The A20 Hack

by Charles Miller on June 22, 2006

In an article about how X-Box security was bypassed to allow home-brew software and mod-chips, the author describes how hackers managed to bypass Microsoft's secret ROM:

Unfortunately there were some 8086/8088 application that broke, because they required the wraparound for some reason. It wasn't Intel who found that out, but IBM, when they designed the IBM AT, and it was too late to modify the behavior of the 286, so they fixed it themselves, by introducing the A20 Gate ("A20#"). An unused I/O pin in the keyboard controller was attached to the 20th address line, so that software could pull down address line 20 to 0, thus emulating the 8086/8088 behaviour.

This behaviour was later moved into the CPU, which means every Intel-based PC built in the last twenty years (including the X-Box) has contained a variant on this quick-and-dirty hack, for those few 8086 applications that expected a couple of segments of memory above 1MB to wrap around.

I think there are a few lessons in here about how unused code can still be dangerous, or about how hard it is to keep a complex system secure, or just about the inertia that keeps this sort of thing in generation after generation of CPU designs simply because at each step it's easier to keep it than get rid of it.

But mostly, it's just a neat story.

Previously: Science Fiction

Next: Superdickery