
Access to all memory and executing machine code on the Casio FX-8000G

The following information and programs were contributed by Samir Ribic.


Setup

The procedure for entering the unprotected mode must be followed exactly; omitting a single step makes it fail.

  1. Press the reset button.
  2. Mode 2
    Should give 1446 bytes free
  3. Mode 1
  4. Range
        Xmin -10
         max 10
        scl 1
        Ymin -10
         max 10
        scl 1
  5. Press G↔T
  6. Range
        Xmin -10
         max 10
        scl 0
        Ymin -10
         max 10
        scl 0
  7. Press G↔T
  8. Now press AC, then Shift and Alpha and type
    SAVE "A"G
    There should be a space between SAVE and the quote sign, but not between the second quote sign and G.
  9. Press EXE
    You will get SYS error
  10. Press left arrow and EXE to repeat the last command
    Now the message will be Save execution I/O error
  11. Again left arrow and EXE to repeat the last command
    Now the message will be again SYS error
  12. Now press AC and go to mode 3 (PCL). You will see two occupied programs (4 and 5). Delete the program 4 using AC. Now all programs are occupied. Press SHIFT DEL to delete all the programs.
    Free memory is now 1654 bytes. Array indexes are no longer checked.

To test the new feature, type:
1.11111111→A[208]
Press EXE and then G↔T.
You just poked 8 bytes to the graphical video memory!


Usage

The most useful application of access to the whole memory is using the graphic print buffer, between Z[615] and Z[960], as matrix storage.

The machine stack is located at Z[358]. Writing a specially constructed value containing the address of a routine to this variable makes it possible to execute machine code programs on the CASIO fx-8000G. However, because numbers on the fx-8000G are stored as BCD digits, arbitrary values cannot be put into the memory.

Following achievements were possible in this mode:

The trick was discovered together by Zeljko Juric, Samir Ribic and Emir Kapic, in February 1989.


Executing machine code programs

The number (-5÷9)×(1E-44) is stored as 8 bytes, each with the value &H55. The address &H5555 lies within the variable A[42], which occupies the address range &H5550~&H5557. Therefore, writing the value (-5÷9)×(1E-44) to the variable Z[358] executes the code located inside the variable A[42].

A more convenient place to store machine code programs would be the graphical video memory located between &H5A80 and &H5D80. With the command Plot it is possible to put any value in this area. The Cls command fills it with &HFF values and any bit can be set to zero with the Plot command.

Machine code programs in the video memory can be started with the following relocator routine:

  ORG  &H5555
  LDW  IX,&H5930
  LDW  IY,0
  ADW  IX,&H90
  LDW  IY,&H11
  LDW  IY,0
  ADW  IX,&H90
  LDW  IY,&H11
  LDW  IY,0
  ADW  IX,&H98
  LDW  IY,&H11
  LDW  IY,0
  IJMP IX

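The odd shape of this code is caused by the limited range of values which can be placed into a variable. IX is built up in steps (&H5930 + &H90 + &H90 + &H98 = &H5AE8, the start address of the programs loaded below), and the instructions operating on the IY register are used only to fill the space.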

Entering the relocator program:

  0.3594→A[42]
  1.00419048E41→A[43]~A[44]
  1.00419848E41→A[45]
  1.0007705E41→A[46]

This is how the code looks in memory:

  5550: 99 00 00 00 00 40 59 30
  5558: 41 00 00 48 90 41 00 11
  5560: 41 00 00 48 90 41 00 11
  5568: 41 00 00 48 98 41 00 11
  5570: 41 00 00 50 07 70 00 11

Starting the program:

  (-5÷9)×(1E-44)→Z[358]

The following program, which writes a byte into the video memory, will be used in the examples:

  ORG  &H5AE8
  LDW  IX,&H5B50  ;40 5B 50
  ST   (IX),&HAB  ;D0 AB
  JMP  0          ;70 00 00
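
The BCD limitation described above, as an added Python sketch that is not part of the original page: `encode` maps a typed number to the 8 bytes it occupies, and `literal_for` tells whether a given 8-byte sequence can be typed as a number at all. The byte layout (exponent in the first byte, 13 mantissa digits stored from the last byte backwards, a sign flag in the last nibble) is an assumption inferred from dump rows 5550 to 5568 and the &H55 value; the function names are hypothetical.

```python
from decimal import Decimal

DIGITS = 13  # mantissa nibbles: high nibble of byte 7, then bytes 6 down to 1


def encode(literal):
    """Return the 8 bytes (lowest address first) stored for a nonzero literal."""
    num = Decimal(literal)
    sign, digits, _ = num.as_tuple()
    exp = num.adjusted()  # decimal exponent of the first significant digit
    if (not num.is_finite() or num == 0 or len(digits) > DIGITS
            or not -99 <= exp <= 99):
        raise ValueError("outside the range this sketch handles")
    d = list(digits) + [0] * (DIGITS - len(digits))
    # Flag nibble seen on the page: 0 (+, exp<0), 1 (+, exp>=0), 5 (-, exp<0).
    # 6 for (-, exp>=0) is an extrapolation from those three (assumption).
    flag = (5 if sign else 0) + (1 if exp >= 0 else 0)
    e = exp % 100  # -1 is stored as 99, -45 as 55
    mem = [(e // 10) << 4 | e % 10] + [0] * 6 + [d[0] << 4 | flag]
    for i in range(6):
        mem[6 - i] = d[1 + 2 * i] << 4 | d[2 + 2 * i]
    return bytes(mem)


def literal_for(mem):
    """Return a literal that stores exactly these 8 bytes, or None if none can."""
    if len(mem) != 8:
        return None
    nib = [n for b in mem for n in (b >> 4, b & 15)]
    d0, flag = nib[14], nib[15]
    exp = nib[0] * 10 + nib[1] - (0 if flag in (1, 6) else 100)
    if max(nib) > 9 or flag not in (0, 1, 5, 6) or d0 == 0 or exp == -100:
        return None  # a non-BCD nibble or an unnormalised number
    rest = "".join(str(n) for n in nib[12:14] + nib[10:12] + nib[8:10]
                   + nib[6:8] + nib[4:6] + nib[2:4])
    return f"{'-' if flag >= 5 else ''}{d0}.{rest}E{exp}"


if __name__ == "__main__":
    # Literals for dump rows 5550, 5558 and 5568, then a 13-digit stand-in
    # (constructed) for the value (-5÷9)×(1E-44) written to Z[358].
    for lit in ("0.3594", "1.00419048E41", "1.00419848E41", "-5.555555555555E-45"):
        print(f"{lit:>20} -> {encode(lit).hex(' ')}")
    # The sample program's bytes, taken from its opcode comments.
    print(literal_for(bytes.fromhex("405B50D0AB700000")))
```

The sample program's bytes contain the nibbles B, D and A, so no number stores them, which is why the loaders below build such code bit by bit with Plot.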

Hex loader (1)

This simple loader stores hex values typed on the keyboard into the video memory, starting from address &H5AE8.

Program 0, Mode Comp

  0.3594→A[42]
  1.00419048E41→A[43]~A[44]
  1.00419848E41→A[45]
  1.0007705E41→A[46]
  Range 1,95,0,1,63,0
  Cls
  8→A
  Lbl 0
  53→C
  8→D
  Plot 0,0
  Prog 1
  Lbl 1
  Frac (B÷2)=0⇒Plot A,C
  Int (B÷2)→B
  Isz C
  C=57⇒49→C
  Dsz D
  Goto 1
  Isz A
  Goto 0

Program 1, Mode BASE-n

  Hex
  ?→B
  Dec

Start Program 0 by typing from the command line:

  Prog 0

Now enter the values, each hex byte separately:

  40 5B 50 D0 AB 70 00 00

Finish with Mode 1, then Mode +

Execute the machine code program using:

  (-5÷9)×(1E-44)→Z[358]

After the reboot press G↔T to see the poked value.


Hex loader (2)

Another version, which stores hex values taken from the Program 1 area into the video memory, starting from address &H5AE8.

Program 0, Mode Comp

  Ans→B
  S<2⇒Goto 0
  0.3594→A[42]
  1.00419048E41→A[43]~A[44]
  1.00419848E41→A[45]
  1.0007705E41→A[46]
  Lbl 0
  S=0⇒Goto 1
  Range 1,95,0,1,63,0
  Cls
  8→C
  Lbl 3
  " "
  Dsz C
  Goto 3
  11→A
  Lbl 1
  53→C
  32→D
  B<0⇒B+2xy32→B
  Lbl 2
  Frac (B÷2)=0⇒Plot A,C
  Int (B÷2)→B
  Isz C
  C=57⇒49→C
  Frac ((D-1)÷8)=0⇒Dsz A
  Dsz D
  Goto 2
  A+8→A
  0→S
  Plot 0,0

Program 1, Mode Base-n

  2→S
  Hex
  405B50D0:Prog 0
  AB700000:Prog 0

In Program 1 you can put the code in groups of eight digits (four bytes), calling Prog 0 after each group.

Now execute Program 1. The hex loader is limited to 88 bytes written to a fixed location.


Casio fx-8500G adaptation

The following information was contributed by Nadav Vansover.

The jailbreaking procedure of the fx-8000G requires a slight modification to work on the fx-8500G. Adding a Defm 22 statement at the beginning of the procedure will make it succeed. There should be 6390 free bytes in step 2, and 6774 free bytes in step 12.

A negative side effect of the procedure running on the fx-8500G is a corrupt File Editor. It can still be invoked, but stops working, showing the famous "irregal" error.

While memory locations seem the same for both calculators, there is a consistent shift of 640 positions in array indexes. This means that: