ESP32 Bit Pirate

ESP32-S3 Sub-GHz and CC1101 debugging

CC1101 Sub-GHz capture and replay

ESP32 Bit Pirate turns a compatible ESP32-S3 board plus a CC1101 module into a Sub-GHz signal debugging workbench. Use it to wire the radio, scan RSSI, sweep frequencies, receive frames, trace raw pulses, record signals to LittleFS and load Flipper-style .sub files.

Sub-GHz radio debugging visual with an ESP32 board, CC1101 module, antenna and radio wave activity

Quick Sub-GHz workflow

Start with wiring and passive discovery. Only move to receive, record, load or transmit-style checks when the module, antenna, frequency and legal test context are clear.

  1. 01

    Wire the CC1101 module with SPI, chip select, GDO0, 3.3 V power and common ground.

  2. 02

    Open SubGHz mode, confirm the pin mapping and set a frequency that matches your own test device or lab signal.

  3. 03

    Use scan, sweep or waterfall to find activity before trying to receive a frame.

  4. 04

    Use receive and trace to inspect payloads, raw pulses or likely encoding details.

  5. 05

    Use record, load, ear and LittleFS file workflows when a signal needs to be reused or inspected in an authorized bench test.

mode subghz
config
setfrequency
scan
sweep
waterfall
receive
trace
record
load
ear

Example CLI flow. See the SubGHz wiki for exact syntax, CC1101 pin prompts, supported commands and firmware-specific behavior.

Sub-GHz workflows covered by ESP32 Bit Pirate

Use this overview to choose the right CC1101 and Sub-GHz workflow before opening a detailed recipe.

Wire

CC1101 module setup

Connect SPI, chip select, GDO0, 3.3 V and ground, then confirm the selected board exposes safe GPIOs for the radio module.

Scan

RSSI peak discovery

Use scan, sweep or waterfall to check whether a known band has visible activity before decoding or recording anything.

Sweep

Frequency activity map

Sweep a frequency range to locate useful areas for a known own transmitter, remote, sensor or lab generator.

Receive

Frame capture and analysis

Receive frames, inspect likely encoding and use trace workflows when a simple decoded result is not enough.

Record

LittleFS signal storage

Record symbols or raw timing into device storage so a working bench capture can be reused later.

.sub

Flipper-style file workflows

Upload and load compatible .sub files for repeatable CC1101 playback tests on systems you own or are allowed to test.

When an ESP32-S3 Sub-GHz workbench helps

Sub-GHz debugging is usually about confirming hardware, frequency, signal quality and file handling before building a custom radio workflow.

Unknown activity

Before trying a decoder

Use scan, sweep or waterfall first to confirm that the antenna and CC1101 are seeing real activity on the expected band.

Known own device

Before recording a signal

Use receive and trace against a device you own or are explicitly authorized to test, then decide whether recording is useful.

File workflow

Before repeating manual tests

Use LittleFS and compatible .sub files when the same signal needs to be loaded across multiple sessions; reserve send, replay, jam or bruteforce-style transmit tests for legal, controlled lab targets only.

CC1101 hardware reminders

These notes stay short. The detailed command references live in the project documentation and firmware repository.

3.3 V logic

Use 3.3 V power and logic-compatible wiring. Do not feed 5 V logic directly into ESP32 GPIO or CC1101 signal pins.

SPI plus GDO0

The module needs SPI wiring plus the interrupt/data signal expected by the firmware. Check board-specific pins before testing.

Antenna

Use an antenna matched to the test band. A missing or wrong antenna can make scan and receive results look broken.

Frequency and region

Choose frequencies that match your local regulations and your own test device. The page is intended for authorized lab work.

Storage

Record and load workflows use LittleFS, so confirm available space and file names before relying on a saved capture.

Common Sub-GHz problems

Most CC1101 failures come from wrong pin mapping, missing ground, weak antenna, frequency mismatch, bad power or trying to decode before confirming RSSI activity.

No module

Check 3.3 V, ground, SPI pins, chip select and GDO0. Start from the CC1101 wiring recipe before scanning.

No activity

Confirm the frequency, antenna, distance and transmitter state. Try scan or sweep before receive.

Bad receive

Move closer, reduce noise, confirm the exact band and use trace when the decoded frame does not look stable.

File not found

Upload the .sub file to the expected LittleFS location, keep names simple and confirm it appears before loading.

Desktop tool mismatch

Use the SubGHz Raw CDC adapter only when a simple USB serial transport is the right fit for the external tool.

Board choice for Sub-GHz

For integrated CC1101 workflows, use a T-Embed CC1101 firmware target. For an external CC1101 module on raw pins, use a GPIO-friendly board and verify the SPI/GDO mapping first.

Detailed Sub-GHz recipes

These pages are the task-level CC1101 and Sub-GHz workflows. This overview keeps the protocol-level guidance here, while each recipe covers setup, commands and troubleshooting in detail.

Useful Sub-GHz references

This page is a protocol overview. Use the site index for the full web experience, or GitHub for source code, firmware documentation and the SubGHz command reference.

Flash ESP32 Bit Pirate

Flash a supported ESP32-S3 board before testing Sub-GHz mode from the browser.

Open Web Flasher

SubGHz command reference

Open the maintained firmware wiki for SubGHz mode commands, CC1101 setup, scan, sweep, receive, trace, record, load and ear workflows.

Open SubGHz command reference

SPI protocol overview

CC1101 uses SPI for the radio module link, so SPI wiring checks are useful before debugging radio behavior.

Open SPI debugging guide

USB adapter overview

Use the USB adapter page when the Raw CDC path is a better fit than the interactive CLI.

Open USB adapter guide

ESP32 Bit Pirate GitHub

Check firmware source, issues and releases that affect Sub-GHz support.

Open GitHub repository

Sub-GHz debugging FAQ

Short answers for common questions before moving into a detailed workflow.

Can ESP32 Bit Pirate work with CC1101 Sub-GHz modules?

Yes. SubGHz mode is built around an external CC1101 module connected through SPI plus the required GDO signal, with common ground and board-specific GPIO configuration.

Can ESP32 Bit Pirate find active Sub-GHz frequencies?

Yes. SubGHz scan, sweep and waterfall workflows help locate RSSI peaks before moving to receive, trace, record, ear or file-based workflows.

Can ESP32 Bit Pirate use Flipper-style .sub files?

Yes. The firmware can use LittleFS file workflows for compatible SubGHz .sub files so captured or prepared signals can be loaded for controlled lab tests.