What makes a Partition Table valid?

3

QUESTION: What makes a Partition Table recognizable and valid to an operating system? (Linux specifically) ?

Optional Background Info: I thought there was some sort of "signature" that defines a valid Partition Table and if the signature is not found then Linux (or any OS) would just not report partitions?

I'm using a hex editor to inspect seemingly random data (fresh random wipe or encryption of a full drive) and something about it keeps making the drive be recognized as having partitions (sometimes 2, 3 or 4 random sized partitions after it's been wiped or encrypted).

I've inspected bytes 446 through 509 (where the partition table is supposed to be stored; using an index starting from 0) and can't seem to figure out what would make Linux think the partitions are valid --- it's just random data and would have thought it is statistically improbable for a partition to be defined by randomized data written to the MBR.

I've also used GParted partition manager software for Linux to see if it recognizes the partitions and it does not. However, another software and Linux itself does recognize these "partitions". Note: The partitions are of invalid size and don't add up correctly to equal the size of the physical drive and seem to be of random size.

Mikeweb49

Posted 2012-12-28T03:51:50.590

Reputation: 255

Answers

3

Answer: nothing in particular.

An MBR contains a boot signature at the very end to indicate that there is (or should be) executable code for an x86 PC with a BIOS. In the MBR, the code reads the partition table, and boots the active partition. The boot sector of that partition would also have a boot signature. Boot sectors on floppy disks have a boot signature. The idea is to prevent some other kind of machine from blindly loading boot code and executing it; but in practice the signature is just expected to be there. If it is not, that might indicate that the whole sector is corrupted and you should go no further, since you don't want to execute random code.

But an OS can try as hard (or as little) as it wants to try to interpret the partition table. Suppose you were messing around with a disk hex editor, and managed to mangle a few entries in the partition table. Maybe some of the other partitions are still valid, so it might be worth a try; nothing is being executed -- yet. GParted probably does an actual check, and when "it doesn't add up", considers the disk to be corrupt and suitable for repartitioning.

The newer GPT format does employ a CRC32 to detect corruption. Even so, an OS, now knowing for sure that something is wrong, could still do a best effort to see what can be read anyway.

Ken

Posted 2012-12-28T03:51:50.590

Reputation: 7 497

Ken, thanks for your response. So according to this: http://en.wikipedia.org/wiki/Master_boot_record#Sector_layout The "Boot Signature" is 55h AAh in byte positions 510 and 511 (indexed starting at 0). So, what you've said makes sense to indicate whether there is valid boot code to execute. Your mention of the OS trying to interpret the partition table itself regardless of it making sense pretty much coincides with what I was guessing; I'm now on a quest to figure out what Linux specifically is keying off of to think my drive has partitions. Accepting your answer - thank you!

– Mikeweb49 – 2012-12-28T07:24:02.557

Asked: 2012-12-28T03:51:50.590

Viewed: 338 times

Active: 2012-12-28T06:22:14.647