We have had three installments on RAID 5 failure and how the XOR operation gives us insight into discovering the stripe size and drive order for an array. Understanding the next installment is critical to the entire method of reverse engineering a RAID 5 configuration.
We understand that when we use an XOR operation on the same bits we always return FALSE. So, XORing a TRUE and a TRUE give you a FALSE, and XORing a FALSE and a FALSE give you a FALSE. Understanding this, we can hopefully understand the following.
The Master File Table (MFT) Magic number is ‘FILE’. Four ASCII letters represented in HEX format as 46h, 49h, 4Ch, 45h. These HEX values correspond to the letters ‘F’, ‘I’, ‘L’, ‘E’ respectively. Now, when you XOR 46h with 46h you get 00h. This is illustrated in the following diagram.
Figure 1
Next, let’s take a look at the actual data and what happens when the entire magic number is XORed. This next figure is of key importance in understanding what is referred to as a parity block. The parity block is the XORing of all the drives in the array and the result is stored in the parity block for that particular stripe; each stripe in a RAID 5 has its own parity block, and as the stripes progress the parity block switches from drive to drive in a very definable pattern. There are basically two RAID 5 stripe types, right to left, and left to right. Within each of these is there are two types, Asymmetrical, and Symmetrical, or Asynchronous, and Synchronous. These two terms and their meanings have nothing to do with how a RAID 5 actual works. The term ‘symmetrical’ means the same on both sides where ‘asymmetrical’ is the opposite. The term ‘synchronous’ and ‘asynchronous’ mean to either wait for something to finish, or execute then continue on with your task irregardless of what is currently going on. The actual functioning of the parity block in its rotation as well as the order of read precedence will be discussed in the next installment. As for now, below is what using the XORing operation on a RAID 5 looks like.
Bear in mind, this is only for odd numbered RAID 5 failure configurations.
Figure 2
In figure 2 we see Drive 0 as all zeroes, Drive 1, and Drive 2, with the HEX representation for the magic MFT number ‘FILE’. From Figure 2 we can see that the parity block is Drive 0, and the two data blocks are Drive 1, and Drive 2.
In the next installment we will discuss the RAID 5 block reading methods using two different ordering types.