Documentation

• 1: Getting Started
• 2: How to use
• 3: Unbrick
• 4: Binary I/O
• 5: Firmware Update
• 6: AVRDude
• 7: Flashrom

1 - Getting Started

Just bought a full Buzzpirat kit with everything included and want to start using it, but have no idea about mathematics, electronics, or hardware hacking? This is your starting point, let’s go!

What is the Buzzpirat?

The Buzzpirat is a hardware hacking tool that allows you to talk with chips. It is based on the Bus Pirate v3, a universal bus interface that talks to electronics from a computer serial terminal. The Buzzpirat is a Bus Pirate clone with a few modifications to make it more secure+complete for hardware hacking

What is hardware hacking?

Hardware Hacking is the art of breaking and/or modifying electronics for fun, profit, and the advancement of technology. Hardware hacking is not limited to electronics, but it often is. Other examples of hardware hacking include modifying cars, bicycles, and other mechanical systems.

Our first time communicating with a chip

Let’s start with a simple example. We will use the Buzzpirat to communicate with a chip and read its content. For this example, we will use a AT24C256 I2C EEPROM 5V board. This board is included in our full kit for practice purposes. You can purchase another one on Aliexpress, Amazon, or eBay.

Intimidated by seeing a schematic and a board with lots of strange components? Don’t worry, we’ll take it step by step to understand what’s going on.

For this case, simply use the official Buzzpirat cables with the female Dupont connector they come with; there’s no need to use SMD IC clips. Connect the Buzzpirat to the AT24C256 board by attaching the +5v(SW5V0) to VCC, CLK to SCL, MOSI(SDA) to SDA, and GND to GND, ensuring each connection is secure for proper functionality.

2 - How to use

Once you have understood the ‘Getting Started’ section, here you can delve deeper into the use of Buzzpirat.

The Buzzpirat is controlled by text commands entered through the serial terminal. If the terminal is blank, press enter to show the command prompt. Press ‘?’, followed by enter, to show the help menu.

Menus configure various Buzzpirat options like pull-up resistors, terminal speed, data display format (DEC, HEX, BIN), etc. Type the menu command, followed by enter, to display the options. Syntax is used to interact with a device connected over a bus. Commands are mostly single characters, such as ‘r’ to read a byte. Enter up to 4000 characters of syntax, press enter to execute the sequence.

Most menus have a default option shown in () before the prompt:

Output type:
1. High-Z outputs (H=input, L=GND)
2. Normal outputs (H=Vcc, L=GND)
(1) > <<< option 1 is the default

Press enter to select the default option.

Terminal

Talk to the Buzzpirat from a serial terminal set to 115200bps, 8/N/1

The Buzzpirat understands some VT-100 (ANSI C0) terminal emulation.

Configuration commands

‘?’ Help menu with latest menu and syntax options

Print a help screen with all available menu and syntax options in the current firmware and hardware.

HiZ>?
 General                                        Protocol interaction
 ---------------------------------------------------------------------------
 ?      This help                       (0)     List current macros
 =X/|X  Converts X/reverse X            (x)     Macro x
 ~      Selftest                        [       Start
 #      Reset the BP                    ]       Stop
 $      Jump to bootloader              {       Start with read
 &/%    Delay 1 us/ms                   }       Stop
 a/A/@  AUXPIN (low/HI/READ)            "abc"   Send string
 b      Set baudrate                    123
 c/C    AUX assignment (aux/CS)         0x123
 d/D    Measure ADC (once/CONT.)        0b110   Send value
 f      Measure frequency               r       Read
 g/S    Generate PWM/Servo              /       CLK hi
 h      Commandhistory                  \       CLK lo
 i      Versioninfo/statusinfo          ^       CLK tick
 l/L    Bitorder (msb/LSB)              -       DAT hi
 m      Change mode                     _       DAT lo
 o      Set output type                 .       DAT read
 p/P    Pullup resistors (off/ON)       !       Bit read
 s      Script engine                   :       Repeat e.g. r:10
 v      Show volts/states               .       Bits to read/write e.g. 0x55.2
 w/W    PSU (off/ON)            <x>/<x= >/<0>   Usermacro x/assign x/list all
 e/E    TP0 (input-low+READ/output-low) (TP0 is connected to VPU)
HiZ>

‘i’ Hardware, firmware, microcontroller version information

The information menu displays the hardware, firmware, and microcontroller version.

HiZ> i
Buzzpirat v3.5 <<<hardware version
Community Firmware v7.1 - buzzpirat.com by Dreg LASTDEV [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5 <<<firmware and bootloader version, project webpage
DEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8) <<<PIC device ID and revision
http://dangerousprototypes.com <<<dangerousprototypes webpage

HiZ>

If a bus mode is configured additional information about the configuration options is printed.

*----------*
POWER SUPPLIES OFF
Voltage monitors: 5V: 0.0 | 3.3V: 0.0 | VPULLUP: 0.0 |
a/A/@ controls AUX pin
Normal outputs (H=V+, L=GND)
Pull-up resistors ON
MSB set: MOST sig bit first

* ----------*
RAW2WIRE>

’m’ Set bus mode (1-Wire, SPI, I2C, JTAG, UART, etc)

Select a bus mode. The command resets the Buzzpirat and immediately disables all pins, pull-up resistors, and power supplies.

The default mode is HiZ, a safe mode with all pins set to high-impedance and all peripherals disabled.

HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)>

‘h’ Command history

The previous 10 commands can be replayed from the command history menu.

SPI> h
1. h
2. [10 r:3]
3. m
4. i
x. exit

(0)> 2 <<<replay #2
CS ENABLED
WRITE: 0x0A
READ: 0x00 0x00 0x00
CS DISABLED
SPI>

‘c’/‘C’ Toggle AUX control between AUX and CS/TMS pins

Sometimes it’s useful to control the CS pin from the user terminal. The c/C configures the a/A/@ commands to control the AUX or CS pins.

3WIRE> c
a/A/@ controls AUX pin
3WIRE> C
a/A/@ controls CS/TMS pin
3WIRE>

’l’/‘L’ Set MSB/LSB first in applicable modes

The l/L command determines the bit order for reading and writing bytes in some bus modes. The bitorder command is available in all modes

3WIRE> l
MSB set: MOST sig bit first
3WIRE> L
MSB set: LEAST sig bit first
3WIRE>

‘o’ Data display format (DEC, HEX, BIN, or raw)

The Buzzpirat can display values as hexadecimal, decimal, binary, and a raw ASCII byte. Change the setting in the data display format menu (o). The default display format is HEX.

The RAW display mode sends values to the terminal as raw byte values without any text conversion. This is useful for ASCII serial interfaces. It can also be used to speed up the display of bus sniffers and other high-speed functions where converting raw bytes to text takes too much time. Adjust the display format in your serial terminal to see the raw values as HEX/DEC/BIN.

HiZ> o
1. HEX
2. DEC
3. BIN
4. RAW

(1)>
Display format set
HiZ>

‘b’ Set PC side serial port speed

Adjust the speed of the serial port facing the computer (and USB->serial converter chip).

After choosing a speed you must adjust the serial terminal and press space to continue. The Buzzpirat will pause until the space key is pressed to verify that the terminal speed is correct.

(9)> 10
Enter raw value for BRG

(34)> 34
Adjust your terminal
Space to continue
HiZ>

There is an option to set a custom baud rate with a raw BRG value. The value can be calculated according to the datasheet or with a utility (key constants: PIC24, 32MHz/16MIPS, BRGH=1): https://github.com/therealdreg/buzzpirat/tree/main/bin/picbaud/

230400 baud is ‘16’ (2.2% error) 460800 baud is ‘8’ (3.3% error) 921600 baud is ‘3’ (8.51% error) One thing to note is that on some early PIC revisions (A3) the UART is weird and the exact values won’t work. On these chips try a value +/-1.

HiZ> b
Set serial port speed: (bps)
1. 300
2. 1200
3. 2400
4. 4800
5. 9600
6. 19200
7. 38400
8. 57600
9. 115200
10. BRG raw value

(9)>
Adjust your terminal
Space to continue
HiZ>

‘~’ Perform a self-test

Perform a hardware self-test. Requires jumpers between +5 and Vpu, +3.3 and ADC.

HiZ> ~
Disconnect any devices
Connect (Vpu to +5V) and (ADC to +3.3V)
Space to continue

‘#’ Reset

Reset the Buzzpirat.

HiZ>#
RESET

Buzzpirat v3.5
Community Firmware v7.1 - buzzpirat.com by Dreg LASTDEV [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5
DEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8)
http://dangerousprototypes.com
HiZ>

‘$’ Jump to bootloader

Bootloader v4.5 will respond with a version string if a key is pressed while it’s active.

HiZ> $
Are you sure? y
BOOTLOADER

Enter the bootloader for a firmware update without connecting the PGC and PGD pins. Remember to disconnect your terminal program before the upgrade.

BL4+BL4+

Utilities commands

‘w’/‘W’ Power supplies (off/ON)

Toggle the switchable 1.8volt, 2.5volt, 3.3volt and 5.0volt power supplies with the w/W command. Capital ‘W’ enables the supplies, lowercase ‘w’ disables them. The power supplies on the Buzzpirat can supply up to 300mA

1-WIRE> w
POWER SUPPLIES OFF
1-WIRE> W
POWER SUPPLIES ON
1-WIRE>

‘v’ Power supply voltage report

The voltage report shows the current state of all the Buzzpirat pins and peripherals.

The first line is the pin number, according to the silk screen on the v3 PCB, and the wire color. T

The second line is the pin function in the current bus mode. The power supplies (1.8v, 2.5v, 3.3v, 5.0v), ADC, Vpu, and AUX pins are available in all modes. The other four pins will differ depending on the mode. In 1-Wire mode only one pin is used, one wire data (OWD).

The third line shows the current direction of each pin. I is an input pin, O is an output pin, P is a power supply.

The fourth line shows the current state of each pin. A voltage measurement is displayed for analog pins. The current pin reading, H high and L low, is printed for each digital pins.

I2C>v
Pinstates:
1.(BR)  2.(RD)  3.(OR)  4.(YW)  5.(GN)  6.(BL)  7.(PU)  8.(GR)  9.(WT)  0.(Blk)
GND     3.3V    5.0V    ADC     VPU     AUX     SCL     SDA     -       -
P       P       P       I       I       I       I       I       I       I
GND     3.31V   4.87V   0.00V   2.44V   L       H       H       H       H

1.(BR)  2.(RD)  3.(OR)
2.5V    1.8V    TP0
P       P       I
2.50V   1.79V   H
I2C>

‘p’/‘P’ Pull-up resistors

p and P toggle the pull-up resistors off and on.

The on-board pull-up resistors must be powered through the Vpullup pin of the IO header. A warning is displayed if there’s no voltage on the Vpullup pin. Check the voltage report (‘v’) and verify that Vpu is attached to a power supply. See the practical guide to Buzzpirat pull-up resistors for a simple introduction.

Pull-up resistors are generally used with open collector/open drain bus types. A warning is displayed when the pull-ups are enabled if the Buzzpirat is configured for normal pin output.

I2C>P
Pull-up resistors ON
I2C>

‘f’ Measure frequency on the AUX pin

Measures frequency from 0Hz to 40MHz on the AUX pin, the method is an actual 1 second tick count. If the frequency is lower than a few MHz, the Buzzpirat does an ‘autorange’ and measures the frequency again for an additional second.

2WIRE> f
Frequency on AUX pin: autorange 50,283 Hz
2WIRE>

‘g’ Frequency generator/PWM on the AUX pin

Enable the frequency generator with g, then set frequency and duty cycle. Frequencies from 1kHz to 4MHz are possible. Use g again to disable the PWM.

Note that the resolution at 4MHz is only 1 bit. Anything other than 50% duty cycle will be 100% off or 100% on.

2WIRE> g
1KHz-4,000KHz PWM/frequency generator
Frequency in KHz
(50)> 2000
Duty cycle in %
(50)>
PWM active
2WIRE> g
PWM disabled
2WIRE>

‘S’ Servo

S positions the servo arm to the desired angle, 0-180 degrees. The servo value can be updated as needed, press enter or x to exit. Use ‘S’ or ‘g’ again to disable the servo.

1-WIRE>S
Position in degrees
(90)>20
Servo active
(x)>100
Servo active
(x)>30
Servo active
(x)>
1-WIRE>S
PWM disabled
1-WIRE>S 90 %:5000 S 180
Servo active
DELAY 5000ms
Servo active
1-WIRE>

‘=’ Convert to HEX/DEC/BIN number format

Base conversion command, available in all modes. Press ‘=’ and enter any byte value to see the HEX/DEC/BIN equivalent. Firmware v2.1+

2WIRE> =0b110
0x06 = 6 = 0b00000110
2WIRE> =0xa
0x0A = 10 = 0b00001010
2WIRE> =12
0x0C = 12 = 0b00001100
2WIRE>

‘|’ Reverse bits in byte

Reverse bit order in byte X. Displays the HEX/DEC/BIN value of the reversed byte.

I2C> |0b10101010
0x55 = 85 = 0b01010101
I2C> |0b10000000
0x01 = 1 = 0b00000001
I2C> |1
0x80 = 128 = 0b10000000
I2C>

’s’ BASIC script engine

Simple BASIC scripts can automate repetitive and tedious tasks.

2WIRE> s
2WIRE(BASIC)> list

65535 bytes.
Ready.
2WIRE(BASIC)>

’d’/‘D’ Measure from voltage probe (once/CONTINUOUS)

A lowercase d takes a measurement from the voltage measurement probe (ADC pin on the IO header).

A capital D takes continuous measurements from the voltage probe, press any key to exit.

The Buzzpirat voltage probe can measure up to 6.0volts (max 6.6volts, but with some margin for error).

HiZ> d
VOLTAGE PROBE: 3.31V
HiZ> D
VOLTMETER MODE
Any key to exit
VOLTAGE PROBE: 3.30V

‘a’/‘A’/’@’ Control axillary pin (low/HIGH/read)

The axillary pin is a general purpose digital pin that can be controlled from the Buzzpirat terminal. Capital A makes it a 3.3volt output (25mA max). Lowercase a makes it sink to ground (25mA max). @ makes in an input and reads the current state (5volt maximum input).

a/A/@ can also be used to control the CS pin using the ‘c’/‘C’ commands.

UART> A
AUX HIGH
UART> a
AUX LOW
UART> @
AUX INPUT/HI-Z, READ: 0
UART>

Macros, user macros

Macros perform complex actions, like scanning for I2C addresses, interrogating a smart card, or probing a JTAG chain. Macros are numbers entered inside (). Macro (0) always displays a list of macros available in the current bus mode.

(0) List mode macros

I2C> (0)
0.Macro menu
1.7bit address search
2.I2C sniffer
I2C>

Macro (0) always displays a list of macros available in the current bus mode.

(#) Run macro

I2C>(1)<<<I2C search macro
Searching 7bit I2C address space.
Found devices at:
0xA0(0x50 W) 0xA1(0x50 R)
I2C>

Execute a macro by typing the macro number between ().

<x= > Assign user macro

I2C> <1=[0xa1 r:8]>
I2C>

5 user macros can be stored to automate common commands. Each position can store 32 chars (including space).

<0> List user macros

I2C> <0>
1. <[0xa1 r:8]>
2. <>
3. <>
4. <>
5. <>
I2C>

User macro <0> lists the currently stored use macros.

<#> Run user macro

I2C> <1>
I2C> [0xa1 r:8]

Enter the macro number to recall the command. Press enter to execute.

Bitwise bus commands

Bitwise commands are only available in certain bus modes.

‘^’ Send one clock tick

2WIRE> ^
CLOCK TICK
2WIRE>

Send one clock tick. ^:1…255 for multiple clock ticks.

‘/’ or ‘\’ Toggle clock level high (/) and low (\)

2WIRE> /\
CLOCK, 1
CLOCK, 0
2WIRE>

Set the clock signal high or low. Includes clock delay.

‘-’ or ‘_’ Toggle data state high (-) and low (’_’)

2WIRE> -_
DATA OUTPUT, 1
DATA OUTPUT, 0
2WIRE>

Set the data signal high or low. Includes data setup delay

‘!’ Read one bit with clock

2WIRE> !
READ BIT:
0 *pin is now HiZ
2WIRE>

Send one clock tick and read one bit from the bus.

On a bus with a bi-directional data line (raw2wire, 1-Wire), the data pin is left as a high-impedance input after this command.

‘.’ Read data pin state (no clock)

2WIRE> .
0 *pin is now HiZ
2WIRE>

Make the data pin an input and read, but do not send a clock. This can be used as /.\ to achieve the same thing as the ! command.

On a bus with a bi-directional data line (raw2wire, 1-wire), the data pin is left as a high-impedance input after this command.

Bus interaction commands

These commands actually manipulate the bus and interacts with chips. These commands have the same general function in each bus mode, such as ‘r’ to read a byte of data. See the individual bus mode guides for each protocol.

‘{’ or ‘[’ Bus start condition

I2C> [
I2C START BIT
I2C>

This command generally starts bus activity. In various modes it starts (I2C), selects (SPI), resets (1-wire), or opens (UART).

‘]’ or ‘}’ Bus stop condition

SPI> ]
CS DISABLED
SPI>

This command generally stops bus activity. In various modes it stops (I2C), deselects (SPI), or closes (UART).

‘r’ Read byte

I2C> r
READ: 0x00
I2C> r:3
READ: ACK 0x00 ACK 0x00 ACK 0x00
I2C>

r reads a byte from the bus. Use with the repeat command (r:1…255) for bulk reads.

0b01 Write this binary value

I2C> 0b1001
WRITE: 0x09 ACK
I2C> 0b1001:2
WRITE: 0x09 ACK 0x09 ACK
I2C>

Enter a binary value to write it to the bus.

Binary values are commonly used in electronics because the 1’s and 0’s correspond to register ‘switches’ that control various aspects of a device. Enter a binary number as 0b and then the bits. Padding 0’s are not required, 0b00000001=0b1. Can be used with the repeat command.

0x01 Write this HEX value

SPI> 0x15
WRITE: 0x15
SPI> 0xfa:5
WRITE: 0xFA 0xFA 0xFA 0xFA 0xFA
SPI>

Enter a HEX value to write it to the bus.

Hexadecimal values are base 16 numbers that use a-f for the numbers 10-15, this format is very common in computers and electronics. Enter HEX values as shown above, precede the value with 0x or 0h. Single digit numbers don’t need 0 padding, 0x01 and 0x1 are interpreted the same. A-F can be lower-case or capital letters.

0-255 Write this decimal value

SPI> 18
WRITE: 0x12
SPI> 13:5
WRITE: 0x0D 0x0D 0x0D 0x0D 0x0D
SPI>

Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value and sent to the bus.

Decimal values are common base 10 numbers. Just enter the value, no special designator is required.

“abc” Write this ASCII string

SPI> "abcd"
WRITE: "abcd"
SPI>

The ASCII values enclosed in "" are sent to the bus.

’ ’ (space), Value delimiter

SPI> [1 2,3rr]
CS ENABLED
WRITE: 0x01
WRITE: 0x02
WRITE: 0x03
READ: 0x0A
READ: 0x0A
CS DISABLED
SPI>

Use a coma or space to separate numbers. Any combination is fine, no delimiter is required between non-number values.

‘&’/’%’ Delay 1uS/MS

SPI> &
DELAY 1us
SPI> &:10
DELAY 10us
SPI> %
DELAY 1ms
SPI> %:10
DELAY 10ms
SPI>

& delays 1us, % delays 1ms. Use the repeat command for multiple delays.

‘:’ Repeat (e.g. r:10)

SPI> &:10
DELAY 10us
SPI> r:0b10
READ: 0x00 0x00
SPI> 5:0x3
WRITE: 0x05 0x05 0x05
SPI>

Many Buzzpirat commands can be repeated by adding ‘: ’ to a command, followed by the number of times to repeat the command. To read five byte, enter r:5, etc. The repeat values can be HEX/DEC/BIN.

‘;’ Partial (<16 bit) read/write (e.g. 0x55;3)

2WIRE> 0xaa;4
WRITE: 0x0A;4

Will write 0x0a (4 bits) to the bus.

2WIRE> 0xFFFF;12
WRITE: 0x0FFF;12

Will write 0x0FFF (12 bits) to the bus.

2WIRE> 0x55:4;2
WRITE: 0x01;2 0x01;2 0x1;2 0x01;2

Can be combined with the repeat command.

NOTE: works currently only with the raw2wire and raw3wire busses.

1-Wire

• Bus: 1-Wire (Dallas/Maxim 1-Wire protocol).
• Connections: one pin (OWD) and ground.
• Output types: open drain/open collector, pull-up resistor required.
• Pull-up resistors: always required (2K – 10K, 2K or less for parasitic power parts).
• Maximum voltage: 5.5volts (5volt safe).

1-Wire uses a single data signal wire. Most devices also require a power and ground connection. Some parts draw power parasitically through the 1-Wire bus and don’t require a separate power source.

Syntax

Macro

Notes:

1-Wire specifies a 2K or smaller resistor when working with parasitically powered devices. Since v3a the on-board pull-up resistor on MOSI are 2K. Use an external 2K pull-up resistor if you have a v2go. Parasitically powered parts may appear to work with resistors larger than 2K ohms, but will fail certain operations (like EEPROM writes).

The 1-wire reset command can detect two bus errors. If no 1-wire chips respond to the reset command by pulling the bus low, it will report *No device detected (0x02). If the bus stays low for too long after the reset, because the pull-up resistor isn’t working or there’s a short circuit, it will report *Short or no pull-up (0x01).

One wire is a time sensitive protocol. There’s no actual data wire to set high or low with the - and _ commands, so I just store the desired value and send it with the next clock tick (^).

The _ and - commands just set the data state that will be used on the next clock tick command (^). Example: previously you could write 4 high bits with -^^^, now you must use -^^^^. I feel this is more consistent with the operation of the other modes.

UART

• Bus: UART, MIDI (universal asynchronous receiver transmitter).
• Connections: two pins (RX/TX) and ground.
• Output types: 3.3volt normal output, or open collector pull-up resistors required.
• Pull-up resistors: required for open collector output mode (2K – 10K).
• Maximum Voltage: 5.5volts (5volt safe).

UART is also known as the common PC serial port. The PC serial port operates at full RS232 voltage levels (-13volts to +13volts) which are not compatible with the Buzzpirat.

Configuration options

• Speed (bps): 300, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 31250, BRG.
• Data bits and parity: 8/none, 8/even, 8/odd, 9/none.
• Stop bits: 1, 2.
• Receive polarity: idle 1, idle 0.
• Output type: open drain/open collector (high=Hi-Z, low=ground), normal (high=3.3volts, low=ground). Use open drain/open collector output types with pull-up resistors for multi-voltage interfacing.

Syntax

‘r’ read a byte

UART mode requires special handling compared to the other Buzzpirat modes because data can arrive at any time. UART mode displays framing and parity errors, and automatically clears buffer overruns.

Parity and framing errors

READ: -p -f 0×40 <<<-p -f flag set

The Buzzpirat reports framing errors (-f) and parity errors (-p) when reading a byte from the UART. It’s unlikely you’ll see these errors unless the UART speed is mismatched with the sender.

Buffer overrun errors

The Buzzpirat hardware has a four-byte UART buffer that holds data until you read it with an ‘r’ command, or until it can be printed to the terminal if live display is enabled with ‘[’. After it fills, new data will be lost. This is called a buffer overrun.

READ: 0x40 *Bytes dropped*<<<bytes dropped error

The Buzzpirat detects buffer errors, clears them, and alerts you of dropped bytes. The overrun bit is cleared any time you use the r, {, or [commands. If you close the live UART display (]) and more than 5 bytes come in, the next read command (r) will clear the error and print the bytes dropped warning.

Prevent buffer problems by reducing the amount of data the Buzzpirat transfers over USB for each byte of UART data. Raw display mode reduces the four byte hex value 0×00 to a single raw byte value. A better way is to use macro (1) or (2) to view unformatted UART output, this is a 1:1 transfer of bytes that should work at the highest possible speeds.

Custom baud rate

A custom baud rate is set with the BRG option. Use a PIC UART calculator to find the correct value.

Set the calculator with the Buzzpirat values: PIC24, 32MHz clock. Enter the desired baud rate and hit calculate. Use the value from the BRGH=1 section. For 9700bps enter 411 at the Buzzpirat BRG prompt.

Macros

Transparent UART bridge

UART>(1)<<<macro 1, transparent UART bridge
UART bridge. Space continues, anything else exits.
Reset to exit.

The transparent UART mode macro (1) creates a simple serial->USB bridge. The only way to exit this mode is to reset the Buzzpirat hardware.

Buffer overrun errors that occur during bridge mode are automatically cleared so that data continues as normal (firmware v3.0+). The MODE LED will turn off to alert you of the buffer overrun error.

Macro (3) is a second UART bridge mode that includes the CTS and RTS flow control signals. CTS is on the CS pin (PIC input from external circuit is passed to FTDI USB->serial chip). RTS is on the CLOCK pin (PIC output mirrors output from FTDI chip).

Note that the Buzzpirat serial port UART facing the computer (the one that connects to the USB->serial converter chip and sends text to your computer) is NOT adjusted to the same speed as the UART bridge. The USB-side serial port UART will continue to operate at the default setting (115200bps) unless adjusted with the ‘b’ menu.

If you use the UART bridge with a computer program that opens the virtual serial port at a different baud rate, say 9600bps, the exchange will be garbled because the Buzzpirat expects 115200bps input from the computer. Adjust the computer-side serial speed first with the ‘b’ menu, then start the serial bridge at the desired speed.

Live UART monitor

UART>(2)<<<macro 2, UART monitor
Raw UART input. Space to exit.
UART>

The UART monitor macro (2) shows a live display of UART input as raw byte values without any type of formatting. Press any key to exit the live monitor. This mode works best with a terminal that can display raw byte values in a variety of formats.

This macro is like the transparent UART macro (1) but without transmission abilities, and it can be exited with a key press. It’s useful for monitoring high-speed UART input that causes buffer overrun errors in other modes.

MIDI

MIDI is a command set used by electronic (music) instruments. It travels over a standard serial UART configured for 31250bps/8/n/1. Since firmware v2.7 MIDI is a speed option in the UART library.

MIDI is a ring network, each node has an input and output socket. Each node passes messages to the next in the ring. The input and outputs are opto-isolated. The signaling is at 5volts, 5ma (current-based signaling). An adapter is required.

Connections

Connect the Buzzpirat transmit pin (TX/MOSI) to the UART device receive pin (RX). Connect the Buzzpirat receive pin (RX/MISO) to the UART device transmit pin (TX).

For macros and modes with flow control: CTS is on the CS pin (PIC input from external circuit is passed to FTDI USB->serial chip). RTS is on the CLOCK pin (PIC output mirrors output from FTDI chip)

I2C

• Bus: I2C (eye-squared-see or eye-two-see)
• Connections: two pins (SDA/SCL) and ground
• Output types: open drain/open collector
• Pull-up resistors: pull-ups always required (2K - 10K ohms)
• Maximum voltage: 5.5volts (5volt safe)

I2C is a common 2-wire bus for low speed interfaces.

I2C implementation does not currently support clock stretching.

Configuration options

• Speed: I2C has three speed options:~50kHz, ~100kHz, and ~400kHz.

HiZ>m<<<open the mode menu
1. HiZ
…
4. I2C
…
(1) >4<<<choose I2C mode
Set speed:
1. 50KHz
2. 100KHz
3. 400kHz
(1) >1<<<choose I2C speed
I2C READY
I2C>

Pull-up resistors

I2C is an open-collector bus, it requires pull-up resistors to hold the clock and data lines high and create the data ‘1’. I2C parts don’t output high, they only pull low, without pull-up resistors there can never be a ‘1’. This will cause common errors such as the I2C address scanner reporting a response at every address. Read more about open drain/open collector bus types, and the Buzzpirat’s on-board pull-up resistors.

I2C requires pull-up resistors to hold the clock and data lines high. I2C parts don’t output high, they only pull low. Without pull-up resistors there can never be a ‘1’.

Syntax

Macro

I2C address search scanner macro

You can find the I2C address for most I2C-compatible chips in the datasheet. But what if you’re working with an unknown chip, a dated chip with no datasheet, or you’re just too lazy to look it up?

The Buzzpirat has a built-in address scanner that checks every possible I2C address for a response. This brute force method is a fast and easy way to see if any chips are responding, and to uncover undocumented access addresses.

I2C chips respond to a 7bit address, so up to 128 devices can share the same two communication wires. An additional bit of the address determines if the operation is a write to the chip (0), or a read from the chip (1).

I connected the Buzzpirat to the 3EEPROM explorer board. The 7bit base address for the 24LC/AA I2C EEPROM is 101 0000 (0x50 in HEX). It answers at the write address 1010 0000 (0xA0) and the read address 1010 0001 (0xA1).

I2C>(1)
Searching 7bit I2C address space.
Found devices at:
0xA0(0x50 W) 0xA1(0x50 R)
I2C>

Macro 1 in the I2C library runs the address scanner. The scanner displays the raw addresses the chip acknowledged (0xA0, 0xA1), and the 7bit address equivalent (0x50) with write or read bit indicators (W/R). Datasheets usually list the 7bit address, but the 8bit value is more recognizable on a logic analyzer, snooper, debugger, etc.

I2C> (1)
Searching I2C address space. Found devices at:
Warning: *Short or no pull-up
I2C>

The scanner will find a chip at every address if there’s no pull-up resistors on the I2C bus. This is a really common error. the scanner checks for pull-ups, and exits with an error if the bus isn’t pulled up.

Scanner details

Details about the address scanner macro are at the end of this post and around here in the source.

• For I2C write addresses: the BP sends a start, the write address, looks for an ACK, then sends a stop.

• For I2C read addresses: the BP sends a start, the read address, looks for an ACK. If there is an ACK, it reads a byte and NACKs it. Finally it sends a stop.

When the I2C chip responds to the read address, it outputs data and will miss a stop condition sent immediately after the read address (bus contention). If the I2C chip misses the stop condition, the address scanner will see ghost addresses until the read ends randomly. By reading a byte after any read address that ACKs, I have a chance to NACK the read and properly end the I2C transaction.

I2C Bus Sniffer macro

The I2C sniffer is implemented in software and seems to work up to 100kHz (firmware v5.3+). It’s not a substitute for a proper logic analyzer, but additional improvements are probably possible.

• [/] – Start/stop bit
• +/- – ACK/NACK

I2C start and stop bits are represented by the normal Buzzpirat syntax.

I2C> (2)
Sniffer
Any key to exit
[0x40-][0x40-0x40-0x30-0x56-0x77-]
I2C>

Sniffed data values are always HEX formatted in user mode. Press any key to exit the sniffer.

Notes The sniffer uses a 4096byte output ring buffer. Sniffer output goes into the ring buffer and gets pushed to the PC when the UART is free. This should eliminate problems with dropped bytes, regardless of UART speed or display mode. A long enough stream of data will eventually overtake the buffer, after which bytes are dropped silently (will be updated after v5.3).

Any commands entered after the sniffer macro will be lost.

Pins that are normally output become inputs in sniffer node. MOSI and CLOCK are inputs in I2C sniffer mode.

The I2C sniffer maximum speed is around 100kHz.

ACK/NACK management

These examples read and write from the RAM of a DS1307 RTC chip.

I2C> [0xd1 rrrr]
I2C START CONDITION
WRITE: 0xD1 GOT ACK: YES<<<read address
READ: 0×07 ACK <<<sent ACK[
READ: 0x06 ACK
READ: 0x05 ACK
READ: 0x04 NACK <<<last read before STOP, sent NACK
I2C STOP CONDITION
I2C>

I2C read operations must be ACKed or NACKed by the host (the Buzzpirat). The Buzzpirat automates this, but you should know a few rules about how it works.

The I2C library doesn’t ACK/NACK a read operation until the following command. If the next command is a STOP (or START) the Buzzpirat sends a NACK bit. On all other commands it sends an ACK bit. The terminal output displays the (N)ACK status.

I2C> [0xd1 r:5]
I2C START CONDITION
WRITE: 0xD1 GOT ACK: YES
BULK READ 0×05 BYTES:
0×07 ACK 0×06 ACK 0×05 ACK 0×04 ACK 0×03 NACK
I2C STOP CONDITION
I2C>

Nothing changes for write commands because the slave ACKs to the Buzzpirat during writes. Here’s an example using the bulk read command (r:5).

I2C>[0xd1 r <<<setup and read one byte
I2C START CONDITION
WRITE: 0xD1 GOT ACK: YES
READ: 0x07 *(N)ACK PENDING <<<no ACK sent yet
I2C>r<<<read another byte
ACK <<<ACK for previous byte
READ: 0x06 *(N)ACK PENDING <<<no ACK yet
I2C>] <<<STOP command
NACK <<<next command is STOP, so NACK
I2C STOP CONDITION
I2C>

A consequence of the delayed ACK/NACK system is that partial transactions will leave read operations incomplete.

Here, I setup a read operation ([0xd1) and read a byte (r). Since the Buzzpirat has no way of knowing if the next operation will be another read (r) or a stop condition (]), it leaves the ninth bit hanging. The warning “*(N)ACK PENDING” alerts you to this state.

Our next command is another read (r), so the Buzzpirat ACKs the previous read and gets another byte. Again, it leaves the (N)ACK bit pending until the next command.

The final command is STOP (]). The Buzzpirat ends the read with a NACK and then sends the stop condition.

Connections

SPI

• Bus: SPI (serial peripheral interface).
• Connections: Four pins (MOSI/MISO/CLOCK/CS) and ground.
• Output type: 3.3 volt normal, or open collector pull-up resistors required.
• Pull-up resistors: Required for open drain output mode (2K – 10K).
• Maximum voltage: 5.5 volts (5 volt safe).
• Last documentation update: v5.8.

Configuration options

• Speed: 30, 125, 250 kHz; 1, 2, 2.6, 4, 8 MHz
• Clock polarity: Idle low, idle high.
• Output clock edge: Idle to active, active to idle.
• Input sample phase: Middle, end.
• Output type: Open drain/open collector (high=Hi-Z, low=ground), normal (high=3.3 volts, low=ground). Use open drain/open collector output types with pull-up resistors for multi-voltage interfacing.

Syntax

Macro

SPI Bus sniffer

The Buzzpirat can read the traffic on an SPI bus.

Warning! Enter sniffer mode before connecting the target!! The Buzzpirat SPI CLOCK or DATA lines could be grounded and ruin the target device! Reset with the CS pin to clear garbage if needed

Pin connections are the same as normal SPI mode. Connect the Buzzpirat clock to the clock on the SPI bus you want to sniff. The data pins MOSI and MISO are both inputs, connect them to the SPI bus data lines. Connect the CS pin to the SPI bus CS pin.

• [/] – CS enable/disable
• 0xXX – MOSI read
• (0xXX) – MISO read

SPI CS pin transitions are represented by the normal Buzzpirat syntax. The byte sniffed on the MISO pin is displayed inside ().

SPI> (0)
0.Macro menu
1.Sniff CS low
2.Sniff all traffic
SPI> (1)
Sniffer
Any key to exit
[0x30(0x00)0xff(0x12)0xff(0x50)][0x40(0x00)]

The SPI sniffer can read all traffic, or filter by the state of the CS pin. The byte sniffed on the MOSI pin is displayed as a HEX formatted value, the byte sniffed on the MISO pin is inside the ().

There may be an issue in the sniffer terminal mode from v5.2+. Try the binary mode sniffer utility for best results. Notes

The sniffer uses a 4096byte output ring buffer. Sniffer output goes into the ring buffer and gets pushed to the PC when the UART is free. This should eliminate problems with dropped bytes, regardless of UART speed or display mode.

Warning! Enter sniffer mode before connecting the target!! The Buzzpirat SPI CLOCK or DATA lines could be grounded and ruin the target device! Reset with the CS pin to clear garbage if needed

• A long enough stream of data will eventually overtake the buffer, after which the MODE LED turns off (v5.2+). No data can be trusted if the MODE LED is off - this will be improved in a future firmware.
• The SPI hardware has a 4 byte buffer. If it fills before I can transfer the data to the ring buffer, then the terminal will display “Can’t keep up” and drop back to the SPI prompt. This error and the ring buffer error will be combined in a future update.
• Any commands entered after the sniffer macro will be lost.
• Pins that are normally output become inputs in sniffer mode. MOSI, CLOCK, MISO, and CS are all inputs in SPI sniffer mode.
• Since v5.3 the SPI sniffer uses hardware chip select for the CS low sniffer mode. The minimum time between CS falling and the first clock is 120ns theoretical, and less than 1.275us in tests. The software CS detect (CS high sniffer mode) requires between 27usec and 50usec minimum delay between the transition of the CS line and the start of data. Thanks to Peter Klammer for testing and updates.
• The sniffer follows the output clock edge and output polarity settings of the SPI mode, but not the input sample phase.

Clock edge/clock polarity/sample phase macros

Macros 10-15 change SPI settings without disabling the SPI module. These macros were added at a user’s request, but they never reported if it worked.

SPI> (10)(11)(12)(13)(14)(15)
SPI (spd ckp ske smp csl hiz)=( 3 0 1 0 1 1 )
SPI (spd ckp ske smp csl hiz)=( 3 1 1 0 1 1 )
SPI (spd ckp ske smp csl hiz)=( 3 1 0 0 1 1 )
SPI (spd ckp ske smp csl hiz)=( 3 1 1 0 1 1 )
SPI (spd ckp ske smp csl hiz)=( 3 1 1 0 1 1 )
SPI (spd ckp ske smp csl hiz)=( 3 1 1 1 1 1 )
SPI>

Connections

Raw 2-wire

• Bus: General purpose 2-wire library with bitwise pin control.
• Connections: Two pins (SDA/SCL) and ground.
• Output type: 3.3 volt normal, or open collector pull-up resistors required.
• Pull-up resistors: Required for open drain output mode (2K – 10K).
• Maximum voltage: 5.5 volts (5 volt safe).
• Last documentation update: v5.6.

The raw 2 wire library is similar to I2C, but it doesn’t handle acknowledge bits and it has bitwise pin control. I2C could be built using the basic elements in the raw2wire library.

Configuration options

• Speed: High (~50kHz) and low (~5kHz).
• Output type: Open drain/open collector (high=Hi-Z, low=ground), normal (high=3.3 volts, low=ground). Use open drain/open collector output types with pull-up resistors for multi-voltage interfacing.

Syntax

Macro

Connections

Raw 3-wire

• Bus: General purpose 3-wire library with bitwise pin control.
• Connections: Four pins (MOSI/MISO/CLOCK/CS) and ground.
• Output types: 3.3 volt normal, or open drain/open collector pull-up resistors required.
• Pull-up resistors: Required for open drain output mode (2K – 10K).
• Maximum voltage: 5.5 volts (5 volt safe).
• Last documentation update: v5.6.

The raw 3 wire library is like SPI, but includes bitwise pin control.

Configuration options

• Speed: High (~50kHz) and low (~5kHz).
• Output type: Open drain/open collector (high=Hi-Z, low=ground), normal (high=3.3 volts, low=ground). Use open drain/open collector output types with pull-up resistors for multi-voltage interfacing.

Syntax

Connections

HD44780 LCDs

• Bus: HD44780 LCD test library.
• Adapter: 74HCT595-based LCD adapter board

The Buzzpirat can test HD44780 LCDs but it needs an IO expander chip. Currently, it uses a simple 74HCT595 adapter

Syntax

Macro

PC keyboard

• Bus: PC keyboard interface library.
• Connections: Two pins (KBD/KBC) and ground.
• Output type: Open drain/open collector.
• Pull-up resistors: None, keyboard has internal pull-ups.
• Maximum voltage: 5 volts.

This library interfaces PC keyboards. A PC keyboard operates at 5 volts and has its own internal pull-up resistors to 5 volts. The keyboard issues a clock signal that drives all transactions, the library includes a time-out (v0h+) so the Buzzpirat won’t freeze if the keyboard doesn’t respond.

Syntax

Macro

DIO

This mode gives the user 100% control over the Buzzpirat IO pins from the terminal.

Send same command values as the binary bitbang mode to set pin direction and state.

BASIC script reference

BASIC script mode is entered by typing ’s’ at the Buzzpirat commandline. You need to take care of entering the correct mode and set it up (things like speed, Hiz, etc.).

This isn’t intended as a guide in learning how to program. General programming knowledge is assumed. Be aware that only basic checking is done and there are no warnings printed to the terminal (except those intended by the program with print statements). The editor is very rudimentary and does not check if the syntax is right. The language is loosely based on BASIC.

Enter script mode:

HiZ> s
HiZ(BASIC)>

NEW

The memory is cleared by entering the NEW command.

HiZ(BASIC)> new
Ready.
HiZ(BASIC)>

NOTE: With firmware before version 5.8 this command was mandatory before entering anything else in the basic editor!!

LIST

From the basic commandline programs can be entered. The basicinterpreter uses linenumbers followed by statements. After this the program can be listed by the command ‘LIST’

HiZ(BASIC)> list

100 REM BASICDEMO
110 PRINT "HELLO WORLD!"
120 PRINT "HELLO AGAIN"
65535 END
52 bytes.
Ready.
HiZ(BASIC)>

RUN

You can also run it with the command run:

HiZ(BASIC)> run
HELLO WORLD!
HELLO AGAIN

Ready.
HiZ(BASIC)>

Variables

A..Z (26) variables are possible. The variable are internally 16bit signed

LET

assigns a variable. Another variable, constants or functions that returns a value (e.g. RECEIVE)

10 LET A=B+1

IF {ifstat} THEN {truestat} ELSE {falsestat}

Evaluate the {ifstat} if it evaluate to a value that is not zero {truestat} get executed otherwise {falsestat}.

10 IF A=1 THEN GOTO 100 ELSE PRINT "A IS NOT 1"

GOTO {line}

jumps to line {line}, without remembering where it came from (see also GOSUB)

10 GOTO 100
20 PRINT "line 20"
100 PRINT "line 100"

line 20 doesn’t get executed

GOSUB {line} and RETURN

jumps to line {line}, executes from there till a RETURN and return to the line after the GOSUB.

10 GOSUB 1000
20 PRINT "line 20"
30 END
1000 PRINT "line 1000"
1010 RETURN

Stack is 10 levels deep, so 10 nested gosubs are possible.

REM {text}

Puts a remark into the code, but gets skipped.

10 REM A WONDERFULL PROGRAM

Don’t use REM between DATA statements!

PRINT {text}

Prints {text} to the terminal. Variable and statement can be mixed and are seperated with a ‘;’. A ‘;’ at the end suppresses a newline.

10 PRINT "A = ";A
20 PRINT "RECEIVED: ";RECEIVE
30 PRINT "B = ";
40 PRINT B

INPUT {question},{var}

Ask {question} and put the answer the user gave into {var}

10 INPUT "A = ",A

FOR {var}={minvalue} TO {maxvalue} {stats} NEXT {var}

Assigns value {minvalue} to variable {var}, executes statements {stats} until NEXT is encountered. Variable {var} wil be increased by one, {stats} is again executed, until {var} has the value {maxvalue}.

10 FOR A=1 TO 10
20 PRINT "A = ";A
30 NEXT A

for/nexts can be nested 4 deep.

READ {var} & DATA {val1}, {val2}, .. {val1}, {val2},

Read a value into variable {var}. The values are stored in DATA statements.

10 READ A
20 PRINT "A = ";A
30 READ A
40 PRINT "A = ";A
1000 DATA 10,20

START

Same as the Buzzpirat ‘[’ command

10 START

STOP

Same as the Buzzpirat ‘]’ command

10 STOP

STARTR

Same as the Buzzpirat ‘{’ command

10 STARTR

STOPR

Same as the Buzzpirat ‘}’ command

10 STOPR

SEND {val/var}

Sends a value {val} or variable {var} over the bus.

10 SEND 10
20 SEND A

Some protocols send/receive at the same time. This is also possible:

10 LET A=SEND 100
20 PRINT "SEND 100 GOT ";A

RECEIVE

Receives data from the bus. With some protocols it returns value >255 to signal busstates (like no data, got ACK, etc), other protocols are 16 bit (like pic).

10 LET A=RECEIVE
20 PRINT "A = ";A

CLK {val}

Controls the CLK line, its behaviour depends on val; 0=low, 1=high, 2=pulse.

10 CLK 2

DAT {val}

Controls the DAT line, its behaviour depends on val; 0=low, 1=high.

10 DAT 0

DAT value can also be read:

10 LET A=DAT
20 PRINT "A = ";A

BITREAD

Same as the Buzzpirat ‘!’ command.

10 LET A=BITREAD
20 PRINT "A = ";A

ADC

Reads the ADC. Value returned is 10bits (no conversion!).

10 LET A=ADC
20 PRINT "A = ";A

AUX {val}

Controls the AUX line, its behaviour depends on val; 0=low, 1=high.

10 AUX 1

AUX value can also be read:

10 LET A=AUX
20 PRINT "A = ";A

AUXPIN {val}

Controls which pin is controlled by the AUX statement; 0=AUX; 1=CS

10 AUXPIN 1

PSU {val}

Controls the onboard voltage regulators; 0=off, 1=on

10 PSU 1

PULLUP {val}

Controls the onboard pullup resistors; 0=off, 1=on

10 PULLUP 0

DELAY {var}

Delays {var} ms

10 DELAY 100

FREQ {var} & DUTY {var}

Controls the onboard PWM generator. Frequency of 0 disables it. (same limits apply as regular PWM command (‘g’))

10 freq 100
20 duty 25

3 - Unbrick

Have you tried updating the bootloader of Buzzpirat or Bus Pirate v3 and it doesn’t work? Doesn’t it even enter bootloader mode when bridging the PGD and PGC pins? Don’t worry, there are several ways to fix it.

Unbrick using another Bus Pirate v3

The Bus Pirate v3 can be used as an inexpensive PIC programmer.

Total cost: ~40$

• Buy a Bus Pirate v3 + USB mini -> USB A cable
• Buy 5 dupont cables FEMALE-FEMALE

Downgrade your Bus Pirate v3 firmware

Download BPv3-Firmware-v5.9-extras.hex firmware from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/oldfirm

Download the last buzzloader app (There are versions available for Windows, Linux and Mac) from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/buzzloader

• put a jumper/dupont_wire connecting the PGD pin to the PGC pin

• connect the Bus Pirate v3 to your computer via a usb cable

• check for the new COM port assignment in the device manager (e.g., COM29)

Make sure to close Tera Term or any other software that might be using the COM port to free it up and execute:

buzzloader.exe --dev=COM29 --hex=BPv3-Firmware-v5.9-extras.hex

Erasing page 41, a400...OK
Writing page 41 row 328, a400...OK
Writing page 41 row 329, a480...OK
Writing page 41 row 330, a500...OK
Writing page 41 row 331, a580...OK
Writing page 41 row 332, a600...OK
Writing page 41 row 333, a680...OK
Writing page 41 row 334, a700...OK
Writing page 41 row 335, a780...OK

Firmware updated successfully :)!
Use screen com30 115200 to verify

Remove the jumper/Dupont cable, then reconnect the device to the USB port, and you’re all set! You should now have the firmware installed.

Run the ‘i’ command and perform a self-test with the ‘~’ command to ensure everything has gone smoothly.

i
Bus Pirate v3b
Firmware v5.9 (r529) [HiZ 2WIRE 3WIRE KEYB LCD DIO] Bootloader v4.5
DEVID:0x0447 REVID:0x3046 (24FJ64GA002 B8)
http://dangerousprototypes.com
HiZ>

Connect to the Bus Pirate v3 to Bricked Buzzpirat / Bricked Bus Pirate v3

Locate the PIC programming pins on the bricked device. Look for the pin named: MCLR.

Connect the pins using Dupont cables in the following manner:

Burn a new bootloader and firmware to the bricked device

If you are unbricking a Buzzpirat. Download the last bootloader + firmware .hex file from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/stablefirm

If you are unbricking a Bus Pirate v3. Download the last bootloader + firmware .hex file from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/stablefirm/bpv3comp

Download the last picprog app from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/picprog

Ensure that both the bricked device and the Bus Pirate v3 are connected to the PC via USB

Make sure to close Tera Term or any other software that might be using the COM port to free it up and execute: (my Bus Pirate v3 is on COM29):

picprog.exe -p buspirate -u COM29 -s 115200 -c 24FJ64GA002 -t HEX -w BZ-pickit-firmware-v7.1.6969-bootloader-v4.5.hex -E

Skipping page 333 [ 0x014d00 ], not used
Skipping page 334 [ 0x014e00 ], not used
Writing page 335, 14f00...
Writing page 336, 15000...
Writing page 337, 15100...
Writing page 338, 15200...
Writing page 339, 15300...
Skipping page 340 [ 0x015400 ], not used
Skipping page 341 [ 0x015500 ], not used
Skipping page 342 [ 0x015600 ], not used
Writing page 343, 15700...

Remove the Dupont cables from MCLR, PGD, PGC, GND, +3v3 pins, then reconnect the bricked device to the USB port, and you’re all set! You should now have the bootloader+firmware installed.

Run the ‘i’ command and perform a self-test with the ‘~’ command to ensure everything has gone smoothly.

HiZ>i
Bus Pirate v3.5
Community Firmware v7.1 - buzzpirat.com by Dreg BZ SIXTHOUSANDNINEHUNDREDSIXTYNINE [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5
DEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8)
http://dangerousprototypes.com
HiZ>

Now, reinstall the latest firmware on your Bus Pirate v3 (the one you used as a PIC programmer).

Unbrick using clones like PICkit3.5

Buy a PICkit3.5 from Aliexpress (an inexpensive PIC programmer).

Total cost: ~30$

Download & install the last pickit minus app from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/pickitminus

If you are unbricking a Buzzpirat. Download the last bootloader + firmware .hex file from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/stablefirm

If you are unbricking a Bus Pirate v3. Download the last bootloader + firmware .hex file from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/stablefirm/bpv3comp

Connect Buzzpirat / Bus Pirate pins to the pins located furthest to the right of the Pickit:

Connect Buzzpirat / Buspirate & Pickit to PC USB

Open the pickitminus app

Go to Tools -> Download PICkit Operating System

Make sure the PIC has been detected: PIC DEVICE FOUND, PIC24FJ64GA002

Select .hex for pickit minus use

Go to File -> Import Hex

And select the Buzzpirat / Buspirate “bootloader + firmware” .hex file (with pickit in its name, example: BZ-pickit-firmware-v7.1.9-bootloader-v4.5.hex)

Click on Write

Done!

Disconnect Buzzpirat / Buspirate & Pickit from PC USB

Unbrick using official MPLAB PICkit 5

Buy a PICkit 5 from Microchip.

Total cost: ~100$

Download & install the last MPLAB X IDE from this page:

https://www.microchip.com/en-us/tools-resources/develop/mplab-x-ide

Connect Buzzpirat / Bus Pirate pins to the pins located furthest to the right of the Pickit:

Connect Buzzpirat / Buspirate & Pickit to PC USB

Open MPLAB IPE (included with MPLAB X IDE):

Select your Pickit Programmer, PIC24FJ64GA002

And click on Connect, after that check that the PICKIT & PIC has been detected: PIC DEVICE FOUND, PIC24FJ64GA002:

Go to Browse and select the Buzzpirat / Buspirate “bootloader + firmware” .hex file (with pickit in its name, example: BZ-pickit-firmware-v7.1.9-bootloader-v4.5.hex)

And click on Program

Done!

Disconnect Buzzpirat / Buspirate & Pickit from PC USB

4 - Binary I/O

The bitbang protocol uses a single byte for all commands. The default start-up state is pin input (HiZ).

• Send 0x00 to the user terminal (max.) 20 times to enter the raw binary bitbang mode. Check in between if BBIO1 is returned.
• Send 0x0F to exit raw bitbang mode and reset the Buzzpirat.
• Other raw protocol modes are accessible from within bitbang mode, 0x00 always returns to raw bitbang mode and prints the version string.
• There is a slight settling delay between pin updates, currently about 5us.

MAIN b00000000 (0x00) - Reset, responds “BBIO1”

This command resets the Buzzpirat into raw bitbang mode from the user terminal. It also resets to raw bitbang mode from raw SPI mode, or any other protocol mode. This command always returns a five byte bitbang version string “BBIO1”, where 1 is the current protocol version.

Some terminals send a NULL character (0x00) on start-up, causing the Buzzpirat to enter binary mode when it wasn’t wanted. To get around this, you must now enter 0x00 at least 20 times to enter raw bitbang mode.

After entering bitbang mode, you can enter other binary protocol modes.

MAIN b00000001 (0x01) - Enter binary SPI mode, responds “SPI1”

Commands are a single byte, except bulk SPI transfers. The Buzzpirat responds to SPI write commands with the data read from the SPI bus during the write. Most other commands return 0x01 for success, or 0x00 for failure/unknown command.

SPI Mode, Key points

• Send 0x00 to the user terminal (max.) 20 times to enter the raw binary bitbang mode. Pause briefly after sending each 0x00 to check if BBIO1 is returned. Example binary mode entry functions.
• Enter 0x01 in bitbang mode to enter raw SPI mode.
• Return to raw bitbang mode from raw SPI mode by sending 0x00 one time.
• Operations that write a byte to the SPI bus also return a byte read from the SPI bus.
• Hex values shown here, like 0x00, represent actual byte values; not typed ASCII entered into a terminal.

Once you have successfully entered the mode, you can use the following commands:

SPI b00000001 (0x01) - Enter raw SPI mode, display version string

Once in raw bitbang mode, send 0x01 to enter raw SPI mode. The Buzzpirat responds ‘SPI1’, where 1 is the raw SPI protocol version. Get the version string at any time by sending 0x01 again.

SPI b0000001x (0x02-0x03) - CS high (1) or low (0)

Toggle the Buzzpirat chip select pin, follows HiZ configuration setting. CS high is pin output at 3.3volts, or HiZ. CS low is pin output at ground. Buzzpirat responds 0x01.

SPI b000011xx (0x0C-0x0F) - Sniff SPI traffic when CS low(10)/all(01)

The SPI sniffer is implemented in hardware and should work up to 10MHz. It follows the configuration settings you entered for SPI mode. The sniffer can read all traffic, or filter by the state of the CS pin.

• [/] - CS enable/disable
• \xy - escape character (\) precedes two byte values X (MOSI pin) and Y (MISO pin)

Sniffed traffic is encoded according to the table above. The two data bytes are escaped with the ‘' character to help locate data in the stream.

Send the SPI sniffer command to start the sniffer, the Buzzpirat responds 0x01 then sniffed data starts to flow. Send any byte to exit.

If the sniffer can’t keep with the SPI data, the MODE LED turns off and the sniff is aborted.

The sniffer follows the output clock edge and output polarity settings of the SPI mode, but not the input sample phase.

SPI b0001xxxx (0x10-0x1F) - Bulk SPI transfer, send/read 1-16 bytes (0=1byte!)

Bulk SPI allows direct byte reads and writes. The Buzzpirat expects xxxx+1 data bytes. Up to 16 data bytes can be sent at once, each returns a byte read from the SPI bus during the write.

Note that 0000 indicates 1 byte because there’s no reason to send 0. BP replies 0x01 to the bulk SPI command, and returns the value read from SPI after each data byte write.

The way it goes together:

• The upper 4 bit of the command byte are the bulk read command (0001xxxx)
• xxxx = the number of bytes to read. 0000=1, 0001=2, etc, up to 1111=16

If I want to read (0001) four bytes (0011=3=read 4) the full command is 00010011 (0001 + 0011 ). Convert from binary to hex and it is 0x13

SPI b0100wxyz (0x40-0x4F) - Configure peripherals w=power, x=pull-ups, y=AUX, z=CS

Enable (1) and disable (0) Buzzpirat peripherals and pins. Bit w enables the power supplies, bit x toggles the on-board pull-up resistors, y sets the state of the auxiliary pin, and z sets the chip select pin. Features not present in a specific hardware version are ignored. Buzzpirat responds 0x01 on success.

SPI b01100xxx (0x60-0x67) - SPI speed

000=30kHz, 001=125kHz, 010=250kHz, 011=1MHz, 100=2MHz, 101=2.6MHz, 110=4MHz, 111=8MHz

This command sets the SPI bus speed according to the values shown. Default startup speed is 000 (30kHz).

SPI b1000wxyz (0x80-0x8F) - SPI config, w=HiZ/3.3v, x=CKP idle, y=CKE edge, z=SMP sample

This command configures the SPI settings. Options and start-up defaults are the same as the user terminal SPI mode. w= pin output HiZ(0)/3.3v(1), x=CKP clock idle phase (low=0), y=CKE clock edge (active to idle=1), z=SMP sample time (middle=0). The Buzzpirat responds 0x01 on success.

Default raw SPI startup condition is 0010. HiZ mode configuration applies to the SPI pins and the CS pin, but not the AUX pin. See the PIC24FJ64GA002 datasheet and the SPI section of the PIC24 family manual for more about the SPI configuration settings.

SPI b00000100 (0x04) - Write then read & b00000101 (0x05) - Write then read, no CS

This command was developed to help speed ROM programming with Flashrom, asprogrammer dreg mod. It might be helpful for a lot of common SPI operations.

• b00000100 - Write then read: It enables chip select, writes 0-4096 bytes, reads 0-4096 bytes, then disables chip select.
• b00000101 - Write then read, no CS: writes 0-4096 bytes, reads 0-4096 bytes (CS transitions are NOT automated/included).

All data for this command can be sent at once, and it will be buffered in the Buzzpirat. The write and read operations happen all at once, and the read data is buffered. At the end of the operation, the read data is returned from the buffer. The goal is to meet the stringent timing requirements of some ROM chips by buffering everything instead of letting the serial port delay things.

Write then read command format:

1. send 1 byte: b00000100 (Write then read command) or b00000101 (Write then read, no CS)
2. send 2 bytes: number of write bytes 0-4096 (first byte High8, second Low8)
3. send 2 bytes: number of read bytes 0-4096 (first byte High8, second Low8)
4. If the number of bytes to read or write are out of bounds, the Buzzpirat will send 0x00 now
5. send 0-4096 bytes: bytes to write (specified by step 2)
6. read 1 byte: success/0x01
7. read 0-4096 bytes: bytes to read (specified by step 3)

Key Points:

• There is no acknowledgment that a byte is received.
• All write bytes are sent at once (before that CS goes low for b00000100 - Write then read command)
• Read starts immediately, all bytes are put into a buffer at max SPI speed (no waiting for UART)
• At the end of the read, CS goes high for b00000100 - Write then read command

SPI b00000110 (0x06) - AVR Extended Commands

Return Success 0x01 when entering in this mode

• b00000000 (0x00) - Null operation - verifies extended commands are available. Return Success 0x01.
• b00000001 (0x01) - Return version (2 bytes). Return Success 0x01. And after Success, return version (AVR Extended Commands version 1): 0x00 0x01
• b00000010 (0x02) - Bulk Memory Read from Flash: you must send to Buzzpirat:
  • 4 bytes: address
  • 4 bytes: lenght
  • Buzzpirat return 0x01 on success or 0x00 on error
  • Buzzpirat returns the data located on address (length size)

Example of use:

• Send to Buzzpirat: 0x06 0x02 0x00 0x00 0x00 0x40 0x00 0x00 0x00 0x80
  • 0x06 means AVR Extended Commands
  • 0x02 means Bulk Memory Read from Flash
    • 0x00 0x00 0x00 0x40: address 0x00000040
    • 0x00 0x00 0x00 0x80: length 0x00000080
• Buzzpirat returns:
  • 0x01 (0x06 ack)
  • 0x01 (0x02 Bulk Memory Read ack)
  • Content bytes requested: 128 (0x80) bytes in this case

To read the next page (0x00000080) you must send to Buzzpirat: 0x06 0x02 0x00 0x00 0x00 0x80 0x00 0x00 0x00 0x80

SPI b11111110 (0xFE) - Execute Buzz Commands

Buzz Commands allows for actions such as reading all voltages (similar to the ‘v’ command), manipulating the TP0 pin, etc.

You have access to the same commands as when you enter Buzz Mode using 0x0A. A list of the supported commands is available further below.

Buzzpirat returns 0x01 if it has successfully entered this mode.

SPI Buzz Commands (0x97-0xFF)

Each protocol has reserved the range from 0x97 to 0xFF for protocol-specific Buzz commands. However, none have been defined for this protocol yet.

MAIN b00000010 (0x02) - Enter binary I2C mode, responds “I2C1”

Enter binary I2C mode by first entering bitbang mode, then send 0x02 to enter I2C mode.

Most I2C mode commands are a single byte. Commands generally return 1 for success, 0 for failure.

I2C Mode, Key points

• Send 0x00 to the user terminal (max.) 20 times to enter the raw binary bitbang mode. Pause briefly after sending each 0x00 to check if BBIO1 is returned. Example binary mode entry functions.
• Enter 0x02 in bitbang mode to enter raw I2C mode.
• Return to raw bitbang mode from raw I2C mode by sending 0x00 one time.
• Hex values shown here, like 0x00, represent actual byte values; not typed ASCII entered into a terminal.

Once you have successfully entered the mode, you can use the following commands:

I2C b00000001 (0x01) – Display mode version string, responds “I2C1”

Once in binary I2C mode, send 0x01 to get the current mode version string. The Buzzpirat responds ‘I2C1’, where x is the raw I2C protocol version (currently 1). Get the version string at any time by sending 0x01 again. This command is the same in all binary modes, the current mode can always be determined by sending 0x01.

I2C b00000010 (0x02) – I2C start bit

Send an I2C start bit. Responds 0x01.

I2C b00000011 (0x03) - I2C stop bit

Send an I2C stop bit. Responds 0x01.

I2C b00000100 (0x04) - I2C Read Byte

Reads a byte from the I2C bus and returns the byte. You must manually ACK or NACK each byte!

I2C b00000110 (0x06) - ACK bit

Send an I2C ACK bit after reading a byte. Tells a slave device that you will read another byte. Responds 0x01.

I2C b00000111 (0x07) - NACK bit

Send an I2C NACK bit after reading a byte. Tells a slave device that you will stop reading, next bit should be an I2C stop bit. Responds 0x01.

I2C b00001111 (0x0F) - Start bus sniffer

Sniff traffic on an I2C bus.

• [/] - Start/stop bit
• \ - escape character precedes a data byte value
• +/- - ACK/NACK

Sniffed traffic is encoded according to the table above. Data bytes are escaped with the ‘' character. Send a single byte to exit, Buzzpirat responds 0x01 on exit.

I2C b0001xxxx (0x10-0x1F) – Bulk I2C write, send 1-16 bytes (0=1byte!)

Bulk I2C allows multi-byte writes. The Buzzpirat expects xxxx+1 data bytes. Up to 16 data bytes can be sent at once. Note that 0000 indicates 1 byte because there’s no reason to send 0.

BP replies 0x01 to the bulk I2C command. After each data byte the Buzzpirat returns the ACK (0x00) or NACK (0x01) bit from the slave device.

I2C b0100wxyz (0x40-0x4F) – Configure peripherals w=power, x=pullups, y=AUX, z=CS

Enable (1) and disable (0) Buzzpirat peripherals and pins. Bit w enables the power supplies, bit x toggles the on-board pull-up resistors, y sets the state of the auxiliary pin, and z sets the chip select pin. Features not present in a specific hardware version are ignored. Buzzpirat responds 0x01 on success.

I2C b011000xx (0x60-0x63) - Set I2C speed, 3=~400kHz, 2=~100kHz, 1=~50kHz, 0=~5kHz

0110000x - Set I2C speed, 1=high (50kHz) 0=low (5kHz)

The lower bits of the speed command determine the I2C bus speed. Binary mode currently uses the software I2C library, though it may be configurable in a future update. Startup default is high-speed. Buzzpirat responds 0x01 on success.

I2C b00001000 (0x08) - Write then read

This command internally sends I2C start, writes from 0-4096 bytes, then reads 0-4096 bytes into the Buzzpirats internal buffer, ACKing each byte internally until the final byte at which point it sends an NACK stop bit.

All data for this command can be sent at once, and it will be buffered in the Buzzpirat. The write and read operations happen once the completed command has been passed to the Buzzpirat. Any write data is internally buffered by the Buzzpirat. At the end of the operation, any read data is returned from the buffer, be aware that the write buffer is re-used as the read buffer, as such any write data needs to be re-loaded if the command is re-executed.

Write then read command format:

1. send 1 byte: b00001000 (Write then read command)
2. send 2 bytes: number of write bytes 0-4096 (first byte High8, second Low8)
3. send 2 bytes: number of read bytes 0-4096 (first byte High8, second Low8)
4. If the number of bytes to read or write are out of bounds, the Buzzpirat will send 0x00 now
5. send 0-4096 bytes: bytes to write (specified by step 2. The initial byte can serve as the I2C address. Therefore, in step 2, it’s necessary to specify at least one byte for writing).
6. read 1 byte: success/0x01, would be 0x00 If an I2C write is not ACKed by a slave device, then the operation will abort.
7. read 0-4096 bytes: bytes to read (specified by step 3).

Key points:

• The Buzzpirat sends an I2C start bit, then all write bytes are sent at once.
• All read bytes are ACKed, except the last byte which is NACKed, this process is handled internally between the Buzzpirat and the I2C device.
• At the end of the read process, the Buzzpirat sends an I2C stop
• Except as described above, there is no acknowledgment that a byte is received.

I2C b00001001 (0x09) Extended AUX command

Provides extended use of AUX pin. Requires one command byte. Buzzpirat acknowledges 0x01.

Command Function

• b00000000 (0x00) - AUX/CS low
• b00000001 (0x01) - AUX/CS high
• b00000010 (0x02) - AUX/CS HiZ
• b00000011 (0x03) - AUX read
• b00010000 (0x10) - use AUX
• b00100000 (0x20) - use CS

I2C b11111110 (0xFE) - Execute Buzz Commands

Buzz Commands allows for actions such as reading all voltages (similar to the ‘v’ command), manipulating the TP0 pin, etc.

You have access to the same commands as when you enter Buzz Mode using 0x0A. A list of the supported commands is available further below (the first one is 0x00)

Buzzpirat returns 0x01 if it has successfully entered this mode.

I2C Buzz Commands (0x97-0xFF)

Each protocol has reserved the range from 0x97 to 0xFF for protocol-specific Buzz commands. However, none have been defined for this protocol yet.

MAIN b00000011 (0x03) - Enter binary UART mode, responds “ART1”

Enter binary UART mode by first entering bitbang mode, then send 0x03 to enter UART mode.

Most UART mode commands are a single byte. Commands generally return 1 for success, 0 for failure.

UART Mode, Key points

• Send 0x00 to the user terminal (max.) 20 times to enter the raw binary bitbang mode. Pause briefly after sending each 0x00 to check if BBIO1 is returned. Example binary mode entry functions.
• Enter 0x03 in bitbang mode to enter raw UART mode.
• Return to raw bitbang mode from raw UART mode by sending 0x00 one time.
• Hex values shown here, like 0x00, represent actual byte values; not typed ASCII entered into a terminal.

Once you have successfully entered the mode, you can use the following commands:

UART b00000001 (0x01) – Display mode version string, responds “ART1”

Once in binary UART mode, send 0x01 to get the current mode version string. The Buzzpirat responds ‘ART1’, where 1 is the raw UART protocol version. Get the version string at any time by sending 0x01 again. This command is the same in all binary modes, the current mode can always be determined by sending 0x01.

UART b0000001x (0x02-0x03) – Start (0)/stop(1) echo UART RX

In binary UART mode the UART is always active and receiving. Incoming data is only copied to the USB side if UART RX echo is enabled. This allows you to configure and control the UART mode settings without random data colliding with response codes. UART mode starts with echo disabled. This mode has no impact on data transmissions.

Responds 0x01. Clears buffer overrun bit.

UART b00000111 (0x07) – Manual baud rate configuration, send 2 bytes

Configures the UART using custom baud rate generator settings. This command is followed by two data bytes that represent the BRG register value. Send the high 8 bits first, then the low 8 bits.

Use the UART manual or an online calculator to find the correct value (key values: fosc 32mHz, clock divider = 2, BRGH=1) . Buzzpirat responds 0x01 to each byte. Settings take effect immediately.

UART b00001111 (0x0F) - UART bridge mode (reset to exit)

Starts a transparent UART bridge using the current configuration. Unplug the Buzzpirat to exit.

UART b0001xxxx (0x10-0x1F) – Bulk UART write, send 1-16 bytes (0=1byte!)

Bulk UART allows multi-byte writes. The Buzzpirat expects xxxx+1 data bytes. Up to 16 data bytes can be sent at once. Note that 0000 indicates 1 byte because there’s no reason to send 0. Buzzpirat replies 0x01 to each byte.

UART b0100wxyz (0x40-0x4F) – Configure peripherals w=power, x=pullups, y=AUX, z=CS

Enable (1) and disable (0) Buzzpirat peripherals and pins. Bit w enables the power supplies, bit x toggles the on-board pull-up resistors, y sets the state of the auxiliary pin, and z sets the chip select pin. Features not present in a specific hardware version are ignored. Buzzpirat responds 0x01 on success.

UART b011000xx (0x60-0x63) - Set UART speed

Set the UART at a preconfigured speed value: 0000=300, 0001=1200, 0010=2400,0011=4800,0100=9600,0101=19200,0110=31250 (MIDI), 0111=38400,1000=57600,1010=115200

Start default is 300 baud. Buzzpirat responds 0x01 on success. A read command is planned but not implemented in this version.

UART b100wxxyz (0x80-0x9F) – Configure UART settings

• w=pin output HiZ(0)/3.3v(1)
• xx=databits and parity 8/N(0), 8/E(1), 8/O(2), 9/N(3)
• y=stop bits 1(0)/2(1)
• z=RX polarity idle 1 (0), idle 0 (1)

Startup default is 00000. Buzzpirat responds 0x01 on success. A read command is planned but not implemented in this version.

UART b11111110 (0xFE) - Execute Buzz Commands

Buzz Commands allows for actions such as reading all voltages (similar to the ‘v’ command), manipulating the TP0 pin, etc.

You have access to the same commands as when you enter Buzz Mode using 0x0A. A list of the supported commands is available further below (the first one is 0x00)

Buzzpirat returns 0x01 if it has successfully entered this mode.

UART Buzz Commands (0x97-0xFF)

Each protocol has reserved the range from 0x97 to 0xFF for protocol-specific Buzz commands. However, none have been defined for this protocol yet.

MAIN b00000100 (0x04) - Enter binary 1-Wire mode, responds “1W01”

Enter binary 1-Wire mode by first entering bitbang mode, then send 0x04 to enter 1-Wire mode. Most 1-Wire mode commands are a single byte. Commands generally return 1 for success, 0 for failure.

1-Wire Mode, Key points

• Send 0x00 to the user terminal (max.) 20 times to enter the raw binary bitbang mode. Pause briefly after sending each 0x00 to check if BBIO1 is returned. Example binary mode entry functions.
• Enter 0x04 in bitbang mode to enter raw 1-Wire mode.
• Return to raw bitbang mode from raw 1-Wire mode by sending 0x00 one time.
• Hex values shown here, like 0x00, represent actual byte values; not typed ASCII entered into a terminal.

Once you have successfully entered the mode, you can use the following commands:

1-Wire b00000001 (0x01) – Display mode version string, responds “1W01”

Once in binary 1-Wire mode, send 0x01 to get the current mode version string. The Buzzpirat responds ‘1W01’, where 1 is the raw 1-Wire protocol version. Get the version string at any time by sending 0x01 again. This command is the same in all binary modes, the current mode can always be determined by sending 0x01.

1-Wire b00000010 (0x02) – 1-Wire reset

Send a 1-Wire reset. Responds 0x01.

1-Wire b00000100 (0x04) – Read byte

Reads a byte from the bus, returns the byte.

1-Wire b00001000 (0x08) - ROM search macro (0xF0)

1-Wire b00001001 (0x09) - ALARM search macro (0xEC)

Search macros are special 1-Wire procedures that determine device addresses. The command returns 0x01, and then each 8-byte 1-Wire address located. Data ends with 8 bytes of 0xff.

1-Wire b0001xxxx (0x10-0x1F) – Bulk 1-Wire write, send 1-16 bytes (0=1byte!)

Bulk write transfers a packet of xxxx+1 bytes to the 1-Wire bus. Up to 16 data bytes can be sent at once. Note that 0000 indicates 1 byte because there’s no reason to send 0. BP replies 0x01 to each byte.

1-Wire b0100wxyz (0x40-0x4F) – Configure peripherals w=power, x=pullups, y=AUX, z=CS

Enable (1) and disable (0) Buzzpirat peripherals and pins. Bit w enables the power supplies, bit x toggles the on-board pull-up resistors, y sets the state of the auxiliary pin, and z sets the chip select pin. Features not present in a specific hardware version are ignored. Buzzpirat responds 0x01 on success.

1-Wire b11111110 (0xFE) - Execute Buzz Commands

Buzz Commands allows for actions such as reading all voltages (similar to the ‘v’ command), manipulating the TP0 pin, etc.

You have access to the same commands as when you enter Buzz Mode using 0x0A. A list of the supported commands is available further below (the first one is 0x00)

Buzzpirat returns 0x01 if it has successfully entered this mode.

1-Wire Buzz Commands (0x97-0xFF)

Each protocol has reserved the range from 0x97 to 0xFF for protocol-specific Buzz commands. However, none have been defined for this protocol yet.

MAIN b00000101 (0x05) - Enter binary RAW-WIRE mode, responds “RAW1”

Enter binary RAW-WIRE mode by first entering bitbang mode, then send 0x05 to enter RAW2WIRE mode.

Most RAW-WIRE mode commands are a single byte. Commands generally return 1 for success, 0 for failure.

RAW-WIRE Mode, Key points

• Send 0x00 to the user terminal (max.) 20 times to enter the raw binary bitbang mode. Pause briefly after sending each 0x00 to check if BBIO1 is returned.
• Enter 0x05 in bitbang mode to enter raw RAW-WIRE mode.
• Return to raw bitbang mode from raw RAW-WIRE mode by sending 0x00 one time.
• Hex values shown here, like 0x00, represent actual byte values; not typed ASCII entered into a terminal.

Once you have successfully entered the mode, you can use the following commands:

RAW-WIRE b00000001 (0x01) – Display mode version string, responds “RAW1”

Once in binary RAW-WIRE mode, send 0x01 to get the current mode version string. The Buzzpirat responds ‘RAW1’, where 1 is the raw RAW-WIRE protocol version. Get the version string at any time by sending 0x01 again. This command is the same in all binary modes, the current mode can always be determined by sending 0x01.

RAW-WIRE b0000001x (0x02-0x03) - I2C-style start (0) / stop (1) bit

Send an I2C start or stop bit. Responds 0x01. Useful for I2C-like 2-wire protocols, or building a custom implementation of I2C using the raw-wire library.

RAW-WIRE b0000010x (0x04-0x05) - CS low (0) / high (1)

Toggle the Buzzpirat chip select pin, follows HiZ configuration setting. CS high is pin output at 3.3volts, or HiZ. CS low is pin output at ground. Buzzpirat responds 0x01.

RAW-WIRE b00000110 (0x06) - Read byte

Reads a byte from the bus, returns the byte. Writes 0xff to bus in 3-wire mode.

RAW-WIRE b00000111 (0x07) - Read bit

Read a single bit from the bus, returns the bit value.

RAW-WIRE b00001000 (0x08) - Peek at input pin

Returns the state of the data input pin without sending a clock tick.

RAW-WIRE b00001001 (0x09) - Clock Tick

Sends one clock tick (low->high->low). Responds 0x01.

RAW-WIRE b0000101x (0x0A-0x0B) - Clock low (0) / high (1)

Set clock signal low or high. Responds 0x01.

RAW-WIRE b0000110x (0x0C-0x0D) - Data low (0) / high (1)

Set data signal low or high. Responds 0x01.

RAW-WIRE b0001xxxx (0x10-0x1F) – Bulk transfer, send 1-16 bytes (0=1byte!)

Bulk write transfers a packet of xxxx+1 bytes to the bus. Up to 16 data bytes can be sent at once. Note that 0000 indicates 1 byte because there’s no reason to send 0. BP replies 0x01 to each byte in 2wire mode, returns the bus read in 3wire (SPI) mode.

RAW-WIRE b0010xxxx (0x20-0x2F) - Bulk clock ticks, send 1-16 ticks

Create bulk clock ticks on the bus. Note that 0000 indicates 1 clock tick because there’s no reason to send 0. BP replies 0x01.

RAW-WIRE b0011xxxx (0x30-0x3F) - Bulk bits, send 1-8 bits of the next byte (0=1bit!)

Bulk bits sends xxxx+1 bits of the next byte to the bus. Up to 8 data bytes can be sent at once. Note that 0000 indicates 1 byte because there’s no reason to send 0. BP replies 0x01 to each byte.

This is a PIC programming extension that only supports 2wire mode. All writes are most significant bit first, regardless of the mode set with the configuration command.

RAW-WIRE b0100wxyz (0x40-0x4F) – Configure peripherals w=power, x=pullups, y=AUX, z=CS

Enable (1) and disable (0) Buzzpirat peripherals and pins. Bit w enables the power supplies, bit x toggles the on-board pull-up resistors, y sets the state of the auxiliary pin, and z sets the chip select pin. Features not present in a specific hardware version are ignored. Buzzpirat responds 0x01 on success.

RAW-WIRE b011000xx (0x60-0x63) - Set bus speed, 3=~400kHz, 2=~100kHz, 1=~50kHz, 0=~5kHz

The last bit of the speed command determines the bus speed. Startup default is high-speed. Buzzpirat responds 0x01.

RAW-WIRE b1000wxyz (0x80-0x8F) – Config, w=HiZ/3.3v, x=2/3wire, y=msb/lsb, z=not used

Configure the raw-wire mode settings. w= pin output type HiZ(0)/3.3v(1). x= protocol wires (0=2, 1=3), toggles between a shared input/output pin (raw2wire), and a separate input pin (raw3wire). y= bit order (0=MSB, 1=LSB). The Buzzpirat responds 0x01 on success.

Default raw startup condition is 000z. HiZ mode configuration applies to the data pins and the CS pin, but not the AUX pin.

RAW-WIRE b10100100 (0xA4) - PIC write. Send command + 2 bytes of data, read 1 byte

An extension for programming PIC microcontrollers. Writes 20bits to the 2wire interface.

Payload is three bytes.

The first byte is XXYYYYYY, where XX are the delay in MS to hold the PGC pin high on the last command bit, this is a delay required at the end of a page write. YYYYYY is a 4 or 6 bit ICSP programming command to send to the PIC (enter 4 bit commands as 00YYYY, commands clocked in LSB first).

The second and third bytes are 16bit instructions to execute on the PIC.

See the PIC 16F/18F programming specifications for more about ICSP.

RAW-WIRE b10100101 (0xA5) - PIC read. Send command, read 1 byte of data

An extension for programming PIC microcontrollers. Writes 12bits, reads 8bits.

Payload is one byte 00YYYYYY, where YYYYYY is a 4 or 6 bit ICSP programming command to send to the PIC. Enter 4 bit commands as 00YYYY, all commands are clocked in LSB first.

The Buzzpirat send the 4/6bit command, then 8 ‘0’ bits, then reads one byte. The read byte is returned.

See the PIC 16F/18F programming specifications for more about ICSP.

RAW-WIRE b11111110 (0xFE) - Execute Buzz Commands

Buzz Commands allows for actions such as reading all voltages (similar to the ‘v’ command), manipulating the TP0 pin, etc.

You have access to the same commands as when you enter Buzz Mode using 0x0A. A list of the supported commands is available further below (the first one is 0x00)

Buzzpirat returns 0x01 if it has successfully entered this mode.

RAW-WIRE Buzz Commands (0x97-0xFF)

Each protocol has reserved the range from 0x97 to 0xFF for protocol-specific Buzz commands. However, none have been defined for this protocol yet.

MAIN b00000110 (0x06) - Enter OpenOCD JTAG mode

OpenOCD mode is documented in the source only.

MAIN b00001010 (0x0A) - Enter Buzz mode

This mode is exclusive to Buzzpirat and allows for actions such as reading all voltages (similar to the ‘v’ command), manipulating the TP0 pin, etc.

Buzzpirat returns 0x01 if it has successfully entered this mode.

Once you have successfully entered to the Buzz mode via b00001010 (0x0A) (from the main bitbang) or via b11111110 (0xFE) (from a protocol mode), you can use the following Buzz mode commands:

Buzz b01101001 (0x69) - NULL COMMAND

This command doesn’t do anything; it does not return any response. It is designed for when you only want to check if the Buzz mode exists and don’t want to execute anything.

Buzz b10010110 (0x96) - Check if firmware is BPv3

For each firmware version, I also generate a firmware that is 100% compatible with the Bus Pirate v3 hardware.

• returns 0x01 if the firmware currently running is the version for BPv3 hardware.

• returns 0x00 if the firmware currently running is the official version for Buzzpirat hardware.

Buzz b00000000 (0x00) - Take voltage measurement from all sources

Take a measurement from the Buzzpirat voltage sources.

1. Returns a 2 byte ADC reading for 5v0 PWR, high 8bits come first.
2. Returns a 2 byte ADC reading for 3v3 PWR, high 8bits come first.
3. Returns a 2 byte ADC reading for 2v5 PWR, high 8bits come first.
4. Returns a 2 byte ADC reading for 1v8 PWR, high 8bits come first.
5. Returns a 2 byte ADC reading for VPU, high 8bits come first.
6. Returns a 2 byte ADC reading for ADC PROBE, high 8bits come first.
7. returns 0x01

Buzz b00000001 (0x01) - TP0 INPUT LOW

Configure TP0 as INPUT LOW.

returns 0x01 if it has successfull.

Buzz b00000010 (0x02) - TP0 OUTPUT LOW

Configure TP0 as OUTPUT LOW.

returns 0x01 if it has successfull.

Buzz b00000011 (0x03) - Read TP0 status

Return 0x01 or 0x00 depending on the status of TP0 (1=HIGH, 0=LOW).

returns 0x01 if it has successfull.

Buzz b00010000 (0x10) - Check for short circuits in the power supply units

Inspect the power supply units for short circuits across the 5V, 3.3V, 2.5V, and 1.8V lines.

Return 0x01 if any PSU voltage is abnormally low, indicating a potential short circuit.

Return 0x00 if all PSU voltages are within normal parameters.

Buzz b00010010 (0x12) - Setup pulse-width modulation (requires 5 byte setup)

Configure and enable pulse-width modulation output in the AUX pin.

Requires a 5 byte configuration sequence.

Equations to calculate the PWM frequency and period are in the PIC24F output compare manual.

• Bit 0 and 1 of the first configuration byte set the prescaler value.
• The Next two bytes set the duty cycle register, high 8bits first.
• The final two bytes set the period register, high 8bits first.

Responds 0x01 after a complete sequence is received.

Buzz b00010011 (0x13) - Clear/disable PWM

Clears the PWM, disables PWM output. Responds 0x01.

Buzz b00010100 (0x14) - Take voltage probe measurement (returns 2 bytes)

Take a measurement from the Buzzpirat voltage probe. Returns a 2 byte ADC reading, high 8bits come first. To determine the actual voltage measurement: (ADC/1024)x3.3voltsx2; or simply (ADC/1024)x6.6.

Buzz b00010101 (0x15) - Continuous voltage probe measurement

Sends ADC data (2bytes, high 8 first) as fast as UART will allow. A new reading is not taken until the previous finishes transmitting to the PC, this prevents time distortion from the buffer. Added for the oscilloscope script.

To exit this mode, send any single character.

Buzz b00010110 (0x16) - Frequency measurement on AUX pin

Takes frequency measurement on AUX pin. Returns 4byte frequency count, most significant byte first.

MAIN b00001111 (0x0F) - Reset Buzzpirat

The Buzzpirat responds 0x01 and then performs a complete hardware reset. The hardware and firmware version is printed (same as the ‘i’ command in the terminal), and the Buzzpirat returns to the user terminal interface. Send 0x00 20 times to enter binary mode again. Note: there may be garbage data between the 0x01 reply and the version information as the PIC UART initializes.

MAIN b00010000 (0x10) - Buzzpirat Short self-test & b00010001 (0x11) Long self-test

Self-test commands

b00010001 (0x11) Long test (requires jumpers between +5 and Vpu, +3.3 and ADC)

The full test is the same as self-test in the user terminal, it requires jumpers between two sets of pins in order to test some features. The short test eliminates the six checks that require jumpers.

After the test is complete, the Buzzpirat responds with the number of errors. It also echoes any input plus the number of errors. The MODE LED blinks if the test was successful, or remains solid if there were errors. Exit the self-test by sending 0xff, the Buzzpirat will respond 0x01 and return to binary bitbang mode.

MAIN b00010010 (0x12) - Setup pulse-width modulation (requires 5 byte setup)

Configure and enable pulse-width modulation output in the AUX pin.

Requires a 5 byte configuration sequence.

Equations to calculate the PWM frequency and period are in the PIC24F output compare manual.

• Bit 0 and 1 of the first configuration byte set the prescaler value.
• The Next two bytes set the duty cycle register, high 8bits first.
• The final two bytes set the period register, high 8bits first.

Responds 0x01 after a complete sequence is received.

MAIN b00010011 (0x13) - Clear/disable PWM

Clears the PWM, disables PWM output. Responds 0x01.

MAIN b00010100 (0x14) - Take voltage probe measurement (returns 2 bytes)

Take a measurement from the Buzzpirat voltage probe. Returns a 2 byte ADC reading, high 8bits come first. To determine the actual voltage measurement: (ADC/1024)x3.3voltsx2; or simply (ADC/1024)x6.6.

MAIN b00010101 (0x15) - Continuous voltage probe measurement

Sends ADC data (2bytes, high 8 first) as fast as UART will allow. A new reading is not taken until the previous finishes transmitting to the PC, this prevents time distortion from the buffer. Added for the oscilloscope script.

To exit this mode, send any single character.

MAIN b00010110 (0x16) - Frequency measurement on AUX pin

Takes frequency measurement on AUX pin. Returns 4byte frequency count, most significant byte first.

MAIN b010xxxxx (0x40-0x5F) - Configure pins as input(1) or output(0): AUX|MOSI|CLK|MISO|CS

Configure pins as an input (1) or output(0). The pins are mapped to the lower five bits in this order:

• AUX|MOSI|CLK|MISO|CS.

The Buzzpirat responds to each direction update with a byte showing the current state of the pins, regardless of direction. This is useful for open collector I/O modes.

MAIN b1xxxxxxx (0x80-0xFF) - Set on (1) or off (0): POWER|PULLUP|AUX|MOSI|CLK|MISO|CS

The lower 7bits of the command byte control the Buzzpirat pins and peripherals. Bitbang works like a player piano or bitmap. The Buzzpirat pins map to the bits in the command byte as follows:

• 1|POWER|PULLUP|AUX|MOSI|CLK|MISO|CS

The Buzzpirat responds to each update with a byte in the same format that shows the current state of the pins.

ADC Calculation

Python 3

#!/usr/bin/env python3

adc_high = 0x03
adc_low = 0x08

adc_buzz = (adc_high << 8) + adc_low
print(f"Combined ADC value (hex): {hex(adc_buzz)}")

result = (adc_buzz / 1024) * 6.6
print(f"Result for ADC value {adc_buzz} (hex {hex(adc_buzz)}): {result}")

Output:

Combined ADC value (hex): 0x308
Result for ADC value 776 (hex 0x308): 5.0015624999999995

C

#include <stdio.h>

int main() {
    unsigned char adc_high = 0x03;
    unsigned char adc_low = 0x08;

    unsigned int adc_buzz = (adc_high << 8) + adc_low;
    printf("Combined ADC value (hex): 0x%x\n", adc_buzz);

    double result = (((double)adc_buzz) / 1024.0) * 6.6;
    printf("Result for ADC value %u (hex 0x%x): %f\n", adc_buzz, adc_buzz, result);

    return 0;
}

Output:

Combined ADC value (hex): 0x308
Result for ADC value 776 (hex 0x308): 5.001562

PWM Computation

Python 3

Here is a Python Script for computing the PWM for Buzzpirat.

For example, setup PWM with Period of 1msec, 50% duty cycle. Using 1:1 Prescaler.

Modify only the 3 lines:

Prescaler=1 # 1:1
PwmPeriod=1e-3  # 0.1msec
DutyCycleInPercent=.5 # 50%

It will output:

======================
PwmPeriod: 0.00100000000000000002 sec.
Tcy: 0.00000006250000000000 sec.
Prescaler: 1
PR2: 0x3e7f = 15999
OCR: 0x1f3f = 7999
5 Byte Setup:
1st Byte: 0x00
2nd Byte: 0x1f
3rd Byte: 0x3f
4th Byte: 0x3e
5th Byte: 0x7f

Use the 5byte setup to set the PWM.

#!/usr/bin/env python3

'''
Python Script 00.08.00
    - by 7 mod by Dreg
'''

# 32MHz Crystal Oscillator
Fosc = 32e6  # DONT MODIFY THIS

Prescaler = 1  # [1, 8, 64, 256]
PwmPeriod = 1e-3  # 0.1 msec
DutyCycleInPercent = 0.5  # 50%

###################################################
#### ---------------------------------------- #####
#### -- DON'T MODIFY ANYTHING BELOW THIS LINE #####
#### ---------------------------------------- #####
###################################################

'''
Configure and enable pulse-width modulation output in the AUX pin.
Requires a 5 byte configuration sequence.
Responds 0x01 after a complete sequence is received.
The PWM remains active after leaving binary bitbang mode! 
Equations to calculate the PWM frequency and period are in the PIC24F
output compare manual. Bit 0 and 1 of the first configuration byte
set the prescaler value. The Next two bytes set the duty cycle register,
high 8 bits first. The final two bytes set the period register, high 8 bits first.
'''

PrescalerList = {1: 0, 8: 1, 64: 2, 256: 3}
Tcy = 2.0 / Fosc
PRy = PwmPeriod / (Tcy * Prescaler)
PRy = PRy - 1
OCR = PRy * DutyCycleInPercent

print("======================")
print(f"PwmPeriod: {PwmPeriod:.20f} sec.")
print(f"Tcy: {Tcy:.20f} sec.")
print(f"Prescaler: {int(Prescaler)}")
print(f"PR2: 0x{int(PRy):x} = {int(PRy)}")
print(f"OCR: 0x{int(OCR):x} = {int(OCR)}")
#####
print("5 Byte Setup:")
print(f"1st Byte: 0x{int(PrescalerList[Prescaler]):02x}")
print(f"2nd Byte: 0x{(int(OCR) >> 8) & 0xFF:02x}")
print(f"3rd Byte: 0x{int(OCR) & 0xFF:02x}")
print(f"4th Byte: 0x{(int(PRy) >> 8) & 0xFF:02x}")
print(f"5th Byte: 0x{int(PRy) & 0xFF:02x}")

C

#include <stdio.h>

int main() {
    // 32MHz Crystal Oscillator
    double Fosc = 32e6;  // DON'T MODIFY THIS

    unsigned int Prescaler = 1;    
    //unsigned int Prescaler = 8;  
    //unsigned int Prescaler = 64; 
    //unsigned int Prescaler = 256;  
    double PwmPeriod = 1e-3;  // 0.1 msec
    double DutyCycleInPercent = 0.5;  // 50%

    // DON'T MODIFY ANYTHING BELOW THIS LINE

    // Configure and enable pulse-width modulation output in the AUX pin
    unsigned int listv;
    switch (Prescaler) {
        case 1:
            listv = 0;
            break;
        case 8:
            listv = 1;
            break;
        case 64:
            listv = 2;
            break;
        case 256:
            listv = 3;
            break;
        default:
            listv = 0;
            break;
    }
    double Tcy = 2.0 / Fosc;
    double PRy = PwmPeriod / (Tcy * Prescaler);
    PRy = PRy - 1;
    double OCR = PRy * DutyCycleInPercent;

    printf("======================\n");
    printf("PwmPeriod: %.20f sec.\n", PwmPeriod);
    printf("Tcy: %.20f sec.\n", Tcy);
    printf("Prescaler: %u\n", Prescaler);
    printf("PR2: 0x%x = %u\n", (unsigned int)PRy, (unsigned int)PRy);
    printf("OCR: 0x%x = %u\n", (unsigned int)OCR, (unsigned int)OCR);
    printf("5 Byte Setup:\n");
    printf("1st Byte: 0x%02x\n", listv);
    printf("2nd Byte: 0x%02x\n", ((unsigned int)OCR >> 8) & 0xFF);
    printf("3rd Byte: 0x%02x\n", (unsigned int)OCR & 0xFF);
    printf("4th Byte: 0x%02x\n", ((unsigned int)PRy >> 8) & 0xFF);
    printf("5th Byte: 0x%02x\n", (unsigned int)PRy & 0xFF);

    return 0;
}

Output:

======================
PwmPeriod: 0.00100000000000000002 sec.
Tcy: 0.00000006250000000000 sec.
Prescaler: 1
PR2: 0x3e7f = 15999
OCR: 0x1f3f = 7999
5 Byte Setup:
1st Byte: 0x00
2nd Byte: 0x1f
3rd Byte: 0x3f
4th Byte: 0x3e
5th Byte: 0x7f

5 - Firmware Update

Download the last firmware from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/stablefirm

Download the last buzzloader app (There are versions available for Windows, Linux and Mac) from this page:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/buzzloader

• put a jumper/dupont_wire connecting the PGD pin to the PGC pin

• connect the buzzpirat to your computer via a usb cable

• check for the new COM port assignment in the device manager (e.g., COM29)

Make sure to close Tera Term or any other software that might be using the COM port to free it up and execute:

buzzloader.exe --dev=COM29 --hex=BZ-firmware-v7.1.6969.hex

Just ignore a800…ERROR[50] error message, it’s a known issue and the firmware is updated correctly.

Writing page 41 row 331, a580...OK
Writing page 41 row 332, a600...OK
Writing page 41 row 333, a680...OK
Writing page 41 row 334, a700...OK
Writing page 41 row 335, a780...OK
Erasing page 42, a800...ERROR [50]

Error updating firmware :(

Remove the jumper/Dupont cable, then reconnect the device to the USB port, and you’re all set! You should now have the latest firmware installed.

Run the ‘i’ command and perform a self-test with the ‘~’ command to ensure everything has gone smoothly.

Buzzpirat firmware for BPv3 hardware

For each firmware version, I also generate a firmware that is 100% compatible with the Bus Pirate v3 hardware.

So, users with the Bus Pirate v3 hardware can benefit from Buzzpirat features:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/stablefirm/bpv3comp

To ensure compatibility with Buzzpirat firmware, you need to install bootloader 4.5

More information on how to update it can be found here:

• http://dangerousprototypes.com/forum/index.php?topic=8498.0

Last community BPv3 firmware & bootloader

Any firmware and bootloader from the original Bus Pirate v3 will work well with Buzzpirat. Here are some that I have tested.

4.5 Bootloader upgrade from v4x:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/oldfirm/BPv3-bootloader-upgrade-v4xtov4.5_Aug-2023_USBEprom.hex

Last community firmware:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/oldfirm/BPv3-firmware-v7.1-JTAG_SAFE_1_Aug-2023_USBEprom.hex

Legacy BPv3 firmware & bootloader

4.4 Bootloader:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/oldfirm/BPv3-Bootloader-v4.4.hex

6.3-r2151 Firmware:

• https://github.com/therealdreg/buzzpirat/tree/main/bin/oldfirm/BPv3-firmware-v6.3-r2151.hex

6 - AVRDude

AVRDude, which stands for AVR Downloader Uploader, is a software utility used for programming the onboard memory of Microchip’s AVR microcontrollers, typically found in popular Arduino boards. This tool allows for the downloading and uploading of data to the chip’s Flash and EEPROM memory. Additionally, when supported by the programming protocol, AVRDUDE can program fuse and lock bits, which are essential for configuring the microcontroller’s settings and security features. A distinctive feature of AVRDUDE is its direct instruction mode. This mode empowers users to send any programming instruction directly to the AVR chip, bypassing the limitations of the software’s built-in functions. This flexibility makes it an invaluable tool for developers working with AVR-based systems, particularly in the Arduino ecosystem, where customization and direct hardware control are often required

Update AVRDude & Buzzpirat

AVRDude supports Buzzpirat out of the box

Ensure you have the latest stable firmware installed; learn how in the Firmware Update section.

Finally, make sure to use the latest development version of AVRDude:

• https://github.com/avrdudes/avrdude/releases

A nice GUI for avrdude is AVRDUDESS:

• https://github.com/ZakKemble/AVRDUDESS
• https://blog.zakkemble.net/avrdudess-a-gui-for-avrdude/

Image avrdudess:

Tutorial Arduino UNO (ATmega328P)

For this case, simply use the official Buzzpirat cables with the female Dupont connector they come with; there’s no need to use SMD IC clips. Connect the Buzzpirat to the Arduino UNO board by attaching the +5v0(SW5V0) to VCC, CS to RESET, MISO to MISO, GND to GND, CLK to SCK, and MOSI to MOSI, ensuring each connection is secure for proper functionality

To detect the AVR chip, run the following command:

avrdude -c buspirate -P COM59 -b 115200 -p m328pb

AVR chip detected is ATmega328PB, which is the microcontroller used in the Arduino UNO board. The output of the command will look like this:

avrdude -c buspirate -P COM59 -b 115200 -p m328pb
attempting to initiate BusPirate binary mode ...
avrdude: paged flash write enabled
avrdude: AVR device initialized and ready to accept instructions
avrdude: device signature = 0x1e9516 (probably m328pb)
avrdude error: did not get a response to power off command

avrdude done.  Thank you.

The command uses the following parameters:

• -c buspirate: Specifies the programmer type. In this case, it’s set to buspirate, indicating that the Buzzpirat is used for programming.

• -P COM59: Specifies the port where the Buzzpirat is connected. The COM port number may vary depending on your system’s configuration. You can find the COM port number by opening the Device Manager in Windows and looking for the Bus Pirate device under the Ports (COM & LPT) section.

• -b 115200: Sets the baud rate for serial communication between the computer and the Buzzpirat to 115200 bits per second. This is a common baud rate for serial communication.

• -p m328pb: Specifies the AVR microcontroller model. In this case, it’s set to m328pb, which is the model used in the Arduino UNO board.

If the AVR chip is detected successfully, you can proceed with programming the chip using the appropriate commands. For example, to upload a HEX file to the chip, you can use the following command:

avrdude -c buspirate -p m328pb -P COM59 -b 115200 -U flash:w:"C:\Users\dreg\Desktop\Blink\build\arduino.avr.uno\Blink.ino.with_bootloader.hex":i

The command uses the following parameter:

• -U flash:w:“C:\Users\dreg\Desktop\Blink\build\arduino.avr.uno\Blink.ino.with_bootloader.hex”:i: Specifies the operation to perform. In this case, it’s set to write (w) the contents of the specified HEX file to the flash memory of the AVR chip. The path to the HEX file should be replaced with the actual path to the file on your system.

How to read flash memory:

avrdude -c buspirate -p m328pb -P COM59 -b 115200 -U flash:r:"C:\Users\dreg\Desktop\dump.hex":i

The command uses the following parameter:

• -U flash:r:“C:\Users\dreg\Desktop\dump.hex”:i: Specifies the operation to perform. In this case, it’s set to read (r) the contents of the flash memory of the AVR chip and save it to the specified HEX file. The path to the output file should be replaced with the actual path on your system.

How to read EEPROM:

avrdude -c buspirate -p m328pb -P COM59 -b 115200 -U eeprom:r:"C:\Users\dreg\Desktop\eeprom_dump.hex":i

The command uses the following parameter:

• -U eeprom:r:“C:\Users\dreg\Desktop\eeprom_dump.hex”:i: Specifies the operation to perform. In this case, it’s set to read (r) the contents of the EEPROM memory of the AVR chip and save it to the specified HEX file. The path to the output file should be replaced with the actual path on your system.

How to read EEPROM binary:

avrdude -c buspirate -p m328pb -P COM59 -b 115200 -U eeprom:r:"C:\Users\dreg\Desktop\eeprom_dump.bin":r

7 - Flashrom

Flashrom is a versatile utility for managing flash chips, capable of identifying, reading, writing, verifying, and erasing them. It’s particularly adept at flashing BIOS/EFI/coreboot/firmware/optionROM images on a variety of hardware, including mainboards, network/graphics/storage controllers, and other programmer devices.

Key features include:

• Support for over 476 flash chips, 291 chipsets, 500 mainboards, 79 PCI devices, 17 USB devices, and a range of programmers via parallel/serial ports.
• Compatibility with parallel, LPC, FWH, and SPI flash interfaces, and various chip packages like DIP32, PLCC32, DIP8, SO8/SOIC8, TSOP32, TSOP40, TSOP48, BGA, and more.
• Operable without physical access; root access is typically sufficient, with some programmers not requiring it.
• No need for bootable media, keyboard, or monitor; capable of remote flashing via SSH.
• Allows flashing within a running system with no immediate reboot required; the new firmware activates on the next boot.
• Supports crossflashing and hotflashing, given electrical and logical compatibility of flash chips.
• Scriptable for simultaneous flashing across multiple machines.
• Faster than many vendor-specific flash tools.
• Portable across various operating systems including DOS, Linux, FreeBSD, NetBSD, OpenBSD, DragonFlyBSD, Solaris-like systems, Mac OS X, and other Unix-like OSes, as well as GNU Hurd. Partial Windows support is available, excluding internal programmer support."

Update Flashrom & Buzzpirat

Flashrom supports Buzzpirat out of the box

Ensure you have the latest stable firmware installed; learn how in the Firmware Update section.

Finally, make sure to use the latest development version of flashrom or our mod:

• Windows mod: https://github.com/therealdreg/flashrom_build_windows_x64
• mod code (For Unix): https://github.com/therealdreg/flashrom-dregmod
• Official repo: https://github.com/flashrom/flashrom

Help

A required dev parameter specifies the Buzzpirat device node and an optional spispeed parameter specifies the frequency of the SPI bus. The parameter delimiter is a comma. Syntax is:

flashrom -p buspirate_spi:dev=/dev/device,spispeed=frequency

where frequency can be 30k, 125k, 250k, 1M, 2M, 2.6M, 4M or 8M (in Hz). The default is the maximum frequency of 8 MHz.

The baud rate for communication between the host and the Buzzpirat can be specified with the optional serialspeed parameter. Syntax is:

flashrom -p buspirate_spi:serialspeed=baud

where baud can be 115200, 230400, 250000 or 2000000 (2M). The default is 2M baud.

An optional pullups parameter specifies the use of the Buzzpirat internal pull-up resistors. This may be needed if you are working with a flash ROM chip that you have physically removed from the board. Syntax is:

flashrom -p buspirate_spi:pullups=state

where state can be on or off.

When working with low-voltage chips, the internal 10k pull-ups of the Buzzpirat might be too high. In such cases, it’s necessary to create an external pull-up using lower-value resistors.

For this, you can use the hiz parameter. This way, the Buzzpirat will operate as an open drain. Syntax is:

flashrom -p buspirate_spi:hiz=state

where state can be on or off.

The state of the Buzzpirat power supply pins is controllable through an optional psus parameter. Syntax is:

flashrom -p buspirate_spi:psus=state

where state can be on or off. This allows the Buzzpirat to power the ROM chip directly. This may also be used to provide the required pullup voltage (when using the pullups option), by connecting the Buzzpirat’s Vpu input to the appropriate Vcc pin.

An optional aux parameter specifies the state of the Buzzpirat auxiliary pin. This may be used to drive the auxiliary pin high or low before a transfer. Syntax is:

flashrom -p buspirate_spi:aux=state

where state can be high or low. The default state is high.

Tutorial Winbond 3v3 64M-BIT w25q64fv board

This board is included in our full kit for practice purposes. You can purchase another one on Aliexpress, Amazon, or eBay.

For this case, simply use the official Buzzpirat cables with the female Dupont connector they come with; there’s no need to use SMD IC clips. Connect the Buzzpirat to the w25q64fv board by attaching the +3v3(SW3V3) to VCC, CS to CS, MISO to DO, GND to GND, CLK to CLK, and MOSI to DI, ensuring each connection is secure for proper functionality

To read the content of a flash memory chip using flashrom with Buzzpirat, execute the following command:

flashrom.exe --progress -V -c "W25Q64BV/W25Q64CV/W25Q64FV" -p buspirate_spi:dev=COM8,spispeed=1M,serialspeed=115200 -r flash_content.bin 

• --progress: This parameter shows the progress of the operation, providing visual feedback in the terminal.
• -V: Stands for ‘verbose’. It increases the verbosity of the program, providing detailed output about the operations being performed. This is useful for debugging or getting more information about the process.
• -c “W25Q64BV/W25Q64CV/W25Q64FV” in flashrom is used to specify the exact model of the flash chip that you intend to interact with. When you run flashrom without the -c parameter, the tool attempts to automatically detect the types of flash memory chips that are present in your system.
• -p buspirate_spi: Specifies the programmer type. In this case, it’s set to buspirate_spi, indicating that the Buzzpirat is used for SPI (Serial Peripheral Interface) programming.
  • dev=COM8: This part of the parameter specifies the device name.

    Warning

    COM8 refers to the COM port where the Buzzpirat is connected. This will vary depending on your system’s configuration. You can find the COM port number by opening the Device Manager in Windows and looking for the Bus Pirate device under the Ports (COM & LPT) section.
  • spispeed=1M: Sets the SPI communication speed to 1 MHz. Adjusting the SPI speed can be necessary depending on the flash chip’s specifications and the quality of the connections.
  • serialspeed=115200: Sets the serial communication speed (baud rate) between the computer and the Buzzpirat to 115200 bits per second. This is a common baud rate for serial communication.
• -r flash_content.bin: This part of the command tells flashrom to read the flash memory’s content and save it into a file named flash_content.bin

The read operation may take about 15 minutes to complete. Once it’s done, you can use a hex editor / binwalk etc to open the flash_content.bin file and inspect its contents.

To write the content of a flash memory chip using flashrom with Buzzpirat, execute the following command:

flashrom.exe --progress -V -c "W25Q64BV/W25Q64CV/W25Q64FV" -p buspirate_spi:dev=COM8,spispeed=1M,serialspeed=115200 -w flash_content.bin 

The difference between the read and write commands is the -w parameter, which tells flashrom to write the content of the flash_content.bin file to the flash memory chip.

Tutorial Winbond 1.8V 64M-BIT W25Q64FW board

After testing with the 3.3V memory, buy a 1.8V Winbond W25Q64FW. Desolder the 3.3V memory and solder the 1.8V one in its place. Ensure the chip’s orientation remains the same as the original one.

For this case, simply use the official Buzzpirat cables with the female Dupont connector they come with; there’s no need to use SMD IC clips. Connect the Buzzpirat to the w25q64fv board by attaching the +1v8(SW1V8) to VCC, CS to CS, MISO to DO, GND to GND, CLK to CLK, and MOSI to DI, ensuring each connection is secure for proper functionality.

flashrom.exe --progress -V -c "W25Q64.W" -p buspirate_spi:dev=COM8,spispeed=30k,serialspeed=115200,pullups=on -r flash_content.bin 

pullups=on means that the pull-ups are activated + the Buzzpirat is in hi-z mode.

The read operation may take about 15 minutes to complete. Once it’s done, you can use a hex editor / binwalk etc to open the flash_content.bin file and inspect its contents.