[File] [PATCH] of Magdir/windows for Microsoft System Deployment Image (boot.sdi)

Wed May 1 17:55:34 UTC 2019

On May 1,  6:37pm, joerg.jen.der.ek at gmx.net (=?UTF-8?Q?J=c3=b6rg_Jenderek?=) wrote:
-- Subject: [File] [PATCH] of Magdir/windows for Microsoft System Deployment 

| Hello,
| 
| some days ago i run version 5.36 on Windows recovery drive inside boot
| directory. The boot loader file "boot.sdi" is only described as "data".
| 
| So i add lines to Magdir/windows. Unfortunately there exist no official
| documentation about file format by Microsoft, but some information is
| found on Wikipedia. So add comment line like
| # URL: http://en.wikipedia.org/wiki/System_Deployment_Image
| There a link to Sergii Kolisnyk "SDI file format specification" is
| mentioned. So use that as reference, expressed by comment line
| # Reference: http://skolk.livejournal.com/1320.html
| According to that side SDI files start with magic+version bytes. That is
| expressed by  lines
|  0	string			$SDI
|  >4	string			0001		System Deployment Image
| Afterwards display file name extension and user defined mime type by lin
| es:
|  !:mime	application/x-ms-sdi
|  !:ext	sdi
| Unfortunately i myself found only one SDI example. So i can not verify
| what fields are important. For my example many field are empty. So print
| values only in not empty like
|  >>8	ulequad			!0		\b, MDBtype 0x%llx
|  >>112	ulequad			!0		\b, PageAlignment %llu
| 
| Of interest is the table of contents starting at offset 0x400. Each
| entry for a blob occupies 0x40 bytes. Each entry start with a 8 byte
| null padded type identifier like PART, WIM , BOOT, LOAD or DISK. So for
| first blob this is shown by line
|  >>0x400	string		>\0		\b, type %-3.8s
| The numeric typ ( where 0 means non-file-system, 7 means NTFS file
| system and 6 means BIGFAT) is shown by line like
|  >>>0x420	ulequad		!0		(0x%llx)
| The offset and size of first blob is shown by lines like
|  >>>0x410	ulequad		x		at 0x%llx
|  >>>0x418	ulequad		>0		%llu bytes
| For my example first blob was NTFS file system. So inspect this embedded
| part by calling Magdir/filesystems by pointer expression like:
|  >>>>(0x410.l)	indirect	x
| 
| Then repeat procedure for second blob starting with line like
|  >>0x440	string		>\0		\b, type %-3.8s
| For my example this was an empty zero sized WIM image.
| A possible third embedded blob is shown by magics starting
| with line like:
|  >>0x480	string		>\0		\b, type %-3.8s
| 
| After applying the above mentioned modifications by patch
| file-5.36-windows-sdi.diff then SDI example is described like:
| 
| boot.sdi: System Deployment Image, PageAlignment 2, checksum 0x39,
| 	type PART (0x7) at 0x2000 3161088 bytes DOS/MBR boot sector, code
| offset 0x52+2, OEM-ID "NTFS    ",
| Media descriptor 0xf8, sectors/track 2, heads 16, hidden sectors 2,
| dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor);
| NTFS, sectors/track 2, sectors 6173, $MFT start cluster 2058, $MFTMirror
| start cluster 5162, clusters/RecordSegment 2, clusters/index block 8,
| serial number 050d60a27d60a0dc2; contains bootstrap NTLDR,
| 	type WIM at 0x306000
| 
| I hope my diff file can be applied in future version of
| file utility.

Thanks!

added

christos