Advanced OS Customizations & Bootloaders

Reverse Engineer UEFI/BIOS Boot: Unpacking the x86 Boot Process for Custom Bootloaders

By Antigravity Research Published May 29, 2026 ⏱️ 4 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: Demystifying the Boot Process

The journey from powering on an x86 computer to the loading of an operating system is a complex ballet of firmware and low-level code. For developers venturing into operating system development, custom bootloaders, or embedded systems, understanding this initial hand-off from UEFI or BIOS is crucial. This article dives deep into the x86 boot process, providing insights into how system firmware prepares the hardware and ultimately transfers control to your bootloader. We will specifically focus on developing a minimal x86 bootloader from scratch, primarily targeting the BIOS boot sequence due to its directness for initial learning, while conceptually touching upon UEFI.

The Initial Stages: BIOS vs. UEFI Hand-off

Before any operating system code runs, the system’s firmware (BIOS or UEFI) performs essential initialization. While their approaches differ, their ultimate goal is to find a bootable device and load a program from it.

BIOS Boot Sequence

The traditional BIOS (Basic Input/Output System) initiates a sequence of events:

  1. Power-On Self-Test (POST): BIOS performs hardware checks (memory, CPU, peripherals).
  2. Firmware Initialization: Initializes controllers, sets up basic I/O services.
  3. Boot Device Search: BIOS searches for bootable devices based on a pre-configured order.
  4. Master Boot Record (MBR) Loading: Upon finding a bootable disk (e.g., a hard drive), BIOS reads the first 512-byte sector, known as the MBR, into memory address 0x7C00.
  5. Execution Transfer: Control is then transferred to the code at 0x7C00. At this point, the CPU is in 16-bit real mode, and a minimal set of BIOS services are available via interrupts (e.g., disk I/O, video output).

Understanding Real Mode

Real mode is the CPU’s operational mode immediately after reset, characterized by 20-bit segmented memory addressing (allowing access to 1MB of memory) and no memory protection. Your initial bootloader code will execute in this mode.

UEFI Boot Sequence

Unified Extensible Firmware Interface (UEFI) offers a more modern and extensible boot environment:

  1. POST & Driver Initialization: Similar to BIOS, but initializes a richer set of drivers and services.
  2. EFI System Partition (ESP) Discovery: UEFI locates the ESP on a GPT-partitioned disk.
  3. Boot Manager: The UEFI firmware’s boot manager executes, reading boot entries (e.g., ootootx64.efi) from the ESP.
  4. EFI Application Loading: A chosen EFI application (e.g., your bootloader or an OS boot manager like GRUB) is loaded into memory.
  5. Execution Transfer: Control is transferred to the EFI application. UEFI operates in protected mode or long mode (64-bit), offering more memory and advanced features directly.

Protected Mode and Long Mode

Protected mode (32-bit) and long mode (64-bit) offer full access to memory, hardware protection, multitasking features, and flat memory models. While a UEFI bootloader often starts directly in these modes, a BIOS bootloader must explicitly transition to them.

Building a Minimal x86 BIOS Bootloader: Stage 1

Our minimal bootloader will reside in the first 512 bytes of a disk (acting as an MBR or VBR). We’ll use NASM for assembly.

Prerequisites

  • NASM assembler
  • QEMU emulator
  • A Linux/macOS environment (for `dd` and shell commands)

The “Hello World” Bootloader

Let’s start with a simple bootloader that prints a message to the screen.

; boot.asm - Minimal "Hello World" Bootloader
ORG 0x7C00
BITS 16

start:
    ; Setup data segment registers
    mov ax, 0x07C0  ; Segment address for where we are loaded
    mov ds, ax      ; Data segment
    mov es, ax      ; Extra segment (often used for strings)
    mov ss, ax      ; Stack segment
    mov sp, 0xFFFE  ; Stack pointer at the end of our 512-byte sector

    ; Print string using BIOS interrupt 0x10, AH=0x0E (Teletype Output)
    mov si, message ; Source index points to our message
print_char:
    lodsb           ; Load byte from [si] into AL, increment si
    cmp al, 0       ; Check if end of string (null terminator)
    je  halt
    mov ah, 0x0E    ; BIOS teletype output function
    mov bh, 0       ; Page number (usually 0)
    mov bl, 0x07    ; Attribute (white on black)
    int 0x10        ; Call video interrupt
    jmp print_char

halt:
    hlt             ; Halt CPU execution

message: db "Hello from x86 Bootloader!", 0

; Pad with zeros until 510 bytes, then add boot signature
times 510 - ($ - $$) db 0
dw 0xAA55       ; Boot signature

Compiling and Running

1. Assemble:

nasm -f bin boot.asm -o boot.bin

2. Create a disk image:

dd if=boot.bin of=boot.img bs=512 count=1

3. Run with QEMU:

qemu-system-x86_64 -fda boot.img

You should see

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #assembly #BIOS #Bootloader #UEFI #x86

Related Technical Guides

Customizing Android Boot: Building Your Own Systemd-boot UKI with Custom Kernel Modules

May 29, 2026

The OverlayFS Toolkit: Automating Persistent Android System Tweaks and App Installs

May 29, 2026

Ftrace Event Cookbook: Essential Kernel Events for Android Performance Debugging (Sched, MM, Block)

May 30, 2026