Basic overflow is a state of the calculator in which the position of the cursor is larger than the length (in bytes) of the formula in the input area.

Method

For calculators with Σ and [CALC]

Π or d/dx (or any other command that takes a formula as input) will also work.

First, find a formula consisting of a Σ without closing parentheses that contains a variable, for example Σ(X,1,1. Call this ƒ.

Do the following steps:

  • Go to LineIO mode.
  • Enter a formula at least 4 bytes longer than ƒ, for example X=Σ(X,1,123.
  • Press [=] ([EXE] on some calculator models) or [CALC].
  • Enter X=ƒ. Using other variables instead of X is fine. (Note that in this step it is possible to reuse the formula from the previous step, for example by pressing [◀].)
  • Press [CALC] [=]. A Syntax ERROR (or its equivalent in other languages) should appear.
  • Press [▶].

For calculators without Σ but with parentheses automatically added on ambiguous division

Try evaluating 1÷3(4). If the calculator changes it to 1÷(3(4)), then that calculator has the feature.

Follow this tutorial on tiplanet.org.

For calculators which can enter mode 68

Do the following steps:

  • Enter mode 68.
  • Choose the LineIO input method (or equivalent).
  • Enter 2^(2, press [=].
  • Press [Shift] [9] [1] [=] [AC] (menu Clear → option Setup → select Yes).
  • Press [▲]. Screen should display 2^(2 now.
  • Press [▶] [▶] [DEL]. Screen should display |⎕^(2.
  • Press [◀] [DEL] [DEL] [◀] to delete ^(2. Screen should display |⎕.
  • Press [▶].

Entering unsupported symbols using the unstable byte

Normally, only certain symbols can be entered in a given mode. For example, in COMP/LineIO mode ∫( can be entered, but the imaginary symbol 𝐢 cannot. Using this method, it is possible to enter any symbol (except the null symbol).

Method:

  • Invoke basic overflow.
  • Put the cursor at index 208. Right after basic overflow is executed the cursor is before index 208, so it is possible to advance the cursor by repeatedly typing characters.
  • Enter any symbol. This overwrites the existing token to the right of the cursor.
  • Do nothing; wait for the cursor to flash.
  • Use [◀] or [▶] to move the cursor. The symbol entered advances through the symbol table.
  • Once the desired character has been obtained, press [DEL] with the cursor before the character to shift the character back.

Pressing [=] when there are more than 99 characters on the screen

Note: For more information about the registers pc, lr, csr and lcsr, see pages 1-8 to 1-10 (18-20) of the nX-U8/100 Core Instruction Manual.

This only applies to the ES PLUS calculators. EX calculators have 200 bytes of memory for the input and last-formula areas.

Normally, the input area (a 100-byte char array starting at 0x8154) is copied to the cache (last formula) area (a 100-byte char array starting at 0x81B8, right after the input area) using an implementation of `strcpy` that looks like this:

char* strcpy(char* dest, char* src){
  char* olddest=dest;
  char tmp;
  do{
    tmp=*src;*dest=tmp;   /* copy one byte, including the terminator */
    ++src;++dest;
  }while(tmp!=0);         /* no length limit: stops only at a 0 byte */
  return olddest;
}

As you can see, when the input area holds 100 bytes with no terminating 0 and strcpy(0x81B8, 0x8154) is executed, the first 100 bytes are copied over and over: the destination starts exactly 100 bytes after the source, so every byte written into the cache area is read back as source 100 iterations later, and the copy never finds a terminator.

However, the memory from address 0x8E00 to 0xEFFF is not writable, and reading from it always gives 0, so strcpy stops as soon as the source pointer reaches 0x8E00 and reads a 0 byte.

After that, the part of the calculator RAM after the input area (from 0x8154 up to 0x8E00), which includes the calculator stack, is filled with repeated copies of the 100 bytes in 0x8154 - 0x81B8.

Because the stack is corrupted, the return address taken by the next pop pc comes from the repeated formula bytes, so it is possible to execute code at a chosen location. See rop-chain-explanation for more details.
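The copy described above, as an added example that is not part of the original page: a small C simulation of the memory map given in the text (input area at 0x8154, cache area at 0x81B8, writes to 0x8E00-0xEFFF ignored and reads from there returning 0) running the same strcpy loop. It shows that a 3-byte formula copies normally, that a 100-byte formula with no terminator keeps copying until the source pointer reaches 0x8E00, and which input-area offset lands at any given address in the overwritten region. The probe address 0x8D00 is a hypothetical stack slot chosen for illustration; the real stack location is not stated on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memory map from the text (ES PLUS): input area and last-formula cache, 100 bytes each. */
#define INPUT_AREA  0x8154u
#define CACHE_AREA  0x81B8u
#define AREA_LEN    100u
/* Region that ignores writes and reads back as 0 (from the text). */
#define RO_START    0x8E00u
#define RO_END      0xEFFFu

static uint8_t ram[0x10000];

static uint8_t mem_read(uint16_t a) {
    return (a >= RO_START && a <= RO_END) ? 0 : ram[a];
}

static void mem_write(uint16_t a, uint8_t v) {
    if (a >= RO_START && a <= RO_END) return;   /* write silently dropped */
    ram[a] = v;
}

/* The firmware strcpy loop, run over the modelled memory.
   Returns the number of iterations (bytes copied, terminator included). */
size_t sim_strcpy(uint16_t dest, uint16_t src) {
    size_t n = 0;
    uint8_t tmp;
    do {
        tmp = mem_read(src);
        mem_write(dest, tmp);
        ++src; ++dest; ++n;
    } while (tmp != 0);
    return n;
}

/* Load up to AREA_LEN bytes into the input area (a terminator is copied only if the
   caller included one) and then run the copy to the cache area as pressing [=] would. */
size_t press_equals(const uint8_t *formula, size_t len) {
    memset(ram, 0, sizeof ram);
    if (len > AREA_LEN) len = AREA_LEN;
    memcpy(&ram[INPUT_AREA], formula, len);
    return sim_strcpy(CACHE_AREA, INPUT_AREA);
}

/* Short formula "1+1" with its terminator: the copy stops after 4 bytes. */
size_t demo_normal_copy(void) {
    const uint8_t formula[] = "1+1";
    return press_equals(formula, sizeof formula);
}

/* 100 non-zero bytes (1..100, a constructed sample): no terminator, so the copy
   runs until the source pointer reads 0 at RO_START. */
size_t demo_overflow_copy(void) {
    uint8_t full[AREA_LEN];
    for (unsigned i = 0; i < AREA_LEN; i++) full[i] = (uint8_t)(i + 1);
    return press_equals(full, AREA_LEN);
}

uint8_t peek(uint16_t a) { return mem_read(a); }

/* After the overflow, the byte at `a` came from this input-area offset, or -1 if `a`
   lies outside the overwritten region [CACHE_AREA, RO_START). */
int input_offset_landing_at(uint16_t a) {
    if (a < CACHE_AREA || a >= RO_START) return -1;
    return (int)((a - INPUT_AREA) % AREA_LEN);
}

int main(void) {
    printf("normal copy: %zu bytes\n", demo_normal_copy());
    size_t n = demo_overflow_copy();
    printf("overflowing copy: %zu bytes, source stopped at 0x%04X\n",
           n, (unsigned)(INPUT_AREA + n - 1));
    uint16_t probe = 0x8D00;   /* hypothetical stack slot, for illustration only */
    printf("byte at 0x%04X = %u, came from input offset %d\n",
           (unsigned)probe, peek(probe), input_offset_landing_at(probe));
    return 0;
}
```

The offset formula is the practical part: to place a chosen return address at a stack slot, put its bytes at offset (addr - 0x8154) mod 100 of the formula, since every address between 0x81B8 and 0x8E00 receives the input byte at that offset.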