From wixer!cactus.org!milano!cs.utexas.edu!uunet!pipex!sunic!news.funet.fi!ousrvr.oulu.fi!ousrvr!jopi Sat Mar  6 21:17:27 1993
Newsgroups: comp.sys.cbm
Path: wixer!cactus.org!milano!cs.utexas.edu!uunet!pipex!sunic!news.funet.fi!ousrvr.oulu.fi!ousrvr!jopi
From: jopi@stekt.oulu.fi (Jouko Valta)
Subject: Re: UUENCODED Undoc Opcodes
In-Reply-To: massive@lakes.trenton.sc.us's message of Fri, 05 Mar 93 02:12:41 EST
Message-ID: <JOPI.93Mar5213646@stekt5.oulu.fi>
Lines: 202
Sender: news@ousrvr.oulu.fi
Organization: University of Oulu, Dept. of EE, Finland
References: <uJgXZB6w165w@lakes.trenton.sc.us>
Distribution: comp
Date: Fri, 5 Mar 1993 19:36:46 GMT

In article <uJgXZB6w165w@lakes.trenton.sc.us> massive@lakes.trenton.sc.us (Massive Onslaught) writes:

 (this is a test, please flame ;)


>	Undocumented Opcodes
>
> AAX and accumulator with X
> 
> Operation: A & X -> M	    	NZCIDV
>				xx----

   Also known as SAX (Store A & X)
   But if I haven't misunderstood the signs, this instruction 
   DOES NOT SET ANY FLAGS since it's located in the "store" section.  

   Well, I would like to know which name should be used ?
   Please tell me what is your opinion, since you'll have to cope
   with our decision ...


> AXS  and accumulator with X to stack
>
> Operation:  A & X -> S 	     NZCIDV
>	     A & X & $11 -> M        xx----

  Guess what happened when a 8502 decided to pull stack instead ...
  In fact it "crossed over" the whole undocumented part of the instruction
  set ie. ROR <-> LSR,  ROL <-> ASL etc.
  Has anyone else got similar results ?


> A word of warning. Not all of these have been tested. The flag settings
> should be correct, once again all three quintrillion possibilities have
> not been tested. As you can see I did not research the number of cycles used.
> If cycles could be researched, or anything else is found incorrect, please
> let me know so I can update my file.


   Full documentation is found on C-Hacking issue 1.

> 
> Some notes on the various OP CODES.
> 
>  CRS -  These do nothing except crash the
>       computer, HARD!


   It just triggers the thyristors which interlock the busses...
     so all you can do is to switch off the power.


>  DCP  - Decrement the memory first, then
>       compare it to the accum.
>  ISB  - increment the memory first, then
>       do a normal SBC. For example 
>       ISB #11 would be the same as
>       SBC #12.
>  LAN  - Rolls memory to the left, then
>       ANDs the result with the accum.
>  NOP  - All these are NOP replacements.
>       The number of cycles may be 
>       different.
>  RAM  - AND accum with memory then rotate
>       result to right. The 7th bit
>       becomes the carry, and the carry
>       becomes the 7th bit of the accum.
>       Remember the carry becomes the
>       7th bit of the original accum,
>       not the result.
>  RBM  - AND accum with memory and shift
>       to the left. The carry becomes 
>       1st bit of the AND.
>  SBC  - This is exactly the same as the
>       documented SBC OP.
>  SKP  - This is similar to the BIT OP
>       except it does not change any 
>       flags.
>  TEA  - These are interesting OPS. The 
>  TEX  - >+1 stands for the high operand
>  TEY  - For example TEA $C000,Y the >+1
>       will be $C1.
> 
> Well there you have it a documented list of the 6510 undocumented OP codes.
> No Warranties implied. No Money Back.


  Well, this is the version I've been using this far:
  And yes, several people have tested *all these* :)
   I have tested both 6510 and 8502.

		6510 instructions by addressing modes

	++++++++ Positive ++++++++++	-------- Negative ----------
	00	20	40	60	80	a0	c0	e0	mode

+00	BRK	JSR	RTI	RTS	NOP*	LDY	CPY	CPX  Impl/immed
+01	ORA	AND	EOR	ADC	STA	LDA	CMP	SBC  (indir,x)
+02	 t	 t	 t	 t	NOP*	LDX	NOP*	NOP*   ? /immed
+03	SLO*	RLA*	SRE*	RRA*	SAX*	LAX*	DCP*	ISB* (indir,x)
+04	NOP*	BIT	NOP*	NOP*	STY	LDY	CPY	CPX  Zeropage
+05	ORA	AND	EOR	ADC	STA	LDA	CMP	SBC	-"-
+06	ASL	ROL	LSR	ROR	STX	LDX	DEC	INC	-"-
+07	SLO*	RLA*	SRE*	RRA*	SAX*	LAX*	DCP*	ISB*	-"-

+08	PHP	PLP	PHA	PLA	DEY	TAY	INY	INX  Implied
+09	ORA	AND	EOR	ADC	NOP*	LDA	CMP	SBC  Immediate
+0a	ASL	ROL	LSR	ROR	TXA	TAX	DEX	NOP  Accu/impl
+0b	ANC**	ANC**	ASR**	ARR**	ANE**	LXA**	SBX**	SBC* Immediate
+0c	NOP*	BIT	JMP	JMP	STY	LDY	CPY	CPX  Absolute
+0d	ORA	AND	EOR	ADC	STA	LDA	CMP	SBC	-"-
+0e	ASL	ROL	LSR	ROR	STX	LDX	DEC	INC	-"-
+0f	SLO*	RLA*	SRE*	RRA*	SAX*	LAX*	DCP*	ISB*	-"-

+10	BPL	BMI	BVC	BVS	BCC	BCS	BNE	BEQ  Relative
+11	ORA	AND	EOR	ADC	STA	LDA	CMP	SBC  (indir),y
+12	 t	 t	 t	 t	 t	 t	 t	 t	?
+13	SLO*	RLA*	SRE*	RRA*	SHA**	LAX*	DCP*	ISB* (indir),y
+14	NOP*	NOP*	NOP*	NOP*	STY	LDY	NOP*	NOP* Zeropage,x
+15	ORA	AND	EOR	ADC	STA	LDA	CMP	SBC	-"-
+16	ASL	ROL	LSR	ROR	STX y)	LDX y)	DEC	INC	-"-
+17	SLO*	RLA*	SRE*	RRA*	SAX* y)	LAX* y)	DCP	ISB	-"-

+18	CLC	SEC	CLI	SEI	TYA	CLV	CLD	SED  Implied
+19	ORA	AND	EOR	ADC	STA	LDA	CMP	SBC  Absolute,y
+1a	NOP*	NOP*	NOP*	NOP*	TXS	TSX	NOP*	NOP* Implied
+1b	SLO*	RLA*	SRE*	RRA*	SHS**	LAS**	DCP*	ISB* Absolute,y
+1c	NOP*	NOP*	NOP*	NOP*	SHY**	LDY	NOP*	NOP* Absolute,x
+1d	ORA	AND	EOR	ADC	STA	LDA	CMP	SBC	-"-
+1e	ASL	ROL	LSR	ROR	SHX**y)	LDX y)	DEC	INC	-"-
+1f	SLO*	RLA*	SRE*	RRA*	SHA**y)	LAX* y)	DCP	ISB	-"-

	t	Jams the machine
	*	Undocumented command
	**	Unusual operation
	y)	indexed using YR instead of XR



			6510 Undocumented Commands


	ANE $8B		AC = (AC | #$EE) & XR & #byte
			AC = ((AC & #$11 & XR) | ( #$EE & XR)) & #byte

			In real 6510/8502 the internal parameter #$11 may
			occasionally be #$10, #$01 or even #$00.


	SHA $93,$9F     Store (AC & XR & (ADDR_HI +1))
	SHX $9E		 -"-	  XR
	SHY $9C 	 -"-	  YR
	SHS $9B	 	SHA and TXS, where X is replaced by (AC & XR).

			Note: The value to be stored is copied also
			to ADDR_HI if page boundary is crossed.


	LXA $AB 	C-lehti: AC and XR = ANE
			tested:  AC and XR = (AC & #byte)

	SBX $CB	 	Carry flag is ignored but set in subtraction.
			This may be due to CMP command, which is used
			instead of the real SBC.


	SHA is very strange command since it is the only command which has
	only indexed addressing modes !

   <Sorry, the rest of this article is not translated yet>


 6510 bugs
   o  The BREAK (B) flag is set when SR is pushed to stack. In fact this
      is the value of the IRQ input buffer.

   o  JMP indirect handles page boundary crossing incorrectly

   o  ADC and SBC set the Negative (N) Overflow (V) and Zero (Z) flags
      according to the binary mode also while operating in decimal mode.
      Also, adding or subtracting figures between 0xa and 0xf in decimal
      mode may cause strange results.

   o  BRK reads an absolute address like JSR but ignores it.

   o  Some undefined opcodes may give really unpredictable results.



 NOTES
 See MCS 6500 Microcomputer Family Programming Manual for more information.

 References:
  6510 Block Diagram   C64 Programmer's Reference Guide  p. 404
  Instruction Set      C64 Programmer's Reference Guide pp. 416-417
  			"C-Lehti" magazine 4/87	
  

   *(a++)+=--jopi();     /* jopi@{stekt,zombie}.oulu.fi */
                         /* -- the most disoriented user */
__________________________________________________________________________
        ***  A real Hacker never vacuum-cleans his computer !!  ***
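
Added example (not part of the original post, and not its author's code): a C model of the ANE and SHA formulas given above. It checks over every (AC, XR, #byte) triple that the two ANE forms agree when the internal parameter is #$11, counts how often they diverge for another parameter value, and shows where a SHA absolute,y store lands when indexing crosses a page. Function names and the sample values in main() are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Names are hypothetical. ANE $8B, first form: AC = (AC | #$EE) & XR & #byte */
uint8_t ane_short(uint8_t ac, uint8_t xr, uint8_t imm) {
    return (uint8_t)((ac | 0xEE) & xr & imm);
}

/* ANE $8B, second form, with the internal parameter (#$11 in the post,
   occasionally #$10, #$01 or #$00 on real chips) passed in as k. */
uint8_t ane_param(uint8_t ac, uint8_t xr, uint8_t imm, uint8_t k) {
    return (uint8_t)(((ac & k & xr) | (0xEE & xr)) & imm);
}

/* Count the (AC, XR, #byte) triples for which ane_param(k) differs from
   ane_short. 0 means the two forms agree everywhere for that k. */
unsigned long ane_mismatches(uint8_t k) {
    unsigned long n = 0;
    for (unsigned ac = 0; ac < 256; ac++)
        for (unsigned xr = 0; xr < 256; xr++)
            for (unsigned imm = 0; imm < 256; imm++)
                if (ane_short(ac, xr, imm) != ane_param(ac, xr, imm, k))
                    n++;
    return n;
}

/* SHA $9F (absolute,y) as described in the post: the stored value is
   AC & XR & (ADDR_HI + 1); if indexing crosses a page boundary the value
   is also copied to the high byte of the target address. */
uint8_t sha_abs_y(uint8_t ac, uint8_t xr, uint8_t yr, uint16_t base,
                  uint16_t *target) {
    uint8_t hi = (uint8_t)(base >> 8);
    uint8_t value = (uint8_t)(ac & xr & (uint8_t)(hi + 1));
    uint16_t ea = (uint16_t)(base + yr);
    if ((ea >> 8) != hi)                       /* page boundary crossed */
        ea = (uint16_t)((value << 8) | (ea & 0xFF));
    *target = ea;
    return value;
}

int main(void) {
    uint16_t t;                                /* constructed sample values */
    printf("ANE mismatches k=$11: %lu\n", ane_mismatches(0x11));
    printf("ANE mismatches k=$00: %lu\n", ane_mismatches(0x00));
    uint8_t v = sha_abs_y(0x0F, 0xFF, 0x10, 0xC0F8, &t);
    printf("SHA $C0F8,Y stores $%02X at $%04X\n", v, t);
    return 0;
}
```

An emulator or disassembler that hard-codes #$11 for ANE reproduces only one of the behaviours the post reports for real chips; passing the parameter in makes the difference testable.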

