我想验证一下core.img位于 MBR 和我的第一个分区 的开头之间/dev/sda1。
使用
sudo dd bs=512 if=/dev/sda skip=512 count=1540 | hexdump -C
我可以看到/sda1参考:
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000c0400 00 e0 3f 00 00 1a ff 00 4c c1 0c 00 96 a3 21 00 |..?.....L.....!.|
000c0410 ed d7 3f 00 00 00 00 00 02 00 00 00 02 00 00 00 |..?.............|
000c0420 00 80 00 00 00 80 00 00 00 20 00 00 12 11 ac 5e |......... .....^|
000c0430 70 30 ac 5e 47 00 ff ff 53 ef 01 00 01 00 00 00 |p0.^G...S.......|
000c0440 a6 15 01 5c 00 00 00 00 00 00 00 00 01 00 00 00 |...\............|
000c0450 00 00 00 00 0b 00 00 00 00 01 00 00 3c 00 00 00 |............<...|
000c0460 42 02 00 00 6b 04 00 00 e6 59 c6 2c f6 f1 4e 6f |B...k....Y.,..No|
000c0470 b4 c4 ea 0f 76 73 e4 46 00 00 00 00 00 00 00 00 |....vs.F........|
000c0480 00 00 00 00 00 00 00 00 2f 73 64 61 31 00 00 00 |......../sda1...|
000c0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000c04c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 03 |................|
000c04d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000c04e0 08 00 00 00 00 00 00 00 00 00 00 00 b0 a3 c5 a6 |................|
000c04f0 c6 67 43 54 92 58 c9 42 d2 f9 21 0d 01 01 00 00 |.gCT.X.B..!.....|
000c0500 0c 00 00 00 00 00 00 00 a6 15 01 5c 0a f3 02 00 |...........\....|
000c0510 04 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 |................|
000c0520 00 80 78 00 00 80 00 00 00 80 00 00 00 00 79 00 |..x...........y.|
000c0530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000c0540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 |................|
000c0550 00 00 00 00 00 00 00 00 00 00 00 00 20 00 20 00 |............ . .|
000c0560 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000c0570 00 00 00 00 04 01 00 00 a7 53 a4 1f 00 00 00 00 |.........S......|
000c0580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000c07f0 00 00 00 00 00 00 00 00 00 00 00 00 79 1d 94 d7 |............y...|
000c0800
这是 的一部分吗core.img?
我希望有一个像 MBR 这样的神奇数字55 aa,但找不到提及是否core.img有这个数字。
我正在使用 GRUB 2.02,uname -m提供 x86_64。
答案1
好吧,假设你没有更多的知识,你可以在原始数据中搜索它。
要查找的一些模式(及其字节偏移量):
# strings -n 6 -t d /boot/grub/i386-pc/core.img
283 loading
306 Error
2622 RBRPQR
3689 LH%N("
4248 9dzj~)>
...
在启动驱动器上重复相同的搜索:
# strings -n 6 -t d /dev/sda | grep -B 6 -F '9dzj~)>'
395 Hard Disk
410 Error
795 loading
818 Error
3134 RBRPQR
4201 LH%N("
4760 9dzj~)>
--
2239165876 gcry_mpi_invm
2239165890 _gcry_mpi_alloc
2239168795 loading
2239168818 Error
2239171134 RBRPQR
2239172201 LH%N("
2239172760 9dzj~)>
就像哇,这是什么东西?
我们搜索的字符串位于文件中的9dzj~)>字节偏移量处。在我的引导驱动器上的字节偏移处有一个匹配项。实际上,这恰好是相同的偏移量 + 512 字节,因此您可以看出:在我的示例中,实际上位于一个扇区偏移量处。本例中的引导驱动器仍然使用老式的 DOS 分区表。4248core.img4760core.img
字节偏移处的第二个匹配2239171134只是/boot分区上的常规文件。
在另一台机器上进行相同的练习:
寻找一些模式core.img:
# strings -n 6 -t d /boot/grub/i386-pc/core.img | head -n 6
307 loading
330 Error
2638 RBRPQR
3677 N8yf>W
4228 ;E~T\4
4367 8aDk B
grep对于启动驱动器上的其中之一:
# strings -n 6 -t d /dev/vda | grep -B 6 -F ';E~T\4'
1046494 &{$|zO.
1047463 Y 'lg4
1048883 loading
1048906 Error
1051214 RBRPQR
1052253 N8yf>W
1052804 ;E~T\4
--
141418559 normal
141418574 normal
141488435 loading
141488458 Error
141490766 RBRPQR
141491805 N8yf>W
141492356 ;E~T\4
该偏移量比 512 字节稍大,结果为 1052804-4228 = 1048576 = 1 MiB ...为什么?因为此驱动器是 GPT,分区bios_grub偏移量为 1 MiB:
# parted /dev/vda unit b print
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 20401094656B
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 1048576B 2097151B 1048576B grub bios_grub
...就core.img在它的开头:
# cmp /boot/grub/i386-pc/core.img /dev/vda1
/boot/grub/i386-pc/core.img /dev/vda1 differ: byte 501, line 7
# cmp -l /boot/grub/i386-pc/core.img /dev/vda1
501 2 1
502 0 10
509 62 145
529 0 33
530 0 146
cmp: EOF on /boot/grub/i386-pc/core.img after byte 26085
因此,26080 字节与core.img.这是一些东西。 \o/
如果core.img位于的文件/boot实际上不是已安装的文件,则此练习可能会失败。有些安装 CD 安装不同版本的 GRUB;某些多重引导系统,或者更新而不是全新安装,可能使用与文件系统上安装的版本截然不同的 GRUB 版本(如果您从未重新运行grub-install以实际更新磁盘上的 GRUB)。