Month: July 2019

Investigating the HCF (Halt & Catch Fire) instruction on Motorola 6800

While adding support for the Motorola 6800 on the Universal Chip Analyzer, I remembered the famous HCF instruction supposed to be present on that CPU. The Half & Catch Fire opcode is an undocumented and semi-mythical machine instructions with destructive side-effects, supposedly included for test purposes on several well-known architectures going as far back as the IBM System/360. The Motorola 6800 was the first – and almost only one – to have a HCF instruction well-known by the developers back in the 70s. It doesn’t really destroy the CPU, but makes it switch into a kind of debugging mode. Allegedly, HCF instruction on the 6800 should toggle the address lines in order very quickly. Legend added: up to the point that some support component might catch fire!

I read many resources online, including the Wikipedia page, about the HCF opcode and I found many contradictory information. It seems very few people actually tested the 6800’s behavior by themselves. Good news: the UCA has been created for this kind of experiment!

According to Wikipedia, the HCF opcode is 0x9D and 0xDD. I also found some other source locating it at 0x14, 0x15 or 0xCD, like on this Motorola 6809 and Hitachi 6309 Programmer’s Reference.

And here is another (different!) opcode matrix from here :

I have also investigated some other undocumented opcode (0xBD, 0xEB, 0xFB). All tests has been done on a Motorola MC6800P with a 1 MHz clock.

  • 0x14 / 0x15

Inserting 0x15 opcode doesn’t seem to have any effect on the CPU at all. Both opcode seems to be treated as NOPs, wasting 2 machine cycles. Registers unchanged. 0x14 executes a AND between both accumulator (A & B) and stores the result in A. However, only the later MC6800P seems to support this. An early XC6800 prototype does not to fetch the 0x14 opcode correctly.

  • 0xCD / 0xED

Both instructions crash the 6800 and make it unable to execute any more code until a full RESET is triggered. Exactly 64 ms after the opcode has been fetched, the CPU starts to toggle address line almost in order, but with many glitches and only for A0-A6. A7-A15 remain erratic.

Result of 0xCD or 0xED undocumented opcodes on a Motorola 6800 on lower address lines

But more interesting, I noticed a strange behavior on the upper address line. The 5 upper address line (A15-A11) started to count in reverse order from 0b11111 to 0b00000 at a very slow, human-readable, rate :

Same on upper address lines

The whole process (similar with both instruction) takes ~8 seconds with the 0xCD opcode and much longer (~60 seconds) with the 0xED opcode. Has this been added for simple human debugging (without oscilloscope or logic analyzer, costly in the 70s), or is it just a glitch? Hard to tell.

  • 0x9D / 0xDD

Here we find the expected “HCF” debug instructions. 64 ms after being fetched (which is quite long), the CPU starts to toggle all address lines in order, very fast (500 kHz for a 1 MHz clock) and with a clean square wave.

Famous HCF (0x9D/0xDD) opcode

After the HCF has been fetched, the 6800 stops responding to interrupts. A hard RESET is the only way to resume operations.

  • 0xFD

While messing with invalid opcode, I found another HCF instruction on the 6800. This one seems to behave exactly like the 0x9D/0xDD HCF, but is twice slower : 250 kHz instead of 500 kHz.

It seems 0x9D/0xCD/0xDD/0xED/0xFD are all related to HCF, but only 0x9D, 0xDD and 0xFD produce a clean (glitch-free) output.

The U.C.A. now supports Motorola 6800!

Finally, two years after a Intel 8088 (almost) booted for the first time on a very early UCA, I’m glad to announce the support for the last major 8-bit CPU : the famous Motorola 6800 !

The Motorola 6800, released in 1974, was one of the most advanced CPU in the 70s. Being TTL-compatible and only requiring 5V power, it was also  easy to use for hobbyist (albeit a two-phase clock was mandatory). Unfortunately, its high price prevented the 6800 to reach the DIY “mainstream” market. Many computer pioneer preferred the MOS 6500 and the Intel 8080, but Motorola  soon released a much cheaper, MCU-revision of the 6800 – the 6809 – that has been very successful.

The architecture of the 6800 is quite simple but efficient. It uses two accumulators, a 8-bit bidirectional data bus, a 16-bit stack pointer, and a 16-bit dedicated address bus that could address 64 KB of memory. Unlike the Intel 8080, the Motorola 6800 uses memory-mapped I/O : it doesn’t include specific instructions for I/O and they are handled as standard memory accesses.

Implementing support for the 6800 on the Universal Chip Analyzer (U.C.A.) wasn’t too difficult. The dual-phase clock was the main issue, as timings are usually tighter than with single-phase clock. Another issue was the UCA adapter. I designed it to support both MOS 65xx and Motorola 68xx, but the cheap chinese ZIF Socket (3M clone) I soldered on was crappy. The contact between the adapter and the main ZIF Socket wasn’t also very good, due to the standard 2.54mm pin header. Too thick, too square. So I build another adapter with a much more efficient Socket (an ARIES low-profile, burn-in ZIF Socket) and some new pin headers that mimic a real CPU :

The new Socket with “real” CPU pins (front) VS the old one (back)

Everything worked as expected and very reliably with that new adapter! Here is the UCA testing a Motorola MC6800P at 2 MHz and a very rare prototype (Motorola XC6800B) at 1 MHz :

Testing frequency can be set at 1.0 / 1.5 / 2.0 or 3.0 MHz to match the most popular 68xx.

Support for Motorola 6801/6802/6803/6808/6809 is planned soon.

More important, a brand new era is coming for the UCA, as I can now focus on much more advanced, 32-bit CPU. Many news planned soon!