Partition TableMaster Boot Record: Bootloader


Partition Table/Master Boot Record: Bootloader

Now that we have an understanding of partition address models, we can locate the bootloader. With the exact location of the boot code identified, we can determine whether this area has been modified in the event of a boot failure.

LILO is a well-known bootloader for Linux, although GRUB is quickly growing in popularity. After installing LILO or any other bootloader, the assembler code is written between byte 0 and 1BD(H) of the MBR. To modify or view any such bootloader code or partition table, we must use tools such as Binary Editor And Viewer (beav), Linux Disk Editor (lde), Binary vi (bvi), or any other Linux binary editor.

In the following example, we demonstrate the exact LILO bootloader code. Before writing the bootloader, the partition is cleaned using the following command: dd if=/dev/zero of=/dev/disk_device_file bs=512 count=1. After the partition table is wiped, we use cfdisk to generate a simple partition. Next, we issue lilo M /dev/disk_device_file to write the assembler code to the bytes already defined.

To review the bootloader, we use dd if=/dev/hde of=/tmp/mbr_out count=1 bs=512 and bvi to open the file.

dd if=/dev/hde of=/tmp/mbr_out count=1 bs=512 bvi /tmp/mbr_out (Same data as seen above from od h). 00000000 FA EB 31 12 00 00 4C 49 4C 4F 16 05 10 00 01 00..1...LILO...... 00000010  00 7C 00 00 00 00 00 00 00 00 00 00 5E AC 08 C0.|...........^... 00000020  74 09 B4 0E BB 07 00 CD 10 EB F2 B9 13 00 B4 86 t............... 00000030  CD 15 CD 18 31 C0 8E D0 BC 00 7C FB 89 E1 06 53 ....1.....|....S 00000040  56 52 89 CE FC 8E D8 8E C0 BF 00 06 B9 00 01 F3 VR.............. 00000050  A5 EA 56 06 00 00 60 B8 00 12 B3 36 CD 10 61 66 ..V...'....6..af00000060 8B 3E B8 07 66 09 FF 74 1B B4 08 B2 80 CD 13 0F .>..f..t........00000070 B6 CA 92 BA 80 00 E8 9A 00 66 3B 3E B8 7D 74 04 .........f;>.}t. 00000080  42 E2 F3 92 BE BE 07 B9 04 00 F6 04 80 89 F5 78 B..............x 00000090  33 83 C6 10 E2 F4 E8 83 FF 4E 6F 20 70 61 72 74 3........No part 000000A0  69 74 69 6F 6E 20 61 63 74 69 76 65 0D 0A 00 F6 ition active.... 000000B0  04 80 79 10 E8 65 FF 49 6E 76 61 6C 69 64 20 50 ..y..e.Invalid P 000000C0  54 0D 0A 00 83 C6 10 E2 E6 89 EE 66 8B 44 08 66 T..........f.D.f 000000D0  A3 14 06 E8 3D 00 81 3E FE 7D 55 AA 75 11 31 C0 ....=..>.}U.u.1. 000000E0  58 3C FE 75 06 88 D4 5E 5B 07 92 FF 2E 10 06 E8 X<.u...^[....... 000000F0  2A FF 4E 6F 20 62 6F 6F 74 20 73 69 67 6E 61 74 *.No boot signat 00000100  75 72 65 20 69 6E 20 70 61 72 74 69 74 69 6F 6E ure in partition 00000110  0D 0A 00 60 BD 0C 00 BE 0C 06 BB AA 55 B4 41 CD ...'........U.A. 00000120  13 72 0F 81 FB 55 AA 75 09 F6 C1 01 74 04 B4 42 .r...U.u....t..B 00000130  EB 3F 52 B4 08 CD 13 72 43 51 C0 E9 06 86 E9 89 .?R....rCQ......00000140  CF 59 C1 EA 08 92 40 83 E1 3F F7 E1 93 A1 14 06 .Y....@..?...... 00000150  8B 16 16 06 39 DA 73 22 F7 F3 39 F8 77 1C C0 E4 ....9.s"..9.w... 00000160  06 86 E0 92 F6 F1 08 E2 89 D1 41 5A 88 C6 B8 01 ..........AZ.... 00000170  02 C4 5C 04 CD 13 72 05 61 C3 B4 40 5A 4D 74 06 ..\...r.a..@ZMt. 00000180  30 E4 CD 13 EB 91 E8 93 FE 44 69 73 6B 20 72 65 0........Disk re 00000190  61 64 20 65 72 72 6F 72 0D 0A 00 00 00 00 00 00 ad error........ 000001A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000001B0 00 00 00 00 00 00 00 00 42 5C 48 62 CF C9 80 01 ........B\Hb.... 000001C0  01 00 83 0E 3F CE 3F 00 00 00 E0 FB 02 00 00 00 ....?.?......... 000001D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............U.


Another way to view the raw data from the drive is to use od. Reading MBR through od -h is difficult due to the 16-bit address MSB/LSB, which appears in reverse order, as discussed earlier. An example of an octal dump hex read from the same drive as mentioned previously follows:

dd if=/dev/hde count=1 bs=512 | od -h 1+0 records in 1+0 records out 0000000 ebfa 1231 0000 494c 4f4c 0516 0010 0001 0000020 7c00 0000 0000 0000 0000 0000 ac5e c008 0000040 0974 0eb4 07bb cd00 eb10 b9f2 0013 86b4 0000060 15cd 18cd c031 d08e 00bc fb7c e189 5306 0000100 5256 ce89 8efc 8ed8 bfc0 0600 00b9 f301 0000120 eaa5 0656 0000 b860 1200 36b3 10cd 6661 0000140 3e8b 07b8 0966 74ff b41b b208 cd80 0f13 0000160 cab6 ba92 0080 9ae8 6600 3e3b 7db8 0474 0000200 e242 92f3 bebe b907 0004 04f6 8980 78f5 0000220 8333 10c6 f4e2 83e8 4eff 206f 6170 7472 0000240 7469 6f69 206e 6361 6974 6576 0a0d f600 0000260 8004 1079 65e8 49ff 766e 6c61 6469 5020 0000300 0d54 000a c683 e210 89e6 66ee 448b 6608 0000320 14a3 e806 003d 3e81 7dfe aa55 1175 c031 0000340 3c58 75fe 8806 5ed4 075b ff92 102e e806 0000360 ff2a 6f4e 6220 6f6f 2074 6973 6e67 7461 0000400 7275 2065 6e69 7020 7261 6974 6974 6e6f 0000420 0a0d 6000 0cbd be00 060c aabb b455 cd41 0000440 7213 810f 55fb 75aa f609 01c1 0474 42b4 0000460 3feb b452 cd08 7213 5143 e9c0 8606 89e9 0000500 59cf eac1 9208 8340 3fe1 e1f7 a193 0614 0000520 168b 0616 da39 2273 f3f7 f839 1c77 e4c0 0000540 8606 92e0 f1f6 e208 d189 5a41 c688 01b8 0000560 c402 045c 13cd 0572 c361 40b4 4d5a 0674 0000600 e430 13cd 91eb 93e8 44fe 7369 206b 6572 0000620 6461 6520 7272 726f 0a0d 0000 0000 0000 0000640 0000 0000 0000 0000 0000 0000 0000 0000 0000660 0000 0000 0000 0000 5c42 6248 c9cf 0180 0000700 0001 0e83 ce3f 003f 0000 fbe0 0002 0000 0000720 0000 0000 0000 0000 0000 0000 0000 0000 * 0000760 0000 0000 0000 0000 0000 0000 0000 aa55


Byte Review on a Used Drive

Before we continue our bootloader discussion, we must address one common difficulty in byte review. Most administrators never clean a drive before installing an OS. When installing an OS such as Linux on a partition in which an OS previously existed, byte review can be misleading and challenging, as shown in the following example. Using cfdisk, we depict the LILO boot code as loaded in a way almost identical to that just shown; however, in the following example, bytes 19A1B7 have data from a previous load that is not utilized by LILO. The key point here is that byte 1BE has a value equal to "80." As mentioned, this byte signifies the boot device, and as you can see in the following example, even a Windows hibernation partition can be marked bootable for Linux.

"cfdisk P rts" Disk Drive: /dev/hda Sector 0: 0x000: FA EB 20 01 B5 01 4C 49 4C 4F 16 05 A1 9D 32 41 0x010: 00 00 00 00 74 9C 6B 40 AC C8 AC C8 81 80 60 CD 0x020: C0 11 00 B8 C0 07 8E D0 BC 00 08 FB 52 53 06 56 0x030: FC 8E D8 31 ED 60 B8 00 12 B3 36 CD 10 61 B0 0D 0x040: E8 68 01 B0 0A E8 63 01 B0 4C E8 5E 01 60 1E 07 0x050: 80 FA FE 75 02 88 F2 BB 00 02 8A 76 1D 89 D0 80 0x060: E4 80 30 E0 78 0A 3C 10 73 06 F6 46 1C 40 75 2C 0x070: 88 F2 66 8B 7E 18 66 09 FF 74 21 52 B4 08 B2 80 0x080: CD 13 72 55 92 98 91 BA 7F 00 42 66 31 C0 40 E8 0x090: 71 00 66 3B BF B8 01 74 03 E2 EF 5A 53 8A 76 1E 0x0A0: BE 1F 00 E8 4B 00 B4 99 66 81 7F FC 4C 49 4C 4F 0x0B0: 75 27 5E 68 80 08 07 31 DB E8 35 00 75 FB BE 06 0x0C0: 00 89 F7 B9 0A 00 F3 A6 75 0D B0 02 AE 75 08 06 0x0D0: 55 B0 49 E8 D5 00 CB B4 9A B0 20 E8 CD 00 E8 BA 0x0E0: 00 FE 4E 00 74 08 BC E8 07 61 60 E9 60 FF F4 EB 0x0F0: FD 66 AD 66 09 C0 74 0A 66 03 46 10 E8 04 00 80 0x100: C7 02 C3 60 55 55 66 50 06 53 6A 01 6A 10 89 E6 0x110: 53 F6 C6 60 74 58 F6 C6 20 74 14 BB AA 55 B4 41 0x120: CD 13 72 0B 81 FB 55 AA 75 05 F6 C1 01 75 4A 52 0x130: 06 B4 08 CD 13 07 72 58 51 C0 E9 06 86 E9 89 CF 0x140: 59 C1 EA 08 92 40 83 E1 3F F7 E1 93 8B 44 08 8B 0x150: 54 0A 39 DA 73 38 F7 F3 39 F8 77 32 C0 E4 06 86 0x160: E0 92 F6 F1 08 E2 89 D1 41 5A 88 C6 EB 06 66 50 0x170: 59 58 88 E6 B8 01 02 EB 02 B4 42 5B BD 05 00 60 0x180: CD 13 73 0F 4D 74 09 31 C0 CD 13 61 EB F1 B4 40 0x190: E9 46 FF 88 64 1F 8D 64 10 61 C3 C1 C0 04 E8 03 0x1A0: 00 C1 C0 04 24 0F 27 04 F0 14 40 60 BB 07 00 B4 0x1B0: 0E CD 10 61 C3 00 44 63 AC C8 AC C8 00 00 80 01 0x1C0: 01 00 A0 EF 3F 02 3F 00 00 00 F1 B0 00 00 00 00 0x1D0: 01 03 05 EF FF FF 30 B1 00 00 50 78 53 02 00 00 0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA Sector 45360: 0x000: EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 ~~~~~~~ Skip to save space~~~~ 0x1A0: 0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69 0x1B0: 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 00 01 0x1C0: 01 03 83 EF 3F 60 3F 00 00 00 A1 AF 15 00 00 00 0x1D0: 01 61 05 EF 3F CC E0 AF 15 00 C0 EA 18 00 00 00 0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA Sector 1466640: 0x000: 2B 38 04 C8 86 4A 47 E0 EB 54 E3 EA 00 CC 53 CC ~~~~~~~ Skip to save space~~~~ 0x1B0: 43 54 7C D2 10 5D D1 43 2F 86 90 31 04 94 00 01 0x1C0: 01 61 82 EF 3F CC 3F 00 00 00 81 EA 18 00 00 00 0x1D0: 01 CD 05 EF FF FF A0 9A 2E 00 B0 DD 24 02 00 00 0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA Sector 3099600: 0x000: 4D 5F 47 75 69 64 50 6F 6F 6C 01 00 0D 43 4F 4D ~~~~~~~ Skip to save space~~~~ 0x1B0: 44 53 33 64 42 75 66 66 65 72 3B 49 29 56 00 01 0x1C0: 01 CD 8E EF FF FF 3F 00 00 00 71 DD 24 02 00 00 0x1D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA Partition Table for /dev/hda             First    Last  # Type    Sector   Sector   Offset  Length   Filesystem Type (ID)  Flags -- ------- -------- --------- ------ --------- ---------------- ---------  1 Primary        0    45359      63    45360  IBM Thinkpad hibe (A0) Boot (80)  2 Primary    45360  39070079     0 39024720  Extended (05)     None (00)  5 Logical    45360   1466639    63  1421280  Linux (83)        None (00)  6 Logical  1466640   3099599    63  1632960  Linux swap (82)   None (00)  7 Logical  3099600  39070079    63 35970480  Linux LVM (8E)    None (00) Partition Table for /dev/hda          ---Starting---       ----Ending----    Start Number of  # Flags Head Sect Cyl   ID   Head Sect Cyl    Sector Sectors -- ----- ---- ---- ---- ----  ---- ---- ---- -------- --------- 1   0x80    1    1    0 0xA0   239   63    2       63     45297 2   0x00    0    1    3 0x05   239   63 1023    45360  39024720 5   0x00    1    1    3 0x83   239   63   96       63   1421217 6   0x00    1    1   97 0x82   239   63  204       63   1632897 7   0x00    1    1  205 0x8E   239   63 1023       63  35970417


BIOS Initializing the Bootloader

Now that we have covered the bootloader location and difficulties of byte review, we need to cover how the BIOS calls the bootloader and how the bootloader responds. You would think that the first byte of a drive would be the primary thing to focus on. However, the first course of action taken by the BIOS is to search for a partition with the boot flag set. It is important that only one partition be marked as a bootable partition, even though every partition can contain bootable code. If more than one partition contains a boot flag, most BIOSs fail to boot, and some partition tools, such as fdisk, can fail.

Using lilo -M to write the boot code to a disk partition fails if a bootable partition is not flagged or if more than one is flagged. The first byte "0" of a partition that contains LILO boot code has a value of FA(H) on the first sector, first track, and first cylinder of the partition represented by 1111 1010 (B). LILO defines this byte as a Clear Interrupt (CLI), documented in "first.S." The second byte defines the location of the bootloader code, and LILO defines this as EB "jump short" or E9 "jump near." But, jump to what? The jump condition starts the location of the bootloader code (LILO, in this case) defined in probe.c. Complete details on LILO's boot code can be reviewed as needed because LILO is open source. The topic of decoding a bootloader is beyond the scope of this chapter. However, covering the boot stage is critical to troubleshooting OS initialization.

When booting LILO, for example, the bootloader displays the letters L I L O one at a time, each of which has meaning. Beginning with the display of L, the first stage of the LILO bootloader has completed. Next, I appears, signifying the start of the second stage bootloader and floppy check. Lastly, LO appears, completing the second stage of the bootloader confirming kernel images. Based on the LILO configuration, a kernel is booted.



Linux Troubleshooting for System Administrators and Power Users
Real World Mac Maintenance and Backups
ISBN: 131855158
EAN: 2147483647
Year: 2004
Pages: 129
Authors: Joe Kissell

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net