Jump to content

* * * * * 3 votes

FX-82/-83GT/-115/-991ES PLUS Hacking

  • Please log in to reply
323 replies to this topic

#321 .kklicker



  • Members
  • Pip
  • 1 posts

  • Calculators:
    Casio fx-92 Ver A

Posted 03 February 2018 - 08:41 AM

I'm the (un)happy owner of a (casio,obvs) fx-92 Ver A calculator which is the french/belgian version of the fx-82 series.
As I told @SopaXorzTaker in the chat, I know quite a few things in the binary exploitation field(On PCs but also some embedded devices).

I'm following the topic since a while (like the first page) so I was wondering if I could join/eventually try to help and maybe try to adapt the exploits already found to my calculator model  -I don't know if it uses the same chipset atm, I hope so- because the firmware is different and a bit limited compared to fx-82's functions.
(I yet found what I think could be an exploitable buffer overflow, gonna try to read and search about the arch when I get time)

Edited by .kklicker, 03 February 2018 - 08:46 AM.

#322 nm111



  • Members
  • Pip
  • 1 posts

Posted 14 February 2018 - 10:29 AM


I think what you're doing here is quite cool, so I've made an account to join in. Do you know what I could do to try and help?

I heard you need a wiki, and I found a good site called wiki-site.com. I have made a wiki there: http://casiohacking.wiki-site.com/. You can make an account on that site and you should be able to create pages.

#323 user202729


    Casio Freak

  • Members
  • PipPipPipPip
  • 171 posts

Posted Yesterday, 02:54 PM

# An attempt at writing a tutorial so that everyone can understand


(please interpret this as markdown, I don't like BBCode)


### Stack


The stack is used for static memory allocation. Read Wikipedia: https://en.wikipedia...mory_allocation


Short explanation:


* When a function need an amount of memory, it decreases the stack pointer (SP) by that many bytes, and own the memory pointed to by SP.

* When a function no longer need that memory, it increases the stack pointer.


### Function call


For the nX/U8 core, when a function calls another functions, the address of the caller is stored in the `LCSR:LR` register, and the arguments are (often) stored into the registers `R0-R15` (and occasionally pushed on the stack, although I can't recall any example right now).


For example, if the function `f` taking 1 1-byte argument in `r2`, has the structure



0:1234    st    r2, 08124h

0:1236    rt



and a snippet of code



0:2466    mov    r2, #3

0:2468    bl        0:1234h

0:246c    mov    r0, #0



is executed, the following will happen:


* At `0:2466`, `r2` is set to decimal value `3`.

* At `0:2468`, when the command `bl 0:1234h` is called,

    * The `LCSR:LR` register value is set to `0:246ch` (the address of the command right after the `bl` command) (that is, `LCSR = 0` and `LR = 246ch`)

    * The `CSR:PC` register value is set to `0:1234h`.

* Next, `0:1234` is executed.

* After 1 command, at `0:1236`, when the `rt` command is called, the value of `CSR:PC` is set to the value of `LCSR:LR` (which is `0:246ch`).


* Then, the command `0:246ch` is executed.




Ok, next. When a function `a` that is called by another function `parent` needs to call yet another function `child`, it needs to remember the value of `LCSR:LR` when it was called (by `parent`). That is done by the command



push lr



which allocates 4 bytes of memory on the stack, and store the value of `lcsr` and `lr` there.


When the function returns, instead of



pop lr



(which is supposed to return the value of `lr` and `lcsr` and then do the normal return), it executes



pop pc




For more detailed instruction, read the nX/U8 core instruction manual. But basically, the LR (2 bytes) is on the top, then the LCSR (1 byte), then an unused byte.


Note that, although the CPU allows up to 16 code/data segments, the calculators only uses 2 segments, so only the least significant bit of `lcsr` is important, all other bits are always 0. Moreover because of word alignment of `PC`, the least significant bit of the PC is always zero.




So, how does that help with arbitrary code execution?


As we observed, there are a lot of `pop pc` commands in the code. And those commands set the program counter to whatever on the top of the stack. Therefore, if we executes a `pop pc` command and can control what is in the stack, we can make the PC to jump to arbitrary location.


The remaining problem is to write a program in ROP.




### TODO: Should I add some example programs and explain how they works? I think there are enough programs (scattered in the topic).


### TODO: Is there any unclear part (that you can't understand)?

Edited by user202729, Yesterday, 05:20 PM.

#324 SopaXorzTaker


    Casio Freak

  • Moderator
  • PipPipPipPip
  • 150 posts
  • Gender:Male
  • Interests:Electronics and programming.

  • Calculators:
    fx-991ES PLUS

Posted Yesterday, 06:05 PM

@user202729: Thank you, it's pretty clear, I suggest adding some examples (directly in your post) and explaining how they work (which addresses do they jump to, etc).

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users