The boot sector is the first 512 bytes on a hard disk (446 bytes for bootloader code, 64 bytes for partition table, and the last two bytes in the sector are a signature word for the sector and are always hex 55 AA). The partition table contains the entries for the primary and extended partitions and each entry is 16 bytes long, giving a maximum of 4 entries available.
The following table describes each entry in the Partition Table. The sample values correspond to the information for partition 1.(taken from http://www.ntfs.com/partition-table.htm)
Partition Table Fields
Byte Offset | Field Length | Sample Value | Meaning |
|---|---|---|---|
00 | BYTE | 0x80 | Boot Indicator. Indicates whether the partition is the system partition. Legal values are: |
01 | BYTE | 0x01 | |
02 | 6 bits | 0x01 | Starting Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Starting Cylinder field. |
03 | 10 bits | 0x00 | Starting Cylinder. This field contains the lower 8 bits of the cylinder value. Starting cylinder is thus a 10-bit number, with a maximum value of 1023. |
04 | BYTE | 0x06 | System ID. This byte defines the volume type. In Windows NT, it also indicates that a partition is part of a volume that requires the use of the HKEY_LOCAL_MACHINE\SYSTEM\DISK Registry subkey. |
05 | BYTE | 0x0F | |
06 | 6 bits | 0x3F | Ending Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Ending Cylinder field. |
07 | 10 bits | 0x196 | Ending Cylinder. This field contains the lower 8 bits of the cylinder value. Ending cylinder is thus a 10-bit number, with a maximum value of 1023. |
08 | DWORD | 3F 00 00 00 | |
12 | DWORD | 51 42 06 00 |
First we identify the partition table.
# xxd -l 64 -s +446 /dev/sdb // jumps to the offset at byte position 446 and displays the next 64 bytes which will be the partition table
Now according to the partition table field the first byte( of the 16 byte per entry) represents the boot indicator field. When the BIOS passes control to the boot sector, the code withing the fist 446 bytes looks at the partition table and identifies the boot/system partition (Legal values are hex value 80 or 00: 00 = Do not use for booting, 80 = System partition). We are gonna change this system partiton flag to 00. This will see the partition as unbootable.
So the MBR is 446 bytes in length(offset 0-445). The next 64 bytes represents the partition table consisting of a possible 4 entries (16 bytes x 4). The first byte of each entry indicates whether its the system partition or not. If their was only one partiton then the bytes 446 - 462 would contain values, whilst the rest of the entries would be all zero's.
To change the first partition entry system id field, we want to put the value of hexadecimal 00 at offset 446 bytes. First we create a simple text file with only the value of 00 in it. Then we use the 'xxd' program to convert this simple text file into a binay file containing only the hex value of 00.
# echo "00" | xxd -ps -r > byte.bin
Now to get that byte written into offset 446 you use the 'dd' program.
# dd if=byte.bin of=/dev/sdb seek=446 bs=1 count=1// reads and writes 1byte , 1 time, from byte.bin file at offest 446 into the block device /dev/sdb
To do this all in one command, we can make use of pipes:
# echo "00" | xxd -ps -r | dd of=/dev/sdb seek=446 bs=1 count=1
References/Good reading:
http://www.ntfs.com/partition-table.htm
http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/
No comments:
Post a Comment