05 Dec

Bus Pirate

Bus Pirate is an excellent tool for hardware hacking and troubleshooting. I'm not going to go into deep detail about this magnificent device since all of it is well documented. It is cheap and open source, and you can make your own.



We got our board a while ago from Dangerous Prototypes. It is just a bare PCB, so sourcing all the parts was the next thing to do. Bus Pirate uses some 0603 parts; even though these are small, they are doable by hand soldering. We did not have direct access to the proper parts via our local distributors. For example, instead of a TSSOP-14 package of the 4066 switch we used an SOP-14 package. It was glued and soldered using the dead-bug technique (the chip is placed upside down) and hack-wired onto the pads. It quickly turned out that this is not a recommended method; it was pretty hideous to solder all that wiring. We ordered and installed the right TSSOP-14 package. In the picture you can see the remains of "the dead bug" lurking behind a connection socket.

Another problem came up while testing the Bus Pirate. It did not pass all the tests; namely, the regulated 5V and 3V3 power lines were faulty. The regulators we were using were MCP1804 ones from Microchip instead of the listed MCP1801. At first glance they look the same from a feature point of view, but take a look at the pinouts: pins 3 and 4, NC (not connected) and SHDN (shutdown), are swapped. SHDN is active-low, and the regulators are controlled by the PIC driving the SHDN pin HIGH. With the MCP1804, the PIC is now connected to the NC pin. This was easy to fix: just a bit of hack wire between the NC and SHDN pins.

Flashing Firmware

Once the parts are soldered, the Bus Pirate is ready for duty. Or did we miss something? The body is OK, but the soul is missing. To bring the Bus Pirate to life, let's flash firmware into it. The PCB contains an ICSP header where you can plug in your favourite programming device. We have a PICkit 3, and that is what we use.


First we flash a bootloader into the Bus Pirate. This allows us to load firmware via USB using ds30 Loader. Note that the FTDI drivers need to be installed when connecting the BP to USB.

Next we plug in a jumper to wake up the bootloader, fire up the ds30 Loader application and program the firmware.


Now we should be able to communicate with the BP via a console. Hitting Enter on the console screen yields a command prompt. Note that if you are using Tera Term and nothing shows up, remember to change the baud rate to 115200: Setup --> Serial Port.



So what can you do with the Bus Pirate? In the first example we use the BP and AVRDUDE to burn the fuses of an ATmega328P microcontroller. Greater details can be found here. To calculate fuses we prefer this online calculator. Here is an example command:

avrdude -c buspirate -p m328p -P COM6 -v -U lfuse:w:0x62:m -U hfuse:w:0x99:m -U efuse:w:0xFF:m -U lock:w:0xFF:m


For a more detailed example, let's connect the Bus Pirate to an MCP7940M RTC and see if we can read/write something to the MCP7940M's SRAM. To communicate with the RTC we need the I2C protocol. The schematic below shows an example of connecting the Bus Pirate to the RTC.


Connect (BP) MOSI <--> SDA (RTC), (BP) CLK <--> SCL (RTC) and (BP) GND <--> GND (RTC). You may power the RTC from the BP or from whatever source you want.

Next, we start the Tera Term console and put the Bus Pirate into I2C mode. In this example, we are going to write one byte to the RTC's SRAM and read it back. More details can be found in the datasheet (p. 30). There are two addresses to remember while communicating with this RTC. The first one, 0xDE, which the Bus Pirate also finds when using the (1) command (see pic below), is the write address. The second one, 0xDF, is the read address (the datasheet refers to these as control bytes).


SRAM starts at 0x20. To read that address, we first type '[', which is the I2C start bit, followed by the write control byte 0xDE and the address 0x20. Now the register pointer points to that address. We send a second start bit by typing '[', followed by the control byte 0xDF, which indicates that we would like to read from address 0x20. The read is done with 'r:1', which reads one byte. We end the read with the stop bit ']'.


The byte we read was 0xFF. How about writing? Writing works the same way. Start with the start bit, followed by the write control byte, the address to write to, and the byte to be written, i.e. 0x01. We don't need another start bit since we are already in "write mode". We end the command with the stop bit:

  [0xde 0x20 0x01]

If you type another read command for 0x20, you can see that the location now contains our byte 0x01. The time registers start at 0x00. There is no difference in reading and writing these registers. Remember, however, that the time bytes are BCD-coded and some of them contain additional control bits, so you need to mask those control bits and convert the values to decimal numbers.
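As an added example (not from the original post), the Python below builds the Bus Pirate I2C terminal commands from the steps above for any register and byte count, and shows the control-bit masking and BCD conversion the time registers need, in both directions. The control bits it masks (ST in the seconds register, the 12/24 and AM/PM bits in the hours register, OSCRUN in the weekday register, LPYR in the month register) are my reading of the MCP7940M datasheet and should be checked against it before use; the weekday numbering (ISO, Monday = 1) is a convention I chose, since the chip leaves the 1..7 mapping to the user. The 7-byte register image is constructed for the demo, not captured from a device.

```python
# Added example (not from the original post): Bus Pirate I2C command strings
# for the MCP7940M plus decode/encode of its time registers.
# Register bit layout below is my reading of the MCP7940M datasheet (assumption).
from datetime import datetime

WRITE_CTRL = 0xDE   # write control byte (from the post)
READ_CTRL = 0xDF    # read control byte (from the post)
SRAM_BASE = 0x20    # SRAM starts here (from the post)
TIME_BASE = 0x00    # time registers start here (from the post)

# Control bits mixed into the time registers (assumed layout):
ST = 0x80       # RTCSEC bit 7: oscillator start
H12 = 0x40      # RTCHOUR bit 6: 12-hour mode when set
PM = 0x20       # RTCHOUR bit 5: PM flag, only meaningful in 12-hour mode
OSCRUN = 0x20   # RTCWKDAY bit 5: oscillator running (read-only status)
LPYR = 0x20     # RTCMTH bit 5: leap-year flag (read-only status)

# Constructed register image for 2015-12-05 13:30:45, Saturday, oscillator running.
CONSTRUCTED_REGS = bytes([0xC5, 0x30, 0x13, 0x26, 0x05, 0x12, 0x15])


def bp_i2c_read(reg, count=1):
    """Bus Pirate command: set register pointer, repeated start, read count bytes."""
    return f"[0x{WRITE_CTRL:02X} 0x{reg:02X} [0x{READ_CTRL:02X} r:{count}]"


def bp_i2c_write(reg, data):
    """Bus Pirate command: write the bytes in data starting at reg in one transaction."""
    payload = " ".join(f"0x{b:02X}" for b in data)
    return f"[0x{WRITE_CTRL:02X} 0x{reg:02X} {payload}]"


def bcd_to_int(b):
    return ((b >> 4) & 0x0F) * 10 + (b & 0x0F)


def int_to_bcd(n):
    return ((n // 10) << 4) | (n % 10)


def decode_time(regs):
    """Decode the 7 bytes read from 0x00..0x06 into a datetime plus status flags."""
    sec, mn, hr, wkday, date, mth, yr = regs[:7]
    if hr & H12:                          # 12-hour mode: tens digit is one bit, PM is bit 5
        hours = bcd_to_int(hr & 0x1F)
        if hr & PM and hours != 12:
            hours += 12
        elif not hr & PM and hours == 12:
            hours = 0
    else:                                 # 24-hour mode: tens digit uses bits 5:4
        hours = bcd_to_int(hr & 0x3F)
    when = datetime(2000 + bcd_to_int(yr),          # two-digit year, 20xx assumed
                    bcd_to_int(mth & 0x1F),         # mask LPYR
                    bcd_to_int(date & 0x3F),
                    hours,
                    bcd_to_int(mn & 0x7F),
                    bcd_to_int(sec & 0x7F))         # mask ST
    return {"time": when, "weekday": wkday & 0x07,  # mask OSCRUN and upper bits
            "osc_started": bool(sec & ST), "osc_running": bool(wkday & OSCRUN)}


def encode_time(when, start_osc=True):
    """Bytes to write at 0x00 for when, in 24-hour mode; ST set so the oscillator runs."""
    return bytes([int_to_bcd(when.second) | (ST if start_osc else 0),
                  int_to_bcd(when.minute),
                  int_to_bcd(when.hour),
                  when.isoweekday(),                # chosen convention: Monday = 1
                  int_to_bcd(when.day),
                  int_to_bcd(when.month),
                  int_to_bcd(when.year % 100)])


if __name__ == "__main__":
    print(bp_i2c_read(SRAM_BASE))                   # the SRAM read from the post
    print(bp_i2c_write(SRAM_BASE, [0x01]))          # the SRAM write from the post
    print(bp_i2c_read(TIME_BASE, 7))                # read all seven time registers
    print(decode_time(CONSTRUCTED_REGS))
    print(bp_i2c_write(TIME_BASE, encode_time(decode_time(CONSTRUCTED_REGS)["time"])))
```

The read helper reproduces the two-start-bit sequence from the post (pointer write, repeated start, read), so a single r:7 from 0x00 fetches all the time registers in one transaction instead of one byte at a time; the decoder then strips ST, the 12/24 and PM bits, OSCRUN and LPYR before the BCD conversion, which is the masking step the post warns about.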

Improving writing/reading speed

As you may have noticed, it took quite a lot of time to program the MCU. This is not very practical for serious development, e.g. firmware where you are constantly testing your code on the MCU. You can spend your precious time finding a solution to improve the writing/reading speed. If you find one, please let us know.

However, what you can do is change what the Bus Pirate hardware runs: instead of using the Bus Pirate firmware, flash the STK500 firmware, which is also available in the BP firmware package.


Writing at 1.9 kB/s is still kind of slow, but about 60 times faster than with the original BP firmware (30 bytes/s).