The LILO (Linux Loader) MBR

An Assembly Listing
As seen in Memory during Execution
and some
Notes on How to Remove LILO from the MBR

NOTE: Although there's no need to pursue the disassembly of this code (since it's already an Open-Source program), I've listed the Assembly instructions from the first sector with some of my own comments. ( This MBR code is only the 'first stage' of the complete LILO program. )   You can find documented sources by LILO's original author, Werner Almesberger, on most Linux archive sites. [Try looking here first: sunsite.unc.edu/pub/Linux/system/boot/lilo/ for the archive, lilo-21.tar.gz (version 21). The code for the MBR is found in the file, first.S, whereas the much larger portion of the Assembly code for the Second Stage is found in the file, second.S. Note that the lastest version of LILO (v.22) has gone through some extensive changes; including the ability to display some graphics screens at boot up. The code for its MBR has been changed and is no longer referenced as first.S, but rather as mbr.S. The code and data shown below is for version 20 and should still be applicable to version 21, but not for version 22.]

A View of the LILO MBR
in a Disk Editor
(Note: Various versions of LILO are in existence;
this is only one of those versions.)

The executable code of the LILO MBR begins with a 'Clear Interrupts' (CLI) instruction ('FA'), then continues with a two-byte Jump Instruction ('EB 6C') pointing to the body of the code at offsets 06Fh through 170h. Although the code is that of a Master Boot Record, it contains a section of data at the beginning of the sector (similar to many OS Boot Records) making it necessary to JMP (Jump) over that section to the rest of the code. The LILO Name is embedded near the start of this data section to identify the sector as a LILO MBR (from offsets 006h through 009h). The 'lba' string is optional; it indicates that LILO should use its LBA sector code. The Hex Word at offset 00Ch-00Dh (0014h) shows this code is for version 20 (14 hex = 20 decimal) of LILO.

Absolute sector 0 (cylinder 0, head 0, sector 1)
       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000  FA EB 6C 6C 62 61 4C 49 4C 4F 01 00 14 00 5A 00  ..llbaLILO....Z.
0010  00 00 00 00 2D DB 75 3B 1D 87 80 1A 01 1E 87 80  ....-.u;........
0020  1A 01 1C 87 80 1A 01 01 00 00 00 00 00 00 00 20  ...............
0030  87 80 1A 01 2B 85 80 18 01 2C 85 80 18 01 2D 85  ....+....,....-.
0040  80 18 01 2E 85 80 18 01 2F 85 80 18 01 30 85 80  ......../....0..
0050  18 01 31 85 80 18 01 32 85 80 18 01 00 00 00 00  ..1....2........
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8  ................
0070  C0 07 8E D8 8C 06 6A 00 89 36 68 00 89 1E 6C 00  ......j..6h...l.
0080  88 16 6E 00 B8 00 8A 8E C0 B9 00 01 29 F6 29 FF  ..n.........).).
0090  FC F3 A5 EA 98 00 00 8A FA 8E D8 8E C0 BC 00 B0  ................
00A0  B8 00 80 8E D0 FB B0 0D E8 57 00 B0 0A E8 52 00  .........W....R.
00B0  B0 4C E8 4D 00 BE 34 00 BB 00 10 FC AD 89 C1 AD  .L.M..4.........
00C0  89 C2 09 C8 74 20 46 E8 43 00 72 06 81 C3 00 02  ....t F.C.r.....
00D0  EB EA 50 B0 20 E8 2A 00 58 88 E0 E8 12 00 31 C0  ..P. .*.X.....1.
00E0  88 C2 CD 13 EB CF B0 49 E8 17 00 EA 00 00 00 8B  .......I........
00F0  50 C0 E8 04 E8 01 00 58 24 0F 04 30 3C 3A 72 02  P......X$..0<r.
0100  04 07 30 FF B4 0E CD 10 C3 5A 59 5B C3 F6 C2 40  ..0......ZY[...@
0110  74 54 80 E2 BF 53 51 52 B4 08 CD 13 72 EB 88 F0  tT...SQR....r...
0120  5A 88 16 73 01 88 F2 30 F6 51 86 CD D0 C5 D0 C5  Z..s...0.Q......
0130  80 E5 03 89 0E 71 01 59 83 E1 3F F6 E1 01 C8 93  .....q.Y..?.....
0140  58 F7 F3 92 F6 F1 FE C4 88 26 74 01 92 88 D6 8A  X........&t.....
0150  16 73 01 3B 06 71 01 77 13 86 C4 D0 C8 D0 C8 0A  .s.;.q.w........
0160  06 74 01 89 C1 5B B8 01 02 CD 13 C3 5B 31 C0 F9  .t...[......[1..
0170  C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 01  ................
01C0  01 00 83 1F 7F C8 3F 00 00 00 A1 0E 0E 00 00 00  ......?.........
01D0  41 C9 05 1F BF 0A E0 0E 0E 00 C0 07 02 00 00 00  A...............
01E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.
       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

Although LILO is a Boot Manager, it follows the structure of all MBRs by placing the standard four-entry Partition Table in its agreed upon location (between offsets 01BEh and 01FDh; inclusive) which is followed by the standard Word-sized signature ID (or Magic number) of AA55h (remember hex Words for Intel x86 CPUs are stored in memory with the Lowest-byte first and the Highest-byte last to make processing quicker).




An Examination of the Assembly Code


0000:7C00 FA            CLI                ; Clear Interrupts
                                           ; 
0000:7C01 EB6C          JMP     7C6F       ; Code continues below after
                                           ;  the 'data table' examples.


      This portion of the LILO MBR is somewhat similar to the "BPB" of an
   MS-DOS or Windows OS Boot Record only because it provides further data
   about the Boot Record. But it also contains such things as the Input
   Timeout, Boot Delay and even a Timestamp.


0003:           6C 62 61 4C 49 4C 4F 01 00 14 00 5A 00  ..llbaLILO....Z.
0010:  00 00 00 00 2D dB 75 3B 1D 87 80 1A 01 1E 87 80  ....-.u;........
0020:  1A 01 1C 87 80 1A 01 01 00 00 00 00 00 00 00 20  ...............
0030:  87 80 1A 01 2B 85 80 18 01 2C 85 80 18 01 2D 85  ....+....,....-.
0040:  80 18 01 2E 85 80 18 01 2F 85 80 18 01 30 85 80  ......../....0..
0050:  18 01 31 85 80 18 01 32 85 80 18 01 00 00 00 00  ..1....2........
0060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ...............
        0  1  2  3  4  5  6  7  8  9  a  b  c  d  e

 Offset
(in hex)    Size     Description                               Example
========  =======  =======================================   ===========
 03-05    3 bytes    Optional ASCII string:  "lba"                -
                     (if found, LILO uses LBA sector mode)
 06-09    4 bytes    ASCII string: "LILO" (always present)        -

 0a-0b      WORD     FIRST STAGE                                0x0001
 0c-0d      WORD     VERSION        v.20 (14hex = 20 decimal)   0x0014
 0e-0f      WORD     Input Timeout                              0x005a
 10-11      WORD     Boot Delay                                 0x0000

   12       byte     COM Port (0 = unused, 1 = COM1, etc.)        00
   13       byte     Serial Port Parameters (0 = unused)          00

 14-17     DWORD     Timestamp                                0x3b75db2d

 18-19      WORD     First Descriptor Sector Address (CX)       0x871d
 1a-1b      WORD     First Descriptor Sector Address (DX)       0x1a80
   1c       byte     (d1_AL) Not Used                             01

 1d-1e      WORD     2nd Descriptor Sector Address (CX)         0x871e
 1f-20      WORD     2nd Descriptor Sector Address (DX)         0x1a80
   21       byte     (d2_AL) Not Used                             01

 22-23      WORD     Default Command-Line Sector Address (CX)   0x871c
 24-25      WORD     Default Command-Line Sector Address (DX)   0x1a80
   26       byte     (dc_AL) Not Used                             01

   27       byte     Flag to indicate if Prompt is always to      01
                     be Entered (also used as alignment byte)

 28-29      WORD     Length of Initial Greeting Message         0x0000
 2a-2b      WORD     Location of Message (CX)                   0x0000
 2c-2d      WORD     Location of Message (DX)                   0x0000
   2e       byte     (ms_AL) Not Used                             00

 2f-30      WORD     Keyboard Translation Table Location (CX)   0x8720
 31-32      WORD     Keyboard Translation Table Location (DX)   0x1a80
   33       byte     (kt_AL)                                      01

 34-5b (+?) ????     Second Stage Sector Addresses:
                                                         0x852b, 0x1880, 01
                                                         0x852c, 0x1880, 01
                                                         0x852d, 0x1880, 01
                                                         0x852e, 0x1880, 01
                                                         0x852f, 0x1880, 01
                                                         0x8530, 0x1880, 01
                                                         0x8531, 0x1880, 01
                                                         0x8532, 0x1880, 01

 5c         ????     ? ? ? ?

 6a - 6e    Used for copying possible external data parameters.
0000:7C6F B8C007        MOV     AX,07C0      ; Note: 07C0:0000 = 0000:7C00
0000:7C72 8ED8          MOV     DS,AX
0000:7C74 8C066A00      MOV     [006A],ES
0000:7C78 89366800      MOV     [0068],SI
0000:7C7C 891E6C00      MOV     [006C],BX
0000:7C80 88166E00      MOV     [006E],DL
0000:7C84 B8008A        MOV     AX,8A00        ; Segment of new location.
0000:7C87 8EC0          MOV     ES,AX
0000:7C89 B90001        MOV     CX,0100
0000:7C8C 29F6          SUB     SI,SI
0000:7C8E 29FF          SUB     DI,DI
0000:7C90 FC            CLD
0000:7C91 F3            REPZ                   ; All of the code and the
0000:7C92 A5            MOVSW                  ;   tables are moved to a
                                               ;  SEGMENT much higher up
                                               ;   in Memory...

0000:7C93 EA9800008A    JMP     8A00:0098      ; JUMP to new code area...
The following code begins at location: 8A00:0098
[Only the Offset Locations are shown in the code listings below.] 

:0098 FA            CLI                 ; Clear Interrupts
:0099 8ED8          MOV     DS,AX       ; Set DS and...
:009B 8EC0          MOV     ES,AX       ; ES from AX
:009D BC00B0        MOV     SP,B000     ; Set the Stack Pointer to...
:00A0 B80080        MOV     AX,8000     ; B000 and the Stack...
:00A3 8ED0          MOV     SS,AX       ; Segment to 8000.
:00A5 FB            STI                 ; Enable Interrupts again

:00A6 B00D          MOV     AL,0D
:00A8 E85700        CALL    0102        ; Display  CARRIAGE RETURN

:00AB B00A          MOV     AL,0A
:00AD E85200        CALL    0102        ; Display  LINE FEED

:00B0 B04C          MOV     AL,4C
:00B2 E84D00        CALL    0102        ; Display an ASCII 'L'
                                        ; This completes first stage
                                        ; of the LILO Loader!

:00B5 BE3400        MOV     SI,0034
:00B8 BB0010        MOV     BX,1000
:00BB FC            CLD


:00BC AD            LODSW
:00BD 89C1          MOV     CX,AX
:00BF AD            LODSW
:00C0 89C2          MOV     DX,AX

:00C2 09C8          OR      AX,CX       ; At End of File?
:00C4 7420          JZ      00E6        ; Yes, so --> Begin loading
                                        ;   the Second Stage Loader.

:00C6 46            INC     SI
:00C7 E84300        CALL    010D

:00CA 7206          JB     00D2         ; Error! --> Error routine

:00CC 81C30002      ADD     BX,0200     ; 200h = 512 bytes
:00D0 EBEA          JMP     00BC        ; Get next Sector


; ========================================================================


:00D2 50            PUSH    AX
:00D3 B020          MOV     AL,20       ;
:00D5 E82A00        CALL    0102        ; Display  SPACE
:00D8 58            POP     AX
:00D9 88E0          MOV     AL,AH       ; Display Error Code
:00DB E81200        CALL    00F0

:00DE 31C0          XOR     AX,AX       ; | RESET the
:00E0 88C2          MOV     DL,AL       ; | Floppy Disk
:00E2 CD13          INT     13          ; | Controller.

:00E4 EBCF          JMP     00B5

:00E6 B049          MOV     AL,49
:00E8 E81700        CALL    0102        ; Display an ASCII 'I'

:00EB EA0000008B    JMP     8B00:0000   ; --> Jump to Second Stage
                                        ;          of Boot Loader

The instruction above jumps to the next stage of the LILO Boot Loading Program at: 8B00:0000.

S U B R O U T I N E  s 
:00F0 50            PUSH    AX
:00F1 C0E804     *  SHR     AL,04       ; the only OpCode in the MBR
                                        ; that isn't just 8086 code.
:00F4 E80100        CALL    00F8

:00F7 58            POP     AX

:00F8 240F          AND     AL,0F
:00FA 0430          ADD     AL,30
:00FC 3C3A          CMP     AL,3A
:00FE 7202          JB      0102

:0100 0407          ADD     AL,07

:0102 30FF          XOR     BH,BH
:0104 B40E          MOV     AH,0E       ; Function 0Eh of INT 10
:0106 CD10          INT     10          ;  "Teletype Output" Display one
                                        ;  character on the screen. 
:0108 C3            RET

:0109 5A            POP     DX
:010A 59            POP     CX
:010B 5B            POP     BX
:010C C3            RET

:010D F6C240        TEST    DL,40
:0110 7454          JZ      0166
:0112 80E2BF        AND     DL,BF
:0115 53            PUSH    BX
:0116 51            PUSH    CX
:0117 52            PUSH    DX
:0118 B408          MOV     AH,08
:011A CD13          INT     13

:011C 72EB          JB      0109
:011E 88F0          MOV     AL,DH
:0120 5A            POP     DX
:0121 88167301      MOV     [0173],DL
:0125 88F2          MOV     DL,DH
:0127 30F6          XOR     DH,DH
:0129 51            PUSH    CX
:012A 86CD          XCHG    CL,CH
:012C D0C5          ROL     CH,1
:012E D0C5          ROL     CH,1
:0130 80E503        AND     CH,03
:0133 890E7101      MOV     [0171],CX
:0137 59            POP     CX
:0138 83E13F        AND     CX,+3F
:013B F6E1          MUL     CL
:013D 01C8          ADD     AX,CX
:013F 93            XCHG    BX,AX
:0140 58            POP     AX
:0141 F7F3          DIV     BX
:0143 92            XCHG    DX,AX
:0144 F6F1          DIV     CL
:0146 FEC4          INC     AH
:0148 88267401      MOV     [0174],AH
:014C 92            XCHG    DX,AX
:014D 88D6          MOV     DH,DL
:014F 8A167301      MOV     DL,[0173]
:0153 3B067101      CMP     AX,[0171]
:0157 7713          JA      016C

:0159 86C4          XCHG    AL,AH
:015B D0C8          ROR     AL,1
:015D D0C8          ROR     AL,1
:015F 0A067401      OR      AL,[0174]
:0163 89C1          MOV     CX,AX
:0165 5B            POP     BX

:0166 B80102        MOV     AX,0201         ; | READ one
:0169 CD13          INT     13              ; | Sector

:016B C3            RET

:016C 5B            POP     BX
:016D 31C0          XOR     AX,AX
:016F F9            STC
:0170 C3            RET




         A N    E X A M P L E   P A R T I T I O N     T A B L E 
       ----------------------------------------------------------

01BE                                             80 01                ..
01C0   01 00 83 3F 3F 20 3F 00 00 00 81 07 02 00 00 00  ...?? ?.........
01D0   01 21 05 3F BF 6C C0 07 02 00 00 2D 24 00 00 00  .!.?.l.....-$...
01E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.

Notes on Removing LILO Boot Manager

The following is an edited article from the Microsoft's Knowledge Base article Q171611, Titled: "Removing the Linux LILO Boot Manager"

SUMMARY

This describes how to remove the LILO boot manager from the Master Boot Record (MBR).

MORE INFORMATION

When Linux is installed on your computer, it allows a dual boot by loading a boot manager called LILO directly into the MBR. To remove LILO, perform the following steps:

If Linux is Still Installed

Run LILO with either the -u or -U switch. The second parameter (the one after the switch) must be the device name.

The only difference between the two switches is that -u checks the time stamp on the current MBR and the backed-up one, whereas -U does not check the time stamp at all.

If Linux is No Longer Installed Correctly

NOTE: The following procedure is more difficult [and is "not supported by Microsoft..." as the KB article says, "...and is done strictly at the discretion of the user. Microsoft assumes no liability for lost or corrupted data. This procedure should be done only as a last resort."] and most likely one you must attempt because you tried to remove the Linux partition or had some disk structure accident before you could remove the LILO Boot Manager using the correct procedure... Or, you simply didn't know about its existence! This procedure has not been tested by The Starman either... If you do not have access to the NT Resource Kit's Disksave program mentioned below, you could also use The Ranish Partition Manager (or better in my opinion: PQ's MBRUTIL) to both 'save' and 'restore' your hard drive's first sector (MBR) or any other utility that will do so.

IMPORTANT: fdisk /mbr removes the Windows NT disk signature (not the same as the MBR's AA55h Word signature!) from the MBR. If this drive is a member of a Windows NT fault tolerance set, it will no longer be recognized as a member of that set.
  1. Use the Windows NT Resource Kit Disksave.exe utility to back up the MBR and boot sector.


  2. Boot to MS-DOS and type the following:


    3. fdisk /mbr
  3. Restart your computer.


The computer should start normally. If the computer does not start normally, boot to an MS-DOS boot disk and run Disksave again to restore the MBR and boot sector. You may also need to run Fdisk to specify the new active partition to boot.

 

 


Last Update: 18 August 2003.

You can write to me using this: online reply form. (It opens in a new window.)

The Starman's FREE TOOLS Page

MBR and Boot Records Index

The Starman's Realm Index Page

 

 

 

 

1