Bus Pirate 6 Volume 7 — Protocol Modes II — JTAG/SWD (blueTag), 1-Wire, Smart Card, I²S, IR, LED — Bus Pirate 6 · Hacking

JTAG/SWD pin-find via blueTag, 1-Wire iButton/DS18B20, SLE4442 + ISO 7816 SIMs, I²S audio, IR Toy compat, WS2812/SK6812

Section	Topic
1	About this volume
2	JTAG mode
· 2.1	Pin assignment (TDI, TDO, TCK, TMS, optional TRST)
· 2.2	IDCODE readout
· 2.3	The `bluetag` pin-finder subcommand (cross-ref to Vol 5)
· 2.4	OpenOCD bridging via BBIO
· 2.5	Speed and the C-loop-bit-banged ceiling
3	SWD (ARM serial-wire debug)
· 3.1	SWDIO + SWCLK pin assignment
· 3.2	DPIDR readout
· 3.3	OpenOCD configuration for BP6-as-SWD
4	1-Wire mode
· 4.1	The 1-Wire bus model
· 4.2	DS18B20 temperature sensor walkthrough
· 4.3	iButton (DS19xx) read
· 4.4	DS24xx EEPROM access
· 4.5	Parasite power
5	Smart card mode — SLE4442 via 2-Wire
· 5.1	What an SLE4442 is
· 5.2	The `sle4442` command
· 5.3	PSC authentication (3 attempts before permanent lock)
· 5.4	Reading the 256-byte memory
· 5.5	Protection-bits readout
6	ISO 7816 (full smart card) via the SIM-and-IC-card adapter
· 6.1	HDUART T=0 protocol
· 6.2	ATR (Answer-to-Reset) parsing
· 6.3	SIM file system walk (3F00 / 7F10 / etc.)
· 6.4	GSM 11.11 commands
· 6.5	EMV (bank-card) AID enumeration
7	I²S mode (audio)
· 7.1	Input mode (capturing audio from a target)
· 7.2	Output mode (driving audio to a target DAC)
8	IR mode
· 8.1	TX — generating NEC / RC5 / Sony carrier-modulated frames
· 8.2	RX — capturing IR remote signals
· 8.3	IR Toy compat layer
9	LED mode (addressable RGB driving)
· 9.1	WS2812 / SK6812 (3-wire timing protocol)
· 9.2	APA102 (4-wire SPI-class)
· 9.3	Driving long chains
10	Cheatsheet updates for Vol 12

1. About this volume

The less-frequent protocol modes — the ones you reach for when the daily-driver four from Vol 6 don’t fit the target. JTAG and SWD are the most consequential of these (they unlock the embedded debug world); 1-Wire and the smart-card modes are niche but useful in specific contexts; I²S, IR, and LED are specialty modes for narrow use cases.

This volume builds on Vol 5 (where the bluetag JTAG/SWD pin-finder workflow lives) and Vol 4 (the syntax language). Forward refs to Vol 8 for the adapters that some of these modes need (SIM card adapter, plank designs).

2. JTAG mode

JTAG (Joint Test Action Group, IEEE 1149.1) is the universal embedded-debug protocol — a 4- or 5-wire serial bus for boundary-scan testing, in-circuit emulation, and flash programming. Every modern microcontroller with debug capabilities supports it, even if SWD is the preferred interface on ARM Cortex-M parts.

2.1 Pin assignment (TDI, TDO, TCK, TMS, optional TRST)

JTAG’s 4 mandatory signals + 1 optional:

TCK — test clock (BP6 drives)
TMS — test mode select (BP6 drives; the TAP state machine input)
TDI — test data in (BP6 drives data into the target’s scan chain)
TDO — target data out (target drives data back to BP6)
TRST — test reset (optional; BP6 drives if connected, to reset the TAP state machine without a chip reset)

Default BP6 assignment:

BP6 IO	JTAG signal
IO0	TCK
IO1	TMS
IO2	TDI
IO3	TDO
IO4	TRST (optional)

The mode setup wizard lets you reassign — especially useful after bluetag (Vol 5 § 7) has discovered the actual pinout on an unknown target.

2.2 IDCODE readout

The simplest JTAG transaction: read the target’s IDCODE — a 32-bit identifier the chip returns when the TAP state machine is reset and put into IDCODE-shift mode.

Once you’re in JTAG mode and pins are connected:

JTAG> idcode
TAP-reset sequence...
IDCODE: 0x3BA02477
  IR length: 4 bits
  Vendor: ARM Ltd. (JEP-106 0x4BB)
  Part: Cortex-M3 (variant 3)
  Revision: 3

The vendor / part / revision decode comes from the firmware’s built-in IDCODE database (commands/jtag/idcode.c for the parser, plus an embedded JSON-ish data table of common parts). Coverage: ARM Cortex-M0/M0+/M3/M4/M7/M33, common MIPS / RISC-V / Xtensa cores, Microchip PIC32, NXP LPC, ST STM32 families, TI MSP432, Espressif ESP32 (which is Xtensa + RISC-V depending on variant).

If IDCODE reads back as 0x00000000 or 0xFFFFFFFF, the connection is wrong — TDO is floating high (FF) or actively pulled low (00). Re-check pins or re-run bluetag.

2.3 The `bluetag` pin-finder subcommand (cross-ref to Vol 5)

The full blueTag walkthrough lives in Vol 5 § 7. Brief reminder of where it fits:

bluetag is a JTAG-mode command (lives at commands/jtag/bluetag.c in the firmware tree).
Run it when you have an unknown target and don’t know which pins are JTAG.
Output: identified TCK/TMS/TDI/TDO pin assignments + IDCODE.
Hand off to OpenOCD (§ 2.4) once pins are known.

2.4 OpenOCD bridging via BBIO

The BP6 can act as an OpenOCD JTAG adapter. Once you’ve identified the target’s pinout (manually or via bluetag):

Configure BP6 JTAG mode with the right pin assignment (the bluetag-discovered one, or your manual choice).
At the JTAG prompt, type openocd to enter the OpenOCD bridge sub-mode. The BP6 negotiates to BBIO binary mode on its USB-CDC serial port and waits for OpenOCD on the host.
On the host, run OpenOCD with the BP6 as the programmer:

openocd -f interface/buspirate.cfg -c "buspirate_port /dev/ttyUSB0; buspirate_speed normal; buspirate_vreg 1" -f target/stm32f1x.cfg

(The exact target config file depends on what chip you’re talking to — pick from OpenOCD’s tcl/target/ directory.)

OpenOCD takes over the BBIO session and drives the target’s JTAG TAP for flash programming, register inspection, GDB-server attachment, breakpoint insertion. The BP6 is invisible at this layer — it’s just the JTAG adapter.

2.5 Speed and the C-loop-bit-banged ceiling

JTAG and SWD on the BP6 are bit-banged in C, not PIO-driven (Vol 3 § 5.3 explains why). Practical clock speed: roughly 100-400 kHz depending on the operation. That’s significantly slower than dedicated debuggers:

Adapter	Typical JTAG/SWD clock	Flash program time (1 MB)
BP6 (bit-banged)	100-400 kHz	~60-90 seconds
picoprobe (CMSIS-DAP)	5-15 MHz	~5-10 seconds
Black Magic Probe	~10 MHz	~5 seconds
Segger J-Link	5-50 MHz	~2-3 seconds

For pin-finding and IDCODE recon, the BP6’s speed is fine. For interactive GDB debugging of a running target, it’s slow but usable. For production flash programming, get a real debugger.

3. SWD (ARM serial-wire debug)

SWD is the 2-wire variant of JTAG used on ARM Cortex-M processors. Same conceptual access (read/write debug registers, access memory, set breakpoints, etc.) but on fewer wires — useful when you only have 2 pins of debug header instead of 4-5.

3.1 SWDIO + SWCLK pin assignment

SWD’s 2 signals:

SWCLK — clock (BP6 drives)
SWDIO — bidirectional data (BP6 and target both drive, alternating)

Default BP6 assignment:

BP6 IO	SWD signal
IO0	SWCLK
IO1	SWDIO

SWD is accessed via the JTAG mode in the BP6 firmware — there’s no separate “SWD mode.” The JTAG mode auto-detects whether the target speaks JTAG or SWD when you run bluetag or idcode.

3.2 DPIDR readout

SWD’s IDCODE-equivalent is DPIDR (Debug Port IDentification Register) — a 32-bit value read by sending the SWD “READ DP register 0” sequence.

JTAG> idcode
SWD detected (not JTAG)
DPIDR: 0x2BA01477
  Vendor: ARM Ltd. (JEP-106 0x4BB)
  Designer: ARM
  Part: Cortex-M4 + FPU
  Revision: 2

If DPIDR returns 0x00000000 or 0xFFFFFFFF, the SWDIO line isn’t seeing target activity — check pin assignment, errata-E9 pulldowns (Vol 5 § 7.6), and target power.

3.3 OpenOCD configuration for BP6-as-SWD

SWD support in OpenOCD: same interface/buspirate.cfg, but with transport select swd instead of transport select jtag:

openocd -f interface/buspirate.cfg -c "buspirate_port /dev/ttyUSB0; transport select swd" -f target/stm32f1x.cfg

OpenOCD then talks SWD via the BP6’s bit-banged implementation. Same speed caveats as JTAG.

4. 1-Wire mode

1-Wire is Dallas Semiconductor’s (now Maxim, now Analog Devices) single-wire bus for low-cost sensors and identification chips. Famously used in DS18B20 temperature sensors, iButton authentication, and a long tail of memory / EEPROM / battery-monitor parts.

4.1 The 1-Wire bus model

Electrical:

One data wire (the BP6’s selected IO pin)
Ground (BP6’s GND)
Optional VCC (BP6’s VOUT, or external)

The data wire is held high by a pull-up (the BP6’s internal 10 kΩ is normally adequate); devices on the bus pull it low to communicate. Each device has a unique 64-bit ROM ID burned in at manufacture — you can address one specific device on a multi-device bus by its ID.

Default BP6 pin: IO0 = 1-Wire data.

4.2 DS18B20 temperature sensor walkthrough

The canonical 1-Wire example. DS18B20 reports temperature in 0.0625°C steps over 1-Wire.

Quick read (assuming a single DS18B20 on the bus, using Skip-ROM):

1WIRE> [0xCC 0x44]      # Skip-ROM + Convert-T (start a temperature conversion)
1-Wire reset OK
WRITE: 0xCC
WRITE: 0x44

1WIRE> D:750            # wait 750 ms for conversion (max for 12-bit resolution)

1WIRE> [0xCC 0xBE r:9]  # Skip-ROM + Read-Scratchpad + read 9 bytes
1-Wire reset OK
WRITE: 0xCC
WRITE: 0xBE
READ: 0x91 0x01 0x4B 0x46 0x7F 0xFF 0x0F 0x10 0x4E

The first 2 bytes (0x91 0x01) are the temperature in 16-bit signed fixed-point: 0x0191 = 401 decimal, ÷ 16 = 25.0625°C. Bytes 3-4 are alarm thresholds; byte 5 is the configuration register; bytes 6-8 are reserved; byte 9 is the CRC of the scratchpad.

For a real device-management workflow on a multi-device bus, use Match-ROM (0x55 + 8-byte ROM ID) instead of Skip-ROM to address one specific sensor.

4.3 iButton (DS19xx) read

iButtons are 1-Wire devices in a coin-cell-shaped stainless-steel button. Used for door-access tokens, time-clock badges, and similar identification applications.

Reading an iButton’s ROM ID:

1WIRE> [0x33 r:8]
1-Wire reset OK
WRITE: 0x33
READ: 0x01 0x12 0x34 0x56 0x78 0x9A 0xBC 0xDE

The 8 bytes are: 1-byte family code, 6-byte unique serial, 1-byte CRC. Match against the iButton’s documented family codes (0x01 for DS1990A, 0x14 for DS1971, etc.) to know which kind you have.

4.4 DS24xx EEPROM access

The DS24-series EEPROMs (DS2431, DS2433, DS2434, etc.) are 1-Wire-attached EEPROMs ranging from 1 Kbit to 32 Kbit. Same Match-ROM / Skip-ROM addressing as DS18B20, plus per-chip commands for reading/writing the EEPROM region.

DS2431 (1 Kbit EEPROM) — read scratchpad after writing it:

1WIRE> [0xCC 0x0F 0x00 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08]   # write 8 bytes
1WIRE> [0xCC 0xAA r:11]                                                 # read scratchpad + verification bytes

The exact byte-level protocol varies per part — datasheet for the specific DS24-series chip is the canonical reference.

4.5 Parasite power

A 1-Wire device can operate without a VCC connection — drawing power from the data line during high pulses, storing it in an internal capacitor, and dumping responses when the line goes low.

To enable parasite power on the BP6 side: just don’t connect VOUT/VCC to the device. The pull-up on the data line provides the only power. Some 1-Wire devices (like DS18B20 in 12-bit mode during temperature conversion) draw enough current that the pull-up needs to be temporarily reinforced to a strong pull-up — the BP6 firmware can do this automatically during long conversions if you enable the option in the 1-Wire setup wizard.

For simple iButton reads or DS24-series EEPROM access, parasite power is fine without anything special.

5. Smart card mode — SLE4442 via 2-Wire

The SLE4442 is a low-cost secure-memory smart card with a 2-wire serial interface that looks like I²C but isn’t — the START/STOP timing is custom, requiring its own protocol implementation.

5.1 What an SLE4442 is

A 256-byte memory card with:

32-byte protected area (the first 32 bytes, write-protected by PIN until correct PSC is entered)
224-byte main memory (256 - 32)
3-byte PSC (Personal Security Code) memory
4 protection bits per byte in the protected area (so granular per-byte write protection)

Commercial use: laundry / vending / copier value cards, hotel key cards (older systems), loyalty / membership cards. Cards are read/written through a 5-pin or 6-pin smart-card slot — the SLE4442 uses 5 contacts (VCC, GND, CLK, I/O, RST).

5.2 The `sle4442` command

Enter the BP6’s 2-Wire mode (not I²C mode), then the sle4442 command at the prompt:

2WIRE> m
Mode> 7 (2-Wire)
[wizard prompts, accept defaults]

2WIRE> sle4442
SLE4442 commands:
  sle4442 atr               - read Answer-to-Reset
  sle4442 read              - dump 256-byte memory
  sle4442 read_protection   - dump 32 protection bits
  sle4442 read_psc          - dump 3-byte PSC location (returns 0 if locked)
  sle4442 auth <PSC>        - present PSC (CAREFUL — 3 wrong attempts permanently locks the card)
  sle4442 write <addr> <byte>  - write a byte (requires successful auth)
  sle4442 write_psc <new>   - change PSC (requires successful current auth)

5.3 PSC authentication (3 attempts before permanent lock)

The PSC is a 3-byte (24-bit) password. The card has a 3-attempt failure counter that decrements with each failed auth — when it reaches zero, the card is permanently locked and no further authentication is possible. Writes to protected memory are also impossible after lock.

The BP6 firmware enforces a confirmation prompt before issuing a sle4442 auth command:

2WIRE> sle4442 auth 0x111111
WARNING: You have 2 PSC attempts remaining before permanent lock.
This is attempt 2 of 3 since the last successful auth.
Are you sure? Type "yes" to confirm.
2WIRE> yes
Auth failed. 1 attempt remaining.

This is non-negotiable: blow through 3 failed PSC attempts and the card is bricked.

If you have the correct PSC (e.g., from a card vendor’s spec, or recovered through reverse engineering), sle4442 auth succeeds and the failure counter resets to 3.

5.4 Reading the 256-byte memory

The main 256-byte memory is publicly readable — no PSC required:

2WIRE> sle4442 read
Memory dump:
0000: 02 00 14 4E 7F 70 65 73 12 34 5A B5 24 0C C0 00
0010: ...
...
00F0: ...

The contents are application-defined. For laundry value cards, the first 32 bytes typically encode the remaining balance + a manufacturer signature; for hotel key cards, the format is vendor-specific and often randomized.

5.5 Protection-bits readout

The 32-byte protected area has 4 protection bits per byte, accessed via sle4442 read_protection:

2WIRE> sle4442 read_protection
Protection bits (one nibble per byte of the protected area):
00: F (no writes allowed)  01: F  02: F  03: F  ...  1F: F

F (4 bits set) means “fully protected — no writes.” 0 would mean “all bits writable.” Manufacturers ship cards with all F to lock the factory-programmed identity bytes.

6. ISO 7816 (full smart card) via the SIM-and-IC-card adapter

For real ISO 7816-3 smart cards (banking, SIM cards, secure-element ICs), the BP6 needs the SIM and IC card adapter plank (sold separately by Where Labs; see Vol 8 § 10.3). The plank provides the 5-pin ISO 7816 contact pads + a SIM-card slot, with proper power conditioning and level translation.

6.1 HDUART T=0 protocol

ISO 7816 cards speak the T=0 protocol — a half-duplex serial protocol with the card supplying the clock during reset, then both directions clocking on the same line at a card-defined baud rate (typically derived from a 1-5 MHz card clock, giving baud rates like ~9600).

The BP6 uses HDUART mode (Vol 6 § 3) for this, because the electrical model matches: single-wire half-duplex with the BP6 driving an external pull-up. The card clock comes from the BP6 (driving a separate CLK pin on the adapter) at a configurable rate.

6.2 ATR (Answer-to-Reset) parsing

When a smart card is reset (RST line goes low, then high), it responds with an ATR — a sequence of bytes that identifies the card and tells the reader how to communicate with it. The BP6 reads the ATR and parses it:

HDUART> sim atr
ATR (Answer-to-Reset):
  3B 9F 95 80 1F C7 80 31 A0 73 BE 21 13 67 43 20 0F 90 00

Decoded:
  TS (initial char): 0x3B (direct convention)
  T0: 0x9F (TA1, TB1, TC1, TD1 present; 15 historical bytes)
  TA1: 0x95 (Fi=512, Di=32, baud = clock × 32/512)
  TB1: 0x80
  ...
  Historical bytes: 31 A0 73 BE 21 13 67 43 20 0F 90 00
  Application identifier hint: SIM application

The ATR decoder pulls from the firmware’s built-in EMV/SIM ATR database — most production cards (SIM, EMV, Mifare-ULC, etc.) have known ATR patterns.

6.3 SIM file system walk (3F00 / 7F10 / etc.)

After reset and ATR exchange, the BP6 can navigate a SIM card’s file system. SIM cards use a 3-level hierarchy:

MF (Master File) at address 3F00 — the root
DF (Dedicated File / directory) — e.g., 7F10 (Telecom DF), 7F20 (GSM DF)
EF (Elementary File / data) — e.g., 6F40 (Short Message storage), 6F3A (Abbreviated Dialing Numbers / phone book)

The BP6 firmware exposes this via the sim command:

HDUART> sim select 3F00
SIM> sim select 7F10
SIM> sim select 6F3A
SIM> sim read_record 1
Record 1:
  Name: HOME
  Number: +1-555-1234
  ...

This is enough to dump a SIM’s phone book, recent calls, SMS storage, identification fields (IMSI, ICCID), and any other application data the SIM stores. Pin protection applies — most SIM operations require entering the PIN1 first via sim verify_chv1 <pin>.

6.4 GSM 11.11 commands

GSM 11.11 is the spec that defines the SIM-card command set. The BP6 supports the common subset:

SELECT <fid> — select a file by 16-bit file ID
READ BINARY <offset> <length> — read from an EF
UPDATE BINARY <offset> <data> — write to an EF
READ RECORD <num> — read a record from a record-structured EF
UPDATE RECORD <num> <data> — write a record
VERIFY CHV <chv_no> <pin> — present PIN (CHV1 = PIN1, CHV2 = PIN2)
CHANGE CHV <chv_no> <old> <new> — change PIN
UNBLOCK CHV <chv_no> <puk> <new_pin> — unblock PIN with PUK

Same 3-attempts-and-locked rule applies to SIM PINs: 3 failed PIN1 entries blocks the SIM until you provide the PUK1.

6.5 EMV (bank-card) AID enumeration

EMV cards (chip-and-PIN bank cards) follow a different architecture — file IDs are replaced by Application IDentifiers (AIDs) that select one of several applications (Visa, MasterCard, Amex) on the same physical card.

HDUART> emv enumerate
Selecting PSE (Payment System Environment)...
Found AID: A0 00 00 00 03 10 10 (Visa Credit)
Found AID: A0 00 00 00 04 10 10 (MasterCard Credit)
Found AID: A0 00 00 00 25 01 04 02 (Amex)

Reading an EMV card’s data is read-only for unprivileged tools — the card has cryptographic protections that prevent extracting the actual card number, expiration, or CVV without the issuer’s cooperation. The BP6 can enumerate AIDs, read public-facing data (PAN holder name, expiration date in some cases), and exercise the application-selection protocol for research purposes.

Don’t use this for fraud-related activity. Inheriting from _shared/legal_ethics.md: read-only research on cards you own (your own bank card) is fine; tampering with other people’s cards is criminal.

7. I²S mode (audio)

I²S (Inter-IC Sound) is the standard digital audio bus for connecting an audio codec / DAC / ADC to a host processor. Found on virtually every modern audio chip.

7.1 Input mode (capturing audio from a target)

I²S input requires three signals:

BCLK (bit clock) — the BP6 generates or accepts, depending on master/slave config
LRCLK (left/right clock, also called WS = word select) — same
SD (serial data) — target drives, BP6 reads

When the BP6 is the master (generates BCLK and LRCLK), the target codec sends audio data clocked by the BP6. When the target is the master (BP6 is slave), the BP6 follows the target’s clocks.

Captured data: typically 16-bit or 24-bit signed samples in two channels (stereo). The BP6 can buffer these to the on-board NAND filesystem as raw PCM or WAV files.

Sample rates supported: typical I²S rates from 8 kHz to 192 kHz. Higher rates push the PIO clock; 192 kHz × 24 bit × 2 channels = ~9 Mbit/s sustained, comfortably within PIO’s capability.

7.2 Output mode (driving audio to a target DAC)

Output mode: BP6 generates the audio, target accepts and converts to analog.

Use case: testing an unknown audio codec — feed it a sine wave or a known WAV file from the BP6’s NAND, see if the speaker output matches.

Audio file in /audio/test.wav on the BP6’s NAND filesystem, then:

I2S> play /audio/test.wav
Playing 44.1 kHz 16-bit stereo, duration 5.2s

This is a specialty mode — most BP6 users won’t touch I²S. It exists because the PIO support makes it cheap to implement, and it’s the right answer when you’re bringing up an unfamiliar audio codec.

8. IR mode

The BP6 has an IR LED + IR receiver on a separate small daughterboard or via a probe-connector arrangement (depending on revision). IR mode drives carrier-modulated frames for remote control work.

8.1 TX — generating NEC / RC5 / Sony carrier-modulated frames

Common IR remote-control protocols:

NEC — 38 kHz carrier, 8-bit address + 8-bit command + inverted check
RC5 — 36 kHz carrier, 14-bit frame, Manchester encoding
Sony SIRC — 40 kHz carrier, 12/15/20-bit frames

The BP6 IR mode exposes these as commands:

IR> nec 0x10 0x20      # send NEC frame: address 0x10, command 0x20
IR> rc5 0x14 0x12      # send RC5 frame
IR> sony12 0x21        # send Sony 12-bit frame

The carrier frequency, duty cycle, and bit timing are PIO-managed (Vol 3 § 6.1, irio.pio + rc5.pio).

8.2 RX — capturing IR remote signals

Aim a remote control at the BP6’s IR receiver, press a button, and the BP6 captures the carrier-demodulated frame:

IR> rx
Waiting for IR signal...
Captured: NEC protocol, address 0x10, command 0x20
Raw timing: [start: 9000 µs / 4500 µs] [data: 32 bits, varying]

This is identical functionality to the Flipper Zero’s IR mode (which uses the same irio PIO programs in its firmware) and to the dedicated USB IR Toy.

8.3 IR Toy compat layer

The original Dangerous Prototypes IR Toy was a small USB device with the same IR send/receive capabilities. The BP6 firmware includes a compat layer that lets it speak the same IR-Toy serial protocol — so any software written for the IR Toy (LIRC, etc.) works with the BP6 unchanged.

Enable IR Toy compat via the binmode menu → IR Toy. The BP6’s USB CDC channel then emits IR-Toy-protocol responses.

9. LED mode (addressable RGB driving)

The BP6’s LED mode drives addressable RGB LED chains — WS2812, SK6812, or APA102 — via the probe pins, as a general-purpose chain driver. (This is separate from the on-board 18-LED chain (Vol 2 § 10), which is firmware-managed for status indicators.)

9.1 WS2812 / SK6812 (3-wire timing protocol)

WS2812 / SK6812 use a single data wire with strict 800 kHz bit timing — each bit is 1.25 µs with a high pulse of 0.35 µs (for “0”) or 0.7 µs (for “1”). PIO (Vol 3 § 6.1, ws2812.pio) handles this.

LED> ws2812 count 16     # set chain length to 16 LEDs
LED> ws2812 set 0 0xFF0000   # set LED 0 to red
LED> ws2812 set 1 0x00FF00   # set LED 1 to green
LED> ws2812 update           # flush the buffer to the chain

Or a single command to set a pattern:

LED> ws2812 pattern rainbow 50ms

Default driving pin: IO0. Power the chain from VOUT (set the PSU to 5 V for WS2812; 3.3 V for SK6812 variants depending on the part).

9.2 APA102 (4-wire SPI-class)

APA102 uses a separate clock + data pair (more like SPI than WS2812’s timing-protocol). Pinout:

BP6 IO	APA102 signal
IO0	DI (data)
IO1	CI (clock)

The lack of strict bit timing makes APA102 friendlier for long chains and noisy environments. The BP6 drives APA102 either via PIO or via hardware SPI:

LED> apa102 count 64
LED> apa102 set 0 31 0xFF0000   # LED 0, brightness 31, red

9.3 Driving long chains

WS2812/SK6812 chains beyond ~50 LEDs need careful attention to:

Data signal integrity — the digital signal degrades along the chain; a buffer/repeater every 50 LEDs helps.
Power injection — every 50-100 LEDs, inject fresh 5 V power. The BP6 can supply 500 mA — enough for ~30 LEDs at full white. Longer chains need external power.
Refresh rate — each LED takes 30 µs to clock; 100 LEDs takes 3 ms; 1000 LEDs takes 30 ms (limiting refresh to ~30 Hz).

For long installation work (signage, art installations), the BP6 is a fine development tool but you’ll deploy with a dedicated controller (T1000S, ESP32-based controller, etc.). The BP6 is for bench bring-up and small fixed-LED-count projects.

10. Cheatsheet updates for Vol 12

Items from this volume that belong on the laminate cheatsheet:

JTAG pin assignment: IO0=TCK, IO1=TMS, IO2=TDI, IO3=TDO, IO4=TRST(opt).
JTAG/SWD speed ceiling: BP6 = 100-400 kHz bit-banged. Use J-Link or BMP for fast flash programming.
idcode at JTAG prompt — first thing after pins are connected.
bluetag — pin-find for JTAG/SWD on unknown targets (cross-ref Vol 5 § 7).
openocd at JTAG prompt — hand off to host OpenOCD via BBIO.
SWD via JTAG mode: 2-pin (SWCLK, SWDIO); auto-detected by idcode / bluetag.
1-Wire data on IO0 by default; 10 kΩ pull-up needed (BP6’s internal is fine).
DS18B20 quick read: [0xCC 0x44] D:750 [0xCC 0xBE r:9] — Skip-ROM + Convert + delay + Skip-ROM + Read-Scratchpad.
iButton read: [0x33 r:8] — Read-ROM (8-byte ROM ID).
SLE4442: 2-Wire mode + sle4442 command. PSC = 3 attempts before permanent lock.
SIM/ISO 7816: HDUART mode + sim command, needs SIM+IC card adapter plank. PIN1 = 3 attempts before block.
IR: nec/rc5/sony12 commands; carrier and bit timing PIO-driven.
WS2812 chain: 800 kHz, 1.25 µs/bit; default driver pin IO0; chain length set with ws2812 count.
Sandbox rule on EMV: read-only research on own cards; never tampering on other people’s.

End of Volume 7. Volume 8 picks up with the adapter ecosystem — every cable, every flash adapter, every plank tjscientist owns, plus the broader Where Labs / community plank catalog.

Bus Pirate 6 Volume 7 — Protocol Modes II — JTAG/SWD (blueTag), 1-Wire, Smart Card, I²S, IR, LED

Contents