
MBR’s

April 15, 2009

I am currently developing boot loader code.

A boot loader is code placed in the first 512 bytes of sector 0 of a disk. When the BIOS finishes all of its work, it reads those first 512 bytes from sector 0 and loads them into memory at 0000:7C00 or 07C0:0000. Both of these segment:offset addresses map to the same physical memory location, 0x07C00.

Jumping to this location can be done in two ways:

jmp 0000:7C00

jmp 07C0:0000

Hence your boot loader code must be assembled to run at memory location 0x07C00, and that is done via:

[org 0x07C00]

and that’s the power of assembly :)

I will give a skeleton view of how a boot loader / master boot record looks:

; ———————————————————————————————————
[bits 16]
[org 0x07C00]

start:
    mov ax, 0x0000
    mov ds, ax          ; data segment 0, so [org 0x07C00] addresses resolve correctly

    mov si, msg
    call printstring

load:
    ; load sectors with BIOS int 13h, service 02h
    mov ax, 0x1000
    mov es, ax
    xor bx, bx          ; es:bx = 0x1000:0000, the destination buffer
    mov ah, 0x02        ; service: read sectors
    mov al, 0x03        ; number of sectors to read
    mov ch, 0x00        ; cylinder number
    mov cl, 0x02        ; sector number (1-based; sector 1 is this boot sector)
    mov dh, 0x00        ; head number
    mov dl, 0x00        ; drive number (0 = first floppy)
    int 0x13
    jc reset            ; carry flag set means the read failed
    jmp 0x1000:0000     ; jump to memory location 0x10000
                        ; assuming stage2 or kernel was loaded at 0x10000

reset:
    mov ah, 0x00        ; service: reset disk system
    mov dl, 0x00
    int 0x13
    jmp load            ; retry the read (loops until it succeeds)

printstring:            ; prints the zero-terminated string at ds:si
.loop:
    lodsb               ; al = [ds:si], si++
    or al, al
    jz .done
    mov ah, 0x0E        ; BIOS teletype output
    int 0x10
    jmp .loop
.done:
    ret

msg db 'Loading...', 13, 10, 0

times 510 - ($ - $$) db 0   ; pad the code to 510 bytes
dw 0xAA55                   ; boot signature in the last two bytes
; ———————————————————————————————————

What is AA55?

But how does the BIOS know whether the first 512 bytes of a disk are boot loader code or not? Not all disks have boot loaders. Imagine the old DOS days: you would use one floppy to load MS-DOS and other disks to store programs like dBASE, WordStar, etc., so those disks need not contain boot sector code. Also remember the messages “INVALID BOOT DISKETTE” and “DISK BOOT FAILURE”. So how does the BIOS recognize it?

Actually the boot loader code is only 510 bytes. The remaining 2 bytes are used to identify whether it is a boot loader or not. They are called the Boot Magic or Boot Signature, and the value is AA55. Since the 16-bit word 0xAA55 is stored little-endian, the two bytes appear in the file as 55 AA. If you open the first 512 bytes of a boot sector in a hex editor, you will notice 55 AA as the last two bytes.

For example, see the hex view of FreeBSD’s boot code below:

[image: hex view of FreeBSD’s boot code]

See the last two bytes, which are “55 aa” (the word 0xAA55 in little-endian order). The offset 00000200 following them is hexadecimal for 512, the size of the sector in decimal!
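To make the 510 + 2 layout and the little-endian signature concrete, here is an added Python example (not part of the original post) that builds a sector image the way the TIMES/DW lines do and checks an image for the signature; the two-byte sample code (jmp $) and the function names are my own.

```python
import struct

SECTOR_SIZE = 512
CODE_SIZE = 510            # room left for code: TIMES 510 - ($ - $$) db 0
BOOT_SIGNATURE = 0xAA55    # the word written by DW 0xAA55

# Constructed sample boot code: EB FE is "jmp $", the looping instruction
# from the skeleton above.
SAMPLE_CODE = b"\xeb\xfe"


def build_boot_sector(code: bytes) -> bytes:
    """Pad boot code to 510 bytes and append the signature, as the assembler does.

    Code longer than 510 bytes is rejected: that is the case where
    TIMES 510 - ($ - $$) would get a negative count and NASM refuses to assemble.
    """
    if len(code) > CODE_SIZE:
        raise ValueError(f"boot code is {len(code)} bytes, exceeds {CODE_SIZE}")
    padded = code + b"\x00" * (CODE_SIZE - len(code))
    # '<H' packs a little-endian 16-bit word, so 0xAA55 lands in the file as 55 AA
    return padded + struct.pack("<H", BOOT_SIGNATURE)


def check_boot_sector(sector: bytes) -> list:
    """Return a list of problems found in a captured sector image (empty = bootable)."""
    problems = []
    if len(sector) != SECTOR_SIZE:
        problems.append(f"size is {len(sector)} bytes, expected {SECTOR_SIZE}")
        return problems
    (sig,) = struct.unpack("<H", sector[CODE_SIZE:SECTOR_SIZE])
    if sig != BOOT_SIGNATURE:
        problems.append(f"boot signature is {sig:#06x}, expected {BOOT_SIGNATURE:#06x}")
    return problems


def signature_bytes_hex(sector: bytes) -> str:
    """The last two bytes as they appear in a hex editor, e.g. '55 aa'."""
    return " ".join(f"{b:02x}" for b in sector[-2:])


if __name__ == "__main__":
    image = build_boot_sector(SAMPLE_CODE)
    print(len(image), "bytes; last two bytes:", signature_bytes_hex(image))
    print("problems:", check_boot_sector(image))
    print("problems (signature missing):", check_boot_sector(SAMPLE_CODE + b"\x00" * 510))
```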

The code I have written above will load a kernel or a stage2 loader from a floppy.

Now you get how a boot sector virus can work :)
