Partition Table/Master Boot Record: Bootloader

Now that we have an understanding of partition address models, we can locate the bootloader. With the exact location of the boot code identified, we can determine whether this area has been modified in the event of a boot failure.

LILO is a well-known bootloader for Linux, although GRUB is quickly growing in popularity. After installing LILO or any other bootloader, the assembler code is written between byte 0 and 1BD(H) of the MBR. To modify or view any such bootloader code or partition table, we must use tools such as Binary Editor And Viewer (beav), Linux Disk Editor (lde), Binary vi (bvi), or any other Linux binary editor.

In the following example, we demonstrate the exact LILO bootloader code. Before writing the bootloader, the partition is cleaned using the following command:

    dd if=/dev/zero of=/dev/disk_device_file bs=512 count=1

After the partition table is wiped, we use cfdisk to generate a simple partition. Next, we issue lilo -M /dev/disk_device_file to write the assembler code to the bytes already defined. To review the bootloader, we use dd if=/dev/hde of=/tmp/mbr_out count=1 bs=512 and bvi to open the file.

    dd if=/dev/hde of=/tmp/mbr_out count=1 bs=512
    bvi /tmp/mbr_out

(Same data as seen above from od -h.)

    00000000 FA EB 31 12 00 00 4C 49 4C 4F 16 05 10 00 01 00  ..1...LILO......
    00000010 00 7C 00 00 00 00 00 00 00 00 00 00 5E AC 08 C0  .|...........^...
    00000020 74 09 B4 0E BB 07 00 CD 10 EB F2 B9 13 00 B4 86  t...............
    00000030 CD 15 CD 18 31 C0 8E D0 BC 00 7C FB 89 E1 06 53  ....1.....|....S
    00000040 56 52 89 CE FC 8E D8 8E C0 BF 00 06 B9 00 01 F3  VR..............
    00000050 A5 EA 56 06 00 00 60 B8 00 12 B3 36 CD 10 61 66  ..V...'....6..af
    00000060 8B 3E B8 07 66 09 FF 74 1B B4 08 B2 80 CD 13 0F  .>..f..t........
    00000070 B6 CA 92 BA 80 00 E8 9A 00 66 3B 3E B8 7D 74 04  .........f;>.}t.
    00000080 42 E2 F3 92 BE BE 07 B9 04 00 F6 04 80 89 F5 78  B..............x
    00000090 33 83 C6 10 E2 F4 E8 83 FF 4E 6F 20 70 61 72 74  3........No part
    000000A0 69 74 69 6F 6E 20 61 63 74 69 76 65 0D 0A 00 F6  ition active....
    000000B0 04 80 79 10 E8 65 FF 49 6E 76 61 6C 69 64 20 50  ..y..e.Invalid P
    000000C0 54 0D 0A 00 83 C6 10 E2 E6 89 EE 66 8B 44 08 66  T..........f.D.f
    000000D0 A3 14 06 E8 3D 00 81 3E FE 7D 55 AA 75 11 31 C0  ....=..>.}U.u.1.
    000000E0 58 3C FE 75 06 88 D4 5E 5B 07 92 FF 2E 10 06 E8  X<.u...^[.......
    000000F0 2A FF 4E 6F 20 62 6F 6F 74 20 73 69 67 6E 61 74  *.No boot signat
    00000100 75 72 65 20 69 6E 20 70 61 72 74 69 74 69 6F 6E  ure in partition
    00000110 0D 0A 00 60 BD 0C 00 BE 0C 06 BB AA 55 B4 41 CD  ...'........U.A.
    00000120 13 72 0F 81 FB 55 AA 75 09 F6 C1 01 74 04 B4 42  .r...U.u....t..B
    00000130 EB 3F 52 B4 08 CD 13 72 43 51 C0 E9 06 86 E9 89  .?R....rCQ......
    00000140 CF 59 C1 EA 08 92 40 83 E1 3F F7 E1 93 A1 14 06  .Y....@..?......
    00000150 8B 16 16 06 39 DA 73 22 F7 F3 39 F8 77 1C C0 E4  ....9.s"..9.w...
    00000160 06 86 E0 92 F6 F1 08 E2 89 D1 41 5A 88 C6 B8 01  ..........AZ....
    00000170 02 C4 5C 04 CD 13 72 05 61 C3 B4 40 5A 4D 74 06  ..\...r.a..@ZMt.
    00000180 30 E4 CD 13 EB 91 E8 93 FE 44 69 73 6B 20 72 65  0........Disk re
    00000190 61 64 20 65 72 72 6F 72 0D 0A 00 00 00 00 00 00  ad error........
    000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000001B0 00 00 00 00 00 00 00 00 42 5C 48 62 CF C9 80 01  ........B\Hb....
    000001C0 01 00 83 0E 3F CE 3F 00 00 00 E0 FB 02 00 00 00  ....?.?.........
    000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.

Another way to view the raw data from the drive is to use od. Reading the MBR through od -h is difficult because od prints 16-bit words, so the MSB/LSB of each word appears in reverse order, as discussed earlier.
An example of an octal dump (od) hex read from the same drive as mentioned previously follows:

    dd if=/dev/hde count=1 bs=512 | od -h
    1+0 records in
    1+0 records out
    0000000 ebfa 1231 0000 494c 4f4c 0516 0010 0001
    0000020 7c00 0000 0000 0000 0000 0000 ac5e c008
    0000040 0974 0eb4 07bb cd00 eb10 b9f2 0013 86b4
    0000060 15cd 18cd c031 d08e 00bc fb7c e189 5306
    0000100 5256 ce89 8efc 8ed8 bfc0 0600 00b9 f301
    0000120 eaa5 0656 0000 b860 1200 36b3 10cd 6661
    0000140 3e8b 07b8 0966 74ff b41b b208 cd80 0f13
    0000160 cab6 ba92 0080 9ae8 6600 3e3b 7db8 0474
    0000200 e242 92f3 bebe b907 0004 04f6 8980 78f5
    0000220 8333 10c6 f4e2 83e8 4eff 206f 6170 7472
    0000240 7469 6f69 206e 6361 6974 6576 0a0d f600
    0000260 8004 1079 65e8 49ff 766e 6c61 6469 5020
    0000300 0d54 000a c683 e210 89e6 66ee 448b 6608
    0000320 14a3 e806 003d 3e81 7dfe aa55 1175 c031
    0000340 3c58 75fe 8806 5ed4 075b ff92 102e e806
    0000360 ff2a 6f4e 6220 6f6f 2074 6973 6e67 7461
    0000400 7275 2065 6e69 7020 7261 6974 6974 6e6f
    0000420 0a0d 6000 0cbd be00 060c aabb b455 cd41
    0000440 7213 810f 55fb 75aa f609 01c1 0474 42b4
    0000460 3feb b452 cd08 7213 5143 e9c0 8606 89e9
    0000500 59cf eac1 9208 8340 3fe1 e1f7 a193 0614
    0000520 168b 0616 da39 2273 f3f7 f839 1c77 e4c0
    0000540 8606 92e0 f1f6 e208 d189 5a41 c688 01b8
    0000560 c402 045c 13cd 0572 c361 40b4 4d5a 0674
    0000600 e430 13cd 91eb 93e8 44fe 7369 206b 6572
    0000620 6461 6520 7272 726f 0a0d 0000 0000 0000
    0000640 0000 0000 0000 0000 0000 0000 0000 0000
    0000660 0000 0000 0000 0000 5c42 6248 c9cf 0180
    0000700 0001 0e83 ce3f 003f 0000 fbe0 0002 0000
    0000720 0000 0000 0000 0000 0000 0000 0000 0000
    *
    0000760 0000 0000 0000 0000 0000 0000 0000 aa55

Byte Review on a Used Drive

Before we continue our bootloader discussion, we must address one common difficulty in byte review. Most administrators never clean a drive before installing an OS.
When installing an OS such as Linux on a partition in which an OS previously existed, byte review can be misleading and challenging, as shown in the following example. Using cfdisk, we depict the LILO boot code as loaded in a way almost identical to that just shown; however, in the following example, bytes 19A-1B7 have data from a previous load that is not utilized by LILO. The key point here is that byte 1BE has a value equal to "80." As mentioned, this byte signifies the boot device, and as you can see in the following example, even a Windows hibernation partition can be marked bootable for Linux.

    cfdisk -P rts

    Disk Drive: /dev/hda
    Sector 0:
    0x000: FA EB 20 01 B5 01 4C 49 4C 4F 16 05 A1 9D 32 41
    0x010: 00 00 00 00 74 9C 6B 40 AC C8 AC C8 81 80 60 CD
    0x020: C0 11 00 B8 C0 07 8E D0 BC 00 08 FB 52 53 06 56
    0x030: FC 8E D8 31 ED 60 B8 00 12 B3 36 CD 10 61 B0 0D
    0x040: E8 68 01 B0 0A E8 63 01 B0 4C E8 5E 01 60 1E 07
    0x050: 80 FA FE 75 02 88 F2 BB 00 02 8A 76 1D 89 D0 80
    0x060: E4 80 30 E0 78 0A 3C 10 73 06 F6 46 1C 40 75 2C
    0x070: 88 F2 66 8B 7E 18 66 09 FF 74 21 52 B4 08 B2 80
    0x080: CD 13 72 55 92 98 91 BA 7F 00 42 66 31 C0 40 E8
    0x090: 71 00 66 3B BF B8 01 74 03 E2 EF 5A 53 8A 76 1E
    0x0A0: BE 1F 00 E8 4B 00 B4 99 66 81 7F FC 4C 49 4C 4F
    0x0B0: 75 27 5E 68 80 08 07 31 DB E8 35 00 75 FB BE 06
    0x0C0: 00 89 F7 B9 0A 00 F3 A6 75 0D B0 02 AE 75 08 06
    0x0D0: 55 B0 49 E8 D5 00 CB B4 9A B0 20 E8 CD 00 E8 BA
    0x0E0: 00 FE 4E 00 74 08 BC E8 07 61 60 E9 60 FF F4 EB
    0x0F0: FD 66 AD 66 09 C0 74 0A 66 03 46 10 E8 04 00 80
    0x100: C7 02 C3 60 55 55 66 50 06 53 6A 01 6A 10 89 E6
    0x110: 53 F6 C6 60 74 58 F6 C6 20 74 14 BB AA 55 B4 41
    0x120: CD 13 72 0B 81 FB 55 AA 75 05 F6 C1 01 75 4A 52
    0x130: 06 B4 08 CD 13 07 72 58 51 C0 E9 06 86 E9 89 CF
    0x140: 59 C1 EA 08 92 40 83 E1 3F F7 E1 93 8B 44 08 8B
    0x150: 54 0A 39 DA 73 38 F7 F3 39 F8 77 32 C0 E4 06 86
    0x160: E0 92 F6 F1 08 E2 89 D1 41 5A 88 C6 EB 06 66 50
    0x170: 59 58 88 E6 B8 01 02 EB 02 B4 42 5B BD 05 00 60
    0x180: CD 13 73 0F 4D 74 09 31 C0 CD 13 61 EB F1 B4 40
    0x190: E9 46 FF 88 64 1F 8D 64 10 61 C3 C1 C0 04 E8 03
    0x1A0: 00 C1 C0 04 24 0F 27 04 F0 14 40 60 BB 07 00 B4
    0x1B0: 0E CD 10 61 C3 00 44 63 AC C8 AC C8 00 00 80 01
    0x1C0: 01 00 A0 EF 3F 02 3F 00 00 00 F1 B0 00 00 00 00
    0x1D0: 01 03 05 EF FF FF 30 B1 00 00 50 78 53 02 00 00
    0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

    Sector 45360:
    0x000: EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
    ~~~~~~~ Skip to save space~~~~
    0x1A0: 0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69
    0x1B0: 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 00 01
    0x1C0: 01 03 83 EF 3F 60 3F 00 00 00 A1 AF 15 00 00 00
    0x1D0: 01 61 05 EF 3F CC E0 AF 15 00 C0 EA 18 00 00 00
    0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

    Sector 1466640:
    0x000: 2B 38 04 C8 86 4A 47 E0 EB 54 E3 EA 00 CC 53 CC
    ~~~~~~~ Skip to save space~~~~
    0x1B0: 43 54 7C D2 10 5D D1 43 2F 86 90 31 04 94 00 01
    0x1C0: 01 61 82 EF 3F CC 3F 00 00 00 81 EA 18 00 00 00
    0x1D0: 01 CD 05 EF FF FF A0 9A 2E 00 B0 DD 24 02 00 00
    0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

    Sector 3099600:
    0x000: 4D 5F 47 75 69 64 50 6F 6F 6C 01 00 0D 43 4F 4D
    ~~~~~~~ Skip to save space~~~~
    0x1B0: 44 53 33 64 42 75 66 66 65 72 3B 49 29 56 00 01
    0x1C0: 01 CD 8E EF FF FF 3F 00 00 00 71 DD 24 02 00 00
    0x1D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

    Partition Table for /dev/hda

                  First     Last
     # Type      Sector   Sector Offset   Length Filesystem Type (ID)   Flags
    -- ------- -------- -------- ------ -------- ---------------------- ---------
     1 Primary        0    45359     63    45360 IBM Thinkpad hibe (A0) Boot (80)
     2 Primary    45360 39070079      0 39024720 Extended (05)          None (00)
     5 Logical    45360  1466639     63  1421280 Linux (83)             None (00)
     6 Logical  1466640  3099599     63  1632960 Linux swap (82)        None (00)
     7 Logical  3099600 39070079     63 35970480 Linux LVM (8E)         None (00)

    Partition Table for /dev/hda

             ---Starting---      ----Ending----    Start Number of
     # Flags Head Sect  Cyl   ID Head Sect  Cyl   Sector   Sectors
    -- ----- ---- ---- ---- ---- ---- ---- ---- -------- ---------
     1  0x80    1    1    0 0xA0  239   63    2       63     45297
     2  0x00    0    1    3 0x05  239   63 1023    45360  39024720
     5  0x00    1    1    3 0x83  239   63   96       63   1421217
     6  0x00    1    1   97 0x82  239   63  204       63   1632897
     7  0x00    1    1  205 0x8E  239   63 1023       63  35970417

BIOS Initializing the Bootloader

Now that we have covered the bootloader location and difficulties of byte review, we need to cover how the BIOS calls the bootloader and how the bootloader responds. You would think that the first byte of a drive would be the primary thing to focus on. However, the first course of action taken by the BIOS is to search for a partition with the boot flag set. It is important that only one partition be marked as a bootable partition, even though every partition can contain bootable code. If more than one partition contains a boot flag, most BIOSs fail to boot, and some partition tools, such as fdisk, can fail. Using lilo -M to write the boot code to a disk partition fails if a bootable partition is not flagged or if more than one is flagged.

The first byte "0" of a partition that contains LILO boot code has a value of FA(H) on the first sector, first track, and first cylinder of the partition, represented by 1111 1010 (B). LILO defines this byte as a Clear Interrupt (CLI), documented in "first.S." The second byte defines the location of the bootloader code, and LILO defines this as EB "jump short" or E9 "jump near." But jump to what? The jump condition starts the location of the bootloader code (LILO, in this case) defined in probe.c. Complete details on LILO's boot code can be reviewed as needed because LILO is open source. The topic of decoding a bootloader is beyond the scope of this chapter.
However, covering the boot stage is critical to troubleshooting OS initialization. When booting LILO, for example, the bootloader displays the letters L I L O one at a time, each of which has meaning. Beginning with the display of L, the first stage of the LILO bootloader has completed. Next, I appears, signifying the start of the second stage bootloader and floppy check. Lastly, LO appears, completing the second stage of the bootloader, confirming kernel images. Based on the LILO configuration, a kernel is booted.
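
The byte-level checks described in this section (the FA/EB start of the boot code, the single boot flag at 1BE, the 55 AA signature, and comparing bytes 0-1BD against a known-good copy) can be automated on a sector saved with dd. The following Python is an added example, not code from the original text or from LILO; the function names are hypothetical, and the sample sector is constructed from the first ten bytes and first partition entry of the first dump, with the rest of the boot code zero-filled.

```python
import hashlib
import struct

SECTOR, TABLE_OFF, SIG_OFF = 512, 0x1BE, 0x1FE  # offsets as given in the text

def parse_mbr(sector: bytes) -> dict:
    """Decode the MBR fields the text walks through (hypothetical helper)."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        # flag, CHS start (3 bytes), type ID, CHS end (3 bytes), LBA start, count
        flag, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype or count:  # skip unused slots
            entries.append({"slot": i + 1, "flag": flag, "type": ptype,
                            "start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFF:] == b"\x55\xaa",
        # FA (CLI) followed by EB (jump short) or E9 (jump near)
        "cli_jmp": sector[0] == 0xFA and sector[1] in (0xEB, 0xE9),
        # both dumps on the page carry "LILO" at bytes 6-9
        "lilo_tag": sector[6:10] == b"LILO",
        # digest of bytes 0-1BD, for comparison against a known-good copy
        "code_sha256": hashlib.sha256(sector[:TABLE_OFF]).hexdigest(),
        "entries": entries,
    }

def review(sector: bytes) -> list:
    """List conditions the text ties to boot or lilo -M failures."""
    info, findings = parse_mbr(sector), []
    if not info["signature_ok"]:
        findings.append("missing 55 AA boot signature")
    active = sum(1 for e in info["entries"] if e["flag"] == 0x80)
    if active != 1:
        findings.append(f"{active} partitions flagged bootable, expected 1")
    if not info["cli_jmp"]:
        findings.append("boot code does not start with FA EB/E9")
    return findings

def sample_mbr() -> bytes:
    """Constructed sector: first 10 bytes and table entry 1 copied from the
    first dump above; the rest of the boot code is zero-filled."""
    s = bytearray(SECTOR)
    s[0:10] = bytes.fromhex("FAEB31120000") + b"LILO"
    s[TABLE_OFF:TABLE_OFF + 16] = bytes.fromhex("80010100830E3FCE3F000000E0FB0200")
    s[SIG_OFF:] = b"\x55\xaa"
    return bytes(s)
```

To use it on a real drive, pass the 512 bytes of a file such as /tmp/mbr_out to review(); on a used drive the code_sha256 value will differ from a clean install even when LILO itself is identical, because of the leftover bytes described earlier.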