In November of this year (2021) we will hit 20 years since the release of the original Xbox. This console was full of vulnerabilities (or misconfigurations), from the software to the hardware, and with such a low price point two decades ago for a computer, it was highly popular. For this post we are going to go into a lot of detail regarding one mistake Microsoft made, which was the A20.

All the discoveries and research belong to The Xbox Linux Project and Michael Steil. The material here comes from personal memory of the era, plus a talk and a paper from Steil, who was known in the scene as mist.

[Image: Intel 8088 (1978). Credit: CPUShack]

So let's start with some history and some real old CPUs, starting with the Intel 8088, which, as the CPUShack reminds us, started production in 1978 and lasted till 1998. This CPU had 20 physical address lines labeled A0 through A19, and each line represents a simple binary value (0/1), so you can store 2^20 bytes or 1 MB of information.

[Image: A rough drawing of address lines to RAM (A0-A19) on an Intel 8088]

However, the 4 registers (code segment - CS, data segment - DS, stack segment - SS and extra segment - ES) only had 16 bits. So some form of translation needed to occur to map 16-bit registers to a physical address space of 20 bits. This is where the small calculation came to be: segment (shifted 4 bits) + offset = address.

[Image: Internal Address -> Physical Address]

So I wrote up a quick example to show how addresses translate into a physical address. Since we are shifting 4 bits, we can easily do 2^4 (2*2*2*2) and get 16 decimal or 0x10 hex to multiply the internal address by. The thing about this notation is that you can represent a physical address with many possible internal address + offset pairs. So, knowing the early Intel 8088 only had 1 MB, what would happen if you asked for the memory at segment 0xF800 with offset 0x8000? I'll save the long math and just say you'll get the physical address 0x00100000, which is over the limit of a 20-bit address.
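The translation above as runnable C, added here as an example and not code from the original post: it reproduces the segment 0xF800, offset 0x8000 case and counts how many segment:offset pairs reach a single physical address. The function names and the `lines` parameter are this example's own, and it assumes that any bit above the top address line is simply dropped on the bus.

```c
#include <stdint.h>
#include <stdio.h>

/* Highest linear address any 16-bit segment:offset pair can form. */
#define MAX_LINEAR ((0xFFFFu << 4) + 0xFFFFu) /* 0x10FFEF */

/* segment (shifted 4 bits) + offset, before the bus width is applied. */
static uint32_t linear_address(uint16_t seg, uint16_t off) {
    return ((uint32_t)seg << 4) + off;
}

/* Address seen on a bus with `lines` address lines (20 = A0..A19).
 * Assumption: bits above the top line are simply dropped. */
static uint32_t physical_address(uint16_t seg, uint16_t off, unsigned lines) {
    return linear_address(seg, off) & ((1u << lines) - 1u);
}

/* Count the segment:offset pairs that reach `target` on that bus.
 * `target` must fit in `lines` bits. */
static unsigned count_aliases(uint32_t target, unsigned lines) {
    unsigned n = 0;
    /* Visit every linear address that truncates to `target`. */
    for (uint32_t lin = target; lin <= MAX_LINEAR; lin += 1u << lines) {
        for (uint32_t seg = 0; seg <= 0xFFFFu; seg++) {
            uint32_t base = seg << 4;
            if (base <= lin && lin - base <= 0xFFFFu)
                n++; /* offset = lin - base fits in 16 bits */
        }
    }
    return n;
}

int main(void) {
    /* The post's example: segment 0xF800, offset 0x8000. */
    printf("linear   : 0x%08X\n", (unsigned)linear_address(0xF800, 0x8000));
    printf("20 lines : 0x%08X\n", (unsigned)physical_address(0xF800, 0x8000, 20));
    printf("21 lines : 0x%08X\n", (unsigned)physical_address(0xF800, 0x8000, 21));
    printf("pairs reaching 0x000000 on 20 lines: %u\n", count_aliases(0x000000, 20));
    printf("pairs reaching 0x100000 on 21 lines: %u\n", count_aliases(0x100000, 21));
    return 0;
}
```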
The last real...