Messages - GreaseMonkey

1
Oh. I'm pretty sure the GII is a completely different line with an officially documented CPU.

But yeah, the sooner we get access to a ROM dump, the sooner we can look for security holes... well, more importantly, the sooner we can find out how to code the thing. Both ZX and GY ROMs could be useful (I have a GY357 calc).

2
No, it's a single buffer, but it's a two-layered image. Actually, I think I misunderstood here. There's the graphics memory itself and then there's draw memory. So I guess there are two different buffers.

Also what's this 9750 hacked into a 9860 thing? Please tell, it could be useful.

3
I am fully aware of those two websites, and I think I'll look at Marco's site again for the time being because it might be quite useful.

I've attempted to use the matrix fill bug to overwrite stack, and I've tried two approaches.

First approach was to jump around enough "Do"s (start of a Do/LpWhile x loop), do a dodgy fill, and then do enough "LpWhile x"s to somehow screw something over. It reports a Syn ERROR.

Second approach was to do enough Prog "" calls (I did 8) and then do a dodgy matrix fill. It also reports a Syn ERROR. I suspect this stores the program name.

Something I've noticed: If you try to use a LpWhile to jump to a While or anything that isn't a Do, it'll throw a Syn ERROR. I believe there's something that's noted down.

I believe that the entries put on the stack (start from top and go down - the other way is what I call the "heap") when you do a Do/While/For are 3 bytes long. I suspect two bytes are used for a code pointer and one byte is used as a check. If this is true, then there were 31 bytes it could not chew.

Here's something you might find useful:

Clear draw memory, then do: PxlTest 1,1 (it's under Sketch / shift-f4). You'll get a Mem ERROR, but it'll show a piece of RAM. Note that the screen goes from the bottom-right, up first, and then left. I believe there are two layers here, one following another (unlike draw memory which is 4 layers), so if you have an fx-9750G PLUS then it might be a bit easier to observe stuff.

I can't seem to get a good shot of some stack-flooding session, though. Maybe I need to borrow a friend's "press button to spam photos" camera.

4
TI-BASIC / Re: Why never to use Goto.
« on: February 25, 2011, 03:32:43 am »
Yes, Goto on a CASIO can leak:

Code:
Lbl 1
Do
Goto 1

Ends with a lovely Mem ERROR.

5
First up, some documentation. What I write pertains to the CFX-9850GB PLUS, though some of it applies in part to the CFX-9850G (note, no PLUS here).

I'm really only aware of two hacks that can be done w/o a cable.

Get your pencil ready, because you'll be hitting the reset button a lot here. You will be crashing your calculator like mad.

First one is the DrawDyna hack, which allows you to look at RAM.
Use up at least 16KB of RAM (a 32x64 matrix will work), then set graph Y1=0. Make a program that just does DrawDyna, and run it. Once it's rendered, AC/ON to break, then tap left or right. You're now looking at RAM.

This is often used to enable "XMS" (eXpanded Matrix System) which is a way of screwing around with RAM using a matrix (I did not call it this, it's possibly the most well-known CASIO hack and it can be done by sending a modified backup back to the calc). There's some information somewhere, and if you intend on doing this, I suggest this setup of matrices:

Mat A = 1 x 1
Mat B = 1 x 2
Mat C = 2 x 1
Mat D = 2 x 2
Mat E = 32 x 64

Look for something that looks a bit like ffpffppp or fffppfpp, then change the first two "f"s (they're femtos) to the Pol( symbol or something like that (OPTN -> angl -> Pol(, yes that parenthesis is there). Note that you'll be looking at RAM backwards. This could be useful if you have a software library and want to find out the passwords or depassword a program (you can look up the passwords of the software library programs on the net - search for "20397551 casio" w/o quotes, that's the AU MANDLBRT program password btw).

If you're interested: Try filling the area you're first presented with, with a few simple notes (say, H^2 = A^2 + B^2). Then reset. Then do the hack again. It'll still be there. (A 32KB CFX actually has 128KB of RAM, apparently, though I'm not sure if this is what causes it.)

Now for the second hack - the Fill hack.
The second hack WILL break the first so be VERY SURE you're not worried about it. If you have a cable, I suggest you back up your calc. Fortunately, I have, though I've yet to restore the image (my friend has a cable).

Go to the matrix menu, then select Mat A. Type: 20, right, MENU. (You want a something-by-0 uninitialised matrix.) Now go into RUN mode and use the matrix Fill( command. What you want is something like this:
Fill(1.11111111111111,Mat A)
It'll put a bit of light garbage on the screen and then do some stuff for quite some time. Then it'll return with a Syn ERROR.

Congratulations, you've just broken the DrawDyna hack. But on the other hand, you've got a hack which can do some truly weird stuff. Try deleting things from the memory menu.

An observation.

I've seen some truly bizarre stuff done to the screen, including the LCD going out of phase and scrolling out, then turning off. But in some glitchings, I've encountered a very unusual situation, where if I select anything on the menu, it does a glitch sequence, then goes through to the menu item. I'm thinking this could be a possible entry point, but I'd need to somehow send a backup to work that out, and I'd have to go to my mate's place to do that.

So yeah, those are my notes on this topic so far.

EDIT: Oh yeah. If someone is able to do a ROM dump, I would MUCH appreciate one from a PLUS model (fx-9750G, CFX-9850G, CFX-9850GB, CFX-9950GB, either of the latter two would be brilliant as they're basically the same calc but with a wire link setting changed). Apparently the ROM isn't one of those stupid black blob things, but an actual chip.
