Hardware

Pwn2Roll: Who Needs a 595€ Remote When You Have wheelchair.py?

A 595€ wheelchair remote that sends a handful of Bluetooth commands. A 99.99€ app feature that does exactly what the 595€ hardware does. A speed upgrade from 6 to 8.5 km/h locked behind a 99.99€ paywall - because apparently catching the bus is a premium feature. Welcome to the wonderful world of DRM in assistive devices, where already expensive basic mobility costs extra and comes with in-app purchases! And because hackers gonna hack, this just could not be left alone.
This talk depicts the reverse engineering of a popular electric wheelchair drive system: a several thousand euro assistive device that treats mobility like a SaaS subscription. Through Android app reverse engineering, proprietary Bluetooth protocol analysis, hours of staring at hex dumps (instead of the void), and good old-fashioned packet sniffing, we'll expose how manufacturers artificially limit essential features and monetize basic human mobility.

What you'll learn:

- how a 22-character QR code sticker, labeled as "Cyber Security Key", becomes AES encryption
- why your 6000€ wheelchair drive includes an app with Google Play Billing integration for features the hardware already supports
- the internals, possibilities and features of electronics worth 30€ cosplaying as a 599€ medical device
- the technical implementation of the "pay 99€ or stay slow" speed limiter (6 km/h vs 8.5 km/h)
- how nearly 2000€ in hardware and app features can be replaced by a few hundred lines of Python
- why the 8000€ even more premium (self-driving) variant is literally identical hardware with a different Boolean flag and firmware plus another (pricier) remote

We'll cover the complete methodology: from initial reconnaissance, sniffing and decrypting packets to reverse-engineer the proprietary communication protocol, to PoCs of Python replacements, tools, techniques, and ethical considerations of reverse engineering medical devices. This is a story about artificial scarcity, exploitative DRM, ethics and industry power, and how hacker-minded creatures should react and act to this.

Additional information

Live Stream https://streaming.media.ccc.de/39c3/zero
Type Talk
Language English

More sessions

12/27/25
Hardware
Kauz
Fuse
OpenAutoLab, an open source machine capable of processing contemporary color and black-and-white films for analogue photography, is presented here. It made its first public appearance at 37C3 and was already seen there in action, but had no organized talk or proper presentation. Now it is better documented and is waiting to be built by more people and further developed by the community. This talk is about motivation behind developing OpenAutoLab and about the technical decisions ...
12/27/25
Hardware
Harald "LaF0rge" Welte
Zero
Like 39C3, the last CCC camp (2023) and congress (38C3) have seen volunteer-driven deployments of legacy ISDN and POTS networks using a mixture of actual legacy telephone tech and custom open source software. This talk explains how this is achieved, and why this work plays an important role in preserving parts of our digital communications heritage.
12/27/25
Hardware
Kliment
One
Building electronics has never been easier, cheaper, or more accessible than the last few years. It's also becoming a precious skill in a world where commercially made electronics are the latest victim of enshittification and vibe coding. And yet, while removing technical and financial barriers to building things, we've not come as far as we should have in removing social barriers. The electronics and engineering industry and the cultures around them are hostile to newcomers and self-taught ...
12/27/25
Hardware
Michael Weiner
Zero
This project transforms a classic rotary phone into a mobile device. Previous talks have analyzed various aspects of analogue phone technology, such as rotary pulse detection or ringing voltage generation. Now this project helps you get rid of the cable: it equips the classic German FeTAp 611 with battery power and a flyback SMPS based ringing voltage generator - but still maintains the classical look and feel. The talk demonstrates the journey of bridging analog and digital worlds, explaining ...
12/27/25
Hardware
Antonio Vázquez Blanco (Antón)
One
Despite how widely used the ESP32 is, its Bluetooth stack remains closed source. Let’s dive into the low-level workings of a proprietary Bluetooth peripheral. Whether you are interested in reverse engineering, Bluetooth security, or just enjoy poking at undocumented hardware, this talk may inspire you to dig deeper.
12/27/25
Hardware
Oliver Ettlin
Ground
With PTP 1588, AES67, and SMPTE 2110, we can transmit synchronous audio and video with sub-millisecond latency over the asynchronous medium Ethernet. But how do you make hundreds of devices agree on the exact same nanosecond on a medium that was never meant to care about time? Precision Time Protocol (IEEE 1588) tries to do just that. It's the invisible backbone of realtime media standards like AES67 and SMPTE 2110, proprietary technologies such as Dante, and even critical systems powering ...
12/27/25
Hardware
One
Almost everyone has a household appliance at home, whether it's a washing machine, dishwasher, or dryer. Despite their ubiquity, little is publicly documented about how these devices actually work or how their internal components communicate. This talk takes a closer look at proprietary bus systems, hidden diagnostic interfaces, and approaches to cloud-less integration of appliances from two well-known manufacturers into modern home automation systems.