RC RANDOM CHAOS

1992 hardware, no MMU, every payload lands

The Game Boy Work Boy exposes a system with no MMU, DEP, or ASLR - flat executable memory and a fixed layout where any write becomes code execution.


The Work Boy is a keyboard. Released - barely - in 1992 as a productivity peripheral for the original DMG Game Boy. A QWERTY keypad that plugged into the link port and shipped with a cartridge that turned a games handheld into a calculator, address book, and clock. Most units never reached retail. The cartridge ROM was dumped and the hardware documented in 2020. The artifact is a curiosity. The system underneath it is the point.

The Game Boy has no memory protection. None. No MMU, no privilege separation, no execute-permission bit, no address-space randomisation, no stack cookie. There is no kernel and no user mode. There is one execution context, and it has access to everything. Every mitigation a modern exploit chain has to defeat before it lands code is simply absent here. Not weak. Not misconfigured. Not present in the design.

Get the processor right, because precision matters. The DMG CPU is the Sharp LR35902. Its core is an SM83 - a hybrid of the Intel 8080 and the Zilog Z80, not a true Z80. It drops the Z80 index registers, the shadow register set, and the block-move instructions, and adds its own high-RAM addressing modes and a nibble-swap. Eight-bit data bus, sixteen-bit address bus, roughly 4.19 MHz. Every instruction has fixed, documented cycle timing. No microcode variance. No speculative execution. No cache. Given the same memory state, the core does the same thing every time. Execution is deterministic by construction.

The address space is sixteen bits. 64 KB, flat. ROM bank 0 at $0000, switchable ROM at $4000, VRAM at $8000, cartridge RAM at $A000, work RAM at $C000, echo RAM mirroring work RAM at $E000, OAM at $FE00, the I/O registers at $FF00, and high RAM at $FF80. Code and data share that space. Any byte the program counter reaches is decoded as an opcode. Work RAM is writable and executable. High RAM is writable and executable. Cartridge RAM is writable and executable. The processor does not distinguish a return address from a sprite from an instruction. It distinguishes nothing.

That is the bug class, and it is not a bug. It is the absence of every control a real chain spends most of its length building toward. Control-flow hijack needs two things: a write into memory the program will later execute or branch through, and a deterministic layout to aim at. The hardware supplies both as a property of the design. Layout is fixed at power-on. Work RAM starts at $C000 on every boot. The stack pointer is initialised to a known value. Interrupt vectors sit at fixed addresses - $0040 VBlank, $0048 LCD STAT, $0050 timer, $0058 serial, $0060 joypad. RST opcodes jump to fixed page-zero entries. Nothing moves between runs.

So a single write primitive into work RAM - delivered through a corrupted save, malformed serial input, or tampered cartridge RAM - becomes code execution the moment the program counter reaches those bytes. No information leak required; the layout is public and constant. No ASLR to break. No canary to overwrite around. No DEP bit to flip. The primitive that modern exploitation treats as the hard-won objective, an arbitrary write into executable, predictably located memory, is the starting condition on this platform.

The cartridge is the other half of the trust model, and it has no integrity check worth the name. Beyond 32 KB, the Memory Bank Controller on the cartridge does the mapping. Writes into the ROM address ranges are intercepted by the MBC and reinterpreted as bank-select commands. The mapping of physical address to executable code is controlled entirely by the cartridge. There is no signature, no attestation, no measured boot. The DMG bootrom validates the Nintendo logo bitmap in the header and a one-byte checksum. That is anti-counterfeiting, not code integrity. It verifies a picture, not the program. A flash cartridge maps whatever it wants and the console runs it without objection.
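To make "it verifies a picture, not the program" concrete, here is an added example in C (not the page's code and not any project's bootrom) that implements the header checksum the DMG bootrom computes over $0134-$014C on a constructed 32 KB image, then patches a code byte at $0150 and shows the check still passes. The title string, the HALT at $0150 and the JP entry point are constructed; the logo compare at $0104-$0133 is a separate byte-for-byte match and is not modelled.

```c
#include <stdint.h>
#include <string.h>

#define ROM_SIZE        0x8000   /* a 32 KB, bank-0-only cartridge image */
#define HDR_CHECK_START 0x0134   /* title ... */
#define HDR_CHECK_END   0x014C   /* ... mask ROM version, inclusive */
#define HDR_CHECK_BYTE  0x014D   /* where the expected result is stored */

/* The bootrom's header check: x = 0; for $0134..$014C: x = x - byte - 1;
   the low eight bits of x must equal the byte at $014D. */
uint8_t header_checksum(const uint8_t *rom) {
    uint8_t x = 0;
    for (uint16_t i = HDR_CHECK_START; i <= HDR_CHECK_END; i++)
        x = (uint8_t)(x - rom[i] - 1);
    return x;
}

int header_valid(const uint8_t *rom) {
    return header_checksum(rom) == rom[HDR_CHECK_BYTE];
}

/* Constructed sample image: the entry point jumps to a one-instruction program
   at $0150, and the header byte is set so the bootrom check passes. The logo
   compare at $0104-$0133 is a separate byte-for-byte match, not modelled here. */
void build_sample_rom(uint8_t *rom) {
    memset(rom, 0, ROM_SIZE);
    rom[0x0100] = 0x00;                                         /* NOP      */
    rom[0x0101] = 0xC3; rom[0x0102] = 0x50; rom[0x0103] = 0x01; /* JP $0150 */
    memcpy(&rom[0x0134], "WORKBOY", 7);                         /* title    */
    rom[0x0150] = 0x76;                                         /* HALT     */
    rom[HDR_CHECK_BYTE] = header_checksum(rom);
}

/* Patch one byte of the sample image and re-run the check. Anything outside
   $0134-$014C (the entry point at $0100, the code at $0150) still passes;
   a title byte inside the range fails. */
int header_valid_after_patch(uint16_t addr, uint8_t value) {
    uint8_t rom[ROM_SIZE];
    build_sample_rom(rom);
    rom[addr] = value;
    return header_valid(rom);
}
```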

Real-world grounding is well documented, and it is Pokémon. Arbitrary code execution in Red, Blue, Yellow, Gold, Silver, and Crystal has been public for years. The item bag lives in work RAM. The game stores item identifiers as bytes. Glitch the item count and the bag enumerates past its bounds into adjacent work RAM, where attacker-influenced data sits at known offsets. A specific entry, reached through a corrupted menu pointer, transfers control into the item list, and those bytes decode as SM83 opcodes. That is the entire mechanism - data the program later treats as code, in a memory space that draws no line between the two.

TASBot is the same condition, demonstrated at the limit. A bot replaying frame-perfect input has written whole programs into game RAM live, byte by byte through in-game state, then redirected execution into them. On SNES and on Game Boy. The injected payload has drawn images, booted other games, and opened the serial port. The console runs it because the console has no concept of code that should not run.

The Work Boy fits this shape precisely. The keyboard is an input device on the synchronous serial link. The cartridge software parses keystrokes arriving over that channel into buffers in work RAM. A serial parser, written in 1992, on a CPU with no memory protection, reading externally supplied bytes into fixed buffers. Any length check the firmware omits is a write past the buffer into adjacent executable memory, and the serial interrupt vector at $0058 is a fixed, public target. The peripheral is a clean illustration of an external input channel feeding a system that cannot defend its own memory.

Telemetry is where this stops being nostalgia. There is none. No Sysmon. No EDR agent. No audit record. No syscall boundary to hook, because there are no syscalls - no kernel, no ring transition, no logging surface. The core runs whatever is in front of the program counter and emits nothing about it. A control-flow hijack on this hardware produces zero observable artifact outside the device’s own video and serial output. Detection at the host is not difficult. It is structurally impossible. Nothing in the design is capable of recording that execution left the intended path.

That is the finding that leaves the handheld. The Game Boy is a clean teaching model for a class of systems still in the field: PLCs, bare-metal RTOS targets, automotive ECUs, infusion pumps, building and substation controllers. Eight- and sixteen-bit cores, flat address spaces, no MMU, no W^X, no ASLR, firmware that parses external input into fixed buffers, and no endpoint telemetry. The mitigations practitioners assume as baseline - DEP, ASLR, CFG, stack cookies, an EDR agent watching process creation - are properties of modern general-purpose operating systems. They do not exist on these targets. An exploit there does not bypass mitigations. There are none to bypass. MITRE ATT&CK for ICS describes the consequence side - execution through firmware-exposed functionality, exploitation for evasion, impair process control - but the enabling condition is the architecture the Game Boy puts on a table and demonstrates.

There is no CVE here, and that is the honest framing. No CVSS vector, no affected-version range, no patch boundary. A CVE describes a defect measured against an expectation of safety. The DMG made no such promise, so there is nothing to file against. The architecture is the exposure, and the architecture cannot be patched. The cartridge firmware can be hardened - bound the serial parser, validate save structures, fail closed on malformed input - but the platform beneath it stays exactly as open as it was in 1989. Hardening the application does not retrofit memory protection onto silicon that never had it.
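The serial parser described earlier and the "bound the serial parser, fail closed on malformed input" hardening above, as an added example in C that is not the Work Boy firmware or any project's code: a constructed model of a work-RAM line buffer sitting directly before the two-byte handler address the main loop jumps to, with an unbounded parser beside a bounded one that drops an over-long line. The layout, LINE_MAX, HANDLER_ADDR and the sample keystrokes are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a slice of work RAM: a 16-byte keystroke line buffer at
   offset 0, followed directly by the two-byte address the main loop jumps to
   on ENTER. The SM83 is little-endian, so the low byte is stored first. */
#define WRAM_SIZE    32
#define LINE_MAX     16
#define VEC_OFF      16
#define KEY_ENTER    0x0D
#define HANDLER_ADDR 0xC200   /* constructed: the legitimate handler address */

/* Unbounded parser: copies keys until ENTER with no length check, so a long
   line runs past the buffer into the handler address that follows it. */
int parse_line_unbounded(uint8_t *wram, const uint8_t *rx, size_t n) {
    size_t i = 0;
    for (size_t k = 0; k < n && rx[k] != KEY_ENTER; k++)
        wram[i++] = rx[k];
    return (int)i;
}

/* Bounded parser: refuses a line that would not fit (one byte is kept for a
   terminator), clears the partial buffer and reports the drop. Fails closed. */
int parse_line_bounded(uint8_t *wram, const uint8_t *rx, size_t n) {
    size_t i = 0;
    for (size_t k = 0; k < n && rx[k] != KEY_ENTER; k++) {
        if (i >= LINE_MAX - 1) {
            memset(wram, 0, LINE_MAX);
            return -1;                  /* malformed input: drop the line */
        }
        wram[i++] = rx[k];
    }
    wram[i] = 0;
    return (int)i;
}

/* Run one parser over a constructed 20-key line (longer than the buffer) and
   return the handler address the main loop would jump to afterwards. */
uint16_t handler_after(int (*parser)(uint8_t *, const uint8_t *, size_t)) {
    uint8_t wram[WRAM_SIZE];
    const uint8_t rx[] = "ADDRESS BOOK ENTRY 1\r";   /* 20 keys + ENTER */
    memset(wram, 0, WRAM_SIZE);
    wram[VEC_OFF]     = HANDLER_ADDR & 0xFF;
    wram[VEC_OFF + 1] = HANDLER_ADDR >> 8;
    parser(wram, rx, sizeof rx - 1);
    return (uint16_t)(wram[VEC_OFF] | (wram[VEC_OFF + 1] << 8));
}

/* Accepted length of a line under the bounded parser, or -1 if it was dropped. */
int bounded_line_len(const char *keys) {
    uint8_t wram[WRAM_SIZE] = {0};
    return parse_line_bounded(wram, (const uint8_t *)keys, strlen(keys));
}
```

With the unbounded parser the handler address ends up as two keystroke bytes; with the bounded one it is untouched and the line is reported as dropped.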

Residual reality: every property that makes Game Boy code execution trivial is present, today, in shipping embedded firmware. Flat memory. Deterministic layout. Executable RAM. Unvalidated input parsers reading from serial, CAN, or radio. No telemetry that survives the device boundary. The Work Boy is a thirty-four-year-old footnote. The architecture it runs on is the architecture running a large fraction of the embedded devices wired into critical infrastructure. The exploitation is not advanced. It is unobstructed. That is why it works on a 1992 keyboard accessory, and that is why the same shape keeps working on systems that carry weight.
