Omnimaga
Calculator Community => Casio Calculators => Topic started by: DJ Omnimaga on February 25, 2011, 02:37:47 am
-
I always wondered something about the Casio CFX series of calculators, which were the ones with a color screen. They do not support ASM language natively, but it is possible to run ASM on it if we touch the ROM. But that process requires opening the calc. Not everyone wants to do that just to run assembly on their machine.
The TI-82 and 85 calculators won't natively support assembly execution and the TI-73 only supports it through add-ins (which, on TI calcs, are called Flash applications or Flash apps). However, since the mid 1990's, it's possible on the TI-82 and TI-85 and since 2005 on the TI-73. Those calcs allows you to send RAM backups to your computer or vice-versa. However, it is even possible to send hacked backup files to the calculator (modified on the computer)! I do not know how it works and what the backup contains because I am ASM-illiterate, but basically it inserts some sort of shell on your calculator that lets you select assembly games compiled for use with that shell. For the TI-82 there's CrASH and a few others and for the TI-85 there's Zshell and a few others, Zshell dating back in 1994.
So here's the question: Has such method ever been attempted on the CFX-9850G series? The CFX series dates back in 1996 and has been discontinued for a while, so we would expect such hacking attempt to have been done, but the Casio community is much smaller than the TI community, which means there are much fewer developers who could have potentially tried every possible idea. This calc is discontinued so it has a much smaller userbase, but after all, the TI-81 was hacked 19 years after launch. So I was wondering if it would be worth a try to attempt at bringning ASM on the CFX series in the same way people did in 1994-95 on the TI-85 and some other calcs?
Since ASM allows more controls, maybe games could have sprites and even full control on the 4 levels of contrasts, allowing things such as this (but blurrier):
(http://i-lost-the-ga.me/nesstylecfxcolorpalette.gif)
Or if the calc CPU and LCD driver are fast enough, we could even adapt some TI-83 Plus grayscale display methods (alternating a checkered pattern) to display extra colors on the CFX screen like this (note, swapping between colors would only really work well between adjacent colors)?
(http://i-lost-the-ga.me/ditheringexample.gif)
I do not know if that would be realistic and worth it, but on a hacking point of view, I think it might be worth a try. If TI-82/85, then why not CFX?
-
So I was wondering if it would be worth a try to attempt at bringning ASM on the CFX series in the same way people did in 1994-95 on the TI-85 and some other calcs?
/me lost The Game
Anyway, I think it's always worth it to hack something. If a TI-81 can run ticalc, then a cfx could probably run Watson or NORAD.
-
First up, some documentation. What I write pertains to the CFX-9850GB PLUS, though some of it applies in part to the CFX-9850G (note, no PLUS here).
I'm really only aware of two hacks that can be done w/o a cable.
Get your pencil ready, because you'll be hitting the reset button a lot here. You will be crashing your calculator like mad.
First one is the DrawDyna hack, which allows you to look at RAM.
Use up at least 16KB of RAM (a 32x64 matrix will work), then set graph Y1=0. Make a program that just does DrawDyna, and run it. Once it's rendered, AC/ON to break, then tap left or right. You're now looking at RAM.
This is often used to enable "XMS" (eXpanded Matrix System) which is a way of screwing around with RAM using a matrix (I did not call it this, it's possibly the most well-known CASIO hack and it can be done by sending a modified backup back to the calc). There's some information somewhere, and if you intend on doing this, I suggest this setup of matrices:
Mat A = 1 x 1
Mat B = 1 x 2
Mat C = 2 x 1
Mat D = 2 x 2
Mat E = 32 x 64
Look for something that looks a bit like ffpffppp or fffppfpp, then change the first two "f" s (they're femtos) to the Pol( symbol or something like that (OPTN -> angl -> Pol(, yes that parenthesis is there). Note that you'll be looking at RAM backwards. This could be useful if you have a software library and want to find out the passwords or depassword a program (you can look up the passwords of the software library programs on the net - search for "20397551 casio" w/o quotes, that's the AU MANDLBRT program password btw).
If you're interested: Try filling the area you're first presented with, with a few simple notes (say, H^2 = A^2 + B^2). Then reset. Then do the hack again. It'll still be there. (A 32KB CFX actually has 128KB of RAM, apparently, though I'm not sure if this is what causes it.)
Now for the second hack - the Fill hack.
The second hack WILL break the first so be VERY SURE you're not worried about it. If you have a cable, I suggest you back up your calc. Fortunately, I have, though I've yet to restore the image (my friend has a cable).
Go to the matrix menu, then select Mat A. Type: 20, right, MENU. (You want a something-by-0 uninitialised matrix.) Now go into RUN mode and use the matrix Fill( command. What you want is something like this:
Fill(1.11111111111111,Mat A)
It'll put a bit of light garbage on the screen and then do some stuff for quite some time. Then it'll return with a Syn ERROR.
Congratulations, you've just broken the DrawDyna hack. But on the other hand, you've got a hack which can do some truly weird stuff. Try deleting things from the memory menu.
An observation.
I've seen some truly bizarre stuff done to the screen, including the LCD going out of phase and scrolling out, then turning off. But in some glitchings, I've encountered a very unusual situation, where if I select anything on the menu, it does a glitch sequence, then goes through to the menu item. I'm thinking this could be a possible entry point, but I'd need to somehow send a backup to work that out, and I'd have to go to my mate's place to do that.
So yeah, those are my notes on this topic so far.
EDIT: Oh yeah. If someone is able to do a ROM dump, I would MUCH appreciate one from a PLUS model (fx-9750G, CFX-9850G, CFX-9850GB, CFX-9950GB, either of the latter two would be brilliant as they're basically the same calc but with a wire link setting changed). Apparently the ROM isn't one of those stupid black blob things, but an actual chip.
-
Have a look at Martin Poupe's website: http://martin.poupe.org/casio/
Or at Marco Kaufmann's page (in German): http://www.pageofmarco.de/cfxasm.php
-
Yeah I saw those websites, but his ideas seemed to involve modifying the ROM chip, which my topic idea tries to avoid (not everyone have electronic knowledge or the tools to perform hardware mods). ON the TI-85, you don't even need to open your calc with a screwdriver or anything like that: you just send a modified RAM backup file using a linking software.
-
Bump: GreaseMonkey I'll perform your other tests later when I have some time, but also I am bumping this to show non-CFX owners how the screen looks like depending of what contrast settings you choose. This is why I brought up color palettes:
http://i-lost-the-ga.me/casiocfx9850g.wmv
-
I am fully aware of those two websites, and I think I'll look at Marco's site again for the time being because it might be quite useful.
I've attempted to use the matrix fill bug to overwrite stack, and I've tried two approaches.
First approach was to jump around enough "Do"s (start of a Do/LpWhile x loop), do a dodgy fill, and then do enough "LpWhile x"s to somehow screw something over. It reports a Syn ERROR.
Second approach was to do enough Prog "" calls (I did 8) and then do a dodgy matrix fill. It also reports a Syn ERROR. I suspect this stores the program name.
Something I've noticed: If you try to use a LpWhile to jump to a While or anything that isn't a Do, it'll throw a Syn ERROR. I believe there's something that's noted down.
I believe that the entries put on the stack (start from top and go down - the other way is what I call the "heap") when you do a Do/While/For are 3 bytes long. I suspect two bytes are used for a code pointer and one byte is used as a check. If this is true, then there were 31 bytes it could not chew.
Here's something you might find useful:
Clear draw memory, then do: PxlTest 1,1 (it's under Sketch / shift-f4). You'll get a Mem ERROR, but it'll show a piece of RAM. Note that the screen goes from the bottom-right, up first, and then left. I believe there's two layers here, one following another (unlike draw memory which is 4 layers), so if you have an fx-9750G PLUS then it might be a bit easier to observe stuff.
I can't seem to get a good shot of some stack-flooding session, though. Maybe I need to borrow a friend's "press button to spam photos" camera.
-
Here's something you might find useful:
Clear draw memory, then do: PxlTest 1,1 (it's under Sketch / shift-f4). You'll get a Mem ERROR, but it'll show a piece of RAM. Note that the screen goes from the bottom-right, up first, and then left. I believe there's two layers here, one following another (unlike draw memory which is 4 layers), so if you have an fx-9750G PLUS then it might be a bit easier to observe stuff.
So, this is like 2 different buffers?
This caught my attention b/c I have a 9750 hacked into a 9860.
-
By the way I tried the DrawDyna thing and for me I could move around weird code in the program after following your steps. Other operations such as choosing a main menu option froze the calc, tho.
-
No, it's a single buffer, but it's a two-layered image. Actually, I think I misunderstood here. There's the graphics memory itself and then there's draw memory. So I guess there are two different buffers.
Also what's this 9750 hacked into a 9860 thing? Please tell, it could be useful.
-
Critor on TI-BANK website has posted a tutorial to turn a FX-9750GII into a FX-9860GII (without the backlight). On the 9750GII there is flash memory but it is not useable by the user. It has enough to turn the calc into a 9860GII and even use add-ins.
Original discussion in english can be found at http://www.casiocalc.org/?showtopic=4959 and the tutorial in french at http://casio.bank.free.fr/index.php?mod=news&ac=commentaires&id=13
-
Oh. I'm pretty sure the GII is a completely different line with an officially documented CPU.
But yeah, the sooner we get access to a ROM dump, the sooner we can look for security holes... well, more importantly, the sooner we can find out how to code the thing. Both ZX and GY ROMS could be useful (I have a GY357 calc).
-
I wonder if Martin actually has ROM dumps?
-
I wonder if Martin actually has ROM dumps?
Hello,
I have ROM dump of the cfx9850G from 1997. This model has physically 32 KB RAM (not 128 KB as written above).
I tried many examinations of ROM to enable asm on original device and I did nearly proof, that this is not possible (on the old models).
-
I wonder if Martin actually has ROM dumps?
Hello,
I have ROM dump of the cfx9850G from 1997. This model has physically 32 KB RAM (not 128 KB as written above).
I tried many examinations of ROM to enable asm on original device and I did nearly proof, that this is not possible (on the old models).
Does some kind of emulato exist for those models?
What's the CPU?
-
I think there used to be CasEmul, but it didn't seem to be a real emulator. It worked similarly to the TI-Nspire student software or something.
I'm still wondering if there wouldn't be any way to send a hacked file to the calculator, even if it required a third-party linking software to be made, like Ndless? It almost seems impossible that there's absolutely no way to launch ASM on these old calcs. After all, we did it with the TI-81 20 years after it came out, even if the calc got no link cable. :P
-
Does some kind of emulato exist for those models?
What's the CPU?
Real emulator seems to be in development - see http://mamedev.org/source/src/emu/cpu/hcd62121/hcd62121.c.html
The CPU seems to be hcd62121
If you need only simulator (not CPU emulator, but program, which interprets Casio casic language), I have written that in 1998, it is available on my page (http://martin.poupe.org/casio/download.html)
Screenshot:
<img src="http://martin.poupe.org/casio/images/example.gif">
-
Oh thanks for that, I'll have to check it out.
EDIT: Aw, it doesn't run on 64-bit Windows 7 :(
-
EDIT: Aw, it doesn't run on 64-bit Windows 7 :(
It is old (good) MS-DOS application - it may work in dosbox.
Source code is at http://martin.poupe.org/casio/hackdload.html
(any volunteer to port it to windows ? :-)
-
Ah ok. I'll have to try Dosbox then. Someone should maybe port it to Windows 7 or maybe even make an emulator for the Prizm :P
-
The fx-9750GA Plus has a modern and straightforward PCB design. It was manufactured in 2008 and has the classic CFX software running on it (without colors).
Is there a way to dump the ROM without desoldering the NOR flash chip (which cannot be programmed/erased by the CPU)?
E.g., by using some bugs, RAM backup hacking, or assembly code injection which would either print the ROM content on the LCD or send it via 3-pin cable to some other device (e.g. fx-9860G) or the PC.
See my post on casiocalc.org: http://community.casiocalc.org/topic/7630-fx-9750ga-plus-rom-dumping/