XboxHacker BBS
 
Topic: High level vector shaders.

tser
« on: December 27, 2005, 05:31:39 PM »

One of the demo discs floating around contains the game "King Kong". This game uses vector shaders, compiled with Microsoft (R) D3DX9 Shader Compiler 9.04.91.0000.

I don't know anything about vector shaders... But is there maybe an expert on it in the room?

Both the vector source and a .bin file are there, and the demo runs when burned onto a DVD-R.

Not that it will lead to anything, but it would be interesting if we can modify the shaders of that game...

Especially because it is rumoured that high level vector shaders have access to the system memory as well.
« Last Edit: December 28, 2005, 01:48:32 AM by tser »
tser
« Reply #1 on: December 28, 2005, 06:11:05 PM »

The final version of King Kong still has this shader directory, with a binary inside, which contains several shaders.

According to the reference model of shader languages, shaders can contain arrays of variables, like ints.

Technically that sounds like creating an array of say 2, and trying to see what will happen if you touch position [3].

I got my DirectX December 2005 SDK (legally, downloadable at msdn.microsoft.com) which contains the correct high level shader compiler.

Continues digging.
tser
« Reply #2 on: December 28, 2005, 06:56:29 PM »

I am trying to figure out 3 things here:
- One, is it possible at all to mess with the shaders (simply replace blue water by red water)?
- Two, is it possible to read from any memory location at all, using an array overrun?
- Three, is it possible to write to that memory also?

One has been done as of 30-12-2005.
Two would really be useful, but I doubt if the GPU has no overrun protection.
And three currently sounds too impossible to believe for myself :)
« Last Edit: December 30, 2005, 07:22:50 PM by tser »
tser
« Reply #3 on: December 30, 2005, 04:58:34 PM »

!!!!
It is possible to alter the shaders!
AO created all yellow shaders, and...

It worked!

http://tser.org/album/index.php?imagesize=640&d=d.html&image=z2005_12_30.jpg&Album=35

We modified the shaders of the King Kong demo.

The shaders are compiled at run time... so you can just edit the script files.

For example, to let it be all white:
    return float4( 1.0f, 1.0f, 1.0f, 1.0f);
To reproduce:

- load the game
- select the first live
- wait until the loading screen has finished
- and enjoy the new world: your code is now in the GPU :)

« Last Edit: December 30, 2005, 08:31:22 PM by tser »
ppu
« Reply #4 on: December 30, 2005, 05:48:32 PM »

Now the race to find the memexport instruction encoding? :]

You should loop through all addresses, MEMEXPORT'ing break instructions,
printing out the mem addresses as you go in the shader texture :]
dirtysanchez
« Reply #5 on: December 31, 2005, 01:21:16 PM »

Very interesting indeed. I'm not sure about this, but can you inject code into a shader to run code other than a shader? If it's compiled at runtime, the compiler might just throw out extraneous code and throw up a flag to the hypervisor.
streko
« Reply #6 on: December 31, 2005, 03:28:31 PM »

> Very interesting indeed. I'm not sure about this, but can you inject code into a shader to run code other than a shader? If it's compiled at runtime, the compiler might just throw out extraneous code and throw up a flag to the hypervisor.

The CPU won't be running any of the compiled code even though it shares memory with the GPU. The compiled code will be used only by the GPU. I think the goal here is to modify code in memory that the CPU uses, through the GPU, but the kernel will catch things like this. I don't see any way the GPU can modify anything running in the kernel, which is what we want.
caustik
« Reply #7 on: December 31, 2005, 06:03:54 PM »

There are a few possibilities I see here:

1) MEMEXPORT may allow access to arbitrary memory locations. This could be used to overwrite code and/or data in key places, allowing for execution of native code (perhaps the code could exist in a texture, or within the shader code itself, or the shader could deposit some code using MEMEXPORT). There could be two things here that prevent this from working: a) Microsoft saw this and they limit the addresses you can MEMEXPORT to. b) The hypervisor will notice what's going on and foil your plans.

2) There could be a bug in the compilation from HLSL -> native shader. There could be an exploit here. Once again, the hypervisor might notice what's going on and foil your plans again.

3) There could be unexpected exceptions during the GPU's interpretation of shader instructions. It's most likely the XB360 will handle these gracefully, but possibly not.

4) The library that opens the HLSL from disk could have bugs. Meaning, perhaps the file format itself has edge conditions that could leave an opening for an exploit.

I know I'm probably just stating the obvious, but I figure some people reading this forum might want some explicit explanations :]

caustik
streko
« Reply #8 on: December 31, 2005, 06:12:05 PM »

We should put the hypervisor to the test, it's never been confirmed to actually exist. MEMEXPORT would be a good start.
tser
« Reply #9 on: January 01, 2006, 04:55:41 PM »

AO did some technical research:
http://www.gamedev.no/xbox360_shaders.jsp

We might be out of luck here... but AO and I keep on digging :)

BTW: we noted that on an HDTV the altered shaders did not get loaded!

« Last Edit: January 01, 2006, 05:01:30 PM by tser »
j005u
« Reply #10 on: January 03, 2006, 05:34:46 AM »

> AO did some technical research:
> http://www.gamedev.no/xbox360_shaders.jsp
>
> We might be out of luck here... but AO and I keep on digging :)
>
> BTW: we noted that on an HDTV the altered shaders did not get loaded!

Well, here's my theory about why:
The 'standard' for the 360 is 720p, right? And did you not find both compiled and uncompiled shaders in the shaders folder?

So wouldn't it make a little bit of sense if for 720p they'd use the compiled shaders and otherwise (PAL, NTSC) compile new shaders at runtime?

I don't have any technical knowledge of shaders so my point might be completely invalid, but as long as we don't have an expert here it's worth a try:
compile the shaders and replace both the sources and the binaries on the disk and see what happens then on an HDTV...
tser
« Reply #11 on: January 03, 2006, 06:32:57 PM »

I have now experienced 2 fatal crashes already on my Xbox, during my shader experiment.
When the Xbox crashes...
* It halts itself with a freeze: the screen which was active remains.
  (one time a black screen, 1 time the loading.wmv file of King Kong on a halt)
* Eject does not do anything
* USB devices are no longer working
* Wireless controller does not get connected
* Plugging in a USB controller only lights up the left corner and the right-down corner
* Unconnected video out cable results in a red flash; reconnecting removes the red light
* The only way to get your box back is to unplug the power cable
G0t m4xx 21
« Reply #12 on: January 04, 2006, 12:34:20 AM »

What did you change to make it crash?
dirtysanchez
« Reply #13 on: January 04, 2006, 08:41:28 AM »

Nice work guys....

We know that the CPU is designed by IBM, and could be a close cousin of the type found in their pSeries servers.

Going by what I've read about how the hypervisor separates running code into individual virtual machines (maybe some type of LPAR):

The POWER4 microprocessor supports an enhanced form of system call, known as Hypervisor mode, that allows a privileged program access to certain hardware facilities. The support also includes protection for those facilities in the processor. This special mode allows the processor to access information about systems located outside the boundaries of the partition where the processor is located.

Various other system components have the ability to limit the impact of hardware errors to a single partition. Generally, this is achieved by turning most hardware error reporting into "bad" data packets that flow back to the requesting processor. In many cases this will cause a machine check interrupt that may or may not be recoverable within the partition. No other partitions are affected.

Partition isolation and security
Applications run inside partitions the same way they run on a standalone server. The design of the pSeries family is such that one partition is isolated from software running in the other partitions, including protection against natural software defects and deliberate software attempts to break the LPAR barriers. It has the following security features:

* Interpartition data access: the design of pSeries prevents any data access between partitions, other than using regular networks. This isolates the partitions against unauthorized access between boundaries.
* Unexpected partition crash: a software partition crash should not cause any disruption to other partitions. Neither an application failure nor an operating system failure inside a partition interferes with the operation of other partitions.
* Denial of service across shared resources: the pSeries design prevents partitions from making extensive use of a shared resource so that other partitions using that resource become starved. This means that partitions sharing the same PCI bridge chips, for example, cannot lock the bus indefinitely.

The above statement could explain why we're not getting any error reporting whatsoever when the "partition" crashes.
« Last Edit: January 04, 2006, 08:43:19 AM by dirtysanchez »
BassACE
« Reply #14 on: January 04, 2006, 11:16:27 AM »

Though my experience is anything but with the PowerPC, I'm gonna throw in my two cents.

tser's crashes imply to me two things: One, that the hypervisor sees that King Kong is going out of its virtual machine memory space, thereby causing Kong's VM to lock up. Two: because the rest of the system freezes, it implies to me that it's getting into some important VM's memory space (at first I thought the kernel, but since it detected hot swap, I'm going to add the dashboard to my list of VMs that Kong's VM is adjacent to; also see the paragraph after the next), and the hypervisor is crashing that adjacent VM.

What if that next VM is for something important, such as the kernel or dashboard? What if the system crashes because that VM's memory has been tampered with... by King Kong, but the hypervisor doesn't realize this until it's too late? This assumes that the kernel memory is adjacent to that VM's memory space, of course. This explains (to me at least) why more or less nothing worked at all, and tser had to pull the plug to unfreeze his box.

Or, what if the kernel runs in two virtual machines? One for higher level functions (such as system calls, function calls, device interfacing, etc.), and one for lower level functions (such as hotswap, device detection, etc.). This could explain the controllers and the video cable being detected, but the controllers not working.

I haven't tried any of these experiments, and I could be completely wrong in all of my assumptions, and if I am, please delete this post. I just wanted to throw in my two cents to help the cause... And without knowing what tser changed, all this could be complete BS.
dirtysanchez
« Reply #15 on: January 04, 2006, 12:05:50 PM »

BassACE... you're on the right track.

The Hypervisor doesn't really know if the code running is valid or not. It does know that if a memory overrun does occur, due to crappy coding, it throws out the entire execution within the problem VM and dumps. Dumps where? I have no idea... possibly a CPU instruction resets that specific VM.

This would explain why what tser did with the RETAIL xex file and the demo disc sorta kinda worked.
annerajb
« Reply #16 on: January 05, 2007, 11:45:56 AM »

Hey, I don't know if you still need help on shaders, but I do shader programming, so if you need help or an explanation on something just ask me.
TheSpecialist
« Reply #17 on: February 28, 2007, 09:00:53 AM »

In light of recent developments, I think this thread needs a bump :) Especially this post is VERY interesting:

> I have now experienced 2 fatal crashes already on my Xbox, during my shader experiment.
> When the Xbox crashes...
> * It halts itself with a freeze: the screen which was active remains.
>   (one time a black screen, 1 time the loading.wmv file of King Kong on a halt)
> * Eject does not do anything
> * USB devices are no longer working
> * Wireless controller does not get connected
> * Plugging in a USB controller only lights up the left corner and the right-down corner
> * Unconnected video out cable results in a red flash; reconnecting removes the red light
> * The only way to get your box back is to unplug the power cable

Does anybody have some more info on how to mod shader code to replicate such a crash?
« Last Edit: February 28, 2007, 09:03:53 AM by TheSpecialist »
Zenofex
« Reply #18 on: February 28, 2007, 01:11:53 PM »

> In light of recent developments, I think this thread needs a bump :) Especially this post is VERY interesting:
>
> > I have now experienced 2 fatal crashes already on my Xbox, during my shader experiment.
> > When the Xbox crashes...
> > * It halts itself with a freeze: the screen which was active remains.
> >   (one time a black screen, 1 time the loading.wmv file of King Kong on a halt)
> > * Eject does not do anything
> > * USB devices are no longer working
> > * Wireless controller does not get connected
> > * Plugging in a USB controller only lights up the left corner and the right-down corner
> > * Unconnected video out cable results in a red flash; reconnecting removes the red light
> > * The only way to get your box back is to unplug the power cable
>
> Does anybody have some more info on how to mod shader code to replicate such a crash?

TS-

I don't know if you've looked at tser's shader test shader, but here it is in case not.

Code:
//-----------------------------------------------------------------------------
// tser's test shader.
//-----------------------------------------------------------------------------
uniform sampler g_TextureSampler[8] : register( s0 );

struct PSIN
{
    float4 Position         : POSITION;
    float4 Color            : COLOR0_centroid;
    float3 TexCoord0        : TEXCOORD0_centroid;
    float3 TexCoord1        : TEXCOORD1_centroid;
    float3 TexCoord2        : TEXCOORD2_centroid;
    float3 TexCoord3        : TEXCOORD3_centroid;
    float3 TexCoord4        : TEXCOORD4_centroid;
    float3 TexCoord5        : TEXCOORD5_centroid;
};

float4 ProcessPixel ( PSIN Input,
                      int iGodRayShaderId,
                      int iRemananceShaderId,
                      int iZoomSmoothId,
                      int iBlackWhiteId,
                      int iFogShaderId,
                      int iBlitShaderId,
                      int iColorDiffusion,
                      int iMotionBlur,
                      int iBigBlur,
                      int iColorBalance,
                      int iBKQuad,
                      int iUnused12,
                      int iUnused13,
                      int iUnused14,
                      int iUnused15)
{
    // Default output: opaque-less green (alpha 0.0).
    float4 FinalColor = float4(0.0f, 1.0f, 0.0f, 0.0f);

    // Only the "god ray" configuration (id 3) paints the centre of the
    // screen yellow; the outer band keeps the default colour.
    if (iGodRayShaderId == 3)
    {
        if (Input.TexCoord0.y < 0.9f)
        {
            if (Input.TexCoord0.x > 0.1f)
            {
                if (Input.TexCoord0.x < 0.9f)
                {
                    FinalColor = float4(1.0f, 1.0f, 0.0f, 0.4f);
                }
            }
        }
    }

    return FinalColor;
}

// Test shader entry points for various configurations of shaders
float4 PSTest( PSIN Input ) : COLOR
{
    return ProcessPixel(Input, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
}

Although I think this may be part of his "all yellow" test as displayed here
http://tser.org/album/index.php?imagesize=640&d=d.html&image=z2005_12_30.jpg&Album=35
I don't see anything related to MEMEXPORT, so I doubt this is what made it crash (if the crashing actually was due to him trying to read the "unprivileged memory"). I'll keep looking and see if I can't find anything else. GLUCK!

Thanks -Zenofex-
« Last Edit: February 28, 2007, 01:19:09 PM by Zenofex »
tser
« Reply #19 on: March 01, 2007, 02:32:22 PM »

alloc is a wonderful thing.

For example:

float4 AnexportAddress : register(c2);
static float4 Justaconst01= {0, 1, 0, 0};

void main(int index:INDEX)
{
    float4 output = float4(0.5, 0.5 , 1.0, 1.0);
    asm {
      alloc export=1
        mad eA, index, Justaconst01, AnexportAddress
        mov eM0, output
    };
}