MBR
MBR stands for Master Boot Record. It is the first 512 bytes (the first sector) of a storage device that contains the operating system.
It contains the operating system bootloader (the first-stage boot code) and the storage device's partition table.
You can back up the MBR into a binary file and then restore it when you need to, or analyze it in detail. The basic command format to back up the MBR is as follows. To run this command, you need "root" permission.
# dd if=/dev/sdX of=path/file bs=512 count=1
For example, to back up the MBR in my Linux PC, I tried the following
# dd if=/dev/sda of=/tmp/sda-mbr.bin bs=512 count=1
When this runs successfully, you would see a printout as follows.
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.000133197 s, 3.8 MB/s
Then you can check if it is properly backed up as follows.
# ls /tmp
sda-mbr.bin
How to view the contents of MBR
Once you have backed up the MBR into a file as in the previous section, you can view the contents of the MBR using the command shown below.
# xxd /tmp/sda-mbr.bin
0000000: eb63 9000 0000 0000 0000 0000 0000 0000  .c..............
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0302  ................
0000040: ff00 0020 0100 0000 0002 fa90 90f6 c280  ... ............
0000050: 7502 b280 ea59 7c00 0031 0080 0100 0000  u....Y|..1......
0000060: 0000 0000 fffa 9090 f6c2 8074 05f6 c270  ...........t...p
0000070: 7402 b280 ea79 7c00 0031 c08e d88e d0bc  t....y|..1......
0000080: 0020 fba0 647c 3cff 7402 88c2 52bb 1704  . ..d|<.t...R...
0000090: 8027 0374 06be 887d e817 01be 057c b441  .'.t...}.....|.A
00000a0: bbaa 55cd 135a 5272 3d81 fb55 aa75 3783  ..U..ZRr=..U.u7.
00000b0: e101 7432 31c0 8944 0440 8844 ff89 4402  ..t21..D.@.D..D.
00000c0: c704 1000 668b 1e5c 7c66 895c 0866 8b1e  ....f..\|f.\.f..
00000d0: 607c 6689 5c0c c744 0600 70b4 42cd 1372  `|f.\..D..p.B..r
00000e0: 05bb 0070 eb76 b408 cd13 730d f6c2 800f  ...p.v....s.....
00000f0: 84d0 00be 937d e982 0066 0fb6 c688 64ff  .....}...f....d.
0000100: 4066 8944 040f b6d1 c1e2 0288 e888 f440  @f.D...........@
0000110: 8944 080f b6c2 c0e8 0266 8904 66a1 607c  .D.......f..f.`|
0000120: 6609 c075 4e66 a15c 7c66 31d2 66f7 3488  f..uNf.\|f1.f.4.
0000130: d131 d266 f774 043b 4408 7d37 fec1 88c5  .1.f.t.;D.}7....
0000140: 30c0 c1e8 0208 c188 d05a 88c6 bb00 708e  0........Z....p.
0000150: c331 dbb8 0102 cd13 721e 8cc3 601e b900  .1......r...`...
0000160: 018e db31 f6bf 0080 8ec6 fcf3 a51f 61ff  ...1..........a.
0000170: 265a 7cbe 8e7d eb03 be9d 7de8 3400 bea2  &Z|..}....}.4...
0000180: 7de8 2e00 cd18 ebfe 4752 5542 2000 4765  }.......GRUB .Ge
0000190: 6f6d 0048 6172 6420 4469 736b 0052 6561  om.Hard Disk.Rea
00001a0: 6400 2045 7272 6f72 0d0a 00bb 0100 b40e  d. Error........
00001b0: cd10 ac3c 0075 f4c3 365e a5c9 0000 8000  ...<.u..6^......
00001c0: 0101 83fe ffff c13e 0000 004c a112 00fe  .......>...L....
00001d0: ffff 0cfe ffff c18a a112 4d82 2114 00fe  ..........M.!...
00001e0: ffff 05fe ffff fe0f c326 0248 7513 0000  .........&.Hu...
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.
The first 3 bytes : This is the most important part of the MBR, and its role is simply to jump to another location in the MBR. In this example the bytes are eb 63 90. 'eb' is the opcode for a short 'jmp' in assembly language, and 63 is the number of bytes (in hex) to jump forward from the end of the instruction. Therefore, eb 63 jumps 0x63 bytes (i.e., 99 bytes in decimal) forward, landing at offset 0x65. '90' is 'nop', which does nothing.
The skipped part : The bytes between the jump and its target (offsets 0x02 through 0x64 in the dump above) are jumped over by 'eb 63'. This area may be used for other purposes, such as a BPB (BIOS Parameter Block).
4752 5542 : ASCII string for 'GRUB'
The data stored in this location is a small program that the BIOS loads and executes to start the boot process. When it has finished, it hands control to the boot program stored on the boot (active) partition, which loads the operating system. What kind of program is it? If you want to see the details of the code, you can disassemble it as in the following example. Note that the MBR code runs in 16-bit real mode, so the 32/64-bit decoding requested below misreads many instructions (the "(bad)" entries and the rcx/rsp-style registers); for a faithful listing use -m i8086 (equivalently -Maddr16,data16). The listing is still enough to spot the initial jmp, the int 0x13 disk reads and the int 0x10 loop that prints the error strings at the end.
# objdump -D -Mintel,x86-64 -b binary -m i386 -Maddr32,data32 sda-mbr.bin
sda-mbr.bin: file format binary
Disassembly of section .data:
00000000 <.data>:
   0:   eb 63                   jmp    0x65
   2:   90                      nop
        ...
  3b:   00 00                   add    BYTE PTR [eax],al
  3d:   00 03                   add    BYTE PTR [ebx],al
  3f:   02 ff                   add    bh,bh
  41:   00 00                   add    BYTE PTR [eax],al
  43:   20 01                   and    BYTE PTR [ecx],al
  45:   00 00                   add    BYTE PTR [eax],al
  47:   00 00                   add    BYTE PTR [eax],al
  49:   02 fa                   add    bh,dl
  4b:   90                      nop
  4c:   90                      nop
  4d:   f6 c2 80                test   dl,0x80
  50:   75 02                   jne    0x54
  52:   b2 80                   mov    dl,0x80
  54:   ea                      (bad)
  55:   59                      pop    rcx
  56:   7c 00                   jl     0x58
  58:   00 31                   add    BYTE PTR [ecx],dh
  5a:   00 80 01 00 00 00       add    BYTE PTR [eax+0x1],al
  60:   00 00                   add    BYTE PTR [eax],al
  62:   00 00                   add    BYTE PTR [eax],al
  64:   ff                      (bad)
  65:   fa                      cli
  66:   90                      nop
  67:   90                      nop
  68:   f6 c2 80                test   dl,0x80
  6b:   74 05                   je     0x72
  6d:   f6 c2 70                test   dl,0x70
  70:   74 02                   je     0x74
  72:   b2 80                   mov    dl,0x80
  74:   ea                      (bad)
  75:   79 7c                   jns    0xf3
  77:   00 00                   add    BYTE PTR [eax],al
  79:   31 c0                   xor    eax,eax
  7b:   8e d8                   mov    ds,eax
  7d:   8e d0                   mov    ss,eax
  7f:   bc 00 20 fb a0          mov    esp,0xa0fb2000
  84:   64                      fs
  85:   7c 3c                   jl     0xc3
  87:   ff 74 02 88             push   QWORD PTR [edx+eax*1-0x78]
  8b:   c2 52 bb                ret    0xbb52
  8e:   17                      (bad)
  8f:   04 80                   add    al,0x80
  91:   27                      (bad)
  92:   03 74 06 be             add    esi,DWORD PTR [esi+eax*1-0x42]
  96:   88 7d e8                mov    BYTE PTR [ebp-0x18],bh
  99:   17                      (bad)
  9a:   01 be 05 7c b4 41       add    DWORD PTR [esi+0x41b47c05],edi
  a0:   bb aa 55 cd 13          mov    ebx,0x13cd55aa
  a5:   5a                      pop    rdx
  a6:   52                      push   rdx
  a7:   72 3d                   jb     0xe6
  a9:   81 fb 55 aa 75 37       cmp    ebx,0x3775aa55
  af:   83 e1 01                and    ecx,0x1
  b2:   74 32                   je     0xe6
  b4:   31 c0                   xor    eax,eax
  b6:   89 44 04 40             mov    DWORD PTR [esp+eax*1+0x40],eax
  ba:   88 44 ff 89             mov    BYTE PTR [edi+edi*8-0x77],al
  be:   44 02 c7                add    r8b,dil
  c1:   04 10                   add    al,0x10
  c3:   00 66 8b                add    BYTE PTR [esi-0x75],ah
  c6:   1e                      (bad)
  c7:   5c                      pop    rsp
  c8:   7c 66                   jl     0x130
  ca:   89 5c 08 66             mov    DWORD PTR [eax+ecx*1+0x66],ebx
  ce:   8b 1e                   mov    ebx,DWORD PTR [esi]
  d0:   60                      (bad)
  d1:   7c 66                   jl     0x139
  d3:   89 5c 0c c7             mov    DWORD PTR [esp+ecx*1-0x39],ebx
  d7:   44 06                   rex.R (bad)
  d9:   00 70 b4                add    BYTE PTR [eax-0x4c],dh
  dc:   42 cd 13                rex.X int 0x13
  df:   72 05                   jb     0xe6
  e1:   bb 00 70 eb 76          mov    ebx,0x76eb7000
  e6:   b4 08                   mov    ah,0x8
  e8:   cd 13                   int    0x13
  ea:   73 0d                   jae    0xf9
  ec:   f6 c2 80                test   dl,0x80
  ef:   0f 84 d0 00 be 93       je     0x93be01c5
  f5:   7d e9                   jge    0xe0
  f7:   82                      (bad)
  f8:   00 66 0f                add    BYTE PTR [esi+0xf],ah
  fb:   b6 c6                   mov    dh,0xc6
  fd:   88 64 ff 40             mov    BYTE PTR [edi+edi*8+0x40],ah
 101:   66 89 44 04 0f          mov    WORD PTR [esp+eax*1+0xf],ax
 106:   b6 d1                   mov    dh,0xd1
 108:   c1 e2 02                shl    edx,0x2
 10b:   88 e8                   mov    al,ch
 10d:   88 f4                   mov    ah,dh
 10f:   40 89 44 08 0f          rex mov DWORD PTR [eax+ecx*1+0xf],eax
 114:   b6 c2                   mov    dh,0xc2
 116:   c0 e8 02                shr    al,0x2
 119:   66 89 04 66             mov    WORD PTR [esi+eiz*2],ax
 11d:   a1 60 7c 66 09 c0 75    movabs eax,ds:0x664e75c009667c60
 124:   4e 66
 126:   a1 5c 7c 66 31 d2 66    movabs eax,ds:0x34f766d231667c5c
 12d:   f7 34
 12f:   88 d1                   mov    cl,dl
 131:   31 d2                   xor    edx,edx
 133:   66 f7 74 04 3b          div    WORD PTR [esp+eax*1+0x3b]
 138:   44 08 7d 37             or     BYTE PTR [ebp+0x37],r15b
 13c:   fe c1                   inc    cl
 13e:   88 c5                   mov    ch,al
 140:   30 c0                   xor    al,al
 142:   c1 e8 02                shr    eax,0x2
 145:   08 c1                   or     cl,al
 147:   88 d0                   mov    al,dl
 149:   5a                      pop    rdx
 14a:   88 c6                   mov    dh,al
 14c:   bb 00 70 8e c3          mov    ebx,0xc38e7000
 151:   31 db                   xor    ebx,ebx
 153:   b8 01 02 cd 13          mov    eax,0x13cd0201
 158:   72 1e                   jb     0x178
 15a:   8c c3                   mov    ebx,es
 15c:   60                      (bad)
 15d:   1e                      (bad)
 15e:   b9 00 01 8e db          mov    ecx,0xdb8e0100
 163:   31 f6                   xor    esi,esi
 165:   bf 00 80 8e c6          mov    edi,0xc68e8000
 16a:   fc                      cld
 16b:   f3 a5                   rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi]
 16d:   1f                      (bad)
 16e:   61                      (bad)
 16f:   ff 26                   jmp    QWORD PTR [esi]
 171:   5a                      pop    rdx
 172:   7c be                   jl     0x132
 174:   8e 7d eb                mov    ?,WORD PTR [ebp-0x15]
 177:   03 be 9d 7d e8 34       add    edi,DWORD PTR [esi+0x34e87d9d]
 17d:   00 be a2 7d e8 2e       add    BYTE PTR [esi+0x2ee87da2],bh
 183:   00 cd                   add    ch,cl
 185:   18 eb                   sbb    bl,ch
 187:   fe 47 52                inc    BYTE PTR [edi+0x52]
 18a:   55                      push   rbp
 18b:   42 20 00                rex.X and BYTE PTR [eax],al
 18e:   47                      rex.RXB
 18f:   65 6f                   outs   dx,DWORD PTR gs:[esi]
 191:   6d                      ins    DWORD PTR es:[edi],dx
 192:   00 48 61                add    BYTE PTR [eax+0x61],cl
 195:   72 64                   jb     0x1fb
 197:   20 44 69 73             and    BYTE PTR [ecx+ebp*2+0x73],al
 19b:   6b 00 52                imul   eax,DWORD PTR [eax],0x52
 19e:   65                      gs
 19f:   61                      (bad)
 1a0:   64 00 20                add    BYTE PTR fs:[eax],ah
 1a3:   45 72 72                rex.RB jb 0x218
 1a6:   6f                      outs   dx,DWORD PTR ds:[esi]
 1a7:   72 0d                   jb     0x1b6
 1a9:   0a 00                   or     al,BYTE PTR [eax]
 1ab:   bb 01 00 b4 0e          mov    ebx,0xeb40001
 1b0:   cd 10                   int    0x10
 1b2:   ac                      lods   al,BYTE PTR ds:[esi]
 1b3:   3c 00                   cmp    al,0x0
 1b5:   75 f4                   jne    0x1ab
 1b7:   c3                      ret
The partition table is the 64 bytes at offset 0x1be, just before the 55aa signature: four 16-byte entries, one per primary partition.
Partition 1 : 8000 0101 83fe ffff c13e 0000 004c a112
Partition 2 : 00fe ffff 0cfe ffff c18a a112 4d82 2114
Partition 3 : 00fe ffff 05fe ffff fe0f c326 0248 7513
Partition 4 : 0000 0000 0000 0000 0000 0000 0000 0000
Let's decode Partition Table
Partition 1 : 8000 0101 83fe ffff c13e 0000 004c a112
Byte 0 : indicates whether the partition is bootable or not.
    80 - Bootable (active) partition
    00 - Non-bootable partition
Byte 1-3 : Cylinder-Head-Sector address of the first absolute sector in the partition. The first byte is the head, the second byte holds the sector in its low 6 bits and the two high bits of the cylinder in its top 2 bits, and the third byte holds the low 8 bits of the cylinder. In this example (00 01 01) the field decodes as follows, which matches the "starthead 0" that the file command reports below.
    Head : 00
    Sector : 01
    Cylinder : 01
Byte 4 : indicates the partition type. In this example it means as follows
    83 : a native Linux file system (for the full list of partition types, refer to Wikipedia : Partition Type)
Byte 5-7 : Cylinder-Head-Sector address of the last absolute sector in the partition, laid out the same way as bytes 1-3. In this example the field is fe ff ff, the conventional "maximum CHS" marker written when the partition end lies beyond what CHS can address, so the LBA fields below are the ones to trust.
    Head : fe (254)
    Sector : ff -> low 6 bits = 63, top 2 bits = high bits of the cylinder
    Cylinder : 1023 (0x3ff)
Byte 8-11 : Logical block address (LBA) of the first absolute sector in the partition, stored little-endian. In this example, c13e 0000 : 16065 (= 0x3EC1)
Byte 12-15 : number of sectors in the partition, stored little-endian. In this example, 004c a112 : 312560640 (= 0x12a14c00) sectors
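The hand decoding above, as an added example that is not part of the original page: a small Python parser that checks the 0x55AA signature, resolves the initial short jump, decodes the four partition entries (packed CHS fields and little-endian LBA values) and checks that the partition ranges do not overlap. The 512-byte image is constructed inline from the bytes shown in the dump above (the bootstrap area is zero-filled), so it runs without reading a disk.

```python
import struct

# Constructed 512-byte MBR image (not a real disk read): it reproduces the
# jmp/nop at offset 0, the four partition entries at 0x1be and the 0x55aa
# signature from the xxd dump above; the rest of the bootstrap area is zero.
PART_TABLE = bytes.fromhex(
    "80000101" "83feffff" "c13e0000" "004ca112"   # partition 1
    "00feffff" "0cfeffff" "c18aa112" "4d822114"   # partition 2
    "00feffff" "05feffff" "fe0fc326" "02487513"   # partition 3
    "00000000" "00000000" "00000000" "00000000"   # partition 4 (empty)
)
MBR_SAMPLE = b"\xeb\x63\x90" + bytes(0x1be - 3) + PART_TABLE + b"\x55\xaa"

def decode_chs(field):
    """Unpack a 3-byte CHS field into (cylinder, head, sector): byte 0 is the
    head, byte 1 holds sector (low 6 bits) plus cylinder bits 8-9 (top 2
    bits), byte 2 holds cylinder bits 0-7."""
    head, sc, cyl_lo = field
    return ((sc & 0xC0) << 2) | cyl_lo, head, sc & 0x3F

def parse_mbr(mbr):
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    # Short jmp (eb rel8): target = end of the 2-byte instruction + signed rel8.
    jump_target = 2 + struct.unpack("b", mbr[1:2])[0] if mbr[0] == 0xEB else None
    parts = []
    for i in range(4):
        entry = mbr[0x1BE + 16 * i : 0x1BE + 16 * (i + 1)]
        flag, chs_s, ptype, chs_e, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1, "active": flag == 0x80, "type": ptype,
            "start_chs": decode_chs(chs_s), "end_chs": decode_chs(chs_e),
            "lba_start": lba, "sectors": count,
        })
    return {"jump_target": jump_target, "partitions": parts}

def find_overlaps(parts):
    """Return (index, index) pairs whose LBA ranges overlap; a sane table
    yields an empty list. Overlapping entries are a classic sign of a
    corrupted or tampered partition table."""
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in parts)
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]
```

The decoded values for the sample reproduce what the file command prints further down (partition 1 active, type 0x83, start 16065, 312560640 sectors, and so on).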
I always recommend trying this kind of manual decoding at least once to understand the details, but you would not want to do it again :). Once you understand the details and just want a quick decode, you can decode the MBR backup file using the following command
# file sda-mbr.bin
sda-mbr.bin: x86 boot sector; GRand Unified Bootloader, stage1 version 0x3, stage2 address 0x2000, stage2 segment 0x200; partition 1: ID=0x83, active, starthead 0, startsector 16065, 312560640 sectors; partition 2: ID=0xc, starthead 254, startsector 312576705, 337740365 sectors; partition 3: ID=0x5, starthead 254, startsector 650317822, 326453250 sectors, code offset 0x63