Jump to content

* * * * * 1 votes

Hacking the FX-ES (Non plus models) series of calculators

hacking fx-es non-plus

  • Please log in to reply
3 replies to this topic

#1 TheAwesomer



  • Members
  • Pip
  • 24 posts

Posted 24 January 2019 - 07:55 PM

I have an FX-82ES Model A (Although most of the stuff here should apply to the Model B fx-ESes too) that I have hardware hacked to mode P4 (the same as an FX-991ES.)


I like glitches and programming and towards the end of 2018, I became quite interested in CASIO calculators for their glitches.


And I have discovered quite a few interesting and possibly significant glitches for the fx-ES line of calculators.


All of these will involve the "Pol( Overflow Glitch", which is a method of getting the 'r' character, which is necessary for all of the glitches that I know of that I will document here.


Because I know so many glitches, I am just going to start off this thread with the one that I think is the most significant, and also allows you to do quite a lot of stuff with it.


This glitch may allow arbitrary code execution (to some extent). If it does not however, you may still be able to use it along with some extra steps to do so.


Anyways, I am calling this glitch the "unme mode" (because it is quite common to see 'unme' whilst messing about with this glitch).


Fortunately, I am saved from explaining myself how to do this glitch, because I actually found it by attempting a glitch for the fx-ES PLUS models (which did something completely different). I later came to realize (literally just now actually) that there was 2 instances of this glitch on the internet, one without instructions and one which doesn't actually say that you can do so much more with it or that you can do it differently at all.


Instance 1: 


Instance 2: 


Basically to do the glitch you do everything done in Instance 2, but stop once you get a normal screen after pressing AC after pressing equals after setting up the 'r' glitch. You are now in the "unme mode". You can put in many different things than what he then puts in. One of these I am pretty sure you could execute arbitrary code with.


Arbitrary code execution (?):


After getting to "unme mode" you can put in a mixed fraction, and in the top box add 3 Abs, 2 square roots, 4 brackets and then keep pressing the ^( and ( buttons until you get mp(fraction with []eY at the top and eY at the bottom)[]eY


This 'fraction is wierd'. its actually not a fraction. Infact it seems to copy whatever is typed after it into itself (on the bottom of the fraction it misses the first character).


Keep pressing LEFT until your cursor is after the []eY to the right of the fraction.


Delete the []eY until you are left with mp(and a single dot)


The fraction has turned into a single dot. Do not move the cursor any further to the left or you will not be able to utilize this character. Now you can type stuff and it will be copied into the fraction as you type (but you are limited to a small amount of stack characters (brackets, square roots, powers, abs, fractions, etc)). For this example, type in Ran# × ÷ Ran# + -


Now press the equals button then press LEFT, DEL, DEL, DEL and you should crash/hang the calculator with some lines and dots on top of the fraction. Depending on what you typed after the fraction/dot, different things will happen.


For instance, typing constant 01 (4 times) and then conversion 01 (4 times) crashes with different pixels lit up.


I did also get a blank screen once which upon then pressing ON (not AC) quickly showed a horizontal line which slowly faded away amongst the normal screen but I cant remember what I typed for that.


I would love to type more of my findings here but I have to go in 6 minutes so see you soon!

#2 anon34


    Casio Freak

  • Members
  • PipPipPipPip
  • 268 posts

Posted 30 January 2019 - 03:03 PM

After looking at the emulator, it appears that the behavior of the calculator when 'r' is evaluated is more complex, and
harder to exploit.

(I assume that the emulator and the real calculator is mostly the same because some methods on the real calculator applies
to the emulator)

In particular, I guess that

After 'r' is executed, it jumps to a particular location. This location, coincidentally, also evaluates the expression.
So this becomes an infinite loop, however, not all of the memory is free for the stack, and eventually something overwrites
the stack, and the stack is corrupted.

I still couldn't determine what corrupt the stack.


On the fx-82ES emulator, Evaluates Rec(X-1,0)r with different value of X
produces different result (Math error / Syntax error) (differnt value of X can be get by modifying the "1" in
Pol(1,0 to a different value)

Edited by user202729, 30 January 2019 - 03:40 PM.

#3 TheAwesomer



  • Members
  • Pip
  • 24 posts

Posted 01 February 2019 - 03:45 PM

Found a slightly different glitched mode. by putting M in the top fraction and X in the bottom instead of just 1|1 you get a math error and then upon pressing AC, get what seems to be a slightly more stable version of the  first glitched mode. It is definitely different, because when trying to do the trick with the 5 Abs and spam square root upon pressing the 5th Abs it is executed as a string instead, meaning you cannot use strings from one mode to the other, but maybe that means theres more to be done with these modes than what seems to be at first. 


Thanks for replying, I am about to try that evaluation you mentioned on my fx-82es to see if it is different from what you said the emulator did.

#4 TheAwesomer



  • Members
  • Pip
  • 24 posts

Posted 01 February 2019 - 04:02 PM

I dont think I quite understand how to do this evaluation you're talking about. I couldnt get it to work on emulator nor real calculator. Could you tell me how to do it step by step, or just tell me what to type but dont include the pol( overflow glitch to get r unless i need to change something there? Thanks.

Also tagged with one or more of these keywords: hacking, fx-es, non-plus

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users