39C3

4 Articles

39C3: Liberating ESP32 Bluetooth

December 30, 2025 by 5 Comments

Bluetooth is everywhere, but it’s hard to inspect. Most of the magic is done inside a Bluetooth controller chip, accessed only through a controller-specific Host-Controller Interface (HCI) protocol, and almost everything your code does with Bluetooth passes through a binary library that speaks the right HCI dialect. Reverse engineering these libraries can get us a lot more control of and information about what’s going on over the radio link.

That’s [Anton]’s motivation and goal in this reversing and documentation project, which he describes for us in this great talk at this year’s Chaos Communication Congress. In the end, [Anton] gets enough transparency about the internal workings of the Bluetooth binaries to transmit and receive data. He stops short of writing his own BT stack, but suggests that it would be possible, but maybe more work than one person should undertake.

So what does this get us? Low-level control of the BT controller in a popular platform like the ESP32 that can do both classic and low-energy Bluetooth should help a lot with security research into Bluetooth in general. He figured out how to send arbitrary packets, for instance, which should allow someone to write a BT fuzzing tool. Unfortunately, there is a sequence ID that prevents his work from turning the controller into a fully promiscuous BT monitor, but still there’s a lot of new ground exposed here.

If any of this sounds interesting to you, you’ll find his write-up, register descriptions, and more in the GitHub repository. This isn’t a plug-and-play Bluetooth tool yet, but this is the kind of groundwork on a popular chip that we expect will enable future hacking, and we salute [Anton] for shining some light into one of the most ubiquitous and yet intransparent corners of everyday tech.

39C3: Recreating Sandstorm

December 29, 2025 by 7 Comments

Some synthesizer sounds are just catchy, but some of them are genre-defining. We think you could make that case for the Roland JP-8000 patch “Sandstorm”, which you’ve heard if you listened to any trance from the 90’s, but especially the song that was named after it.

“Sandstorm” is powered by the Roland Supersaw, and synth nerds have argued for a decade about how it’s made. The JP-8000 is a digital synthesizer, though, so it’s just code, run through custom DSP chips. If you could reverse engineer these chips, make a virtual machine, and send them the right program, you could get the sound 100% right. Think MAME but for synthesizers.

That brings us to [giulioz]’s talk at the 39th Chaos Communication Congress, where he dives deep into the custom DSP chip at the heart of the JP-8000. He and his crew had approached older digital synths by decapping and mapping out the logic, as you often do in video game emulation. Here, getting the connections right turned out to be simply too daunting, so he found a simpler device that had a test mode that, combined with knowledge of the chip architecture, helped him to figure out the undocumented DSP chip’s instruction set.

After essentially recreating the datasheet from first principles for a custom chip, [guiloz] and team could finally answer the burning question: “how does the Supersaw work”?  The horrifying answer, after all this effort, is that it’s exactly what you’d expect — seven sawtooth waves, slightly detuned, and layered over each other. Just what it sounds like.

The real end result is an emulation that’s every bit (tee-hee!) as good as the original, because it’s been checked out on a logic analyzer. But the real fun is the voyage. Go give the talk a watch.

39C3: Hacking Washing Machines

December 29, 2025 by 17 Comments

Many of us have them, few of us really hack on them: well, here we’re talking about large home appliances. [Severin von Wnuck-Lipinski] and [Hajo Noerenberg] were both working on washing machines, found each other, and formed a glorious cooperation that ended in the unholy union of German super-brands Miele and B/S/H — a Miele washer remote controlled by Siemens’ web app.

This talk, given at the 39th Chaos Communication Congress (39C3), is about much more than the stunt hack, however. In fact, we covered [Severin]’s work on the very clever, but proprietary, Miele Diagnostic Interface a little while ago. But now, he’s got it fully integrated into his home automation system. It’s a great hack, and you can implement it without even opening the box.

About halfway through the talk, [Hajo] takes over, dissecting the internal D-Bus communication protocol. Here, you have to open up the box, but then you get easy access to everything about the internal state of the machine. And D-Bus seems to be used in a wide range of B/S/H/ home appliances, so this overview should give you footing for your own experimentation on coffee machines or dishwashers as well. Of course, he wires up an ESP32 to the bus, and connects everything, at the lowest level, to his home automation system, but he also went the extra mile and wrote up a software stack to support it.

It’s a great talk, with equal parts humor and heroic hacking. If you’re thinking about expanding out your own home automation setup, or are even just curious about what goes on inside those machines these days, you should absolutely give it a watch.

Editor Note: The “S” is Siemens, which is Hackaday’s parent company’s parent company. Needless to say, they had nothing to do with this work or our reporting on it.

39C3: Hardware, And The Hard Bit

December 29, 2025 by 10 Comments

The 39th annual Chaos Communication Congress (39C3) is underway, and it kicked off with a talk that will resonate deeply with folks in the Hackaday universe. [Kliment] gave an impassioned invitation for everyone to start making hardware based on his experience both in the industry and in giving an intro-to-surface-mount workshop to maybe thousands of hackers over the years.

His main points are that the old “hardware is hard” cliche is overdone. Of course, working on a complicated high-reliability medical device isn’t child’s play, but that’s not where you start off. And getting started in hardware design and hobby-scale manufacture has never been easier or cheaper, and the open-source tooling gives you a foot in the door.

He tells the story of an attendee at a workshop who said “I kept waiting for the hard part to come, but then I was finished.”  Starting off with the right small-scale projects, learning a few techniques, and ramping up skills built on skills is the way to go. ([Kliment] is a big proponent of hand-placed hot-plate reflow soldering, and we concur.)

This is the talk that you want to show to your software friends who are hardware-curious. It’s also a plea for more experimentation, more prototyping, more hacking, and simply more people in the hardware / DIY electronics scene. Here at Hackaday, it’s maybe preaching to the choir, but sometimes it’s just nice to hear saying it all out loud.