Finding undocumented 8086 instructions via microcode

Video gamers know cheat codes, but assembly language programmers are often looking for undocumented instructions. One way to find them is to map every opcode a CPU accepts and, where there are gaps in the table, try those values and see what happens. That is not good enough for [Ken Shirriff]. He prefers to read the CPU's microcode and deduce what each part of it does.

Microcode is a feature of many modern processors: the CPU executes several "microinstructions" to carry out a single opcode. The Intel 8086 has 512 microinstructions of 21 bits each. Each microinstruction has two parts: one that moves a source to a destination, and another that performs some other operation, such as an ALU operation. [Ken] explains all of it in the article, including several hidden registers that are invisible to the programmer but accessible to the microcode.

Checking for holes in the opcode table.

Some of the undocumented instructions are probably not useful: they are either impractical or duplicate a function you can already perform another way. Not every instruction is there for a technical reason. For example, the D6 opcode, commonly referred to as SALC for "Set AL to Carry", seems to exist only as a trap for anyone making an exact copy of Intel's microcode. When other companies such as NEC produced 8086 clones, the presence of an undocumented instruction would strongly suggest that they had simply copied Intel's intellectual property (in NEC's case, they didn't).

In other cases an instruction simply doesn't make sense. For example, you can pop any segment register, and although it isn't documented, you would expect POP CS to be opcode 0F. The problem is that there is no reasonable use for popping CS off the stack. The instruction works; it's just not useful. Opcodes 60-6F are conditional jumps that behave identically to 70-7F because of how the decoder works, and there is no reason to document two identical ranges of instructions.
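To make the opcode-mapping approach concrete, here is an added example (not code from the post or from Ken Shirriff's article). It models a decoder that behaves as the post describes for the opcodes it mentions (0F = POP CS, D6 = SALC, 60-6F aliasing 70-7F) and walks a range of opcode values looking for holes. The documented-opcode table is a constructed, partial stand-in covering only the regions discussed above, not the full 8086 map; the Jcc condition-code order is the standard one for the 70-7F row.

```python
"""Added example, not part of the original post: a small model of the 8086
opcode-table probing described in the text.  The DOCUMENTED table below is a
constructed partial stand-in; the real 8086 map has far more entries."""

# Condition codes carried in the low nibble of a 70-7F short conditional jump.
JCC = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
       "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]

# Partial documented table (constructed for this example): the documented
# segment-register pops and the documented conditional-jump row.
DOCUMENTED = {0x07: "POP ES", 0x17: "POP SS", 0x1F: "POP DS"}
DOCUMENTED.update({0x70 + cc: JCC[cc] + " rel8" for cc in range(16)})


def decode(opcode):
    """Return (mnemonic, documented, alias_of) for one opcode byte.

    Mirrors the decoder behaviour the post describes: bit 4 of the opcode is
    not checked for the 6x/7x rows, so 60-6F act exactly like 70-7F."""
    if not 0 <= opcode <= 0xFF:
        raise ValueError("opcode must be a single byte")
    if opcode in DOCUMENTED:
        return DOCUMENTED[opcode], True, None
    if 0x60 <= opcode <= 0x6F:
        alias = opcode | 0x10            # decoder ignores bit 4 here
        return DOCUMENTED[alias], False, alias
    if opcode == 0x0F:
        return "POP CS", False, None     # works, but nothing sensible to do with it
    if opcode == 0xD6:
        return "SALC", False, None
    return None, False, None             # a hole in this (partial) table


def salc(carry_flag):
    """Model of undocumented D6 (SALC): AL becomes FF if CF is set, else 00."""
    return 0xFF if carry_flag else 0x00


def find_holes(lo=0x00, hi=0xFF):
    """The brute-force method from the post: walk every opcode value in the
    range and report those absent from the documented table, splitting them
    into ones the decoder still assigns a meaning (undocumented but functional)
    and ones this model knows nothing about."""
    functional, unknown = [], []
    for op in range(lo, hi + 1):
        mnemonic, documented, _ = decode(op)
        if documented:
            continue
        (functional if mnemonic else unknown).append(op)
    return functional, unknown


if __name__ == "__main__":
    for op in (0x0F, 0x60, 0x74, 0xD6):
        print(f"{op:02X}: {decode(op)}")
    functional, unknown = find_holes(0x60, 0x7F)
    print("undocumented but functional in 60-7F:",
          [f"{o:02X}" for o in functional])
```

Running `find_holes` over 60-7F reports every 6x byte as an undocumented alias of its 7x twin and nothing as unknown, which is exactly the "two identical ranges" situation the post describes; over 00-0F it flags 0F as functional and leaves the rest as holes because the stand-in table does not cover them.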

The plot thickens when you move on to two-byte instructions, where you will find many instructions of dubious value. You don't hear much about undocumented instructions anymore. Why? Because modern processors have enough circuitry to dedicate some of it to detecting illegal instructions and stopping execution. The 8086 was too tightly constrained to afford such luxury, which is good news for those of us who like to solve puzzles.

You can still get a modern CPU to tell you more about its instructions, even when it refuses to execute them. Even the 80286 had secret opcodes.
