## Casio scientific calculator bugs / hack

### Re: Casio scientific calculator bugs / hack

user202729 wrote: Can you try this? (I've already tested this on the emulator, but it may give a different result on the real calculator. Just to be sure.)

A.

1. Get a box. The screen should show |⎕ (where | is the cursor).
2. Press → 1 2 3 ← ← ← SUPPR

Result on emulator: Screen should show ⎕|

Same screen on the real calculator.

user202729 wrote: B.

1. Get a box.
2. Press → 1 2 1 2
3. Press → → 0 SUPPR SUPPR

Result on emulator: Screen shows ⎕|212.

Same screen on the real calculator.

### Re: Casio scientific calculator bugs / hack

Nice!

Now can somebody please do this? (This is going to take a bit longer to execute, and I'm not sure what will happen. The expected behavior is that an error screen (possibly without any error message) appears, then the calculator freezes or something, but because the SFRs may be written to, I'm not sure.)

This is similar to method B above, but with different step 2 and added step 4.

D.

1. Get a box.
2. Press →, then type ⊢ - 100 times (200 keypresses in total).
3. Press → → 0 SUPPR SUPPR
4. Press = .
user202729

### Re: Casio scientific calculator bugs / hack

Tried 2 times. Just a syntax error. What were you expecting?

### Re: Casio scientific calculator bugs / hack

Actually I expected it to cause some kind of error screen. If it's just a syntax error... I can't check if it's a "normal" syntax error or it's caused by the hackstring.

Expected result:

• Get a box: |⎕
• After step 2: |◀ (or it may be |⎕ on the real calculator, I am not sure, but the cursor should be |, not █)
• After step 3: ⎕█-⊢-⊢- ... ▶ (where the ... represents some characters, and the █ is the cursor; it should overlap the next character -). If you scroll around, there should be exactly 200 characters in the formula.
• After step 4: an error screen appears.

The emulator crashes after step 3 (actually I did it with some hacks).

Do method "D." above, but with "⊢ -" replaced with "2 0".

If the calculator crashes/freezes/shutdown then the syntax error is caused by the hackstring, and I succeeded.

Note: I predict that (according to experience with ES PLUS calculators) if fewer than 200 characters (100 pairs) are typed in step 2, the calculator will give a normal syntax error; if more than 200 characters but fewer than 256 characters are typed in step 2, the behavior is the same as if exactly 200 characters were typed.

----------

I think it was not a good idea to choose the error screen as an example (as it can be easily confused with the normal error screen), but I can't get anything else. The number of bytes that can be entered is too limited.

user202729

### Re: Casio scientific calculator bugs / hack

Define a "hackstring" as a formula with exactly 200 bytes.

Define the method to "execute" a hackstring as method D, but in step 2 replace ⊢-⊢-⊢-...⊢- with that hackstring.

Assuming that executing 121212...12 indeed crashes the calculator, this causes a buffer overflow and corrupts the stack, therefore allowing return-oriented programming. (But I'm quite surprised that ⊢-⊢-⊢-...⊢- can cause a syntax error, as the function at 2:2b16 is emulator-specific.)

I guess +(+(+(...+( (address 2:60a6) would wait for some key presses (I expect that the cursor will keep flashing, but the calculator freezes after some keys are pressed).

It probably won't work because there are 100 nested open parentheses...

------

If, however, executing 121212...12 also causes a syntax error, it's very likely that there is something wrong with my method. It would help if I could know what exactly is displayed on the calculator at each step.
user202729

### Re: Casio scientific calculator bugs / hack

Retried method D with 20, just a syntax error again.

### Re: Casio scientific calculator bugs / hack

After testing it more carefully, I realize that there is an error in the method. This should fix it. Sorry for the inconvenience.

E.

1. Get a box.
2. Press ← 1 EXE ← ← SUPPR ←. Expected screen content after this step: |⎕
3. Press →, then type 2 0 100 times (200 keypresses in total).
4. Press → → 0 SUPPR SUPPR. Expected screen content: ⎕|0202020...▶
5. Press EXE.

This should freeze the calculator when the last step is finished.
user202729

### Re: Casio scientific calculator bugs / hack

When a hackstring is executed, the stack is overwritten with the hackstring, which allows for return-oriented programming.

However, to write return-oriented programming chains, it's necessary to know the addresses of functions, which involves reading the calculator ROM.

I have the ROM of the emulator and its disassembly; however, the position of the code is likely to be different from the position of the code in the real calculator.

The render function on the emulator is at 0x8A8C. I think on the real calculator it's around 0x8700 - 0x8A00 (which corresponds to RanInt#, PGCD, PPCM, Arond), so the hackstring would be 100 pairs of AB, where B should be one of the above (most significant byte in the word) while A should be divisible by 4 (example: 8 x × ⌟).

---

I put most of my work on this in a GitHub repository named fxesplus (but the repository contains some possibly copyrighted content, such as some calculator or emulator ROMs, so I won't link it here).

user202729

### Re: Casio scientific calculator bugs / hack

First try.
I didn't get the ⎕|0202020...▶ screen content, but I still got some kind of a freeze. No key was reacting except ON.

### Re: Casio scientific calculator bugs / hack

Does the cursor still flash after SUPPR is pressed and before EXE is pressed? (I expect yes.)

Because I have little information about the calculator, it would be helpful if you can describe exactly what happens. I have the emulator, but in unexpected circumstances its behavior is likely to be completely different from the real calculator.

On the emulator, after the last SUPPR in step 4 the calculator immediately freezes. I expected that not to be the case on the real calculator. If the real calculator does freeze, however, I have no idea.

(Another mistake: in step 5, = should be EXE. But it only matters if the calculator doesn't crash before step 5, as I mentioned above.)

user202729

