On this page

Command Reference

HiZ> i

This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:
(1) this device may not cause harmful interference, and 
(2) this device must accept any interference received, including interference that may cause undesired operation.

Bus Pirate 5 REV10
https://BusPirate.com/
Firmware main branch @ unknown (May 20 2025 16:04:21)
RP2040 with 264KB RAM, 128Mbit FLASH
S/N: 3317570B33CC62E4
Storage:   0.10GB (FAT16 File System)

Configuration file: Loaded
Active binmode: SUMP logic analyzer
Available modes: HiZ 1WIRE UART HDUART I2C SPI 2WIRE 3WIRE DIO LED INFRARED JTAG
Active mode: HiZ

Display format: Auto

HiZ>

The Bus Pirate is a versatile debugging and development tool for working with various communication protocols like I2C, SPI, UART, and more. It acts as a bridge between a computer and embedded devices, allowing users to talk to chips without writing code. It is especially useful for prototyping, testing, and reverse engineering hardware.

info

It’s always best to use the latest firmware. There are continuous improvements and new features. See the upgrade guide for the simple drag and drop update process.

User terminal

Connect to the Bus Pirate command line with your favorite serial terminal software. On Windows we like the latest version of Tera Term.

info

Talk to the Bus Pirate from a serial terminal of your choice. The serial port is emulated over USB, so the serial port speed setting should not matter. It is traditional to use “115200bps, 8/N/1” if you need configure your terminal, but it should not actually matter.

VT100 terminal emulation

VT100 compatible color mode? (Y/n)>

Press enter to show the command prompt if your terminal is blank.

If the Bus Pirate has just restarted you will be prompted to choose the terminal emulation mode.

VT100 mode - Supports color and a live view statusbar at the bottom of the terminal. This should be your first choice unless you specifically need the legacy ASCII mode.
ASCII mode - Legacy monochrome text only mode.

The terminal mode can be changed from the configuration menu. Open the configuration menu with the c command followed by enter.

info

If you choose VT100 mode and see lots of garbage characters in the terminal, check that your terminal emulator has VT100 support and that VT100 support is enabled.

Command line

HiZ>

The Bus Pirate has a simple Linux-like command line interface. Enter a command followed by optional parameters and then press enter to execute.

HiZ mode

The Bus Pirate always starts in high impedance mode (HiZ), a safe mode with all outputs disabled. HiZ mode intends to protect any connected devices from conditions beyond their specifications. From the HiZ prompt, a bus mode can be selected to use a specific protocol with the m mode command.

Terminal control

Keyboard Key	Action
`left arrow`	Moves the cursor left one character
`right arrow`	Moves the cursor right one character
`up arrow`	Copies the previous command in the command history buffer to the command line
`down arrow`	Copies the next command in the command history buffer to the command line
`home`	Moves the cursor to the beginning of the line
`end`	Moves the cursor to the end of the line
`backspace`	Erases the character to the left of the cursor and moves the cursor left one character
`delete`	Erases the character under (or to the right of) the cursor and moves the cursor left one character

The terminal understands some common control keys. Left and right move the cursor, up and down scroll through the command history. Home and end move the cursor to the beginning or end of the line. Backspace and delete erase characters.

Default options

HiZ> m i2c

Mode: I2C
I2C speed
 1kHz to 1000kHz
 x. Exit
kHz (400kHz*) > 
Clock stretching
 1. OFF*
 2. ON
 x. Exit
OFF (1) > 
I2C>

Most prompts have a default value shown in ( ) or marked with *, and the option to exit without making changes.

Press enter to select the default option.
Press x followed by enter to exit a menu without changes.

Saved options

HiZ> m i2c

Mode: I2C

Use previous settings?
 I2C speed: 400 kHz
 Clock stretching: OFF 

y/n, x to exit (Y) > y

I2C>

Many options will be saved to flash storage. You will be prompted to reloaded previous settings the next time.

Getting help

The latest help for commands and modes is available in the help menu. This will always be more up to date than the documentation you’re currently reading.

? or help - show the help menu with all available commands and options.
help mode or ? mode - show the help menu with all available commands and options for the current mode.
<command> -h - show command specific help. For example, W -h shows help for the W command.

Global command list

Bpv52-help

? or help - show the help menu with all available commands and options.

Mode help

INFRARED-(RAW)> help mode

INFRARED mode commands:
test	Test IR RX/TX Toy plank
tvbgone	TV-B-Gone, turn off many brands of TV
irtx	Transmit IR signals (aIR format)
irrx	Receive, record, retransmit IR signals (aIR format)

INFRARED-(RAW)>

help mode or ? mode - show the help menu with all available commands and options for the current mode.

Command help

I2C> W -h
usage:
w|W	<v> <i>
Disable: w
Enable, with menu: W
Enable 5v, 50mA limit: W 5 50
Enable 3.3v, 300mA default limit: W 3.3
Enable 3.3v, no limit: W 3.3 0

onboard power supply with programmable fuse
w	Disable onboard power supply
W	Enable onboard power supply, show configuration menu
<v>	Voltage, 0.8-5.0volts
<i>	Current limit, 0-500mA

I2C>

<command> -h - show command specific help. For example, W -h shows help for the W command.

Configuration

Command	Description
`i`	Version information
`c`	Configuration options menu
`m`	Set bus mode
`l`/`L`	Set MSB/LSB first
`o`	Data output display format
`d`	Display mode
`~`	Self-test
`reboot`	Reboot the Bus Pirate
`$`	Jump to bootloader for updates
`cls`	Clear and redraw terminal
`ovrclk`	Overclock the CPU

`i` Version information

HiZ> i

This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:
(1) this device may not cause harmful interference, and 
(2) this device must accept any interference received, including interference that may cause undesired operation.

Bus Pirate 5 REV10
https://BusPirate.com/
Firmware main branch @ unknown (May 20 2025 16:04:21)
RP2040 with 264KB RAM, 128Mbit FLASH
S/N: 3317570B33CC62E4
Storage:   0.10GB (FAT16 File System)

Configuration file: Loaded
Active binmode: SUMP logic analyzer
Available modes: HiZ 1WIRE UART HDUART I2C SPI 2WIRE 3WIRE DIO LED INFRARED JTAG
Active mode: HiZ

Display format: Auto

HiZ>

Display the hardware, firmware, and microcontroller version information. If a mode is selected, additional information about the mode is displayed.

i - show the current version information.

`c` Configuration options menu

HiZ> c

Configuration options
 1. Language / Jezik / Lingua / 语言
 2. ANSI color mode
 3. ANSI toolbar mode
 4. LCD screensaver
 5. LED effect
 6. LED color
 7. LED brightness
 x. Exit
 > x

Configuration file: Saved

HiZ>

Configure language, LED effects, terminal output and other options. On exit settings are saved to bpconfig.bp on the Bus Pirate flash storage.

c - show the configuration menu.
x - exit the configuration menu and save the current settings to flash storage.

`m` Set bus mode

I2C> m

Mode selection
 1. HiZ
 2. 1WIRE
 3. UART
 4. HDUART
 5. I2C
 6. SPI
 7. 2WIRE
 8. 3WIRE
 9. DIO
 10. LED
 11. INFRARED
 12. JTAG
 x. Exit
Mode > 1
Mode: HiZ
HiZ>

The Bus Pirate starts in HiZ mode, a safe mode with all outputs disabled. The m command selects a bus mode. The Bus Pirate supports many different protocols, including I2C, SPI, UART, 1-Wire, and more. Each protocol has its own set of commands and options.

m - show the bus mode menu and change modes.

I2C> m hiz

Mode: HiZ
HiZ>

An optional mode parameter can be specified to skip the mode menu. For example, m i2c selects I2C mode.

m <mode> - change bus mode without showing the menu.

`l/L` Set MSB/LSB first

2WIRE> l
Bitorder: MSB 0b10000000
2WIRE> L
Bitorder: LSB 0b00000001
2WIRE>

The l/L commands determine the bit order for reading and writing bytes.

l - most significant bit (MSB) first. This is the default setting.
L - least significant bit (LSB) first.

info

The current bit order configuration is displayed on the extended information screen using the i command while in a mode other than HiZ.

`o` Data output display format

2WIRE> o

Number display format
 Current setting: Auto
 1. Auto
 2. HEX
 3. DEC
 4. BIN
 5. ASCII
 x. Exit
Mode > 1
Mode: Auto
2WIRE>

The Bus Pirate can display values as hexadecimal, decimal, binary and raw ASCII bytes.

Auto display mode mirrors input formatting. Each value is displayed in the HEX/DEC/BIN format entered.

Change the setting in the data display format menu with the o command. The default display format is Auto.

o - show the data display format menu.

info

The current display format is shown on the extended information screen using the i command while in a mode other than HiZ.

`d` Display mode

HiZ> d
Display selection
 1. Default
 2. Scope
 x. Exit
Display > 2
Display: Scope

d selects the LCD display mode.

Default: Pin labels and voltage
Scope: Oscilloscope mode

`~` Self-test

HiZ> ~
SELF TEST STARTING
DISABLE IRQ: OK
ADC SUBSYSTEM: VUSB  5.08V OK
DAC READ/WRITE: OK
FLASH STORAGE: OK
PSU ENABLE: OK
BIO FLOAT TEST (SHOULD BE 0/0.2V)
BIO0 FLOAT: 0/0.04V OK
BIO1 FLOAT: 0/0.04V OK
BIO2 FLOAT: 0/0.04V OK
BIO3 FLOAT: 0/0.04V OK
BIO4 FLOAT: 0/0.04V OK
BIO5 FLOAT: 0/0.04V OK
BIO6 FLOAT: 0/0.04V OK
BIO7 FLOAT: 0/0.04V OK
BIO HIGH TEST (SHOULD BE >3.0V)

Perform a factory self-test. The Bus Pirate is capable of twiddling pins and checking for hardware faults. See the Bus Pirate self-test guide for a complete list of tests and the problems they detect.

~ - run the self-test.

report

Disconnect all wires and devices from the Bus Pirate before running the self-test. Any connected devices may be damaged or cause the test to fail.

info

Self-test is only available in HiZ mode. If you are in a different mode, the Bus Pirate will prompt you to change to HiZ mode before running the test.

`reboot` Reboot

HiZ> reboot

VT100 compatible color mode? (Y/n)>

Reboot the Bus Pirate.

reboot - reboot the Bus Pirate.

info

Depending on your serial terminal software you may need to reconnect to the Bus Pirate serial port. The latest versions of many terminal emulators, such as Tera Term, reconnect automatically.

`$` Jump to bootloader

HiZ> $
Jump to bootloader for firmware upgrades

Bus Pirate 5 REV10
Firmware download:
https://forum.buspirate.com/t/bus-pirate-5-auto-build-main-branch/20/999999
Hardware revision: 10
Firmware file: bus_pirate5_rev10.uf2
A USB disk named "RPI-RP2" will appear
Drag a firmware file to the disk to upgrade
Later Alligator!

Activate the Bus Pirate bootloader for firmware updates. The bootloader appears as a USB disk drive connected to your computer. Drag a .uf2 firmware file into the disk. After an update the Bus Pirate resets. See firmware downloads and upgrade instructions.

$ - jump to bootloader mode.

info

When jumping to bootloader mode, the Bus Pirate displays the hardware version, download link, and the name of the firmware file to use.

`cls` Clear and redraw terminal

HiZ> cls -h
usage:
cls
Clear and refresh the terminal screen: cls
Note: will attempt to detect and initialize VT100 ANSI terminal

HiZ>

cls - clear the screen and redraw the status bar.

Useful when connecting to an already running Bus Pirate with a new terminal window.

`ovrclk` Overclock the CPU

HiZ> ovrclk -h
!!ovrclk is in demonstration mode!!
To enable overclocking, recompile with BP_OVERCLOCK_ENABLED defined

usage:
ovrclk 	[-m <MHz> | -k <kHz>] [-v <core mV>]
Overclock: ovrclk -m 135
Change core voltage: ovrclk -v 1150 (850-1300mV valid)

HiZ>

ovrclk [-m <MHz> | -k <kHz>] [-v <core mV>] - set the CPU clock speed and core voltage.

report

ovrclk is disabled by default. It must be enabled at compile time.

Utilities

Command	Description
`w`/`W`	Power supply (off/ON)
`v`/`V`	Power supply voltage report (once/CONTINUOUS)
`p`/`P`	Pull-up resistors (off/ON)
`g`/`G`	Frequency generator (off/ON)
`f`/`F`	Measure frequency (once/CONTINUOUS)
`=`X	Convert X to HEX/DEC/BIN number format
`\|` X	Reverse bits in byte X
`a`/`A`/`@`	Auxiliary pin control (low/HIGH/input)

`w/W` Power supply (off/ON)

2WIRE> W
Power supply
Volts (0.80V-5.00V)
x to exit (3.30) > 5
Maximum current (1mA-500mA), 0 for unlimited
x to exit (300.00) > 50
5.00V requested, closest value: 5.00V
50.0mA requested, closest value: 50.0mA

Power supply:Enabled
Vreg output: 5.0V, Vref/Vout pin: 5.0V, Current: 2.8mA

2WIRE>

A ‘Programmable Power Supply Unit’ (PPSU) has several handy features:

1-5volts adjustable output
0-500mA current sense
0-500mA current limit with digital fuse
One-way valve to protect the PPSU when an external voltage is applied to the VREF/VOUT pin

Uppercase W enables the onboard power supply unit. You will be prompted for the output voltage and an optional current limit. Default current limit is 300mA, or 0 for no current limit.

W - Enable the power supply unit. Show interactive menu to set voltage and current limit.
W <voltage> <current limit> - Enable the power supply unit with voltage and current limit specified.
W <voltage> - Enable the power supply unit with voltage specified. Current limit is set to 300mA.
w - Disable the power supply unit.

Check the voltage and current in the live view statusbar if active, or show the power supply voltage report using the v command.

When the programmed current limit is exceeded the PPSU hardware fuse disables the power supply. The terminal colors invert repeatedly, an alarm bell will sound, an error message is shown and command execution is halted. Use the W command to restart the PPSU again.

report

300mA is the rated maximum of the PPSU, but we added some headroom in the current limit to account for current spikes.

info

The PPSU is capable of 0.8 to 5volts output. However, the maximum working range is limited to 1-5volts because of the maximum Vgs of the P-channel MOSFET in the one-way valve. Many will be capable of the full range, but some may not. The Bus Pirate IO buffers are only rated to 1.65volts, so in practice this isn’t an issue over the specified working range.

2WIRE> W 5 50
5.00V requested, closest value: 5.00V
50.0mA requested, closest value: 50.0mA

Power supply:Enabled
Vreg output: 5.0V, Vref/Vout pin: 5.0V, Current: 2.5mA

2WIRE>

W <voltage> <current limit> - Set the voltage and current limit. The voltage is in volts, the current limit is in mA. The current limit is optional, if not specified the default is 300mA, or use 0 for no current limit.

2WIRE> w
Power supply: Disabled

2WIRE>

Lowercase w disables the PPSU.

w - Disable the power supply.

`v/V` Power supply voltage report

The voltage report shows the current state of all the Bus Pirate pins and peripherals. This is a duplicate of the information shown on the live view statusbar.

v - Show the power supply voltage report once.
V - Show the power supply voltage report, update continuously. Press any key to exit.

`p/P` Pull-up resistors

I2C> P
Pull-up resistors: Enabled (10K ohms @ 3.3V)

I2C> p
Pull-up resistors: Disabled
I2C>

p and P toggle the pull-up resistors off and on. Pull-up resistors are required for open collector/open drain bus types such as 1-Wire and I2C.

P - Enable the pull-up resistors.
p - Disable the pull-up resistors.

The onboard pull-up resistors are powered through the VREF/VOUT pin of the IO header, either by the onboard power supply or an external voltage applied to the VREF/VOUT pin.

info

A warning is displayed if there’s no voltage on the VREF/VOUT pin. Check the status bar or voltage report v to verify that a voltage is present on VOUT/VREF.

`g/G` Frequency generator

DIO> G
Generate frequency
Choose available pin:
 0. IO0
 1. IO1
 2. IO2
 3. IO3
 4. IO4
 5. IO5
 6. IO6
 7. IO7
 x. Exit
 > 0
Period or frequency (ns, us, ms, Hz, kHz or Mhz) > 12.4khz
Frequency: 12.400kHz = 12400Hz (12.40kHz)
Period: 80645ns (80.65us)

Actual frequency: 12401Hz (12.40kHz)
Actual period: 80640ns (80.64us)

Duty cycle (%) > 35%
Duty cycle: 35.00% = 28224ns (28.22us)
Actual duty cycle: 28227ns (28.23us)
Divider: 16, Period: 10079, Duty: 3528

Generate frequency: Enabled on IO0

DIO>

Uppercase G displays the frequency generation menu. Choose an available pin and enter the period or frequency, including the units (ns, us, ms, Hz, KHz or Mhz). Enter a duty cycle as a percent, don’t forget the %. The Bus Pirate will find the closest match and generate a frequency on the pin.

G - show the frequency generation menu.
g - disable frequency generator, show menu if multiple frequency generators are active.
g <pin> - disable frequency generator on <pin>.

The frequency generator will be displayed in the live view statusbar and on the LCD with the label PWM.

report

Not all pins will be available due to the PWM structure of the Raspberry Pi chip used in the Bus Pirate, and adjacent pairs must share the same frequency.

DIO> g
Disable frequency generation
Choose available pin:
 0. IO0
 2. IO2
 4. IO4
 x. Exit
 > 4
Generate frequency: Disabled on IO4
DIO>

g - disable frequency generator, show menu if multiple frequency generators are active.

DIO> g 0

Generate frequency: Disabled on IO0
DIO>

g <pin> - disable frequency generator on <pin>.

`f/F` Measure frequency

LED-()> F
Frequency measurement
Choose available pin:
 1. IO1
 3. IO3
 5. IO5
 7. IO7
 x. Exit
 > 7
Frequency measurement: Enabled on IO7
Frequency IO7: 12.40KHz 80.65us (12400Hz), Duty cycle: 35.0%

LED-()>

Frequency measurement is available on odd numbered pins (1,3,5,7). A frequency can be sampled once or continuously.

F - show the frequency measurement menu, measure continuously and display in the status bar.
f - Disable continuous frequency measurement, show menu if multiple frequency generators are active.
F <pin> - measure the frequency and duty cycle on pin <pin> continuously. Press any key to exit.
f <pin> - measure the frequency and duty cycle on pin <pin> once.

The frequency will be measured continuously and displayed in the live view statusbar and LCD with the label FREQ.

report

Not all pins will be available due to the PWM structure of the Raspberry Pi chip used in the Bus Pirate, and adjacent pairs share the same PWM slice.

DIO> f
Disable frequency measurement
Choose available pin:
 1. IO1
 3. IO3
 5. IO5
 x. Exit
 > 1
Frequency measurement: Disabled on IO1
DIO>

f - Disable continuous frequency measurement, show menu if multiple frequency generators are active.

LED-()> f 7
Frequency IO7: 12.40KHz 80.65us (12400Hz), Duty cycle: 35.0%
LED-()>

f <pin> - measure the frequency and duty cycle on pin <pin> once.

LED-()> F 7
Press any key to exit
Frequency IO7: 12.40KHz 80.65us (12400Hz), Duty cycle: 35.0%

F <pin> - measure the frequency and duty cycle on pin <pin> continuously. Press any key to exit.

LED-()> f 6
IO6 has no frequency measurement hardware!
Freq. measure is currently only possible on odd pins (1,3,5,7).

Only half of the pins support frequency measurement. The Bus Pirate will warn you if hardware isn’t available. To see which pins are currently available use the F command.

`=X` Convert to HEX/DEC/BIN number format

DIO> = 0b1100
 =0x0C =12 =0b00001100
DIO> = 0x6
 =0x06 =6 =0b00000110
DIO> = 6
 =0x06 =6 =0b00000110
DIO>

Convert between HEX, DEC and BIN number formats easily. Type = followed by a number to see the HEX/DEC/BIN equivalent.

= <number> - Display the HEX/DEC/BIN equivalent of <number>.

info

To change the Bus Pirate output display format see the o command.

`| X` Reverse bits

DIO> | 0b11110000
 | 0x0F | 15 | 0b00001111
DIO>

Reverse bit order of a number. Displays the HEX/DEC/BIN value of the reversed number.

| <number> - Reverse the bits in <number>.

info

To change the Bus Pirate read/write bit order see the l/L command.

`a/A/@` Auxiliary pin control (low/HIGH/read)

DIO> a 1
IO1 set to OUTPUT: 0

DIO> A 1
IO1 set to OUTPUT: 1

DIO> @ 1
IO1 set to INPUT: 0

DIO>

Pins that are not assigned a function can be controlled from the command line.

a <pin> - set IO <pin> low (0V).
A <pin> - set pin X high (VCC).
@ <pin> - set pin X to input (HiZ) and read the pin state. The pin state is reported as 0 or 1.

warning

Pins already assigned a function, such as PWM or mode/protocol pins, cannot be changed with the a/A/@ commands. The Bus Pirate will report an error.

info

Commands a/A/@ are followed by a space and the pin number to control. This is different than syntax a/A/@ which use the a.<pin> notation.

`logic` Logic analyzer control

The logic command configures the logic analyzer core, and can display logic capture graphs directly in the terminal. It supports the “follow along” logic analyzer mode that triggers each time you send data to a bus. It eliminates the need setup triggers and arm a second tool for debugging.

The Bus Pirate can be used as a logic analyzer in multiple ways:

HiZ> logic -h
usage:
logic analyzer usage
logic	[start|stop|hide|show|nav]
	[-i] [-g] [-o oversample] [-f frequency] [-d debug]
start logic analyzer: logic start
stop logic analyzer: logic stop
hide logic analyzer: logic hide
show logic analyzer: logic show
navigate logic analyzer: logic nav
configure logic analyzer: logic -i -o 8 -f 1000000 -d 0
undocumented: set base pin (0=bufdir, 8=bufio) -b: logic -b 8

logic analyzer control
start	start logic analyzer
stop	stop logic analyzer
hide	hide logic graph
show	show logic graph
nav	navigate logic graph with arrow keys, x to exit
-i	show configuration info
-o	set oversample rate, multiplies the sample frequency
-f	set sample frequency in Hz
-0	set character used for low in graph (ex:_)
-1	set character used for high in graph (ex:*)
-d	set debug level: 0-2
-h	Get additional help

HiZ>

Disk Commands

Linux-like commands are used to navigate the flash storage from the Bus Pirate command line.

Command	Description
`ls`	List files and directories
`cd`	Change directory
`mkdir`	Make directory
`rm`	Remove file or directory
`cat`	Print file contents as text
`hex`	Print file contents in HEX
`format`	Format storage disk (FAT16)
`label`	Get or set the disk label
`dump`	Perform multiple reads with the `r` command, save to a file
`image`	Display a bitmap image file on the LCD

These common commands are supported in the firmware as of this update, but always use help or ? to see the latest commands available. Add -h to any command for extended help: hex -h.

`ls` List directory contents

HiZ> ls
        39 bpi2c.bp
0 dirs, 1 files

HiZ>

List the contents of a directory in flash storage.

ls - list the contents of the current directory.
ls <directory> - ls followed by a directory name lists the contents of that directory.

`mkdir` Make directory

HiZ> mkdir test

HiZ> ls
        39 bpi2c.bp
   <DIR>   test
1 dirs, 1 files

HiZ>

Make a new directory at the current location in the flash storage.

mkdir <directory> - create a new directory.

`cd` Change directory

HiZ> cd test
/TEST

HiZ> ls
0 dirs, 0 files

HiZ>

Change directory.

cd <directory> - change to a subdirectory.
cd .. - change to the parent directory.

`rm` Remove file or directory

HiZ> ls
        39 bpi2c.bp
   <DIR>   test
1 dirs, 1 files

HiZ> rm test

HiZ> ls
        39 bpi2c.bp
0 dirs, 1 files

HiZ>

Remove file or directory (if empty).

rm <file | directory> - remove a file or empty directory.

`cat` Print file contents

HiZ> cat bpi2c.bp
{
"baudrate": 400,
"clock_stretch": 0
}

HiZ>

Print the contents of a file.

cat <file>

`hex` Hex dump file

HiZ> hex bpi2c.bp

7b 0a 22 62 61 75 64 72 
61 74 65 22 3a 20 34 30 
30 2c 0a 22 63 6c 6f 63 
6b 5f 73 74 72 65 74 63 
68 22 3a 20 30 0a 7d 

HiZ>

Print the content of a file in hexadecimal format.

hex <file>

`label` Set disk label

HiZ> label set my_pirate

HiZ> label get
disk label: MY_PIRATE
HiZ>

Set and get the disk label.

label set <label> - set the disk label. The label can be up to 11 characters long and must not contain spaces or special characters.
label get - display the current disk label.

`format` Erase and format disk

HiZ> format
Erase the internal storage?
y/n> y
Are you sure?
y/n> y

Formatting...
Format success!
Storage mounted:    0.10 GB FAT16


HiZ>

Erase the internal flash storage and format it with a FAT16 file system. ALL DATA WILL BE LOST!

format - format the entire flash storage, confirm twice. This will erase all files and directories on the disk.

`dump` Dump read data to file

HiZ> dump -h
usage:
dump <bytes> <file>
First, manually setup a read from the device
Then, run this command to read X bytes to a file
Read X bytes to a file: dump 256 example.bin

HiZ>

dump <bytes> <file> - read data using the current mode r bus command and save it to a file.

info

dump is the equivalent of using the r command to read data from a device, but instead of displaying the data on the terminal, it saves it to a file.

This command is useful when you want to save data from a device to a file. While the Bus Pirate has commands to dump many chips, the dump command is a generic read command that can be used with any device.

First, manually send the commands to put the target device in read mode. Then use the dump command to read the data and save it to a file.

`image` Display bitmap image on LCD

HiZ> image -h
usage:
Read BMP info and display image file on LCD
Usage: image <file> [-d] [-h]
Read info: image example.bmp
Draw on display: image example.bmp -d
Read formats: BITMAPINFOHEADER V1 (40Bytes), V2 (52B), V3 (54B)
Draw formats: 16-bit (565) and 24-bit bitmaps, 240x320 pixels
-h	Get additional help

HiZ>

image <file> - shows the header info from ANY recognized BMP format (v1/2/3)
image <file> -d - draw the file content on the LCD. Checks if the file is the correct height/width and a supported pixel format (16bits/565, or 24bit/888)

Load a bitmap image file and display it on the LCD. The Bus Pirate supports BMP format images. The image must be 128x64 pixels in size, and the pixel format must be 16bits/565 or 24bit/888.

Software support

The Bus Pirate has two USB serial ports.

One is used for the command line terminal.
The other supports support software running on a PC (binmode).

“binmode” supports a variety of protocols and software.

SUMP logic analyzer protocol for sigrok/PulseView
Binmode test framework
Arduino CH32V003 SWIO
Follow Along Logic Analyzer protocol for sigrok/PulseView
Legacy Binary Mode for Flashrom and AVRdude
aIR for AnalysIR.

`binmode` Change binary mode

HiZ> binmode

Select binary mode
 1. SUMP logic analyzer
 2. Binmode test framework
 3. Arduino CH32V003 SWIO
 4. Follow along logic analyzer
 5. Legacy Binary Mode for Flashrom and AVRdude (EXPERIMENTAL)
 6. IRMAN IR decoder (LIRC, etc)
 7. AIR capture (AnalysIR, etc)
 x. Exit
 >

Use the binmode command see the currently supported binary modes and to select the active binmode.

PulseView logic analyzer

Two modes are available for the PulseView logic analyzer. The SUMP mode is the default and is compatible with the SUMP protocol. The FALADATA mode is a custom protocol for the Bus Pirate.

AVRdude AVR programmer

The Bus Pirate can serve as a programmer and dumper for AVR chips, using the command-line utility AVRDUDE.

For those who prefer a graphical user interface, AVRDUDESS offers a user-friendly front-end for AVRDUDE. Both tools together provide a powerful setup for working with AVR chips.

Flashrom flash programmer

flashrom.exe --progress -V -c "W25Q64JV-.Q" -p buspirate_spi:dev=COM54,serialspeed=115200,spispeed=1M -r flash_content.bin

The Bus Pirate can serve as a programmer and dumper for flash memory chips, using the command-line utility Flashrom.

Flashrom is a versatile utility for identifying, reading, writing, verifying, and erasing flash chips on a wide range of devices—including mainboards, controller cards, and various programmer modules. It supports hundreds of flash chips, chipsets, and boards.

AnalysIR Infrared remote decoder

Scripting commands

Command	Description
`macro`	Load a set of macros
`script`	Load a set of scripts
`tutorial`	Run a script in tutorial mode
`button`	Assign scripts to the button
`pause`	Pause and wait for user input

warning

Scripting is possible, but still a bit buggy. Scripts can only inject commands into the command line, not prompts or menus. The up arrow (history) will often cause scripts to execute in a loop, it is best avoided.

# Enable power supply
W 3.3 50

This script works, everything is entered on the command line.

# Show power supply menu
W
# Set 3.3 volts
3.3
# Set current limit to 50mA
50

This script does not work. Scripts cannot answer menu prompts.

`macro` Load a set of macros

HiZ> macro -h
usage:
macro <#>
	[-f <file>] [-a] [-l] [-h(elp)]
Load macros: macro -f <file>
List macros: macro -l
Run macro 1: macro 1
Macro 1 help: macro 1 -h
Macro system help: macro -h
List macro files: macro -a

Macro files:
 Macros are stored in text files with the .mcr extension
 Lines starting with '#' are comments
 Lines starting with '#!' are macro usage instructions
 Every macro line includes an id (>0), a separator ':', and bus syntax
Example:
 # This is my example macro file
 #! Read 5 bytes from an I2C EEPROM
 1:[0xa0 0][0xa1 r:5]

HiZ>

`script` Load a set of scripts

HiZ> script -h
usage:
script <file> [-p(ause for <enter>)] [-d (hiDe comments)] [-e(xit on error)] [-h(elp)]
Run script: script example.scr

Script files:
Script files are stored in text files with the .scr extension
Lines starting with '#' are comments
Other lines are inserted into the command prompt
Example:
# This is my example script file
# The 'pause' command waits for any key press
pause
# Did it pause?

HiZ>

`tutorial` Run a script in tutorial mode

HiZ> tutorial -h
usage:
tutorial <file> [-h(elp)]
Run tutorial: tutorial example.tut

Tutorial files:
Tutorial files are stored in text files with the .tut extension
Lines starting with '#' are comments
Other lines are inserted into the command prompt
Example:
# This is my example tutorial file
# The 'pause' command waits for any key press
pause
# Did it pause?

HiZ>

`button` Assign scripts to the button

HiZ> button -h
usage:
button [short|long] [-f <file>] [-d (hiDe comments)] [-e(xit on error)] [-h(elp)]
Assign script file to short button press: button short -f example.scr
Assign script file to long button press: button long -f example.scr
Exit script on error option: button short example.scr -e
Default script files are 'button.scr' and 'buttlong.scr' in the root directory

Assign script file to button press
short	Assign script file to short button press
long	Assign script file to long button press
-f	Script file to assign to button press
-d	Hide comments
-e	Exit script on error
-h	Get additional help

HiZ>

Scripts can be assigned to the Bus Pirate button.

`pause` Pause and wait for user input

HiZ> pause -h
usage:
pause and wait for any key: pause
pause and wait for button press: pause -b
pause and wait for button or any key: pause -b -k
'x' key to exit (e.g. script mode): pause -x

Pause for user input, optional exit
-k	Press any key to continue (default)
-b	Press the Bus Pirate button to continue
-x	'x' key to exit (e.g. script mode)
-h	Get additional help

HiZ>

pause - pause and wait for user input. Press any key to continue.

Pause and wait for user input. Useful for pausing during a script or macro.

Developer commands

Command	Description
`bug`	Replicate a silicon bug
`otpdump`	Dump the OTP memory
`dummy`	Template for new commands

A set of command useful or used during development. These commands are not intended for end users, but are available in the firmware.

`bug` Replicate silicon bugs

HiZ> bug -h
usage:
replicate hardware bugs
Test errata E9: bug e9
-h	Get additional help

HiZ>

bug <errata> - replicate a silicon bug in the Raspberry Pi Chip.

This command is used for testing and debugging purposes.

`otpdump` Dump OTP memory (BP 6+)

HiZ> otpdump -h
Invalid command: otpdump. Type ? for help.
HiZ>

otpdump - dump the OTP memory of the Raspberry Pi chip.

Valid only on RP2350 or later chips with OTP memory (Bus Pirate 6+).

`dummy` New command template

HiZ> dummy -h
usage:
dummy [init|test]
	[-b(utton)] [-i(nteger) <value>] [-f <file>]
Initialize: dummy init
Test: dummy test
Test, require button press: dummy test -b
Integer, value required: dummy -i 123
Create/write/read file: dummy -f dummy.txt
Kitchen sink: dummy test -b -i 123 -f dummy.txt

Dummy commands valid in position 1
init	Dummy init command
test	Dummy test command

Dummy flags
-b	-b require Bus Pirate button to be pushed. Takes no parameters
-i	-i <integer>. Requires integer number parameter
-f	-f <file>. Create/write/read <file>. Requires file string parameter

HiZ>

dummy is a template that demonstrates how to create a new command.

If you want to add a new command to the Bus Pirate firmware, you can use this template as a starting point.

Bus commands

Command	Description	Command	Description
`[`/`{`	Bus START condition	`^`	Clock pin tick
`>`	Execute bus commands (no START)	`/`	Clock pin high
`]`/`}`	Bus STOP condition	`\`	Clock pin low
`r`	Read byte	`-`	Data pin high
`0b01`	Write this binary value	`_`	Data pin low
`0x01`	Write this HEX value	`.`	Read data pin
`0d01`	Write this DEC value
`"abc"`	Write this ASCII string
	Value delimiter
`d`/`D`	Delay (us/ms)
`:`	Repeat command
`.`	Specify bits to read/write
`v.<pin>`	Read voltage on <pin>
`a.<pin>`/`A.<pin>`/`@.<pin>`	Auxillary pin control (low/HIGH/input)

SPI> [0x31 r:5]
CS Select (0)
TX: 0x31
RX: 0x00 0x00 0x00 0x00 0x00
CS Deselect (1)
SPI>

A simple bus commands are used to interact with devices in various protocols. Bus command characters have the same general function in each bus mode, such as r to read a byte of data.

This example sends a bus start, the value 0x31, and then reads 5 bytes, followed by bus stop. Up to 255 characters may be entered into the Bus Pirate terminal at once, press enter to execute the commands.

info

Bus commands must start with [, {, or >.

`[ or {` Bus START condition

SPI> [
CS Select (0)
SPI>

START commands generate a START condition (I2C), a RESET (1-Wire, LED), chip select (SPI) and have similar START type functions in most modes. A line beginning with START is interpreted as bus commands.

[ - send the START condition for the currently selected bus mode.
{ - send the alternate START condition for the currently selected bus mode.

info

Lines beginning with [ and { are interpreted as bus commands, data will be sent to the device in the current protocol selected with the m command.

`>` Execute bus commands (no START)

SPI> > 0x55 0xaa

TX: 0x55 0xAA 
SPI>

If you want to execute bus commands without sending a START, use the > bus command. Lines beginning with > are also executed as bus commands.

> - start a line with > to send bus commands without sending a START condition.

info

The > command is used to send syntax without sending a START command to the bus.

`] or }` Bus STOP condition

SPI> >]
CS Deselect (1)
SPI>

Many protocols have a STOP condition. In various modes ] and } STOPs (I2C), deselects (SPI), or closes (UART).

] - send the STOP condition for the currently selected bus mode.
} - send the alternate STOP condition for the currently selected bus mode.

`r` Read byte

SPI> >r
RX: 0x00
SPI>

r - read a byte from the bus. Use with the repeat command (r:1…255) for bulk reads.

info

The > before r tells the Bus Pirate we want to send bus commands.

`0b01` Write this binary value

SPI> >0b01
TX: 0b00000001
SPI>

Binary values are commonly used in electronics because the 1s and 0s correspond to register ‘switches’ that control various aspects of a device. When used as part of a bus command, the Bus Pirate will write the value in the currently selected bus protocol.

Begin a binary number with 0b, followed by the bits. Padding 0’s are not required, 0b00000001=0b1. Can be used with the repeat command (0b110:1…255) for bulk writes.

0b0 - binary “0”.
0b1 - binary “1”.
0b11111111 - binary “255”.

info

The > before 0b01 tells the Bus Pirate we want to send bus commands.

`0x01` Write this HEX value

SPI> >0x01
TX: 0x01
SPI>

Hexadecimal values are base 16 numbers that use a-f for the numbers 10-15, this format is very common in computers and electronics. When used as part of a bus command, the Bus Pirate will write the value in the currently selected bus protocol.

Begin a hexadecimal number with 0x or 0h, followed by the hex digits. A-F can be lowercase or uppercase letters. Padding 0’s are not required, 0x05=0x5. Hexadecimal numbers can be used with the repeat command (0xff:1…255) for bulk writes.

0x0 - hexadecimal “0”.
0x1 - hexadecimal “1”.
0xff - hexadecimal “255”.

info

The > before 0x01 tells the Bus Pirate we want to send bus commands.

`0-255` Write this decimal value

SPI> >1
TX: 1
SPI>

Any number not started with 0b, 0x or 0h is interpreted as a decimal value. Decimal values are common base 10 numbers. Just enter the value, no special prefix is required. Decimal numbers can be used with the repeat command (10:1…255) for bulk writes.

0 - decimal “0”.
1 - decimal “1”.
255 - decimal “255”.

info

The > before 1 tells the Bus Pirate we want to send bus commands.

`"abc"` Write this ASCII string

SPI> >"abc"
TX: 'a' 0x61 'b' 0x62 'c' 0x63

Characters enclosed in " " are sent to the bus as their ASCII equivalent codes. Useful for writing text strings when programming flash chips, interfacing UARTs, etc.

"abc" - Write the ASCII string “abc” to the bus, equivalent to 0x61 0x62 0x63.

info

The > before "abc" tells the Bus Pirate we want to send bus commands.

`space` Value delimiter

SPI> [1 2 3  rr]
CS Select (0)
TX: 1
TX: 2
TX: 3
RX: 0x00
RX: 0x00
CS Deselect (1)
SPI>

Use a space to separate numbers.

- space is used to separate numbers on the command line.

info

No delimiter is required between non-number commands.

`d/D` Delay 1uS/MS

SPI> >d
Delay: 1us
SPI> >d:10
Delay: 10us
SPI> >D
Delay: 1ms
SPI> >D:10
Delay: 10ms
SPI>

Delay in microseconds or milliseconds. Delays can be extended with the repeat command (d:1…255).

d - delays 1us.
d:10 - delay 10us.
D - delays 1ms.
D:10 - delay 10ms.

info

The > before d tells the Bus Pirate we want to send bus commands.

`:` Repeat (e.g. r:10)

SPI> [ 0x55:2 D:3 r:3]
CS Select (0)
TX: 0x55 0x55
Delay: 2ms
RX: 0x00 0x00 0x00
CS Deselect (1)
SPI>

Many commands can be repeated by adding :, followed by the number of times to repeat. To read five bytes, enter r:5, etc.

0x55:2 - write 0x55 to the bus twice.
D:3 - delay 3ms.
r:3 - read 3 bytes from the bus.

info

Repeat values can also be HEX/DEC/BIN formatted.

`.` Specify number of bits to read/write

SPI> >0x5a.4
TX: 0x0A.4
SPI>

Write/read partial bytes (where enabled by hardware) using the . option. 0x75.4 will write 0x5 (4 bits) to the bus.

SPI> >r.4
RX: 0x05.4
SPI>

Read 4 bits from the bus.

SPI> >0x5432.12
TX: 0x0432.12
SPI>

Write 12 bits of 0x5432 to the bus.

SPI> >0x5a.4:2
TX: 0x0a.4 0x0a.4
SPI>

Partial write/reads can be combined with the repeat command.

`v` Measure voltage

SPI> > v.1 v.2 v.3

Volts on IO1: 3.2V
Volts on IO2: 3.2V
Volts on IO3: 3.2V
SPI>

It is possible to measure the voltage of any IO pin while executing bus commands.

v.<pin> - measure the voltage on IO pin <pin>

info

The > before v.1 v.2 v.3 tells the Bus Pirate we want to send bus commands.

`a/A/@` Auxiliary pin control (low/HIGH/read)

UART> >a.1
IO1 set to OUTPUT: 0

UART> >A.1
IO1 set to OUTPUT: 1

UART> >@.1
IO1 set to INPUT: 0

UART>

Sometimes it’s useful to control IO pins directly when executing bus commands.

a.<pin> - set <pin> low (0V).
A.<pin> - set <pin> high (VCC).
@.<pin> - set <pin> to input (HiZ) and read the pin state. The pin state is reported as 0 or 1.

warning

Pins already assigned a function, such as PWM or mode/protocol pins, cannot be changed with the a/A/@ commands. The Bus Pirate will report an error.

info

Bus commands a/A/@ use the a.<pin> notation, the syntax is followed by a . and the pin number to control. This is different than the commands a/A/@, which are followed by a space and the pin number to control.

`^` Clock pin tick (limited)

2WIRE> >^

Tick clock: 1
2WIRE>

Send a single clock tick to the bus. The clock pin is set high (VCC) for a short time, then set low (0V).

warning

“Bitwise” commands provide low-level control over the clock and data pins, allowing precise manipulation of their states. These commands are only available in specific modes, such as 2WIRE and 3WIRE.

/ Clock pin high (limited)

2WIRE> >/

Set clock: 1
2WIRE>

Set the clock pin high (VCC).

warning

\ Clock pin low (limited)

2WIRE> >\

Set clock: 0
2WIRE>

Set the clock pin low (0V).

warning

- Data pin high (limited)

2WIRE> >-

Set data: 1
2WIRE>

Set the data pin high (VCC).

warning

_ Data pin low (limited)

2WIRE> >_

Set data: 0
2WIRE>

Set the data pin low (0V).

warning

. Read data pin (limited)

2WIRE> >.

Read data: 0
2WIRE>

Read the current state of the data pin.

warning

HiZ

Bus: High impedance (HiZ)
Connections: none
Output type: not allowed
Pull-up resistors: not allowed
Maximum voltage: 5 volts

HiZ is the default Bus Pirate mode. It is a safe mode: all outputs and hardware are disabled.

To change into a protocol mode, use the m command.

info

HiZ is a safe mode. If something goes wrong with your target device, switch to safe mode to disable all outputs and hardware.

1-Wire

Bus: 1-Wire
Connections: one data pin (OWD) and ground
Output type: open drain/open collector
Pull-up resistors: always required (2K - 10K ohms)
Maximum voltage: 5volts

1-Wire is a single wire bus for low speed interfaces.

Pull-up resistors

1-Wire is an open-collector bus, it requires pull-up resistors to hold the data line high and create the data ‘1’. 1-Wire parts don’t output high, they only pull low. Without pull-up resistors there can never be a ‘1’.

Enable the Bus Pirate onboard pull-up resistors with the P command.

info

1-Wire requires a pull-up resistor to hold the data line high.
1-Wire parts don’t output high, they only pull low.
Without pull-up resistors there can never be a ‘1’.
Enable the Bus Pirate onboard pull-up resistors with the P command.

Connections

Bus Pirate	Direction	Circuit	Description
OWD	↔	OWD	1-Wire Data
GND	⏚	GND	Signal Ground

Bus commands

Command	Description
{ or [	Issue 1-Wire reset, detect device presence.
r	Read one byte. (r:1…255 for bulk reads)
0b	Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.
0x	Write this HEX value. Format is 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.
0-255	Write this decimal value. Any number not preceded by 0x or 0b is interpreted as a decimal value.
`space`	Value delimiter. Use a space to separate numbers. No delimiter is required between non-number values: {0xa6 0 0 16 5 0b111 0xaF rrrr}.

Other Commands

Global commands are available everywhere, while mode commands are specific to the currently selected mode. Type help to see all commands in every mode, or help mode for the currently available mode commands.

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

`scan` 1-Wire address search

1WIRE> scan
1-Wire ROM search:
1: 28 5c aa 13 0a 00 00 19 (DS18B20 digital thermometer)

1WIRE>

scan - perform a 1-Wire ROM search.

scan performs a 1-Wire ROM search to detect the ID of every connected 1-Wire device. The type of device is shown if the family ID is known.

`ds18b20` Read temperature

1WIRE> ds18b20
RX: 7b 01 00 00 7f ff 05 10 e5
Temperature: 23.688

1WIRE>

ds18b20 - read the temperature from a single DS18B20 device.

ds18b20 reads the temperature from a single 18B20 temperature sensor. The temperature is displayed in Celsius.

warning

The device is accessed with the skip ROM command, so it will only work with a single DS18B20 device connected.

Device demos

DS18B20 Temperature Sensor

UART

Bus: UART, MIDI (universal asynchronous receiver transmitter)
Connections: two data pins (RX/TX) and ground
Output type: push-pull (1.65-5volts). Powered by onboard supply or an external voltage on the VOUT/VREF pin
Maximum Voltage: 5volts

warning

UART is also known as the common PC serial port. The PC serial port operates at full RS232 voltage levels (-13volts to +13volts) though, which are not compatible with the Bus Pirate without an RS232 adapter.

Connections

Bus Pirate	Direction	Circuit	Description
TX	→	RX	Bus Pirate Transmit
RX	←	TX	Bus Pirate Receive
GND	⏚	GND	Signal Ground

Connect the Bus Pirate transmit pin (TX) to the UART device receive pin (RX). Connect the Bus Pirate receive pin (RX) to the UART device transmit pin (TX).

Configuration options

HiZ> m uart

Mode: UART
UART speed
 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200 etc
 x. Exit
Baud (115200*) > 
Data bits
 5 to 8 bits
 x. Exit
Bits (8*) > 
Parity
 1. None*
 2. Even
 3. Odd
 x. Exit
Parity (1) > 
Stop bits
 1. 1*
 2. 2
 x. Exit
Bits (1) > 
Hardware flow control
 1. None*
 2. RTS/CTS
 x. Exit
Flow control (1) > 
Signal inversion
 1. Non-inverted (Standard)*
 2. Inverted
 x. Exit
Invert signals (1) > 
Actual speed: 115207 baud
UART>

Bus commands

Command	Description
[	Open UART, use `r` to read bytes.
{	Open UART, display data as it arrives asynchronously.
] or }	Close UART.
r	Check UART for byte, or fail if empty. (r:1…255 for bulk reads)
0b	Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.
0x	Write this HEX value. Format is 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.
0-255	Write this decimal value. Any number not preceded by 0x or 0b is interpreted as a decimal value.
`space`	Value delimiter. Use a space to separate numbers. No delimiter is required between non-number values: {0xa6 0 0 16 5 0b111 0xaF rrrr}.

Other Commands

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

`bridge` USB to serial bridge

UART> bridge -h
usage:
bridge	[-h(elp)] [-t(oolbar)]
Transparent UART bridge: bridge
Exit: press Bus Pirate button

open UART with raw data IO, usb to serial bridge mode
-t	ENABLE toolbar while bridge is active (default: disabled)
-h	Get additional help

UART>

Transparent UART bridge. Bidirectional UART pass-through to interact with other serial devices from inside the Bus Pirate terminal. Press the Bus Pirate button to exit.

info

Use bridge -h to see the latest options and features.

`gps` Decoding GPS NMEA sentences

UART> gps -h
usage:
gps	[-h(elp)]
Decode GPS NMEA packets: gps
Exit: press any key

parse NMEA GPS data
-h	Get additional help

UART>

Most GPS modules output NMEA sentences through a serial UART. The gps command decodes common sentences using minmea. The raw data and decoded data are printed in the terminal. Press any key to exit.

info

Use gps -h to see the latest options and features.

`glitch` Glitch hacking framework

UART> glitch -h
usage:
glitch	[-h(elp)] [-c(onfig)]
UART glitch generator.  Note that times are in terms of nanoseconds * 10; therefore, a setting of 3 = 30ns
Exit: press Bus Pirate button

UART glitcher
-h	Get additional help
-c	show configuration info

UART>

A glitch hacking framework.

MIDI

MIDI is a command set used by electronic (music) instruments. It travels over a standard serial UART configured for 31250bps/8/n/1.

MIDI is a ring network, each node has an input and output socket. Each node passes messages to the next in the ring. The input and outputs are opto-isolated. The signaling is at 5volts, 5ma (current-based signaling). An adapter is required: example 1, example 2.

Device demos

NMEA GPS module

HDUART

Bus: Half-duplex UART, MIDI (universal asynchronous receiver transmitter), RX and TX on the same wire
Connections: one data pin (RXTX) and ground
Output type: open collector/open drain
Pull-up resistors: always required (2K - 10K ohms)
Maximum Voltage: 5volts

info

Half-duplex UART is a common serial UART, but receive and transmit share a single data line. This is used to interface mobile phone SIM cards and bank IC cards, among other devices.

Connections

Bus Pirate	Direction	Circuit	Description
RXTX	←→	RXTX	Bus Pirate Transmit and Receive
GND	⏚	GND	Signal Ground

Configuration options

HiZ> m hduart

Mode: HDUART
UART speed
 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200 etc
 x. Exit
Baud (115200*) > 
Data bits
 5 to 8 bits
 x. Exit
Bits (8*) > 
Parity
 1. None*
 2. Even
 3. Odd
 x. Exit
Parity (1) > 
Stop bits
 1. 1*
 2. 2
 x. Exit
Bits (1) > 
HDUART>

Pull-up resistors

Half-duplex UART is an open-collector bus, it requires pull-up resistors to hold the data line high to create the data ‘1’. The Bus Pirate doesn’t output high, it only pulls low. Without pull-up resistors there can never be a ‘1’.

Enable the Bus Pirate onboard pull-up resistors with the P command.

info

Half-duplex UART requires pull-up resistors to hold the data line high.
Without pull-up resistors there can never be a ‘1’.
Enable the Bus Pirate onboard pull-up resistors with the P command.

Bus commands

Command	Description
[	Open UART, display data as it arrives asynchronously.
]	Close UART.
{	RST pin (IO2) high
}	RST pin (IO2) low
r	Check UART for byte, or fail if empty. (r:1…255 for bulk reads)
0b	Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.
0x	Write this HEX value. Format is 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.
0-255	Write this decimal value. Any number not preceded by 0x or 0b is interpreted as a decimal value.
`space`	Value delimiter. Use a space to separate numbers. No delimiter is required between non-number values: {0xa6 0 0 16 5 0b111 0xaF rrrr}.

Other Commands

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

`bridge` USB to serial bridge

HDUART> bridge -h
usage:
bridge	[-h(elp)]
Transparent UART bridge: bridge
Exit: press Bus Pirate button

open UART with raw data IO, usb to serial bridge mode
-t	ENABLE toolbar while bridge is active (default: disabled)
-s	Suppress local echo, don't echo back sent data
-h	Get additional help

HDUART>

Transparent UART bridge. Bidirectional UART pass-through to interact with other serial devices from inside the Bus Pirate terminal. Press the Bus Pirate button to exit. Useful for reading SIM cards with pySim.

info

Use bridge -h to see the latest options and features.

Device demos

Mobile SIMs & Bank IC Cards

I2C

Bus: I2C (eye-squared-see or eye-two-see)
Connections: two data pins (SDA/SCL) and ground
Output type: open drain/open collector
Pull-up resistors: always required (2K - 10K ohms)
Maximum voltage: 1.2 to 5 volts
Common speed: 100kHz, 400kHz, 1MHz

I2C Protocol Overview

I2C (Inter-Integrated Circuit) is a 2-wire protocol used for communication between devices. It uses two lines: SDA (data) and SCL (clock). The protocol supports multiple devices on the same bus, with each device identified by a unique 7-bit address.

Start and Stop Conditions

S - Each transaction begins with a start condition by pulling SDA low while SCL remains high.
P - Each transaction ends with a stop condition by releasing SDA high while SCL remains high.
Sr - A repeat start condition starts a new transaction with the same device, without sending a stop condition. It can be replaced with a stop condition followed by a start condition, but the repeat start is more efficient.

Byte Transmission

Data is transmitted 8 bits at a time, starting with the most significant bit (MSB).
A/N - After each byte there is a 9th ACK/NACK bit. The receiver sends an ACK (acknowledge) by pulling SDA low or a NACK (not acknowledge) by leaving SDA high. NACK is typically used to tell a chip that we are done reading data from it.

Addressing

The first byte sent after a start condition contains the 7-bit device address and a read/write bit. In the logic analyzer trace the 7-bit address is 0b1010000 (0x50).
- W - 0 for write operations (0b10100000 = 0xA0).
- R - 1 for read operations (0b10100001 = 0xA1).

Configuration options

HiZ> m i2c

Mode: I2C
I2C speed
 1kHz to 1000kHz
 x. Exit
kHz (400kHz*) > 
Clock stretching
 1. OFF*
 2. ON
 x. Exit
OFF (1) > 
I2C>

Pull-up resistors

I2C is an open-collector bus, it requires pull-up resistors to hold the clock and data lines high and create the data ‘1’. I2C parts don’t output high, they only pull low, without pull-up resistors there can never be a ‘1’. This will cause common errors such as the I2C address scanner reporting a response at every address.

Enable the Bus Pirate onboard pull-up resistors with the P command.

info

I2C requires pull-up resistors to hold the clock and data lines high.
I2C parts don’t output high, they only pull low.
Without pull-up resistors there can never be a ‘1’.
Enable the Bus Pirate onboard pull-up resistors with the P command.

Connections

Bus Pirate	Direction	Circuit	Description
SDA	↔	SDA	Serial Data
SCL	→	SCL	Serial Clock
GND	⏚	GND	Signal Ground

Bus commands

Command	Description
{ or [	Issue (repeated) I2C start condition.
] or }	Issue I2C stop condition.
r	Read one byte, send ACK. (r:1…255 for bulk reads)
0b	Write this binary value, check ACK. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.
0x	Write this HEX value, check ACK. Format is 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.
0-255	Write this decimal value, check ACK. Any number not preceded by 0x or 0b is interpreted as a decimal value.
`space`	Value delimiter. Use a space to separate numbers. No delimiter is required between non-number values: {0xa6 0 0 16 5 0b111 0xaF rrrr}.

Other Commands

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

`scan` I2C address search

I2C> scan
I2C address search:
0x50 (0xA0 W) (0xA1 R)
0x51 (0xA2 W) (0xA3 R)
0x52 (0xA4 W) (0xA5 R)
0x53 (0xA6 W) (0xA7 R)
0x54 (0xA8 W) (0xA9 R)
0x55 (0xAA W) (0xAB R)
0x56 (0xAC W) (0xAD R)
0x57 (0xAE W) (0xAF R)

Found 16 addresses, 8 W/R pairs.

I2C>

The scan command searches for I2C device addresses.

You can find the I2C address for most I2C-compatible chips in the datasheet. But what if you’re working with an unknown chip, a dated chip with no datasheet or you’re just too lazy to look it up?

I2C> scan -h
usage:
scan	[-v(erbose)] [-h(elp)]
Scan I2C address space: scan
Scan, list possible part numbers: scan -v

scan I2C addresses, with optional part number
-v	Verbose mode, print potential part numbers
-h	Get additional help

I2C>

The Bus Pirate has a built-in address scanner that checks every possible I2C address for a response. This brute force method is a fast and easy way to see if any chips are responding, and to uncover undocumented access addresses.

I2C chips respond to a 7bit address, so up to 128 devices can share the same two communication wires. An additional bit of the address determines if the operation is a write to the chip (0), or a read from the chip (1).

Scanner details

The scan command in I2C mode runs the address scanner.

For I2C write addresses: the BP sends a start, the write address, looks for an ACK, then sends a stop.
For I2C read addresses: the BP sends a start, the read address, looks for an ACK. If there is an ACK, it reads a byte and NACKs it. Finally it sends a stop.

When the I2C chip responds to the read address, it outputs data and will miss a stop condition sent immediately after the read address (bus contention). If the I2C chip misses the stop condition, the address scanner will see ghost addresses until the read ends randomly. By reading a byte after any read address that ACKs, we have a chance to NACK the read and properly end the I2C transaction.

`sniff` I2C bus sniffer

I2C> sniff -h
usage:
sniff [-q]
Start the I2C sniffer: sniff
Supress (quiet) ACK in output: sniff -q

pico-i2c-sniff by @jjsch-dev https://github.com/jjsch-dev/pico_i2c_sniffer
Max speed: 500kHz

I2C sniffer
q	Quiet mode, don't show ACKs
h	Get additional help

I2C>

Sniff I2C packets up to 500kHz.

`si7021` Read temperature and humidity

I2C> si7021
Read temperature and humidity from SI7021/HTU21/SHT21 sensor
Humidity: 71.05% (0x9d 0xca)
Temperature: 18.79C (0x5f 0xa0)
Serial Number: 0xffff0000000015ff

I2C>

Command to read temperature and humidity from a SI7021 sensor.

`ms5611` Read temperature and pressure

I2C> ms5611 -h
Read temperature and pressure from MS5611 sensor
Device not detected (no ACK)

I2C>

Command to read temperature and pressure from a MS5611 sensor.

`tsl2561` Read light intensity

I2C> tsl2561
Read light intensity (LUX) from TSL2561 sensor
ID: 5 REV: 0
Chan0: 13868 Chan1: 13868 LUX: 81

I2C>

Command to read light intensity from a TSL2561 sensor.

Device demos

SPI

Bus: SPI (serial peripheral interface)
Connections: four data pins (MOSI/MISO/CLOCK/CHIP_SELECT) and ground
Output type: push-pull (1.65-5volts)
Maximum voltage: 5volts

info

SPI is a common 4 wire full duplex protocol. Separate connections for data-in and data-out allow communication to and from the controller at the same time. Multiple sub devices can share the bus, but each will need an individual Chip Select (CS) connection. Chip Select is generally active when low.

Connections

Bus Pirate	Direction	Circuit	Description
MOSI	→	MOSI	Master Out Sub In
MISO	←	MISO	Master In Sub Out
CS	→	CS	Chip Select
CLK	→	CLK	Clock signal
GND	⏚	GND	Signal Ground

Configuration options

HiZ> m spi

Mode: SPI
SPI speed
 1 to 62500kHz
 x. Exit
kHz (100kHz*) > 
Data bits
 4 to 8 bits
 x. Exit
Bits (8*) > 
Clock polarity
 1. Idle LOW*
 2. Idle HIGH
 x. Exit
Polarity (1) > 
Clock phase
 1. LEADING edge*
 2. TRAILING edge
 x. Exit
Phase (1) > 
Chip select
 1. Active HIGH (CS)
 2. Active LOW (/CS)*
 x. Exit
CS (2) > 
Actual speed: 99kHz
SPI>

Bus commands

Command	Description
[	Chip select (CS) active
{	Chip Select (CS) active, show the SPI read byte while writing
] or }	Chip Select (CS) disable
r	Read one byte by sending dummy byte (0xff). (r:1…255 for bulk reads)
0b	Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.
0x	Write this HEX value. Format is 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.
0-255	Write this decimal value. Any number not preceded by 0x or 0b is interpreted as a decimal value.
`space`	Value delimiter. Use a space to separate numbers. No delimiter is required between non-number values: {0xa6 0 0 16 5 0b111 0xaF rrrr}.

Other Commands

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

`flash` Read/Write/Erase common flash chips

The flash command can read, write, and erase common SPI flash memory chips directly in the Bus Pirate terminal. The Serial Flash Universal Driver at the heart of the flash command attempts to identify the flash chip and select the appropriate settings. Most modern flash chips contain SFDP tables that describe the chip capabilities. If a chip doesn’t have SFDP tables, the driver has a database of common chips on which to fall back.

SPI> flash -h
usage:
flash [init|probe|erase|write|read|verify|test]
	[-f <file>] [-e(rase)] [-v(verify)] [-h(elp)]
Initialize and probe: flash probe
Erase and program, with verify: flash write -f example.bin -e -v
Read to file: flash read -f example.bin
Verify with file: flash verify -f example.bin
Test chip (full erase/write/verify): flash test
Force dump: flash read -o -b <bytes> -f <file>

read, write and erase flash chips using SFDP info if available
init	Reset and initialize flash chip. Default if no options given. flash
probe	Probe flash chip for ID and SFDP info. flash probe
erase	Erase flash chip. flash erase [-v(erify)]
write	Write file to flash chip. flash write -f <file> [-e(rase)] [-v(erify)]
read	Read flash chip to file. flash read -f <file>
verify	Verify flash chip against file. flash verify -f <file>
test	Erase and write full chip with dummy data, verify. flash test
-f	File flag. File to write, read or verify. flash verify -f <file>
-e	Erase flag. Add erase before write. flash write -f <file> -e
-v	Verify flag. Add verify after write or erase. flash write -f <file> -v

SPI>

Flash initialization

SPI> flash init
Probing:
		Device ID	Manuf ID	Type ID		Capacity ID
RESID (0xAB)	0x13
REMSID (0x90)	0x13		0xef
RDID (0x9F)			0xef		0x40		0x14

Initializing SPI flash...
Flash device manufacturer ID 0xEF, type ID 0x40, capacity ID 0x14
SFDP V1.5, 0 parameter headers
		Type		Ver.	Length	Address
Table 0		JEDEC (0x00)	1.5	64B	0x000080
JEDEC basic flash parameter table info:
MSB-LSB  3    2    1    0
[0001] 0xFF 0xF1 0x20 0xE5
...
[0009] 0x00 0x00 0xD8 0x10
4 KB Erase is supported throughout the device (instruction 0x20)
Write granularity is 64 bytes or larger
Flash status register is non-volatile
3-Byte only addressing
Capacity is 1048576 Bytes
Flash device supports 4KB block erase (instruction 0x20)
Flash device supports 32KB block erase (instruction 0x52)
Flash device supports 64KB block erase (instruction 0xD8)
Found a Winbond  flash chip (1048576 bytes)
Flash device reset success

flash, flash init, and flash probe provide various levels of details about a flash chip. The flash command tries three common methods to identify a flash chip (RESID, REMSID, RDID), then attempts to read the SFDP tables.

info

Use flash -h to see the latest options and features.

Read a flash chip

SPI> flash read -f example.bin
Reading 1048576 bytes from flash to example.bin
[-------C o o o o o]

Read the contents of a flash chip to a file with the flash read command. The file name is specified with the -f flag.

Write a flash chip

SPI> flash write -f example.bin -e -v
Erasing 1048576 bytes
[-----------------C]
Writing 1048576 bytes from example.bin to flash
[-----------------C]
Verifying 1048576 bytes from example.bin to flash
[-------c o o o o]

Write a file to a flash chip with the flash write command. The file name is specified with the -f flag. Use the -e flag to erase the chip before writing, and the -v flag to verify the write.

Verify a flash chip

SPI> flash verify -f example.bin
Verifying 1048576 bytes from example.bin to flash
[-------c o o o o]

Verify the contents of a flash chip against a file with the flash verify command. The file name is specified with the -f flag.

Test a flash chip

SPI> flash test
Erasing 1048576 bytes
[-----------------C]
Writing 1048576 bytes to flash
[-----------------C]
Verifying 1048576 bytes
[-------c o o o o]

The flash test command erases the chip, writes dummy data, and verifies the write. This is a way to test a chip.

Options and flags

Option	Description
`flash init`	Reset and initialize flash chip. Default if no options given.
`flash probe`	Probe flash chip for ID and SFDP info.
`flash erase`	Erase flash chip.
`flash write`	Write file to flash chip. Specify file with -f flag. Use -e flag to erase before write
`flash read`	Read flash chip to file. Specify file with -f flag
`flash verify`	Verify flash chip against file. Specify file with -f flag
`flash test`	Erase and write full chip with dummy data, verify.

Options tell the flash command what to do.

Flag	Description
`-f`	File flag. File to write, read or verify.
`-e`	Erase flag. Add erase before write.
`-v`	Verify flag. Add verify after write or erase.

Flags pass file names and other settings.

Device demos

2-WIRE

Bus: 2 wire bus with bidirectional data (SDA) line and a clock (SCL) line
Connections: two data pins (SDA/SCL) and ground. An additional pin is reserved for RESET, and is controlled by the {/} commands.
Output type: open drain/open collector
Pull-up resistors: always required (2K - 10K ohms)
Maximum voltage: 5volts

info

2-wire is a generic 8bit protocol mode with a bidirectional data line (SDA) and a clock line (SCL). 2-wire can be used to interface with SLE4442 smart cards, half-duplex SPI devices and other 2 wire busses that don’t use a full I2C implementation.

Connections

Bus Pirate	Direction	Circuit	Description
SDA	↔	SDA	Serial Data
SCL	→	SCL	Serial Clock
RST	→	RST	Reset signal for some devices
GND	⏚	GND	Signal Ground

Configuration options

HiZ> m 2wire

Mode: 2WIRE
2WIRE speed
 1kHz to 1000kHz
 x. Exit
kHz (400kHz*) > 
2WIRE>

Pull-up resistors

2-Wire is an open-collector bus, it requires pull-up resistors to hold the clock and data lines high and create the data ‘1’. In 2-Wire mode, the Bus Pirate doesn’t output high, it only pulls low. Without pull-up resistors there can never be a ‘1’.

Enable the Bus Pirate onboard pull-up resistors with the P command.

info

2-Wire requires pull-up resistors to hold the clock and data lines high.
Without pull-up resistors there can never be a ‘1’.
Enable the Bus Pirate onboard pull-up resistors with the P command.

Bus commands

Command	Description
[	Issue I2C-style START condition. Some devices don’t follow the I2C standard, but still use a similar START condition.
]	Issue I2C-style STOP condition. Some devices don’t follow the I2C standard, but still use a similar STOP condition.
{	RST/reset pin high
}	RST/reset pin low
r	Read one byte. (r:1…255 for bulk reads)
0b	Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.
0x	Write this HEX value. Format is 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.
0-255	Write this decimal value. Any number not preceded by 0x or 0b is interpreted as a decimal value.
`space`	Value delimiter. Use a space to separate numbers. No delimiter is required between non-number values: {0xa6 0 0 16 5 0b111 0xaF rrrr}.
^	One clock tick, low to high to low transition.
/	Set clock pin high.
\	Set clock pin low.
_	Set data pin low.
-	Set data pin high.
.	Read data pin.

info

2WIRE supports bitwise operations on the clock and data lines. The commands ^, /, \, _, - and . control the clock and data lines directly. This is useful for some devices that require precise timing or specific signal patterns.

Other Commands

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

`sniff` 2WIRE bus sniffer

2WIRE> sniff -h
usage:
sniff [-q]
Start the 2WIRE sniffer: sniff

Sniffs SLE4442 style 8bit I2C-like protocols (no NAK/ACK)
Based on pico-i2c-sniff by @jjsch-dev https://github.com/jjsch-dev/pico_i2c_sniffer
Max speed: 500kHz

I2C sniffer
h	Get additional help

2WIRE>

Sniff 8 bit I2C-like protocols that don’t use an ACK/NAK bit, for example the SLE4442 smart card.

`sle4442` Work with SLE4442 smart cards

The sle4442 command in the Bus Pirate’s 2-WIRE mode automates the process of reading, writing and unlocking a SLE4442 smart card.

info

Use sle4442 -h to see the latest options and features.

SLE4442 Answer to Reset (ATR)

2WIRE> sle4442 init
--SLE44xx decoder--
ATR: 0xa2 0x13 0x10 0x91
Protocol Type: S 10
Structure Identifier: General Purpose (Structure 1)
Read: Read to end
Data Units: 256
Data Units Bits: 8
Security memory: 0x07 0x00 0x00 0x00
Remaining attempts: 3 (0x7)

2WIRE>

sle4442 and sle4442 init reset the card and decodes the Answer To Reset (ATR) response.

sle4442 init - reset the card and decode the ATR

Dump SLE4442 card memory

2WIRE> sle4442 dump
--SLE44xx decoder--
ATR: 0xa2 0x13 0x10 0x91
Protocol Type: S 10
Structure Identifier: General Purpose (Structure 1)
Read: Read to end
Data Units: 256
Data Units Bits: 8
Security memory: 0x07 0x00 0x00 0x00
Remaining attempts: 3 (0x7)
Protection memory: 0xff 0xff 0xff 0xff
Memory:
0xa2 0x13 0x10 0x91 0xff 0xff 0x81 0x15 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xd2 0x76 0x00 0x00 0x04 0x00 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 

2WIRE>

sle4442 dump reads and displays the main, security and protection memory areas. The card does not need to be unlocked to read the contents. The passcode is only required to write to the card.

sle4442 dump - read and display the main, security and protection memory areas

Unlock SLE4442 card with passcode

2WIRE> sle4442 unlock -p 0xffffff
--SLE44xx decoder--
ATR: 0xa2 0x13 0x10 0x91
Protocol Type: S 10
Structure Identifier: General Purpose (Structure 1)
Read: Read to end
Data Units: 256
Data Units Bits: 8
Security memory: 0x07 0x00 0x00 0x00
Remaining attempts: 3 (0x7)
Unlocking with PSC: 0xFFFFFF
Using free security bit: 0x03
Card unlocked, security bits reset
Security memory: 0x07 0xff 0xff 0xff
Remaining attempts: 3 (0x7)

2WIRE>

sle4442 unlock unlocks the card using the Programmable Security Code (PSC). Use the -p flag to specify the PSC.

sle4442 unlock -p <psc> - unlock the card with the current PSC

info

New cards usually have a default PSC of 0xffffff.

Write data to SLE4442 card

2WIRE> sle4442 write -a 0xff -v 0x88
--SLE44xx decoder--
ATR: 0xa2 0x13 0x10 0x91
Protocol Type: S 10
Structure Identifier: General Purpose (Structure 1)
Read: Read to end
Data Units: 256
Data Units Bits: 8
Security memory: 0x07 0xff 0xff 0xff
Remaining attempts: 3 (0x7)
Writing 0x88 to 0xff

2WIRE>

sle4442 write writes a single byte of data to the card. Specify the address with the -a flag and the data value with the -v flag.

sle4442 write -a <address> -v <value> - write a byte of data to the card

warning

The card must be unlocked before writing data.

Change SLE4442 passcode/PSC

2WIRE> sle4442 psc -p 0xffffff -n 0x123456
--SLE44xx decoder--
ATR: 0xa2 0x13 0x10 0x91
Protocol Type: S 10
Structure Identifier: General Purpose (Structure 1)
Read: Read to end
Data Units: 256
Data Units Bits: 8
Security memory: 0x07 0xff 0xff 0xff
Remaining attempts: 3 (0x7)
Unlocking with PSC: 0xFFFFFF
Using free security bit: 0x03
Card unlocked, security bits reset
Security memory: 0x07 0xff 0xff 0xff
Remaining attempts: 3 (0x7)
Updating with PSC: 0x123456
PSC updated to: 0x123456
Security memory: 0x07 0x12 0x34 0x56
Remaining attempts: 3 (0x7)

2WIRE>

sle4442 psc changes the Programmable Security Code (PSC). Use the -p flag to specify the current PSC and the -n flag to specify the new PSC.

sle4442 psc -p <current_psc> -n <new_psc> - change the PSC

Options and flags

2WIRE> sle4442 -h
usage:
sle4442 [init|dump|unlock|write|erase|psc]
	[-a <address>] [-v <value>] [-p <current psc>] [-n <new psc>] [-f <dump file>] [-h(elp)]
Initialize and probe: sle4442 init
Dump contents: sle4442 dump
Unlock card: sle4442 unlock -p 0xffffff
Write a value: sle4442 write -a 0xff -v 0x55
Erase memory: sle4442 erase
Update PSC: sle4442 psc -p 0xffffff -n 0x000000
Dump contents to file: sle4442 dump -f dump.bin
Dump format: DATA[0:255],SECMEM[256:259],PRTMEM[260:263]

SLE4442 smart card interface
init	Initialize card with ISO7816-3 ATR. Default action
dump	Display main, security and protect memory
unlock	Unlock card with Programmable Security Code (PSC)
write	Write data to card (requires unlock)
erase	Erase data from range 0x32-0x255 (requires unlock)
psc	Change Programmable Security Code (PSC)
-a	Write address flag
-v	Write value flag
-p	Current Programmable Security Code (PSC) flag
-n	New Programmable Security Code (PSC) flag
-f	Dump file name flag

2WIRE>

info

Use sle4442 -h to see the latest options and features.

Option	Description
sle4442 init	Initialize and probe the card Answer To Reset
sle4442 dump	Display main, security and protect memory
sle4442 unlock	Unlock card with Programmable Security Code (PSC)
sle4442 write	Write data to card (requires unlock)
sle4442 erase	Erase data from range 0x32-0x255 (requires unlock)
sle4442 psc	Change Programmable Security Code (PSC)

Options tell the SLE4442 command what to do.

Flag	Description
-a	Write address flag
-v	Write value flag
-p	Current Programmable Security Code (PSC) flag
-n	New Programmable Security Code (PSC) flag

Flags pass file names and other settings to the command.

Device demos

SLE4442 Smart Card

3-WIRE

Bus: SPI-like bus with granular control of the clock and data lines
Connections: four data pins (MOSI/MISO/CLOCK/CHIP_SELECT) and ground
Output type: push-pull (1.65-5volts)
Maximum voltage: 5volts

info

3WIRE is like SPI with extra commmands to control the clock and data lines individually.

Connections

Bus Pirate	Direction	Circuit	Description
MOSI	→	MOSI	Master Out Sub In
MISO	←	MISO	Master In Sub Out
CS	→	CS	Chip Select
CLK	→	CLK	Clock signal
GND	⏚	GND	Signal Ground

Configuration options

HiZ> m 3wire

Mode: 3WIRE
Speed
 1 to 3900kHz
 x. Exit
kHz (100kHz*) > 
Chip select
 1. Active HIGH (CS)
 2. Active LOW (/CS)*
 x. Exit
CS (2) > 
3WIRE>

Bus commands

Command	Description
[	Chip select (CS) active
{	Chip Select (CS) active, show the SPI read byte while writing
] or }	Chip Select (CS) disable
r	Read one byte. (r:1…255 for bulk reads)
0b	Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.
0x	Write this HEX value. Format is 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.
0-255	Write this decimal value. Any number not preceded by 0x or 0b is interpreted as a decimal value.
`space`	Value delimiter. Use a space to separate numbers. No delimiter is required between non-number values: {0xa6 0 0 16 5 0b111 0xaF rrrr}.
^	One clock tick, low to high to low transition.
/	Set clock pin high.
\	Set clock pin low.
_	Set MOSI pin low.
-	Set MOSI pin high.
.	Read MISO pin.

info

3WIRE supports bitwise operations on the clock and data lines. The commands ^, /, \, _, - and . control the clock and data lines directly. This is useful for some devices that require precise timing or specific signal patterns.

Other Commands

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

DIO

Bus: DIO (digital input/output)
Connections: all IOs available for use
Output type: tristate (push-pull, high impedance) (1.65-5volts)
Maximum voltage: 5volts

info

DIO is a mode with no specific protocol. All the Bus Pirate pins are free for use as input/ouputs, frequency generators, frequency measurement, etc.

LED

Bus: WS2812/SK6812/‘NeoPixel’ one wire, APA102/SK9822 two wire
Connections: one or two data pins (SDO, SCL), and ground
Output type: 1.65-5volts
Maximum voltage: 5volts

WS2812/SK6812 and APA102/SK9822 are common RGB LEDs with a one and two wire interface.

report

LEDs are power hungry, up to 60mA each at full brightness. The programmable power supply is rated for 300mA maximum. The LEDs will need an external power supply when driving more than a few in a strip.

Connections

WS2812/SK6812/‘NeoPixel’

Bus Pirate	Direction	Circuit	Description
SDO	→	DIN	Serial Data Out
GND	⏚	GND	Signal Ground

APA102/SK9822

Bus Pirate	Direction	Circuit	Description
SDO	→	SDI	Serial Data Out
SCL	→	CKI	Serial Clock
GND	⏚	GND	Signal Ground

Configuration options

HiZ> m led

Mode: LED
LED type
 1. WS2812/SK6812/'NeoPixel' (single wire interface)*
 2. APA102/SK9822 (clock and data interface)
 3. Onboard LEDs (18 SK6812s)
 x. Exit
Type (1) > 
LED-(WS2812)>

Bus commands

Command	Description
[ or {	Reset (APA102: low for >280us), Start Frame (WS2812: 0x00000000)
] or }	End Frame (WS2812: 0xffffffff)
0b	Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.
0x	Write this HEX value. Format is 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.
0-255	Write this decimal value. Any number not preceded by 0x or 0b is interpreted as a decimal value.
`space`	Value delimiter. Use a space to separate numbers. No delimiter is required between non-number values: {0xa6 0 0 16 5 0b111 0xaF rrrr}.

Other Commands

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

Device demos

INFRARED

Bus: Infrared (IR) remote control (raw, RC5, NEC)
Connections: one data pin (IR) and ground
Output type: push-pull (1.65-5volts)
Maximum voltage: 5volts

info

Infrared is a mode for sending and receiving infrared signals. The Bus Pirate can send and receive RC5 and NEC protocols, and raw IR signals. Compatible with the IR Toy v3 plank.

Connections

Bus Pirate	Direction	Circuit	Description
LERN (IO1)	←	LEARNER	20-60kHz IR learner receiver
BARR (IO3)	←	38K BARRIER	38kHz IR barrier receiver
IRTX (IO4)	→	TRANSMIT	IR transmitter LED
38K (IO5)	←	38K DEMODULATOR	36-40kHz IR demodulator
56K (IO7)	←	56K DEMODULATOR	56kHz IR demodulator

Configuration options

HiZ> m infrared

Mode: INFRARED
Protocol
 1. RAW (aIR format)*
 2. NEC
 3. RC5
 x. Exit
Protocol (1) > 
TX modulation
 20kHz to 60kHz
 x. Exit
kHz (38kHz*) > 
RX sensor
 1. 38kHz barrier
 2. 36-40kHz demodulator*
 3. 56kHz demodulator
 x. Exit
RX sensor (2) > 
INFRARED-(RAW)>

Bus commands

Other Commands

info

Most Bus Pirate commands have extended help. Add the -h flag to any command to see the latest available options and usage examples.

`tvbgone`

info

TV-B-Gone, turn off many brands of TV

`irtx`

info

Transmit IR signals (aIR format)

`irrx`

info

Receive, record, retransmit IR signals (aIR format)

Device demos

Infrared Remote Controls

JTAG

Bus: JTAG
Connections: varries
Output type: push-pull (1.65-5volts)
Maximum voltage: 5volts

info

JTAG mode is NOT for working directly with JTAG devices (yet!). JTAG mode hosts blueTag, an open source JTAG and SWD pin finder.

`bluetag` JTAG & SWD pinout finder

blueTag is an open source JTAG and SWD pin finder integrated into the Bus Pirate firmware. It can identify the JTAG/SWD pins on a target device by sending a series of test signals and analyzing the responses.

Connections

Connect the Bus Pirate IO pins to the suspected JTAG/SWD pins on the target device.
Start with IO0 and work your way up to IO7.
If possible, look for ground pours and power pins on the JTAG or SWD port and avoid connecting IO pins to them.
Connect the Bus Pirate ground pin to the target device ground.
Power the device.

warning

Measure the target device supply/pin voltage. The Bus Pirate IO pins should set to match with the W power supply command.

info

If the target has an obvious voltage out pin, then you can power the Bus Pirate IO pins from that. Attach the Bus Pirate VOUT pin to the target voltage out pin and skip the W power supply command setup step.

Search for JTAG pins

JTAG> bluetag jtag -c 8
Number of channels set to: 8

     Progress: [##########################] 100.00%

     [  Pinout  ]  TDI=IO0 TDO=IO3 TCK=IO4 TMS=IO2 TRST=N/A

     [ Device 0 ]  0x59602093 (mfg: 'Xilinx', part: 0x9602, ver: 0x5)

JTAG>

bluetag jtag -c <channels> - search for JTAG pins on the target device. The -c flag specifies the number of channels to search, starting from IO0.

This chip is identified as a Xilinx device with the pinout: TDI=IO0 TDO=IO3 TCK=IO4 TMS=IO2 TRST=N/A.

info

If the scan fails, you can try again with the -d flag to disable pin pulsing. This may help find stubborn JTAG pins.

Search for SWD pins

JTAG> bluetag swd -c 8
Number of channels set to: 8

     Progress: [##########################] 100.00%

     [  Pinout  ]  SWDIO=IO5 SWCLK=IO6

     [ Device 0 ]  0x0BC12477 (mfg: 'ARM Ltd', part: 0xbc12, ver: 0x0)

JTAG>

bluetag swd -c <channels> - search for SWD pins on the target device. The -c flag specifies the number of channels to search, starting from IO0.

This chip is identified as an ARM device with the pinout: SWDIO=IO5 SWCLK=IO6.

info

The Bus Pirate can find its own SWD pins. Connect IO0-IO2 to the three debug pins on the bottom of the Bus Pirate and then run bluetag swd -c 3.

`bluetag` Options

JTAG> bluetag -h
usage:
bluetag [jtag|swd] [-c <channels>] [-v(ersion)] [-d(isable pulsing)]
blueTag interactive interface: bluetag
JTAG scan, 6 channels: bluetag jtag -c 6
SWD scan, 4 channels: bluetag swd -c 4
Show version: bluetag -v
Disable JTAG pin pulsing: bluetag jtag -c 6 -d

blueTag by @Aodrulez https://github.com/Aodrulez/blueTag

blueTAG options
jtag	Scan for JTAG pins
swd	Scan for SWD pins

Flags
-c	Number of channels to scan (starting from IO0)
-v	Show version
-d	Disable pin pulsing (JTAG mode)

JTAG>

Option	Description
`-c <channels>`	Number of channels to search, starting from IO0.
`-v`	Show blueTag version.
`-d`	Disable pin pulsing, may help if normal search fails.
`-h`	Show help message.

Device demos

JTAG & SWD pinout finder

Download Firmware

Bus Pirate Hardware

Command Reference

User terminal #

VT100 terminal emulation #

Command line #

HiZ mode #

Terminal control #

Default options #

Saved options #

Getting help #

Global command list #

Mode help #

Command help #

Configuration #

i Version information #

c Configuration options menu #

m Set bus mode #

l/L Set MSB/LSB first #

o Data output display format #

d Display mode #

~ Self-test #

reboot Reboot #

$ Jump to bootloader #

cls Clear and redraw terminal #

ovrclk Overclock the CPU #

Utilities #

w/W Power supply (off/ON) #

v/V Power supply voltage report #

p/P Pull-up resistors #

g/G Frequency generator #

f/F Measure frequency #

=X Convert to HEX/DEC/BIN number format #

| X Reverse bits #

a/A/@ Auxiliary pin control (low/HIGH/read) #

logic Logic analyzer control #

Disk Commands #

ls List directory contents #

mkdir Make directory #

cd Change directory #

rm Remove file or directory #

cat Print file contents #

hex Hex dump file #

label Set disk label #

format Erase and format disk #

dump Dump read data to file #

image Display bitmap image on LCD #

Software support #

binmode Change binary mode #

PulseView logic analyzer #

AVRdude AVR programmer #

Flashrom flash programmer #

AnalysIR Infrared remote decoder #

Scripting commands #

macro Load a set of macros #

script Load a set of scripts #

tutorial Run a script in tutorial mode #

button Assign scripts to the button #

pause Pause and wait for user input #

Developer commands #

bug Replicate silicon bugs #

otpdump Dump OTP memory (BP 6+) #

dummy New command template #

Bus commands #

[ or { Bus START condition #

> Execute bus commands (no START) #

] or } Bus STOP condition #

r Read byte #

0b01 Write this binary value #

0x01 Write this HEX value #

0-255 Write this decimal value #

"abc" Write this ASCII string #

space Value delimiter #

d/D Delay 1uS/MS #

: Repeat (e.g. r:10) #

. Specify number of bits to read/write #

v Measure voltage #

a/A/@ Auxiliary pin control (low/HIGH/read) #

^ Clock pin tick (limited) #

/ Clock pin high (limited) #

\ Clock pin low (limited) #

- Data pin high (limited) #

User terminal

VT100 terminal emulation

Command line

HiZ mode

Terminal control

Default options

Saved options

Getting help

Global command list

Mode help

Command help

Configuration

`i` Version information

`c` Configuration options menu

`m` Set bus mode

`l/L` Set MSB/LSB first

`o` Data output display format

`d` Display mode

`~` Self-test

`reboot` Reboot

`$` Jump to bootloader

`cls` Clear and redraw terminal

`ovrclk` Overclock the CPU

Utilities

`w/W` Power supply (off/ON)

`v/V` Power supply voltage report

`p/P` Pull-up resistors

`g/G` Frequency generator

`f/F` Measure frequency

`=X` Convert to HEX/DEC/BIN number format

`| X` Reverse bits

`a/A/@` Auxiliary pin control (low/HIGH/read)

`logic` Logic analyzer control

Disk Commands

`ls` List directory contents

`mkdir` Make directory

`cd` Change directory

`rm` Remove file or directory

`cat` Print file contents

`hex` Hex dump file

`label` Set disk label

`format` Erase and format disk

`dump` Dump read data to file

`image` Display bitmap image on LCD

Software support

`binmode` Change binary mode

PulseView logic analyzer

AVRdude AVR programmer

Flashrom flash programmer

AnalysIR Infrared remote decoder

Scripting commands

`macro` Load a set of macros

`script` Load a set of scripts

`tutorial` Run a script in tutorial mode

`button` Assign scripts to the button

`pause` Pause and wait for user input

Developer commands

`bug` Replicate silicon bugs

`otpdump` Dump OTP memory (BP 6+)

`dummy` New command template

Bus commands

`[ or {` Bus START condition

`>` Execute bus commands (no START)

`] or }` Bus STOP condition

`r` Read byte

`0b01` Write this binary value

`0x01` Write this HEX value

`0-255` Write this decimal value

`"abc"` Write this ASCII string

`space` Value delimiter

`d/D` Delay 1uS/MS

`:` Repeat (e.g. r:10)

`.` Specify number of bits to read/write

`v` Measure voltage

`a/A/@` Auxiliary pin control (low/HIGH/read)

`^` Clock pin tick (limited)

/ Clock pin high (limited)

\ Clock pin low (limited)

- Data pin high (limited)

_ Data pin low (limited)