The Zilog Z80 Undocumented instructions

The undocumented Z80 instructions are corresponding to 'holes' in the opcodes.

Undocumented index operations

In this section, IX operations will be described. 
IY operations, obtained by replacing DDs with FDs, behave identically. 
A DD preceding an instruction causes, in general, the following ('main') instruction to be processed as normal, except that:

- any access to (HL) gets treated as an access to (IX+d) 
- any access to HL gets treated as an access to IX 
- any access to H gets treated as an access to IXh 
- any access to L gets treated as an access to IXl

If the main instruction does not access any of (HL), HL, H and L, then the DD effectively acts as a NOP.  (In addition, a series of DDs and FDs acts as a series of NOPs with the DD/FD actually obeyed being the 
last one in the series.)

There are exceptions to the general rule, however.  These are:

Main instruction                Effect of preceding DD

LD H,(HL)                       Causes LD H,(IX+d) 
LD (HL),H                       Causes LD (IX+d),H 
LD L,(HL)                       Causes LD L,(IX+d) 
LD (HL),L                       Causes LD (IX+d),L 
EX DE,HL                        None (left as EX DE,HL) 
EXX                             None (left as EXX) 
EDxx                            None (left as EDxx) 
CBxx                            See below

DDCB sequences always cause the byte following the CB to be taken as a displacement, and always cause an access to (IX+d).  If the sequence produces output other than in the flags (i.e. all except BIT), then the result gets placed both into (IX+d) and the register one would normally expect to be altered.

For example,

DDCB0100 causes RLC (IX+1) and copies the result into B. 
DDCB02FF causes SET 7,(IX+2) and copies the result into A. 
DDCB0373 causes BIT 6,(IX+3). 

Undocumented shift operations

There are 248 different CB opcodes. The block CB 30 to CB 37 is missing from the official list. These instructions, usually denoted by the mnemonic SLL, Shift Left Logical, shift left the operand and make bit 0 always one.  The effect is therefore like SLA except b0 is set instead of being reset. These instructions are quite commonly used.

Undocumented EDxx operations

Instructions in the range ED00 to ED3F have no effect. 
Instructions in the range ED80 to EDBF, except those documented as block loads, compares, ins or outs, have no effect. 
Instructions in the range EDC0 to EDFF have no effect. 
The holes in the range ED40 to ED7F typically duplicate documented instructions:

NEG       at ED4C, ED54, ED5C, ED64, ED6C, ED74, ED7C 
NOP       at ED77, ED7F 
RETN      at ED55, ED65, ED75 
RETI      at ED5D, ED6D, ED7D 
IM ?      at ED4E, ED6E 
IM 0      at ED66 
IM 1      at ED76 
IM 2      at ED7E 
IN F,(C)  at ED70 
OUT (C),0 at ED71

IM ? sets the interrupt mode flip-flops to an undefined state, which seems to act like IM 0 or IM 1. 
IN F,(C) performs the input operation, setting the flags as normal, but throws the input value away. 
OUT (C),0 outputs $FF to the port.

Note : it would output zero if the Z80 used were the NMOS variant rather than the CMOS variant used in the Z88.

The complete list: (* = not official)

           ED40   IN B,(C)                 ED60   IN H,(C) 
        ED41   OUT (C),B                ED61   OUT (C),H 
        ED42   SBC HL,BC                ED62   SBC HL,HL 
        ED43   LD (nn),BC               ED63   LD (nn),HL 
        ED44   NEG                      ED64 * NEG 
        ED45   RETN                     ED65 * RET 
        ED46   IM 0                     ED66 * IM 0 
        ED47   LD I,A                   ED67   RRD 
        ED48   IN C,(C)                 ED68   IN L,(C) 
        ED49   OUT (C),C                ED69   OUT (C),L 
        ED4A   ADC HL,BC                ED6A   ADC HL,HL 
        ED4B   LD BC,(nn)               ED6B   LD HL,(nn) 
        ED4C * NEG                      ED6C * NEG 
        ED4D   RETI                     ED6D * RET 
        ED4E * IM 0/1                   ED6E * IM 0/1 
        ED4F   LD R,A                   ED6F   RLD 
        ED50   IN D,(C)                 ED70 * IN (C) 
        ED51   OUT (C),D                ED71 * OUT (C),0 
        ED52   SBC HL,DE                ED72   SBC HL,SP 
        ED53   LD (nn),DE               ED73   LD (nn),SP 
        ED54 * NEG                      ED74 * NEG 
        ED55 * RET                      ED75 * RET 
        ED56   IM 1                     ED76 * IM 
        ED57   LD A,I                   ED77 * NOP 
        ED58   IN E,(C)                 ED78   IN A,(C) 
        ED59   OUT (C),E                ED79   OUT (C),A 
        ED5A   ADC HL,DE                ED7A   ADC HL,SP 
        ED5B   LD DE,(nn)               ED7B   LD SP,(nn) 
        ED5C * NEG                      ED7C * NEG 
        ED5D * RET                      ED7D * RET 
        ED5E   IM 2                     ED7E * IM 2 
        ED5F   LD A,R                   ED7F * NOP

About the R register

This is not really an undocumented feature, although I have never seen any thorough description of it anywhere. The R register is a counter that is updated every instruction, where DD, FD, ED and CB are to be regarded as separate instructions. So shifted instruction will increase R by two. There's an interesting exception: doubly-shifted opcodes, the DDCB and FDCB ones, increase R by two too. LDI increases R by two, LDIR increases it by 2 times BC, as does LDDR etcetera. The sequence LD R,A/LD A,R increases A by two, except for the highest bit: this bit of the R register is never changed. This is because in the old days everyone used 16 Kbit chips. Inside the chip the bits where grouped in a 128x128 matrix, needing a 7 bit refresh cycle. Therefore ZiLOG decided to count only the lowest 7 bits. 

Undocumented flags F3 and F5

Bits 3 and 5 of the F register are not used. They can contain information, as you can readily figure out by PUSHing AF onto the stack and then POPping some it into another pair of registers. Furthermore, sometimes their values change. The values of bits 7, 5 and 3 follow the values of the corresponding bits of the last 8 bit result of an instruction that changed the usual flags. 
For instance, after an ADD A,B those bits will be identical to the bits of the A register (Bit 7 of F is the sign flag, and fits the rule exactly). An exception is the CP x instruction (x=register, (HL) or direct argument). In this case the bits are copied from the argument. If the instruction is one that operates on a 16 bit word, the 8 bits of the rule are the highest 8 bits of the 16 bit result - that was to be expected since the S flag is extracted from bit 15.

Interrupt flip-flops IFF1 and IFF2

There seems to be a little confusion about these. These flip flops are simultaneously set or reset by the EI and DI instructions. IFF1 determines whether interrupts are allowed, but its value cannot be read. The value of IFF2 is copied to the P/V flag by LD A,I and LD A,R. When an NMI occurs, IFF1 is reset, thereby disallowing further [maskable] interrupts, but IFF2 is left unchanged. This enables the NMI service routine to check whether the interrupted program had enabled or disabled maskable interrupts.

Interrupt Modes (IM x)

Interrupt modes can be set with the IM x instructions. They only affect mask-able interrupts. When a mask-able interrupt occurs, the interrupting device must supply a value. The Z88 only uses the IM1. All maskable interrupts are managed by the RST $38. The Non-Maskable Interrupt causes a jump to $0066.

IM 0: The value the interrupting device supplies is interpreted as an 8 bit opcode which is executed (usually RST p) 
IM 1: A call is made to address 38h. The value the interrupting device supplies is ignored. 
IM 2: A call is made to an address read from address (register I × 256 + value from interrupting device). 

Z80 hardware bugs

There are several bugs in the NMOS version of the CPU. One of them is with regard to the buggy IFF2->parity flag performance in the LD A,I and LD A,R instructions. An error can occur when an INTACK runs near these instructions, the parity flag will be showing 0 when it should have been 1. We are not sure but this bug concerns the CMOS Z80 too. A Zilog app. note is around somewhere talking about this.

Information source

This page is based on combined information from articles written by

Sean Young, 
Mark Rison, 
Marat Fayzullin,

The original PDF contains more details, click on link to read / download, z80-documented-v0.91.pdf.