Casio scientific calculator bugs / hack

Re: Casio scientific calculator bugs / hack

Post by critor » 25 June 2018, 08:51

user202729 wrote: Can you try this: (I've already tested this on the emulator but it may give a different result on a real calculator. Just to be sure)

A.

1. Get a box. Screen should show |⎕ (where | is the cursor)
2. Press 1 2 3 SUPPR

Result on emulator: Screen should show ⎕|

Same screen on the real calculator.

user202729 wrote: B.

1. Get a box.
2. Press 1 2 1 2
3. Press 0 SUPPR SUPPR

Result on emulator: Screen shows ⎕|212.

Same screen on the real calculator.

Re: Casio scientific calculator bugs / hack

Post by user202729 » 25 June 2018, 13:23

Nice!

Now can somebody please do this? (This is going to take a bit longer to execute, and I'm not sure what will happen. The expected behavior is that an error screen (possibly without any error message) appears, then the calculator freezes or something, but because the SFRs may be written to, I'm not sure.)

This is similar to method B above, but with different step 2 and added step 4.

D.

1. Get a box.
2. Press , then type - 100 times. (total 200 keypresses)
3. Press 0 SUPPR SUPPR
4. Press = .

Last edited by user202729 on 29 June 2018, 15:47, edited 1 time.

Re: Casio scientific calculator bugs / hack

Post by critor » 26 June 2018, 23:06

Tried 2 times. Just a syntax error. What were you expecting?

Re: Casio scientific calculator bugs / hack

Post by user202729 » 27 June 2018, 17:08

Actually I expected it to cause some kind of error screen. If it's just a syntax error... I can't check if it's a "normal" syntax error or it's caused by the hackstring.

Expected result:

  • Get a box: |⎕
  • After step 2: |◀ (or it may be |⎕ on the real calculator, I am not sure, but the cursor should be |, not )
  • After step 3: ⎕█-⊢-⊢- ... ▶ (where the ... represents some characters, and the is the cursor, it should overlap the next character -) If you scroll around, there should be exactly 200 characters in the formula
  • After step 4: an error screen appears.

The emulator crashes after step 3 (actually I did it with some hacks).

So can someone please try:

    Do the method "D." above, but with "-" replaced with "2 0".

If the calculator crashes/freezes/shuts down then the syntax error is caused by the hackstring, and I succeeded.

Note: I predict that (according to experience in ES PLUS calculators) if fewer than 200 characters (100 pairs) are typed in step 2, the calculator will cause a normal syntax error; if more than 200 characters but fewer than 256 characters are typed in step 2, the behavior is the same as if exactly 200 characters were typed.

----------

I think it was not a good idea to choose the error screen as an example (as it can be easily confused with the normal error screen), but I can't get anything else. The number of bytes that can be entered is too limited.

Re: Casio scientific calculator bugs / hack

Post by user202729 » 29 June 2018, 08:22

Define a "hackstring" as a formula with exactly 200 bytes.

Define the method to "execute" a hackstring as method D, but in step 2 replace ⊢-⊢-⊢-...⊢- with that hackstring.

Assuming that executing 121212...12 indeed crashes the calculator, this causes a buffer overflow and corrupts the stack, therefore allowing for return-oriented programming. (But I'm quite surprised that ⊢-⊢-⊢-...⊢- can cause a syntax error, as the function at 2:2b16 is emulator-specific.)

I guess +(+(+(...+( (address 2:60a6) would wait for some key presses (I expect that the cursor will keep flashing, but the calculator freezes after some keys are pressed)

It probably won't work because there are 100 nested open parentheses...

------

If, however, executing 121212...12 also causes a syntax error, it's very likely that there is something wrong with my method. It would help if I could know what exactly is displayed on the calculator at each step.

Last edited by user202729 on 30 June 2018, 15:27, edited 1 time.

Re: Casio scientific calculator bugs / hack

Post by critor » 29 June 2018, 12:59

Retried method D with 20, just a syntax error again.

Re: Casio scientific calculator bugs / hack

Post by user202729 » 29 June 2018, 17:14

After testing it more carefully, I realize that there is an error in the method. This should fix it. Sorry for the inconvenience.

E.

  1. Get a box.
  2. Press 1 EXE SUPPR . Expected screen content after this step: |⎕
  3. Press , then type 2 0 100 times. (total 200 keypresses)
  4. Press 0 SUPPR SUPPR . Expected screen content: ⎕|0202020...▶
  5. Press EXE .

Should freeze the calculator when the last step is finished.

Last edited by user202729 on 03 July 2018, 03:38, edited 1 time.

Re: Casio scientific calculator bugs / hack

Post by user202729 » 01 July 2018, 16:23

When a hackstring is executed, the stack is overwritten with the hackstring, which allows for return-oriented programming.

However, to write return-oriented programming chains, it's necessary to know the addresses of functions, which involves reading the calculator ROM.

I have the ROM of the emulator, and its disassembly; however, the position of the code is likely to be different from the position of the code in the real calculator.

The render function on the emulator is at 0x8A8C. I think on the real calculator it's around 0x8700 - 0x8A00 (which corresponds to RanInt#, PGCD, PPCM, Arond), so the hackstring would be 100 pairs of AB where B should be one of the above (most significant byte in the word) while A should be divisible by 4. (example: 8 x × ⌟)

---

I put most of my work on this in a GitHub repository, named fxesplus (but the repository contains some possibly copyrighted content, such as some calculator or emulator ROM, so I won't link it here).
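Added example (not from the thread or from user202729's repository): a C model of the effect described in the 29 June and 1 July posts, where a 200-byte repeating pair replaces a saved return word, next to a length-checked copy that refuses the same input. The frame layout (198-byte buffer, little-endian 16-bit return word), the address 0x1234 and the ASCII byte values for the keys 2 and 0 are assumptions made for the illustration, not values from the calculator ROM.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not taken from any ROM: a 198-byte formula buffer
 * followed directly by a 16-bit little-endian saved return word. The keys
 * 2 and 0 are assumed to be stored as the ASCII bytes 0x32 and 0x30. */
#define BUF_LEN   198
#define FRAME_LEN (BUF_LEN + 2)
#define SAVED_RET 0x1234u          /* constructed "legitimate" address */

static uint8_t frame[FRAME_LEN];   /* simulated stack frame */
static uint8_t input[FRAME_LEN];   /* simulated formula bytes */

/* Reset the frame and build n bytes of the repeating pair a,b. */
static size_t setup(size_t n, uint8_t a, uint8_t b) {
    if (n > FRAME_LEN) n = FRAME_LEN;  /* keep the simulation in bounds */
    memset(frame, 0, BUF_LEN);
    frame[BUF_LEN]     = (uint8_t)(SAVED_RET & 0xFF);
    frame[BUF_LEN + 1] = (uint8_t)(SAVED_RET >> 8);
    for (size_t i = 0; i < n; i++) input[i] = (i & 1) ? b : a;
    return n;
}

static uint16_t saved_ret(void) {
    return (uint16_t)(frame[BUF_LEN] | (frame[BUF_LEN + 1] << 8));
}

/* Flawed copy: the length is never compared with BUF_LEN.
 * Returns the saved return word as it stands after the copy. */
uint16_t ret_after_unchecked(size_t n, uint8_t a, uint8_t b) {
    n = setup(n, a, b);
    memcpy(frame, input, n);
    return saved_ret();
}

/* Hardened copy: over-length input is refused before any byte is written.
 * Returns 1 when the input was refused and the saved word is intact. */
int checked_rejects(size_t n, uint8_t a, uint8_t b) {
    n = setup(n, a, b);
    if (n > BUF_LEN) return saved_ret() == SAVED_RET;
    memcpy(frame, input, n);
    return 0;
}

int main(void) {
    printf("198 bytes -> %04x\n", (unsigned)ret_after_unchecked(198, '2', '0'));
    printf("200 bytes -> %04x, checked copy refuses: %d\n",
           (unsigned)ret_after_unchecked(200, '2', '0'), checked_rejects(200, '2', '0'));
    return 0;
}
```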

Re: Casio scientific calculator bugs / hack

Post by critor » 02 July 2018, 22:06

user202729 wrote: After testing it more carefully, I realize that there is an error in the method. This should fix it. Sorry for the inconvenience.

E.

  1. Get a box.
  2. Press 1 EXE SUPPR . Expected screen content after this step: |⎕
  3. Press , then type 2 0 100 times. (total 200 keypresses)
  4. Press 0 SUPPR SUPPR . Expected screen content: ⎕|0202020...▶
  5. Press = .

Should freeze the calculator when the last step is finished.


First try.
I didn't get the ⎕|0202020...▶ screen content, but I still got some kind of a freeze. No key was reacting except ON.