UPDATE: New firmware with JTAG and more

We’re always excited to get a new chip or SIM card to interface, but our enthusiasm is often dampened by the prototyping process. Interfacing any chip usually means breadboarding a circuit, writing code, and hauling out the programmer; maybe even a prototyping PCB.

A few years ago we built the first ‘Bus Pirate’, a universal bus interface that talks to most chips from a PC serial terminal. Several standard serial protocols are supported at 3.3-5volts, including I2C, SPI, and asynchronous serial. Additional ‘raw’ 2- and 3- wire libraries can interface almost any proprietary serial protocols. Since this has been such a useful tool for us, we cleaned up the code, documented the design, and released it here with specs, schematic, and source code.

Concept Overview









The Bus Pirate is a serial terminal bridge to multiple IC interface protocols. We type commands into a serial terminal on the computer. The commands go to the Bus Pirate through the PC serial port. The Bus Pirate talks to a microchip in the proper protocol, and returns the results to the PC.

All pins output 3.3volts, but are 5volt tolerant. On-board 3.3volt and 5volt power supplies are available to power the connected chip. Software configurable I2C pull-up resistors complete the package.

The serial terminal interface works with any system: PC, Mac, Linux, Palm Pilots, WinCE devices, etc; no crapware required. We considered a USB device, but USB isn’t compatible with the huge number of hand-held devices that have a serial port. We also wanted a 3.3volt device with 5volt tolerant inputs, but most popular through-hole USB microcontollers were 5volt parts (e.g. the PIC18Fx550).

The Bus Pirate currently ‘speaks’ three hardware protocols for high-speed interfacing, and has two software protocol libraries for easy bus manipulation. The theory and specification of each protocol is beyond what we can cover here, but check out some of these tutorials:

I2C

A slow 2 wire bus. Wikipedia is a great place to start for I2C background. I2C-Bus.org, Robot Electronics, Embedded Systems Academy, and Embedded.com have decent I2C tutorials.

SPI

A simple 3 wire bus. Wikipedia has background; Embedded.com has a great tutorial and comparison to I2C.

Universal Asynchronous Receiver Transmitter (UART or serial)

A clock and timing dependent serial protocol best known for its appearance as the PC serial port protocol. Wikipedia has background on asynchronous serial protocols.

Raw 2 wire

This is a generic 2 wire protocol library, similar to I2C but without an ACK bit. I2C and many proprietary 2 wire protocols can be formed using the bus manipulations available in this mode. Use this library to work with non-I2C 2 wire devices, like smartcards or Sensirion SHT11 temperature/humidity sensors.

Raw 3 wire

This is a generic 3 wire protocol library, similar to SPI but without the constraints of a hardware module. Use this library to work with devices that use non-8bit compatible 3-wire protocols, like the Sparkfun Nokia 6100 LCD knock-off. Many 3 wire protocols can be formed using the bus manipulations available in this mode.

Hardware

Click for a full size PCB placement image (PNG). Screw terminals connect to the power supplies. A row of seven pin headers connect to the IO pins. Despite the label, only 7volts DC is required.

PIN SPI I2C RS232 B9 MOSI SDA – B8 CLK SCL – B7 MISO – RX B6 CS – TX B5 AUX AUX AUX Ground GND GND GND

This table shows the pin connections for each bus mode. Raw 2 wire mode uses the same pin configuration as I2C. Raw 3 wire mode uses the same pin configuration as SPI.

Click for a full size circuit image (PNG). The circuit and PCB are designed using the freeware version of Cadsoft Eagle. Download the project archive (ZIP).

PIC 24FJ64GA002

We used a PIC24FJ64GA002 microcontroller in the Bus Pirate; this is the same chip we used in our mini-server project. It’s fast enough to do everything we want (16MIPS), and the peripheral pin select feature allows the hardware SPI, UART, and I2C modules to share output pins. Each power pin needs a decoupling capacitor(C12,13), and the MCLR function requires a resistor (R7) between pin 1 and 3.3volts. The PIC has an internal voltage regulator that requires a 10uF tantalum capacitor (C3), though we used a plain electrolytic capacitor without issue. Read about programming and working with this chip in our PIC24F tutorial. If you don’t have a PIC debugger, several readers recommend the under-$40 ICD2 clones on eBay.

The PIC runs at 3.3volts, but the digital-only pins are 5volt tolerant for interfacing 5volt logic. Pins 14,15,16,17,18,21, and 22, are digital only, which we determined by looking through the datasheet and eliminating any pins with an analog connection type (table 1-2, pages 11-16). According to the datasheet, I2C pins are also 5volt tolerant. There’s a bunch of conflicting information on the web, but datasheet page 230, parameter DI28, clearly states that the max input for a 24FJ64GA002 I2C pin without analog circuitry is 5.5volts.

Pins 21 and 22 (RB10/11) can pull-up SDA/SCL through resistors R4 and R5.

MAX3223CPP

This chip converts 3.3volt serial output to +/-10volt RS232 signals compatible with a PC serial port. The MAX3223CPP is a 3-5volt version of the MAX202, with extra power saving features. MAX RS232 transceivers require four 0.1uF capacitors for a charge pump (C4,5,7,8), and one decoupling capacitor (C17). We used the same capacitors for everything.

We used a MAX3223CPP, which doesn’t seem to be available anymore. MAX3223EEPP+ is a pin-compatible newer version, available at Digikey for $7. Ouch! None of the 3223’s power saving features are used, so a cheaper, simpler 3.3volt RS232 transceiver should be substituted if at all possible.

Power supplies

Most chips can be powered from the Bus Pirate’s on-board 3.3volt and 5volt supplies. 5volts is supplied by a common 7805 regulator (VR2) and two decoupling capacitors (C9,10). An LM317 adjustable regulator (VR1) is set to 3.3volts using two resistors (R2,3), and requires two decoupling capacitors (C6,7). The circuit requires a 7-10volt DC supply (J1).

Part list

Firmware

The firmware is written in C using the free demonstration version of the PIC C30 compiler. Learn all about working with this PIC in our introduction to the PIC 24F series. Download the project archive (ZIP).

main.c – Handles the user terminal interface.

busPirate.c – Abstraction routines that convert syntax to actions on the proper bus.

uartIO.c – IO routines for both hardware UARTs.

m_i2c_1.c – Software I2C routines by [Michael Pearce]. We couldn’t get the PIC hardware I2C to work, so we used this helpful library. The software doesn’t take into account the I2C speed setting, and seems to work at about 5KHz.

SPI.c – Routines that drive the hardware SPI module.

raw2wire.c – Software 2-wire interface library.

raw3wire.c – Software 3-wire (SPI) interface library.

User input is held in a 4000 byte buffer until a newline character (enter) is detected. If the first character of the input is a menu option (see below), the menu dialog is shown, otherwise the string is parsed for data to send over the bus (see syntax). The code consists of an embarrassing number of switch statements and spaghetti code.

Terminal interface

Rather than write a junk piece of software to control the device, we gave it a serial command line interface that will work with any ASCII terminal. The bus pirate responds to commands with three digit result codes and a short message. The codes are designed with PC automation in mind. We’ve included a table of result codes in the project archive (zip).

Menu options

Menu options are single character commands that don’t involve data transfers. Enter the character, followed by <enter>, to access the menu.

? – Show a help menu with commands and syntax.

M – Set the bus mode (SPI, I2C, UART, raw 2 wire, raw 3 wire). Followed immediately by a prompt for speed, polarity, and output state (mode dependent).

Bus speeds: SPI:30, 125, 250, 1000KHz. I2C:100, 400, 1000KHz. UART: 300, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200bps. Raw modes: 1, 10, 50KHz.

Inverse clock setting sets the idle state opposite of normal (normal SPI:idle low; normal UART:idle high): SPI:idle high; UART:idle low.

Some modes have optional high-z output modes for use with pull-up resistors (Low=ground, High=input).

L – Toggle bit transmit/receive order: most/least significant bit first.

P – SDA/SCL pin pull-up resistor toggle (3.3volts). Only valid in I2C and raw 2 wire modes.

O – Set number output display format. The terminal can display numbers as decimal, hexadecimal, and binary ASCII values. A fourth format sends the raw, unprocessed byte for reading ASCII formatted text.

Syntax

A simple syntax is used to communicate with chips over a bus. Syntax commands have generic functions that generally apply to all bus types.

A/a/@ – Toggle auxiliary pin. Capital “A” sets AUX high, small “a” sets to ground. @ sets aux to input (high impedance mode) and reads the pin value.

[ – Start data write. SPI/raw 3 wire: chip select enabled. I2C/raw 2 wire: start condition. RS232: open UART, discard received bytes.

{ – Start data write with reads. Same as [, except: SPI/raw 3 wire: show the read byte for each write. RS232: display data as it arrives asynchronously.

] or } – End data write. SPI/raw 3 wire: chip select disabled. I2C/raw 2 wire: stop condition. RS232: close UART.

R/r – Read byte. SPI/raw 3 wire: send dummy byte, return read. I2C: read byte with ACK. Raw 2 wire: read 8 bits. RS232: check UART for byte and return, or fail if empty. Use 0r1…255 for bulk reads up to 255 bytes.

0b – Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001.

0h or 0x – Write this HEX value. Format is 0h01 or 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters.

0-255 – Write this decimal value. Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value.

, or space – Value delimiter. Use a coma or space to separate numbers. Any combination is fine, no delimiter is required between non-number values: {0xa6,0, 0 16 5 0b111 0haF}.

Direct bus manipulation commands for raw 2 wire mode and raw 3 wire mode.

^ – Send one clock tick. Use 0^1…255 for multiple clock ticks.

/ and \ – Toggle clock level high (/) and low (\). Includes clock delay (100uS).

-/_ – Toggle data state high (-) and low (_). Includes data setup delay (20uS).

! – Read one bit with clock.

. – Read data pin state (no clock).

& – Delay 1uS. Use 0&1…255 for multiple delays.

Using it





Here are two examples that show the Bus Pirate in action. Terminals should be set to ASCII mode with local echo, we used the Windows serial terminal. The PC-side serial connection is 115200bps, 8N1. The Bus Pirate should respond to any single line feed type (0x0a, 0x0d), or both (Windows style).

.I2C/SPI – Flash 24LC1025 EEPROM

Microchip’s EEPROMS are popular permanent-storage memory chips, the 24LC1025 has 128Kbytes of storage with an I2C interface. We can test this chip without bread-boarding a big circuit or writing code.

The picture shows an 24LC1025 connected to the Bus Pirate. The EEPROM works from 2.7 to 5volts, so we used the 3.3volt supply from the Bus Pirate to power the circuit. The on-board SDA/SCL pull-up resistors hold the I2C bus high, and eliminate the need for external resistors. A single 0.1uF capacitor decouples the EEPROM from the power supply.

Setup I2C mode

First, we setup the Bus Pirate for I2C mode and enable the pull-up resistors. Since the Bus Pirate currently uses a software I2C library, the speed setting doesn’t really have an effect.

SPI>m <–enter m for mode select

1. SPI

2. I2C

3. UART

4. RAW 2 WIRE

5. RAW 3 WIRE

MODE>2 <–enter 2 for I2C

900 MODE SET

Set speed:

1. 100KHz (Standard)

2. 400KHz (Fast Mode)

3. 1MHz (High Speed)

SPEED>1 <–speed doesn’t really do anything…

901 SPEED SET

202 I2C READY, P/p FOR PULLUPS

I2C>P <–enable the I2C pull-up resistors

205 I2C PULLUP ON

I2C>

Write to EEPROM (I2C)

All I2C operations begin with a start condition { or [, and end with a stop condition } or ]. A write begins by addressing the device (1 byte) and looking for an acknowledgment bit (ACK). If the EEPROM responds, we can send the data location to write (2 bytes) and data payload (n bytes). The Bus Pirate automatically checks for an ACK at the end of each write, and ACKs each read.

The 24LC1025 base address is 1010xxy, where xx is determined by the state of pins 2 and 3, and y is read (1) or write (0) mode. We tied pins 2 and 3 high, making the full write address 1010110. We’ll start writing to the device at the first data location (0 0), and write one to thirteen using a mix of data input formats (1…13).

I2C>{0b10100110 0 0 1 2 3 4 5 6 7 8 9 10 0xb 0xc 13} <–I2C command

210 I2C START CONDITION <–bus start

220 I2C WRITE: 0xA6 GOT ACK: YES <–address sent and ACK received

220 I2C WRITE: 0x00 GOT ACK: YES <–write address

220 I2C WRITE: 0x00 GOT ACK: YES <–write address

220 I2C WRITE: 0x01 GOT ACK: YES <–data

…

220 I2C WRITE: 0x0D GOT ACK: YES

240 I2C STOP CONDITION

I2C>

Read from EEPROM (I2C)

Reading the 24LC1025 takes two steps. First, a write command with no data sets the address pointer. Second, a read command outputs data starting at the location set in step 1.

The first command is a write command, we use the hexadecimal equivalent of the write address (0b10100110 = 0xa6) to save a bit of typing. The address pointer is set to the location where we wrote our data (0 0).

I2C>{0xa6 0 0} <–set write pointer command

210 I2C START CONDITION

220 I2C WRITE: 0xA6 GOT ACK: YES

220 I2C WRITE: 0x00 GOT ACK: YES

220 I2C WRITE: 0x00 GOT ACK: YES

240 I2C STOP CONDITION

With the pointer set, we can start reading data. The read address is the device address, with the last bit set to 1 ( 0b10100111 or 0xa7). We used thirteen r commands to read the data, but we could have used the shorthand version: 0r13.

I2C>{0b10100111 rrrrrrrrrrrrr} <–read command

210 I2C START CONDITION

220 I2C WRITE: 0xA7 GOT ACK: YES <–chip ACKed the read address

230 I2C READ: 0x01 <–data byte 1

230 I2C READ: 0x02 <–data byte 2

…

230 I2C READ: 0x0D <–data byte 13

240 I2C STOP CONDITION

I2C>

We know the operation was a success because the output matches the data we wrote earlier.

UART – EM406 SurfIII GPS

The EM406 is a tiny 5volt GPS module that tracks up to 20 satellites. By default, it outputs NMEA formatted data from a serial port at 4800bps, 8N1. The output format is standard serial, but at 2.8volts it’s incompatible with PC serial ports. The Bus Pirate can interface this GPS without the need for a separate RS232 transceiver or 5volt power supply.

Setup the UART

First, we setup the Bus Pirate UART to receive serial data at 4800bps.

I2C>m <–setup mode

1. SPI

2. I2C

3. UART

4. RAW 2 WIRE

5. RAW 3 WIRE

MODE>3 <–UART

900 MODE SET

Set speed:

(bps)

1. 300

2. 1200

3. 2400

4. 4800

…

9. 115200

SPEED>4 <–4800bps

901 SPEED SET

302 UART READY

UART>

Enable UART and data reads

An important thing to remember about UARTs is that the data arrives asynchronously. Unlike SPI and I2C, where data transfer is controlled by the master, serial data can arrive at the UART at any time. The GPS is a great example of this because it spits out location data continuously, without user intervention.

We developed two read modes to cope with asynchronous data . { echos all incoming data as it arrives. New data will displace and garble data entry, but all input is still accepted normally. [ opens the UART in a send only mode that discards incoming bytes. } or ] closes the UART, regardless of the mode.

UART>{ <–open UART with async reads

310 UART OPEN, } TO CLOSE

330 UART READ: 0x80 <–GPS data

330 UART READ: 0x78

Write to the UART

Type in values to send out the UART. Even if the input is broken up by incoming data, it will be processed on <enter>. We sent 0x40 as an example, but this has no particular meaning to the GPS module.

330 UART READ: 0x80 0x40<–random byte to write

320 UART WRITE: 0x40 <–byte written

Close the UART

“}” followed by <enter> closes the UART.

330 UART READ: 0x78

303 UART READ: 0x60 } <–close UART command

330 UART READ: 0xE6

340 UART CLOSED

UART>

Don’t think you can use this GPS data to track us, we don’t actually get satellite reception down here in mom’s basement.

Taking it further

The Bus Pirate is an important development tool in our lab. We keep updating it as we use it, and we’ll release new firmware as we add protocols and features. Expect to see the Bus Pirate in future articles.

These improvements are at the top of our list. Do you have any suggestions?

New protocols: One Wire, CAN, ???

Controls for polarity and other settings

Adjustable instruction delay

Get hardware I2C module working.

Enable protocol speed settings.

Cheaper, easier to get RS232 transceiver

The project archive (ZIP) has everything you need to build your own Bus Pirate.