So to extract the OS from the installer provided on Casio's website, you'll need prizmosdecomp, but it only works with OS 1.02 and lower. Today, I found the way for OS 1.03 and later.

So you'll need the .exe on Casio's website; it's a simple InstallShield wizard. From here, the manipulations are similar to OS 1.02: run the executable until you have the "connect your calc" screen and you'll find files in C:\Documents and Settings\<your login>\Application Data\CASIO\fx-CG10 OS Update\{EF1BD945-AF60-43FD-A487-0D430D3D7911}. But this time, you'll find fx-CG Series OS Update.msi and 1036.MST. The .msi one is the file responsible for the "connect your calc" screen, so it must contain the OS.

You'll want to extract it with an MSI extractor instead of running it; in my case I used Universal Extractor. Run it on the .msi you got and you should get those files. (In my case, I ran it in a Windows XP VM, then shared a folder with the Mac OS X host, hence the UNIX commands.)


Code:
miku:fx-CG Series OS Update julien$ ls -l
total 22832
-rw-r--r--  1 julien  staff   169272 20 sep 13:44 Binary.ISSELFREG.DLL
-rw-r--r--  1 julien  staff  1965158 20 sep 13:44 Binary.ISSetup.dll
-rw-r--r--  1 julien  staff    58680 20 sep 13:44 Binary.ISSetupFilesHelper
-rw-r--r--  1 julien  staff     1033 20 sep 13:44 Binary.NewBinary1
-rw-r--r--  1 julien  staff     4534 20 sep 13:44 Binary.NewBinary10
-rw-r--r--  1 julien  staff     4534 20 sep 13:44 Binary.NewBinary11
-rw-r--r--  1 julien  staff     3262 20 sep 13:44 Binary.NewBinary12
-rw-r--r--  1 julien  staff      766 20 sep 13:44 Binary.NewBinary13
-rw-r--r--  1 julien  staff      766 20 sep 13:44 Binary.NewBinary14
-rw-r--r--  1 julien  staff      766 20 sep 13:44 Binary.NewBinary15
-rw-r--r--  1 julien  staff      766 20 sep 13:44 Binary.NewBinary16
-rw-r--r--  1 julien  staff      766 20 sep 13:44 Binary.NewBinary17
-rw-r--r--  1 julien  staff      766 20 sep 13:44 Binary.NewBinary18
-rw-r--r--  1 julien  staff      318 20 sep 13:44 Binary.NewBinary2
-rw-r--r--  1 julien  staff    15368 20 sep 13:44 Binary.NewBinary21
-rw-r--r--  1 julien  staff     3340 20 sep 13:44 Binary.NewBinary22
-rw-r--r--  1 julien  staff      318 20 sep 13:44 Binary.NewBinary3
-rw-r--r--  1 julien  staff     3262 20 sep 13:44 Binary.NewBinary4
-rw-r--r--  1 julien  staff     4534 20 sep 13:44 Binary.NewBinary6
-rw-r--r--  1 julien  staff      766 20 sep 13:44 Binary.NewBinary7
-rw-r--r--  1 julien  staff      766 20 sep 13:44 Binary.NewBinary8
-rw-r--r--  1 julien  staff    10134 20 sep 13:44 Binary.NewBinary9
-rw-r--r--  1 julien  staff   128320 20 sep 13:44 Binary.SetAllUsers.dll
-rw-r--r--  1 julien  staff   418098 20 sep 13:44 Data1.cab
-rw-r--r--  1 julien  staff  7887872 20 sep 13:44 ISSetupFile.SetupFile1
-rw-r--r--  1 julien  staff    65536 20 sep 13:44 ISSetupFile.SetupFile2
-rw-r--r--  1 julien  staff   757808 20 sep 13:44 ISSetupFile.SetupFile3
-rw-r--r--  1 julien  staff   110592 20 sep 13:44 Icon.ARPPRODUCTICON.exe


Okay, now we're wondering which one the OS is, or if it's even in a DLL; the filenames aren't helping. Let's find out.


Code:
miku:fx-CG Series OS Update julien$ file *
Binary.ISSELFREG.DLL:      PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Binary.ISSetup.dll:        PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Binary.ISSetupFilesHelper: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Binary.NewBinary1:         JPEG image data, JFIF standard 1.02
Binary.NewBinary10:        MS Windows icon resource - 2 icons, 48x48, 256-colors
Binary.NewBinary11:        MS Windows icon resource - 2 icons, 48x48, 256-colors
Binary.NewBinary12:        MS Windows icon resource - 1 icon
Binary.NewBinary13:        MS Windows icon resource - 1 icon
Binary.NewBinary14:        MS Windows icon resource - 1 icon
Binary.NewBinary15:        MS Windows icon resource - 1 icon
Binary.NewBinary16:        MS Windows icon resource - 1 icon
Binary.NewBinary17:        MS Windows icon resource - 1 icon
Binary.NewBinary18:        MS Windows icon resource - 1 icon
Binary.NewBinary2:         MS Windows icon resource - 1 icon
Binary.NewBinary21:        JPEG image data, JFIF standard 1.01
Binary.NewBinary22:        JPEG image data, JFIF standard 1.01
Binary.NewBinary3:         MS Windows icon resource - 1 icon
Binary.NewBinary4:         MS Windows icon resource - 1 icon
Binary.NewBinary6:         MS Windows icon resource - 2 icons, 48x48, 256-colors
Binary.NewBinary7:         MS Windows icon resource - 1 icon
Binary.NewBinary8:         MS Windows icon resource - 1 icon
Binary.NewBinary9:         MS Windows icon resource - 6 icons, 16x16, 16-colors
Binary.SetAllUsers.dll:    PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Data1.cab:                 Microsoft Cabinet archive data, 418098 bytes, 2 files
ISSetupFile.SetupFile1:    PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
ISSetupFile.SetupFile2:    PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
ISSetupFile.SetupFile3:    Dyalog APL version 189 .175
Icon.ARPPRODUCTICON.exe:   PE32 executable for MS Windows (GUI) Intel 80386 32-bit


Most of them are DLLs and icon resources... oh wait, what is ISSetupFile.SetupFile3? I'm pretty sure I saw this filetype somewhere else.


Code:
[julien@haruhi demo]$ file demo.g3a
demo.g3a: Dyalog APL version 189 .175


ISSetupFile.SetupFile3 is detected as having the same file format as a g3a add-in, so it must be our OS.

There we go, we have our OS binary, so have fun ^_^
Very cool stuff, Juju; thanks for sharing! That seems like something that should end up on a WikiPrizm page, if you happen to have the time to copy-and-paste it over there. So now we need to know what exactly we can do with the OS; a full disassembly might be a good start towards finding out what features and system calls we haven't found in our investigations yet.
OS 1.03 shouldn't be too different from OS 1.02 (and Simon and others have disassembled that already, otherwise we wouldn't know about most syscalls). OS 1.04, however, looked a bit different (at least in terms of translations, so they may have changed something else) when I saw it on a mate's Prizm.
Quote:
ISSetupFile.SetupFile3 is detected as having the same file format as a g3a add-in, so it must be our OS.


Sure, it seems like an OS, but which?

There is an OS update payload and the OS itself. I would first assume that this is the updater, not the Prizm OS.
At this point I'd say the updater loaded on the calc (and IMO, it makes sense to have the updater be run like an add-in) may be more interesting than the OS itself...
Remember that both are OSes. The updater will have the USB code, the protocol (MSD UFI/P7), as well as flash routines and restart sequence.
Hey you might be right. There's a 7MB DLL next to it, I might check if it works with prizmosdecomp.
Hi guys, I want to let you know that I hacked Goplat's tool (he didn't respond for months) to support newer Prizm DLLs and even fx-9860G/GII ones.

Have a look here: http://ourl.ca/17058/317420
Cfxm, do you mean that you decompiled it and recompiled it? What did you need to change/add for the new support?
Quote:
Cfxm, do you mean that you decompiled it and recompiled it? What did you need to change/add for the new support?

Well, I just had to change a few bytes. What resource IDs, for loop index, what "magic byte" - something missing from the compressed resources, but essential and included in a simple routine inside the DLL.

Used: IDA disassembler 6.1 + hex-rays decompiler (big help as I'm not very experienced in x86 asm) + WinHex hex-editor.
I think ISSetupFile.SetupFile1 is the OS updater (and it seems to contain the OS inside, because it's the file with biggest size; or did Casio split the OS among multiple files?).
After disassembling this file with a resource extractor, there's one big resource with 5,2 MB. I'm doubtful the OS only takes 5,2 MB... but everything's possible as you're going to see:

On this resource, at offset 175F9, there's a more or less readable string: "Getke"... and at 176EC, "LoweE[0x01]Up=" (go to the Equation menu, press F3... there you have Lower and Upper).
More interesting "broken strings" at offsets: 13ECC, 153BD, 15884.
And if you ever see a complete OS crash at startup, it will most likely look like "OS ERROR"\n"Please update" (see offset BEF1).

Do I need to go on? (I just didn't expect the OS to take 5,2 MB when something like Physium takes more than 1MB. May it be compressed?).

Next to this big resource in the DLL, there's a 50 KB one which seems to be the OS update payload AHelper described. It seems to contain code for USB communication, judging by the "CASIO ColorGraph" string that appears at offset 0x7507. "RENESAS SH7355" is at offset 0xB3A8.

Let's now look at the remaining files that aren't installer resources.
ISSetupFile.SetupFile2 may be some kind of library for communicating with the Prizm when it is in OS Update mode (Protocol 7).

ISSetupFile.SetupFile3 is the new Geometry.g3a for OS 1.04. It doesn't seem to be packed in anything.

Have fun!

EDIT: forgot to say, but the offsets are for OS 1.04 CG20. The procedure for extracting it should be the same for all OS (and cfxm's hacked Goplat's tool probably already does it, I just wanted to go the manual way to understand how it's done).
That garbled text is probably the result of a form of compression. Since Casio uses zlib in the OS, I would guess that the OS updater uses it as well. Also, the OS should be over 10MB in size when on-calc.
At the end of the 5,2 MB file, I see some sort of repetitive padding which I think wouldn't be present if the file was compressed. However, that padding may be outside the part that is flashed on the calc and outside the compressed section.

Is there a way to check for zlib compressed stuff? Some sort of signature?
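On the signature question in the post above, an added example (not code from this thread or from any tool mentioned in it): a zlib-wrapped stream (RFC 1950) starts with a two-byte header whose low nibble is 8 and whose 16-bit value is a multiple of 31, so a blob can be scanned for candidates and each one confirmed by inflating it. The function names and the sample blob are constructed here, and whether the resource discussed in the thread uses this wrapper is an assumption; a raw deflate stream without the header would not be found this way.

```python
import zlib

def is_zlib_header(cmf: int, flg: int) -> bool:
    # RFC 1950: CM (low nibble of CMF) is 8 for deflate, CINFO (high nibble)
    # is at most 7, and CMF*256 + FLG must be a multiple of 31.
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def find_zlib_streams(blob: bytes, min_output: int = 64):
    """Return (offset, compressed_len, decompressed_len) for every candidate
    header that inflates to a complete stream with a valid Adler-32 trailer."""
    hits = []
    view = memoryview(blob)          # slicing a memoryview avoids copying
    pos = 0
    while pos < len(blob) - 1:
        if is_zlib_header(blob[pos], blob[pos + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(view[pos:])
            except zlib.error:
                pos += 1             # header bytes matched by chance
                continue
            # d.eof is only set when the stream ended cleanly; anything after
            # it (e.g. padding) is left in d.unused_data.
            if d.eof and len(out) >= min_output:
                used = len(blob) - pos - len(d.unused_data)
                hits.append((pos, used, len(out)))
                pos += used          # skip past the confirmed stream
                continue
        pos += 1
    return hits

# Constructed sample: zero padding, one compressed payload, then 0xFF padding
# standing in for repetitive filler at the end of a resource.
PAYLOAD = b"OS ERROR\nPlease update\n" * 40
COMPRESSED = zlib.compress(PAYLOAD, 9)
SAMPLE = b"\x00" * 300 + COMPRESSED + b"\xff" * 256

if __name__ == "__main__":
    for offset, clen, dlen in find_zlib_streams(SAMPLE):
        print(f"zlib stream at 0x{offset:X}: {clen} bytes -> {dlen} bytes")
```

A hit that inflates cleanly and leaves the trailing padding in `unused_data` matches the situation described in the post: compressed data followed by uncompressed filler.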
KermM knows, but he refuses to say anything on that topic.
AHelper wrote:
KermM knows, but he refuses to say anything on that topic.
Kerm isn't saying because he doesn't want it to be too easy for people to replicate his work in decoding the .g3b/p format, not that he has done so. I have a very vested interest in keeping Casio happy with us.
my question: why decrypt? Just dump the ROM from the Prizm. Done. The payload shouldn't be compressed at all.
And instructions on dumping the ROM from the Prizm are here... oh wait, they aren't.

Looks like here you won't do more than code games. I should have taken that conclusion from my image viewer development efforts, anyway.

EDIT: Goplat's tool hacked by cfxm properly extracts the resources from the DLL, and also properly decompresses them. The size of the resulting OS file is 11,9 MB, as expected.
  