June 20, 2021

Bus Pirate

If you’re trying to identify a firmware interface so you can interact with an embedded board, the Bus Pirate speaks most of the common protocols (JTAG, SPI, I2C and so on) and lets you talk directly to the debug headers on your DUT (Device Under Test). It’s a handy Swiss Army knife of firmware debugging, and it can also let you pull the firmware off the board and analyze it. It’s about $35 from the fine folks at Dangerous Prototypes, and you can get it from various places like Seeed Studio (and others). Here, I’m using v3.6 with a Linux box.

You have to hook it up correctly to both the JTAG header and your computer, and to do that you have to figure out which Bus Pirate pins map to which function. Here’s what a typical setup looks like:

Here, I’m using an old WRT54G router because I don’t care if I kill it. You should start with a donor board you don’t care about; you’ll feel better if you smoke it that way.

Notice I hooked the ribbon cable coming out of the Bus Pirate up to a header I had to solder onto the WRT54G. My router just had some blank holes, so I got some header pins from Mouser for dirt cheap and soldered them in so I could fit the connector wires on the end of the BP harness onto them. You can do this lots of ways; just make sure your wires make good contact so you don’t get wonky readings.

Here’s a closer look at how I set up those pins. I just took a long strip of those header pins and cut off a chunk based on how many I needed. In this case I cut off 5, then realized I’d put them in the wrong place (on the left), so I cut 6 more and soldered them onto the right-hand header (on the right), plus a single pin for ground on the lower right. This is what happens: you wind up experimenting until you get something working.

Here’s the reference for figuring out which pins you need:

courtesy: mixdown.ca

So if you want to hook up JTAG, you need the four wires listed under JTAG in that table.

Now I power up the Bus Pirate, which runs off my USB port. You can see the red PWR light come on when you plug in the USB cable.

Now go to your Linux machine and connect to the Bus Pirate; I used minicom. You first have to configure minicom, and to do that you need to know which device node your USB-to-serial adapter landed on:

dmesg | tail
[64721.823796] usb 2-2: Product: FT232R USB UART
[64721.823797] usb 2-2: Manufacturer: FTDI
[64721.823798] usb 2-2: SerialNumber: AB0K6CJS
[64721.917076] usbcore: registered new interface driver usbserial_generic
[64721.917203] usbserial: USB Serial support registered for generic
[64721.927534] usbcore: registered new interface driver ftdi_sio
[64721.927985] usbserial: USB Serial support registered for FTDI USB Serial Device
[64721.928162] ftdi_sio 2-2:1.0: FTDI USB Serial Device converter detected
[64721.928530] usb 2-2: Detected FT232RL
[64721.930650] usb 2-2: FTDI USB Serial Device converter now attached to ttyUSB0
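As an added example (not part of the original post), here is a small shell helper that picks the right /dev/ttyUSBn out of dmesg output by matching the FTDI adapter’s SerialNumber line, so a second USB-serial cable on the bench can’t be mistaken for the Bus Pirate. The sample dmesg lines are constructed for the demo, modelled on the output above; AB0K6CJS is the serial number shown there, ZZ99TEST is made up.

```shell
#!/bin/sh
# bp_find_tty [SERIAL]: read dmesg-style text on stdin and print the /dev path of
# the FTDI USB-serial converter that attached. If SERIAL is given, only the
# adapter whose "SerialNumber:" line matches is reported; otherwise the last one
# that attached wins. Exit status 1 when nothing matches.
bp_find_tty() {
    awk -v want="$1" '
    # Extract the "2-2" style bus id from a "usb 2-2:" line.
    function usbid() {
        if (match($0, /usb [0-9][0-9.-]*:/))
            return substr($0, RSTART + 4, RLENGTH - 5)
        return ""
    }
    /usb [0-9][0-9.-]*: SerialNumber: / { serial[usbid()] = $NF }
    /converter now attached to tty/ {
        id = usbid()
        if (want == "" || serial[id] == want) found = "/dev/" $NF
    }
    END { if (found == "") exit 1; print found }
    '
}

# Constructed sample dmesg output for the demo: two FTDI adapters, the first with
# the serial number from the post (AB0K6CJS), the second made up (ZZ99TEST).
BP_SAMPLE_DMESG=$(cat <<'EOF'
[64721.823796] usb 2-2: Product: FT232R USB UART
[64721.823797] usb 2-2: Manufacturer: FTDI
[64721.823798] usb 2-2: SerialNumber: AB0K6CJS
[64721.927534] usbcore: registered new interface driver ftdi_sio
[64721.928162] ftdi_sio 2-2:1.0: FTDI USB Serial Device converter detected
[64721.930650] usb 2-2: FTDI USB Serial Device converter now attached to ttyUSB0
[64790.101010] usb 1-4: Product: FT232R USB UART
[64790.101011] usb 1-4: SerialNumber: ZZ99TEST
[64790.110000] ftdi_sio 1-4:1.0: FTDI USB Serial Device converter detected
[64790.112000] usb 1-4: FTDI USB Serial Device converter now attached to ttyUSB1
EOF
)

# Stand-alone run; on a real box use `dmesg | bp_find_tty AB0K6CJS` instead.
printf '%s\n' "$BP_SAMPLE_DMESG" | bp_find_tty AB0K6CJS   # prints /dev/ttyUSB0
```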

This means your device is /dev/ttyUSB0, so now configure minicom to use it:

sudo minicom -s
+-----[configuration]------+
| Filenames and paths      |
| File transfer protocols  |
| Serial port setup        |
| Modem and dialing        |
| Screen and keyboard      |
| Save setup as dfl        |
| Save setup as..          |
| Exit                     |
| Exit from Minicom        |
+--------------------------+
Serial port setup
 +-----------------------------------------------------------------------+
 | A -    Serial Device      : /dev/ttyUSB0                              |
 | B - Lockfile Location     : /var/lock                                 |
 | C -   Callin Program      :                                           |
 | D -  Callout Program      :                                           |
 | E -    Bps/Par/Bits       : 115200 8N1                                |
 | F - Hardware Flow Control : No                                        |
 | G - Software Flow Control : No                                        |
 |                                                                       |
 |    Change which setting?                                              |
 +-----------------------------------------------------------------------+
Save setup as dfl

Okay, if it saved, minicom will load that profile the next time you run it. If all this worked, you’ll get the HiZ> prompt, which means you’re talking to your Bus Pirate! After that, just press ? and it will list the commands you can use:

sudo minicom
[sudo] password for user: 
Welcome to minicom 2.7.1              
 
OPTIONS: I18n                   
Compiled on May  6 2018, 08:02:47.    
Port /dev/ttyUSB0, 22:54:32                   
Press CTRL-A Z for help on special keys  
 
General                                 Protocol interaction  
---------------------------------------------------------------------------
This help                       (0)     List current macros          
=X/|X   Converts X/reverse X            (x)     Macro x                          
~       Selftest                        [       Start                     
#       Reset                           ]       Stop                
$       Jump to bootloader              {       Start with read              
&/%     Delay 1 us/ms                   }       Stop          
a/A/@   AUXPIN (low/HI/READ)            "abc"   Send string        
b       Set baudrate                    123
c/C     AUX assignment (aux/CS)         0x123
d/D     Measure ADC (once/CONT.)        0b110   Send value
f       Measure frequency               r       Read
g/S     Generate PWM/Servo              /       CLK hi
h       Commandhistory                  \       CLK lo
i       Versioninfo/statusinfo          ^       CLK tick
l/L     Bitorder (msb/LSB)              -       DAT hi
m       Change mode                     _       DAT lo
o       Set output type                 .       DAT read
p/P     Pullup resistors (off/ON)       !       Bit read
s       Script engine                   :       Repeat e.g. r:10
v       Show volts/states               .       Bits to read/write e.g. 0x55.2
w/W     PSU (off/ON)            <x>/<x= >/<0>   Usermacro x/assign x/list all

First, determine which protocol you want to use and set it up. Since the WRT54G uses JTAG, we set that up:

HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)

JTAG wasn’t listed in my menu, so I had to update the firmware on the Bus Pirate. To do that, I cloned the git repository:

git clone https://github.com/BusPirate/Bus_Pirate.git

Then you have to download Microchip’s MPLAB X IDE to program the Bus Pirate with your updated firmware.

sudo apt install libxext6:i386 libx11-6:i386 libexpat1:i386
cd /path/where/you/downloaded/the/installer
tar -xf MPLABX-v5.35-linux-installer.tar
sudo ./MPLABX-v5.35-linux-installer.sh

It should show a GUI installer; just step through the prompts. Once it has finished, you can flash the new firmware. First, from your minicom session, put the Bus Pirate into its bootloader:

HiZ>$
Are you sure? y
BOOTLOADER

Now open another terminal and run:

cd package/BPv3-firmware/
sudo chmod +x ./pirate-loader_lnx
sudo ./pirate-loader_lnx --dev=/dev/ttyUSB0 --hex=BPv3-firmware-v6.3.something.hex
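pirate-loader writes whatever .hex file you hand it, so a truncated download or a wrong file can leave the Bus Pirate stuck in the bootloader. As an added example (not part of the original post or the Bus Pirate project), here is a shell check that validates the Intel HEX records (checksum, byte count, EOF record) before flashing. The sample images are constructed for the demo and are not Bus Pirate firmware.

```shell
#!/bin/sh
# ihex_check FILE: validate an Intel HEX image before handing it to pirate-loader.
# Every record must start with ':', contain only hex digits, have a byte count that
# matches its length, and sum to zero mod 256 (the Intel HEX checksum); the file
# must end with an EOF record (type 01). Prints the first problem and returns 1.
ihex_check() {
    awk '
    function hexval(s,   i, v, c) {          # parse a hex string, -1 if not hex
        v = 0; s = toupper(s)
        for (i = 1; i <= length(s); i++) {
            c = index("0123456789ABCDEF", substr(s, i, 1)) - 1
            if (c < 0) return -1
            v = v * 16 + c
        }
        return v
    }
    function fail(msg) { print msg " at line " NR; bad = 1; exit }
    /^[ \t\r]*$/ { next }                      # tolerate blank lines
    {
        sub(/\r$/, "")                         # tolerate CRLF line endings
        if (substr($0, 1, 1) != ":") fail("record does not start with colon")
        body = substr($0, 2)
        if (length(body) < 10 || length(body) % 2) fail("odd or short record")
        sum = 0
        for (i = 1; i <= length(body); i += 2) {
            b = hexval(substr(body, i, 2))
            if (b < 0) fail("non-hex character")
            sum = (sum + b) % 256
        }
        if (sum != 0) fail("checksum mismatch")
        count = hexval(substr(body, 1, 2))     # byte count field
        if (length(body) != 2 * (count + 5)) fail("byte count mismatch")
        if (hexval(substr(body, 7, 2)) == 1) eof = 1   # record type 01 = EOF
    }
    END { if (bad) exit 1; if (!eof) { print "missing EOF record"; exit 1 } }
    ' "$1"
}

# Constructed sample images for the demo (not Bus Pirate firmware): the same three
# records, with one checksum nibble flipped in the second file.
IHEX_DIR=$(mktemp -d)
printf '%s\n' ':020000040000FA' ':10010000214601360121470136007EFE09D2190140' ':00000001FF' > "$IHEX_DIR/good.hex"
printf '%s\n' ':020000040000FA' ':10010000214601360121470136007EFE09D2190141' ':00000001FF' > "$IHEX_DIR/bad.hex"

# Stand-alone run. For real use, flash only when the check passes:
#   ihex_check the-firmware.hex && sudo ./pirate-loader_lnx --dev=/dev/ttyUSB0 --hex=the-firmware.hex
ihex_check "$IHEX_DIR/good.hex" && echo "good.hex ok"
ihex_check "$IHEX_DIR/bad.hex" || echo "bad.hex rejected"
```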