136 replies to this topic

[huhn_m]

I'm good at assembley (and could learn the SH architecture I think) and willing to help. I also found a calc for 70? but thats still too much I'm a student and can't afford this.
So either the prices drop further to ~ 50? (for a used one!!) or I habe
to get second at the contest.

I would really much like to help.

[LordNPS]

Yes, Indeed I haven't been around much lately, so have you guys. Well we have school now, and the fisrt 2 weeks are unforgiving...
Well I ceirtanly agree that we need to reactivate the topic.
Hey, huhn, you could still help us out even thought you don't have an 9860, We have the OS .bin, an SH3 decompiler, programming manuals, and some sites like RENESAS or Hitachi regarding Super H architecture.

In the OS.bin file there is a refernce to renesas 73****** in a string somewhere, If you look up it is a major eletronics manufacturer and they do have Super H processors.
I've looked up in the european site and I could find anything with that exact reference but there were some very close to that.
Kucalc, perhaps we would do best in making availble for anyone who would like to contribute the OSupdate.bin and the ExeUpdate.bin... and the Hitachi manuals perhaps...

I'm going to spend some time on it from now on...
As I said the first 2 weeks of school are unforgiving. Sorry for my absence.

[kucalc]

Huhn_m, I'm going to email you a link where you could download the ROM, so you could help us out.

As for releasing to ROM to everyone, I don't know if Casio would like that.

Anyway, it's glad to see you're back LordNPS! School takes up so much time, I could achieve great things if given more time...

[LordNPS]

Perhaps the IRC would be of service now, and about releasing the OS to everyone, I mean everyone that wants it , Why woudl casio care?? after all, we all bought CASIO calculators, Casio should be ashamed for the lack of support they provide to developers...
Casio wouldn't need to know if were to host the file somewhere...


I'll take a look at that IRC channel...

[huhn_m]

The reverse assembled file might be useless. I looked at it and figured it contained some kind of disk images (Look for DOS with the hex editor). So it is no actual binary but an image.

We first need to find a binary that gets executed. This could then be dissassembled.

Anyhow, I can't be here for the next week unless i (finally) get DSL at my
home in Dresden (Screw freenet *grumble*) - I'll try my best till then.

Have fun and keep it up!

[kucalc]

The disassembly listing I sent you was just a demo I did of the binary the first time I used IDA Pro. If you want to see how the BIN files are used in downloading the ROM, you could disassemble the OSupdate.exe and probably figure it out.

I was able to reassemble the listings outputed from IDA Pro and was able to make an exact duplicate of the OS. However, the SHASM from Microsoft, adds in this COFF data junk which I have to strip off... It's really annoying....

Well anyway, see you later and have a safe trip to Dresden. If you have a phone line at your home, I've heard of companies that give free dial-up. However, I'm not sure if it's available in your area....

[Manuel Naranjo]

Hi everyone.
I just bought my first Casio Graphic Calc!!! I finally bought a fx-9860SD. It is amazing, it's very fast in deed. I didn't thought it was going to be this fast
But... I WANT to programm this thing to make it a bit better. And I don't mean making some simple Basic Scripts. I want some POWER. Let me know how can I help, I have the package that Kucalc sended me.
I have made a <{GNULINUX}> Module in the past, so I will see if I can make a Module for this calc... I HATE WINDOWS.
What about using Gnu Tools instead of DIA? Doesn't GNU have support for the HS processor?
Cheers,
Manu

[kucalc]

Congrats on your purchase of the fx-9860 Manuel Naranjo! If you think the current speed of your fx-9860 is fast (40MHz), the CPU could go even incredibly much more faster (100MHz and up)!

There are tools for the SH on <{GNULINUX}>: http://www.sh-linux.org/

Although I don't really know if there is an disassembler for SH on <{GNULINUX}>... Maybe if you could use WINE for <{GNULINUX}>... Also have you read the programming manuals I sent you? The CPU in the fx-9860 is SH3.

I looked at it and figured it contained some kind of disk images (Look for DOS with the hex editor). So it is no actual binary but an image.

You find DOS in the ROM, I believe because it's needed to support FAT12 file system for SD card support. It reads MSDOS5.0 because of the partition structure header needed for FAT12 compatibility.

[Manuel Naranjo]

Congrats on your purchase of the fx-9860 Manuel Naranjo! If you think the current speed of your fx-9860 is fast (40MHz), the CPU could go even incredibly much more faster (100MHz and up)!

Great!!

There are tools for the SH on <{GNULINUX}>: http://www.sh-linux.org/

I will check that out.

Although I don't really know if there is an disassembler for SH on <{GNULINUX}>... Maybe if you could use WINE for <{GNULINUX}>... Also have you read the programming manuals I sent you? The CPU in the fx-9860 is SH3.

I can use Wine, is just that I don't like to use DIA. About the manual sorry I couldn't even start to read it.

[Manuel Naranjo]

I have a question... Wouldn't it be better to decompile one of the AddIn packages first, so we can generate an small SDK, or there is any reason why this can't work.

[kucalc]

LordNPS, would you try disassembling the add-ins? I think they are hybrids. By this I mean, there is a format for a header so the OS can identify it, but then the rest could be executed SuperH machine instructions. I think add-ins could also call functions from the OS rom. That's probably why the emulator cannot support add-ins -> It doesn't emulate the SuperH environment! The emulator (well, it's not really entirely an emulator, it's a complete x86 program not a single bit of SuperH...) could do other stuff like E-activities becuase it interprets the e-activity file which doesn't call SuperH functions. So I think in order to make your own add-ins you have to have a good understanding of how the fx-9860 hardware works. Which is why I'm asking for a high res pics of a the fx-9860's PCB.

I already thought of doing this a while ago. I've been disassembling add-ins for a while now...

[Manuel Naranjo]

Sorry didn't knew of this, did you get any result from doing this?

BTW I have emailed Casio, and they told me they were going to release an SDK, but they don't know when, and they either know if someone is working on that... I hate emailing with customer support, and not directly to the people in charge of the design.

Cheers,

[kucalc]

I emailed them also a while before (before this thread was even started) and they gave me some weird reply telling me to look up "Casio gas". I think he made a typo and meant "games".

Anyway, you should try disassembling the add-ins yourself if you want. The add-ins header structure shouldn't be too hard to figure out. I think I've almost got it figured out. It also looks like add-ins use SH instructions. But then, I could be wrong. I need other people to check this out.

[Manuel Naranjo]

I emailed them also a while before (before this thread was even started) and they gave me some weird reply telling me to look up "Casio gas". I think he made a typo and meant "games".

I
Is strange, because GAS is the same name that Gnu Assembler has... Strange

Anyway, you should try disassembling the add-ins yourself if you want. The add-ins header structure shouldn't be too hard to figure out. I think I've almost got it figured out. It also looks like add-ins use SH instructions. But then, I could be wrong. I need other people to check this out.

Ok I will give it a try, but I can say when
Cheers

[LordNPS]

Someone once mentioned the thought that those .bin's we have could be an image rather than pure SH code...
Bearing that in mind, perhaps we should consider caturing an USB transmition to the calc... that shouldn't be too hard on a <{GNULINUX}> system... , on windows I just don't see a way, whithout building apps for the purpose:(

Regarding the disassembly of the add-ins, well we have to decide where do we stand : Is the .g1a script for an OS interpreter, or is it pure code ?

By the size of the add-ins compared to their .exe equivalents, I would risk the script( and the idea of having an already implemented scripting language is nice is nice as well ) Compare the physium.exe for the AFX (90 kb) against physium.g1a (30 kb) of course it could be explained as the Fx9860's OS having more librarys / system functions that the AFX didn't so would have to be in the add in code itself .

It's up to you to decide, however it the add-ins were mostly code just with an header for the OS to place in the menu, our reverse assembly's would return much more code that they do.
oh and by the way, I haven't had a look yet at those "new" manuals you found , could you please e-mail them to me (LordNPS at gmail.com) ?

Nice to see you here manuel

[kucalc]

LordNPS, I'm sending you the manual to you right now....

Someone once mentioned the thought that those .bin's we have could be an image rather than pure SH code...
Bearing that in mind, perhaps we should consider caturing an USB transmition to the calc... that shouldn't be too hard on a <{GNULINUX}> system... , on windows I just don't see a way, whithout building apps for the purpose:(

huhn_m said that, and I believe he is mistaken, but then I could be wrong... If that were to be true though, you wouldn't need a USB capturing program. You would just disassemble the OSupdate.exe program which should tell you how it reads the BIN files and downloads them into you calculator.

Anyway, maybe it is more important to look at a add-in than the OS itself, so we can develop our own add-ins....

[LordNPS]

Perhaps, however I must say that for us to unleash the full capabilities of the add-ins we are bound to know the os Very well... of course Casio isn't beign our best friend in this matter nonetheless, work goes on...

About school, I discussed to a teacher of mine who happens to be an eletronics engineer as yourself, he said he would take a look at what we got once he gets some free time, he happens to be real good, as he's head of the digital eletronics department (read microchips), which is not my area (I'm in informatics), he said that they have a Virtual Machine tester, with which he can simulate most processing architectures and machines... something really expensive by the sound of it... you can add modules to it, to reproduce acuratly a Cell phone or any complex eletronic device.
I'm getting hopefull about that, however he said it would be nasty with a calculator, as he had no experience in that....

that was 3 days ago, I haven't talked to him ever since...

[kucalc]

Glad to know that there are other electronics engineers (more specifically, I'm a electronics embedded design engineer)! Anyway, I don't think there is a Virtual Machine that exists for the SH.

Did you get my email yet?

[LordNPS]

Yes I got your e-mail, I haven't had time yet, today is CS day dor me just some brief pauses which I use for basic needs (such as coke).

Nice, mr.embedded Design eletronics Engineer, (written like that makes it sound inportant ) so, there is an emulator for SH3 which I have already seen it's an E6000 or something, not really sure... it's not that one though, its a fully functional modular device emulator ( expensive ) it's something I wouldn't dare touching, it has an hardware part and some software emulation too...
I'm not really sure if it supports SH3, I'll know monday...

[huhn_m]

Well, thanks to a verry verry kind donator I got an 9860 now. I already started disassembling.

I think this is a OS image since it contains the language files. I don't think that they are compiled in the programs but that they rather are extra files. Also the many 0xFFFFh bytes indicate that this is flash memory and that the whole image of the memory (just like a disc image) is published (just like the CFX files were).

I got some more results and already developed some programs. I will publish some more information during the next 2 days.

Huhn_m

[Manuel Naranjo]

Well, thanks to a verry verry kind donator I got an 9860 now. I already started disassembling.

GREAT!!! Good for you

I think this is a OS image since it contains the language files. I don't think that they are compiled in the programs but that they rather are extra files. Also the many 0xFFFFh bytes indicate that this is flash memory and that the whole image of the memory (just like a disc image) is published (just like the CFX files were).

Mhh... Great deduction. I will see if I can give you a hand on this then.

I got some more results and already developed some programs. I will publish some more information during the next 2 days.

Let me know if you need a hand. I can do Java and C/C++ programming.

Cheers,
Manuel

[LordNPS]

Lol ... Huhn gets a calc, and in the next 2 days he's got things working
Comparing to our 6 months so far without sounding results ... (actually today is the 1/2 aniversary of this topic 6/4/2006 ----6/10/2006 )

I think I speak for us all when I say we are looking forward to your next post Huhn.

[Manuel Naranjo]

I think I speak for us all when I say we are looking forward to your next post Huhn

I totally agree.

I will ask something that noone has asked before, suppose that we can make a SDK sometime in the future, can we relase it as GPL? Or there is anything Ilegal arround our work, besides doing reverse engeniering.

[kucalc]

Well, thanks to a verry verry kind donator I got an 9860 now. I already started disassembling.

I think this is a OS image since it contains the language files. I don't think that they are compiled in the programs but that they rather are extra files. Also the many 0xFFFFh bytes indicate that this is flash memory and that the whole image of the memory (just like a disc image) is published (just like the CFX files were).

I got some more results and already developed some programs. I will publish some more information during the next 2 days.

Huhn_m

That sound like good news. Are you using the BIN files that I extracted? Or did you get them yourself? If you've got a better disassembly listing, could you please email me...

[alias4399]

Well, thanks to a verry verry kind donator I got an 9860 now. I already started disassembling.

Congratulations huhn_m! And thanks again to the donator!
Keep us posted, won't ya?

[huhn_m]

File HEadders:

Headder: 

0000:	14 Bytes	0xAAAC 0xBDAF 0x9088 0x9A8D 0x0CFF 0xEFFF 0xEFFF	- Actuall Headder
000E:	07 Bytes	?		-	Copy Protection
0015:	11 Bytes	0x00h		-	Filler (?)
0020:	01 Bytes	@ (0x40h)	-	Indicates beginning of Name
0021:	10 Bytes	*		-	Name (needs to be equal to file name without the .g1a)
002B:	01 Bytes	0x01h		- 	?
002C:	04 Bytes	0x00h		-	Filler (?)
0030:	10 Bytes	??.??.????	-	Version
003A:	02 Bytes	0x00h		-	Filler (?)
003C:	14 Bytes	????.????.????	-	Date (YYYY.MMDD.????)
004A:	02 Bytes	0x00h		-	Filler (?)
004C:	68 Bytes	*		-	Bitmap
0090:	36 Bytes	*		-	Name
00B4:	44 Bytes	*		-	Small Bitmap
00E0:   244Bytes	0x00h		-	Free Space in Headder
01D4:	28 Bytes	*		-	Name
01F0:	04 Bytes	Filesize (Total)-	Filesize
01F4:	12 Bytes	0x00h		-	Filler (?)

OK. Nearly everything but the 1 is figured out. THe main problem is the "copy protection". I can't figure out these 7 bytes, but the are some kind of checksum for the headder. If they are changed (or bytes in the header are changed) then the FA-124 displays COPY PROTECTION error.

I'll keep testing.

The OS has a "backup" system that allows you to retransfer the OS if it is errornous. HOWEVER, the backup system seems to be contained in the OS image as well. So if you transfer an completely corrupt OS image (filled with 0FFh) I don't know what will happen. Maybe you'll unrecoverably damage the calc (I wont try that )

More INFO and the g1a analyzer to come ...

[huhn_m]

Updates:

The "copy protection" checks the first 32 bytes, so it seems to be some kind of "Checksum" .

However. Probably the FA-124 is badly coded (again) and so we can circumvent this protection by just changing the files first few bytes.

Just change the first AA to AC and the Copy Protection Bytes are ignored.

Strange isn't it?

The g1a files do not contain any other type of checksum as I see it.

*edit*

G1A Viewer is now available: Download here: dead link

G1A Modder will be made available soon. Also the OS analyzer and the OS Logo changer will be published in the folowing work as soon as I figure out the OS checksum.

[LordNPS]

I am stuned

Could you perhaps post the source of your little app?, if it wouldn't be asking too much of course .

oh, and by the way have you been sucessfull in having something running in your calc so far? (like a NOP program just for a test )

[kucalc]

That's some impressive work you've got there huhn_m!

I do have this question though: Was my assumption of the ability to allocate more flash memory correct? Also more user RAM?

[huhn_m]

LordNPS:

I'll publish the code tomorrow. All code released is under GPL and all documentation is released under Creative Commons.
NOP Program: I'm currently trying to disassemble the g1a format and wrote some little tools for this. As soon as this is finished I'll try injecting code.

As for kucalc:

Hardware: I am not so far. Also I don't know if I'll find this out in the near future.

[Manuel Naranjo]

I'll publish the code tomorrow. All code released is under GPL and all documentation is released under Creative Commons.

What about creating a project at SourceForge (or any other site) to host it?

[huhn_m]

hm ... I don't like sourceforge so much.

Just take the sources, modify them if you like and if you have suggestions you may also tell them to me.

Sources: dead link

[Manuel Naranjo]

hm ... I don't like sourceforge so much.

Ok, don't worry. I was just sugesting that site, so that the code has a place to live.
I will check this source, and see if I can be of any help
Cheers

[huhn_m]

Just that you do not think I'm sleeping:

I continued examining the g1a format. There are several forms. One where the strings are stored in "Language" segements (this is supposedly the default for files > 32KB) and the one used in PHYSIUM.

I wrote an analyzer / disassembler for the G1A format that is capable of analyzing pointers, bitmaps and strings in the g1a files. If those are eliminated the rest should be easier to analyze.

I will publish the G1A-Dism tomorrow together with an example file.

Please be a little more patient, but I think we are not too far from cracking the file format. Any further help is verry much appreciated! (information on the pointer format for the segmented files is not yet discovered e.g., so if you have time on your hands go ahead!)

[kucalc]

Hmmm, that sounds good. Maybe I could help out if I have spare time. I'll have to wait for the G1A dism....

[huhn_m]

sorry, delayed till tomorrow.

Got some "social connections" to make tonight (e.g. visit the students club ) and had to put together a table over the day ...

Tomorrow i'll publish it. promised. (only the demo file is missing. the app is already finished, at least the features that are in there)

[huhn_m]

There it is. Included is a g1x file for physium. References are currently only working with physium, since it is the only small (e.g. unsegmented) file.

Please place G1A-Dis.exe physium.g1x and physium.g1a (not included) in the same directory before loading physium.g1a.

The usage of the program should be pretty intuitive. Maybe I'll write a doc when it becomes more complex.

*edit*

OOps.... forgot the url
dead link

[huhn_m]

I'll do this over the weekend, but no guarantee.

[huhn_m]

no. not just yet... I'm stilly analyzing. I need to find out what the jump commands are and how they are used. I found all the jumps and where they belong to, but altering the jumps (so that one menu entry jumps to another menu) is crashing programs. I'm not sure if this will lead us to the goal.

Maybe we need to reverse engineer the OS and then execute real machine code (still asuming that this is no machine code in the add ins what is verry probable).

This however would need another OS update. Before this I can not really find out things.

[kucalc]

OK, I'm back. I've just recently just finished reading a book on assembly and architecture. I sat down and took a look again at the add-ins.

At 0x0200h in the add-ins contain 0x4F22h which designates where the code segment starts. I wrote a utility that strips the header and outputs the pure code. I am now currently looking further into this.