If Casio know about this topic and a lot of errors that we (and other peoples on cncalc and baidu tieba) discovered, they will fix those errors. Thus we can no longer hack the calculator. What do you think about this?
So, I found it (arbitrary code part execution) after a lot of exhaustive works. I managed to jump the IP to the "ON" command which is similar to press [ON].
Those can be done on the emulator, but I can't give link to download the emulator. Just search google for "Casio fx570vn plus emulator" (the pages are not in English and be careful with viruses, if any). There are cracked version and not-cracked version. The latter is harder to install because you have to do the hacks yourself.
Instruction: (Windows machines only)
1. Just to be sure, before opening the emulator, go to folder %TEMP% (usually "C:\Users\<your user name>\AppData\Local\Temp") and delete all temporary files of the emulator there.
2. (Of course) Open the emulator. You can reset all if you want.
3. [MODE] (LineIO)
4. Input " [)] [CALC] [3-dimensional log] [)] [)] [)] [*]  [^] "
Now screen show
5. [CALC] [=] [LEFT] [CALC] [=] [RIGHT]
6. Enter 14 groups of (). Other characters will likely to work, but do that will make it easier to count.
7. Press , and then enter [Least significant byte of IP] [Most significant byte of IP] [(arbitrary nibble) (code block)] instead of as usual.
8. And then enter , and count this group as the 15th one.
9. Now continue to enter groups until you done the 24th group. (So you have to enter another 9 groups) and then .
10. By now you have entered 247 characters, and the screen should show
and the cursor is before the first X.
11. [LEFT] [=].
To jump to the ON command, it is at IP=757A of code block 0. So you have
Most significant byte of IP = 75 = character "x^2"
Least significant byte of IP = 7A = character "C1" (const 29)
Code block = 0 so you can enter 30 = character 0 whose least significant nibble is 0.
In block 15, enter "
[x^2] " instead of " ".
The code block 0 is the one contains the "Syntax ERROR" string and is executed often, the code block 1 is the one contains "LY710XA" string and is executed only during calculation or key press.
Code block 2 to 7 seems contains all zeroes (hopefully they can be changed ---> programming EDIT it seems that they can't be changed), and code block 8 to F are invalid.
If code block is 5 and IP is 1234, it is interpreted as if code block is 1 and IP is 41234. (code_block << 0x10 + IP == 51234)
Edited by user202729, 20 November 2016 - 03:20 PM.