
How can I find the MBR sector in a VMDK file?

I'm trying to understand how the vmware bios finds the MBR before it loads it.

In physical hard disks it's easy - the MBR sits at the first sector.
But... what happens in VMs?

I created 2 VMs - in the first vmdk (with a Linux-based system installed on it) I found the MBR at offset 0x2A0000.
In the second vmdk file (with Windows XP installed on it), I found the MBR more than once - but all of the offsets I found couldn't be divided by 512 (sector size), which is kinda weird (as far as I know, the MBR should start at the beginning of a sector + sector size is 512 bytes in vmdk's => the starting offset of the MBR MUST divide by 512. Correct me if I'm wrong).
So they were probably copies for backup, I guess. Needless to say that at offset 0x2A0000 in the XP .vmdk there was nothing interesting.

So... how does VMware's BIOS find the MBR? Where is this configurable parameter located \ how is it being calculated?

Additional info:
- Both VMDKs are 1-file-hard-disk files (and can grow until 40GB).
The systems they serve use them & only them (XP uses xp.vmdk and linux uses linux.vmdk, without additional VMDK's).

- On the Windows VM I used WinHex on \\.\PhysicalDrive0 to get the MBR. It looked OK (signature, etc.).
- On the Linux VM I used the command "dd if=/dev/sda of=mbr.bin bs=512 count=1", then viewed the hex bytes to get the MBR. I looked at it and it looked fine (GRUB, signature at end, etc.).
After getting the MBRs from the VMs, I searched in each corresponding .vmdk file for the MBR on the host PC (with a hex editor), and the offsets were as I mentioned above.

Any help would be appreciated. Thanks!

Avraham Shalev asked Jan 06 '15 17:01


1 Answer

Saw people viewing this question and still no comment or answer, so I did a little research myself.
Got the following conclusions (which eventually answer my question):

1. When creating a XXX GB virtual hard disk with VMware (.VMDK file) it can be one of two types: flat or sparse (they can also be split into more than one .VMDK file, but I didn't cover those in my research).
- flat = all hard disk space (XXX GB) is allocated once at creation time.
.VMDK file size on disk is XXX GB.

- sparse = hard disk file is expandable (up to XXX GB).
.VMDK file size is small at the beginning and grows when needed.

As I stated in my question in the additional info, both .VMDK's were sparse.

2. As mentioned in the question, the MBR sits at the beginning of the first sector of the physical hard disk, and I wondered where it sits in the .VMDK file and how VMware calculates it.
It turns out that in a flat .VMDK file, it's also located at the beginning of the first sector!
That's pretty straightforward when looking at them... but mine weren't flat. So, what happens in sparse .vmdk's? Where does the MBR sit?

3. A sparse .vmdk file has a different structure (for the detailed structure, you can read VMware's Virtual Disk Format Spec with focus on Page 6 - struct SparseExtentHeader).
Couldn't find there the logic of how the MBR \ first sector is calculated, but as far as I saw (explained in 5 how I got to it) it goes like this:

At .VMDK offset 0x38 - 0x3F (8 bytes long) sits gdOffset. It stores the offset(****) of the metadata.
The first 4 bytes of the metadata are the next offset(****) to jump to.
There, the next 4 bytes are the offset(****) of the MBR.
(****) means offset in sectors, e.g. 1 means offset 512, 2 means 1024, etc.

To summarize it all, it looks like this:
Let's say 'data stored at offsets 0x38-0x3F (8 bytes long)' as [(0x38):8].

Then,
MBR Offset = 512 X [(512 X [(512 X [(0x38):8]):4]):4]

4. I created 2 new VMs (Windows XP and Linux) with sparse .VMDK's and this method of MBR calculation also proved itself for them both (as you can see in the attached images at 7).

5. How did I get to this formula?
Using Sysinternals' Process Monitor while filtering:
- Process contains vmware
- Operation is CreateFile \ ReadFile
- Path contains <.vmdk file path>

I got every single .vmdk read (and its offset).
I looked where it reads the offset of the MBR (in the Linux system I knew the offset was 0x2A0000), and what it had already read before. Jumped to offsets that looked like they were going to help me figure out what's happening there... and they certainly did :)

6. What I didn't explain is why the MBR in the XP system in my original question was at a weird offset (that can't be divided by 512).
Well, to be honest, I have no full reason, but I forgot to mention that before the MBR checks I deleted the original MBR from this system and powered on the VM. It asked me if I want to start Windows normally, and only then it appeared at the strange offset (copied it there for backup or something). The strange thing here is that I couldn't find this MBR at the normal offset. I had some progress but no firm answer.
If someone knows, feel free to comment (:

7. Attached images:
Windows XP MBR finding explanation Linux MBR finding explanation

Avraham Shalev answered Nov 03 '22 02:11
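
The lookup from step 3 of the answer, written out as an added example (not part of the original post and not VMware's code). It goes beyond the MBR case to any guest sector by also using the `grainSize` and `numGTEsPerGT` fields of the `SparseExtentHeader` in the spec the answer cites; the sample image, the function names and the table sectors 21 and 22 are constructed for illustration.

```python
import struct

SECTOR = 512
MAGIC = b"KDMV"                    # sparse extent magic as it appears on disk
GD_AT_END = 0xFFFFFFFFFFFFFFFF     # gdOffset marker of stream-optimized extents
FLAG_COMPRESSED = 1 << 16          # header flag: grains are compressed

def guest_sector_offset(img, sector=0):
    """Byte offset in a sparse extent holding guest `sector`, or None if unallocated."""
    if img[:4] != MAGIC:
        raise ValueError("not a hosted sparse extent (no KDMV magic)")
    flags, = struct.unpack_from("<I", img, 0x08)
    grain_size, = struct.unpack_from("<Q", img, 0x14)    # sectors per grain
    gtes_per_gt, = struct.unpack_from("<I", img, 0x2C)   # entries per grain table
    gd_offset, = struct.unpack_from("<Q", img, 0x38)     # grain directory, in sectors
    if gd_offset == GD_AT_END or flags & FLAG_COMPRESSED:
        raise ValueError("compressed/stream-optimized extent: grains are not raw sectors")
    grain = sector // grain_size
    # Grain directory entry -> sector of the grain table covering this grain
    gde, = struct.unpack_from("<I", img, gd_offset * SECTOR + 4 * (grain // gtes_per_gt))
    if gde == 0:
        return None
    # Grain table entry -> sector where the grain's data starts
    gte, = struct.unpack_from("<I", img, gde * SECTOR + 4 * (grain % gtes_per_gt))
    if gte in (0, 1):              # treated here as "no data stored in the file"
        return None
    return (gte + sector % grain_size) * SECTOR

def build_sample():
    """Constructed extent: GD at sector 21, GT at sector 22, grain 0 at sector 0x1500."""
    img = bytearray((0x1500 + 128) * SECTOR)
    struct.pack_into("<4sII", img, 0, MAGIC, 1, 3)       # magic, version, flags
    struct.pack_into("<Q", img, 0x14, 128)               # grainSize
    struct.pack_into("<I", img, 0x2C, 512)               # numGTEsPerGT
    struct.pack_into("<Q", img, 0x38, 21)                # gdOffset
    struct.pack_into("<I", img, 21 * SECTOR, 22)         # GD[0] -> grain table
    struct.pack_into("<I", img, 22 * SECTOR, 0x1500)     # GT[0] -> grain 0
    struct.pack_into("<H", img, 0x1500 * SECTOR + 510, 0xAA55)  # MBR signature 55 AA
    return bytes(img)

if __name__ == "__main__":
    off = guest_sector_offset(build_sample(), 0)
    print(hex(off))
```

For guest sector 0 this reduces to the formula in the answer, and a result of `None` is why a hex search of a sparse file can miss sectors the guest has never written.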