@kaikun97 and I are trying to find glitches on these calculator models that would allow executing arbitrary code.
Known so far:
- CFX-9850, fx-82ES, -115ES and -991ES (including the PLUS models) presumably share the same chipset architecture, with the CPU being SH-1 or SH-2 (however, there are some doubts). This was deduced by looking up the forensic result (9.00000000733343) and finding that these and 10 other Casio calculators have the same result.
- CFX-9850 has a custom-built Hitachi HCD62121 CPU as proven by the Service Manual.
- There is an emulator for that CPU in MAME. See this GitHub repository.
When compared to a SuperH instruction list, some instructions from the emulator match the listed ones. That probably isn't the case, as many instructions still don't.
- There is a bug in fx-82ES, -115ES and -991ES (including the PLUS models) which allows the user to corrupt the calculator's RAM by abruptly interrupting the process of saving data to the EEPROM; please see this thread.
- Perhaps crafting strings that produce arbitrary bytes is possible. See the thread linked above. Also, this character map might help.
If you want to help us with our research, feel free to reply!
UPDATE: fx-991ES's chip found! According to this forum thread at hpmuseum, the calculator uses an OKI (now Lapis Semiconductor) ML610901 chip. Need more research.
The CPU's architecture is nX-U8.
My fx-991ES PLUS has the following checksum:
GY455X VerE SUM 8928 OK Pd- Read OK Press AC
In comparison, kaikun97's fx-83GT PLUS says:
GY465X VerG SUM 7A03 OK Pd- Read OK Press AC
Not all calculators use the OKI chip.
You can identify the chip used in your calculator by the forensic result (see above).
Calculators based on the Hitachi HCD62121 or a similar chip have this result: 9.00000000733343.
The newer calculators based on the OKI ML610901 have this one: 9.00000000733338.
You can find the remaining digits by subtracting 9 and multiplying the number by, say, 1000000000.
We have an IRC channel now, click here to join. (irc.purplesurge.com #casioes)
Edited by SopaXorzTaker, 09 November 2016 - 04:26 PM.