Boot sector
{{About|the generic concept of boot sectors|the MBR in PCs|Master Boot Record|the VBR in PCs|Volume Boot Record}}
{{short description|Sector of a persistent data storage device}}
[[File:GNU GRUB components.svg|thumb|This example shows various components of [[GNU GRUB]] distributed over sectors of a hard disk. When GRUB is installed on a hard disk, boot.img is written into the boot sector of that hard disk. boot.img has a size of only 446 bytes.]]
A '''boot sector''' is the [[disk sector|sector]] of a persistent [[data storage device]] (e.g., [[hard disk]], [[floppy disk]], [[optical disc]], etc.) which contains [[machine code]] to be loaded into [[random-access memory]] (RAM) and then executed by a [[computer system]]'s built-in [[firmware]] (e.g., the [[BIOS]]).

Usually, the first sector of the hard disk is the boot sector, regardless of sector size (512 or 4096 bytes) and partitioning flavor ([[Master boot record|MBR]] or [[GUID Partition Table|GPT]]).

The purpose of defining one particular sector as the ''boot sector'' is inter-operability between firmware and various operating systems.

The purpose of chain-loading, first firmware (e.g., the BIOS), then code in the boot sector, and then, for example, an operating system, is maximal flexibility.

== The IBM PC and compatible computers ==
On an [[IBM PC compatible]] machine, the [[BIOS]] selects a boot device, then copies the first sector from the device (which may be a [[master boot record|MBR]], [[Volume Boot Record|VBR]] or any executable code), into [[physical memory]] at [[memory address]] 0x7C00. On other systems, the process may be quite different.
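
Before most BIOSes pass control to the sector copied to 0x7C00, they test it for the 0x55 0xAA signature or, on floppies, the weaker PC/AT test, both described under Partition tables. The following is an added example, not part of the original article: it models those two checks on a 512-byte sector and compares the sector against a known-good SHA-256 hash to flag the kind of overwrite discussed under Boot-sector viruses. The function names, the sample sectors and the reading of "first nine words" as "not all identical" are assumptions of this example.

```python
import hashlib

SECTOR_SIZE = 512
SIG_OFFSET = 0x1FE            # offsets 0x1FE and 0x1FF hold 0x55 0xAA
SIGNATURE = b"\x55\xaa"


def has_signature(sector: bytes) -> bool:
    """True if the sector carries the boot sector signature 0x55 0xAA."""
    return sector[SIG_OFFSET:SIG_OFFSET + 2] == SIGNATURE


def floppy_heuristic(sector: bytes) -> bool:
    """PC/AT-style floppy test: first byte >= 06h and the first nine
    16-bit words are not all the same value (assumed interpretation)."""
    words = {sector[i:i + 2] for i in range(0, 18, 2)}
    return sector[0] >= 0x06 and len(words) > 1


def bios_accepts(sector: bytes, floppy: bool = False) -> bool:
    """Model of the validity check applied before the sector is executed."""
    if len(sector) < SECTOR_SIZE:
        return False
    return floppy_heuristic(sector) if floppy else has_signature(sector)


def audit(sector: bytes, baseline_sha256: str) -> list[str]:
    """Compare a boot sector with a known-good hash and list findings."""
    findings = []
    if not bios_accepts(sector):
        findings.append("missing 0x55 0xAA signature")
    if hashlib.sha256(sector[:SECTOR_SIZE]).hexdigest() != baseline_sha256:
        findings.append("boot sector differs from baseline")
    return findings


# Constructed sample sectors (not taken from any real disk).
good = bytes([0xEB, 0xFE]) + bytes(508) + SIGNATURE   # dummy loader: jump to self
blank = bytes(SECTOR_SIZE)                            # zero-filled sector
tampered = bytes([0xEB, 0x3C]) + good[2:]             # one code byte changed
baseline = hashlib.sha256(good).hexdigest()

if __name__ == "__main__":
    for name, s in [("good", good), ("blank", blank), ("tampered", tampered)]:
        print(name, bios_accepts(s), bios_accepts(s, floppy=True), audit(s, baseline))
```

The tampered sector still passes the signature check, which is why the signature alone says nothing about whether the boot code is the code that was installed.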
== Unified Extensible Firmware Interface (UEFI) ==
[[UEFI]] (as opposed to '''legacy boot''' via CSM) does not rely on boot sectors; a UEFI system loads the boot loader (an '''EFI application''' file on a [[USB disk]] or in the [[EFI system partition]]) directly.<ref>{{Cite web|title=UEFI - OSDev Wiki|url=https://wiki.osdev.org/UEFI|access-date=2020-09-26|website=wiki.osdev.org}}</ref> Additionally, the UEFI specification also contains "secure boot", which basically requires the UEFI code to be [[digitally signed]].

== Damage to the boot sector ==
In case a boot sector receives physical damage, the hard disk will no longer be bootable, unless used with a custom BIOS that defines a non-damaged sector as the boot sector. However, since the very first sector additionally contains data regarding the partitioning of the hard disk, the hard disk will become entirely unusable except when used in conjunction with custom software.

== Partition tables ==
A disk can be partitioned into multiple partitions and, on conventional systems, it is expected to be. There are two definitions of how to store the information regarding the partitioning:
* A [[master boot record]] (MBR) is the first sector of a data storage device that has been [[partition (computing)|partitioned]]. The MBR sector may contain code to locate the active partition and invoke its volume boot record.
* A [[volume boot record]] (VBR) is the first sector of a data storage device that has ''not'' been partitioned, or the first sector of an individual partition on a data storage device that has been partitioned. It may contain code to load an operating system (or other standalone program) installed on that device or within that partition.

The presence of an IBM PC compatible boot loader for x86-CPUs in the boot sector is by convention indicated by a two-byte hexadecimal sequence <kbd>0x55 0xAA</kbd> (called the boot sector signature) at the end of the boot sector (offsets <kbd>0x1FE</kbd> and <kbd>0x1FF</kbd>).
This signature indicates the presence of at least a dummy boot loader which is safe to be executed, even if it may not actually be able to load an operating system. It does not indicate a particular (or even the presence of) [[file system]] or operating system, although some old versions of DOS 3 relied on it in their process to detect [[File Allocation Table|FAT]]-formatted media (newer versions do not). Boot code for other platforms or CPUs should not use this signature, since this may lead to a crash when the BIOS passes execution to the boot sector assuming that it contains valid executable code. Nevertheless, some media for other platforms erroneously contain the signature, rendering this check not 100% reliable in practice.

The signature is checked for by most system BIOSes since (at least) the [[IBM Personal Computer/AT|IBM PC/AT]] (but not by the original IBM PC and some other machines). Moreover, it is also checked by most MBR boot loaders before passing control to the boot sector. Some BIOSes (like the IBM PC/AT) perform the check only for fixed disk/removable drives, while for floppies and superfloppies, it is enough to start with a byte greater than or equal to <kbd>06h</kbd> and for the first nine words not to contain the same value, before the boot sector is accepted as valid, thereby avoiding the explicit test for <kbd>0x55</kbd>, <kbd>0xAA</kbd> on floppies. Since old boot sectors (e.g., very old CP/M-86 and DOS media) sometimes do not feature this signature despite the fact that they can be booted successfully, the check can be disabled in some environments.

If the BIOS or MBR code does not detect a valid boot sector and therefore cannot pass execution to the boot sector code, it will try the next boot device in line. If they all fail it will typically display an error message and invoke INT 18h.
This will either start up optional resident software in ROM ([[ROM BASIC]]), reboot the system via INT 19h after user confirmation or cause the system to halt the [[bootstrapping (computing)|bootstrapping]] process until the next power-up.

Systems not following the above described design are:
* CD-ROMs usually have their own structure of boot sectors; for [[IBM PC compatible]] systems this is subject to [[El Torito (CD-ROM standard)|El Torito specifications]].
* [[Commodore 128|C128]] or [[Commodore 64|C64]] software on [[Commodore DOS]] disks where data on Track 1, Sector 0 began with a [[magic number (programming)|magic number]] corresponding to string "CBM".<ref>{{cite book|title=Commodore 128 Programmer's Reference Guide|url=https://archive.org/details/C128_Programmers_Reference_Guide_1986_Bamtam_Books_a|year=1986|publisher=Bantam Books|isbn=0-553-34292-4|pages=[https://archive.org/details/C128_Programmers_Reference_Guide_1986_Bamtam_Books_a/page/n453 446]–667}}</ref>
* IBM mainframe computers place a small amount of boot code in the first and second track of the first cylinder of the disk, and the root directory, called the [[Volume Table of Contents]], is also located at the fixed location of the third track of the first cylinder of the disk.
* Other (non IBM-compatible) PC systems may have different boot sector formats on their disk devices.

== Operation ==
{{details|Booting}}
On [[IBM PC compatible]] machines, the [[BIOS]] is ignorant of the distinction between VBRs and MBRs, and of partitioning. The firmware simply loads and runs the first sector of the storage device.<ref>{{cite web |author=Smith |first=Roderick W. |date=2010-04-14 |title=Migrate to GRUB 2 |url=http://www.ibm.com/developerworks/linux/library/l-grub2/index.html?ca=dgr-lnxw97Grub2dth=LX |access-date=2013-03-05 |publisher=Ibm.com}}</ref> If the device is a floppy or [[USB flash drive]], that will be a VBR. If the device is a hard disk, that will be an MBR.
It is the code in the MBR which generally understands disk partitioning, and in turn, is responsible for loading and running the VBR of whichever primary partition is set to boot (the ''active'' partition). The VBR then loads a second-stage bootloader from another location on the disk.

Furthermore, whatever is stored in the first sector of a floppy diskette, USB device, hard disk or any other ''bootable'' storage device, is not required to immediately load any bootstrap code for an OS, if ever. The BIOS merely passes control to whatever exists there, as long as the sector meets the very simple qualification of having the boot record signature of 0x55, 0xAA in its last two bytes. This is why it is easy to replace the usual bootstrap code found in an MBR with more complex loaders, even large multi-functional [[Booting|boot managers]] (programs stored elsewhere on the device which can run without an operating system), allowing users a number of choices in what occurs next. With this kind of freedom, abuse often occurs in the form of boot sector viruses.

== Boot-sector viruses ==
Since code in the boot sector is executed automatically, boot sectors have historically been a common attack vector for [[computer virus]]es.

To combat this behavior, the [[system BIOS]] often includes an option to prevent software from writing to the first sector of any attached hard drives; it could thereby protect the [[master boot record]] containing the [[partition table]] from being overwritten accidentally, but not the [[volume boot record]]s in the bootable partitions.<ref>{{cite web|title=Intel Desktop Boards BIOS Settings Dictionary|publisher=[[Intel]]|url=http://download.intel.com/support/motherboards/desktop/sb/biosglossarybymenu_v13.pdf|access-date=2013-09-01}}</ref> Depending on the BIOS, attempts to write to the protected sector may be blocked with or without user interaction. Most BIOSes, however, will display a popup message giving the user a chance to override the setting.
The BIOS option is disabled by default because the message may not be displayed correctly in graphics mode and blocking access to the MBR may cause problems with operating system setup programs or disk access, encryption or partitioning tools like [[FDISK]], which may not have been written to be aware of that possibility, causing them to abort ungracefully and possibly leaving the disk partitioning in an inconsistent state.<ref group="nb" name="NB_FDISK_DRDOS"/>

As an example, the malware [[Petya (malware)|NotPetya]] attempts to gain administrative privileges on an operating system, and then attempts to overwrite the boot sector of a computer.<ref>{{Cite web|url=https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html|title=New Ransomware Variant "Nyetya" Compromises Systems Worldwide|website=blog.talosintelligence.com|date=27 June 2017 |access-date=2018-05-28}}</ref><ref>{{Cite news|url=https://www.ciodive.com/news/in-an-era-of-global-malware-attacks-what-happens-if-theres-no-kill-switch/447157/|title=In an era of global malware attacks, what happens if there's no kill switch?|work=CIO Dive|access-date=2018-05-28|language=en-US}}</ref> The [[Central Intelligence Agency|CIA]] has also developed malware that attempts to modify the boot sector in order to load additional drivers to be used by other malware.<ref>{{Cite news|url=http://www.securitynewspaper.com/2017/09/01/cia-developed-windows-malware-alters-boot-sector-load-malware/|title=CIA Developed Windows Malware That Alters Boot Sector to Load More Malware|date=2017-09-01|work=Information Security Newspaper|access-date=2018-05-28|language=en-US}}</ref> Another piece of malware that overwrites the boot sector is [[MEMZ]].

== See also ==
* [[Master boot record]] (MBR)
* [[Volume boot record]] (VBR)

== Notes ==
<references group="nb"><ref group="nb" name="NB_FDISK_DRDOS">One FDISK utility written to be aware of BIOS boot sector protection features is DR-DOS' FDISK R2.31 (and higher), which will detect this scenario and display additional interactive messages to guide the user through it. In contrast to other [[FDISK]] utilities, DR-DOS FDISK is not only a partitioning tool, but can also format freshly created partitions as [[#FAT12|FAT12]], [[#FAT16|FAT16]] or [[#FAT32|FAT32]]. This reduces the risk of accidentally formatting the wrong volumes.</ref></references><references group="nb"/>

== References ==
{{reflist}}

== External links ==
* {{cite web|url=http://antivirus.about.com/cs/tutorials/a/bsvirus_2.htm|title=Boot sector viruses|author=Mary Landesman|access-date=2006-08-18|archive-date=2011-07-07|archive-url=https://web.archive.org/web/20110707074807/http://antivirus.about.com/cs/tutorials/a/bsvirus_2.htm|url-status=dead}}
* {{cite web|url=http://support.microsoft.com/kb/122221|title=How to Protect Boot Sector from Viruses in Windows|author=Microsoft|work=KnowledgeBase}}
* {{cite web|url=http://faculty.lasierra.edu/~dlin/computer/virus.htm|title=Inexpensive boot sector virus detection and prevention techniques|author=Denny Lin|date=15 June 1994|access-date=13 August 2015}}
* {{cite encyclopedia|url=http://www.viruslist.com/en/virusesdescribed?chapter=152540474#boot|encyclopedia=Virus Encyclopedia / Malware Descriptions / Classic Viruses|title=Boot sector viruses|author=Kaspersky Lab|access-date=2006-06-05|archive-url=https://web.archive.org/web/20070822213331/http://www.viruslist.com/en/virusesdescribed?chapter=152540474#boot|archive-date=2007-08-22|url-status=dead}}
* {{cite web|url=http://www.trendmicro.com/en/security/general/glossary/overview.htm#Boot%20Sector%20Viruses|work=Boot Viruses|title=Glossary of Virus Terms|author=Arman Catacutan|access-date=2006-11-07|archive-url=https://web.archive.org/web/20061211052339/http://www.trendmicro.com/en/security/general/glossary/overview.htm#Boot%20Sector%20Viruses|archive-date=2006-12-11|url-status=dead}}
* {{cite web|url=http://gok.customer.netspace.net.au/resources/|title=Sample to build a boot program on x86 real mode|author=Greg O'Keefe}}
* {{cite web|url=https://susam.net/blog/writing-boot-sector-code.html|title=Writing boot sector code using GNU Assembler|author=Susam Pal}}
* {{cite web|url=http://www.neko-consulting.com/blogs/2|archive-url=https://archive.today/20130129185617/http://www.neko-consulting.com/blogs/2|url-status=usurped|archive-date=2013-01-29|title=Bootsector assembly code with detailed explanation|author=Pierre Ancelot}}

[[Category:Computer file systems]]
[[Category:BIOS]]
[[Category:Booting]]