FX-82/-83GT/-115/-991ES PLUS Hacking
Posted 01 April 2021 - 06:51 AM
Posted 02 April 2021 - 11:48 AM
Can't be helped. Documentation is not easy.
At least (I think) the wiki is editable by everyone.
... (the wiki is HTTP-only?)
Edited by anon34, 02 April 2021 - 12:00 PM.
Posted 02 April 2021 - 02:25 PM
Yeah this topic is quite a complex one, this is the documentation I have so far.
I am probably rewriting and rediscovering a lot of things but I think it is pretty important if I want to create proper in-depth documentation about it.
I am using github just because I find it nicer and more accessible to have the code and documentation under the same project.
Of course if you find anything wrong in my explanations I will be happy to fix it and expand it
Posted 02 April 2021 - 04:03 PM
Correction: it's possible to type any non-null character with the "unstable character" (2 last bytes of the random seed).
It's hard and time-consuming, but still better than impossible.
The loader can "run" ROP programs larger than 100 bytes (and with null bytes) (although null won't work with strcpy (for stack restore for example), memcpy can still be used)
About the getkeycode thing, it's also possible to simply add two getkeycode value together (I think it's used in the previous loader. It is sufficient to represent all byte values; however it's not easy to derive the two keys to press manually)
It might be required if the more complex solution cannot fit in 100 bytes.
Edited by anon34, 02 April 2021 - 04:08 PM.
Posted 02 April 2021 - 04:10 PM
yeah, I should add about the unstable char/counter thing. And yeah given the loader can input any character it is just waste of time to use it.
Posted 05 April 2021 - 07:07 PM
Oh, cool. Hope some more work is done on this. This is my first time seeing a project like this but I was disappointed that there wasn't enough material I could read up on, but thanks for the docs, they seem pretty informative.
Posted 05 April 2021 - 10:49 PM
I will probably continue working on it more this weekend.
Posted 07 May 2021 - 03:11 PM
That isn't really the problem, is it?...
Rather, it's just that nobody has anything to say/do.
The Chinese forum is (or not? I didn't actually check) still somewhat active.
Edited by anon34, 07 May 2021 - 03:13 PM.
Posted 01 October 2021 - 03:46 PM
Posted 03 October 2021 - 04:23 AM
I don't think it's practical at all -- although in theory you could do something useful with sufficient effort, as long as it fits in the memory.
Well, which problem you are solving can be used in practical calculations. If I don't have enough functions in the calculator, then I usually load the libraries built into the OS aka in hp-50g or in ti-83+. :-)
Posted 05 May 2022 - 10:27 AM
Posted 06 May 2022 - 12:19 PM
Edited by anon34, 06 May 2022 - 12:36 PM.
Posted 06 May 2022 - 12:42 PM
Posted 06 May 2022 - 02:19 PM
Doesn't sound feasible, current methods use ROP instead of assembly (there's no known way to execute custom assembly in the calculator.)
Try learning if you want, but I won't be of too much help.
Posted 01 August 2022 - 09:38 PM
Post "Timing mode" (if translated via Google). I can't understand the first step. Can anyone explain?
PS, I managed to do this on a 991ES Plus, but not on a 82ES Plus. The problem is in the input mode: on a 82ES Plus the basic overflow forces the Math mode, but to input roots and powers infinitely we need Line mode.
Edited by siealex, 05 August 2022 - 12:13 AM.
Posted 05 August 2022 - 01:21 AM
I guess something went wrong with Baidu's censorship and some posts remain deleted.
(back in 2017 or so there was a mass post deletion, nowadays most but not all are restored. There's an archive uploaded somewhere, or online version at https://fxesms1.github.io. Use https://web.archive.org/ for the rest)
I reproduce 6F here. Regarding how to enter "N-point mode".
One complaint: Baidu's reply box automatically strips the newline and carriage-return characters from the clipboard, so posting may be a bit slow...
4. Chaos mode
Discovered by: Wuydfz
Method:
1. Enter basic overflow mode
2. 32 [fraction line]
3. [SHIFT][Ans], repeated 26 times
4. [AC][Right]
5. If the first 4 of the characters that appear are 8g88, go to the next step; otherwise go back to step 1 and start over
6. [=], repeated n times; n corresponds to the n-times chaos mode (e.g. n=15 is the 15 chaos mode on the 991+)
7. [AC]
Phenomenon: basically the same as the chaos mode on the 991+
Edited by anon34, 05 August 2022 - 01:22 AM.
Posted 05 August 2022 - 06:08 PM
Today I've found a 570VN Plus on our local auction. Are there any known hacks for it?
Posted 06 August 2022 - 05:53 AM
Basic overflow obviously works (as well as stat-submode-0 mode and reset-all 68 mode), but to do anything else you need to know the function addresses and the current best way for that is brute force.
There's the emulator, which should help a bit in terms of finding addresses.
Edited by anon34, 06 August 2022 - 06:00 AM.
Posted 06 August 2022 - 03:52 PM
Posted 08 August 2022 - 10:55 AM
Are there any owners of FX-115ES PLUS here? Is it identical (in software) to FX-570VN PLUS or not? What model and version does it report in the diag mode?
Posted 08 August 2022 - 06:19 PM
Posted 10 August 2022 - 08:29 PM
Major discovery on 83GT Plus!
(A year ago on Discord, but unnoticed here...)
Hi, I have an FX-83GT plus and have found a deterministic way to enter mode 68, allowing for easy access to basic overflow:
- Enter stat submode 0 (you can check the wiki if you don't know how to do it)
- Enter 183 [x^2] [x hat]
- Press [=]
- Press [ON] to unfreeze the calculator
- You're now in mode 68 and can achieve basic overflow, allowing hackstrings to be entered
Edited by siealex, 10 August 2022 - 08:30 PM.
Posted 10 August 2022 - 08:53 PM
136 [x^2] [x hat] [=] entered TWICE in a row = Complete! Presskey.
PS, it does not always work, possibly after other similar strings, e.g. 135 x^2 x-hat.
Edited by siealex, 10 August 2022 - 08:55 PM.
Posted 10 August 2022 - 11:02 PM
Another discovery (83GT Plus/85GT Plus). In the strings "three or four numbers, x^2, x-hat" only the SECOND and the THIRD numbers are relevant, the first one is usually not. Also x^2 can be replaced by x^3 in most cases.
Posted 04 October 2022 - 11:58 AM
Try to guess the model!
ROM 017 MODE P0 Press AC
Hint: its name contains "È"
Edited by siealex, 04 October 2022 - 05:18 PM.