Hack a calculator by inputting data

[Sepehr]

There's a video on YouTube demonstrating an interesting method to hack a Casio fx-82ES B calculator to a higher model, making it possible to calculate definite integrals.
My question is how does it work and how did the video poster find out the exact keys and patterns (and even the number of times to press a certain key) for hacking it?
And does it damage the firmware of the calculator?
Here you can watch the video:

[borjam]

I pulled off a similar trick with a Sharp pocket computer, one of those that are programmed in Basic.

I found that there was no bounds checking for the text input. So if you filled up the input buffer (64 characters if I remember well) and you hit "insert" you begun to read memory outside of the buffer. The first surprise was, I kept inserting out of curiosity until I found the password with which I had stored a program in memory. Moreover, as the insert was shifting contents in memory, it was overwritten with "~~~~~~~~".

With this vulnerability you could hack the computer and access the program. You might corrupt a bit of it, but most of it was unharmed.

[Sepehr]

I pulled off a similar trick with a Sharp pocket computer, one of those that are programmed in Basic.

I found that there was no bounds checking for the text input. So if you filled up the input buffer (64 characters if I remember well) and you hit "insert" you begun to read memory outside of the buffer. The first surprise was, I kept inserting out of curiosity until I found the password with which I had stored a program in memory. Moreover, as the insert was shifting contents in memory, it was overwritten with "~~~~~~~~".

With this vulnerability you could hack the computer and access the program. You might corrupt a bit of it, but most of it was unharmed.

So is the same thing causing this hack in this Casio calculator?
Why does the video uploader tell which keys and how many times to press them if the only thing that matters is filling up the input buffer?

[MK14]

I pulled off a similar trick with a Sharp pocket computer, one of those that are programmed in Basic.

I found that there was no bounds checking for the text input. So if you filled up the input buffer (64 characters if I remember well) and you hit "insert" you begun to read memory outside of the buffer. The first surprise was, I kept inserting out of curiosity until I found the password with which I had stored a program in memory. Moreover, as the insert was shifting contents in memory, it was overwritten with "~~~~~~~~".

With this vulnerability you could hack the computer and access the program. You might corrupt a bit of it, but most of it was unharmed.

So is the same thing causing this hack in this Casio calculator?
Why does the video uploader tell which keys and how many times to press them if the only thing that matters is filling up the input buffer?

The calculator (probably) does NOT let you hack it, as regards the input buffer overflow, in most circumstances.
Except in some VERY rare ways.
So the exact keystrokes, steps it through a sequence, which the original designers of the calculator (software/firmware) overlooked.
The exact values may also set certain variables which happen to be just AFTER (or before or somewhere) the buffer. Which then enables the hacking of it.

Slightly more details here:
https://www.azabani.com/2014/01/02/hacking-casio-fx-82ms.html

It is quite possible other sequences will also hack it. But not ALL sequences, because the calculator probably stops/traps most buffer overflows, just not the one shown.
So they are giving you one of the sequences which work.

N.B. I DON'T know the details of this hack. So it might be different to how I described. But they usually have to be performed exactly (or very similar) as shown or they will tend to not work.
Sometimes people make spoof claims and the hacks are NOT true.

EDIT:
In principal, what you said/think may be correct. Only the early keystrokes and last few keystrokes, may be the critical bits. The bulk of the keystrokes in-between, filling out the buffer, may well NOT matter.
But I DON'T think I have access to that particular calculator to try it.

[borjam]

So is the same thing causing this hack in this Casio calculator?
Why does the video uploader tell which keys and how many times to press them if the only thing that matters is filling up the input buffer?

I don't know for sure, but a buffer overflow is a likely candidate.

In my case (Sharp PC-1430) it's not possible to fill the input buffer just by typing text. But once you have filled it, turns out that the programmers forgot bound checking for the "INS" (insert) key. So, when inserting you really begin to write and read out of bounds.

[Vtile]

I'm not certainly sure, but a calculator hacking were really a hot thing with a HP41, which had entry points (a known bugs of sort) as far as I know and then you could inject your own binary to it. They call it as synthetic programming.

https://en.wikipedia.org/wiki/Synthetic_Programming_(HP-41)

[Yansi]

I have an access to a plenty of fx82 calculators B version, so I can test it out. I am also a proud owner of fx82 A version, I have hacked myself in the early days just twiddling the jumpers inside. I don't know the exact year I have bought that calculator, but I am almost sure it must be over 10 yrs ago! 

[Sepehr]

I have an access to a plenty of fx82 calculators B version, so I can test it out. I am also a proud owner of fx82 A version, I have hacked myself in the early days just twiddling the jumpers inside. I don't know the exact year I have bought that calculator, but I am almost sure it must be over 10 yrs ago! 

Please test it and let me know! I have one, but I'm in the middle of exams and I'm afraid if doing that hack would result in damaging it.

[HighVoltage]

BASIC programmable SHARP calculators had lots of undocumented PEEK and POKE commands to make changes to them.

It was interesting, that you could even use POKE when the calculator was password protected and change the very password without knowing it.
In those days I went through the full code of many Sharp calculators and found lots of interesting stuff.

[borjam]

BASIC programmable SHARP calculators had lots of undocumented PEEK and POKE commands to make changes to them.

It was interesting, that you could even use POKE when the calculator was password protected and change the very password without knowing it.
In those days I went through the full code of many Sharp calculators and found lots of interesting stuff.

My model (PC-1430), however, didn't have PEEK or POKE. Another interesting usage of that buffer overflow technique was access to the whole set of symbols present in the character generator, many of which weren't available through the keyboard. I recall that, curiously, it didn't have the typical function to obtain a character from its ASCII code.

For example the character generator had a "square root" symbol.