Bus Pirate 6 · Volume 12
Bus Pirate 6 Volume 12 — Cheatsheet (the Laminate-Ready Field Card)
One-pagers — syntax language, mode quick-ref, flash pinout, JTAG/SWD blueTag, smart-card commands, troubleshooting flowchart
Contents
1. About this cheatsheet
Laminate-printable single-sheet reference for the Bus Pirate 6 REV2. Distilled from Vols 2-11 — each section here is the field-grade version of an engineer-grade walk in the body of the series. Print double-sided, laminate, drop in the bench kit.
If a section’s content was deeper than fits here, this card is the decision tree; refer back to the corresponding volume for the full walk.
2. Top-level commands quick-ref
Valid in any mode. Single-character mnemonics; case matters (upper/lower = on/off, set/read).
? help (mode-aware) W <V> PSU set + enable (1.0-5.0 V)
?? verbose help w PSU disable
i device info V voltage continuous read
m mode select v voltage snapshot
c config (color/lang/LED) P pull-ups enable
# reset (also line-comment) p pull-ups disable
$ jump to bootloader a AUX low
~ self-test A AUX high
@ AUX read
o output format = convert (bin/dec/hex/ASCII)
l bit order LSB-first | reverse bits
L bit order MSB-first f freq one-shot
F freq continuous
binmode binary mode menu g PWM start
G PWM stop
ls list NAND directory cd <dir> change directory
mkdir <dir> create directory rm <file> delete file
cat <file> print file to terminal format re-init NAND filesystem3. Syntax language quick-ref
Inside a mode. Compact protocol-agnostic language for transactions.
[ ... ] transaction (START + STOP / CS-low + CS-high / 1-Wire reset)
> execute without START (continuation)
0x55 hex literal
0b1010 binary literal
123 decimal literal
"abc" ASCII string literal
r read 1 byte (or 1 bit, mode-dependent)
r:N read N bytes
:N repeat previous token N times
d delay 1 µs
d:N delay N µs
D delay 1 ms
D:N delay N ms
0x5a.4 write low 4 bits of 0x5a
r.4 read 4 bits (return 0-15)
# line comment (Apr 2026+)
<space> numeric separatorWorked examples:
I²C: [0x90 r:4 0x91 r:4] START + write addr / read 4 / write addr / read 4 / STOP
SPI: [0x9F r:3] CS-low + write 0x9F (JEDEC ID) + read 3 / CS-high
UART: [ "HELLO\r\n" r:8 ] write greeting / read up to 8 bytes
1-Wire: [0x33 r:8] reset + Read-ROM + read 8 bytes255-char line limit. Bracket transactions must balance.
4. Protocol mode quick-ref
Mode # Mode name Default pins (IO0..IO7)
1 HiZ (all high-Z, safe)
2 1-WIRE IO0 = DATA
3 UART IO0 = TX, IO1 = RX
4 HDUART IO0 = single-wire bidir
5 I²C IO0 = SDA, IO1 = SCL
6 SPI IO7=MOSI, IO6=CLK, IO5=CS, IO4=MISO, IO3=WP, IO2=HOLD
7 2WIRE (SLE4442 smart card)
8 3WIRE (Microwire 93-series EEPROM)
9 DIO (raw GPIO bit-bang)
10 LED (WS2812/SK6812 chain on IO0)
11 INFRARED (IR LED + RX sensor)
12 JTAG IO0=TCK, IO1=TMS, IO2=TDI, IO3=TDO, IO4=TRST (and SWD via blueTag)5. SPI flash adapter pinout
All three flash adapters (WSON8 / DIP8 / SOP8) share this pinout.
| BP6 IO | Flash chip pin | Function | Cable color |
|---|---|---|---|
| IO7 | 5 | MOSI / DI | White |
| IO6 | 6 | CLK | Gray |
| IO5 | 1 | CS | Brown |
| IO4 | 2 | MISO / DO | Purple |
| IO3 | 3 | WP | Blue |
| IO2 | 7 | HOLD | Green |
| VOUT | 8 | VCC | Red |
| GND | 4 | GND | Black |
Adapter decision:
- SOIC-8 (lead-bearing) → SOP8 adapter for desoldered; Pomona 5250 (150 mil) or 5252 (208 mil) for in-circuit.
- DIP-8 (through-hole) → DIP8 adapter.
- WSON-8 / DFN-8 (lead-less) → WSON8 adapter, desolder required.
6. Probe header + AUX header + cable colors
Main probe header (TJC8A 10-pin keyed locking):
| Pin | Function | Cable color |
|---|---|---|
| 1 | VOUT | Red |
| 2 | IO0 | Orange |
| 3 | IO1 | Yellow |
| 4 | IO2 | Green |
| 5 | IO3 | Blue |
| 6 | IO4 | Purple |
| 7 | IO5 | Brown |
| 8 | IO6 | Gray |
| 9 | IO7 | White |
| 10 | GND | Black |
AUX header (9-pin 1 mm SH, J302) — parallel tap, no VOUT:
| Pin | Function |
|---|---|
| 1-8 | IO0-IO7 |
| 9 | GND |
Cable color → IO is hardware-fixed. IO → protocol role is mode-dependent. No universal “brown = CS” rule.
7. I²C address ranges + common chips
| Range | Common chips |
|---|---|
| 0x0E-0x0F | accelerometers (LIS3DH, etc.) |
| 0x18-0x1F | temperature sensors (LM75, TMP-class) |
| 0x20-0x27 | I²C GPIO expanders (PCF8574, PCA9554) |
| 0x28-0x2F | OLED displays (SSD1306, SH1106) |
| 0x3C-0x3D | OLED displays (alternate) |
| 0x48-0x4F | TMP102, ADS1115, GPIO expanders |
| 0x50-0x57 | 24-series EEPROMs and DDR4/5 SPD-Hub |
| 0x68 | DS1307/3231 RTC, MPU-6050/9250 IMU |
| 0x76-0x77 | BMP280/BME280 pressure |
Address byte = (addr << 1) | R/W. 0x50 with W=0 is 0xA0; with W=1 is 0xA1.
Quick scan: m → I²C → scan → list of ACKed addresses.
24-series EEPROM read: eeprom read <addr> <subaddr> <bytes>. Page write delay = 5 ms.
8. UART baud guesses + serial defaults
Most likely baud rates, in descending order:
115200 most modern bootloaders
9600 older / embedded / industrial
57600
38400
19200
460800 some fast bootloaders
230400
4800
2400
1200
300 ancient (rare; tape modems, some sensors)Defaults: 8N1, idle-high. Cross-wire TX↔RX with target.
MIDI = UART 31250 8N1.
Bridge mode (BP6 as USB-UART converter): enter UART mode, type bridge. Exit with ~. or similar (firmware-specific).
9. JTAG / SWD blueTag cheatsheet
Procedure:
- Power target (BP6 PSU or external).
- Connect BP6 IO0-IO7 to candidate pins on target debug header.
- Connect GND.
m→ JTAG (mode 12).bluetag- Wait 5-30 seconds.
- Output reports JTAG or SWD pin assignment + IDCODE/DPIDR.
OpenOCD handoff (after bluetag identifies pinout):
- Reconfigure JTAG mode with discovered pin assignment.
openocdat JTAG prompt — enters BBIO bridge mode.- On host:
openocd -f interface/buspirate.cfg \
-c "buspirate_port /dev/ttyUSB0; buspirate_speed normal; buspirate_vreg 1" \
-f target/<chip>.cfgFor SWD instead of JTAG: add -c "transport select swd".
Common IDCODEs:
0x0BA01477— Cortex-M0/M0+0x3BA02477— Cortex-M30x4BA00477— Cortex-M40x4BA02477— Cortex-M7
If bluetag returns “no interface found”: try adding external 4.7-10 kΩ pulldown to GND on suspect SWDIO pin (RP2350 errata E9 mitigation; Vol 11 § 5.3).
Speed: BP6 JTAG/SWD is bit-banged 100-400 kHz. For fast flash programming, use J-Link or BMP — BP6 is for recon, not production debug.
10. Smart card commands (SLE4442 + SIM + EMV)
SLE4442 (memory cards — laundry, vending, hotel keys):
2WIRE> sle4442 read dump 256 bytes (no auth)
2WIRE> sle4442 read_protection protection-bits readout
2WIRE> sle4442 auth 0xXXXXXX present PSC (3 attempts before permanent lock!)
2WIRE> sle4442 write <addr> <byte> (after successful auth)⚠ Three failed PSC attempts permanently locks the card. Confirmation prompt enforced.
ISO 7816 / SIM (with SIM and IC card adapter plank):
HDUART> sim atr reset + parse ATR
HDUART> sim select <fid> navigate to file ID
HDUART> sim verify_chv1 <pin> present PIN1 (3 attempts → blocked)
HDUART> sim read_record <num> read record-structured EF
HDUART> sim read_binary <off> <len> read transparent EFCommon SIM file IDs:
3F00— MF (master file / root)7F10— DF Telecom7F20— DF GSM6F3A— EF ADN (phone book)6F40— EF SMS storage6F07— IMSI2FE2— ICCID
EMV (bank cards):
HDUART> emv enumerate list available AIDs
HDUART> emv select <aid> select an application
HDUART> emv read_records read public SFI/record data⚠ Legal: read-only research on own cards is fine; tampering with third-party cards is criminal.
11. DDR5 / DDR4 SPD recipe
For offline DIMM SPD read (forensic identification, custom-timing experimentation).
Setup: DDR5 SPD I²C adapter plank, BP6 → I²C mode (100 / 400 kHz).
Commands:
I2C> scan confirm SPD-Hub at 0x50 (or 0x50-0x57 if multiple)
I2C> ddr5 full 1 KB SPD payload read + parse
I2C> ddr4 sibling for DDR4 (512-byte payload)Decoded output includes: manufacturer (JEP-106), part number, serial, date code, capacity, speed grade, CAS latency, XMP / EXPO profiles.
Most production DIMMs are SPD write-locked — write-back attempts ACK but discard. Only “tweaker” SKUs have unlocked SPDs.
12. Binary mode entry sequences
BBIO (legacy, for flashrom / avrdude / pyBusPirateLite):
On first USB-CDC port, send 0x00 × 20.
Expect banner: BBIO1
Then: 0x01 = SPI, 0x02 = I²C, 0x03 = UART, 0x04 = 1-Wire, 0x05 = raw.
0x0F = exit BBIO.Host-side example:
flashrom --programmer buspirate_spi:dev=/dev/ttyACM0,spispeed=4M -r dump.bin
avrdude -p atmega328p -c buspirate -P /dev/ttyACM0 -U flash:r:dump.hex:iBPIO2 (modern, FlatBuffers + COBS):
At BP6 CLI: binmode → option 2.
Switches second USB-CDC port to BPIO2.
First port stays at CLI — no conflict.
Schema: bpio.fbs in DangerousPrototypes/BusPirate-BPIO2-flatbuffer-interface.SUMP (for PulseView):
binmode → option 3.
PulseView: add Openbench Logic Sniffer device, point at second USB-CDC.13. Firmware update procedure
- Get a UF2 from one of:
firmware.buspirate.com/downloads(tagged releases, rare)forum.buspirate.com/t/bus-pirate-5-auto-build-main-branch/20(last page = latest auto-build)- Build from source:
docker-compose run --rm buildin the firmware repo
- Enter BOOTSEL on the BP6: type
$at CLI OR hold BOOTSEL button while plugging in USB. - The
RPI-RP2USB mass-storage drive appears on the host. - Drop the UF2 (
bus_pirate6_rev2.uf2) onto the drive. - BP6 reboots into the new firmware.
Wrong UF2 (e.g., BP5 UF2 on BP6) = red blink fault. Not bricked — BOOTSEL is mask-ROM. Re-flash with correct UF2 to recover.
Build target names: bus_pirate5_rev8 / bus_pirate5_rev10 / bus_pirate5_xl / bus_pirate6_rev2.
14. Common gotchas
| Symptom | Likely cause | Fix |
|---|---|---|
No I²C devices found by scan | Pull-ups off | P to enable pull-ups |
| SPI flash returns 0xFF for everything | Chip not powered, or WP/HOLD held low | Power chip; verify WP/HOLD tied high (or use adapter PCM12 switches) |
flash command can’t identify chip | Unsupported manufacturer/device ID | Fall back to flashrom (BBIO mode) |
| UART output is gibberish | Wrong baud rate | Try 9600, 57600, 115200 in sequence |
bluetag returns no JTAG/SWD | Errata E9 pulldown issue, or no debug interface present | Try external 4.7-10 kΩ pulldown to GND on suspect SWDIO |
| SLE4442 not responding | Wrong mode (must be 2-Wire, not I²C) | m → 2-Wire |
| BP6 PSU sags below set voltage | Target drawing > 500 mA | Reduce target load or use external PSU |
| Status bar shows wrong pin voltages | CD4067 mux config issue (rare) | Reset BP6, re-enter mode |
| BP6 not enumerating as USB | USB-C cable damaged or power-only | Try a different cable |
| Pomona clip slipping off SOIC | Worn-out spring | Replace clip — knockoffs wear out after ~50 cycles |
| Bus capacitance breaking high-speed I²C | Bus too loaded for internal pull-ups | Add external 2.2-4.7 kΩ pull-ups |
| Firmware seems frozen | Could be in BBIO/BPIO2 mode | Send 0x0F + Enter, or reset |
15. Troubleshooting flowchart
SYMPTOM: BP6 not responding to anything
├── Is the LCD on?
│ ├── No → USB-C cable bad? Try another / try BOOTSEL hardware button
│ └── Yes → Continue
├── Is the prompt responsive in terminal?
│ ├── No → Might be in binary mode. Send 0x0F + Enter, or reset
│ └── Yes → Continue
└── Are commands echoing but operations failing?
├── No power to target? → `W <V>` to enable PSU
├── Wrong mode? → `m` → correct mode
├── Pin assignment wrong? → Re-run mode setup wizard
├── Pull-ups state wrong? → `P` (I²C, 1-Wire need them; SPI/UART/JTAG don't)
└── Bus speed too fast? → Reduce in mode wizard
SYMPTOM: Flash chip dump returns all 0xFF or all 0x00
├── Chip not powered → confirm VOUT to chip pin 8 (or use `v` to verify)
├── WP / HOLD floating → confirm tied high (use adapter PCM12 switches or pull-ups)
├── CS not asserting → `[` should drive CS low; verify with `v` while in transaction
└── Mode 0 vs other → try CPOL/CPHA cycle (modes 0, 1, 2, 3)
SYMPTOM: JTAG/SWD pin-find fails
├── Target not powered → enable PSU at correct voltage
├── Wrong probes connected → reconfirm 4-8 BP6 IOs to candidate target pins
├── Errata E9 → add external 4.7-10 kΩ pulldown to suspect SWDIO
└── Chip debug-locked → some chips are fused to disable JTAG/SWD; no recovery
SYMPTOM: Build from source fails
├── Pico SDK submodule not initialized → git submodule update --init --recursive
├── arm-none-eabi-gcc not found → install + add to PATH
├── Windows-specific → use Docker compose
└── tinyusb missing → manual clone (Vol 11 § 2.4)16. Resources
Documentation:
- BP6 hardware docs:
docs.buspirate.com/docs/hardware/bp6rev2/hardware/ - Firmware reference:
firmware.buspirate.com - Command reference:
docs.buspirate.com/docs/command-reference/commands/ - BPIO2 schema:
github.com/DangerousPrototypes/BusPirate-BPIO2-flatbuffer-interface
Firmware repo: github.com/DangerousPrototypes/BusPirate5-firmware
Auto-build UF2 thread (last page = latest): forum.buspirate.com/t/bus-pirate-5-auto-build-main-branch/20
Shop (cables, adapters, planks): shop.buspirate.com
BP6 unit (sole worldwide source as of mid-2026): dirtypcbs.com/store/designer/details/ian/6667/bus-pirate-6-rp2350b-with-enclosure
Forum / community: forum.buspirate.com
Within the Hack Tools project:
- Vol 1 — Overview and decision tree
- Vol 2 — Hardware schematic-grade walk
- Vol 3 — Firmware architecture
- Vol 4 — Syntax language
- Vol 5 — Power and probing
- Vol 6 — UART / HDUART / I²C / SPI
- Vol 7 — JTAG/SWD / 1-Wire / smart card / I²S / IR / LED
- Vol 8 — Adapter ecosystem
- Vol 9 — Workflows (flash dump / EEPROM / JTAG / DDR5 SPD / smart card)
- Vol 10 — BBIO + BPIO2 + Python automation
- Vol 11 — Building from source + custom firmware + ops hygiene
Cross-tool decision matrix: ../../_shared/comparison.md. Sortable: ../../_shared/capability_matrix.html.
End of the Bus Pirate 6 deep dive. tjscientist’s unit: REV2, RP2350B, S/N 51A99629A9BF944F, firmware 93aefde (2026-04-07). Series authored 2026-05-12.