515 replies to this topic

[TheAwesomer]

I have been testing some things out on my fx-83GT PLUS, and I have found a few interesting exploits. I'm not exactly sure how they work, but I'll detail the most interesting:

 

Glitched String: In STAT submode 0, enter 'ᴀᴀ+x̂' (small A (SHIFT 1 5 1), small A, plus, x hat (SHIFT 1 5 4)), then press equals. This should throw a math error. Use the arrow buttons to exit out of the error, then delete the two 'ᴀ's and the plus, and input a number before the x hat (I use 3, but others work - I'm not sure the requirements). It should look like this: '3x̂'. Then press equals. Nothing should appear to happen, but press an arrow button and a glitched string appears!

 

I think this puts you into a glitched error state, but as I say, I'm not sure.

 

Tested on an fx-83GT PLUS (not mine) and I can confirm that this works. Nice find Eris600! This does not work on my fx-991ES PLUS VerE, so this seems specific to GT models.

 

EDIT: This definitely corrupts some memory somewhere, as pressing the equals button again just hangs the calculator like everything else does.

 

EDIT2: You can put anything before the x hat, of any length, as long as it wont cause any error screens to appear. Also, what are these other exploits like? One of them may not seem interesting but perhaps could cause buffer overflow or some other corruption/glitch that would lead to arbitrary code execution or just some other cool effects. Also, it appears that you can put anything instead of the + in the ᴀᴀ+x̂ part of the exploit and the length of it doesnt matter.

Edited by TheAwesomer, 26 March 2019 - 01:53 PM.

[TheAwesomer]

POTENTIALLY MAJOR DISCOVERY FOR FX-GT SERIES

 

I got bored and was messing around on an fx-gt83 PLUS and found a glitch quite similar to a glitch that can be found on the fx-es non-plus series. Heres what I did.

 

Got into stat submode 0.

typed this in: (ᴀ)÷(ʙ)

and pressed enter. Got a math error.

Pressed left arrow and changed what was typed to (ᴀ)÷ʙx̂

Then pressed enter. The cursor would be glitched and the calculator would enter a glitched state were you typed stuff in, but it did not appear to do anything, but upon pressing enter, you would see that it did, and it would return to normal. You could also get a |< on the screen by typing past the screen so that the screen would scroll in normal usage.

Edited by TheAwesomer, 04 April 2019 - 09:38 AM.

[anon34]

Probably basic overflow on 83GT+. However it would unlikely to be useful to other GT calculators.

There's an emulator of 83GT+ provided by CASIO, although it's not very accurate it's still possible to extract some
information from it.

If you are interested, you can get the calculator ROM... (to compile programs for that calculator)

On the emulator, this simply freezes.

You can also test the following:

1. How many [left] key presses are required to make the cursor no longer stuck?
2. How many keys need to be pressed until the cur core come at the left side of the formula?

The sum of the two values above should be 256 minus the formula length.

3. Is it true that pressing [right] exits the state?

Edited by user202729, 03 April 2019 - 01:53 PM.

[TheAwesomer]

1. 6 left key presses, although you dont see what you typed. Pressing enter crashes the calculator and I did once get it to show what I typed to get to this glitch mode, so it could be like an overflow glitch or similar.

2. It never appears to do this. Interestingly enough though, if you press SHIFT+DEL the cursor changes like it should, but then wont change back if you press the keys again.

3. Never seems to do anything.

Edited by TheAwesomer, 04 April 2019 - 09:38 AM.

[CUZLOCKED]

Has anyone managed to find a basic overflow on the fx-100AU PLUS? All the ones I've found don't work because it doesn't have a calc key.

[anon34]

Has anyone managed to find a basic overflow on the fx-100AU PLUS? All the ones I've found don't work because it doesn't have a calc key.

First use method 2 in http://casiocalc.wik...om/mode-68#toc3 to enter mode 68, then follow
http://casiocalc.wik...c-overflow#toc3 . (the method is the same as on fx-82ES PLUS calculators and similar)

[TheAwesomer]

I just found a very interesting hackstring by accident, but cant seem to replicate it.

 

If I get it again I will try and put it here.

 

A glitched screen with lots of random characters (that looked mostly intact) and a couple of bars at the top.

 

Looking very closely at the screen, you could see many lines of pixels flickering faintly but quite rapidly.

[jsa]

Hello there,

I just found this forum while searching for things to do with my fx-83GT PLUS now that I no longer need it for school... (I also have an fx-85GT PLUS, although the screen is sadly cracked.)

 

I see you have all found a lot of interesting things to do with the FX calculators, so I was wondering are there any good places to begin experimenting with my 83GT+?

Edited by jsa, 30 June 2019 - 12:01 PM.

[anon34]

The known exploits with 83GT+ are entering mode 68 by pressing ON while reset all (http://casiocalc.wikidot.com/mode-68)
and submode 0 of STAT by pressing ON after AC in STAT submode selection (http://casiocalc.wik...ring#get-r-stat).

it's possible to invoke basic overflow from mode 68, which in turn can cause stack corruption.

To write "interesting" hackstrings it's necessary to get the calculator ROM, which is not a very easy task (although I've
done that for 570ES+ and 82ES+A calculators)

[mrfrakes]

Hi,

 

What hardware display controller do the Classwiz models use?

 

Thanks in advance, mrfrakes

[Undeyapper812]

I have been testing some things out on my fx-83GT PLUS, and I have found a few interesting exploits. I'm not exactly sure how they work, but I'll detail the most interesting:

 

Glitched String: In STAT submode 0, enter 'ᴀᴀ+x̂' (small A (SHIFT 1 5 1), small A, plus, x hat (SHIFT 1 5 4)), then press equals. This should throw a math error. Use the arrow buttons to exit out of the error, then delete the two 'ᴀ's and the plus, and input a number before the x hat (I use 3, but others work - I'm not sure the requirements). It should look like this: '3x̂'. Then press equals. Nothing should appear to happen, but press an arrow button and a glitched string appears!

 

I think this puts you into a glitched error state, but as I say, I'm not sure.

I tried this on a fx-85GT PLUS and it worked the exact same way and I found out that if you press M+ or shift STO {any letter} instead of equals it will stay on the same screen until you press the arrow buttons it will show M+ or the letter you pressed.

Edited by Undeyapper812, 09 February 2020 - 11:45 AM.

[Undeyapper812]

POTENTIALLY MAJOR DISCOVERY FOR FX-GT SERIES

 

I got bored and was messing around on an fx-gt83 PLUS and found a glitch quite similar to a glitch that can be found on the fx-es non-plus series. Heres what I did.

 

Got into stat submode 0.

typed this in: (ᴀ)÷(ʙ)

and pressed enter. Got a math error.

Pressed left arrow and changed what was typed to (ᴀ)÷ʙx̂

Then pressed enter. The cursor would be glitched and the calculator would enter a glitched state were you typed stuff in, but it did not appear to do anything, but upon pressing enter, you would see that it did, and it would return to normal. You could also get a |< on the screen by typing past the screen so that the screen would scroll in normal usage.

 

 

Probably basic overflow on 83GT+. However it would unlikely to be useful to other GT Calculators... 

When I tried this on a fx-85GT PLUS it worked the same way then I tried it again but after I pressed equals I pressed the S->D button then it showed a glitch string on the top row of the display (also works if you press shift S->D or shift FACT) if I pressed the arrow button it would be invisible and the cursor would stay in the glitched place if you press the right arrow button 9 times (to make sure the cursor is on the furthest right) and press delete once and press equals it should say error and exit the error using the arrow buttons the it says (a)+b because the letters were invisible but were registered in the calculator and you removed x̂ which crashes the calculator. If you try this glitch without the brackets or divide symbol it works but the S->D glitch symbol is slightly different. 

Edited by Undeyapper812, 09 February 2020 - 11:46 AM.

[Undeyapper812]

Should work on some Casio Calculators (83GT/85GT PLUS and test on more) (Don't press AC or ON until finished)(ALL OF < REPRESENT < TURNED 90° CLOCKWISE) Get into stat mode submode 0 and enter 2.8×10<62 then enter shift then STO (is RCL button) then X which is ")",(Don't press Alpha) then equals then press AC NOT ON,and using letters given by pressing shift,1,5 type "a<(b". (Small "a" is shift,1,5,1),(Small"b" is shift 1,5,2.) and "<(" is the "x<" button on the calculator) press equals and it should say error, now type aANSXexby also small a,x,b and y are given by pressing shift,1,5 and are chosen from a menu, Small "e" is Alpha ×10< and ANS is a single button Big "X" is Alpha ")"

Make sure that the cursor looks like "l" not"_" by pressing "shift, del", now move the cursor to the furthest right and press equals, if everything goes well you should see the "Complete! press AC to continue" menu which is also show after a reset (if you don't see this menu, restart the glitch and replace "e" in "aANSXexby" with the pi symbol), now press ON,there is a chance that you stay in stat mode if not go back into stat mode submode 0 to do the next glitch.To do another version of the glitch, delete "a" in "aANSXexby" and at the end of the glitch move the curser before "e" in "ANSXexby" and everything else is the same and before you press anything after pressing equals you might see glitched symbols and if you move the cursor you will see less of them or you might see the press AC menu. To do another version of the glitch repeat the first glitch but "e" in "aANSXexby" is replaced with RAN# (shift "." button) so it's "aANSXRAN#xby" Delete "a" so its"ANSXRAN#xby" it should open a menu called conversion number where you enter a number between 1 and 40 and after you enter a number it goes back to before and if it crashes press ON. Please reply if you found something new about these glitches and new calculators it works on.

Edited by Undeyapper812, 09 February 2020 - 11:53 AM.

[Undeyapper812]

The glitch menu trick I tried on my fx-85gt calculator can be done by entering Stat submode 0 then typing in "Ran#[To the power of -1]xax" 

([To the power of -1] is the x-1 button on the calculator , 

small x is shift 154 , small a is shift 151 and Ran# is shift [Dot button]) 

Now if you press equals you should see a menu called conversion number now first enter 13 if it crashes press ON and repeat all steps then keep trying other numbers in this order 12,11,09,18,21,10,23,22,35 and if that still doesn't work try random numbers. Then it might go back to "Ran#[To the power of -1]xax" press equals and it will go to another menu that you can exit by pressing ON (repeat all steps to do the glitch this post is about) it should show glitch symbols and if you press the up arrow button it will show more glitched symbols and you can see more if you press the down arrow.

Edited by Undeyapper812, 09 February 2020 - 11:54 AM.

[siealex]

Tried it on 991ES Plus - it hangs or crashes after entering a^(b (or the other sequence from the next post) and pressing "=".

[siealex]

All ES Plus series calculators have two option jumpers P0 and P1. Are they processed in the firmware?

[TheAwesome98]

How do I even start?! I don’t know what do do first! I have a Casio fx 83GT + if that helps.

[siealex]

Today I found a very strange behavior in Mode 68 (991ES Plus). Enter Mode 68, type any rather complex formula with subscripts and superscripts, execute it (it must execute without errors), then switch to LineIO and recall the formula. All "level change" places (normal to subscript/superscript/fraction etc.) will become bold A..E letters. WTF?

[siealex]

An even more strange thing with my 991ES Plus. Enter Mode 68, type 2 3/4 (mixed fraction), [=], switch to LineIO, recall the formula and erase the @ character in front. Save the number into a memory register (e. g. A) and try to calculate 1/A (the reciprocal key will also work). You'll get an error without an error message. Two empty lines, AC/on Cancel, [<-] [->] Goto. WTF???

Edited by siealex, 08 February 2020 - 09:34 PM.

[Undeyapper812]

How do I even start?! I don’t know what do do first! I have a Casio fx 83GT + if that helps.

https://youtu.be/jPtv3FDH3wk Follow from 1:22 until 3:00 and this is how you get into Stat Submode 0 which is useful for several glitches

Edited by Undeyapper812, 08 February 2020 - 09:59 PM.

[siealex]

You'll get an error without an error message.

With some other combinations of A's, B's and E's stored into a variable you can also get a syntax error after using this variable. 

[Undeyapper812]

With some other combinations of A's, B's and E's stored into a variable you can also get a syntax error after using this variable. 

For an fx-85gt+ you can get ERROR as the ANS value if you: {any number}<(b  in stat submode 0. which allows you to get the letters ERROR in the bottom right corner as the answer and if you dont change the ANS value you can use it as the f(X) value when you change the mode setup to table if you square root ANS then you will get error values in the table. <( this is what the power symbol looks like in stat submode 0

[siealex]

For an fx-85gt+ you can get ERROR as the ANS value if you: {any number}<(b  in stat submode 0.

On a 991ES Plus I get a freeze, a 991 DE Plus turns off.

[anon34]

Today I found a very strange behavior in Mode 68 (991ES Plus). Enter Mode 68, type any rather complex formula with subscripts and superscripts, execute it (it must execute without errors), then switch to LineIO and recall the formula. All "level change" places (normal to subscript/superscript/fraction etc.) will become bold A..E letters.

Read this page: [Linear formula representation - CASIO fx-ES PLUS calculators exploits](http://casiocalc.wik...-representation)

The "representations" table may be found somewhere in the fx-es(ms) forum, but I can't find it.

Edited by user202729, 09 February 2020 - 04:33 PM.

[siealex]

http://tieba.baidu.com/p/6055959163

How to enter this hackstring? I can't understand the second character after 52 numbers (after tan-1).

[anon34]

http://tieba.baidu.com/p/6055959163

How to enter this hackstring? I can't understand the second character after 52 numbers (after tan-1).

 

With the unstable character. 

[siealex]

To write "interesting" hackstrings it's necessary to get the calculator ROM, which is not a very easy task (although I've

done that for 570ES+ and 82ES+A calculators)

Does the 82ES+A ROM contain all 570ES+ modes? Or only the modes present in 82ES+?

[siealex]

Are there some other glitches for FX83GT+? Today I found this device on our flea market, all glitches from this topic work fine.

PS, today I found a strange mode in FX-83GT plus. To enter it, try to reset all and immediately press ON (the interval must be very small, less than 0.1 s), in the same way as described for Mode 68. The device remembers the history (as in Mode 68), but (unlike Mode 68 on 991ES Plus) is ALWAYS in LineIO, with comma instead of decimal point and without the angle unit indicator (but actually it uses degrees). What is it?

Edited by siealex, 11 February 2020 - 06:56 PM.

[siealex]

Actually ES Plus / Gt Plus series calculators have not two, but THREE Pd jumpers. The third one (Pd4) is the P146 point on the PCB, short it to the common line of Pd1 and Pd2. 

PS, are these pins processed in the firmware? If not, what is their purpose?

Edited by siealex, 11 February 2020 - 04:35 PM.

[anon34]

Does the 82ES+A ROM contain all 570ES+ modes? Or only the modes present in 82ES+?

 
I didn't check it, but I believe there's only modes it requires, plus a basic subset of base-N. There are methods to get into that base-n mode (if I recalled correctly), and they observed that the base-N menu is corrupted.

PS, today I found a strange mode in FX-83GT plus. To enter it, try to reset all and immediately press ON (the interval must be very small, less than 0.1 s), [...]

Just one of the unsupported modes.
 

Actually ES Plus / Gt Plus series calculators have not two, but THREE Pd jumpers. The third one (Pd4) is the P146 point on the PCB, short it to the common line of Pd1 and Pd2. 
PS, are these pins processed in the firmware? If not, what is their purpose?

 
http://casiocalc.wikidot.com/keyboard - "Pd pins" section.

Edited by user202729, 12 February 2020 - 06:08 AM.

[jol1411]

Hello,

 

I thought I should join this forum so that I can learn more about Casio calculator hacking. I have multiple calculators, but the ones I'm really interested in hacking (because the others are programmable) are the fx-85GT Plus and the Classwiz fx-83GT X (which the latter is probably much harder to hack due to its youngness). I'm also considering on getting an fx-991 ES Plus or an fx-570 ES Plus to do a bit of more advanced hacking on as I currently am only using user202729's emulator for the fx-570 ES Plus!

 

So with regards to the fx-570 ES Plus, I've of course downloaded fxesplus and got the emulator running, but I just would like to learn more about the usage/syntax of the ROP programming system!

 

So my questions (specifically for fx-570 ES Plus):

 

In the 570esp directory, I run the following:

./compiler.py < ../asm_ropchain/hard119.asm

However, I get an error back from Python:

Traceback (most recent call last):
  File "./compiler.py", line 14, in <module>
    read_rename_list('labels')
  File "../libcompiler.py", line 243, in read_rename_list
    assert addr < len(disasm), f'{addr:05X}'
AssertionError: 02750

Can you tell me what's wrong/what I'm doing wrong here (please explain like I'm 5 years old lol)? I'm using the most recent version of fxesplus, and I'm just trying to compile hard119.asm to see if I can get at least something that looks like a hackstring/keypress list. I can give you more specific details if you need to debug this error!

 

Also, I'd love to know more about the syntax of the .asm (assembly language) files such as what flavour of asm it is (eg. Intel? ARM? Okay, maybe not them exactly!) so that I can start running hacks on these cool calculators! I'd love to get something like Hello, world! working on it, but that'll be probably in the slightly-distant future.

 

Love the work you're doing so far btw guys!

 

Thanks,

-James .

Edited by jol1411, 26 February 2020 - 08:15 PM.

[anon34]

So my questions (specifically for fx-570 ES Plus):
 
In the 570esp directory, I run the following:

./compiler.py < ../asm_ropchain/hard119.asm

However, I get an error back from Python:

Traceback (most recent call last):
  File "./compiler.py", line 14, in <module>
    read_rename_list('labels')
  File "../libcompiler.py", line 243, in read_rename_list
    assert addr < len(disasm), f'{addr:05X}'
AssertionError: 02750

Can you tell me what's wrong/what I'm doing wrong here (please explain like I'm 5 years old lol)? I'm using the most recent version of fxesplus, and I'm just trying to compile hard119.asm to see if I can get at least something that looks like a hackstring/keypress list. I can give you more specific details if you need to debug this error!

 

(I didn't make the program very user-friendly. There isn't many users who use it anyway, so
usually I just don't know what to improve.)

so check if the content of the disassembly file `disas.txt` is correct. You need to run the disassembler
(which is included with the emulator) to generate the disassembly file. With the correct path setting (if you're on Linux),
it can be done by running the `r_disas.sh` file.
 

Also, I'd love to know more about the syntax of the .asm (assembly language) files such as what flavour of asm it is (eg. Intel? ARM? Okay, maybe not them exactly!) so that I can start running hacks on these cool calculators! I'd love to get something like Hello, world! working on it, but that'll be probably in the slightly-distant future.

It's just a text file format I made up to simplify the process of writing ROP chains. Not any existing
flavor.
(in retrospect, I think I should just use Python or some programming language instead. Lisp is often used
for that, but other languages would work just as well, if not a bit more verbose)

Currently there's no documentation for that, only the comments in the `libcompiler.py` file.

Because this is ROP, there are a lot of limitations(you can lookup ROP online).
It's not as easy as programming in assembly.

However there are still some people who can figure it out and even use it to write something useful.

Edited by user202729, 28 February 2020 - 10:28 AM.

[jol1411]

Right, I see the problem: didn't run the r_disas.sh file!

I'll try it in a bit when I'm back on my PC

 

Update: Seems to be working now, the compiler runs and outputs keypresses.    Thank you!

Edited by jol1411, 27 February 2020 - 05:15 PM.

[cetus9]

Hi guys,

 

I have some (experimental) radare2 disassembly and analysis plugins for the nX-U8/100 architecture:

 

here

 

Feedback is welcomed.

 

 

[aidswidjaja]

Hi everyone, new to the forums but have been lurking for a while without an account now. Currently I am looking into a specific phenomenon where 5*9 (9-pixel height) characters are converted into 5*6 (6-pixel height) characters by inputting a relatively simple hackstring. Usually when you use a input with the A and B coefficients in the 5:Reg menu in abnormal STAT mode, you should just get garbage, but for some reason I've managed to output a result that really is just a human-readable small font variation of the input.

 

It's a bit hard to explain, so I've made a separate thread here: https://community.ca...g-poib-project/

and a Google Docs here: https://tinyurl.com/fxesplus-convert

and for Mainland China users, they can access the resources here: https://docs.qq.com/...1dnVnhoT1pTaERH

 

See below for instructions

 

After accessing abnormal stat mode (instructions found either in the below document or at this Tieba post: https://tieba.baidu....tag=i3044162056), using a hackstring in the form:

ANYTEXT(A/B))))))

where:

     (A/B) is the A/B coefficients, which can be located anywhere in the hackstring before the brackets
     ANYTEXT is any arbitrary string, can be as short or as long as you want. It can take the form of numbers, variable letters (e.g A, B, C, D, E, F, X, Y, M) or functions (e.g sin(, cos(, tan(, log()
      ))))) are brackets (0920) ranging from a quantity of 5+

 

The result should be that your arbitrary string (and trailing brackets) are converted from their standard, 5*9 size, to the corresponding 5*6 size.

 

Let me know if there are any questions

 

Thanks

aidswidjaja~

[EnderFire09]

I have some cool hacks for the fx-82AU PLUS II (LY711X VerA)

 

First the STAT submode 0 hacks.

 

1. small 'A' by it self - Enters Mode 68

2. 1(1(1(1r - Enters Mode 68 with MathIO

3. A(BCr - Puts the input into table input mode and corrupts the ram, causing the hackstrings to have different results until you press [ON].

4. 1sqrt(1sqrt(1sqrt(1sqrt(1sqrt(1sqrt(1r - teleport cursor far to the right, past the start of the cache, causing basic overflow.

 

 

Now for the COMP, MathIO hacks

 

First, to get 'r', enter Pol(1,0) then press [=], then press ÷, then 9 and then press [LEFT BRACKET] until you cant type any more left brackets. Then press [=], then AC/on, ▲, AC/on, [BACK].

Now you should have 'r' and a few other characters. Delete everything except for 'r'

 

Now for the hacks.

 

1. (7979(7979(7979(7979r - Enters Vector mode, which is not supported by the fx-82AU PLUS II

2. A(BCr->M v/[] (Square root) - Enters Mode 68 with LineIO without crashing the calculator, Press AC/on, then [BACK], delete every thing except for the box. Now move the cursor to the left of the box, then press [RIGHT] once. Initially, you cant see what you are typing until you have typed about a dozen characters. You have now achieved basic overflow.

[EnderFire09]

I have started a new thread on hacking the fx-82AU PLUS II

 

https://community.ca...lus-ii-hacking/

 

Come and visit maybe arbitrary code execution can be achieved and the rom can be dumped.

[aidswidjaja]

I've been looking into ROP recently and have a few questions if anyone can answer...

 

If I'm not mistaken, ROP relies on hackstrings which corresponds to addresses... then the "code" is executed in memory (and not ROM). Please correct me if I'm wrong on this.

 

Also, what are the limitations surrounding ROP? I saw SXT's video on a ROP demo - it appeared to have a few limitations, but ofc I don't know.

 

I know most of the resources for ROP were developed for the 991/570-ES PLUS - and 82ESPA, etc calculator hacks aren't as developed. But would I also be correct to say that ROP programming similar to what has already been established on the 991, is also applicable to the lesser versions like the 82? And in this case, I know there's quite the amount of resources for these models, could someone make a similar version (basically port it) for other models.

 

Basically, the goal here is ACE, but not _just_  ACE, but a decent program that could be executed and respond to user input. I have a feeling not... or it would be exceptionally difficult.

 

Final question, apart from ROP, what other methods (if any) lie for ACE

 

Thanks in advance for anyone who can help with this

[anon34]

Obviously ACE is Turing-complete, but it takes effort to write some reasonable program with that.

 

I can't find any documentation on how to execute code that the program can write to.

[siealex]

https://tieba.baidu....2793407170?pn=1 (translated into English):

The ERROR value can be used to trigger the CMPLX overflow mode.

 

What is this mode and how to activate it?