What's so special about 0x55AA?

Question

I have encountered 0x55AA in 2 scenarios:

• the final 2 bytes of boot sector in the legacy booting process contains 0x55AA.
• the first 2 bytes of the Option ROM must be 0x55AA

So what's special about 0x55AA?

The binary version of 0x55AA is 0101010110101010. Is it because it is evenly interleaved 0 and 1? But I don't see that's a strong criteria.

Answer 1

Reference : https://www.techtarget.com/whatis/definition/Master-Boot-Record-MBR

If the final signature is 0x55AA or 0xAA55 of MBR at 511th and 512th bytes respectively BIOS transfers control to the MBR to boot the OS. If the final signature does not match, the BIOS looks for additional bootable devices. If no devices are found, the OS does not boot, and the user receives an error message.

Question : Addition boot devices include "extended boot partitions" also, containing "extended boot records", having the same final signature 0x55AA or 0xAA55 at the end of the record.

Answer 2

0x55AA is a "signature word". It is used as the "end of sector" marker in the last 2 bytes of a 512 byte boot record. This includes MBR and it's extended boot records and in the newer GPTs protective MBR.

References:

Image from Master Boot Record - microsoft.com.

How Basic Disks and Volumes Work - microsoft.com.

Answer 3

There is nothing magical or mystical about that combination. Implementers needed a means by which to determine if the first sector of a device was bootable (boot signature) and that combination occurring in the last two bytes of a sector is so improbable, is why it was chosen.

Similarly, SMBIOS entry point can be found scanning BIOS for _SM_ signature that must be on an segment boundary like this;

  Find_SMBIOS:
    push    ds
    push    bx                      ; Preserve essential
    push    si

; Establish DS:BX to point to base of BIOS code

    mov     ax, 0xf000
    mov     ds, ax                  ; Segment where table lives
    xor     bx, bx                  ; Initial pointer
    mov     eax, '_SM_'             ; Scan buffer for this signature

; Loop has maximum of 4096 interations. As table is probably at top of buffer, cycling
; though it backwards saves time. In my test bed, BOCH's 2.6.5 BIOS-bochs-latest it was
; 1,451 interations.

.L0: sub     bx, 16                  ; Bump pointer to previous segment
     jnz     .J0

; Return NULL in AX and set CF. Either AX or flag can be tested on return.

    mov     ax, bx
    stc
    jmp     .Done

; Did we find signature at this page

.J0: cmp     [bx], eax
    jnz     .L0                     ; NZ, keep looking

; Calculate checksum to verify position

    mov     cx, 15
    mov     ax, cx
    mov     si, bx                  ; DS:SI = Table entry point

; Compute checksum on next 15 bytes

.L1: lodsb
    add     ah, al
    loop    .L1

    or      ah, ah
    jnz     .L0                     ; Invalid, try to find another occurence

; As entry point is page aligned, we can do this to determine segment.

    shr     bx, 4
    mov     ax, ds
    add     ax, bx
    clc                             ; NC, found signature

.Done:
    pop     si
    pop     bx                      ; Restore essential
    pop     ds

    ret     

That signature is easily identifiable in a hex dump and it fits into a 16 bit register. Where those two criteria precipitating factors, I don't know, but again, the probability of 0x5f4d535f appearing on an even 16 byte boundary is very unlikely.