Misplaced Pages

Killer poke: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Browse history interactively← Previous editContent deleted Content addedVisualWikitext
Revision as of 03:24, 17 September 2020 editTurboSonic (talk | contribs)Extended confirmed users, Pending changes reviewers, Rollbackers1,071 edits Commodore PETTag: Visual edit← Previous edit Latest revision as of 14:26, 29 August 2024 edit undoLohphat (talk | contribs)231 edits TRS-80 Model III: Added reference to Mod I having the same vulnerabilities 
(38 intermediate revisions by 31 users not shown)
Line 1: Line 1:
{{Short description|Software means of causing computer hardware damage}}
{{Use dmy dates|date=July 2012}} {{Use dmy dates|date=August 2021}}


In ], a '''killer poke''' is a method of inducing physical ] damage on a machine or its ]s by the insertion of invalid values, via, for example, ]'s ] command, into a ] control ]. The term is typically used to describe a family of fairly well known tricks that can overload the ] in the ] ]s of computers lacking hardware ] (notable examples being the ]<ref>{{cite web|url=http://trixter.oldskool.org/2006/02/02/computing-myth-1-software-cannot-damage-hardware/|title=Computing Myth #1: Software cannot damage hardware|publisher=Oldskooler Ramblings|date=2 February 2006}}</ref> and ].) In ], a '''killer poke''' is a method of inducing physical ] damage on a machine or its ]s by the insertion of invalid values, via, for example, ]'s ] command, into a ] control ]. The term is typically used to describe a family of fairly well known tricks that can overload the ] in the ] ]s of computers lacking hardware ]ing (notable examples being the ]<ref name=":0">{{cite web|url=http://trixter.oldskool.org/2006/02/02/computing-myth-1-software-cannot-damage-hardware/|title=Computing Myth #1: Software cannot damage hardware|publisher=Oldskooler Ramblings|date=2 February 2006|access-date=28 December 2010|archive-date=23 February 2011|archive-url=https://web.archive.org/web/20110223114232/http://trixter.oldskool.org/2006/02/02/computing-myth-1-software-cannot-damage-hardware/|url-status=live}}</ref> and ].)


==Specific examples== ==Specific examples==
===Zuse Z1/Z3===
The ] (1938) and ] (1941) computers built by ] contained illegal sequences of instructions which damaged the hardware if executed by accident.<ref name="Rojas_1997"/>


===Commodore PET=== ===Commodore PET===
The ]-specific killer poke is connected to the architecture of that machine's video rasterizer circuits. In early PETs, writing a certain value to the memory address of a certain ] register (<code>POKE 59458,62</code><ref>{{cite web|url=http://oldcomputers.net/pet2001.html|title=Commodore PET 2001 computer|publisher=oldcomputers.net}}</ref>) made the machine able to display text on the screen much faster.<!--Stay tuned: detailed info will be given soon, in the PET article, and linked to from here. The specifics are: setting bit 5 of the 6522 VIA at $E840/59456 to zero. Wernher--> When the PET range was revamped with updated hardware, it was discovered that performing the old trick on the new hardware led to strange behavior by the new video chip, which could possibly damage the PET's integrated ] monitor.<ref>{{cite web|url=http://www.6502.org/users/andre/petindex/poke/index.html |title=Killer Poke |work=PET index |first=André |last=Fachat |publisher=6502.org}}</ref> However this is easily fixable and is not known to have ever cause any permanent damage to the monitor. The ]-specific killer poke is connected to the architecture of that machine's video rasterizer circuits. In early PETs, writing a certain value to the memory address of a certain ] register (<code>POKE 59458,62</code><ref name=":1">{{cite web|url=http://oldcomputers.net/pet2001.html|title=Commodore PET 2001 computer|publisher=oldcomputers.net|access-date=10 January 2011|archive-date=1 January 2011|archive-url=https://web.archive.org/web/20110101165618/http://oldcomputers.net/pet2001.html|url-status=live}}</ref>) made the machine able to display text and graphics on the screen 106% faster. This was accomplished by disabling a "wait to print to screen" safeguard designed to reduce static/noise by preventing the shared VRAM from being read by the display at the same time as it was being written to by the CPU. With this safeguard disabled, graphics could appear on the screen twice as fast, but small bits of static would also appear. Despite the static, some games designed for early PETs included this POKE in their source code in order to benefit from the faster graphics.<ref name=":0" />

When the PET range was revamped with updated hardware, the video rasterizer circuits were redesigned to run at a faster speed and without the need for a "wait to print" safeguard. Thus, the old POKE trick no longer resulted in faster graphics. Instead, performing the old trick on the new hardware led to strange behavior by the new video chip, which could cause ] and possibly damage the PET's integrated ] monitor.<ref>{{cite web |url=http://www.6502.org/users/andre/petindex/poke/index.html |title=Killer Poke |work=PET index |first=André |last=Fachat |publisher=6502.org |access-date=10 November 2010 |archive-date=9 November 2010 |archive-url=https://web.archive.org/web/20101109023601/http://www.6502.org/users/andre/petindex/poke/index.html |url-status=live }}</ref> This is because the exact pin targeted by the POKE command used to control display timing, but in the upgraded video chip, that pin controlled the vertical sync. Thus, running the POKE on the newer hardware caused graphics to compress vertically, sometimes down to an extremely bright horizontal line. Fears that this anomaly might ] to the display led to the nickname "killer poke";<ref name=":1" /> however, it is not known to have ever caused any permanent damage to the monitor.<ref>{{cite video |url=https://www.youtube.com/watch?v=7bMJ0NIuWU0 | archive-url=https://ghostarchive.org/varchive/youtube/20211211/7bMJ0NIuWU0| archive-date=2021-12-11 | url-status=live|title=The Killer POKE}}{{cbignore}}</ref>


===Commodore 1541 Disk Drive=== ===Commodore 1541 Disk Drive===
The ] had an optional external 5-1/4" floppy drive. The ] contained a 6502 microprocessor which was used to run ] and also to manage the drive mechanism. The drives stored data on 40 tracks (#0–39), and the stepper motor could be manually controlled through BASIC by PRINT#-ing "MEMORY-WRITE" commands to the drive (which correspond to the POKE command of BASIC, but write to the drive's internal memory and I/O registers, not those of the computer itself). If the drive was at either end of its range (track 0 or track 39) and it was commanded to continue moving, there was no software or firmware method to prevent drive damage. Continued "knocking" of the drive head against the stop would throw the mechanism out of alignment. The problem was exacerbated by ] techniques that used non-standard disk formats with unusual track counts. The ] had an optical head stop instead of a mechanical one. The ] had an optional external 5-1/4" floppy drive. The ] contained a 6502 microprocessor which was used to run ] and also to manage the drive mechanism. The drives stored data on 35 tracks (#0–34), and the stepper motor could be manually controlled through BASIC by PRINT#-ing "MEMORY-WRITE" commands to the drive (which correspond to the POKE command of BASIC, but write to the drive's internal memory and I/O registers, not those of the computer itself). If the drive was at either end of its range (track 0 or track 39) and it was commanded to continue moving, there was no software or firmware method to prevent drive damage. Continued "knocking" of the drive head against the stop would throw the mechanism out of alignment. The problem was exacerbated by ] techniques that used non-standard disk formats with unusual track counts. The ] had an optical head stop instead of a mechanical one.


===TRS-80 Model III=== ===TRS-80 Model I & III===
The ] had the ability to switch between a 32-character-wide display and a 64-character display. Doing so actuated a relay in the video hardware, accomplished by writing to a specific memory-mapped control register.<ref>{{Cite web|url = http://www.vintagecomputer.net/fjkraan/comp/trs80/grafix80/80grafix.html|title = 80-GRAFIX Manual|date = 1980|accessdate = June 8, 2015|website = Vintagecomputer.net|publisher = |last = |first = }}</ref> Programs that repeatedly switched between 32- and 64-character modes at high speed (either on purpose or accidentally) could permanently damage the video hardware.{{Citation needed|date = June 2015}} While this is not a single "killer poke", it demonstrates a software ] that could permanently damage the hardware. The original ] and ] had the ability to switch between a 32-character-wide display and a 64-character display. Doing so actuated a relay in the video hardware, accomplished by writing to a specific memory-mapped control register.<ref>{{Cite web|url = http://www.vintagecomputer.net/fjkraan/comp/trs80/grafix80/80grafix.html|title = 80-GRAFIX Manual|date = 1980|access-date = 8 June 2015|website = Vintagecomputer.net|archive-date = 27 February 2016|archive-url = https://web.archive.org/web/20160227094802/http://www.vintagecomputer.net/fjkraan/comp/trs80/grafix80/80grafix.html|url-status = live}}</ref> Programs that repeatedly switched between 32- and 64-character modes at high speed (either on purpose or accidentally) could permanently damage the video hardware.{{Citation needed|date = June 2015}} While this is not a single "killer poke", it demonstrates a software ] that could permanently damage the hardware.


The TRS-80 Model I also has a similar cassette motor relay accessible via a memory poke command and could result in damaging the relay.
===Cassette tape relay===
The ], ], ], ], ], ], and ] from ] all contained a built-in ] for controlling an external tape recorder.<ref>{{cite journal|url=http://www.atarimagazines.com/creative/v11n6/58_Computerized_security_ala.php|title=Computerized security alarms |work=Creative Computing Magazine |first=Forrest M. |last=Mims |authorlink=Forrest Mims |volume=11 |number=6 |date=June 1985 |page=58}}</ref> Toggling the motor control relay in a tight loop would reduce the relay's longevity.

===Commodore Amiga===
The floppy drive of the Commodore Amiga personal computer could be made to produce noises of various pitches by making the drive heads move back and forth. A program existed which could play ], more or less correctly, on the Amiga's floppy drive.<ref>{{cite web |url=http://www.minimalvideo.com/weblog/minimalvideo/2008/09/post-17.html |title=El Condor Pasa |publisher=minimal video |date=16 September 2008}}</ref> As some sounds relied on the head assembly hitting the stop, this gradually sent the head out of alignment.


===LG CD-ROM drives=== ===LG CD-ROM drives===
Certain models of LG CD-ROM drives with specific firmware used an abnormal command for "update firmware": the "clear buffer" command usually used on CD-RW drives. Linux uses this command to tell the difference between CD-ROM and CD-RW drives. Most CD-ROM drives dependably return an error for the unsupported CD-RW command, but the faulty drives interpreted it as "update firmware", causing them to stop working (or, in casual parlance, to be "]").<ref>{{cite web |url=http://www.mail-archive.com/newbie@linux-mandrake.com/msg142409.html |title=Re: LG CDRoms |work=newbie@linux-mandrake.com |publisher=The Mail Archive |date=29 October 2003}}</ref> Certain models of LG CD-ROM drives with specific firmware used an abnormal command for "update firmware": the "clear buffer" command usually used on CD-RW drives. Linux uses this command to tell the difference between CD-ROM and CD-RW drives. Most CD-ROM drives dependably return an error for the unsupported CD-RW command, but the faulty drives interpreted it as "update firmware", causing them to stop working (or, in casual parlance, to be "]").<ref>{{cite web |url=http://www.mail-archive.com/newbie@linux-mandrake.com/msg142409.html |title=Re: LG CDRoms |work=newbie@linux-mandrake.com |publisher=The Mail Archive |date=29 October 2003 |access-date=29 December 2009 |archive-date=30 September 2010 |archive-url=https://web.archive.org/web/20100930225309/http://www.mail-archive.com/newbie@linux-mandrake.com/msg142409.html |url-status=live }}</ref>


===MSi Laptops UEFI=== === Flash memory ===
The resource of flash memory is large, but limited. Since writing to storage is an essential operation, most applications have enough privileges to exhaust the resource of flash chips within 24 hours by filling the storage enough to cause ] and continuously rewriting a small file.<ref>https://www.cs.unc.edu/~porter/pubs/fbrick-mobisys-2019.pdf {{Bare URL PDF|date=August 2024}}</ref>
] mounts variables used by ] on ] system's ] as writable by the root user of a system. As a result, it is possible for the ] of a system to completely brick a system with a non-conforming UEFI implementation (specifically some ] laptops) by using the <code>rm</code> command to delete the <code>/sys/firmware/efi/efivars/</code> directory, or recursively delete the ].<ref>{{cite web |url=https://github.com/systemd/systemd/issues/2402|title=Mount efivarfs read-only · Issue #2402 · systemd/systemd|date=21 January 2016}}</ref>


===Game Boy=== ===MSi Laptops UEFI===
] mounts variables used by ] on ] system's ] as writable by the root user of a system. As a result, it is possible for the ] of a system to completely brick a system with a non-conforming UEFI implementation (specifically some ] laptops) by using the <code>rm</code> command to delete the <code>/sys/firmware/efi/efivars/</code> directory, or recursively delete the ].<ref>{{cite web|url=https://github.com/systemd/systemd/issues/2402|title=Mount efivarfs read-only · Issue #2402 · systemd/systemd|website=]|date=21 January 2016|access-date=9 November 2016|archive-date=23 October 2016|archive-url=https://web.archive.org/web/20161023083811/https://github.com/systemd/systemd/issues/2402|url-status=live}}</ref>{{better source|date=March 2024}}
The ]'s LCD screen can be turned off by game software. Doing so outside of the ] can allegedly damage the hardware.<ref>{{cite web|url=http://bgb.bircd.org/pandocs.htm#lcdcontrolregister|title=LCD Control Register|work=Pan Docs}}</ref>


==See also== ==See also==
* ]
* ]
* ]
* ], malware designed to cause physical wear in industrial centrifuges * ], malware designed to cause physical wear in industrial centrifuges
* ], the act of misconfiguring a device so as to make it cease functioning * ], the act of misconfiguring a device so as to make it cease functioning
* ], a virus which corrupted the BIOS
* ], a less destructive operation which halts the CPU but can usually be recovered by power-cycling.


==References== ==References==
{{Reflist}} {{Reflist|refs=
<ref name="Rojas_1997">{{cite journal |title=Konrad Zuse's Legacy: The Architecture of the Z1 and Z3 |author-last=Rojas |author-first=Raúl |author-link=Raúl Rojas |journal=] |volume=19 |number=2 |date=April–June 1997 |pages=5–16 |doi=10.1109/85.586067 |url=http://ed-thelen.org/comp-hist/Zuse_Z1_and_Z3.pdf |access-date=2022-07-03 |url-status=live |archive-url=https://web.archive.org/web/20220703082408/http://ed-thelen.org/comp-hist/Zuse_Z1_and_Z3.pdf |archive-date=2022-07-03 |quote-page=10 |quote=There are a lot of details that the engineer designing the "microprogram" must keep in mind, otherwise short circuits can destroy the hardware. The ] with its mechanical design was still more sensitive in this respect than the ]. Even after it was completed, there were sequences of instructions that the programmer had to avoid in order not to damage the hardware. One of those sequences was inadvertently tried at the ], which led to slight damaging of the reconstructed Z1 in 1994.}} (12 pages)</ref>
{{refbegin}}
}}
* {{FOLDOC}}
{{refend}}


==External links== ==External links==

Latest revision as of 14:26, 29 August 2024

Software means of causing computer hardware damage

In computer jargon, a killer poke is a method of inducing physical hardware damage on a machine or its peripherals by the insertion of invalid values, via, for example, BASIC's POKE command, into a memory-mapped control register. The term is typically used to describe a family of fairly well known tricks that can overload the analog electronics in the CRT monitors of computers lacking hardware sanity checking (notable examples being the IBM Portable and Commodore PET.)

Specific examples

Zuse Z1/Z3

The Z1 (1938) and Z3 (1941) computers built by Konrad Zuse contained illegal sequences of instructions which damaged the hardware if executed by accident.

Commodore PET

The PET-specific killer poke is connected to the architecture of that machine's video rasterizer circuits. In early PETs, writing a certain value to the memory address of a certain I/O register (POKE 59458,62) made the machine able to display text and graphics on the screen 106% faster. This was accomplished by disabling a "wait to print to screen" safeguard designed to reduce static/noise by preventing the shared VRAM from being read by the display at the same time as it was being written to by the CPU. With this safeguard disabled, graphics could appear on the screen twice as fast, but small bits of static would also appear. Despite the static, some games designed for early PETs included this POKE in their source code in order to benefit from the faster graphics.

When the PET range was revamped with updated hardware, the video rasterizer circuits were redesigned to run at a faster speed and without the need for a "wait to print" safeguard. Thus, the old POKE trick no longer resulted in faster graphics. Instead, performing the old trick on the new hardware led to strange behavior by the new video chip, which could cause signal contention and possibly damage the PET's integrated CRT monitor. This is because the exact pin targeted by the POKE command used to control display timing, but in the upgraded video chip, that pin controlled the vertical sync. Thus, running the POKE on the newer hardware caused graphics to compress vertically, sometimes down to an extremely bright horizontal line. Fears that this anomaly might burn in to the display led to the nickname "killer poke"; however, it is not known to have ever caused any permanent damage to the monitor.

Commodore 1541 Disk Drive

The Commodore 64 had an optional external 5-1/4" floppy drive. The Commodore 1541 contained a 6502 microprocessor which was used to run Commodore DOS and also to manage the drive mechanism. The drives stored data on 35 tracks (#0–34), and the stepper motor could be manually controlled through BASIC by PRINT#-ing "MEMORY-WRITE" commands to the drive (which correspond to the POKE command of BASIC, but write to the drive's internal memory and I/O registers, not those of the computer itself). If the drive was at either end of its range (track 0 or track 39) and it was commanded to continue moving, there was no software or firmware method to prevent drive damage. Continued "knocking" of the drive head against the stop would throw the mechanism out of alignment. The problem was exacerbated by copy protection techniques that used non-standard disk formats with unusual track counts. The Commodore 1571 had an optical head stop instead of a mechanical one.

TRS-80 Model I & III

The original TRS-80 and TRS-80 Model III had the ability to switch between a 32-character-wide display and a 64-character display. Doing so actuated a relay in the video hardware, accomplished by writing to a specific memory-mapped control register. Programs that repeatedly switched between 32- and 64-character modes at high speed (either on purpose or accidentally) could permanently damage the video hardware. While this is not a single "killer poke", it demonstrates a software failure mode that could permanently damage the hardware.

The TRS-80 Model I also has a similar cassette motor relay accessible via a memory poke command and could result in damaging the relay.

LG CD-ROM drives

Certain models of LG CD-ROM drives with specific firmware used an abnormal command for "update firmware": the "clear buffer" command usually used on CD-RW drives. Linux uses this command to tell the difference between CD-ROM and CD-RW drives. Most CD-ROM drives dependably return an error for the unsupported CD-RW command, but the faulty drives interpreted it as "update firmware", causing them to stop working (or, in casual parlance, to be "bricked").

Flash memory

The resource of flash memory is large, but limited. Since writing to storage is an essential operation, most applications have enough privileges to exhaust the resource of flash chips within 24 hours by filling the storage enough to cause write amplification and continuously rewriting a small file.

MSi Laptops UEFI

Systemd mounts variables used by Unified Extensible Firmware Interface on Linux system's sysfs as writable by the root user of a system. As a result, it is possible for the root user of a system to completely brick a system with a non-conforming UEFI implementation (specifically some MSi laptops) by using the rm command to delete the /sys/firmware/efi/efivars/ directory, or recursively delete the root directory.

See also

  • Stuxnet, malware designed to cause physical wear in industrial centrifuges
  • Bricking, the act of misconfiguring a device so as to make it cease functioning
  • CIH (computer virus), a virus which corrupted the BIOS
  • Halt and Catch Fire, a less destructive operation which halts the CPU but can usually be recovered by power-cycling.

References

  1. ^ "Computing Myth #1: Software cannot damage hardware". Oldskooler Ramblings. 2 February 2006. Archived from the original on 23 February 2011. Retrieved 28 December 2010.
  2. Rojas, Raúl (April–June 1997). "Konrad Zuse's Legacy: The Architecture of the Z1 and Z3" (PDF). IEEE Annals of the History of Computing. 19 (2): 5–16 . doi:10.1109/85.586067. Archived (PDF) from the original on 3 July 2022. Retrieved 3 July 2022. p. 10: There are a lot of details that the engineer designing the "microprogram" must keep in mind, otherwise short circuits can destroy the hardware. The Z1 with its mechanical design was still more sensitive in this respect than the Z3. Even after it was completed, there were sequences of instructions that the programmer had to avoid in order not to damage the hardware. One of those sequences was inadvertently tried at the Berlin Museum of Technology and Transportation, which led to slight damaging of the reconstructed Z1 in 1994. (12 pages)
  3. ^ "Commodore PET 2001 computer". oldcomputers.net. Archived from the original on 1 January 2011. Retrieved 10 January 2011.
  4. Fachat, André. "Killer Poke". PET index. 6502.org. Archived from the original on 9 November 2010. Retrieved 10 November 2010.
  5. The Killer POKE. Archived from the original on 11 December 2021.
  6. "80-GRAFIX Manual". Vintagecomputer.net. 1980. Archived from the original on 27 February 2016. Retrieved 8 June 2015.
  7. "Re: LG CDRoms". newbie@linux-mandrake.com. The Mail Archive. 29 October 2003. Archived from the original on 30 September 2010. Retrieved 29 December 2009.
  8. https://www.cs.unc.edu/~porter/pubs/fbrick-mobisys-2019.pdf
  9. "Mount efivarfs read-only · Issue #2402 · systemd/systemd". GitHub. 21 January 2016. Archived from the original on 23 October 2016. Retrieved 9 November 2016.

External links

Categories: