Bootloaders - an introduction

Transcription

Bootloaders - an introduction
Bootloaders - an introduction
Barry Nauta
December 3, 2008
2
Contents
1 Introduction
5
2 The Bootloader
7
2.1
Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
2.2
Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
2.3
Disk addressing schemes . . . . . . . . . . . . . . . . . . . . . . .
8
2.4
Bios/Mbr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9
2.4.1
Volume Boot Record . . . . . . . . . . . . . . . . . . . . .
11
2.5
Efi/Gpt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
2.6
MBR, GPT - Side by Side . . . . . . . . . . . . . . . . . . . . . .
13
2.7
Bootsector virus . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
3 Bootloading an operating system
15
3.1
BIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
15
3.2
EFI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
16
3.3
Microsoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
16
3.3.1
Windows DOS, Windows 3.x, Windows 9x
17
3.3.2
Windows NT, Windows XP, Windows 2000, Windows 2003 18
3.3.3
Windows Vista, Windows 2008 . . . . . . . . . . . . . . .
20
3.4
Grub4Dos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
3.5
Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
3.5.1
Bootcamp . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
3.6.1
24
3.6
. . . . . . . .
LILO . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
4
CONTENTS
3.7
3.6.2
GRUB . . . . . . . . . . . . . . . . . . . . . . . . . . . .
25
3.6.3
Loading the Linux kernel . . . . . . . . . . . . . . . . . .
26
Multiboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
27
4 Some experiments
29
4.1
Dualboot: Xp and then Vista . . . . . . . . . . . . . . . . . . . .
29
4.2
Dualboot: Vista and then Xp . . . . . . . . . . . . . . . . . . . .
30
4.3
Multiboot: Xp, Vista, 2008, Linux . . . . . . . . . . . . . . . . .
32
4.3.1
Step 1: partitioning . . . . . . . . . . . . . . . . . . . . .
32
4.3.2
Installing Windows Xp
. . . . . . . . . . . . . . . . . . .
32
4.3.3
Installing Windows Vista . . . . . . . . . . . . . . . . . .
33
4.3.4
Installing Windows 2008 Server . . . . . . . . . . . . . . .
34
4.3.5
Linux installation . . . . . . . . . . . . . . . . . . . . . . .
35
4.3.6
Multiboot installation conclusions . . . . . . . . . . . . .
35
A MBR - a closer look
A.1 The partition table . . . . . . . . . . . . . . . . . . . . . . . . . .
37
39
B GPT - a closer look
41
C Utilities
43
D Glossary
45
Chapter 1
Introduction
This document is the result of a study performed for the course “Operating
Systems and Security”. The course is given at the “Vrije Universiteit Brussel”
(Vub) by Prof. Timmermans as part of the study “Master in applied computer
sciences”.
As the title suggests, this article is an introduction on bootloaders. There are
many operating systems and many bootloaders available, what you will find in
this document is a small explanation on Bios/Mbr versus Efi/Gpt architectures, and some explanations on the bootloading process using Ntldr, Bcd and
Lilo/Grub. Additionally, there are some experiments by using multiboot systems on common operating systems including Windows Xp, Windows Vista and
Linux (Ubuntu). The experiments are all based on the Bios/Mbr architecture.
5
6
CHAPTER 1. INTRODUCTION
Chapter 2
The Bootloader
When a computer is turned on, the first thing it does, is loading a small program
into memory, which aids in choosing and loading the desired operating system
(Os). This process is called ‘bootstrapping’ or ‘booting’ in short. The program
that is initially loaded is called the ‘bootloader’.
2.1
Bootstrapping
In general computer terms, a bootstrap process is one in which a small and
simple process is used to help loading a bigger and more complicated program.
In this document, we will refer to the type of bootstrap program that is used to
select and load an appropriate operating system.
2.2
Partitions
Hard-disks are often divided into partitions, which is a physical division of the
disk. There are several reasons to use partitions, the most obvious for the bootprocess is the use of different operating systems. Different operating systems are
often placed on different partitions since they may have a similar file structure or
even files that may cause conflicts (a good example is the c:\Windows directory
for Windows Xp and Windows Vista, those operating systems cannot coexist on
the same partition) or that they have a different filesystem (for example Ntfs
for Windows Xp and Ext2 for Linux).
When a computer starts up, it needs to know which partition contains the operating system that will be started. On Ibm-Pc architectures, this information
can be found in the Master Boot Record (Mbr), a small segment on a harddisk
that can be found in front of the very first partition. On newer architectures
(Itanium), this information can be found in the Guid Partition Table (Gpt).
Both the Mbr (in combination with the Bios) and Gpt (in combination with
Efi) will be discussed in more detail in the next sections.
7
8
2.3
CHAPTER 2. THE BOOTLOADER
Disk addressing schemes
Disk addressing schemes are partially related to the boot process. For instance;
the Bios uses Chs as addressing scheme, Efi uses Lba.
The initial method (IBM PCs) of addressing disks was using Cylinder-HeadSector addressing.
A harddisk is divided into platters, physical disks with a narrow gap between
them. The platters are double-side, meaning that information is stored on each
side of the platter, much like the old-days vinyl records. Each platter has a head
that can read information from the platter, the platter is spinning in rounds so
a head reads from a ring (called a track), when it reads data.
All the heads are positioned at the same location, which makes that if you read
from a specific track on one platter, the head on the other platter is positioned
at the same location and you can read data from that location as well. This
operation of reading multiple platters at the same time forms a stack of logical
rings, which in disk-terms is called a ’cylinder’.
Finally, each circle on a platter (a track or ‘one ring’) is divided into smaller
segments (usually 64), called ‘sectors’.
The 16-byte entries within an Mbr use Chs values that are limited to 1024
cylinders, 255 heads and 63 sectors. This leads to a maximum disk-size of
1024 · 255 · 63 · 512 = 8.422.686.720
2.4. BIOS/MBR
9
bytes. Since there is a limit on the size of disks using this addressing scheme,
‘Logical-Block-Addressing’ (LBA) has been introduced which is used by most
modern operating systems. It is important to realize that although the operating systems bypass the Bios-calls (i.e. int13 for disk access), the bootloaders/managers still uses the Bios-calls.
2.4
Basic Input/Output System - Master Boot
Record
The Bios is the only available software (more precise: it is firmware; software
that is embedded in hardware) available to a personal computer when it has
not yet booted.1 When a computer starts, the Bios2 loads and executes a small
program (the bootstrap program) which resides in the Master Boot Record
(Mbr).3 This program is also called the “Master Boot Code” (also known as
‘Initial Program Load’ (Ipl) . a term that comes from the Ibm mainframe
systems. 4
The “Master Boot Code”, on its turn, reads the partition table that resides at
the end of the sector. The partition table is used to determine which partition
is bootable.5 It is, of course, the bootable partition that must contain the stage
2 boot-loader (more on this later).
The Ibm-Pc architecture supports up to 4 primary partitions. The Mbr actually has a partition table that is split into 4 entries. If more partitions are
needed, one of those primary partitions can be changed to an extended partition
which can on its turn contain 24 logical partitions.
1 The Bios is basically a set of basic instructions (machine code) that enable the communication between the hardware and the operating system that is going to be loaded.
2 In fact; the CPU is started, finds that its memory is empty and jumps to a fixed address FFFF0-FFFFF, which contains a jump statement to the Bios code (which can be located
anywhere)
3 The Master Boot Record (also called the ‘partition sector’ or the ‘master boot block’) is
the first physical sector of the first boot device.
The Mbr uses Cylinder-Head-Sector (chs) addressing.
The boot device is usually a hard disk, but it can also be a floppy disk/Cd-Rom etc.
4 These terms are often used in an ambiguous way; the Ipl is sometimes confused with the
Mbr and vice versa. The Mbr is actually the combination of the Ipl and the partition table.
5 One (and only one!) of the four partitions in the Mbr partition table can have an ‘active’
status, indicating that this is the partition to use when a computer is booted.
10
CHAPTER 2. THE BOOTLOADER
The following image (source: 5) shows an overview of a Mbr strtucture. This
picture also contains a reference to extended partitions which will be explained
in more detail afterwards.
Each logical drive in the extended partitions has an ‘Extended Boot Record’
(Ebr), which describes the partitioning of the logical drive. The Ebr is also
called the ‘Extended Partition Boot Record’ (Epbr), it will always be located
on the first sector of the extended partition.
The primary partitions are limited and they are all described in the partition
table in the Mbr. This is not the case for extended partitions and since there
can be many logical partitions, each Ebr is placed in the beginning of a logical
partition. If there are multiple logical partitions, the preceding partition will
contain a pointer to the next logical partition (Ebr).
2.5. EFI/GPT
11
The following image (source: 5) gives a better explanation:
2.4.1
Volume Boot Record
A Volume Boot Record (Vbr) (also know as the Volume Boot Sector) or “Primary Boot Record” (Pbr) is a type of bootsector. On non-partitioned devices
(and thus also external devices), the Vbr is the first sector of the device, on
partitioned devices, it is the first sector of any specific partion (in this case, the
first sector of the device itself is the Mbr).
The process of a bootloader invoking the Vbr is known as ‘Chainloading’, going
from the first stage to the second stage.
2.5
Extensible Firmware Interface - GUID Partition Table
The Extensible Firmware Interface is a proposition of Intel to replace the Bios
and uses the guid (Globally Unique IDentifier) Partition Table (Gpt) as a
replacement of the Bios’ Master Boot Record (Mbr).
Efi is proposed as improvement over Bios, since Bios has limitations like 16bit processor mode, 1 Mb addressable space etc. Some of the enhancements
to the standard Bios like Advanced Configuration and Power Interface (Acpi)
and System Management Bios (Smbios) are also present in Efi, since they are
not bound by the 16-bit limitations.
Efi is an open-source standard, that defines an architecture independent in-
12
CHAPTER 2. THE BOOTLOADER
terface between the platform firmware and operating system. Since it is an
interface, it is (in theory) easier to make modifications by motherboard vendors.
Gpt does not use ‘Cylinder-Head-Sector’ (Chs) addressing, like the Mbr does,
it uses ‘Logical Block Addressing’ (Lba) instead.
A very big difference between Mbr and Gpt is that the Mbr contains an
executable binary for identifiying and booting the active partition which lies
outside the Mbr, the Gpt contains this functionality itself. In other words:
Efi contains it’s own boot-loader. It starts with a protective Mbr block, which
is used for backwards compatibility and makes sure that tools that try to modify
the Mbr do not accidentally destroy vital boot information when they think
that they are dealing with Mbr code. This part is also called ‘Legacy Mbr’ or
‘Protective Mbr (Lba0)
To recognize the partition table scheme, the SystemId for the partition is set to
0xEE, indicating that Gpt is used, which makes Efi ignore the Mbr. Gpt also
has a redundancy feature, the header and the partition table are written at the
beginning as well as the end of the disk.
The Efi system partition (the partition that contains the bootloader programs
for all operating systems that are installed on the system) is formatted in a Fat
variant.
2.6. MBR, GPT - SIDE BY SIDE
2.6
13
MBR, GPT - Side by Side
The following picture gives an overview of the partitions of a disk for an ibm-pc6
architecture (Mbr disk), compared to an Itanium7 Gpt disk (source: 5).
2.7
Bootsector virus
A bootsector virus is a virus that infects the very first sector of a disk (floppy
disk or hard disk). The first sector of your hard-disk is your bootsector and it
contains the Mbr. Since the Mbr is executed every time your systems starts,
the virus can be very harmful. Once the Mbr is infected, the virus loads into
memory and can infect every hard disk, or external disk, known to the system.
Bootvirusses were typically spread via infected floppy disks. When a user left a
floppy disk accidentally in the drive, the next time the system booted, it tried
to boot from the floppy (this is a feature that can nowadays be (de)activated
in the Bios) and the virus kicked in. 8 Any antivirus software is sufficient to
clean an infected bootsector/Mbr.
6 ibm-pc or x86 stands for the 32-bit instruction set architecture that is binary compatible
with the 80386, a microprocessor which has been the most commonly used processor for
personal computers from 1986 up until now (end of 2008).
7 Itanium is the brand name for Intel 64-bit microprocessors that implements the Intel
Itanium architecture (which was, despite the name, originally developed by Hewlett-Packard
(hp))
8 In the past, a lot of floppy disks were bootable, but a floppy disk does not need to be
bootable to infect a system.
14
CHAPTER 2. THE BOOTLOADER
Chapter 3
Bootloading an operating
system
This chapter describes from a high-level point of view, the different steps in the
booting process of some of the major operating systems. First the differences
between the Bios and Efi startup processes are explained, after which the boot
processes of some of the major operating systems are examined.
3.1
BIOS
In a few words, we could say that on startup, the Bios runs a Post (Power-On
Self Test) to check for the availability of some vital hardware and executes the
Mbr afterwards. The full steps are shown below:
1. The computer is switched on, the (x86) Cpu is programmed to look at the
address FFFF:0000h, the last 16 bytes of memory in the first megabyte.
This address contains a jump (jmp) command to the Bios.
2. The Bios runs the Post. During this process (hardware vendor dependent), a video Bios, a check for a warm/cold boot (a warm boot indicates
that a large part of the Post can be skipped)
3. Sets up the interrupt table containing the addresses to the interrupt routines. Interrupt 13 is the most important of these interrupts, it contains
the Bios fixed disk (native I/O) services.
4. Initializes (after performing some tests) vital hardware like the Cmos
(Complementary Metal–Oxide–Semiconductor; a special memory-chip
that stores information like the boot-order, system-clock etc), the Dma
(Direct Memory Access), controller, the keyboard controller, and the like.
5. Initializes (again after performing some tests) hardware like keyboards,
hard disks etc.
15
16
CHAPTER 3. BOOTLOADING AN OPERATING SYSTEM
6. Looks for Rom extensions (a Bios on an option card). Typical Rom
extensions can be found in video cards, network adapters etc. The first two
bytes of a Rom extension are 55aa, the Bios locates Rom extensions by
searching for this pattern. If an extension is found, the Rom initialization
code is called.
7. Finally, the Bios looks for a boot sector (Vbr) 1 on an external device,
or the Mbr on a hard disk (this option can usually be set in the Bios,
although this was not the case for older systems) and copies it to address
0x7c00.
3.2
EFI
On machines with Efi firmware, it is the firmware itself that contains a bootmanager. It is the BootRom that performs a Post. Efi takes care of basic
hardware initialization and the selection of the actual operating system to start.
The Microsoft boot-manager entry is called “Windows Boot Manager” and can
be found at the following location: \EFI\Microsoft\Boot\Bootmgfw.efi. On
Macintosh machines, the file called /System/Library/CoreServices/boot.efi.
Since the Efi is modular and the specification an interface, each vendor provides
a different version. Microsoft even implements a second bootmanager with its
own menu with boot options.
3.3
Microsoft
Microsoft has three generations of bootloaders. The first one loads Dos based
operating systems like Dos itself, Windows 3.x and Windows 95/98. The Windows Nt generation (version 4 and 5) include a new bootloader called Ntldr.
Windows Vista and Windows 2008 use Bcd as bootloader.
1 A VBR is the first sector of a device that has not been partitioned, or the first sector of
an individual partition on a device that has been partitioned.
3.3. MICROSOFT
3.3.1
17
Windows DOS, Windows 3.x, Windows 9x
Once the Bios has completed its initialization phase, the boot process looks for
the bootable partition and starts the operating system by invoking the operating
system files (io.sys, msdos.sys and command.com)
The full explanation of the steps follow:
1. The Bios loads the Mbrs boot code and executes it. It looks for the
boot device, if the device is a hard-disk, some additional steps (examining
the master partition table including retrieving information on extended
partitions) are performed:
(a) If the master boot code has found an extended partition, the extended
partition table will be loaded. This table lists the logical volumes in
the extended partition. The extended partition tables of the logical
volumes are chained, the process uses this feature to find and load
all extended partitions.
18
CHAPTER 3. BOOTLOADING AN OPERATING SYSTEM
(b) Once the (optional) extended partitions have been loaded the master
boot code tries to boot the active (primary) partition, resulting in
error codes on failure.
2. The Volume Boot Record is loaded and executes
3. The Volume Boot Code inspects the disk from which it boots, resulting
in error codes on failure.
4. The root directory of the device that is used for booting must now contain
three files: (io.sys, msdos.sys and command.com) (If these files are not
found, an error message is displayed)
5. The boot program loads the three operating system files into memory and
executes them. The files, on their turn, load the command interpreter and
the system control files (config.sys and autoexec.bat)
The kernel image was implemented in two files (io.sys and msdos.sys) in older
Dos versions, Dos 7 implemented the kernel image in one file (io.sys). The
file msdos.sys was transferred to a text-based configuration file.
For the windows systems, the last line of the autoexec.bat called the file
win.com which on its turn loads the Windows kernel (krnl386.com) and some
additional modules. The Windows kernel finally loads the primary shell (progman.exe
for Windows 3.x, explorer.exe for later versions)
Since the windows kernel is loaded from the autoexec.bat file, this file can be
used to implement some sort of bootmanager. Different bootoptions are shown
in the accompanying image.
3.3.2
Windows NT, Windows XP, Windows 2000, Windows 2003
These versions of Windows all use Ntldr as bootloader.
NTLDR
Ntldr has some tasks to perform before the user can select the actual operating
system to boot:
1. The windows loader (Ntldr) is loaded.
2. The loader switches the processor to 32-bit mode (which is needed by
Ntldr)
3. Ntldr starts a mini-filesystem with appropriate drivers. This is needed
to be able to load Windows from different filesystem formats.
4. The loader reads the boot.ini file and presents the user with a menu,
based on the configuration in the boot.ini file. If this file is not present,
3.3. MICROSOFT
19
the system assumes default values, prints an error message and continues.
If only one boot option is present in the configuration file, the system
reads the configuration and continues without presenting the menu to the
user.
5. Ntldr loads the operating system that is selected by the user. If the
selected operating system is any of the ones mentioned in this section,
Ntldr set’s up the hardware and loads and executes ntdetect.com. For
other operating systems, the control is passed to the file bootsect.dos,
or any other bootloader.
6. ntdetect.com (osloader.exe on Risc systems) scans the hardware and
gives the discovered list to the Ntldr which loads ntoskrnl.exe and
gives it the list previously received. We now enter the Windows Load
Phases.
The Windows Load Phases for the mentioned systems can differ slightly from
one to another, however the general sequence for the mentioned systems consists
of the following:
20
CHAPTER 3. BOOTLOADING AN OPERATING SYSTEM
1. Kernel Load Phase
2. Kernel Initialization Phase
3. Services Load Phase
4. Windows Load Phase (Windows Subsystem Start Phase)
Kernel Load Phase
The ‘Kernel Load Phase’ loads the ‘Hardware Abstraction Layer’ (Hal, found in
the file hal.dll) and the registry is loaded and checked for additional needed
device drivers. ntoskernel.exe is loaded (but not executed). Ntldr now
initializes the kernel and passes control to it.
Kernel Initialization Phase
The drivers that were loaded in the ‘Kernel Load Phase’ as well as the kernel
itself are initialized. The registry hardware list is created with the information
collected by ntdetect.com.
Service Load Phase
The session manager is started who’s task is to check all programs that must be
started. The paging file is setup and the disk is checked for errors (chkdsk.exe).
Windows Load Phase
The Win32 subsystem starts and invokes winlogon.exe. The service controller
checks the registry for services that must be started, right after the login screen
is presented indicating that the system has properly started.2
3.3.3
Windows Vista, Windows 2008
It is either the Bios or the Efi that loads the Windows Nt6 boot manager
called ‘Winload’.
It is Winload that bootstraps the Windows kernel3 , it loads the operating
system kernel, the Hardware Abstraction Layer (Hal) and the system registry.
2 Actually,
the boot process is not yet finished; it finishes after a successful logon and the
‘Last Known Good Configuration’ boot-sequence has been copied.
3 Winload is the equivalent of Ntldr for older Windows Nt systems, although it does not
implement features like hibernation (dispatched to the program called winresume or implementation of the bootmenu (already handled by the boot-manager))
3.3. MICROSOFT
21
The boot manager (which must be located at the root directory of the boot
volume) reads the ‘Boot Configuration Data’ file and presents the user a bootmenu. Whenever an operating system is chosen, the bootmanager executes
winload.exe to load the operating system.
The steps the Winload takes are simpler than Ntldr, since some of the tasks
performed by Ntldr have already been performed by the bootmanager (presentation of the menu) or are delegated to other programs (winresume for hibernation).
The steps that Winload performs are the following:
1. It loads the system registry.
2. Winload loads the operating system kernel. The Hardware Abstraction
Layer is initialized as well as all needed kernel libraries.
3. All (kernel, Hal, libraries and device drivers) the image files are checked
by their digital signature and loaded.
4. The registry is scanned to check all used device drivers, the device drivers
that are in the ‘boot’ classes are verified and loaded into memory.
22
CHAPTER 3. BOOTLOADING AN OPERATING SYSTEM
3.4
Grub4Dos
Not really a specific Windows bootloader, but has some interesting features that
are worth to mention.
Grub4Dos is a fork of the Grub project (see 3.6.2), but has evolved a lot.
Grub uses a staging mechanism, each stage containing a different small program, to bootload an operating system, Grub4Dos on the other hand, uses one
single file (grldr or grub.exe, depending from which operating system you
boot) which can be chainloaded from other bootloaders like Ntldr, Grub4Dos
can be written to the bootsector of a device (using the file grldr.mbr) or grldr
can be loaded via the device’s Mbr. Additionally, Grub4Dos can be loaded in
multiple ways (it can be loaded by the bootloader in the Mbr, it can be loader
from the Windows Vista bootloader and it can serve as bootfile for bootable
Cdroms (El Torito). Finally, Grub4Dos implements functionality that allows
you to map virtual disks (harddisk or floppydisks) from image files which can
be used after Dos has started.
If the Grub4Dos bootloader (grldr of grub.exe) is chainloaded from another
bootloader, it scan the local disks for the configuration. This means that the
configuration file is not bound to a specific location, it can even be mobed
between disks.
If Grub4Dos (the Mbr of Grub4Dos) is installed in the Mbr, it scans all devices
for the loader, which on its turn scans devices for the bootmenu (menu.lst).
If no menu configuration is found, a command-line is presented, otherwise the
menu is shown.
3.5
Macintosh
The latest Mac versions come in two flavors, Power PC (Ppc which uses Open
Firmware (a Bios based bootloader) or Intel based Macs, which use Efi/Gpt.
Apple divides the boot process in ten major steps:
1. Power on. The hardware activates the Boot Rom firmware. In case of
OpenFirmware, a Bios variant, the following two steps are performed:
(a) Post, checks vital hardware
(b) Open Firmware, builds the device tree and selects which operating
system to boot.
2. Booter, the ‘BootX’ is the loader that loads the kernel. It is the bootloader
that passes control to this bootloader when Mac OsX is selected as the
operating system. The bootloader can be found at the following location:
/System/Library/CoreServices/BootX.
3. Kernel load, device drivers are loaded and the mach init process (the
process that manages all Cpu processes, like multi-tasking, memory usage
etc.) is launched.
3.6. LINUX
23
4. System initialization. The System initialization is divided into four subtasks:
(a) Determination of single-user boot or Cdrom boot
(b) System initialization scripts are run, completes the basic initialization
tasks and load the startup items
(c) The login window is launched.
(d) System processes that were needed during boot are cleaned up
5. Startup items, these consist of programs and shell scripts that clean the
temporary files and launch daemon background processes.
6. Login. After the user has logged in, the users environment is loaded, the
Dock, Finder and UI server are started. Optionally the setup assistent is
loaded (in case an installation is in progress) and some of the applications
(user specified) are launched.
7. Authenticating users. This process occurs after the login process. It uses
the Directory Services to authenticate the user (the loginwindow manages
the authenticating process, but does not authenticate the user itself)
8. User environment setup.
3.5.1
Bootcamp
Bootcamp is a utility that lets the user install other operating systems (like
Windows Xp or Windows Vista) on a Macintosch.
The Gpt specification uses a ‘protective Mbr’, as mentioned earlier, this Mbr
should have exactly one partition, its Id should be set to 0xEE.
Apple has bypassed this rule and Bootcamp uses a hyrbid Mbr/Gpt. What
happens is that when you create a new partition on the disk (using the tools
that are supplied by Apple!), this partition gets copied to the partition table of
the protective Mbr of the Gpt (and thus breaking the standard).
3.6
Linux
While technically spoken, Lilo and Grub are not ‘Linux’ bootloaders (they can
boot a multitude of operating systems), they are freely distributed with Linux
and are therefor often seen as ‘Linux’ bootloaders.
Both Lilo and Grub are staged bootloaders where the first stage (which is a
small part of code in the Mbr) is only used to load the second stage.
Once the second stage is loaded into the main memory, the user is presented
with a screen showing the different bootoptions (operating systems) that are
available.
24
CHAPTER 3. BOOTLOADING AN OPERATING SYSTEM
If the selected operating system is a linux flavour, the kernel is loaded from the
boot directory. If the selected operating system is not a linux flavour, another
bootloader will be invoked.
Lilo and Grub are very similar, their main differences are:
• Grub has an interactive interface, whereas Lilo only alows one command
with parameters for interaction.
• Lilo stores information about the operatings system (like kernel location
etc) in the Mbr. The downside of this approach is that after each kernel
modification, the bootloader needs to be adapted as well, Grub uses a
dedicated stage for this.
• Grub can handle many more partition types (Lilo cannot read ext2 partitions for example)
• Lilo is a two-stage bootloader, Grub has more stages
3.6.1
LILO
The first stage of the bootloader has finished, the second stage of the bootloader
displays the bootloader screen, reads the kernel and initrd into memory and
hands over the control of the machine to the kernel.
The bootprocess using Lilo shows the word Lilo, each letter indicating a milestone within the boot process. The boot sequence will be explained using these
letters
1. L: When the primary bootloader begins to execute, the first ‘L’ is printed.
This is the first stage of the boot process. It reads the map file (which is
compiled into the boot code) which contains the pointers to the available
operating systems to boot. This map file also contains the address of the
second bootloader.
2. I: The ‘I’ is printed just before Lilo loads the second bootloader (stage
2). If during a boot you see the letters ‘LI’ appear, after which the system
halts, this indicates that the second bootloader cannot be found. (this
happens often after recompilation of a kernel or installation of another
kernel. It is possible to recompile a kernel, move bootloader etc., but
the command /sbin/lilo needs to be executed afterwards to update the
Mbr)
3. L: The first thing the second bootloader does is printing the second ‘L’.
It reads the map file afterwards to retrieve the additional needed files.
4. O: Lilo runs after the map contents have been loaded and verified. Lilo
is ready to pass the control to the kernel. Lilo can also load boot code
for a non-linux system.
3.6. LINUX
3.6.2
25
GRUB
This subsection deals with Grub 1, also known as Grub legacy. This is still the
most widespread version of Grub although Grub 2 has made a lot of progress.
Grub stage 1 is contained in the Mbr, its main task is to load the next stage
of Grub; stage 24
Grub stage 2 presents the user with a boot menu as well as a command prompt
which can be used to enter additional parameters for the boot process. Once
the options are known, Grub loads the kernel which takes over control. Grub
can also give control to another bootloader for operating systems that do not
support the multiboot standard. This process is called chainloading. The other
bootloader is loaded as if it was called by the Mbr directly.
A more detailed explanation of the boot sequence:
1. The Mbr boot code (stage 1) is executed
2. The bootloader code contains the address of the next stage, which is usually stage 1.5. Stage 1.5 is located in the first 30 bytes, right after the
Mbr. This space is also known as the “Dos compatibility space”.
3. Stage 1.5 knows about the bot filesyste,. It opens the filesystem, looks
for the stage 2 executable and passes control to it. This step is created to
give a greater flexibility in upgrading kernels, stage 2 upgrades etc, since
changes do not imply modifications to the Mbr (which is not the case for
Lilo).
4 Stage 1 can also load stage 1.5 which is located directly after the Mbr. Stage 1.5 is used
to load other filesystems than ext2 and ext3. Stage 1.5 is filesystem aware and simply loads
stage 2.
26
CHAPTER 3. BOOTLOADING AN OPERATING SYSTEM
4. Stage 2 executes. It loads the menu configuration (menu.lst) and (usually) provides the user with a menu, based on its configuration.
The next step is to load the Linux kernel.
Stage 1.5 - The DOS compatibility region
Previously, disks were addressed in Cylinder-Head-Sector (Chs) mode, a physical layout of the disk. Nowadays, disks are addressed in ‘Logical Block Addressing’ (Lba) mode.5
Dos required that its image stayed in one cylinder. Partition managers therefor
added a region so that the first partition was aligned with the boundaries of
the cylinder. The usual number of sectors per cylinder is 63 of which the Mbr
takes only one. This leaves 62 sectors (usually 512 bytes per sector) of unused
disk space.
The Dos compatibility region is used by Grub to store stage 1.5, the stage that
contains file-system specific code.
3.6.3
Loading the Linux kernel
After the bootloader has loaded the kernel, the kernel initializes, configures and
examines the system’s hardware. It looks for a initrd image in well known
location in it memory. The initrd image is mounted and the necessary drivers
5 In Lba, only one number is used to address data, rather than three. Each linear base
address describes a single block. The reason for using Lba instead of Chs in the filesystem is
because of its simplicity. (source: wikipedia)
3.7. MULTIBOOT
27
are loaded. Virtual devices (lvm or Software raid) are optionally loaded before the image is unmounted and the kernel continues by freeing up all unused
memory. The filesystem is setup, by creating a root device, which is mounted
as read-only. Again all unused memory is freed, we now have a fully-loaded and
operational kernel in memory.
Next step is to invoke the /sbin/init program (which is also simply called
‘init’), to setup a user environment (otherwise, we could not do a lot with the
computer).
The init process becomes the parent process of all subprocesses that will be
started. It starts by initializing the available run-levels, usually ending at runlevel 5 (graphical multi-user environment).
3.7
Multiboot
The image below shows some possible boot scenarios. There is one part with
dotted lines, it shows a path from the Ntldr to a file called bootsect.dos.
This file is actually installed by the Windows Nt installation process, simulating
a normal boot process (actually, it is a copy of the ’old’ bootsector before the
installation on Windows Nt).
28
CHAPTER 3. BOOTLOADING AN OPERATING SYSTEM
The image shows some of the possible paths during a multiboot bootprocess.
Most bootloaders are capable of chainloading another bootloader. This has one
big implication: multiple bootmenus. If you boot Grub, for instance, and you
use it to load Windows, you get redirected to the Windows bootloader. If this
bootloader only contains one entry, it will skip the menu, however, mutliple
entries lead to the effect that you will first see the Grub bootmenu, afterwards
the Windows menu.
A remedy might be to setup the multi-boot system in such a way, that each
operating system has its own bootloader. 6
A more complicated setup includes creating images of each operating system
to be installed, reinstalling them afterwards and let the bootmanager link the
different operating systems.
Both methods are undesirable, they require a lot of work, with limited outcome,
they are thus not part of the experiments. 7 .
6 This might work if the number of operating systems is limited and fit within the maximum
limit of four primary partitions (a partition can be set hidden when a new operating system
is installed, therefor the installer will not modify the specific boot process).
7 Dan Goodell did follow this setup
Chapter 4
Some experiments
Before experimenting with dual boot systems, it is convenient to have a partition manager available, since the installation procedures of Windows Xp nor
Windows Vista foresee any partitioning options during installation.
The experiments with the combination of Windows Xp and Windows Vista are
run on a Pentium with 2 Gb of internal memory and a disk capacity of 60
Gb. The multiboot experiment is performed within a Virtual Machine (using
VmWare Fusion) with a Mac (running OsX Leopard) as host. The virtual
machine has 1 Gb of internal memory assigned and a disk capacity of 30 Gb.
4.1
Dualboot: Installing Windows Vista next to
Windows Xp
Starting with an easy scenario, we install Windows Vista on a system with
Windows Xp already installed (and we assume that it is properly partitioned).
The Vista installation recognizes Xp, creates an entry in the bootloader, so next
time the system is booted, the user is presented with a menu allowing the choice
of either operating system. Let’s have a closer look.
After the installation, a file called boot.bak is placed in the root of the Xp
partition. The contents show the following:
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
The comments mention the bcdedit.exe application, which is a commandline
utility that can be found in the directory c:\Windows\System32. 1 Running
1 BcdEdit
is a commandline utility to manage Bcd stores; a Bcd store contains the different
29
30
CHAPTER 4. SOME EXPERIMENTS
this program gives the following output:
c:\Windows\System32>bcdedit.exe
Windows Boot Manager
-------------------identifier
device
description
locale
inherit
default
displayorder
toolsdisplayorder
timeout
{bootmgr}
partition=D:
Windows Boot Manager
en-US
{globalsettings}
{current}
{ntldr}
{current}
{memdiag}
30
Windows Legacy OS Loader
-----------------------identifier
{ntldr}
device
partition=D:
path
\ntldr
description
Earlier Version of Windows
Windows Boot Loader
------------------identifier
device
path
description
locale
inherit
osdevice
systemroot
resumeobject
nx
{current}
partition=C:
\Windows\system32\winload.exe
Microsoft Windows Vista
en-US
{bootloadersettings}
partition=C:
\Windows
{18a863e9-9cf4-11dd-acd6-81fd24c4e1bb}
OptIn
Using BCDedit, these options can be changed, new entries can be added etc.2
Bcd is an abbreviation for ‘Boot Configuration Data’ .
Vista no longer uses Ntldr, but Bcd. The configuration file (boot.ini) has
been backup and contains a message that this type of loading is no longer
supported.
4.2
Dualboot: Installing Windows Xp next to
Windows Vista
Installing Windows Xp, after Vista has been installed, requires some manual
intervention afterwards. Windows Xp is older than Vista, the technology (read:
the boot process) is simply not built to cope with newer technologies.
When Vista is already installed, and a copy of Windows Xp is placed next to
it, the Windows Xp installation overwrites the Windows Vista bootloader and
replaces it by the one known to Xp: Ntldr. Since this bootloader has no
boot entries
2 There is also a utility called msconfig.exe which provides a Graphical User Interface
(GUI) that allows you to change some basic options like default boot option, timeout etc. Its
functionality is limited compared to BCDEdit
4.2. DUALBOOT: VISTA AND THEN XP
31
notion of Vista, you will find yourself booting straight into Xp, no option to
boot Vista is presented.
Intuitively, you might consider two rescue options: modify Xp’s bootloader to
also present the option to boot Vista or install Vista’s bootloader and configure
it to allow the choice of either Xp or Vista (and we have seen that this works
in the previous section)
After booting to Xp, a ‘boot.ini’ file is available with the following contents:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Since the bootloader of Windows Xp (ntldr) is not forward compatible, it
didn’t recognize Windows Vista, the option is not available in the boot menu.
Since there is only one operating system defined, the system will skip the bootmenu and boot straight into Windows Xp.
To fix this unwanted behaviour, Microsoft has a support-page explaining the details. Following the indicated steps3 I was able to reinstall the Vista bootloader
with an entry for both Windows Xp and Windows Vista.
The steps to take are the following (6):
1. Use Bootsect.exe to restore the Windows Vista Mbr and the boot code
that transfers control to the Windows Boot Manager program. To do this,
type the following command at a command prompt:
Drive:\boot\Bootsect.exe /NT60 All
In this command, Drive is the drive where the Windows Vista installation
media is located.
2. Use Bcdedit.exe to manually create an entry in the bcd Boot.ini file
for the earlier version of the Windows operating system. To do this, type
the following commands at a command prompt.
In these commands, Drive is the drive where Windows Vista is installed.
(a) Drive:\Windows\system32\Bcdedit /create ntldr /d "Description
for earlier Windows version"
Note: In this command, the description for earlier Windows version
can be any text that you want. For example, the description for
earlier Windows version can be “Windows Xp” or “Windows Server
2003”.
(b) Drive:\Windows\system32\Bcdedit /set ntldr device partition=x:
Note: In this command, x: is the drive letter for the active partition.
(c) Drive:\Windows\system32\Bcdedit /set ntldr path \ntldr
(d) Drive:\Windows\system32\Bcdedit /displayorder ntldr /addlast
3 I had to perform those steps from the Vista installation cd since there were problems
locking the harddisks. There were some additional errors, but these appeared to be non-fatal
32
CHAPTER 4. SOME EXPERIMENTS
4.3
Multiboot: Xp, Vista, Windows 2008 Server
and Linux
It should now be clear that we should start with the installation of the oldest
operating system first, working our way ‘up’ unto the latest, finishing with
Linux, since the Linux bootloaders recognize all other. Before that, however,
I used gparted to partition the disk, since not all operating systems provide a
partitioning option during installation.
Some things are convenient to know before starting:
• Windows 2008 Server need minimal 6 Gb to install
• Linux uses a dedicated partition for its swap-space (not necessary, but
common practice)
• Linux stores boot information in a dedicated directory called ‘boot’. If
we would like to setup two Linux partitions, we can either give them a
seperate boot-location, or we can let them point to the same location.
In the latter case, changes only need to be made once. (An additional
note; for older Bioses, this boot partition must be within the first 1024
cylinders of the harddrive in order to be bootable! If you have an old
Bios, place the boot partition at the front of your partition table), this
is also the reason why I placed a dedicated partition in the beginnning of
the disk.
4.3.1
Step 1: partitioning
I chose the following setup (screenshot from gparted):
4.3.2
Installing Windows Xp
The installation detects the partitions that I have recently setup (except for the
Linux partitions, which is quite logical) and after selecting the first partition,
4.3. MULTIBOOT: XP, VISTA, 2008, LINUX
33
the installer asks me what to do with the partition (format, convert to ntfs).
I chose not to format, not to convert the partition, thus leaving it in fat32.
The installation leads to no suprises, after rebooting, we boot straight into
Windows Xp.
4.3.3
Installing Windows Vista
The windows installation asks whether I am interested in going online to get
the latest updates during installation. To speed up the process, I chose not to.
Vista also recognizes the created partitions (as expected) and it comes with a
warning that windows cannot be installed on the first partition, since it is not
an ntfs partition. During the Windows Vista, the installer reboots and we
directly notice that the new bootloader is already installed. Two options are
available: ‘Earlier version of windows’ and ‘Windows setup’. We do not get to
chose, the installer boots straight into the setup program.
34
4.3.4
CHAPTER 4. SOME EXPERIMENTS
Installing Windows 2008 Server
The installer asks which version of Windows 2008 I purchased (actually, I didn’t
purchase any, I downloaded it from Msdn). Chose one of the available options
(beware that the ‘Core’ option gives a command-line only interface!) and after
booting we see that Windows 2008 adapted the bootoptions that were available
after Vista installation:
4.3. MULTIBOOT: XP, VISTA, 2008, LINUX
35
Windows 2008 Server installed without problems, the menu shows the three
expected boot-options.
4.3.5
Linux installation
The initial idea was to install Fedora (which allows the option to use Lilo
as bootloader as well as Grub), but the Fedora installer/partitioner does not
recognize any of the NTFS partitions (additionally it crashed when trying to
set it up), so I switched to Ubuntu.
The installation finishes and after a reboot, we are presented with Grub, which
allows us to boot to either Ubuntu, or go to the Vista/Longhorn loader. This
last option goes, as expected, to the Windows Bootloader as it was installed by
Vista. This means that if we would like to boot into any windows system, we
have to pass two bootloaders....
4.3.6
Multiboot installation conclusions
Proper planning is clearly needed, the partitions, their filesystem format and
sizes need to be known upfront. Once you have determined this information,
start with the oldest windows version first and work your way up to the newer
windows versions. Installing Linux with either Lilo or Grub afterwards should
not pose any problems, but be prepared to perform some manual interventions
afterwards.
36
CHAPTER 4. SOME EXPERIMENTS
Appendix A
MBR - a closer look
The Mbr that I retrieved during of one of the experiments; Windows Xp (This
image is best viewed in full scale and in color)
37
38
0000
012c
017c
01b5
01b8
01bc
01be
01fe
APPENDIX A. MBR - A CLOSER LOOK
Master Boot Code, also known as Initial Program Load.
Error messages, ends with 00 (in bold).
Padding, all zero-bytes.
Fixed for english versions of windows: 2c 44 63 - Part of dmadmin.exe,
used by Windows Nt to display the Mbr error codes which may be
language dependent.
Disk signature, needed by Windows Nt to identify the right disk and
used for drive assignation.
Unused, usually nulls: 0x0000.
Start of the partition table, it contains 4 16-byte entries (this Mbr has
only one defined partition). The active partition is Indicated with the
value “80”, the other partitions start with the value “00” (values in bold).
Mbr signature: 0xAA55 (on all Ibm-Pcs, and compatible, numbers of
two or more bytes are always stored in reverse order). Actually 0xAA55
is called the ‘Magic Number’, it is used to denote the end of both Mbrs
and bootsectors.
Each of the four possible primary partitions contain a boot-indicator, the value
of 80 indicates that this partition is active (booteable), in which case we call it
a ‘high bit’.
Partition
Partition
Partition
Partition
1:
2:
3:
4:
80 01 01 00 07 fe ff ff 3f 00 00 00 62 04 53 07
00 fe ff ff 0f fe ff ff a1 04 53 07 5f f4 a5 06
. . . empty. . .
. . . empty. . .
byte 0: The first byte tells use whether the partition is bootable (80 for the
active partition, 00 for an inactive partition. There can only be one active
partition). It is the active partition that contains the boot manager.
byte 1-3: The next three bytes contain the “Cylinder/Heads/Sector” (Chs)
address of the partition start.
byte 4: This byte indicates the partition type. A few examples: 07 indicates
Windwows Nt or OS/2 HPFS, 0f indicates Win95 Extended, 83 indicates linux
swap.
byte 5-7: Chs address of the partition end.
byte 8-11: The starting sector number (little endian)
byte 12-15: The partition size
A.1. THE PARTITION TABLE
A.1
39
The partition table
The partition table is a 64-byte structure, as we have seen above. The table
contains 4 entries, leaving us with 16 bytes for one partition. The first entry in
the example of this chapter contains the following code: 80 01 01 00 07 fe
ff ff 3f 00 00 00 62 04 53 07. The first entry of a partition table always
starts at address 01be, this gives us the following dissection of the tabel (little
endian!)
Offset
01be
01bf
01x0
Length
8 bits
8 bits
16 bits
Value
80
01
01
00
01c2
01c3
01c4
8 bits
8 bits
16 bits
07
fe
ff
ff
01c6
32 bits
3f 00 00 00
01ca
32 bits
62 04 53 07
Description
Boot indicator, 80 for the active
boot-partition, 00 for inactive.
Starting head
Starting sector, only the first 6 bytes are
used. The upper 2 bits of this byte are
used by the starting cylinder field.
Starting cylinder, uses this byte + 2 bits
from the starting sector to get the
cylinder value.
System ID. 07 means Ntfs
Ending head
Ending sector. Same division as the
starting sector.
Ending cylinder, borrows 2 bits from
the ending sector
Relative sectors, the offset from the
beginning of the disk to the beginning
of the volume, counting by sectors.
Total sectors.
40
APPENDIX A. MBR - A CLOSER LOOK
Appendix B
GPT - a closer look
I have not tried to modify anything on my Mac (no bootcamp installed) so
the presented information here is more limited compared to that of the Mbr,
however, some things can be interesting.
First, I tried to view a dump of the Mbr using the following commands:
Barry$ sudo dd if=/dev/disk0 of=/Users/Barry/Desktop/macmbr.code bs=1 count=512
512+0 records in
512+0 records out
512 bytes transferred in 0.064308 secs (79648 bytes/sec)
Viewing the result in a hexviewer is uninteresting, the magic number can be seen,
as well as a lot of nulls. The partition table is more interesting, especially with
the information following afterwards:
01B0:
01C0:
01D0:
01E0:
01F0:
00
FF
00
00
00
00
FF
00
00
00
00
EE
00
00
00
00
FE
00
00
00
00
FF
00
00
00
00
FF
00
00
00
00
01
00
00
00
00
00
00
00
00
90
00
00
00
00
63
00
00
00
00
00
2F
00
00
00
00
60
00
00
00
00
38
00
00
00
00
3A
00
00
00
00
00
00
00
55
FE
00
00
00
AA
The disk signature is set to 90 63 00, one partition is visible, but it is nonbootable.
41
42
APPENDIX B. GPT - A CLOSER LOOK
The following shows some more interesting information:
Barry$ sudo fdisk /dev/rdisk0
Disk: /dev/rdisk0 geometry: 60801/255/63 [976773168 sectors]
Signature: 0xAA55
Starting
Ending
#: id cyl hd sec - cyl hd sec [
start size]
-----------------------------------------------------------------------1: EE 1023 254 63 - 1023 254 63 [
1 - 976773167] <Unknown ID>
2: 00
0
0
0 0
0
0 [
0 0] unused
3: 00
0
0
0 0
0
0 [
0 0] unused
4: 00
0
0
0 0
0
0 [
0 0] unused
The Magic Number is not a surprise, what is surprising is the ‘unknown ID’.
Actually, this is not surprising at all; the identifier EE is used to protect the
Gpt to tools designed for the Mbr (like fdisk), but unaware of Gpt (see 2.5).
The following commands show a bit of information as well:
Barry$ sudo gpt -r show /dev/rdisk0
start
size index contents
0
1
PMBR
1
1
Pri GPT header
2
32
Pri GPT table
34
6
40
409600
1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
409640 976101344
2 GPT part - 48465300-0000-11AA-AA11-00306543ECAC
976510984
262151
976773135
32
Sec GPT table
976773167
1
Sec GPT header
We clearly see the redundancy that is built in into Gpt; the partition table and
the header are duplicated. Furthermore, the Guid
C12A7328-F81F-11D2-BA4B-00A0C93EC93B indicates that we are dealing with
a Efi System Partition, 48465300-0000-11AA-AA11-00306543ECAC indicates a
‘Hierarchical File System’ (Hps) filesystem, which is the default filesystem for
Osx.
One last command, the outcome should be self-explanable:
Barry$ diskutil list
/dev/disk0
#:
TYPE NAME
0:
GUID_partition_scheme
1:
EFI
2:
Apple_HFS Harddrive
SIZE
*465.8 Gi
200.0 Mi
465.4 Gi
IDENTIFIER
disk0
disk0s1
disk0s2
Appendix C
Utilities
There are several useful utilties to work with bootloaders (Tools come with the
description provided by the vendors/developers)
1. BCDEdit
Boot Configuration Data (Bcd) files provide a store that is used to describe boot applications and boot application settings. The objects and
elements in the store effectively replace Boot.ini.
BCDEdit is a command-line tool for managing Bcd stores. It can be used
for a variety of purposes, including creating new stores, modifying existing
stores, adding boot menu options, and so on. BCDEdit serves essentially
the same purpose as Bootcfg.exe on earlier versions of Windows, but
with two major improvements:
• BCDEdit exposes a wider range of boot options than Bootcfg.exe.
• BCDEdit has improved scripting support.
BCDEdit is the primary tool for editing the boot configuration of Windows
Vista and later versions of Windows. It is included with the Windows
Vista distribution in the %systemroot%\System32 folder.
2. Beeblebrox
Beeblebrox is a partition table editor for Windows 95/98 or NT. With
Beeblebrox you can : backup and restore your partition tables, edit any
value in any partition table, hide/unhide partitions, change the active
partition, search for partition boot records to help in partition recovery,
view partition boot sector information and delete a partition.
3. GParted
GParted s used for creating, deleting, resizing, moving, checking and copying partitions, and the file systems on them. This is useful for creating
space for new operating systems (works with Vista System and Data partitions), reorganizing disk usage, copying data residing on hard disks and
mirroring one partition with another (disk imaging).
43
44
APPENDIX C. UTILITIES
4. HDHacker
HDHacker is a stand-alone micro-utility that saves, visualizes, and restores
the Mbr (from a physical drive), the BootSector (from a logical drive) or
any specified sector from any disk (even removable disks).
HDHacker can be used, for example, to save and restore a particular boot
manager (such as Lilo, for example) before a new Windows setup (which,
obviously, overwrites it).
An Mbr and BootSector backup can also be useful for simple precautionary purposes too, since sometimes viruses or other Os setup (like Linux)
could overwrite and/or alter the Mbr/Boot Sectors, making it impossible
to start up previous Os and/or access datas stored on the disk. HDHacker
can provide “insurance” against all these types of loss.
5. MbrFix
Perform several Master Boot Record (Mbr) tasks, like backing up, restoring, fixing the boot code in the Mbr, etc. The utility should not be used
for Guid Partition Table (Gpt) disks.
6. MBRWizard
MBRwizard is a powerful, yet flexible utility designed to assist with all
types of Master Boot Record difficulties. Intially developed to overcome
MBR problems introduced by disk imaging products such as Symantec
Ghost and Acronis True Image, MBRwizard has become a popular utility
for repairing all types of Mbr problems, especially those caused by disk2-disk (d2d) and system backup and recovery applications.
7. PartInfo
This Dos or Nt/2000/Xp utility will display the partition information in
the Mbr and Embr. The output can be redirected to a file and sent for
review if needed.
8. SecInspect
SecInspect.exe is a command-line diagnostics tool that allows administrators to view the contents of master boot records, boot sectors, and IA64
Guid partition tables. Additional features include creating hex dumps of
binary files and backup/restore of sector ranges.
9. VmWare Fusion
VMware Fusion is a virtual machine software product developed by VMware
for Macintosh computers with Intel processors. Fusion allows Intel-based
Macs to run x86 and x86-64 “guest” operating systems, such as Microsoft
Windows, Linux, NetWare and Solaris as virtual machines simultaneously
with Mac OS X as the “host” operating system using a combination of
virtualization, emulation and dynamic recompilation.
Appendix D
Glossary
A lot of the items in this glossary are retrieved from http://www.wikipedia.
org.
• Basic Input/Output System (BIOS)
Firmware code run by a personal computer (Ibm-Pc architecture) when
it first starts up. The Bios is responsible for initializing vital hardware
(like video-card, keyboard etc). The Bios gives contraol to a bootloader
for system startup.
• Booting
In computing, booting (booting up) is a bootstrapping process that starts
operating systems when the user turns on a computer system. A boot
sequence is the initial set of operations that the computer performs when it
is switched on. The bootloader typically loads the main operating system
for the computer.
• Boot Configuration Data (BCD)
Boot Configuration Data (Bcd) is a firmware- independent database for
boot-time configuration data. It replaces the boot.ini that was used by
Ntldr, and is used by Microsoft’s new Windows Boot Manager.
• Bootloader
A bootloader is a small program that is user to boot other operating
systems.
• Bootmgr
For Vista, the Mbr looks for and loads bootmgr, Vista’s replacement for
Ntldr, however, bootmgr serves only one function: as a bootmanager.
Bootmgr refers to a file called bcd (short for boot configuration data).
You can say bcd is like boot.ini, it contains the menu entries for Vista’s
boot menu.
• bootsect.dos
ootsect.dos is created by Windows NT Setup. It is a copy of the bootsector as it existed before the installation of Windows Nt and allows the
45
46
APPENDIX D. GLOSSARY
Windows not loader (Ntldr to load Dos based operating systems, simulating the previous operating system’s normal boot procedure).
• Bootstrapping
In computing, bootstrapping (”to pull oneself up by one’s bootstraps”)
refers to techniques that allow a simple system to activate a more complicated system. A common scenario is the start up process of a computer
system, where a small program, such as the Bios, initializes and tests
hardware, peripherals and external memory devices, then loads a program from one of them and passes control to it, thus allowing loading of
larger programs, such as an operating system.
Bootstrapping was shortened to booting, or the process of starting up
any computer, which is the most common meaning for non-technical computer users. The verb “boot” is similarly derived. A “bootstrap” most
commonly refers to the simple program itself that actually begins the initialization of the computer’s operating system, like Grub, Lilo or Ntldr.
• Chainloading
Chain loading is a method used by computer programs to replace the
currently executing program with a new program, using a common data
area (a so-called core common area) to pass information from the current
program to the new program. It occurs in several areas of computing.
In operating system boot manager programs, chain loading is used to pass
control from the boot manager to a boot sector. The target boot sector
is loaded in from disk, replacing the boot sector from which the boot
manager itself was bootstrapped, and executed.
• Complementary Metal-Oxide-Semiconductor (CMOS)
Complementary metal-oxide-semiconductor (Cmos), is a major class of
integrated circuits. Cmos technology is used in microprocessors, microcontrollers, static RAM, and other digital logic circuits.
The Bios uses the Cmos to store information like the bootorder of physical
devices, hardware clock etc.
• Cylinder-Head-Sector (CHS)
Cylinder-head-sector, also known as Chs, was an early method for giving
addresses to each physical block of data on a hard disk drive. In the case
of floppy drives, for which the same exact diskette medium can be truly
low-level formatted to different capacities, this is still true.
Though Chs values no longer have a direct physical relationship to the
data stored on disks, pseudo Chs values (which can be translated by disk
electronics or software) are still being used by many utility programs.
• Direct Memory Access (DMA)
Direct memory access (DMA) is a feature of modern computers and microprocessors that allows certain hardware subsystems within the computer
to access system memory for reading and/or writing independently of the
central processing unit. Many hardware systems use DMA including disk
drive controllers, graphics cards, network cards, sound cards and GPUs
47
• Electrically Erasable Programmable Read-Only Memory (EEPROM)
EEPROM is a type of non-volatile memory used in computers and other
electronic devices to store small amounts of data that must be saved when
power is removed.
• EXT2
The ext2 or second extended file system is a file system for the Linux
kernel. Although ext2 is not a journaling file system, its successor, ext3,
provides journaling and is almost completely compatible with ext2.
• Extended Boot Record (EBR)
An Extended Boot Record (Ebr), or Extended Partition Boot Record
(Epbr), is a descriptor for a logical partition under the common Dos
disk drive partitioning system. In that system, when one (and only one)
partition record entry in the Master Boot Record (Mbr) is designated
an ”extended partition,” then that partition can be subdivided into a
number of logical drives. The actual structure of that extended partition
is described by one or more Ebrs, which are located inside the extended
partition. The first (and sometimes only) Ebr will always be located on
the very first sector of the extended partition.
Unlike primary partitions, which are all described by a single partition
table within the Mbr, and thus limited in number, each Ebr precedes the
logical partition it describes. If another logical partition follows, then the
first Ebr will contain an entry pointing to the next Ebr; thus, multiple
Ebrs form a sort of chain from the first to the next, and finally to the last
one. This means the number of logical drives that can be formed within an
extended partition is limited only by the amount of available disk space.4
• Extensible Firmware Interface (EFI)
The Extensible Firmware Interface (Efi) is a specification that defines a
software interface between an operating system and platform firmware.
Efi is intended as a significantly improved replacement of the old legacy
Bios firmware interface historically used by all Ibm-Pc-compatible personal computers.
The Efi specification was originally developed by Intel, and is now managed by the Unified Efi Forum and is officially known as Unified Efi
(Uefi).
• File Allocation Table (FAT)
File Allocation Table or Fat is a computer file system architecture. It is
the primary file system for various operating systems including MsDos,
DrDos, and Microsoft Windows (up to Windows Me).
• Firmware
Executable machine code, installed in a computers non-volatile memory
(Eeprom). It initializes low-level hardware, and passes on the control
the the operating system loader. The firmware examples described in the
document are Bios and Efi.
• Guid Partition Table (GPT)
In computer hardware, Guid Partition Table (Gpt) is a standard for
48
APPENDIX D. GLOSSARY
the layout of the partition table on a physical hard disk. It is a part of
the Extensible Firmware Interface (Efi) standard proposed by Intel as a
replacement for the Pc Bios, one of the few remaining parts of the original
Ibm-Pc. Efi uses Gpt whereas Bios uses a Master Boot Record (Mbr).
• Globally Unique Identifier (GUID)
A Globally Unique Identifier or (Guid) is a special type of identifier used
in software applications in order to provide a reference number which is
unique in any context (hence, ”Globally”). While each generated Guid
is not guaranteed to be unique, the total number of unique keys (2128
or 3.4 · 1038 ) is so large that the probability of the same number being
generated twice is very small.
• Grand Unified Bootloader (GRUB)
Gnu Grub (”Grub” for short) is a boot loader package from the Gnu
Project. Grub is the reference implementation of the Multiboot Specification, which allows a user to have several different operating systems on
their computer at once, and to choose which one to run when the computer
starts. Grub can be used to select from different kernel images available
on a particular operating system’s partitions, as well as to pass boot-time
parameters to such kernels.
• Hardware Abstraction Layer (HAL)
A hardware abstraction layer (Hal) is an abstraction layer, implemented
in software, between the physical hardware of a computer and the software
that runs on that computer. Its function is to hide differences in hardware
from most of the operating system kernel, so that most of the kernelmode code does not need to be changed to run on systems with different
hardware.
The Windows Nt operating system has a Hal in the kernel space, between
hardware and kernel, drivers, executive services. This allows portability of
the Windows Nt kernel-mode code to a variety of processors, with different
memory management unit architectures, and a variety of systems with
differentI/O bus architectures; most of that code runs without change on
those systems, when compiled for the instruction set for those systems.
• Initial Program Load (IPL)
The program that resides in the Master Boot Code part of the Master
Boot Record.
• Linux Loader (LILO)
Lilo (LInux LOader) is a generic boot loader for Linux. It was one of the
most popular bootloaders until Grub was released.
• Logical Block Addressing (LBA)
Logical block addressing (Lba) is a common scheme used for specifying
the location of blocks of data stored on computer storage devices, generally
secondary storage systems such as hard disks. The term Lba can mean
either the address or the block to which it refers. Logical blocks in modern
computer systems are typically 512 or 1024 bytes each. ISO 9660 CDs (and
images of them) use 2048-byte blocks.
49
The Lba scheme replaces earlier schemes which exposed the physical details of the storage device to the software of the operating system. Chief
among these was the cylinder-head-sector (Chs) scheme, where blocks
were addressed by means of a tuple which defined the cylinder, head, and
sector at which they appeared on the hard disk. Chs didn’t map well to
devices other than hard disks (such as tapes and networked storage), and
was generally not used for them.
• Master Boot Code
The first 440 bytes of the Master Boot Record, it contains a small program
that is used to chainload a bootmanager. Also known as ‘Initial Program
Load’
• Master Boot Record (MBR)
The first 512 bytes of the boot sector of a harddisk. It contains code
to bootstrap operatings systems (the ‘Master Boot Code’) as well as the
partition table of the disk, used to indicate the active partition from which
to boot the operating system.
• NT File System (NTFS)
Ntfs is the standard file system of Windows Nt, including its later
versions Windows 2000, Windows Xp, Windows Server 2003, Windows
Server 2008, and Windows Vista.
• NT Loader (NTLDR)
Ntldr (abbreviation of Nt Loader) is the boot loader for all releases of
Microsoft’s Windows NT operating system up to and including Windows
XP and Windows Server 2003.
Ntldr is typically run from the primary hard disk drive, but it can also
run from portable storage devices such as a CD-ROM, USB flash drive, or
floppy disk. Ntldr can also load a non NT-based operating system given
the appropriate boot sector in a file.
For Xp, the Mbr looks for and loads ntldr. Ntldr then read from
boot.ini. If it finds two or more entries in boot.ini, then it will present a
menu option for the entries (unless you set to boot an item automatically).
• Power-On Self Test (POST)
Power-on self-test (Post) is the common term for a computer, router or
printer’s pre-boot sequence. The same basic sequence is present on all
computer architectures. It is the first step of the more general process
called initial program load (Ipl), booting, or bootstrapping. The term
Post has become popular in association with and as a result of the proliferation of the Pc. It can be used as a noun when referring to the code
that controls the pre-boot phase or when referring to the phase itself. It
can also be used as a verb when referring to the code or the system as it
progresses through the pre-boot phase. Alternatively this may be called
“Posting.”
• Random Access Memory (RAM)
Ram is a form of computer data storage. Today it takes the form of
integrated circuits that allow the stored data to be accessed in any order
50
APPENDIX D. GLOSSARY
(i.e., at random). The word random thus refers to the fact that any piece of
data can be returned in a constant time, regardless of its physical location
and whether or not it is related to the previous piece of data.
The word Ram is mostly associated with volatile types of memory, where
the information is lost after the power is switched off.
• Volume Boot Record (VBR)
A Volume Boot Record (also known as a volume boot sector or a partition
boot sector, although the latter is not strictly correct) is a type of boot
sector, stored in a disc volume on a hard disk, floppy disk, or similar data
storage device, that contains code for booting programs (usually, but not
necessarily, operating systems) stored in other parts of the volume. On
non-partitioned storage devices, it is the first sector of the device. On
partitioned devices, it is the first sector of an individual partition on the
device, with the first sector of the entire device instead being a Master
Boot Record (Mbr). The code in volume boot records is invoked either
directly by the machine’s firmware or indirectly by an Mbr or a boot
manager. Invoking a Vbr via a boot manager is known as chain loading.
Some dual boot systems, such as Ntldr, take copies of the bootstrap code
that individual operating systems install into a single partition’s Vbr and
store them in disc files, loading the relevant Vbr content from file after
the boot loader has asked the user which operating system to bootstrap.
In certain file system formats, in addition to bootstrap code the Vbr
contains a Bios parameter block that specifies the location and layout of
the principal on-disc data structures for the file system.
References
[1] Microsoft Technet, How Basic Disks and Volumes Work
http://technet.microsoft.com/en-us/library/cc739412.aspx
[2] Microsoft Technet, Boot INI Options Reference
http://technet.microsoft.com/en-gb/sysinternals/bb963892.aspx
[3] Microsoft Technet, Microsoft Advanced Windows Debugging and Troubleshooting - How windows starts up
http://blogs.msdn.com/...art-1-of-4.aspx
http://blogs.msdn.com...the-second.aspx
[4] Microsoft Technet, Troubleshooting the Startup Process
http://technet.microsoft.com/en-us/library/bb457123.aspx
[5] Microsoft Technet, How Basic Disks and Volumes Work
http://technet.microsoft.com/en-us/library/cc739412.aspx
[6] Microsoft Support, Windows Vista no longer starts after you install an
earlier version of the Windows operating system in a dual-boot configuration
http://support.microsoft.com/kb/919529
[7] Apple Developer Connection, Technical Note TN2166, Secrets of the GPT
http://developer.apple.com/technotes/tn2006/tn2166.html
[8] Boot Process and Startup Sequence Overview
http://ali.apple.com/ali_sites/adcchd/Exhibits/Assets/unit_additional/
ADD_1_SG_BootOverview.pdf
[9] GNU GRUB, The GRUB Homepage
http://www.gnu.org/software/grub/
[10] Manpages, The LILO manpage
http://www.netadmintools.com/html/5lilo.conf.man.html
[11] Intel, Extensible Firmware Interface (EFI)
http://www.intel.com/technology/efi/
[12] Starman. An Examination of the Windows 2000 and Windows Xp Mbr
http://mirror.href.com/thestarman/asm/mbr/Win2kmbr.htm
[13] Multibooters. Dual/Multi booting with Vista
http://www.multibooters.co.uk/
51
52
APPENDIX D. GLOSSARY
[14] Jonathan de Boyne Pollard. Frequently Given Answers written by JdeBP
- Operating System bootstraps
http://homepages.tesco.net./J.deBoynePollard/FGA/
[15] Wikipedia, The Free Encyclopedia
BIOS - BootCamp - Booting - Boot sector - Chain loading - CHS - Disk
partitioning - EFI - EFI partition - GRUB - GPT - Linux startup - MBR
- Multi boot - NTLDR - Open Firmware - POST - Volume Boot Record Windows NT startup - Windows Vista startup
Index
bootmgr, 45
bootsect.dos, 45
File Allocation Table, 47
Firmware, 9, 47
80386, 13
Globally Unique Identifier, 11, 48
GPT, see GUID Partition Table
GRUB, 48
Grub4Dos, 22
GUID, see Globally Unique Identifier
GUID Partition Table, 11, 47
Basic Input/Output System, 9, 45
BCD, see Boot Configuration Data
BIOS, see Basic Input/Output System
Boot Configuration Data, 30, 45
Booting, 45
Bootloader, 7, 45
BootRom, 16
Bootstrapping, 7, 46
Bootx, 22
HAL, see Hardware Abstraction Layer
Hardware Abstraction Layer, 20, 48
HFS, see Hierarchical File System
Hierarchical File System, 42
Chainloading, 11, 46
Initial Program Load, 9, 48
CHS, see Cylinder-Head-Sector, see CylinderIPL, see Initial Program Load
Head-Sector
Itanium, 13
CMOS, see Complementary Metal OxLBA, see Logical-Block-Addresing, see
ide Semiconductor
Logical Block Addressing
Complementary Metal Oxide SemiconLegacy MBR, 12
ductor, 15, 46
Cylinder-Head-Sector, 12, 26, 38, 46
LILO, 48
Logical Block Addresing, 9
Direct Memory Access, 15, 46
Logical Block Addressing, 12, 48
DMA, see Direct Memory Access
Master Boot Code, 9, 49
EBR, see Extended Boot Record
Master Boot Record, 9, 49
EEPROM, see Electrically Erasable Pro- MBR, see Master Boot Record
grammable Read-Only Memory
NT File System, 49
EFI, see Extensible Firmware Interface NT Loader, 49
Electrically Erasable Programmable ReadNTFS, see NT File System
Only Memory, 47
NTLD, see NT Loader
EPBR, see Extended Partition Boot
OpenFirmware, 22
Record
Operating System, 7
EXT2, 47
OS, see Operating System
Extended Boot Record, 10, 47
Extended Partition Boot Record, 10
Extensible Firmware Interface, 11, 47 PBR, see Primary Boot Record
POST, see Power-On Self Test
FAT, see File Allocation Table
Power-On Self Test, 15, 49
53
54
Primary Boot Record, 11
Protective MBR, 12
RAM, see Random Access Memory
Random Access Memory, 49
ROM extension, 16
VBR, see Volume Boot Record, see Volume Boot Record
Volume Boot Record, 11, 16, 50
x86, 13
INDEX