FX-82/-83GT/-115/-991ES PLUS Hacking



#201 SopaXorzTaker

Posted 18 January 2017 - 02:20 PM

So writing one data segment actually writes the code one.

Also, could you provide a hackstring that produces a noticeable effect on fx-82ES PLUS, so that I can check if it does the same for me?



#202 user202729

Posted 18 January 2017 - 02:43 PM

82ES+? I remember you had only the 991ES+, but anyway there are several on the fx-82es finishing paste (tieba baidu) at

http://tieba.baidu.com/p/1800667172

or
http://tieba.baidu.com/p/3811817266
(that is 82-ES PLUS A)

About noticeable: @kasio found one that possibly changes the checksum, but we can't find it. Those only have a fun effect and are not very noticeable (for example, after pressing ON virtually nothing remains).

------------------------------------
None of the errors on the 82ES+ are doable on the emulator, because they require timing of "ON". Even if they were doable, that would have little effect on the emulator, because the program (ROM) of the emulator is different from that of the real calculator.

Edited by user202729, 18 January 2017 - 02:48 PM.


#203 SopaXorzTaker

Posted 18 January 2017 - 02:54 PM

Yes, I have only a fx-991ES PLUS, but it's very similar to the fx-82ES PLUS, so I want to check if the behavior is the same.

 

Also, I don't really understand the translated Baidu threads, so could you provide an example hackstring?



#204 user202729

Posted 18 January 2017 - 04:15 PM

How can the fx-991ES PLUS be similar, if at all, to the fx-82ES PLUS?
As I said, page 17 of the fx-es plus series research PDF, from the Baidu page of the fx-es(ms) group, says explicitly that the programs of the fx-991ES+ and fx-82ES+ are different. The fx-82ES+ cannot access any function that is fx-991ES+ specific, except some basic functions. Because the program is different, the hackstring must be different. Even the hackstrings for the emulator and the real fx-570VN+ calculator are different.

----------------------------------------------------------
The hacks on the fx-991ES+ are quite interesting, in fact, and the finishing paste (being the easiest to understand) is quite easy to understand. Apart from arbitrary code execution, that is really useful.

#205 SopaXorzTaker

Posted 18 January 2017 - 04:22 PM

Okay, I am sorry for my ignorance, but are there any hackstrings that work on the fx-991ES PLUS?

If there are, how do they work?



#206 user202729

Posted 18 January 2017 - 04:33 PM

You know basic overflow? That is, the cursor after the first "null". That causes the input to behave similarly to overwrite mode (even if you are in insert mode), and lets you enter more than 100 characters, limited only by the fact that the cursor position is stored in 1 byte, so it reaches at most 256 characters.
The hackstring is entered by basic overflow. When you execute any function, the calculator copies it (interpreted as null-terminated) to the cache 100 bytes after the input area. As a programmer you know what will happen if the string has more than 100 characters. Theoretically it will copy forever, but in fact it stops when it encounters a hardware-controlled byte, or non-writable memory containing "0". So it will eventually stop, but by the time it stops copying it has overflowed into the stack. And then a "POP PC" will set the program counter to the position you specify.

For some hackstrings for the fx-991ES, read my post #158 (by now). It contains the link
http://tieba.baidu.com/p/1949542063

Still unable to change the checksum.

Edited by user202729, 18 January 2017 - 04:35 PM.
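The copy described in the post above, as an added illustration that is not code from this thread or from the fx-es(ms) group: a constructed memory model with a 256-byte input area (the cursor index is one byte), the 100-byte cache directly after it, and a region standing in for the stack. The copy-until-zero is shown next to a bounded copy that cannot leave the cache; all sizes and offsets are assumptions for illustration, not the calculator's real memory map.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption, not the real map): input area, then the
 * cache "100 bytes after the input area", then a stand-in for the stack. */
#define INPUT_SIZE 256
#define CACHE_SIZE 100
#define STACK_SIZE 128
#define MEM_SIZE   (INPUT_SIZE + CACHE_SIZE + STACK_SIZE)

#define INPUT_OFF  0
#define CACHE_OFF  INPUT_SIZE
#define STACK_OFF  (INPUT_SIZE + CACHE_SIZE)

#define STACK_FILL 0xAA   /* sentinel so spilled bytes can be counted */

/* Unchecked copy as the post describes it: bytes are copied until a zero
 * byte is read. The only thing that stops it here is the end of the model's
 * memory, playing the role of the non-writable zero byte on the device. */
static size_t copy_until_null(uint8_t *mem, size_t src, size_t dst)
{
    size_t n = 0;
    while (src + n < MEM_SIZE && dst + n < MEM_SIZE && mem[src + n] != 0) {
        mem[dst + n] = mem[src + n];
        n++;
    }
    return n;
}

/* Bounded copy: never writes past cap bytes and always terminates the copy. */
static size_t copy_bounded(uint8_t *mem, size_t src, size_t dst, size_t cap)
{
    size_t n = 0;
    while (n + 1 < cap && src + n < MEM_SIZE && mem[src + n] != 0) {
        mem[dst + n] = mem[src + n];
        n++;
    }
    mem[dst + n] = 0;
    return n;
}

/* Fill the input area with input_len copies of '1' (the post's "press 1"),
 * run the chosen copy into the cache, and return how many stack bytes were
 * overwritten. input_len == INPUT_SIZE leaves no terminator at all: the
 * copy then re-reads the bytes it just wrote into the cache and runs on to
 * the end of memory, the post's "theoretically it will copy forever" case. */
static size_t stack_bytes_clobbered(size_t input_len, int bounded)
{
    static uint8_t mem[MEM_SIZE];
    size_t i, spilled = 0;

    memset(mem, 0, sizeof mem);                 /* zero terminator follows input */
    memset(mem + STACK_OFF, STACK_FILL, STACK_SIZE);
    if (input_len > INPUT_SIZE)
        input_len = INPUT_SIZE;
    memset(mem + INPUT_OFF, '1', input_len);

    if (bounded)
        copy_bounded(mem, INPUT_OFF, CACHE_OFF, CACHE_SIZE);
    else
        copy_until_null(mem, INPUT_OFF, CACHE_OFF);

    for (i = 0; i < STACK_SIZE; i++)
        if (mem[STACK_OFF + i] != STACK_FILL)
            spilled++;
    return spilled;
}

int main(void)
{
    size_t lens[] = {50, 150, 256};
    size_t i;
    for (i = 0; i < 3; i++)
        printf("input %3zu chars: unchecked copy clobbers %3zu stack bytes, "
               "bounded copy clobbers %zu\n", lens[i],
               stack_bytes_clobbered(lens[i], 0),
               stack_bytes_clobbered(lens[i], 1));
    return 0;
}
```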


#207 SopaXorzTaker

Posted 18 January 2017 - 05:24 PM

"Basic overflow" is the sigma(X,1,1 thing?

Please tell me, step by step, how it's done, because I think I am doing something wrong.



#208 user202729

Posted 19 January 2017 - 01:17 PM

The Baidu page of the fx-es(ms) group contains everything necessary to hack the calculator. Here I recall the steps to get to basic overflow:

Here I show a specific method, found by the fx-es(ms) group (parentheses indicate comments):

<Reset All>

Shift [mode] 2 (LineIO)
Alpha [)] Alpha [calc] Shift [logab / log-box] Alpha [)] Shift [)] 1 Shift [)] 1 [x10^] 9
(Enter "X = Sigma(X, 1, 1 x10 9")
[calc] [=] AC/on (that is "AC" not "ON") [left]
DEL DEL DEL 2 (replace the third parameter by 2)
[calc] [=] [left]

Phenomenon: (the translators often translate so that the Baidu page contains that word, so I will use it)
The cursor is at the first position, before the first "X". If you press 1 now, it should not be displayed on the screen (behavior different from when the cursor is normally at the first position).

That is basic overflow.

I don't think there is any problem understanding the translation of the Baidu page, given that you have a calculator. Next time, if you don't understand anything, please write down what you have tried according to that page, and at what point your calculator behaves/displays incorrectly.

Edited by user202729, 19 January 2017 - 01:47 PM.


#209 SopaXorzTaker

Posted 19 January 2017 - 03:21 PM

Oh, it works as you described. Now, instead of the 1 (that is not displayed) I can enter the hackstring?

 

I also got to Dimension ERROR by entering some symbols by bashing the keyboard, and while entering that, an M symbol appeared, because it corrupts the M variable. I pressed AC/on to get a syntax error, and then replaced some symbols in the expression with M, pressing AC again.

 

EDIT: Typing "MM" also works.

 

Switching the modes and attempting to enter M yields a syntax error, and when returning to the COMP mode and entering M, a single message "ERROR" is displayed in the place where the value should be, instead of soft-hanging the calculator.



#210 user202729

Posted 19 January 2017 - 03:57 PM

(As I said earlier several times) I think the Baidu page is very detailed. "Dimension error" is not too surprising.

The problem that remains now is to find the correct ROM of the calculators. The fx-570VN+ would be the easiest, because we have the emulator's ROM already. Yet it still remains really hard.

---------------------------------------

Note that (open-square-bracket) AC (close-square-bracket) is replaced with AC/on (or, button "AC/on"). So, better not to use that.

---------------------------------------

There is some page of the fx-es(ms) group that describes the way the calculator stores variables, and if you make a variable store unintended values, it will display some weird things. Try the M^0 get-the-character-r error. (Post 35/f, numbered 30, method 3)

Edited by user202729, 19 January 2017 - 04:13 PM.


#211 SopaXorzTaker

Posted 19 January 2017 - 06:15 PM

Hm, so how are the variables stored?

I don't really feel like visiting Baidu and reading that Chinese-English again...

 

I tried it now, so apparently it requires registration to go to the next thread page, and I don't really want to register on a dubious Chinese website.

EDIT: Well, nevermind, I found how to switch the pages, so what's the thread URL again?



#212 user202729

Posted 20 January 2017 - 12:12 PM

Here it is: http://tieba.baidu.c...2793407170?pn=1

It does take me time to find the posts. It would actually save time if I already knew where it is, but I don't know in this case. I found it by searching the fx-es(ms) main page for the word "变量存储", which is the Chinese Google translation of "variables store", and found the post as the 40th one. It even appears on the main (final summary) page of the group, at

http://tieba.baidu.com/p/3395822027

, part 1.4.2.

[edit] That post is new to me, and the integral method to get "ERROR" works on the fx-570vn+, while the table method does not work.

Anyway, that is not the focus now; we need to focus on character spillover (explanation: basic overflow, press a series of characters (enough characters), AC, left, equal, and the characters copy infinitely as I described above), because that overwrites the stack and controls the program flow.

Hopefully the variable-hack method can do something, for example a special matrix pointer, and that may help reading the calculator's internal ROM. Very hard, however.

Failed.

Remaining 9 bytes are not found useful.

(post 26)

-------------------------------------------

Some words that machine translators produce which feel weird to me in normal English, and are specific to the calculator:


black house = "A kind of punishment that bans someone from posting things in the forum before expiration."
(The translator doesn't know that, so I have a lot of difficulty understanding that. That is not important in the content, but so you can understand what it is)
top = user want to mention that there is no important content after that post
dig grave = bump topic


unstable character = the one that changes its value every time the cursor makes a half-cycle, but requires pressing left/right for the screen to update
brush unstable character = use an unstable character to type in the characters you want
mad press = press repeatedly and fast (kasio mentioned this before)
blasting machine = the screen shows apparently random pixels, changing fast
character spill = characters being copied to several parts of the memory because of the infinite copy I mentioned above
input cache = what is copied to the screen if you press AC then [left]
"than number" or "number than" = ":"

"finishing sticking" = the topic that summarizes all information

score (the translator may translate correctly or not) = fraction


Also note that sometimes some quote is lost, causing sentences in the form of "6 multiply 5 multiply multiply", which is often translated incorrectly by the translator, and sometimes the translator truncates some (important) part, so it is better to see both the original text and the translation. Even

 [(] [(] [(] [)] 

may be translated incorrectly (due to the brackets).


Edited by user202729, 13 March 2017 - 02:40 PM.


#213 SopaXorzTaker

Posted 20 January 2017 - 06:36 PM

Okay, I'll look into it. Also, how does basic overflow work? Why does interrupting the solve and replacing a character cause this?

 

I found that when entering a hackstring, some characters (probably the memory content) appear on the screen, and when scrolling them, they change. Probably some variable where the cursor position is stored.



#214 user202729

Posted 21 January 2017 - 04:15 AM

how does basic overflow work? Why does interrupting the solve and replacing a character cause this?


What you are effectively asking is "why does the way of entering basic overflow work". The first large sigma (to 1 x10 9) just writes to a temporary cache, near where the calculation history is saved. That cache is not deleted by pressing ON or changing MthIO/LineIO. Instead of that function you can just enter anything long enough. The second sigma (to 1 or 2) works probably because it ignores one character. Note that if you enter the closing parenthesis it will not cause basic overflow.

when scrolling them, they change.


That is the unstable character.

I found that when entering a hackstring, some characters (probably the memory content) appear on the screen


Read the post about numerical storage; they are stored right after the unstable character. You can reach some variables, but not all, because the number used to store the cursor position is 1 byte, so you can reach at most 256 characters.

#215 SopaXorzTaker

Posted 22 January 2017 - 06:04 PM

Oh, another discovery: I can erase the text before the unstable characters and thus I can use them in expressions.

 

Also, by using the CONST symbols (lower than 10) in a hackstring, I was able to corrupt M, but still get it displayed.

It's now displayed like _| > x 10^98. (fraction symbol, greater than, x10, 98).

 

I think that "M" appears when the exponent is nonzero.

The value is stored as 8 BCD bytes for mantissa (00h-99h) and then the one for the exponent.

value = sgn(exponent)*mantissa*10^abs(exponent)

 

Oh, here's a character map from Baidu with the format: http://imgsrc.baidu....a292cf578c6.jpg



#216 user202729

Posted 02 February 2017 - 04:46 PM

---------- The character spillover ends at exactly address 0x8E00 ----------
(570vn+ specific)

It is possible to read segment 0 at any position, using this hackstring:
[(50 characters) cv08 integrate 1 - X X - - - - - - {12}^19 ]
where "-" is any character and XX is 2 characters specifying the position to set ER0 to. The memory at [ER0] (16 bytes or null-terminated) will be displayed on screen as ASCII.

Why I found it:

By experiment I found that the address 01:3230 (corresponding to the 3 characters "121" or "021") writes 16/null-terminated bytes at [ER0] to the screen. The "cv08 integrate 1 -" = 01:6ADC I found by noticing that re 01:69F4 = imag 01:69F0, and 01:(69F4-6AE4) is one consecutive function, so I predicted re 01:6ADE = imag 01:6AE2, which is POP QR0. By experiment I observe

For imag 01:69F4 -> 01:6B06, adr imag = adr re + 4 bytes.

So I pop QR0 with that value, where ER0 gets the value "XX", and then the next "POP PC" pops "1212" = 01:3230, which writes to the screen.

-- So in theory it is possible to know exactly the first 0x8000 bytes of segment 0, just that it's very boring. --

Also I am testing the values of CSR; it seems unfortunate that, unlike the data segments where data[8] = code[0], code[2k] = code[0] for all k. Nothing special. The possibility of arbitrary code execution is almost 0.

Edited by user202729, 04 February 2017 - 09:44 AM.


#217 Wertyu1

Posted 03 February 2017 - 07:36 PM

Hi. I've made an account to join the research. I've got a Casio fx-350ES PLUS. Can I help you?

#218 SopaXorzTaker

Posted 04 February 2017 - 08:43 AM

Hi. I've made an account to join the research. I've got a Casio fx-350ES PLUS. Can I help you?

 

Yes, of course!

The first thing we'd like you to try is the Basic Overflow bug.

 

EDIT: I didn't notice that your calculator doesn't have a sum symbol (Shift, log). You can still try this on fx-570ES PLUS or greater, see below for more information.

 

First, reset your calculator - Shift, 9, 3, [=].

Then, press Shift, [MODE], 2 to choose the LineIO mode.

 

Next, enter: Alpha, [)], Alpha, [CALC], Shift, log, Alpha, [)], Shift, [)], 1, Shift, [)], 1, [x10^], 9, the screen should now look like this (spaces for clarity):

X=∑(X,1,1 x10 9

Press [CALC], [=], then immediately press AC/on, then [<-], DEL, DEL, DEL, 2. The calculator should now display:

X=∑(X,1,2

Press [CALC], [=] again. The calculator will display a syntax error, press [<-].

If the cursor appears before the X, like this:

|X=∑(X,1,2

then the basic overflow works on your calculator.

 

Now, entering any symbols will corrupt the calculator's RAM and you'll be able to observe various glitches, for example try entering [.] before the memory indicator appears on the screen, that corrupts the memory variable.

If you press AC/on afterwards and enter Alpha [M+] [=], you'll see either ERROR or the calculator will hang.

 

EDIT: That probably does not work on the fx-350ES PLUS, as it doesn't have a sum symbol, unfortunately. We are focused on fx-570ES PLUS and fx-991ES PLUS, but you can search for bugs in your own model, too, and it would be helpful to us.

 

Also, this thread on Baidu is describing various hacks in the fx-ES calculators that others have found, please have a look. http://tieba.baidu.com/p/3395822027



#219 user202729

Posted 04 February 2017 - 08:46 AM

The fx-350es plus is similar to the fx-82es plus. That method does not apply to this kind of calculator. However, there are other methods to get to basic overflow. First, can you try the way LP700_(4) described to get the "similar effect"?

If I remember correctly, the same behavior can be achieved on the 82es plus by entering A8 3A at bytes #57 #58 (LineIO basic overflow required).



Note that there is actually a space character " " on the fx-991ES PLUS (character 20h), although it is little used.
-----------------------

Checksum method for reading ROM memory succeeded!
(Only read, not write yet; that may be impossible)

Hack-string:

[(50 bytes) cv06 integrate 1 - 0 0 . . . . X X . . . . . . . . cv36 integrate 1 - . . . . . . cs40 Q1 2 integrate 1 - (14 bytes)

The "0 0" = 3030 is the number to start subtracting from. The result displayed on screen is

3030 - (sum of XX bytes at first of segment 0 program/code memory) - (sum of all bytes of segment 1)

Note that X is little-endian.

Also this hackstring is used to read text data:

[{12}^25 cv08 integrate 1 - X X (8 bytes) {12}^19]

reads the data memory space at address XX, 16 bytes or until a null is encountered.

These are the results:

(I use the results from those tests to compare with the emulator ROM)

(tag) #219

 

(Segment 0, address in hexadecimal)

real = imag , diff
0160 = 0160 , 000
09D4 = 09D4 , 000
3001 = 3003 , 002
3006 = 3008 , 002
4130 = 42D0 , 1A0
4330 = 44D0 , 1A0
4441 = 45E1 , 1A0
4468 = 4608 , 1A0 (4 lines of ASCII)
44EA = ???? (see below for more details)
4598 = 46B2 , 11A
4630 = 474A , 11A
4F34 = 504E , 11A
59B6 = 5AD0 , 11A
6001 = 6149 , 148
8234 = 89B0 , 77C
9830 = 9FAC , 77C
C231 = CB83 or CB93

The emulator seems to always use more memory than the real calculator.

-------------------------------------------------------------------------------------

Font of calculator fx-570vn plus:

Similar to that of fx-570ES PLUS, except:
Character 7F -> division operator of France "|-"
Character 8E -> Uppercase Pi
Character 97 -> double-stroke down arrow
(extract from the emulator)


Edited by user202729, 13 March 2017 - 03:49 PM.


#220 Wertyu1

Posted 04 February 2017 - 01:06 PM

I found on YouTube a bug that allows me to write the r symbol, but only in stat mode. First clear memory [shift 9 3 = AC], then press [mode 2 AC mode 2], then press AC and after 0.5 sec ON. If it was done successfully, after pressing [shift 1] there should be 6 options. Press 5 then 3 to write r.

Edited by Wertyu1, 04 February 2017 - 02:41 PM.


#221 SopaXorzTaker

Posted 04 February 2017 - 01:48 PM

user202729, could you please describe the hackstring notation that you use, for example, what does {12}^25 mean?



#222 user202729

Posted 04 February 2017 - 02:34 PM

Square bracket: Describes a hack. There should be 100 characters inside. They are effective characters (as the fx-es(ms) group called them).
Curly bracket and exponent: Simply repeat the characters in the bracket a number of times.
Be aware that those hacks are for the fx-570vn plus.

Edited by user202729, 04 February 2017 - 02:35 PM.


#223 Wertyu1

Posted 04 February 2017 - 03:22 PM

There is a bug in fx-82ES, -115ES and -991ES (including the PLUS models) which allows the user to corrupt the calculator's RAM via abruptly interrupting the process of saving data to the EEPROM, please see this thread.

Broken link

#224 SopaXorzTaker

Posted 04 February 2017 - 05:15 PM

Broken link

Yes, it was obsolete and I deleted the forum thread, as its creator asked me.



#225 user202729

Posted 05 February 2017 - 08:39 AM

Code in the real 570vn+ calculator: (segment 0)
0044EA   11 9B 47 F0        ST      R11, 0F047h
0044EE   8F FE              NOP
0044F0   10 90 40 F0        L       R0, 0F040h
0044F4   71 A0              TB      R0.7
0044F6   01 C8              BC      NE, 044FAh
0044F8   01 1C              ADD     R12, #1
That can't be found in the emulator. The emulator never even uses the address 0F047h, so I don't know what that is.
EDIT: That may be the shutdown method.

Note: Is that considered posting the calculator's ROM?



----------------------------

IMPORTANT
Emulator of fx 991ES PLUS found!

****
For anyone who wants the emulator of the fx 991ES PLUS, apart from hacking purposes, use this alternative calculator emulator which is free:

http://forum.vstem.e...es-plus-zip.26/
(Password: "vstem.edu.vn")
or
http://www.mediafire...SPLUSIIv1.0.exe
****

Now you can read the ROM of the emulator (if you think it's worth the effort). It remains impossible to execute arbitrary code.

It may be possible to change the hardware a bit with 00:0F000 - 00:0FFFF, but I don't think that has any effect.

Edited by user202729, 07 February 2017 - 12:25 PM.


#226 Wertyu1

Posted 19 February 2017 - 03:25 PM

I've found a cool hackstring for the 350 es plus (probably works on 82 and 85)

AnsAnsAnsAnsAnsAnsAnsAnsAnsAnssin(7777sin(7777sin(7777sin(7777sin(7777((((((((((Abs(r

It should show AC break. Press Left then Up. The cursor should now be at the answer line.

Edited by Wertyu1, 19 February 2017 - 06:04 PM.


#227 Flashed

Posted 21 February 2017 - 12:09 AM

Right, first say 'hello' to everybody.

I have been looking at this forum for a few months and I'm really interested in Casio hacking. First I want to know what the objective of 'hacking' those calculators is: is it unlocking other ROMs via soft hacking? Or just understanding how they work? (I know that one thing leads to another)

 

So, I'd like to know the current status of Casio calculator hacking, especially the PLUS models. I want to know the development at this point, and you could probably recommend me a PDF guide or something like that which can help me understand how the different chipsets of these calculators work.

 

Thanks everybody!



#228 fishkiller2

Posted 21 February 2017 - 04:13 PM

Are there any new findings about the CLASSWIZ calculators?
I'm really looking forward to doing some reverse engineering, but I don't want to start from zero.

I got the FX 991 DE X, but I can't find any issues with the other CLASSWIZ tricks, unlike the DE Plus version of the 991ES where almost none of the other hacks work

#229 SopaXorzTaker

Posted 21 February 2017 - 05:18 PM

Right, first say 'hello' to everybody.

I have been looking at this forum for a few months and I'm really interested in Casio hacking. First I want to know what the objective of 'hacking' those calculators is: is it unlocking other ROMs via soft hacking? Or just understanding how they work? (I know that one thing leads to another)

 

So, I'd like to know the current status of Casio calculator hacking, especially the PLUS models. I want to know the development at this point, and you could probably recommend me a PDF guide or something like that which can help me understand how the different chipsets of these calculators work.

 

Thanks everybody!

We're aiming to execute arbitrary code, to allow writing programs for the calculator.



#230 Flashed

Posted 05 March 2017 - 12:09 AM

We're aiming to execute arbitrary code, to allow writing programs for the calculator.

It means running third-party programs, unofficially? LOL That looks pretty cool, but a bit difficult, because for that you will need to do an EEPROM dump and...

I don't know if the idea is to create unofficial programs on the PC, able to run on the calculator architecture? Is this what I should understand?



#231 user202729

Posted 05 March 2017 - 02:54 AM

...

Although we aim to execute arbitrary code, it is probably impossible to do. The reason is explained in my previous posts.
We can only execute simple functions on the calculator using its built-in functions. However, that requires a lot of (manual) decompiling which I don't want to do.
Executing assembly is impossible, and even if we were able to run nX/U8 assembly on the calculator it would take a lot of time writing the program to the calculator. The calculator has no USB port. Even reading its memory is difficult.

Also, in reply to fishkiller2: In fact there are a lot of CLASSWIZ hacks, probably just as many as those on the ES PLUS series.

--------------
Those calculators, according to the emulator ROM, have a lot of empty space. So there may be something interesting there. (The real calculator also has a lot of empty space in ROM, so I can't be sure)

#232 fishkiller2

Posted 06 March 2017 - 01:25 PM

But where? I had a big look around this forum and didn't find anything except the "How to Hack Your CLASSWIZ" thread where I already posted.

I'm pretty new to the Calculator Hack community so please excuse any difficulties.

Anyway I might be on a track to finding a way to get r on CLASSWIZ using the method in the CLASSWIZ thread, but again I don't know where to look if anybody did it before me. And I don't even know if you can do anything interesting with r on the CLASSWIZ models.

Edited by fishkiller2, 06 March 2017 - 01:32 PM.


#233 fishkiller2

Posted 06 March 2017 - 01:37 PM

Although we aim to execute arbitrary code, it is probably impossible to do. The reason is explained in my previous posts.
We can only execute simple functions on the calculator using its built-in functions. However, that requires a lot of (manual) decompiling which I don't want to do.
Executing assembly is impossible, and even if we were able to run nX/U8 assembly on the calculator it would take a lot of time writing the program to the calculator. The calculator has no USB port. Even reading its memory is difficult.


That wouldn't be that big of a problem; look at the Super Mario arbitrary code execution by YouTuber SethBling. First he writes a very small program into memory to make entering code much easier. I think probably the same strategy can be used to make entering programs very fast, but that's just an idea.

#234 user202729

Posted 09 March 2017 - 05:06 PM

@fishkiller2

Quote: "The reason is explained in my previous posts"

That is, the program/code memory space and the data memory space are separated. There is no way to let CSR:PC point into the data memory space, which is the only place that is editable.

By the way, as I don't have a Classwiz I may sometimes ask you to test something on that calculator.

Edited by user202729, 10 March 2017 - 02:54 PM.


#235 fishkiller2

Posted 09 March 2017 - 08:43 PM

Yep I discovered the baidu board about 10 mins after my last post -_-

 

I've seen some posts from you there; one of them describes an "A-type converter" which, to my understanding, converts a prefix to another one. Maybe you could explain that a bit further, as I don't really know what to do there.

Also the baidu board really helped me to understand the empty box hack.

 

 

By the way, as I don't have a Classwiz I may sometimes ask you to test something on that calculator.

 

I'll PM you my email, as you'd reach me much faster using my email, but most of my research is currently done in boring school lessons where phones are mostly forbidden, so it could take some time for me to answer.



#236 user202729

Posted 10 March 2017 - 03:10 PM

The speed is not very important. It may take days for me to reply anyway.

"Boring school lessons" - but you still have to do tests on those subjects, right?

About the converter: the Classwiz series has an extended character set. A character either has code ?? where ?? is between 01 and EF, or F? ??. In the second case the "F?" is considered the prefix. The "character converters" are characters of the form "F? F?", which can help you type any character of the form "F? XY" where XY can be input from the keyboard. For example, with the character converter "FE FE" and "31" (number 1), which can be input normally, you can get character "FE 31".
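A decoder for the character encoding described in the post above, as an added illustration that is not code from this thread or from the fx-es(ms) group: it splits a byte stream into single-byte (01..EF) and prefixed (F? ??) characters, re-encodes them, and models the "F? F?" converter applied to a keyboard character. The sample bytes are constructed from the codes quoted in the thread (FE 1A, 31, FB 1A); which of the converter's two bytes becomes the new prefix is an assumption, since the post's "FE FE" example does not distinguish them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One Classwiz character as the post describes it: a single byte 01..EF, or
 * a prefix byte F0..FF followed by a second byte. prefix == 0 means none. */
typedef struct {
    uint8_t prefix;
    uint8_t code;
} cw_char;

static int cw_is_prefix(uint8_t b) { return (b & 0xF0) == 0xF0; }

/* Split a byte stream into characters. Returns the number of characters
 * written to out, or -1 on a malformed stream: a 00 byte, a prefix byte with
 * nothing after it, or more characters than out can hold. */
static int cw_decode(const uint8_t *buf, size_t len, cw_char *out, size_t max)
{
    size_t i = 0, n = 0;
    while (i < len) {
        uint8_t b = buf[i++];
        if (b == 0x00 || n == max)
            return -1;
        if (cw_is_prefix(b)) {
            if (i == len)
                return -1;                /* truncated two-byte character */
            out[n].prefix = b;
            out[n].code = buf[i++];
        } else {
            out[n].prefix = 0;
            out[n].code = b;
        }
        n++;
    }
    return (int)n;
}

/* Encode characters back to bytes. Returns bytes written, or -1 if dst is
 * too small. */
static int cw_encode(const cw_char *chars, size_t n, uint8_t *dst, size_t cap)
{
    size_t i, k = 0;
    for (i = 0; i < n; i++) {
        if (chars[i].prefix) {
            if (k + 2 > cap)
                return -1;
            dst[k++] = chars[i].prefix;
        } else if (k + 1 > cap) {
            return -1;
        }
        dst[k++] = chars[i].code;
    }
    return (int)k;
}

/* A converter is a character whose bytes are both prefix bytes ("F? F?").
 * Applied to a plain keyboard character XY it yields "F? XY". Assumption:
 * the converter's second byte supplies the prefix (the post's "FE FE" + "31"
 * -> "FE 31" is satisfied either way). Returns 0 on success, -1 otherwise. */
static int cw_apply_converter(cw_char conv, cw_char key, cw_char *out)
{
    if (!cw_is_prefix(conv.prefix) || !cw_is_prefix(conv.code))
        return -1;                        /* not a converter character */
    if (key.prefix != 0)
        return -1;                        /* key must be a plain character */
    out->prefix = conv.code;
    out->code = key.code;
    return 0;
}

int main(void)
{
    /* Constructed sample: Pa>atm (FE 1A), the digit 1 (31), M+ (FB 1A). */
    const uint8_t sample[] = {0xFE, 0x1A, 0x31, 0xFB, 0x1A};
    cw_char chars[8], conv = {0xFE, 0xFE}, key = {0, 0x31}, made;
    int n = cw_decode(sample, sizeof sample, chars, 8), i;

    for (i = 0; i < n; i++)
        printf("char %d: prefix %02X code %02X\n", i, chars[i].prefix, chars[i].code);
    if (cw_apply_converter(conv, key, &made) == 0)
        printf("converter FE FE + 31 -> %02X %02X\n", made.prefix, made.code);
    return 0;
}
```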

#237 fishkiller2

Posted 10 March 2017 - 04:28 PM

But what about converting a prefix to another one?

Just as an example, let's say I want to convert Pa>atm (FE 1A) to M+ (FB 1A); what do I need to enter to achieve this? (using the empty box hack, of course)



#238 zephray

Posted 12 March 2017 - 01:02 AM

Greetings!

I'm the former admin of the Baidu fx-es(ms) forum and current admin of cnCalc.org. I'm quite interested in your project, so if you are having any trouble reading Chinese, just contact me! Most of the members are junior or senior high school students; they play with their CASIO calculators since classes are boring... Then they post any glitches they find in the forum :P

What interests me is that there are many clones of fx-ES calculators. One is the HP SmartCalc 300s. These clones use a pretty similar ROM to the genuine ones, but they are running on totally different processors. If CASIO didn't sell them the source code, where did the code come from? So HP (actually not HP but the "solution provider") disassembled CASIO's code?

Also, SunPlus' SPL08x processor (LCD controller integrated) is known to be used in several clones, but I'm not sure which (maybe Canon F-789SGA?). According to the datasheet, it uses a 6502 core, but I'm not sure. There are even clones using processors without an LCDC, but I haven't figured out the CPU model.

VINACAL should be one of these clones; has anyone here checked its processor yet?


Edited by zephray, 12 March 2017 - 02:54 AM.


#239 user202729

Posted 12 March 2017 - 04:32 AM

@fishkiller2 I can't find that information in the fx-es(ms) group, but you can use this to separate a character from its prefix (for example, you can get 20 from FE 20):

1. Brush out of the box, press 1

2. Enter a compound character (FE 20)

3. Press [left] 1 DEL DEL DEL. The separated character should be to the right of the box, and you can combine that with other prefix as usual.

 

You can separate 19 (box) from FE 19 in order to get another box if you need.

 

That may work, but I am not sure, because I don't have a real calculator. It seems that you cannot separate characters 1A to 1F.

 

@zephray According to the emulator, the (Vinacal) calculator uses an Elan microprocessor.



#240 user202729

Posted 12 March 2017 - 07:13 AM

Probably the Classwiz calculator can execute arbitrary code in assembly! Segment 4 is editable.
But first try to get "basic overflow": Press [=] when there are at least 200 characters on the screen. Most of the time the calculator should freeze (just like basic overflow on the ES PLUS series).

- Details how to do that -
1. Get an empty box, press [->] to get out of the box.
2. Press 203 characters (preferably numbers)
3. Press [<-] 202 times
4. Press DEL 2 times
5. There should be 202 characters after a box now. Press [=].

Edited by user202729, 12 March 2017 - 12:34 PM.




