Jump to content



Photo
- - - - -

Casio fx-82 MS hacking


  • Please log in to reply
9 replies to this topic

#1 pedro-javierf

pedro-javierf

    Newbie

  • Members
  • Pip
  • 1 posts
  • Gender:Male

  • Calculators:
    fx-82MS (old)
    fx-82MS (new)

Posted 01 June 2018 - 05:09 PM

Hello  :rolleyes:

 

I'm an owner of several Casio calculators, all from the fx-82MS series. In Spain (where I live) they are very common because they are really cheap.

 

So, I wanted to hack it of course. I already have experience in reverse engineering and exploit development (https://github.com/pedro-javierf/). Nevertheless the calculator scenario is much more complex, at least for the casio fx-82ms which isn't programable.

 

So far I know there's this software glitch (sometimes called overflow but I don't really know if it's a classic stack overflow or someone just gave it the name):

which basically unlocks every mode from the superior model (fx-82ES I think?) on this 10eur calculator (though not all of them are really usable)

 

This is patched in the newer model, which (when turning off) prints the casio logo.

 

Also, the hardware is completely different. I'll post some images in the following days from the newer model, but a Spanish colleague already reversed the hardware for the old model: http://nitehack.blog...k-incluido.html

the most interesting thing is that he found that the hardware beneath the buttons is in fact a matrix keyboard. There are more pins (keyboard combinations) that were actual buttons in the calculator, so he analyzed that and found that some combinations can be triggered to directly activate extra modes from the superior model. I have a hardware setup for that I'll show off as soon as possible. The software layer is still pretty much unexplored, so that's why I'm here  :greengrin:

 

I've seen you people have done a lot of research into better, newer and more complex models (even ROP chains If I'm not wrong!) which is amazing. How could I apply some of that knowledge to reverse the fx-82MS? I've read something about official casio emulators?

 

Thank you!

 

PS: Since I don't have any newer model I can't really help, but I will try if y'all need something :)



#2 frankmar98

frankmar98

    Casio Freak

  • Moderator
  • PipPipPipPip
  • 127 posts
  • Gender:Male
  • Location:Spain
  • Interests:Science, programming

  • Calculators:
    CFX-9970G
    Graph 90+E (fx-GC50)
    fx-9860G SD
    Classpad 300
    HP Prime
    TI-84+ CE-T
    x2 TI-83+
    TI-81
    fx-4800p, fx-3650PII
    fx-991SPX, fx-991ES PLUS, fx-100W

Posted 01 June 2018 - 06:34 PM

Hi, pedro-javierf, welcome to UCF!

 

The research on hacking basic calculators is really interesting. This fx-82 MS is a good platform to research with.

 

I invite you to post here all your research in this model. I've splitted your post from the other thread, because it is other model. This is for organization reasons. To help the users to find your post easiliy.

 

I really understand the popularitiy of this calculator in Spanish classes, I have studied ESO and Bachillerato in a highschool in a town in Málaga, and almost everyone had the fx-82MS.

 

This occurs because the teachers and the students don't have any knowledgment about calculators, for example, a fx-991ES plus or an used graphing calculator are cheap also (I got my fx-9750G for 3€ used), and have many functions more.

 

Although the research in this models hacking is really interesting.

 

The old version of fx-82MS, has the same hardware than fx-570MS, 100MS, 115MS, 991MS, well function suited models, the predecesors of fx-ES plus series.

 

1998:  fx-82W, 85W, 100W, 115W, 570W, 991W

 

2001: fx-82MS, 83MS, 85MS, 100MS, 115MS, 270MS, 300MS, 350MS, 570MS, 991MS

 

2004:  fx-82ES, 83GT, 85ES, 115ES, 350ES, 570ES, 991ES

 

2008:  fx-82ES plus, 83GT plus, 85ES plus, 115ES plus, 350ES plus, 570ES plus, 991ES plus

 

2015: fx-82, 350, 570, 991 EX/SPX/DEX, etc.

 

The better (unlocked) calculators are the fx-570 - 991, and in the MS series, this calculators are discontinued, the 82MS is still in production but with a cheaper PCB.

 

Regards!



#3 user202729

user202729

    Casio Freak

  • Members
  • PipPipPipPip
  • 227 posts

Posted 05 June 2018 - 01:53 PM

I know about that glitch (and some other ones), all of them involves pressing '0' before '1'. Because only '0' works (and nothing else) I suspect that's an Easter egg Casio left in the calculator.

I also have some calculators in the old MS series (where I can test the bugs).

Unfortunately, I have no idea how the glitch works because:

* There are no "correct" emulator of any calculator, that I can extract the ROM and expect it to be "reasonably similar" to the ROM of the real calculator.
* I don't know the details of the hardware (CPU model, etc.) although I guess it's the same kind as the ES and ES PLUS series.
* I can't find out a way to read the calculator ROM.

If anyone succeeded in obtaining the ROM of the calculator series, please post it.

#4 Sonic The Hedgehog

Sonic The Hedgehog

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male

  • Calculators:
    fx-82MS (old)

Posted 24 January 2019 - 04:31 PM

Sorry for being 7 months late, but I will give you some useful info.

 

 

 

which basically unlocks every mode from the superior model (fx-82ES I think?) on this 10eur calculator (though not all of them are really usable)

 

You have to press a different button sequence.

 

Video: https://youtu.be/YY19aeKGN1M (Text version is in the description for if you can't follow the video.

 

In short: press 9 before the M+ thing, and use 5353535... instead of 1313131...

The above method may sometimes fail, if it fails, try a reset or a different hack (like the "matrix hack") before trying again.

 

I've found 1 other video adapting my method: https://youtu.be/t583XTyuEnk all others use the method you've used.

 

I've performed all sample calculations from the fx-570MS manual, and they all worked.

 

BTW It's the fx-570MS model.


Edited by Sonic The Hedgehog, 24 January 2019 - 05:14 PM.


#5 MJim

MJim

    Newbie

  • Members
  • Pip
  • 5 posts
  • Gender:Male

  • Calculators:
    Casio fx-9750GII SH4
    Casio fx-9750GII SH3 - Deceased
    Casio fx-991W
    Casio fx-115ES Plus
    Casio fx-95MS
    Casio fx-82MS
    Casio fx-82 (original 1982 version)
    Sharp El-W516X
    HP-49G+

Posted 12 November 2019 - 10:47 AM

Is raising the dead after 10 months ok; a little bit of decay adds character right... :D

Probably not a good start for post number 2....my apologies if this is a problem.

The above hack works fairly reliably on my fx-82MS ('5353..' instead of '1313..', cheers Sonic!).  It seems that using 1 instead of 9 for [M+] seems to work fine as well (tested matrix calculations and it worked fine).

A couple of things though I noticed however:

 

When the hack is reset (power goes off or if you hit the [ON] button), you wont be able to perform it again until you use the 'Matrix' hack (similar to the above, except using '1313..' and then hitting DELDEL instead of AC/on at the end to show all the 13131's to the right of the cursor and deleting them until the '0' is under the cursor and the rapidly alternating sintansintan until a full reboot happens).

If you do attempt this hack again before performing the 'matrix' hack, you can get some weird LCD segment issues, or the calculator may just switch off.  I found that a full memory clear is insufficient to reboot the calculator fully* (I just discovered that removing the battery and shorting the cap which should reset the calculator proper bought up a 'matherror' message, but the hack still worked.  After another battery reset I had mixed success with the hack, but once the 'matrix' hack is used it seems to work every time, so there might be something sticking around in memory even after the matrix hack).

While applying this hack works on my fx-95MS, it won't allow you to perform Matrix or Vector operations.  The key layout does seems to be the same as the fx-570MS and all the additional functionality seems to work except for Matrices and Vectors (Equation solver, integration, differentiation, constants, conversions).  I also noticed that the the fx-82MS is slightly faster than the fx-95MS.

Also worth noting is that display flags set while the hack is active are kept even after the hack is reset (power off or [ON] button).  Mostly this doesn't mean anything, but if you enable ENG symbol display mode it will stick around even after power off if you want to keep that engineering symbol notation.

The PCB's have some different markings, but look to be at a quick glance very similar.  Maybe a closer look might reveal some differences.  If anyone is interested in some pictures, I could look at giving my old Nikon a bit of exercise and get some pictures of the boards.

fx-82MS:
GY313-1
HA210314A-1
04266 (year, day, month?)

fx-95MS:
GY315-1
HA210303A
07246

Edit:

Just decided to add the PCB images:

 

fx-82MS:

Spoiler

 

fx-95MS:

Spoiler


Edited by MJim, 13 November 2019 - 12:09 AM.


#6 Sonic The Hedgehog

Sonic The Hedgehog

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male

  • Calculators:
    fx-82MS (old)

Posted 26 November 2019 - 07:30 PM

 

When the hack is reset (power goes off or if you hit the [ON] button), you wont be able to perform it again until you use the 'Matrix' hack (similar to the above, except using '1313..' and then hitting DEL DEL instead of AC/on at the end to show all the 13131's to the right of the cursor and deleting them until the '0' is under the cursor and the rapidly alternating sin tan sin tan until a full reboot happens).

 

In my case, I was able to perform the fx-570ms upgrade hack multiple times in a row, with only a ON press in between. But, I do a 'matrix hack' in between in the case when it doesn't work.

Also, that is a different 'Matrix hack' than I was referring to, that one involves pressing ' :3: :0: :3: :0: ...' (Here is an example video: https://www.youtube....h?v=3kPirRKpCgo)

 

 

While applying this hack works on my fx-95MS, it won't allow you to perform Matrix or Vector operations.  The key layout does seems to be the same as the fx-570MS and all the additional functionality seems to work except for Matrices and Vectors (Equation solver, integration, differentiation, constants, conversions).  I also noticed that the the fx-82MS is slightly faster than the fx-95MS.

 

The fx-95ms has the EQuatioN solver mode, but notice that the EQN mode is on the the same screen as the MATrix and VeCTor modes on the fx-570ms. So, those modes are likely disabled at hardware level, and likely cannot be enabled with a software level hack.

 

 

If you do attempt this hack again before performing the 'matrix' hack, you can get some weird LCD segment issues, or the calculator may just switch off.  I found that a full memory clear is insufficient to reboot the calculator fully* (I just discovered that removing the battery and shorting the cap which should reset the calculator proper bought up a 'matherror' message, but the hack still worked.  After another battery reset I had mixed success with the hack, but once the 'matrix' hack is used it seems to work every time, so there might be something sticking around in memory even after the matrix hack).

 

Same for me. Even removing the battery doesn't seem to clear the memory completely, I once left the calculator without a battery for a whole day so all capacitors are drained as well, and I still got mixed results.

So, the success of a hack is really dependent on whatever data is currently in memory.

 

 

Also worth noting is that display flags set while the hack is active are kept even after the hack is reset (power off or [ON] button).  Mostly this doesn't mean anything, but if you enable ENG symbol display mode it will stick around even after power off if you want to keep that engineering symbol notation.

 

Not only the display settings are kept, but also the last used mode is still active, but will be in a broken state.

 

 

The PCB's have some different markings, but look to be at a quick glance very similar.  Maybe a closer look might reveal some differences.  If anyone is interested in some pictures, I could look at giving my old Nikon a bit of exercise and get some pictures of the boards.

 

I have read somewhere (I can't remember what site it was) that older models of those calculators didn't have the big black piece in the middle of the PCB, and that the black piece is preventing us from hardware-hacking the part of the PCB that determines what modes can be selected.



#7 MJim

MJim

    Newbie

  • Members
  • Pip
  • 5 posts
  • Gender:Male

  • Calculators:
    Casio fx-9750GII SH4
    Casio fx-9750GII SH3 - Deceased
    Casio fx-991W
    Casio fx-115ES Plus
    Casio fx-95MS
    Casio fx-82MS
    Casio fx-82 (original 1982 version)
    Sharp El-W516X
    HP-49G+

Posted 27 November 2019 - 12:29 AM

I'm not sure how to break up quotes, so I'll just copy and paste:

 

"In my case, I was able to perform the fx-570ms upgrade hack multiple times in a row, with only a ON press in between. But, I do a 'matrix hack' in between in the case when it doesn't work.

Also, that is a different 'Matrix hack' than I was referring to, that one involves pressing ' 3.jpg0.jpg3.jpg0.jpg ...' (Here is an example video: https://www.youtube....h?v=3kPirRKpCgo)"

 

The matrix hack I used was actually done on the fx-991ms, but works as well on my fx-82ms:  https://youtu.be/Rn0EvhtOANA

 

It seems I can't do the '3030' matrix hack; as there is something else in memory rather than what is shown on the video.  I'll try to do a full battery reset first, since if this matrix hack only needs to be used once, that will make it much better then the one I'm using (which needs to be applied every time).

 

"The fx-95ms has the EQuatioN solver mode, but notice that the EQN mode is on the the same screen as the MATrix and VeCTor modes on the fx-570ms. So, those modes are likely disabled at hardware level, and likely cannot be enabled with a software level hack."

 

After a bit more messing about I think you are right about this.  My theory was that the missing pins 88, 89 & 90 might have something to do with selecting the actual model of the calculator.  I scraped away a bit of the coating on pin 90 and found it was tied to the negative terminal or ground on the calculator.  During the wire bonding process (before putting that black gunk on the top of the CPU), perhaps a combination of pins 88,89 & 90 are wire bonded to this ground to select the model.  Unfortunately I'm not really an electronics person and only have a rudimentary knowledge of electronic stuff.  I started however slowly drilling into the black gunk between the CPU (very slowly with a screwdriver) and where I believe the wires might be bonded to to see if there were any there.  I didn't hit any after making about 1mm of progress, but decided I didn't want to risk permanently disabling the calculator without actually learning anything useful that I could use on the fx-95MS.

 

"Same for me. Even removing the battery doesn't seem to clear the memory completely, I once left the calculator without a battery for a whole day so all capacitors are drained as well, and I still got mixed results.

So, the success of a hack is really dependent on whatever data is currently in memory."

 

That is unusual.  I did short the capacitor for a minute or so to make sure it properly reset, and it usually did the trick since the '53535' hack wouldn't work unless I did the '131313' matrix hack first, indicating to me what I thought was a successful reset.  Though I can't rule out that I'm not successfully resetting my calculator to despite how it seems.

 

"Not only the display settings are kept, but also the last used mode is still active, but will be in a broken state."

 

That is interesting to know.

 

"I have read somewhere (I can't remember what site it was) that older models of those calculators didn't have the big black piece in the middle of the PCB, and that the black piece is preventing us from hardware-hacking the part of the PCB that determines what modes can be selected."

 

Do you mean the COB (Chip On Board, that black gunk covered chip), was easily accessible?, that would be rather handy and make life easier as you could compare the wire bonding between different models.  I figure that the actual calculator software is hardcoded on the ROM to save costs, but it would be interesting if the software was actually contained on a built in EEPROM.

 

 

EDIT:

I Can't actually do that '303030' hack even after shorting the capacitor for a minute or so without power.  I just get different result from what is shown ('Stack Error' instead of 'Math Error' and nothing like the letters shown after deleting all the 3030's for example).


Edited by MJim, 27 November 2019 - 12:54 AM.


#8 Sonic The Hedgehog

Sonic The Hedgehog

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male

  • Calculators:
    fx-82MS (old)

Posted 01 December 2019 - 04:37 PM

 

That is unusual.  I did short the capacitor for a minute or so to make sure it properly reset, and it usually did the trick since the '53535' hack wouldn't work unless I did the '131313' matrix hack first, indicating to me what I thought was a successful reset.  Though I can't rule out that I'm not successfully resetting my calculator to despite how it seems.

 

From your previous post I gathered that you got mixed results, and now you're saying you don't?

 

As long no one has found a way to look at all the memory externally, we cannot really be sure if all memory is cleared.

 

 

I Can't actually do that '303030' hack even after shorting the capacitor for a minute or so without power.  I just get different result from what is shown ('Stack Error' instead of 'Math Error' and nothing like the letters shown after deleting all the 3030's for example).

 

Thanks for the reminder, It took me 50 or even 100 tries before I finally got the '3030 matrix hack' to work on my calc.

 

Different results of hacks may also be caused by slightly different ROM versions.

 

 

I'm not sure how to break up quotes, so I'll just copy and paste

 

The quote button is the button with the speech balloon, between the Code (<>) and Twitter (t) buttons, simply click the button and copy-paste the text inside the created quote block.



#9 MJim

MJim

    Newbie

  • Members
  • Pip
  • 5 posts
  • Gender:Male

  • Calculators:
    Casio fx-9750GII SH4
    Casio fx-9750GII SH3 - Deceased
    Casio fx-991W
    Casio fx-115ES Plus
    Casio fx-95MS
    Casio fx-82MS
    Casio fx-82 (original 1982 version)
    Sharp El-W516X
    HP-49G+

Posted 02 December 2019 - 10:58 PM

 

From your previous post I gathered that you got mixed results, and now you're saying you don't?

 

As long no one has found a way to look at all the memory externally, we cannot really be sure if all memory is cleared.

 

As long as I do the '1313' matrix hack first after disconnecting the battery and shorting the capacitor before applying the '5353' hack, I can upgrade to the fx-570MS with no issue.  After this first upgrade I always need to do the '1313' matrix hack in between each '5353' upgrade hack, but by following this procedure, I've so far been able to upgrade to the fx-570MS every time (provided I enter the digits all correctly).  I was just accepting the possibility that if it isn't resetting properly for you even with the power disconnected, it is possible that even though it seems to be resetting properly for me, it may not be (eg there is the possibility that some non-volatile flash memory is being affected by the software hack).

 

 

Thanks for the reminder, It took me 50 or even 100 tries before I finally got the '3030 matrix hack' to work on my calc.

 

Different results of hacks may also be caused by slightly different ROM versions.

 

Does the video you linked to work on your fx-82MS?

I get vastly different character strings so I can't perform this hack unfortunately.  If it took you 50 or even 100 tries what did you do to eventually get it to work for you?

 

 

The quote button is the button with the speech balloon, between the Code (<>) and Twitter (t) buttons, simply click the button and copy-paste the text inside the created quote block.

 

Thanks, using that now :D


Edited by MJim, 02 December 2019 - 11:10 PM.


#10 Sonic The Hedgehog

Sonic The Hedgehog

    Newbie

  • Members
  • Pip
  • 4 posts
  • Gender:Male

  • Calculators:
    fx-82MS (old)

Posted 04 December 2019 - 06:30 PM

 

 

Does the video you linked to work on your fx-82MS?
I get vastly different character strings so I can't perform this hack unfortunately.  If it took you 50 or even 100 tries what did you do to eventually get it to work for you?

 

The linked video was just an example, there exist a lot of different variations of this hack. What I did, was just trying all the variations I could find, and at some point one of them finally worked for me.
 

 

As long as I do the '1313' matrix hack first after disconnecting the battery and shorting the capacitor before applying the '5353' hack, I can upgrade to the fx-570MS with no issue.  After this first upgrade I always need to do the '1313' matrix hack in between each '5353' upgrade 

 

BTW, what method do you use to short the capacitor?
 
Also, to check if memory is cleared I assign a value other than zero to a variable, short the cap without battery, after powering the calculator, I check if the variable I assigned to is reset to zero.
 
I've done a "full reset" (Steps described in above line) 3 times, with inconsistent results:
  1. one '5353 hack' worked, second time the calc just turned off, third time LCD segment issues, after one '1313 matrix hack' the '5353 hack' seems to work every time.
  2. two '5353 hacks' worked in a row, third time the calc turned off, fourth time LCD segment issues, after one '1313 matrix hack' the '5353 hack' worked once, after another '1313 matrix hack' the '5353 hack' seems to work every time.
  3. one '5353 hack' worked, second time LCD segment issues, after one '1313 matrix hack' my calc got into what I call the 'Dim ERROR loop' (this means the '5353 hack' works every time, and every time after the '1' you press after the '0' on the 'EditOFF ESC' screen, the calc displays the message 'Dim ERROR')

The calc will break out of the above mentioned 'Dim ERROR loop' if either memory is reset (Reset All or battery removed) or if a different hack ('1313 hack',  '3030 hack', etc.) is applied.

 

Something interesting from the manual: "If the above steps do not correct the problem, press the 'ON' key. The calculator performs a self-check operation and deletes all data stored in memory if any abnormality is detected "

 

When the '1313 upgrade hack' is applied and 'ON' is pressed, all variables and mode settings are cleared. This means the '1313 hack' puts the calculator into such "abnormal state" mentioned in the manual, while the '5353 hack' does not, the current display and mode settings are kept in that case.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users