Page 1 of 1

Help Analyzing Kryoflux Stream

Posted: Sun Oct 06, 2019 5:29 pm
by dart56
Hello,

I just recently got a Kryoflux to work through transferring my old floppy disks, lots of old DOS games and documents. I've followed the instructions as best I could, and most of the time it does seem to be working correctly. But, I've noticed a few times that I've transferred a disk to an MFM image, and when I open it in WinImage it comes up blank. I know there was data on the disk when it was put away years ago. I realize maybe the disk is beyond recovery. A few times I've done this transfer and the image is blank, but if I just put the disk in my old 486 and type DIR in DOS, it can see the files just fine.

I just thought I'd ask if anyone would be willing to take a look at the Preservation Stream file and see if there is anything else I could do to recover the data? This particular one is a 5-1/4" 40 track double sided disk. Is there actually data in the stream? I'm not really sure how to tell.

https://www37.zippyshare.com/v/5L4oi2Iy/file.html

Thanks in advance for any advice you might have!

Cheers,
Brad

Re: Help Analyzing Kryoflux Stream

Posted: Sun Oct 06, 2019 6:08 pm
by rcade
A lot of times the disk is either detected as the wrong size or has protection on it (or just bad areas). Both of these conditions make basically a blank IMG file, or one that WinImage or other programs can't detect.

Re: Help Analyzing Kryoflux Stream

Posted: Sun Oct 06, 2019 6:58 pm
by SomeGuy
In this case, the disk has a boot sector virus, which has destroyed the Bios Pramater Block that contains the geometry information needed for Winimage to open the image. (real DOS can often get along without that information)

However, there are no files in the root directory and FAT seems to show no sectors allocated.

Re: Help Analyzing Kryoflux Stream

Posted: Sun Oct 06, 2019 8:25 pm
by ZrX
Inner tracks are in a bad shape, enought to damage 7 tracks on the top side of the disk.

The virus has moved the MBR, FATs and directory, and after restoring them in place the contents could be extracted.

https://www61.zippyshare.com/v/d85Vuj8x/file.html

Re: Help Analyzing Kryoflux Stream

Posted: Sun Oct 06, 2019 8:52 pm
by dart56
Thank you to everyone who has replied, but a very special thanks to ZrX for unscrambling the data for me! That is amazing!

Can I ask you to explain a bit about how you restored the image? I'd love to learn more about the process, I have a bunch of disks that seem be in a similar state that it would be very interesting to see if they could be at least partially recovered. Any references or software tools that could help me out would be greatly appreciated!

You guys do cool stuff on this forum. :)

Cheers,
Brad

Re: Help Analyzing Kryoflux Stream

Posted: Mon Oct 07, 2019 2:54 pm
by ZrX
The first sector gave some clues about the virus. After finding some information about it and how it works, I used a hexeditor to locate and copy back the sectors the virus had relocated to another sectors on the disk.

Very basic tools, but you have to understand a bit how disks work and what you need to look for.

The virus itself is such that if you boot a computer from the infected floppy, it'll write itself to other floppies you'll insert afterwards, spreading itself to every disk that hasn't been write protected while it's in memory.

Re: Help Analyzing Kryoflux Stream

Posted: Mon Oct 07, 2019 9:19 pm
by dart56
Hi ZrX,

Thanks again for taking the time to reply.

I've done some reading up on FAT12, and downloaded a HEX editor. I noticed the boot sector of the original image doesn't follow the normal template at all. I also see it has the word LEGALISE in ASCI. Which virus do you think it is? Is it the "Stoned" virus?

A quick look at another disk I have shows the same thing in the boot sector. Apparently I had a virus 25 years ago that I never knew about! Hopefully I can figure out the process to undo it, I get the feeling it will come in handy.

It was really neat to see those old games again, that disk was mostly IBM PCJr stuff dating back at least 30 years.

Cheers,
Brad

Re: Help Analyzing Kryoflux Stream

Posted: Mon Oct 07, 2019 10:04 pm
by ZrX
Yup, "Stoned" was what I found from wikipedia matching the infected sector.

I started looking for the relocated boot sector by searching the hex values $55AA which often is found at the last two bytes of the sector. There were couple of matches that looked like a valid sector. Your mention of PCjr confirms that the sectors at offset $24400 on your image are the correct ones.

One thing to pay attention to is that the relocated data has only one copy of the FAT table, which needs to be duplicated as disks have two copies of the FAT for redundancy:

$00000000 MBR/boot
$00000200 FAT1
$00000600 FAT2
$00000A00 Directory

Also, these offsets depend on the size of the disk, 40/80 tracks, DD/HD.

Re: Help Analyzing Kryoflux Stream

Posted: Tue Oct 08, 2019 1:02 am
by dart56
Thanks for the info. When I get a chance, I'll see if I can duplicate what you did for practice, to see if I'm doing it right.

Re: Help Analyzing Kryoflux Stream

Posted: Fri Oct 11, 2019 5:29 pm
by dart56
ZrX,

Just wanted to let you know I was able to duplicate what you did to fix that disk, and this morning used the same technique to fix another. Thanks again for your help!

Cheers,
Brad