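VITRONICS A-35 Research Platform

Verum Inveniri
2018/08/27 08:36:16
Excellent work, Mike Palumbo.

We would also like to point out that this is the first time the same person has retrieved two of our dead drops in the same city. Make good use of the two bonus item passcodes.

Mike Palumbo's dead drop retrieval report

I have just retrieved both of the dead drops made in Philadelphia this morning. As proof, here are the document we were instructed to disclose and the cover sheet.

I have both complete sets. The first was in an envelope marked "VI"; the second was tucked inside its cover sheet, which had been folded in half.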

NSA//ELINT//DOWSINGRED//TS//SI//REL

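VITRONICS A-35
Research Platform

1. Introduction

(TS//SI//REL) The VITRONICS A-35 tests the time dilation effects of long-term XM exposure on magnetic storage media, using an IBM PC equipped with a 486DX and a 3.5-inch floppy disk drive.

(TS//SI//REL) For safety, experiment supervisors are to stay at least 100 meters from the PC while it is being irradiated with XM.

2. Experiment report summary

(TS//SI//REL) A boot sector was written to a floppy disk, and the disk was booted. After XM exposure the disk was still readable, but it could no longer be booted on the 486DX. Analysis of the data on the disk revealed that several parts of the boot sector had been overwritten with garbage data.

(TS//SI//REL) The corrupted areas on the disk showed structure, but its meaning could not be identified. The experiment was repeated several times, and different areas appeared to be corrupted each time. The experiment supervisors could not determine what the corrupted data meant.

See Appendix 1 for details.

This space intentionally left blank.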

Verum Inveniri
2018/08/28 16:45:05
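The Philadelphia dead drops discovered by Mike Palumbo have been archived by YutoRaion. The next challenge is booting it from a floppy disk.

YutoRaion's report
I have transcribed the "VI.OS" code. Is the remaining challenge to "actually run it from a floppy on a PC"? I would like to take on this challenge too, but floppies are hard to come by these days.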

main.asm

;; ==** ~ +=+ +
;; =+ :~ :=+++ + = =:
;; == = ++ + ~ ~~
;; ==:~ ,= + =
;; = = = += ~
;; ~== ~=+,=
;; = ~ ?+=
;; +~ =??+
;; += =/ ++
;; +?+~ ++
;; ~+ =+
;;
;; This code is released into the public domain.
;; The authors disclaim all effects of latent XM exposure.
;; Original copyright string: (C) 1992 VITRONICS, Inc.
;; qemu-system-x86_64 -cpu 'Skylake-Server' -drive format=raw,file=viOS.bin
%define KILL_PROC
%define PAGE_PRESENT (1 << 0)
%define PAGE_WRITE (1 << 1)
%define PML4T_ADDR 0x1000
[ORG 0x7c00]
[BITS 16]
main16:
    ; set up segments
    cli
    xor ax, ax
    mov ss, ax
    mov sp, main16 ; put the stack just below the code
    ; no room for any of this...
    ;mov ds, ax
    ;mov es, ax
    ;mov fs, ax
    ;mov gs, ax
    ; print banner
    call clear
    mov si, logo
    call print_logo
    mov si, z_boot_msg
    call print
%ifdef KILL_PROC
    call die
%endif
    jmp go_long_mode
; Tries to get into long mode (from real mode) as quickly as possible.
; will break on a 486 but will work in 2018 :-)
go_long_mode:
    ; clear out the page tables (0x1000 dwords)
    mov edi, PML4T_ADDR
    mov cr3, edi
    mov ecx, 0x1000
    xor eax, eax
    cld
    rep stosd
    mov edi, cr3
    ; set up the intermediate page table levels
    mov dword [edi], 0x2000 | PAGE_PRESENT | PAGE_WRITE ; PML4T
    lea edi, [edi + 0x1000]
    mov dword [edi], 0x3000 | PAGE_PRESENT | PAGE_WRITE ; PDPT
    lea edi, [edi + 0x1000]
    mov dword [edi], 0x4000 | PAGE_PRESENT | PAGE_WRITE ; PDT
    lea edi, [edi + 0x1000]
    ; create 256 pages (1MB), identity mapped
    mov ebx, 0x3 ; rw
    mov ecx, 256
.set_pte:
    mov dword [edi], ebx
    add ebx, 0x1000
    add edi, 8
    loop .set_pte
    ; disable IRQs
    ;mov al, 0xff
    ;out 0xa1, al
    ;out 0x21, al
    ; load an empty interrupt descriptor table
    ;lidt [IDT]
    ; enable the a20 gate so we can address more than 20 bits of memory
    ;mov al, 2
    ;out 0x92, al
    ; enable SSE etc. don't need all this.
    ; need OSXSAVE even though it makes Bochs die. QEMU seems to support it.
    ; hard mode: they can try on a real PC and post to G+ for high-value code
    ; bonus points for using a floppy disk
    mov eax, 0x000406a3 ; OSXSAVE | OSXMMEXCPT | OSFXSR | PAE | PVI :-) | VME
    mov cr4, eax
    ; enable long mode support
    mov ecx, 0xc0000080 ; EFER (extended feature enable)
    rdmsr
    or eax, 0x100 ; long mode
    wrmsr
    ; if we're here, we're about to enable protected mode, so display a message
    mov si, z_long_msg
    call print
%ifdef KILL_PROC
    call die
%endif
    ; if they can't execute AVX instructions, the processor will die after
    ; printing "goo.gl/" so give them a little hint for what it was about to do
    mov si, z_googl
    call print
    ; protected mode time, none of our BIOS fns will work after this
    mov eax, cr0
    and eax, 0xfffffffb ; clear coproc emulation
    or eax, 0x80010003 ; Paging, write protect, monitor coproc, protected mode
    mov cr0, eax ; we still alive?
    ; load the long mode GDT and jump into long mode
    lgdt [GDT64.pointer]
    jmp GDT64.code:main64
; Load si with the address of the logo; this will print it
print_logo:
    pushad
    mov cx, 11 ; rows
.print_logo_loop:
    call print_logo_row
    push si
    mov si, z_crlf
    call print
    pop si
    add si, 3
    loop .print_logo_loop
.print_logo_out:
    popad
    ret
; Kills the CPU
; sensitive can patch by removing call sites with nop or changing hlt into ret
die:
    mov si, z_halted
    call print
    hlt
; Load si with the address of the row, and this function will unpack and print
print_logo_row:
    pushad
    ; this will load upper 8 bits with garbage but we only care about 24/32
    mov ebx, dword [si]
    cld
    mov cx, 24 ; bits per row
.print_logo_row_loop:
    bt ebx, 0 ; is low bit 1?
    setc al ; sets al to 1 if the low bit is 1
    imul ax, ax, 42 ; multiply by 42 (produce asterisk or NUL)
    or al, 0x20 ; convert NUL to space
    mov ah, 0x0e
    int 0x10 ; print it
    shr ebx, 1
    loop .print_logo_row_loop
.print_logo_row_out:
    popad
    ret
; Load si with the address of text, and this will print it
; pulled straight from earlier '90s source archives
print:
    pushad
.print_loop:
    lodsb
    test al, al
    je .print_done
    mov ah, 0x0e
    int 0x10
    jmp .print_loop
.print_done:
    popad
    ret
; Clears the screen.
clear:
    xor ah, ah
    mov al, 0x03
    int 0x10
    ret
; all 64 bit code from now on
%include "vios/main64.asm"
; place all the data at the end
ALIGN 1
logo: ; vi logo bitmap
    ; same one on g+ but simpler (original would take up half the bootsector)
    db 0x9e, 0x00, 0x47
    db 0xd8, 0xbe, 0x32
    db 0xb0, 0xb0, 0x1a
    db 0xe0, 0xb1, 0x04
    db 0x40, 0xa1, 0x05
    db 0xc0, 0xe1, 0x03
    db 0x80, 0xc2, 0x01
    db 0x00, 0xf3, 0x00
    db 0x00, 0xdb, 0x00
    db 0x00, 0xcf, 0x00
    db 0x00, 0x63, 0x00
; null-terminated strings; mostly preserved from the original
; added goo.gl string for 2018 version given to sensitives
z_boot_msg: db 0x0d, 0x0a, "VI.OS v0.5.1798", 0x0d, 0x0a, \
    "(C) '92 VITRONICS", 0x0d, 0x0a, 0
z_halted: db "SYS_HALTED", 0
z_long_msg: db "Booting", 0x0d, 0x0a, 0
z_googl: db 1, " goo.gl/"
z_crlf: db 0x0d, 0x0a, 0
;ALIGN 4
;IDT:
; .length dw 0
; .base dd 0
; this is new
ALIGN 8
GDT64:
.null: equ $ - GDT64
    dw 0x0000 ; limit
    dw 0x0000 ; base (low)
    db 0x00 ; base (middle)
    db 0x00 ; access (none)
    db 0x00 ; flags
    db 0x00 ; base (high)
.code: equ $ - GDT64
    dw 0x0000 ; limit
    dw 0x0000 ; base (low)
    db 0x00 ; base (middle)
    db 10011010b ; access (present/exec/read)
    db 00100000b ; 64 bit
    db 0x00 ; base (high)
    dw 0 ; pad
.data: equ $ - GDT64
    dw 0x0000 ; limit
    dw 0x0000 ; base (low)
    db 0x00 ; base (middle)
    db 10010010b ; access (read/write)
    db 00100000b ; 64 bit
    db 0x00 ; base (high)
.pointer:
    dw $ - GDT64 - 1 ; size of GDT
    dq GDT64 ; base addr
; zero fill to 512 bytes
times 510 - ($-$$) db 0
dw 0xaa55
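
The bit-unpacking that print_logo and print_logo_row apply to the `logo:` table, modelled in Python as an added example (not part of the original posts or of the viOS repository). The function names are hypothetical; only the table bytes and the loop constants are taken from the listing.

```python
# Added example: a Python model of print_logo / print_logo_row in main.asm.
# Function names are hypothetical; the bytes and constants are from the listing.
import struct

LOGO = bytes([            # the 11 rows at the `logo:` label
    0x9e, 0x00, 0x47,  0xd8, 0xbe, 0x32,  0xb0, 0xb0, 0x1a,
    0xe0, 0xb1, 0x04,  0x40, 0xa1, 0x05,  0xc0, 0xe1, 0x03,
    0x80, 0xc2, 0x01,  0x00, 0xf3, 0x00,  0x00, 0xdb, 0x00,
    0x00, 0xcf, 0x00,  0x00, 0x63, 0x00,
])
ROWS, BITS_PER_ROW, ROW_STRIDE = 11, 24, 3   # mov cx, 11 / mov cx, 24 / add si, 3


def unpack_row(data: bytes, offset: int) -> str:
    """Mirror print_logo_row: emit one character per bit, lowest bit first."""
    # mov ebx, dword [si] reads 4 bytes; the 4th is the next row's first byte
    # (or whatever follows the table) and is never examined by the 24-step loop.
    ebx = struct.unpack("<I", data[offset:offset + 4].ljust(4, b"\x00"))[0]
    chars = []
    for _ in range(BITS_PER_ROW):
        al = ebx & 1             # bt ebx, 0 / setc al
        al = (al * 42) & 0xFF    # imul ax, ax, 42 -> '*' (0x2a) or NUL
        al |= 0x20               # or al, 0x20 -> NUL becomes space, '*' unchanged
        chars.append(chr(al))
        ebx >>= 1                # shr ebx, 1
    return "".join(chars)


def render_logo(data: bytes = LOGO) -> list[str]:
    """Mirror print_logo: ROWS rows, advancing ROW_STRIDE bytes per row."""
    return [unpack_row(data, row * ROW_STRIDE) for row in range(ROWS)]


def pack_row(text: str) -> bytes:
    """Inverse of unpack_row: column i of the text becomes bit i of the row."""
    value = sum(1 << i for i, ch in enumerate(text) if ch == "*")
    return value.to_bytes(ROW_STRIDE, "little")


if __name__ == "__main__":
    print("\n".join(render_logo()))
```

Because each row is stored least-significant bit first, the leftmost screen column is bit 0 of the first byte, which is why the table does not read as a picture when viewed in a hex dump.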

Verum Inveniri
2018/08/28 16:38:39
A very impressive transcription. Booting a modern 64-bit PC from a floppy disk looks to be tricky.
2018/08/28 17:29:53
A never-ending history of decoding.


Verum Inveniri
2018/08/27 08:36:16
Excellent work, +Mike Palumbo.

We would also like to point out that this is the first time that the same person has retrieved more than one of our dead drops in the same city. Two bonus gear passcodes heading your way; use them wisely.

#CassandraPrime #VIEverywhere

Mike Palumbo
2018/08/27 07:57:02
+Ingress +Verum Inveniri

I am currently in possession of both of this morning's dead drops from Philadelphia. As proof, here are the pages requested to be shared, after the cover sheet.

I have 2 full sets of these. The first was in a manila envelope labeled "VI", the second was folded by itself, with the cover sheet ripped in half.

Verum Inveniri
2018/08/28 16:45:05
+YutoRaion has produced an archival copy of the Philadelphia dead drops discovered by +Mike Palumbo. Next challenge: make it boot off a floppy disk.

https://github.com/resYuto/viOS

YutoRaion
2018/08/28 11:40:12
+Ingress, +Verum Inveniri / CC: +Mike Palumbo

Transcribed your "VI.OS" code...

Remaining challenge is "Execute on real PC (with Floppy)"?

I want to accept this challenge, however floppies are now scarce

Verum Inveniri
2018/08/28 16:38:39
Very impressive transcription. Beware - making a modern 64-bit PC boot from a floppy drive might be difficult. We tried.
2018/08/28 17:29:53
awrappedriddle.blogspot.com - Untold puzzling history

NSA//ELINT//DOWSINGRED//TS//SI//REL

VITRONICS A-35
Research Platform

1. INTRODUCTION
(TS//SI//REL) The VITRONICS A-35 is a research platform for testing time dilation effects of concentrated long-term XM exposure on magnetic storage mediums. The research platform consists of an IBM PC with a 486DX and 3.5" floppy drive.

(TS//SI//REL) For personnel safety, experiment supervisors stayed at least 100 meters from the PC while it was being subjected to lensed XM.

2. ABSTRACT EXPERIMENT REPORT
(TS//SI//REL) A boot sector was written to a floppy disk, and the disk was booted. After exposure, the disk was readable, but failed to reboot on the 486DX. Analysis of the data on the disk revealed that several sections of the boot sector had been overwritten with garbage.

(TS//SI//REL) Corruption on the disk had structure, but no discernable purpose. Experiment was repeated several times and different corruption occurred each time, seemingly at random. No corrupted data was interpretable by experiment supervisors.

See Addendum 1 for more details.

This space intentionally left blank.