June 10, 2011, 1 p.m.
posted by lambda
Kill and Resurrect the Master Boot Record
The MBR is a 512-byte segment at the very beginning (the first sector) of a hard drive. This segment contains two major parts: the boot code in the first 446 bytes and the partition table (plus a 2-byte signature) in the remaining 66 bytes. When you run lilo, grub-install, or fdisk /mbr in DOS, it writes to these first 446 bytes. When you run cfdisk or some other disk-partition program, it writes to the remaining 66 bytes.
The MBR is crucial for booting your system, and its partition table is crucial for accessing your data; however, many people never back up their MBR. Use Knoppix to easily create backups of your MBR, which you can later restore if you ever accidentally overwrite your partition table or boot code. Double-check each command you type: typing 466 instead of 446 can mean the difference between blanking the boot code and partially destroying your partition table.
Save the MBR
[knoppix]$ sudo dd if=/dev/hda of=/home/knoppix/mbr_backup bs=512 count=1
Change /dev/hda to match the drive you wish to back up. In your home directory, you should now see a 512-byte file called mbr_backup. dd is normally used to create images of entire hard drives, and a similar command is used here; however, it contains two new options: bs and count. The bs (block size) option tells dd to read and write 512 bytes at a time, and the count option tells dd to do this only once. The result of the command is that the first 512 bytes of the drive (the MBR) are copied into the file. If for some reason you only want to back up the boot code (although it's wise to always back up the partition table as well), replace 512 with 446. Now that you have backed up the MBR, copy it to a safe location, such as another computer or a CD-ROM.
Kill the MBR
Now you should know how to totally destroy the MBR. To do this, simply use the same command you used to back up an MBR, but replace the input file with /dev/zero and the output file with the drive, overwriting each byte of the MBR with zero. If you only want to blank your boot code, type:
[knoppix]$ sudo dd if=/dev/zero of=/dev/hda bs=446 count=1
To clear the complete MBR, including the partition table, type:
[knoppix]$ sudo dd if=/dev/zero of=/dev/hda bs=512 count=1
While blanking the partition table in effect prevents you from accessing files on the drive, it isn't a replacement for proper wiping of the complete drive, because the files are still potentially retrievable from the drive. Even the partition table itself is recoverable with the right tools.
Resurrect the MBR
[knoppix]$ sudo dd if=/home/knoppix/mbr_backup of=/dev/hda bs=446 count=1
Because of the bs=446 element, this command only restores the boot code in the MBR. I purposely left out the last 66 bytes of the file so the partition table would not be overwritten (just in case you have repartitioned or changed any partition sizes since your last MBR backup). If you have accidentally corrupted or deleted your partition table, restore the full 512 bytes to the MBR with:
[knoppix]$ sudo dd if=mbr_backup of=/dev/hda bs=512 count=1
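Before restoring a backup, it is worth checking that the file really is a full MBR image. The following is an added example, not part of the original post: the function names are hypothetical, the sample image is constructed, and everything runs against a scratch file rather than a drive.

```shell
#!/bin/sh
# Added example (not from the article): vet an MBR backup file before restoring it.
# Layout per the article: 446 bytes boot code + 64-byte partition table + 2-byte signature.

# Hex-dump COUNT bytes of FILE starting at byte OFFSET, as one lowercase string.
mbr_hex() {  # usage: mbr_hex FILE OFFSET COUNT
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Succeed only if FILE is a full 512-byte MBR image ending in the 55 aa signature.
mbr_check() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "bad size: $size"; return 1; }
    [ "$(mbr_hex "$1" 510 2)" = "55aa" ] || { echo "bad signature"; return 1; }
    echo "ok"
}

# Count partition-table slots (four 16-byte entries from offset 446) that are not all zero.
mbr_used_slots() {
    used=0
    for off in 446 462 478 494; do
        [ -z "$(mbr_hex "$1" "$off" 16 | tr -d '0')" ] || used=$((used + 1))
    done
    echo "$used"
}

# Build a CONSTRUCTED sample image: empty boot code, one bootable type-0x83 entry, signature.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\200\000\000\000\203' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Demo on a scratch file only (never a device): the 466-for-446 typo from the article.
img=$(mktemp)
make_sample_mbr "$img"
echo "before: $(mbr_check "$img"), used slots: $(mbr_used_slots "$img")"
dd if=/dev/zero of="$img" bs=466 count=1 conv=notrunc 2>/dev/null
echo "after bs=466: $(mbr_check "$img"), used slots: $(mbr_used_slots "$img")"
rm -f "$img"
```

After the bs=466 overwrite the image still passes the size and signature check, but the used-slot count drops to zero, so a backup should be judged on its partition entries as well as its signature.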
How Do I fdisk/mbr?
Knoppix also provides a useful tool called install-mbr that allows you to manipulate the MBR in many ways. The most useful feature of this tool is that it can install a "default" master boot record on a drive, which is useful if you want to remove lilo or grub completely from the MBR so Windows can boot by itself, or so you can install Windows to a hard drive that previously used Linux. The results are the same as if you were to type fdisk /mbr in DOS. To remove the traces of lilo or grub from your MBR, run:
[knoppix]$ sudo install-mbr /dev/hda
Replace /dev/hda with your drive.
You can read the install-mbr manpage by typing man install-mbr in a console.