Linux

MBR

MBR stands for Master Boot Record. It occupies the first 512 bytes (the first sector) of the storage device that holds the operating system.

 

 

 

Overall Structure of MBR

It contains the operating system bootloader and the storage device's partition table.

Location (in Bytes)   Length (in Bytes)   Description
001-440               440                 MBR boot code that is launched by the BIOS
441-446               6                   MBR disk signature
447-510               64                  Partition table (of primary and extended partitions):
                                          4 partition entries, each taking up 16 bytes
511-512               2                   MBR boot signature 0xAA55

 

 

 

How to backup MBR?

You can back up the MBR into a binary file and then restore it when needed, or analyze it in detail. The basic command format to back up the MBR is as follows. To run this command, you need "root" permission.

 

# dd if=/dev/sdX of=path/file bs=512 count=1

 

For example, to back up the MBR on my Linux PC, I tried the following

 

# dd if=/dev/sda of=/tmp/sda-mbr.bin bs=512 count=1

 

When this runs successfully, you would see a printout as follows.

 

1+0 records in

1+0 records out

512 bytes (512 B) copied, 0.000133197 s, 3.8 MB/s

 

Then you can check if it is properly backed up as follows.

 

# ls /tmp

 

sda-mbr.bin

 

 

 

How to view the contents of MBR

Once you have backed up the MBR into a file as in the previous section, you can view its contents using a command as shown below.

 

# xxd /tmp/sda-mbr.bin

 

0000000: eb63 9000 0000 0000 0000 0000 0000 0000  .c..............

0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................

0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................

0000030: 0000 0000 0000 0000 0000 0000 0000 0302  ................

0000040: ff00 0020 0100 0000 0002 fa90 90f6 c280  ... ............

0000050: 7502 b280 ea59 7c00 0031 0080 0100 0000  u....Y|..1......

0000060: 0000 0000 fffa 9090 f6c2 8074 05f6 c270  ...........t...p

0000070: 7402 b280 ea79 7c00 0031 c08e d88e d0bc  t....y|..1......

0000080: 0020 fba0 647c 3cff 7402 88c2 52bb 1704  . ..d|<.t...R...

0000090: 8027 0374 06be 887d e817 01be 057c b441  .'.t...}.....|.A

00000a0: bbaa 55cd 135a 5272 3d81 fb55 aa75 3783  ..U..ZRr=..U.u7.

00000b0: e101 7432 31c0 8944 0440 8844 ff89 4402  ..t21..D.@.D..D.

00000c0: c704 1000 668b 1e5c 7c66 895c 0866 8b1e  ....f..\|f.\.f..

00000d0: 607c 6689 5c0c c744 0600 70b4 42cd 1372  `|f.\..D..p.B..r

00000e0: 05bb 0070 eb76 b408 cd13 730d f6c2 800f  ...p.v....s.....

00000f0: 84d0 00be 937d e982 0066 0fb6 c688 64ff  .....}...f....d.

0000100: 4066 8944 040f b6d1 c1e2 0288 e888 f440  @f.D...........@

0000110: 8944 080f b6c2 c0e8 0266 8904 66a1 607c  .D.......f..f.`|

0000120: 6609 c075 4e66 a15c 7c66 31d2 66f7 3488  f..uNf.\|f1.f.4.

0000130: d131 d266 f774 043b 4408 7d37 fec1 88c5  .1.f.t.;D.}7....

0000140: 30c0 c1e8 0208 c188 d05a 88c6 bb00 708e  0........Z....p.

0000150: c331 dbb8 0102 cd13 721e 8cc3 601e b900  .1......r...`...

0000160: 018e db31 f6bf 0080 8ec6 fcf3 a51f 61ff  ...1..........a.

0000170: 265a 7cbe 8e7d eb03 be9d 7de8 3400 bea2  &Z|..}....}.4...

0000180: 7de8 2e00 cd18 ebfe 4752 5542 2000 4765  }.......GRUB .Ge

0000190: 6f6d 0048 6172 6420 4469 736b 0052 6561  om.Hard Disk.Rea

00001a0: 6400 2045 7272 6f72 0d0a 00bb 0100 b40e  d. Error........

00001b0: cd10 ac3c 0075 f4c3 365e a5c9 0000 8000  ...<.u..6^......

00001c0: 0101 83fe ffff c13e 0000 004c a112 00fe  .......>...L....

00001d0: ffff 0cfe ffff c18a a112 4d82 2114 00fe  ..........M.!...

00001e0: ffff 05fe ffff fe0f c326 0248 7513 0000  .........&.Hu...

00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

 

 

The first 3 bytes : This is one of the most important parts of the whole MBR, and its only role is to jump to another part of the MBR. In this example, it is as follows.

    eb 63 90

'eb' is the opcode of a short 'jmp' in x86 assembly, and 63 is the displacement in hex, counted from the end of that 2-byte instruction. Therefore, eb 63 jumps 0x63 bytes (i.e. 99 bytes in decimal) forward and lands at offset 0x65 (0x02 + 0x63), which is exactly where the disassembly below continues with 'cli'.

'90' is 'nop', which does nothing.

The violet part : The part highlighted in violet (offsets 0x03 through 0x64) is the region skipped over by the 'eb 63' instruction. This region may be used for other purposes, such as the BPB (BIOS Parameter Block).

4752 5542 : ASCII string for 'GRUB'

 

 

 

< MBR Boot Code >

 

The data stored in this location is a small program that the BIOS loads and executes to start the boot process. When it has run to completion, it transfers control to the boot program stored on the boot (active) partition, which then loads the operating system. What kind of program is it? If you want to know the details, you can disassemble the code as in the following example. Note that the options used here drive objdump in 32/64-bit mode, which is why the listing contains '(bad)' entries and 64-bit registers such as rcx; the MBR is 16-bit real-mode code, so -Maddr16,data16 (in place of x86-64 and -Maddr32,data32) yields the correct decode of the boot code.

 

# objdump -D -Mintel,x86-64 -b binary -m i386 -Maddr32,data32 sda-mbr.bin

 

sda-mbr.bin:     file format binary

 

Disassembly of section .data:

 

00000000 <.data>:

   0:   eb 63                   jmp    0x65

   2:   90                      nop

        ...

  3b:   00 00                   add    BYTE PTR [eax],al

  3d:   00 03                   add    BYTE PTR [ebx],al

  3f:   02 ff                   add    bh,bh

  41:   00 00                   add    BYTE PTR [eax],al

  43:   20 01                   and    BYTE PTR [ecx],al

  45:   00 00                   add    BYTE PTR [eax],al

  47:   00 00                   add    BYTE PTR [eax],al

  49:   02 fa                   add    bh,dl

  4b:   90                      nop

  4c:   90                      nop

  4d:   f6 c2 80                test   dl,0x80

  50:   75 02                   jne    0x54

  52:   b2 80                   mov    dl,0x80

  54:   ea                      (bad)

  55:   59                      pop    rcx

  56:   7c 00                   jl     0x58

  58:   00 31                   add    BYTE PTR [ecx],dh

  5a:   00 80 01 00 00 00       add    BYTE PTR [eax+0x1],al

  60:   00 00                   add    BYTE PTR [eax],al

  62:   00 00                   add    BYTE PTR [eax],al

  64:   ff                      (bad)

  65:   fa                      cli

  66:   90                      nop

  67:   90                      nop

  68:   f6 c2 80                test   dl,0x80

  6b:   74 05                   je     0x72

  6d:   f6 c2 70                test   dl,0x70

  70:   74 02                   je     0x74

  72:   b2 80                   mov    dl,0x80

  74:   ea                      (bad)

  75:   79 7c                   jns    0xf3

  77:   00 00                   add    BYTE PTR [eax],al

  79:   31 c0                   xor    eax,eax

  7b:   8e d8                   mov    ds,eax

  7d:   8e d0                   mov    ss,eax

  7f:   bc 00 20 fb a0          mov    esp,0xa0fb2000

  84:   64                      fs

  85:   7c 3c                   jl     0xc3

  87:   ff 74 02 88             push   QWORD PTR [edx+eax*1-0x78]

  8b:   c2 52 bb                ret    0xbb52

  8e:   17                      (bad)

  8f:   04 80                   add    al,0x80

  91:   27                      (bad)

  92:   03 74 06 be             add    esi,DWORD PTR [esi+eax*1-0x42]

  96:   88 7d e8                mov    BYTE PTR [ebp-0x18],bh

  99:   17                      (bad)

  9a:   01 be 05 7c b4 41       add    DWORD PTR [esi+0x41b47c05],edi

  a0:   bb aa 55 cd 13          mov    ebx,0x13cd55aa

  a5:   5a                      pop    rdx

  a6:   52                      push   rdx

  a7:   72 3d                   jb     0xe6

  a9:   81 fb 55 aa 75 37       cmp    ebx,0x3775aa55

  af:   83 e1 01                and    ecx,0x1

  b2:   74 32                   je     0xe6

  b4:   31 c0                   xor    eax,eax

  b6:   89 44 04 40             mov    DWORD PTR [esp+eax*1+0x40],eax

  ba:   88 44 ff 89             mov    BYTE PTR [edi+edi*8-0x77],al

  be:   44 02 c7                add    r8b,dil

  c1:   04 10                   add    al,0x10

  c3:   00 66 8b                add    BYTE PTR [esi-0x75],ah

  c6:   1e                      (bad)

  c7:   5c                      pop    rsp

  c8:   7c 66                   jl     0x130

  ca:   89 5c 08 66             mov    DWORD PTR [eax+ecx*1+0x66],ebx

  ce:   8b 1e                   mov    ebx,DWORD PTR [esi]

  d0:   60                      (bad)

  d1:   7c 66                   jl     0x139

  d3:   89 5c 0c c7             mov    DWORD PTR [esp+ecx*1-0x39],ebx

  d7:   44 06                   rex.R (bad)

  d9:   00 70 b4                add    BYTE PTR [eax-0x4c],dh

  dc:   42 cd 13                rex.X int 0x13

  df:   72 05                   jb     0xe6

  e1:   bb 00 70 eb 76          mov    ebx,0x76eb7000

  e6:   b4 08                   mov    ah,0x8

  e8:   cd 13                   int    0x13

  ea:   73 0d                   jae    0xf9

  ec:   f6 c2 80                test   dl,0x80

  ef:   0f 84 d0 00 be 93       je     0x93be01c5

  f5:   7d e9                   jge    0xe0

  f7:   82                      (bad)

  f8:   00 66 0f                add    BYTE PTR [esi+0xf],ah

  fb:   b6 c6                   mov    dh,0xc6

  fd:   88 64 ff 40             mov    BYTE PTR [edi+edi*8+0x40],ah

 101:   66 89 44 04 0f          mov    WORD PTR [esp+eax*1+0xf],ax

 106:   b6 d1                   mov    dh,0xd1

 108:   c1 e2 02                shl    edx,0x2

 10b:   88 e8                   mov    al,ch

 10d:   88 f4                   mov    ah,dh

 10f:   40 89 44 08 0f          rex mov DWORD PTR [eax+ecx*1+0xf],eax

 114:   b6 c2                   mov    dh,0xc2

 116:   c0 e8 02                shr    al,0x2

 119:   66 89 04 66             mov    WORD PTR [esi+eiz*2],ax

 11d:   a1 60 7c 66 09 c0 75    movabs eax,ds:0x664e75c009667c60

 124:   4e 66

 126:   a1 5c 7c 66 31 d2 66    movabs eax,ds:0x34f766d231667c5c

 12d:   f7 34

 12f:   88 d1                   mov    cl,dl

 131:   31 d2                   xor    edx,edx

 133:   66 f7 74 04 3b          div    WORD PTR [esp+eax*1+0x3b]

 138:   44 08 7d 37             or     BYTE PTR [ebp+0x37],r15b

 13c:   fe c1                   inc    cl

 13e:   88 c5                   mov    ch,al

 140:   30 c0                   xor    al,al

 142:   c1 e8 02                shr    eax,0x2

 145:   08 c1                   or     cl,al

 147:   88 d0                   mov    al,dl

 149:   5a                      pop    rdx

 14a:   88 c6                   mov    dh,al

 14c:   bb 00 70 8e c3          mov    ebx,0xc38e7000

 151:   31 db                   xor    ebx,ebx

 153:   b8 01 02 cd 13          mov    eax,0x13cd0201

 158:   72 1e                   jb     0x178

 15a:   8c c3                   mov    ebx,es

 15c:   60                      (bad)

 15d:   1e                      (bad)

 15e:   b9 00 01 8e db          mov    ecx,0xdb8e0100

 163:   31 f6                   xor    esi,esi

 165:   bf 00 80 8e c6          mov    edi,0xc68e8000

 16a:   fc                      cld

 16b:   f3 a5                   rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi]

 16d:   1f                      (bad)

 16e:   61                      (bad)

 16f:   ff 26                   jmp    QWORD PTR [esi]

 171:   5a                      pop    rdx

 172:   7c be                   jl     0x132

 174:   8e 7d eb                mov    ?,WORD PTR [ebp-0x15]

 177:   03 be 9d 7d e8 34       add    edi,DWORD PTR [esi+0x34e87d9d]

 17d:   00 be a2 7d e8 2e       add    BYTE PTR [esi+0x2ee87da2],bh

 183:   00 cd                   add    ch,cl

 185:   18 eb                   sbb    bl,ch

 187:   fe 47 52                inc    BYTE PTR [edi+0x52]

 18a:   55                      push   rbp

 18b:   42 20 00                rex.X and BYTE PTR [eax],al

 18e:   47                      rex.RXB

 18f:   65 6f                   outs   dx,DWORD PTR gs:[esi]

 191:   6d                      ins    DWORD PTR es:[edi],dx

 192:   00 48 61                add    BYTE PTR [eax+0x61],cl

 195:   72 64                   jb     0x1fb

 197:   20 44 69 73             and    BYTE PTR [ecx+ebp*2+0x73],al

 19b:   6b 00 52                imul   eax,DWORD PTR [eax],0x52

 19e:   65                      gs

 19f:   61                      (bad)

 1a0:   64 00 20                add    BYTE PTR fs:[eax],ah

 1a3:   45 72 72                rex.RB jb 0x218

 1a6:   6f                      outs   dx,DWORD PTR ds:[esi]

 1a7:   72 0d                   jb     0x1b6

 1a9:   0a 00                   or     al,BYTE PTR [eax]

 1ab:   bb 01 00 b4 0e          mov    ebx,0xeb40001

 1b0:   cd 10                   int    0x10

 1b2:   ac                      lods   al,BYTE PTR ds:[esi]

 1b3:   3c 00                   cmp    al,0x0

 1b5:   75 f4                   jne    0x1ab

 1b7:   c3                      ret

 

 

 

< Partition Table >

Partition 1 : 8000 0101 83fe ffff c13e 0000 004c a112

Partition 2 : 00fe ffff 0cfe ffff c18a a112 4d82 2114

Partition 3 : 00fe ffff 05fe ffff fe0f c326 0248 7513

Partition 4 : 0000 0000 0000 0000 0000 0000 0000 0000

Let's decode the partition table, starting with the first entry.

 

Partition 1 : 8000 0101 83fe ffff c13e 0000 004c a112

 

Byte 0 : indicates whether the partition is bootable (active) or non-bootable.

    80 - Bootable partition

    00 - Non-bootable partition

Byte 1-3 : the CHS (Cylinder-Head-Sector) address of the first absolute sector in the partition. The three bytes are stored in the order head, sector, cylinder: byte 1 is the head, byte 2 holds the sector number in its low 6 bits and the two high bits of the cylinder in its top 2 bits, and byte 3 holds the low 8 bits of the cylinder. In this example the bytes are 00 01 01, which decode as follows

    Head : 00 (head 0)

    Sector : 01 (sector 1)

    Cylinder : 01 (cylinder 1)

This agrees with the "starthead 0" that the file command reports for partition 1 further below.

Byte 4 : indicates the partition type. In this example it is 83, the type ID of a Linux native partition (reported as "ID=0x83" by file below).

Byte 5-7 : the CHS address of the last absolute sector in the partition, stored in the same head, sector, cylinder order. In this example the bytes are fe ff ff, which decode as follows

    Head : fe (head 254)

    Sector : ff, low 6 bits 3f (sector 63)

    Cylinder : ff plus the two high bits from the sector byte, 3ff (cylinder 1023)

These are the largest values the 24-bit CHS field can hold, the conventional marker for a partition that reaches beyond the range CHS can address; the LBA fields below are the authoritative values.

Byte 8-11 : the Logical Block Address (LBA) of the first absolute sector in the partition, stored little-endian. In this example,

    c13e0000 : 16065 (= 0x3EC1)

Byte 12-15 : the number of sectors in the partition, also little-endian. In this example,

    004ca112 : 312560640 (= 0x12a14c00) sectors
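The manual decode above, together with the 'eb 63' jump computation from the earlier section, carried out in code as an added example that is not part of the original page: parse_mbr reads a 512-byte image and returns the jmp target, the disk signature and the non-empty partition entries; decode_chs and overlapping are helper names chosen here, and SAMPLE_MBR is a constructed image that reuses only the partition table, disk signature and trailer bytes from the xxd dump above.

```python
import struct

# Constructed sample (not a real disk image): the 64-byte partition table,
# disk signature and 55 AA trailer are the bytes from the xxd dump above; the
# boot code is just the leading "eb 63 90" jmp padded with zeros.
_PARTITION_TABLE = bytes.fromhex(
    "80000101" "83feffff" "c13e0000" "004ca112"   # partition 1
    "00feffff" "0cfeffff" "c18aa112" "4d822114"   # partition 2
    "00feffff" "05feffff" "fe0fc326" "02487513"   # partition 3
    "00000000" "00000000" "00000000" "00000000"   # partition 4 (unused)
)
SAMPLE_MBR = (bytes.fromhex("eb6390") + bytes(437)      # 440 bytes of boot code
              + bytes.fromhex("365ea5c9") + bytes(2)    # disk signature + 2 reserved bytes
              + _PARTITION_TABLE + bytes.fromhex("55aa"))

def decode_chs(chs):
    """A CHS field is stored as head, sector, cylinder: the middle byte holds
    the sector number in bits 0-5 and cylinder bits 8-9 in bits 6-7."""
    head, sec_cyl, cyl_low = chs
    return {"cylinder": ((sec_cyl & 0xC0) << 2) | cyl_low,
            "head": head, "sector": sec_cyl & 0x3F}

def parse_mbr(image):
    if len(image) != 512:
        raise ValueError("an MBR image is exactly 512 bytes")
    if image[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0xAA55 missing")
    # A short jmp (eb xx) is relative to the end of its own 2-byte encoding.
    jmp_target = 2 + image[1] if image[0] == 0xEB else None
    disk_signature = struct.unpack_from("<I", image, 440)[0]
    partitions = []
    for i in range(4):
        boot, chs_s, ptype, chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", image, 446 + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty slot
        partitions.append({"index": i + 1, "bootable": boot == 0x80,
                           "type": ptype, "chs_start": decode_chs(chs_s),
                           "chs_end": decode_chs(chs_e),
                           "lba_start": lba, "sectors": count})
    return {"jmp_target": jmp_target, "disk_signature": disk_signature,
            "partitions": partitions}

def overlapping(partitions):
    """Sanity check: no two non-empty entries may claim the same sectors."""
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))
```

parse_mbr(SAMPLE_MBR) yields the same values the manual decode and the file command report, and overlapping() is the extra consistency check worth running on any table you did not write yourself.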

 

I always recommend trying this kind of manual decoding at least once to understand the details, but you would not want to do it again :). Once you understand the details and just want a quick decode, you can decode the MBR backup file using the following command

 

 

# file sda-mbr.bin

 

sda-mbr.bin:

x86 boot sector;

GRand Unified Bootloader, stage1 version 0x3, stage2 address 0x2000, stage2 segment 0x200;

partition 1: ID=0x83, active, starthead 0, startsector 16065, 312560640 sectors;

partition 2: ID=0xc, starthead 254, startsector 312576705, 337740365 sectors;

partition 3: ID=0x5, starthead 254, startsector 650317822, 326453250 sectors,

code offset 0x63

 

 

 
