Joykill: Previously Undisclosed Vulnerability Endangers User Data

Researchers have recently announced a vulnerability in PC hardware enabling attackers to wipe the disk of a victim’s computer. This vulnerability, going by the name Joykill, stems from the lack of proper validation when enabling manufacturing system tests.

Joykill affects the IBM PCjr and allows local and remote attackers to destroy the contents of the floppy diskette using minimal interaction. The attack is performed by plugging two joysticks into the PCjr, booting the computer, entering the PCjr’s diagnostic mode, and immediately pressing button ‘B’ on joystick one, and buttons ‘A’ and ‘B’ on joystick two. This will enable the manufacturing system test mode, where all internal tests are performed without user interaction. The first of these tests is the diskette test, which destroys all user data on any inserted diskette. There is no visual indication of what is happening, and the data is destroyed when the test is run.

A local exploit destroying user data is scary enough, but after much work, the researchers behind Joykill have also managed to craft a remote exploit based on Joykill. To accomplish this, the researchers built two IBM PCjr joysticks with 50-meter long cables.

Researchers believe this exploit is due to undocumented code in the PCjr’s ROM. This code contains diagnostics code for manufacturing burn-in, system test code, and service test code. This code is not meant to be run by the end user, but is still exploitable by an attacker. Researchers have disassembled this code and made their work available to anyone.

As of the time of this writing, we were not able to contact anyone at the IBM PCjr Information Center for comment. We did, however, receive an exciting offer for a Caribbean cruise.

Converting an IBM PCjr joystick to USB


Seeing this IBM joystick again really brings back memories. But it can be used on a modern system thanks to this USB conversion project.

This particular model had a connector which is foreign to us. It looks like a boxy USB-A plug, but has an eight-pin socket which looks like it’s 0.1″ pitch. You could try to make your own male connector using a dual-row pin header, but [Gruso] just went ahead and lopped off the end of the cable. He managed to dig up the pin-out for the device and found that it could be wired up to a gameport — the connector being the only real difference. He gutted a USB gameport adapter, removing the DB15 connector and soldering directly to the board. The boxy old peripheral has just enough room to house that PCB.

If you’re looking for a few more details than this build album provides, check out [Gruso’s] comments in the Reddit thread.

Ancient mouse teardown and repair

For a young geek in the 80s, the it computer was the IBM PCjr. On paper, it was a truly remarkable leap in technology. With a wireless keyboard, light pen, and optical mouse it was an impressive, if maligned, piece of hardware. There was a small problem with the optical mouse, though; it required a special mousepad. [Michael], a PCjr aficionado, decided to make his own optical mousepad. It works, and was a lot easier to build than finding a used one for sale.

The PCjr mouse used two photodetectors – a red LED and photodetector for the horizontal axis, and an IR LED setup for the vertical. Light is shot through two holes in the bottom of the mouse and reflects back onto the photodetectors. [Michael] emulated the old mousepad with a sheet of aluminum foil and a transparency with a printed grid pattern. Surely not as elegant as an original, but it does the job nonetheless.

This clever-for-its-day optical mouse setup wasn’t limited to the lowly PCjr. A number of old Sun workstations had a similar setup that used small dots on the mousepad. There were several generations of mousepads that were generally incompatible with each other (because one type of mousepad wasn’t proprietary enough for Sun), but we would assume a similar build would work for these forgotten mice.

Thanks to [josh] for sending this one in.



Got an IBM PCjr laying around? Why not turn it into a twitter browsing machine? [Alex Grant] did this for the Rochester Institute of Technology’s Creativity and Innovation festival. You can enter search terms into the Twittjr and it will display the top 3 results from twitter. Leave it alone for a minute and it will refresh on its own. To make this happen, the Twittjr is connecting to another computer that is utilizing the twitter API to make the searches. The results are then pushed back to the Twittjr for display. All of this is done via the original modem. While [Alex] takes a moment to explain what twitter is, we feel it might be better to explain what a modem is. You see, back when the PCjr was new, we really did communicate via an analog signal over the phone lines at roughly 300 baud.

[thanks Chris]

PCjr 25 years later


[Trixter], connoisseur of old hardware, is celebrating the 25th anniversary of the PCjr. IBM’s PCjr was killed only 18 months after being revealed, and [Trixter] lays out exactly why. Overall, it was designed to be cheap to produce and sell, but many of the choices made it difficult to use. They used the CPU instead of DMA for floppy access; cheaper to make, but you couldn’t do much during disk reads because of it. The video memory scheme left little room for programs that could take advantage of it. It also had compatibility issues that made IBM clones a more attractive choice. [Trixter] ends by pointing out that some good came of it when the Tandy 1000 copied the good ideas while leaving out the restrictive memory issues. He recommends Mike’s PCjr Page for more information on this classic machine.