Backup Truecrypt bootloader in MBR using dd

Truecrypt system encryption of a Windows partition uses the first 512 B (sector 0, the MBR) for the bootloader; the next 2048 B (sectors 1–5) should hold the decompressor software and the next 29 184 B (sectors 5–61) the compressed Truecrypt boot loader. Because the hard drive geometry is assumed to have 63 sectors per track, the last sector of the first track (sector no. 62) contains the system partition volume header. (Very important, because without it the partition cannot be mounted. For non-system encrypted partitions, the volume headers are backed up at the beginning and end of the partition.)

Boot into your favourite GNU/Linux distribution, a Live CD, or even a VirtualBox machine from within the active Windows session if you use a VMDK to access physical partitions instead of image files:

cmd
cd "C:\Program Files\Oracle\VirtualBox"
VBoxManage internalcommands listpartitions -rawdisk \\.\PhysicalDrive0
VBoxManage internalcommands createrawvmdk -filename Linux.vmdk -rawdisk \\.\PhysicalDrive0 -partitions 3 -mbr mbr.img

assuming the default VirtualBox install path, using PhysicalDrive0, and choosing, from the list printed by the first VBoxManage command, the partition numbers that should be available to the guest VM. The fake MBR replaces the real MBR reserved for the host OS if we actually want to run the virtualized guest OS from the hard disk. Not yet having the fake MBR is a chicken-and-egg problem, so we can stick with the virtualized LiveCD having access to the physical disk: skip the -mbr part of the last command, then create the virtual machine in the VirtualBox GUI and run the LiveCD (I use Linux Mint 13 Mate edition).

We can mount a USB flash disk in the virtual machine first, to get the backup of the MBR and bootloader back into the host system, or we can just send it over the shared network. Then, in a terminal console, we use dd to copy the necessary bytes to a file. It is very important to use the proper source and destination based on the naming scheme of disks and partitions on YOUR system; a wrong setting can screw up a lot :-) To confirm the correct disks and partitions, you can first use

sudo parted
> print list
 (seeing all the disks and partitions)
> quit

and then copy the first 63 sectors of the hard disk into a file on the mounted flash disk, for example:

sudo dd if=/dev/sda of=/mnt/sdb1/bootloader.img bs=512 count=63

where /dev/sda is the correct hard disk address obtained from the GNU parted "print list" command, and /mnt/sdb1 is the location where the flash drive was mounted beforehand. You should get a response like

63+0 records in
63+0 records out
32256 bytes (32 kB) copied, 0.000934103 s, 34.5 MB/s

  • To copy just the first sector with the MBR, including the partition table, change count=63 to count=1 (and perhaps use a different output file name like mbr.img).
  • To do the same but exclude the primary partition table, use just bs=446.
  • To back up just the Truecrypt system encrypted partition header, use count=1 and the additional parameter skip=62.

In case you or some installer damages these first 63 sectors of the hard disk, you can boot into the LiveCD Linux again and rewrite the sectors back from the backup by swapping "if" and "of". Warning again: it is dangerous for various reasons:

  • if you omit or set incorrectly the bs/count/skip values, the command can easily overwrite the whole hard disk without any warning,
  • by setting the output not to the root of the disk (e.g. sda) but to a partition (sda1), you overwrite the first sectors of that partition, not the space before them :-)
  • the first 440 to 446 bytes of the 512-byte first sector contain the bootstrap code, followed by 64 bytes with the partition table of the first 1 to 4 "primary partitions", with information about the sector numbers where these partitions begin and end. It is not a good idea to change the partition locations and then restore the original MBR, because the restored partition table will point to very different places :-) To prevent this, it may be useful to restore only the first 446 bytes by using bs=446. Optimally, a manual restoration of the Truecrypt MBR + bootloader should restore only the first 446 bytes of the first sector and then continue from the first byte of the second sector, keeping the current partition table intact.
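The backup from above and the partition-table-preserving restore described in the last bullet, wrapped in POSIX shell functions with the checks the bullets ask for. This is an added example, not code from the original post; it assumes the 63-sector first track the post describes, and the "disk" argument may be a real block device or, for a rehearsal, a plain image file (dd treats both the same). The whole-disk-versus-partition check is a heuristic for the /dev/sdX naming scheme the post uses and is an assumption; it would wrongly reject a whole disk whose name ends in a digit, such as an NVMe device.

```sh
#!/bin/sh
# Added example, not from the original post: the post's dd commands wrapped in
# functions with preflight checks. "disk" may be a block device such as
# /dev/sda or, for a rehearsal, an ordinary image file (dd treats both alike).
set -u

SECTOR=512
TRACK_SECTORS=63       # sectors 0..62: MBR, decompressor, compressed loader, volume header
BOOTSTRAP_BYTES=446    # bootstrap code area; the partition table begins at offset 446

# Succeed if bytes 510..511 of sector 0 are the 55h AAh MBR signature.
has_mbr_signature() {
    sig=$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Size in bytes of a regular file (do not call this on a block device).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Backup: the dd from the post, sectors 0..62 of disk $1 into image file $2.
backup_first_track() {
    disk=$1; out=$2
    has_mbr_signature "$disk" || { echo "no MBR signature on $disk, refusing" >&2; return 1; }
    dd if="$disk" of="$out" bs=$SECTOR count=$TRACK_SECTORS 2>/dev/null || return 1
    [ "$(file_size "$out")" -eq $((SECTOR * TRACK_SECTORS)) ]
}

# Restore the way the post calls optimal: first the 446 bootstrap bytes of
# sector 0, then sectors 1..62, so the partition table and signature currently
# in sector 0 are never touched. conv=notrunc stops dd truncating an image file.
restore_keep_partition_table() {
    backup=$1; disk=$2
    [ "$(file_size "$backup")" -eq $((SECTOR * TRACK_SECTORS)) ] \
        || { echo "$backup is not exactly 63 sectors, refusing" >&2; return 1; }
    has_mbr_signature "$backup" || { echo "$backup has no MBR signature, refusing" >&2; return 1; }
    # Heuristic for the /dev/sdX naming scheme the post uses (an assumption):
    # a trailing digit means a partition (sda1), which is the wrong target.
    case "$disk" in
        *[0-9]) echo "$disk looks like a partition, not a whole disk; refusing" >&2; return 1 ;;
    esac
    dd if="$backup" of="$disk" bs=$BOOTSTRAP_BYTES count=1 conv=notrunc 2>/dev/null || return 1
    dd if="$backup" of="$disk" bs=$SECTOR skip=1 seek=1 count=$((TRACK_SECTORS - 1)) conv=notrunc 2>/dev/null
}
```

Rehearse on a copy before touching a real disk: copy the first 64 sectors into an image file with the post's dd command (count=64), then run both functions against that file. Only restore_keep_partition_table ever writes, and it writes nothing beyond sector 62.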

Because of the possibly catastrophic result of a restoration overwriting the partition table, it is better to do it the safe way, i.e. using the Truecrypt Rescue Disk CD, which should not destroy the partition table :-) This guide thus serves more as a mental exercise than as a practice that should be performed regularly :)
Addendum: Structure of a master boot record (source: Wikipedia)

Address (hex / oct / dec)   Description                                          Size in bytes
0000 / 0000 / 0             code area                                            440 (max. 446)
01B8 / 0670 / 440           disk signature (optional)                            4
01BC / 0674 / 444           usually nulls; 0x0000                                2
01BE / 0676 / 446           table of primary partitions                          64
                            (four 16-byte entries, IBM partition table scheme)
01FE / 0776 / 510           55h  MBR signature                                   2
01FF / 0777 / 511           AAh
MBR, total size: 446 + 64 + 2 = 512
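To see what the 64-byte table at offset 446 actually says, and to compare a backup's partition table with the disk's current one before anything is written back (the situation the restore warning above describes), here is an added example in POSIX shell that decodes the four 16-byte entries with od. It is not from the original post. The entry layout used (status byte at offset 0, type id at offset 4, little-endian 32-bit start LBA at bytes 8..11 and sector count at bytes 12..15) is the standard MBR entry format, not something the post states.

```sh
#!/bin/sh
# Added example, not from the original post: decode the partition table at
# offsets 446..509 of an MBR image (sector 0 of a disk or of a backup image).

# Print "index bootable type start_lba sector_count" for entry N (1..4) of IMAGE.
partition_entry() {
    image=$1; n=$2
    off=$((446 + (n - 1) * 16))
    # the 16 entry bytes as decimal values, into $1..$16 (-v: never collapse lines)
    set -- $(od -An -tu1 -v -j "$off" -N 16 "$image")
    [ $# -eq 16 ] || return 1
    boot=$1      # 128 (0x80) = active/bootable, 0 = inactive
    type=$5      # partition type id, e.g. 7 = NTFS/HPFS, 131 (0x83) = Linux
    # little-endian 32-bit fields: bytes 8..11 start LBA, bytes 12..15 sector count
    start=$(( $9 + (${10} << 8) + (${11} << 16) + (${12} << 24) ))
    count=$(( ${13} + (${14} << 8) + (${15} << 16) + (${16} << 24) ))
    printf '%s %s %s %s %s\n' "$n" "$boot" "$type" "$start" "$count"
}

# The whole 64-byte table as one hex string, for a cheap comparison.
partition_table_hex() {
    od -An -tx1 -v -j 446 -N 64 "$1" | tr -d ' \n'
}

# Succeed only if the two images carry byte-identical partition tables;
# if this fails, restoring sector 0 from the backup with bs=512 would point
# the table at the wrong sectors, which is why the post suggests bs=446.
partition_tables_match() {
    [ "$(partition_table_hex "$1")" = "$(partition_table_hex "$2")" ]
}

# Print all four entries of an image, one per line.
partition_table() {
    for i in 1 2 3 4; do partition_entry "$1" "$i" || return 1; done
}
```

Typical use on the LiveCD is partition_table bootloader.img next to partition_table /dev/sda, and partition_tables_match bootloader.img /dev/sda before deciding whether the backup's sector 0 may be restored whole or only its first 446 bytes.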

Author

Martin

I work as a freelance IT specialist and graphic designer, mainly for a Brno company producing eco-friendly household chemicals. I am also active in the Brno local exchange system Rozleťse, the Czech Gardeners' Union, the Czech Psychedelic Society, the Archetypal association and the International Dzogchen Community. Want to support me? BTC: 37mf2FJR26Ce3DxMkocukJDgB1eVjasnZB, or PGP-signed addresses of other cryptocurrencies.
