Hidden partitions tips
Many a time we come into contact with hidden partitions. This write-up gives a brief description of how they work in general.
I hide and unhide partitions regularly and believe it can be a useful tool to a Linux user. Certainly knowing how it works and able to detect them would be helpful in any fault diagnostic.
Some usages of hidden partitions are given at the end.
How can a partition be hidden?
Every hard disk partition is defined by a partition table of 16 bytes long. Four positions, with a total of 64 bytes, are available in the first sector which is always read if the hard disk has been nominated for booting. These four positions are commonly referred to as the four primaries.
Within each primary partition the information kept are:-
offset--- (bytes)-- Description
-- 0 ------ 1 ----- Boot Indicator (80h = active)
-(1 - 3)--- 3 ----- Starting CHS values
-- 4 ------ 1 ----- Partition-type Descriptor
-(5 - 7)--- 3 -----Ending CHS values
-(8 -11)-- 4 ----- Starting Sector
-(12-15)-- 4 ----- Partition Size (in sectors
The 5th bytes of a partition table describes the partition ID.
The first important point to note is a partition cannot be hidden physically. It is just not recognised by the operating system because its partition ID has been tampered with.
The partition ID is just one byte in the partition table. An operating reads this byte, thereby discovers the filing system type and then able to employ the appropriate algorithm to read its content.
Changing the partition ID does not alter the partition interior. A modern operating system is clever enough to report errors if the partition ID is found inconsistent with a partition it is asked to mount, so it is reasonably safe to edit the partition ID as long as you use the change for a specific purpose.
The tools to edit the partition ID is available in “fdisk”, “cfdisk”, “sfdisk”, “Grub” and “Lilo”. Linux officially supports the hidden partitions because they are listed inside the partition types of “fdisk”, “cfdisk” and “sfdisk”.
The commonly observed PC standard on hidden partitions
I have noticed in the early Dos systems a practice already existed for altering the partition ID so that it could not recognised by the operating system with which the partition was originally created. The practice seems to be a commonly observed PC standard involving advancing the partition ID hexadecimal number systematically by 16 steps.
A partition ID is usually specified in hexadecimal in Linux and so the advancement is equivalent of advancing 1 step in the 2nd alphanumeric character since in hexadecimal the first alphanumeric character stores 16 combinations of 0 to 9, then A to F.
This advancement is also equivalent to toggling the 5th bit in binary number of the partition ID. A binary number of “1111” is 15 or “F” in hexadecimal. By toggling the 5th bit we get “11111” in binary and “1F” in hexadecimal.
Therefore with the partition ID in hexadecimal by advancing the second alphanumeric character by “1” can make the partition magically disappear in the eye of its parent operating system.
Here is a list of the commonly used partitions, hide and unhide
< bit position>-----ID------Partition type------------
0 0 0 0 0 1 1 1 --- 7 ---- ntfs
0 0 0 1 0 1 1 1 --- 17 --- ntfs (hidden)
1 0 0 0 0 0 1 1 --- 83 --- native Linux
1 0 0 1 0 0 1 1 --- 93 --- native Linux (hidden)
0 0 0 0 0 1 1 0 --- 6 ---- fat16
0 0 0 1 0 1 1 0 --- 16 --- fat16 (hidden)
0 0 0 0 1 1 0 0 --- c ---- fat32 (LBA)
0 0 0 1 1 1 0 0 --- 1c --- fat32 (LBA) (hidden)
1 0 1 0 0 1 0 1 --- a5 --- BSD
1 0 1 1 0 1 0 1 --- b5 --- BSD (hidden)
1 0 1 1 1 1 1 1 --- bf --- Solaris
1 0 1 0 1 1 1 1 --- af --- Solaris (hidden)
0 0 0 0 0 1 0 1 --- 5 ---- Dos extended partition
0 0 0 1 0 1 0 1 --- 15 --- Dos extended partition (hidden)
1 0 0 0 0 1 0 1 --- 85 --- Linux extended partition
1 0 0 1 0 1 0 1 --- 95 --- Linux extended partition (hidden)
As always there is an exception to the rule. The Solaris partition is unhide with ID "bf" and hiding it make it into "af". Therefore to hide a Solaris partition in Grub the "unhide" instruction has to be used to toggle its 5th bit from "1" to "0".
The above hidden partitions, as far as I am aware, are supported by all the major PC operating systems and nobody uses another convention. You can find them listed in “fdisk”, “cfdisk” and “sfdisk”. With these programs a user hide the partition by altering the partition ID. Interestingly both the Linux boot loader Grub and Lilo also hides or unhides a partition simply by toggling the 5th bit of binary number of the partition ID.
Use of hidden partitions
From what I have seen to make a partition hidden is to prevent an operating system from reading it. On the face of it there isn’t much application at all apart from the secrecy or security reason. Most of the applications are with booting the MS systems as Linux seldom needs such a facility.
The following applications are what I have found hidden partitions useful for.
(1) To boot several MS systems in the same hard disk – A user can install a MS system, then hide the first one, proceed to install the next system, hide the second and so on until all the four primary partitions are filled. He/she can boot any one by unhiding it. As a MS system treats hidden partitions as foreign and so only the unhidden system is booted, if it is marked active, to the “C” drive same as it was originally installed. This is the most common method of installing several Dos and Windows together in one hard disk.
(2) To manipulate the extended partition as one entity – This is a rare application and I haven’t seen it done when I tried it. I believe it has a potential for Linux. The current SCSI/Sata/IDE/USB disk family allows a maximum of 11 logical partitions inside an extended partition. By hiding the extended partition the entire set of all logical partitions will disappear and the extended partition will be regarded as an “unknown” primary partition by the operating system. Therefore this unknown primary partition, with a possible maximum 11 logical partitions inside, can be moved to another position bodily by programs like Gparted or migrated to other disk by the command “dd”, all as one unit. At the new location the partition can be unhidden to given back the full set of logical partitions. Personally I found this application quite useful.
(3) To increase the number of logical partitions permitted in a hard disk – As an extended partition can be hidden to become an unknown primary partition a user can proceed to create a second extended partition without breaching the PC standard of permitting only one extended partition in a hard disk. Thus another set of 1 logical partition inside, hide the second extended partition can be created. The procedure is repeated until all four primaries are used up. Thus theoretically a maximum of 44 logical partitions can be created in a hard disk with 11 available for operation at any one time if it is unhidden. A SCSI/SATA/IDE/USB hard disk can have 16 device names; 1 for the whole disk sda, 4 for the primaries sda1 to sda4 and 11 logical partitions of sda5 to sda15. Since both Grub and Lilo can hide and unhide partitions so the boot loader is the logical choice to control the availability of the logical partitions
(4) To prevent partition table corruption by installing operating systems potentially incompatible with each other – A Unix-like system of BSD or Solaris uses one partition for installation but subdivides it to BSD-subparts or sub-slices. This works satisfactorily in the presence of only primary partitions. However if an extended partition is introduced Linux could complain because the logical partitions must be continuously linked. BSD/Solaris partitions appear to be extended partitions to Linux because of the subdivisions inside. One way to get over this problem is to hide the unwanted partitions when booting any of these systems.
Once the mechanism of a hidden partition is understood a Linux user then realises it is only a simple matter of just altering the ID to the partition by the terminal program fdisk/cfdisk/sfdisk. Equally he/she can be hide or unhide the partition by either Grub or Lilo.