Read the ROM of 570ES+ calculator【fx-es(ms)吧】

So, by now, there are some methods that the group can't find, right? For example, large-font 3-line ASCII spelling (if there are enough memory) or the bug at http://tieba.baidu.com/p/5010239187 . This will allow us to find those.
I have asked this to the group several times, and receive no answer. Either because you can't understand what I'm saying, or you don't want to.
Method:
In 100 effective (有效) characters, first 52 characters enter randomly (随便打).
6 next characters from 53 to 58 enter Ans →M 0 0 0 0
4 next characters from 59 to 62 enter randomly.
2 next characters from 63 to 64 control number of bytes.
8 next characters from 65 to 72 enter randomly.
3 next characters from 73 to 75 enter ³√( →M 0
7 next characters from 76 to 82 enter randomly
5 next characters from 83 to 87 enter cm→in @ (character 8D, right after Ran#) m→n mile →D 0
Remaining 13 characters from 88 to 100 enter randomly.
2 characters from 63 to 64 is in little endian. For example, if those are "4 sin(" = (34 A0), then the result show on the screen is 3030 (in hexadecimal), subtract the sum of A034 first bytes of segment 0 (from byte 0000 to A033), subtract the sum of about FFFC first bytes of segment 1.
In particular, here are some results:
- Number of bytes - Checksum -
A033 - CF26
A034 - CE55
A035 - CE55
A036 - CD73
A037 - CC8E
A038 - CB9E
Thus we can conclude 5 bytes from A033 in segment 0 is (D1 00 E2 E5 F0). Comparing to the emulator's ROM (program/code memory space) we can find those bytes at addrss A958.
First I want to find those things (on real calculator, but have to find them on emulator first):
1. Procedure to copy from the screen buffer to the screen.
2. Procedure to reset the calculator.
3. "Wait" procedure. (until user press [Shift] or [AC], etc.)

Sorry, I misunderstood you. The method at http://tieba.baidu.com/p/5010239187/ is already known to the group.

If you overclock the calculator, does the cursor flash faster?
@光光Jerry [Quote] "I do not really know the method or on other calculators."
And what I want to say is a method to find bugs, not any particular bug.
I think I will do dynamic ASCII. But first I have to find the "wait" command.
[Quote] "不过Wuyd确实对拼字没兴趣,纯娱乐没实际意义.(不是我的观点)" So is there anything else found by this group, and what are you going to do? Remember it is impossible to execute assembly, however. Classwiz may be possible.

Continue - Result:
- number of bytes -
9890 ---- 4379 ---- 10
9891 ---- 4369 ---- 90
9892 ---- 42D9 ---- F5
9893 ---- 41E4
C701 ---- 5B9D ---- 2C
C702 ---- 5B71 ---- 00
C703 ---- 5B71 ---- 70
C704 ---- 5B01 ---- 06
C705 ---- 5AFB
34B3 ---- 5263 ---- 0A
34B4 ---- 5259 ---- 00
34B5 ---- 5259 ---- 0C
34B6 ---- 524D

C705 ---- 5AFB ---- C8
C706 ---- 5A33 ---- 88
C707 ---- 59AB
==> C702 re (real calculator) = D4C4 im (emulator). Diff(difference) = DC2.
98B2 ---- 3525 ---- 13
98B3 ---- 3512 ---- 71
98B4 ---- 34A1 ---- 05
98B5 ---- 349C ---- C8
98B6 ---- 33D4 ----
==> 98B2 re = A1D6 im. Diff = 924.

It appears that no one understand what I am doing. I will just post this as an archive.
3641 to 3648:
checksum A713 A623 A60D A55E A55C A55C A4CE A3DC
bytes F0 16 AF 02 00 8E F2 ??
correspondence
0:3644 re = 0:3750 im, diff = 10C
0:AF16 re = 0:B83A im, diff = 924

You may still remembers the "secondary character mode" at post (楼) 31 at tieba.baidu.com/p/1949542063
After some time of manually decompiling the necessary parts of the calculator program, I found out that the controlling byte is 8127h. 0 for input, 1 for output.
We should call that "secondary character" instead of calculator ASCII, because that is different from calculator ASCII.
Here are some code from 570vn+ emulator:
0086FA 5E 78 CMP R8, #94
0086FC 02 C1 BC LT, 08702h
0086FE C0 78 CMP R8, #192
008700 08 C1 BC LT, 08712h
008702 01 04 MOV R4, #1
008704 E0 78 CMP R8, #224
008706 01 C1 BC LT, 0870Ah
You can see, it is identical to input character for 94 <= character < 192 (5Eh <= character <= C0h, for example "sin(" or "Pol(" is not changed to "⁰" or "l", but "!" is changed to "W".
So, the important command is
0086F4 10 90 27 81 L R0, 08127h
0086F8 0C C9 BC EQ, 08712h
If [8127h] is not zero, then we are in secondary character mode. Good.
I will post secondary mode + unstable character guide later.

checksum procedure: (re ---- im ---- diff) = (4922 ---- 4A30 ---- 10E)
Edit post 1: (A033 ---- A957 ---- 924).
number of byte: 5E41 -> 5E4A:
793C 784C 77A7 76B7 76B6 75C6 751A 7491 748D 73AC
Bytes: F0 A5 F0 01 F0 AC 89 04 E1
correspondence:
89AC ---- 92D0 ---- 924
5E41 ---- ???? ---- ????
As usual, there are little concern on programming and disassembling. And you don't know the ability of your findings. For example your 3-line spelling on 991 es plus (991es+) (I should call "error zone spelling" - 报错区拼字) can read up to 32 bytes of memory (ROM), at different position, at once. Perhaps more than 32 times faster than my method. (unfortunately 0x8000 first bytes of segment 0 only)

991es+ - Shifted display range:
From the first effective character, first 52 characters enter randomly, then Ans →M 0 + ! e++++1e++++++++ sinh^-1( →M 0 + ^ √( 0 +, last 20 characters enter randomly.
[ac] [left] [=] as usual. e is 2.718281828....
Change !e to other values will shift left and right.

Can anyone describe the phenomenon of method "编辑ASCII模式" in http://tieba.baidu.com/p/1800667172 ? Preferably by a video. I don't have 82es+ so I can't try this. And is there anything similar on 991es+? Is "二级字符模式" in http://tieba.baidu.com/p/1949542063 similar?
By the way the "secondary ASCII mode" (二级字符模式) does not exist in LineIO mode, so combine that with unstable character is hard. (MthIO overflow can't see input) In MthIO it is controlled by byte 8123 on 991es+ and byte 8127 on 570vn+.

Is 119 still possible on ES PLUS or Classwiz series? (cannot unlock even with Shift+7+On)
Classwiz fx-991ex emulator checksum procedure position is 02:3c36.
The 68 MthIO mode (Method: www.

texpaste.

com/n/ymsl53wd ) is mode E8 = 224 (as if COMP is C1 = 193). I found it by method ×5×5 in that mode.

It appears that, on fx-991EX PLUS, segment 0 program/code memory space is accessed as segment 5. Segment 1, 2, 3 is accessed normally. I hope that segment 4 is actually modifiable.
02:3C36 is the position of the diagnostic procedure on the emulator as I said before, that corresponds to 6 C 2. I'm afraid that this version need to use @ (02) instead of 2.
C can be get by ɣp, and @ (02) can be get by conversion length 2.
The important characters are 115, 116, 117.

I know this topic is quite old, but I don't want the information to be scattered.
All correspondences found: (use fixed width font for better view)
re-- --- im-- --- diff
27fa --- 298c --- 192
3485 --- 8617 --- 192
3518 --- 3624 --- 10C
479c --- 48a8 --- 10c
4922 --- 4A30 --- 10E
4c34 --- 4d42 --- 10E
5E41 --- 6583 --- 742
7777 --- 7eb9 --- 742
7fc2 --- 88e6 --- 924
AF16 --- B83A --- 924
b642 --- bf68 --- 926
C702 --- D4C4 --- DC2
------ Segment 1 ------
0cc2 --- 0cc2 --- 0
54ee --- 54ee --- 0
I won't post the information from the calculator, because it is quite long.
By the way I notice a small mistake in a ASCII font picture. Byte 0C and 0D, small font.
You should check that again on 991ES PLUS, as it may be different from my 570ES PLUS.

Also, there is a misalignment in line 20 - 2F, large font. (the pixels are shifted right for 2 pixels)
When do spelling hack, you may never use any garbled character, but for ROM reading it is necessary.

视频来自：优酷

2 garbled characters appears because of mistake, can be removed.
How can I insert a video without youku, like in tieba.baidu.com/p/5072176315 ?

http://tieba.baidu.com/p/2960346565
No one see the above post? Infinite dynamic ASCII.
What about this? (my calculator screen is normal)

日	一	二	三	四	五	六

Read the ROM of 570ES+ calculator

扫二维码下载贴吧客户端