05 I2C
This mode enables communication over the I2C bus using standard SDA/SCL lines.
It supports device scanning, pinging, register reads/writes, sniffing, and manual instruction sequences.
| Command | Description |
|---|---|
scan |
Scans all I2C addresses (1–126) and lists devices that acknowledge (ACK) |
ping <addr> |
Sends a transmission to the given I2C address and checks for ACK |
identify <addr> |
Attempts to recognize the I2C device based on its address |
sniff |
Passively monitors the I2C bus and displays decoded traffic |
read <addr> <reg> |
Reads a register from a device |
write <addr> <reg> <val> |
Writes a value to a register of the device |
dump <addr> [len] |
Reads a memory block from device (default 256 bytes) |
slave <addr> |
Emulates a slave device at given address and logs I2C master operations |
flood <addr> |
Continuously read data to random register to stress device |
glitch <addr> |
Injects glitches and invalid transitions to test device robustness |
monitor <addr> [ms] |
Continuously monitors I2C register changes on a target device and logs modified values |
eeprom [addr] |
EEPROM shell for working with I2C EEPROM chips (24XX and AT24C) |
jam |
Continuously inject glitches on the bus |
recover |
Attempt to recover the I2C bus by sending 16 clock pulses and a stop condition |
swap |
Swap the SDA/SCL pins |
config |
Configures SDA/SCL pins and I2C frequency (in Hz) |
[0x13 0x4B r:8] ... |
Sends a custom I2C instruction sequence using bytecode-style syntax |
The eeprom [addr] command provides an interactive environment to explore, manage, and erase I2C eeprom chips.
- 🔍 Probe – Detects the connected EEPROM, identifying its size, page size, 1-byte or 2-byte addressing.
- 📊 Analyze – Performs a content analysis: detects file signatures, structured data, secrets, and measures entropy.
- 📖 Read bytes – Reads a sequence of bytes starting at a given address. Supports single or multi-byte reads.
- ✏️ Write bytes – Writes one or more bytes to address, handling page boundaries and write cycles.
- 🗃️ Dump EEPROM – Outputs the entire EEPROM contents in hex dump format.
-
💣 Erase EEPROM – Wipes the chip by writing
0xFFacross all pages. - 🚪 Exit Shell – Leaves the EEPROM shell and returns to the previous menu.
| Model | Capacity | Addressing | Typical Page Size |
|---|---|---|---|
| 24×01 | 1 Kbit | 1-byte | 8 bytes |
| 24×02 | 2 Kbit | 1-byte | 8 bytes |
| 24×04 | 4 Kbit | 1-byte | 16 bytes |
| 24×08 | 8 Kbit | 1-byte | 16 bytes |
| 24×16 | 16 Kbit | 1-byte | 16 bytes |
| 24×32 | 32 Kbit | 2-byte | 32 bytes |
| 24×64 | 64 Kbit | 2-byte | 32 bytes |
| 24×128 | 128 Kbit | 2-byte | 64 bytes |
| 24×256 | 256 Kbit | 2-byte | 64 bytes |
| 24×512 | 512 Kbit | 2-byte | 128 bytes |
| 24×1025 | 1 Mbit | 2-byte | 128 bytes |
| 24×1026 | 1 Mbit | 2-byte | 128 bytes |
| 24×M01 | 1 Mbit | 2-byte | 128 bytes |
| 24×M02 | 2 Mbit | 2-byte | 256 bytes |
- Default I²C address is
0x50, but it can be changed witheeprom [addr]. - Compatible with most 24XX and AT24C series EEPROM chips from Microchip, ST, and others.
- See https://github.com/geo-tp/ESP32-Bus-Pirate-Scripts to dump the content of EEPROM in a file.
-
scanattempts to detect devices by sending start/stop frames across all valid addresses. -
pingis a simpler check for a specific address (e.g.,ping 0x3C) and confirms presence with an ACK. -
identifycan be used to browse known I2C address mappings, even without any device physically connected. -
readperforms a read on the given address and register. -
writeperforms a write to the specified device address and register. -
slaveallows the device to act as an I2C slave for debugging or reverse-engineering master devices. -
dumpattempts a full memory/register read of the device. It tries standard register access first and falls back to raw if unsupported. -
floodis useful to overload or probe device response under sustained pressure. -
glitchinjects abnormal I2C signals to test the target’s error handling capabilities. -
monitorperforms registers dump on the target to compare changes every given ms (default 500)
mode i2c
config # Set pins and frequency
scan # Detect connected devices
identify 0x18 # Identify devices using this address
sniff # Monitor I2C transactions passively
ping 0x3C # Check ACK at address 0x3C
read 0x3C 0x00 # Read register 0x00 from device 0x3C
write 0x3C 0x01 0xFF # Write 0xFF to register 0x01
write 0x3C 0x01 50 # Write 50 to register 0x01
dump 0x3C 128 # Dump 128 bytes from address 0x3C
dump 0x12 # Dump 256 bytes from address 0x12
slave 0x3C # Emulate slave at address 0x3C
flood 0x3C # Stress test device at 0x3C
glitch 0x3C # Inject glitches to address 0x3C
monitor 0x13 # Monitor registers changes every 500ms
monitor 0x13 1000 # Monitor registers changes every 1sec
eeprom # EEPROM shell with default 0x50 address
eeprom 0x58 # EEPROM shell with 0x58 address
recover # Attempt to release SDA from LOW
swap # SDA and SCL swap
[0x3C 0x00 r:4] # Address 0x3C, register 0x00 and read 4 bytes from there