512 replies to this topic

[sleirsgoevy]

I've made a GDB-like ROP debugger to simply finding bugs in ROP hackstrings. Not sure if anybody here needs such tools, but the code is here: https://drive.google...iew?usp=sharing

[anon34]

[...]

It would be easier for you to create a git repo.
For convenience, I keep the changes you made in github branches and sometimes merge them into master.

I also implemented some basic functionality for debugging ROP hackstrings:
https://github.com/u...common.lua#L120

[dung11112003]

See https://community.ca...ge-8#entry61348 .

Then capture a video of the screen, process it to get the ROM.

What's the character '$' stand for (in hackstring)? And how to make some characters like "xor" and "conjg"?

[anon34]

What's the character '$' stand for (in hackstring)?

'$' can be any character.

And how to make some characters like "xor" and "conjg"?

Using the "unstable character". See http://www.microsoft...om/p/3114375974
(the translated Chinese is hard to understand)

Edited by user202729, 17 January 2019 - 02:56 AM.

[dung11112003]

Using the "unstable character". See http://www.microsoft...om/p/3114375974
(the translated Chinese is hard to understand)

Yeah, it seems very hard to understand "unstable character" part. Do you know how to do this?

[anon34]

Yeah, it seems very hard to understand "unstable character" part. Do you know how to do this?

See also http://casiocalc.wik...ter-unsupported, which should be easier to understand.

[sleirsgoevy]

@user202729, I thought of forking your repository and sending PRs instead of these zips, but your repository has some commits that I'd have to merge. I think that creating a new repository from scratch wouldn't give me any advantages, since I would still have to manually create zips with patches.

 

Sorry for double-posting, I didn't notice that the 10th page appeared, so I thought that my first post was deleted for some reason.

Edited by sleirsgoevy, 24 January 2019 - 02:07 PM.

[anon34]

@user202729, I thought of forking your repository and sending PRs instead of these zips, but your repository has some commits that I'd have to merge. I think that creating a new repository from scratch wouldn't give me any advantages, since I would still have to manually create zips with patches.
 
Sorry for double-posting, I didn't notice that there are 10th page appeared, so I thought that my first post was deleted for some reason.

If you don't want to resolve merge conflicts, you can just branch off the older commit(s), and somebody interested would merge
them later. Personally I find doing git fetch and git mergetool etc. is easier than downloading
a zip and manually apply the changes.

[anon34]

Information: I am getting the ROM of fx-82ES PLUS A with help from 185264646.

Update: It's done, but I fixed some bits manually and don't know if it's correct.

Edited by user202729, 02 March 2019 - 04:17 AM.

[anon34]

Currently there are some research about "hard 119 mode" (keep "hacked" state even when ON is pressed).
See this post.

Edited by user202729, 06 March 2019 - 03:05 PM.

[12345calc]

I've tried following your procedure of entering the 'Hard 119 mode' from this post: http://tieba.baidu.com/p/6055959163. The calculator I've tried it on (fx-991ES PLUS) succesfully boots on after a shutdown in this 'FIX' state (the FIX indicator is lit up), but after trying to enter linear mode (Shift [MODE] 2), right after pressing 2, the calculator freezes with no additional effects. After pressing ON in this freezed state, it just loses power and doesn't respond to anything (not even to [ON]) until I make a hard reset (take out battery + cover the solar panel). Is this the intended behaviour, because I see in your procedure post that it should happen another thing.

[anon34]

Yes.
I'm looking for ways to make it do other things without success.

[TheAwesomer]

So I managed to get an FX-991es Plus VerE GY455X and also managed to successfully execute the demo-program hackstring with the scrolling text on the screen, so if you want me to try anything on my calculator just ask.

[orla]

I don't really understand this, but is it possible to hack a Casio FX-85 GT PLUS?

[TheAwesomer]

Sorry, but not as of yet. Unless someone else says otherwise, I am quite sure you cannot yet hack an FX-85 GT PLUS.

[TheAwesomer]

Hey guys how do I dump the rom of my 991ES plus to use with the emulator?

 

Also when I try to use compiler.py I get this:

Traceback (most recent call last):
  File "C:\Users\joela\Desktop\fxesplus2\fxesplus-master\compiler.py", line 6, in <module>
    from lib_570esp import *
  File "C:\Users\joela\Desktop\fxesplus2\fxesplus-master\lib_570esp.py", line 25, in <module>
    font = get_font()
  File "C:\Users\joela\Desktop\fxesplus2\fxesplus-master\lib_570esp.py", line 4, in get_font
    file = open(filename, 'r')
FileNotFoundError: [Errno 2] No such file or directory: 'font'

EDIT: i got compiler.py working by creating a Virtual Machine running ubuntu. Still not sure how one dumps a rom though. I understand that you run a hackstring but what i dont get is what one does from there. However, I found the fx-570es plus rom I think so I might be good.

Edited by TheAwesomer, 10 March 2019 - 02:29 PM.

[anon34]

...

Currently there's no fully automated way to get a ROM. Also, you only need to do it once.
You can just use the existing 570es+ rom.


/////

That sounds like a lot of work (I never tried running any VM on my machine, and the image is just too large)
just to run the Python file. That having said, I didn't take portability into consideration while writing the scripts so they can
be incompatible with Windows. Some of them are easier to fix than others if you know Python.

Edited by user202729, 10 March 2019 - 04:59 PM.

[TheAwesomer]

Well I'm perfectly okay with using this method as I have used Ubuntu plenty of times. I've also managed to compile the makefile in casioemu/emulator

 

Quick question though: how do I use the old_loader hackstring. I type it in and I see a tiny graphical glitch (a couple of pixels on one line) and the calculator hangs. I know there is the new_loader hackstring but that requires you to utilize the unstable byte to enter any character, which I havent quite gotten the hang of completely yet and I would rather just use the old_loader anyway, seeing as it's easier to type out and also quicker. I did compile the hackstring, but it just doesnt seem to want to work. I've managed to get the scrolling text demo hackstring working (and even change the text to something completely different). And no I'm not miss-typing anything, I've checked over it a few times and verified it too.

[anon34]

...

Well actually I've never used the loader (programs I write usually fits in 100 bytes) and originally I wrote the loader without the compiler.
The loader assembly files was written by sleirsgoevy (I think so)

[anon34]

It looks like that sleirsgoevy wrote some pretty complex program that involves conditional jump/switch table. See the fork of the fxesplus repo.

[TheAwesomer]

oh do you mean https://github.com/s...305a/loader.txt

 

What does he mean by stuff like XX, TT, ZZ, etc.? I first thought he meant variables but It only goes A-F and X,Y,M So Im not sure how that works.

 

Still gonna try it

 

Unless he means using the unstable byte.

Edited by TheAwesomer, 11 March 2019 - 11:03 AM.

[anon34]

Info: You can use the emulator and manipulate the calculator bytes directly (for example see the
inject function in some Lua file, which takes a hex string (which the compiler outputs
if it gets passed the command line flag `-f hex` and modify the input area of the calculator)

That way it's easier, you can be sure that you don't make any misstroke and you can test the method
before doing it on the real calculator.

Edited by user202729, 11 March 2019 - 01:40 PM.

[TheAwesomer]

Thats a nice feature. But do you know what he means by ZZ and TT for example? I dont see these on the symbol table anywhere

[anon34]

I'm not sure how it works exactly, but I guess these are parameters like in my hackstring.
(output location, etc.?)
I also don't remember what are the parameters in my methods so take a look.

[orla]

How I hack an fx83-GT PLUS then? Can I use an emulator?

Edited by orla, 11 March 2019 - 07:23 PM.

[TheAwesomer]

There is no real way (other than memory hacking with cheat engine for example) currently known to hack the GT PLUS series of CASIO Calculators. Sorry.

[sleirsgoevy]

Answering @TheAwesomer about loader.txt.

 

XX is the address to start writing.

TT is the address of XX, minus 200.

ZZ and YY are addresses passed to strcpy (_start-117, _start-217).

All values are in little endian.

 

I think it's better to just compile new_loader.asm (it shouldn't require using unstable character).

This program was fully written by @user202729, I just changed its base address.

 

EDIT: @user202729 probably means this: https://github.com/s...ain/bitcode.asm

Edited by sleirsgoevy, 12 March 2019 - 02:27 PM.

[anon34]

@orla:
Methods in http://tieba.baidu.c...140#50924223140 may work with 85GT PLUS.
There are emulators for both models, however they're not very close to the real calculator and they're not free.

Edited by user202729, 12 March 2019 - 02:28 PM.

[TheAwesomer]

also when I try the hard 119 hackstring I compiled from the asm file, it just freezes, but doesnt shut itself down and also resets itself

[anon34]

also when I try the hard 119 hackstring I compiled from the asm file, it just freezes, but doesnt shut itself down and also resets itself

That's weird.
1. How are you invoking the compiler? What's the output you see?
2. Are you sure that you're using the correct calculator model? Check if the checksum is correct.

[TheAwesomer]

1. I just typed this in terminal:

 

../compiler.py < ../asm_ropchain/hard119.asm

 

I get a hackstring back from it with no errors. I would tell you the output, but I have to go in 6 minutes so I can't boot up my VM. Im not sure if the path is the exact same here but when I compiled it, there was no errors and there was a hackstring generated

 

 

2. In diagnostic mode I get:

GY455X VerE
SUM 8928 OK
Pd- Read OK
Press AC

It is an fx-991ES PLUS and is genuine.

 

 

EDIT: the hackstring was the same result as what you posted at http://tieba.baidu.com/p/6055959163

Edited by TheAwesomer, 12 March 2019 - 08:06 PM.

[orla]

I don't understand that that topic. I put it through Google Translate and it was saying something about landlords. Please just assume I know nothing and tell me what buttons to press.

[TheBigBuzz]

Hello everyone.
I have casio fx-350ES PLUS wich I think is very simillar to (or even the same as) fx-82ES PLUS. Is there any way to dump ROM and run it on emulator? What is already known about this model?

edit: I have arduino and rpi if it helps with dumping rom

Edited by TheBigBuzz, 13 March 2019 - 07:39 PM.

[TheAwesomer]

I don't think theres much you can do with that model at the moment, except maybe 

 

I also don't think people have figured out a non-destructive way of dumping the rom of that model yet. Correct me if I am wrong here.

 

 

EDIT: Check this https://community.ca...ge-9#entry61762

Edited by TheAwesomer, 14 March 2019 - 10:53 AM.

[TheBigBuzz]

@TheAwesomer

So there is a destructive way to dump rom?






btw.
Does anybody here know chinese so he can translate some stuff from baidu forum? I've found a lot of things I could do with my calculator if only I knew chinese.

[anon34]

So there is a destructive way to dump rom?

Dissolving the chip in acid and take a photograph or something like that might work,
but I don't have any information about the hardware.

 

Does anybody here know chinese

Just use some automatic translator and spend some effort understanding them.
Also note that technical contents (unmatched parentheses, etc). may be translated incorrectly or
shuffled around in the translated text, so always cross check with the original Chinese.
Also read the wikidot wiki page, some of the methods/ttechnical terms may already be listed there.


If you are stuck even after spending some effort you can ask me (show the original text, translated text,
how you understand it and what's wrong (in this topic or via PM),
I don't know Chinese but I'm pretty used to reading translated Chinese.

there are some Chinese users on the forum but I think they are not very active recenty..

Edited by user202729, 15 March 2019 - 01:39 PM.

[TheAwesomer]

MAGIC OF CALC | Noise hackstring?

 

So many of you may have seen this video: 

 

Well, I may have found a hackstring that causes one of the "Noise" glitches by typing in random stuff.

 

So the hackstring goes like this:

 

press log(, then keep repeating these keys until you reach the unstable byte/end of hackstring:

√( √( log( √( log(

When you have done that, press AC and Left as you would normally with a hackstring, and then press equals. The M indicator will light up, but nothing else will seem to happen. Keep pressing AC,Left,= until you get some dots on the bottom of the screen. (This happens after doing it about 10-20 times or so usually.) Do be patient, and when you get the dots, STOP. Now go into MathIO and the glitch looks like it has stopped. it hasn't. This appears to be the same effect as show in the Magic Of Calc video. The video makes it out as if there may be several different variations of this "Noise" glitch, however.

Edited by TheAwesomer, 18 March 2019 - 11:03 AM.

[yosik]

Hi everyone.

I have an FX-991-ex calculator.

As I understand it, the classwiz model needs more characters in the hackstring. Is it right?

[anon34]

Yes, the length of the input area in CLASSWIZ calculators is 200 bytes,
but currently only the ES PLUS calculator models have much discovery on.

Edited by user202729, 20 March 2019 - 03:09 PM.

[Eris600]

I have been testing some things out on my fx-83GT PLUS, and I have found a few interesting exploits. I'm not exactly sure how they work, but I'll detail the most interesting:

 

Glitched String: In STAT submode 0, enter 'ᴀᴀ+x̂' (small A (SHIFT 1 5 1), small A, plus, x hat (SHIFT 1 5 4)), then press equals. This should throw a math error. Use the arrow buttons to exit out of the error, then delete the two 'ᴀ's and the plus, and input a number before the x hat (I use 3, but others work - I'm not sure the requirements). It should look like this: '3x̂'. Then press equals. Nothing should appear to happen, but press an arrow button and a glitched string appears!

 

I think this puts you into a glitched error state, but as I say, I'm not sure.