Chainloader kernel
It is intended for loading and executing unsupported loaders/kernels. A kernel is specified as a first multiboot module after this kernel. Syntax:
kernel $(DRV)\boot\loader\chain.mdl [parameters]
module <path to loader>
There are following parameters defined:
| –bootdev=<partition> | This specifies a boot device. For example, –bootdev=(hd0,0) specifies a first primary partition as the boot device. A physical device number is passed in EDX register |
| –edx=<dword> | Specifies EDX register content when passing control to a loader. Many loaders accept a physical boot device number in EDX. For example, io.sys (MSDOS kernel) accept –edx=BB, where BB is BIOS boot device number. Ntldr (WinNT bootloader) accepts –edx=PPBB, where BB is BIOS boot device number and PP is partition number, starting from 1. A PP=0xFF means that the device is not partitioned (for example, floppy disk) |
| –ebx=<dword> | Some bootloaders/kernels accept a boot device number in EBX but not in EDX. For example, this takes place with kernel.sys FreeDOS kernel. |
| –load-segment=<seg> | Specifies a segment address for the bootloader to be loaded at. I.e. this is the address where we must copy the bootloader |
| –load-offset=<off> | Specifies an offset in a segment specified with previous parameter |
| –boot-cs=<seg> | Specifies a segment address of entry point inside a loader/kernel |
| –boot-ip=<off> | Specifies an offset in the segment specified in previous parameter. This is where is loader/kernel entry point is. |
| –i13x | An OS/2 specific flag (i.e. it is intended for OS/2 only) which says to OS/2 components that int 13h extensions should be used. A dword of 'I13X' is written at the address 0×3000:0×0 |
Using the chain.mdl kernel, you can load a number of kernels/loaders. For example, you can pass control to memdisk on a cdrom. For that, you must specify cdloader.bin as a chainloaded kernel:
kernel (cd)\boot\loader\chain.mdl –bootdev=(cd)
module (cd)\bootimgs\cdloader.bin
Likewise, you can chainload memdisk on a FAT partition. For that, you must save memdisk bootsector to a file with proper BIOS parameter block (BPB) written in it. You can load it like this:
kernel (hd0,0)\boot\loader\chain.mdl –bootdev=(hd0,0)
module (hd0,0)\bootimgs\memdisk.bin
You can chainload any partition bootsector, for example, DOS or windows one:
kernel (hd0,5)\boot\loader\chain.mdl –bootdev=(hd0,0)
module (hd0,0)0+1
– the module specified is using the blocklist notation. In this case, this loads a file 0+1 (one block taken at zero offset from the beginning of 1st primary partition)
Likewise, you can load OS/2 from any partition, no matter is it primary or logical:
kernel (hd0,5)\boot\loader\chain.mdl –bootdev=(hd3,10) –i13x
bsmodule (hd3,10)0+1
– This sets I13X flag (–i13x). Also, we use a 'bsmodule' command here instead of 'module' one. It does the same, but additionally, it performs some additional actions on the bootsector loaded in memory: it writes a boot drive letter and physical boot device number in the BPB, and fixes hiddensectors value, so it will be equal to a partition offset from the beginning of a hard disk.
You can chainload WinNT ntldr directly, without its bootsector, like this:
kernel (hd0,5)\boot\loader\chain.mdl –edx=0×80 –load-segment=0×2000 –load-offset=0 –boot-cs=0×2000 –boot-ip=0
module (hd0,0)\ntldr
Likewise, you can load WinNT recovery console. The only difference with a previous case is you must write a word “cmdcons” over OEM signature in BPB:
kernel (hd0,5)\boot\loader\chain.mdl –edx=0×80 –load-segment=0×2000 –load-offset=0 –boot-cs=0×2000 –boot-ip=0
write 0x7c03 “cmdcons”
module (hd0,0)\ntldr