
Effect of little 'A' and 'B' on fx-82AU PLUS II

fx-82es hacking

12 replies to this topic

#1 aidswidjaja

aidswidjaja

    Newbie

  • Members
  • Pip
  • 13 posts
  • Gender:Male
  • Location:Sydney, Australia
  • Interests:Calculators, computers, anime

  • Calculators:
    CASIO fx-82AU PLUS II
    CASIO fx-100AU PLUS

Posted 02 August 2020 - 10:23 AM

Effect of little 'A' and 'B' on fx-82AU PLUS II

PoIB Project thread

Edit: updated from fx-82ES PLUS II to fx-82AU PLUS II

 

Hi everyone,

 

I am running a calculator hacking project to document and learn more about a specific calculator phenomenon that builds on the work done by the Chinese-language fx-es(ms) Baidu Tieba (https://tieba.baidu....es(ms)&ie=utf-8) and this forum's own calculator hacking thread (https://community.ca...s-plus-hacking/).

 

Basically, for any fx-82ES PLUS AU 1st edition you can generally convert 9-pixel height characters directly to their 6-pixel version.

 

After accessing abnormal stat mode (instructions found either in the below document or at this Tieba post: https://tieba.baidu....tag=i3044162056), using a hackstring in the form:

ANYTEXT(A/B))))))

where:

  • (A/B) is the A/B coefficients, which can be located anywhere in the hackstring before the brackets
  • ANYTEXT is any arbitrary string, can be as short or as long as you want. It can take the form of numbers, variable letters (e.g. A, B, C, D, E, F, X, Y, M) or functions (e.g. sin(, cos(, tan(, log()
  • ))))) are brackets (0920) ranging from a quantity of 5+

 

The result should be that your arbitrary string (and trailing brackets) are converted from their standard, 5*9 size, to the corresponding 5*6 size.

 

I will continue to update this thread with major updates, but all of the research is being collated in a Google Doc.

 

Google Docs (English + Chinese): https://tinyurl.com/fxesplus-convert   


I will also post this on the Chinese forums in case anyone there is interested. If you are in mainland China you can also use this link since Google Docs is blocked: https://docs.qq.com/...1dnVnhoT1pTaERH

 

I don't know if anyone is interested in this project at all but I will try and keep this thread relatively updated. Feel free to let me know if you have any questions

 

aidswidjaja~


Edited by aidswidjaja, 08 August 2020 - 08:46 AM.


#2 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 02 August 2020 - 12:25 PM

Some comments:

 

It's easier to predict what basic overflow methods do than r-based method (or small A/B/C) -- so "research" is hard and there's no definite method.

 

 

It's rather unlikely that someone discovered this method, since (as far as I know) the "calculator hacking" is only popular in that Chinese group, and those calculator brands are not common in China.

 

> Please also note that there are only very minor differences between regional variations (ES, AU, GT) and it should not affect the performance of the hack 

 

Generally, small variation in the functionality will lead to complete change of the ROM. Those methods are dependent on the exact addresses of the functions in the ROM.

 

> Here you are overriding the EEPROM to access abnormal STAT mode

 

That's just normal RAM.

 

> direct correlation between input and output

 

Isn't that just "the byte values of the input are the same as the byte values of the output"?...

 

> be advised that I believe there are some characters missing at least from the 5*6 table.

 

It's complete; however a few characters may be different between calculator models.


Edited by user202729, 02 August 2020 - 12:25 PM.


#3 anon34


Posted 02 August 2020 - 01:33 PM

By the way, it's not recommended to post many links in the Baidu forum. There is some automated detection.

There are some workarounds, including putting the link in an image, or interleaving some [delete]/emoji/space between the URL components.



#4 aidswidjaja


Posted 03 August 2020 - 06:28 AM

Thanks for your comments @user202729. I didn't know about the Baidu detection.

> It's easier to predict what basic overflow methods do than r-based method (or small A/B/C) -- so "research" is hard and there's no definite method.

This is true but I think it would help if I could at least explain why it's reverting to this behaviour even if it's not a full explanation and there are still holes. That would help with getting a reproduction on other roms too.

 


> Please also note that there are only very minor differences between regional variations (ES, AU, GT) and it should not affect the performance of the hack 

 

> Generally, small variation in the functionality will lead to complete change of the ROM. Those methods are dependent on the exact addresses of the functions in the ROM.

 

This is actually something I completely overlooked. I sort of assumed that the AU version at least didn't have any changes but upon further research there are quite a few changes (surds not fully simplified, etc., basically a dumbed-down version to comply with our local exam requirements) so if in fact this renders the hack useless on ES/GT regions then I'm going to have to go back to the drawing board to see if this hack even is possible outside of this specific ROM. I assume no one has an 82-ES PLUS II handy to test this out but if anyone happens to have one and is happy to run the hackstrings and report back, that would be appreciated.

 

And yea, there is one character in particular I remember I couldn't find on the character table but I would have no idea why it would exist. It's not too important right now since I haven't stumbled across it (it's towards the end of the ASCII character table - reference A) but I'll leave the note to remind me there could be differences.

 


> direct correlation between input and output

 

> Isn't that just "the byte values of the input are the same as the byte values of the output"?...

You're right about this too, but I'm still curious as to why functions (sin cos tan, x!, x^y) and variables (A, B, C) just correspond to another character in the sequence while operations like *, / (not fraction), +, - seem to exhibit different behaviours.

 



#5 EnderFire09

EnderFire09

    Newbie

  • Members
  • Pip
  • 22 posts
  • Gender:Not Telling

  • Calculators:
    Casio fx-991ES PLUS Version F
    Casio fx-82AU PLUS II Version A

Posted 06 August 2020 - 09:47 PM

Sadly, that hackstring just crashes my fx-82AU PLUS II (LY711X VerA).

 

However I have ones that work.

 

First the STAT submode 0 hacks.

 

1. small 'A' by itself - Enters Mode 68

2. 1(1(1(1r - Enters Mode 68 with MathIO

3. A(BCr - Puts the input into table input mode and corrupts the ram, causing the hackstrings to have different results until you press [ON].

4. 1sqrt(1sqrt(1sqrt(1sqrt(1sqrt(1sqrt(1r - teleport cursor far to the right, past the start of the cache, causing basic overflow.

 

 

Now for the COMP, MathIO hacks

 

First, to get 'r', enter Pol(1,0) then press [=], then press ÷, then 9 and then press [LEFT BRACKET] until you can't type any more left brackets. Then press [=], then AC/on, , AC/on, [BACK].

Now you should have 'r' and a few other characters. Delete everything except for 'r'.

 

Now for the hacks.

 

1. (7979(7979(7979(7979r - Enters Vector mode, which is not supported by the fx-82AU PLUS II

2. A(BCr->M v/[] (Square root) - Enters Mode 68 with LineIO without crashing the calculator. Press AC/on, then [BACK], delete everything except for the box. Now move the cursor to the left of the box, then press [RIGHT] once. Initially, you can't see what you are typing until you have typed about a dozen characters. You have now achieved basic overflow.



#6 aidswidjaja


Posted 06 August 2020 - 10:25 PM

@EnderFire09

 

Thanks for letting me know about these hacks! I think I know about a few of these but will definitely try out the ones I haven't seen :D

 

It is strange that the hackstring doesn't work on your calculator since we have the exact same model. You may have not placed enough brackets. p17 of the Google Doc I linked above should demonstrate the effect of brackets.

 

For example, could you try the below (which should work) - 9 brackets

 

AFX–E5-M5)))))))))



#7 EnderFire09


Posted 07 August 2020 - 12:26 AM

I looked at the pictures in the document and found out I have seen this hack before. Sometimes, depending on what you put before or after the small 'A', the input area is copied above the conversion text. All it does is show a glitched conversion menu, sometimes with what you inputted above, depending on what you put before (or after) the small 'A', and puts your calculator in Mode 68 with LineIO only. To me it is one of the more boring hacks and a hack I discovered early on when I started hacking that model.

 

BTW, when I said it crashed my calculator, I meant it showed the glitched conversion menu and what I inputted above.


Edited by EnderFire09, 07 August 2020 - 12:40 AM.


#8 aidswidjaja


Posted 07 August 2020 - 01:39 AM

Yea, I had suspected someone has already found this hack. To me this project is more about documenting it and explaining why it happens. It's definitely not as exciting as other hacks but there is still a little bit of research to do to explain why the 5*9 characters translate to 5*6 characters, the strange effects of the division symbol (to be explained) etc.

 

In the future, maybe we can get the hacking threads more active again in order to possibly execute arbitrary code, which to my knowledge hasn't been achieved yet. Easier said than done though, so no Pokemon Red on your fx-82AU for a long time :(

 

But yea, the scope of this thread is pretty narrow in regards to what phenomenon I'm analysing



#9 anon34


Posted 07 August 2020 - 02:51 AM

It's already possible to execute ROP, but it takes some effort to write some meaningful program, I just don't feel like doing that at the moment.

 

There aren't many people (5?) who can understand ROP at the moment.


Edited by user202729, 07 August 2020 - 02:52 AM.


#10 EnderFire09


Posted 07 August 2020 - 04:26 AM

I have started a new thread on hacking the fx-82AU PLUS II

 

https://community.ca...lus-ii-hacking/

 

Come and visit; maybe arbitrary code execution can be achieved and the ROM can be dumped.



#11 aidswidjaja


Posted 07 August 2020 - 05:24 AM

iirc the ROM has already been dumped for both the calculator and the emulator. Baidu did it by hand lol but I know that the ROM for the fx82es is available at https://github.com/S...ee/master/dumps and https://github.com/u...ee/master/82esp - (at least the emulator).

 

Arbitrary code execution is definitely the ultimate goal and user202729 already mentioned that ROP is possible... however it is *incredibly* difficult and I'm not at the technical level to understand it yet. So arbitrary code execution sounds nice but currently I'm not technically good enough to be useful at all.

If you decide to try and pursue reproducible arbitrary code execution + make a decent program for it, that would be cool but I can see it being very difficult.



#12 EnderFire09


Posted 07 August 2020 - 07:00 AM

> iirc the ROM has already been dumped for both the calculator and the emulator. Baidu did it by hand lol but I know that the ROM for the fx82es is available at https://github.com/S...ee/master/dumps and https://github.com/u...ee/master/82esp - (at least the emulator).
>
> Arbitrary code execution is definitely the ultimate goal and user202729 already mentioned that ROP is possible... however it is *incredibly* difficult and I'm not at the technical level to understand it yet. So arbitrary code execution sounds nice but currently I'm not technically good enough to be useful at all.
>
> If you decide to try and pursue reproducible arbitrary code execution + make a decent program for it, that would be cool but I can see it being very difficult.

 

The fx-82ES PLUS (GY450X VerE) is completely different from the fx-82AU PLUS II (LY711X VerA).

 

The roms are different, they have different modes and the reg hackstrings are completely 100% incompatible.

 

A rom dump of the fx-82ES PLUS emulator rom would not help any more than the other dumps. I already know about the rom dumps and emulator on GitHub.

 

Also there is no such thing as the fx-82ES PLUS II. There is the fx-82AU PLUS II and the fx-82ES PLUS but the fx-82ES PLUS II does not exist.

 

Thank you for trying to help :)



#13 aidswidjaja


Posted 07 August 2020 - 07:29 AM

Oh yea, you want to dump the AU version right. ROMs are different but you could probably dig into tieba / the other thread and make ROM dumping easier for the AU

Reg hackstrings being 100% incompatible - yes this is true since memory addresses are different and I'm yet to test PoIB project on an ES, and maybe Mode 68 hackstrings will work on ES and AU but even then Mode 68 already has a huge number of different hackstring combinations.

And I'm starting to learn that the FX-82AU is quite different to its ES counterpart. Should have done more prelim research but even then it is slightly annoying since the ES version is the main de facto intl version but anyway... Will update doc/thread to reflect this.

It's too bad the threads aren't as active anymore and we are in Australia so we can't get as many people working on it as ES. However, we have access to a lot more info now than 5 years ago. So if you're looking to dump ROMs, maybe talk to some of the people who did the original rom dumping for the GT/ES and speed things up? (I don't even know if everyone is still active anymore, but it's highly likely the rom dumping methods are similar and I know that user built a hackstring to dump the rom.)

Anyway, that's all I'm really able to offer. Threads are looking a little dead and AU means people who are able to work on it are much less but if you get arbitrary code running without having to jump through too many hoops, I can see it becoming very popular :D

And don't forget to let me know if you need anyone to test/corroborate stuff for you




