Jump to content



Photo
* * * * * 6 votes

FX-82/-83GT/-115/-991ES PLUS Hacking


  • Please log in to reply
515 replies to this topic

#481 variyak

variyak

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male
  • Interests:C++, mathematical physics, and Minecraft

  • Calculators:
    fx-991ES plus

Posted 28 January 2021 - 05:18 AM

Welp oof



#482 itay2805

itay2805

    Newbie

  • Members
  • Pip
  • 4 posts

  • Calculators:
    fx-991ES PLUS

Posted 01 April 2021 - 06:51 AM

I just found about this couple of days ago and decided to start looking into this as well, currently I am just figuring everything and documenting it for myself because the information is scattered all over the place and is not really friendly to new comers....

#483 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 02 April 2021 - 11:48 AM

Can't be helped. Documentation is not easy.

 

At least (I think) the wiki is editable by everyone.

 

... (the wiki is HTTP-only?)


Edited by anon34, 02 April 2021 - 12:00 PM.


#484 itay2805

itay2805

    Newbie

  • Members
  • Pip
  • 4 posts

  • Calculators:
    fx-991ES PLUS

Posted 02 April 2021 - 02:25 PM

Yeah this topic is quite a complex one, this is the documentation I have so far

 

I am probably rewriting and rediscovering alot of things but I think it is pretty important if I want to create proper in-depth documentation about it.

 

I am using github just because I find it nicer and more accessible to have the code and documentation under the same project.

 

Of course if you find anything wrong in my explanations I will be happy to fix it and expand it :)



#485 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 02 April 2021 - 04:03 PM

Correction: it's possible to type any non-null character with the "unstable character" (2 last bytes of the random seed).

 

It's hard and time-consuming, but still better than impossible.

 

The loader can "run" ROP programs larger than 100 bytes (and with null bytes) (although null won't work with strcpy (for stack restore for example),  memcpy can still be used)

 

About the getkeycode thing, it's also possible to simply add two getkeycode value together (I think it's used in the previous loader. It is sufficient to represent all byte values; however it's not easy to derive the two keys to press manually)

 

It might be required if the more complex solution cannot fit in 100 bytes.


Edited by anon34, 02 April 2021 - 04:08 PM.


#486 itay2805

itay2805

    Newbie

  • Members
  • Pip
  • 4 posts

  • Calculators:
    fx-991ES PLUS

Posted 02 April 2021 - 04:10 PM

yeah, I should add about the unstable char/counter thing. And yeah given the loader can input any character it is just waste of time to use it.



#487 variyak

variyak

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male
  • Interests:C++, mathematical physics, and Minecraft

  • Calculators:
    fx-991ES plus

Posted 05 April 2021 - 07:07 PM

Oh, cool. Hope some more work is done on this. This is my first time seeing a project like this but I was disappointed that there wasn't enough material I could read up on, but thanks for the docs, they seem pretty informative.



#488 itay2805

itay2805

    Newbie

  • Members
  • Pip
  • 4 posts

  • Calculators:
    fx-991ES PLUS

Posted 05 April 2021 - 10:49 PM

If you have any questions or things you think should be added to the docs feel free to ask :)

I will probably continue working on it more this weekend.

#489 EnderFire09

EnderFire09

    Newbie

  • Members
  • Pip
  • 23 posts
  • Gender:Male

  • Calculators:
    Casio fx-991ES PLUS Version F
    Casio fx-82AU PLUS II Version A
    Casio fx-5800P

Posted 07 May 2021 - 12:03 PM

I have decided to set up a discord server for hacking casio calculators in hopes for making it more popular again.

 

Here is the invite: https://discord.gg/QjGpH6rSQQ



#490 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 07 May 2021 - 03:11 PM

That isn't really the problem, is it?...

Rather, it's just that nobody have anything to say/do.

The Chinese forum is (or not? I didn't actually check) still somewhat active.


Edited by anon34, 07 May 2021 - 03:13 PM.


#491 variyak

variyak

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male
  • Interests:C++, mathematical physics, and Minecraft

  • Calculators:
    fx-991ES plus

Posted 28 September 2021 - 10:18 PM

Which is the Chinese forum?



#492 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 29 September 2021 - 02:49 AM

 

Which is the Chinese forum?

 

http://tieba.baidu.c.../f?kw=fx-es(ms)

#493 Hlib2

Hlib2

    Casio Freak

  • Members
  • PipPipPipPip
  • 142 posts
  • Gender:Male
  • Location:Ukraine
  • Interests:industrial electronics,
    graphing calculators

  • Calculators:
    fx-9860GII-2
    graph-100+
    fx-991DE_X
    ti-89_Titanium
    ti-voyage200
    ti-84+SE

Posted 01 October 2021 - 03:46 PM

Well, which problem you are solving can be used in practical calculations. If I don`t have enough functions in the calculator, then I usually load the libraries built into the OS aka in hp-50g or in ti-83+. :-)

#494 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 03 October 2021 - 04:23 AM

Well, which problem you are solving can be used in practical calculations. If I don`t have enough functions in the calculator, then I usually load the libraries built into the OS aka in hp-50g or in ti-83+. :-)

I don't think it's practical at all -- although in theory you could do something useful with sufficient effort, as long as it fits in the memory.
  • Hlib2 likes this

#495 kspatlas

kspatlas

    Newbie

  • Members
  • Pip
  • 2 posts

  • Calculators:
    fx-83gt PLUS

Posted 05 May 2022 - 10:27 AM

Hello, I have an old fx-83gt PLUS lying around, any hackstrings I can use for that?

#496 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 06 May 2022 - 12:19 PM

Not much is known. Most things are discovered by the people (students?) in the Chinese forum, and 83gt is unpopular there. If you understand the low-level reverse-engineering things you can try to discover/"brute force" things yourself however.
 
--------
 
(by the way I realize that information on the fx-es(ms) forum is scattered over time...
 
fx-es(ms) post collection: https://tieba.baidu.com/p/3395822027 -- this was originally a "pinned" post, but through some Baidu mass post deletion or something a few years ago it got deleted/unpinned. For accessing second page etc. append "?pn=2" to the URL
 
Backup version of posts for that deletion: https://fxesms1.github.io/ -- looks like that by now most posts are restored so this is useless. Access particular page by going to "<main URL>/f/#<post id>".
 
)

Edited by anon34, 06 May 2022 - 12:36 PM.


#497 kspatlas

kspatlas

    Newbie

  • Members
  • Pip
  • 2 posts

  • Calculators:
    fx-83gt PLUS

Posted 06 May 2022 - 12:42 PM

Should I just try converting assembly instructions to codepage characters?

#498 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 06 May 2022 - 02:19 PM

Doesn't sound feasible, current methods use ROP instead of assembly (there's no known way to execute custom assembly in the calculator.)

Try learning if you want, but I won't be of too much help.



#499 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 01 August 2022 - 09:38 PM

https://tieba.baidu...._tag=0146836969

Post "Timing mode" (if translated via Google). I can't understand the first step. Can anyone explain?

 

PS, I managed to do this on a 991ES Plus, but not on a 82ES Plus. The problem is in the input mode: on a 82ES Plus the basic overflow forces the Math mode, but to input roots and powers infinitely we need Line mode.


Edited by siealex, 05 August 2022 - 12:13 AM.


#500 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 05 August 2022 - 01:21 AM

I don't have a 82 myself but let me see.

I guess something went wrong with Baidu's censorship and some posts remain deleted.

(back in 2017 or so there was a mass post deletion, nowadays most but not all are restored. There's an archive uploaded somewhere, or online version at https://fxesms1.github.io. Use https://web.archive.org/ for the rest)


I reproduce 6F here. Regarding how to enter "N-point mode".

抱怨一句:百度回复文本框会自动把剪贴板中的换行、回车符和谐掉,所以可能发得比较慢……
4.乱点模式
发现人:Wuydfz
方法:1.进入基本溢出模式
2.32个[分数线]
3.[8][8][8][SHIFT][Ans][3],重复26次
4.[AC][右]
5.如果出现的字符中前4个是8g88,进入下一步,否则回到第1步重来
6.[=],重复n次,n即对应n次乱点模式(如n=15即991+中的15乱点模式)
7.[AC]
现象:与991+乱点模式现象基本一致
----
4. Chaos Mode
Discover: wuydfz
Method: 1. Enter the basic overflow mode
2.32 [score line]
3. [8] [8] [8] [shift] [aNS] [3], repeat 26 times
4. [AC] [Right]
5. If the first four of the characters appear are 8G88, enter the next step, otherwise return to the first step to come back
6. [=], repeat N times, n is the corresponding n -messy mode (such as n = 15 is the 15 chaos in 991+)
7. [AC]
Phenomenon: Basically consistent with the 991+ chaos mode phenomenon

Edited by anon34, 05 August 2022 - 01:22 AM.

  • siealex likes this

#501 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 05 August 2022 - 09:06 AM

YES!!! It works!



#502 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 05 August 2022 - 06:08 PM

Today I've found a 570VN Plus on our local auction. Are there any known hacks for it?



#503 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 06 August 2022 - 05:53 AM

Not sure.

Basic overflow obviously works (as well as stat-submode-0 mode and reset-all 68 mode), but to do anything else you need to know the function addresses and the current best way for that is brute force.

There's the emulator, which should help a bit in terms of finding addresses.

Edited by anon34, 06 August 2022 - 06:00 AM.


#504 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 06 August 2022 - 12:32 PM

Are their any "r" related hacks for it?



#505 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 06 August 2022 - 03:52 PM

no idea. (as mentioned above you can get a "r" in linear mode with the "unstable character", or a "r" in stat-0 mode, but the problem is what to do with it for "interesting" result)

#506 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 08 August 2022 - 10:55 AM

Are there any owners of FX-115ES PLUS here? Is it identical (in software) to FX-570VN PLUS or not? What model and version does it report in the diag mode?



#507 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 08 August 2022 - 06:19 PM

Identical, obviously not. For one 115 has VERIF mode while 570VN has RATIO mode. the other one you can probably find online somewhere.
  • siealex likes this

#508 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 10 August 2022 - 08:29 PM

Major discovery on 83GT Plus!

(A year ago on Discord, but unnoticed here...)

 

 

Hi, I have an FX-83GT plus and have found a deterministic way to enter mode 68, allowing for easy access to basic overflow - Enter stat submode 0 (You can check the wiki if you don't know how to do it
- Enter 183 [x^2] [x hat]
- Press [=]
- Press [ON] to unfreeze the calculator
- You're now in mode 68 and can achieve basic overflow, allowing hackstrings to be entered

Edited by siealex, 10 August 2022 - 08:30 PM.


#509 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 10 August 2022 - 08:53 PM

136 [x^2] [x hat] [=] entered TWICE in a row = Complete! Press AC/on key.

PS, it works not always, possibly after other similar strings, e. g. 135 x^2 x-hat.


Edited by siealex, 10 August 2022 - 08:55 PM.


#510 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 10 August 2022 - 11:02 PM

Another discovery (83GT Plus/85GT Plus). In the strings "three or four numbers, x^2, x-hat" only the SECOND and the THIRD numbers are relevant, the first one is usually not. Also x^2 can be replaced by x^3 in most cases. 



#511 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 28 August 2022 - 09:34 PM

Any hacks for FX-300ES Plus (LY726X Ver. A)?



#512 siealex

siealex

    Casio Addict

  • Members
  • PipPipPip
  • 70 posts
  • Gender:Male

  • Calculators:
    570w, 570ms, 83es, 570es, 83gt plus, 991es plus, 991de plus, 570spx ii, 9750gii

Posted 04 October 2022 - 11:58 AM

Try to guess the model!

ROM 017
MODE P0 
Press AC

Hint: its name contains "È"  :thumbsup:


Edited by siealex, 04 October 2022 - 05:18 PM.


#513 loklol

loklol

    Newbie

  • Members
  • Pip
  • 8 posts
  • Gender:Male
  • Interests:CALCULATOR minecraft
    hacking programming

  • Calculators:
    fx-82AU plus II 2nd edition CY-863 Version A
    fx-82AU plus II 1st edition LY711X Version A
    fx-991es plus 1st edition GY455X Version F
    fx-82MS 1st edition 25 4
    fx-100
    fx-9750gii SH3 2.04.0200

Posted 12 April 2023 - 06:50 AM

Does anyone know any hackstrings for th fx 991 es plus version f?

:banghead:



#514 7alken

7alken

    Newbie

  • Members
  • Pip
  • 1 posts

  • Calculators:
    fx-5800p fx-cg50 fx-991ex fx-991cw fx-991ms-2E fx-570ms-2E

Posted 15 July 2024 - 02:29 PM

It is actually very boring to do so that's why I wrote general purpose disassembler.

And, I use replace regex function of Notepad++ to write the instruction set file format.

 

BTW I wrote a (Windows) program that simplify the process of key press of emulator (you press keyboard and the program control your mouse to click at button)

 

--- Key presser for calculator emulator ---

http://pastebin.com/RVcv7qav

hi, thanks for this "key presser", its fixing the missing STO for fx-CG50 emulator (legal one)) for me :-) ... great 



#515 theodeo

theodeo

    Newbie

  • Members
  • Pip
  • 2 posts

  • Calculators:
    fx-cg50, fx-991ex, fx-991es, fx-300es Btech fx-82TL, sharp el520w

Posted 07 October 2024 - 07:05 PM

--- How to enter a hackstring (translated to English) ---
[991ES+ and 570ES+ only]

+ Hackstring always have 100 characters.
+ The basic memory layout of the RAM is
 

[ --- Input part, 100 bytes ---][ --- Cache part, 100 bytes --- ][ --- Random seed, 8 bytes --- ][ --- Counter, 2 bytes ---]
where:
 
Input part: The part used to store the formula displaying on the screen.
Cache part: "backlog" called by LBPHacker. To avoid confusion with the replay memory, that part is also used in STAT mode, and is cleared after pressing ON, even in 68 mode.
Random seed: Change every time Ran# or RanInt# is called by some random number generator formula (which one I don't know)
Counter: Increase by 1 every time the cursor flash, also called "unstable character". This will be useful later.
+ All hackstring takes exactly 100 bytes.
+ How to enter the hackstring:

* Execute basic overflow. (see post #208) (post number may change if someone delete their post)

By now the cursor is already to the right of a null character.

* Enter 91 (any) bytes.

After having entered 90 bytes screen should show something like
 
◄8901234567890|

               0
and after entered 1 more byte screen should show
 
◄9012345678901|X►

               0
(assuming you enter 12345678901234...)

* Now you should enter 100 characters of the hackstring.
* Then, to verify you entered the correct amount of character, enter 8 more bytes. Most of the time (when the lower byte of the counter is not null, there should be some character appear to the right of your cursor, just like how the "X" character appear to the right of your cursor when you have entered 91 bytes.

* Whether you have verified or not, press {AC} {◄} {=}
(I decide to wrap buttons in {curly brackets} to avoid special BBCode)

Done.

To test your understanding, try to enter this hackstring:
[991ES+ and 570ES+ only]
 
<52 characters> cv24 M 1 - F cv26 cv40 - Integrate econst 0 - tan^-1( D 0 - cs26 cv26 cs16 D 1 - cv12 = 0 - sin( 2 0 - 0 cv34 Integrate econst 0 - (-) cs32 0 - ⅃ Ans ^( cs32 0 - <2 remaining characters>
Some clarification:

+ All characters are separated by a space.
+ (-) is negative symbol.
+ econst = cs23.
+ tan^-1( is arctan function ( {Shift} {tan} )
+ ^( is the exponential sign in LineIO mode. ( 2 ^( 3 ) = 8 )

Warning:
* previously kaikun97 and SopaXorzTaker call hackstring = "whatever appear before character 'r' in glitched STAT mode". Now that should be "basic overflow hackstring".

 

 

does this work on the fx-991EX, since it has 200 bytes of storage for formulas instead of 100, wont i have to type more than 91 bytes before the hackstring?



#516 lantern

lantern

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male

  • Calculators:
    CASIO fx-83ES
    CASIO fx-991ES 2ND EDITION
    CASIO fx-83GT PLUS
    CASIO fx-82MS

Posted 08 October 2024 - 08:36 PM

i mean, the post says it's ES-PLUS only...
also, this forum is dead lol

 


  • theodeo likes this


2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users