Menu
I have grub v1.98 installed and after disassembling the MBR I find the following code snippet that I don't understand:
xor ax,ax
mov [si+0x4],ax
inc ax
mov [si-0x1],al
mov [si+0x2],ax
mov word [si],0x10
mov ebx,[0x7c5c]
mov [si+0x8],ebx
mov ebx,[0x7c60]
mov [si+0xc],ebx
mov word [si+0x6],0x7000
mov ah,0x42
int 0x13
It seems this piece of code tries to set up disk address of stage 1.5 code, then load and run it. However, how could I figure out which physical block it tries to read? What's more, what is the destination of the stage 1.5 code? 0x7000?
I refer to MBR for Windows 7, where subsequent boot up code is loaded 0x7c00. Given MBR is first loaded at address 0x7c00, it contains a piece of code copying MBR from 0x7c00 to 0x0600 and then branch to 0x0600 in case the original code corrupted. Will loading stage 1.5 code to address 0x7000 conflict the original code? What's more, I also find:
jmp short 0x65
nop
sar byte [si+0x7c00],1
mov es,ax
mov ds,ax
mov si,0x7c00
mov di,0x600
mov cx,0x200
cld
rep movsb
push ax
push word 0x61c
retf
at the beginning of the MBR. It seems the code tries to do the same thing as in MBR of windows 7 to copy the original MBR from 0x7c00 to 0x0600, except for the first jmp instruction. Will these codes in fact executed? If yes, when will control jumps here.(I believe the answer is YES, but am confused by the leading jmp).
613
Stage 1 is the piece of GRUB that resides in the MBR or the boot sector of another partition or drive. Since the main portion of GRUB is too large to fit into the 512 bytes of a boot sector, Stage 1 is used to transfer control to the next stage, either Stage 1.5 or Stage 2.
Grub is the default boot manager on Linux. This program runs early in the boot process, before the linux kernel starts.
The GRUB 2 files will normally be located in the /boot/grub and /etc/grub. d folders and the /etc/default/grub file in the partition containing the Ubuntu installation. If another Ubuntu/Linux distribution controlled the boot process, it will be replaced by the GRUB 2 settings in the new installation.
The secondary boot loader reads the operating system or kernel as well as the contents of /boot/sysroot/ into memory. Once GRUB determines which operating system or kernel to start, it loads it into memory and transfers control of the machine to that operating system.
GRUB 1.98 is GRUB version 2. In version 2, there is no stage 1.5 anymore. The stage 1.5 had a fixed place between MBR and first partition. It was (most often) unused space on the hard drive. GPT partitioning and other (unusual) layouts do not provide this space.
In GRUB v2 stage 1 loads core.img, which can be stored at any LBA48 location, typically between MBR and first partition, but it can also be stored within a partition. In the non-EFI case of GPT, a custom partition should be created for it. The location is hardwired into stage 1.
See also: http://www.gnu.org/software/grub/manual/grub.html#Images
142
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
