I've been researching on this topic for a long time now and I finally found a memcpy exploit and a way to write to every location in memory.
To understand the exploit, you have to know that the fx 991dex has the following memory map:
[ 200 bytes of input buffer (last byte has to be 0)] [ 200 bytes for a copy of the input buffer if an operation has failed ] [ 8 bytes rng seed ] [ 2 bytes unstable char ] ...
Usually, you cannot write beyond the first 199 bytes by typing numbers. However someone found a bug a while ago to write beyond that limit with a glitched 0x19 box (I will publish a chart explaining all bytes and their meaning.). The bug let's the calculator write after the 0 byte so it thinks that the length of what you typed is always 1 so it will let you write further.
Sadly, it crashes after 200 bytes.
Here comes my exploit:
If you have a corrupted copy buffer (the buffer after the input buffer), you can easily copy it back to the input buffer without a crash.
The resulting input buffer has now a size bigger than 200 bytes.
So far so good. Now, you can hit enter and it will start copying your input buffer into the entire ram until it hangs because of some corrupted memory structure.
It fails copying it to the copy buffer because it cannot find the 0 byte at the end because it is in the copy buffer.
Now we have to find a way to get code execution to ram with some corrupted structures (or the stack).
(btw I've done a rom dump)
I hope this helps you