I looked at the source code of GRUB:
The main trick is this:
GRUB is split into two parts, stage1 and stage2 (plus a stage1.5 in between).
Stage1 is the 512-byte boot sector; its job is to load Stage2 out of the file system. Stage2 does everything else GRUB does: the command line, the menu, loading the kernel from the file system. . . But Stage1 only has room for 512 bytes of code. . Surely that is not enough to recognise a file system? :(
Here is the trick. Stage1 only loads the first block of the Stage2 file (2 sectors = 1K) and jumps into it. The front of that 1K is a small self-loading stub that fetches the remaining parts of Stage2 (which sit in the file system); the back half, 512 bytes, is data: Stage2's file block table, i.e. the list of disk sectors that the Stage2 file occupies (that is where the trick lives ^ ^). Because of that table the self-loading code does not need to understand the file system at all: it reads the listed sectors straight off the disk, assembles Stage2 and runs it. Stage2 is then in a much better position; it can recognise the various file systems and kernel file formats. . match them up. . , then load the kernel and start it.
How does the file block table get there? After Stage2 has been copied into the file system, the Stage2 file is modified in place so that its own block table is written into it, and the location of Stage2's first file block is written into Stage1. That is the whole setup. One consequence worth knowing: the table is a snapshot of where the file sits on disk, so if the file system later moves the Stage2 file (defragmentation, or the file being rewritten), the table goes stale and Stage1 will load garbage; the install step then has to be redone.
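To make the mechanism concrete, here is a small simulation of the whole procedure on an in-memory disk. This is an added example written for this note, not GRUB's own code: the sector layout, the 6-byte blocklist entry (32-bit LBA plus 16-bit count, growing downward from an assumed offset 0x1f0 in Stage2's first sector, ended by an all-zero entry), the offset where Stage1 keeps the LBA of Stage2's first sector, and the scattered extents chosen for the Stage2 file are all assumptions made for the demo, not GRUB's real layout. The "file system" is only the fact that the file is stored in non-contiguous runs of sectors; the boot side never consults anything except the block table it finds in the first sector.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added demo of the blocklist trick; all offsets/sizes below are assumptions. */
#define SECTOR 512
#define DISK_SECTORS 64
#define STAGE1_LBA 0           /* the boot sector */
#define STAGE1_PTR_OFF 0x1f0   /* assumed: where stage1 stores the LBA of stage2's first sector */
#define BLOCKLIST_END 0x1f0    /* assumed: blocklist grows downward from here in stage2's first sector */
#define BLOCKLIST_MIN 16       /* assumed: bytes below this are the self-loading stub, must not be overwritten */
#define ENTRY_SIZE 6           /* uint32 lba + uint16 count, host endianness (simulation only) */
#define STAGE2_SECTORS 6

static uint8_t disk[DISK_SECTORS][SECTOR];   /* the simulated disk */
static uint8_t memory[8 * SECTOR];           /* where "stage2" gets loaded */

struct extent { uint32_t lba; uint16_t count; };  /* one contiguous run of sectors */

/* Constructed "file system" placement: the stage2 file was copied in and ended
 * up in three non-contiguous runs. The first sector of the file is the stub. */
static const struct extent stage2_extents[] = { {10, 1}, {20, 2}, {40, 3} };
#define NEXT (sizeof stage2_extents / sizeof stage2_extents[0])

static void write_sector(uint32_t lba, const uint8_t *src) { memcpy(disk[lba], src, SECTOR); }
static void read_sector(uint32_t lba, uint8_t *dst) { memcpy(dst, disk[lba], SECTOR); }

/* Write the block table into the tail of stage2's first sector. The very first
 * sector is skipped: stage1 loads that one itself, the table covers the rest. */
static int build_blocklist(uint8_t *first_sector) {
    uint16_t pos = BLOCKLIST_END;
    for (size_t i = 0; i < NEXT; i++) {
        struct extent e = stage2_extents[i];
        if (i == 0) { e.lba += 1; e.count -= 1; if (e.count == 0) continue; }
        if (pos - ENTRY_SIZE < BLOCKLIST_MIN) return -1;   /* table would clobber the stub */
        pos -= ENTRY_SIZE;
        memcpy(first_sector + pos, &e.lba, 4);
        memcpy(first_sector + pos + 4, &e.count, 2);
    }
    if (pos - ENTRY_SIZE < BLOCKLIST_MIN) return -1;
    pos -= ENTRY_SIZE;
    memset(first_sector + pos, 0, ENTRY_SIZE);            /* terminator entry */
    return 0;
}

/* Install: copy stage2 into its extents, patch the table into its first
 * sector, then write stage1 with the LBA of that first sector embedded. */
static int install(const uint8_t *stage2, const uint8_t *stage1_code) {
    uint8_t sec[SECTOR];
    uint32_t n = 0;
    for (size_t i = 0; i < NEXT; i++)
        for (uint16_t k = 0; k < stage2_extents[i].count; k++, n++)
            write_sector(stage2_extents[i].lba + k, stage2 + n * SECTOR);
    read_sector(stage2_extents[0].lba, sec);
    if (build_blocklist(sec) != 0) return -1;
    write_sector(stage2_extents[0].lba, sec);
    memcpy(sec, stage1_code, SECTOR);
    uint32_t first = stage2_extents[0].lba;
    memcpy(sec + STAGE1_PTR_OFF, &first, 4);
    write_sector(STAGE1_LBA, sec);
    return 0;
}

/* Boot: stage1 reads one LBA it was given at install time; the stub in that
 * sector walks the table and reads raw sectors. No file system code anywhere.
 * Returns the number of sectors loaded, 0 if the table would overrun memory. */
static size_t boot(void) {
    uint8_t s1[SECTOR];
    uint32_t first;
    read_sector(STAGE1_LBA, s1);
    memcpy(&first, s1 + STAGE1_PTR_OFF, 4);
    read_sector(first, memory);                 /* stage1's only load */
    size_t loaded = 1;
    for (uint16_t pos = BLOCKLIST_END - ENTRY_SIZE; pos >= BLOCKLIST_MIN; pos -= ENTRY_SIZE) {
        uint32_t lba; uint16_t count;
        memcpy(&lba, memory + pos, 4);
        memcpy(&count, memory + pos + 4, 2);
        if (count == 0) break;                  /* terminator */
        for (uint16_t k = 0; k < count; k++, loaded++) {
            if (loaded >= sizeof memory / SECTOR) return 0;  /* a stale/hostile table must not overrun */
            read_sector(lba + k, memory + loaded * SECTOR);
        }
    }
    return loaded;
}

/* Build a recognisable stage2 image, install it, boot, and compare what landed
 * in memory with the file as it sits on disk (block table included). */
int demo(void) {
    static uint8_t stage2[STAGE2_SECTORS * SECTOR], stage1[SECTOR], expect[STAGE2_SECTORS * SECTOR];
    for (size_t i = 0; i < sizeof stage2; i++) stage2[i] = (uint8_t)(i * 7 + i / SECTOR);
    memset(stage2 + BLOCKLIST_END, 0, SECTOR - BLOCKLIST_END);  /* stub leaves its tail free for the table */
    memset(stage1, 0x90, SECTOR);                                /* placeholder stage1 "code" */
    if (install(stage2, stage1) != 0) return 0;
    size_t n = boot();
    memcpy(expect, stage2, sizeof stage2);
    build_blocklist(expect);
    return n == STAGE2_SECTORS && memcmp(memory, expect, sizeof stage2) == 0;
}

int main(void) {
    printf("stage2 loaded via blocklist: %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

The point to notice is that `boot()` contains no notion of files at all, only "read sector N"; everything it needs was baked into the disk by `install()`. That is also why the table must be regenerated whenever the Stage2 file moves, and why a loader that trusts the table blindly should still bounds-check what it reads into memory, as the check in `boot()` does.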