Boot Loaders

Bootloaders - an introduction

Barry Nauta

December 3, 2008

2

Contents

1 Introduction 5

2 The Bootloader 7

2.1 Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.2 Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.3 Disk addressing schemes . . . . . . . . . . . . . . . . . . . . . . . 8

2.4 Bios/Mbr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.4.1 Volume Boot Record . . . . . . . . . . . . . . . . . . . . . 11

2.5 Efi/Gpt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.6 MBR, GPT - Side by Side . . . . . . . . . . . . . . . . . . . . . . 13

2.7 Bootsector virus . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3 Bootloading an operating system 15

3.1 BIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3.2 EFI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.3 Microsoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.3.1 Windows DOS, Windows 3.x, Windows 9x . . . . . . . . 17

3.3.2 Windows NT, Windows XP, Windows 2000, Windows 2003 18

3.3.3 Windows Vista, Windows 2008 . . . . . . . . . . . . . . . 20

3.4 Grub4Dos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.5 Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3.5.1 Bootcamp . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.6 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.6.1 LILO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3

4 CONTENTS

3.6.2 GRUB . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3.6.3 Loading the Linux kernel . . . . . . . . . . . . . . . . . . 26

3.7 Multiboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

4 Some experiments 29

4.1 Dualboot: Xp and then Vista . . . . . . . . . . . . . . . . . . . . 29

4.2 Dualboot: Vista and then Xp . . . . . . . . . . . . . . . . . . . . 30

4.3 Multiboot: Xp, Vista, 2008, Linux . . . . . . . . . . . . . . . . . 32

4.3.1 Step 1: partitioning . . . . . . . . . . . . . . . . . . . . . 32

4.3.2 Installing Windows Xp . . . . . . . . . . . . . . . . . . . 32

4.3.3 Installing Windows Vista . . . . . . . . . . . . . . . . . . 33

4.3.4 Installing Windows 2008 Server . . . . . . . . . . . . . . . 34

4.3.5 Linux installation . . . . . . . . . . . . . . . . . . . . . . . 35

4.3.6 Multiboot installation conclusions . . . . . . . . . . . . . 35

A MBR - a closer look 37

A.1 The partition table . . . . . . . . . . . . . . . . . . . . . . . . . . 39

B GPT - a closer look 41

C Utilities 43

D Glossary 45

Chapter 1

Introduction

This document is the result of a study performed for the course “OperatingSystems and Security”. The course is given at the “Vrije Universiteit Brussel”(Vub) by Prof. Timmermans as part of the study “Master in applied computersciences”.

As the title suggests, this article is an introduction on bootloaders. There aremany operating systems and many bootloaders available, what you will find inthis document is a small explanation on Bios/Mbr versus Efi/Gpt architec-tures, and some explanations on the bootloading process using Ntldr, Bcd andLilo/Grub. Additionally, there are some experiments by using multiboot sys-tems on common operating systems including Windows Xp, Windows Vista andLinux (Ubuntu). The experiments are all based on the Bios/Mbr architecture.

5

6 CHAPTER 1. INTRODUCTION

Chapter 2

The Bootloader

When a computer is turned on, the first thing it does, is loading a small programinto memory, which aids in choosing and loading the desired operating system(Os). This process is called ‘bootstrapping’ or ‘booting’ in short. The programthat is initially loaded is called the ‘bootloader’.

2.1 Bootstrapping

In general computer terms, a bootstrap process is one in which a small andsimple process is used to help loading a bigger and more complicated program.In this document, we will refer to the type of bootstrap program that is used toselect and load an appropriate operating system.

2.2 Partitions

Hard-disks are often divided into partitions, which is a physical division of thedisk. There are several reasons to use partitions, the most obvious for the boot-process is the use of different operating systems. Different operating systems areoften placed on different partitions since they may have a similar file structure oreven files that may cause conflicts (a good example is the c:\Windows directoryfor Windows Xp and Windows Vista, those operating systems cannot coexist onthe same partition) or that they have a different filesystem (for example Ntfsfor Windows Xp and Ext2 for Linux).

When a computer starts up, it needs to know which partition contains the op-erating system that will be started. On Ibm-Pc architectures, this informationcan be found in the Master Boot Record (Mbr), a small segment on a harddiskthat can be found in front of the very first partition. On newer architectures(Itanium), this information can be found in the Guid Partition Table (Gpt).Both the Mbr (in combination with the Bios) and Gpt (in combination withEfi) will be discussed in more detail in the next sections.

7

8 CHAPTER 2. THE BOOTLOADER

2.3 Disk addressing schemes

Disk addressing schemes are partially related to the boot process. For instance;the Bios uses Chs as addressing scheme, Efi uses Lba.

The initial method (IBM PCs) of addressing disks was using Cylinder-Head-Sector addressing.

A harddisk is divided into platters, physical disks with a narrow gap betweenthem. The platters are double-side, meaning that information is stored on eachside of the platter, much like the old-days vinyl records. Each platter has a headthat can read information from the platter, the platter is spinning in rounds soa head reads from a ring (called a track), when it reads data.

All the heads are positioned at the same location, which makes that if you readfrom a specific track on one platter, the head on the other platter is positionedat the same location and you can read data from that location as well. Thisoperation of reading multiple platters at the same time forms a stack of logicalrings, which in disk-terms is called a ’cylinder’.

Finally, each circle on a platter (a track or ‘one ring’) is divided into smallersegments (usually 64), called ‘sectors’.

The 16-byte entries within an Mbr use Chs values that are limited to 1024cylinders, 255 heads and 63 sectors. This leads to a maximum disk-size of

1024 · 255 · 63 · 512 = 8.422.686.720

2.4. BIOS/MBR 9

bytes. Since there is a limit on the size of disks using this addressing scheme,‘Logical-Block-Addressing’ (LBA) has been introduced which is used by mostmodern operating systems. It is important to realize that although the oper-ating systems bypass the Bios-calls (i.e. int13 for disk access), the bootload-ers/managers still uses the Bios-calls.

2.4 Basic Input/Output System - Master BootRecord

The Bios is the only available software (more precise: it is firmware; softwarethat is embedded in hardware) available to a personal computer when it hasnot yet booted.1 When a computer starts, the Bios2 loads and executes a smallprogram (the bootstrap program) which resides in the Master Boot Record(Mbr).3 This program is also called the “Master Boot Code” (also known as‘Initial Program Load’ (Ipl) . a term that comes from the Ibm mainframesystems. 4

The “Master Boot Code”, on its turn, reads the partition table that resides atthe end of the sector. The partition table is used to determine which partitionis bootable.5 It is, of course, the bootable partition that must contain the stage2 boot-loader (more on this later).

The Ibm-Pc architecture supports up to 4 primary partitions. The Mbr ac-tually has a partition table that is split into 4 entries. If more partitions areneeded, one of those primary partitions can be changed to an extended partitionwhich can on its turn contain 24 logical partitions.

1The Bios is basically a set of basic instructions (machine code) that enable the commu-nication between the hardware and the operating system that is going to be loaded.

2In fact; the CPU is started, finds that its memory is empty and jumps to a fixed ad-dress FFFF0-FFFFF, which contains a jump statement to the Bios code (which can be locatedanywhere)

3The Master Boot Record (also called the ‘partition sector’ or the ‘master boot block’) isthe first physical sector of the first boot device.

The Mbr uses Cylinder-Head-Sector (chs) addressing.The boot device is usually a hard disk, but it can also be a floppy disk/Cd-Rom etc.4These terms are often used in an ambiguous way; the Ipl is sometimes confused with the

Mbr and vice versa. The Mbr is actually the combination of the Ipl and the partition table.5One (and only one!) of the four partitions in the Mbr partition table can have an ‘active’

status, indicating that this is the partition to use when a computer is booted.


The following image (source: 5) shows an overview of a Mbr strtucture. Thispicture also contains a reference to extended partitions which will be explainedin more detail afterwards.

Each logical drive in the extended partitions has an ‘Extended Boot Record’(Ebr), which describes the partitioning of the logical drive. The Ebr is alsocalled the ‘Extended Partition Boot Record’ (Epbr), it will always be locatedon the first sector of the extended partition.

The primary partitions are limited and they are all described in the partitiontable in the Mbr. This is not the case for extended partitions and since therecan be many logical partitions, each Ebr is placed in the beginning of a logicalpartition. If there are multiple logical partitions, the preceding partition willcontain a pointer to the next logical partition (Ebr).

2.5. EFI/GPT 11

The following image (source: 5) gives a better explanation:

2.4.1 Volume Boot Record

A Volume Boot Record (Vbr) (also know as the Volume Boot Sector) or “Pri-mary Boot Record” (Pbr) is a type of bootsector. On non-partitioned devices(and thus also external devices), the Vbr is the first sector of the device, onpartitioned devices, it is the first sector of any specific partion (in this case, thefirst sector of the device itself is the Mbr).

The process of a bootloader invoking the Vbr is known as ‘Chainloading’, goingfrom the first stage to the second stage.

2.5 Extensible Firmware Interface - GUID Par-tition Table

The Extensible Firmware Interface is a proposition of Intel to replace the Biosand uses the guid (Globally Unique IDentifier) Partition Table (Gpt) as areplacement of the Bios’ Master Boot Record (Mbr).

Efi is proposed as improvement over Bios, since Bios has limitations like 16-bit processor mode, 1 Mb addressable space etc. Some of the enhancementsto the standard Bios like Advanced Configuration and Power Interface (Acpi)and System Management Bios (Smbios) are also present in Efi, since they arenot bound by the 16-bit limitations.

Efi is an open-source standard, that defines an architecture independent in-


terface between the platform firmware and operating system. Since it is aninterface, it is (in theory) easier to make modifications by motherboard ven-dors.

Gpt does not use ‘Cylinder-Head-Sector’ (Chs) addressing, like the Mbr does,it uses ‘Logical Block Addressing’ (Lba) instead.

A very big difference between Mbr and Gpt is that the Mbr contains anexecutable binary for identifiying and booting the active partition which liesoutside the Mbr, the Gpt contains this functionality itself. In other words:Efi contains it’s own boot-loader. It starts with a protective Mbr block, whichis used for backwards compatibility and makes sure that tools that try to modifythe Mbr do not accidentally destroy vital boot information when they thinkthat they are dealing with Mbr code. This part is also called ‘Legacy Mbr’ or‘Protective Mbr (Lba0)

To recognize the partition table scheme, the SystemId for the partition is set to0xEE, indicating that Gpt is used, which makes Efi ignore the Mbr. Gpt alsohas a redundancy feature, the header and the partition table are written at thebeginning as well as the end of the disk.

The Efi system partition (the partition that contains the bootloader programsfor all operating systems that are installed on the system) is formatted in a Fatvariant.

2.6. MBR, GPT - SIDE BY SIDE 13

2.6 MBR, GPT - Side by Side

The following picture gives an overview of the partitions of a disk for an ibm-pc6

architecture (Mbr disk), compared to an Itanium7 Gpt disk (source: 5).

2.7 Bootsector virus

A bootsector virus is a virus that infects the very first sector of a disk (floppydisk or hard disk). The first sector of your hard-disk is your bootsector and itcontains the Mbr. Since the Mbr is executed every time your systems starts,the virus can be very harmful. Once the Mbr is infected, the virus loads intomemory and can infect every hard disk, or external disk, known to the system.

Bootvirusses were typically spread via infected floppy disks. When a user left afloppy disk accidentally in the drive, the next time the system booted, it triedto boot from the floppy (this is a feature that can nowadays be (de)activatedin the Bios) and the virus kicked in. 8 Any antivirus software is sufficient toclean an infected bootsector/Mbr.

6ibm-pc or x86 stands for the 32-bit instruction set architecture that is binary compatiblewith the 80386, a microprocessor which has been the most commonly used processor forpersonal computers from 1986 up until now (end of 2008).

7Itanium is the brand name for Intel 64-bit microprocessors that implements the IntelItanium architecture (which was, despite the name, originally developed by Hewlett-Packard(hp))

8In the past, a lot of floppy disks were bootable, but a floppy disk does not need to bebootable to infect a system.


Chapter 3

Bootloading an operatingsystem

This chapter describes from a high-level point of view, the different steps in thebooting process of some of the major operating systems. First the differencesbetween the Bios and Efi startup processes are explained, after which the bootprocesses of some of the major operating systems are examined.

3.1 BIOS

In a few words, we could say that on startup, the Bios runs a Post (Power-OnSelf Test) to check for the availability of some vital hardware and executes theMbr afterwards. The full steps are shown below:

1. The computer is switched on, the (x86) Cpu is programmed to look at theaddress FFFF:0000h, the last 16 bytes of memory in the first megabyte.This address contains a jump (jmp) command to the Bios.

2. The Bios runs the Post. During this process (hardware vendor depen-dent), a video Bios, a check for a warm/cold boot (a warm boot indicatesthat a large part of the Post can be skipped)

3. Sets up the interrupt table containing the addresses to the interrupt rou-tines. Interrupt 13 is the most important of these interrupts, it containsthe Bios fixed disk (native I/O) services.

4. Initializes (after performing some tests) vital hardware like the Cmos(Complementary Metal–Oxide–Semiconductor; a special memory-chipthat stores information like the boot-order, system-clock etc), the Dma(Direct Memory Access), controller, the keyboard controller, and the like.

5. Initializes (again after performing some tests) hardware like keyboards,hard disks etc.

15

16 CHAPTER 3. BOOTLOADING AN OPERATING SYSTEM

6. Looks for Rom extensions (a Bios on an option card). Typical Romextensions can be found in video cards, network adapters etc. The first twobytes of a Rom extension are 55aa, the Bios locates Rom extensions bysearching for this pattern. If an extension is found, the Rom initializationcode is called.

7. Finally, the Bios looks for a boot sector (Vbr) 1 on an external device,or the Mbr on a hard disk (this option can usually be set in the Bios,although this was not the case for older systems) and copies it to address0x7c00.

3.2 EFI

On machines with Efi firmware, it is the firmware itself that contains a boot-manager. It is the BootRom that performs a Post. Efi takes care of basichardware initialization and the selection of the actual operating system to start.

The Microsoft boot-manager entry is called “Windows Boot Manager” and canbe found at the following location: \EFI\Microsoft\Boot\Bootmgfw.efi. OnMacintosh machines, the file called /System/Library/CoreServices/boot.efi.

Since the Efi is modular and the specification an interface, each vendor providesa different version. Microsoft even implements a second bootmanager with itsown menu with boot options.

3.3 Microsoft

Microsoft has three generations of bootloaders. The first one loads Dos basedoperating systems like Dos itself, Windows 3.x and Windows 95/98. The Win-dows Nt generation (version 4 and 5) include a new bootloader called Ntldr.Windows Vista and Windows 2008 use Bcd as bootloader.

1A VBR is the first sector of a device that has not been partitioned, or the first sector ofan individual partition on a device that has been partitioned.

3.3. MICROSOFT 17

3.3.1 Windows DOS, Windows 3.x, Windows 9x

Once the Bios has completed its initialization phase, the boot process looks forthe bootable partition and starts the operating system by invoking the operatingsystem files (io.sys, msdos.sys and command.com)

The full explanation of the steps follow:

1. The Bios loads the Mbrs boot code and executes it. It looks for theboot device, if the device is a hard-disk, some additional steps (examiningthe master partition table including retrieving information on extendedpartitions) are performed:

(a) If the master boot code has found an extended partition, the extendedpartition table will be loaded. This table lists the logical volumes inthe extended partition. The extended partition tables of the logicalvolumes are chained, the process uses this feature to find and loadall extended partitions.


(b) Once the (optional) extended partitions have been loaded the masterboot code tries to boot the active (primary) partition, resulting inerror codes on failure.

2. The Volume Boot Record is loaded and executes

3. The Volume Boot Code inspects the disk from which it boots, resultingin error codes on failure.

4. The root directory of the device that is used for booting must now containthree files: (io.sys, msdos.sys and command.com) (If these files are notfound, an error message is displayed)

5. The boot program loads the three operating system files into memory andexecutes them. The files, on their turn, load the command interpreter andthe system control files (config.sys and autoexec.bat)

The kernel image was implemented in two files (io.sys and msdos.sys) in olderDos versions, Dos 7 implemented the kernel image in one file (io.sys). Thefile msdos.sys was transferred to a text-based configuration file.

For the windows systems, the last line of the autoexec.bat called the filewin.com which on its turn loads the Windows kernel (krnl386.com) and someadditional modules. The Windows kernel finally loads the primary shell (progman.exefor Windows 3.x, explorer.exe for later versions)

Since the windows kernel is loaded from the autoexec.bat file, this file can beused to implement some sort of bootmanager. Different bootoptions are shownin the accompanying image.

3.3.2 Windows NT, Windows XP, Windows 2000, Win-dows 2003

These versions of Windows all use Ntldr as bootloader.

NTLDR

Ntldr has some tasks to perform before the user can select the actual operatingsystem to boot:

1. The windows loader (Ntldr) is loaded.

2. The loader switches the processor to 32-bit mode (which is needed byNtldr)

3. Ntldr starts a mini-filesystem with appropriate drivers. This is neededto be able to load Windows from different filesystem formats.

4. The loader reads the boot.ini file and presents the user with a menu,based on the configuration in the boot.ini file. If this file is not present,

3.3. MICROSOFT 19

the system assumes default values, prints an error message and continues.If only one boot option is present in the configuration file, the systemreads the configuration and continues without presenting the menu to theuser.

5. Ntldr loads the operating system that is selected by the user. If theselected operating system is any of the ones mentioned in this section,Ntldr set’s up the hardware and loads and executes ntdetect.com. Forother operating systems, the control is passed to the file bootsect.dos,or any other bootloader.

6. ntdetect.com (osloader.exe on Risc systems) scans the hardware andgives the discovered list to the Ntldr which loads ntoskrnl.exe andgives it the list previously received. We now enter the Windows LoadPhases.

The Windows Load Phases for the mentioned systems can differ slightly fromone to another, however the general sequence for the mentioned systems consistsof the following:


1. Kernel Load Phase

2. Kernel Initialization Phase

3. Services Load Phase

4. Windows Load Phase (Windows Subsystem Start Phase)

Kernel Load Phase

The ‘Kernel Load Phase’ loads the ‘Hardware Abstraction Layer’ (Hal, found inthe file hal.dll) and the registry is loaded and checked for additional neededdevice drivers. ntoskernel.exe is loaded (but not executed). Ntldr nowinitializes the kernel and passes control to it.

Kernel Initialization Phase

The drivers that were loaded in the ‘Kernel Load Phase’ as well as the kernelitself are initialized. The registry hardware list is created with the informationcollected by ntdetect.com.

Service Load Phase

The session manager is started who’s task is to check all programs that must bestarted. The paging file is setup and the disk is checked for errors (chkdsk.exe).

Windows Load Phase

The Win32 subsystem starts and invokes winlogon.exe. The service controllerchecks the registry for services that must be started, right after the login screenis presented indicating that the system has properly started.2

3.3.3 Windows Vista, Windows 2008

It is either the Bios or the Efi that loads the Windows Nt6 boot managercalled ‘Winload’.

It is Winload that bootstraps the Windows kernel3, it loads the operatingsystem kernel, the Hardware Abstraction Layer (Hal) and the system registry.

2Actually, the boot process is not yet finished; it finishes after a successful logon and the‘Last Known Good Configuration’ boot-sequence has been copied.

3Winload is the equivalent of Ntldr for older Windows Nt systems, although it does notimplement features like hibernation (dispatched to the program called winresume or imple-mentation of the bootmenu (already handled by the boot-manager))

3.3. MICROSOFT 21

The boot manager (which must be located at the root directory of the bootvolume) reads the ‘Boot Configuration Data’ file and presents the user a boot-menu. Whenever an operating system is chosen, the bootmanager executeswinload.exe to load the operating system.

The steps the Winload takes are simpler than Ntldr, since some of the tasksperformed by Ntldr have already been performed by the bootmanager (pre-sentation of the menu) or are delegated to other programs (winresume for hi-bernation).

The steps that Winload performs are the following:

1. It loads the system registry.

2. Winload loads the operating system kernel. The Hardware AbstractionLayer is initialized as well as all needed kernel libraries.

3. All (kernel, Hal, libraries and device drivers) the image files are checkedby their digital signature and loaded.

4. The registry is scanned to check all used device drivers, the device driversthat are in the ‘boot’ classes are verified and loaded into memory.


3.4 Grub4Dos

Not really a specific Windows bootloader, but has some interesting features thatare worth to mention.

Grub4Dos is a fork of the Grub project (see 3.6.2), but has evolved a lot.

Grub uses a staging mechanism, each stage containing a different small pro-gram, to bootload an operating system, Grub4Dos on the other hand, uses onesingle file (grldr or grub.exe, depending from which operating system youboot) which can be chainloaded from other bootloaders like Ntldr, Grub4Doscan be written to the bootsector of a device (using the file grldr.mbr) or grldrcan be loaded via the device’s Mbr. Additionally, Grub4Dos can be loaded inmultiple ways (it can be loaded by the bootloader in the Mbr, it can be loaderfrom the Windows Vista bootloader and it can serve as bootfile for bootableCdroms (El Torito). Finally, Grub4Dos implements functionality that allowsyou to map virtual disks (harddisk or floppydisks) from image files which canbe used after Dos has started.

If the Grub4Dos bootloader (grldr of grub.exe) is chainloaded from anotherbootloader, it scan the local disks for the configuration. This means that theconfiguration file is not bound to a specific location, it can even be mobedbetween disks.

If Grub4Dos (the Mbr of Grub4Dos) is installed in the Mbr, it scans all devicesfor the loader, which on its turn scans devices for the bootmenu (menu.lst).If no menu configuration is found, a command-line is presented, otherwise themenu is shown.

3.5 Macintosh

The latest Mac versions come in two flavors, Power PC (Ppc which uses OpenFirmware (a Bios based bootloader) or Intel based Macs, which use Efi/Gpt.

Apple divides the boot process in ten major steps:

1. Power on. The hardware activates the Boot Rom firmware. In case ofOpenFirmware, a Bios variant, the following two steps are performed:

(a) Post, checks vital hardware(b) Open Firmware, builds the device tree and selects which operating

system to boot.

2. Booter, the ‘BootX’ is the loader that loads the kernel. It is the bootloaderthat passes control to this bootloader when Mac OsX is selected as theoperating system. The bootloader can be found at the following location:/System/Library/CoreServices/BootX.

3. Kernel load, device drivers are loaded and the mach init process (theprocess that manages all Cpu processes, like multi-tasking, memory usageetc.) is launched.

3.6. LINUX 23

4. System initialization. The System initialization is divided into four sub-tasks:

(a) Determination of single-user boot or Cdrom boot

(b) System initialization scripts are run, completes the basic initializationtasks and load the startup items

(c) The login window is launched.

(d) System processes that were needed during boot are cleaned up

5. Startup items, these consist of programs and shell scripts that clean thetemporary files and launch daemon background processes.

6. Login. After the user has logged in, the users environment is loaded, theDock, Finder and UI server are started. Optionally the setup assistent isloaded (in case an installation is in progress) and some of the applications(user specified) are launched.

7. Authenticating users. This process occurs after the login process. It usesthe Directory Services to authenticate the user (the loginwindow managesthe authenticating process, but does not authenticate the user itself)

8. User environment setup.

3.5.1 Bootcamp

Bootcamp is a utility that lets the user install other operating systems (likeWindows Xp or Windows Vista) on a Macintosch.

The Gpt specification uses a ‘protective Mbr’, as mentioned earlier, this Mbrshould have exactly one partition, its Id should be set to 0xEE.

Apple has bypassed this rule and Bootcamp uses a hyrbid Mbr/Gpt. Whathappens is that when you create a new partition on the disk (using the toolsthat are supplied by Apple!), this partition gets copied to the partition table ofthe protective Mbr of the Gpt (and thus breaking the standard).

3.6 Linux

While technically spoken, Lilo and Grub are not ‘Linux’ bootloaders (they canboot a multitude of operating systems), they are freely distributed with Linuxand are therefor often seen as ‘Linux’ bootloaders.

Both Lilo and Grub are staged bootloaders where the first stage (which is asmall part of code in the Mbr) is only used to load the second stage.

Once the second stage is loaded into the main memory, the user is presentedwith a screen showing the different bootoptions (operating systems) that areavailable.


If the selected operating system is a linux flavour, the kernel is loaded from theboot directory. If the selected operating system is not a linux flavour, anotherbootloader will be invoked.

Lilo and Grub are very similar, their main differences are:

• Grub has an interactive interface, whereas Lilo only alows one commandwith parameters for interaction.

• Lilo stores information about the operatings system (like kernel locationetc) in the Mbr. The downside of this approach is that after each kernelmodification, the bootloader needs to be adapted as well, Grub uses adedicated stage for this.

• Grub can handle many more partition types (Lilo cannot read ext2 par-titions for example)

• Lilo is a two-stage bootloader, Grub has more stages

3.6.1 LILO

The first stage of the bootloader has finished, the second stage of the bootloaderdisplays the bootloader screen, reads the kernel and initrd into memory andhands over the control of the machine to the kernel.

The bootprocess using Lilo shows the word Lilo, each letter indicating a mile-stone within the boot process. The boot sequence will be explained using theseletters

1. L: When the primary bootloader begins to execute, the first ‘L’ is printed.This is the first stage of the boot process. It reads the map file (which iscompiled into the boot code) which contains the pointers to the availableoperating systems to boot. This map file also contains the address of thesecond bootloader.

2. I: The ‘I’ is printed just before Lilo loads the second bootloader (stage2). If during a boot you see the letters ‘LI’ appear, after which the systemhalts, this indicates that the second bootloader cannot be found. (thishappens often after recompilation of a kernel or installation of anotherkernel. It is possible to recompile a kernel, move bootloader etc., butthe command /sbin/lilo needs to be executed afterwards to update theMbr)

3. L: The first thing the second bootloader does is printing the second ‘L’.It reads the map file afterwards to retrieve the additional needed files.

4. O: Lilo runs after the map contents have been loaded and verified. Lilois ready to pass the control to the kernel. Lilo can also load boot codefor a non-linux system.

3.6. LINUX 25

3.6.2 GRUB

This subsection deals with Grub 1, also known as Grub legacy. This is still themost widespread version of Grub although Grub 2 has made a lot of progress.Grub stage 1 is contained in the Mbr, its main task is to load the next stageof Grub; stage 24

Grub stage 2 presents the user with a boot menu as well as a command promptwhich can be used to enter additional parameters for the boot process. Oncethe options are known, Grub loads the kernel which takes over control. Grubcan also give control to another bootloader for operating systems that do notsupport the multiboot standard. This process is called chainloading. The otherbootloader is loaded as if it was called by the Mbr directly.

A more detailed explanation of the boot sequence:

1. The Mbr boot code (stage 1) is executed

2. The bootloader code contains the address of the next stage, which is usu-ally stage 1.5. Stage 1.5 is located in the first 30 bytes, right after theMbr. This space is also known as the “Dos compatibility space”.

3. Stage 1.5 knows about the bot filesyste,. It opens the filesystem, looksfor the stage 2 executable and passes control to it. This step is created togive a greater flexibility in upgrading kernels, stage 2 upgrades etc, sincechanges do not imply modifications to the Mbr (which is not the case forLilo).

4Stage 1 can also load stage 1.5 which is located directly after the Mbr. Stage 1.5 is usedto load other filesystems than ext2 and ext3. Stage 1.5 is filesystem aware and simply loadsstage 2.


4. Stage 2 executes. It loads the menu configuration (menu.lst) and (usu-ally) provides the user with a menu, based on its configuration.

The next step is to load the Linux kernel.

Stage 1.5 - The DOS compatibility region

Previously, disks were addressed in Cylinder-Head-Sector (Chs) mode, a physi-cal layout of the disk. Nowadays, disks are addressed in ‘Logical Block Address-ing’ (Lba) mode.5

Dos required that its image stayed in one cylinder. Partition managers thereforadded a region so that the first partition was aligned with the boundaries ofthe cylinder. The usual number of sectors per cylinder is 63 of which the Mbrtakes only one. This leaves 62 sectors (usually 512 bytes per sector) of unuseddisk space.

The Dos compatibility region is used by Grub to store stage 1.5, the stage thatcontains file-system specific code.

3.6.3 Loading the Linux kernel

After the bootloader has loaded the kernel, the kernel initializes, configures andexamines the system’s hardware. It looks for a initrd image in well knownlocation in it memory. The initrd image is mounted and the necessary drivers

5In Lba, only one number is used to address data, rather than three. Each linear baseaddress describes a single block. The reason for using Lba instead of Chs in the filesystem isbecause of its simplicity. (source: wikipedia)

3.7. MULTIBOOT 27

are loaded. Virtual devices (lvm or Software raid) are optionally loaded be-fore the image is unmounted and the kernel continues by freeing up all unusedmemory. The filesystem is setup, by creating a root device, which is mountedas read-only. Again all unused memory is freed, we now have a fully-loaded andoperational kernel in memory.

Next step is to invoke the /sbin/init program (which is also simply called‘init’), to setup a user environment (otherwise, we could not do a lot with thecomputer).

The init process becomes the parent process of all subprocesses that will bestarted. It starts by initializing the available run-levels, usually ending at run-level 5 (graphical multi-user environment).

3.7 Multiboot

The image below shows some possible boot scenarios. There is one part withdotted lines, it shows a path from the Ntldr to a file called bootsect.dos.This file is actually installed by the Windows Nt installation process, simulatinga normal boot process (actually, it is a copy of the ’old’ bootsector before theinstallation on Windows Nt).


The image shows some of the possible paths during a multiboot bootprocess.Most bootloaders are capable of chainloading another bootloader. This has onebig implication: multiple bootmenus. If you boot Grub, for instance, and youuse it to load Windows, you get redirected to the Windows bootloader. If thisbootloader only contains one entry, it will skip the menu, however, mutlipleentries lead to the effect that you will first see the Grub bootmenu, afterwardsthe Windows menu.

A remedy might be to setup the multi-boot system in such a way, that eachoperating system has its own bootloader. 6

A more complicated setup includes creating images of each operating systemto be installed, reinstalling them afterwards and let the bootmanager link thedifferent operating systems.

Both methods are undesirable, they require a lot of work, with limited outcome,they are thus not part of the experiments. 7.

6This might work if the number of operating systems is limited and fit within the maximumlimit of four primary partitions (a partition can be set hidden when a new operating systemis installed, therefor the installer will not modify the specific boot process).

7Dan Goodell did follow this setup

http://www.goodells.net/multiboot/index.htm

Chapter 4

Some experiments

Before experimenting with dual boot systems, it is convenient to have a par-tition manager available, since the installation procedures of Windows Xp norWindows Vista foresee any partitioning options during installation.

The experiments with the combination of Windows Xp and Windows Vista arerun on a Pentium with 2 Gb of internal memory and a disk capacity of 60Gb. The multiboot experiment is performed within a Virtual Machine (usingVmWare Fusion) with a Mac (running OsX Leopard) as host. The virtualmachine has 1 Gb of internal memory assigned and a disk capacity of 30 Gb.

4.1 Dualboot: Installing Windows Vista next toWindows Xp

Starting with an easy scenario, we install Windows Vista on a system withWindows Xp already installed (and we assume that it is properly partitioned).The Vista installation recognizes Xp, creates an entry in the bootloader, so nexttime the system is booted, the user is presented with a menu allowing the choiceof either operating system. Let’s have a closer look.

After the installation, a file called boot.bak is placed in the root of the Xppartition. The contents show the following:

;;Warning: Boot.ini is used on Windows XP and earlier operating systems.;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.;[boot loader]timeout=30default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

The comments mention the bcdedit.exe application, which is a commandlineutility that can be found in the directory c:\Windows\System32. 1 Running

1BcdEdit is a commandline utility to manage Bcd stores; a Bcd store contains the different

29

30 CHAPTER 4. SOME EXPERIMENTS

this program gives the following output:

c:\Windows\System32>bcdedit.exe

Windows Boot Manager--------------------identifier {bootmgr}device partition=D:description Windows Boot Managerlocale en-USinherit {globalsettings}default {current}displayorder {ntldr}

{current}toolsdisplayorder {memdiag}timeout 30

Windows Legacy OS Loader------------------------identifier {ntldr}device partition=D:path \ntldrdescription Earlier Version of Windows

Windows Boot Loader-------------------identifier {current}device partition=C:path \Windows\system32\winload.exedescription Microsoft Windows Vistalocale en-USinherit {bootloadersettings}osdevice partition=C:systemroot \Windowsresumeobject {18a863e9-9cf4-11dd-acd6-81fd24c4e1bb}nx OptIn

Using BCDedit, these options can be changed, new entries can be added etc.2

Bcd is an abbreviation for ‘Boot Configuration Data’ .

Vista no longer uses Ntldr, but Bcd. The configuration file (boot.ini) hasbeen backup and contains a message that this type of loading is no longersupported.

4.2 Dualboot: Installing Windows Xp next toWindows Vista

Installing Windows Xp, after Vista has been installed, requires some manualintervention afterwards. Windows Xp is older than Vista, the technology (read:the boot process) is simply not built to cope with newer technologies.

When Vista is already installed, and a copy of Windows Xp is placed next toit, the Windows Xp installation overwrites the Windows Vista bootloader andreplaces it by the one known to Xp: Ntldr. Since this bootloader has no

boot entries2There is also a utility called msconfig.exe which provides a Graphical User Interface

(GUI) that allows you to change some basic options like default boot option, timeout etc. Itsfunctionality is limited compared to BCDEdit

4.2. DUALBOOT: VISTA AND THEN XP 31

notion of Vista, you will find yourself booting straight into Xp, no option toboot Vista is presented.

Intuitively, you might consider two rescue options: modify Xp’s bootloader toalso present the option to boot Vista or install Vista’s bootloader and configureit to allow the choice of either Xp or Vista (and we have seen that this worksin the previous section)

After booting to Xp, a ‘boot.ini’ file is available with the following contents:

[boot loader]timeout=30default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Since the bootloader of Windows Xp (ntldr) is not forward compatible, itdidn’t recognize Windows Vista, the option is not available in the boot menu.Since there is only one operating system defined, the system will skip the boot-menu and boot straight into Windows Xp.

To fix this unwanted behaviour, Microsoft has a support-page explaining the de-tails. Following the indicated steps3 I was able to reinstall the Vista bootloaderwith an entry for both Windows Xp and Windows Vista.

The steps to take are the following (6):

1. Use Bootsect.exe to restore the Windows Vista Mbr and the boot codethat transfers control to the Windows Boot Manager program. To do this,type the following command at a command prompt:Drive:\boot\Bootsect.exe /NT60 All

In this command, Drive is the drive where the Windows Vista installationmedia is located.

2. Use Bcdedit.exe to manually create an entry in the bcd Boot.ini filefor the earlier version of the Windows operating system. To do this, typethe following commands at a command prompt.In these commands, Drive is the drive where Windows Vista is installed.

(a) Drive:\Windows\system32\Bcdedit /create ntldr /d "Descriptionfor earlier Windows version"Note: In this command, the description for earlier Windows versioncan be any text that you want. For example, the description forearlier Windows version can be “Windows Xp” or “Windows Server2003”.

(b) Drive:\Windows\system32\Bcdedit /set ntldr device partition=x:Note: In this command, x: is the drive letter for the active partition.

(c) Drive:\Windows\system32\Bcdedit /set ntldr path \ntldr(d) Drive:\Windows\system32\Bcdedit /displayorder ntldr /addlast

3I had to perform those steps from the Vista installation cd since there were problemslocking the harddisks. There were some additional errors, but these appeared to be non-fatal


4.3 Multiboot: Xp, Vista, Windows 2008 Serverand Linux

It should now be clear that we should start with the installation of the oldestoperating system first, working our way ‘up’ unto the latest, finishing withLinux, since the Linux bootloaders recognize all other. Before that, however,I used gparted to partition the disk, since not all operating systems provide apartitioning option during installation.

Some things are convenient to know before starting:

• Windows 2008 Server need minimal 6 Gb to install

• Linux uses a dedicated partition for its swap-space (not necessary, butcommon practice)

• Linux stores boot information in a dedicated directory called ‘boot’. Ifwe would like to setup two Linux partitions, we can either give them aseperate boot-location, or we can let them point to the same location.In the latter case, changes only need to be made once. (An additionalnote; for older Bioses, this boot partition must be within the first 1024cylinders of the harddrive in order to be bootable! If you have an oldBios, place the boot partition at the front of your partition table), thisis also the reason why I placed a dedicated partition in the beginnning ofthe disk.

4.3.1 Step 1: partitioning

I chose the following setup (screenshot from gparted):

4.3.2 Installing Windows Xp

The installation detects the partitions that I have recently setup (except for theLinux partitions, which is quite logical) and after selecting the first partition,

4.3. MULTIBOOT: XP, VISTA, 2008, LINUX 33

the installer asks me what to do with the partition (format, convert to ntfs).I chose not to format, not to convert the partition, thus leaving it in fat32.

The installation leads to no suprises, after rebooting, we boot straight intoWindows Xp.

4.3.3 Installing Windows Vista

The windows installation asks whether I am interested in going online to getthe latest updates during installation. To speed up the process, I chose not to.

Vista also recognizes the created partitions (as expected) and it comes with awarning that windows cannot be installed on the first partition, since it is notan ntfs partition. During the Windows Vista, the installer reboots and wedirectly notice that the new bootloader is already installed. Two options areavailable: ‘Earlier version of windows’ and ‘Windows setup’. We do not get tochose, the installer boots straight into the setup program.


4.3.4 Installing Windows 2008 Server

The installer asks which version of Windows 2008 I purchased (actually, I didn’tpurchase any, I downloaded it from Msdn). Chose one of the available options(beware that the ‘Core’ option gives a command-line only interface!) and afterbooting we see that Windows 2008 adapted the bootoptions that were availableafter Vista installation:

4.3. MULTIBOOT: XP, VISTA, 2008, LINUX 35

Windows 2008 Server installed without problems, the menu shows the threeexpected boot-options.

4.3.5 Linux installation

The initial idea was to install Fedora (which allows the option to use Liloas bootloader as well as Grub), but the Fedora installer/partitioner does notrecognize any of the NTFS partitions (additionally it crashed when trying toset it up), so I switched to Ubuntu.

The installation finishes and after a reboot, we are presented with Grub, whichallows us to boot to either Ubuntu, or go to the Vista/Longhorn loader. Thislast option goes, as expected, to the Windows Bootloader as it was installed byVista. This means that if we would like to boot into any windows system, wehave to pass two bootloaders....

4.3.6 Multiboot installation conclusions

Proper planning is clearly needed, the partitions, their filesystem format andsizes need to be known upfront. Once you have determined this information,start with the oldest windows version first and work your way up to the newerwindows versions. Installing Linux with either Lilo or Grub afterwards shouldnot pose any problems, but be prepared to perform some manual interventionsafterwards.


Appendix A

MBR - a closer look

The Mbr that I retrieved during of one of the experiments; Windows Xp (Thisimage is best viewed in full scale and in color)

37

38 APPENDIX A. MBR - A CLOSER LOOK

0000 Master Boot Code, also known as Initial Program Load.012c Error messages, ends with 00 (in bold).017c Padding, all zero-bytes.01b5 Fixed for english versions of windows: 2c 44 63 - Part of dmadmin.exe,

used by Windows Nt to display the Mbr error codes which may belanguage dependent.

01b8 Disk signature, needed by Windows Nt to identify the right disk andused for drive assignation.

01bc Unused, usually nulls: 0x0000.01be Start of the partition table, it contains 4 16-byte entries (this Mbr has

only one defined partition). The active partition is Indicated with thevalue “80”, the other partitions start with the value “00” (values in bold).

01fe Mbr signature: 0xAA55 (on all Ibm-Pcs, and compatible, numbers oftwo or more bytes are always stored in reverse order). Actually 0xAA55is called the ‘Magic Number’, it is used to denote the end of both Mbrsand bootsectors.

Each of the four possible primary partitions contain a boot-indicator, the valueof 80 indicates that this partition is active (booteable), in which case we call ita ‘high bit’.

Partition 1: 80 01 01 00 07 fe ff ff 3f 00 00 00 62 04 53 07Partition 2: 00 fe ff ff 0f fe ff ff a1 04 53 07 5f f4 a5 06Partition 3: . . . empty. . .Partition 4: . . . empty. . .

byte 0: The first byte tells use whether the partition is bootable (80 for theactive partition, 00 for an inactive partition. There can only be one activepartition). It is the active partition that contains the boot manager.

byte 1-3: The next three bytes contain the “Cylinder/Heads/Sector” (Chs)address of the partition start.

byte 4: This byte indicates the partition type. A few examples: 07 indicatesWindwows Nt or OS/2 HPFS, 0f indicates Win95 Extended, 83 indicates linuxswap.

byte 5-7: Chs address of the partition end.

byte 8-11: The starting sector number (little endian)

byte 12-15: The partition size

A.1. THE PARTITION TABLE 39

A.1 The partition table

The partition table is a 64-byte structure, as we have seen above. The tablecontains 4 entries, leaving us with 16 bytes for one partition. The first entry inthe example of this chapter contains the following code: 80 01 01 00 07 feff ff 3f 00 00 00 62 04 53 07. The first entry of a partition table alwaysstarts at address 01be, this gives us the following dissection of the tabel (littleendian!)

Offset Length Value Description01be 8 bits 80 Boot indicator, 80 for the active

boot-partition, 00 for inactive.01bf 8 bits 01 Starting head01x0 16 bits 01 Starting sector, only the first 6 bytes are

used. The upper 2 bits of this byte areused by the starting cylinder field.

00 Starting cylinder, uses this byte + 2 bitsfrom the starting sector to get thecylinder value.

01c2 8 bits 07 System ID. 07 means Ntfs01c3 8 bits fe Ending head01c4 16 bits ff Ending sector. Same division as the

starting sector.ff Ending cylinder, borrows 2 bits from

the ending sector01c6 32 bits 3f 00 00 00 Relative sectors, the offset from the

beginning of the disk to the beginningof the volume, counting by sectors.

01ca 32 bits 62 04 53 07 Total sectors.

40 APPENDIX A. MBR - A CLOSER LOOK

Appendix B

GPT - a closer look

I have not tried to modify anything on my Mac (no bootcamp installed) sothe presented information here is more limited compared to that of the Mbr,however, some things can be interesting.

First, I tried to view a dump of the Mbr using the following commands:

Barry$ sudo dd if=/dev/disk0 of=/Users/Barry/Desktop/macmbr.code bs=1 count=512512+0 records in512+0 records out512 bytes transferred in 0.064308 secs (79648 bytes/sec)

Viewing the result in a hexviewer is uninteresting, the magic number can be seen,as well as a lot of nulls. The partition table is more interesting, especially withthe information following afterwards:

01B0: 00 00 00 00 00 00 00 00 90 63 00 00 00 00 00 FE01C0: FF FF EE FE FF FF 01 00 00 00 2F 60 38 3A 00 0001D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0001E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0001F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA

The disk signature is set to 90 63 00, one partition is visible, but it is non-bootable.

41

42 APPENDIX B. GPT - A CLOSER LOOK

The following shows some more interesting information:

Barry$ sudo fdisk /dev/rdisk0Disk: /dev/rdisk0 geometry: 60801/255/63 [976773168 sectors]Signature: 0xAA55

Starting Ending#: id cyl hd sec - cyl hd sec [ start - size]------------------------------------------------------------------------1: EE 1023 254 63 - 1023 254 63 [ 1 - 976773167] <Unknown ID>2: 00 0 0 0 - 0 0 0 [ 0 - 0] unused3: 00 0 0 0 - 0 0 0 [ 0 - 0] unused4: 00 0 0 0 - 0 0 0 [ 0 - 0] unused

The Magic Number is not a surprise, what is surprising is the ‘unknown ID’.Actually, this is not surprising at all; the identifier EE is used to protect theGpt to tools designed for the Mbr (like fdisk), but unaware of Gpt (see 2.5).

The following commands show a bit of information as well:

Barry$ sudo gpt -r show /dev/rdisk0start size index contents

0 1 PMBR1 1 Pri GPT header2 32 Pri GPT table34 640 409600 1 GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B

409640 976101344 2 GPT part - 48465300-0000-11AA-AA11-00306543ECAC976510984 262151976773135 32 Sec GPT table976773167 1 Sec GPT header

We clearly see the redundancy that is built in into Gpt; the partition table andthe header are duplicated. Furthermore, the GuidC12A7328-F81F-11D2-BA4B-00A0C93EC93B indicates that we are dealing witha Efi System Partition, 48465300-0000-11AA-AA11-00306543ECAC indicates a‘Hierarchical File System’ (Hps) filesystem, which is the default filesystem forOsx.

One last command, the outcome should be self-explanable:

Barry$ diskutil list/dev/disk0

#: TYPE NAME SIZE IDENTIFIER0: GUID_partition_scheme *465.8 Gi disk01: EFI 200.0 Mi disk0s12: Apple_HFS Harddrive 465.4 Gi disk0s2

Appendix C

Utilities

There are several useful utilties to work with bootloaders (Tools come with thedescription provided by the vendors/developers)

1. BCDEditBoot Configuration Data (Bcd) files provide a store that is used to de-scribe boot applications and boot application settings. The objects andelements in the store effectively replace Boot.ini.

BCDEdit is a command-line tool for managing Bcd stores. It can be usedfor a variety of purposes, including creating new stores, modifying existingstores, adding boot menu options, and so on. BCDEdit serves essentiallythe same purpose as Bootcfg.exe on earlier versions of Windows, butwith two major improvements:

• BCDEdit exposes a wider range of boot options than Bootcfg.exe.

• BCDEdit has improved scripting support.

BCDEdit is the primary tool for editing the boot configuration of WindowsVista and later versions of Windows. It is included with the WindowsVista distribution in the %systemroot%\System32 folder.

2. BeeblebroxBeeblebrox is a partition table editor for Windows 95/98 or NT. WithBeeblebrox you can : backup and restore your partition tables, edit anyvalue in any partition table, hide/unhide partitions, change the activepartition, search for partition boot records to help in partition recovery,view partition boot sector information and delete a partition.

3. GPartedGParted s used for creating, deleting, resizing, moving, checking and copy-ing partitions, and the file systems on them. This is useful for creatingspace for new operating systems (works with Vista System and Data par-titions), reorganizing disk usage, copying data residing on hard disks andmirroring one partition with another (disk imaging).

43

http://technet.microsoft.com/en-us/library/cc709667.aspx

http://students.cs.byu.edu/~codyb/

http://gparted.sourceforge.net/

44 APPENDIX C. UTILITIES

4. HDHackerHDHacker is a stand-alone micro-utility that saves, visualizes, and restoresthe Mbr (from a physical drive), the BootSector (from a logical drive) orany specified sector from any disk (even removable disks).

HDHacker can be used, for example, to save and restore a particular bootmanager (such as Lilo, for example) before a new Windows setup (which,obviously, overwrites it).

An Mbr and BootSector backup can also be useful for simple precaution-ary purposes too, since sometimes viruses or other Os setup (like Linux)could overwrite and/or alter the Mbr/Boot Sectors, making it impossibleto start up previous Os and/or access datas stored on the disk. HDHackercan provide “insurance” against all these types of loss.

5. MbrFixPerform several Master Boot Record (Mbr) tasks, like backing up, restor-ing, fixing the boot code in the Mbr, etc. The utility should not be usedfor Guid Partition Table (Gpt) disks.

6. MBRWizardMBRwizard is a powerful, yet flexible utility designed to assist with alltypes of Master Boot Record difficulties. Intially developed to overcomeMBR problems introduced by disk imaging products such as SymantecGhost and Acronis True Image, MBRwizard has become a popular utilityfor repairing all types of Mbr problems, especially those caused by disk-2-disk (d2d) and system backup and recovery applications.

7. PartInfoThis Dos or Nt/2000/Xp utility will display the partition information inthe Mbr and Embr. The output can be redirected to a file and sent forreview if needed.

8. SecInspectSecInspect.exe is a command-line diagnostics tool that allows administra-tors to view the contents of master boot records, boot sectors, and IA64Guid partition tables. Additional features include creating hex dumps ofbinary files and backup/restore of sector ranges.

9. VmWare FusionVMware Fusion is a virtual machine software product developed by VMwarefor Macintosh computers with Intel processors. Fusion allows Intel-basedMacs to run x86 and x86-64 “guest” operating systems, such as MicrosoftWindows, Linux, NetWare and Solaris as virtual machines simultaneouslywith Mac OS X as the “host” operating system using a combination ofvirtualization, emulation and dynamic recompilation.

http://dimio.altervista.org/eng/

http://www.sysint.no/nedlasting/mbrfix.htm

http://www.mbrwizard.com/

http://www.terabyteunlimited.com/downloads-free-software.htm

http://www.microsoft.com/downloads/details.aspx?FamilyID=dd3ef22a-a586-4079-9489-c3ea14573fc4&DisplayLang=en

http://www.vmware.com/products/fusion/

Appendix D

Glossary

A lot of the items in this glossary are retrieved from http://www.wikipedia.org.

• Basic Input/Output System (BIOS)Firmware code run by a personal computer (Ibm-Pc architecture) whenit first starts up. The Bios is responsible for initializing vital hardware(like video-card, keyboard etc). The Bios gives contraol to a bootloaderfor system startup.

• BootingIn computing, booting (booting up) is a bootstrapping process that startsoperating systems when the user turns on a computer system. A bootsequence is the initial set of operations that the computer performs when itis switched on. The bootloader typically loads the main operating systemfor the computer.

• Boot Configuration Data (BCD)Boot Configuration Data (Bcd) is a firmware- independent database forboot-time configuration data. It replaces the boot.ini that was used byNtldr, and is used by Microsoft’s new Windows Boot Manager.

• BootloaderA bootloader is a small program that is user to boot other operatingsystems.

• BootmgrFor Vista, the Mbr looks for and loads bootmgr, Vista’s replacement forNtldr, however, bootmgr serves only one function: as a bootmanager.Bootmgr refers to a file called bcd (short for boot configuration data).You can say bcd is like boot.ini, it contains the menu entries for Vista’sboot menu.

• bootsect.dosootsect.dos is created by Windows NT Setup. It is a copy of the boot-sector as it existed before the installation of Windows Nt and allows the

45

http://www.wikipedia.org

http://www.wikipedia.org

46 APPENDIX D. GLOSSARY

Windows not loader (Ntldr to load Dos based operating systems, sim-ulating the previous operating system’s normal boot procedure).

• BootstrappingIn computing, bootstrapping (”to pull oneself up by one’s bootstraps”)refers to techniques that allow a simple system to activate a more compli-cated system. A common scenario is the start up process of a computersystem, where a small program, such as the Bios, initializes and testshardware, peripherals and external memory devices, then loads a pro-gram from one of them and passes control to it, thus allowing loading oflarger programs, such as an operating system.

Bootstrapping was shortened to booting, or the process of starting upany computer, which is the most common meaning for non-technical com-puter users. The verb “boot” is similarly derived. A “bootstrap” mostcommonly refers to the simple program itself that actually begins the ini-tialization of the computer’s operating system, like Grub, Lilo or Ntldr.

• ChainloadingChain loading is a method used by computer programs to replace thecurrently executing program with a new program, using a common dataarea (a so-called core common area) to pass information from the currentprogram to the new program. It occurs in several areas of computing.

In operating system boot manager programs, chain loading is used to passcontrol from the boot manager to a boot sector. The target boot sectoris loaded in from disk, replacing the boot sector from which the bootmanager itself was bootstrapped, and executed.

• Complementary Metal-Oxide-Semiconductor (CMOS)Complementary metal-oxide-semiconductor (Cmos), is a major class ofintegrated circuits. Cmos technology is used in microprocessors, micro-controllers, static RAM, and other digital logic circuits.

The Bios uses the Cmos to store information like the bootorder of physicaldevices, hardware clock etc.

• Cylinder-Head-Sector (CHS)Cylinder-head-sector, also known as Chs, was an early method for givingaddresses to each physical block of data on a hard disk drive. In the caseof floppy drives, for which the same exact diskette medium can be trulylow-level formatted to different capacities, this is still true.

Though Chs values no longer have a direct physical relationship to thedata stored on disks, pseudo Chs values (which can be translated by diskelectronics or software) are still being used by many utility programs.

• Direct Memory Access (DMA)Direct memory access (DMA) is a feature of modern computers and micro-processors that allows certain hardware subsystems within the computerto access system memory for reading and/or writing independently of thecentral processing unit. Many hardware systems use DMA including diskdrive controllers, graphics cards, network cards, sound cards and GPUs

47

• Electrically Erasable Programmable Read-Only Memory (EEP-ROM)EEPROM is a type of non-volatile memory used in computers and otherelectronic devices to store small amounts of data that must be saved whenpower is removed.

• EXT2The ext2 or second extended file system is a file system for the Linuxkernel. Although ext2 is not a journaling file system, its successor, ext3,provides journaling and is almost completely compatible with ext2.

• Extended Boot Record (EBR)An Extended Boot Record (Ebr), or Extended Partition Boot Record(Epbr), is a descriptor for a logical partition under the common Dosdisk drive partitioning system. In that system, when one (and only one)partition record entry in the Master Boot Record (Mbr) is designatedan ”extended partition,” then that partition can be subdivided into anumber of logical drives. The actual structure of that extended partitionis described by one or more Ebrs, which are located inside the extendedpartition. The first (and sometimes only) Ebr will always be located onthe very first sector of the extended partition.

Unlike primary partitions, which are all described by a single partitiontable within the Mbr, and thus limited in number, each Ebr precedes thelogical partition it describes. If another logical partition follows, then thefirst Ebr will contain an entry pointing to the next Ebr; thus, multipleEbrs form a sort of chain from the first to the next, and finally to the lastone. This means the number of logical drives that can be formed within anextended partition is limited only by the amount of available disk space.4

• Extensible Firmware Interface (EFI)The Extensible Firmware Interface (Efi) is a specification that defines asoftware interface between an operating system and platform firmware.Efi is intended as a significantly improved replacement of the old legacyBios firmware interface historically used by all Ibm-Pc-compatible per-sonal computers.

The Efi specification was originally developed by Intel, and is now man-aged by the Unified Efi Forum and is officially known as Unified Efi(Uefi).

• File Allocation Table (FAT)File Allocation Table or Fat is a computer file system architecture. It isthe primary file system for various operating systems including MsDos,DrDos, and Microsoft Windows (up to Windows Me).

• FirmwareExecutable machine code, installed in a computers non-volatile memory(Eeprom). It initializes low-level hardware, and passes on the controlthe the operating system loader. The firmware examples described in thedocument are Bios and Efi.

• Guid Partition Table (GPT)In computer hardware, Guid Partition Table (Gpt) is a standard for


the layout of the partition table on a physical hard disk. It is a part ofthe Extensible Firmware Interface (Efi) standard proposed by Intel as areplacement for the Pc Bios, one of the few remaining parts of the originalIbm-Pc. Efi uses Gpt whereas Bios uses a Master Boot Record (Mbr).

• Globally Unique Identifier (GUID)A Globally Unique Identifier or (Guid) is a special type of identifier usedin software applications in order to provide a reference number which isunique in any context (hence, ”Globally”). While each generated Guidis not guaranteed to be unique, the total number of unique keys (2128

or 3.4 · 1038) is so large that the probability of the same number beinggenerated twice is very small.

• Grand Unified Bootloader (GRUB)Gnu Grub (”Grub” for short) is a boot loader package from the GnuProject. Grub is the reference implementation of the Multiboot Specifi-cation, which allows a user to have several different operating systems ontheir computer at once, and to choose which one to run when the computerstarts. Grub can be used to select from different kernel images availableon a particular operating system’s partitions, as well as to pass boot-timeparameters to such kernels.

• Hardware Abstraction Layer (HAL)A hardware abstraction layer (Hal) is an abstraction layer, implementedin software, between the physical hardware of a computer and the softwarethat runs on that computer. Its function is to hide differences in hardwarefrom most of the operating system kernel, so that most of the kernel-mode code does not need to be changed to run on systems with differenthardware.

The Windows Nt operating system has a Hal in the kernel space, betweenhardware and kernel, drivers, executive services. This allows portability ofthe Windows Nt kernel-mode code to a variety of processors, with differentmemory management unit architectures, and a variety of systems withdifferentI/O bus architectures; most of that code runs without change onthose systems, when compiled for the instruction set for those systems.

• Initial Program Load (IPL)The program that resides in the Master Boot Code part of the MasterBoot Record.

• Linux Loader (LILO)Lilo (LInux LOader) is a generic boot loader for Linux. It was one of themost popular bootloaders until Grub was released.

• Logical Block Addressing (LBA)Logical block addressing (Lba) is a common scheme used for specifyingthe location of blocks of data stored on computer storage devices, generallysecondary storage systems such as hard disks. The term Lba can meaneither the address or the block to which it refers. Logical blocks in moderncomputer systems are typically 512 or 1024 bytes each. ISO 9660 CDs (andimages of them) use 2048-byte blocks.

49

The Lba scheme replaces earlier schemes which exposed the physical de-tails of the storage device to the software of the operating system. Chiefamong these was the cylinder-head-sector (Chs) scheme, where blockswere addressed by means of a tuple which defined the cylinder, head, andsector at which they appeared on the hard disk. Chs didn’t map well todevices other than hard disks (such as tapes and networked storage), andwas generally not used for them.

• Master Boot CodeThe first 440 bytes of the Master Boot Record, it contains a small programthat is used to chainload a bootmanager. Also known as ‘Initial ProgramLoad’

• Master Boot Record (MBR)The first 512 bytes of the boot sector of a harddisk. It contains codeto bootstrap operatings systems (the ‘Master Boot Code’) as well as thepartition table of the disk, used to indicate the active partition from whichto boot the operating system.

• NT File System (NTFS)Ntfs is the standard file system of Windows Nt, including its later

versions Windows 2000, Windows Xp, Windows Server 2003, WindowsServer 2008, and Windows Vista.

• NT Loader (NTLDR)Ntldr (abbreviation of Nt Loader) is the boot loader for all releases ofMicrosoft’s Windows NT operating system up to and including WindowsXP and Windows Server 2003.

Ntldr is typically run from the primary hard disk drive, but it can alsorun from portable storage devices such as a CD-ROM, USB flash drive, orfloppy disk. Ntldr can also load a non NT-based operating system giventhe appropriate boot sector in a file.

For Xp, the Mbr looks for and loads ntldr. Ntldr then read fromboot.ini. If it finds two or more entries in boot.ini, then it will present amenu option for the entries (unless you set to boot an item automatically).

• Power-On Self Test (POST)Power-on self-test (Post) is the common term for a computer, router orprinter’s pre-boot sequence. The same basic sequence is present on allcomputer architectures. It is the first step of the more general processcalled initial program load (Ipl), booting, or bootstrapping. The termPost has become popular in association with and as a result of the pro-liferation of the Pc. It can be used as a noun when referring to the codethat controls the pre-boot phase or when referring to the phase itself. Itcan also be used as a verb when referring to the code or the system as itprogresses through the pre-boot phase. Alternatively this may be called“Posting.”

• Random Access Memory (RAM)Ram is a form of computer data storage. Today it takes the form ofintegrated circuits that allow the stored data to be accessed in any order


(i.e., at random). The word random thus refers to the fact that any piece ofdata can be returned in a constant time, regardless of its physical locationand whether or not it is related to the previous piece of data.

The word Ram is mostly associated with volatile types of memory, wherethe information is lost after the power is switched off.

• Volume Boot Record (VBR)A Volume Boot Record (also known as a volume boot sector or a partitionboot sector, although the latter is not strictly correct) is a type of bootsector, stored in a disc volume on a hard disk, floppy disk, or similar datastorage device, that contains code for booting programs (usually, but notnecessarily, operating systems) stored in other parts of the volume. Onnon-partitioned storage devices, it is the first sector of the device. Onpartitioned devices, it is the first sector of an individual partition on thedevice, with the first sector of the entire device instead being a MasterBoot Record (Mbr). The code in volume boot records is invoked eitherdirectly by the machine’s firmware or indirectly by an Mbr or a bootmanager. Invoking a Vbr via a boot manager is known as chain loading.Some dual boot systems, such as Ntldr, take copies of the bootstrap codethat individual operating systems install into a single partition’s Vbr andstore them in disc files, loading the relevant Vbr content from file afterthe boot loader has asked the user which operating system to bootstrap.In certain file system formats, in addition to bootstrap code the Vbrcontains a Bios parameter block that specifies the location and layout ofthe principal on-disc data structures for the file system.

References

[1] Microsoft Technet, How Basic Disks and Volumes Workhttp://technet.microsoft.com/en-us/library/cc739412.aspx

[2] Microsoft Technet, Boot INI Options Referencehttp://technet.microsoft.com/en-gb/sysinternals/bb963892.aspx

[3] Microsoft Technet, Microsoft Advanced Windows Debugging and Trou-bleshooting - How windows starts uphttp://blogs.msdn.com/...art-1-of-4.aspxhttp://blogs.msdn.com...the-second.aspx

[4] Microsoft Technet, Troubleshooting the Startup Processhttp://technet.microsoft.com/en-us/library/bb457123.aspx

[5] Microsoft Technet, How Basic Disks and Volumes Workhttp://technet.microsoft.com/en-us/library/cc739412.aspx

[6] Microsoft Support, Windows Vista no longer starts after you install anearlier version of the Windows operating system in a dual-boot configura-tionhttp://support.microsoft.com/kb/919529

[7] Apple Developer Connection, Technical Note TN2166, Secrets of the GPThttp://developer.apple.com/technotes/tn2006/tn2166.html

[8] Boot Process and Startup Sequence Overviewhttp://ali.apple.com/ali_sites/adcchd/Exhibits/Assets/unit_additional/ADD_1_SG_BootOverview.pdf

[9] GNU GRUB, The GRUB Homepagehttp://www.gnu.org/software/grub/

[10] Manpages, The LILO manpagehttp://www.netadmintools.com/html/5lilo.conf.man.html

[11] Intel, Extensible Firmware Interface (EFI)http://www.intel.com/technology/efi/

[12] Starman. An Examination of the Windows 2000 and Windows Xp Mbrhttp://mirror.href.com/thestarman/asm/mbr/Win2kmbr.htm

[13] Multibooters. Dual/Multi booting with Vistahttp://www.multibooters.co.uk/

51


http://technet.microsoft.com/en-gb/sysinternals/bb963892.aspx

http://blogs.msdn.com/ntdebugging/archive/2007/06/19/how-windows-starts-up-part-1-of-4.aspx

http://blogs.msdn.com/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx

http://technet.microsoft.com/en-us/library/bb457123.aspx


http://support.microsoft.com/kb/919529

http://developer.apple.com/technotes/tn2006/tn2166.html

http://ali.apple.com/ali_sites/adcchd/Exhibits/Assets/unit_additional/ADD_1_SG_BootOverview.pdf

http://ali.apple.com/ali_sites/adcchd/Exhibits/Assets/unit_additional/ADD_1_SG_BootOverview.pdf

http://www.gnu.org/software/grub/

http://www.netadmintools.com/html/5lilo.conf.man.html

http://www.intel.com/technology/efi/

http://mirror.href.com/thestarman/asm/mbr/Win2kmbr.htm

http://www.multibooters.co.uk/


[14] Jonathan de Boyne Pollard. Frequently Given Answers written by JdeBP- Operating System bootstrapshttp://homepages.tesco.net./J.deBoynePollard/FGA/

[15] Wikipedia, The Free EncyclopediaBIOS - BootCamp - Booting - Boot sector - Chain loading - CHS - Diskpartitioning - EFI - EFI partition - GRUB - GPT - Linux startup - MBR- Multi boot - NTLDR - Open Firmware - POST - Volume Boot Record -Windows NT startup - Windows Vista startup

http://homepages.tesco.net./J.deBoynePollard/FGA/

http://en.wikipedia.org/wiki/BIOS

http://en.wikipedia.org/wiki/Boot_Camp_(software)

http://en.wikipedia.org/wiki/Booting

http://en.wikipedia.org/wiki/Boot_sector

http://en.wikipedia.org/wiki/Chain_loading

http://en.wikipedia.org/wiki/Cylinder-head-sector

http://en.wikipedia.org/wiki/Disk_partitioning

http://en.wikipedia.org/wiki/Disk_partitioning

http://en.wikipedia.org/wiki/Extensible_Firmware_Interface

http://en.wikipedia.org/wiki/EFI_System_Partition

http://en.wikipedia.org/wiki/GNU_GRUB

http://en.wikipedia.org/wiki/GUID_Partition_Table

http://en.wikipedia.org/wiki/Linux_startup_process

http://en.wikipedia.org/wiki/Master_Boot_Record

http://en.wikipedia.org/wiki/Multi_boot

http://en.wikipedia.org/wiki/NTLDR

http://en.wikipedia.org/wiki/Open_Firmware

http://en.wikipedia.org/wiki/Power-on_self_test

http://en.wikipedia.org/wiki/Volume_Boot_Record

http://en.wikipedia.org/wiki/Windows_NT_Startup_Process

http://en.wikipedia.org/wiki/Windows_Vista_startup_process

Index

bootmgr, 45bootsect.dos, 45

80386, 13

Basic Input/Output System, 9, 45BCD, see Boot Configuration DataBIOS, see Basic Input/Output SystemBoot Configuration Data, 30, 45Booting, 45Bootloader, 7, 45BootRom, 16Bootstrapping, 7, 46Bootx, 22

Chainloading, 11, 46CHS, see Cylinder-Head-Sector, see Cylinder-

Head-SectorCMOS, see Complementary Metal Ox-

ide SemiconductorComplementary Metal Oxide Semicon-

ductor, 15, 46Cylinder-Head-Sector, 12, 26, 38, 46

Direct Memory Access, 15, 46DMA, see Direct Memory Access

EBR, see Extended Boot RecordEEPROM, see Electrically Erasable Pro-

grammable Read-Only Mem-ory

EFI, see Extensible Firmware InterfaceElectrically Erasable Programmable Read-

Only Memory, 47EPBR, see Extended Partition Boot

RecordEXT2, 47Extended Boot Record, 10, 47Extended Partition Boot Record, 10Extensible Firmware Interface, 11, 47

FAT, see File Allocation Table

File Allocation Table, 47Firmware, 9, 47

Globally Unique Identifier, 11, 48GPT, see GUID Partition TableGRUB, 48Grub4Dos, 22GUID, see Globally Unique IdentifierGUID Partition Table, 11, 47

HAL, see Hardware Abstraction LayerHardware Abstraction Layer, 20, 48HFS, see Hierarchical File SystemHierarchical File System, 42

Initial Program Load, 9, 48IPL, see Initial Program LoadItanium, 13

LBA, see Logical-Block-Addresing, seeLogical Block Addressing

Legacy MBR, 12LILO, 48Logical Block Addresing, 9Logical Block Addressing, 12, 48

Master Boot Code, 9, 49Master Boot Record, 9, 49MBR, see Master Boot Record

NT File System, 49NT Loader, 49NTFS, see NT File SystemNTLD, see NT Loader

OpenFirmware, 22Operating System, 7OS, see Operating System

PBR, see Primary Boot RecordPOST, see Power-On Self TestPower-On Self Test, 15, 49

53

54 INDEX

Primary Boot Record, 11Protective MBR, 12

RAM, see Random Access MemoryRandom Access Memory, 49ROM extension, 16

VBR, see Volume Boot Record, see Vol-ume Boot Record

Volume Boot Record, 11, 16, 50

x86, 13

Documents

Boot Loaders