I have a XP CD here that I have been using to do various installs. Since the next closest available XP CD that I have access to currently is about a thousand miles away in Tennessee (I'm in Mauritania). So, I would like to have a copy of this one.
Making a straight copy is easy enough, except the sand eats all discs here and I don't really want a disc anyhow. I just want to be able to make one.
With linux this is pretty easy to pull off.
dd if=/dev/scd0 of=isos/win_xp.iso
will give me a iso image that I can verify is good by doing:
mount -o loop win_xp.iso /mnt/winxp/
When I get ready to burn it I just do:
cdrecord -v speed=2 dev=0,0 ~will/isos/win_xp.iso
This is all fine and good, but I would like to keep the key with the disc. My initial idea was just to mount the iso image and try writing into it. The structure of an iso though prevents this from working. A simple solution is just to copy the files out and make a new iso. The problem? The disc is bootable and it won't be if I just make a new image. I need to copy the boot image out and put it in the new one.
Wanting to understand rather than just downloading an El Torito XP boot image off the internet too me to the standard.
"The Yellow Book defines the logical structure of a CD-ROM as having 333,000 sectors of 2,352 bytes each. 2,048 bytes of each sector are available for user data, and the other 304 bytes are reserved for things like sync, header, error correction and error detection code."
"The first 15 sectors are unused, with Sector 16 containing the Primary Volume Descriptor (PVD). On ISO9660 discs it always starts with the characters 'CD001'."
When I use hexedit win_xp.iso and search for
"CD001" it is at 0x8001 (2048 * 16 + 1), so all is good. I can
also do:
dd bs=1 count=5 skip=$(((v=16 * 0X800 + 1));echo $v)
if=/dev/scd0 2> /dev/null; echo
"The El Torito Specification adds two entries to the CD-ROM. These are the Boot Record and the Boot Catalog. A Boot Record Volume Descriptor reside at Sector 17 of the CD, which serves as a Secondary Volume Descriptor. The CD001 header of the Boot Record Volume Descriptor indicates that this disc is an ISO 9660 CD-ROM; the EL TORITO SPECIFICATION identifies the disc as one that is potentially bootable."
hexdump -C -n30 -s$(((v=17 * 0x800 + 1));echo $v) /dev/scd0
shows
00008800 00 43 44 30 30 31 01 45 4c 20 54 4f 52 49 54 4f |.CD001.EL TORITO| 00008810 20 53 50 45 43 49 46 49 43 41 54 49 4f 4e 00 00 | SPECIFICATION..| 00008820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00008840 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 00 |................| 00008850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00008a00 fa 33 c0 8e d0 bc 00 7c 8b f4 8e c0 8e d8 fb eb |.3.....|........| 00008a10 51 43 44 2d 52 4f 4d 20 6e 6f 74 20 62 6f 6f 74 |QCD-ROM not boot| 00008a20 61 62 6c 65 20 6f 6e 20 74 68 69 73 20 73 79 73 |able on this sys| 00008a30 74 65 6d 2e 52 65 6d 6f 76 65 20 43 44 2d 52 4f |tem.Remove CD-RO| 00008a40 4d 20 61 6e 64 20 70 72 65 73 73 20 45 4e 54 45 |M and press ENTE| 00008a50 52 20 6b 65 79 20 74 6f 20 63 6f 6e 74 69 6e 75 |R key to continu| 00008a60 65 2e bd 11 7c b4 13 b0 00 b9 23 00 b6 00 b2 00 |e...|.....#.....| 00008a70 b7 00 b3 07 cd 10 bd 34 7c b4 13 b0 00 b9 2e 00 |.......4|.......| 00008a80 b6 01 b2 00 b7 00 b3 07 cd 10 b4 00 cd 16 3c 00 |..............<.| 00008a90 74 f8 80 fc 1c 75 f3 ea f0 ff 00 f0 00 00 00 00 |t....u..........| 00008aa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00009000
The spec gives this breakdown (offset from the beginning of sector 17 at 0x8801):
| Offset | Type | Description | Value |
|---|---|---|---|
| 0 | Byte | Boot Record Indicator, must be 0 | 0 |
| 1-5 | Byte | ISO-9660 Identifier, must be "CD001" | CD001 |
| 6 | Byte | Version of this descriptor, must be 1 | 1 |
| 7-26 | Byte | Boot System Identifier, must be "EL TORITO SPECIFICATION" padded with 0’s | EL TORITO SPECIFICATION |
| 27-46 | Byte | Unused, must be 0 | 0 |
| 47-4A | Dword | Absolute pointer to first sector of Boot Catalog | 0x00000013 |
| 4A-7FF | Byte | Unused, must be 0 | There's some gobbeldy gook here that I assume is error handling from the looks of it |
The important value is the pointer to the boot catalog which is 0x13. It is in this sector that we look next:
hexdump -C -n32 -s$(((v=0x13 * 0x800));echo $v) win_xp.iso
00009800 01 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 43 6f |....Microsoft Co| 00009810 72 70 6f 72 61 74 69 6f 6e 00 00 00 4c 49 55 aa |rporation...LIU.|
| Offset | Type | Description | Value |
|---|---|---|---|
| 0 | Byte | Header ID that to indicate that a boot catalog is present on the disc. Must be 01 | 01 |
| 1 | Byte | Platform ID | 0 (80x86 platform id) |
| 1 (Power PC platform id) | |||
| 2 (Mac platform id) | |||
| 2-3 | Word | Reserved as 0 | 0 |
| 4-1B | Character | Manufacturer ID | Microsort Corporation |
| 1C-1D | Word | Checksum (The sum of all the words in this record should be 0) | 0x494C |
| 1E | Byte | Key value, must be 55 | 55 |
| 1F | Byte | Key value must be AA | AA |
hexdump -C -n16 -s$(((v=0x13 * 0x800 + 0x20));echo $v) win_xp.iso
00009820 88 00 00 00 00 00 04 00 25 01 00 00 00 00 00 00 |........%.......|
| Offset | Type | Description | Value |
|---|---|---|---|
| 0 | Byte | Boot Indicator | 0 (not bootable) |
| 88 (bootable) | |||
| 1 | Byte | Boot Media Type | 0 (no emulation) |
| 1 (1.2mb disk) | |||
| 2 (1.44mb disk) | |||
| 3 (2.88mb disk) | |||
| 4 (hard drive) | |||
| 2-3 | Word | Load segment for image. If 0 use traditional 0x7C0 | 0 |
| 4 | Byte | System type (same as byte 5 of partition table in image) | 0 |
| 5 | Byte | Unused | 0 |
| 6-7 | Word | Sector count of virtual/emulated sectors to store at the load segment during boot | 0x0400 |
| 8-B | Dword | Load RBA (start address of the virtual disk) | 0x00000125 |
| C-1F | Byte | Unused | 0 |
Next there could be section entries which would define alternate boot images for things like multiple platforms or languages or whatever. There aren't any though.
The most important value in that last bit is the Load
RBA. It tells the offset of the beginning of the image on
the disc. Note that the double word was composited by collating
the bytes in reverse. 25 01 00 00 makes
0x125. I can use this offset to extract the
image:
dd if=win_xp.iso of=xp_boot.img bs=2048 count=1 skip=$((0x125))
And the md5sum matches what I found on the internet, so I am good.
As long as I am at it I guess I will "slipstream" the first service pack into it and set up an unattended install…