512 replies to this topic

[anon34]

https://tieba.baidu....2793407170?pn=1 (translated into English):

The ERROR value can be used to trigger the CMPLX overflow mode.

 

What is this mode and how to activate it?

 

It's explained right in the post

 

> 这可以从 CMPLX 溢出模式的种种异常现象研究出来，参考楼主的《【991+】A^0法溢出r！比M^0法节省57%按键次数！》

> this can be researched from the various anomalies of the CMPLX overflow mode, refer to the original poster "【991+】A ^0 method overflows r! It saves 57% of the number of keystrokes than M^0 method! "

 

Search on the forum for the title...

 

results in https://tieba.baidu.com/p/2767270777 . (*)

 

========

 

(*): Some other user said "The CMPLX overflow mode should be the mode at 5L https://tieba.baidu.com/p/1949542063".

Edited by user202729, 23 August 2020 - 02:53 AM.

[LTVA]

Hello all of the active members.

I highly appreciate your activity and things you are doing.

My goal is to invent a method of writing totally new firmware (clean all ROM and past my code (demo?) there) for fx-991es plus 2nd edition. I think that I can somehow connect to MCU via JTAG or ISP.

Its PCB is a bit different from 991es's:

(see groups of 3 small and 4 usual size contact plates)

Also as I've read this data is useful too:



I haven't entered any hackstrings yet.

Also (maybe I've read the wrong datasheet) it is stated that CPU can be clocked from internal ~8MHz oscillator. Would be nice to do so.

Don't know anything about decompilators and assembler (I mean I can't use them, but I roughly understand what they do).

 

P.S. I haven't figured out if we can create a program via hackstrings that is larger than 100 bytes (1 symbol = 1 byte I guess). Somewhere upper something about 2KB was written, or it was free RAM/ROM space? 

Edited by LTVA, 27 October 2020 - 06:02 AM.

[jakiki6]

Hey, does this also work or is it portable for the fx991 dex?

[jol1411]

My goal is to invent a method of writing totally new firmware (clean all ROM and past my code (demo?) there) for fx-991es plus 2nd edition. I think that I can somehow connect to MCU via JTAG or ISP.

 

That sounds interesting, if anyone can write a new firmware for a fx-991ES, that'd be awesome! I suppose it's just the matter of seeing whether you can overwrite the flash memory (or whatever memory bank is read from when the calculator is powered on).

 

Its PCB is a bit different from 991es's:

(see groups of 3 small and 4 usual size contact plates)

Also as I've read this data is useful too:


 

 

Looks like the photos don't exist (I get a 404 when trying to view them), do you mind popping them onto something like Imgur (or any equivalent photo hosting service)? Thanks

 

 

P.S. I haven't figured out if we can create a program via hackstrings that is larger than 100 bytes (1 symbol = 1 byte I guess). Somewhere upper something about 2KB was written, or it was free RAM/ROM space? 

 

To be honest, I haven't even fully figured out how hackstrings are authored (so I don't have much expertise on this particular topic!) but I should imagine that it's possible for a 100-byte hackstring to clear some other region of memory which can then be executed. Think of it as some kind of 'unpacking' process where you execute the payload (the hackstring) and then once the payload has set up a region of memory, it'll set the MCU's program counter to execute arbitrary code in that region. I would think that the only way to implement the larger program that you want to run is for the hackstring execution to put the calculator into some kind of very minimal hex editor where the user can then enter the main program's bytes and then subsequently press a button (maybe =) to start the main program execution... If you get what I mean!

 

Looking forward to seeing where this goes.

[LTVA]

That sounds interesting, if anyone can write a new firmware for a fx-991ES, that'd be awesome! I suppose it's just the matter of seeing whether you can overwrite the flash memory (or whatever memory bank is read from when the calculator is powered on).

 

Yep, since we have disassembler, we can write assembler.

 

The question about writeable flash: on ATMega MCUs I've seen so-called "fuse bits" where you can define a lot AND one bit which is responsible for locking flash (after programming it no read (through programmator), no write). Also I'm sure that calc operates with some sort of freq prescaler (the max frequency (I can be wrong) is 8MHz but calc works at 128KHz or 32.768KHz. Try to calculate sum (through sigma) of fifty or so sines and you'll see how long it takes, it isn't enough for serious demo with music).

 

Looks like the photos don't exist (I get a 404 when trying to view them), do you mind popping them onto something like Imgur (or any equivalent photo hosting service)? Thanks

 

Moved to Discord, Imgur doesn't accept my phone number. Now it should display properly.

 

To be honest, I haven't even fully figured out how hackstrings are authored (so I don't have much expertise on this particular topic!) but I should imagine that it's possible for a 100-byte hackstring to clear some other region of memory which can then be executed. Think of it as some kind of 'unpacking' process where you execute the payload (the hackstring) and then once the payload has set up a region of memory, it'll set the MCU's program counter to execute arbitrary code in that region. I would think that the only way to implement the larger program that you want to run is for the hackstring execution to put the calculator into some kind of very minimal hex editor where the user can then enter the main program's bytes and then subsequently press a button (maybe =) to start the main program execution... If you get what I mean!

 

Good guess, gonna try it after graduating from... school (but you should call it "college"). Now I think about buying a programmator and searching for those plates configuration (where each is connected, to what pin of MCU).

Edited by LTVA, 27 October 2020 - 12:28 PM.

[reaporofdragons]

Hello all of the active members.

I highly appreciate your activity and things you are doing.

My goal is to invent a method of writing totally new firmware (clean all ROM and past my code (demo?) there) for fx-991es plus 2nd edition. I think that I can somehow connect to MCU via JTAG or ISP.

Its PCB is a bit different from 991es's:

(see groups of 3 small and 4 usual size contact plates)

Also as I've read this data is useful too:



I haven't entered any hackstrings yet.

Also (maybe I've read the wrong datasheet) it is stated that CPU can be clocked from internal ~8MHz oscillator. Would be nice to do so.

Don't know anything about decompilators and assembler (I mean I can't use them, but I roughly understand what they do).

 

P.S. I haven't figured out if we can create a program via hackstrings that is larger than 100 bytes (1 symbol = 1 byte I guess). Somewhere upper something about 2KB was written, or it was free RAM/ROM space? 

i have a fx 82plus NS  fx 991 plus the casing is different but the pcb is the same i also wanted to ask I'm completely new . what are the wires connected to ? and if anyone has the 128 pinout diagram or where to get diagrams

[LTVA]

i have a fx 82plus NS  fx 991 plus the casing is different but the pcb is the same i also wanted to ask I'm completely new . what are the wires connected to ? and if anyone has the 128 pinout diagram or where to get diagrams

Wires are from battery and solar battery.

[LTVA]

So, I've performed a test to estimate fx-991es plus v2's default MCU speed (also if anyone can please tell me what exact MCU is inside, because as I remember someone have found it, but I haven't found the exact post upper).

So, I entered the following formula and recorded the time it took to calculate this (actually 16 ±0.1 seconds):

 

So we can assume that sine calculation is way longer that addition, so I simplified it up to "we just calculated 100 sines".

 

And 1 sine was calculated during 0.16 seconds. 6.25 sines per second. So next step is to determine how many clock cycles does it take to calculate a sine.

 

Calculator does, as I assume, single precision floating point calculations, because we every time have 11 digits in significand and I don't think that developers would use other format.

 

Then there goes long arithmetic, because we in best case can calculate only 16-bit (2-byte) variables on one cycle, be it frac/mult or sum/subtract (estimated based on AVR MCUs which are not connected with this calcs but I think in calc there's an MCU capable of this). First we need to calculate significand which takes us around 5 cycles and then an exponent (2 cycles for multiplication and 3 more because it need to be moved somewhere, organized, etc.). 

 

Then we need sine. I haven't found the exact widespread algorithm, only estimations for good old AVR. The whole sine takes from 1600 to 1900 clock cycles. So, if we bring 1600 cycles, it gives us 10000Hz clocking oscillator, which is pretty off standard ones (powers of 2 or 8MHz divided by 1, 2, 4, 8, etc.). 

 

Somewhere upper somebody wrote that there would be 128KHz clock speed, and I can't figure out why. Sines are calculated with better precision? We don't have hardware multiplier? I'm intrigued.

Edited by LTVA, 31 October 2020 - 06:04 PM.

[anon34]

The microcontroller is ML610901, assuming that CASIO uses the same one as in 82ES.
The core is nX-U8/100.

currently in the emulator, (I think) all instructions are emulated in the same time, while in the real CPU it's more likely that some instructions are slower than others. So the clock speed estimation estimation/emulator run time of specific operations might be inaccurate.

There's a 8x8->16 bit multiplier (read the core instruction manual), and the calculator uses BCD (with a BCD exponent) so operations might be slower than necessary.

Edited by user202729, 01 November 2020 - 09:32 AM.

[LTVA]

The microcontroller is ML610901, assuming that CASIO uses the same one as in 82ES.
The core is nX-U8/100.

currently in the emulator, (I think) all instructions are emulated in the same time, while in the real CPU it's more likely that some instructions are slower than others. So the clock speed estimation estimation/emulator run time of specific operations might be inaccurate.

There's a 8x8->16 bit multiplier (read the core instruction manual), and the calculator uses BCD (with a BCD exponent) so operations might be slower than necessary.

CPU − 8-bit RISC CPU (CPU name: nX-U8/100)

− Instruction system:16-bit instructions

− Instruction set:Transfer, arithmetic operations, comparison, logic operations, multiplication/division, bit manipulations, bit logic operations, jump, conditional jump, call return stack manipulations, arithmetic shift, and so on

− On-Chip debug function

And the most important part:

− Minimum instruction execution time Approx 30.5 μs (at 32.768kHz system clock) Approx 0.122 μs (at 8.192MHz system clock)＠VDD = 2.2 to 5.5V

 

So we are operating at 32.768kHz, but can go up to at least 8MHz. Information from another chip, but it is using nX-U8/100 too, as you see. Datasheet.

 

Internal memory

− Internal 128-Kbyte flash ROM(64K × 16-bit) (including unusable 1KByte TEST area)

− Internal 2-Kbyte Data Flash (1-Kbyte × 2)

− Internal 4-Kbyte RAM (4096 × 8 -bit)

Clock

− Low-speed clock (This LSI can not guarantee the operation withoug low-speed clock) Crystal oscillation (32.768 kHz) or Built-in RC oscillation (32.7kHz)

− High-speed clock Built-in oscillation (8.192MHz/8MHz), Crystal/Ceramic oscillation (8MHz), external clock

Yes yes yes, we can go up to 8MHz with internal oscillator. Interesting.

 

And we exactly know how much memory we have. Demo is possible.

Edited by LTVA, 02 November 2020 - 07:03 AM.

[compuguy123]

I'm just here to slap a heatsink on the lapped die and run it at 9MHz OC on liquid metal.

Linus techtips did it by varying resistance around an oscillator on a TI graphing calc or something like that. Any pointers? I've got a heat gun, fine tipped soldering iron, and degreaser spray, acetone... etc. Have a spare FX-82 AU that I can go at as a guinea pig.

Skilled enough to sopder microcaps with nothing but a single soldering iron and some tweezers. The only challenge here might be the potting compound blob around the core I think

[LTVA]

I'm just here to slap a heatsink on the lapped die and run it at 9MHz OC on liquid metal.

 

It's ultra low power MCU, you wouldn't need a heatsink at all.

 

varying resistance around an oscillator

 

It's internal oscillator, not external (inside MCU it is, unfortunately). It should run on exact frequency regardless of what voltage you apply to MCU.

 

The sad part is that we have ROM that we with 0.(9) probability can't rewrite.

Edited by LTVA, 04 November 2020 - 04:59 PM.

[compuguy123]

It's ultra low power MCU, you wouldn't need a heatsink at all.

 

 

It's internal oscillator, not external (inside MCU it is, unfortunately). It should run on exact frequency regardless of what voltage you apply to MCU.

 

The sad part is that we have ROM that we with 0.(9) probability can't rewrite.

Isn't there a way to input a frequency as override to that MCU frequency? Also, perhaps there is a way to bridge 2 pins on the MCU to select the osillator mode? I theoretically can tap into every single trace on the board with some fine copper wire and a very hot soldering iron with a scalpel. But I need to know how this MCU selects the frequency. Can't make too much sense of the datasheet but there seems to be a way to select the oscillation frequency.

Imagine having the choice between 8MHz and some really trash frequency and choosing the really trash frequency just to spite kids that are typing more than 3 characters per second, ty for nothing casio lol

[LTVA]

Isn't there a way to input a frequency as override to that MCU frequency? Also, perhaps there is a way to bridge 2 pins on the MCU to select the osillator mode? I theoretically can tap into every single trace on the board with some fine copper wire and a very hot soldering iron with a scalpel. But I need to know how this MCU selects the frequency. Can't make too much sense of the datasheet but there seems to be a way to select the oscillation frequency.

Imagine having the choice between 8MHz and some really trash frequency and choosing the really trash frequency just to spite kids that are typing more than 3 characters per second, ty for nothing casio lol

 

You can define MCU clock source only via reprogramming it (modifying ROM), which probably isn't possible because we need to find out what pins we should connect to what wires of programmator and casio most probably locked ROM so we can't rewrite it. Also I don't think that MCU will be able to run at 8MHz on voltage that we have from the battery, so 2nd solar panel and battery would be needed. But hey, if ROM is reprogrammable I'd sold there some speaker with R-2R ladder and let the demo begin!

 

Spotted a post about overclocking the calc via manipulating voltage. Why does it work? Voltage somehow affects the oscillator or there's external clock? I don't have oscilloscope so it remains a mystery.

[anon34]

No idea. I'm not the best regarding hardware. (but that seems to make sense...)

 

Also, the documentation of that particular chip (specifically the SFRs) is not available, so it would be hard to program too.

 

ROP is possible, but it doesn't worth the effort. If you have to modify the hardware anyway, you might just throw another microcontroller in (like the recent screen-on-solar-panel mod)

[LTVA]

No idea. I'm not the best regarding hardware. (but that seems to make sense...)

 

Also, the documentation of that particular chip (specifically the SFRs) is not available, so it would be hard to program too.

 

ROP is possible, but it doesn't worth the effort. If you have to modify the hardware anyway, you might just throw another microcontroller in (like the recent screen-on-solar-panel mod)

 

Screen-on-solar-panel mod? 

 

We wrote disassembler, if I'm not mistaken, so we can write assembler. It's question of connecting wires.

 

Installing another MCU is hard.

[EnderFire09]

Does anybody here have discord? Perhaps a discord server might help make CASIO calculator hacking more accessible.

[DSch]

Screen-on-solar-panel mod? 

 

We wrote disassembler, if I'm not mistaken, so we can write assembler. It's question of connecting wires.

 

Installing another MCU is hard.

Well we have an emulator (in code) and can dump the rom of the calc/emulator so writing code for something like an stm32 or esp32 & emulating the cpu shouldn't be that hard
Driving the display and getting the keys is also not that hard, stm32 has fmc for this purpose and esp32 has the i2s engine which is also capable of that tho esp32 would need a port expander for the keyboard

Trying to find out if the rom can be manipulated and what the unused pins do is much more interesting tho, but would need a recap to see where they exactly connect to
It seems like the CPU gets programmed trough the "test" pin and the reset pin so we would have to find where the test pin is and get ahold of a programmer for these chips but it can be that programming is locked

Edit: the nano-ease programmer is actually quite cheap and *should* be able to program the chips, finding the test pin shouldn't be hard because it blinks if it fails to "execute a command" on the target

 

Edited by DSch, 15 November 2020 - 03:26 PM.

[cetus9]

...
It seems like the CPU gets programmed trough the "test" pin and the reset pin so we would have to find where the test pin is and get ahold of a programmer for these chips but it can be that programming is locked

Edit: the nano-ease programmer is actually quite cheap and *should* be able to program the chips, finding the test pin shouldn't be hard because it blinks if it fails to "execute a command" on the target

It likely doesn't use RESET_N. The translated PDF which refers to ML610901 shows TEST1, TEST2 functional blocks.

 

I have an EASE-1000 (same firmware as the EASE-1000v2, but lacks Vpp driving capability, I think). I couldn't find a combination that looked promising on the oscilloscope.

 

Edit: they also mention in that document that the debugging interface may be disabled for power saving, though the English translation does not make this clear.

Edited by cetus9, 15 November 2020 - 05:34 PM.

[cetus9]

Other observations that I've made on both an fx93gtplus and an fx-85gtplus:

 

P155 is probably VDDL, as it has a cap to GND and measures the correct voltages in various states (from low voltage cell to brightly illuminated fx-85gtplus solar panel etc.).

 

The 3 vertical pads to the right of P155 are likely part of PORT4 (as on e.g. ML610Q438) and are interfaced with SFRs F221, F222 and F223 (P4DIR, P4CON0 and P4CON1?). Using a high res. multimeter, they can be observed to change state from high impedance to internal pull down during the 'Pd- Read OK' screen. Also, a ~500KHz clock starts on the bottom pad. It's possible that the debug port is here, but it seems more likely to be one of the serial interfaces starting up.

 

BTW, the calculators will happily run with 3.3V on the battery terminals, to make interfacing easier.

Edited by cetus9, 15 November 2020 - 05:37 PM.

[DSch]

Yes, the calc runs with 3.3v without blowing up but i think it generates an internal voltage because i've only seen 0-~1v on my calcs lcd bus.
Putting 3.3v onto the pins of the calc doesn't break it even if the pins are low (for some reason they do not go into tristate on reset but low or there is a 40ohm pulldown)

I had an idea: write some code and execute it on the calc, which puts all pins high; the 1-2 pins needed for programming should be low

[anon34]

Not that there are many people interested in this thing anyway. At most 5 at the moment, I think.

 

(at least there are some people with a nonzero amount of hardware tools now.)

 

The pins... the only ones that I know how to control from the software are the KI/KO ones, and they're all easy to see which one is which.

The information about the SFR are mostly unknown, except the commonly-used ones (by the calculator program).

I assume that it's possible to reprogram the test regions somehow, but only with specialized tools and it's necessary to know the correct pins.

 

(remark: there's a sequence of prime numbers hidden in the test area of the classwiz calculators)

[DSch]

Hardware attacks could get really useful at some point if casio manages to fix most bugs or make exploitation harder so i dont think that this topic should be ignored.
Getting & writing the internal memory could be made much simpler and faster for example.
Since there are testpoints one can make a "test jig" which breaks out the pins without the need to solder anything.
Things like injecting code can also be interesting.

Devices like the nintendo switch get defeated (and sometimes bricked lol) by some mosfets and a gd32 (clone stm32) so it can be really useful incase casio pimps the security on their calculators

[cetus9]

I already have an fx-83gtplus with test points hooked up to breadboard.

 

Unfortunately, it's the only one of my calculators that I don't particularly care about and I don't think there are any basic overflow methods for this model (correct me if I'm wrong).

 

I'd like to try writing to F220 (P4D?) after setting F221 (P4DIR?) to outputs and F222 and F223 as described in many of the ML610 series user manuals (ML610Q4xx especially). It would be interesting to see if the 3 vertical pads are the only ones affected.

[cetus9]

It's frustrating that we can't seem to upload images. I have a couple of voltage spreadsheets and some other interesting things to share. Is there perhaps a better forum for this sort of thing?

Edited by cetus9, 18 November 2020 - 12:20 AM.

[anon34]

It's possible to post an image here; but I think the site doesn't allow uploading files directly, you can upload it to some other paste bin/image upload sites.

 

For other sites, there's the wiki that last time some people told me to create  http://casiocalc.wikidot.com and tiplanet I think? (and others too) don't frequently visit those sites however.

 

On 82-similar models, the only known exploits involves some precise timing (68-mode, STAT 0 submode) -- but constructing the ROP is the harder (but still possible, obviously) part.

Edited by user202729, 18 November 2020 - 03:32 PM.

[CasioHax0r]

Hi. I have found that on Casio FX-83GT PLUS if I enter Stat Submode 0 and enter any of the below

1200{squared}{x hat}
(120{sqaured}{x hat}
(12{squared}{x hat}

Then press the ON button, the VCT (vector) indicator on the status bar illuminates and pressing SHIFT+1 to open the stat menu no longer works. {squared} can also be substituted for {cubed} with no affect.

The FX-83GT PLUS does not have vector mode so this must be changing something in memory. With a bit of tinkering, maybe this could be used to achieve mode 68?

Edited by CasioHax0r, 30 November 2020 - 07:16 PM.

[Hir0vinacal]

Hello, i am new, ik how to do the basic overflow, but i cant find a hack for vinacal 570es plus ii,
Do you guys have one?

[Hir0vinacal]

Also it would be nice if some one translate this because google suck
在所有模式皆为默认的状态下，输入：
M=积分1右M右9.99999999999999×10^99 CALC 0 = AC
然后 MODE 2 小数点 e的幂按13次 ii右右右右右ii
右右右右右ii M+ AC A=Ai CALC = AC
接着 MODE 1 A^0右 冒号 六个分数线 = Pol(1,0 = 上 左
和M^0法一样，A值是关机保留的。
共计按键次数114次。（如果数错请见谅）

[Hir0vinacal]

Yea help cuz idk when will i even catchup

[Hir0vinacal]

How do i do overflow in CMPLX .-.

[CalcLoverHK]

Also it would be nice if some one translate this because google suck
在所有模式皆为默认的状态下，输入：
M=积分1右M右9.99999999999999×10^99 CALC 0 = AC
然后 MODE 2 小数点 e的幂按13次 ii右右右右右ii
右右右右右ii M+ AC A=Ai CALC = AC
接着 MODE 1 A^0右 冒号 六个分数线 = Pol(1,0 = 上 左
和M^0法一样，A值是关机保留的。
共计按键次数114次。（如果数错请见谅）

I can translate it for you (I am Chinese)

Sorry there may be some confusion as I don't have any of these calcs (^ ^;

 

1. Set your mode to default

2. Press valuable M [=] [Integration] [Right] valuable M [Right] 9.99999999999999×10^99 [CALC] [0] [=] AC/on

3. Switch to MODE 2, press 2 [.] e^13 ii (I think it is imaginary number button?) [Right]x5 ii [Right]x5 ii [M+] AC/on [A] [=] [A]i [CALC] [=] AC/on

4. Switch to MODE 1, A^0 [Right] [Colon] [b/a]x6 [=] [Pol(] 1,0 [=] ▲ [Left]

[Hir0vinacal]

Well guys i found a bug for vinacal calculator(s)
1.Press Squareroot and x□ until you cant press anything else
2.right 2 times and squareroot
3.rigth 2 rimes and x□
4.left 3 times, del all the square roots
5. Add a fraction
6.Delete the tiny dot (look at the image, at the right)
https://cdn.discorda...1203_220810.jpg
7.You get this
https://cdn.discorda...1203_220819.jpg

Your work is amazing guys! Idk when will i even catchup so pls help me Owo

[Hir0vinacal]

I can translate it for you (I am Chinese)
Sorry there may be some confusion as I don't have any of these calcs (^ ^;
 
1. Set your mode to default
2. Press valuable M [=] [Integration] [Right] valuable M [Right] 9.99999999999999×10^99 [CALC] [0] [=] AC/on
3. Switch to MODE 2, press 2 [.] e^13 ii (I think it is imaginary number button?) [Right]x5 ii [Right]x5 ii [M+] AC/on [A] [=] [A]i [CALC] [=] AC/on
4. Switch to MODE 1, A^0 [Right] [Colon] [b/a]x6 [=] [Pol(] 1,0 [=] ▲ [Left]

Hey do you know how to write ASCII character on calculator? I googled it bug no result.

[CalcLoverHK]

Hey do you know how to write ASCII character on calculator? I googled it bug no result.

Like I said, I don't have any of these calculators to hack, so I have no experience in writing ASCII. Wait an expert here to solve your problem.

[Hir0vinacal]

How to type "i love u!" Using overflow? Tiebaidu say type M=1.4920313076652x10^79 and Ans=1.7521202020202x10^-69
but i dont know how to do it, help me pls?

[jol1411]

Hello, I'm back again! user202729, I was wondering if you can help me with this problem I have when trying to create my own ropchains in assembly...

 

So I have my development environment set up perfectly now, the calculator loads up and the Lua prompt allows me to run the inject command, but I'm finding it difficult to actually get the calculator to do something.

 

Here's what I've tried so far:

I created a file in asm_ropchain called shutdown.asm and it simply contains the following contents:

shutdown

(I believe that this should then refer to the shutdown gadget found at line 32 of 570esp/labels

045A6		need_reset  # check magic string and various things
.l_03C		.yes
.l_042		.no
045EE		shutdown
04640		delay       # 04640

# functions used in diagnostic mode
048C2		diagnostic_mode  # display "DIAGNOSTIC / Press AC" text
048F6		diagnostic

I then use compiler.py to get the hex output of shutdown.asm and then run the emulator with emu.sh and use the inject command, but when I've injected it, and then once I've pressed [=], the calculator simply freezes and I get a lot of output from emu.sh. The calculator's screen is still on, meaning that it hasn't accomplished running the shutdown gadget.

 

Here's my terminal's output: https://pastebin.com/5ESkp9f3 (Let me know if this link doesn't work for whatever reason)

 

I'm guessing that there's some simple thing that I'm missing...? I also tried the following for shutdown.asm but with no luck:

home:
    shutdown

Glad I got the emulator all working though.   Any help will be appreciated! 

 

-James

[anon34]

Looks correct. However, because `inject` sets an internal break point (I think I made it like this for convenience) (is that a one-time break point? I can't remember) you need to continue.

 

I think it's `c()`? All the commands are documented in README.

 

Edit: wait, it isn't... everything are badly-organized and badly-documented.

I'm not particularly motivated to fix these things nowadays.

Edited by user202729, 28 December 2020 - 02:16 AM.

[variyak]

Hello, I see that it's been a while in this thread but I just joined the forum. Anyone still working on this?

[anon34]

No.