FX-82/-83GT/-115/-991ES Hacking

214 replies to this topic

#201 SopaXorzTaker

    Casio Freak

  • Moderator
  • 124 posts
  • Gender:Male
  • Interests:Electronics and programming.

  • Calculators:
    fx-991ES PLUS

Posted 18 January 2017 - 02:20 PM

So writing to one data segment actually writes to the code one.

Also, could you provide a hackstring that produces a noticeable effect on fx-82ES PLUS, so that I can check if it does the same for me?



#202 user202729

    Casio Freak

  • Members
  • 101 posts

Posted 18 January 2017 - 02:43 PM

82ES+? I remember you had only a 991ES+, but anyway there are several in the fx-82ES finishing paste (Tieba Baidu) at

http://tieba.baidu.com/p/1800667172

or
http://tieba.baidu.com/p/3811817266
(that one is for the fx-82ES PLUS A)

As for noticeable ones, @kasio found one that possibly changes the checksum, but we can't find it. The others only have fun effects, not very noticeable ones (for example, after pressing ON virtually nothing remains).

------------------------------------
None of the errors on the 82ES+ are doable on the emulator, because they require timing the "ON" press. Even if they were doable, they would have little effect on the emulator, because the program (ROM) of the emulator is different from that of the real calculator.

Edited by user202729, 18 January 2017 - 02:48 PM.


#203 SopaXorzTaker

Posted 18 January 2017 - 02:54 PM

Yes, I have only an fx-991ES PLUS, but it's very similar to the fx-82ES PLUS, so I want to check whether the behavior is the same.

 

Also, I don't really understand the translated Baidu threads, so could you provide an example hackstring?



#204 user202729

Posted 18 January 2017 - 04:15 PM

How can the fx-991ES PLUS be similar, if at all, to the fx-82ES PLUS?
As I said, page 17 of the fx-ES PLUS series research PDF from the Baidu page of the fx-es(ms) group says explicitly that the programs of the fx-991ES+ and fx-82ES+ are different. The fx-82ES+ cannot access any function that is fx-991ES+ specific, except some basic functions. Because the program is different, the hackstring must be different. Even the hackstrings for the emulator and the real fx-570VN+ calculator are different.

----------------------------------------------------------
The hacks on the fx-991ES+ are quite interesting, in fact, and the finishing paste (being the easiest to understand) is quite easy to understand. Apart from arbitrary code execution, that is really useful.

#205 SopaXorzTaker

Posted 18 January 2017 - 04:22 PM

Okay, I am sorry for my ignorance, but are there any hackstrings that work on the fx-991ES PLUS?

If there are, how do they work?



#206 user202729

Posted 18 January 2017 - 04:33 PM

You know basic overflow? That is, the cursor after the first "null". That will cause the input to behave similarly to overwrite mode (even if you are in insert mode), and you can enter more than 100 characters, limited only by the fact that the cursor position is stored in 1 byte, so you can reach at most 256 characters.
The hackstring is entered by basic overflow. When you execute any function, the calculator copies it (interpreted as null-terminated) to the cache 100 bytes after the input area. As a programmer you know what will happen if the string has more than 100 characters. Theoretically it will copy forever, but in fact it stops when it encounters a hardware-controlled byte or non-writable memory containing "0". So it will eventually stop, but by the time it stops copying it has overflowed into the stack. And then a "POP PC" will set the program counter to the position you specify.

For some hackstrings for the fx-991ES, read my post #158 (as of now). It contains the link
http://tieba.baidu.com/p/1949542063

Still unable to change the checksum.

Edited by user202729, 18 January 2017 - 04:35 PM.
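The copy described in post #206 above (and the 1-byte cursor limit that post #214 comes back to), as an added C model that is not part of the thread or of any calculator firmware. The memory layout, the region sizes, the little-endian saved PC at the start of the stack region, the original saved PC value 0x1234 and the "non-writable memory reads as zero" stop condition are all assumptions chosen to illustrate the mechanism, not the real memory map of any fx-ES PLUS model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (illustration only, not the real calculator memory map):
 * input area, then the 100-byte copy cache, then a stand-in for the stack
 * whose first two bytes hold a saved return address. Everything at or past
 * WRITABLE_SIZE is "ROM": reads return 0 and writes are dropped. */
#define INPUT_SIZE 256   /* cursor index is one byte, so at most 256 chars */
#define CACHE_SIZE 100
#define STACK_SIZE 32
#define CACHE_OFF  INPUT_SIZE
#define STACK_OFF  (INPUT_SIZE + CACHE_SIZE)
#define WRITABLE_SIZE (INPUT_SIZE + CACHE_SIZE + STACK_SIZE)

struct model { uint8_t mem[WRITABLE_SIZE]; };
struct result { size_t copied; uint16_t pc; };
enum scenario { SCEN_SHORT, SCEN_HACKSTRING, SCEN_NO_TERMINATOR };

static uint8_t mem_read(const struct model *m, size_t a)
{
    return a < WRITABLE_SIZE ? m->mem[a] : 0;   /* ROM reads as zero */
}

static void mem_write(struct model *m, size_t a, uint8_t v)
{
    if (a < WRITABLE_SIZE)                      /* ROM writes are dropped */
        m->mem[a] = v;
}

void model_init(struct model *m, uint16_t saved_pc)
{
    memset(m->mem, 0, sizeof m->mem);
    m->mem[STACK_OFF]     = (uint8_t)(saved_pc & 0xff); /* little-endian: assumed */
    m->mem[STACK_OFF + 1] = (uint8_t)(saved_pc >> 8);
}

/* An n-character string needs n+1 bytes (terminator included) in the cache. */
int input_overflows_cache(size_t n)
{
    return n + 1 > CACHE_SIZE;
}

/* The unchecked copy from the thread: move bytes from the input area into the
 * cache until a zero byte is read, with no bound on the destination. Source and
 * destination advance together, so once the source walks off the input area it
 * re-reads bytes this loop itself just wrote; the copy only ends when the source
 * reaches the zero in the non-writable region. Returns bytes copied, terminator
 * included. */
size_t firmware_copy_to_cache(struct model *m)
{
    size_t src = 0, dst = CACHE_OFF, copied = 0;
    for (;;) {
        uint8_t c = mem_read(m, src++);
        mem_write(m, dst++, c);
        copied++;
        if (c == 0)
            return copied;
    }
}

uint16_t model_saved_pc(const struct model *m)
{
    return (uint16_t)(m->mem[STACK_OFF] | (m->mem[STACK_OFF + 1] << 8));
}

/* Three constructed inputs: an ordinary expression, a hackstring that exactly
 * fills the cache and lands a chosen address on the saved PC, and an input
 * area containing no terminator at all. */
struct result run_scenario(enum scenario s)
{
    struct model m;
    uint8_t buf[INPUT_SIZE];
    size_t n;
    struct result r;
    model_init(&m, 0x1234);                 /* constructed original saved PC */
    switch (s) {
    case SCEN_SHORT:
        memcpy(buf, "1+1", 4);              /* fits in the cache, nothing spills */
        n = 4;
        break;
    case SCEN_HACKSTRING:
        memset(buf, 'A', CACHE_SIZE);       /* 100 filler bytes fill the cache */
        buf[CACHE_SIZE]     = 0x78;         /* new PC, low byte */
        buf[CACHE_SIZE + 1] = 0x56;         /* new PC, high byte */
        buf[CACHE_SIZE + 2] = 0;            /* terminator stops the copy */
        n = CACHE_SIZE + 3;
        break;
    default:
        memset(buf, 'A', INPUT_SIZE);       /* no zero anywhere in the input */
        n = INPUT_SIZE;
        break;
    }
    memcpy(m.mem, buf, n);
    r.copied = firmware_copy_to_cache(&m);
    r.pc = model_saved_pc(&m);
    return r;
}

int main(void)
{
    struct result r = run_scenario(SCEN_HACKSTRING);
    printf("copied %zu bytes, saved PC is now 0x%04x\n", r.copied, r.pc);
    return 0;
}
```

The hackstring scenario is the one the post describes: 100 bytes of padding exhaust the cache and the next two bytes replace the saved return address, so a later "POP PC" would jump to 0x5678. The no-terminator scenario shows the "copy forever" remark: the loop runs 389 iterations in this model, everything from the cache to the end of the writable region becomes 'A', and only the zero read from the non-writable region ends it.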


#207 SopaXorzTaker

Posted 18 January 2017 - 05:24 PM

"Basic overflow" is the sigma(X,1,1 thing?

Please tell me, step by step, how it's done, because I think I am doing something wrong.



#208 user202729

Posted 19 January 2017 - 01:17 PM

The Baidu page of the fx-es(ms) group contains everything necessary to hack the calculator. Here I recall the steps to get to basic overflow.

Here I show a specific method, found by the fx-es(ms) group (parentheses imply a comment):

<Reset All>

Shift [mode] 2 (LineIO)
Alpha [)] Alpha [calc] Shift [logab / log-box] Alpha [)] Shift [)] 1 Shift [)] 1 [x10^] 9
(Enter "X = Sigma(X, 1, 1 x10 9")
[calc] [=] AC/on (that is "AC" not "ON") [left]
DEL DEL DEL 2 (replace the third parameter by 2)
[calc] [=] [left]

Phenomenon (the translators often translate so that the Baidu page contains that word, so I will use it):
The cursor is at the first position, before the first "X". If you press 1 now it should not be displayed on the screen (different behavior from when the cursor is at the first position).

That is basic overflow.

I don't think there is any problem understanding the translation of the Baidu page, given that you have a calculator. Next time, if you don't understand anything, please write down what you have tried according to that page, and at what point your calculator behaves/displays incorrectly.

Edited by user202729, 19 January 2017 - 01:47 PM.


#209 SopaXorzTaker

Posted 19 January 2017 - 03:21 PM

Oh, it works as you described. Now, instead of the 1 (that is not displayed) I can enter the hackstring?

 

I also got to Dimension ERROR by entering some symbols by bashing the keyboard, and while entering them an M symbol appeared, because it corrupts the M variable. I pressed AC/on to get a syntax error, and then replaced some symbols in the expression with M, pressing AC again.

 

EDIT: Typing "MM" also works.

 

Switching the modes and attempting to enter M yields a syntax error, and when returning to the COMP mode and entering M, a single message "ERROR" is displayed in the place where the value should be, instead of soft-hanging the calculator.



#210 user202729

Posted 19 January 2017 - 03:57 PM

(As I said several times earlier) I think the Baidu page is very detailed. "Dimension error" is not too surprising.

The problem that remains now is to find the correct ROM of the calculators. The fx-570VN+ would be the easiest, because we have the emulator's ROM already. Yet it still remains really hard.

---------------------------------------

Note that (open square bracket) AC (close square bracket) is replaced with AC/on (or, the button "AC/on"). So, better not to use that.

---------------------------------------

There is a page of the fx-es(ms) group that describes the way the calculator stores variables, and if you make a variable store unintended values, it will display some weird things. Try the M^0 get-the-character-r error. (Post 35/f, numbered 30, method 3)

Edited by user202729, 19 January 2017 - 04:13 PM.


#211 SopaXorzTaker

Posted 19 January 2017 - 06:15 PM

Hm, so how are the variables stored?

I don't really feel like visiting Baidu and reading that Chinese-English again...

 

I tried it now, and apparently it requires registration to go to the next thread page, and I don't really want to register on a dubious Chinese website.

EDIT: Well, nevermind, I found how to switch the pages, so what's the thread URL again?



#212 user202729

Posted 20 January 2017 - 12:12 PM

Here it is: http://tieba.baidu.c...2793407170?pn=1

It does take me time to find the posts. It actually saves time if I already know where something is, but I didn't in this case. I found it by searching the fx-es(ms) main page for the word "变量存储", which is Google Translate's Chinese for "variables store", and found the post as the 40th one. It even appears on the main (final summary) page of the group, at

http://tieba.baidu.com/p/3395822027

, part 1.4.2.

[edit] That post is new to me, and the integral method to get "ERROR" works on the fx-570VN+, while the table method does not work.

Anyway that is not the focus now; we need to focus on character spillover (explanation: basic overflow, press a series of characters (enough characters), AC, left, equals, and the characters copy infinitely as I described above), because that overwrites the stack and controls the program flow.

Hopefully the variable-hack method can do something, for example a special matrix pointer, and that may help in reading the calculator's internal ROM. Very hard, however.

Failed.

Remaining 9 bytes are not found useful.

(post 26)

-------------------------------------------

Some words that machine translators produce that feel weird to me in normal English, and that are specific to the calculator:


black house = "A kind of punishment that bans someone from posting in the forum until it expires."
(The translator doesn't know that, so I had a lot of difficulty understanding it. That is not important to the content, but so you can understand what it is)
top = the user wants to say that there is no important content after that post
dig grave = bump topic


unstable character = the one that changes its value every time the cursor makes a half-cycle, but requires pressing left/right for the screen to update
brush unstable character = use the unstable character to type in the characters you want
mad press = press repeatedly and fast (kasio mentioned this before)
blasting machine = the screen shows seemingly random pixels that change fast
character spill = characters being copied to several parts of memory because of the infinite copy I mentioned above
input cache = what is copied to the screen if you press AC then [left]


score (the translator may translate correctly or not) = fraction


Also note that sometimes some quotes are lost, causing sentences of the form "6 multiply 5 multiply multiply", which the translator often translates incorrectly, and sometimes the translator truncates some (important) part, so it is better to see both the original text and the translation. Even
 [(] [(] [(] [)] 
may be translated incorrectly (due to the brackets)

Edited by user202729, 20 January 2017 - 03:12 PM.


#213 SopaXorzTaker

Posted 20 January 2017 - 06:36 PM

Okay, I'll look into it. Also, how does basic overflow work? Why does interrupting the solve and replacing a character cause this?

 

I found that when entering a hackstring, some characters (probably the memory content) appear on the screen, and when scrolling them, they change. Probably some variable where the cursor position is stored.



#214 user202729

Posted 21 January 2017 - 04:15 AM

how does basic overflow work? Why does interrupting the solve and replacing a character cause this?


What you are effectively asking is "why does the way of entering basic overflow work". The first large sigma (to 1 x10 9) just writes to a temporary cache, near where the calculation history is saved. That cache is not deleted by pressing ON or changing MthIO/LineIO. Instead of that function you can just enter anything long enough. The second sigma (to 1 or 2) works probably because it ignores one character. Note that if you enter the closing parenthesis it will not cause basic overflow.

when scrolling them, they change.


That is the unstable character.

I found that when entering a hackstring, some characters (probably the memory content) appear on the screen


Read the post about numerical storage; they are stored right after the unstable character. You can reach some variables, but not all, because the number used to store the cursor position is 1 byte, so you can reach at most 256 characters.

#215 SopaXorzTaker

Posted Yesterday, 06:04 PM

Oh, another discovery: I can erase the text before the unstable characters and thus I can use them in expressions.
