Casio scientific calculator bugs / hack

[critor]

Can you try this: (I've already tested this on the emulator but it may give different result on real calculator. Just to be sure)

A.

1. Get a box. Screen should show |⎕ (where | is the cursor)
2. Press

→

1

2

3

←

←

←

SUPPR

Result on emulator: Screen should show ⎕|

Same screen on the real calculator.

B.

1. Get a box.
2. Press

→

1

2

1

2

3. Press

→

→

0

SUPPR

SUPPR

Result on emulator: Screen shows ⎕|212.

Same screen on the real calculator.

[user202729]

Nice!

Now can somebody please do this? (this is going to take a bit longer to execute, and I'm not sure what will happen. The expected behavior is that an error screen (possibly without any error message) appears, then the calculator freeze or something, but because the SFRs may be written to, I'm not sure)

This is similar to method B above, but with different step 2 and added step 4.

D.

1. Get a box.
2. Press

→

, then type

⊢

-

100 times. (total 200 keypresses)
3. Press

→

→

0

SUPPR

SUPPR

4. Press

=

.

[critor]

Tried 2 times. Just a syntax error. What were you expecting ?

[user202729]

Actually I expected it to cause some kind of error screen. If it's just a syntax error... I can't check if it's a "normal" syntax error or it's caused by the hackstring.

Expected result:

• Get a box: |⎕
• After step 2: |◀ (or it may be |⎕ on the real calculator, I am not sure, but the cursor should be |, not █)
• After step 3: ⎕█-⊢-⊢- ... ▶ (where the ... represents some characters, and the █ is the cursor, it should overlap the next character -) If you scroll around, there should be exactly 200 characters in the formula
• After step 4: an error screen appears.

The emulator crashes after step 3 (actually I did it with some hacks).

So can someone please try:

Do the method "D." above, but with "

⊢

-

" replaced with "

2

0

".

If the calculator crashes/freezes/shutdown then the syntax error is caused by the hackstring, and I succeeded.

Note: I predict that (according to experience in ES PLUS calculators) if less than 200 characters (100 pairs) are typed in step 2, the calculator will cause a normal syntax error; if more than 200 characters but less than 256 characters are typed in step 2, the behavior is the same as if exactly 200 characters was typed.

----------

I think it was not a good idea to choose the error screen as an example (as it can be easily confused with the normal error screen), but I can't get anything else. The number of bytes that can be entered is too limited.

[user202729]

Define a "hackstring" as a formula with exactly 200 bytes.

Define the method to "execute" a hackstring as method D, but in step 2 replace ⊢-⊢-⊢-...⊢- with that hackstring.

Assuming that, executing 121212...12 indeed crashes the calculator, this causes a buffer overflow and corrupt the stack, therefore allow for return-oriented programming. (but I'm quite surprised that ⊢-⊢-⊢-...⊢- can cause a syntax error, as the function at 2:2b16 is emulator-specific)

I guess +(+(+(...+( (address 2:60a6) would wait for some key presses (I expect that the cursor will keep flashing, but the calculator freezes after some keys are pressed)

It probably won't work because there are 100 nested open parentheses...

------

If however, executing 121212...12 also causes a syntax error, it's very likely that there is something wrong with my method. It would help if I can know what exactly is displayed on the calculator at each step.

[critor]

Retried method D with 20, just a syntax error again.

[user202729]

After testing it more carefully, I realize that there is an error in the method. This should fix it. Sorry for the inconvenience.

E.

1. Get a box.
2. Press

   ←

   1

   EXE

   ←

   ←

   SUPPR

   ←

   . Expected screen content after this step: |⎕
3. Press

   →

   , then type

   2

   0

   100 times. (total 200 keypresses)
4. Press

   →

   →

   0

   SUPPR

   SUPPR

   . Expected screen content: ⎕|0202020...▶
5. Press

   EXE

   .

Should freeze the calculator when last step is finished.

[user202729]

When a hackstring is executed, the stack is overwritten with the hackstring, which allows for return-oriented programming.

However, to write return-oriented programming chains, it's necessary to know the addresses of functions, which involves reading the calculator ROM.

I have the ROM of the emulator, and its disassembly, however the position of the code is likely to be different from the position of the code in the real calculator.

The render function on the emulator is at 0x8A8C. I think on the real calculator it's around 0x8700 - 0x8A00 (which corresponds to RanInt#, PGCD, PPCM, Arond), so the hackstring would be 100 pairs of AB where B should be one of above (most significant byte in the word) while A should be divisible by 4. (example: 8 x × ⌟)

---

I put most of my work on this in a github repository, named fxesplus (but the repository contains some possibly copyrighted content, such as some calculator or emulator ROM, so I won't link it here)

[critor]

After testing it more carefully, I realize that there is an error in the method. This should fix it. Sorry for the inconvenience.

E.

1. Get a box.
2. Press

   ←

   1

   EXE

   ←

   ←

   SUPPR

   ←

   . Expected screen content after this step: |⎕
3. Press

   →

   , then type

   2

   0

   100 times. (total 200 keypresses)
4. Press

   →

   →

   0

   SUPPR

   SUPPR

   . Expected screen content: ⎕|0202020...▶
5. Press

   =

   .

Should freeze the calculator when last step is finished.

First try.
I didn't get the ⎕|0202020...▶ screen content, but I still got some kind of a freeze. No key was reacting except

ON

.

[Emmanuelchimex]

Sorry, I don't have the 570/991 versions

Any interesting/useful discoveries ?

I have no idea if Casio is really checking forums to find bugs to fix.

What About The Casio Fx-991ms