IBM PCjr: Zero-day Data-destroy vulnerability

An IBM PCjr with two joysticks. That’s all you need to destroy your data

IBM PCjr zero-day data-destroy vulnerability (AKA: Joykill).


This vulnerability allows local and remote attackers to destroy the contents of the floppy diskette. User interaction is required to exploit this vulnerability. The issue results from the lack of proper validation when starting the manufacturing system test.

Exploit (local):

  1. Plug the two joysticks into the IBM PCjr
  2. Insert diskette in floppy drive (data will get destroyed!)
  3. Press Ctrl + Alt + Ins. to enter into diagnostics mode
  4. Immediately after, press:
    1. Joystick 1 button B
    2. Joystick 2 buttons A + B
  5. Diskette data will get destroyed

Exploit (remote):

A step-by-step of how to remotely exploit the vulnerability
  1. Build two IBM PCjr joysticks with 50-meter long cables
  2. Ship them to the target user with a letter saying:

Dear customer,

As a token of our gratitude, we are sending you these two joysticks that will let you do an online backup of your most valued diskettes.

Please, plug them in your PCjr, and leave the controllers outside your house. Call us at our support call-center {insert your phone number} once you are ready for the online backup.

Don’t forget to insert your most valued diskette in the floppy drive!


IBM PCjr tech support.

  1. Wait until the user places the two joysticks outside his house and wait for his call. Once he/she calls you, press the joysticks buttons described above and respond with:

Thank you for calling IBM PCjr online backup service.

Please, press Ctrl+Alt+Ins in your PCjr to initiate the online backup service.

Ka-boom! The user data will get destroyed!

Responsibility disclosure:

  • Retro Moe called 1-800-222-PCjr multiple times. The person on the other end of the line seems to know nothing about the IBM PCjr computer. In fact, it seems that he/she knows nothing about IBM.
Official IBM PCjr phone number support

Technical description:

IBM PCjr contains built-in diagnostics code in the ROM. This diagnostics code has undocumented features to perform the manufacturing and service tests:

  • Manufacturing burn-in mode: All 4 buttons pressed
  • Manufacturing system-test mode: All 4 buttons pressed except Joystick 1 button A
  • Service loop-post mode: All buttons pressed except Joystick 1 button B
  • Service system-test mode: All buttons pressed except Joystick 2 button A

When entering in “Manufacturing system-test mode”, all internal tests (diskette, video, joystick, sound, printer, modem) will be performed without user interaction. The first test, and without any warning, is the diskette test that will destroy the diskette data. Since there is no visual indication of what’s happening, port 0x10 will have the test number that is being executed.

Why IBM did this:

Retro Moe strongly believes that IBM left the code undocumented on purpose to prevent people from performing their own in-depth diagnostics. That way IBM could charge you extra money for that.

Retro Moe knows that by disclosing this vulnerability many IBM PCjr Technical Support employees might loose their jobs (since they will no longer be needed). But Retro Moe also believes in Power to the people, and knowledge is power!

For more information all the undocumented features, including a Joystick test performed with keyboards go:


Retro Moe does stuff related to joysticks (like the UniJoystiCle and this vulnerability) and some other stuff not related to joysticks at all.

Published by ricardoquesada

cocos2d, unicyclist, commodore 8-bit

12 thoughts on “IBM PCjr: Zero-day Data-destroy vulnerability

  1. I get that the remote exploit part is a joke but– were it not for the infeasibility of the 50 cables and having to get the user to leave them dangling outside, I could see someone falling for the phone call part.

    Furry cows moo and decompress.

  2. Page 2-6 of the PCjr Hardware Maintenance and Service Manual talks about a “service plug” that should be installed to unlock “advance diagnostics”. I think what you found was certain cross connects that happen with the joysticks installed rather than the service plug. Interesting, but I wonder what else is in there if you actually had the legit service plug that connects the two ports?

    1. IIRC (from my findings dissasembling the BIOS), the “legit service plug” behaves like a joystick… but we need to have a “legit service plug” to confirm it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: