The Z80's secret feature discovered after 40 years!

Captions
The Zilog Z80 has a protected mode. To those of you who know what a Z80 is and what protected mode is, this should be impossible. In fact, it has been impossible for more than 40 years, since the introduction of the original Z80 in 1976. That is, until now. Hi, I'm Andy and welcome to my retro attic. Let's look at how this seemingly impossible feat is pulled off.

This is the Zilog Z80, the CMOS version of it to be precise. If you don't know what a Z80 is, there are lots and lots of videos on YouTube that are far better at explaining it than I am, therefore I won't go into the details about the history or architecture of this chip. Feel free to pause this video and watch those if you need a recap on the Z80; links in the description below. In short, the Z80 is one of the most popular CPUs in history, alongside the 6502. It is the heart of countless home computers, game consoles, arcade machines and more, including this beautiful Sony HitBit MSX2 right next to me. However, you didn't click this video to see what the Z80 can do, but what it cannot, or should I say what it's not supposed to do.

The Z80 doesn't have a protected mode, which means it cannot run a true preemptive multitasking OS, it cannot perform memory protection, it cannot be virtualized, and most importantly it cannot stop a misbehaving or malicious program from overwriting system variables or accessing sensitive data. The last one is the most frustrating for programmers, since it means a half-written buggy program may easily scramble system RAM values and crash the entire computer, making debugging virtually impossible. These limitations are not simply a result of the primitive operating systems of the 80s, or of programmers not wanting to spend time and space supporting this feature; it was in the hardware. Protected mode requires specific support within the logic circuit of the CPU itself, support that the Z80 does not have, or at least not as a part of its documented features.

So, is today's topic about a secret undocumented instruction which enables a secret protected mode? Well, not really. You see, the Z80 happens to be one of the most studied and most documented CPUs. Features left out of the official documentation have been dug out by people who want to know more about their favorite microprocessor. There are many blogs about reverse engineering the Z80 at silicon level, and like the 6502, the Z80 has its own Visual Z80 visualization website showing the role of each individual transistor in live action. There is even a book named The Undocumented Z80 Documented, explaining all secret undocumented instructions in great detail. Therefore the meaning of the thumbnail of this video is actually twofold: first, the Z80 can't possibly support a protected mode, and second, even if it does, this feature can't possibly go unnoticed for 40 years. Or can it? It turns out that the Z80 does have a little known feature hidden in plain sight.

In order to understand it, we start off at one of its most well-known features, the I/O bus. I think it's safe to assume that most people making it this far into the video would have known that the Z80 uses a separate address space for the memory and I/O operations. As a result it has an I/O request, or IORQ, pin to indicate that it is doing an I/O operation. Now imagine we hooked the IORQ pin directly to the non-maskable interrupt pin, or NMI pin, of the CPU. This will trigger a non-maskable interrupt each time a program does an I/O operation. What does that do, you may ask? Well, at this moment pretty much nothing, but it gives us a chance to examine the output operation in order to translate the I/O access. Take the SVI-328 and the MSX as an example. Assume we want to run MSX software on the SVI-328. We can capture each I/O access made by the program, determine which device it is accessing and forward that access to the corresponding I/O port on the SVI-328.

There is only one small problem: the I/O operation issued by our translation program will also trigger a non-maskable interrupt, creating an infinite loop and ultimately overflowing our stack. Therefore we need some sort of circuit to prevent this from happening. Here we use a single RS flip-flop. We connect one of the inputs to the NMI pin and the output Q to an OR gate alongside the IORQ line. Finally we use the output of the OR gate as the new NMI input. As a result an NMI will set the flip-flop, preventing further interrupts. How to reset the flip-flop? Simple, just hook the reset signal to an unused device select. Once this port is accessed, the flip-flop goes back to its original state, waiting for the next I/O access to occur, and our translation program can return control to the original program. Or does it? Well, not so fast.

Remember the original I/O write operation, the one that triggers the interrupt? It didn't go nowhere. If a device is present on the wrong I/O port, it will still receive a piece of information. Let's imagine our MSX program makes a write to the VDP register at port 98 hex. Our translator will catch the write and forward it to port 80 hex on the SVI. However, port 98 hex on the SVI is the A port of the 8255 PPI, programmable peripheral interface. As a result the data on the PPI's GPIO pins is probably altered, which can potentially damage our system. To solve this problem, we just need to add another wire connecting the output of the flip-flop to the enable pin of the I/O decoder. If our OS is written carefully enough to reset the flip-flop each time control is returned to our user program, this circuit will ensure that each and every one of our I/O operations is performed by the OS, not some random, potentially buggy and potentially even malicious user code. And suddenly our little Z80 is now running in protected mode. Believe it or not, we are 90% there.

The only things left are memory protection and a way for our user program to actually call the system routines, other than making a read or write to a port and waiting for the system to translate it. The first one is easy enough, since the memory management unit, or MMU, commonly found in 386s or 68030s, is just a super beefed up version of the memory mappers for 8-bit computers, and many mappers are controlled by I/O ports, which are already protected by the circuit we just talked about. Our OS just needs to bank out the system variables in RAM so that they are not visible to the user program, and bank them back in whenever a system routine is executed. Here I chose the simplest kind of mapper, a 256-byte static RAM connected to the high byte of the address bus. This will have an added benefit of being able to fill the mapper RAM with a single OTDR instruction. And the second task is not difficult either, thanks to another feature of the Z80, its RST or restart command. Much like the INT command of the x86, it is encoded with 5 ones and 3 bits to indicate the restart address. This makes it very easy to detect: by just ANDing those pins together with the inverted M1 signal, we can then add a gate to the input of the flip-flop, so the kernel mode is entered whenever an NMI or restart instruction is issued. Plus, such an instruction calls into a routine within the zero page of memory. It makes a perfect way to do system calls.

And that's pretty much it. I also added other features, but they are all design choices and mostly just to speed things up or provide extra functionality. For example, I used bigger mapper RAM chips to provide hardware accelerated task swapping, added a second mapper RAM to increase the maximum physical RAM size supported, stole two physical address lines to mark a page as non-writable and non-executable in order to tighten memory access control, and added a bunch of peripheral chips to provide graphics, sound, a timer, some GPIO and a user input interface.

So, final conclusion here: is this really a secret Z80 feature that's been hidden for years? No, it's not. It's just a clever combination of several documented features and an external circuit. Technically this can be done to any 8-bit processor like the 8085, the 8080 and even the 6502 and 6800, but it will be much more difficult and require much more external circuitry, because this circuit does rely on some of the Z80's unique features to work efficiently, namely the separate I/O address space, the block I/O command with register B output to the high byte of the address bus, and the special encoding of the restart instruction. However, it is almost certain that the Z80 was not designed to be used in this way, since many of the Z80's other features will be rendered completely useless, like the powerful interrupt mode 2, the entire multiple interrupt system including many instructions dedicated to it such as RETI and RETN, EI and DI and the IFF registers, and the second set of general purpose registers for fast context switch. I think it's safe to say that Mr Faggin designed the Z80 to work with his own dedicated chipset running well-engineered, well-tested programs, mainly in embedded systems. Ironically, most Z80s found themselves in desktop and home computers with an Intel chipset, running whatever program the user throws at them.

Then, is this video a clickbait? Yes. Now, big disclaimer: I hate clickbait videos, but I did it anyway in the title and thumbnail of this video. To be fair, I did include a hint that this required external hardware at the beginning of this video, so that professionals can understand the whole thing and click away at that point if they pay enough attention. Nonetheless I have made a clickbait video, the type of video that I hate to see, but I guess this is what you will get from a small YouTuber watching other big YouTube channels getting hundreds of thousands of views as soon as a new video is released. But do I think this is cool though? Oh boy, I do.

Just imagine what can be achieved by this technique. You can virtualize your computer to create independent virtual machines. You can tweak those virtual machines to emulate different platforms like the ColecoVision, the Sega SG-1000, the SVI-328, the MSX and even the rare MTX512 made by Memotech, as they share similar hardware. There can be slowdowns and incompatibilities, but the truth is that few games make use of full CPU time and will run just fine. You can run many programs concurrently. You can implement a virtual VDP in the OS and set aside some RAM to create a shadow VRAM, and direct all VDP access of one program, say a spreadsheet, to that virtual VDP, then direct that of another program, say a game, to the actual screen. Then you can use a boss key to tell the system to swap the contents of the VRAM and shadow VRAM and exchange the registers of the physical and virtual VDP within a second, so that your boss won't notice you playing Galaga at work. You can even add another physical VDP to your system and run dual monitor with different programs. Going further, you can also add multiple keyboards or game controllers and map those to different virtual environments, creating a Linus Tech Tips style "two gamers, one CPU" experience, but with all the 80s retro fashion.

That's about it for this video, but before the end of it I have a small story to tell. During the making of this video, I remember seeing somewhere a claim that the reason why the Z80 has so many undocumented instructions is that Faggin used spare space at the edge of the silicon die to implement them as actual instructions. However, early production units showed that those instructions worked unreliably. As a result, Faggin just dropped those instructions out of the documentation to artificially boost yield, since he could now market chips that don't execute those instructions as good ones. As the fabrication process matured, most chips ran those instructions just fine, but the instruction set was not updated for consistency, as those instructions were originally undocumented. Once they were very reliable and useful, so much software started using them, causing them to be re-added in many of the Z80's upgraded versions like the Z180 and R800 as extensions to the instruction set. I think this story is fun, but I cannot find where I saw it, so I left it out of the script. If anyone knows whether this story is true or not, or can point me to the website where I saw it, no matter if it's a true story, please leave a comment below. I would appreciate it. But that's it for today's video, for real this time. Bye!
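The circuit described in the captions above (IORQ ORed with the flip-flop's Q into NMI, Q enabling the I/O decoder, RST detected on the data bus during M1, and a 256-entry mapper SRAM indexed by the high address byte) can be checked as a behavioural model before any wire is soldered. The following Python model is an added example and is not the video's own hardware, OS or code. It assumes a reset port number (7Fh), a translation table (the transcript's 98h to 80h case plus 99h to 81h), a page layout in which system variables live at F000h, a 9-bit mapper entry whose top bit plays the role of the "stolen" non-writable line, and an RST 08h system call that reads a system variable; all of these are made up for the model.

```python
"""Behavioural model of the NMI-on-IORQ 'protected mode' circuit from the video.

Added example, not the video's own hardware or OS. What follows the transcript: an RS
flip-flop whose Q output (1) masks IORQ from the NMI pin through an OR gate, (2) enables
the I/O decoder, and (3) is set by an NMI or by an RST opcode seen on the data bus
during M1; plus a mapper SRAM with one entry per 256-byte page. Port numbers, the
translation table, the page layout, the write-protect flag and the system-call
numbering are assumptions made for this model.
"""

RESET_FF_PORT = 0x7F      # assumed: an otherwise unused device select that clears the flip-flop
WRITE_PROTECT = 0x100     # assumed: the 'stolen' address line, kept above the 8 page bits here
SYSVAR_LOGICAL = 0xF000   # assumed: where the OS keeps its system variables
PORT_TRANSLATION = {0x98: 0x80, 0x99: 0x81}   # MSX VDP ports -> SVI-328 VDP ports (assumed table)


class ProtectedZ80:
    def __init__(self):
        self.kernel = True                 # the RS flip-flop; assumed set after a hardware reset
        self.ram = bytearray(256 * 256)    # 64 KiB physical RAM as 256 pages
        self.devices = {}                  # port -> bytes that actually reached a device
        self.trace = []                    # circuit events, for inspection
        # Two mapper images. Kernel map: identity. User map: logical page F0h points at a
        # scratch physical page (10h) instead of the real system-variable page, and zero
        # page (RST vectors, NMI handler at 0066h) is flagged non-writable.
        self.kernel_map = list(range(256))
        self.user_map = list(range(256))
        self.user_map[SYSVAR_LOGICAL >> 8] = 0x10
        self.user_map[0x00] |= WRITE_PROTECT
        self.mapper = list(self.kernel_map)   # current contents of the mapper SRAM

    # ---- memory path: every access is translated by the mapper SRAM ----
    def _translate(self, addr):
        entry = self.mapper[addr >> 8]
        return ((entry & 0xFF) << 8) | (addr & 0xFF), bool(entry & WRITE_PROTECT)

    def read(self, addr):
        return self.ram[self._translate(addr)[0]]

    def write(self, addr, value):
        """Returns False when a user-mode write hits a non-writable page."""
        phys, read_only = self._translate(addr)
        if read_only and not self.kernel:
            self.trace.append(("write-blocked", addr))
            return False
        self.ram[phys] = value & 0xFF
        return True

    def load_map(self, image):
        """Refill all mapper entries (one OTDR loop on the real board). The mapper port is
        an I/O port, so the circuit itself makes this kernel-only."""
        if not self.kernel:
            raise PermissionError("mapper port is only reachable in kernel mode")
        self.mapper[:] = image

    # ---- I/O path: one IORQ write cycle, whoever issued it ----
    def out(self, port, value):
        if self.kernel:
            # Q=1: the OR gate masks IORQ from NMI and the decoder is enabled.
            if port == RESET_FF_PORT:
                self.load_map(self.user_map)   # OS restores the user map, then drops privilege
                self.kernel = False
            else:
                self.devices.setdefault(port, []).append(value & 0xFF)
            return
        # Q=0: decoder disabled, so the byte reaches no device; IORQ passes the OR gate,
        # pulls NMI, and the flip-flop is set before the handler at 0066h runs.
        self.trace.append(("trap-out", port, value))
        self.kernel = True
        self._nmi_handler(port, value)

    def _nmi_handler(self, port, value):
        # Model shortcut: a real handler recovers port and value by inspecting the
        # interrupted OUT instruction and the registers; here they are passed in.
        self.load_map(self.kernel_map)
        target = PORT_TRANSLATION.get(port)
        if target is None:
            self.trace.append(("denied", port))   # no translation: the access is dropped
        else:
            self.out(target, value)               # performed by the OS, decoder enabled
        self.out(RESET_FF_PORT, 0)                # back to user mode

    # ---- instruction path: RST detection on the data bus during M1 ----
    @staticmethod
    def is_rst(opcode):
        """RST p is encoded 11ppp111; ANDing D7, D6, D2, D1, D0 with /M1 detects it."""
        return (opcode & 0xC7) == 0xC7

    def fetch_m1(self, opcode, a_reg=0):
        """One opcode fetch. An RST sets the flip-flop in hardware, so the zero-page
        routine at 8*p runs in kernel mode: a system call. Returns its result."""
        if not self.is_rst(opcode):
            return None
        self.kernel = True
        self.load_map(self.kernel_map)
        result = self._syscall(opcode & 0x38, a_reg)
        self.out(RESET_FF_PORT, 0)
        return result

    def _syscall(self, vector, a_reg):
        if vector == 0x08:    # assumed: RST 08h = read the system variable at offset A
            return self.read(SYSVAR_LOGICAL + a_reg)
        return None


def demo():
    """Boot in kernel mode, drop to user mode, then let 'user code' misbehave."""
    m = ProtectedZ80()
    m.write(SYSVAR_LOGICAL, 0x42)          # OS stores a system variable
    m.out(RESET_FF_PORT, 0)                # start the user program
    m.out(0x98, 0x55)                      # user writes the MSX VDP port
    m.out(0x12, 0x01)                      # user writes a port with no translation
    user_sees = m.read(SYSVAR_LOGICAL)     # user reads the system-variable address
    m.write(SYSVAR_LOGICAL, 0x99)          # and tries to scribble on it
    return {
        "translated": m.devices.get(0x80),          # reached the SVI VDP port
        "leaked_to_98h": 0x98 in m.devices,
        "untranslated_reached": 0x12 in m.devices,
        "user_sees_sysvar": user_sees,
        "kernel_sysvar": m.fetch_m1(0xCF, 0),       # RST 08h: the OS reads the real value
        "zero_page_write_ok": m.write(0x0066, 0),
        "kernel_after": m.kernel,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running `demo()` shows the properties the captions claim: the user's write to port 98h reaches port 80h and nothing else, an access with no translation reaches no device at all, the user program sees a scratch page instead of the real system variables and cannot write zero page, and after every trap or RST the flip-flop is clear again. The order of operations in `out()` for the reset port matters: the user map must be loaded while the flip-flop is still set, because the mapper port is itself protected by the circuit.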
Info
Channel: Andy Hu
Views: 708,255
Id: DLSUAVPKeYk
Length: 16min 7sec (967 seconds)
Published: Mon Oct 03 2022