# FX-82/-83GT/-115/-991ES PLUS Hacking

512 replies to this topic

### #121 SopaXorzTaker

SopaXorzTaker

Casio Freak

• Moderator
• 155 posts
• Gender:Male
• Interests:Electronics and programming.

• Calculators:
fx-991ES PLUS

Posted 11 November 2016 - 02:34 PM

> So you mean that if the ROM is 01 02 03 04 05 06 07 08 then the checksum is (0102 + 0304 + 0506 + 0708 + 0807 + 0605 + 0403 + 0201) mod 10000 (hex)? If so, the checksum (of the part I mentioned) is 000000006CD646DD. If only the little-endian words are summed, then the sum is 0000000045628E7D.

No, not like this.

If the bytes are 01 02 03 04 05 06 07 08, a big-endian checksum would be:

((0x0102 + 0x0304) mod 0x10000) + ((0x0506 + 0x0708) mod 0x10000) mod 0x10000.

A little-endian one would be calculated like this:

((0x0201 + 0x0403) mod 0x10000) + ((0x0605 + 0x0807) mod 0x10000) mod 0x10000.

### #122 anon34

anon34

Casio Freak

• Members
• 268 posts

Posted 11 November 2016 - 03:08 PM

Why do you need so many mod 0x10000? For the big-endian checksum, just

(0102 + 0304 + 0506 + 0708) mod 10000

is enough.

The big-endian sum is in my older post (09 November 2016 - 05:04 PM): `the sum of 0x8000 words is 000000002773B860, different from 0xD457`. The little-endian sum is in my latest post: 0000000045628E7D.

### #123 anon34

Posted 11 November 2016 - 03:55 PM

@kaikun97 There is no ML610xxx.DCL, just M610xxx.DCL.

EDIT: Yes, it actually seems to be a file name error, since the correct name is inside the file. But I don't know why the file name must be that, since even adding the "L" would not exceed 8 characters, not to mention that Windows supports many characters.

Edited by user202729, 14 November 2016 - 01:36 PM.

### #124 anon34

Posted 12 November 2016 - 03:30 PM

The Plus series will likely use a newer variant. The OKI ML610901 is discontinued, but the Plus models are still being made, so they must be using a similar chipset that is still being made. Is the OKI ML610413P, which has similar specs, perhaps the one being used in the Plus models?

Calculators based on the Hitachi HCD62121 or a similar chip have this result:    9.00000000733343.

The newer calculators based on the OKI ML610901 have this one:                      9.00000000733338.

For the non plus Casio ES models they all use the OKI ML610901 chipset.

So we are still inconclusive about which chip the calculators use? I will look into the M610xxx.DCL. Are we only sure about the nX/U8-100 core?

Also, what do those "P" and "Q" mean?

The product name is changed.

ML610413  -> ML610413P

ML610Q413-> ML610Q413P

(in the ML610413P pdf)

Edited by user202729, 12 November 2016 - 04:08 PM.

### #125 anon34

Posted 12 November 2016 - 04:14 PM

The EQN hack on the fx-570VN+ display (different from the display in the emulator):
(I hope that this is correct, because I copied it onto a piece of paper) (Be careful with O and zero)
(The first and last lines are truncated, but I guess)
```
      0R      0R ERROR0
-1io47RR ERRORR     0
0RR ERROR0 ERRORR
ERROR0R ERROR0     0R-
ERROR7R     0R     00
```
(io is *10^ ; iȯ (not here) is *10^- )
fx-570ES+: (expected to be the same as the fx-991ES+ since only 1 byte differs, I guess)
```
-4io799 ERRORR-1io768 ER
ERRORR ERRORR     0  ER
ERRORR ERROR  ERROR6
09 ERRORR-4io566 ER
ERRORR 4  10R ERROR0 E
```
fx-500VN+:
```
-4io798 ERROR0 ERROR2
R ERROR  ERRORR
0R ERROR0 ERRORR ER
ERROR9-4io28R   -10R
0     ??? ERRORR ??
```
(I can't guess the ?'s, partially due to bad image quality)

The ROM is actually stored in the .exe file, but in this form:

```
0042726C - 8D 85 B0B6FFFF        - lea eax,[ebp-00004950]
00427272 - 50                    - push eax
00427273 - 6A 10                 - push 10 { 16 }
00427275 - 68 B0100000           - push 000010B0 { 4272 }
0042727A - C7 85 B0B6FFFF 6E746178 - mov [ebp-00004950],7861746E { "ntax" }
00427284 - C7 85 B4B6FFFF 20455252 - mov [ebp-0000494C],52524520 { " ERR" }
0042728E - C7 85 B8B6FFFF 4F52004D - mov [ebp-00004948],4D00524F { 1291866703 }
00427298 - C7 85 BCB6FFFF 61746820 - mov [ebp-00004944],20687461 { "ath " }
004272A2 - FF D6                 - call esi
004272A4 - 8D 8D 90B6FFFF        - lea ecx,[ebp-00004970]
004272AA - 51                    - push ecx
004272AB - 6A 10                 - push 10 { 16 }
004272AD - 68 C0100000           - push 000010C0 { 4288 }
004272B2 - C7 85 90B6FFFF 4552524F - mov [ebp-00004970],4F525245 { "ERRO" }
004272BC - C7 85 94B6FFFF 5200496E - mov [ebp-0000496C],6E490052 { 1850277970 }
004272C6 - C7 85 98B6FFFF 73756666 - mov [ebp-00004968],66667573 { "suff" }
004272D0 - C7 85 9CB6FFFF 69636965 - mov [ebp-00004964],65696369 { "icie" }
004272DA - FF D6                 - call esi
```

(from Cheat Engine disassembler)

The part that writes this is named "SimU8core.CSimU8core::m_SetCodeMemoryDefaultCode"

What is "code memory"? Can there be "code" inside there?
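The two calls in this listing can be turned back into the bytes they write. The following added example (not code from the thread or from the emulator) parses the Cheat Engine lines and reassembles each 16-byte buffer; it assumes, from the pushed values alone, that the called routine takes (destination offset, length, buffer pointer).

```python
import re

# Cheat Engine listing copied from the post above: address - bytes - instruction.
LISTING = """\
0042726C - 8D 85 B0B6FFFF        - lea eax,[ebp-00004950]
00427272 - 50                    - push eax
00427273 - 6A 10                 - push 10 { 16 }
00427275 - 68 B0100000           - push 000010B0 { 4272 }
0042727A - C7 85 B0B6FFFF 6E746178 - mov [ebp-00004950],7861746E { "ntax" }
00427284 - C7 85 B4B6FFFF 20455252 - mov [ebp-0000494C],52524520 { " ERR" }
0042728E - C7 85 B8B6FFFF 4F52004D - mov [ebp-00004948],4D00524F { 1291866703 }
00427298 - C7 85 BCB6FFFF 61746820 - mov [ebp-00004944],20687461 { "ath " }
004272A2 - FF D6                 - call esi
004272A4 - 8D 8D 90B6FFFF        - lea ecx,[ebp-00004970]
004272AA - 51                    - push ecx
004272AB - 6A 10                 - push 10 { 16 }
004272AD - 68 C0100000           - push 000010C0 { 4288 }
004272B2 - C7 85 90B6FFFF 4552524F - mov [ebp-00004970],4F525245 { "ERRO" }
004272BC - C7 85 94B6FFFF 5200496E - mov [ebp-0000496C],6E490052 { 1850277970 }
004272C6 - C7 85 98B6FFFF 73756666 - mov [ebp-00004968],66667573 { "suff" }
004272D0 - C7 85 9CB6FFFF 69636965 - mov [ebp-00004964],65696369 { "icie" }
004272DA - FF D6                 - call esi
"""

LEA = re.compile(r"lea \w+,\[ebp-([0-9A-F]+)\]")
MOV = re.compile(r"mov \[ebp-([0-9A-F]+)\],([0-9A-F]+)")
PUSH = re.compile(r"push ([0-9A-F]+)")  # immediates only; "push eax" does not match


def recover_chunks(listing):
    """Return {code_memory_offset: bytes} for every call in the listing."""
    chunks = {}
    base, pushes, stores = None, [], {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        # Third column is the instruction; drop Cheat Engine's { ... } comment.
        asm = line.split(" - ", 2)[2].split("{")[0].strip()
        lea, mov, push = LEA.fullmatch(asm), MOV.fullmatch(asm), PUSH.fullmatch(asm)
        if lea:
            base = int(lea.group(1), 16)           # start of the stack buffer
        elif mov:
            # x86 stores the 32-bit immediate little-endian.
            stores[int(mov.group(1), 16)] = int(mov.group(2), 16).to_bytes(4, "little")
        elif push:
            pushes.append(int(push.group(1), 16))
        elif asm.startswith("call"):
            if base is None or len(pushes) != 2:
                raise ValueError("unexpected call setup")
            length, offset = pushes                # assumed argument order
            buf = bytearray(length)
            for disp, raw in stores.items():
                pos = base - disp                  # ebp-4950 is byte 0, ebp-494C is byte 4
                if 0 <= pos <= length - 4:
                    buf[pos:pos + 4] = raw
            chunks[offset] = bytes(buf)
            base, pushes, stores = None, [], {}
    return chunks


def strings_in(chunks):
    """Join chunks that are contiguous in code memory and split at NUL bytes."""
    image, expected = b"", None
    for offset in sorted(chunks):
        if expected is not None and offset != expected:
            raise ValueError("chunks are not contiguous")
        image += chunks[offset]
        expected = offset + len(chunks[offset])
    return [part.decode("ascii") for part in image.split(b"\x00")]


if __name__ == "__main__":
    for offset, data in recover_chunks(LISTING).items():
        print(hex(offset), data)
    print(strings_in(recover_chunks(LISTING)))
```

The first and last strings are cut off because the listing covers only offsets 0x10B0 to 0x10CF of what the routine writes.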

### #126 SopaXorzTaker

Posted 12 November 2016 - 07:07 PM

The code memory is used to store the executable code for the nX-U8 in the emulator, I think.

### #127 anon34

Posted 13 November 2016 - 03:34 AM

I found another part of the memory that contains the string "LY710XA" and is possibly the part over which the checksum is calculated. It is from offset 0x5AB4BC in the dump file I sent to @SopaXorzTaker.

(BE: big endian, LE: little endian, B: byte)

D457 is still not found among those checksums, not even among those subtracted from FFFF.

That is more likely because the 570es+ and 991es+ differ in a byte of the model name (GY454XE and GY455XE) and in the checksum. But the checksum procedure may be subtracting from FFFF or something?

@kaikun97 Can you help me find those in my previous post (Posted 09 November 2016 - 09:21 PM)? I can't find them.

Edited by user202729, 18 November 2016 - 03:24 AM.
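The candidate checksums discussed in posts #121, #122 and #127 (big-endian words, little-endian words, bytes, and each subtracted from FFFF) can be computed in one pass. This added example, which is not code from the thread, also reduces the two full sums posted above to 16 bits and compares them with D457; the function names are made up for the example, and the eight-byte input is the 01..08 sample from post #121.

```python
TARGET = 0xD457                                       # checksum value quoted in the thread
POSTED_SUMS = {"BE": 0x2773B860, "LE": 0x45628E7D}    # untruncated sums posted above
SAMPLE = bytes(range(1, 9))                           # 01 02 03 04 05 06 07 08


def word_sum(data, byteorder, reduce_each_step=False):
    """Sum the 16-bit words of data ("big" or "little"), modulo 0x10000."""
    if len(data) % 2:
        raise ValueError("need an even number of bytes")
    total = 0
    for i in range(0, len(data), 2):
        total += int.from_bytes(data[i:i + 2], byteorder)
        if reduce_each_step:
            total &= 0xFFFF        # the intermediate "mod 0x10000" from post #121
    return total & 0xFFFF          # one final reduction gives the same result


def variants_from_sums(sums):
    """Map untruncated sums to every 16-bit candidate: sum and FFFF - sum."""
    out = {}
    for name, value in sums.items():
        low = value & 0xFFFF
        out[name] = low
        out["FFFF-" + name] = 0xFFFF - low
    return out


def variants(data):
    """All candidates for a block of bytes: BE words, LE words, plain bytes."""
    return variants_from_sums({
        "BE": word_sum(data, "big"),
        "LE": word_sum(data, "little"),
        "B": sum(data),
    })


def matching(candidates, target):
    """Names of the candidates equal to the stored checksum."""
    return sorted(name for name, value in candidates.items() if value == target)


if __name__ == "__main__":
    for name, value in variants(SAMPLE).items():
        print(f"{name:8} {value:04X}")
    posted = variants_from_sums(POSTED_SUMS)
    print({name: f"{value:04X}" for name, value in posted.items()})
    print("matches D457:", matching(posted, TARGET))
```

With a dump file, `variants(open(path, "rb").read()[start:end])` gives the same table for any region to be tested.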

### #128 anon34

Posted 13 November 2016 - 10:10 AM

I hope that the EQN hack can help with executing arbitrary code; however, full bytes are not possible because of the character map. Also, it is very slow because the screen has to update every time you move the cursor. So if you need to move 35 rows, that already takes more than an hour.

I think the chance of the executed code falling exactly at the formula is very low, as it is only 99 bytes.

I found a part that is accessed when the screen is displayed and lies in the same block as the LY710XA string, which I hope is the opcode to run the command that writes to the screen (it can be a code page too).

EDIT

If you change the value at [SimU8.dll+16CE88]+EB3B from 80 to FF, the screen does something weird on replay.

If you change the value at [SimU8.dll+16CE88]+EB0D from 70 to 71 (in hex), you can't move the cursor. Changing it to FF hangs the calculator.

(These parts are near the one I labelled "memory access when pr to scr (hope code) _ cmd: SimU8engine.CSimU8core::m_Execute+279E" in the cheat table.)

So they are likely to be code.

EDIT

It seems that the Cheat Engine official site no longer keeps CT files.

fx-570EX_991EX Emulator.CT: pastebin.com/DGfi5h6U
Casio fx570vn plus.CT: pastebin.com/1PnX6in3

Also:

@SopaXorzTaker can you revert flyingfisch's edits that mistakenly deleted non-copyrighted material, together with an explanation of why it is not copyrighted? (for future reference)

Edited by user202729, 12 March 2017 - 04:47 AM.

### #129 frankmar98

frankmar98

Casio Freak

• Moderator
• 127 posts
• Gender:Male
• Location:Spain
• Interests:Science, programming

• Calculators:
CFX-9970G
Graph 90+E (fx-GC50)
fx-9860G SD
HP Prime
TI-84+ CE-T
x2 TI-83+
TI-81
fx-4800p, fx-3650PII
fx-991SPX, fx-991ES PLUS, fx-100W

Posted 13 November 2016 - 03:54 PM

Awesome, guys!

You're doing nice work.

You can make a group in Google Drive to share whatever you want.

### #130 anon34

Posted 16 November 2016 - 04:25 AM

I have found a position in the memory that looks like the instruction pointer (IP) at SimU8.dll+16CEB4 (2 bytes). With that we can know exactly which part of the memory is executed. Does each command in nX/U8 core take 2 bytes? (From the PDF: − Instruction system: 16-bit instructions )

EDIT: Here is a record of how the IP changed.

```
..... E706 E70A E70E E710 E712 E714 E716 E71A E71C E720 E722 E6F6 E6F8 E6FA E752 E754 E756 E758 E75C E75E E762 E764 E768 E76A .....
```

Since the code at 59C2 is (possibly) the "wait" command, you see the IP as if it were always 59C2.

So each command is either 2 or 4 bytes. And there is a (conditional or not) jump at address E722.

Apart from that IP, there is another value at SimU8.dll+16CEB4 (1 byte) that is either 00 or 01. If it is 01, then the code to be executed lies in the memory block (10000 bytes, I guess) that contains "LY710XA". If it is 00, then the code lies in the block that contains "Syntax ERROR" and many other strings (including some unused ones). (I may have mixed up 00 and 01 here.)

Edited by user202729, 16 November 2016 - 06:04 AM.
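The reasoning in this post, as an added example that is not part of the original thread: differences between consecutive IP samples give the instruction lengths, and any other difference marks a control transfer. It assumes the trace contains every executed instruction; a taken branch that lands 2 or 4 bytes ahead would look sequential, and the length of the instruction at a transfer source cannot be read from the trace.

```python
# IP samples copied from the post above (the leading and trailing "....." are omitted).
TRACE = ("E706 E70A E70E E710 E712 E714 E716 E71A E71C E720 E722 E6F6 "
         "E6F8 E6FA E752 E754 E756 E758 E75C E75E E762 E764 E768 E76A")


def classify(trace, lengths=(2, 4)):
    """Split IP samples into instruction sizes and control transfers.

    Returns (sizes, transfers, conflicts): sizes maps an address to the
    observed instruction length, transfers lists (from, to) pairs whose step
    is not a plausible length, and conflicts lists addresses that were seen
    both falling through and transferring, or with two different lengths
    (for example a conditional branch inside a loop).
    """
    addrs = [int(word, 16) for word in trace.split()]
    sizes, transfers, conflicts = {}, [], set()
    for cur, nxt in zip(addrs, addrs[1:]):
        step = nxt - cur
        if step in lengths:
            if sizes.setdefault(cur, step) != step:
                conflicts.add(cur)
        else:
            transfers.append((cur, nxt))
    sources = {src for src, _ in transfers}
    conflicts |= sources & set(sizes)
    return sizes, transfers, sorted(conflicts)


def summarize(trace):
    """Group the classification into lists that are easy to compare."""
    sizes, transfers, conflicts = classify(trace)
    return {
        "two_byte": sorted(a for a, n in sizes.items() if n == 2),
        "four_byte": sorted(a for a, n in sizes.items() if n == 4),
        "transfers": transfers,
        "conflicts": conflicts,
        "all_even": all(a % 2 == 0 for a in sizes),
    }


if __name__ == "__main__":
    report = summarize(TRACE)
    print("4-byte:", [f"{a:04X}" for a in report["four_byte"]])
    print("2-byte:", [f"{a:04X}" for a in report["two_byte"]])
    for src, dst in report["transfers"]:
        print(f"transfer {src:04X} -> {dst:04X} ({dst - src:+#x})")
```

On the posted trace this reports a second transfer, from E6FA to E752, in addition to the one at E722.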

### #131 anon34

Posted 16 November 2016 - 09:41 AM

Some pages (Chinese; some are duplicates) discussing glitches of those calculators:

```
https://www.youtube.com/watch?v=Bk8uyjc0omQ&feature=youtu.be
http://www.cncalc.org/forum.php?mod=forumdisplay&fid=53&page=1&mobile=no
http://tieba.baidu.com/p/4663446751
http://www.cncalc.org/archiver/tid-11203.html
http://tieba.baidu.com/p/1806176917?pid=23342562310&cid=0#23342562310
http://tieba.baidu.com/p/1800667172
http://tieba.baidu.com/p/191863420
```

Remember, some are duplicates. I just compiled them here.

Some that I believe to be new:

`http://tieba.baidu.com/p/1336903118`

That is the 991es hack. It also works on my VINACAL 570 ES PLUS II and the fx-570VN PLUS emulator. So if we can exploit that, it should be easier, since we have the emulator, and I have investigated the emulator very deeply.

Some sites that I believe have an emulator:

`http://www.cncalc.org/thread-3746-1-1.html`

Edited by user202729, 18 November 2016 - 12:29 PM.

### #132 SopaXorzTaker

Posted 16 November 2016 - 02:59 PM

user202729, I did not understand http://tieba.baidu.com/p/1336903118. Could you please write a keystroke sequence to reproduce that?

Could you dump the whole memory of SimU8.dll, please?

### #133 anon34

Posted 17 November 2016 - 11:24 AM

I have tried this (sigma to 10^9) bug on the fx-570ES+ and fx-570VN+; they produce similar results. The fx-570ES has a slightly different result, but it also has that bug.

However, I can't follow all the steps. What I have done is (why are all things wrapped in square brackets not converted to buttons?)

ALL buttons are AC

[=] (Reset all)

[MODE] (SETUP)

[)] (X) [calc] (the 3D one) (∑) [)] (X) [)] (,) [)] (,) [0] [^]

(By now screen should show

`X=∑(X,1,1*10^(9`

)

[calc] [=] [right]

(repeat until you deleted the 1*10^(9)

[calc] [=]

(Screen show "Syntax ERROR")

[right]

Now press many buttons until the cursor turns into the solid box.

(Not very related: this also makes the character "cycle through all 256 characters" or the least significant byte of what I call RTC in my cheat table appear, so you can enter any character)

Now the original page says " [right] [=] [right] [=] ..."

However, after the first "=" the screen shows a horizontal bar, and after waiting for some time and pressing some keys randomly the horizontal bar disappears gradually; only two pixels remain.

-----------------------

If you see other behavior, then you can reply and I will translate the rest. However, there is a part that I don't understand: "enter the penultimate box" or "enter the last box" (translated by Google Translate and Microsoft Translate respectively).

Do you know how to dump a DLL? And why do you need its dump? The parts containing "LY710XA" and "Syntax ERROR" all lie in the file I provided to you (dump of Casio fx-570VN plus).

Also, if you dump the process multiple times, the blocks will lie in different positions.

Edited by user202729, 17 November 2016 - 11:41 AM.

### #134 SopaXorzTaker

Posted 17 November 2016 - 12:12 PM

I can't run the emulator on my machine, as I use Linux and Wine did not run it when I tried.

Yes, the glitch works for me, you can translate the rest. The calculator just hangs up after doing it, but in the process of mashing the buttons, sometimes the cursor rolls off to the beginning of the string.

### #135 anon34

Posted 17 November 2016 - 01:47 PM

What I want to say is that the calculator should not hang up after doing it.

That is, on an fx-570ES plus that I tried, I can't get through the last step (the second "[right] [=]"). It shows a horizontal bar of pixels after the first [=], and after some time it disappears gradually. Do you get different behavior? If so, can you capture a video and post it somewhere?

EDIT OK, perhaps that is correct, but the "10 Ans" is "Press [Ans] ten times", not "[0][Ans]".

In the last part I can't understand the "the penultimate box" part.

EDIT It may mean "reciprocal" (raise to the power of negative one). The "on the right of power of 2" is the "power" button, [x^?]

(I am not Chinese and my knowledge of English is not better than Google Translate, so I can't help you with that part)

Yes, I know you do not use Windows. What I want to say is that I found no point in dumping the dll and I don't know how to dump a dll. I think the memory of the dll is also dumped in the memory dump of the process I sent to you.

--------------------

I found one person (zhj) who seems to have successfully cracked (no-cd only, still limited to 30 days) the emulator here (Google Translate link). However, the link is broken now. One person on this site (critor) seems to have downloaded the program, but critor has been quite inactive recently, so we can't expect anything.

--------------------

Not only (Sigma sum): (Pi product), (Integral) and (Derivative) also work. It is just that integral and derivative are very fast, and product creates a math error quickly. So you have to press AC quickly.

--------------------

Also how to use [...] to create any buttons? At least [ = ] should work. Or I have to type ? But it is [ = ] !

Why is a button but [0] is not?

Also, I found another page describing the same glitch here. (with translator)

Edited by user202729, 18 November 2016 - 12:03 PM.

### #136 anon34

Posted 18 November 2016 - 01:58 AM

Tested on another fx-570ES+. It has different behavior: not a horizontal bar of pixels, but something like a barcode. Also, the behavior is different between the first time doing the glitch and later times, so the glitch must change some memory that Reset All and ++[ON] [ON] can't restore. EDIT On the emulator, "31 32" (character map numbers corresponding to "12") is filled everywhere in the memory and the IP changes a lot.

It only shows that behavior (barcode) when I press 12121212..., and not other number sequences.

------------------------------

Tested on the Classwiz fx-ex emulator. The glitch remains, but the behavior is different.

------------------------------

The "return to start" is caused by the fact that the cursor position is stored in only 1 byte, and once you have filled up to 255, it returns to 0. The same behavior can be seen with the empty-box hack. The "fill everywhere" is caused by overflowing (entering more than 99 bytes).

Edited by user202729, 18 November 2016 - 02:41 AM.

### #137 anon34

Posted 18 November 2016 - 06:43 AM

The description here seems to be easier to understand, but does not have as much content as the last one. (I use microsofttranslate.com). Posts 16 and 17.

### #138 anon34

Posted 19 November 2016 - 03:55 AM

Yes, overflow of the input (>99 bytes) causes filling everywhere in the memory, including the IP. However, I'm afraid that in those exceptional cases the emulator may not do its work correctly. I am debugging the code and see that the code will execute whatever we enter, in the case of the "X=Sigma(X,1,1*10^9" overflow.

Still debugging...

### #139 anon34

Posted 19 November 2016 - 08:45 AM

ARBITRARY CODE PART EXECUTION NEARLY FOUND!

I will post details later. That is "code part", so you can't use this to program yet.

### #140 anon34

Posted 19 November 2016 - 10:10 AM

If Casio knows about this topic and the many errors that we (and other people on cncalc and baidu tieba) discovered, they will fix those errors. Then we can no longer hack the calculator. What do you think about this?

-----------------------------------------------------------------------------------

So, I found it (arbitrary code part execution) after a lot of exhaustive work. I managed to jump the IP to the "ON" command, which is similar to pressing [ON].

This can be done on the emulator, but I can't give a link to download the emulator. Just search Google for "Casio fx570vn plus emulator" (the pages are not in English, and be careful with viruses, if any). There are cracked and non-cracked versions. The latter is harder to install because you have to do the hacks yourself.

Instructions: (Windows machines only)

1. Just to be sure, before opening the emulator, go to the folder %TEMP% (usually "C:\Users\<your user name>\AppData\Local\Temp") and delete all temporary files of the emulator there.

2. (Of course) Open the emulator. You can reset all if you want.

3. [MODE] (LineIO)

4. Input "  [)]   [CALC]   [3-dimensional log]   [)]   [)]     [)]    [*]    [0]  [^]    "

Now the screen shows

`X=∑(X,1,1*10^(9`

5. [CALC] [=] [LEFT] [CALC] [=] [RIGHT]

6. Enter 14 groups of ([0]). Other characters will likely work, but doing that will make it easier to count.

7. Press , and then enter [Least significant byte of IP] [Most significant byte of IP] [(arbitrary nibble) (code block)] instead of as usual.

8. And then enter , and count this group as the 15th one.

9. Now continue to enter groups until you have done the 24th group (so you have to enter another 9 groups) and then .

10. By now you have entered 247 characters, and the screen should show

`X=∑(X,1,2`

and the cursor is before the first X.

11. [LEFT] [=].

To jump to the ON command, it is at IP=757A of code block 0. So you have

Most significant byte of IP = 75 = character "x^2"

Least significant byte of IP = 7A = character "C1" (const 29)

Code block = 0 so you can enter 30 = character 0 whose least significant nibble is 0.

In block 15, enter " [x^2] [0]" instead of "".

Code block 0 is the one that contains the "Syntax ERROR" string and is executed often; code block 1 is the one that contains the "LY710XA" string and is executed only during calculation or key press.

Code blocks 2 to 7 seem to contain all zeroes (hopefully they can be changed ---> programming EDIT it seems that they can't be changed), and code blocks 8 to F are invalid.

If code block is 5 and IP is 1234, it is interpreted as if code block is 1 and IP is 41234. (code_block << 0x10 + IP == 51234)

Edited by user202729, 20 November 2016 - 03:20 PM.

### #141 SopaXorzTaker

Posted 19 November 2016 - 10:37 AM

> If Casio knows about this topic and the many errors that we (and other people on cncalc and baidu tieba) discovered, they will fix those errors. Then we can no longer hack the calculator. What do you think about this?

They already fix them with the new models.

I suppose that by "code blocks" you mean ROM pages. So did you find a way to set IP to an arbitrary value?

### #142 SopaXorzTaker

Posted 19 November 2016 - 10:42 AM

Now, we only need to know the nX-U8 instruction set. That way, we can write programs and hack them into the RAM so they get executed.

### #143 anon34

Posted 19 November 2016 - 12:32 PM

I actually don't know what "ROM pages" is. This is only a way for the memory address determine what to execute stored in the emulator.

Actually, my way to set the IP and code block only works for two blocks: the block that contains "Syntax ERROR" and the one that contains "LY710XA". It does not work for the RAM. I can't find any way to hack those blocks, but I will find one. Or we have to find a command in the ROM that says "Load from the RAM and execute".

Remember, I don't know what ROM pages are.

And remember, we can't find the nX-U8 instruction set unless we disassemble SimU8engine.dll: the m_Execute function.

We have an assembler, but not a disassembler. However we can try to assemble each command and see what they produce.

### #144 DE_user

DE_user

Newbie

• Members
• 4 posts

• Calculators:
casio fx-86DE Plus
casio afx 2.0

Posted 19 November 2016 - 01:37 PM

hey,

... I've been following this thread for quite a while now.

I have a "Casio fx-86DE Plus" calculator.

Properties:
```
LY723X VerA
SUM 5D78 OK
forensic result:
9.00000000733338
```

It is possible to get the Reg menu.
But all characters have no effect.
Using them with equal [=] resets the calc most of the time.
Storing them as variables [M+] or [STO] freezes the calc.

Something that I realized and no one mentioned before: If I try to assign x^ or y^ to a variable or M, it gives me a syntax error.

I have some experience in assembler and processor architecture but can't help with disassembling DLLs.

If you want me to test something on my calc or something else, feel free to message me. (English is not my first language)

### #145 anon34

Posted 19 November 2016 - 01:39 PM

@DE_user, what does your calculator display in the EQN hack? What about SopaXorzTaker's 991ES? I expect it to be the same as the 570ES I tried.

@SopaXorzTaker You know how new the EX series is. And the sigma glitch still remains on those EX calculators. Also, I spent a lot of time finding those glitches, and I don't believe Casio spends that much time searching. So far I only know Casio fixed:

+ The Pol( screen-overflow hack.

+ The MS series' Edit-OFF 0 1 hack. (I believe that's intentional by Casio)

+ The Classwiz box. (Or those calculators don't have auto-add-bracket feature at all)

Also, I notice that, in my hack, if you press "234" as usual (so block 4, IP = 0x3332), the calculator can't return to normal by pressing ON after that, although the IP still jumps to 757A, executes to 7586 or 7592 or something, and then gets stuck there.

Edited by user202729, 19 November 2016 - 02:11 PM.

### #146 DE_user

Posted 19 November 2016 - 01:58 PM

> @DE_user, what does your calculator display in the EQN hack?

It's not possible on my calc because there is no EQN, INEQ, DIST or RATIO mode.
I could borrow an fx-991DE Plus, though, and try it out on that model (the 991DE has very similar behaviour).

### #147 anon34

Posted 19 November 2016 - 02:11 PM

@kaikun97, can you find the registers of the emulators? I uploaded a new cheat table.

Edited by user202729, 19 November 2016 - 02:15 PM.

### #148 anon34

Posted 19 November 2016 - 02:16 PM

@kaikun97 If I knew it, I would do it myself. I expect someone who is better at hacking than me can do it.

### #149 anon34

Posted 20 November 2016 - 07:11 AM

n = 1101(bin) = 13(dec)

It means that R13 is used by the instruction. AFAIK there are sixteen 16-bit registers.

By tracing where the values of calculator's variable (for example "A") go to, I found out they go to the address SimU8.dll+16CEA0+4+X, where X is a number from 0 to 0xF = register number. But I think that there are sixteen 8-bit registers.

### #150 anon34

Posted 20 November 2016 - 10:42 AM

You should find some information about Cheat Engine, and then you should understand what I mean. You know, I mostly get information by disassembling / debugging the emulators, so I don't have an 83GT+ emulator --> I can't make it do anything except hang on a blank screen. What do you know about register size? 16-bit or 8-bit?

### #151 DE_user

Posted 20 November 2016 - 02:16 PM

There is another tool for reverse engineering programs; it's called OllyDbg.

https://en.m.wikiped...rg/wiki/OllyDbg

It can debug any program and trace data movement.
I don't know how useful this may be on an emulator. I'm not very familiar with Cheat Engine, but OllyDbg may be an easier alternative.

### #152 anon34

Posted 20 November 2016 - 02:43 PM

@kaikun97 / @kasio I think the registers are 8 bit like the CPU and each instruction is (a multiple of) 16 bit.

@DE_user And I am not familiar with OllyDbg (I knew it already). Also read this. We obviously do not need patching, and about code analysis (I think, and if I understand correctly) a de-compiler is better. What about the 991DE+ eqn hack? And, if the 991DE+ has sigma, can you try the IP hack and post here the result (tomorrow)?

Edited by user202729, 20 November 2016 - 02:47 PM.

### #153 DE_user

Posted 20 November 2016 - 06:06 PM

> What about the 991DE+ eqn hack? And, if the 991DE+ has sigma, can you try the IP hack and post here the result (tomorrow)?

I'll try both hacks tomorrow and will share my results here.

### #154 anon34

Posted 21 November 2016 - 11:31 AM

SopaXorzTaker, what is "logic analyzer"?

--------------------------------------------

Results of my test on a real 570ES+ and 570VN+:

(I will describe a hack similar to my IP-hack as characters in square bracket, for example my original IP hack is

[ {1234567890}^14 1 C1 ^2 0 567890 {1234567890}^9 1234567 ]

1. On the real 570VN+, my IP-hack up there just hangs the calculator. I guess it is because, apart from the IP, other important memory regions and registers are also corrupted. We need to find correct data to put in the other places instead of just 1234567890.

2. In the hack [ {12}^123 1 ] (or equivalently [ {1212121212}^24 1212121 ] ) the screen shows a horizontal line of pixels, which leaves some trace after a Reset all. I guess that may be harmful to the display of the screen.

3. Similar to the hack above, [ {1212121212}^14 1219121212 {1212121212}^9 1212121 ] freezes the 570VN+. (Only a 2 is replaced by 9.) In the emulator, code blocks from 9 to F freeze the calculator, and so does the real calculator. So I believe that position (4th character in the 15th block) will be stored to the code block.

4. The hack above on the 570ES+ will produce something like the "Matrix hack" on the screen. SopaXorzTaker, you can try that on your calculator and record the pixels. I guess that is overflow from what you enter into the screen buffer (not the real screen).

Explanation: If you debug the calculator emulator with Cheat Engine attached and with my cheat table (Windows only), then you will see that:

- screen buffer:
  + uses 12 bytes per line
  + is not changed when entering a menu (for example, pressing MODE)
  + does not have cursor blink
  + the emulator's screen does not change instantly when it is changed by Cheat Engine, but it changes when you enter a menu and return
  + is filled gradually when pressing ON in EQN mode

- real screen:
  + uses 16 bytes per line (4 last bytes are always 00)
  + is changed when entering a menu
  + the emulator's screen changes instantly when it is changed by Cheat Engine and is deleted when you enter a menu and return
  + is copied from the buffer when filling is done in EQN mode

(In some hack on 570ES+ like the [ {1234567890}^14 1999567890 {1234567890}^14 1234567 ] if I remember correctly. On the screen you can easily see the bits)

5. On 570ES+, [ {1212121212}^14 121<Conv 40>121212 {1212121212}^9 1212121 ] makes a matrix screen where you can easily see that it is overflowed from what you entered.

--------------------------------------------

......

Edited by user202729, 21 November 2016 - 11:57 AM.
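The two layouts described in the post above (a 12-bytes-per-line screen buffer copied into a 16-bytes-per-line real screen whose last 4 bytes are 00), as an added example that is not code from the thread, the emulator or the calculator firmware. The function names, the caller-supplied row count and the MSB-is-leftmost bit order are assumptions made for illustration; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_STRIDE  12  /* screen buffer: 12 bytes per line (from the post) */
#define REAL_STRIDE 16  /* real screen: 16 bytes per line, last 4 always 00 */

/* Copy `rows` lines from the buffer layout into the real-screen layout and
 * zero the 4 padding bytes. Returns 0, or -1 if either region is too small
 * for `rows` lines (the length check that keeps a copy inside its region). */
int blit_buffer(const uint8_t *buf, size_t buf_len,
                uint8_t *real, size_t real_len, size_t rows)
{
    if (rows > buf_len / BUF_STRIDE || rows > real_len / REAL_STRIDE)
        return -1;
    for (size_t r = 0; r < rows; r++) {
        uint8_t *dst = real + r * REAL_STRIDE;
        memcpy(dst, buf + r * BUF_STRIDE, BUF_STRIDE);
        memset(dst + BUF_STRIDE, 0, REAL_STRIDE - BUF_STRIDE);
    }
    return 0;
}

/* Render the visible 96 pixels of one real-screen line as '#'/'.'.
 * Assumption: the most significant bit is the leftmost pixel.
 * `out` must hold BUF_STRIDE * 8 + 1 chars. */
void render_line(const uint8_t *line, char *out)
{
    for (size_t i = 0; i < BUF_STRIDE * 8; i++)
        out[i] = (line[i / 8] & (0x80u >> (i % 8))) ? '#' : '.';
    out[BUF_STRIDE * 8] = '\0';
}

int main(void)
{
    /* Constructed sample: two buffer lines of a repeating byte pattern,
     * standing in for a dump taken with a debugger; not a real dump. */
    uint8_t buf[2 * BUF_STRIDE], real[2 * REAL_STRIDE];
    char text[BUF_STRIDE * 8 + 1];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (i % 2) ? 0x32 : 0x31;
    if (blit_buffer(buf, sizeof buf, real, sizeof real, 2) != 0)
        return 1;
    for (size_t r = 0; r < 2; r++) {
        render_line(real + r * REAL_STRIDE, text);
        puts(text);
    }
    return 0;
}
```

Rendering a dumped region this way makes a repeating input pattern visible as repeating pixel columns, which is how stray data in the buffer shows up on screen.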

### #155 anon34

anon34

Casio Freak

• Members
• 268 posts

Posted 21 November 2016 - 01:45 PM

I think you can try those

http://tieba.baidu.com/p/1918631058

http://tieba.baidu.com/p/1800667172

if those are new to you...

About my previous post, I guess:

- fx 570ES does not hang when code-block > 8 (the hack [ (square root)^247 ] works well although that is block 8, IP = 9898)

- The emulator does not emulate exceptional cases well (after [ {1234567890}^24 1234567 ] the emulator can't turn on and the emulator never overflows to screen buffer)

### #156 anon34

anon34

Casio Freak

• Members
• 268 posts

Posted 21 November 2016 - 02:09 PM

Can you translate those? They are so hard to understand, even with Google Translate...

SopaXorzTaker has 991ES+ so perhaps he can try (but that is not related to arbitrary code execution anyway)

### #157 anon34

anon34

Casio Freak

• Members
• 268 posts

Posted 21 November 2016 - 02:51 PM

Moreover, there are many things that are based on what they discussed before (something like "enter abnormal mode 15"), and we can't find them. Well, it is exactly Google Translate because Chrome is created by Google.

I often use Google Translate to try to translate each word / two consecutive words in a paragraph to understand some things like the "penultimate" - reciprocal.

EDIT Well, the Chinese seem to find many sources (not just application) of bugs; another one is http://tieba.baidu.com/p/1633998602 (link from one of the links I posted above) (post 7)

fx-991ES plus table overflow hack?

Edited by user202729, 21 November 2016 - 03:01 PM.

### #158 anon34

anon34

Casio Freak

• Members
• 268 posts

Posted 22 November 2016 - 12:33 PM

1. What do you think about the fact that the screen can have different contrast at different positions?

2. When you turn on, does it leave traces on the screen? In the 570ES+ / VN+, actually there is a bit pattern on the line, that is some pixels fade out first, yours may be pattern (FF) (I don't think so because it is 21°24°27°)

I found a site (still Chinese) about glitches ("finishing paste") of 991ES+ at http://tieba.baidu.com/p/1949542063 . Seems to be easier to understand.

By now we have to:

1. Since we can't buy anything, including the nX/U8 document, I think the best we can do is try to assemble each command to see what it produces.

2. Distinguish kinds of memory of the emulator. (Obviously the calculator can't write to ROM)

3. With a list of commands, let's see if we can find a command that executes from what is writable.

-

Edited by user202729, 22 November 2016 - 12:38 PM.

### #159 anon34

anon34

Casio Freak

• Members
• 268 posts

Posted 22 November 2016 - 01:13 PM

We can easily see those commands in the assembly file:

bz bnz tb beq lea mov blt add bal l bl b

I guess "b" is branch, just like x86's "j".

Searching Google for those commands doesn't come up with a lot of useful results but there is one

I think we can assemble the files in order to produce result like that, but mapping to opcode is quite difficult.

EDIT Well, the "prn" files have the mapping to code already. So we can get the instruction set, given enough source code. And pudn.com seems to have a lot of source code (not for download)

By the way, what is "P" and "Q" in model name?

Edited by user202729, 22 November 2016 - 01:17 PM.

### #160 anon34

anon34

Casio Freak

• Members
• 268 posts

Posted 22 November 2016 - 01:46 PM

Yes, I also assume so. But if so, can the screen be broken? Does anyone want to try to leave it this way for 24 hours?

--------------------------------------

The assembly instructions are similar to instruction of other architectures, so we can pick information from other chips and guess. For example:

(from page 25)

BAL stands for Branch And Link

We knew mov, add and lea, obviously.

All the functions from the IDA disassembler of SimU8engine.dll are at http://pastebin.com/R57Qsug5 . (paste raw data into Notepad in non-word wrap type for better table format). Perhaps the names can hint something?

Edited by user202729, 22 November 2016 - 02:54 PM.
