A Master Boot Record Comparison

The MBRs produced upon installing Windows 98, and upon installing linux

When you install an operating system on a computer, there are a number of different parts to install. Two in particular:

    Kernel - first, the bulk or guts of the code for the operating system program. An operating system is just a computer program, after all, so it consists of executable machine code like any other. This has to be laid down on the hard disk somewhere, to be found and loaded into memory for execution whenever you boot the computer. This can be called the operating system's kernel.

    Boot loader - second, the code to go out and find that pre-positioned kernel code, in the right place on the disk, and make it load into memory. This can be called the boot loader.

A place provided to house boot loader code is the Master Boot Record (MBR), a term that means the first 512 bytes on a hard disk. This is suitable for code intended to boot the computer because any code sitting there will get called during boot (according to the hardware's design). We say it's "in the path of execution."

The programs that install operating systems-- found on OS "installation" CDs-- always place their kernel code on the hard disk. Usually, though sometimes optionally, they also write the code they desire into the MBR as well. This is to ensure that their kernel code will get loaded and executed. They ensure it by emplacing code in the MBR that-- guess what?-- loads and executes their kernel. Otherwise, it would be entirely possible to put the kernel code on the disk without it ever being executed. That's what would happen if code that bypasses this kernel sits in the MBR (as would be the case, for example, if the MBR instead called some other operating system elsewhere on the disk). It would also happen if no intelligent code at all were sitting in the MBR (in which case some kind of unpredictable halt or crash would take place during a boot attempt).

In class, we installed linux on a hard disk where Windows 98 had been installed earlier. We allowed linux to overwrite the MBR. This displaced (i.e., eliminated) whatever code had previously been put there at the time when Windows 98 was originally installed. Before installing linux, I captured a copy of the old Windows MBR and saved it into a file. After the linux installation, I did the same thing with the new MBR from linux. So we have the two files available for comparison.

I have placed on the remote Unix server these two 512-byte files. They are:


First, the file /home/ftp/pub/mbr-byWindows98 contains what was in the MBR at the beginning of our linux installation session. That is, what the original Windows install operation had inscribed there. Second, the file /home/ftp/pub/mbr-byRedHatLinux contains what LILO wrote there during the install (LILO is the LInux LOader, which we invoked while installing).

Before we can examine these we need to produce byte-by-byte "file dumps." There are programs for this purpose. They are called hexadecimal editors. A freeware example in Windows is XVI32. In linux, the magic command is

  od -Ad -tx1z <filename>

(If you have a copy of the file on one platform and want to move it to the other, the tool to do it is ftp.)

I've done the work for you by producing two hexdumps. The files containing them are on the remote Unix server and you can view them via the links below. Those files are:


Via the following links, you can view either the Windows hexdump or the linux hexdump. Have a look at them, and given what you have learned about the content and composition of MBRs, try to locate the code portions, the partition table portion, and the 2-byte final signature portions of these MBRs. What do they have in common? Where do they differ? Is any portion of them directly legible? What do you suppose it is?
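
To check your reading of the hexdumps, here is an added example (not part of the original course material) that splits a 512-byte MBR into its three regions and compares two MBRs region by region. It assumes the standard layout (code in bytes 0-445, four 16-byte partition entries in bytes 446-509, signature in bytes 510-511); the function names are hypothetical and the two sample images are constructed, not the class files.

```python
import struct

CODE_END, TABLE_END, MBR_SIZE = 446, 510, 512   # standard MBR offsets (assumed)

def split_mbr(image: bytes) -> dict:
    """Split a 512-byte MBR into code, partition table and signature."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(image)}")
    return {"code": image[:CODE_END],
            "table": image[CODE_END:TABLE_END],
            "signature": image[TABLE_END:]}

def partitions(table: bytes) -> list:
    """Decode the four 16-byte partition entries, skipping empty slots."""
    out = []
    for i in range(4):
        # status, (CHS start), type, (CHS end), start LBA, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", table, i * 16)
        if ptype:
            out.append({"slot": i, "active": status == 0x80, "type": ptype,
                        "start_lba": lba, "sectors": count})
    return out

def legible(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, like the text column of `od -tx1z`."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs

def compare(a: bytes, b: bytes) -> dict:
    """Per region, count the byte positions at which two MBRs differ."""
    ra, rb = split_mbr(a), split_mbr(b)
    return {k: sum(x != y for x, y in zip(ra[k], rb[k])) for k in ra}

def make_sample(code: bytes) -> bytes:
    """Constructed MBR: given code bytes plus one active type-0x0b entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x0B, 63, 4192902)
    return code.ljust(CODE_END, b"\x00") + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    old = make_sample(b"\x90\x90SAMPLE LOADER A: no system found\x00")
    new = make_sample(b"\x90\x90SAMPLE LOADER B\x00")
    print(compare(old, new))
    print(legible(split_mbr(old)["code"]), partitions(split_mbr(new)["table"]))
```

To run it on the real files, read each one with open(path, "rb").read() and pass the two byte strings to compare().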