Monitor Tests Forum

Full Version: DDC Handshake for Nvidia 3D Vision (not lightboost) on 2233RZ
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
Hey guys,

Seeing all this activity around LightBoost and the work done to get it running on different hardware without 3D Vision makes me really happy.

Some years ago, when the first 3D Vision monitors came out I got my hands on a Samsung 2233RZ. I did a project at home trying to make a DIY "3D Vision" that used IZ3D drivers and some cheap shutter glasses.

In the end it worked quite beautifully at 120Hz, but there was one obstacle remaining: the 2233RZ had a special "3D mode" that could only be engaged when connected to a 3D Vision-compatible Nvidia card.

The DIY project worked in the standard 120Hz mode of the 2233RZ, but 3D image ghosting was pretty bad. Turns out that the special "3D mode" of the display increases the scan speed so that there is more time for shutter glasses to open (so less ghosting).


I never got the monitor to go into this mode, and could do little reverse-engineering because I didn't even have an NVidia card or 3D Vision kit. So I accepted it didn't work great and left the project at that.


Now, three years later, I see how ToastyX managed to crack the proprietary DDC handshake that NVidia uses to enable LightBoost. Big Grin I know it's not the same thing, but maybe the lessons learned can also be applied to my problem?

After all, we're talking about a special mode that the 2233RZ goes into for 3D Vision gaming, that only seems to be accessible by the 3D Vision kit and cards... It has custom timings, sure, but the monitor also goes into a special state where, for example, many menu functions are disabled in this mode.


I suspect the monitor is being instructed by the NVidia card to go into 3D Vision mode. And I suspect that this may very well be the same kind of sequence used to enable LightBoost in 3D Vision 2 hardware: some proprietary handshake over DDC, then possibly some custom display timings.

It may even be the exact same handshake - for this, I really am asking the help of ToastyX's experience with reverse-engineering this stuff.

I am not very experienced in this stuff, and most importantly: I don't actually have access to the 3D Vision kit.

But I would love to find out how to trick the monitor into using 3D mode, on any video card, with or without 3D Vision. It would finish my project, and maybe help others who want a DIY shutterglass setup compatible with a 2233RZ monitor (and maybe others)!

If someone is interested, this is a link to the three-year-old project, using some old shutterglasses and the IZ3D driver:

http://www.mtbs3d.com/phpbb/viewtopic.php?f=26&t=13495
I haven't cracked the encryption. I only found a weakness that allowed brute forcing a replay attack. The handshake unlocks 3D mode for the LightBoost monitors, so it's probably the same for all 3D Vision monitors. The problem is each manufacturer has a different ID that affects the results of the encryption, and I only have the DDC captures for the ASUS and BenQ monitors. I would need a DDC capture for the Samsung monitor, which would require an NVIDIA card to activate 3D mode along with a DVI splitter and a logic analyzer to capture the DDC data.

Once the handshake unlocks the monitor, it should stay unlocked unless the monitor loses power. You still need the custom timing to enable 3D mode, which is just CVT reduced blanking ("LCD standard" in CRU) with the vertical blanking/total increased by 5.
Thanks for the info!

I asked around about this on the BlurBusters forum as well, and one user came back with an interesting report: he got the 3D mode enabled on his lg 2363d monitor (also a 1st-gen 3D Vision model), by only changing the vertical total timing like you said. Who knows, maybe I overestimated this a little bit, and the DDC handshake wasn't needed until LightBoost came out. I won't know until I get home in a month and try it out.

Is there any specific reason for the increase of 5 in vertical total? Or is that just a way of signaling "3D vision" to the monitor?

And what exactly is a replay attack? Do you mean you just recorded the encrypted handshake and repeated it exactly?
(06-20-2014 08:42 AM)NarcoticV Wrote: [ -> ]I asked around about this on the BlurBusters forum as well, and one user came back with an interesting report: he got the 3D mode enabled on his lg 2363d monitor (also a 1st-gen 3D Vision model), by only changing the vertical total timing like you said. Who knows, maybe I overestimated this a little bit, and the DDC handshake wasn't needed until LightBoost came out. I won't know until I get home in a month and try it out.
He might have already unlocked 3D mode by enabling it with an NVIDIA card.

(06-20-2014 08:42 AM)NarcoticV Wrote: [ -> ]Is there any specific reason for the increase of 5 in vertical total? Or is that just a way of signaling "3D vision" to the monitor?
That's how it signals 3D mode.

(06-20-2014 08:42 AM)NarcoticV Wrote: [ -> ]And what exactly is a replay attack? Do you mean you just recorded the encrypted handshake and repeated it exactly?
Yes, but it only works 1 out of 255 times. They fixed this weakness in the new BenQ Z-series monitors.
(06-25-2014 05:10 AM)ToastyX Wrote: [ -> ]He might have already unlocked 3D mode by enabling it with an NVIDIA card.

(06-20-2014 08:42 AM)NarcoticV Wrote: [ -> ]Is there any specific reason for the increase of 5 in vertical total? Or is that just a way of signaling "3D vision" to the monitor?
That's how it signals 3D mode.

Just another question: What is the order of events in the Lightboost handshake? is it:

DDC signal from the graphics card -> Reply from monitor -> special display timings enabled

Or:

Special display timings enabled -> monitor starts handshake?

In other words, does the handshake precede the custom resolution setting?

Thanks again!
The software starts the handshake if 3D mode needs to be unlocked, then switches to the special resolution.
After some radio silence, I am now at home and am trying to get this 2233RZ monitor into the 3D mode.

Unfortunately, it seems just using the special display timings (increased vertical total) does not put the monitor in 3D mode. I used the CRU and played with the vertical total - up to an increase or decrease of 10 the monitor still accepts the signal (but doesn't go into 3D mode). Any more or less and the monitor does not accept the signal.

So I guess the most likely is that this monitor also has an encrypted DDC handshake.

I got my hands on a low-end NVidia card, and should have a DVI splitter and logic analyzer lying around somewhere, so I will try to sniff the DDC communications as you said.

Just wondering: you said you "found a weakness" that allowed a replay attack. Does that mean there is more to it than just replaying the exact same DDC communications that you captured once? Do only certain combinations work or do some other steps need to be taken in addition to the replay?

And how does your Strobelight tool actually know that the attack succeeded? Is there a reply from the monitor only if the handshake was accepted?

--Edit-- With the NVidia card, using the 3D Vision Emulator tool floating around somewhere to fool the NVidia driver into thinking there's an emitter connected, I could get the monitor into 3D mode for the first time.
As I read from others, indeed the OSD menu locks some settings and reports weird refresh rate numbers that don't make sense (185kHz hor refresh rate reported, while the standard 120Hz at this resolution would lead to 130-something).
I heard before the the DDC handshake thing is a one-time transaction, after which the special display resolutions are used to trigger 3D mode. So after enabling and then disabling 3D mode through the driver, I tried again to increase the vertical total timing to trigger 3D mode - again no luck.

Cheers!
(08-04-2014 11:49 AM)NarcoticV Wrote: [ -> ]Just wondering: you said you "found a weakness" that allowed a replay attack. Does that mean there is more to it than just replaying the exact same DDC communications that you captured once? Do only certain combinations work or do some other steps need to be taken in addition to the replay?

And how does your Strobelight tool actually know that the attack succeeded? Is there a reply from the monitor only if the handshake was accepted?
Strobelight keeps sending one particular command over and over until it gets the reply it's looking for, then finishes the handshake. If it succeeds, the monitor will report 3D mode is unlocked.
Thanks again for the wealth of information.

One more question, if you don't mind me asking: how have you managed (in the StrobeLight utility) to get direct access to the I2C / DDC line in Windows for both AMD and NVidia cards?

For Windows after searching for quite a while, in terms of libraries all that I came accross was the WinI2C library ($400) and EnTech's communications library softOSD (price unknown). From what I read about Windows' own functions, they don't go lower than using function calls to set VCP fields (still no full control over I2C operation).

I would love to hear how you got around that obstacle.
AMD and NVIDIA have SDKs with I2C/DDC functions. AMD has ADL, and NVIDIA has NVAPI.
Pages: 1 2
Reference URL's