TheeCSDump: The micro-FSD

Top Page

LVM MBR Disassembled

Bootable JFS Partition Bootsector

The micro-FSD

os2ldr Entry Values

The micro-FSD

This module contains the micro-FSD which is located between the partition bootsector and the actual data on the hard drive. The load segment was calculated in Phase 2 and for the Bochs drive image is 0x8800. The entry point is 8800:199C or 0x8999C with the registers (Bochs image) loaded as follows:

	eax: 0x0000199C
	ecx: 0x00007FBE
	edx: 0x00000080
	ebx: 0x00000000
	esp: 0x00007C00
	ebp: 0x00000000
	esi: 0xFFFF0046
	edi: 0x00000000
	eflags 0x00000246
	IOPL=0 id vip vif ac vm rf nt of df IF tf sf ZF af PF cf

Segment registers:

cs:s=0x8800    ds:s=0x8800    ss:s=0x0000    es:s=0x07C0    fs:s=0x3000

This is somewhat irrelevant because es, ds, and ss will be set to cs (0x8800 in this example) and sp set to 0x5000.

Items from previous loads:

If INT13 Ext functions are supported then 3000:0000, segment contain in fs, has 58333149h, stored as 49 31 33 58. If not the location is zero.
The storage area contains the results of Phase 2 -- (Bochs disk) 0x8803E 3F, 0, 0 0, 0, 0, 0, 0 or 0x000000000000003F.

The JFS superblock procedure loads the super block and stores values at the following locations:

superblock 8800:160C (0x8960C to 0x8980C)
offset 1858 to 185B (0x89858 to 0x89858)
offset 185C to 185F (0x8985C to 0x8985F)

; module locations
ft_cfiles dw 3
ft_ldrseg dw 0
ft_ldrlen dd 0
ft_museg dw 0
ft_mulen dd 0x5000
ft_mfsseg dw 0
ft_mfslen dd 0
ft_ripseg dw 0
ft_riplen dd 0x0

; microFSD vector table
ft_muOpen dd seg:1A9C
ft_muRead dd seg:1BD4
ft_muClose dd seg:1DAE
ft_muTerminate dd seg:1DD4

88000	jmp	short near ptr _entry  ;  Entry point from MBR code
88002	nop

;  BIOS parameter block (BPB) 
88003	db    'IBM 4.50'    ; Partition creator
8800B	db    0, 2    ; 0x0200 size of sector in bytes
8800D	db    0
8800E	db    0
8800F	db    0
88010	db    0
88011	db    0
88012	db    0
88013	db    0
88014	db    0
88015	db   F8    ; media type - hard disk
88016	db    0
88017	db    0
88018	db   3F, 0		; BPB formatted geo: Sectors - 63
8801A	db    20, 0		; BPB formatted geo: Heads - 32
8801C	db    3F, 0, 0 ,0	; 0x0000003F hidden sectors
88020	db    41, 12, 13, 0    ; 0x00131241 Big number of sectors
88024	db    80    		;  physical drive number
88025	db    80    		;  Boot drive letter
88026	db    29    		;  Ext-BPB signature
88027	db    BD , 55,  9C, 69    ;  Partition serial number 0x699c55bd
8802B	db    bochs, 0, 0, 0, 0, 0, 0    ; Partition label (11)
88036	db    "JFS     "    ; Filesystem type (8)

; Used as temp storage
8803E	db    0, 0, 0, 0    ; absolute number of the start of the sectors
88042	db    0, 0, 0, 0

; DAP : Disk Address Packet (16 bytes)
88046	db    10		; size of DAP = 16 = 10h
88047	db    0			; unused, should be zero
88048	db    20		; number of sectors to be read
88049	db    0			; unused, should be zero
8804A	db    0, 0, 0, 0	;segment:offset pointer to the memory buffer
8804E	db    0, 0, 0, 0, 0, 0, 0, 0

; eax: 0x00000001 ecx: 0x00007fbe edx: 0x00000080 ebx: 0x00000000
; esp: 0x00004ffe ebp: 0x00000000 esi: 0xffff160c edi: 0x00000040
; IOPL=0 id vip vif ac vm rf nt of df IF tf sf ZF af PF cf

; readdrive
;
;  entry:
;	ax contains number of sectors to read
;       es segment for DAP structure
;	ds segment for transfer buffer
;	si offset for transfer buffer
;       es:003E + 4 and es:0042 + 4 absolute number start sectors to read
;	es:0024 drive index
;	di (L) and bx (H) contain offset to absolute start for begin read

readdrive  proc near		

	push	ds		; save ds and dx
	push	dx		

	mov	dx, ds	 
	push	es	       
	pop	ds		; set ds to entry es value

	; DAP : Disk Address Packet (16 bytes)
	; offset range 	size 	description
	; 00h 		1 byte 	size of DAP = 16 = 10h
	; 01h 		1 byte 	unused, should be zero
	; 02h 		1 byte 	number of sectors to be read, 0..127 (= 7Fh)
	; 03h 		1 byte 	unused, should be zero
	; 04h..07h    4 bytes 	segment:offset pointer to the memory buffer 
		;			to which sectors will be transferred
	; 08h..0Fh    8 bytes 	absolute number of the start of the sectors to be read 
	
	; This routine DAP structure:
		; ds:0046		size of DAP - 16 bytes always
		; ds:0047		always zero
		; ds:0048		number of sectors to read
		; ds:0049		always zero
		; ds:004A to 004D       segment:offset pointer transfer buffer
		; ds:004E to 0055	absolute number of the start of the sectors to be 
		;                       read (1st sector of drive has number 0)
		
		; Load DAP
	mov	ds:48h,	ax	; number of sectors to read, ax contains on entry
	mov	ds:4Ch,	dx	; Buffer segment
	mov	ds:4Ah,	si	; Buffer offset
	mov	si, 46h         ; DAP offset

	mov	eax, ds:3Eh	; move sector read start from storage area
	mov	ds:4Eh,	eax	; ds:003E to ds:0055 to DAP
	mov	eax, ds:42h	
	mov	ds:52h,	eax	

	add	ds:4Eh,	edi
	adc	ds:52h,	ebx

	; DAP located at ds:0046

	mov	ah, 42h         ; 42h = function number for extended read
	mov	dl, ds:24h      ; drive index 
	mov	al, 0
	int	13h		; cf  Set On Error, Clear If No Error
				; ah  Return Code		

	jnb	short goodread
	or	ah, ah
	jnz	short readerror

goodread:
	pop	dx		; restore entry dx and ds before returning
	pop	ds
	retn

readerror:                      ; display some DAP info 
	push	ax
	mov	eax, ds:52h
	shr	eax, 10h
	call	dispaddress
	mov	eax, ds:52h
	call	dispaddress
	mov	eax, ds:4Eh
	shr	eax, 10h
	call	dispaddress
	mov	eax, ds:4Eh
	call	dispaddress
	mov	ax, ds:48h
	shl	eax, 10h
	pop	ax
	mov	al, dl
	mov	si, 0DEh	; SYS02027  message
	call	$+3		; really a jump to displayerr - never returns

readdrive  endp


; displayerr
;  Display error message pointed to by ds:(e)si and address
;  then hang the system

displayerr	proc near

	cld		
	push	eax

_dispnextchar:
	lodsb			; Load byte at address DS:(E)SI into AL
	test	al, 0FFh	
	jz	short   _endmessage
	mov	ah, 0Eh
	mov	bx, 7
	int	10h		
	jmp	short _dispnextchar	

_endmessage:				
	sti			
	pop	eax
	push	eax
	and	eax, 0FFFF0000h	
	shr	eax, 10h	
	call	dispaddress	
	mov	al, 3Ah
	mov	ah, 0Eh
	mov	bx, 7
	int	10h		
	pop	eax
	call	dispaddress	

_hangsystem:
	jmp	short   _hangsystem

displayerr	endp


; dispaddress
;  Display address in hex

 dispaddress	proc near		
	push	ax
	mov	al, ah
	and	al, 0F0h	
	mov	cl, 4
	shr	al, cl		
	call	dispchar
	pop	ax
	push	ax
	mov	al, ah
	and	al, 0Fh		
	call	dispchar
	pop	ax
	push	ax
	and	al, 0F0h	
	mov	cl, 4
	shr	al, cl	
	call	dispchar
	pop	ax
	push	ax
	and	al, 0Fh		
	call	dispchar
	pop	ax
	retn			

dispaddress  endp


; dispchar
;  Output char from dispaddress

dispchar	proc near		
	add	al, 30h		
	cmp	al, 39h
	jle	short   _dispchar1
	add	al, 7

_dispchar1:				
	mov	ah, 0Eh
	mov	bx, 7
	int	10h		
	retn			

dispchar	endp

eax: 0x0000199c 6556
ecx: 0x00007fbe 32702
edx: 0x00000080 128
ebx: 0x00000000 0
esp: 0x00007c00 31744
ebp: 0x00000000 0
esi: 0xffff0046 -65466
edi: 0x00000000 0
eip: 0x0000199c
eflags 0x00000246
IOPL=0 id vip vif ac vm rf nt of df IF tf sf ZF af PF cf

; cs:s=0x8800 ds:s=0x8800 ss:s=0x0000 es:s=0x07c0 fs:s=0x3000

0x0008924a <bogus+ 0>: 0x03 0x00 0x00 0x10 0x00 0xae 0x00 0x00
0x00089252 <bogus+ 8>: 0x00 0x88 0x00 0x50 0x00 0x00 0x7c 0x00
0x0008925a <bogus+ 16>: 0xe9 0xea 0x00 0x00 0x00 0x00 0x00 0x00
0x00089262 <bogus+ 24>: 0x00 0x00 0x9c 0x1a 0x00 0x88

8924A ft_cfiles       dw 0x0003
8924C ft_ldrseg       dw 0x1000
8924E ft_ldrlen       dd 0xAE ; will vary with version of os2ldr used
89252 ft_museg        dw 0x0000
89254 ft_mulen        dd 0
89258 ft_mfsseg       dw 0
8925A ft_mfslen       dd 0
8925E ft_ripseg       dw 0
89260 ft_riplen       dd 0

; microFSD vector table
89264 ft_muOpen_OFF   		dw 0
89266 ft_muOpen_SEG   		dw 0
89268 ft_muRead_OFF   		dw 0
8926A ft_muRead_SEG   		dw 0
8926C ft_muClose_OFF  		dw 0
8926E ft_muClose_SEG  		dw 0
89270 ft_muTerminate_OFF 	dw 0
89272 ft_muTerminate_SEG 	dw 0

This is the main entry point from Phase 2:

(SEG:199C)
_entry	proc far
	push	cs
	pop	ax
	mov	es, ax		; swap cs to es
	mov	ds, ax		; set ds to cs

	; setup	stack
	cli
	mov	ss, ax		; set ss to cs
	mov	sp, 5000h
	sti
	; es / ds / ss	set to entry cs

	call	readsuperblock

	mov	ax, 202h
	push	ds
	push	ax
	push	ds
	mov	si, 2B2Fh	; ALTF2ON.$$$ location
	push	si
	mov	ax, cs
	mov	word ptr cs:loc_899BC+3, ax

loc_899BC:				
	call	ft_muOpen
	add	sp, 8		; clean	up the stack - post C function?
	or	ax, ax
	jnz	short MAIN_JMP_1 ; ?? zero return is good result
	mov	al, 1
	mov	ds:byte_8AB2E, al
	mov	ax, cs
	mov	word ptr cs:loc_899D3+3, ax

loc_899D3:				
	call	ft_muClose

MAIN_JMP_1:				
	mov	si, 1D6h		; os2boot file name
	mov	di, 7Ch			; os2boot load address
	mov	ds:ft_mfsseg, di  ; miniFSD location
	call	LoadFile
	test	bx, 1		; test if good load
	jz	short good_os2boot

	mov	si, 1274h	; SYS1475: The file OS2BOOT cannot be found
	call	ErrorHangSys    ; does not return

good_os2boot:				
	mov	eax, ds:dword_88202
	mov	ds:ft_mfslen, eax    ; miniFSD length
	mov	si, 1CFh	; os2ldr file name
	mov	di, 1000h	; os2boot load address
	mov	ds:ft_ldrseg, di    ; os2ldr location
	call	LoadFile
	test	bx, 1		; test if good load
	jz	short good_os2ldr

	mov	si, 12ABh	; Missing OS2LDR
	call	ErrorHangSys    ; does not return

good_os2ldr:
	mov	eax, ds:dword_88202
	mov	ds:ft_ldrlen, eax    ; os2ldr length

	; loading 0Fh to DispCopyInd stops display
	; of copyright message

	mov	al, 0Fh
	mov	ds:DispCopyRInd, al

	; setup MicroFSD entry
	push	ds
	pop	ax
	mov	ds:ft_museg, ax    ; MicroFSD location
	mov	eax, 5000h
	mov	ds:ft_mulen, eax    ; MicroFSD length

	; number of entries
	mov	ds:ft_cfiles, 3

	; sets up a function list
	mov	ds:ft_muOpen_SEG, ds
	mov	ds:ft_muOpen_OFF, 1A9Ch	; ds:1A9C
	mov	ds:ft_muRead_SEG, ds
	mov	ds:ft_muRead_OFF, 1BD4h	; ds:1BD4
	mov	ds:ft_muClose_SEG, ds
	mov	ds:ft_muClose_OFF, 1DAEh ; ds:1DAE
	mov	ds:ft_muTerminate_SEG, ds
	mov	ds:ft_muTerminate_OFF, 1DAEh ; ds:1DD4
	mov	ds:ft_ripseg, 0
	mov	ds:ft_riplen, 0

	push	ds
	push	cs
	pop	ds
	mov	eax, dword ptr ds:aJfs+8
	mov	ds:dword_8801C,	eax
	pop	ds
	assume ds:nothing
	xor	di, di		; zero di
	mov	es:[di], eax
	mov	dl, ds:24h
	mov	dh, dl
	mov	ds:24h,	dx
	mov	dh, 14h
	mov	si, 0Bh
	push	ds
	pop	es
	mov	di, 124Ah
	mov	ax, ds:124Ch
	push	ax
	xor	ax, ax
	push	ax

	retf	; Should be a return which enters os2ldr

_entry	endp

readsuperblock  proc near

	mov	si, 160Ch    ; 8800:160C buffer
	mov	ax, 1		; read 1 sector

	mov	edi, 40h      ; offset from beginning of partition 
	mov	ebx, 0         ; for read

	; read 1 sector from offset of partition 0x40 (64) or 32,768
	; from the IBM docs this would be the superblock and it gets
	; read into memory at offset 160C buffer 
	; see openJFS -- jfs_superblock.h
	call	readdrive      ; load superblock to 0x8960C

	mov	eax, ds:161Ch
	bsf	ecx, eax
	mov	ds:1942h, cx     ; 0x89942
	mov	edx, ds:163Ch
	and	edx, 0FF000000h
	shr	edx, 18h
	mov	eax, ds:1640h
	shld	edx, eax, cl
	shl	eax, cl
	mov	ds:1858h, eax         ; 0x89858
	mov	ds:185Ch, edx         ; 0x8985C
	mov	dword ptr ds:23Eh, 2  ; 0x8823E
	push	bp
	mov	bp, sp
	xor	ecx, ecx
	mov	di, 3D45h
	call	sub_8AA59
	mov	cl, al
	mov	ch, 0
	push	cx
	mov	di, 1509h
	call	sub_8AA59
	mov	bx, 1
	pop	cx
	cmp	cl, al
	jg	short loc_8AA55
	mov	si, 3D45h
	mov	di, 1509h
	mov	bx, 1
	repe cmpsb
	or	cl, cl
	jnz	short loc_8AA55
	cmp	byte ptr es:[di], 5Ch ;	'\'
	jz	short loc_8AA3E
	cmp	byte ptr es:[di], 0
	jnz	short loc_8AA55

loc_8AA3E:				
	mov	al, [si-1]
	cmp	al, es:[di-1]
	jnz	short loc_8AA55
	mov	di, si
	mov	al, 5Ch	; '\'
	stosb
	mov	ds:14EFh, di
	xor	ax, ax
	stosb
	xor	bx, bx

loc_8AA55:				
	mov	ax, bx
	pop	bp
	retn

readsuperblock  endp

BootableJFSLoad

The micro-FSD