Nocom heatmap of the overworld, from -245k to +245k, from early 2020 to mid-2021
|Date First Used||July 2018|
|Date Leaked||July 2021|
|Date Patched||July 2021|
|Discoverer||0x22 and Babbaj|
From mid-2018 to mid-2021, the exploit known as nocom[notes 1] was used by Nerds Inc. Considered to be the most severe exploit in 2b2t history, it began when a server lagging/crashing exploit was patched in PaperMC, a Minecraft server software used on 2b2t. The exploit allowed Nerds Inc to observe the player movements of every player on 2b2t.
The initial exploit allowed a player to force the server to load arbitrary chunks with packets, with no rate limit, causing the main thread of the server to block until all of the packets were processed. By varying the number of packets, the server could be frozen for just a few seconds, or until the watchdog thread killed the whole server. In the queue server, it was possible to send enough packets to keep the network thread busy with the exploiter's packets for so long that the server thought the connection for every other player in the queue was dead and disconnected them, thus allowing the queue to be skipped. 0x22 and Babbaj would utilize the exploit to intentionally crash the server, expecting that Hausemaster would report the exploit to Paper. The exploit was fixed in July 2018; however, the fix made it possible to check whether any chunk in the world was currently loaded. Nerds Inc exploited this new vulnerability by scanning the world in a spiral pattern, sending thousands of packets per second. Although the approach was primitive, it was effective up to about 1 million blocks. In 2019, Hausemaster, in response to an off-hand switch sound lag exploit, added a rate limit that severely limited the effectiveness of the packet spamming approach, and usage of the exploit temporarily stopped. In 2020, Nerds Inc enlisted Leijurv, the lead developer of Baritone, to create a completely new system that was effective with the strict rate limit by tracking players as they move. In addition to tracking players, nocom was able to slowly remotely download bases.
Nerds Inc employed a disinformation campaign to downplay coordinate exploits in an effort to ensure nocom's secrecy. Other exploits, such as the pet teleportation exploit, were used as covers for nocom. Nocom has been attributed to the destruction of Space Valkyria 3 V2, as well as Niflheim, Acheron, Avalonia, and Yggdrasil; several other bases were destroyed under the guise of the "Dipper Nation", a series of images and memes. Nocom was also used to fund several projects started by the SpawnMasons using stashes located through the exploit. Nocom's existence was threatened by 0Neb, who attempted to raise suspicion of Nerds Inc, and the Infinity Incursion, who recreated a less powerful version of the exploit and used it against Fit.
In July 2021, Hausemaster implemented a fix to nocom—and similar exploits—limiting the range the server would return chunk information for. Several days later, Nerds Inc released information on nocom, including its existence and statistics. The source code for nocom, dating back to Leijurv's involvement in March 2020, was released in February 2022.
Overview and flaw of exploit
Nocom utilizes a flaw in PaperMC for Minecraft 1.12.2, introduced in a patch. As it is a flaw within the PaperMC server software, said flaw does not exist in vanilla Minecraft. The patch, titled "Fix block break desync", was implemented in July 2018 by Paper team member electronicboy, and added the following line of code:
if (worldserver.isChunkLoaded(blockposition.getX() >> 4, blockposition.getZ() >> 4, true)) // Paper - Fix block break desync - Don't send for unloaded chunks
The patch changes the behavior of Minecraft servers running Paper; when a player sends a packet mining a block that is in an unloaded chunk, a packet is not sent back to the player. This, in turn, allows a player to determine whether a chunk is loaded, depending on whether the server returns a response.
Initial ghost block patch and lag exploit
In vanilla Minecraft, a CPacketPlayerDigging packet is simply ignored entirely when it is over six blocks away from the player. However, due to lag, the server and client can disagree on where the player is. It is possible, then, for some good-faith block digging packets to be discarded by this policy. Since the server simply ignores the client, a "ghost block" is created, where the block exists on the server's end, but not the client's.
In January 2017, a user known as prplz submitted a pull request to fix this issue, by sending a PacketPlayOutBlockChange packet when a player attempts to mine a block more than six blocks away, resolving the server-client ghost block dispute. The pull request adds the following line to the
this.sendPacket(new PacketPlayOutBlockChange(worldserver, blockposition)); // Paper - Fix block break desync
By sending a packet for each block change, the patch created a vulnerability within Paper. To send the PacketPlayOutBlockChange packet back to the user, the server needs to load the chunk at the block position specified by the constructor. As loading chunks increases the computational load of a Minecraft server, sending continuous CPacketPlayerDigging packets to blocks at unloaded chunks creates immense server lag.
In July 2018, 0x22 and Babbaj created a coordinate exploit, using the groundwork laid out in the lag exploit. The two theorized that, if the server didn't return a response for unloaded chunks, but returned a response for loaded chunks, the rough location of players in 2b2t could be approximated. However, prplz's patch returned a response regardless of whether a chunk was loaded or unloaded, requiring a second patch to Paper that would only return a response if the chunk was loaded.
Knowing that the issue would be resolved if Hausemaster reported it to Paper, likely through the method they laid out, 0x22 and Babbaj began intentionally, repeatedly, and blatantly sending CPacketPlayerDigging packets, causing the Paper watchdog process to output a stack trace, which included the line added by prplz. Hausemaster reported the issue on July 11, 2017, and the issue was fixed by electronicboy the following day by only returning a response for loaded chunks. The commit added a check, if (worldserver.isChunkLoaded(blockposition.getX() >> 4, blockposition.getZ() >> 4, true)), that tests whether the chunk containing the block position is loaded.
Following the patch, a player could obtain the status of a chunk by attempting to break a block within the chunk. If the chunk is unloaded, the server returns nothing; if the chunk is loaded, the server returns a SPacketBlockChange packet and the block type of the block the player attempted to break, regardless of whether the player loaded that chunk themselves.
|Targeted block||Vanilla Minecraft server||January 2017 patch||July 2018 patch|
|Less than 6 blocks away||The block is broken and the |
|More than 6 blocks away and in a currently loaded chunk||No response is sent.||The server returns the block at that coordinate, but does not break the block.||The server returns the block at that coordinate, but does not break the block.|
|More than 6 blocks away and not in a currently loaded chunk||No response is sent.||The server loads the chunk or generates it from the seed and returns the block at that coordinate, but does not break the block.||No response is sent.|
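The three behaviours in the table, plus the range limit added in July 2021, can be compared in a small model. This is an added example, not code from Paper or 2b2t: the class, the policy names, and the nine-chunk response radius are assumptions, and only x/z coordinates are modelled.

```python
from dataclasses import dataclass, field

REACH_SQ = 6 * 6           # vanilla ignores digs farther than six blocks (from the page)
RESPONSE_RANGE_CHUNKS = 9  # assumed radius for the July 2021 range limit


@dataclass
class Server:
    policy: str                                # "vanilla", "jan2017", "jul2018" or "jul2021"
    loaded: set = field(default_factory=set)   # loaded chunks as (chunk_x, chunk_z)
    forced_loads: int = 0                      # chunk loads caused by far-away digs

    def handle_dig(self, player, block):
        """Return True if a block-change packet goes back to the client (x/z only)."""
        (px, pz), (bx, bz) = player, block
        if (bx - px) ** 2 + (bz - pz) ** 2 <= REACH_SQ:
            return True                        # within reach: treated as answered (assumption)
        chunk = (bx >> 4, bz >> 4)             # same shift as the quoted Paper line
        if self.policy == "vanilla":
            return False                       # out-of-reach digs are ignored
        if self.policy == "jan2017":
            if chunk not in self.loaded:       # the reply needs the block, so the chunk loads
                self.loaded.add(chunk)
                self.forced_loads += 1
            return True
        if self.policy == "jul2018":
            return chunk in self.loaded        # a reply exists only for loaded chunks
        if self.policy == "jul2021":
            dist = max(abs(chunk[0] - (px >> 4)), abs(chunk[1] - (pz >> 4)))
            return dist <= RESPONSE_RANGE_CHUNKS and chunk in self.loaded
        raise ValueError(f"unknown policy: {self.policy}")


def leaks_remote_state(policy):
    """True if the reply to one far-away dig depends on someone else loading that chunk."""
    observer, block = (0, 0), (100_000, -50_000)          # constructed coordinates
    occupied = {(block[0] >> 4, block[1] >> 4)}
    return (Server(policy).handle_dig(observer, block)
            != Server(policy, loaded=occupied).handle_dig(observer, block))


if __name__ == "__main__":
    for name in ("vanilla", "jan2017", "jul2018", "jul2021"):
        print(f"{name:8} leaks remote chunk state: {leaks_remote_state(name)}")
```

Only the July 2018 policy answers differently depending on whether another player has the distant chunk loaded; the January 2017 policy instead turns every far-away dig into a forced chunk load.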
The block detection mechanism of nocom was not a novel approach; Orebfuscator, a server plugin designed to combat X-ray techniques, obscures the contents of a block until a player approaches it, and used this technique before electronicboy's patch.
On July 13, 2018, Hausemaster implemented electronicboy's patch into 2b2t. Fr1kin, a member of Nerds Inc, created a ForgeHax exploit to search chunks in 2b2t in a spiral pattern, writing down coordinates to a file and in chat. The contents of this file were uploaded to a website visible to members of Nerds Inc. A bot using Baritone was set up, and chunks could be downloaded for remote viewing. Using mixin to alter chunk rendering in freecam, a module could remotely load a base using nocom. This technique was used until late 2019, when Hausemaster implemented a packet rate limit, preventing brute force attempts to calculate coordinates. In addition, the spiral technique had several drawbacks; most notably, large bases were indistinguishable from dirt huts.
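Alongside a packet rate limit, a server operator can look for the traffic shape this scanning produces: dig packets aimed well beyond the six-block reach and spread over many chunks in a short time. The detector below is an added example, not code from 2b2t or Paper; the log format, the window length, and the chunk threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque

REACH_SQ = 6 * 6      # six-block reach limit from the page, squared
WINDOW_S = 10.0       # assumed sliding window, in seconds
MAX_FAR_CHUNKS = 3    # assumed tolerance for lag-induced out-of-reach digs

LINE = re.compile(
    r"t=(?P<t>\d+(?:\.\d+)?) player=(?P<who>\w+) "
    r"pos=(?P<px>-?\d+),(?P<py>-?\d+),(?P<pz>-?\d+) "
    r"dig=(?P<bx>-?\d+),(?P<by>-?\d+),(?P<bz>-?\d+)")

# Constructed sample log in a hypothetical format; no real server writes these lines.
SAMPLE_LOG = """\
t=1.0 player=alice pos=100,64,200 dig=102,64,201
t=1.5 player=bob pos=0,70,0 dig=8,70,0
t=2.0 player=bob pos=0,70,0 dig=9,70,0
t=3.0 player=mallory pos=0,64,0 dig=4096,64,0
t=3.1 player=mallory pos=0,64,0 dig=4112,64,0
t=3.2 player=mallory pos=0,64,0 dig=4112,64,16
t=3.3 player=mallory pos=0,64,0 dig=4096,64,16
t=9.0 player=alice pos=100,64,200 dig=108,64,207
"""


def find_scanners(log_text):
    """Map player -> time at which out-of-reach digs first spanned too many chunks."""
    recent = defaultdict(deque)      # player -> (time, chunk) of out-of-reach digs
    flagged = {}
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m is None:
            continue                 # skip lines that are not dig records
        t = float(m["t"])
        px, py, pz, bx, by, bz = (int(m[k]) for k in ("px", "py", "pz", "bx", "by", "bz"))
        if (bx - px) ** 2 + (by - py) ** 2 + (bz - pz) ** 2 <= REACH_SQ:
            continue                 # reachable block: ordinary mining
        window = recent[m["who"]]
        window.append((t, (bx >> 4, bz >> 4)))
        while t - window[0][0] > WINDOW_S:
            window.popleft()         # drop digs that fell out of the window
        if len({chunk for _, chunk in window}) > MAX_FAR_CHUNKS:
            flagged.setdefault(m["who"], t)
    return flagged
```

Counting distinct chunks rather than raw packets keeps a lagging player who repeatedly digs one slightly out-of-reach block (bob in the sample) below the threshold.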
Leijurv, the lead developer of Baritone, joined the project in March 2020. Leijurv implemented an adaptive tracking system to tactfully determine precise coordinates for a player. To achieve this, dozens of bots were used in the overworld and the Nether, with offset shift schedules to ensure uptime. Bots in the Nether mainly observed the Nether highways, tracking players and coordinating with the overworld bots. nocom tracked the time a player spent in one location; this was used to mark chunks where a player had spent more than 90 minutes. These statistics were tracked in a PostgreSQL database and analyzed through direct queries and a web UI.
Players were located through straight-line checks on every axis and diagonal highway in the Nether, in a process that would take 33 minutes. After being located, a Monte Carlo particle filter was used to keep up with the player. nocom's implementation of a Monte Carlo particle filter simulates 1,000 different potential player positions and velocities, referred to as "particles". As players traveled in the Nether, the Monte Carlo particle filter improved, furthered by the low degree of variance in player movement. To guess a location, sequential importance sampling was used. The adaptive tracking system works using the following equation.
Four main scanners were used: a Nether highway scanner, a ring scanner, a spiral scanner, and a cluster retry scanner. These scanners were assigned different priorities; the Nether highway scanner, for instance, was given mid-priority, while the spiral scanner received the lowest priority, with each bot running through each scanner in priority order. Priorities were used to handle Hausemaster's packet limit. A central manager, dubbed the "tracky tracky manager", coordinated these scanners, and implemented a Monte Carlo particle filter for each new player. The cluster retry scanner rechecked bases at random.
To analyze the data from nocom, an aggregator analyzed the hits (loaded chunks). Once a chunk was loaded for more than five minutes, it was added to a GiST index and labeled as a node. High-activity areas were labeled as "core" nodes, and core nodes created clusters that could be combined with other clusters, creating a disjoint-set data structure. Path compression and union by rank were implemented. Simultaneously, an associator used this data with player log-offs. Clusters were also used by a "slurper", which allowed Nerds Inc to download bases. Using "chunk seeding", a base could be determined in a chunk. Blocks, such as shulker boxes, stained glass, beacons, and chests, were used to determine if a chunk is a base, and nocom would then recreate the chunk in a separate instance of Minecraft.
nocom was deployed on a DigitalOcean droplet located in New York to ensure the lowest amount of latency between the bots and 2b2t's servers. A version of Minecraft was deployed on the servers using a single instance of Java. Bots were coordinated in a network. The status of the bots was visible in Grafana in a Docker container with WireGuard.
The Infinity Incursion were able to recreate nocom and implemented it within their cheating clients. The Infinity Incursion would use their exploit against Fit, and attempted to sell his logout coordinates for real-world money.
nocom observed 3,250,000 player sessions and 300,000 unique players. Using its definition of a base, 15,000 bases were tracked, of which two thirds had a world download. These world downloads have the full block-by-block timeline of the base's history at 30-minute intervals. This was only done for bases hundreds of thousands of blocks away from spawn. 400,000 "association events" were tracked, where a player logged out at a tracked base. The table of blocks has over 10,000,000,000 rows, and took up over a terabyte for the table and its associated indexes. The table of hits has 3,000,000,000 rows, while the table of tracks, which groups hits that were collected as part of one continuous track, has 10,000,000 rows.
Use in griefing
nocom has been attributed to the destruction of multiple bases and structures, including Space Valkyria 3 V2, Valerian, Hopen, Avalonia, Yggdrasil, Niflheim, Acheron, and Victoria. Coordinates for certain bases were leaked on r/2b2t under the guise of the "Dipper Nation", a facetious redneck group.
0x22, Babbaj, and Leijurv used their access to nocom to find stashes, the locations of which would be shared with the SpawnMasons. Notably, Dectonic obtained hundreds of coordinates through Leijurv.
Use on other anarchy servers
nocom was patched in July 2021, and Nerds Inc released a write-up of nocom several days later. The source code for nocom was released on February 8, 2022.
- Portmanteau of no comment