or little-endian on my disk?

Thanks

Avinash Dhinwa
  • 370
  • 2
  • 13
  • The value you are lookig for is two bytes aa followed by 55, i.e. there is no concern about endiness. So look for byte aa followed by 55. Trying to think of the signature as a 16-bit values and ends just makes it difficult. – DisappointedByUnaccountableMod Dec 25 '18 at 08:54
  • @barny: that's backwards. An MBR boot signature is 55 then aa, because x86 is little-endian. Wikipedia confirms: https://en.wikipedia.org/wiki/Master_boot_record#Sector_layout – Peter Cordes Dec 25 '18 at 10:03
  • The boot signature is ALWAYS a 0x55 byte followed by a 0xaa byte. How you display it in a debugger or dump utility may be different if they output the data as WORD's instead of bytes. Because the x86 is little endian if you display (or define) it as a word it will be 0xaa55 . The low byte 0x55 will be stored in memory followed by the 0xaa in the. If you write the DWORD (32-bit) value 0x87654321 to memory it will be 0x21 0x43 0x65 0x87 (reverse order) – Michael Petch Dec 26 '18 at 22:39
  • 1
    There are some bad bootloader out there (and bad tutorials) where they get the boot signature backwards because of this. You can't rely on everything you read on the internet being correct. Some BIOSes don't even check for the boot signature so even if it is backwards it may still appear to work :( – Michael Petch Dec 26 '18 at 22:40
  • @MichaelPetch Thanks, you are right. In some places it is mentioned as a two byte word whereas in some places it is separate bytes. On wiki, it is two different bytes. – Avinash Dhinwa Dec 26 '18 at 22:52

1 Answers1

3

It's 0xaa55 as a little-endian 16-bit word, so it's 55 then aa if you look at the bytes separately. i.e. db 0x55, 0xaa

This indicates that the first sector (512 bytes) of the disk is a bootable MBR boot sector that can be loaded at linear address 0x7c00 and executed in real mode.

Wikipedia confirms this layout: https://en.wikipedia.org/wiki/Master_boot_record#Sector_layout

From 2 recent SO questions that have sources for boot sectors in ASM:

AT&T syntax: How to handle keyboard in real mode through BIOS interrupts?

.org 510
.word 0xaa55

NASM: Assembly 32-bit print to display code runs on qemu, fails to work on real hardware

TIMES 510-($-$$) db  0
dw 0xaa55

These are x86 assemblers, so they of course assemble 16-bit integers to x86's little-endian.

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
  • What **linear address*** is being discussed here, is it RAM's linear address? – Avinash Dhinwa Dec 25 '18 at 15:24
  • The reversal of boot signature can only happen if it is stored as a single 2-byte word and not separately as 0x55 and 0xaa. Am I right saying that? – Avinash Dhinwa Dec 25 '18 at 15:26
  • 2
    @AVINASHDHINWA “linear address” refers a RAM address after applying segmentation. `7c00` is the linear address for `0000:7c00`, `07c0:0000` and a bunch of other segment/offset pairs. The boot signature is not reversed. This is just the interpretation of the boot signature as a two-byte number in little endian. – fuz Dec 25 '18 at 15:54