FX-82/-83GT/-115/-991ES PLUS Hacking


512 replies to this topic

#41 SopaXorzTaker

SopaXorzTaker

    Casio Freak

  • Moderator
  • PipPipPipPip
  • 155 posts
  • Gender:Male
  • Interests:Electronics and programming.

  • Calculators:
    fx-991ES PLUS

Posted 22 August 2016 - 02:43 PM

By the way, what happens when you store "a" in a variable and then put the variable into the table?



#42 SopaXorzTaker

Posted 22 August 2016 - 02:57 PM

Oh, that's cool. What happens if you try storing a sequence like a(r(b(AnsAnsr into a variable?



#43 SopaXorzTaker

Posted 22 August 2016 - 03:45 PM

Hm, interesting. Try corrupting the memory with the hackstrings I've mentioned.



#44 SopaXorzTaker

Posted 22 August 2016 - 04:54 PM

It freezes, most likely because r is in it and that just freezes on my model

I meant assigning variables with them. You can try replacing r with a or b instead.



#45 SopaXorzTaker

Posted 23 August 2016 - 09:11 AM

By the way, the forensic result for my fx-991ES PLUS said: 9.00000000733338. I don't know why though.

EDIT: That value is unique to fx-115ES and fx-300ES. I guess that's another different chip or firmware.

Explains why some glitches that work on fx-82ES and fx-83GT do not work on my calculator.


Edited by SopaXorzTaker, 23 August 2016 - 09:18 AM.


#46 SopaXorzTaker

Posted 23 August 2016 - 09:26 AM

DATASHEET FOUND!

See the first post.



#47 SopaXorzTaker

Posted 23 August 2016 - 06:45 PM

Apparently, fx-991ES != fx-991ES PLUS, but fx-991ES == fx-115ES. I am pretty sure that fx-991ES PLUS uses the OKI chip mentioned above.



#48 SopaXorzTaker

Posted 23 August 2016 - 07:06 PM

Omg how did you find this? You are awesome. I am going to try and translate the pdf

Google-fu, literally "fx-991ES OKI"


@kaikun97, what are the checksums on your calculators?

Using those we can group them up by the chip used.


Edited by SopaXorzTaker, 23 August 2016 - 07:09 PM.


#49 SopaXorzTaker

Posted 23 August 2016 - 07:10 PM

GY465X VerG
SUM 7A03 OK
Pd- Read OK
Press AC
So the checksum is 7A03

 

That's fx-83GT I suppose, right?



#50 SopaXorzTaker

Posted 23 August 2016 - 07:11 PM

I wonder if ePS6800 is compatible with the nX-U8 core. If it is, the ROM image might apply for our models too.



#51 SopaXorzTaker

Posted 24 August 2016 - 12:28 PM

Datasheet for ePS6800: link.

I wonder if it shares the instruction set with the OKI or Hitachi chips.

By the way, what's the forensic result on HP's calculators?  Might tell something about the chip used.



#52 SopaXorzTaker

Posted 24 August 2016 - 01:43 PM

HP SmartCalc ROM recovered. Appears to be ePS6800 assembly. Writing a disassembler.



#53 SopaXorzTaker

Posted 24 August 2016 - 01:54 PM

The ROM we ideally want to be looking at is the HP 300s+ ROM; one of the zip files I linked has that. It is from the HP SmartCalc series. Is that the file you have?

Yes, exactly that one. I wrote a script to recover the nibble order, so now I have the ROM image ready to be decompiled.



#54 SopaXorzTaker

Posted 24 August 2016 - 03:43 PM

I'm writing a disassembler. If you are familiar with Python, please help adding instructions to it.

 

Also, there's an IDE for that microcontroller, could you please download it (link) and try disassembling the file that I'll send you?


Edited by SopaXorzTaker, 24 August 2016 - 03:51 PM.


#55 SopaXorzTaker

Posted 24 August 2016 - 03:53 PM

Oh sorry I only know C# and Javascript

I'll either try and port this to C# or take a look at python

As for the nX-U8 instruction set, C# has some interop stuff I can use with the U8 dlls that came with the fx82es emulator so I will also try and see what I can do with those

What do the U8 DLLs do with the emulator if it does not actually emulate the system behavior?

And also, please see the note that I added to my previous post.



#56 SopaXorzTaker

Posted 24 August 2016 - 04:04 PM

I'm not sure, maybe the ROM is inside the emulator but in code form, but either way those U8 DLLs will definitely be related to emulating the nX-U8 architecture or something related

 

I can't install the IDE because it wants a serial number

So, please try calling those DLL's, and also, could you upload them for me to look into?



#57 SopaXorzTaker

Posted 24 August 2016 - 04:07 PM

They are inside this zip [redacted link]

Thanks, will dig into them. Maybe they would reveal the instruction set.


Edited by flyingfisch, 04 November 2016 - 01:10 PM.
Removed link to copyrighted material


#58 SopaXorzTaker

Posted 24 August 2016 - 07:46 PM

What do I do with the IDE? It won't install, it wants a serial number

Hm, maybe ask Elan?



#59 SopaXorzTaker

Posted 24 August 2016 - 07:50 PM

That would likely involve having to pay for a license and I don't want to do that haha.

I wasn't so serious, but they could provide an evaluation copy if you ask politely :D



#60 SopaXorzTaker

Posted 25 August 2016 - 06:52 AM

So, kaikun97, could you please rewrite the disassembler in C#?

The instructions are described in the datasheet, as patterns of bits. The instruction set is apparently nibble-oriented, and that explains the weird format of the ROM.

You just have to read the nibbles and decode the instructions from them.



#61 SopaXorzTaker

Posted 25 August 2016 - 07:29 AM

By the way, what's the nX-U8's instruction set? It may help us with hackstrings.


Edited by SopaXorzTaker, 25 August 2016 - 07:35 AM.


#62 SopaXorzTaker

Posted 25 August 2016 - 07:52 AM

I don't know, I tried to google for it but no luck

So, maybe try interfacing those DLL's?



#63 SopaXorzTaker

Posted 25 August 2016 - 01:54 PM

So, kaikun97, could you please rewrite the disassembler in C#?

The instructions are described in the datasheet, as patterns of bits. The instruction set is apparently nibble-oriented, and that explains the weird format of the ROM.

You just have to read the nibbles and decode the instructions from them.

@kaikun97



#64 SopaXorzTaker

Posted 25 August 2016 - 02:38 PM

I had a look but it's quite confusing, it doesn't seem to work too well with C#, I am not the best at C# either which doesn't help. But shouldn't we focus on the OKI chipset, or does it use the same instruction set as the Elan chipset?

AFAIK the OKI one is not the same as Elan. Elan is mostly used in the clones, while OKI is used in the original models. As I can't gather nX-U8's documentation without buying a developer kit, I think we should dig into the Elan one now.



#65 SopaXorzTaker

Posted 26 August 2016 - 10:29 AM

@kaikun97, I have almost finished the disassembler. Want me to send you the disassembled ROMs?


Edited by SopaXorzTaker, 26 August 2016 - 10:29 AM.


#66 SopaXorzTaker

Posted 26 August 2016 - 11:09 AM

So, here it is: [redacted link]

There are some instructions which my disassembler was unable to parse, no idea why.

But overall, that looks pretty usable.


Edited by flyingfisch, 04 November 2016 - 01:15 PM.
Removed links to copyrighted material
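
An added example, not the disassembler written in this thread: a minimal table-driven decoder for a nibble-oriented instruction set as described in posts #60 and #66, which emits nibbles it cannot decode as data instead of stopping. The opcode patterns, mnemonics and sample bytes are constructed placeholders, not the ePS6800 encoding; real bit patterns have to come from the datasheet.

```python
# Added example: table-driven decoder for a nibble-oriented instruction set.
# HYPOTHETICAL_PATTERNS and SAMPLE_ROM are constructed, not the ePS6800 encoding.
# Pattern syntax: one character per bit; '0'/'1' are fixed, letters are operands.
HYPOTHETICAL_PATTERNS = [
    ("0000", "NOP"),
    ("0001 rrrr", "INC R{r}"),
    ("0010 rrrr kkkk", "LDI R{r}, #{k}"),
    ("1111 aaaa aaaa aaaa", "JMP 0x{a:03X}"),
]
SAMPLE_ROM = bytes.fromhex("01325AF12370")  # constructed; nibble 7 has no pattern

def to_nibbles(data, low_first=False):
    """Split bytes into 4-bit values; low_first swaps the order within each byte."""
    out = []
    for byte in data:
        hi, lo = byte >> 4, byte & 0xF
        out.extend((lo, hi) if low_first else (hi, lo))
    return out

def compile_pattern(pattern):
    """Return (length in nibbles, mask, value, {operand: bit positions, MSB first})."""
    bits = pattern.replace(" ", "")
    if len(bits) % 4:
        raise ValueError(f"not a whole number of nibbles: {pattern!r}")
    mask = value = 0
    fields = {}
    for pos, ch in enumerate(bits):
        shift = len(bits) - 1 - pos
        if ch in "01":
            mask |= 1 << shift
            value |= int(ch) << shift
        else:
            fields.setdefault(ch, []).append(shift)
    return len(bits) // 4, mask, value, fields

def disassemble(nibbles, patterns=HYPOTHETICAL_PATTERNS):
    """Return [(nibble offset, text)]; nibbles matching no pattern become .nib data."""
    table = [compile_pattern(p) + (fmt,) for p, fmt in patterns]
    table.sort(key=lambda e: -bin(e[1]).count("1"))  # most fixed bits first
    listing, pc = [], 0
    while pc < len(nibbles):
        for length, mask, value, fields, fmt in table:
            word = 0
            for n in nibbles[pc:pc + length]:
                word = (word << 4) | n
            if pc + length > len(nibbles) or word & mask != value:
                continue  # truncated at end of image, or fixed bits differ
            operands = {}
            for name, shifts in fields.items():
                operands[name] = sum(((word >> s) & 1) << i
                                     for i, s in enumerate(reversed(shifts)))
            listing.append((pc, fmt.format(**operands)))
            pc += length
            break
        else:
            # Unknown opcode: emit the raw nibble and retry one nibble further on.
            listing.append((pc, f".nib 0x{nibbles[pc]:X}"))
            pc += 1
    return listing

if __name__ == "__main__":
    for offset, text in disassemble(to_nibbles(SAMPLE_ROM)):
        print(f"{offset:04X}  {text}")
```

If a dump decodes to mostly `.nib` lines, try `to_nibbles(data, low_first=True)` before suspecting the pattern table, since a swapped nibble order produces the same symptom.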


#67 SopaXorzTaker

Posted 28 August 2016 - 09:13 AM

So yeah. Apparently nX-U8 and the Elan ePS6800 are completely different chips, as proven by this nX-U8 assembly example that I found.



#68 SopaXorzTaker

Posted 28 August 2016 - 09:21 AM

Ah then we need to try and focus on the OKI/Lapis one because that's the model we are trying to get ASM execution on

That's the nX-U8 architecture, which lacks documentation. We could try emailing Lapis Semiconductor for the document, but I doubt they'd answer.

We need the document called "nX-U8/100 Core Instruction Manual".



#69 anon34

anon34

    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 31 October 2016 - 03:39 PM

EDIT Google search for some redacted links:

+ #87: "ES模拟器简单分析" with quotes: decompiled C file. (That will link to an archive page and there is a link to a page with this title)

+ #86: https://tiplanet.org...pic.php?t=15695 : HP calculators. (HP provides its emulator for free, so it is not illegal)

+ #105: see #160

 

EDIT2 For some reason, kaikun97 / kasio deleted all his posts. (Most of) them are still stored in the Internet Archive (archive.org).

----------------------------

 

Have you done the project? What are you stuck at? Perhaps I can help.

I am focusing on the 570 vn+ because it has a (cracked) emulator on the computer. Currently I am using Cheat Engine to find the memory structure.

Do you have any idea of doing that hack on emulators?

Since the firmware of the non-plus models is the same, I created a 570es emulator from an 82es one.


Edited by user202729, 04 January 2017 - 08:36 AM.


#70 anon34

Posted 01 November 2016 - 03:36 PM

Sorry, what is "CPU architecture"? I googled for that but came up with a lot of properties (addressing mode, register, instruction set, etc.); which one do you want?


Edited by user202729, 01 November 2016 - 03:37 PM.


#71 anon34

Posted 02 November 2016 - 03:54 AM

Are you sure that -ES, -ES Plus and Classwiz calculators use the same instruction set? I have five different sources (bold below) of SimU8.dll and SimU8engine.dll, all from Casio calculator emulators.

 

+ The one from you and the one in fx-es plus manager trial are identical.

+ I also have a pair of DLLs from another fx-82es emulator; when you replace both files in your emulator with those it works normally, but not when you replace only one file.

+ The ones from 570VN PLUS are completely different, but are the same as the ones of the Classwiz model. That's why the empty-box hack on Classwiz can work on 570VN PLUS.

 

Edit: Although we knew that fx-991es and fx-991es plus use different chips, your fx-82es emulator has DLLs identical to the ones in fx-es plus manager trial. Or may that be an error of the fx-es plus manager?


Edited by user202729, 02 November 2016 - 09:09 AM.


#72 SopaXorzTaker

Posted 02 November 2016 - 05:16 PM

Alright, guys. I am going to get a fx-82ES PLUS which can be spared for experimentation by connecting my logic analyzer to it.

I don't want to kill my fx-991ES PLUS which is very nice.



#73 SopaXorzTaker

Posted 02 November 2016 - 05:22 PM

By the way, the pads P0 and P1 change the Pd value in the self test.

I was able to get Pd?, Pd0, Pd1, Pd2, and Pd3 by shorting them with a pencil.

 

Perhaps these are intended for choosing a calculator model to limit some software functionality.


Edited by SopaXorzTaker, 02 November 2016 - 05:24 PM.


#74 anon34

Posted 03 November 2016 - 10:17 AM

@kaikun97 I think he talks about the plus models since on non-plus models it is just "P0" instead of "Pd0".

-----

I think the new bug being on both VN PLUS and Classwiz is not because of a different instruction set but because of a new feature that automatically adds brackets to clarify meaning (for example, 1/AB will be converted to 1/(AB), where / is division).

So I will try to disassemble the fx-570vn plus emulator and see if I can get instruction set.

-----

You can do the similar hack on fx-570VN PLUS and fx-570ES PLUS in mode EQN:

Mode, 5, AC, ON (On after ~0.5 seconds after AC)

Compared to the STAT r hack, this one is much harder to get the timing exact.

If you succeed then you will be presented with a blank screen which stays there even if you press ON, like locking the calculator.

However if you wait for 1-2 minutes in that state it will display a screen which mostly consists of "ERROR".

Not sure if this can do anything...

 

I think this can also be done on other modes, INEQ, DIST and RATIO.

It is impossible to press AC then ON in emulators, but instead we have to explicitly set sub-mode (at [SimU8.dll+16CE6C]+80fa ) to 0.



#75 anon34

Posted 03 November 2016 - 10:29 AM

Apart from stat, which sets sub-mode to 1..8, base-n sets sub-mode to (n-1) (in dec, n=10, submode=9, etc.), ineq sets sub-mode to (degree+1), dist sets sub-mode to 1..7, ratio to 3, eqn to 1..4, and the rest to 0. Our available hack makes use of stat having sub-mode 0, but we can also make stat have different sub-modes, for example 9 or 15 (from base-n mode). In stat 9, calling small-A does not shut down the computer but instead shows a blank screen. Also I managed to get "NULL ERROR" and "                     " on the 570vn plus calculator.

---------------------------------------------------------------------------------------------

@SopaXorzTaker Also, what is "logic analyzer"?


Edited by user202729, 03 November 2016 - 10:48 AM.


#76 anon34

Posted 03 November 2016 - 03:04 PM

Yes, it freezes on STAT 0 (if you use Cheat Engine on the fx-570vn plus emulator then there is a byte for what I call "sub-mode"), but what I am saying is that you can get it to work differently on STAT 9 or STAT 15.

You can try this: (I don't have any CASIO calculator, I use a VINACAL fx-570ES PLUS II one (only in Vietnam, I think), and I often borrow from my classmates, so I can't test it now)

 

Open BASE-N DEC. (570es plus and similar models only)

Press MODE 3 (STAT) and then AC ON. If you remain in BASE-N then you pressed ON too soon; if you are already in STAT without Reg (STAT 1) then you pressed ON too late and you have to enter BASE-N DEC again, you know.

 

That is the STAT 9 mode. STAT 15 can be accessed similarly but use HEX instead of DEC.

 

I think it may work to get different behavior on smallA (it actually got different behavior on my 570 vn plus emulator, blank/ERROR instead of shutdown) and/or r.

 

And, of course I have read all previous posts.



#77 SopaXorzTaker

Posted 03 November 2016 - 03:47 PM

One question is that the emulators might contain the calculator ROM if the U8 DLL is required (meaning it might indeed be a proper emulator). I decompiled the EXE and got no ROM file, so chances are it's coded into the EXE. However, if you use the HxD hex editor on Windows there is an option to view the RAM of a program; I was able to find some data that could be the ROM loaded on the fx82es emulator, as it had some plain text strings like "Syntax ERROR" around the hex data. I'll look more into it

Oh, that's very nice. Could you please dump the memory of a running emulator and publish the dump? That sounds very promising.

I guess that I couldn't find these strings in the executable or the DLLs because the ROM image was stored compressed or encrypted.



#78 anon34

Posted 03 November 2016 - 04:15 PM

@kaikun97 See that [deleted]

It is in Vietnamese because VINACAL calculators are Vietnam-specific, but you can translate it.


Edited by user202729, 04 November 2016 - 03:38 PM.


#79 SopaXorzTaker

Posted 03 November 2016 - 04:29 PM

kaikun97, could you please invoke the self-testing procedure in the emulator and take a screenshot of the checksum screen? I want to test something.



#80 SopaXorzTaker

Posted 03 November 2016 - 04:49 PM

Oh, that's a non-plus emulator. Is there any for the PLUS models? I need a RAM dump of a PLUS emulator.





