by rasz 40 days ago
Keyboards were always dangerous.

The very first 1981 IBM PC 5150 had a special diagnostic backdoor routine hidden in its POST code:

https://minuszerodegrees.net/5150/post/5150%20-%20POST%20-%2...

IF REQUESTED, LOAD DIAG. CODE "Take the clock pin in the motherboard's keyboard DIN connector LOW for 40 ms. (Done by the KBD_RESET subroutine.) If the attached device responds with the byte of 65h, the attached device is a special IBM device that supplies diagnostic/test code to the 5150 via the keyboard port. If 65h received, load in the diagnostic/test code (255 bytes) via the keyboard port, then execute the code."

Not that dangerous, as it was only active for a split second during boot. But it gave people ideas. Zenith Data Systems implemented something similar in its ZBIOS, except meant to be active _at all times_ when the computer runs :o

seg000:7B03 in https://github.com/raszpl/Zenith_ZBIOS/blob/main/Zenith%20Z-... :

    seg000:7B03 Backdoor_loader proc near              ; CODE XREF: Keyboard_Process_Modifiers+30↑p
      cli
      mov     ah, IO_Port_64h_KBC_CMD_60_WRITE_CONFIG
      call    Keyboard_KBC_command
      call    Keyboard_KBC_wait_input_ready
      mov     al, 5                                    ; magic Keyboard command to initialize backdoor code upload
      out     IO_Port_60h_KBD_Command, al
      call    Keyboard_Read_Synchronous
      mov     cl, al
      call    Keyboard_Read_Synchronous
      mov     ch, al
      mov     ax, 0
      mov     es, ax
      mov     di, offset 500h                          ; payload lands at 500h
    
    backdoor_load_loop:
      call    Keyboard_Read_Synchronous
      stosb
      loop    backdoor_load_loop
      jmp     far ptr 0:500h                           ; executing our payload
    Backdoor_loader endp

triggered by pressing [ then T while holding Ctrl:

    check_Backdoor_init_key:                           ; CODE XREF: Keyboard_Process_Modifiers+E↑j
       cmp     ch, 1Bh                                 ; Set-1 scancode [ (Left Bracket) key
       jnz     short check_Backdoor_trigger_key
       or      byte ptr cs:0CEh, 1
       jmp     error_exit

    check_Backdoor_trigger_key:
       cmp     ch, 14h                                 ; Set-1 scancode T key
       jnz     short clear_backdoor_gate
       test    byte ptr cs:0CEh, 1
       jz      short clear_backdoor_gate
       call    Backdoor_loader

Good news for Zenith customers from 1989: someone with more sense disabled this in the final BIOS, but the dead code is still there :)
1 comment
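The two loaders described in the comment above, modelled in C as an added example (this is not code from the HN comment, from IBM's POST or from Zenith's ZBIOS). It feeds constructed byte sequences, standing in for whatever is plugged into the keyboard connector, through a host-side model of each protocol: the 5150 check for the 65h signature followed by 255 bytes of diagnostic code, and the ZBIOS loader that takes a little-endian length (cl, then ch) and copies that many bytes to 0:500h. The trigger gate from check_Backdoor_init_key / check_Backdoor_trigger_key is modelled too. Assumptions, also marked in the code: clear_backdoor_gate clears bit 0 of the flag at cs:0CEh (its body is not in the listing), keys seen without Ctrl held are treated as "other" keys, the jump to 0:500h is not executed, and a device that stops sending is reported as a stall rather than hanging as the real BIOS would. The names kbd_stream, zenith_backdoor_load, ibm5150_diag_load, zbios_process_key and the demo_* functions are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the keyboard data port: the byte sequence a device on the keyboard
 * connector would answer with, handed out one byte per read. */
typedef struct { const uint8_t *data; size_t len, pos; } kbd_stream;

/* Synchronous read, as Keyboard_Read_Synchronous would do it; -1 means the device
 * never produced another byte (the real BIOS would simply hang at that point). */
static int kbd_read(kbd_stream *s) { return s->pos < s->len ? s->data[s->pos++] : -1; }

#define MEM_SIZE     0x10000            /* one real-mode segment, as a model only */
#define PAYLOAD_ADDR 0x500              /* where ZBIOS drops the payload (0:500h) */
static uint8_t g_mem[MEM_SIZE];

/* Zenith ZBIOS Backdoor_loader as the listing reads: after command 05h the device
 * sends a 16-bit little-endian length (cl, then ch), then that many bytes, which are
 * stored at 0:500h and jumped to. Returns the byte count copied, or -1 if the device
 * stopped early. The final jmp far ptr 0:500h is deliberately not modelled. */
static int zenith_backdoor_load(kbd_stream *dev, uint8_t *mem) {
    int lo = kbd_read(dev), hi = kbd_read(dev);
    if (lo < 0 || hi < 0) return -1;
    /* LOOP decrements CX before testing it, so a length of 0 means 65536 bytes. */
    uint32_t n = (uint16_t)(lo | hi << 8);
    if (n == 0) n = 0x10000;
    if (PAYLOAD_ADDR + n > MEM_SIZE) return -1;   /* bound of this model, not of ZBIOS */
    for (uint32_t i = 0; i < n; i++) {
        int b = kbd_read(dev);
        if (b < 0) return -1;
        mem[PAYLOAD_ADDR + i] = (uint8_t)b;
    }
    return (int)n;
}

/* IBM 5150 POST "IF REQUESTED, LOAD DIAG. CODE": after the clock line is pulsed low,
 * a device answering 65h is the IBM test fixture and the next 255 bytes are code to
 * run; anything else (an XT keyboard answers AAh after reset) means POST continues.
 * Returns 1 if a payload was taken, 0 if not, -1 if the device stalled mid-transfer. */
static int ibm5150_diag_load(kbd_stream *dev, uint8_t out[255]) {
    if (kbd_read(dev) != 0x65) return 0;
    for (int i = 0; i < 255; i++) {
        int b = kbd_read(dev);
        if (b < 0) return -1;
        out[i] = (uint8_t)b;
    }
    return 1;
}

/* The ZBIOS trigger gate. Scancode 1Bh ('[') sets bit 0 of the byte at cs:0CEh;
 * 14h ('T') with that bit set calls the loader; any other key falls through to
 * clear_backdoor_gate, assumed here to clear the bit. Keys seen without Ctrl are
 * treated as "other" keys (assumption; the Ctrl check is outside the listing).
 * Returns 1 when Backdoor_loader would be called. */
typedef struct { uint8_t flags; } zbios_state;     /* models the byte at cs:0CEh */

static int zbios_process_key(zbios_state *st, int ctrl_held, uint8_t scancode) {
    if (ctrl_held && scancode == 0x1B) { st->flags |= 1; return 0; }   /* init key */
    if (ctrl_held && scancode == 0x14 && (st->flags & 1)) return 1;    /* trigger key */
    st->flags &= (uint8_t)~1;                                          /* clear gate */
    return 0;
}

/* Constructed device traffic for the demos (not captured from real hardware). */
static const uint8_t zen_ok[]    = { 0x02, 0x00, 0xCD, 0x19 };   /* len=2: INT 19h */
static const uint8_t zen_short[] = { 0x10, 0x00, 0xCD, 0x19 };   /* claims 16, sends 2 */
static const uint8_t xt_kbd[]    = { 0xAA };                     /* ordinary keyboard */

int demo_zenith_ok(void)    { kbd_stream s = { zen_ok, sizeof zen_ok, 0 };       return zenith_backdoor_load(&s, g_mem); }
int demo_zenith_short(void) { kbd_stream s = { zen_short, sizeof zen_short, 0 }; return zenith_backdoor_load(&s, g_mem); }
int demo_ibm_keyboard(void) { uint8_t out[255]; kbd_stream s = { xt_kbd, 1, 0 }; return ibm5150_diag_load(&s, out); }
int demo_ibm_fixture(void) {
    uint8_t dev[256] = { 0x65 }, out[255];
    memset(dev + 1, 0x90, 255);                       /* 255 NOPs as the "diag code" */
    kbd_stream s = { dev, sizeof dev, 0 };
    return ibm5150_diag_load(&s, out) == 1 && out[254] == 0x90;
}
/* Ctrl+[ then Ctrl+T fires; Ctrl+[ , A , Ctrl+T does not, because A cleared the gate. */
int demo_trigger(int interrupted) {
    zbios_state st = { 0 };
    int hit = zbios_process_key(&st, 1, 0x1B);
    if (interrupted) hit |= zbios_process_key(&st, 1, 0x1E);   /* 1Eh = A */
    return hit | zbios_process_key(&st, 1, 0x14);
}

int main(void) {
    printf("zenith ok=%d short=%d payload[0]=%02X\n", demo_zenith_ok(), demo_zenith_short(), g_mem[PAYLOAD_ADDR]);
    printf("ibm keyboard=%d fixture=%d\n", demo_ibm_keyboard(), demo_ibm_fixture());
    printf("trigger clean=%d interrupted=%d\n", demo_trigger(0), demo_trigger(1));
    return 0;
}
```

The point the model makes visible: neither loader authenticates the device in any way. The 5150 trusts a single 65h byte and the ZBIOS loader trusts a two-byte length; anything wired to the keyboard connector at the right moment (boot for the 5150, any time for an unpatched ZBIOS) can supply code that runs with full real-mode privileges.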

These are the kinds of comments I keep coming back to HN for.

Thanks for this piece of history.