@gbl08ma
Created June 20, 2013 15:16
Random Casio Prizm hacking related stuff I found
When accessing the test mode on the main menu through a timer hack (install timer calling test mode on slot 3):
There's no value for the "child now" field
the values for the main process vary. If I let the timer run and open multiple test modes on top of each other, the value will decrease and at some point, there'll be a system error (stack full).
And since the timer keeps running even with a system error, the system errors will keep accumulating with different types of errors, targets and pcs.
When calculator reboots, the main memories will have been cleared with a message declaring it (they were overwritten with code...).
RAM AREAS:
0xA80CCE18 - registered add-in list
0xFD8013E4 - Fkey color (byte). near this there are some other settings like the link cable type, probably more interesting settings are here too.
Between end of main memory (0xA80E3000) and beginning of system stack (0xA80F000) there seems to be unused RAM space which is cleared when another add-in/app is started, but not when switching between Menu and the running add-in.
Between end of VRAM and start of Main Memory there's mostly empty space but with some bits here and there. It's also where the registered add-in list lives. CGDOOM may use this as buffer (?) and that's why sometimes Menu becomes empty/strange after quitting the game.
On the emulator OS 1.02, at address 0xFD801528, there's this string: "Fugue FAT File System 2004-03-03 00:00"
0xFD800BE0: "LY755"
0xFD801058: "CASIOWIN"
(this 0xFD800000 area seems like some junk/unallocated RAM area)
0xFD8... writeable memory (16376 bytes):
Start: 0xFD800000
End: 0xFD803FF8
This area is changed by the OS, but not on app change. Looks like this stores some random bytes and buffers.
By doing a memset on this memory region, emulator hangs for a while, then resets and shows the "MAIN MEMORIES CLEARED" message.
Then when we go inspecting the memory region, we see that some of the areas were overwritten with stuff, while others keep the content of our memset.
There are sparse regions which were overwritten but some big ones were left intact. 0xFD803000 to 0xFD803FF8 did not show any signs of change, for example. Doing a memset on that region doesn't hang the emulator for a while.
Conclusion:
Data on this area SURVIVES emulator OS reboots, even though parts of it are changed by the OS on power up (and maybe when doing other things too). 0xFD803000 to 0xFD803FF8 seems to never be modified.
Is this region even in RAM? May it be some sort of EEPROM?
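The memset-and-inspect experiment above can be made repeatable with a small scanner that lists which ranges still hold the fill byte. This is an added example, not code from the original notes; the fill value 0xA5, the 16-byte minimum run and the simulated overwrites (the three strings noted above, placed at their offsets in an ordinary buffer) are assumptions so that it runs off-device.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_BASE 0xFD800000u /* start address from the notes */
#define REGION_LEN  0x3FF8u     /* 16376 bytes, ends at 0xFD803FF8 */
#define FILL        0xA5        /* marker byte (assumed value) */

typedef struct { size_t off, len; } run_t;

/* Collect runs of >= min_len bytes still equal to fill, so a stray matching
   byte is not reported as intact. Stores and returns at most max runs. */
size_t find_intact_runs(const uint8_t *buf, size_t len, uint8_t fill,
                        size_t min_len, run_t *out, size_t max)
{
    size_t n = 0, i = 0;
    while (i < len && n < max) {
        size_t start = i;
        while (i < len && buf[i] == fill) i++;
        if (i - start >= min_len && i > start) {
            out[n].off = start; out[n].len = i - start; n++;
        }
        if (i == start) i++;   /* current byte was overwritten, skip it */
    }
    return n;
}

/* Constructed stand-in for a reboot: fill a buffer the size of the region,
   then drop in the three strings the notes found at these offsets. */
size_t simulated_scan(run_t *out, size_t max)
{
    static uint8_t region[REGION_LEN];
    static const struct { size_t off; const char *s; } seen[] = {
        { 0x0BE0, "LY755" }, { 0x1058, "CASIOWIN" },
        { 0x1528, "Fugue FAT File System 2004-03-03 00:00" } };
    memset(region, FILL, sizeof region);
    for (size_t k = 0; k < sizeof seen / sizeof seen[0]; k++)
        memcpy(region + seen[k].off, seen[k].s, strlen(seen[k].s));
    return find_intact_runs(region, sizeof region, FILL, 16, out, max);
}

int main(void)
{
    run_t r[8];
    size_t n = simulated_scan(r, 8);
    for (size_t k = 0; k < n; k++)
        printf("intact 0x%08zX (%zu bytes)\n", REGION_BASE + r[k].off, r[k].len);
    return 0;
}
```

On the calculator or emulator, `find_intact_runs` would be pointed at the real region after the reboot instead of the simulated buffer.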
--
Interesting areas in the OS dump (1.04/file called prizm3070):
Note, these addresses are relative to the dump, these are not memory areas on the calculator!
0x313F12: SYSTEM ERROR strings and the paths for the Physium, Geometry, PictPlot and Conv add-ins.
0x315D58: "BaseFunc Menu" and "Stack Overflow!"
0x31DB0A: gb24.fnt and gb16.fnt (the PrintC and PrintMini fonts?)
0x329168: ERROR/UNDEF/TRUE/FALSE/-INFINITY/INFINITY non-digit BCD results
0x33E741: deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
0x33EB5F: TEST MODE strings
0x43B9CF: DIAGNOSTIC MODE strings
0x553E2F: Some interesting strings like EACTWORK.tmp, COM1 through 9 and LPT1 through 9 (names like DOS).
0x556435: File System ERROR messages, seem related somehow to EACTWORK.tmp
0x5777CF: what appears to be some MCS folder names, the difference is that these include things like @CAS, @ALGEBRA and @TUTOR.
0x5EEF65: Some "invalid" messages
0x5EFB43: "inflate 1.2.3 Copyright 1995-2005 Mark Adler". the "invalid" messages probably belong to this
Syscall discoveries:
0x1381 (Simon calls: APP_LINK)
Really is the Link app.
---
0x1382
When run, it PrintXYs the current language name (i.e. message number 0) to the third or fourth line of the homescreen... may be a leftover of something old or something debug related.
--
0x1383
When run, it draws on screen everything the USB screen has ("Do not disconnect USB", "Suggestions", etc.) EXCEPT the background.
This is not the real USB mode, just a part of it (your code keeps running, you can exit to Menu, etc.)
--
0x1384 (Simon calls: link_transmit_select_dialog)
Takes you to the same screen you see when you press F1 at the Link app. Transmitting a Main Memory file works (and ultimately fails with a transmission error on the emulator). Trying to bring up the SMEM file selection screen results in a system error (on the emulator at least)
--
0x1385
Cable type select (works even on the emulator, accurately changing the setting)
--
0x1386
Auto connection setting screen (works on the emulator, accurately changing the setting)
--
0x1387
Capture mode setting screen
--
0x1388 (Simon calls: AnyMemTransmitSelectDialog)
Select transmission type (Select/Current screen). "Select" results in a system error on the emulator at least, "Current" does nothing.
--
0x1389
Shows 4-line message box saying "No :[F6]" on the second line and "Press:[EXIT]" on the fourth line. F6 does nothing, EXIT closes the box and keeps with our code.
--
0x138A
Shows 5-line message box. 1st line blank, 2nd line "Transmit OK?", 3rd line blank, 4th line "Yes:[F1]" and 5th line "No :[F6]".
F1 closes box and our program continues, F6 the same (probably this syscall returns the reply to the question in some way). EXIT closes the box too.
--
0x138B
"Already exists" screen shown during file transfer when a file already exists on the receiving calc. Has a blank space for the file name (which means it probably takes a parameter with it).
F1: Yes, F6: No, AC: Cancel.
Pressing F1 copies the "Transmitting...\n\nAC : Cancel" screen shown during file transmission to VRAM. And so does F6 and AC.
Most likely this syscall returns the reply to the overwrite question.
--
0x138C (Simon calls: AnyMem_OpenDialog)
Called first time does nothing on screen, called second time results in a system error (important note: pressing Menu at this system error still works. Wonderful Casio system)
--
0x138D
Shows 4-line message box with "Proj Mode!" in the 2nd line and the usual "press exit" message on the 4th line.
EXIT and your code keeps running.
--
0x138E,0x138F,0x1390,0x1391
No effect on screen. Can be called multiple times without any difference.
--
0x17E5
No effect on screen. Can be called multiple times without any difference.
--
0x17E6 and 0x17E7 (SCREENSHOT TOOL(s))
Both show 4-line message box "Store In Capture Memory" "Capture[1~20]:" with blinking cursor. One can write a number, if it's out of range it will show an "out of domain" error message, and when you press EXIT it returns to your code.
If the given number is in range, screenshot is taken and saved to SMEM. Wonderful.
--
0x17E8
Copies 4-line message box to VRAM. "Store In Capture Memory" "Capture[1~20]:"
THIS IS NOT the complete screenshot tool.
--
0x17E9 - OpenFileDialog (opening g3p)
--
0x17EA, 0x17EB, 0x17EC, 0x17ED
These just show "Invalid type" message box asking you to press EXIT as usual. Your program keeps running after you do it. MAY THESE BE a configurable-filetype open/save-file-dialog that's waiting to get a filetype in one of the parameters?
--
0x17EE, 0x17EF
No effect on screen. Can be called multiple times without any difference.
--
0x17F0
Just shows "No Card/press exit" message and then your program keeps running. May be a "open file on SD card" syscall.
--
0x17F1
"Polynomial" equation solving app/screen. You can solve equations and the set up menu works (Shift+Menu).
Pressing [EXIT] at the main screen returns to your program.
--
0x17F2
Part of the polynomial solving thing... when called with no parameters, it shows "+a" in blue as the title, then there's a table with multiple columns but with "a" being the only one with title, and its contents show ERROR. Pressing "Solve" results in a "Memory ERROR". Deleting coefficients does nothing. Pressing "Clear" takes you back to your program.
Editing allows you to edit the "ERROR" string (pressing enter to confirm editing results in a "Memory ERROR").
One can access the Shift+Menu setup screen.
Looks like this time Casio did error handling right.
--
0x17F3
Just shows "Memory ERROR/press exit" message box. Most likely still part of the polynomial thing.
--
0x17F4
Draws little opening bracket (" [ ") on the same position where it usually shows on the polynomial solving screen.
--
0x17F5, 0x17F6
No effect on screen. Can be called multiple times without any difference.
--
0x17F7 - MsgBoxPush
--
0x17F8
Draws... um... a strange blue bar at the top of the screen... um... could be the bottom of some kind of rounded message box/tabbed message box (as seen in the conversion unit selection), drawn at the y specified by a parameter I didn't specify.
--
0x17F9 - MsgBoxPop
--
0x17FA
no effect on screen, can be called multiple times...
--
0x17FB BoxYLimits (may command 0x17F8/0x17FC)
--
0x17FC - same strange drawing as with 0x17F8
--
--
0x1EA2
when run it renders Menu (but not with the running app selected, instead it's as if Run-Mat was running) to VRAM (you can draw on it).
After menu has been drawn, you can not use the menu key to return to menu!
What's its use? Well, on the Diag Mode there are battery tests that display a locked/fake menu and count the number of hours.
It's not a bitmap, because the menu sayings vary with the system language.
--
0x1EA3
similar to 0x1EA2, except that Menu is rendered the way it was the last time you left it (running add-in or last selected item). ALSO, after using this syscall you can go back to menu with menu-key.
--