Decoding the iSCSI Boot Firmware Table

Representatives of Microsoft have recently raised objections to the publication of information describing the iSCSI Boot Firmware Table (iBFT). The iBFT is a data structure used when Windows is booted from an iSCSI disk hosted on a remote computer, or on an iSCSI network-attached storage (NAS) box; a high-level overview is published by Microsoft at http://download.microsoft.com/download/5/b/9/5b97017b-e28a-4bae-ba48-174cf47d23cd/STO026_WH06.ppt.

The Microsoft representatives seem to have taken the position that the details of this table are confidential, and that anyone with knowledge of its structure must have been privy to information covered by a non-disclosure agreement.

This web page exists solely to prove that the above position is incorrect.

Without revealing any information about its structure, we will show that the iSCSI Boot Firmware Table may be decoded using tools published by Microsoft for this exact purpose.

Step 1: Obtain the boot-capable Microsoft iSCSI initiator

This is available from several sources, including Microsoft itself. For this demonstration, we chose to purchase a copy of emBoot's winBoot/i software, which includes a copy of the boot-capable Microsoft iSCSI initiator. Here is the emBoot download page:

After filling in the web form, we received an e-mail containing a download link, which took us straight to a zip file:

Step 2: Install the boot-capable Microsoft iSCSI initiator

The zip file contains an executable named WBI_CLIENT_X86_V1_50_B13.EXE.rename. We copied this file out of the archive, renamed it to WBI_CLIENT_X86_V1_50_B13.EXE, and ran it:

We found that the iscsibcg.exe utility had been installed into C:\WINDOWS\System32:

Step 3: Boot from iSCSI and run iscsibcg

We booted this installation of Windows via iSCSI, opened up a command prompt, and ran the command

iscsibcg /?

which stated that the iscsibcg utility has two main functions, one of which is to “View the contents of the iBFT table”:

Helpfully, the tool even gave the command which we needed to run in order to view the iSCSI Boot Firmware Table, which was

iscsibcg /ShowiBF

Running this command gave us a complete dump of the table, including the raw hex data and a description of each field. To avoid antagonising Microsoft, only a small extract of the output is shown here:

Conclusions

  • At no point during this process did we need to sign any non-disclosure agreement with Microsoft or any other party.
  • At no point during this process did we reverse-engineer any piece of software or use it for anything other than its explicitly stated purpose, according to its own documentation.
  • The information obtained from this process is entirely sufficient to allow a programmer to write code for generating or parsing an iSCSI Boot Firmware Table.
  • It is therefore incorrect for anyone to claim that the structure of the iSCSI Boot Firmware Table is confidential information.

QR Code
QR Code winbootibft (generated for current page)