**This is an old revision of the document!** ----
====== Decoding the iSCSI Boot Firmware Table ====== Representatives of Microsoft have recently raised objections to the publication of information describing the iSCSI Boot Firmware Table (iBFT). The iBFT is a data structure used when Windows is booted from an iSCSI disk hosted on a remote computer, or on an iSCSI network-attached storage (NAS) box. The Microsoft position seems to be that the definition of this table is confidential information, and that anyone who knows how it is constructed can have obtained such information only by signing a non-disclosure agreement. This document exists solely to prove that this position is incorrect. Without revealing any information about the structure of the iSCSI Boot Firmware Table, we will demonstrate that it is trivial to decode, using tools published by Microsoft for this explicit purpose. ==== Step 1: Obtain the boot-capable Microsoft iSCSI initiator ==== This is available from several sources, including Microsoft themselves. For this demonstration, we chose to purchase a copy of winBoot/i from [[http://www.emboot.com|emBoot]]. Here is the emBoot download page: {{ iscsiboot/emboot-download-page.png?200x150 }} After filling in the web form, we received an e-mail containing a download link, which took us straight to a zip file: {{ iscsiboot/emboot-zipfile.png?200x150 }} ==== Step 2: Install the boot-capable Microsoft iSCSI initiator ==== The zip file contains an executable named WBI_CLIENT_X86_V1_50_B13.EXE.rename. We copied this file out of the archive and renamed it to WBI_CLIENT_X86_V1_50_B13.EXE, and ran it: {{iscsiboot/emboot-client-setup1.png?200x150 }} {{iscsiboot/emboot-client-setup2.png?200x150 }} {{iscsiboot/emboot-client-setup3.png?200x150 }} {{iscsiboot/emboot-client-setup4.png?200x150 }} {{iscsiboot/emboot-client-setup5.png?200x150 }} {{iscsiboot/emboot-client-setup6.png?200x150 }} {{iscsiboot/emboot-client-setup7.png?200x150 }} {{iscsiboot/emboot-client-setup8.png?200x150 }} {{iscsiboot/emboot-client-setup9.png?200x150 }} {{iscsiboot/emboot-client-setup10.png?200x150 }} {{iscsiboot/emboot-client-setup11.png?200x150}} We found that the iscsibcg.exe utility had been installed into C:\WINDOWS\System32: {{ iscsiboot/iscsibcg-installed.png?200x150 }} ==== Step 3: Boot from iSCSI and run iscsibcg ==== We booted this installation of Windows via iSCSI, opened up a command prompt, and ran the command iscsibcg /? which stated that the iscsibcg utility has two main functions, one of which is to "View the contents of the iBFT table": {{ iscsiboot/iscsibcg-options.png?200x150 }} The tool helpfully even gave the command which we needed to run in order to view the iSCSI Boot Firmware Table, which was iscsibcg /ShowiBF Running this command gave us a complete dump of the table, including the raw hex data and a description of each field. To avoid antagonising Microsoft, only a small extract of the output is shown here: {{ iscsiboot/iscsibcg-showibf.png?200x150 }} ==== Conclusions ==== * At no point during this process did we have to sign any non-disclosure agreement with Microsoft or any other party. * At no point during this process did we reverse-engineer any piece of software or use it for anything other than its explicitly stated purpose, according to its own documentation. * The information obtained from this process is completely sufficient for a programmer wishing to write code to generate or parse an iSCSI Boot Firmware Table. * Microsoft is therefore incorrect in claiming that the structure of the iSCSI Boot Firmware Table is confidential information.