Basic overflow

See basic-overflow for more details.

Entering new character using variables

Apart from the variables that can be entered normally (ABCDEFxyM, and z on some models), the symbols with codepoint 4C, 4D, 4E, 4F and 25 are considered variables too. It's possible to assign values to them with [CALC], and they're mapped to some memory area that the calculator uses for other purposes.

In particular, assigning 1.0000FD2023 to variable 4D will change the first formula in the calculation history to an (codepoint FD20).

Note that a faster method is known for getting an, see basic-overflow.

Exploits with an

an is similar to r on ES PLUS calculator that it executes some unintended piece of code. On fx-580VN X emulator, it changes the stack value depends on where the an is located on the stack.

For example: Pressing [=] or [CALC] [=] when there are 110 characters before the an, if the formula evaluates cleanly, will:

  • Clear the screen
  • Set the stack pointer such that: the copy of the formula to the undo buffer (using smart_strcpy, this happens in linear mode when [=] is pressed) will overwrite the top of the stack — in particular the first POP PC that is affected (the one inside smart_strcpy} will have SP value before POP PC at 0xd522+34. So if the formula is at least 34 bytes long the PC will be corrupted.


  • The SP value is equal to the number of characters before an plus a fixed offset.
  • Before being copied to the undo buffer, depending on the calculator model, the formula may be transformed (÷AB is transformed to ÷(AB). ÷ and ÷R are affected) which changes the formula. Note: Always double-check if any parentheses are added (for example with the emulator), because there's some corner cases where it's not easy to see (for example the formula <FE FE> ÷R 0 ) is transformed into <FE FE> ÷R ( 0 ) ) despite ÷R 0 ) are not usually transformed) Alternatively it's possible to simply fill all of the remaining spaces (total 199 bytes), no parentheses will be added in this case.

Number format exploit

It's possible to obtain some particular invalid number values (Number format) with variables (see the section above)