Hack 2. Kill and Resurrect the Master Boot Record 
How to (carefully) back up and restore the Master Boot Record (MBR).
The MBR is a 512-byte segment at the very beginning (the first sector)
of a hard drive. This segment contains two major parts: the boot code
in the first 446 bytes and the partition table (plus a 2-byte
signature) in the remaining 66 bytes. When you run lilo, grub-install,
or fdisk /mbr in DOS, it writes to these first 446 bytes. When you run
cfdisk or some other disk-partition program, it writes to the
remaining 66 bytes.
Writing directly to your MBR can be dangerous. One typo or mistake
can make your entire system unbootable or even erase your entire
partition table. Make sure you have a complete backup of your MBR, if
not your full hard drive, on other media (like a floppy or anything
other than the hard drive itself) before you try any potentially
destructive commands.
The MBR is crucial for booting your system and, in the case of your
partition table, crucial for accessing your data; however, many people
never back up their MBR. Use Knoppix to easily create backups of your
MBR, which you can later restore in case you ever accidentally
overwrite your partition table or boot code. It is important to
double-check each command you type, as typing 466 instead of 446 can
mean the difference between blanking the boot code and partially
destroying your partition table.
1.3.1. Save the MBR
First, before you attempt anything potentially destructive, back up
the current MBR. Boot into Knoppix, and type the following command
into a terminal:
knoppix@ttyp0[knoppix]$ sudo dd if=/dev/hda of=/home/knoppix/mbr_backup bs=512 count=1
Change /dev/hda to match the drive you
wish to back up. In your home directory, you should now see a
512-byte file called mbr_backup.
dd is used to create images of entire hard drives, and in this case, a
similar command is used; however, it contains two new options: bs and
count. The bs (block size) option tells dd to input and output 512
bytes at a time, and the count option tells dd to do this only once.
The result of the command is that the first 512 bytes of the drive
(the MBR) are copied into the file. If for some reason you only want
to back up the boot code (although it's wise to always back up the
partition table as well), replace 512 with 446. Now that you have
backed up the MBR, copy it to a safe location, such as another
computer or a CD-ROM.
The full 512-byte copy of the MBR contains the partition table, so it
gets out of sync whenever you change partitions on your drive. If you
back up the full MBR, be sure to update your backup whenever you make
partition changes.
1.3.2. Kill the MBR
Now you should know how to totally destroy the MBR. To do this, simply
use the same command you used to back up an MBR, but replace the input
file with /dev/zero and the output file with the drive, overwriting
each byte of the MBR with zero. If you only want to blank your boot
code, type:
knoppix@ttyp0[knoppix]$ sudo dd if=/dev/zero of=/dev/hda bs=446 count=1
To clear the complete MBR, including the partition table, type:
knoppix@ttyp0[knoppix]$ sudo dd if=/dev/zero of=/dev/hda bs=512 count=1
While blanking the partition table in effect prevents you from
accessing files on the drive, it isn't a replacement
for proper wiping of the complete drive, because the files are still
potentially retrievable from the drive. Even the partition table
itself is recoverable with the right tools.
1.3.3. Resurrect the MBR
If you deleted your boot code in the last section, you probably want
to restore it now. To do this, copy the backup you made earlier to
your home directory in Knoppix and run:
knoppix@ttyp0[knoppix]$ sudo dd if=/home/knoppix/mbr_backup of=/dev/hda bs=446 count=1
Because of the bs=446 element, this command
only restores the boot code in the MBR. I purposely left out the last
66 bytes of the file so the partition table would not be overwritten
(just in case you have repartitioned or changed any partition sizes
since your last MBR backup). If you have accidentally corrupted or
deleted your partition table, restore the full 512 bytes to the MBR
with:
knoppix@ttyp0[knoppix]$ sudo dd if=mbr_backup of=/dev/hda bs=512 count=1
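The save, kill and resurrect steps above can be rehearsed on a scratch
image file before touching a real drive. The script below is an added
example, not code from the original hack; the function names and the
fake image contents are assumptions made up for illustration. It also
checks the backup's size and 2-byte signature before restoring from it.

```shell
#!/bin/sh
# Added example: rehearse backup / blank / restore on a scratch image file,
# never a real drive. All function names are hypothetical.

# Copy the first 512-byte sector of $1 (disk or image) into file $2.
mbr_backup() { dd if="$1" of="$2" bs=512 count=1 2>/dev/null; }

# Succeed only if $1 is exactly 512 bytes and ends with the 55 AA signature.
mbr_verify() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 512 ] || return 1
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Print bytes 446-511 of $1 (partition table plus signature) as hex.
mbr_table_hex() {
    dd if="$1" bs=1 skip=446 count=66 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Zero only the 446 bytes of boot code. conv=notrunc keeps dd from
# truncating an image file; on a block device it makes no difference.
mbr_blank_bootcode() {
    dd if=/dev/zero of="$1" bs=446 count=1 conv=notrunc 2>/dev/null
}

# Restore only the boot code from backup $1 to $2; refuse a bad backup.
mbr_restore_bootcode() {
    mbr_verify "$1" || { echo "refusing: $1 is not a valid MBR backup" >&2; return 1; }
    dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null
}

# Build a constructed 1 MiB image with fake boot code, table and signature.
make_test_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'FAKEBOOTCODE' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf 'FAKETABLE' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null  # 0x55 0xAA
}

# Demo run on constructed data only.
img=$(mktemp); bak=$(mktemp)
make_test_image "$img" && mbr_backup "$img" "$bak" && mbr_verify "$bak" &&
    mbr_blank_bootcode "$img" && mbr_restore_bootcode "$bak" "$img" &&
    [ "$(mbr_table_hex "$img")" = "$(mbr_table_hex "$bak")" ] &&
    echo "boot code restored, partition table untouched"
rm -f "$img" "$bak"
```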
1.3.4. How Do I fdisk/mbr?
Knoppix also provides a useful tool called install-mbr that allows you
to manipulate the MBR in many ways. The most useful feature of this
tool is that it can install a "default" master boot record on a drive,
which is useful if you want to remove lilo or grub completely from the
MBR so Windows can boot by itself, or so you can install Windows to a
hard drive that previously used Linux. The results are the same as if
you were to type fdisk /mbr in DOS. To remove the traces of lilo or
grub from your MBR, run:
knoppix@ttyp0[knoppix]$ sudo install-mbr /dev/hda
Replace /dev/hda with your drive.
1.3.5. See Also
Kyle Rankin