Bus Pirate Cheat Sheet

Overview

The Bus Pirate is an open-source, universal bus interface tool designed for hardware hacking, embedded system debugging, and protocol analysis. It provides a single device that can communicate with virtually any serial bus protocol including I2C, SPI, UART, JTAG, 1-Wire, HD44780 LCDs, and raw 2/3-wire protocols. The Bus Pirate connects to a computer via USB and presents a terminal-based interface where users can interactively read, write, and sniff data on target buses. It is an essential tool for hardware reverse engineering, IoT security research, and embedded development.

The device features configurable voltage output (3.3V and 5V), pull-up resistors, voltage measurement, frequency counting, and a built-in logic analyzer mode. The Bus Pirate v3.x uses a PIC24 microcontroller, while the newer v5 revision features an RP2040 with significant speed improvements. It can extract firmware from flash chips via SPI, read EEPROM contents over I2C, interact with debug ports via UART, and probe unknown buses to identify protocols. The Bus Pirate is widely used in security research, CTF competitions, and educational settings for learning low-level hardware communication.

Installation

Connect Bus Pirate

# Connect via USB - appears as serial port
# Linux: /dev/ttyUSB0 or /dev/ttyACM0
# macOS: /dev/cu.usbmodem* or /dev/cu.usbserial*
# Windows: COM3 (check Device Manager)

# Find the device
ls /dev/ttyUSB* /dev/ttyACM*
dmesg | grep -i "bus pirate\|ftdi\|ttyUSB"

Terminal Connection

# Using screen
screen /dev/ttyUSB0 115200

# Using minicom
minicom -D /dev/ttyUSB0 -b 115200

# Using picocom
picocom -b 115200 /dev/ttyUSB0

# Using PuTTY (Windows)
# Serial, COM3, 115200 baud

Firmware Update

# Download latest firmware from http://dangerousprototypes.com/docs/Bus_Pirate
# Enter bootloader mode: connect with terminal, type '$' at prompt

# Using pirate-loader
pirate-loader --dev=/dev/ttyUSB0 --hex=BPv3-firmware.hex

Bus Pirate Pinout

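| Pin | Name | Description |
|-----|------|-------------|
| 1 | GND | Ground |
| 2 | +3.3V | 3.3V power supply output |
| 3 | +5V | 5V power supply output |
| 4 | ADC | Analog-to-digital converter |
| 5 | VPU | Pull-up voltage input |
| 6 | AUX | Auxiliary I/O |
| 7 | CLK | Clock signal |
| 8 | MOSI | Master Out Slave In (data out) |
| 9 | CS | Chip Select |
| 10 | MISO | Master In Slave Out (data in) |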

Global Commands

| Command | Description |
|---------|-------------|
| ? | Help menu |
| i | Version and status info |
| m | Set bus mode |
| w/W | Power supply off (w) / on (W) |
| v | Show voltage levels |
| p/P | Pull-up resistors off (p) / on (P) |
| f | Frequency measurement on AUX pin |
| g | Frequency generation on AUX pin |
| ~ | Self-test |
| # | Reset Bus Pirate |
| $ | Enter bootloader for firmware update |
| o | Output format (DEC/HEX/OCT/BIN) |

Bus Mode Selection

HiZ>m
1. HiZ       (High impedance, safe default)
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
x. exit

SPI Mode

Enter SPI Mode

HiZ>m5
Set speed:
 1. 30KHz
 2. 125KHz
 3. 250KHz
 4. 1MHz
 5. 2MHz
 6. 2.6MHz
 7. 4MHz
 8. 8MHz
(1)>4
Clock polarity:
 1. Idle low
 2. Idle high
(1)>1
Output clock edge:
 1. Idle to active
 2. Active to idle
(1)>1
Input sample phase:
 1. Middle
 2. End
(1)>1
CS:
 1. CS
 2. /CS (active low)
(2)>2
Output type:
 1. Open drain
 2. Normal
(1)>2

SPI Commands

# Read flash chip ID (JEDEC ID)
SPI>[0x9f r r r]

# Read SPI flash (first 256 bytes)
SPI>[0x03 0x00 0x00 0x00 r:256]

# Write enable
SPI>[0x06]

# Read status register
SPI>[0x05 r]

# Erase chip
SPI>[0x06][0xc7]

# Read entire flash and dump
# Use flashrom instead for full dumps (see below)

SPI Flash Dump with flashrom

# Install flashrom
sudo apt install flashrom

# Detect flash chip via Bus Pirate
flashrom -p buspirate_spi:dev=/dev/ttyUSB0

# Read flash contents
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r firmware_dump.bin

# Write firmware to flash
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -w new_firmware.bin

# Verify flash contents
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -v firmware_dump.bin

# Specify chip model if detection fails
flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c "W25Q64.V" -r dump.bin
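
A dump pulled over the Bus Pirate's slow serial link is worth sanity-checking before analysis. The script below is an added example, not part of the original cheat sheet: it compares two separate flashrom -r reads of the same chip and flags blank, truncated or mis-sized images. The file names and the JEDEC capacity-byte convention are assumptions.

```python
import hashlib
import sys

def assess_dump(first: bytes, second: bytes, jedec_id: bytes = b"") -> list:
    """Compare two reads of one chip; return a list of problems (empty = usable)."""
    if not first:
        return ["first read is empty"]
    problems = []
    if len(first) != len(second):
        problems.append(f"length differs: {len(first)} vs {len(second)} bytes")
    elif hashlib.sha256(first).digest() != hashlib.sha256(second).digest():
        diffs = [i for i, (a, b) in enumerate(zip(first, second)) if a != b]
        problems.append(
            f"{len(diffs)} byte(s) differ between reads, first at offset 0x{diffs[0]:x}")
    if first.count(first[0]) == len(first):
        problems.append(
            f"every byte is 0x{first[0]:02x}: blank chip, or MISO/CS not connected")
    if len(first) & (len(first) - 1):
        problems.append(f"size {len(first)} is not a power of two")
    # Assumption: the third JEDEC ID byte is log2(capacity in bytes), as on many
    # SPI NOR parts (0x17 -> 8 MiB). This is a vendor convention, not a rule.
    if len(jedec_id) == 3 and jedec_id[2] < 32 and len(first) != 1 << jedec_id[2]:
        problems.append(
            f"size {len(first)} does not match JEDEC capacity byte 0x{jedec_id[2]:02x}")
    return problems

if __name__ == "__main__":
    # usage: check_dump.py read1.bin read2.bin [jedec-id-hex, e.g. ef4017]
    a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    jedec = bytes.fromhex(sys.argv[3]) if len(sys.argv) > 3 else b""
    issues = assess_dump(a, b, jedec)
    print("\n".join(issues) or "dump looks consistent")
    sys.exit(1 if issues else 0)
```

The JEDEC ID argument is the three bytes returned by the [0x9f r r r] command in the SPI section.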

I2C Mode

Enter I2C Mode

HiZ>m4
I2C speed:
 1. ~5KHz
 2. ~50KHz
 3. ~100KHz
 4. ~400KHz
(1)>3

I2C Commands

| Syntax | Description |
|--------|-------------|
| { / } | Start / Stop condition |
| [ / ] | Start / Stop (with repeats) |
| r | Read byte |
| 0x?? | Write byte |
| (1) | Search for I2C devices |

# Scan for I2C devices (address search)
I2C>(1)
# Shows all responding addresses

# Read EEPROM (24C02) at address 0xA0
I2C>[0xa0 0x00][0xa1 r:16]
# Write address pointer, then read 16 bytes

# Write to EEPROM
I2C>[0xa0 0x00 0x48 0x65 0x6c 0x6c 0x6f]
# Write "Hello" starting at address 0x00

# Read temperature sensor (LM75)
I2C>[0x90 0x00][0x91 r:2]

# Read accelerometer (MPU6050)
I2C>[0xd0 0x75][0xd1 r]   # Read WHO_AM_I register

UART Mode

Enter UART Mode

HiZ>m3
Set baud rate:
 1. 300
 2. 1200
 3. 2400
 4. 4800
 5. 9600
 6. 19200
 7. 38400
 8. 57600
 9. 115200
 10. Custom
(9)>9
Data bits and parity:
 1. 8, NONE
 2. 8, EVEN
 3. 8, ODD
 4. 9, NONE
(1)>1
Stop bits:
 1. 1
 2. 2
(1)>1
Receive polarity:
 1. Idle 1
 2. Idle 0
(1)>1
Output type:
 1. Open drain
 2. Normal
(1)>2

UART Commands

# Start UART bridge mode (transparent passthrough)
UART>(1)
# Now acts as USB-to-UART adapter
# Type characters to send to target
# Ctrl+C to exit bridge mode

# Send data
UART>0x41 0x54 0x0d 0x0a    # Send "AT\r\n"

# Live monitor (macro 2)
UART>(2)

# UART speed detection
UART>~     # Auto-detect baud rate

# Send string
UART>"Hello World" 0x0d 0x0a

1-Wire Mode

HiZ>m2

# Search for 1-Wire devices (ROM search)
1-WIRE>(1)
# Returns 64-bit ROM codes of all devices

# Read DS18B20 temperature sensor
1-WIRE>{0xcc 0x44}     # Skip ROM, start conversion
# Wait 750ms
1-WIRE>{0xcc 0xbe r:9} # Skip ROM, read scratchpad
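
The nine bytes returned by r:9 carry the temperature, the configuration register and a CRC. The decoder below is an added example, not part of the original cheat sheet: it verifies the Dallas CRC-8, rejects an all-zero read, and flags the 85 C power-on value that appears when the conversion wait is skipped. The sample bytes are constructed.

```python
def dallas_crc8(data: bytes) -> int:
    """Dallas/Maxim CRC-8 (x^8 + x^5 + x^4 + 1), bit-reflected, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8C if crc & 1 else crc >> 1
    return crc

def decode_scratchpad(sp: bytes):
    """Return (temperature in deg C, warning or None) for the 9 bytes from r:9."""
    if len(sp) != 9:
        raise ValueError(f"expected 9 bytes, got {len(sp)}")
    if sp == bytes(9):
        # All-zero data also yields CRC 0, so it must be rejected explicitly.
        raise ValueError("all zeros: data line held low or no device answered")
    if dallas_crc8(sp[:8]) != sp[8]:
        raise ValueError("CRC mismatch: bus noise, missing pull-up or wrong wiring")
    resolution = 9 + ((sp[4] >> 5) & 0x03)        # config register bits R1:R0
    raw = int.from_bytes(sp[0:2], "little", signed=True)
    raw &= ~((1 << (12 - resolution)) - 1)         # low bits undefined below 12-bit
    warning = None
    if sp[0:2] == b"\x50\x05":
        warning = "85.0 C is the power-on value: conversion may not have run"
    return raw / 16.0, warning

# Constructed sample: the scratchpad a DS18B20 holds right after power-on.
SAMPLE = bytes.fromhex("50054b467fff0c101c")

if __name__ == "__main__":
    print(decode_scratchpad(SAMPLE))
```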

Advanced Usage

Voltage Measurement

# Read voltage on ADC pin
HiZ>d
# Shows voltage on ADC pin (0-6V range)

# Continuous voltage monitoring
HiZ>D
# Updates continuously, Ctrl+C to stop

Power Supply Control

# Turn on power supplies
HiZ>W
# Outputs 3.3V on pin 2 and 5V on pin 3

# Turn off
HiZ>w

# Pull-up resistors (use VPU pin as reference voltage)
# Connect VPU to desired voltage (3.3V or 5V)
HiZ>P     # Enable pull-ups
HiZ>p     # Disable pull-ups

Frequency Counter and Generator

# Measure frequency on AUX pin
HiZ>f
# Shows frequency in Hz

# Generate PWM on AUX pin
HiZ>g
# Enter frequency and duty cycle

Logic Analyzer Mode

# Use with sigrok/PulseView
# Install sigrok
sudo apt install sigrok pulseview

# Bus Pirate as logic analyzer (SUMP protocol)
# Enter raw bitbang mode, then use SUMP client

# In PulseView:
# Select "Openbench Logic Sniffer / Bus Pirate"
# Set serial port and sample rate

Scripting with Python (pyBusPirate)

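from pyBusPirateLite.SPI import SPI

# Connect to Bus Pirate
spi = SPI('/dev/ttyUSB0', 115200)
spi.pins = SPI.PIN_POWER | SPI.PIN_CS
spi.config = SPI.CFG_PUSH_PULL | SPI.CFG_CLK_EDGE
spi.speed = '1MHz'

# SPI transaction: assert chip select, clock out 0x9F plus three dummy bytes
spi.cs = True
response = spi.transfer([0x9F, 0x00, 0x00, 0x00])
spi.cs = False
# The first byte is clocked in while the command is sent; the ID is bytes 1-3
print(f"JEDEC ID: {bytes(response[1:4]).hex()}")

spi.disconnect()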

Configuration

Output Format

# Set output display format
HiZ>o
 1. HEX
 2. DEC
 3. BIN
 4. RAW
(1)>1

Bitbang Mode

# Enter binary/bitbang mode (for scripting)
# Send 0x00 twenty times to enter bitbang mode
# Then use binary protocol for automated control
# Mode bytes: 0x01=SPI, 0x02=I2C, 0x03=UART, 0x04=1-Wire
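
The binary-mode handshake described above, as an added example that is not part of the original cheat sheet. The reply strings (BBIO1, SPI1), the chip-select, bulk-transfer and configuration bytes come from the Bus Pirate v3 binary SPI protocol rather than from this page, and port is assumed to be any object with write(bytes) and read(n), such as a pyserial Serial opened at 115200 baud with a read timeout.

```python
def expect(port, n, want, what):
    """Read n bytes and fail loudly if the Bus Pirate did not acknowledge."""
    got = port.read(n)
    if got != want:
        raise IOError(f"{what}: expected {want!r}, got {got!r}")

def enter_spi(port):
    """Send 0x00 up to 20 times until 'BBIO1' comes back, then 0x01 for SPI."""
    for _ in range(20):
        port.write(b"\x00")
        if port.read(5) == b"BBIO1":
            break
    else:
        raise IOError("no BBIO1 banner: wrong port or no binary-mode support")
    port.write(b"\x01")
    expect(port, 4, b"SPI1", "SPI mode")
    # 0x49: power supply on, CS high. 0x8A: 3.3 V push-pull, clock idle low,
    # output on active-to-idle edge, sample in the middle.
    for cmd in (0x49, 0x8A):
        port.write(bytes([cmd]))
        expect(port, 1, b"\x01", f"config 0x{cmd:02x}")

def spi_xfer(port, tx):
    """One chip-select framed transfer of 1..16 bytes; returns the bytes read."""
    if not 1 <= len(tx) <= 16:
        raise ValueError("a bulk transfer carries 1 to 16 bytes")
    port.write(b"\x02")                                  # CS low
    expect(port, 1, b"\x01", "CS low")
    port.write(bytes([0x10 | (len(tx) - 1)]) + bytes(tx))
    expect(port, 1, b"\x01", "bulk transfer")
    rx = port.read(len(tx))
    port.write(b"\x03")                                  # CS high
    expect(port, 1, b"\x01", "CS high")
    if len(rx) != len(tx):
        raise IOError(f"short read: {len(rx)} of {len(tx)} bytes")
    return rx

def read_jedec_id(port):
    """0x9F plus three dummy bytes; the first reply byte is discarded."""
    return spi_xfer(port, [0x9F, 0x00, 0x00, 0x00])[1:]
```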

Troubleshooting

| Issue | Solution |
|-------|----------|
| No response from target | Check wiring, verify voltage levels, add pull-ups |
| Garbage on UART | Wrong baud rate; try auto-detect with ~ |
| I2C no devices found | Check SDA/SCL wiring, enable pull-ups (P) |
| SPI flash not detected | Verify CS polarity, check clock speed/polarity |
| Bus Pirate not recognized | Check USB cable (data-capable), install drivers |
| Self-test fails | Check for shorts, update firmware |
| flashrom timeout | Reduce SPI speed, check connections |
| Voltage too low | Bus Pirate max output: 150mA; use external supply |

Self-Test

# Run built-in self-test
HiZ>~
# Follow instructions to connect pins for loopback test
# Tests voltage regulators, I/O pins, pull-ups
# All tests should show PASS

Wiring Tips

# Always connect GND first
# Match voltage levels (3.3V target = 3.3V Bus Pirate)
# Keep wires short (< 15cm) for high-speed protocols
# Use pull-up resistors for I2C (4.7K typical)
# Add 100nF decoupling capacitor near target
# Never connect Bus Pirate to powered target without GND