So writing one data segment actually writes the code one.
Also, could you provide a hackstring that produces a noticeable effect on fx-82ES PLUS, so that I can check if it does the same for me?
Posted 18 January 2017 - 01:20 PM
So writing one data segment actually writes the code one.
Also, could you provide a hackstring that produces a noticeable effect on fx-82ES PLUS, so that I can check if it does the same for me?
Posted 18 January 2017 - 01:43 PM
Edited by user202729, 18 January 2017 - 01:48 PM.
Posted 18 January 2017 - 01:54 PM
Yes, I have only a fx-991ES PLUS, but it's very similar to the fx-82ES PLUS, so I want to check if the behavior is the same.
Also, I don't really understand the translated Baidu threads, so could you provide an example hackstring?
Posted 18 January 2017 - 03:15 PM
Posted 18 January 2017 - 03:22 PM
Okay, I am sorry for my ignorance, but are there any hackstrings that work on the fx-991ES PLUS?
If there are, how do they work?
Posted 18 January 2017 - 03:33 PM
Edited by user202729, 18 January 2017 - 03:35 PM.
Posted 18 January 2017 - 04:24 PM
"Basic overflow" is the sigma(X,1,1 thing?
Please tell me, step by step, how it's done, because I think I am doing something wrong.
Posted 19 January 2017 - 12:17 PM
Edited by user202729, 19 January 2017 - 12:47 PM.
Posted 19 January 2017 - 02:21 PM
Oh, it works as you described. Now, instead of the 1 (that is not displayed) I can enter the hackstring?
I also got to Dimension ERROR by entering some symbols by bashing the keyboard, and while entering that, an M symbol appeared, because it corrupts the M variable. I pressed
to get a syntax error, and then replaced some symbols in the expression with M, pressing AC again.
EDIT: Typing "MM" also works.
Switching the modes and attempting to enter M yields a syntax error, and when returning to the COMP mode and entering M, a single message "ERROR" is displayed in the place where the value should be, instead of soft-hanging the calculator.
Posted 19 January 2017 - 02:57 PM
Edited by user202729, 19 January 2017 - 03:13 PM.
Posted 19 January 2017 - 05:15 PM
Hm, so how are the variables stored?
I don't really feel like visiting Baidu and reading that Chinese-English again...
I tried it now, so apparently it requires registration to go to the next thread page, and I don't really want to register on a dubious Chinese website.
EDIT: Well, nevermind, I found how to switch the pages, so what's the thread URL again?
Posted 20 January 2017 - 11:12 AM
Here it is: http://tieba.baidu.c...2793407170?pn=1
It does take me time to find the posts. It actually save time if I knew already where it is, but I don't know in this case. I found out that by search on fx-es(ms) main page for the word "变量存储", which is Chinese Google translate of "variables store", and found the post as the 40th one. It even appear on the main (final summary) page of the group, at
http://tieba.baidu.com/p/3395822027
, part 1.4.2.
[edit] That post is new to me, and the integral method to get "ERROR" works on fx-570vn+, while the table method does not work.Anyway that is not focus now, we need to focus on character spillover (explanation: Basic overflow, press series of characters (enough character), AC, left, equal, and character infinite copy as I described above), because that overwrite the stack and control the program flow.Hopefully the variable-hack method can do something, for example, special matrix pointer, and that may help reading calculator internal ROM. Very hard, however.
Failed.
Remaining 9 bytes are not found useful.
(post 26)
-------------------------------------------
Some words that machine translators translate to that I feel weird in normal English, and specific of calculator:
black house = "A kind of punishment that bans someone from posting things in the forum before expiration."
(The translator doesn't know that, so I have a lot of difficulty understanding that. That is not important in the content, but so you can understand what it is)
top = user want to mention that there is no important content after that post
dig grave = bump topic
unstable character = the one that changes its value every time the cursor make a half-cycle, but require press left/right for the screen to update
brush unstable character = use unstable character to type in characters you want
mad press = press repeatedly and fast (kasio mentioned this before)
blasting machine = screen show appear-to-be-random pixels, and change fast
character spill = characters being copied to several parts of the memory because of the infinite copy I mentioned above
input cache = what is copied to the screen if you press AC then [left]
"than number" or "number than" = ":"
"finishing sticking" = the topic that summary all information
score (the translator may translate correctly or not) = fraction
Also note that sometimes some quote is lost, cause some sentences in the form of "6 multiply 5 multiply multiply", which is often translated incorrectly by the translator, and sometimes the translator truncate some (important) part, so better see both the original text and the translated. Even
[(] [(] [(] [)]
may be translated incorrectly (due to the brackets)
Edited by user202729, 13 March 2017 - 01:40 PM.
Posted 20 January 2017 - 05:36 PM
Okay, I'll look into it. Also, how does basic overflow work? Why interrupting the solve and replacing a character causes this?
I found that when entering a hackstring, some characters (probably the memory content) appear on the screen, and when scrolling them, they change. Probably some variable where the cursor position is stored.
Posted 21 January 2017 - 03:15 AM
how does basic overflow work? Why interrupting the solve and replacing a character causes this?
when scrolling them, they change.
I found that when entering a hackstring, some characters (probably the memory content) appear on the screen
Posted 22 January 2017 - 05:04 PM
Oh, another discovery: I can erase the text before the unstable characters and thus I can use them in expressions.
Also, by using the CONST symbols (lower than 10) in a hackstring, I was able to corrupt M, but still get it displayed.
It's now displayed like _| > x 10^98. (fraction symbol, greater than, x10, 98).
I think that "M" appears when the exponent is nonzero.
The value is stored as 8 BCD bytes for mantissa (00h-99h) and then the one for the exponent.
value = sgn(exponent)*mantissa*10^abs(exponent)
Oh, here's a character map from Baidu with the format: http://imgsrc.baidu....a292cf578c6.jpg
Posted 02 February 2017 - 03:46 PM
---------- The character spillover ends at exactly address 0x8E00 ----------(570vn+ specific)
[(50 characters) cv08 integrate 1 - X X - - - - - - {12}^19 ]Where "-" is any-character, XX is 2 characters specify position to set the ER0 to. The memory at [ER0] (16 bytes or null-terminated) will be displayed on screen as ASCII.
Edited by user202729, 04 February 2017 - 08:44 AM.
Posted 03 February 2017 - 06:36 PM
Posted 04 February 2017 - 07:43 AM
Hi. I'v made account to join the research. I'v got casio fx-350ES PLUS. Can i help you?
Yes, of course!
The first thing we'd like you to try is the Basic Overflow bug.
EDIT: I didn't notice that your calculator doesn't have a sum symbol (
, ). You can still try this on fx-570ES PLUS or greater, see below for more information.
First, reset your calculator -
, , , [=].Then, press
, [MODE], to choose the LineIO mode.
Next, enter:
, [)], , [CALC], , , , [)], , [)], , , [)], , [x10^], , the screen should now look like this (spaces for clarity):X=∑(X,1,1 x10 9
Press [CALC], [=], then immediately press
, then [<-], , , , . The calculator should now display:X=∑(X,1,2
Press [CALC], [=] again. The calculator will display a syntax error, press [<-].
If the cursor appears before the X, like this:
|X=∑(X,1,2
then the basic overflow works on your calculator.
Now, entering any symbols will corrupt the calculator's RAM and you'll be able to observe various glitches, for example try entering [.] before the memory indicator appears on the screen, that corrupts the memory variable.
If you press
after and enter [M+] [=], you'll see either ERROR or the calculator will hang up.
EDIT: That probably does not work on the fx-350ES PLUS, as it doesn't have a sum symbol, unfortunately. We are focused on fx-570ES PLUS and fx-991ES PLUS, but you can search for bugs in your own model, too, and it would be helpful to us.
Also, this thread on Baidu is describing various hacks in the fx-ES calculators that others have found, please have a look. http://tieba.baidu.com/p/3395822027
Posted 04 February 2017 - 07:46 AM
fx-350es plus is similar to fx-82es plus. That method does not apply to this kind of calculator. However there are other methods to get to basic overflow. First can you try the way LP700_(4) described to get the "similar effect"?
If I remember correctly, the same behavior can be achieved on 82es plus by entering A8 3A at byte #57 #58 (IineIO basic overflow required).
Note that there is actually character space " " on fx-991ES PLUS (character 20h), although that is little used.
-----------------------
Checksum method for reading ROM memory success!
(Only read, not write yet, that may be impossible)
Hack-string:
[(50 bytes) cv06 integrate 1 - 0 0 . . . . X X . . . . . . . . cv36 integrate 1 - . . . . . . cs40 Q1 2 integrate 1 - (14 bytes)
The "0 0" = 3030 is the number start subtracting from. The result displayed on screen is
3030 - (sum of XX bytes at first of segment 0 program/code memory) - (sum of all bytes of segment 1)
Note that X is little-endian.
Also this hackstring is used to read text data:
[{12}^25 cv08 integrate 1 - X X (8 bytes) {12}^19]
read the data memory space at address XX, 16 bytes or until null is encountered.
That is the results:
(I use the results get from those tests to compare with the emulator ROM)
(tag) #219
(Segment 0, address in hexadecimal)
real = imag , diff 0160 = 0160 , 000 09D4 = 09D4 , 000 3001 = 3003 , 002 3006 = 3008 , 002 4130 = 42D0 , 1A0 4330 = 44D0 , 1A0 4441 = 45E1 , 1A0 4468 = 4608 , 1A0 (4 lines of ASCII) 44EA = ???? (see below for more details) 4598 = 46B2 , 11A 4630 = 474A , 11A 4F34 = 504E , 11A 59B6 = 5AD0 , 11A 6001 = 6149 , 148 8234 = 89B0 , 77C 9830 = 9FAC , 77C C231 = CB83 or CB93
The emulator seems to be always use more memory than the real calculator.
-------------------------------------------------------------------------------------
Font of calculator fx-570vn plus:
Similar to that of fx-570ES PLUS, except:
Character 7F -> division operator of France "|-"
Character 8E -> Uppercase Pi
Character 97 -> double-stroke down arrow
(extract from the emulator)
Edited by user202729, 13 March 2017 - 02:49 PM.
Posted 04 February 2017 - 12:06 PM
Edited by Wertyu1, 04 February 2017 - 01:41 PM.
Posted 04 February 2017 - 12:48 PM
user202729, could you please describe the hackstring notation that you use, for example, what does {12}^25 mean?
Posted 04 February 2017 - 01:34 PM
Edited by user202729, 04 February 2017 - 01:35 PM.
Posted 04 February 2017 - 02:22 PM
Posted 04 February 2017 - 04:15 PM
Broken link
Yes, it was obsolete and I deleted the forum thread, as its creator asked me.
Posted 05 February 2017 - 07:39 AM
0044EA 11 9B 47 F0 ST R11, 0F047h 0044EE 8F FE NOP 0044F0 10 90 40 F0 L R0, 0F040h 0044F4 71 A0 TB R0.7 0044F6 01 C8 BC NE, 044FAh 0044F8 01 1C ADD R12, #1That can't be found in the emulator. The emulator even never use the address 0F047h, so I don't know what that is.
Edited by user202729, 07 February 2017 - 11:25 AM.
Posted 19 February 2017 - 02:25 PM
Edited by Wertyu1, 19 February 2017 - 05:04 PM.
Posted 20 February 2017 - 11:09 PM
Right, First say 'hello' to everybody
I have been looking this forum during a few months and i'm really interested about casio hacking. First I want to know what's the objetive of 'hacking' those calculator, is it the fact of unlocking other Roms via soft hacking? Or just understand how those works? (I know that one thing leads to another)
So, I'd like to know the current status of the Casio calculator hacking, specially PLUS models. I want to know the development in this point and also you'd probably recommend me a pdf guide or something like that which can help me understand how the different chipsets of this calculator works.
Thanks everybody!
Posted 21 February 2017 - 03:13 PM
Posted 21 February 2017 - 04:18 PM
Right, First say 'hello' to everybody
I have been looking this forum during a few months and i'm really interested about casio hacking. First I want to know what's the objetive of 'hacking' those calculator, is it the fact of unlocking other Roms via soft hacking? Or just understand how those works? (I know that one thing leads to another)
So, I'd like to know the current status of the Casio calculator hacking, specially PLUS models. I want to know the development in this point and also you'd probably recommend me a pdf guide or something like that which can help me understand how the different chipsets of this calculator works.
Thanks everybody!
We're aiming to execute arbitrary code, to allow writing programs for the calculator.
Posted 04 March 2017 - 11:09 PM
We're aiming to execute arbitrary code, to allow writing programs for the calculator.
It means run third-party programs, unofficially? LOL That looks pretty cool, but a bit difficult because for that you will need to do a EEPROM dump and...
I don't know if the idea is to create unofficial programs on the pc, able to run on the calculator architecture? Is this what I shoud understand?
Posted 05 March 2017 - 01:54 AM
Although we aim to execute arbitrary code, but it is probably impossible to do. The reason is explained in my previous posts....
Posted 06 March 2017 - 12:25 PM
Edited by fishkiller2, 06 March 2017 - 12:32 PM.
Posted 06 March 2017 - 12:37 PM
Although we aim to execute arbitrary code, but it is probably impossible to do. The reason is explained in my previous posts.
We can only execute simple functions on the calculator using its built-in function. However that require a lot of (manual) decompile which I don't want to do.
Execute in assembly is impossible, and even if we were able to run nX/U8 assembly on the calculator it would take a lot of time writing the program to the calculator. The calculator have no USB port. Even read its memory is difficult.
Posted 09 March 2017 - 04:06 PM
Edited by user202729, 10 March 2017 - 01:54 PM.
Posted 09 March 2017 - 07:43 PM
Yep I discovered the baidu board about 10 mins after my last post
I've seen some post from you there, one of them describes an "A-type-converter" which to my understanding converts a prefix to another one. Maybe you could explain that a bit further, as I don't really know what to do there.
Also the baidu board really helped me to understand the empty box hack.
By the way, as I don't have a Classwiz I may sometimes ask you to test something on that calculator.
I'll pm you my email as youd reach me much faster using my email but most of my research is currently done in boring school lessons where phones are mostly forbidden so it could take some time for me to answer
Posted 10 March 2017 - 02:10 PM
Posted 10 March 2017 - 03:28 PM
But what about converting a prefix to another one?
Just as an example, lets say I want to convert Pa>atm (FE 1A) to M+ (FB 1A) what do I need to enter to achieve this? (using the empty box hack of course)
Posted 12 March 2017 - 12:02 AM
Greetings!
I'm the former admin of Baidu fx-es(ms) forum and current admin of cnCalc.org. I'm quite interested in your project, so if you are having any trouble reading Chinese, just contact me! Most of the members are junior or senior high school students, they play with their CASIO calculators since classes are boring... Then they post any glitches they found in the forum
What interest me is that there are many clones of fx-ES calculator. One is HP SmartCalc 300s. these clones use a pretty similar ROM with genuine ones, but they are running on totally different processors. If CASIO didn't sell them the source code, where the code come from? So HP (actually not HP but the "solution provider") disassembled CASIO's code?
Also, SunPlus' SPL08x processor (LCD controller integrated) is also known to be used in several clones, but I'm not sure which (maybe Canon F-789SGA?). According to the datasheet, it used a 6502 core, but I'm not sure. There are even clones using processors without LCDC, but I havn't figured out the CPU model.
VINACAL should be one of these clones, have anyone here checked its processor yet?
Edited by zephray, 12 March 2017 - 01:54 AM.
Posted 12 March 2017 - 03:32 AM
@fishkiller2 I can't find that information on fx-es(ms) group, but you can use that to separate a character from its prefix (for example you can get 20 from FE 20):
1. Brush out of the box, press
2. Enter a compound character (FE 20)
3. Press [left]
. The separated character should be to the right of the box, and you can combine that with other prefix as usual.
You can separate 19 (box) from FE 19 in order to get another box if you need.
That may work, but I am not sure, because I don't have real calculator. It seems that you cannot separate character 1A to 1F.
@zephray According to the emulator the (Vinacal) calculator use Elan microprocessor.
Posted 12 March 2017 - 06:13 AM
Edited by user202729, 12 March 2017 - 11:34 AM.
0 members, 3 guests, 0 anonymous users