21 replies to this topic

[kasio]

Hi guys, I've managed to Hack my Casio FX-82ES. This hack basicly writes to the calculator's EEPROM (via the calculator itself, we cannot write to it ourself) to make the calculator buggy after a reboot. This hack will work on the FX82, 83 and 85ES models. FX-991ES, FX-570ES and FX-115ES untested but due to having similar ROMs (Normally Rom 18) I assume it will work on those too. This hack does not work on the Plus models due to having new ROMs where the exploit I used has been fixed.

Bearing in mind, this hack does nothing useful, but still interesting.

Disclaimer: This shouldn't break your calculator how ever I am not responsible for any damaged caused to your calculator by using my hacks.

I have documented this hack in a youtube video here

I will also explain it here. Before I explain how I assume it works, I'll explain the steps.

Prerequisites:
A compatible FX Model,
MathIO Mode,
Wipe all.

1) Pol(0,1) then =
2) Type lots of fractions untill cannot type anymore
3) Go to the end and type 1 then x□
4) =
5) AC
6) Up
7) AC
8) Press left untill the cursor is just after "1"
9) Del

You will now have r=0 0=1

10) Delete everything so you just have the "r" on screen.

Now "r" on this calculator is interesting. It could be some code or point to an address in ROM, I do not know, however "r" can be exploited to do many hacks. I have other hacks ive done but today I will explain the EEPROM hack.

Now we are going to write to the eeprom

11) move the cursor so its before "r"
12) type 1
13) type : (alpha and x3, depends on the model)
14) you should have 1:r on screen
15) Press = twice

You will now be presented with a glitched screen.

16) Press the Mode button. Attempt to enter "Table" mode (Button 3 on 82, 83 and 85ES Models)
17) You calculator will crash, Press ON
18) Now you are in a buggy mode

Now attempting to enter Table mode after 1:r seems to write to the EEPROM. I assume 1:r points "r" to the the address in the EEPROM (the 1: could possibly act as a bootstrap) which store the Mode to load on boot (P3, P0 etc.) And attempting to enter Table mode writes the contents of "r" (possibly garbage data or code) to the EEPROM and messes up the boot data which is used to load the mode on Boot.

In this state, the calculator behaves rather strange as demonstrated in my Video

Proof its EEPROM hack?

Simple,

Turn off: the hack stays and still glitchy.

Removing battery and covering solar panel: the hack stays and still glitchy.

This is also demonstrated in my Video.

To remove this hack, do a wipe all, this resets all values in the EEPROM to the defaults stored in the ROM

So, with no technical details of this calculator being released, this is as far as I can explain. Now that we can write to the EEPROM, this is a step forward for the FX ES series hacking (non plus models)

Edited by kaikun97, 03 October 2014 - 12:19 PM.

[kasio]

I would like to add on that r could possible be a debugging tool. by default without 1:, pressing equals on r itself causes a Wipe All and the calculator turns off (with casio logo)

By putting 1: before r seems to point it to an address in the EEPROM.

My friend also told me that r could be a random memory offset and that it executes at a random part of the memory depending on whats before it (and essentially means it could be the EEPROM or RAM etc.)

I will explain other hacks using r in another thread soon.

Edited by kaikun97, 17 August 2014 - 06:35 PM.

[kasio]

If anyone needs any extra explaining, just reply to the thread

[MicroPro]

Well I'm not sure because I don't have this model, but seeing how it works using a dedicated syntaxes 1:r, etc this might have been a debugging tool casio put there by intention.

 

You sure have discovered some weird corner in the calculator.

[kasio]

Well I'm not sure because I don't have this model, but seeing how it works using a dedicated syntaxes 1:r, etc this might have been a debugging tool casio put there by intention.

You sure have discovered some weird corner in the calculator.

Prefixing r with other stuff seems to corrupt RAM or just full on crash the thing. Ive used it to access other (prototype?) modes (which i will make a post about soon), but its certainly interesting. there is a lot of stuff I can do with r. just cant seem to how it works for definate

[kasio]

Ok guys I may have a ROM dump after decompiling their emulator for this model and getting a few .bin files along with the emulator assest. Im still looking into this and a way to look at the .bin dumps, if you want to help out, PM me

[flyingfisch]

Sounds cool, does the fx-82 have a USB port? Do you think programming it could be possible?

[kasio]

Sounds cool, does the fx-82 have a USB port? Do you think programming it could be possible?

Nope, its a non-programmable model (most FX ES models are non programmable) which is why hacking it is tricky, however its possible with some arbitary code execution but its very limited right now

[Avalier]

Nice, tried it on my fx-83ES, works as expected. However, I was fiddling with the battery (The 83ES is powered by a single AAA, no solar panel) and it might be that your solar powered calculator has enough power to keep the memory intact. The way my calculator seems to work is as follows: If I re-insert the battery within ~3 seconds, the calculator keeps the bugged state and shows the last calculation & answer on the screen, as if there was no interruption. Any longer than that, and it will restore to a blank screen but keep the bugged state, but after 20-25 seconds without power it restores the memory. Not sure what to make of this, I'll hang around and see what other stuff you have to share.

[kasio]

Nice, tried it on my fx-83ES, works as expected. However, I was fiddling with the battery (The 83ES is powered by a single AAA, no solar panel) and it might be that your solar powered calculator has enough power to keep the memory intact. The way my calculator seems to work is as follows: If I re-insert the battery within ~3 seconds, the calculator keeps the bugged state and shows the last calculation & answer on the screen, as if there was no interruption. Any longer than that, and it will restore to a blank screen but keep the bugged state, but after 20-25 seconds without power it restores the memory. Not sure what to make of this, I'll hang around and see what other stuff you have to share.

ok so I disconnected the solar panel and did what u tried, and even after 5 minutes, the hack stays. So the EEPROM on your calculator must have been reset by other means (shift 7 on for example). Its not Battery backed SRAM (it would take shorter time to clear anyway). the Fx-82es has identical PCb to 83 and 85es just with capacitor and a few briges to make it work with solar panel.

[kasio]

Nice, tried it on my fx-83ES, works as expected. However, I was fiddling with the battery (The 83ES is powered by a single AAA, no solar panel) and it might be that your solar powered calculator has enough power to keep the memory intact. The way my calculator seems to work is as follows: If I re-insert the battery within ~3 seconds, the calculator keeps the bugged state and shows the last calculation & answer on the screen, as if there was no interruption. Any longer than that, and it will restore to a blank screen but keep the bugged state, but after 20-25 seconds without power it restores the memory. Not sure what to make of this, I'll hang around and see what other stuff you have to share.

Ok, so I got my friend's fx 83es and started some testing with my solar panel 85es (with solar panel disconnected) and my friends AAA 83es. It seems, the 83es does indeed lose changes after 15 seconds withouf the battery. However the 85es keeps it even after 5 minutes (with no solar panel not battery). This means 1 of 2 things.

1) The Fx 83es uses SRAM and the Fx 85es uses EEPROM

2) The Fx 83es is hard coded to erase the memory after 15 seconds (it takes less that 10 seconds for sram to lose power so 1) may be unlikely)

The last model to test is the 82es (has different modelB pcb compared to 82 and 85es nodel bpcb

[kasio]

On a slightly unrelated note this guy http://community.cas...please/?p=51024 and http://community.cas...please/?p=51051  thinks the Casio fx 991ES models (and therefore the other82es models) has a Renensas 32-bit risc SoC. this is most certainly wrong. These models have a 4 or 8bit Hitachi or OKI SoC. Otherwise these nmodels would be programming. Right now we do not even have abitary code excution working via hacking yet...

Edited by kaikun97, 17 October 2014 - 03:57 PM.

[Valsartan]

Hi, kaikun97. I have a fx 82es plus calculator, and I have seen your video. I have found the way of writing the "r" on the calculator. I know how to use it to use the calculator as a Base-N. But do you know how can I unlock other features with this exploit?
Hi, kaikun97. I have a fx 82es plus calculator, and I have seen your video. I have found the way of writing the "r" on the calculator. I know how to use it to use the calculator as a Base-N. But do you know how can I unlock other features with this exploit?

[kasio]

Hi, kaikun97. I have a fx 82es plus calculator, and I have seen your video. I have found the way of writing the "r" on the calculator. I know how to use it to use the calculator as a Base-N. But do you know how can I unlock other features with this exploit?
Hi, kaikun97. I have a fx 82es plus calculator, and I have seen your video. I have found the way of writing the "r" on the calculator. I know how to use it to use the calculator as a Base-N. But do you know how can I unlock other features with this exploit?

Yes for Base-N that was the Model-B upgrade exploit which appears to modify a value in EEPROM or RAM. And sorry apart from accessing some corrupted mod as demonstrated on this thread, I have not found a way. I have found a weird downgraded mode if you see my other topic but that uses a different method which is here http://community.cas...els-misc-hacks/

Edited by kaikun97, 08 December 2014 - 01:16 PM.

[Valsartan]

So there is no way of upgrading my calculator, even using the "r"?

[kasio]

So there is no way of upgrading my calculator, even using the "r"?

If you have a PLUS model, typing "r" is not possible because CASIO patched the exploit in PLUS models

[Tom]

There is some more stuff on these calculators and messing up the EEPROM on Baidu: http://tieba.baidu.c...pid=52273856647

Unfortunately I can't read Chinese, so if anyone could translate the posts for us for the info, that would be great.

[kasio]

There is some more stuff on these calculators and messing up the EEPROM on Baidu: http://tieba.baidu.c...pid=52273856647
Unfortunately I can't read Chinese, so if anyone could translate the posts for us for the info, that would be great.

Thank you very much for finiding this. google translate does not translate it well enough to understand the steps taken but I see some real goodies in there. Lets hope someone can translate this quickly and acurately

[kasio]

There is some more stuff on these calculators and messing up the EEPROM on Baidu: http://tieba.baidu.c...pid=52273856647
Unfortunately I can't read Chinese, so if anyone could translate the posts for us for the info, that would be great.

Google translate, for now gives this for the first post

STAT exception entry method
Find: 1278297578
methods:
1, Shift [mode] 2, AC/on, after 0.5 seconds (not sure of specific value varies due to the calculator, preferably in the upper right corner of the screen DISP moment before disappearing), [on]
2, then if Shift 1 5 3 should be r, not repeat the previous step.

Im not exactly sure what to do. The Method does nothing, it says to find the number at the top, how exactly do you "find" a number in STAT mode?

post 2 seems to be an improved version using post 1 steps but im still confused on what to do


68 mode entry method
Find: 946,994,919
Method:
After entering the STAT abnormal play R, R before playing four groups (9999 (playing the content is not unique), [ON], enter 68

EDIT: Upon further inspection, this may be for the fx 82es plus models (maybe gt plus models too) if you look at the images at http://tieba.baidu.c...325006253?pn=0 , I have a fx-82gt plus so ill have a look, certainly interesting

Edited by kaikun97, 26 January 2015 - 05:57 PM.

[kasio]

IVE DONE IT! This hack only works on FX Plus models so i'll make a seperate thread

EDIT: OK this hack also works on non-plus models (but trickier). FX GT Plus models only freeze when trying this hack . Anyways this works via eeprom corruption by pressing the ON key straight after press AC on the Select stat mode screen. Ill make a post

Edited by kaikun97, 26 January 2015 - 07:09 PM.

[Wertyu1]

Can you post here link to your post because i cant find it?

[akshaylals2000]

Hi guys, I've managed to Hack my Casio FX-82ES. This hack basicly writes to the calculator's EEPROM (via the calculator itself, we cannot write to it ourself) to make the calculator buggy after a reboot. This hack will work on the FX82, 83 and 85ES models. FX-991ES, FX-570ES and FX-115ES untested but due to having similar ROMs (Normally Rom 18) I assume it will work on those too. This hack does not work on the Plus models due to having new ROMs where the exploit I used has been fixed.

Bearing in mind, this hack does nothing useful, but still interesting.

Disclaimer: This shouldn't break your calculator how ever I am not responsible for any damaged caused to your calculator by using my hacks.

I have documented this hack in a youtube video here

I will also explain it here. Before I explain how I assume it works, I'll explain the steps.

Prerequisites:
A compatible FX Model,
MathIO Mode,
Wipe all.

1) Pol(0,1) then =
2) Type lots of fractions untill cannot type anymore
3) Go to the end and type 1 then x□
4) =
5) AC
6) Up
7) AC
8) Press left untill the cursor is just after "1"
9) Del

You will now have r=0 0=1

10) Delete everything so you just have the "r" on screen.

Now "r" on this calculator is interesting. It could be some code or point to an address in ROM, I do not know, however "r" can be exploited to do many hacks. I have other hacks ive done but today I will explain the EEPROM hack.

Now we are going to write to the eeprom

11) move the cursor so its before "r"
12) type 1
13) type : (alpha and x3, depends on the model)
14) you should have 1:r on screen
15) Press = twice

You will now be presented with a glitched screen.

16) Press the Mode button. Attempt to enter "Table" mode (Button 3 on 82, 83 and 85ES Models)
17) You calculator will crash, Press ON
18) Now you are in a buggy mode

Now attempting to enter Table mode after 1:r seems to write to the EEPROM. I assume 1:r points "r" to the the address in the EEPROM (the 1: could possibly act as a bootstrap) which store the Mode to load on boot (P3, P0 etc.) And attempting to enter Table mode writes the contents of "r" (possibly garbage data or code) to the EEPROM and messes up the boot data which is used to load the mode on Boot.

In this state, the calculator behaves rather strange as demonstrated in my Video

Proof its EEPROM hack?

Simple,

Turn off: the hack stays and still glitchy.

Removing battery and covering solar panel: the hack stays and still glitchy.

This is also demonstrated in my Video.

To remove this hack, do a wipe all, this resets all values in the EEPROM to the defaults stored in the ROM

So, with no technical details of this calculator being released, this is as far as I can explain. Now that we can write to the EEPROM, this is a step forward for the FX ES series hacking (non plus models)

 

My friend told me a way to get the r on fx 82ES Plus version E

It also works on fx 85ES Plus version E

 

 

 

steps

1: in normal mode press mode->stat

2: press AC , while the screen is clearing quickly press on

      if the timing was right you will see the calculator in stat mode

3: press SHIFT -> 1 

     if you see 5: reg in the list continue, else reset and start again from step 1

4: in reg menu you will find the r

5: type this before r

         Rnd(0.25ARnd(0.25ARnd(0.25ARnd(0.25Ar

6: press '=' and you'll see r and some garbage below

7: press on

now you can use Base-N mode

 

the base menu is buggy