FX-82/-83GT/-115/-991ES Hacking

255 replies to this topic

#241 zephray (Newbie; Members; 4 posts; Gender: Male)
Calculators: CASIO CFX-9850/X-82ES/PB-700; HP 12C/20S/28C/30b/38G/39gs; SHARP PC-1500/PC-E500/EL-5160; TI 81/83/83+/84+/89ti/92/92+/CX/CM

Posted 12 March 2017 - 11:08 PM

> @zephray According to the emulator the (Vinacal) calculator uses an Elan microprocessor.

Is there any ROM dump from the emulator? I did get a 192 KB file from the BIN section of the emulator EXE, but it doesn't look like a ROM...

Alright, I've dumped it correctly. I'm not sure where to publish it... It uses an ePS6900 processor (very similar to the ePS6800 but with a larger ROM). By the way, here is my ePS6800 disassembly tool: https://github.com/nbzwt/ePS6800-Tools; I am planning to write an assembler and an emulator.


Edited by zephray, 13 March 2017 - 04:37 AM.


#242 user202729 (Casio Freak; Members; 117 posts)

Posted 13 March 2017 - 03:53 PM

> Is there any ROM dump from the emulator? I did get a 192 KB file from the BIN section of the emulator EXE, but it doesn't look like a ROM...
>
> Alright, I've dumped it correctly. I'm not sure where to publish it... It uses an ePS6900 processor (very similar to the ePS6800 but with a larger ROM). By the way, here is my ePS6800 disassembly tool: https://github.com/nbzwt/ePS6800-Tools; I am planning to write an assembler and an emulator.

In fact SopaXorzTaker wrote a disassembler for this before (used for a different format). I have also got this file, but I can't understand its format. What is it?

Be aware that this calculator clone (not sure if it is actually a clone) is completely different from Casio's. It is more similar to Canon calculators.

What are you going to do with that?



#243 zephray

Posted 13 March 2017 - 05:01 PM

> In fact SopaXorzTaker wrote a disassembler for this before (used for a different format). I have also got this file, but I can't understand its format. What is it?
>
> Be aware that this calculator clone (not sure if it is actually a clone) is completely different from Casio's. It is more similar to Canon calculators.
>
> What are you going to do with that?

I own one Canon calculator and I'm quite interested in its exploits. I rewrote the disassembler simply because SopaXorzTaker's has several bugs, but I do not know Python so I can't fix it...

The ROM file in the Vinacal emulator is "encrypted" with one LUT; I'm not sure if the file you got was encrypted. If you open the file and see a lot of 0x02 bytes, then it's encrypted: they are supposed to be 0x00.

Here is the LUT: https://github.com/n...S6800/table.bin (you can clearly see that 0x02 should be a 0x00). By the way, the ROM is encoded little-endian with a 16-bit word width. My disassembler expects a big-endian file, so you need to swap every two bytes in the file to convert it to big-endian. The converted ROM and disassembled code are also in the repo, named 570es.bin and 570es.asm.
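A small tool that performs the two steps described in the post above (undo the byte-wise LUT, then swap each 16-bit word from little-endian to big-endian for the disassembler), with the "lots of 0x02" observation turned into a check that tells an encoded dump from a plain one. This is an added example, not code from the thread or from the ePS6800-Tools repository. The real table.bin is not reproduced here: TOY_TABLE is a constructed permutation that only shares the one property the post states (encoded 0x02 decodes to 0x00), and the 10 % threshold in looks_encoded is an arbitrary choice of mine; feed the real table.bin to the script to use it on a Vinacal dump.

```python
"""Decode a LUT-"encrypted" ePS6900 ROM image and byte-swap it for a
big-endian disassembler.  Added example; the table below is constructed."""
import sys


def _toy_table() -> bytes:
    """Constructed 256-entry decoding table: identity except that encoded
    0x02 decodes to plaintext 0x00 (and 0x00 to 0x02 to keep it a permutation).
    The real table.bin from the repo replaces this in practice."""
    table = list(range(256))
    table[0x02], table[0x00] = 0x00, 0x02
    return bytes(table)


TOY_TABLE = _toy_table()


def looks_encoded(data: bytes, threshold: float = 0.10) -> bool:
    """Heuristic from the post: an encoded dump shows many 0x02 bytes where a
    plain ROM would show 0x00 padding.  True if 0x02 is common and outnumbers
    0x00.  The threshold is an assumption, not a value from the thread."""
    if not data:
        return False
    frac02 = data.count(0x02) / len(data)
    frac00 = data.count(0x00) / len(data)
    return frac02 > threshold and frac02 > frac00


def apply_table(data: bytes, table: bytes) -> bytes:
    """Map every byte through a 256-entry lookup table (decode or encode,
    depending on which table is passed)."""
    if len(table) != 256:
        raise ValueError("LUT must have exactly 256 entries")
    return data.translate(table)


def invert_table(table: bytes) -> bytes:
    """Build the encoding table from a decoding table; requires a permutation."""
    inv = bytearray(256)
    seen = set()
    for enc, plain in enumerate(table):
        if plain in seen:
            raise ValueError("LUT is not a permutation; cannot invert")
        seen.add(plain)
        inv[plain] = enc
    return bytes(inv)


def swap16(data: bytes) -> bytes:
    """Turn a little-endian 16-bit word image into big-endian by swapping
    each byte pair.  Refuses odd lengths rather than silently dropping a byte."""
    if len(data) % 2:
        raise ValueError("ROM image length is not a whole number of 16-bit words")
    out = bytearray(len(data))
    out[0::2] = data[1::2]
    out[1::2] = data[0::2]
    return bytes(out)


def prepare_for_disassembler(dump: bytes, table: bytes = TOY_TABLE) -> bytes:
    """Full pipeline: decode only if the dump looks encoded, then byte-swap."""
    plain = apply_table(dump, table) if looks_encoded(dump) else dump
    return swap16(plain)


if __name__ == "__main__":
    # usage: python rom_fix.py dump.bin table.bin out_bigendian.bin
    dump = open(sys.argv[1], "rb").read()
    table = open(sys.argv[2], "rb").read()
    open(sys.argv[3], "wb").write(prepare_for_disassembler(dump, table))
```

Running it on a file that is already plain leaves the bytes alone and only performs the word swap, so it is safe to apply to both kinds of dump.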



#244 Wertyu1 (Newbie; Members; 7 posts)
Calculators: Fx-350ES PLUS

Posted 17 March 2017 - 08:17 PM

@zephray
Can you translate:

(image: Screenshot_2017_03_15_16_44_35.png)

and

(image: Screenshot_2017_03_15_16_44_28.png)

Edited by Wertyu1, 17 March 2017 - 08:18 PM.


#245 zephray

Posted 17 March 2017 - 10:38 PM

@Wertyu1

Text in the first picture:

The white calculator with the sticker is an fx-991ES PLUS (in an fx-82ES PLUS case).

The black calculator is an fx-82ES PLUS.

The "991+" in the subtitle means PLUS.

A description of all the content in this video can be found at http://tieba.baidu.com/p/1918631058

If you have any questions about this video, you can send me a PM on the Baidu forum; my ID is yls_1996.

Text in the second picture:

Everything is authentic and not Photoshopped.

The things in the second picture are called "拼字" ("assembled characters"), which is using some exploit to display arbitrary text or images on the display.



#246 user202729

Posted 18 March 2017 - 09:00 AM

Continuing the disassembly of the fx-570VN PLUS:

Disassemble (570VN+ image)
00:3782 -> 00:37EC

Input: no parameters on the stack, no calls.
(byte) R0 = ch (interpreted as an input character code, not ASCII)
ER2 = dest_adr

Output: the input character's name ("sin(" for A0, for example) is
copied to [dest_adr] as a null-terminated string.

Local variable: name_adr = ER2

Backup ER4;
EA = ER2; // ER2 = dest_adr
R1 = R0;
if (R0 != 0) {
	cmd_378A:
	if !(R0 < 200d || R0 >= 203d) { // 200d = code(MatA); 203d = code(MatAns)
		cmd_3792: R1 = [080F9h]; // mode_adr
		if (R1 == MODE_COMP) { // MODE_COMP = 193d
			// branch to 0:37DAh
			R0 += 56d; // move R0 range to [0..2] (wraps in a byte)
			R1 = 0; // ER0 = R0
			ER4 = 207Ch + 2 * ER0;
			name_adr = [ER4];
			ER4 = 208Ah;
			goto cmd_37AA;
		}
		// C8h, C9h, CAh are PreAns, @, @ in COMP mode and MatA, MatB, MatC otherwise
	}
	cmd_379A:
	R1 = 0; // ER0 = R0 = ch
	ER4 = 1B38h + 2 * ER0;
	name_adr = [ER4];
	ER4 = 1D38h;

	cmd_37AA:
	ER4 += ER0;
	R0 = [ER4];

	// ch is no longer needed from here on; only name_adr = [1B38h + 2*ch] and
	// R0 = [1D38h + ch] are used
	cmd_37AE:
	R4 = R0;
	R0 &= 15;
	R4 >>= 4; // logical / unsigned shift
	R1 = R0;
	if (R4 != 15d) {
		R5 = 0; // ER4 = R4, only used for the next instruction
		name_adr += ER4;
	} // if it is not a function then adjust the address a bit
	cmd_37BE: do { // this loop copies a block of R1 bytes
			// from [name_adr] to [EA] = [dest_adr]
		R5 = [name_adr];
		nop(); // hardware wait?
		[EA+] = R5;
		name_adr++;
		R1--;
	} while (R1 != 0);
	cmd_37CA:
	if (R4 == 15) {
		R5 = 40d; // 28h = "(", marks it as a function
		[EA+] = R5;
		R0++;
	}
}
cmd_37D4:
[EA] = R1; // null-terminate the string; R1 must be 0 here
return;

-------------------------

M (byte 10) is accessed twice on pressing [ON] (initialization):
00:DE40 -call-> 00:58E8h ~> 00:5910 (check all variables) -call-> 01:C98E (from 01:C986 to 01:C99C; purpose: check one variable at address [ER0])

-------------------------

Disassemble 1:C986 -> 1:C99C:

Purpose: check the validity of the variable pointed to by ER0.

R2 = [ER0] & 0Fh; // R2 = first significant digit, if floating-point format
if (R2 >= 0Ah) return 1;
R2 = [ER0 + 9] & 0F0h; // 10th byte, most significant nibble
if (R2 != 0) return 1;
return 0;

-------------------------

Disassemble 00:58E8 -> 00:592E:

Purpose: check whether we should reset. Returns 1 if so, 0 otherwise. Called on pressing [ON] from 00:DE40.

Return value is stored in R0.

Backup: XR4
EA = 0860Eh; // diagnostic check bytes
R0 = 0Fh;
do {
    if ([EA+] != R0) return 1;
    cmd_58F8: R0--;
} while (R0 != 0);

// Normally the 10h-byte block starting at 0860Eh contains "0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00". After entering diagnostic mode, or when the calculator has some (hardware) error, it is different.

cmd_58FC:
if (((signed byte) [08112h]) > 01Dh) return 1; // [08112h] is the byte the
if (((signed byte) [08112h]) < 004h) return 1; // calculator uses to store the contrast

cmd_5908:
R6 = 10;
ER4 = 8226h; // address of variable M
do {
    if (1 == func_1C986(ER0 = ER4)) // check variable validity
        return 1;
    ER4 += 10d;
    R6--;
} while (R6 != 0);

cmd_591C:
R0 = [80DCh]; // unknown purpose
R0 = R0 & 0F8h; // mask the 5 most significant bits
if (R0 == 0) return 0; else return 1;

-----------------

If abnormal, then "BL 00h:0E528h" at 00:DE48.
Function 00h:0E528h -> 00h:0E556h: perhaps resets everything.

00:B948 (if abnormal only)

01:B28A (perhaps checks whether the light is on)

When resetting everything: 00:B948


Edited by user202729, 27 March 2017 - 10:09 AM.
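The [ON]-time reset decision in the post above (00:58E8 -> 00:592E, calling 1:C986 once per variable) re-expressed as a Python model, so the individual conditions can be exercised against a constructed RAM image before anyone tries to corrupt variable memory on real hardware. This is an added example, not the ROM's code and not part of the post: the addresses and constants are the ones given in the disassembly, healthy_ram() is a constructed image rather than a real dump, and the purpose of the byte at 080DCh is unknown in the post and is kept as an opaque mask check here. One detail worth checking in the model: the diagnostic-block loop, as disassembled, compares only 15 of the 16 bytes (0Fh down to 01h) because it exits when the counter reaches zero, so the trailing 00h is never verified.

```python
"""Model of the fx-570VN PLUS [ON]-time reset check (added example; constants
from the posted disassembly, RAM image constructed, not a real dump)."""

DIAG_BLOCK = 0x860E    # 16-byte diagnostic signature 0F 0E ... 01 00
CONTRAST = 0x8112      # contrast byte, read as a signed byte, valid 4..0x1D
VAR_BASE = 0x8226      # variable M; ten 10-byte variables are checked
VAR_COUNT = 10
VAR_SIZE = 10
UNKNOWN_FLAG = 0x80DC  # (value & 0xF8) must be 0; purpose unknown in the post


def variable_is_invalid(mem: bytearray, addr: int) -> bool:
    """1:C986: invalid if the low nibble of the first byte is not a decimal
    digit (>= 0xA) or the high nibble of the 10th byte is non-zero."""
    if (mem[addr] & 0x0F) >= 0x0A:
        return True
    return (mem[addr + 9] & 0xF0) != 0


def should_reset(mem: bytearray) -> bool:
    """00:58E8: True if any of the four sanity checks fails."""
    # Diagnostic block: as disassembled, the loop checks 0F..01 (15 bytes)
    # and never compares the final 00.
    for i, expected in enumerate(range(0x0F, 0x00, -1)):
        if mem[DIAG_BLOCK + i] != expected:
            return True
    # Contrast is compared as a signed byte, so 0x80..0xFF read as negative.
    raw = mem[CONTRAST]
    contrast = raw - 256 if raw & 0x80 else raw
    if contrast > 0x1D or contrast < 0x04:
        return True
    # Ten variables starting at M, 10 bytes apart.
    for n in range(VAR_COUNT):
        if variable_is_invalid(mem, VAR_BASE + n * VAR_SIZE):
            return True
    # Unknown byte: the five most significant bits must be clear.
    return (mem[UNKNOWN_FLAG] & 0xF8) != 0


def healthy_ram() -> bytearray:
    """Constructed 64 KiB image that passes every check (not a real dump):
    intact diagnostic signature, mid-range contrast, all-zero variables."""
    mem = bytearray(0x10000)
    mem[DIAG_BLOCK:DIAG_BLOCK + 16] = bytes(range(0x0F, -1, -1))
    mem[CONTRAST] = 0x10
    return mem


def first_failing_check(mem: bytearray) -> str:
    """Name the check that would trigger the reset, or 'ok'.  Same order as
    the ROM so the answer matches what should_reset() decides."""
    for i, expected in enumerate(range(0x0F, 0x00, -1)):
        if mem[DIAG_BLOCK + i] != expected:
            return "diagnostic block"
    raw = mem[CONTRAST]
    contrast = raw - 256 if raw & 0x80 else raw
    if contrast > 0x1D or contrast < 0x04:
        return "contrast"
    for n in range(VAR_COUNT):
        if variable_is_invalid(mem, VAR_BASE + n * VAR_SIZE):
            return "variable %d" % n
    if mem[UNKNOWN_FLAG] & 0xF8:
        return "flag 080DCh"
    return "ok"
```

The model makes the practical consequence visible: a corrupted variable only has to keep its first nibble below 0xA and the high nibble of its 10th byte clear to survive the [ON] check, and the 16th diagnostic byte is free to hold anything.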


#247 Wertyu1

Posted 18 March 2017 - 09:59 AM

@zephray

> @Wertyu1
>
> Text in the first picture:
>
> Text in the second picture:
>
> The things in the second picture are called "拼字", which is using some exploit to display arbitrary text or images on the display.

Thanks

Edited by Wertyu1, 18 March 2017 - 10:09 AM.


#248 SopaXorzTaker (Casio Freak; Moderator; 132 posts; Gender: Male; Interests: Electronics and programming.)
Calculators: fx-991ES PLUS

Posted 25 March 2017 - 09:28 AM

@user202729, I think we should write an emulator in C to allow us to see the actual CPU state at every point.

 

Questions:

Where is the ROM execution started? 0:0000 or somewhere else?

How many data segments are actually used?

Are there any quirks like data-to-code segment writes?



#249 fishkiller2 (Newbie; Members; 7 posts)
Calculators: FX-991 DE X CLASSWIZ; FX-991 DE PLUS available in school

Posted 25 March 2017 - 11:59 AM

> @user202729, I think we should write an emulator in C to allow us to see the actual CPU state at every point.

Is there any special reason to use C? I would go for C#, since it is well supported, has a good free IDE and debugger (Visual Studio), and is very similar to Java and C in syntax. And you can create very good-looking GUIs and prototype very, very fast. I've been using it for 2+ years.
But it depends on what you guys can program.

#250 user202729

Posted 25 March 2017 - 12:59 PM

I have always used Cheat Engine to step through the program on the emulator. Although that's quite time-consuming and absolutely more annoying than using a debugger, it works.

If you can "see the actual CPU state at every point", what will you do next?

@fishkiller2 I'm sure that most of the code is not much related to the programming language you are using, whether C or C#.

------------------------------------

1. The execution is started at the instruction specified by the "reset vector" that is stored in ROM segment 0:

> the initial value for the stack pointer at address 0 and the reset routine entry points at addresses 2 and 4.

(page 1-15, nX-U8/100 core instruction manual)

In the emulator, the entry point when [ON] is pressed is at address 2.

2. According to the emulator, data segment 0 is used frequently, and data segment 1 is used only once at initialization (pressing [ON]) as the copy source of the first (deepest) bytes of the stack.

Although the microcontroller supports up to 16 segments, I think the calculator only uses 2 data segments, and (probably) only segment 0 is writable. According to the checksum procedure of the emulator, segment 8 is segment 0 of the program/code memory space.

3. The CSR of the real calculator only has its last bit kept; all other bits are zeroed. You can only execute segment 0 (program/code) or segment 1, and as you said earlier, unless the memory is flash, it's not writable.



#251 SopaXorzTaker

Posted 29 March 2017 - 10:09 AM

user202729, which memory model (SMALL or LARGE) is used?

It seems like there are at least two code segments, which implies the latter.

EDIT:

Also, could you please provide the peripheral memory map (where in RAM the LCD buffer is, etc.), the keypad read subroutine / GPIO interrupt vector and the appropriate key scan codes?



#252 user202729

Posted 31 March 2017 - 11:47 AM

-- What are you going to do with rewriting the simulator? --

pastebin.com/1PnX6in3
That is all I know about the hardware map. View it in Cheat Engine. There is the LCD buffer ("Screen 0") and some other things.
The parts related to the keypad are probably at addresses 8E00 - 8E02, but I have not succeeded in controlling that.

Input/output interrupt vectors: maskable interrupts, addresses 000Ah - 007Eh.
0008h is for the NMI interrupt.
Each takes 2 bytes (the entry point of the interrupt handler); there are "up to 59 maskable" interrupts. Currently I am not sure which are actually used.
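A parser for the vector table layout described in this post and in #250 (word 0 = initial SP, words at 2 and 4 = reset entry points, word at 8 = NMI, words at 0Ah..7Eh = the 59 maskable interrupt entries, all little-endian 16-bit), plus the CSR masking from #250 so addresses print as seg:offset the way the disassembly above writes them. This is an added example, not from the thread: build_sample_rom() is a constructed image rather than a real dump, the word at offset 6 is not described on the page and is only reported as "reserved", and the assumption that an unused maskable slot holds 0000h is mine (a real ROM may point unused slots at a default handler instead, in which case pass that handler's address as unused_value).

```python
"""Parse the nX-U8/100 vector table at the start of code segment 0.
Added example; the sample ROM bytes are constructed, not a real dump."""
import struct

MASKABLE_FIRST = 0x0A
MASKABLE_LAST = 0x7E
MASKABLE_COUNT = (MASKABLE_LAST - MASKABLE_FIRST) // 2 + 1  # 59, as the post says
TABLE_SIZE = MASKABLE_LAST + 2                               # 0x80 bytes


def read_word(rom: bytes, offset: int) -> int:
    """Little-endian 16-bit word, matching the ROM's word order."""
    return struct.unpack_from("<H", rom, offset)[0]


def parse_vectors(rom: bytes) -> dict:
    """Return the fixed vectors plus the list of 59 maskable entries."""
    if len(rom) < TABLE_SIZE:
        raise ValueError("ROM image too short to hold the vector table")
    return {
        "initial_sp": read_word(rom, 0x00),
        "reset_2": read_word(rom, 0x02),       # entry used on [ON] per post #250
        "reset_4": read_word(rom, 0x04),
        "reserved_6": read_word(rom, 0x06),    # not described on the page
        "nmi": read_word(rom, 0x08),
        "maskable": [read_word(rom, off)
                     for off in range(MASKABLE_FIRST, MASKABLE_LAST + 1, 2)],
    }


def used_maskable(vectors: dict, unused_value: int = 0x0000) -> list:
    """Indices of maskable vectors whose entry differs from the filler value
    (assumption: 0000h means unused; adjust for ROMs that use a stub handler)."""
    return [i for i, v in enumerate(vectors["maskable"]) if v != unused_value]


def maskable_offset(index: int) -> int:
    """Table offset of maskable vector number `index` (0-based)."""
    if not 0 <= index < MASKABLE_COUNT:
        raise IndexError("maskable vector index out of range")
    return MASKABLE_FIRST + 2 * index


def code_segment(csr: int) -> int:
    """Post #250: on the real calculator only the lowest CSR bit is kept."""
    return csr & 1


def format_address(csr: int, offset: int) -> str:
    """seg:offset in the style used by the disassembly in this thread."""
    return "%d:%04X" % (code_segment(csr), offset & 0xFFFF)


def build_sample_rom() -> bytes:
    """Constructed 128-byte image: SP 8DFEh, both reset entries 0100h,
    NMI 0200h, maskable vector 3 -> 0300h, everything else 0000h."""
    words = [0] * (TABLE_SIZE // 2)
    words[0x00 // 2] = 0x8DFE
    words[0x02 // 2] = 0x0100
    words[0x04 // 2] = 0x0100
    words[0x08 // 2] = 0x0200
    words[maskable_offset(3) // 2] = 0x0300
    return struct.pack("<%dH" % len(words), *words)


if __name__ == "__main__":
    v = parse_vectors(build_sample_rom())
    print("reset:", format_address(0, v["reset_2"]), "nmi:", format_address(0, v["nmi"]))
    for i in used_maskable(v):
        print("maskable %2d @ %04Xh ->" % (i, maskable_offset(i)),
              format_address(0, v["maskable"][i]))
```

On a real dump, comparing used_maskable() against the handlers the emulator actually reaches is the quickest way to settle which of the 59 slots the firmware really uses.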

#253 Flashed (Newbie; Members; 3 posts)
Calculators: CASIO FX-350ES; CASIO FX-82ES+

Posted 01 April 2017 - 10:05 PM

> @zephray
> Can you translate:
> (image: Screenshot_2017_03_15_16_44_35.png)
>
> and
>
> (image: Screenshot_2017_03_15_16_44_28.png)

Dafuq!?

So well... what exactly are you working on with these calculators? Unlocking? Random execution? Emulation?



#254 SopaXorzTaker

Posted 03 April 2017 - 03:57 PM

> Dafuq!?
>
> So well... what exactly are you working on with these calculators? Unlocking? Random execution? Emulation?

Arbitrary code execution and emulation.

user202729, could you make a table of known subroutine names to make it easier to understand the disassembly? For example:

0:123A foobar
1:2345 LCD_reset


#255 user202729

Posted 04 April 2017 - 10:27 AM

Why do you want to (re-)emulate the calculator?

I have disassembled "known" functions in my posts above, just not summarized into a purpose-only list.

#256 SopaXorzTaker

Posted 04 April 2017 - 10:50 AM

> Why do you want to (re-)emulate the calculator?

To make debugging easier. Adding macros would be a possibility too; that'd help automate the testing.





