9

I've done a lot of partitioning / dual booting on my Macbook Pro. Right now I have Mac OS X installed along with Ubuntu 12.04, with Grub installed on the Ubuntu partition.

I am wondering - what is the code in my MBR (the first 446 bytes)? Because Macs use EFI and GUID partitioning, the MBR is only a protective/hybrid MBR (in my case, it is a hybrid MBR).

Q: How can I identify what program is in my MBR (based on its hexdump)? Is there some sort of a signature? I'm guessing it's grub but I did a hexdump of it and it didn't match the code I found in this article detailing the Grub MBR ("Stage 1") code.

EDIT: I am running rEFInd, an EFI boot manager program. It is an EFI application, and thus resides on my EFI system partition. This program is what runs immediately following bootup, but I do not think it places any code in the 446 bytes of the MBR.

EDIT2: I should add that I have had Windows installed for dual-boot as well.

4
  • Why not simply boot from it to find out?
    – michas
    Commented Jan 20, 2013 at 4:57
  • @michas Sorry, I guess I forgot to mention: I am running rEFInd, an EFI boot manager program. It is an EFI application, and thus resides on my EFI system partition. This program is what runs immediately following bootup, but I do not think it places any code in the 446 bytes of the MBR. I will add this to the question.
    – Kyle L
    Commented Jan 20, 2013 at 14:58
  • I think I've found the answer: I believe it is Windows boot code. Based on the readable ASCII in the hexdump ("Invalid partition table.Error loading operating system.Missing operating system.") I was able to do a Google search and found two sites which discussed Windows bootloaders. The hexdump of mine matches parts of the Win2k bootloader as well as the bootloader of one of the posters in the forum. See: masm32.com/board/…, and thestarman.pcministry.com/asm/mbr/Win2kmbr.htm.
    – Kyle L
    Commented Jan 20, 2013 at 15:25
  • Actually more pertinent than both of the previous links is this one, which documents the Windows 7 MBR: thestarman.pcministry.com/asm/mbr/W7MBR.htm#CODE. The MBR documented there (i.e., the Windows 7 MBR) is identical to mine, which makes sense, because I had installed Windows 7. I will post an answer to the question as soon as I can.
    – Kyle L
    Commented Jan 20, 2013 at 15:44

4 Answers

3

I think I've found the answer: I believe it is Windows boot code. Based on the readable ASCII in the hexdump ("Invalid partition table.Error loading operating system.Missing operating system.") I was able to do a Google search and found a site which discussed Windows bootloaders. The hexdump of mine matches the Windows 7 bootloader detailed at http://thestarman.pcministry.com/asm/mbr/W7MBR.htm#CODE. This makes sense, because I have installed Windows 7 in the past on my computer.

2

The ms-sys utility can not only identify many variants of MBR and PBR boot codes, but also write them if needed.

Usage:
        ms-sys [options] [device]
Options:
    -1, --fat12     Write a FAT12 floppy boot record to device
    -2, --fat32nt5  Write a FAT32 partition NT5.0 boot record to device
    -8, --fat32nt6  Write a FAT32 partition NT6.0 boot record to device
    -x, --exfatnt6  Write a EXFAT partition NT6.0 boot record to device
    -e, --fat32pe   Write a FAT32 partition PE boot record to device
    -3, --fat32     Write a FAT32 partition DOS boot record to device
    -4, --fat32free Write a FAT32 partition FreeDOS boot record to device
    -5, --fat16free Write a FAT16 partition FreeDOS boot record to device
    -6, --fat16     Write a FAT16 partition DOS boot record to device
    -n, --ntfs      Write a NTFS partition Windows 7 boot record to device
    -o, --fat16ros  Write a FAT16 partition ReactOS boot record to device
    -c, --fat32ros  Write a FAT32 partition ReactOS boot record to device
    -q, --fat32kos  Write a FAT32 partition KolibriOS boot record to device
    -l, --wipelabel Reset partition disk label in boot record
    -p, --partition Write partition info (hidden sectors, heads and drive id)
                    to boot record
    -H, --heads <n> Manually set number of heads if partition info is written
    -B, --bps <n>   Manually set number of bytes per sector (default 512)
    -O, --writeoem <s>   Write OEM ID string <s> to file system
    -S, --writewds <x>   Write Windows Disk Signature hexadecimal <x> to MBR
    -7, --mbr7      Write a Windows 7 MBR to device
    -i, --mbrvista  Write a Windows Vista MBR to device
    -m, --mbr       Write a Windows 2000/XP/2003 MBR to device
    -9, --mbr95b    Write a Windows 95B/98/98SE/ME MBR to device
    -d, --mbrdos    Write a DOS/Windows NT MBR to device
    -s, --mbrsyslinux    Write a Syslinux MBR to device
    -t, --mbrgptsyslinux Write a Syslinux GPT MBR to device
    -a, --mbrreactos     Write a ReactOS MBR to device
    -k, --mbrkolibrios   Write a KolibriOS MBR to device
    -r, --mbrrufus  Write a Rufus MBR to device
    -g, --mbrgrub4dos    Write a Grub4Dos MBR to device
    -b, --mbrgrub2  Write a Grub 2 MBR to device
    -z, --mbrzero   Write an empty (zeroed) MBR to device
    -f, --force     Force writing of boot record
    -h, --help      Display this help and exit
    -v, --version   Show program version
    -w, --write     Write automatically selected boot record to device

    Default         Inspect current boot record

Warning: Writing the wrong kind of boot record to a device might
destroy partition information or file system!

Examples of use in inspection mode (typical results on a pure UEFI system):

# ms-sys /dev/sda                # MBR of an UEFI-bootable disk
/dev/sda has an x86 boot sector,
it is a zeroed non-bootable master boot record, like the one this
program creates with the switch -z on a hard disk device.

# ms-sys /dev/sda1              # PBR of an UEFI ESP
/dev/sda1 has a FAT32 file system.
/dev/sda1 has an x86 boot sector,
it is an unknown boot record
The OEM ID is mkfs.fat

2

Another way to find out the MBR technology is the bootinfoscript that was originally published on SourceForge.

It seems that bytes 0x80 and 0x81 can be used to identify the MBR code:

  case ${Bytes80_to_81} in
    0069) BST='ISOhybrid (Syslinux 3.72-3.73)';;
    010f) BST='HP Recovery';;
    019d) BST='BSD4.4: FAT32';;
    0211) BST='Dell Utility: FAT16';;
    0488) BST="Grub2's core.img";;
    # (remaining entries of the table omitted in this excerpt)
  esac

bootinfoscript#L2595

The following command reads bytes 0x80 and 0x81 from disk:

sudo hexdump -v -s 0x80 -n 2 -e '2/1 "%02x" "\n"' /dev/sdXY
#   hexdump - ASCII, decimal, hexadecimal, octal dump
#       -v               => Cause hexdump to display all input data.
#       -s offset        => Skip offset bytes from the beginning of the input.
#       -n length        => Interpret only length bytes of input.
#       -e format_string => Specify a format string to be used for displaying data:
#           2/1    => Iteration count / byte count: apply the format 2 times, consuming 1 byte each time.
#           "%02x" => Print each byte as two zero-padded hex digits, so the output matches table keys such as 0069.
#           "\n"   => Append line break
#       /dev/sdXY        => Input file.

Source and case table in the German ubuntuusers wiki.

0

You could copy the first few KiB of the disk/partition to a file, and then let strings(1) or perhaps objdump(1) loose on that to find out what is in there.
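An added example (not part of any answer above) that combines the approaches on this page: it extracts printable strings from the 446-byte code area as strings(1) would, matches them against a small marker table, and reads the partition-type bytes to tell a protective MBR from a hybrid one. The marker table, the function names and the sample sector are assumptions constructed for illustration; on a real disk, pass in the first 512 bytes of the device.

```python
import re

CODE_LEN = 446        # boot code area (the "first 446 bytes" of the question)
TABLE_OFF = 446       # four 16-byte partition entries follow the code
# Marker strings: the first is quoted on this page; "GRUB" is an assumption
# about what GRUB's boot image embeds. Extend the table for other loaders.
MARKERS = [
    (b"Invalid partition table", "Microsoft-style MBR code"),
    (b"GRUB", "GRUB"),
]

def printable_strings(data, min_len=4):
    """Return runs of printable ASCII, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify_mbr(sector):
    """Inspect one 512-byte sector 0 and describe its boot code and layout."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    code = sector[:CODE_LEN]
    # Byte 4 of each 16-byte entry is the partition type; 0xEE marks GPT.
    types = [sector[TABLE_OFF + 16 * i + 4] for i in range(4)]
    used = [t for t in types if t != 0x00]
    if 0xEE in used:
        layout = "hybrid" if len(used) > 1 else "protective"
    else:
        layout = "plain MBR"
    if not any(code):
        guess = "empty (zeroed) boot code"
    else:
        guess = next((name for marker, name in MARKERS if marker in code),
                     "unknown boot code")
    return {"signature_ok": sector[510:512] == b"\x55\xaa",
            "layout": layout, "partition_types": types,
            "guess": guess, "strings": printable_strings(code)}

def sample_sector():
    """Constructed test data, not a real disk image."""
    msgs = (b"Invalid partition table\x00Error loading operating system\x00"
            b"Missing operating system\x00")
    code = (b"\x33\xc0\x8e\xd0" + msgs).ljust(CODE_LEN, b"\x00")
    entries = b"".join(bytes([0, 0, 0, 0, t]) + bytes(11)
                       for t in (0xEE, 0xAF, 0x83, 0x00))
    return code + entries + b"\x55\xaa"

if __name__ == "__main__":
    print(classify_mbr(sample_sector()))
```
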
