EightBit/M6502/documentation/6502-NMOS.extra.opcodes.txt

643 lines
19 KiB
Plaintext
Raw Normal View History

"Extra Instructions Of The 65XX Series CPU"
By: Adam Vardy (abe0084@infonet.st-johns.nf.ca)
[File created: 22, Aug. 1995... 27, Sept. 1996]
The following is a list of 65XX/85XX extra opcodes. The operation codes
for the 6502 CPU fit in a single byte; out of 256 possible combinations,
only 151 are "legal." This text describes the other 256-151= 105 operation
codes. These opcodes are not generally recognized as part of the 6502
instruction set. They are also referred to as undefined opcodes or
undocumented opcodes or non-standard opcodes or unofficial opcodes. In
"The Commodore 64 Programmer's Reference Guide" their hexadecimal values
are simply marked as future expansion. This list of opcodes was compiled
with help from "The Complete Inner Space Anthology" by Karl J. H. Hildon.
I have marked off the beginning of the description of each opcode with a
few asterisks. At times, I also included an alternate name in parenthesis.
All opcode values are given in hexadecimal. These hexadecimal values are
listed immediately to the right of any sample code. The lowercase letters
found in these examples represent the hex digits that you must provide as
the instruction's immediate byte value or as the instruction's destination
or source address. Thus immediate values and zero page addresses are
referred to as 'ab'. For absolute addressing mode the two bytes of an
absolute address are referred to as 'cd' and 'ab'.
Execution times for all opcodes are given alongside to the very right of
any sample code. A number of the opcodes described here combine the
operation of two regular 6502 instructions. You can refer to a book on the
6502 instruction set for more information, such as which flags a particular
instruction affects.
ASO *** (SLO)
This opcode ASLs the contents of a memory location and then ORs the result
with the accumulator.
Supported modes:
ASO abcd ;0F cd ab ;No. Cycles= 6
ASO abcd,X ;1F cd ab ; 7
ASO abcd,Y ;1B cd ab ; 7
ASO ab ;07 ab ; 5
ASO ab,X ;17 ab ; 6
ASO (ab,X) ;03 ab ; 8
ASO (ab),Y ;13 ab ; 8
(Sub-instructions: ORA, ASL)
Here is an example of how you might use this opcode:
ASO $C010 ;0F 10 C0
Here is the same code using equivalent instructions.
ASL $C010
ORA $C010
RLA ***
RLA ROLs the contents of a memory location and then ANDs the result with
the accumulator.
Supported modes:
RLA abcd ;2F cd ab ;No. Cycles= 6
RLA abcd,X ;3F cd ab ; 7
RLA abcd,Y ;3B cd ab ; 7
RLA ab ;27 ab ; 5
RLA ab,X ;37 ab ; 6
RLA (ab,X) ;23 ab ; 8
RLA (ab),Y ;33 ab ; 8
(Sub-instructions: AND, ROL)
Here's an example of how you might write it in a program.
RLA $FC,X ;37 FC
Here's the same code using equivalent instructions.
ROL $FC,X
AND $FC,X
LSE *** (SRE)
LSE LSRs the contents of a memory location and then EORs the result with
the accumulator.
Supported modes:
LSE abcd ;4F cd ab ;No. Cycles= 6
LSE abcd,X ;5F cd ab ; 7
LSE abcd,Y ;5B cd ab ; 7
LSE ab ;47 ab ; 5
LSE ab,X ;57 ab ; 6
LSE (ab,X) ;43 ab ; 8
LSE (ab),Y ;53 ab ; 8
(Sub-instructions: EOR, LSR)
Example:
LSE $C100,X ;5F 00 C1
Here's the same code using equivalent instructions.
LSR $C100,X
EOR $C100,X
RRA ***
RRA RORs the contents of a memory location and then ADCs the result with
the accumulator.
Supported modes:
RRA abcd ;6F cd ab ;No. Cycles= 6
RRA abcd,X ;7F cd ab ; 7
RRA abcd,Y ;7B cd ab ; 7
RRA ab ;67 ab ; 5
RRA ab,X ;77 ab ; 6
RRA (ab,X) ;63 ab ; 8
RRA (ab),Y ;73 ab ; 8
(Sub-instructions: ADC, ROR)
Example:
RRA $030C ;6F 0C 03
Equivalent instructions:
ROR $030C
ADC $030C
AXS *** (SAX)
AXS ANDs the contents of the A and X registers (without changing the
contents of either register) and stores the result in memory.
AXS does not affect any flags in the processor status register.
Supported modes:
AXS abcd ;8F cd ab ;No. Cycles= 4
AXS ab ;87 ab ; 3
AXS ab,Y ;97 ab ; 4
AXS (ab,X) ;83 ab ; 6
(Sub-instructions: STA, STX)
Example:
AXS $FE ;87 FE
Here's the same code using equivalent instructions.
STX $FE
PHA
AND $FE
STA $FE
PLA
LAX ***
This opcode loads both the accumulator and the X register with the contents
of a memory location.
Supported modes:
LAX abcd ;AF cd ab ;No. Cycles= 4
LAX abcd,Y ;BF cd ab ; 4*
LAX ab ;A7 ab ;*=add 1 3
LAX ab,Y ;B7 ab ;if page 4
LAX (ab,X) ;A3 ab ;boundary 6
LAX (ab),Y ;B3 ab ;is crossed 5*
(Sub-instructions: LDA, LDX)
Example:
LAX $8400,Y ;BF 00 84
Equivalent instructions:
LDA $8400,Y
LDX $8400,Y
DCM *** (DCP)
This opcode DECs the contents of a memory location and then CMPs the result
with the A register.
Supported modes:
DCM abcd ;CF cd ab ;No. Cycles= 6
DCM abcd,X ;DF cd ab ; 7
DCM abcd,Y ;DB cd ab ; 7
DCM ab ;C7 ab ; 5
DCM ab,X ;D7 ab ; 6
DCM (ab,X) ;C3 ab ; 8
DCM (ab),Y ;D3 ab ; 8
(Sub-instructions: CMP, DEC)
Example:
DCM $FF ;C7 FF
Equivalent instructions:
DEC $FF
CMP $FF
INS *** (ISC)
This opcode INCs the contents of a memory location and then SBCs the result
from the A register.
Supported modes:
INS abcd ;EF cd ab ;No. Cycles= 6
INS abcd,X ;FF cd ab ; 7
INS abcd,Y ;FB cd ab ; 7
INS ab ;E7 ab ; 5
INS ab,X ;F7 ab ; 6
INS (ab,X) ;E3 ab ; 8
INS (ab),Y ;F3 ab ; 8
(Sub-instructions: SBC, INC)
Example:
INS $FF ;E7 FF
Equivalent instructions:
INC $FF
SBC $FF
ALR ***
This opcode ANDs the contents of the A register with an immediate value and
then LSRs the result.
One supported mode:
ALR #ab ;4B ab ;No. Cycles= 2
Example:
ALR #$FE ;4B FE
Equivalent instructions:
AND #$FE
LSR A
ARR ***
This opcode ANDs the contents of the A register with an immediate value and
then RORs the result.
One supported mode:
ARR #ab ;6B ab ;No. Cycles= 2
Here's an example of how you might write it in a program.
ARR #$7F ;6B 7F
Here's the same code using equivalent instructions.
AND #$7F
ROR A
XAA ***
XAA transfers the contents of the X register to the A register and then
ANDs the A register with an immediate value.
One supported mode:
XAA #ab ;8B ab ;No. Cycles= 2
Example:
XAA #$44 ;8B 44
Equivalent instructions:
TXA
AND #$44
OAL ***
This opcode ORs the A register with #$EE, ANDs the result with an immediate
value, and then stores the result in both A and X.
One supported mode:
OAL #ab ;AB ab ;No. Cycles= 2
Here's an example of how you might use this opcode:
OAL #$AA ;AB AA
Here's the same code using equivalent instructions:
ORA #$EE
AND #$AA
TAX
SAX ***
SAX ANDs the contents of the A and X registers (leaving the contents of A
intact), subtracts an immediate value, and then stores the result in X.
... A few points might be made about the action of subtracting an immediate
value. It actually works just like the CMP instruction, except that CMP
does not store the result of the subtraction it performs in any register.
This subtract operation is not affected by the state of the Carry flag,
though it does affect the Carry flag. It does not affect the Overflow
flag.
One supported mode:
SAX #ab ;CB ab ;No. Cycles= 2
Example:
SAX #$5A ;CB 5A
Equivalent instructions:
STA $02
TXA
AND $02
SEC
SBC #$5A
TAX
LDA $02
Note: Memory location $02 would not be altered by the SAX opcode.
NOP ***
NOP performs no operation. Opcodes: 1A, 3A, 5A, 7A, DA, FA.
Takes 2 cycles to execute.
SKB ***
SKB stands for skip next byte.
Opcodes: 80, 82, C2, E2, 04, 14, 34, 44, 54, 64, 74, D4, F4.
Takes 2, 3, or 4 cycles to execute.
SKW ***
SKW skips next word (two bytes).
Opcodes: 0C, 1C, 3C, 5C, 7C, DC, FC.
Takes 4 cycles to execute.
To be dizzyingly precise, SKW actually performs a read operation. It's
just that the value read is not stored in any register. Further, opcode 0C
uses the absolute addressing mode. The two bytes which follow it form the
absolute address. All the other SKW opcodes use the absolute indexed X
addressing mode. If a page boundary is crossed, the execution time of one
of these SKW opcodes is upped to 5 clock cycles.
--------------------------------------------------------------------------
The following opcodes were discovered and named exclusively by the author.
(Or so it was thought before.)
HLT ***
HLT crashes the microprocessor. When this opcode is executed, program
execution ceases. No hardware interrupts will execute either. The author
has characterized this instruction as a halt instruction since this is the
most straightforward explanation for this opcode's behaviour. Only a reset
will restart execution. This opcode leaves no trace of any operation
performed! No registers affected.
Opcodes: 02, 12, 22, 32, 42, 52, 62, 72, 92, B2, D2, F2.
TAS ***
This opcode ANDs the contents of the A and X registers (without changing
the contents of either register) and transfers the result to the stack
pointer. It then ANDs that result with the contents of the high byte of
the target address of the operand +1 and stores that final result in
memory.
One supported mode:
TAS abcd,Y ;9B cd ab ;No. Cycles= 5
(Sub-instructions: STA, TXS)
Here is an example of how you might use this opcode:
TAS $7700,Y ;9B 00 77
Here is the same code using equivalent instructions.
STX $02
PHA
AND $02
TAX
TXS
AND #$78
STA $7700,Y
PLA
LDX $02
Note: Memory location $02 would not be altered by the TAS opcode.
Above I used the phrase 'the high byte of the target address of the operand
+1'. By the words target address, I mean the unindexed address, the one
specified explicitly in the operand. The high byte is then the second byte
after the opcode (ab). So we'll shorten that phrase to AB+1.
SAY ***
This opcode ANDs the contents of the Y register with <ab+1> and stores the
result in memory.
One supported mode:
SAY abcd,X ;9C cd ab ;No. Cycles= 5
Example:
SAY $7700,X ;9C 00 77
Equivalent instructions:
PHA
TYA
AND #$78
STA $7700,X
PLA
XAS ***
This opcode ANDs the contents of the X register with <ab+1> and stores the
result in memory.
One supported mode:
XAS abcd,Y ;9E cd ab ;No. Cycles= 5
Example:
XAS $6430,Y ;9E 30 64
Equivalent instructions:
PHA
TXA
AND #$65
STA $6430,Y
PLA
AXA ***
This opcode stores the result of A AND X AND the high byte of the target
address of the operand +1 in memory.
Supported modes:
AXA abcd,Y ;9F cd ab ;No. Cycles= 5
AXA (ab),Y ;93 ab ; 6
Example:
AXA $7133,Y ;9F 33 71
Equivalent instructions:
STX $02
PHA
AND $02
AND #$72
STA $7133,Y
PLA
LDX $02
Note: Memory location $02 would not be altered by the AXA opcode.
The following notes apply to the above four opcodes: TAS, SAY, XAS, AXA.
None of these opcodes affect the accumulator, the X register, the Y
register, or the processor status register!
The author has no explanation for the complexity of these
instructions. It is hard to comprehend how the microprocessor could handle
the convoluted sequence of events which appears to occur while executing
one of these opcodes. A partial explanation for what is going on is that
these instructions appear to be corruptions of other instructions. For
example, the opcode SAY would have been one of the addressing modes of the
standard instruction STY (absolute indexed X) were it not for the fact that
the normal operation of this instruction is impaired in this particular
instance.
One irregularity uncovered is that sometimes the actual value is stored in
memory, and the AND with <ab+1> part drops off (ex. SAY becomes true STY).
This happens very infrequently. The behaviour appears to be connected with
the video display. For example, it never seems to occur if either the
screen is blanked or C128 2MHz mode is enabled.
--- Imported example ---
Here is a demo program to illustrate the above effect. SYS 8200 to try it.
There is no exit, so you'll have to hit Stop-Restore to quit. And you may
want to clear the screen before running it. For contrast, there is a
second routine which runs during idle state display. Use SYS 8211 for it.
After trying the second routine, check it out again using POKE 53269,255 to
enable sprites.
begin 640 say->sty
D"""B`*`@G``%Z$P,("P1T##[+!'0$/NB`*`@G``%Z-#Z3!,@
`
end
--- Text import end ---
WARNING: If the target address crosses a page boundary because of indexing,
the instruction may not store at the intended address. It may end up
storing in zero page, or another address altogether (page=value stored).
Apparently certain internal 65XX registers are being overridden. The whole
scheme behind this erratic behaviour is very complex and strange.
And continuing with the list...
ANC ***
ANC ANDs the contents of the A register with an immediate value and then
moves bit 7 of A into the Carry flag. This opcode works basically
identically to AND #immed. except that the Carry flag is set to the same
state that the Negative flag is set to.
One supported mode:
ANC #ab ;2B ab ;No. Cycles= 2
ANC #ab ;0B ab
(Sub-instructions: AND, ROL)
OPCODE 89
Opcode 89 is another SKB instruction. It requires 2 cycles to execute.
LAS ***
This opcode ANDs the contents of a memory location with the contents of the
stack pointer register and stores the result in the accumulator, the X
register, and the stack pointer. Affected flags: N Z.
One supported mode:
LAS abcd,Y ;BB cd ab ;No. Cycles= 4*
OPCODE EB
Opcode EB seems to work exactly like SBC #immediate. Takes 2 cycles.
That is the end of the list.
This list is a full and complete list of all undocumented opcodes, every
last hex value. It provides complete and thorough information and it also
corrects some incorrect information found elsewhere. The opcodes MKA and
MKX (also known as TSTA and TSTX) as described in "The Complete Commodore
Inner Space Anthology" do not exist. Also, it is erroneously indicated
there that the instructions ASO, RLA, LSE, RRA have an immediate addressing
mode. (RLA #ab would be ANC #ab.)
[Recent additions to this text file]
Here are some other more scrutinizing observations.
The opcode ARR operates more complexily than actually described in the list
above. Here is a brief rundown on this. The following assumes the decimal
flag is clear. You see, the sub-instruction for ARR ($6B) is in fact ADC
($69), not AND. While ADC is not performed, some of the ADC mechanics are
evident. Like ADC, ARR affects the overflow flag. The following effects
occur after ANDing but before RORing. The V flag is set to the result of
exclusive ORing bit 7 with bit 6. Unlike ROR, bit 0 does not go into the
carry flag. The state of bit 7 is exchanged with the carry flag. Bit 0 is
lost. All of this may appear strange, but it makes sense if you consider
the probable internal operations of ADC itself.
SKB opcodes 82, C2, E2 may be HLTs. Since only one source claims this, and
no other sources corroborate this, it must be true on very few machines.
On all others, these opcodes always perform no operation.
LAS is suspect. This opcode is possibly unreliable.
OPCODE BIT-PATTERN: 10x0 1011
Now it is time to discuss XAA ($8B) and OAL ($AB). A fair bit of
controversy has surrounded these two opcodes. There are two good reasons
for this. 1 - They are rather weird in operation. 2 - They do operate
differently on different machines. Highly variable.
Here is the basic operation.
OAL
This opcode ORs the A register with #xx, ANDs the result with an immediate
value, and then stores the result in both A and X.
On my 128, xx may be EE,EF,FE, OR FF. These possibilities appear to depend
on three factors: the X register, PC, and the previous instruction
executed. Bit 0 is ORed from x, and also from PCH. As for XAA, on my 128
this opcode appears to work exactly as described in the list.
On my 64, OAL produces all sorts of values for xx: 00,04,06,80, etc... A
rough scenario I worked out to explain this is here. The constant value EE
disappears entirely. Instead of ORing with EE, the accumulator is ORed
with certain bits of X and also ORed with certain bits of another
"register" (nature unknown, whether it be the data bus, or something else).
However, if OAL is preceded by certain other instructions like NOP, the
constant value EE reappears and the foregoing does not take place.
On my 64, XAA works like this. While X is transfered to A, bit 0 and bit 4
are not. Instead, these bits are ANDed with those bits from A, and the
result is stored in A.
There may be many variations in the behaviour of both opcodes. XAA #$00 or
OAL #$00 are likely quite reliable in any case. It seems clear that the
video chip (i.e., VIC-II) bears responsibility for some small part of the
anomalousness, at least. Beyond that, the issue is unclear.
One idea I'll just throw up in the air about why the two opcodes behave as
they do is this observation. While other opcodes like 4B and 6B perform
AND as their first step, 8B and AB do not. Perhaps this difference leads
to some internal conflict in the microprocessor. Besides being subject to
"noise", the actual base operations do not vary.
All of the opcodes in this list (at least up to the dividing line) use the
naming convention from the CCISA Anthology book. There is another naming
convention used, for example in the first issue of C=Hacking. The only
assembler I know of that supports undocumented opcodes is Power Assembler.
And it uses the same naming conventions as used here.
One note on a different topic. A small error has been pointed out in the
64 Programmers Reference Guide with the instruction set listing. In the
last row, in the last column of the two instructions AND and ORA there
should be an asterisk, just as there is with ADC. That is the indirect,Y
addressing mode. In another table several pages later correct information
is given.
(A correction: There was one error in this document originally. One
addressing mode for LAX was given as LAX ab,X. This should have been
LAX ab,Y (B7). Also note that Power Assembler apparently has this same
error, likely because both it and this document derive first from the same
source as regards these opcodes. Coding LAX $00,X is accepted and
produces the output B7 00.)
References
o Joel Shepherd. "Extra Instructions" COMPUTE!, October 1983.
o Jim Butterfield. "Strange Opcodes" COMPUTE, March 1993.
o Raymond Quirling. "6510 Opcodes" The Transactor, March 1986.
o John West, Marko M<>kel<65>. '64doc' file, 1994/06/03.