Welp oof
FX-82/-83GT/-115/-991ES PLUS Hacking
#481
Posted 28 January 2021 - 05:18 AM
#482
Posted 01 April 2021 - 06:51 AM
#483
Posted 02 April 2021 - 11:48 AM
Can't be helped. Documentation is not easy.
At least (I think) the wiki is editable by everyone.
... (the wiki is HTTP-only?)
Edited by anon34, 02 April 2021 - 12:00 PM.
#484
Posted 02 April 2021 - 02:25 PM
Yeah this topic is quite a complex one, this is the documentation I have so far.
I am probably rewriting and rediscovering a lot of things but I think it is pretty important if I want to create proper in-depth documentation about it.
I am using GitHub just because I find it nicer and more accessible to have the code and documentation under the same project.
Of course if you find anything wrong in my explanations I will be happy to fix it and expand it
#485
Posted 02 April 2021 - 04:03 PM
Correction: it's possible to type any non-null character with the "unstable character" (2 last bytes of the random seed).
It's hard and time-consuming, but still better than impossible.
The loader can "run" ROP programs larger than 100 bytes (and with null bytes) (although null won't work with strcpy (for stack restore for example), memcpy can still be used)
About the getkeycode thing, it's also possible to simply add two getkeycode values together (I think it's used in the previous loader. It is sufficient to represent all byte values; however it's not easy to derive the two keys to press manually)
It might be required if the more complex solution cannot fit in 100 bytes.
Edited by anon34, 02 April 2021 - 04:08 PM.
#486
Posted 02 April 2021 - 04:10 PM
yeah, I should add about the unstable char/counter thing. And yeah given the loader can input any character it is just a waste of time to use it.
#487
Posted 05 April 2021 - 07:07 PM
Oh, cool. Hope some more work is done on this. This is my first time seeing a project like this but I was disappointed that there wasn't enough material I could read up on, but thanks for the docs, they seem pretty informative.
#488
Posted 05 April 2021 - 10:49 PM
I will probably continue working on it more this weekend.
#489
Posted 07 May 2021 - 12:03 PM
I have decided to set up a Discord server for hacking Casio calculators in hopes of making it more popular again.
Here is the invite: https://discord.gg/QjGpH6rSQQ
#490
Posted 07 May 2021 - 03:11 PM
That isn't really the problem, is it?...
Rather, it's just that nobody has anything to say/do.
The Chinese forum is (or not? I didn't actually check) still somewhat active.
Edited by anon34, 07 May 2021 - 03:13 PM.
#491
Posted 28 September 2021 - 10:18 PM
Which is the Chinese forum?
#492
Posted 29 September 2021 - 02:49 AM
#493
Posted 01 October 2021 - 03:46 PM
#494
Posted 03 October 2021 - 04:23 AM
I don't think it's practical at all -- although in theory you could do something useful with sufficient effort, as long as it fits in the memory.
Well, which problem you are solving can be used in practical calculations. If I don't have enough functions in the calculator, then I usually load the libraries built into the OS aka in hp-50g or in ti-83+. :-)
- Hlib2 likes this
#495
Posted 05 May 2022 - 10:27 AM
#496
Posted 06 May 2022 - 12:19 PM
Edited by anon34, 06 May 2022 - 12:36 PM.
#497
Posted 06 May 2022 - 12:42 PM
#498
Posted 06 May 2022 - 02:19 PM
Doesn't sound feasible, current methods use ROP instead of assembly (there's no known way to execute custom assembly in the calculator.)
Try learning if you want, but I won't be of too much help.
#499
Posted 01 August 2022 - 09:38 PM
https://tieba.baidu...._tag=0146836969
Post "Timing mode" (if translated via Google). I can't understand the first step. Can anyone explain?
PS, I managed to do this on a 991ES Plus, but not on a 82ES Plus. The problem is in the input mode: on a 82ES Plus the basic overflow forces the Math mode, but to input roots and powers infinitely we need Line mode.
Edited by siealex, 05 August 2022 - 12:13 AM.
#500
Posted 05 August 2022 - 01:21 AM
I guess something went wrong with Baidu's censorship and some posts remain deleted.
(back in 2017 or so there was a mass post deletion, nowadays most but not all are restored. There's an archive uploaded somewhere, or online version at https://fxesms1.github.io. Use https://web.archive.org/ for the rest)
I reproduce 6F here. Regarding how to enter "N-point mode".
One complaint: Baidu's reply text box automatically strips the line breaks and carriage returns from the clipboard, so posting may be rather slow...
4. N-point mode (乱点模式)
Discovered by: Wuydfz
Method:
1. Enter basic overflow mode
2. [fraction bar] 32 times
3. [8][8][8][SHIFT][Ans][3], repeated 26 times
4. [AC][Right]
5. If the first 4 of the characters that appear are 8g88, go on to the next step; otherwise go back to step 1 and start over
6. [=], repeated n times, where n gives the corresponding n-point mode (e.g. n=15 is the 15-point mode on the 991+)
7. [AC]
Result: essentially the same as N-point mode on the 991+
Edited by anon34, 05 August 2022 - 01:22 AM.
- siealex likes this
#501
Posted 05 August 2022 - 09:06 AM
YES!!! It works!
#502
Posted 05 August 2022 - 06:08 PM
Today I've found a 570VN Plus on our local auction. Are there any known hacks for it?
#503
Posted 06 August 2022 - 05:53 AM
Basic overflow obviously works (as well as stat-submode-0 mode and reset-all 68 mode), but to do anything else you need to know the function addresses and the current best way for that is brute force.
There's the emulator, which should help a bit in terms of finding addresses.
Edited by anon34, 06 August 2022 - 06:00 AM.
#504
Posted 06 August 2022 - 12:32 PM
Are there any "r" related hacks for it?
#505
Posted 06 August 2022 - 03:52 PM
#506
Posted 08 August 2022 - 10:55 AM
Are there any owners of FX-115ES PLUS here? Is it identical (in software) to FX-570VN PLUS or not? What model and version does it report in the diag mode?
#507
Posted 08 August 2022 - 06:19 PM
- siealex likes this
#508
Posted 10 August 2022 - 08:29 PM
Major discovery on 83GT Plus!
(A year ago on Discord, but unnoticed here...)
Hi, I have an FX-83GT plus and have found a deterministic way to enter mode 68, allowing for easy access to basic overflow
- Enter stat submode 0 (You can check the wiki if you don't know how to do it)
- Enter 183 [x^2] [x hat]
- Press [=]
- Press [ON] to unfreeze the calculator
- You're now in mode 68 and can achieve basic overflow, allowing hackstrings to be entered
Edited by siealex, 10 August 2022 - 08:30 PM.
#509
Posted 10 August 2022 - 08:53 PM
136 [x^2] [x hat] [=] entered TWICE in a row = Complete! Press
key.
PS, it does not always work, possibly after other similar strings, e.g. 135 x^2 x-hat.
Edited by siealex, 10 August 2022 - 08:55 PM.
#510
Posted 10 August 2022 - 11:02 PM
Another discovery (83GT Plus/85GT Plus). In the strings "three or four numbers, x^2, x-hat" only the SECOND and the THIRD numbers are relevant, the first one is usually not. Also x^2 can be replaced by x^3 in most cases.
#511
Posted 28 August 2022 - 09:34 PM
Any hacks for FX-300ES Plus (LY726X Ver. A)?
#512
Posted 04 October 2022 - 11:58 AM
Try to guess the model!
ROM 017 MODE P0 Press AC
Hint: its name contains "È"
Edited by siealex, 04 October 2022 - 05:18 PM.
#513
Posted 12 April 2023 - 06:50 AM
Does anyone know any hackstrings for the fx 991 es plus version f?
#514
Posted 15 July 2024 - 02:29 PM
It is actually very boring to do so, that's why I wrote a general purpose disassembler.
And, I use the replace regex function of Notepad++ to write the instruction set file format.
BTW I wrote a (Windows) program that simplifies the process of pressing keys in the emulator (you press the keyboard and the program controls your mouse to click on the button)
--- Key presser for calculator emulator ---
hi, thanks for this "key presser", it's fixing the missing STO for fx-CG50 emulator (legal one) for me :-) ... great
#515
Posted 07 October 2024 - 07:05 PM
--- How to enter a hackstring (translated to English) ---
[991ES+ and 570ES+ only]
+ A hackstring always has 100 characters.
+ The basic memory layout of the RAM is
[ --- Input part, 100 bytes ---][ --- Cache part, 100 bytes --- ][ --- Random seed, 8 bytes --- ][ --- Counter, 2 bytes ---]
where:
Input part: The part used to store the formula displayed on the screen.
Cache part: "backlog" called by LBPHacker. To avoid confusion with the replay memory, that part is also used in STAT mode, and is cleared after pressing ON, even in 68 mode.
Random seed: Changes every time Ran# or RanInt# is called by some random number generator formula (which one I don't know)
Counter: Increases by 1 every time the cursor flashes, also called "unstable character". This will be useful later.
+ All hackstrings take exactly 100 bytes.
+ How to enter the hackstring:
* Execute basic overflow. (see post #208) (post number may change if someone deletes their post)
By now the cursor is already to the right of a null character.
* Enter 91 (any) bytes.
After entering 90 bytes the screen should show something like
◄8901234567890| 0
and after entering 1 more byte the screen should show
◄9012345678901|X► 0
(assuming you enter 12345678901234...)
* Now you should enter 100 characters of the hackstring.
* Then, to verify you entered the correct number of characters, enter 8 more bytes. Most of the time (when the lower byte of the counter is not null), some character should appear to the right of your cursor, just like how the "X" character appears to the right of your cursor when you have entered 91 bytes.
* Whether you have verified or not, press {AC} {◄} {=}
(I decide to wrap buttons in {curly brackets} to avoid special BBCode)
Done.
To test your understanding, try to enter this hackstring:
[991ES+ and 570ES+ only]
<52 characters> cv24 M 1 - F cv26 cv40 - Integrate econst 0 - tan^-1( D 0 - cs26 cv26 cs16 D 1 - cv12 = 0 - sin( 2 0 - 0 cv34 Integrate econst 0 - (-) cs32 0 - ⅃ Ans ^( cs32 0 - <2 remaining characters>
Some clarification:
+ All characters are separated by a space.
+ (-) is negative symbol.
+ econst = cs23.
+ tan^-1( is arctan function ( {Shift} {tan} )
+ ^( is the exponential sign in LineIO mode. ( 2 ^( 3 ) = 8 )
Warning:
* previously kaikun97 and SopaXorzTaker call hackstring = "whatever appear before character 'r' in glitched STAT mode". Now that should be "basic overflow hackstring".
does this work on the fx-991EX, since it has 200 bytes of storage for formulas instead of 100, won't I have to type more than 91 bytes before the hackstring?
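The length rule and RAM layout quoted in post #515, as an added example (not code from any poster or from the loader project): it counts a hackstring written in the post's space-separated notation and maps each typing phase onto the four regions. It assumes typed bytes fill the layout contiguously and that after the 8 verification bytes the cursor sits directly left of the counter, which is inferred from the post's remark about the counter's lower byte; the function names are made up for this sketch.

```python
import re

# Region sizes, in order, from the RAM layout quoted in post #515.
REGIONS = [("input", 100), ("cache", 100), ("random_seed", 8), ("counter", 2)]
# Typing phases from the same post: filler, hackstring, length check.
PHASES = [("filler", 91), ("hackstring", 100), ("verify", 8)]
PLACEHOLDER = re.compile(r"<(\d+)(?: remaining)? characters>")

# The practice hackstring from the post, copied in its own notation.
SAMPLE = ("<52 characters> cv24 M 1 - F cv26 cv40 - Integrate econst 0 - "
          "tan^-1( D 0 - cs26 cv26 cs16 D 1 - cv12 = 0 - sin( 2 0 - 0 cv34 "
          "Integrate econst 0 - (-) cs32 0 - ⅃ Ans ^( cs32 0 - "
          "<2 remaining characters>")

def notation_length(notation):
    """Characters in the notation: one per space-separated token, and N for
    each '<N characters>' / '<N remaining characters>' placeholder."""
    elided = sum(int(m.group(1)) for m in PLACEHOLDER.finditer(notation))
    return elided + len(PLACEHOLDER.sub(" ", notation).split())

def region_at(offset):
    """Region holding the byte at `offset` from the start of the input part."""
    for name, size in REGIONS:
        if offset < size:
            return name
        offset -= size
    raise ValueError("offset is past the counter")

def entry_plan():
    """(phase, first offset, last offset, first region, last region) per phase.
    Assumption: the cursor ends directly left of the counter (see lead-in)."""
    counter_start = sum(size for name, size in REGIONS if name != "counter")
    pos = counter_start - sum(n for _, n in PHASES)  # inferred start offset
    plan = []
    for phase, n in PHASES:
        last = pos + n - 1
        plan.append((phase, pos, last, region_at(pos), region_at(last)))
        pos += n
    return plan

if __name__ == "__main__":
    print("sample length:", notation_length(SAMPLE))
    for row in entry_plan():
        print(row)
```
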
#516
Posted 08 October 2024 - 08:36 PM
i mean, the post says it's ES-PLUS only...
also, this forum is dead lol
- theodeo likes this