Reverse-Engineering The Bluetooth Fichero Thermal Label Printer Protocol

March 9, 2026 by Maya Posch 15 Comments

It’s hard to deny that label printers have become more accessible than ever, but an annoying aspect of many of these cheap units is that their only user interface is a proprietary smartphone app connected via Bluetooth. The Fichero-branded label printer that [0xMH] obtained for a mere 10 Euro at a store in the Netherlands was much the same, with an associated app that doesn’t just bind it to smartphones, but also requires no fewer than 26 permissions. Obviously this required some reverse-engineering of the BLE protocol.

The fruits of this reverse-engineering effort can be found in the GitHub repository, with the most interesting part probably being that this Fichero is just one of many relabeling of generic label printers, this one being an AiYin D11, by Xiamen Printer Future Technology. This means that other iterations of this D11 will work exactly the same, as they all use the same ‘LuckPrinter’ SDK.

[0xMH] provides a Web GUI to talk with a local D11 printer, though you can also use the Python scripts, or of course implement the protocol using your favorite language and frameworks, so that you can finally control a cheap label printer from a PC or even BLE-equipped MCU like the software gods intended.

Thanks to [T-ice] for the tip.

Hackaday Links: January 18, 2026

January 18, 2026 by Tom Nardi 7 Comments

Looking for a unique vacation spot? Have at least $10 million USD burning a hole in your pocket? If so, then you’re just the sort of customer the rather suspiciously named “GRU Space” is looking for. They’re currently taking non-refundable $1,000 deposits from individuals looking to stay at their currently non-existent hotel on the lunar surface. They don’t expect you’ll be able to check in until at least the early 2030s, and the $1K doesn’t actually guarantee you’ll be selected as one of the guests who will be required to cough up the final eight-figure ticket price before liftoff, but at least admission into the history books is free with your stay.

Mars One living units under regolith — This never happened.

The whole idea reminds us of Mars One, which promised to send the first group of colonists to the Red Planet by 2024. They went bankrupt in 2019 after collecting ~$100 deposits from more than 4,000 applicants, and we probably don’t have to tell you that they never actually shot anyone into space. Admittedly, the Moon is a far more attainable goal, and the commercial space industry has made enormous strides in the decade since Mars One started taking applications. But we’re still not holding our breath that GRU Space will be leaving any mints on pillows at one-sixth gravity.

Speaking of something which actually does have a chance of reaching the Moon on time — on Saturday, NASA rolled out the massive Space Launch System (SLS) rocket that will carry a crew of four towards our nearest celestial neighbor during the Artemis II mission. There’s still plenty of prep work to do, including a dress rehearsal that’s set to take place in the next couple of weeks, but we’re getting very close. Artemis II won’t actually land on the Moon, instead performing a lunar flyby, but it will still be the first time we’ve sent humans beyond Low Earth Orbit (LEO) since Apollo 17 in 1972. We can’t wait for some 4K Earthrise video.

Continue reading “Hackaday Links: January 18, 2026” →

39C3: Liberating ESP32 Bluetooth

December 30, 2025 by Elliot Williams 6 Comments

Bluetooth is everywhere, but it’s hard to inspect. Most of the magic is done inside a Bluetooth controller chip, accessed only through a controller-specific Host-Controller Interface (HCI) protocol, and almost everything your code does with Bluetooth passes through a binary library that speaks the right HCI dialect. Reverse engineering these libraries can get us a lot more control of and information about what’s going on over the radio link.

That’s [Anton]’s motivation and goal in this reversing and documentation project, which he describes for us in this great talk at this year’s Chaos Communication Congress. In the end, [Anton] gets enough transparency about the internal workings of the Bluetooth binaries to transmit and receive data. He stops short of writing his own BT stack, but suggests that it would be possible, but maybe more work than one person should undertake.

So what does this get us? Low-level control of the BT controller in a popular platform like the ESP32 that can do both classic and low-energy Bluetooth should help a lot with security research into Bluetooth in general. He figured out how to send arbitrary packets, for instance, which should allow someone to write a BT fuzzing tool. Unfortunately, there is a sequence ID that prevents his work from turning the controller into a fully promiscuous BT monitor, but still there’s a lot of new ground exposed here.

If any of this sounds interesting to you, you’ll find his write-up, register descriptions, and more in the GitHub repository. This isn’t a plug-and-play Bluetooth tool yet, but this is the kind of groundwork on a popular chip that we expect will enable future hacking, and we salute [Anton] for shining some light into one of the most ubiquitous and yet intransparent corners of everyday tech.

Old FM Radio Upcycled Into Classy Bluetooth Speaker

December 23, 2025 by Lewin Day 27 Comments

[Distracted by Design] loves gear from the 1980s, though some of it isn’t as useful as it used to be. He happened across a cheap old FM radio with a great look, but wanted to repurpose it into something more modern. Thus, he set about turning this cheap piece of old electronics into a stylish Bluetooth speaker.

All of the original electronics were stripped out, while the original speaker was kept since it neatly fit the case. Electronically, the build relies on a Bluetooth module harvested from an existing speaker. 3D-printed bracketry was used to fasten it neatly into place inside the radio housing, with the buttons neatly presented where the original radio had its tone and volume controls. Power is via an internal lithium-ion battery, charged over USB-C thanks to an off-the-shelf charging module.

Where the build really shines, though, is the detailing. The original cheap plastic handle was replaced with a CNC-machined wooden piece, bolted on with machined aluminium side plates. Similarly, the original clear plastic tuning window was replaced with another tasteful piece of wood that dropped perfectly into place. At the back, the charge port is nicely integrated. Where the radio formerly had a removable door for the power cable storage, it now has a machined aluminium plate hosting the USB-C charge port. Little 3D-printed button actuators were also used to integrate the Bluetooth module’s controls into the case.

It’s a very stylish build, overall. Perhaps the one area it’s a let down is in the sound quality. The ancient speaker simply doesn’t sound great compared to modern Bluetooth speakers and their finely-tuned, bassy audio. However, this isn’t necessarily a bad thing—sometimes it’s nice to have an audio source with a limited frequency response. It can be nice for use in an area where you may want to be able to easily speak over the music.

If you want to build a Bluetooth speaker of your own, you might like to whip up an open-source design from scratch. Video after the break.

Continue reading “Old FM Radio Upcycled Into Classy Bluetooth Speaker” →

Liberating AirPods With Bluetooth Spoofing

December 12, 2025 by Aaron Beckendorf 18 Comments

Apple’s AirPods can pair with their competitors’ devices and work as basic Bluetooth earbuds, but to no one’s surprise most of their really interesting features are reserved for Apple devices. What is surprising, though, is that simple Bluetooth device ID spoofing unlocks these features, a fact which [Kavish Devar] took advantage of to write LibrePods, an AirPods controller app for Android and Linux.

In particular, LibrePods lets you control noise reduction modes, use ear detection to pause and unpause audio, detect head gestures, reduce volume when the AirPods detect you’re speaking, work as configurable hearing aids, connect to two devices simultaneously, and configure a few other settings. The app needs an audiogram to let them work as hearing aids, and you’ll need an existing audiogram – creating an audiogram requires too much precision. Of particular interest to hackers, the app has a debug mode to send raw Bluetooth packets to the AirPods. Unfortunately, a bug in the Android Bluetooth stack means that LibrePods requires root on most devices.

This isn’t the first time we’ve seen a hack enable hearing aid functionality without official Apple approval. However, while we have some people alter the hardware, AirPorts can’t really be called hacker- or repair-friendly.

Thanks to [spiralbrain] for the tip!

Another Thermal Printer, Conquered

November 11, 2025 by Jenny List 15 Comments

The arrival of cheap thermal printer mechanisms over the last few years has led to a burst of printer hacking in our community, and we’re sure many of you will like us have one knocking around somewhere. There are a variety of different models on the market, and since they often appear in discount stores we frequently see new ones requiring their own reverse engineering effort. [Mel] has done some work on just such a model, the Core Innovation CTP-500, which can be found at Walmart.

The write-up is a tale of Bluetooth reverse engineering as much as it is one about the device itself, as he sniffs the protocol it uses, and finds inspiration from the work of others on similar peripherals. The resulting Python app can be found in his GitHub repository, and includes a TK GUI for ease of use. We like this work and since there’s an analogous printer from a European store sitting on the Hackaday bench as we write this, it’s likely we’ll be giving it a very close look.

Meanwhile if [Mel] sounds a little familiar it might be because of their print-in-place PCB holder we featured recently.

Simple Device Can Freeze Wi-Fi Camera Feeds

November 1, 2025 by Lewin Day 149 Comments

Wi-Fi cameras are everywhere these days, with wireless networking making surveillance systems easier to deploy than ever. [CiferTech] has been recently developing the RF Clown—a tool that can block transmissions from these cameras at some range.

The build is based around an ESP32, with three tactile switches and an OLED display for the user interface. The microcontroller is hooked up to a trio of GT—24 Mini radio modules, which feed a bank of antennas on top of the device. Depending on the mode the device is set to, it will command these modules to jam Bluetooth, BLE, or Wi-Fi traffic in the area with relatively crude transmissions.

The use of multiple radio modules isn’t particularly sophisticated—it just makes it easier to put out more signal on more bands at the same time, flooding the zone and making it less likely legitimate transmissions will get through. Specifically, [CiferTech] demonstrates the use case of taking out a Wi-Fi camera—with the device switched on, the video feed freezes because packets from the camera simply stop making it through.

It’s perhaps impolite to interfere with the operation of somebody else’s cameras, so keep that in mind before you pursue a project like this one. Files are on GitHub for the curious. Video after the break.

Continue reading “Simple Device Can Freeze Wi-Fi Camera Feeds” →