Location of EWF overlay "flags" in disk partition?


Gereon

I would appreciate any information anyone can give me about where in the EWF
disk partition the flags (like the ones that "ewfmgr.exe -restore -all"
would configure) can be found. My intention is to set the system to do a
"-restore -all" by configuring the flags with code in our custom BIOS, so
that there is no chance of the data in the overlay getting re-used if the
system reboots very early on. I guess I'm not much of a Googler; I keep
finding references to people doing it but nothing explicit about where they
found the flags or what they were set to.
 
Gereon,

I don't have a straight answer for you but rather a quick comment.

The info you are looking for is undocumented (the EWF config overlay structure is undocumented). This is outside of product support and
may change from XPe or EWF version to version. This may not work well for you in the future if you decide to patch EWF or move to a
new SP in your image.

Although I don't know the particular fields of the config structure, it was very simple to figure out the enable/disable flag bits of the EWF RAM
config overlay. I basically compared the partition data before and after I changed the EWF state and rebooted.
You can do the same with the -restore -all command. Just use some tool that will allow you to see the sectors of any partition
(DiskProbe, DiskEdit, Paragon Partition Manager, Partition Magic, etc.).
 
Gereon,

I'm not sure that I understand what you want to do. (I mean I do not understand why you want to do this in such a way.)

Something about the boot process:
- The disk is divided into at least two partitions, one with the original data and one hidden with the overlay data.
1. After the BIOS, MBR, and FS boot sector are done executing, ntldr is loaded from the original partition. (The overlay is not examined to see whether
ntldr was deleted.)
2. The special ntldr is aware of the hidden partition's existence and starts using its overlay data to create the last known state.

Early in boot, while ntldr is executing, you can press F8 and get a menu that allows you to discard bad overlay data, etc. So your user,
instead of going to the BIOS, could press F8.

Regards,
Slobodan
 
Hi Slobodan,
You probably don't recall helping me before (you help a lot of people, I
don't expect you to keep track!), but in a previous thread KM, you, and I
established that unless the system booted to a point where
ewfmgr -restore -all could be executed, there was a condition where the
system may actually use overlay data on reboot instead of always restoring
to the original state. Here's the thread:

http://groups-beta.google.com/group...a3?q=Gereon+EWF&rnum=1&hl=en#626a2efbb294b1a3

At any rate, I'm going to try to get ahold of a copy of one of the programs
KM listed in hopes of being able to navigate to the partition and watch the
flags change.

Best Regards,
Gereon
 
Hi Gereon,

Ahh now I see what you want to do :-)

You can use diskedit from NU to access raw partition info. Or you can use my copy program:
http://www.xpefiles.com/viewtopic.php?t=144

Make sure that you use the source and destination paths exactly as in the help. Otherwise you can end up overwriting the MBR instead of the MBR
being written to a file.

Since the EWF partition is hidden from XPP you probably won't be able to access it directly, but through absolute disk access you should
be able to.

You will need these steps for your patch program, so this will be good practice for you.

First you need to find out where the EWF partition begins.

Step 1. You need to get the first 512 bytes from the beginning of the disk into some file.
http://www.ata-atapi.com/hiwtab.htm
You need to pick the 4 bytes that represent the LBA partition start for the partition type that belongs to EWF. Multiply it by 512 to get the disk
byte offset.

Step 2. Use the calculated offset to copy the beginning of the EWF partition to a file; grab 65536 bytes, for instance.
Step 3. Grab the new data into another file after you execute the EWF command in XPe.

Use "Total Commander" or any hex editor that can compare two binary files and show you the differences.

Regards,
Slobodan

PS: let us know if you need more help or when you have some findings.
 
I agree with Slobodan's steps.

Although, personally, I preferred using Paragon Partition Manager. There was no need to calculate the partition offset, as I could just
see the sectors of any partition (including hidden ones), EWF included.
Then you can save the sectors into a file with the tool and compare it with a bunch of tools (free ones are: WinDiff, the fc command, etc.).
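The procedure laid out in Slobodan's three steps and in the reply above (read the MBR, pick the partition entry whose type belongs to EWF, multiply its LBA start by 512, dump the first 64 KiB of that partition before and after running an EWF command, then diff the two dumps sector by sector) as an added Python example. This is not code from the thread or from any EWF tool: the sample MBR, the two overlay dumps and the changed sector are constructed here so the script runs offline, and the partition type 0x45 used to pick out the EWF partition is an assumption that you should verify against your own MBR dump.

```python
import struct

SECTOR_SIZE = 512
MBR_TABLE_OFFSET = 446          # the four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
# Assumption: the EWF hidden partition is marked with MBR type 0x45.
# Check the type byte in your own MBR dump before relying on this.
EWF_PARTITION_TYPE = 0x45


def parse_mbr(mbr):
    """Return the non-empty entries of a classic MBR partition table."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA MBR signature")
    entries = []
    for index in range(4):
        # Entry layout: boot flag, CHS start (3 bytes), type, CHS end (3 bytes),
        # LBA of first sector (little-endian u32), sector count (u32).
        boot, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, MBR_TABLE_OFFSET + 16 * index)
        if ptype == 0:
            continue            # unused slot
        entries.append({"index": index, "bootable": boot == 0x80,
                        "type": ptype, "lba_start": lba_start,
                        "sectors": sectors})
    return entries


def partition_byte_offset(mbr, ptype=EWF_PARTITION_TYPE):
    """Disk byte offset at which the first partition of type `ptype` starts."""
    for entry in parse_mbr(mbr):
        if entry["type"] == ptype:
            return entry["lba_start"] * SECTOR_SIZE
    raise LookupError("no partition of type 0x%02X in MBR" % ptype)


def read_raw(path, offset, length):
    """Read `length` bytes at `offset` from a raw device or a disk image file.

    On Windows, path can be the physical drive (e.g. \\\\.\\PhysicalDrive0, as
    administrator); offset and length must then be multiples of the sector size.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        return fh.read(length)


def diff_sectors(before, after, sector_size=SECTOR_SIZE):
    """Compare two dumps of the same region; return a list of
    (sector_index, [changed byte offsets within that sector])."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length; grab the same range both times")
    changed = []
    for start in range(0, len(before), sector_size):
        a = before[start:start + sector_size]
        b = after[start:start + sector_size]
        if a != b:
            changed.append((start // sector_size,
                            [i for i in range(len(a)) if a[i] != b[i]]))
    return changed


def locate_changed_bytes(mbr, before, after):
    """Whole procedure: MBR -> EWF partition offset -> sector diff.
    Returns (partition byte offset, [absolute disk byte offsets that changed])."""
    base = partition_byte_offset(mbr)
    absolute = [base + sector * SECTOR_SIZE + off
                for sector, offsets in diff_sectors(before, after)
                for off in offsets]
    return base, absolute


# --- constructed sample data so the script runs without a disk -------------

def build_sample_mbr():
    """Constructed MBR: bootable NTFS at LBA 63, then a type-0x45 partition."""
    mbr = bytearray(SECTOR_SIZE)
    entries = [(0x80, 0x07, 63, 2_000_000),
               (0x00, EWF_PARTITION_TYPE, 2_000_063, 100_000)]
    for i, (boot, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, MBR_TABLE_OFFSET + 16 * i,
                         boot, ptype, lba, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def sample_dumps(length=64 * 1024, flag_sector=34):
    """Two constructed 64 KiB dumps of the partition start; exactly one byte
    in one sector differs, standing in for a flag flipped by an EWF command."""
    before = bytes(length)
    after = bytearray(before)
    after[flag_sector * SECTOR_SIZE + 8] ^= 0x01
    return before, bytes(after)


if __name__ == "__main__":
    base, changed = locate_changed_bytes(build_sample_mbr(), *sample_dumps())
    print("overlay partition starts at disk byte offset %d" % base)
    for off in changed:
        print("changed byte at disk offset %d (sector %d of the partition)"
              % (off, (off - base) // SECTOR_SIZE))
```

On a real system the constructed data is replaced by three raw reads: `read_raw` of the first 512 bytes of the disk for the MBR, then `read_raw` of 65536 bytes at the computed offset once before and once after the EWF command. The script only reports which sectors and bytes changed; interpreting the bits, and anything that writes a sector back, is still a manual step in a hex editor.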
 
I think we got it. I thought it would be close to the start of the
partition, but it was actually 34 sectors in. We just overwrite one sector
there with an image of it after I do a -restore -all, and it seems to play
nice.

And yeah, we know we're hackin'. But if the EWF had the right flags, we
wouldn't need to!
 