Close
0%
0%

Calculator Hack

This project aims to unlock the hidden options of the Casio fx-82ES, such as Complex numbers, Matrix and Vector operations and other.

Similar projects worth following
Scientific calculators are the best -when we know how to use them-, but not all are the same. I've owned one for years, since I started college, and at the time I bought the one that fit my needs, the Casio fx-82ES. While going further with my career I started to use complex numbers (among other things), and it's a heavy math to do on a non-complex calculator, and the Casio fx-991es did had it.
Buy a new calculator? No f** way, it's a lot of money, and a new calculator for just a few more functions.
Luckily my good friend Google came up. My calculator could be transformed into a Casio fx-991es with just pressing some keys.. a lot of them.
However, the problem is that every time it's rebooted/turned off, it goes back to how it was. So every time I needed to use complex I would have to enter the combination.
Never Again!

I already have it working on a breadboard:

I'm waiting for the boards to be released from customs :-/

The total code size is given at the end of the compilation thanks to the cmake-arduino tool, and it's size is ~886bytes. That was double checked with avr-size tool.

Here is an screenshot of the tool:

In the video publish above you can see the power consumption of the while system. About 2uA@3v, and near 1uA on stand by. (Look at the multimeter scale).

The source code, including a detailed explanation of how and why I did what I did is in the bitbucket repository.

  • 1 × Arduino Mini (3.3v @ 8MHz) It's preferred an ATMega328p running at 3.3v@8MHz, because of the power consumption of the regulator and leds on the board
  • 1 × Calculator Casio fx-82es Must be available to open up and solder the lines to the outside
  • 4 × HEF4066 Switches and Multiplexers / Analog Switches and Multiplexers
  • 1 × Push button
  • 1 × 1KOhm resistore
  • 1 × Led Fiber Optics / Emitters to test it
  • 1 × 220 Ohm resistor

  • 1

    The columns and rows names k* and ki* aren't just because, but Those are the names labeled in the calculator board, so I kept them to make things easier.

    For each of them one must solder a cable, like the picture:

    And then, after opening a hole on the calc case, pass the cables (flat cable was my choice) and solder them to a connector. Care must be taken with the names, or you'll have to redo all the config_key.sh file to match the code and the atmega board.


View all instructions

Enjoy this project?

Share      

Discussions

Richard Aplin wrote 01/14/2017 at 12:58 point

Ah this short video looks like someone found a config jumper on the pcb that defines what mode the rom runs in... ? Not really scrutinized, just FYI

  Are you sure? yes | no

Richard Aplin wrote 01/14/2017 at 12:45 point

I guess we're kinda taking the guy's word for it that this is an optimal hack, and that within this button-mashing madness is not actually a much simpler secret backdoor key combo that was left by the programmer. Just throwing that idea out there, because like you my mind boggles at the amount of work to create this if it really is a stack-smashing exploit (which I agree it appears to be).  Even if you had the frickin' source code for the cpu and had it hooked up to a debugger it wouldn't be a trivial exercise...

  Are you sure? yes | no

SopaXorzTaker wrote 01/15/2017 at 17:38 point

Well, I am currently running a project dedicated to find more bugs and loopholes in the firmwares of these calculators, and we already know the CPU and have decompiled the firmware.

  Are you sure? yes | no

SopaXorzTaker wrote 01/13/2017 at 15:15 point

Hello! I started a project aimed to find bugs in the firmware of the fx-ES PLUS models. Would you like to contribute? The calculator model that you are using now is not the right one unfortunately, we look at the fx-(82/991)ES PLUS.

We are trying to find ways to execute arbitrary code on them, and we found many interesting things, for example that the CPU used is based on the nX-U8 architecture and Googling that doesn't yield anything else than datasheets (and our casiocalc.org thread :D). We already have a disassembler written and are currently finding ways actually make the CPU execute the keystrokes as opcodes. You could help with checking them on real hardware :D

  Are you sure? yes | no

esot.eric wrote 01/06/2017 at 07:15 point

Weird! Cool hack, with the auto-entry!

  Are you sure? yes | no

Arduino Enigma wrote 01/06/2017 at 05:31 point

  Are you sure? yes | no

Arduino Enigma wrote 01/06/2017 at 05:31 point

It's a buffer overflow exploit. Brilliant. I wonder how this was discovered. You can see garbage being displayed on the LCD.

  Are you sure? yes | no

Aguilera Dario wrote 01/06/2017 at 06:23 point

Indeed, how someone would discover something like this baffles me. 

  Are you sure? yes | no

Richard Aplin wrote 01/14/2017 at 12:31 point

That is marvelous and insane. It does occur to me that since this is very clearly a mask-rom CPU that's understandably being used in several products, that almost certainly there's a pin or two that's tied high or low to configure it. Rewiring that pin would be an awful lot easier.  However, I see it's a chip-on-board, which may make that impossible.   Anyway yeah, someone figuring out that buffer overflow is beyond crazy.

  Are you sure? yes | no

Does this project spark your interest?

Become a member to follow this project and never miss any updates