| file allocation table - 16bit |
| | forewords
this
article is about fat16 with additional comments regarding windows 98.
certain things will appear/handle differently in other oses.
special
thanks go to jon fox who helped me out on calculating the volume serial
number, the lfn checksum and making some worthy comments while in draft
form, i really appreaciate it. |
| overview
 |  | master boot record |  | sectors 1 - 62 |  | boot record |  | fat 1 |  | fat 2 |  | root directory |  | sub directory |  | data |
1 block = 512 bytes |
this
is a scale diagram of the start of the disk with a small fat16
partition at the beginning. this partition is just over 20mb in size,
to save space not all the data/subdir/surplus area is shown - there
would be 44,815 blocks or ~=896 lines if this part was shown completely. |
| master boot record diagram
mbr in general ( =512 bytes )
the
master boot record (mbr) is located in the first data sector on the
hard disk. the mbr can have upto 4 primary partitions, each entry
occupies 16 bytes. if the slot is unused, the space is filled with 00.
each entry sets out the addressing parameters for the partition. hard
disks have grown considerably in size since they were first invented,
this has caused some strange addressing techniques to be used to ensure
compatibility. hard drives used to be addressed by cylinder, head and
sector (chs). as cylinders increased, instead of addressing it
literally, the addressing values became virtual. example: 16 heads are
specified on the drive and in bios, but when opened up there were only
6 physical heads. this is converted by the hard disks controller card
to real values. however virtual chs addressing is also limited, when
these values are exceeded, logical block addressing (lba) is used by
partitions. lba is achieved by addressing each sector on the disk by
number, the first sector is 0.
executable code ( =446 bytes ) 
this
is the first piece of software that runs when a computer loads up. it
can be less than 446 bytes; the remainding bytes will filled with 00.
the bios checks for the executable signature, if absent a hardware
error is displayed, else the code is run. it looks for and loads
partition parameters in the four areas and checks that only one is
bootable. it then checks the active partition's boot record for the
executable signature before running it. if this is absent the error:
missing operating system will appear.
boot indicator ( =1 byte ) 
determines which partition to boot from. 00 = inactive and 80 = active
there
must only be one partition marked as 80. if more than one are marked
the system will halt with the error: invalid partition table. if none
are marked the system will display a hardware error like: operating
system not found; this will vary from machine.
starting head ( =1 byte ) 
states the starting head for the partition in hex.
eg, 01 = head 1; and another example: 3f = head 63
if
these values are incorrect the system will halt with: error loading
operating system. the maximum number of heads is 256. if the partition
is in lba mode the head will be one less than the maximum.
starting sector/cylinder ( =2 bytes ) 
states
the sector and cylinder on which the partition begins. though it looks
like the first byte states the sector and the second the cylinder in
hex, this is not the case.
example: 62 sectors and 690 cylinders; from the disk read: be,b2
first convert to binary: be,b2 -> 1011 1110,1011 0010
the last 6 bits of the first byte: 11 1110 = 3e -> decimal = 62 sectors
6 bits gives a potential maximum of 63 sectors, 1 - 63 inclusively.
join the first 2 bits of the first byte with the whole second byte:
10 1011 0010 = 2b2 -> decimal = 690 cylinders
10 bits gives a potential maximum of 1024 cylinders, 0-1023 inclusively.
if these values are incorrect the system will halt with: error loading operating system.
partition type ( =1 byte ) 
states the type of partition, there are others, but for different systems.
the
maximum number of heads = 256, the maximum number of sectors is 63 and
the maximum number of cylinder is 1024. hard disk are formatted with
512 byte sectors. therefore the maximum partition is 1024 * 256 * 63 *
512 = 8,455,716,864. anything addressed over this will be a lba
partition.
if
a partition is marked as active and has a operating system installed
and the partition is marked as hidden the system will load the io.sys
and then prompt: type the name of the command interpreter (eg.,
c:\windows\command.com) a>_
ending head ( =1 byte ) 
as the starting head, but ending.
ending sector/cylinder ( =2 bytes ) 
as the starting sector/cylinder, but ending.
the starting sector ( =4 bytes ) 
this is the logical sector jump to the partition. this sector contains the partition's boot record. from the disk:
40,03,07,01 flip -> 01,07,03,40 convert to decimal = sector 17,236,800
sectors in the partition ( =4 bytes ) 
states
the number of sectors in the partition, the last sector will be one
less than the total as the first sector is sector 0. from the disk:
f0,ae,24,00 flip -> 00,24,ae,fo convert to decimal = 2,404,080
sectors
executable signature ( =2 bytes ) 
these
two bytes indicate that the sector is executable, the system will check
for them. if incorrect a hardware error will be displayed. example; on
a toshiba satellite:
insert system disk in drive.
press any key when ready....
and on a hi-grade ultinote: operating system not found; if they are present the code will run. |
| sectors 1 - 62 ( =31,744 bytes )
sectors
1 - 62 inclusively are normally left empty. applications that do use it
include: multi boot loaders like ranish advanced boot manager. security
programs such as reflex-magnetics disknet. viruses that copy themselves
to the master boot record so that they can load every time, sometimes
move the real mbr into this area, plus any more virus code. full disk
encryption programs and disk translation software for very large hard
disks may also reside here. |
| boot record diagram
-> jumpcode
-> oem/id name
 -> bytes per sector
-> sectors per allocation
 -> resevered sectors
 -> no. of fats
 -> root entries
-> total sectors(16)
 -> media type
-> sectors per fat
 -> sectors per track |  -> no. of heads
 -> hidden sectors
-> total sectors(32)
-> drive id
 -> nt reserved
 -> extended boot signature
 -> volume serial number
 -> volume/partition name
-> fat type
-> executable boot(strap) code
-> executable signature |
|
jumpcode ( =3 bytes )
the
offset jump to the boot(strap) executable code plus a nop. from the
disk: eb,3e,90 -> translates to: |jumpshort(to)|offset 3e|no
operation|
oem/id name ( =8 bytes )
some
indication to what system formatted the partition, not checked, but set
for compatibility. mswin4.0 and mswin4.1 as formatted by windows 95 and
98 respectfully.
bytes per sector ( =2 bytes )
normally
set to 512 bytes; from the disk: 00,02 flip -> 02,00 convert to
decimal = 512 bytes. 1024, 2048 and 4096 are also valid, but are not
generally used.
sectors per cluster ( =1 byte )
states
the number of sectors per cluster. this will vary depending on the size
of the partition. example: 10 convert to decimal = 16 sectors
for hard disks:
note
that in this table the cluster size is calculated with a sector size of
512, which is most common. cluster sizes should not exceed 32,768 bytes
resevered sectors ( =2 bytes )
states
the number of reserved sectors. on fat12/16: 01,00 flip -> 00,01
convert to decimal = 1 sector - the boot record is this.
no. of fats ( =1 byte )
states
the number fats used. normally set to 2 in case of bad sectors, which
could lead to data errors. however >=1 is also valid - unsure of
maximum.
root entries ( =2 bytes )
states
the maximum number of 32byte entries in the root directory; unused for
fat32 and set to 00,00; however for fat16: 00,02 flip -> 02,00
convert to decimal = 512; 512 * 32(bytes) = 16384 bytes - data is
stored after this point.
total sectors(16) ( =2 bytes )
set
if the partiton is less than 33,554,432 bytes (32mb) in size - mainly
for a floppy disk: 40,0b flip -> 0b,40 convert to decimal = 2880
sectors; fat16 partitions may also use this entry. if number of sectors
is above this will be set to 00,00
media type ( =1 byte )
states the physical media type; f8 = hard drive; f0 = (standard) floppy drive
sectors per fat ( =2 bytes )
number
of sectors in one fat; for a floppy: 09,00 flip -> 00,09 covert to
decimal = 9 * 512(bytes per sector) = 4608; there are two copies of the
fat thus 4608 * 2 = 9,216 bytes - the jump to the root directory.
sectors per track ( =2 bytes )
states the number of sectors per track.
no. of heads ( =2 bytes )
number
of disk drive heads; eg on a floppy disk: 02,00 flip -> 02,00
convert to decimal = 2 heads. on a hard disk this will be much more; eg
f0,00 flip -> 00,f0 convert to decimal = 240 heads
hidden sectors ( =4 bytes )
this
will matchup with the starting sector stated in the partitions' entry
in the mbr. it states the number of hidden sectors from the beginning
of the drive to the boot record of the partition. normally set to
3f,00,00,00 flip -> 00,00,00,3f convert to decimal = 63, for a
primary partition. note that sector 63 will contain the boot record, as
sector numbers start at zero. another example from disk: 40,03,07,01
flip -> 01,07,03,40 convert to decimal = 17,236,800
total sectors(32) ( =4 bytes )
no
of sectors in the partition eg, 10,ec,03,00 flip -> 00,03,ec,10
convert to decimal = 257040 sectors (normally 512 bytes) this entry is
used if total sectors(16) is set to 00,00
drive id ( =1 byte )
set to 00 for floppy disks and 80 for hard disks. also refered to as the logical drive number.
nt reserved ( =1 byte )
set at format to 00 and not checked thereafter.
extended boot signature ( =1 byte )
set to 29 indicating that the serial, label and type data is present.
volume serial number ( =4 bytes )
when
a partition is formatted; quick or full, it will display the newly
assigned serial such as: 15e7-2a35. this is written in reverse on the
disk as: 35,2a,e7,15. calculated by combining the date and time at the
point of format, it is an unique identifier to keep track of drives in
use. it is not possible to retrive the date and time from the serial
number.
time: 2:22:32.50p | date: (oct)10-03-2001 | serial on disk: 35,2a,e7,15
first byte is calculated as follows:
milliseconds + days -> convert to hex
50 + 3 = 53 -> = 35
the second byte is calculated as follows:
months + seconds -> convert to hex
10 + 32 = 42 -> = 2a
last two bytes are calculated as follows:
(hours [if pm + 12] * 256) + minutes + years -> convert to hex & flip
(2 + 12 = 14 * 256 = 3584) + 22 + 2001 = 5607 -> 15,e7 -> e7,15
volume/partition name ( =11 bytes )
the
volume label can be up to 11 characters. it also has to be referenced
in the root directory as a 32 byte entry with the volume attribute to
be displayed. "no name" will normally be used when the label is unused.
fat type ( =8 bytes )
normally
set to: fat12, fat16 and fat(32); this is not used to determine the fat
type and can be changed, though some non-ms drivers use it. usefull as
a quick reference of the fat type; though not always accurate.
executable boot code ( =448 bytes )
sets
out the aforementioned partition infomation and checks for the first
file to start the system; normally io.sys. if this is not present; the
stated error message (or modified one) will apppear. normally as
follows:
invalid system disk
replace the disk, and then press any key
od,oa
meaning carriage-return and linefeed respectfully; derived from a
typewritters actions. the system will look in two places for this 11
character dos named file, which can be renamed. the first 11 and 2
bytes from the end. the file must have an extension which is >= 1
letter.
executable signature ( =2 bytes )
the mbr checks for this signature: 55,aa - if absent: "missing operating system" error. |
| the fat diagrams
-> media type
-> partition state
-> 1st of a 6 cluster entry
-> 3 cluster entry
-> 2 to 5 of a 6 cluster entry | -> 10 cluster entry
-> last cluster of 6 entry
-> available cluster
-> 2 bad clusters |
|
fat in general
the
file allocation tables (fat) are positioned between the boot record and
the root directory. there are normally two identical copies made of the
fat; fat1 and fat2; designed to try and prevent storage errors when
disks were less reliable. the smallest size fat16 seems to be
256*512bytes
media type ( =2 bytes )
the
first 2 bytes of fat16 state the media type; f8 = hard disk; floppy
disks are f0; this value must match up with the media type stated in
the boot record.
partition state ( =2 bytes )
set
to ff,ff at format and at shut down; it means that the partition is
"clean" not mounted or hasn't been written to. browsing the
directories, getting properties and opening files will not mount the
disk; even if the last accessed date is updated, the disk will not be
mounted. however if data or an entry is rename or saved these two bytes
will change to ff,f7 indicating that the partition is "dirty" mounted
or in use. if a system starting up finds that the partition is still
mounted, it will know that the system did not shut down properly and
may run scandisk. this only applies to hard disks. jon fox informs me
that this section is also used to indicate if an hardware error
occurred - i was unable to verify this ;-)
fat attributes ( varies in size )
data
clusters starts at cluster 2 right after the root directory. on fat16
one cluster represented by 2 bytes in the fat.
2bytes->16bits->fat16 - fat32 uses 4 bytes. each 2 bytes in the
fat mark a position in the data area of the partition. if the cluster
is part of chain of clusters; occupying more than one cluster, they
will be numbered in hex order. the numbers range from 03,00 to 99,ff;
adding from the left. if the cluster is the last in the chain or if the
entry only takes up one cluster it will be marked as ff,ff. if a file
is resaved and it exceeds its allocated cluster, the file or directory
list will be split onto two, and the extra clusters located elsewhere
on the drive. the fat will be changed so that the last cluster in the
first chain will point to the start of the next cluster chain. in the
diagram above the first cluster points to cluster 6, (though labeled as
07,00 it is cluster 6). this is known as fragmenting, and can slow the
system down a little as these pieces need to be reassembled before use.
defragmenting will move the data around so that all the chains of
clusters are grouped together. if there is no data stored or data has
been deleted the fat will be marked as 00,00. sometimes the system
cannot keep up with this; if a 20 cluster entry is deleted and then a
new 5 cluster one created the data maybe located after the blank
entries of the deleted 20 cluster one. a reboot maybe required for the
area to be acknowledged. if the fat entries do not completely fill the
last sector of the fat the remaining space will be left empty and
scandisk will not check it. bad clusters are marked with f7,ff. data
will not be written to these areas and a thorough scandisk will not
recover these clusters, only report that they are there. data can be
hidden in phoney bad clusters, such program needs to keep track of
where the data is stored and replace certain fat entries and the data
"disappears" |
| data entry diagram
-> ordinal field
-> unicode long file name
-> longfile name attribute
 -> reserved for future use
-> dos name check sum
-> lfn data location
-> dos file name
-> entry attributes
-> nt reserved | -> create time
-> create date
-> access date
-> access time
-> modified time
-> modified date
-> data location
-> data length |
|
entries in general
entries
are made up of 32 bytes. if the entry is deleted the first byte is
changed to e5; and the sectors are marked as free. basic computer
forensics can reveal alot because of this. if this is a risk, check http://www.fortunecity.com/skyscraper/true/882/Comparison_Shredders.htm
for prevention programs. defraging the disk will compress the directory
entries and clear any redundent ones; it will also rearrange the data
so that it is grouped together, but old data will still be there. if
the first byte is 00, entries are considered to have ended for that
directory.
_be aware of that_
ordinal fields ( =1 byte - every 32 bytes of the lfn)
the
first byte of each 32 byte string of the long file name is called the
ordinal field. it tells the system which order the entries are to be
read in. this is in hex and read from 01. the first byte of the
_entire_ entry however is different, it defines the length of the total
lfn entry.
from the root dir:
| | | no. of 16 byte lines/size |
| a/41
b/42
c/43
d/44
e/45
f/46
g/47
h/48
i/49
j/4a
k/4b
l/4c
m/4d
n/4e
o/4f
p/50
q/51
r/52
s/53
t/54 |
| length is >=001 & <=013
length is >=014 & <=026
length is >=027 & <=039
length is >=040 & <=052
length is >=053 & <=065
length is >=066 & <=078
length is >=079 & <=091
length is >=092 & <=104
length is >=105 & <=117
length is >=118 & <=130
length is >=131 & <=143
length is >=144 & <=156
length is >=157 & <=169
length is >=170 & <=182
length is >=183 & <=195
length is >=196 & <=208
length is >=209 & <=221
length is >=222 & <=234
length is >=235 & <=247
length is >=248 & <=250 |
| 02 lines 032 bytes/020
04 lines 064 bytes/040
06 lines 096 bytes/060
08 lines 128 bytes/080
10 lines 160 bytes/0a0
12 lines 192 bytes/0c0
14 lines 224 bytes/0e0
16 lines 256 bytes/100
18 lines 288 bytes/120
20 lines 320 bytes/140
22 lines 352 bytes/160
24 lines 384 bytes/180
26 lines 416 bytes/1a0
28 lines 448 bytes/1c0
30 lines 480 bytes/1e0
32 lines 512 bytes/200
34 lines 544 bytes/220
36 lines 576 bytes/240
38 lines 608 bytes/260
40 lines 640 bytes/280 |
|
|
the 32 byte blocks are positioned in reverse order with the last section at the beginning of the entire entry.
the long file name
the
name is stored in unicode format. a double byte character system
designed to handle all possible foreign and scientific characters. the
orginal ascii characters are the same except they are two bytes in
size, the second byte is a null; 00. check http://www.unicode.org
for a more in depth explaination. there can be up to 13 unicode
characters per 32 byte section. if however the long file name does not
fill the slot exactly a unicode null (00,00) will be added to the end,
followed by ff,ff's until the section is filled. note that entries do
not have to have a lfn.
as you can see from the table above a
long file name in the root directory can be between 1 and 250
characters. this is alittle odd as there is still space for 10(?) more
characters, also stated by microsoft that files could have upto 255
characters. total path length; tpl refered to in this text is the
character length from the drive letter to the folder or file, eg:
"c:\new folder" has a tpl of 13. "c:\new folder\test.dat" has a tpl of
22. a large tpl can have strange effects on explorer. a single folder
in c:\ can have a tpl of 253 (250 + c:\) it can only contain files
<= 4 characters in length. however if there are two folders the tpl
can be up to 255, with 2 remaining for files. the maximum valid tpl for
98f16 including a file is 258. note that this value can change alittle,
eg one character folders; c:\a\a\a\...etc (122 folders; maximum) can
have a tpl length of 254, including 7 for a file; and even this can
change, if you paste a file in it can be up to 12 characters for a
file. why this varies is unclear. explorer checks the tpl on entry
creation to see that it does not exceed an illegal value, however it
only checks it up to that point. thus two folders could be created, and
the first one renamed to a longer length so that when the subfolder is
accessed the tpl is greater than allowed. while a tpl of such length
will have stange effects on the system eg, inaccessable, unviewable,
unmoveable, undeleteable, false properties of files and folders;
scandisk will fix them by either renaming the affected files or folders
and/or moving them to the root directory. one combination is of note.
create a folder in the root directory with a name of 1 character, save
a file of 5 characters in length into the folder, rename the folder so
it has 250 characters in the name. tpl is 259. properties are correct
for the file and it can be opened and resaved to the same location,
however it cannot be moved out of that folder nor renamed or deleted,
to do so the foldername must be shortened. this doesn't stop the file
being opened and resaved to a different location. scandisk doesn't seem
to mind this combination.
not all ascii (unicode) characters can
be used in long file names. names cannot contain the following
characters: \/:*?"<>| if the name begins with a space it will be
removed, if a fullstop - prompt for a valid name. if the name ends with
a fullstop or spaces they will be removed. letters from the extended
character set can cause some confusion of explorer in 9x/me systems.
the following acsii characters inclusively are of note in 9x: 158, 169,
176->224, 226->229, 231->240, 242->245, 247, 249,
251->252 and 254->255; 75 characters. in me: 176->180,
185->188, 191->197, 200->206, 213, 217->220, 223, 242 and
254; 31 characters. if a folder contains any of this characters you
cannot access it via explorer; it errors with "the folder 'path'
doesn't exist" twice. properties are displayed incorrectly. copying and
deletion attempts result in "cannot delete file file system error
(1026)." explorer will prevent the entering of these characters by
turning them in the underscore. they can be entered in a dosbox. check
numlock is on; normally by default, then press alt+type the number on
the keypad - laptops normally alt+fn+no. if a file has these characters
in, when opened it will prompt "cannot find the 'path\file' do you want
to create a new file?" clicking no creates an untitled blank document.
clicking yes creates a new blank file, but with the illegal character
an underscore in the name - resave it. now, and this is quite
interesting; when opening or deleting the illegal file, it will
open/delete the one with the underscore in. this means that explorer,
on finding a entry with a character in that it cannot handle, scans the
current directory for one of the same name, but with an underscore in.
folders can also be "redirected" this way and the underscore named
entry will be opened with internet explorer. scandisk doesn't seem to
mind this.
some whole words are also a problem. you cannot
create directories or files of the following names: aux, con, nul, prn,
com1, com2, com3, com4, lpt1, lpt2, lpt3, lpt4, lpt5, lpt6, lpt7, lpt8,
lpt9, clock$ and config$ in total, 19 words. it will error with either:
unable to create directory or cannot rename thefilename: access is
denied. it seems that these values, reserved hardware device/port
names, may already be in use by the operating system - they are
mentioned in the io.sys. attempts to access a folder with a subfolder
of both the same reserved name will crash/freeze the system for:
aux\aux, con\con, nul\nul, clock$\clock$ and config$\config$. the
others will result in the error: invalid directory. you cannot create
files or folders in windows of these reserved words, but you can change
them with a hexeditor on the disk, most result in either errors,
instant freezing/crashing of the system and nondeletable, noncopiable
or inaccessable entries in explorer. a lot of these entries' properties
are reported as 112bytes. scandisk will rename most reserved names with
a hyphen on the end. however scandisk does seem to mind the following
names: lpt4 to lpt9. the names have to be in uppercase or scandisk will
error and fix to uppercase. the folder 'path' does not exist error
appears twice on attempted access; files cannot be opened. cannot
delete file: file system error (1026). properties report the folder as
a file of zero bytes. cannot copy file: file system error (1026) note
that these may vary as hardware configurations may be different.
lfn attributes and location
( = 1 byte and 2 bytes respectfully; every 32 byte section of the lfn )
entire
entries are read in as 32 byte blocks. to ensure compatiblity with
older systems, when they introduced long file names, each section of a
long file name had to "pretend" to be an entire entry. to do this the
entry attribute and data location are set to the "impossible values" of
0f and 00,00 respectfully. each 32 byte section of the long file name
is required to have this slotted in.
lfn reserved ( =1 byte - every 32 bytes of the lfn )
set
to 00 at entry creation. it is reserved for future use; however copying
or renaming a file/folder resets it to 00. resaving a file retains any
changed values.
dos name checksum ( =1 byte - every 32 bytes of the lfn )
this
is for checking that the dos name and the long file name match up
correctly. if this value is incorrect, the lfn will be discarded and
the dos name subsituted.
the steps are:
1. take the ascii value of the first character. this is your first sum
2. rotate all the bits of the sum rightward by one bit
3. add the ascii value of the next character with the value from above. this is
your next sum
4. repeat steps 2 through 3 until you are all through with the 11 characters in
the 8.3 filename
note that spaces (ascii value 20) are also included.
to calculate manually use calc.exe; view scientific, switch to hex mode and select the byte radiobutton under the display.
dosname: UNTITLEDTXT - lfn checksum: 44
in this section "->" means rotate all the bits, one bit to the right.
U = 55 = 0101 0101 -> 1010 1010 = AA
N = 4E + AA = F8 = 1111 1000 -> 0111 1100 = 7C
T = 54 + 7C = D0 = 1101 0000 -> 0110 1000 = 68
I = 49 + 68 = B1 = 1011 0001 -> 1101 1000 = D8
T = 54 + D8 = 2C = 0010 1100 -> 0001 0110 = 16
L = 4C + 16 = 62 = 0110 0010 -> 0011 0001 = 31
E = 45 + 31 = 76 = 0111 0110 -> 0011 1011 = 3b
D = 44 + 3b = 7f = 0111 1111 -> 1011 1111 = bf
T = 54 + bf = 13 = 0001 0011 -> 1000 1001 = 89
X = 58 + 89 = e1 = 1110 0001 -> 1111 0000 = f0
T = 54 + f0 = 44
dos file name ( =11 bytes )
dos
names can be >=1 and <=11 characters. any remaining bytes will be
filled with spaces. if the entry also has a long file name attached the
dos name is changed slightly. the name is shortened to 6 characters and
a tilde~ and number are added to the end, giving a total of 8
characters. if the first 6 letters are different from all other dos
names in that directory then the ending is ~1 however if they are the
same the ending number will be different. the system scans the dos
names in that directory for the lowest available ending number to use,
incrementing by 1 (decimal) as needed. when ~10 is reached the dos name
is reduced to 5 characters to make room. if a file is copied to a
different directory the dos name and long file name checksum may
change, as the system checks both dos and long file names already in
use. process referred to in this text as tilded. the last three letters
of a dos name are considered the file extension and will be divided off
from the rest by a space or a fullstop. all letters are converted to
uppercase. if an entry has its dos name converted to lowercase it can
cause problems. while files handle okay, attempts to open a folders
results in the error: c:\folder is not accessible. this folder was
moved or removed. in a dosbox the result is path not found and the
volume serial number and name are displayed, it can however be deleted,
in dos or explorer. scandisk will fix this by converting back to
uppercase. if the name contains spaces, they will be removed and the
name tilded. if the name contains a fullstop, upto the first three
letters thereafter are considered the extension. if the extension is
more than three letters, just the first three will be used plus the
name is tilded. if the name contains more than one fullstop the last
one is used as the divide between the name and extension. all other
fullstops are removed and the name is tilded.
lfn names cannot
contain the following characters: \/:*?"<>| some can be attempted
to be used in dos, but they have strange effects. tested in a dosbox;
file creator is "copy con filename" typed text "crtl + z","enter"
\ creation: path not found; rename: invalid parameter
/ creation: invalid switch; rename: anything after and including the forward slash will be removed
: creation: to many parameters; rename: file not found
* creation: anything after and including the asterisk; but not the extension will be removed. * is a wildcard
?
creation: the question mark is removed; rename: either the question
mark will be substituted for an other letter or it will be removed; how
it substitutes is unclear. ? like * is a wildcard
" creation: the double quotation mark is removed; rename: as creation
< creation: file not found; rename: as creation
>
creation: splits into two different file at the greater-than sign. the
first half contains the text, while the second contains the following
text: " 1 file(s)
copied" - the confirmation that appears after the text is saved;
rename: as creation, but the second half contains nothing as there
isan't a confirmation on rename. the > character pushes screen
output to "somewhere" as shown in the example above a file. >>
appends to "wherever"
| creation: anything after and including the
vertical bar will be removed, also on save the message bad command or
file name appears; rename: as creation. the | can be used to "pipe"
instructions eg: echo y|del *.* >nul will quietly delete all files
in the current directory (hidden, readonly and system attribute file
are not deleted)
entry attributes ( =1 byte )
documented attribute values
none: 00
archive: 20
read-only: 01
system: 04
hidden: 02
directory: 10
volume: 28 (hdd)
if attribute = 00 then its treated as a file.
for archive, hidden and system attributes; add the values together: 26
archive
and directory *can* also be unoffically stated as other values. read in
the first nybble and convert it to decimal. if its divisible by 2 its
an archive, else its a folder.
if the second nybble is >=8
and <=e the entry disappears and becomes the volume name. the volume
attribute should only be stated once on the partition, offset 15h.
sometimes there will be an entry already in root that will override
this. this is valid if the entry has no data attached, else scandisk
will delete and recover any clusters. n.b: volumes are archives; if
stating it in the root (this will only work in root) so f8 is invalid
here. there can only be one valid entry in the root that can have the
volume attribute.
if the second nybble is =f the entry
disappears completely, however its still a volume. scandisk will error
if there is data attached, and delete any data.
volumes can
labelled <=11 characters from explorer, however you can increase the
length by saving an entry in the root directory and changing its
attributes to a volume, this can have some interesting effects. volume
names >=12 and <=32 will prevent renaming of the label via
explorer even though the text field will be editable. error: access
denied. >=33 the label will be greyed out and uneditable. volume
names of >=78 will cause illegal operation errors and not enough
available memory errors on attempted format in explorer. volume names
of >=83 will cause scandisk to crash in a similar way, and reboot
maybe needed even if the volume attribute is removed. all values above
these have not been tested, but are believed to be the same. partitions
can still be formatted in dos/dosbox.
ntreserved ( =1 byte )
set to 00 at entry creation and never modified or checked thereafter.
reserved for windows nt. copying the file resets the attribute, but renaming doesn't.
create time ( =3 bytes )
minimum time: 00:00:00 = 00 00 00 if zero, no time in properties
maximum time: 23:59:59 = 64 7D BF
how it calculates it:
the values on the disk are: 64,90,a6 and properties: 8:52:33pm
first flip the bytes: 64,90,a6 -> a6,90,64
convert to binary: a6,90,64 -> 10100110,10010000,01100100
divide up the sections and convert back to decimal: (from left to right)
(5bits;hour) 10100 -> = 20hrs (24hr) or - 12 = 8pm
(6bits;mins) 110100 -> = 52 minutes
(5bits;secs) 10000 -> 16; * 2 = 32 seconds
(8bits;mili) 01100100 -> = 100 milliseconds
if millisecs >=000 and <=099; seconds is correct + no. of milliseconds
if millisecs >=100 and <=199; seconds + 1 = seconds + no. of milliseconds
if millisecs >=200; seconds + 2 = seconds (etc) but its considered invalid
which gives 33 seconds exactly: 8:52:33pm
invalid times such as 2600hours simply roll fowards to become 0200hours in properties, scandisk does not error.
create date ( =2 bytes )
minimum date: 1/1/1980 = 21 00
maximum date: 2/7/2106 = 46 FC
how it calculates it:
the values on the disk are: 14,2b and properties: 20th august 2001
first flip the bytes: 14,2b -> 2b,14
convert to binary: 2b,14 -> 00101011,00010100
divide up the sections and convert back to decimal: (from left to right)
(7bits;yr) 0010101 -> 21; + 1980 = 2001
(4bits;mt) 1000 -> = 8 or august
(5bits;dy) 10100 -> = 20th
20th august 2001
invalid dates such as the 31st of september simply roll forwards to the 1st of october in properties, scandisk does not error.
the last possible create date and time is:
sunday, february 07, 2106 7:28:15am anything beyond = (unknown)
the create date and time seem to be handled together though they are separate entries.
access date ( =2 bytes )
minimum date: 1/1/1980 = 21 00
maximum date: 2/7/2106 = 46 FC
this
date is highly changeable, just right clicking on it will reset to
current date, however it can be correctly querried programatically.
this is calculated the same way as the modified date (see above)
access time ( =2 bytes )
minimum/maximum: 00 00
this
is a strange entry, it has to be 00 00, if you change it manually,
windows changes it back if you view the properties of the file, or if
you resave it. therfore you can only get access properties to the day.
modifed time ( =2 bytes )
00:00:00 = 00 00 if zero, no time in properties
23:59:58 = 24 28
this
is calculated the same way as the modified time (see above) except that
it does not have the same accuracy; one less byte. thus the modified
time is to the nearest 2 seconds.
the last possible modified date and time is:
sunday, february 07, 2106 7:28:14am
modified date ( =2 bytes )
minimum date: 1/1/1980 = 21 00
maximum date: 2/7/2106 = 46 FC
this is calculated the same way as the modified date (see above)
data location ( =2 bytes )
the minimum can be 00 - 0 and the maximum ff - 65535
the correct value will point the os to the starting cluster of the data.
eg, 03 00
flip these values: 00 03
convert to decimal: 3
data starts at the beginning of the third cluster.
if
an entry points to the same cluster they are said to be cross-linked,
this is of note regarding folders. foldernames mentioned are only for
reference. create a folder in root called folder1, create a subfolder
within called folder2. change the location of folder2 to 00. attempts
to access folder2 result in explorer looping back to root. scandisk
will error and the fix is to move/recover folder2 and its contents to
the root directory. scandisk can get a little muddled if you create a
subfolder within folder2 called folder3 and point the location of
folder3 to folder2. the default fix is to give each file a separate
copy of the shared cluster(s) if this is attempted scandisk will loop
at each attempt, and any data in folder3 maynot be recovered. there
are, however other fix options available which will recover the data,
though some directories maybe undeletable due to an exceeded total path
length, just shorten the folder name.
data length ( =4 bytes )
the minimum can be 00 00 00 00 - 0 and the maximum ff ff ff ff -
4,294,967,295
gb, mb, kb, by
this entry will state the length of data to read in.
eg, AC 3B 96 00
flip these values: 00 96 3B AC
convert to decimal: 9,845,676 bytes or 9.38MB
folders have a value of: 00 00 00 00
the
maximum is restricted by the size of the partition. the largest
partition creatable by fdisk for fat16 is 2047.31mb (2,146,765,824
bytes) entry stated as 00,80,f0,7f. the largest file creatable in this
partition is 1.99gb (2,146,467,840 bytes). not all the data area is
filled, 18,944 bytes of surplus sectors were left empty at the end.
subdirectories ( =64 bytes )
at the beginning of all directories (not root) there will be two folder
entries of total 64 bytes before the list of files or folders within
that directory. they are dot and dotdot and are visable in dos. dot is
the current folder and dotdot is the parent folder. each entry will
have the following properties: a dos name of either dot or dotdot;
attributes of a folder; the create, access, modified date and time,
though only the modified date and time are required; the cluster
location of the folder, dot will be the same as the current folder and
dotdot will be the same as the parent folder or 00 if root; and a data
length of zero. also these entries have to be at the beginning of the
directory list. a three dot entry is not valid even though you can
change to two folders up. you can add more entire "dot" entries without
scandisk erroring, on the condition that the dos name, the directory
attribute, the cluster location matchup and the data length is zero.
these extra entries will also not be visable in explorer and they do
not have to be at the beginning of the directory list. folders seem to
handle okay without the dot and dotdot entries and the system doesn't
check the location values when changing directory.
the root
directory in fat16 is a fixed at 16,384 bytes in size. in total: 512
dosname entries of 32bytes or 256, 64byte entries with a lfn of upto 13
characters. if the maximum lfn entry is used, a maximum of 24 entries
can be listed in the root directory with 256 bytes remaining. at this
point errors will occur if any entries are attempted to be added or
lengthen. entrycopy: "cannot copy thefile: the directory or file cannot
be created." entryrename: "cannot rename thefile: access is denied.
make sure the disk is not full or write-protected and that the file is
not currently in use."
subfolders can have many entries. when a
subfolder is created, 1 cluster is set aside for entries. when this is
exceeded the directory list extends into another cluster, usually one
is not avaiable right after the first section, as a result directory
lists get fragmented accross the drive. |
| | you must get permission from the respective author before reproduction |
|
|
