So-Called Unused Opcodes#

from Apple Assembly Line 03/81

The 6502 has 104 so-called unused opcodes. The various charts and reference manuals I have checked either leave them blank or call them "unused", "no-operation", or "future expansion". The 6502 has been around since 1976; I think we have waited long enough to know there will be no "expansion". But are they really unused? Do they have any effect if we try to execute them? Are they really no-ops? If so, how many bytes does the processor assume for each one?

These questions had never bothered me until I was looking through some disassembled memory and thought I found evidence of someone USING the "unused". It turned out they were not, but my curiosity was aroused. Just for fun, I built a little test routine and tried out the $FF opcode. Lo and behold! The 6502 thinks it is a 3-byte instruction, and it changes the A-register and some status bits!

About 45 minutes later I pinned it down: FFxxyy performs exactly the same as the two instructions FExxyy and FDxxyy. It is just as though I had executed one and then the other. In other words, anywhere in a program I find:

I can substitute:
     .HS FF

You might wonder if I will ever find that sequence. I did try writing a program to demonstrate its use. It has the advantage of saving 3 bytes, and 4 clock cycles. (The SBC instruction is executed DURING the 7 cycles of the INC instruction!)

          LDA #10       FOR COUNTER(X)=10 TO 39
          STA COUNTER,X
          LDA #39       LIMIT
          .HS FF        DO INC AND SBC
          BCS .1        NEXT

Are there any more? Before I could rest my curiosity, I had spent at least ten more hours, and had figured out what all 104 "unused opcodes" really do!

The center-fold chart shows the fruit of my detective work. The shaded opcodes are the "unused" ones. I don't know if every 6502 behaves the same as mine or not. Mine appears to be made by Synertek, and has a date code of 7720 (20th week of 1977). It could be that later versions or chips from other sources (MOS Technology or Rockwell) are different. If you find yours to be different, please let me know!

Twelve of the opcodes, all in column "x2", hang up the 6502; the only way to get out is to hit RESET or turn off the machine.

There are 27 opcodes which appear to have no effect on any registers or on memory. These could be called "NOP", but some of them are considered by the 6502 to have 2 or 3 bytes. I have labeled them "nop", "nop2", and "nop3" to distinguish how many bytes the 6502 thinks it is using. You could call nop2 "always skip one byte" and nop3 "always skip two bytes".

The action most of the rest perform can be deduced by looking at the other opcodes in the same row. For example, all of the xF column (except 8F and 9F) perform two instructions together: first the corresponding xE opcode, and then the corresponding xD opcode. In the same way, most of the opcodes in column x7 combine the x6 and x5 opcodes. The x3 column mirrors the x7 and xF columns, but with different addressing modes. And finally, the xB column mimics the other three columns, but with more exceptions. Most of the exceptions are in the 8x and 9x rows.

A few of the opcodes seem especially interesting and potentially useful. For example, A3xx performs three steps: first it loads xx into the X-register; then using this new value of X, it moves the byte addressed by (xx,X) into both the A- and X- registers. Another way of looking at this one is to say that whatever value xx has is doubled; then the two pagezero bytes at 2*xx and 2*xx+1 are used as the address for loading the A- and X-registers. You could use this for something, couldn't you?

There are five instructions which form the logical product of the A- and X-registers (without disturbing either register) and store the result in memory. If we call this new instruction "SAX", for "Store A&X", we have:

     83   SAX (z,X)             8F   SAX a
     87   SAX z                 9F   SAX a,X
     97   SAX z,Y

We get seven forms of the combination which shift a memory location using ASL, and then inclusive OR the results into A with an ORA instruction. If we call this new instruction ALO, we have:

     03   ALO (z,X)             1B   ALO a,Y
     13   ALO (z),Y             0F   ALO a
     07   ALO z                 1F   ALO a,X
     17   ALO z,X

The same seven forms occur for the combinations ROL-AND, LSR-EOR, and ROR-ADC. Note that if you don't care what happens to the A-register, and the status register, these 28 instructions make two extra addressing modes available to the shift instructions: (z,X) and (z),Y.

Opcodes 4B and 6B might also be useful. You can do an AND-immediate followed by LSR or ROR on the A-register.

Opcodes 93, 9B, and 9E are really weird! It took a lot of head-scratching to figure out what they do.

     93   Forms the logical product of the A-register
          and byte the at z+1 (which I call "hea")
          and stores it at (z),Y.
     9B   Forms the logical product of the A- and X-
          registers, and stores the result in the S-
          register (stack pointer)!  Ouch!
          Then it takes up the third byte of the
          instruction (yy from 9B xx yy) and adds one
          to it (I call it "hea+1").  Then it forms
          the logical product of the new S-register
          and "hea+1" and stores the result at "a,Y".

     9E   Forms the logical product of the X-register
          and "hea+1" and stores the result at "a,Y".

We get six forms of the new "LAX" instruction, which loads the same value into both the A- and X-registers:

     B3   LAX (z),Y             AB   LAX #v
     A7   LAX z                 AF   LAX a
     B7   LAX z,Y               BF   LAX a,Y

I skipped over BB, because it is another extremely weird one. It forms the logical product of the byte at "a,Y" and S-register, and stores the result in the A-, X-, and S-registers. No wonder they didn't tell us about it!

Right under that one is the CB instruction. Well, good buddy (please excuse the CB talk!), it forms the logical product of the A- and X-registers, subtracts the immediate value (second byte of CB xx), and puts the result into the X-register.

The Cx and Dx rows provide us with seven forms that do a DEC on a memory byte, and then CMP the result with the A-register. Likewise, the Ex and Fx rows give us seven forms that perform INC followed by SBC.

It is a good thing to be aware that the so-called "unused" opcodes can be quite dangerous if they are accidentally executed. If your program goes momentarily wild and executes some data, chances are something somewhere will get strangely clobbered.

Since all of the above information was deduced by testing and observation, I cannot be certain that I am 100% correct. I may have overlooked or mis-interpreted some results, or even made a clerical error. Furthermore, as I said before, my 6502 may be different from yours. You can test your own, to see if it works like mine.

And if the whole exercise seems academic to you, you can at least enjoy the first legible and complete hexadecimal opcode chart for the 6502.

    x0      x1         x2      x3

0x  BRK     ORA (z,X)  hang    ASL (z,X)
                               ORA (z,X)

1x  BPL r   ORA (z),Y  hang    ASL (z),Y
                               ORA (z),Y

2x  JSR a   AND (z,X)  hang    ROL (z,X)
                               AND (z,X)

3x  BMI r   AND (z),Y  hang    ROL (z),Y
                               AND (z),Y

4x  RTI     EOR (z,X)  hang    LSR (z,X)
                               EOR (z,X)

5x  BVC r   EOR (z),Y  hang    LSR (z),Y
                               EOR (z),Y

6x  RTS     ADC (z,X)  hang    ROR (z,X)
                               ADC (z,X)

7x  BVS r   ADC (z),Y  hang    ROR (z),Y
                               ADC (z),Y

8x  nop2    STA (z,X)  nop2    A&X
                               --> (z,X)

9x  BCC r   STA (z),Y  hang    A&hea
                               --> (z),Y

Ax  LDY #v  LDA (z,X)  LDX #v  LDX #v
                               LDA (z,X)
                               LDX (z,X)

Bx  BCS r   LDA (z),Y  hang    LDA (z),Y
                               LDX (z),Y

Cx  CPY #v  CMP (z,X)  nop2    DEC (z,X)
                               CMP (z,X)

Dx  BNE r   CMP (z),Y  hang    DEC (z),Y
                               CMP (z),Y

Ex  CPX #v  SBC (z,X)  nop2    INC (z,X)
                               SBC (z,X)

Fx  BEQ r   SBC (z),Y  hang    INC (z),Y
                               SBC (z),Y

x4       x5       x6       x7

nop2     ORA z    ASL z    ASL z
                           ORA z

nop2     ORA z,X  ASL z,X  ASL z,X
                           ORA z,X

BIT z    AND z    ROL z    ROL z
                           AND z

nop2     AND z,X  ROL z,X  ROL z,X
                           AND z,X

nop2     EOR z    LSR z    LSR z
                           EOR z

nop2     EOR z,X  LSR z,X  LSR z,X
                           EOR z,X

nop2     ADC z    ROR z    ROR z
                           ADC z

nop2     ADC z,X  ROR z,X  ROR z,X
                           ADC z,X

STY z    STA z    STX z    A&X
                           --> z

STY z,X  STA z,X  STX z,Y  A&X
                           --> z,Y

LDY z    LDA z    LDX z    LDX z
                           LDA z

LDY z,X  LDA z,X  LDX z,Y  LDX z,Y
                           LDA z,Y

CPY z    CMP z    DEC z    DEC z
                           CMP z

nop2     CMP z,X  DEC z,X  DEC z,X
                           CMP z,X

CPX z    SBC z    INC z    INC z
                           SBC z

nop2     SBC z,X  INC z,X  INC z,X
                           SBC z,X

x8   x9       xA   xB

PHP  ORA #v   ASL  AND #v

CLC  ORA a,Y  nop  ASL a,Y
                   ORA a,Y

PLP  AND #v   ROL  AND #v

SEC  AND a,Y  nop  ROL a,Y
                   AND a,Y

PHA  EOR #v   LSR  AND #v

CLI  EOR a,Y  nop  LSR a,Y
                   EOR a,Y

PLA  ADC #v   ROR  AND #v

SEI  ADC a,Y  nop  ROR a,Y
                   ADC a,Y

DEY  nop2     TXA  #v&X
                   --> A

TYA  STA a,Y  TXS  A&X-->S
                   --> a,Y

TAY  LDA #v   TAX  LDA #v

CLV  LDA a,Y  TSX  a,Y & S

INY  CMP #v   DEX  A&X-#v
                   --> X

CLD  CMP a,Y  nop  DEC a,Y
                   CMP a,Y

INX  SBC #v   NOP  SBC #v

SED  SBC a,Y  nop  INC a,Y
                   SBC a,Y

xC       xD       xE       xF

nop3     ORA a    ASL a    ASL a
                           ORA a

nop3     ORA a,X  ASL a,X  ASL a,X
                           ORA a,X

BIT a    AND a    ROL a    ROL a
                           AND a

nop3     AND a,X  ROL a,X  ROL a,X
                           AND a,X

JMP a    EOR a    LSR a    LSR a
                           EOR a

nop3     EOR a,X  LSR a,X  LSR a,X
                           EOR a,X

JMP (a)  ADC a    ROR a    ROR a
                           ADC a

nop3     ADC a,X  ROR a,X  ROR a,X
                           ADC a,X

STY a    STA a    STX a    A&X
                           --> a

nop3     STA a,X  X&hea+1  A&X
                  --> a,Y  --> a,X

LDY a    LDA a    LDX a    LDX a
                           LDA a

LDY a,X  LDA a,X  LDX a,Y  LDX a,Y
                           LDA a,Y

CPY a    CMP a    DEC a    DEC a
                           CMP a

nop3     CMP a,X  DEC a,X  DEC a,X
                           CMP a,X

CPX a    SBC a    INC a    INC a
                           SBC a

nop3     SBC a,X  INC a,X  INC a,X
                           SBC a,X

A     A-register (Accumulator)
S     S-register (Stack Pointer)
X     X-register
Y     Y-register

a     2-byte absolute address
r     1-byte relative address
v     1-byte immediate value
z     1-byte pagezero address

hea   high-byte of effective address
      93:  the byte at z+1
      9B:  3rd byte of instruction
      9E:  3rd byte of instruction

&     and-function (logical product)

hang  computer hangs up, only way to
      regain control is to hit RESET

nop   1-byte instruction, no operation
nop2  2-byte instruction, no operation
nop3  3-byte instruction, no operation

-->   "result is stored in"

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-1) was last changed on 04-Apr-2010 19:52 by Carsten Strotmann