bug-grub

Re: GRUB and ntldr


From: Molle Bestefich
Subject: Re: GRUB and ntldr
Date: Sat, 12 Nov 2005 08:56:29 +0000

Thomas Schweikle wrote:
> AFAIK the MBR loads the first active primary partition boot
> block (another 512 bytes).

Yes.

> This loads parts of ntldr.

I suspect the 1st block, but I'm not sure.

> Then jumps to a place within ntldr
> (ntldr is not started at position 0x0 in the file).

Seems odd, but might be true.  Why do you think so?

Should be easy to find out the address.  'dd' the first 512 bytes from
hda1 (whatever) into a file, name that file 'xxx.com' and load it into
IDA Pro.  Look at the code, I'm sure that there's a CALL or something
similar at the end that jumps to the NTLDR code.

(IDA Pro is available as freeware and trial versions, it runs under Wine.)


> It would be nice enough if one could tell us exactly how MBR,
> partition boot sector and ntldr interact and work, then what is
> required to make ntldr find "boot.ini".

I'll go ahead and suggest how you can find out.

First:
$ dd if=/dev/zero of=blank_disk.img bs=1M count=100
$ losetup /dev/loop0 blank_disk.img

Then,
1. Boot bochs with the above image as a hard drive image and the
Windows 2000/XP CD-ROM to boot from.
2. Create a blank NTFS partition with the setup program.
3. Reboot.
4. Start the Recovery Console
5. Expand NTDETECT.COM, NTLDR, WINDOWS\system32\ntoskrnl.exe and
WINDOWS\system32\hal.dll onto C:, or copy them from another partition
which you attach to bochs.
6. Make sure there's a boot.ini, either by copying it from somewhere
or by using the Recovery Console's boot.ini generator (type HELP for
info on that).
7. Type FIXBOOT (or FIXBOOT C:).
8. Type FIXMBR (or FIXMBR \\Device\HardDrive0\Partition0).
9. Type EXIT

Then boot bochs in debugging mode.  You can use GFE as a graphical
frontend for the bochs debugger.  You should be able to follow the
boot process in action.  You'll probably be specifically interested in
looking for 'int 13' calls.  Look for the value in the AH register as
int 13 is about to be called - that value denotes the function which
it's calling.  Most likely one of 'get geometry', 'load chs sector',
'load lba sector' or something similar.  Can't remember them all, but
you can look them up in Ralf Brown's interrupt guide.
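
A static counterpart to the two suggestions in the message above (dumping the first 512 bytes with 'dd', and watching AH at each 'int 13'), added here as an example and not part of the original post. The function names, the subset of AH values in the table and the constructed sample sector are assumptions; the scan is a byte-pattern heuristic, not a disassembler.

```python
import struct

# A few INT 13h functions, keyed by the value in AH (subset, for illustration).
INT13_FUNCS = {
    0x00: "reset disk system",
    0x02: "read sectors (CHS)",
    0x08: "get drive parameters",
    0x41: "check extensions present",
    0x42: "extended read (LBA)",
    0x48: "get extended drive parameters",
}

def entry_offset(sector: bytes) -> int:
    """Decode the jump at offset 0 and return the offset it lands on."""
    if sector[0] == 0xEB:                       # JMP short rel8
        return 2 + struct.unpack_from("<b", sector, 1)[0]
    if sector[0] == 0xE9:                       # JMP near rel16
        return 3 + struct.unpack_from("<h", sector, 1)[0]
    raise ValueError("sector does not start with a JMP")

def find_int13(sector: bytes, window: int = 8):
    """Return (offset, AH or None, description) for each 'CD 13' byte pair.

    AH is taken from the nearest 'B4 imm8' (MOV AH, imm8) found within
    `window` bytes before the INT; None means no such MOV was seen there.
    """
    hits, pos = [], sector.find(b"\xcd\x13")
    while pos != -1:
        mov = sector.rfind(b"\xb4", max(0, pos - window), pos - 1)
        ah = sector[mov + 1] if mov != -1 else None
        hits.append((pos, ah, INT13_FUNCS.get(ah, "unknown / AH set elsewhere")))
        pos = sector.find(b"\xcd\x13", pos + 2)
    return hits

def build_sample() -> bytes:
    """Constructed 512-byte sector: NTFS-style header plus two INT 13h calls."""
    code = bytes.fromhex("b441bbaa55cd13" "b442cd13")   # AH=41h, then AH=42h
    body = b"\xeb\x52\x90" + b"NTFS    " + bytes(0x54 - 11) + code
    return body + bytes(510 - len(body)) + b"\x55\xaa"

if __name__ == "__main__":
    sector = build_sample()   # or: open("xxx.com", "rb").read(512)
    if sector[510:512] != b"\x55\xaa":
        raise SystemExit("missing 55 AA boot signature")
    print(f"jump at offset 0 lands on 0x{entry_offset(sector):02x}")
    for off, ah, name in find_int13(sector):
        ah_text = "?" if ah is None else f"{ah:02x}h"
        print(f"0x{off:03x}: int 13h  AH={ah_text}  {name}")
```

A hit with AH reported as unknown means the register was loaded some other way (for example as part of AX), which is where stepping through in the bochs debugger takes over.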



