Revisiting Bytes 0, 1, and 2

Regarding bytes 0, 1 and 2 in FAT Boot Sector Walk Through, I wrote:

[B]ytes 0, 1 and 2 contain the jump code … 90 58 EB, which is the address on the USB stick for any boot code.

Notice the following screenshot taken from the hex editor in the aforementioned post, particularly the red semi-circled area. In this shot, I have the hex editor set to display decimal offsets into the image, so each byte (starting with zero) relates to what is displayed. If you refer back to the full image and count the number of bytes on the first line, you’ll notice that 17 bytes are displayed. The first byte on the second line is byte 18, which is the number displayed in the first column of the second line.

hex-editor-offset.png

Displaying decimal offset is very handy, particularly when you’re doing keyword searches, which I’ll be covering at a later date. But it’s not that helpful when you have a hex offset, such as we have in bytes 0-2. In this case, we want to switch from decimal to hex. Almost every hex editor worth its salt will let you make this switch. In the 0xED editor, you go to Preferences and switch Number mode from Decimal to Hex. After doing so, the offsets will appear similar to the following:

hex-editor-byte-offset.png

You’ll notice that the 18 changed to 12. The 12 is hexadecimal, which equates to 18 decimal.

In the toolbar of 0xED, there’s an area called Go To Offset that looks like this:

0xED-go-to-offset.png

If we enter 9058EB, the hex editor will jump us to that area of the image. In my case, it’s nothing but zeros for as far as the eye can see because this USB image isn’t bootable. While bytes 0, 1 and 2 technically constitute an invalid entry, it doesn’t matter because it doesn’t hurt anything. (Update: DOS and Windows require this value to be set, whether or not the file system is bootable. Other operating systems do not. Moreover, for FAT12 and FAT16, bytes 0-2 will contain the value EB 3C 90. FAT32 will contain EB 58 90.) If the stick were bootable, this jump code should point to the relevant boot code. If not, we could locate the boot code, modify this entry to point to the correct address, and boot from the stick.
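As an added example (not part of the original post): the values listed in the Update, EB 3C 90 and EB 58 90, decode as an x86 short jump (opcode EB with a one-byte displacement counted from offset 2) followed by a NOP (90), so the jump lands at sector offset 0x3E or 0x5A. The function names and the zero-filled sample sector are constructed for illustration, and the E9 near-jump branch goes beyond the values given in the post.

```python
import struct

# Constructed samples: bytes 0-2 as given in the post's Update.
FAT16_JUMP = bytes.fromhex("EB3C90")
FAT32_JUMP = bytes.fromhex("EB5890")


def decode_jump(sector: bytes) -> dict:
    """Decode bytes 0-2 of a FAT boot sector as the x86 jump they encode."""
    if len(sector) < 3:
        raise ValueError("need at least 3 bytes")
    opcode = sector[0]
    if opcode == 0xEB:
        # JMP rel8: signed displacement, relative to the next instruction (offset 2).
        (disp,) = struct.unpack_from("<b", sector, 1)
        return {"form": "short", "target": 2 + disp, "nop": sector[2] == 0x90}
    if opcode == 0xE9:
        # JMP rel16: little-endian signed displacement, relative to offset 3.
        (disp,) = struct.unpack_from("<h", sector, 1)
        return {"form": "near", "target": 3 + disp, "nop": False}
    return {"form": "invalid", "target": None, "nop": False}


def describe(sector: bytes) -> str:
    """Report where the jump lands and whether that region holds any code."""
    info = decode_jump(sector)
    target = info["target"]
    if target is None:
        return "bytes 0-2 are not an x86 jump"
    if not 0 <= target < len(sector):
        return f"{info['form']} jump lands outside the sector"
    # Bytes 510-511 hold the 55 AA signature, so boot code ends before them.
    region = sector[target:510]
    state = "non-zero bytes (possible boot code)" if any(region) else "all zeros"
    return f"{info['form']} jump to sector offset 0x{target:02X}; region is {state}"


def sample_sector(jump: bytes) -> bytes:
    """Constructed 512-byte sector: jump bytes, zero fill, 55 AA signature."""
    return jump + bytes(512 - len(jump) - 2) + b"\x55\xAA"


if __name__ == "__main__":
    for name, jump in (("FAT12/16", FAT16_JUMP), ("FAT32", FAT32_JUMP)):
        print(name, "->", describe(sample_sector(jump)))
```

The displacement is relative to the start of the sector, so on an image of a whole stick the sector's own offset has to be added to the result before using Go To Offset.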

I may revisit this later if I ever get around to creating a bootable stick. Until then, play around with it and have fun. cough