grubinst.exe- write failed- Vista & NTFS bootsector


42 replies to this topic

#26 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 03 August 2009 - 10:53 PM

I just made a tiny little tool that allows for rawdisk usage with vmware on Vista/2008/Win7; http://communities.v.../docs/DOC-10455


This should be revised (important):

Each partition entry is exactly 16 bytes and there are 4 primary partitions.

To:

Each partition entry is exactly 16 bytes and there are 4 partition entries, of which at most one can be an extended partition.


More loosely I wouldn't zero out the "magic bytes" 55AA.

Further considerations:

  • your tool may only work for primary partitions or for ALL logical Volumes inside Extended (all together as you break the first ring of the chain of EPBR's) :idea:
  • dsfo/dsfi won't be practical to access the EPBR, as access to physicaldrive is possible only with offset 0.

:P

jaclaz

#27 joakim

joakim

    Silver Member

  • Team Reboot
  • 886 posts
  • Location:Bergen
  •  
    Norway

Posted 04 August 2009 - 05:16 AM

More loosely I wouldn't zero out the "magic bytes" 55AA.

That is just temporarily, as soon as diskpart has rescanned the disks, the signature is written back.

Have you tried?

Where would the trace for logical partitions be in mbr?

Joakim

#28 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 04 August 2009 - 08:24 AM

Where would the trace for logical partitions be in mbr?


Check here:
http://www.ranish.com/part/primer.htm
http://www.goodells....boot/ptedit.htm
http://www.boot-land...?...=7138&st=33

The method is absolutely the same, but whilst by slightly modifying the principle of your tool you can easily "select" just one partition entry, corresponding (if the partition is Primary) to just one partition, the Extended partition entry is nothing but a redirector to the EPBR (or EMBR), which in itself contains the first logical volume data AND a Redirector to next EPBR, and so on, thus if you zero out the entry in MBR, you effectively put off-line ALL logical Volumes inside Extended.

In itself, the approach of completely zeroing out a partition entry (or worse, all of them together) seems to me a bit risky, I have no idea how "strong" is the lock (if any) that Vista/2008/Windows7 puts on \\PhysicalDrives, but for this specific task, if I were you I would try simply changing the single byte which represent Partition ID, trying setting it to 00 or "unused" like 21, as steve6375 does for his second "fake partition":
http://www.boot-land...?...ic=7739&hl=

For this approach, instead of dsfo/dsfi, it would be IMHO more advised a "specific tool" like MBRFIX:
http://www.sysint.no...ting/mbrfix.htm
A sequence of:

MbrFix /drive <num> /partition <part> getpartitiontype    Get partition type
MbrFix /drive <num> /partition <part> setpartitiontype <typenum>    Set partition type


would do the trick nicely.
To make sure of having access to the "old" partitiontype, you could use the features of:

MbrFix /drive <num> readstate Read state from byte 0x1b2 in MBR
MbrFix /drive <num> writestate <state> Write state to byte 0x1b2 in MBR

to store temporarily the partition type in the MBR itself, so that it can be recovered even if anything goes wrong on the file/filesystem where you would otherwise store it. (this is probably a bit of paranoia :P, but better be safe than sorry, as I see it :P)

Same, or even more features are contained in MBRWIZ:
http://mbrwizard.com/
http://mbrwizard.com...erence.php#copy
that also has a "Hide" partition command, that could be the solution.

Still, nothing of the above represents a solution for selectively use/zero out single logical volumes inside Extended, just as above I have no idea which kind of limits there are on a Vista/2008/Windows7 about accessing the EPBR's. :), nor I know a "specific command line app" to do so. :idea:

:P

jaclaz
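The partition-table layout and EPBR chain described in post #28, as an added read-only example that is not part of the original thread. It parses a constructed in-memory disk image; `entries`, `list_volumes`, `make_sector` and `sample_image` are hypothetical names, and the sample layout is made up for the demonstration.

```python
import struct

SECTOR = 512
TABLE_OFF = 0x1BE            # first of the four 16-byte partition entries
EXTENDED = {0x05, 0x0F}      # extended partition IDs (CHS and LBA)

def entries(sector):
    """Return four (type_id, start_lba, sector_count) tuples from an MBR or EPBR."""
    if bytes(sector[510:512]) != b"\x55\xAA":
        raise ValueError("missing 55AA signature")
    out = []
    for slot in range(4):
        off = TABLE_OFF + 16 * slot
        start, count = struct.unpack_from("<II", sector, off + 8)
        out.append((sector[off + 4], start, count))   # byte 4 is the partition ID
    return out

def list_volumes(image):
    """List (kind, type_id, absolute_start_lba) for primaries and all logical volumes."""
    vols = []
    for ptype, start, _ in entries(image[:SECTOR]):
        if ptype == 0x00:
            continue                                  # empty (or zeroed) entry
        if ptype not in EXTENDED:
            vols.append(("primary", ptype, start))
            continue
        ext_base, epbr, seen = start, start, set()
        while epbr not in seen:                       # guard against a looping chain
            seen.add(epbr)
            first, link = entries(image[epbr * SECTOR:(epbr + 1) * SECTOR])[:2]
            if first[0]:
                vols.append(("logical", first[0], epbr + first[1]))  # relative to this EPBR
            if link[0] not in EXTENDED:
                break                                 # no redirector: end of chain
            epbr = ext_base + link[1]                 # relative to the extended start
    return vols

def make_sector(*parts):
    """Constructed sector; parts are (slot, type_id, start_lba, sector_count)."""
    s = bytearray(SECTOR)
    for slot, ptype, start, count in parts:
        struct.pack_into("<B3xB3xII", s, TABLE_OFF + 16 * slot, 0, ptype, start, count)
    s[510:512] = b"\x55\xAA"
    return s

def sample_image():
    """Constructed disk: one NTFS primary plus an extended with two logical volumes."""
    img = bytearray(SECTOR * 400)
    img[0:SECTOR] = make_sector((0, 0x07, 63, 100), (1, 0x0F, 200, 200))
    img[200 * SECTOR:201 * SECTOR] = make_sector((0, 0x0B, 63, 37), (1, 0x05, 100, 100))
    img[300 * SECTOR:301 * SECTOR] = make_sector((0, 0x06, 63, 37))
    return img

if __name__ == "__main__":
    img = sample_image()
    print(list_volumes(img))
    img[TABLE_OFF + 16 * 1 + 4] = 0x00    # clear only the extended entry's ID byte
    print(list_volumes(img))              # both logical volumes disappear together
```

Clearing the single ID byte of the extended entry in the copy hides every logical volume at once, because the MBR holds only the redirector to the first EPBR.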

#29 joakim

joakim

    Silver Member

  • Team Reboot
  • 886 posts
  • Location:Bergen
  •  
    Norway

Posted 04 August 2009 - 08:56 AM

Very good reply!

In itself, the approach of completely zeroing out a partition entry (or worse, all of them together) seems to me a bit risky, I have no idea how "strong" is the lock (if any) that Vista/2008/Windows7 puts on \\PhysicalDrives, but for this specific task, if I were you I would try simply changing the single byte which represent Partition ID, trying setting it to 00 or "unused" like 21, as steve6375 does for his second "fake partition":

The only reason for zeroing the signature is when you need access to the whole disk only (not individual partitions), and it only applies to Vista.

to store temporarily the partition type in the MBR itself, so that it can be recovered even if anything goes wrong on the file/filesystem where you would otherwise store it. (this is probably a bit of paranoia :), but better be safe than sorry, as I see it :idea:)


A good point. Would it not be better to write such backups past sector 0, ie 1 and upwards?
After all, I suggested taking backups of the mbr's of your disks and placing it in a different place.

Same, or even more features are contained in MBRWIZ:
http://mbrwizard.com/
http://mbrwizard.com...erence.php#copy
that also has a "Hide" partition command, that could be the solution.


Hiding the partition is not sufficient to unlock the volume. You have to somehow trick the OS to believe the partition does not exist.
I will do some more tests and see if only 1 byte does the trick for individual partitions...

Still, nothing of the above represents a solution for selectively use/zero out single logical volumes inside Extended, just as above I have no idea which kind of limits there are on a Vista/2008/Windows7 about accessing the EPBR's. :P, nor I know a "specific command line app" to do so. :P


On Server 2008 and Windows7, diskpart can put the disk offline. Use select disk, then "offline disk". That will unlock the complete disk and give you access to every sector.


Joakim

#30 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 04 August 2009 - 09:44 AM

A good point. Would it not be better to write such backups past sector 0, ie 1 and upwards?
After all, I suggested taking backups of the mbr's of your disks and placing it in a different place.


Be very, very, and I mean very careful (please read as DON'T DO IT :idea:) when using un-standard places.
  • grub4dos grldr.mbr will take first 18 sectors of a disk.
  • partition magic and Acronis are re-known to use "odd" sectors, like 12 or 14 (simply cannot remember) to store data
  • old DOS/Windows Commercial app may use some hidden sector to store License/Activation data
  • other bootmanagers may use other sectors, system commander is one of them if I remember correctly

Now, in the case of grub4dos, the second sector (sector 1 LBA) is an actual backup of the MBR as it was at the time grldr.mbr was installed, i.e. the only place where this data is stored and retrievable in case of need.

Overwriting it may seem all right, but if anything goes wrong, you've just hosed BOTH original MBR and its backup copy. :P

On the other hand choosing a relatively "high" sector, like 31 (you cannot go beyond it unless you want to lose compatibility with - the rare cases where - drives are partitioned with older nx64x32 geometry) doesn't give you any guarantee that some tool or app wouldn't use it.

Of course storing it on another disk drive seems like the right thing to do, but this also implies the use of at least two disk drives.

Decisions, always decisions.... :)

:P

jaclaz

#31 maanu

maanu

    Gold Member

  • Advanced user
  • 1,125 posts
  •  
    Pakistan

Posted 04 August 2009 - 09:47 AM

Hiding the partition is not sufficient to unlock the volume. You have to somehow trick the OS to believe the partition does not exist.
I will do some more tests and see if only 1 byte does the trick for individual partitions...



On Server 2008 and Windows7, diskpart can put the disk offline. Use select disk, then "offline disk". That will unlock the complete disk and give you access to every sector.



Joakim


hi joakim ,

are u certain about the highlighted part of the quote ? im asking this coz ,

when using fbinst to format flash drive etc , it was reported to give errors in windows 7 . so may be it can solve the issue since diskpart can put the usb drive offline to let fbinst do its job ?

or does offline means that the explorer also loses control over usb drive ? same with the case of installing G4D to the MBR using grubinst , we put the primary hdd offline , and let grubinst patch MBR of it with G4D ?

i have not yet used 7 , just asking it coz im thinking about writing a tutorial on fbinst , so this trick ll be very useful for me.

thanks..

#32 online

online

    Silver Member

  • Advanced user
  • 767 posts

Posted 04 August 2009 - 10:02 AM

@jaclaz

as steve6375 does for his second "fake partition"

Pardon me for possibly a bit of "board-vanity" :idea:... and just for the record: please, note that the 2nd partition on UFD in order to improve its bootability is (modestly) my original idea/finding and that then to make it as a "fake" partition is an original implementation of steve6375.
Knowing your proverbial accuracy :P, I think it would be a nice thing if also the source was mentioned, sometimes. :)

#33 joakim

joakim

    Silver Member

  • Team Reboot
  • 886 posts
  • Location:Bergen
  •  
    Norway

Posted 04 August 2009 - 10:04 AM

or does offline means that the explorer also loses control over usb drive ?

Yes, putting the disk offline means there exist no mountpoints and thus explorer cannot be used. The trick is for writing directly to ANY sector on that disk, something that the OS prevents with a lock when it's online (unless tweaked as already mentioned earlier). However, I notice that WinHex is capable of writing directly to anything outside mbr without the need for such workarounds, so I guess other ways should be possible too....

Joakim

#34 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 04 August 2009 - 11:36 AM

@jaclaz

Pardon me for possibly a bit of "board-vanity" :idea:... and just for the record: please, note that the 2nd partition on UFD in order to improve its bootability is (modestly) my original idea/finding and that then to make it as a "fake" partition is an original implementation of steve6375.
Knowing your proverbial accuracy :), I think it would be a nice thing if also the source was mentioned, sometimes. :P


Sure :P, I never said whose idea it was, I was referring to the use of the 21 as partition ID, as clearly understandable in the whole sentence:

for this specific task, if I were you I would try simply changing the single byte which represent Partition ID, trying setting it to 00 or "unused" like 21, as steve6375 does for his second "fake partition"


Read the sentence again, this time slowly, and you will see that NO paternity of ideas was attributed, not even implied, to steve6375 or to you, or to anyone else.

There was no reason in the present context to do so, rest assured, that, should it be justified, I won't miss:
Matteo 22:21
http://www.biblegate...amp;version=55;
http://www.biblegate...c...&version=9;

...though as it happened with Julius Caesar, it may resolve as about 23 stabs. :P

:P

:P

jaclaz

#35 online

online

    Silver Member

  • Advanced user
  • 767 posts

Posted 04 August 2009 - 01:03 PM

Sure :), I never said whose idea it was

Yep, in fact it is just this the point :P: saying it, how you said it, then the sentence seemed to imply that the author was the same of the "faking" implementation (that's just as a natural - phrasal semantics - consequence).
http://it.wikipedia.org/wiki/Semantica
http://en.wikipedia.org/wiki/Semantics

Just as an example: politicians and advertisers (is there an ethical difference between those categories?) - in the verbal (mass-)communication - sometimes use just that as an artifice/stratagem/expedient when they want to say without to say.
However, I guarantee you that I am more than sincerely sure that it is NOT your case (and on the other hand neither mine :P).

:P

Matteo 22:21

"Render therefore unto Caesar the things which are Caesar's"

(internal quoting is from your link)

Generally, I would add: "Take the things which are not Caesar's away from Caesar". :P

...though as it happened with Julius Caesar, it may resolve as about 23 stabs. :P

Really, it would be enough for me to add a board-function similar to the "Thanks" one... that's something like

Take 1 "THANKS" away from <USERNAME>
:idea:

#36 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 04 August 2009 - 01:31 PM

the sentence seemed to imply


Time for some more English? :idea:

Beauty (and malice :P) is in the eye of the beholder.
http://www.phrases.o...ings/59100.html
http://www.usingengl...e beholder.html

and:

Juliet:
"What's in a name? That which we call a rose
By any other name would smell as sweet."

http://www.enotes.co...ch-we-call-rose

:)

jaclaz

#37 online

online

    Silver Member

  • Advanced user
  • 767 posts

Posted 04 August 2009 - 03:29 PM

(and malice :)) is in the eye of the beholder.

Sorry, but I won't take it. :P
Although I generally agree with the above aphorism, also I think even you can not be excluded from the observation; so if you thought that in my eyes reading your sentence there was "malice" :P ... then possibly the malice could be in your eyes reading my reply. :idea:
Probably - and just about that specific case/topic :P - we should call it more as "sensitization". :P

However, I guarantee you that I am more than sincerely sure that it is NOT your case (and on the other hand neither mine :P).

Please, note that I was not joking when I said that. :)


"Nothing either good or bad, but thinking makes it so".

Hamlet Act 2, scene 2, 239–251

http://www.enotes.co...-thinking-makes

#38 joakim

joakim

    Silver Member

  • Team Reboot
  • 886 posts
  • Location:Bergen
  •  
    Norway

Posted 04 August 2009 - 08:07 PM

To make sure of having access to the "old" partitiontype, you could use the features of:

MbrFix /drive <num> readstate Read state from byte 0x1b2 in MBR
MbrFix /drive <num> writestate <state> Write state to byte 0x1b2 in MBR

to store temporarily the partition type in the MBR itself, so that it can be recovered even if anything goes wrong on the file/filesystem where you would otherwise store it. (this is probably a bit of paranoia :idea:, but better be safe than sorry, as I see it :P)


I like the theory of backing up values just in case.

But the problem arises when you have 2 or more partitions you want raw access to at the same time. That unused space in 0x1b2 is only 1 byte and only fits 1 partition id entry backup. There are still 62 sectors until first partition, that often is unused. Do we know of a certain place in there that always is unused?

It brings me back to the need for an app that will be able to write arbitrary values to any location. Will look into Tiny Hexer, but it may be a little overkill for the actual use.

It also appears that setting the partition id to 00 is sufficient for individual partitions usage in vmware.

Joakim

#39 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 05 August 2009 - 11:02 AM

I like the theory of backing up values just in case.

But the problem arises when you have 2 or more partitions you want raw access to at the same time. That unused space in 0x1b2 is only 1 byte and only fits 1 partition id entry backup. There are still 62 sectors until first partition, that often is unused. Do we know of a certain place in there that always is unused?

Well, you can use, the four bytes "normally" used for the XP Kansas City Shuffle:
http://www.911cd.net...o...1242&st=132
http://www.911cd.net...o...1242&st=139
(make sure you actually READ all the above posts)
but read below.

It also appears that setting the partition id to 00 is sufficient for individual partitions usage in vmware.


If you only set the partition ID as 00, there are several apps that can "guess" the partition type, and since we are talking about a strictly windows application, even if the restoring goes wrong AND the user is inexperienced, there are not that many possibilities:
01 FAT12 <-improbable
04 FAT16 (small) <-improbable
06 FAT16 CHS
07 NTFS
07 ex-FAT (FAT64) (:idea:)
0B FAT32 CHS
0C FAT32 LBA
0E FAT16 LBA

Since you left the actual addresses (DATA) of the partition untouched you can always re-create the "right" partition ID by peeking at the bootsector (in first sector of the address for the beginning of the partition).
For FAT12 and 16 it is at offset 0x36 ->"FAT12" or "FAT16"
For FAT32 it is at offset 0x52->"FAT32"
For ex-FAT (FAT64) it is at offset :P
For NTFS it is at offset 0x3->"NTFS"

But you have no way to distinguish between 06 and 0E and between 0B and 0C. :)

Maybe you can then store just this info (coded) in the single byte at 0x1b2.

Of course, if the "XP Kansas Shuffle" has been used on the MBR, you are going to break it, as well if something else changed the status value.

:P

jaclaz
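The recovery idea from post #39, as an added example that is not part of the original thread: identify the filesystem from the boot-sector strings at the offsets listed there, and resolve the 06/0E and 0B/0C ambiguity with one bit per MBR slot kept in a single state byte. The bit coding, the function names and the sample sectors are hypothetical; the exFAT row uses the file system name field at offset 0x3 from the exFAT specification, which the post leaves blank, and the 04/06 split assumes 04 is used for volumes under 65536 sectors.

```python
# (offset, string, candidate partition IDs); offsets as listed in the post,
# except exFAT, which is taken from the exFAT specification.
SIGNATURES = [
    (0x03, b"NTFS",  [0x07]),
    (0x03, b"EXFAT", [0x07]),
    (0x52, b"FAT32", [0x0B, 0x0C]),          # CHS or LBA: boot sector cannot tell
    (0x36, b"FAT16", [0x04, 0x06, 0x0E]),
    (0x36, b"FAT12", [0x01]),
]
LBA_IDS = {0x0C, 0x0E}
STATE_OFF = 0x1B2    # byte read and written by MbrFix readstate/writestate

def candidates(boot_sector):
    """Return the partition IDs compatible with the boot sector's filesystem string."""
    for off, magic, ids in SIGNATURES:
        if boot_sector[off:off + len(magic)] == magic:
            return ids
    return []

def encode_state(type_ids):
    """Hypothetical coding: bit n is set when MBR slot n held an LBA type (0C or 0E)."""
    return sum(1 << slot for slot, t in enumerate(type_ids) if t in LBA_IDS)

def recover_id(boot_sector, slot, state, sector_count):
    """Rebuild the original partition ID for one slot, or None if unrecognised."""
    ids = candidates(boot_sector)
    if not ids:
        return None
    if len(ids) == 1:
        return ids[0]
    lba = bool((state >> slot) & 1)
    if 0x0C in ids:                           # FAT32
        return 0x0C if lba else 0x0B
    if lba:                                   # FAT16
        return 0x0E
    return 0x04 if sector_count < 65536 else 0x06

def fake_boot(off, magic):
    """Constructed 512-byte boot sector carrying only the filesystem string."""
    b = bytearray(512)
    b[off:off + len(magic)] = magic
    return bytes(b)

if __name__ == "__main__":
    original = [0x07, 0x0C, 0x06, 0x0E]       # constructed four-slot partition table
    state = encode_state(original)            # value that would sit at STATE_OFF
    boots = [fake_boot(0x03, b"NTFS"), fake_boot(0x52, b"FAT32"),
             fake_boot(0x36, b"FAT16"), fake_boot(0x36, b"FAT16")]
    restored = [recover_id(b, i, state, 100000) for i, b in enumerate(boots)]
    print(hex(state), [hex(t) for t in restored])
```

As the post warns, a state byte at 0x1b2 collides with anything else that already uses that location, so the value should be read and checked before it is trusted.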

#40 joakim

joakim

    Silver Member

  • Team Reboot
  • 886 posts
  • Location:Bergen
  •  
    Norway

Posted 05 August 2009 - 09:20 PM

To gain direct access to sectors within the filesystem, MS has put it nicely on msdn; http://msdn.microsof...y/cc835968.aspx

About diskpart and offline there needs to be a little correction to what I said earlier. You also need to remove the readonly attribute that offline automatically sets.

So to script it, execute;

diskpart /s offline.txt

offline.txt:
select disk 1
offline disk
attribute disk clear readonly
rescan
exit

This only applies to Server 2008 and Windows7, and NOT Vista, and is by far the safest way. For Vista either zero partition id or signature as already mentioned. I tried MANY different id's on Server 2008, but none of them let grubinst.exe pass without write errors. Putting zeros did it though.

My tool is soon updated with this (still looking for a solid way to backup several id's inside mbr or first 63 sectors..)

Joakim

#41 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 05 August 2009 - 09:31 PM

So to script it, execute;

diskpart /s offline.txt


OT, but not much :P, and JFYI:
http://www.msfn.org/...o...26069&st=16
http://www.msfn.org/...o...26069&st=19

:idea:

jaclaz

#42 joakim

joakim

    Silver Member

  • Team Reboot
  • 886 posts
  • Location:Bergen
  •  
    Norway

Posted 05 August 2009 - 10:17 PM

http://www.msfn.org/...o...26069&st=16
http://www.msfn.org/...o...26069&st=19


Hmm, when comparing it looks like David and Goliath, and I'm the noob with the lamerbatch..

The new version of my tool is; http://communities.v.../docs/DOC-10455

Still no backup inside mbr implemented, but thinking about it.

Joakim

#43 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,349 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 11 December 2010 - 06:46 PM

You can install grub4dos to an NTFS partition under Vista/Win7 like this:

LockDismount.exe -force 1 grubinst --install-partition=0 (hd1) & touchdrv h:
Locking volume H: ...OK
Dismounting volume H: ...OK
Successfully locked and/or dismounted all volumes on PhysicalDrive1
Executing grubinst --install-partition=0 (hd1)...
Exit Code: 0
Unlocking all volumes...OK

LockDismount is from another post

touchdrv from here

or use v2.1.606 of RMPrepUSB or later.