Basic overflow is a state of the calculator in which the position of the cursor is larger than the length (in bytes) of the formula in the input area.

Method

For calculators with Σ and [CALC]

Π or or d/dx (the commands which take a formula as input) will also work.

First, find a formula that consists of a Σ without closing parentheses and contains a variable. For example, Σ(X,1,1. Call this ƒ.

Do the following steps:

  • Go to LineIO mode.
  • Enter a formula at least 4 bytes longer than ƒ. For example X=Σ(X,1,123.
  • Press [=] ([EXE] on some calculator models) or [CALC].
  • Enter X=ƒ. Using other variables instead of X is fine. (Note that in this step it's possible to reuse the formula from the previous step, for example by pressing [◀].)
  • Press [CALC] [=]. A Syntax ERROR (or equivalent in other languages) should appear.
  • Press [▶].

For calculators without Σ but with parentheses automatically added on ambiguous division

Try evaluating 1÷3(4). If the calculator changes it to 1÷(3(4)) then that calculator has the feature.

Follow this tutorial on tiplanet.org.

For calculators which can enter mode 68

Do the following steps:

  • Enter mode 68.
  • Choose LineIO input method. (or equivalent)
  • Enter 2^(2, press [=].
  • Press [Shift] [9] [1] [=] [AC] (menu Clear → option Setup → select Yes)
  • Press [▲]. Screen should display 2^(2 now.
  • Press [▶] [▶] [DEL]. Screen should display |⎕^(2.
  • Press [◀] [DEL] [DEL] [◀] to delete ^(2. Screen should display |⎕.
  • Press [▶].

Entering unsupported symbols using the unstable byte

Normally, only some particular symbols can be entered in a particular mode. For example, in COMP/LineIO mode, ∫( can be entered, but the imaginary symbol 𝐢 cannot. Using this method, it is possible to enter any symbol (except the null symbol).

Method:

  • Invoke basic overflow.
  • Put the cursor at index 208. Right after basic overflow is executed, the cursor is before index 208, so it's possible to advance the cursor by repeatedly typing characters.
  • Enter any symbol. This should overwrite the existing token to the right of the cursor.
  • Do nothing; wait for the cursor to flash.
  • Use [◀] or [▶] to move the cursor. The symbol entered will be advanced according to the symbol table.
  • After having obtained the correct character, it's possible to press [DEL] when the cursor is before the character to shift the character back.

Pressing [=] when there are more than 99 characters on the screen

Note: For more information about the registers pc, lr, csr, lcsr, see pages 1-8 to 1-10 (18-20) of the nX-U8/100 Core Instruction Manual.

The part of the calculator RAM after 0x8154 (input area), which includes the calculator stack, is filled with repeated copies of the 100 bytes at 0x8154 - 0x81B8.

Because the stack is corrupted, when pop pc is executed, it is possible to execute code at a chosen location. Usually, it is desirable for the destination to be one of the following:

  • Some commands, and pop pc. In this case, it is possible to execute those commands, then jump to another chosen location.
  • Right after the push lr command of a function. Similar to the above, the calculator will execute the specified function, then jump to another chosen location.
  • Some commands, and rt. After executing those commands, the code at the address of lcsr:lr will be executed, therefore it is necessary to make lcsr:lr have a "good" value (usually at a pop pc command) before having this destination in the ROP chain.
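The fill described in this section can be modelled to see why every stack slot becomes a function of the input area. This is an added example, not code from the original page; the end of the modelled RAM (0x8E00) and the stack slot address (0x8D9C) are constructed values chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INPUT_BASE 0x8154u /* start of the input area (from the page) */
#define INPUT_LEN  100u    /* 0x81B8 - 0x8154 (from the page) */
#define MODEL_END  0x8E00u /* assumption: end of the modelled RAM */

static uint8_t ram[MODEL_END - INPUT_BASE];

/* Tile the 100 input bytes over all modelled RAM above the input area. */
void tile_fill(const uint8_t *input)
{
    memcpy(ram, input, INPUT_LEN);
    for (size_t off = INPUT_LEN; off < sizeof ram; off++)
        ram[off] = ram[off - INPUT_LEN];
}

/* Index of the input byte that lands at addr after the fill. */
unsigned source_index(uint16_t addr)
{
    return (unsigned)(addr - INPUT_BASE) % INPUT_LEN;
}

/* Byte stored at addr in the modelled RAM. */
uint8_t ram_byte(uint16_t addr)
{
    return ram[addr - INPUT_BASE];
}

/* A 2-byte slot starting on input index 99 takes its second byte from index 0. */
int word_straddles_copy(uint16_t addr)
{
    return source_index(addr) == INPUT_LEN - 1;
}

int main(void)
{
    uint8_t input[INPUT_LEN];
    uint16_t slot = 0x8D9Cu; /* hypothetical stack slot, constructed for the demo */

    for (unsigned i = 0; i < INPUT_LEN; i++)
        input[i] = (uint8_t)i; /* constructed marker pattern: byte value = index */
    tile_fill(input);
    printf("slot 0x%04X holds input[%u] = %u, straddles = %d\n", (unsigned)slot,
           source_index(slot), (unsigned)ram_byte(slot), word_straddles_copy(slot));
    return 0;
}
```

With the marker pattern, the value read back from any address is the index of the input byte that supplied it, which is how the content of a given stack slot can be traced to a position in the input area.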