136 replies to this topic

[LordNPS]

Well... I guess are hopes now are that you get 2nd place at the juexcasio contest then...

[huhn_m]

damn! I nearly forgot about this! thanks loads for telling me about it again.

I registered with the contest already, but forgot it over the troubles of the
last 2 weeks.

[LordNPS]

I have found a very interessting Wikibook about reverse assemembling.
Reverse Engineering
Perhaps it is worth reading
It is focused on the x86 ( big surpize) and it has some comprehensive explanations that might help us getting somewhere nonetheless, it is a good reading subject for anyone who lkes programming or computer science.

[kucalc]

If someone knew how the OS update installtion program worked and could extract the ROM, then I could start diassembling. Maybe we could capture the signal feed from the USB when the update program is downloading the ROM.... Does the emulator for the fx-9860 contain the ROM that we could extract? I doubt it contains the complete ROM though. The emulator lacks the ability for add-ins.

[LordNPS]

Well, I guess we could run a diff in the First OS update and the second... that way we would get a clue where the "OS image" is, as the difrent part is definativly OS.

About capturing the signal... well, it is possible... you will get a nice bin file. And you don't know the processor architecture, so you can't desassemble it...
Even if you had a ROM image, what would you do with it? (no offense)
put in in a hex editor? and then what? It is most likely it is not x86 compatible, (it might be, yet it is not likely).

Now other thing, I have tried to change some strings in the physium add in, and the FA 124 refused to transmit, claimed it was in the wrong format (despite it being obviously a g1a) , so my guess is that there is some kind of checksum that confirms the authenticity of the add in.
There would be 2 ways to detour this:
Crack the Fa124 so it does not check for the add-in check sum (and the calculators OS as it probably does the checksum too)
or
with the three add ins that we got so far, atempt to try find the piece of hex where the checksum value is.
Then try to change the strings modifying this piece of hex acordingly...
(this is just crapy theory I really am not seeing how we are going to do this for real).

[kucalc]

There is a checksum, most likely. I was able to change some parts of the Physium add-in just for fun a while ago. I was able to do this easily just using the EDIT program in DOS (command prompt) in binary mode. Just press the Insert key (to make sure I write over), and I was able to write over text strings and change them. I then fed it to my calc through FA-124 and had a few chuckles at what I changed in Physium.

If I had the ROM image, I would try any disassembler I could get my hands on and see if it would work. The oscillator is clocked at 40MHz right? It could be VERY HIGHLY that the fx-9860 is using ARM architecture. ARM is very popular now, almost 75% of all 32 bit embedded products (PDA, mobile phones, media players and calculators) use it. Also has low power consumption. It is very likely the ARM is being used in the fx-9860.

[kucalc]

Now , do you know a way to loopback a USB transmition? kind of a driver that would allow us virtual USB ports.?

Sorry wanted to bring the talk to back here in this thread. Sounded more logical. Now I'm currently looking for a way to that. Looking it up on Google, tech forums, etc...

[2072]

for the AFX, the.cfx files have a checksum but it was not a CRC, a simple sum if I remember well...

[kucalc]

LOL! Doing a Google search on USB Port Monitor gives you a bunch of software that will let you capture USB data feed. http://www.google.co...G=Google Search
People who own a fx-9860 can now try capturing the ROM now, provided that you didn't upgrade yet. It won't download the ROM if you already have the latest version.

[LordNPS]

Any known way to regress the OS's version?
Perhaps a Hard Reset?

[LordNPS]

How do you know this?

Is there any proof of this?

[kucalc]

SH, huh? I remember reading about it in a magazine, it's a Hitachi right? Maybe that Guest could help us...

[LordNPS]

SH stands for SuperH, and yes, it is from HITACHI.
Well IDA pro suports most of the SH processors in disassembling... I am going to see if I can find it in the p2p network...then I'll try some g1a files...

[kucalc]

Eureka! Great news! I have been able to get the ROM from the update program!!!!!!!! I am so glad now! Knowing it's using a SH and now that we have a ROM, the dream of an SDK for the fx-9860 may come true! Just hold on while I get things set up, then...

[alias4399]

Hey! I dont know much about this stuff, but it sounds like a breakthrough! Nice work!

[kucalc]

Yep, after looking at the ROM, it is using SH architecture. There is a tag in here in the ROM that reads: RENESAS SH733701. There are two binary files in the OS update. One I believe is a bootloader that help loads up the other binary file, which is the complete updated ROM. I'm gonna look for datasheets and the CPU user manual...

LordNPS, I tried emailing you my findings. You're email address, LordNPS AT hotmail.com doesn't seem to work. I get a postmaster error from hotmail.com. It's saying your email account is full and that my email is too big to get to you...

[LordNPS]

Plese do email me your findings for I am very interested in them try my e-mail at gmail : (surprize !) LordNPS AT gmail.com

very Good work Kuacalc, I have a little bunch of tools for the SH processor, tipped of by the guest user, I decided to install the SDK for the Classpad 300 and it contained a file call SH tools, which contains an assembler and some other tools, who are most likely to prove themselves usefull to us.

Now I am looking forward for being able to examine those bin files myself from the OS update.

Edit: I did not find a IDA pro at the gnutella network, I don't really see how I am getting a disassembler for the SH... doeas any one know a good disassembler that supports SH?

Edit, Edit : It is strange, my hotmail account has still plenty of space and it is active... I don't know why it didn't work...oh well, I think that Msn is affiliated with microsoft...

[2072]

hehe it reminds me when we were reversing the AFX more than 6 years ago.... Good work

[kucalc]

LordNPS, did you get my email?

While I was looking at the ROM, found some interesting stuff:

* There's functions for inputing a date, time and year. Is there a real time clock in the fx-9860?
* There's even a secret testing menu (can't figure out the combination to keys thought, if there is a combo...) like in the old FX and CFX

1. PATTERN 4. VERSION
2. FUNC 5. SERVICE
3. TEST 6. CONTRAST

* Some remnants of SD functions even in the non SD update. Could clean that up...

[LordNPS]

Well I did get your e-mail, and replyied.

So, hidden menu eh? well just what key combination would it be?
It shoud be something sounding involving the main buttons of the calc.
About the timing a date thing, it would be nice, however I think If casio had the oprtunity, they would have incorporated all they could into their machine right? They would noy spare the chance to get back at Ti , who happens to have timing and date in their calcs...

I really don't know what to think, I am going to conduct my own exams to the processor, as I said, I think it is the same as class pads, which I happen to have the processor manual... If you want I'll e-mail it to you.

Edit: From the processor manual to, in the appendix there is something about the data file structure, and the OS update uses that data structure... for example 8 characters file names in the headers... : CASIOABC and programs and list names may only contain 8 characters of name...

[kucalc]

Yes, LordNPS I got your reply. You were asking how am I able to download a new OS into the fx-9860. While I was extracting stuff out of the OS Update program, there was a special OSupdate program which downloads the binary file for you. If I were to manipulate the ROM and save it in the same name as the updated binary, I could run that program and it would download the new ROM into the calc for you.

Disassembly works with instruction sets of SH3, SH4 and higher. (Guess it's not using SH1 or SH2). My friend gave me his copy of IDA Pro Advanced. But I'm overwhelmed by the vast amount of assembly routines in the ROM. I'm trying to look for an SH Emulator, so I could see my experimentations with the ROM. If you could email me the User Manual for the ClassPad CPU, that would be helpful, as I don't really understand much of this CPU archeticture.

[2072]

About the timing a date thing, it would be nice, however I think If casio had the oprtunity, they would have incorporated all they could into their machine right? They would noy spare the chance to get back at Ti , who happens to have timing and date in their calcs...

Well the AFX have an RTC clock but we had to discover it and create program to set and read the date... Casio never made any clock program.

[kucalc]

LordNPS, I made a reply to your last email. Did you get it? What I really want to know is how add-ins work in the fx-9860. I'm trying to look in the ROM for functions that do these stuff.

[kucalc]

LordNPS, I sent you another email. This time I sent you an assembly listing of what I have been able to get done. Unfortuntely the listing is not really good, if I could just have a faster computer to get things done..... Could have had more time for the computer to re-analyze..... Check your gmail account and please take a look at it. Still trying to learn the SuperH archeticture. Right now I'm trying to work on a fx-9860 emulator to make it so we can emulate modified ROMs.

[LordNPS]

Nice to hear that:)
I haven't checkked my e-mail yet, but I will shortly.

Are you trying to modify the emulator for supporting add ins? Wow, thats big...
I don't know how does de emulator works, but I guess it would be quite hard to do that? How exactly do you sugest? My guess is that the emulator, does not emulate the SuperH architecture and then uses the rom, but emulates the Rom itself, making add-ins impossible...

I haven't done much resarch yet. As soon as I get the time, I will dedify myself more to that.
When school start again, I'll have a bunch of programming teachers, who might help me with this thing.

[kucalc]

Errrr.... I don't know why Casio did this.....

The total flash memory is 4MB. The ROM file is currently at 2.5MB. That leaves you with only 1.5MB flash memory as the ad says. Although, you actually could have more flash memory. They put in a whole bunch of junk code (or should I say blank code), to make the ROM size as close as 2.5MB so you would only have 1.5MB left. Oh well, I have never used up all the 1.5MB storage... I believe, you can easily free up another 500kb of flash so you can have 2MB. I also don't understand why they allocate 64Kb for the user, and leave 448kb for the OS to do whatever it wants. It doesn't even need all the 448kb.... Why aren't they making their calculators the best it could be?

Perhaps they did it to make it look more friendly for students and little kids. I wonder how Casio would react (they would probably be very angry or such...), if we were to release our own OS updates....

Anyway, I really need a high-res picture of the fx-9860 PCB. I don't have the correct screwdriver type for opening mine up. If anyone could send me this, I would really appreciate it.

[LordNPS]

Well, I have been working on the Emulator, now that I have IDA, it is quite easy ( honestly that program is tottaly awsome) , so, my computer has finnished analysis, and the output is quite good , at has plenty of C level functions, and has identified most of the string adresses, in a way that the code is tottaly readble, as it xrefs everything correctly, so instead of you reading :
db ink2405F23

you read

db 'Error Memory Full'

Now, about the not beign emulating the processor but the OS it was as I thought.
Everything, ore most is X86, and there is no Data file with the OS in the emulator, I've run a Diff and there isn't. Anything considerable.

Another thing, for disassembling the OS, what settings did you use for memory and Rom?

Now about us releasing a software update ourselves, that would be great, and if it pissed off Casio, even better.

And another thing:

About Casio doing this, it is quite simple and logical.
The reason why casio purposfully diminuishes the quality of the 9860 is because in the ads, it must look as if it is slighly better, because they have other calc to sell.
If you were casio and you were stuck with 300 000 CFXs what would you do?
You would jump throw a calculator worlds apart from you own? leaving every other in the shelf?
No, you would improve it a little and raise the price, making it as a better alternetive to the CFX, else no one would buy them anymore.

So in order for things not getting out of control, they Clock the processor at 40 Mhz even though it could sustain 160 or so, they fill their memory chips with plenty of junk data, and assign to the system 9/10 ths of the RAM.
If you really think about it, it makes sense. If it doesn't drink a few of beers and it will.

[kucalc]

I guess I could understand why Casio did this. Although it would be nice to have the calc to be clocked at 80MHz or even faster, have 500kb of user RAM and 2.0MB flash memory.... I could probably fix that and release my own OS update. Although I think they clocked it at 40Mhz to mantain power consumption.

For IDA Pro, I let it detect ROM and memory settings. Have you figured out how add-ins work. Don'y have much time for this now, since I'm going back to school... Maybe on the weekends....

[LordNPS]

God damn bloody shcool. Return to school day is coming to us at an amazing speed , mine luckily start only in about 2 weeks...lucky me
I have to spend well these last summer days...while I still can, (by spending them well I mean, not spending them looking at the sutpid ASM code of the 9860's OS), you should do the same, miss classes or something.
But about that add-in thing... well just say something, what do you know for instanance.

[kucalc]

LordNPS, would you try disassembling the add-ins? I think they are hybrids. By this I mean, there is a format for a header so the OS can identify it, but then the rest could be executed SuperH machine instructions. I think add-ins could also call functions from the OS rom. That's probably why the emulator cannot support add-ins -> It doesn't emulate the SuperH environment! The emulator (well, it's not really entirely an emulator, it's a complete x86 program not a single bit of SuperH...) could do other stuff like E-activities becuase it interprets the e-activity file which doesn't call SuperH functions. So I think in order to make your own add-ins you have to have a good understanding of how the fx-9860 hardware works. Which is why I'm asking for a high res pics of a the fx-9860's PCB.

I'm not sure if my theory is correct however. Someone else will have to check this, because high school is hogging up my time, with my college level AP courses, honors, engineering and drafting leads to so much homework.... Teachers are trying to pressure me to get an TI-83+, when my Casio fx-9860 is so much better! Teachers have heard of Casio, but they don't feel like (or are lazy) learning how to use them. Casio could benefit schools, with cheaper yet better technology than TI's (If only teachers would know more about this program). Take a look at it yourself: http://www.casioeduc...om/testimonials

Me and my friends are also trying to set up a channel for Casio calculators, which could provide some sort of instant messenging so people could ask questions, get answers instantly and talk about other developments: http://www.casiocalc...?showtopic=2877. You have to log on to see the topic though....

[LordNPS]

Yes I will try reverse engineer add-ins.
Now that I have the tools...Why won't you open your calculator, and look in yourself (you only need a small goldsmith screwdriver(I don't really know if that's the correct translation from portuguese "chave inglesa de relojoeiro"), you can find a set of these at any common tool shop or chinese bazar...)?
I E-mailed you yesterday about that, I don't have any hi res pics of the PCB ( printed circuit board I guess...) howevere if I right recall, CFX Master had some he sent to Huhn...
Perhaps if he still has them, he can send them to you.

About the Add-ins, I think that the header is no mistery... I'll try swap a couple of thinhgs just to see what happens... i just hope it does not mess up with my calc...
You said you were able to change some strings without problem right?
I think we once concluded it was interpreted code, for the size is rather smaller than a asm program for AFX...
I don't know what to think... perhaps the OS has a set of functions that make things simpler... best thing we could hope for, a full size programming environment. I highly doutbt that, but I'll try to use my limited reverse engineering skills into solving the g1a.

[kucalc]

Yep, a PCB is short for Printed Circuit Board.

Anyway, I think add-ins are hybrids. I think they make external calls to functions in the OS, such as for displaying text, gathering user input, manage use of data, etc. Anyway, I'll try figuring it out on the weekend. I have started forming a list of structures on how the format header in add-ins works. Maybe when I have the time to organize my things, I'll post it....

[kucalc]

Well, that sucks.......

Oh well, I'll just have to go to Home Depot, and buy the correct type of screwdriver to open up my calc. By the way, I got Microsoft Visual Studio which contains the SHASM assembler. Now I can reassemble my own binaries of the OS ROM. The problem is though, SHASM gives out an output of an object format (COFF). Does anyone know a converter that converts COFF to BIN? Non-official OS updates will be released soon once I figure this out.

[huhn_m]

You can convert object files using this tool:

http://www.gnu.org/s...binutils_3.html

objcopy (GNU Binary Utilties)

[kucalc]

Ok thanks, huhn_m, I'll take a look into that.

[kucalc]

LordNPS, you haven't been active for weeks (I think...). Let's re-activate this project. Been so busy with school that I could do only quick posts, but now I have been able to find some time.

Also I'm recruiting people who want to help develop the SDK. LordNPS and I can't only do it by ourselves. If anyone is good with electronics, assembly or SuperH architecture, post here or PM me and I'll show you what we have figured out so far...

[alias4399]

Sorry, I don't know too much about electronics, but im glad to see that your bringing this topic back to life! I was beginning to get worried, especially after you had seemed to be so close ...