Motorola M680x support is incomplete #5933

@notxvilka

Motorola 680x (8-bit) Family — Complete ISA Variant Map for Disassembler Implementation

All variants descend from the Motorola 6800 (1974). They share a von Neumann, memory-mapped I/O philosophy, but have diverged into several distinct ISA branches. This is the family handled by M680X in Capstone — completely separate from the 16/32-bit M68K/680x0 lineage (which only shares the "68" naming convention) 1.


Part 1: ISA Variant Tree

M6800 (1974) ─── base ISA, 72 instructions, 7 addressing modes
├── M6802 / M6808(original) ─── ISA-identical to 6800 (HW differences only)
├── M6801 / M6803 ─── superset of 6800 (adds MUL, D accumulator, ADDD, SUBD, LDD/STD, ABX, PSHX/PULX)
│   ├── HD6301 (Hitachi) ─── superset of 6801 (adds XGDX, SLP, AIM/OIM/EIM/TIM bit-manipulation)
│   ├── M68HC11 ─── superset of 6801 (adds Y index reg, IDIV, FDIV, XGDY, BSET/BCLR/BRSET/BRCLR, CPD...)
│   │   ├── M68HC12 / CPU12 ─── 16-bit successor; mostly source-compatible with HC11
│   │   │   ├── HCS12 / CPU12X ─── enhanced CPU12 (global addressing, TMP regs, extended MOVB/MOVW)
│   │   │   └── S12Z ─── **complete ISA redesign**, variable-length 1–11 byte insns, NOT binary-compatible
│   │   └── 68HC16 / CPU16 ─── 16-bit extension of HC11 with 20-bit addressing (rare)
│   └── 68300 / CPU32 ─── blended into 68000-style 16/32-bit (out of scope for M680X)
├── M6805 / M68HC05 ─── **reduced** 8-bit core; single accumulator A, 8-bit X, no B/D registers
│   ├── M68HC08 (HC08) ─── enhanced HC05; 16-bit H:X index, adds MOV, CBEQ, DBNZ, DIV, MUL, NSA, DAA,
│   │                       SP-relative addressing
│   │   └── HCS08 / S08 (Freescale) ─── slight extension of HC08 (adds BGND debug instruction)
│   └── RS08 (Freescale) ─── **ultra-reduced** subset; ~30 instructions, no index register, no stack
└── M6809 ─── **advanced redesign**; two stacks (U, S), DP register, powerful indexed modes, position-independent
    └── HD6309 (Hitachi) ─── superset of 6809 (adds E, F, W, V registers; TFM, DIVD/DIVQ, MULD, native mode)

Part 2: Detailed ISA Differences

2.1 Main Line (6800 → 6801 → HC11 → HC12)

M6800 (1974) — The Root

  • Registers: A (8-bit), B (8-bit), X (16-bit index), SP (16-bit), PC (16-bit), CCR (6 flags: H, I, N, Z, V, C)
  • 72 instructions, 197 opcodes total
  • Addressing modes (7): Inherent, Immediate, Direct (8-bit addr), Extended (16-bit addr), Indexed (X + 8-bit unsigned offset), Relative (branches), Accumulator 2
  • Key instructions: LDAA/LDAB/STAA/STAB, ADDA/ADDB/SUBA/SUBB, ABA, CBA, CMPA/CMPB, ANDA/ANDB/ORAA/ORAB/EORA/EORB, ASL/ASR/LSR/ROL/ROR, BRA/BCC/BCS/BEQ/BNE/BMI/BPL/BVS/BVC/BGE/BGT/BLE/BLT/BHI/BLS, BSR/JSR/RTS, DAA, PSHA/PSHB/PULA/PULB, TAB/TBA/TAP/TPA/TSX/TXS, SWI/RTI/WAI, NOP, INC/DEC/CLR/NEG/COM/TST (memory and accumulator), INX/DEX/CPX

M6802 / Original M6808

  • ISA-identical to M6800. Only hardware differences (on-chip oscillator, RAM). The original "6808" chip has nothing to do with the later 68HC08 family.

M6801 / M6803 (1978)

  • Strict superset of M6800
  • New register: D = A:B concatenated as a 16-bit accumulator
  • New instructions (~10 added):
    • MUL (A × B → D, unsigned)
    • ABX (B + X → X)
    • ADDD, SUBD (16-bit add/subtract on D)
    • LDD, STD (load/store D)
    • PSHX, PULX (push/pull X)
    • JSR direct (direct addressing mode for JSR, not available on 6800)
    • BRN (branch never — useful as 2-byte NOP)
    • LSRD (logical shift right D)
  • M6803 is ISA-identical to M6801 (reduced pin count variant)

HD6301 (Hitachi, ~1983)

  • Strict superset of M6801
  • New instructions:
    • XGDX — exchange D and X registers
    • SLP — sleep / low-power halt
    • Bit manipulation on memory: AIM (AND immediate to memory), OIM (OR immediate to memory), EIM (EOR immediate to memory), TIM (test immediate against memory) — these use a unique addressing mode (immediate + indexed/direct)
  • These bit manipulation instructions are notable because they perform read-modify-write atomically on memory

M68HC11 (1984)

  • Superset of M6801, most significant enhancement in the main line
  • New register: Y (16-bit index register), expanding indexed addressing significantly
  • CCR extended to 8 bits (adds X = XIRQ mask, S = STOP disable)
  • New instructions (~30+ added) 3:
    • IDIV (16÷16 integer divide, D/X → X quotient, D remainder)
    • FDIV (16÷16 fractional divide)
    • XGDX, XGDY (exchange D with X or Y)
    • CPD (compare D, 16-bit)
    • ABY (B + Y → Y)
    • BSET, BCLR (bit set/clear in memory using mask)
    • BRSET, BRCLR (branch if bits set/clear in memory)
    • All Y-indexed variants of existing instructions (INY, DEY, CPY, LDY, STY, etc.)
    • STOP (stop all clocks)
  • Encoding: uses page prefixes $18 (page 2), $1A (page 3), $CD (page 4) to access Y-register and extended opcodes. This means many Y-indexed instructions are simply the X-indexed opcode preceded by $18
  • Still 64 KB address space

M68HC12 / CPU12 (~1996)

  • 16-bit MCU, mostly source-compatible with HC11 but not binary-compatible 4
  • Same programmer-visible registers as HC11 (A, B, D, X, Y, SP, PC, CCR)
  • Completely re-encoded instruction set — denser, more orthogonal
  • Major ISA additions:
    • Fuzzy logic: MEM (membership function), REV/REVW (rule evaluation), WAV (weighted average)
    • Loop primitives: DBEQ, DBNE (decrement and branch), IBEQ, IBNE (increment and branch), TBEQ, TBNE (test and branch)
    • Table interpolation: TBL, ETBL
    • Min/Max: MINA, MINM, MAXA, MAXM, EMIND, EMAXD (also with 16-bit variants)
    • Block moves: MOVB, MOVW (byte/word memory-to-memory)
    • Multiply-accumulate: EMACS (16×16→32 signed multiply-accumulate to memory)
    • Long branches for all conditions (16-bit relative offset)
    • CALL/RTC for banked memory subroutine calls
    • LEAS, LEAX, LEAY (load effective address)
    • EXG, TFR (exchange/transfer any register to any register — 6809-like)
    • SEX (sign extend, 8→16)
  • Enhanced addressing modes:
    • Constant offset: 5-bit, 9-bit, or 16-bit signed
    • Auto pre/post increment/decrement by 1–8
    • Accumulator offset (A, B, or D added to X, Y, SP, or PC)
    • Indirect indexed: [D,X], [16-bit,X], etc.
  • Some HC11 instructions removed or changed: e.g., IDIV/FDIV replaced by EDIV/EDIVS

HCS12 / CPU12X

  • Extension of CPU12, not a new ISA — adds:
    • Global addressing beyond 64 KB (paged access made more transparent)
    • Internal temporary registers TMP1, TMP2 become architecturally visible
    • Enhanced MOVB/MOVW forms
    • Additional transfer modes
  • Often treated as the same ISA as CPU12 with minor extensions

S12Z (Freescale)

  • Complete ISA redesign — shares conceptual heritage but is NOT binary-compatible with CPU12/HCS12
  • Variable-length instructions: 1 to 11 bytes
  • New register file: D0–D7 (each can be 8/16/24/32 bits), X, Y, S, PC, CCR
  • 24-bit linear addressing (no banking)
  • New OPR addressing system with encoded operand descriptors
  • Entirely new opcode map — requires a completely separate decoder

68HC16 / CPU16

  • 16-bit extension of HC11 with 20-bit addressing (1 MB address space)
  • Adds a few MAC/DSP-like instructions
  • Rare, used in some automotive/industrial controllers
  • Separate from the CPU12 lineage

2.2 Reduced Branch (6805 → HC05 → HC08 → HCS08 / RS08)

M6805 / M68HC05

  • Reduced ISA derived from 6800, targeting low-cost embedded 5
  • Registers: A (8-bit) only, X (8-bit index — reduced from 16-bit!), SP (limited), PC, CCR
  • No B accumulator, no D register
  • Key differences from 6800:
    • Simpler instruction encoding, generally shorter instructions
    • Bit manipulation: BSET n, BCLR n (set/clear bit n in direct-page memory), BRSET n, BRCLR n (branch if bit n set/clear)
    • MUL (A × X → A:X)
    • WAIT, STOP (low-power modes)
    • No 16-bit arithmetic (no ADDD, SUBD, etc.)
    • Limited indexed addressing (X + 8-bit offset, X + 0 offset, or X + 16-bit offset)
  • ~60 base instructions
  • 64-byte stack (hardcoded location in some variants)

M68HC08 (HC08)

  • Strict superset of HC05 — all HC05 binaries run unmodified 6
  • Key enhancements:
    • H:X — the hidden H register extends X to 16-bit (H is the high byte), enabling 16-bit indexed addressing
    • SP-relative addressing — new addressing modes using SP + 8-bit or SP + 16-bit offset (crucial for C compilers)
    • Indexed with post-increment: for efficient block operations
  • New instructions (~20+):
    • MOV (memory-to-memory move — direct↔direct, imm→direct, ix+→direct, direct→ix+)
    • CBEQ (compare and branch if equal — very useful for search/match)
    • DBNZ (decrement and branch if not zero — loop primitive)
    • DIV (H:A ÷ X → A quotient, H remainder)
    • MUL (same as HC05 but formalized)
    • NSA (nibble swap accumulator — swap upper/lower nibbles of A)
    • DAA (decimal adjust accumulator)
    • LDHX, STHX (load/store H:X as 16-bit)
    • CPHX (compare H:X, 16-bit)
    • AIS (add immediate to SP), AIX (add immediate to H:X)
    • TAP, TPA (transfer A to/from CCR)
    • CLRH (clear H register)
    • PSHH, PULH (push/pull H)

HCS08 / S08 (Freescale — same thing, different names)

  • Tiny extension of HC08 7:
    • Adds BGND instruction (enter background debug mode)
    • Everything else ISA-identical to HC08
  • "S08" and "HCS08" are interchangeable names — "S08" is the marketing name, "HCS08" is the technical designation
  • Replaced the HC05 and HC08 families for new designs

RS08 (Freescale)

  • Ultra-reduced architecture — NOT a superset or subset of HC05/HC08 in binary terms
  • ~30 instructions with unique encoding
  • Registers: A (8-bit), one shadow register pair (SPC — Shadow PC) for pseudo-subroutines
  • No index register — memory access is through paging/windowing
  • No hardware stack — uses SHA/SLA (swap high/low address of PC with shadow) for call/return
  • Tiny address space (typically 0–63 bytes "tiny" area, paged access to rest)
  • Addressing modes: Tiny (6-bit address), Short (partial direct), Direct (8-bit), Immediate
  • Designed for absolute minimum gate count MCUs
  • Unique opcode map — completely incompatible with everything else

2.3 Advanced Redesign Branch (6809 → HD6309)

M6809 (1978)

  • Major architectural redesign — not a simple superset of 6800 8
  • Source-level concepts are similar but instruction encoding is completely different from 6800/6801
  • Registers: A, B, D(=A:B), X (16), Y (16), U (user stack pointer), S (system stack pointer), DP (direct page register), PC, CCR
  • Key ISA features:
    • Two stack pointers (U and S) — allows true reentrant code, nested interrupts
    • Direct page register (DP) — the 8-bit DP selects which 256-byte page is used for direct addressing (6800 hardcoded page 0)
    • Position-independent code — PC-relative addressing modes, long relative branches
    • EXG/TFR — exchange or transfer between any pair of equal-sized registers
    • PSHS/PULS/PSHU/PULU — push/pull with register mask (any combination of registers)
    • LEA — load effective address (LEAX, LEAY, LEAS, LEAU)
    • MUL (A × B → D, unsigned)
    • SEX (sign-extend B → D)
    • CWAI (clear CCR bits and wait for interrupt — atomic)
    • SYNC (synchronize to interrupt)
    • Long branches for all conditions (16-bit relative offset)
  • Advanced indexed addressing modes:
    • Constant offset: 0, 5-bit, 8-bit, 16-bit signed from X/Y/U/S
    • Accumulator offset: A, B, or D offset from X/Y/U/S
    • Auto increment by 1 or 2 / auto decrement by 1 or 2
    • PC-relative: 8-bit or 16-bit offset
    • Indirect variants of most of the above: [offset,X], [D,X], [address], [offset,PC]
  • ~59 base mnemonics but many more effective opcodes via page prefixes ($10, $11)

HD6309 (Hitachi, ~1988)

  • Strict superset of 6809 — undocumented by Hitachi, reverse-engineered by community 9
  • New registers: E (8-bit), F (8-bit), W (= E:F, 16-bit), V (16-bit), Q (= D:W, 32-bit), MD (mode register)
  • Native mode (set via MD register): changes cycle timing, some instructions become faster
  • New instructions (~30+):
    • Block transfers: TFM in 4 modes (r+,r+ / r-,r- / r+,r0 / r0,r+) — hardware-accelerated memory copy/fill
    • 32-bit multiply: MULD (D × W → Q, signed)
    • Division: DIVD (D ÷ r8 → B quotient, A remainder), DIVQ (Q ÷ r16 → D quotient, W remainder)
    • SEXW (sign-extend W → Q)
    • Register-to-register ALU: ADDR, ADCR, SUBR, SBCR, ANDR, ORR, EORR, CMPR — operate between any two registers
    • Bit manipulation on memory: AIM, OIM, EIM, TIM (same mnemonics as HD6301)
    • LDMD, BITMD (load/test mode register)
    • PSHSW, PULSW, PSHUW, PULUW (push/pull W register)
    • NEGD, COMD, DECD, INCD, TSTD, CLRD (and W variants)
    • Various load/store/compare for E, F, W, Q, V

Part 3: Summary — Where Do the Specific MCUs Fit?

| MCU Family | Branch | ISA Base | Key Facts |
|---|---|---|---|
| 68HC05 | 6805 reduced branch | Reduced 6800 | Single acc. (A), 8-bit X, no B/D. Bit manipulation. Legacy, replaced by HC(S)08 5 |
| 68HC08 | 6805 reduced branch | HC05 superset | 16-bit H:X, MOV/CBEQ/DBNZ/DIV/MUL/NSA, SP-relative addressing. Fully code-compatible with HC05 6 |
| HCS08 / S08 | 6805 reduced branch | HC08 superset | Adds only BGND. "S08" = "HCS08" (same thing). Current production family 7 |
| RS08 | 6805 reduced branch (extreme) | Unique ultra-minimal | ~30 insns, no index reg, no stack. Unique encoding. NOT binary-compatible with HC05/HC08 |
| 68HC11 | 6801 main line | 6801 superset | Adds Y register, IDIV, FDIV, bit manipulation. Very widely used 3 |
| 68HC12 | 6801 main line | HC11 successor | 16-bit MCU. Re-encoded ISA. Fuzzy logic, loop primitives, enhanced addressing. Mostly source-compatible with HC11 4 |

ISA Compatibility Chains

  • 6800 → 6801 → HD6301 (strict binary supersets)
  • 6800 → 6801 → HC11 (strict binary superset)
  • HC11 → HC12 (mostly source-compatible, NOT binary-compatible — completely re-encoded)
  • 6805 → HC05 → HC08 → HCS08 (strict binary supersets within this sub-branch)
  • RS08 — dead-end reduction with unique encoding
  • 6809 → HD6309 (strict binary superset)
  • The 6809 is NOT binary-compatible with the 6800/6801 despite conceptual similarity

Part 4: Analysis of Capstone & Rizin Implementation

What Capstone M680X Currently Supports

Based on the include files in capstone/arch/M680X/:

| File | ISA Variant |
|---|---|
| m6800.inc | Motorola 6800 |
| m6801.inc | Motorola 6801 |
| m6805.inc | Motorola 68HC05 |
| m6808.inc | Motorola 68HC08 |
| m6809.inc | Motorola 6809 |
| m6811.inc | Motorola 68HC11 |
| cpu12.inc | Motorola 68HC12/HCS12 (CPU12) |
| hcs08.inc | Freescale HCS08 (S08) |
| hd6301.inc | Hitachi HD6301 |
| hd6309.inc | Hitachi HD6309 |

Total: 10 CPU modes

What Rizin Exposes

The asm_m680x_cs.c file lists the same ten CPU modes:

6800, 6801, 6805, 6808, 6809, 6811, cpu12, 6301, 6309, hcs08

The analysis_m680x_cs.c provides IL/analysis lifting for these same modes.

What Is Missing (and Should Be Implemented)

High Priority — Distinct ISAs with No Current Support

| Missing ISA | Why It Matters | Implementation Effort |
|---|---|---|
| Freescale RS08 | Completely unique encoding (~30 insns). Used in many ultra-low-cost NXP MCUs. Cannot be decoded by any existing M680X mode. | Medium — small instruction set but needs entirely new opcode tables |
| HCS12X / CPU12X | Distinct from CPU12 — adds global addressing, TMP1/TMP2 registers, extended instructions. No CPU12X table exists in Capstone despite code comments referencing it. | Medium — incremental extension of CPU12 tables |
| Freescale S12Z | Entirely different ISA — variable-length instructions (1–11 bytes), new opcode map, OPR addressing, 24-bit linear addressing. Binary-incompatible with CPU12. Widely used in NXP automotive MCUs. | High — completely new decoder needed; cannot reuse M680X infrastructure easily |
| 68HC16 / CPU16 | 16-bit extension of HC11 with 20-bit addressing. Rare but architecturally distinct. Used in some automotive/industrial applications. | Medium — extends HC11 model with new opcodes and addressing |

Medium Priority — Refinements and Correctness

| Issue | Details |
|---|---|
| CPU12 vs. HCS12 differentiation | The current cpu12.inc likely covers base CPU12 but may not include HCS12-specific enhancements. These should either be unified with documentation or split. |
| 6803 explicit alias | ISA-identical to 6801 — adding a named alias improves user discoverability |
| 6802 / original-6808 aliases | ISA-identical to 6800 — having aliases prevents confusion. Currently "6808" mode maps to HC08, which is extremely misleading since the original M6808 chip is an ISA-identical variant of M6800. |
| Naming/description bug in Rizin | The asm_m680x_cs.c description for "6808" reads "Motorola 6808: Variant of the 6800 microprocessor" — this is factually incorrect for what the mode actually does (it disassembles HC08 code). Should read "Motorola 68HC08" or similar. |

Rizin-Specific Gaps

| Gap | Details |
|---|---|
| IL/ESIL lifting completeness | The analysis_m680x_cs.c maps Capstone opcodes to IL operations. Completeness should be audited especially for: HC08-specific instructions (MOV, CBEQ, DBNZ, NSA, DIV, AIS, AIX), CPU12 fuzzy logic ops (MEM, REV, REVW, WAV), CPU12 loop primitives (DBEQ, DBNE, IBEQ, IBNE), HD6309 extended ops (TFM, DIVD, DIVQ, MULD, register-to-register ALU). Any unlifted instruction will silently produce incorrect analysis. |
| RS08 completely absent | Neither disassembly nor analysis. Would need a new Capstone CPU type first. |
| S12Z completely absent | Would likely need an entirely new architecture module rather than a new M680X mode, due to the radically different encoding. |
| No differentiation of addressing mode semantics | Some modes (e.g., HC08 SP-relative, CPU12 indirect indexed) have unique semantics that affect analysis. These should be verified in the analysis plugin. |

Recommended Actions (Priority Order)

  1. Fix the "6808" naming/description in Rizin — it currently describes the original M6808 but the Capstone mode is HC08. This is actively misleading to users.
  2. Add CPU aliases for 6802, 6803, original-6808 (mapping to 6800, 6801, 6800 respectively) to eliminate confusion and improve UX.
  3. Add RS08 as a new Capstone CPU type — small ISA, entirely new opcode table, but bounded effort.
  4. Add CPU12X/HCS12X as an extension of CPU12 — incremental work.
  5. Audit IL/analysis lifting for all 10 existing modes — particularly HC08-specific and CPU12-specific instructions.
  6. Add S12Z as a new architecture — significant effort, may warrant a separate M6S12Z arch rather than fitting into M680X.
  7. Consider 68HC16/CPU16 for completeness — niche but distinct.

References:

  1. Motorola 6800
  2. Motorola 6800
  3. Motorola 68HC11
  4. Motorola 68HC12 - Wikipedia
  5. Motorola 68HC05 - Wikipedia
  6. Motorola 68HC08
  7. Motorola S08
  8. Motorola 6809 - Wikipedia
  9. cpu-collection.de >> by Class >> 680x
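
Added example, not part of the issue and not Capstone or Rizin code: a minimal C sketch of the HC11 page-prefix scheme described in section 2.1 ($18, $1A, $CD), including the bounds check a decoder needs when a firmware image ends on a prefix byte. The helper name `hc11_opcode_bytes` and the six-entry table are hypothetical; the opcode values are taken from the standard HC11 opcode map.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode page selected by the HC11 prefix bytes named in the issue. */
enum hc11_page { PAGE1 = 1, PAGE2, PAGE3, PAGE4 };

/* Constructed sample: six page-1 opcodes and their $18-prefixed Y twins.
 * Not Capstone's m6811.inc table. */
struct xy_pair { uint8_t op; const char *x_form; const char *y_form; };
static const struct xy_pair XY[] = {
    { 0x08, "inx",      "iny"      },
    { 0x09, "dex",      "dey"      },
    { 0x3A, "abx",      "aby"      },
    { 0x8F, "xgdx",     "xgdy"     },
    { 0xA6, "ldaa n,x", "ldaa n,y" },
    { 0xEE, "ldx n,x",  "ldy n,y"  },
};

/* Hypothetical helper: returns the number of prefix+opcode bytes (1 or 2),
 * or 0 when the buffer is empty or ends on a prefix byte. Operand bytes are
 * not counted. *name is "?" for anything outside the sample table. */
size_t hc11_opcode_bytes(const uint8_t *buf, size_t len,
                         enum hc11_page *page, const char **name)
{
    size_t pos = 0;
    *page = PAGE1;
    *name = "?";
    if (len == 0)
        return 0;
    switch (buf[0]) {
    case 0x18: *page = PAGE2; pos = 1; break;
    case 0x1A: *page = PAGE3; pos = 1; break;
    case 0xCD: *page = PAGE4; pos = 1; break;
    default: break;
    }
    if (pos >= len)
        return 0; /* truncated: never read past the prefix */
    if (*page == PAGE1 || *page == PAGE2)
        for (size_t i = 0; i < sizeof XY / sizeof XY[0]; i++)
            if (XY[i].op == buf[pos])
                *name = (*page == PAGE1) ? XY[i].x_form : XY[i].y_form;
    return pos + 1;
}

int main(void)
{
    /* Constructed byte string, inherent opcodes only: inx, iny, xgdy,
     * then a lone $18 prefix at the end of the buffer. */
    const uint8_t code[] = { 0x08, 0x18, 0x08, 0x18, 0x8F, 0x18 };
    size_t off = 0, n;
    enum hc11_page page;
    const char *name;
    while ((n = hc11_opcode_bytes(code + off, sizeof code - off, &page, &name))) {
        printf("+%zu page %d %s\n", off, (int)page, name);
        off += n;
    }
    if (off < sizeof code)
        puts("truncated instruction at end of buffer");
    return 0;
}
```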
