SUPERBLOCKS
Now that we have a high level view of the extended filesystem, we will drill down into each of its major components, starting with the superblock. The superblock is 1024 bytes long and begins 1024 bytes (2 sectors) into the partition right after the boot block. By default the superblock is repeated in the first block of each block group, but this can be changed by enabling various filesystem features.
Some readers may be familiar with the BIOS parameter blocks and extended BIOS parameter blocks in FAT and NTFS boot sectors. On Windows systems the parameters in those blocks contain all the information the operating system requires in order to read files from the disk. The superblock performs a similar function for Linux systems. Information contained in the superblock includes
Block size
Total blocks
Number of blocks per block group
Reserved blocks before the first block group
Total number of inodes
Number of inodes per block group
The volume name
Last write time for the volume
Last mount time for the volume
Path where the filesystem was last mounted
Filesystem status (whether or not cleanly unmounted)
When examining a filesystem it can be convenient to use a hex editor that is made specifically for this purpose. One such editor is Active@ Disk Editor by Lsoft. It is freely available and there is a version for Linux (as well as one for Windows). The Active@ Disk Editor (ADE) may be downloaded from http://disk-editor.org. ADE has several nice features, including templates for interpreting common filesystem structures such as superblocks and inodes. The subject system’s superblock is shown in ADE in Figure 7.5. We will cover the fields in Figure 7.5 in detail later in this chapter during our discussion of various filesystem features. For the moment, I feel I should point out that the block size (offset 0x18 in the superblock) is stored as x, where the block size in bytes = 2(10 + x) = 1024 * 2x. For example, the stored block size of 2 equates to a 4 kB (4096 byte) block. Table 7.1 summarizes all of the fields that may be present in a superblock as of this writing. The material in Table 7.1 primarily comes from the header file /usr/src/
FIGURE 7.5
Examining a superblock with Active@ Disk Editor.
Table 7.1. Superblock field summary.
| Offset | Size | Name | Description |
|---|---|---|---|
| 0x0 | 4 | inodecount | Total inode count. |
| 0x4 | 4 | blockcountlo | Total block count. |
| 0x8 | 4 | rblockcountlo | This number of blocks can only be allocated by the super-user. |
| 0xC | 4 | freeblockcountlo | Free block count. |
| 0x10 | 4 | freeinodecount | Free inode count. |
| 0x14 | 4 | firstdatablock | First data block. |
| 0x18 | 4 | logblocksize | Block size is 2 ^ (10 + logblocksize). |
| 0x1C | 4 | logclustersize | Cluster size is (2 ^ logclustersize). |
| 0x20 | 4 | blockpergroup | Blocks per group. |
| 0x24 | 4 | clusterpergroup | Clusters per group, if bigalloc is enabled. |
| 0x28 | 4 | inodepergroup | Inodes per group. |
| 0x2C | 4 | mtime | Mount time, in seconds since the epoch. |
| 0x30 | 4 | wtime | Write time, in seconds since the epoch. |
| 0x34 | 2 | mntcount | Number of mounts since the last fsck. |
| 0x36 | 2 | maxmntcount | Number of mounts beyond which a fsck is needed. |
| 0x38 | 2 | magic | Magic signature, 0xEF53 |
| 0x3A | 2 | state | File system state. |
| 0x3C | 2 | errors | Behavior when detecting errors. |
| 0x3E | 2 | minorrevlevel | Minor revision level. |
| 0x40 | 4 | lastcheck | Time of last check, in seconds since the epoch. |
| 0x44 | 4 | checkinterval | Maximum time between checks, in seconds. |
| 0x48 | 4 | creatoros | OS. One of: Probably 0 = Linux |
| 0x4C | 4 | revlevel | Revision level. One of: 0 or 1 |
| 0x50 | 2 | defresuid | Default uid for reserved blocks. |
| 0x52 | 2 | defresgid | Default gid for reserved blocks. |
|---|---|---|---|
| 0x54 | 4 | firstino | First non-reserved inode. |
| 0x58 | 2 | inodesize | Size of inode structure, in bytes. |
| 0x5A | 2 | blockgroupnr | Block group # of this superblock. |
| 0x5C | 4 | featurecompat | Compatible feature set flags. |
| 0x60 | 4 | featureincompat | Incompatible feature set. |
| 0x64 | 4 | featurerocompat | Readonly-compatible feature set. |
| 0x68 | byte | uuid[16] | 128-bit UUID for volume. |
| 0x78 | char | volumename[16] | Volume label. |
| 0x88 | char | lastmounted[64] | Directory where filesystem was last mounted. |
| 0xC8 | 4 | algorithmusagebitmap | For compression (Not used in e2fsprogs/Linux) |
| 0xCC | byte | preallocblocks | Blocks to preallocate for files |
| 0xCD | byte | preallocdirblocks | Blocks to preallocate for directories. |
| 0xCE | 2 | reservedgdtblocks | Number of reserved GDT entries. |
| 0xD0 | byte | journaluuid[16] | UUID of journal superblock |
| 0xE0 | 4 | journalinum | inode number of journal file. |
| 0xE4 | 4 | journaldev | Device number of journal file |
| 0xE8 | 4 | lastorphan | Start of list of orphaned inodes to delete. |
| 0xEC | 4 | hashseed[4] | HTREE hash seed. |
| 0xFC | byte | defhashversion | Default hash algorithm to use for directories. |
| 0xFD | byte | jnlbackuptype | Journal backup type. |
| 0xFE | 2 | descsize | Size of group descriptors |
| 0x100 | 4 | defaultmountopts | Default mount options. |
| 0x104 | 4 | firstmetabg | First metablock block group. |
| 0x108 | 4 | mkftime | When the filesystem was created. |
| 0x10C | 4 | jnlblocks[17] | Backup copy of the journal inode’s iblock[]. |
| 0x150 | 4 | blockcounthi | High 32-bits of the block count. |
|---|---|---|---|
| 0x154 | 4 | rblockcounthi | High 32-bits of the reserved block count. |
| 0x158 | 4 | freeblockcounthi | High 32-bits of the free block count. |
| 0x15C | 2 | minextraisize | All inodes have at least # bytes. |
| 0x15E | 2 | wantextraisize | New inodes should reserve # bytes. |
| 0x160 | 4 | flags | Miscellaneous flags. |
| 0x164 | 2 | raidstride | RAID stride. |
| 0x166 | 2 | mmpinterval | Seconds to wait in multi-mount prevention. |
| 0x168 | 8 | mmpblock | Block # for multi-mount protection data. |
| 0x170 | 4 | raidstripewidth | RAID stripe width. |
| 0x174 | byte | loggroupperflex | Flexible block group size= 2^loggroupperflex. |
| 0x175 | byte | checksumtype | Metadata checksum algorithm type. |
| 0x176 | 2 | reservedpad | Alignment padding. |
| 0x178 | 8 | kbytewritten | KB written to this filesystem ever. |
| 0x180 | 4 | snapshotinum | inode number of active snapshot. |
| 0x184 | 4 | snapshotid | Sequential ID of active snapshot. |
| 0x188 | 8 | snapshotrblockcount | Number of blocks reserved for active snapshot. |
| 0x190 | 4 | snapshotlist | inode number of the head of the snapshot. |
| 0x194 | 4 | errorcount | Number of errors seen. |
| 0x198 | 4 | firsterrortime | First time an error happened. |
| 0x19C | 4 | firsterrorino | inode involved in first error. |
| 0x1A0 | 8 | firsterrorblock | Number of block involved of first error. |
| 0x1A8 | byte | firsterrorfunc[32] | Name of function where the error happened. |
| 0x1C8 | 4 | firsterrorline | Line number where error happened. |
| 0x1CC | 4 | lasterrortime | Time of most recent error. |
| 0x1D0 | 4 | lasterrorino | inode involved in most recent error. |
| 0x1D4 | 4 | lasterrorline | Line number where most recent error happened. |
| 0x1D8 | 8 | lasterrorblock | Number of block involved in most recent error. |
| 0x1E0 | byte | lasterrorfunc[32] | Name of function for most recent error. |
| 0x200 | byte | mountopts[64] | ASCIIZ string of mount options. |
| 0x240 | 4 | usrquotainum | Inode number of user quota file. |
| 0x244 | 4 | grpquotainum | Inode number of group quotafile. |
| 0x248 | 4 | overheadblocks | Overhead blocks/clusters in fs. |
| 0x24C | 4 | backupbgs[2] | Block groups containing superblock backups. |
| 0x24E | 4 | encryptalgos[4] | Encryption algorithms in use. |
| 0x252 | 4 | reserved[105] | Padding to the end of the block. |
| 0x3FC | 4 | checksum | Superblock checksum. |
When using Active@ Disk Editor I recommend that you open each volume by selecting “Open in Disk Editor” as shown in Figure 7.6. This creates a new tab with a logical view of your filesystem. This logical view is more convenient than the raw physical view because, among other things, it will automatically apply some of the built-in templates. If you ever use this tool with Windows filesystems it will also translate clusters to sectors for you.
FIGURE 7.6
Opening a logical view of a volume in Active@ Disk Editor.