Page 1 of 1

Best way to detect FAT

Posted: Thu Feb 05, 2015 4:10 am
by kubawal
Hey!

I'm writing FAT fs driver and I don't know what detect if this filesystem is really FAT.
In FAT32, in EBR is 'signature' field that must be 0x28 or 0x29 but what about FAT12/16?
I assume that 0xAA55 'bootable partition' signature is filesystem-independent?
Are other BPB members like e.g. OEM trustable?

Re: Best way to detect FAT

Posted: Thu Feb 05, 2015 5:40 am
by alexfru
The best way would likely include:
- checking partition type (there are a number of those that are used by different FAT variants)
- checking all magic numbers in boot sectors
- sanity-checking of all other boot sector values (number of FAT copies, bytes per sector, sectors per cluster, etc, etc)
- basic checking of structural FS integrity (back up boot sectors in FAT32, FAT copies, root directory location and content of first cluster, a few cluster chains)

IOW, you don't want to miss obvious and cheap checks. At the same time, you don't want to validate the entire FS, especially if it's large and full of files. You also don't want to fail on minor inconsistencies/damage that you may encounter.

Start somewhere.

Re: Best way to detect FAT

Posted: Thu Feb 05, 2015 8:35 am
by Brendan
kubawal wrote:Hey!

I'm writing FAT fs driver and I don't know what detect if this filesystem is really FAT.
In FAT32, in EBR is 'signature' field that must be 0x28 or 0x29 but what about FAT12/16?
I assume that 0xAA55 'bootable partition' signature is filesystem-independent?
Are other BPB members like e.g. OEM trustable?
It's possibly much worse than you realise. There's about 6 different variations of the BPB, and some (e.g. "DOS 2.0 BPB") don't include half the information (and don't include things like EBR signature or the OEM string). You'd have to detect which BPB format and which version of FAT.

The 0xAA55 'bootable' signature is typically used for the MBR and boot loaders for all file systems (including the "boot loader in a partition with no file system at all" case). It's also possible to have a FAT file system that isn't bootable where the 0xAA55 'bootable' signature isn't present. I wouldn't trust the OEM string too much either - if you expect it to be present in the first place, I'd be tempted to see if it contains valid ASCII only.

In general; I'd do something like a probability calculation. For example, maybe have a score for each BPB type that starts at 50%, then examine the first field of the BPB (bytes per logical sector) and determine how believable it is and adjust the scores accordingly (e.g. maybe add 15% to all scores if the field says "512 bytes per sector", and subtract 25% if it says "128 bytes per sector", etc). Then do something similar for the next field (logical sectors per cluster), and so on. Eventually you'll get to fields like the "physical sectors per track" (at offset 0x18) that doesn't effect the score for "DOS 2.0 BPB" at all and only effect the score for "DOS 3.0 or later" BPBs.

Eventually you'll run out of things in all the different versions of BPBs to check; and decide which BPB is the most probable and if it's "likely enough" to be a BPB at all.

Once you've made that decision, you'd do something similar to determine FAT type by looking at anything that could effect the scores and calculating a probability for each file system type (e.g. if you decided it's most likely a "DOS 2.0 BPB" then you might decide it's very unlikely that it's FAT32, if the total logical sectors is large you might decide it's less likely that it's FAT12, etc). For this I would also include a "probability that it's HPFS" and a "probability that it's NTFS".


Cheers,

Brendan