Killer poke
In computer jargon, a killer poke is a method of inducing physical hardware damage on a machine or its peripherals by the insertion of invalid values, via, for example, BASIC's POKE command, into a memory-mapped control register. The term is typically used to describe a family of fairly well known tricks that can overload the analog electronics in the CRT monitors of computers lacking hardware sanity checking (notable examples being the IBM Portable[1] and Commodore PET.)
Specific examples
Commodore PET
The PET-specific killer poke is connected to the architecture of that machine's video rasterizer circuits. In early PETs, writing a certain value to the memory address of a certain I/O register (POKE 59458,62
[2]) made the machine able to display text on the screen much faster. When the PET range was revamped with updated hardware, it was discovered that performing the old trick on the new hardware led to strange behavior by the new video chip, which could possibly damage the PET's integrated CRT monitor.[3]
Commodore 64
The Commodore 64 had an optional external 5-1/4" floppy drive. The Commodore 1541 contained a 6502 microprocessor which was used to run Commodore DOS and also to manage the drive mechanism. The drives stored data on 40 tracks (#0–39), and the stepper motor could be manually controlled through BASIC by PRINT#-ing "MEMORY-WRITE" commands to the drive (which correspond to the POKE command of BASIC, but write to the drive's internal memory and I/O registers, not those of the computer itself). If the drive was at either end of its range (track 0 or track 39) and it was commanded to continue moving, there was no software or firmware method to prevent drive damage. Continued "knocking" of the drive head against the stop would throw the mechanism out of alignment. The problem was exacerbated by copy protection techniques that used non-standard disk formats with unusual track counts. The Commodore 1571 had an optical head stop instead of a mechanical one.
TRS-80 Model III
The TRS-80 Model III had the ability to switch between a 32-character-wide display and a 64-character display. Doing so actuated a relay in the video hardware, accomplished by writing to a specific memory-mapped control register.[4] Programs that repeatedly switched between 32- and 64-character modes at high speed (either on purpose or accidentally) could permanently damage the video hardware. While this is not a single "killer poke", it demonstrates a software failure mode that could permanently damage the hardware.
Cassette tape relay
The TRS-80 Color Computer, IBM PC, IBM PCjr, Nascom, MSX, Amstrad CPC, and BBC Micro from Acorn Computers all contained a built-in relay for controlling an external tape recorder.[5] Toggling the motor control relay in a tight loop would reduce the relay's longevity.
Commodore Amiga
The floppy drive of the Commodore Amiga personal computer could be made to produce noises of various pitches by making the drive heads move back and forth. A program existed which could play El Cóndor Pasa, more or less correctly, on the Amiga's floppy drive.[6] As some sounds relied on the head assembly hitting the stop, this gradually sent the head out of alignment.
LG CD-ROM drives
Certain models of LG CD-ROM drives with specific firmware used an abnormal command for "update firmware": the "clear buffer" command usually used on CD-RW drives. Linux uses this command to tell the difference between CD-ROM and CD-RW drives. Most CD-ROM drives dependably return an error for the unsupported CD-RW command, but the faulty drives interpreted it as "update firmware", causing them to cease useful functioning (often casually referenced as the device having been "bricked").[7]
iPhone 5s and 6
On versions of iOS older than v9.3, setting the date to January 1, 1970 (the Unix Epoch) will semi-permanently brick the phone. The software can only be fixed by updating the device's firmware using a computer.[8]
MSi Laptops UEFI
Systemd mounts variables used by Unified Extensible Firmware Interface on Linux system's sysfs as writable by the root user of a system. As a result, it is possible for the root user of a system to completely brick a system with a non-conforming UEFI implementation (specifically some MSi laptops) by using the rm
command to delete the /sys/firmware/efi/efivars/
directory, or recursively delete the root directory.[9]
See also
- HCF (Halt and Catch Fire)
- Pentium F00F bug
- Scratch Monkey
- Stuxnet, malware designed to cause physical wear in industrial centrifuges
References
- This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.
- ↑ "Computing Myth #1: Software cannot damage hardware". Oldskooler Ramblings. 2 February 2006.
- ↑ "Commodore PET 2001 computer". oldcomputers.net.
- ↑ Fachat, André. "Killer Poke". PET index. 6502.org.
- ↑ "80-GRAFIX Manual". Vintagecomputer.net. 1980. Retrieved June 8, 2015.
- ↑ Mims, Forrest M. (June 1985). "Computerized security alarms". Creative Computing Magazine. 11 (6): 58.
- ↑ "El Condor Pasa". minimal video. 16 September 2008.
- ↑ "Re: LG CDRoms". [email protected]. The Mail Archive. 29 October 2003.
- ↑ "If you changed the date to May 1970 or earlier and can't restart your iPhone, iPad, or iPod touch". Apple Inc. 17 February 2016.
- ↑ "Mount efivarfs read-only · Issue #2402 · systemd/systemd". 21 January 2016.