I always wondered something about the Casio CFX series of calculators, which were the ones with a color screen. They do not support ASM language natively, but it is possible to run ASM on it if we touch the ROM. But that process requires opening the calc. Not everyone wants to do that just to run assembly on their machine.
 
The TI-82 and 85 calculators won't natively support assembly execution and the TI-73 only supports it through add-ins (which, on TI calcs, are called Flash applications or Flash apps). However, since the mid 1990's, it's possible on the TI-82 and TI-85 and since 2005 on the TI-73. Those calcs allows you to send RAM backups to your computer or vice-versa. However, it is even possible to send hacked backup files to the calculator (modified on the computer)! I do not know how it works and what the backup contains because I am ASM-illiterate, but basically it inserts some sort of shell on your calculator that lets you select assembly games compiled for use with that shell. For the TI-82 there's CrASH and a few others and for the TI-85 there's Zshell and a few others, Zshell dating back in 1994.

So here's the question: Has such method ever been attempted on the CFX-9850G series? The CFX series dates back in 1996 and has been discontinued for a while, so we would expect such hacking attempt to have been done, but the Casio community is much smaller than the TI community, which means there are much fewer developers who could have potentially tried every possible idea. This calc is discontinued so it has a much smaller userbase, but after all, the TI-81 was hacked 19 years after launch. So I was wondering if it would be worth a try to attempt at bringning ASM on the CFX series in the same way people did in 1994-95 on the TI-85 and some other calcs?

Since ASM allows more controls, maybe games could have sprites and even full control on the 4 levels of contrasts, allowing things such as this (but blurrier):


Or if the calc CPU and LCD driver are fast enough, we could even adapt some TI-83 Plus grayscale display methods (alternating a checkered pattern) to display extra colors on the CFX screen like this (note, swapping between colors would only really work well between adjacent colors)?


I do not know if that would be realistic and worth it, but on a hacking point of view, I think it might be worth a try. If TI-82/85, then why not CFX?

First up, some documentation. What I write pertains to the CFX-9850GB PLUS, though some of it applies in part to the CFX-9850G (note, no PLUS here).

I'm really only aware of two hacks that can be done w/o a cable.

Get your pencil ready, because you'll be hitting the reset button a lot here. You will be crashing your calculator like mad.

First one is the DrawDyna hack, which allows you to look at RAM.
Use up at least 16KB of RAM (a 32x64 matrix will work), then set graph Y1=0. Make a program that just does DrawDyna, and run it. Once it's rendered, AC/ON to break, then tap left or right. You're now looking at RAM.

This is often used to enable "XMS" (eXpanded Matrix System) which is a way of screwing around with RAM using a matrix (I did not call it this, it's possibly the most well-known CASIO hack and it can be done by sending a modified backup back to the calc). There's some information somewhere, and if you intend on doing this, I suggest this setup of matrices:

Mat A = 1 x 1
Mat B = 1 x 2
Mat C = 2 x 1
Mat D = 2 x 2
Mat E = 32 x 64

Look for something that looks a bit like ffpffppp or fffppfpp, then change the first two "f" s (they're femtos) to the Pol( symbol or something like that (OPTN -> angl -> Pol(, yes that parenthesis is there). Note that you'll be looking at RAM backwards. This could be useful if you have a software library and want to find out the passwords or depassword a program (you can look up the passwords of the software library programs on the net - search for "20397551 casio" w/o quotes, that's the AU MANDLBRT program password btw).

If you're interested: Try filling the area you're first presented with, with a few simple notes (say, H^2 = A^2 + B^2). Then reset. Then do the hack again. It'll still be there. (A 32KB CFX actually has 128KB of RAM, apparently, though I'm not sure if this is what causes it.)

Now for the second hack - the Fill hack.
The second hack WILL break the first so be VERY SURE you're not worried about it. If you have a cable, I suggest you back up your calc. Fortunately, I have, though I've yet to restore the image (my friend has a cable).

Go to the matrix menu, then select Mat A. Type: 20, right, MENU. (You want a something-by-0 uninitialised matrix.) Now go into RUN mode and use the matrix Fill( command. What you want is something like this:
Fill(1.11111111111111,Mat A)
It'll put a bit of light garbage on the screen and then do some stuff for quite some time. Then it'll return with a Syn ERROR.

Congratulations, you've just broken the DrawDyna hack. But on the other hand, you've got a hack which can do some truly weird stuff. Try deleting things from the memory menu.

An observation.

I've seen some truly bizarre stuff done to the screen, including the LCD going out of phase and scrolling out, then turning off. But in some glitchings, I've encountered a very unusual situation, where if I select anything on the menu, it does a glitch sequence, then goes through to the menu item. I'm thinking this could be a possible entry point, but I'd need to somehow send a backup to work that out, and I'd have to go to my mate's place to do that.

So yeah, those are my notes on this topic so far.

EDIT: Oh yeah. If someone is able to do a ROM dump, I would MUCH appreciate one from a PLUS model (fx-9750G, CFX-9850G, CFX-9850GB, CFX-9950GB, either of the latter two would be brilliant as they're basically the same calc but with a wire link setting changed). Apparently the ROM isn't one of those stupid black blob things, but an actual chip.

Yeah I saw those websites, but his ideas seemed to involve modifying the ROM chip, which my topic idea tries to avoid (not everyone have electronic knowledge or the tools to perform hardware mods). ON the TI-85, you don't even need to open your calc with a screwdriver or anything like that: you just send a modified RAM backup file using a linking software.

I am fully aware of those two websites, and I think I'll look at Marco's site again for the time being because it might be quite useful.

I've attempted to use the matrix fill bug to overwrite stack, and I've tried two approaches.

First approach was to jump around enough "Do"s (start of a Do/LpWhile x loop), do a dodgy fill, and then do enough "LpWhile x"s to somehow screw something over. It reports a Syn ERROR.

Second approach was to do enough Prog "" calls (I did and then do a dodgy matrix fill. It also reports a Syn ERROR. I suspect this stores the program name.

Something I've noticed: If you try to use a LpWhile to jump to a While or anything that isn't a Do, it'll throw a Syn ERROR. I believe there's something that's noted down.

I believe that the entries put on the stack (start from top and go down - the other way is what I call the "heap") when you do a Do/While/For are 3 bytes long. I suspect two bytes are used for a code pointer and one byte is used as a check. If this is true, then there were 31 bytes it could not chew.

Here's something you might find useful:

Clear draw memory, then do: PxlTest 1,1 (it's under Sketch / shift-f4). You'll get a Mem ERROR, but it'll show a piece of RAM. Note that the screen goes from the bottom-right, up first, and then left. I believe there's two layers here, one following another (unlike draw memory which is 4 layers), so if you have an fx-9750G PLUS then it might be a bit easier to observe stuff.

I can't seem to get a good shot of some stack-flooding session, though. Maybe I need to borrow a friend's "press button to spam photos" camera.

By the way I tried the DrawDyna thing and for me I could move around weird code in the program after following your steps. Other operations such as choosing a main menu option froze the calc, tho.

Critor on TI-BANK website has posted a tutorial to turn a FX-9750GII into a FX-9860GII (without the backlight). On the 9750GII there is flash memory but it is not useable by the user. It has enough to turn the calc into a 9860GII and even use add-ins.

Original discussion in english can be found at http://www.casiocalc.org/?showtopic=4959 and the tutorial in french at http://casio.bank.free.fr/index.php?mod=news&ac=commentaires&id=13

I wonder if Martin actually has ROM dumps?

Quote from: DJ_O on February 28, 2011, 04:16:36 pm

I wonder if Martin actually has ROM dumps?

Hello,
I have ROM dump of the cfx9850G from 1997. This model has physically 32 KB RAM (not 128 KB as written above).
I tried many examinations of ROM to enable asm on original device and I did nearly proof, that this is not possible (on the old models).

Does some kind of emulato exist for those models?
What's the CPU?