Difference between revisions of "Z80 - undocumented opcodes"
(→Web links) |
(→Web links) |
||
(10 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
− | The [[Z80]] CPU contains several undocumented opcodes, which can be quite helpful sometimes. The most useful undocumented opcodes are probably these ones, which split up the 16bit index registers IX and IY in 8bit registers called IXL,IXH,IYL and IYH. | + | The [[Z80|Z80]] CPU contains several undocumented opcodes, which can be quite helpful sometimes. The most useful undocumented opcodes are probably these ones, which split up the 16bit index registers IX and IY in 8bit registers called IXL,IXH,IYL and IYH. |
− | Please note, that many Z80 successors like the Z180 are NOT able to execute some of the following opcodes properly. | + | Please note, that many Z80 successors like the Z180 are NOT able to execute some of the following opcodes properly. |
− | This is just an overview. Parts of this article have been copied from the [http://www. | + | This is just an overview. Parts of this article have been copied from the [http://www.myquest.nl/z80undocumented/ "The Undocumented Z80 Documented"] originally by Sean Young and currently maintained by Jan Wilmans, which is one of the most comprehensive descriptions around. |
− | == CB prefix == | + | == CB prefix == |
− | + | Of the 247 opcodes that use the prefix &CB, the block &CB &30 to &CB &37 is undocumented officially. These commands shift the operand register left and set its lowest bit to 1. | |
− | <pre> | + | |
− | CB30 SLL B | + | This is in contrast to SRL (Shift Right Logical), which shifts right and clears the highest bit. Some believe these opcodes were supposed to be Shift Left Logical but that the setting of the lowest bit represents a bug in the Z80, claiming this is why the opcodes are undocumented. Others call the opcodes SLIA, for Shift Left Inverted Arithmetic. |
+ | |||
+ | Regardless of the story behind this operation, its effective result is ''register'' = (''register'' * 2) + 1, something that does have its uses and has been employed in various programming contexts for that reason. | ||
+ | |||
+ | <pre>CB30 SLL B | ||
CB31 SLL C | CB31 SLL C | ||
CB32 SLL D | CB32 SLL D | ||
Line 19: | Line 23: | ||
</pre> | </pre> | ||
− | == DD and FD prefixes == | + | == DD and FD prefixes == |
− | The DD | + | The &DD or &FD prefixes are documented as causing operations using the 16-bit register HL to instead work with either of the 16-bit indexing registers IX or IY; if the operations access a memory location (''i.e.'' normally LD A,(HL), ''etc.''), the opcodes must additionally include an extra byte that specifies a signed displacement (-128 to +127) from IX/IY. |
− | + | ||
− | + | However, Zilog have not documented the fact that these prefixes also affect opcodes that usually refer to the 8-bit components of HL, ''i.e.'' H and L. Thus, one gains access to the additional registers IXH, IXL, IYH, and IYL, for almost all commands that normally use H or L. It is even possible to do things like LD IXH,IXL (although you cannot combine IX and IY in the same instruction, for obvious reasons). These registers can be useful in routines that must process and/or store a lot of numbers. Thankfully, they are not as slow as their 16-bit counterparts: whereas access to (IX+d) is usually slower by 3 NOPs than the equivalent operation upon (HL), using the 8-bit components is (like PUSH IX, ''etc.'') only 1 NOP slower, and this is only due to the need to parse the prefixing byte. | |
− | + | ||
− | + | ||
− | Note: These registers are called LX, LY, HX and HY | + | <pre>DB #DD:LD H,A -> LD IXH,A |
+ | DB #FD:LD B,L -> LD B,IYL | ||
+ | </pre> | ||
+ | Note: These registers are called LX, LY, HX, and HY by [[WinAPE]]'s debugger, although its assembler uses the names given above. | ||
− | == ED prefix == | + | == ED prefix == |
− | There are a number of undocumented EDxx instructions, of which most are duplicates of documented instructions. Any instruction not listed has no effect (same behaviour as 2 NOP instructions). | + | There are a number of undocumented EDxx instructions, of which most are duplicates of documented instructions. Any instruction not listed has no effect (same behaviour as 2 NOP instructions). |
− | The complete list except for the block instructions: | + | The complete list except for the block instructions: |
− | <pre> | + | <pre>ED40 IN B,(C) ED60 IN H,(C) |
− | ED40 IN B,(C) ED60 IN H,(C) | + | |
ED41 OUT (C),B ED61 OUT (C),H | ED41 OUT (C),B ED61 OUT (C),H | ||
ED42 SBC HL,BC ED62 SBC HL,HL | ED42 SBC HL,BC ED62 SBC HL,HL | ||
Line 68: | Line 72: | ||
ED5F LD A,R ED7F NOP * | ED5F LD A,R ED7F NOP * | ||
* = undocumented opcodes | * = undocumented opcodes | ||
− | </pre> | + | </pre> |
− | + | == DDCB prefix == | |
− | == DDCB prefix == | + | |
− | + | ||
− | + | ||
− | <pre> | + | The undocumented DDCB instructions store the result (if any) of the operation in one of the seven all-purpose registers, which one depends on the lower 3 bits of the last byte of the opcode (not operand, so not the offset). |
− | 000 B | + | <pre>000 B |
001 C | 001 C | ||
010 D | 010 D | ||
Line 83: | Line 84: | ||
110 (none: documented opcode) | 110 (none: documented opcode) | ||
111 A | 111 A | ||
− | </pre> | + | </pre> |
− | + | The documented DDCB0106 is RLC (IX+01h). So, clear the lower three bits (DDCB0100) and something is done to register B. The result of the RLC (which is stored in (IX+01h)) is now also stored in register B. Effectively, it does the following: | |
− | The documented DDCB0106 is RLC (IX+01h). So, clear the lower three bits (DDCB0100) and something is done to register B. The result of the RLC (which is stored in (IX+01h)) is now also stored in register B. Effectively, it does the following: | + | <pre>LD B,(IX+01h) |
− | <pre> | + | |
− | LD B,(IX+01h) | + | |
RLC B | RLC B | ||
LD (IX+01h),B | LD (IX+01h),B | ||
− | </pre> | + | </pre> |
− | So you get double value for money. The result is stored in B and (IX+01h). The most common notation is: RLC (IX+01h),B | + | So you get double value for money. The result is stored in B and (IX+01h). The most common notation is: RLC (IX+01h),B |
− | I’ve once seen this notation: | + | I’ve once seen this notation: |
− | <pre> | + | <pre>RLC (IX+01h) |
− | RLC (IX+01h) | + | |
LD B,(IX+01h) | LD B,(IX+01h) | ||
− | </pre> | + | </pre> |
− | That’s not correct: B contains the rotated value, even if (IX+01h) points to ROM. The DDCB SET and RES instructions do the same thing as the shift/rotate instructions: | + | That’s not correct: B contains the rotated value, even if (IX+01h) points to ROM. The DDCB SET and RES instructions do the same thing as the shift/rotate instructions: |
− | <pre> | + | <pre>DDCB10C0 SET 0,(IX+10h),B |
− | DDCB10C0 SET 0,(IX+10h),B | + | |
DDCB10C1 SET 0,(IX+10h),C | DDCB10C1 SET 0,(IX+10h),C | ||
DDCB10C2 SET 0,(IX+10h),D | DDCB10C2 SET 0,(IX+10h),D | ||
Line 108: | Line 105: | ||
DDCB10C6 SET 0,(IX+10h) - documented instruction | DDCB10C6 SET 0,(IX+10h) - documented instruction | ||
DDCB10C7 SET 0,(IX+10h),A | DDCB10C7 SET 0,(IX+10h),A | ||
− | </pre> | + | </pre> |
+ | So for example with the last instruction, the value of (IX+10h) with bit 0 set is also stored in register A. | ||
− | + | The DDCB BIT instructions do not store any value; they merely test a bit. That’s why the undocumented DDCB BIT instructions are no different from the official ones: | |
− | + | <pre>DDCB d 78 BIT 7,(IX+d) | |
− | The DDCB BIT instructions do not store any value; they merely test a bit. That’s why the undocumented DDCB BIT instructions are no different from the official ones: | + | |
− | + | ||
− | <pre> | + | |
− | DDCB d 78 BIT 7,(IX+d) | + | |
DDCB d 79 BIT 7,(IX+d) | DDCB d 79 BIT 7,(IX+d) | ||
DDCB d 7A BIT 7,(IX+d) | DDCB d 7A BIT 7,(IX+d) | ||
Line 123: | Line 117: | ||
DDCB d 7E BIT 7,(IX+d) - documented instruction | DDCB d 7E BIT 7,(IX+d) - documented instruction | ||
DDCB d 7F BIT 7,(IX+d) | DDCB d 7F BIT 7,(IX+d) | ||
− | </pre> | + | </pre> |
+ | == FDCB prefix == | ||
− | + | Same as for the DDCB prefix, though IY is used instead of IX. | |
− | + | == Web links == | |
− | = | + | * [http://www.myquest.nl/z80undocumented/z80-documented-v0.91.pdf "The Undocumented Z80 Documented" by Sean Young Version 0.91, 18th September, 2005] at [http://www.myquest.nl/z80undocumented/ Jan Wilmans' Website] |
+ | * {{BrokenLink|http://www.grimware.org/lib/exe/fetch.php/documentations/devices/z80/z80.memptr.eng.txt|2017|01|22|21|32|33|text=Short information about the internal "MEMPTR" 16bit register of the Z80 and its influence on the F-Register}} | ||
− | |||
− | |||
[[Category:Programming]] | [[Category:Programming]] |
Latest revision as of 06:01, 30 December 2018
The Z80 CPU contains several undocumented opcodes, which can be quite helpful sometimes. The most useful undocumented opcodes are probably these ones, which split up the 16bit index registers IX and IY in 8bit registers called IXL,IXH,IYL and IYH.
Please note, that many Z80 successors like the Z180 are NOT able to execute some of the following opcodes properly.
This is just an overview. Parts of this article have been copied from the "The Undocumented Z80 Documented" originally by Sean Young and currently maintained by Jan Wilmans, which is one of the most comprehensive descriptions around.
CB prefix
Of the 247 opcodes that use the prefix &CB, the block &CB &30 to &CB &37 is undocumented officially. These commands shift the operand register left and set its lowest bit to 1.
This is in contrast to SRL (Shift Right Logical), which shifts right and clears the highest bit. Some believe these opcodes were supposed to be Shift Left Logical but that the setting of the lowest bit represents a bug in the Z80, claiming this is why the opcodes are undocumented. Others call the opcodes SLIA, for Shift Left Inverted Arithmetic.
Regardless of the story behind this operation, its effective result is register = (register * 2) + 1, something that does have its uses and has been employed in various programming contexts for that reason.
CB30 SLL B CB31 SLL C CB32 SLL D CB33 SLL E CB34 SLL H CB35 SLL L CB36 SLL (HL) CB37 SLL A
DD and FD prefixes
The &DD or &FD prefixes are documented as causing operations using the 16-bit register HL to instead work with either of the 16-bit indexing registers IX or IY; if the operations access a memory location (i.e. normally LD A,(HL), etc.), the opcodes must additionally include an extra byte that specifies a signed displacement (-128 to +127) from IX/IY.
However, Zilog have not documented the fact that these prefixes also affect opcodes that usually refer to the 8-bit components of HL, i.e. H and L. Thus, one gains access to the additional registers IXH, IXL, IYH, and IYL, for almost all commands that normally use H or L. It is even possible to do things like LD IXH,IXL (although you cannot combine IX and IY in the same instruction, for obvious reasons). These registers can be useful in routines that must process and/or store a lot of numbers. Thankfully, they are not as slow as their 16-bit counterparts: whereas access to (IX+d) is usually slower by 3 NOPs than the equivalent operation upon (HL), using the 8-bit components is (like PUSH IX, etc.) only 1 NOP slower, and this is only due to the need to parse the prefixing byte.
DB #DD:LD H,A -> LD IXH,A DB #FD:LD B,L -> LD B,IYL
Note: These registers are called LX, LY, HX, and HY by WinAPE's debugger, although its assembler uses the names given above.
ED prefix
There are a number of undocumented EDxx instructions, of which most are duplicates of documented instructions. Any instruction not listed has no effect (same behaviour as 2 NOP instructions).
The complete list except for the block instructions:
ED40 IN B,(C) ED60 IN H,(C) ED41 OUT (C),B ED61 OUT (C),H ED42 SBC HL,BC ED62 SBC HL,HL ED43 LD (nn),BC ED63 LD (nn),HL ED44 NEG ED64 NEG * ED45 RETN ED65 RETN * ED46 IM 0 ED66 IM 0 * ED47 LD I,A ED67 RRD ED48 IN C,(C) ED68 IN L,(C) ED49 OUT (C),C ED69 OUT (C),L ED4A ADC HL,BC ED6A ADC HL,HL ED4B LD BC,(nn) ED6B LD HL,(nn) ED4C NEG * ED6C NEG * ED4D RETI ED6D RETN * ED4E IM 0 * ED6E IM 0 * ED4F LD R,A ED6F RLD ED50 IN D,(C) ED70 IN (C) / IN F,(C) * ED51 OUT (C),D ED71 OUT (C),0 * ED52 SBC HL,DE ED72 SBC HL,SP ED53 LD (nn),DE ED73 LD (nn),SP ED54 NEG * ED74 NEG * ED55 RETN * ED75 RETN * ED56 IM 1 ED76 IM 1 * ED57 LD A,I ED77 NOP * ED58 IN E,(C) ED78 IN A,(C) ED59 OUT (C),E ED79 OUT (C),A ED5A ADC HL,DE ED7A ADC HL,SP ED5B LD DE,(nn) ED7B LD SP,(nn) ED5C NEG * ED7C NEG * ED5D RETN * ED7D RETN * ED5E IM 2 ED7E IM 2 * ED5F LD A,R ED7F NOP * * = undocumented opcodes
DDCB prefix
The undocumented DDCB instructions store the result (if any) of the operation in one of the seven all-purpose registers, which one depends on the lower 3 bits of the last byte of the opcode (not operand, so not the offset).
000 B 001 C 010 D 011 E 100 H 101 L 110 (none: documented opcode) 111 A
The documented DDCB0106 is RLC (IX+01h). So, clear the lower three bits (DDCB0100) and something is done to register B. The result of the RLC (which is stored in (IX+01h)) is now also stored in register B. Effectively, it does the following:
LD B,(IX+01h) RLC B LD (IX+01h),B
So you get double value for money. The result is stored in B and (IX+01h). The most common notation is: RLC (IX+01h),B
I’ve once seen this notation:
RLC (IX+01h) LD B,(IX+01h)
That’s not correct: B contains the rotated value, even if (IX+01h) points to ROM. The DDCB SET and RES instructions do the same thing as the shift/rotate instructions:
DDCB10C0 SET 0,(IX+10h),B DDCB10C1 SET 0,(IX+10h),C DDCB10C2 SET 0,(IX+10h),D DDCB10C3 SET 0,(IX+10h),E DDCB10C4 SET 0,(IX+10h),H DDCB10C5 SET 0,(IX+10h),L DDCB10C6 SET 0,(IX+10h) - documented instruction DDCB10C7 SET 0,(IX+10h),A
So for example with the last instruction, the value of (IX+10h) with bit 0 set is also stored in register A.
The DDCB BIT instructions do not store any value; they merely test a bit. That’s why the undocumented DDCB BIT instructions are no different from the official ones:
DDCB d 78 BIT 7,(IX+d) DDCB d 79 BIT 7,(IX+d) DDCB d 7A BIT 7,(IX+d) DDCB d 7B BIT 7,(IX+d) DDCB d 7C BIT 7,(IX+d) DDCB d 7D BIT 7,(IX+d) DDCB d 7E BIT 7,(IX+d) - documented instruction DDCB d 7F BIT 7,(IX+d)
FDCB prefix
Same as for the DDCB prefix, though IY is used instead of IX.