
Help needed with Vista recovery MBR


comcc


Hi All,

I hope someone here knows a way to help me with my problem. Let me start by saying that I DID NOT create the system restore DVDs when I got my PC (DOH!).

I have a Compaq desktop computer (SR5433) with Windows Vista Home Premium that I was using to try out Ubuntu 8.04. I unintentionally overwrote the hard drive MBR with GRUB during the install of Ubuntu to a second hard drive I added. I made the mistake of thinking that my factory hard drive would be left alone and I would be able to boot to the OS of my choice by changing the boot order in the BIOS.

Anyway, after I removed the second hard drive I learned of my error as I was no longer able to boot Vista. I started trying to use EasyBCD to "fix" the mess I had made and following a number of posts recommending that I use the Vista Recovery Disc (not provided by Compaq with my PC) to run the "bootrec.exe /fixmbr command". Doing this allowed me to boot Vista normally. I was also able to access the factory recovery partition by setting it to Active and perform a "full" system restore.

I then made a backup of my boot sector using an Ubuntu Live CD to "sudo dd if=/dev/sda of=~/mbr.bin bs=512 count=63" (count=63 to be sure I got any other pieces that might still be there) then copied it to a network share. I then used a DOS floppy boot disk with Dan Goodell's MBRSAVER.exe to save the MBR and partition table. I also made a boot sector backup from another similar Compaq PC. I restored the backup from the other PC to my PC and then put my partition table back using MBRSAVER.

At this point, I can access the recovery partition from the Vista Boot Menu and press F8, but pressing F11 at bootup to access the recovery partition does not work. I am not able to create the factory system recovery disks either. When I try to run the Recovery Disc Creation software from Vista to create the recovery DVDs I get the error "The recovery partition could not be found. Exit PC Recovery Disc Creator and contact HP support". When I try to use Recovery Manager to restore to factory condition I get the error "The system does not have a recovery partition" and then prompts me to run the recovery from the recovery disk set.

The only option HP support offers is to get the recovery discs from them. I am not quite ready to go that route, and I am hoping someone here knows a way to repair the boot sector/MBR to allow the factory recovery options to work properly again. I looked at the first 63 sectors from both of the backups that I have and it looks like there may be DMI information stored there including the hard drive model and serial number. There is an SMINST directory on my hard drive that has most of the recovery programs including a file named boot.img that looks like it might be part of a boot CD image that the factory uses to set up the hard drive, but I have no idea how to use it to repair my PC. I am unable to think of what else I can do at this point, other than order the Compaq recovery disks and pray that they will repair the damage I did.

Here is a sample from the boot.img file:

Manufacturer Menu:
<1> clear the partition table of drive 1
<2> erase the Master Boot Record of drive 1
<3> wipe all sectors of drive 1
<4> Install ST Master Boot Record
<A> Install Standard Master Boot Record
<S> Save DMI Sysinfo to drive 1
<T> Test the system RAM for defects
<ESC> restart this CDROM

Erasing hard drive. Press <ESC> to cancel
MB done; MB left
Please enter the size in MB for the SmartImage partition

Create a SmartImage partition:
<1> at the BEGINNING of the drive
<2> at the END of the drive
-RECOVERYSMIMG
ROM fake 1.0 by XSS, ©2002 SoftThinks
[CDBootLoader]
DeleteAllPartitions=1
ROM Fake installed at segment
ROM Fake code size in Bytes is
ROM Fake total size in Bytes is
Tried to find: in:
Tried to find one of:
...in:
Storing DMI Sysinfo to the hard drive
Press a key to reboot.

Link to comment
Share on other sites


I have also encountered problems restoring SoftThinks MBR to allow the function key to properly boot into the WinRE, however since we/I am a customer of theirs, and knowing how they operate (via our intermediary) and also how making this option work involved reverse engineering their software (used to put the recovery partition on the drive originally/because they offer no custom support without large fees), I decided it was not worth the effort.

However, I do know that the recovery partition needs to be hidden, have no drive letter, and have an ID of 12. You CAN set this with diskpart. The main issue is because SoftThinks' Vista recovery uses WinRE, it switches the drive types and priorities when that option is selected. Simply putting the key in (ie F11) and specifying it to boot off the WinRE partition is not enough, there is other BCD logic in there.

Perhaps reading up on WinRE will help you out.

I'd like to add that it is pretty silly that SoftThinks' Vista recovery solution is merely a customized/automated WinRE solution. :sneaky:

Link to comment
Share on other sites

Thanks for the response. I actually read about some of your problems earlier this year regarding this issue while I was trying to find a solution to my problem. I will try the points you mention to see if that is what I need to fix this, but I am reasonably certain I will need to add at least some information back into the MBR in order for the factory recovery F11 key and the Recovery Disc Creator to work. I really don't mind that the F11 key does not work, if I could just make the recovery discs.

Link to comment
Share on other sites

Well, I tried removing the drive letter assignment and using ptedit to set the partition type to 12. No change as far as the recovery process and Disc Creator are concerned. I also checked on another Compaq machine that is almost the same. The partitions on that one are both type 07 and the recovery partition is assigned drive D: by Vista. The recovery process on that one still works properly. I am going to do more analysis of the MBR on that one and see if I can determine how the drive check logic actually determines whether or not the drive contains a valid recovery partition. Thanks again for your suggestions. BTW, I think the factory uses a file named xss.exe to collect/build the MBR DMI information, as there are several references to that .exe within the different files on the recovery partition.

Link to comment
Share on other sites
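Added example, not part of any post in this thread: a small Python reader for a track-0 dump like the one made with dd in the first post. It decodes the partition table (type byte and active flag, the fields changed with diskpart and ptedit above) and lists which sectors after the MBR are non-empty. The sample dump is constructed, and reading the thread's "12" and "07" as hex type bytes is an assumption.

```python
import struct

SECTOR = 512
# Partition type bytes named in the thread, read as hex (assumption).
TYPE_NAMES = {0x00: "empty", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x12: "OEM recovery/diagnostics"}
# One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(sector0):
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector0, 446 + 16 * slot)
        entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, "other"),
                        "lba_start": lba, "sectors": count})
    return entries


def used_gap_sectors(dump):
    """Sectors after sector 0 in the dump that hold any non-zero byte."""
    total = len(dump) // SECTOR
    return [n for n in range(1, total)
            if any(dump[n * SECTOR:(n + 1) * SECTOR])]


def build_sample():
    """Constructed 63-sector dump: two partitions, marker data in sector 3."""
    dump = bytearray(63 * SECTOR)
    ENTRY.pack_into(dump, 446, 0x80, 0x07, 63, 200000)      # active, type 07
    ENTRY.pack_into(dump, 462, 0x00, 0x12, 200063, 20000)   # type 12
    dump[510:512] = b"\x55\xaa"
    dump[3 * SECTOR:3 * SECTOR + 8] = b"SAMPLEID"            # stand-in data
    return bytes(dump)


def describe(dump):
    """Human-readable summary lines for a track-0 dump."""
    lines = []
    for e in parse_mbr(dump[:SECTOR]):
        if e["type"]:
            lines.append("slot %d: type 0x%02X (%s), %s, start LBA %d, %d sectors"
                         % (e["slot"], e["type"], e["name"],
                            "active" if e["active"] else "inactive",
                            e["lba_start"], e["sectors"]))
    lines.append("non-empty sectors after the MBR: %s" % used_gap_sectors(dump))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(build_sample())))
```

To inspect a real backup, pass the bytes of the dump file to `describe()` in place of `build_sample()`.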

Well, I tried removing the drive letter assignment and using ptedit to set the partition type to 12. No change as far as the recovery process and Disc Creator are concerned. I also checked on another Compaq machine that is almost the same. The partitions on that one are both type 07 and the recovery partition is assigned drive D: by Vista. The recovery process on that one still works properly. I am going to do more analysis of the MBR on that one and see if I can determine how the drive check logic actually determines whether or not the drive contains a valid recovery partition. Thanks again for your suggestions. BTW, I think the factory uses a file named xss.exe to collect/build the MBR DMI information, as there are several references to that .exe within the different files on the recovery partition.

Yes, the reason why my previous threads (here) on this subject seemed to have just stopped was because I took all further research into a private forum. I have also tried multiple programs (3 or 4 different) to capture the MBR and then reapply it, but the results never came out properly. For my case, the recovery partition used the old PE (1.5 for XP) and I was testing on whether we could apply our images with the recovery partition with Imagex instead of Ghost. So I've tried the ones that copy the MBR and ones that let you custom write it. My testing method was as follows:

1. Image a machine using Ghost, which contained the recovery partition.

2. Capture the MBR

3. Use Imagex to capture both the System (NTFS) and Recovery (FAT32) partition.

4. Create custom diskpart script to set the drives up as Ghost makes them.

5. Format the drive and redeploy images using Imagex, and using custom diskpart script.

Windows always booted afterwards. I could confirm that the recovery partition was intact, had all the correct files and the correct settings, but the key to enter it never worked. If I manually set the key (using one of the MBR programs) I would get the recovery message "Protected by x" or "Press key to start recovery" but when it tried to boot to that partition, it gave either OS not found type message or a stop error.

The program you are referring to, relating to XSS.exe is actually NOT the name of that program. XSS is the company name, the real name of the program is MBRINST.EXE. It is possible to get ahold of this program, but it is largely undocumented. You can find it on HP's site, it is included in a fix for Vista's ability to boot to the internet, HotStart I think but not sure. You're going to have to find this program yourself, I won't help you besides that.

Proper use of the program requires switches via the cmdline. It is actually a GUI based app but there are things that are needed to be done via a switch that is not in the GUI. Now, SoftThinks does not actually have this program in either the CD that creates the partition, or on the partition itself. This program is loaded via memory, either its functions are built into its software, or it builds the app in memory when it needs to write to the MBR. In fact, at the time of the creation of the recovery partition, their software creates a dump file that sits in the recovery partition. I can't remember the name of it exactly, but I think it has 'mbr' in the name. This is the file that the software uses to write to the MBR. So, using the app or libraries built in, the cmdline needs to be something like this:

mbrinst /mbr [filename.ext] /UnknownSwitch

The reason for this is because MBRINST would return the following:

MBRInst. Programmed for SoftThinks (c)2001-2005
Hard drive #0 is "\\.\Physicaldrive0"
using "\\.\Physicaldrive0" for MBRInst
>installing new master boot record (MBR1STD (one sector, standard MBR, bo ***
Master boot record installed successfully.
>Updating recovery partition boot record
! WARNING: Recovery partition could not be located

*** = it had more text here but it's not applicable to this post.

So as a conclusion, in order to run this program properly, there must be an INI (there is an INI also called mbrinst.ini) that is created in memory that specifies the recovery partition location OR a cmdline switch is used to point to the correct partition. I stopped at this point because I did not want to rebuild their Creator CD using debugging tools (like ProcMon for example) because even if I were able to get it to work, it would not be legal for us to use it that way.

Link to comment
Share on other sites

AFAIK the MBR used in those machines has "special" code that allows the use of F11.

From the menu you posted it seems to me like this "special" MBR is option "4", while the "normal" one is option "A".

Since you already have a backup of first 63 sectors (partially working) and the means to restore them, you could try using option "4".

@Tripredacus

Actually you "vanished" from the original thread:

http://www.msfn.org/board/Create-Recovery-....html&st=26

leaving an open question.

Did you try using the SELM parameter? :unsure:

And how?

jaclaz

Link to comment
Share on other sites

@Tripredacus

I think it is likely that there is a checksum of some type performed on the MBR code to verify that the drive is indeed the correct one. I found several spots in BOTH of the MBRs that I have access to that look like that may be the case. Your assertion that the MBRInst.exe program is now built in RAM seems reasonable, as I have not been able to find anything that looks like it in the digging that I have done. I will look for the HP update you are referring to in the hopes that it may shed some light on how this process works.

@jaclaz

I agree with your statement about the menus, but that menu is from a file that I have no way to use beyond reading it (so far). I am not able to execute that menu in any way that I am yet aware of. I tried burning it to a CD as a bootable CD image and when I tried to boot from it nothing happened. I will try renaming it to an .exe and see what that does. I am also going to try making a bootable floppy using that file as the bootsector.

I will post my findings here.

Link to comment
Share on other sites
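Added example, not part of any post in this thread: one way to locate the "spots" that differ between two track-0 backups, such as the two 63-sector dumps described above. It reports differing byte ranges inside sector 0, grouped by the standard MBR regions, and which later sectors differ at all, which separates shared boot code from per-machine data. Both dumps and their contents are constructed.

```python
SECTOR = 512
# Standard layout of sector 0 (half-open byte ranges).
REGIONS = [("boot code", 0, 440), ("disk signature", 440, 444),
           ("reserved", 444, 446), ("partition table", 446, 510),
           ("boot signature", 510, 512)]


def diff_ranges(a, b):
    """Return [(start, end)] half-open ranges where a and b differ."""
    ranges, start = [], None
    length = min(len(a), len(b))
    for i in range(length):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, length))
    return ranges


def compare_dumps(a, b):
    """Summarise where two track-0 dumps differ."""
    report = {"sector0": {}, "other_sectors": []}
    for name, lo, hi in REGIONS:
        found = diff_ranges(a[lo:hi], b[lo:hi])
        if found:
            # Convert region-relative offsets back to sector-0 offsets.
            report["sector0"][name] = [(lo + s, lo + e) for s, e in found]
    for n in range(1, min(len(a), len(b)) // SECTOR):
        if a[n * SECTOR:(n + 1) * SECTOR] != b[n * SECTOR:(n + 1) * SECTOR]:
            report["other_sectors"].append(n)
    return report


def build_pair():
    """Two constructed 63-sector dumps sharing most of their boot code."""
    a = bytearray(63 * SECTOR)
    a[0:440] = bytes(i % 251 for i in range(440))   # filler "boot code"
    a[440:444] = b"\x11\x22\x33\x44"                # disk signature A
    a[510:512] = b"\x55\xaa"
    a[5 * SECTOR:5 * SECTOR + 10] = b"SERIAL-AAA"    # stand-in per-machine data
    b = bytearray(a)
    b[200:204] = b"\xde\xad\xbe\xef"                # 4 bytes that differ
    b[440:444] = b"\x55\x66\x77\x88"                # disk signature B
    b[5 * SECTOR:5 * SECTOR + 10] = b"SERIAL-BBB"
    return bytes(a), bytes(b)


if __name__ == "__main__":
    rep = compare_dumps(*build_pair())
    for region, spans in rep["sector0"].items():
        print(region, ["0x%03X-0x%03X" % (s, e - 1) for s, e in spans])
    print("other differing sectors:", rep["other_sectors"])
```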

No luck with making the boot.img into an .exe file. Same story with trying to use it as a floppy boot disc (not a FAT12 image). I was able to find the MBRInst.exe and MBR.ini. I have seen some of the same info in the files on my recovery partition, so if I can piece together the sequence, I think I have a decent chance of getting this worked out. I will keep you posted.

Link to comment
Share on other sites

comcc,

Seeing as the app tells you to contact HP support, have you attempted to contact HP support? They may have an app that can recreate the recovery partition.

Has anyone ever attempted to pick apart the recovery discs? I have a full IBM recovery disc that recreates the hidden partition and re-enables the F11 function. I may have to dig around there this weekend and see what I can come up with!

Link to comment
Share on other sites

Sorry, I had taken for granted that you actually mounted the boot.img; instead you "peered" in it with a hex editor or a plain editor? :unsure:

.img is a conventional extension given to disk images (typically .ima is for floppy disks and .img for hard disk images - but it's not "compulsory")

How big is the "boot.img"? (in Bytes)

Have you tried accessing it with Winimage or mounting it with VDK?

Winimage:

http://www.winimage.com/

VDK:

http://chitchat.at.infoseek.co.jp/vmware/vdk.html

Pseudo-GUI for VDK:

http://home.graffiti.net/jaclaz:graffiti.n...ts/VDM/vdm.html

jaclaz

Link to comment
Share on other sites

Actually you "vanished" from the original thread

This was because I started getting into confidential business information the further along I went. It would not have been legal for me to continue posting about it here the more I learned.

As far as my requirement, there were two options. There was the message that appeared on the screen, a protection notice. When this notice was on the screen for five seconds, you could press F10 to boot to the recovery partition. There was also a stealth option, where pressing the 'R' key would ALSO boot into the recovery partition.

Your assertion that the MBRInst.exe program is now built in RAM seems reasonable, as I have not been able to find anything that looks like it in the digging that I have done.

I guessed this because I found function calls to MBRInst in the INIs and code in the recovery builder. The recovery builder is also inside the recovery partition. It has the capability of either running a recovery OR creating/updating the partition. The second option is triggered IF a License UFD is connected to the system AND the partition has been activated. If the partition is not activated, it would give you a message saying you are not authorized to use the software. Anyways, I wasn't too concerned with spoofing the licenses because we have access to them, and blowing up licenses and partitions is perfectly fine for me!

Got off track there. The builder set (the thing I have that you don't) shows me the following process. The software determines what information is to go into the MBR. This is based on the options that you select during the partition creation. It then writes an INI file into the recovery partition. Then it calls MBRINST.EXE to use the INI file to write to the MBR. The file remains on the partition in the event that an update or recreate is performed. I've searched the CDs, the partitions (I have 2 different for testing) using string searches, Ghost Explorer, mounting via imagex and can find no actual application called MBRINST.EXE nor any provided by XSS. When I got to the point where my next step was to create a new recovery creator, but inserting debugging tools, I had stopped. I brought it up in a meeting about where I was at, and since any further work would be reverse-engineering, it was determined that it would violate our agreement with SoftThinks. It is my theory that the MBRInst is either created in memory OR that its functions (the DLL does exist) are built into the software.

Has anyone ever attempted to pick apart the recovery discs? I have a full IBM recovery disc that recreates the hidden partition and re-enables the F11 function. I may have to dig around there this weekend and see what I can come up with!

I've tried to do this. The funny thing is that SoftThinks uses the Windows OPK to create the recovery discs. Concerning the ones I have (XP Pro) they use the WinPE 1.5. The CD boot process is different than the WinPE 2.0, as such I haven't figured it out. Basically these CDs are the same as the Unattend CDs we have for XP, but they do not use the startnet.cmd, the winbom.ini or any other standard unattend files as the XP install does, so I haven't been able to trace the actual process. For example, I can see that when the partition loads, it runs startnet.cmd, but its only command is winpe -factory. I would need to determine what that cmd actually loads. I know that winpe -factory isn't their software, but their software is the first thing that loads up.

Link to comment
Share on other sites

@TheReasonIFail

I tried contacting HP (Compaq) support. Their response was: "You can order the Recovery CDs if you would like." Not really much help. I don't mind doing that, and I probably will have to if I am not able to fix this myself, but I really would like to know *HOW* this works as well as being unable to guarantee that the recovery discs from HP will indeed work. If you search the web you will find dozens, if not hundreds, of reports that the recovery discs directly from HP often do not work, only work partially, leave some software uninstalled, or even refuse to work at all claiming the machine in question is not the correct one, sometimes leaving the owner in worse shape than before they tried to restore the PC.

As for trying to "pick apart" the recovery discs, that is more or less what I am trying to do with the factory recovery partition, just without the discs.

@jaclaz

I have tried using both hex editors and plain text editors to look at the boot.img file (as well as many others on the PC, both on the recovery partition and on the user partition). I have tried numerous different programs (WinImage, IsoBuster, PowerIso, ImgBurn, anything else that I had that came to mind) to try to mount the image or access it in a normal fashion, but so far nothing I have tried recognizes/understands the boot.img file format. All the programs report that the image is unreadable, corrupt, unknown, or something similar. I will attach the file for you if you would care to have a look. It is only 94KB.

@Tripredacus

Thanks for the additional info and insight. I have the Windows XP OPK, so if you think I might be able to use that or something from it to rebuild the MBR on my PC, please feel free to let me know what you have in mind.

bootimg.zip

Link to comment
Share on other sites

I spent the last several hours trying different changes to the MBR without making any real progress. Unless there is some sort of key or checksum written to the MBR, I am running out of things to try in the MBR. I had not thought of this before, but now I am thinking that there may be something embedded in the boot sector of the recovery partition logical drive. I am going to look at that next, but I need to get some sleep tonight.

Link to comment
Share on other sites

From the boot image file you posted, it seems to me:

1) it's a boot CD image of some kind (the text CDBOOT is present a number of times)

2) the size is a multiple of 2048 (size of the CD sector)

I would try to make a bootable .iso with it and test the result in Qemu (or other VM) - I would try several ones as they tend to be "picky" when it comes to .iso booting

I would use mkisofs.exe with something like:

mkisofs -v -iso-level 3 -l -D -d -J -joliet-long -R -sysid "Win32" -b boot.img -no-emul-boot -boot-load-seg 0x1000 -allow-multidot -hide boot.img -hide boot.catalog -o .mytest.iso SMINST

or

mkisofs -v -iso-level 3 -l -D -d -J -joliet-long -R -sysid "Win32" -b boot.img -no-emul-boot -boot-load-size 47 -boot-info-table -allow-multidot -hide boot.img -hide boot.catalog -o .mytest.iso SMINST

(just ideas, mind you ;))

jaclaz

Link to comment
Share on other sites
