PXE booting floppy images

From Smop.co.uk


It's an unfortunate fact that even these days, most BIOS updates are floppy based. Some have Windows tools, but that doesn't help those of us on Linux.

I'll describe how you can get around this using PXE booting (a form of network booting). What we will do is set up a server to serve out the floppy image, then boot the client from it.


Creating the floppy image

The first step is to create the floppy image (normally a DOS bootable floppy disk with the BIOS code and a BIOS flashing program). Normally you receive the BIOS update in one of three formats:

  • raw files
  • Windows program
  • DOS program

All we want to do at this stage is to create the bootable disk with the files on it - we are _not_ running the BIOS flashing program.

Raw BIOS files (with flashing program) are the easiest to deal with, however most vendors ship programs - if you are lucky these are merely self-extracting zip files (so try using "unzip" to unpack the program). If you are unlucky it's a proprietary program which will either unpack some files or write directly to a floppy.

Raw files

What we need to do is take a bootable DOS diskette - I use one from the excellent <a href="http://www.freedos.org">FreeDOS</a> project - look for the fdboot.img file. Now mount it like this: "mount -o loop fdboot.img /mnt". Then just copy files into it etc. This is also the best way to check that a floppy image is sane.

DOS floppy writing programs

Taking the IBM BIOS program as an example, it used to be a DOS program which writes the floppy disk for you. To use this under Linux:

  • install (on Debian) "dosemu" and "dosemu-freedos"
  • edit /etc/dosemu/dosemu.conf and set:
$_floppy_a= threeinch:/var/lib/freedos/fd.img
  • check the permissions on that fd.img file
    • I normally use the freedos disk image mentioned above for this file
  • run "dosemu"

(You might want to resize your xterms to 25 lines high before running dosemu.) Look at the prompts - "D:" by default is your home directory. Run the DOS program, telling it to write to A: and watch it write in a fraction of a second (to /var/lib/dosemu/fd.img). Now type "exitemu" to quit dosemu.

Windows writing programs

These are harder. In theory wine or a VMware install should work, but there are no instructions from me, I'm afraid. Some programs will just put the files in a folder for you, at which point you need to look at the raw files section for what to do next. Unfortunately some will try to write directly to the floppy (often unnecessarily, and they will want the floppy to already be bootable, so really they are just dumping a few files in a hardcoded location).

You might find it easiest to use a Windows machine to write the floppy and then read it (again, you'll have to look elsewhere for advice - rawrite2 will _write_ an image to a floppy, we want to read the image).


Netbooting

If you have a real floppy disk drive, then write the image out to a disk (dd if=fd.img of=/dev/fd0) and boot off it. However normally things aren't that easy - e.g. no floppy disk drive!

Network booting requires you to set up a DHCP server, which then tells the PC to boot off a TFTP server, which will supply the images. It's not a one step process I'm afraid! There are more detailed instructions on these steps <a href="http://syslinux.zytor.com/pxe.php">here</a> and <a href="http://www.kegel.com/linux/pxe.html">here</a>.

The first step is to install a DHCP server. You should have an /etc/dhcp/dhcpd.conf file like this (very simple config this!) - you _MUST_ set the hardware ethernet address to that of the victim box (we could use a default entry, but that would be silly for a risky operation like this):

default-lease-time 600;
max-lease-time 7200;

# http://arsinfo.cit.buffalo.edu/FAQ/faq.cgi?pkg=ISC%20DHCP&cat=Options
option T128 code 128 = string;
option T129 code 129 = string;
option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;

allow booting;
allow bootp;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.101 192.168.1.200;
  option routers 192.168.1.100;

  host victim {
    hardware ethernet 00:c0:4f:32:85:0a;
    filename "/pxelinux.0";
    next-server 192.168.1.1;
  }
}

Note that your server must have an appropriate IP address (preferably statically assigned too!) - I use 192.168.1.1. Check that DHCP starts okay; if not, look at the log files and fix it - you may have to specify the interface to use. Note that if there are other boxes on the network you should be careful not to give them bogus information.

Now we need to set up the TFTP server which will send the files over to the victim box. I use "tftpd-hpa" - just install the package.

Now we need to put pxelinux.0 (which doesn't have a lot to do with Linux, despite the name!) in place - this is a simple booter which will finally supply the file for us. Download pxelinux.0 and memdisk from <a href="http://syslinux.zytor.com">zytor</a> and put them in /var/lib/tftpboot. Put your floppy image (fd.img) in there as well. Now make a directory /var/lib/tftpboot/pxelinux.cfg. Create a file with a name like "biosflash.cfg" inside pxelinux.cfg:

default local
timeout 100
prompt 5
say type "flash" to reflash your BIOS

LABEL local
LOCALBOOT 0

label flash
 kernel memdisk
 append initrd=fd.img

Now symlink that file to 01-xx-xx-xx-xx-xx-xx where the x's are the MAC address of the victim PC.
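
The staging steps above can be scripted so that the per-host link is only published for a well-formed MAC address and for an fd.img whose checksum matches the one you recorded when you built the image. This is an added example, not part of the original page; the function names and the checksum argument are assumptions, and the paths are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original page. TFTP_ROOT defaults to the
# directory the page uses; the function names are hypothetical.
TFTP_ROOT="${TFTP_ROOT:-/var/lib/tftpboot}"

# Turn a MAC (':' or '-' separated, any case) into the per-host file name
# PXELINUX looks up: "01-" (ARP hardware type 1, Ethernet) followed by the
# MAC in lowercase hex with dashes.
pxe_cfg_name() {
    mac=$(printf '%s' "$1" | tr 'A-F:' 'a-f-')
    [ "${#mac}" -eq 17 ] || return 1
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}-){5}[0-9a-f]{2}$' || return 1
    printf '01-%s\n' "$mac"
}

# stage_flash_entry MAC CFG SHA256
# Refuse to publish the per-host entry unless every file the config needs is
# present and fd.img matches the checksum recorded when the image was built.
stage_flash_entry() {
    name=$(pxe_cfg_name "$1") || { echo "bad MAC: $1" >&2; return 1; }
    for f in pxelinux.0 memdisk fd.img "pxelinux.cfg/$2"; do
        [ -f "$TFTP_ROOT/$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    actual=$(sha256sum "$TFTP_ROOT/fd.img" | cut -d' ' -f1)
    [ "$actual" = "$3" ] || { echo "fd.img checksum mismatch" >&2; return 1; }
    # Relative link, so it still resolves from inside the TFTP root.
    ln -sfn "$2" "$TFTP_ROOT/pxelinux.cfg/$name"
    printf '%s\n' "$name"
}
```

For the MAC address in the dhcpd.conf above, `stage_flash_entry 00:c0:4f:32:85:0a biosflash.cfg <sha256>` creates pxelinux.cfg/01-00-c0-4f-32-85-0a. Removing the link once the flash is done stops the image being offered to that machine again.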

Now we just need to boot the victim PC off the network - most modern PCs can do this automatically - check the BIOS boot order (many now have a "boot selection" hotkey - often F12 which can be pressed on boot). If you have an older PC, you can look at the etherboot project, but that involves either a flashed network card or a bootable floppy disk...
