reverse engineering

422 Articles

39C3: Hacking Washing Machines

December 29, 2025 by 18 Comments

Many of us have them, few of us really hack on them: well, here we’re talking about large home appliances. [Severin von Wnuck-Lipinski] and [Hajo Noerenberg] were both working on washing machines, found each other, and formed a glorious cooperation that ended in the unholy union of German super-brands Miele and B/S/H — a Miele washer remote controlled by Siemens’ web app.

This talk, given at the 39th Chaos Communication Congress (39C3), is about much more than the stunt hack, however. In fact, we covered [Severin]’s work on the very clever, but proprietary, Miele Diagnostic Interface a little while ago. But now, he’s got it fully integrated into his home automation system. It’s a great hack, and you can implement it without even opening the box.

About halfway through the talk, [Hajo] takes over, dissecting the internal D-Bus communication protocol. Here, you have to open up the box, but then you get easy access to everything about the internal state of the machine. And D-Bus seems to be used in a wide range of B/S/H/ home appliances, so this overview should give you footing for your own experimentation on coffee machines or dishwashers as well. Of course, he wires up an ESP32 to the bus, and connects everything, at the lowest level, to his home automation system, but he also went the extra mile and wrote up a software stack to support it.

It’s a great talk, with equal parts humor and heroic hacking. If you’re thinking about expanding out your own home automation setup, or are even just curious about what goes on inside those machines these days, you should absolutely give it a watch.

Editor Note: The “S” is Siemens, which is Hackaday’s parent company’s parent company. Needless to say, they had nothing to do with this work or our reporting on it.

Liberating AirPods With Bluetooth Spoofing

December 12, 2025 by 18 Comments

Apple’s AirPods can pair with their competitors’ devices and work as basic Bluetooth earbuds, but to no one’s surprise most of their really interesting features are reserved for Apple devices. What is surprising, though, is that simple Bluetooth device ID spoofing unlocks these features, a fact which [Kavish Devar] took advantage of to write LibrePods, an AirPods controller app for Android and Linux.

In particular, LibrePods lets you control noise reduction modes, use ear detection to pause and unpause audio, detect head gestures, reduce volume when the AirPods detect you’re speaking, work as configurable hearing aids, connect to two devices simultaneously, and configure a few other settings. The app needs an audiogram to let them work as hearing aids, and you’ll need an existing audiogram – creating an audiogram requires too much precision. Of particular interest to hackers, the app has a debug mode to send raw Bluetooth packets to the AirPods. Unfortunately, a bug in the Android Bluetooth stack means that LibrePods requires root on most devices.

This isn’t the first time we’ve seen a hack enable hearing aid functionality without official Apple approval. However, while we have some people alter the hardware, AirPorts can’t really be called hacker- or repair-friendly.

Thanks to [spiralbrain] for the tip!

Reverse Engineering The Miele Diagnostic Interface

November 17, 2025 by 22 Comments

The infrared transceiver installed on the washing machine. (Credit: Severin)
The infrared transceiver installed on the washing machine. (Credit: Severin)

Since modern household appliances now have an MCU inside, they often have a diagnostic interface and — sometimes — more. Case in point: Miele washing machines, like the one that [Severin] recently fixed, leading to the firmware becoming unhappy and refusing to work. This fortunately turned out to be recoverable by clearing the MCU’s fault memory, but if you’re unlucky, you will have to recalibrate the machine, which requires very special and proprietary software.

Naturally, this led [Severin] down the path of investigating how exactly the Miele Diagnostic Utility (MDU) and the Program Correction (PC) interface communicate. Interestingly, the PC interface uses an infrared LED/receiver combination that’s often combined with a status LED, as indicated by a ‘PC’ symbol. This interface uses the well-known IrDA standard, but [Severin] still had to track down the serial protocol.

Continue reading “Reverse Engineering The Miele Diagnostic Interface”

Another Thermal Printer, Conquered

November 11, 2025 by 15 Comments

The arrival of cheap thermal printer mechanisms over the last few years has led to a burst of printer hacking in our community, and we’re sure many of you will like us have one knocking around somewhere. There are a variety of different models on the market, and since they often appear in discount stores we frequently see new ones requiring their own reverse engineering effort. [Mel] has done some work on just such a model, the Core Innovation CTP-500, which can be found at Walmart.

The write-up is a tale of Bluetooth reverse engineering as much as it is one about the device itself, as he sniffs the protocol it uses, and finds inspiration from the work of others on similar peripherals. The resulting Python app can be found in his GitHub repository, and includes a TK GUI for ease of use. We like this work and since there’s an analogous printer from a European store sitting on the Hackaday bench as we write this, it’s likely we’ll be giving it a very close look.

Meanwhile if [Mel] sounds a little familiar it might be because of their print-in-place PCB holder we featured recently.

LLM Dialogue In Animal Crossing Actually Works Very Well

September 30, 2025 by 8 Comments

In the original Animal Crossing from 2001, players are able to interact with a huge cast of quirky characters, all with different interests and personalities. But after you’ve played the game for awhile, the scripted interactions can become a bit monotonous. Seeing an opportunity to improve the experience, [josh] decided to put a Large Language Model (LLM) in charge of these interactions. Now when the player chats with other characters in the game, the dialogue is a lot more engaging, relevant, and sometimes just plain funny.

How does one go about hooking a modern LLM into a 24-year-old game built for an entirely offline console? [josh]’s clever approach required a lot of poking about, and did a good job of leveraging some of the game’s built-in features for a seamless result.

Continue reading “LLM Dialogue In Animal Crossing Actually Works Very Well”

Hosting A Website On A Disposable Vape

September 15, 2025 by 55 Comments

For the past years people have been collecting disposable vapes primarily for their lithium-ion batteries, but as these disposable vapes have begun to incorporate more elaborate electronics, these too have become an interesting target for reusability. To prove the point of how capable these electronics have become, [BogdanTheGeek] decided to turn one of these vapes into a webserver, appropriately called the vapeserver.

While tearing apart some of the fancier adult pacifiers, [Bogdan] discovered that a number of them feature Puya MCUs, which is a name that some of our esteemed readers may recognize from ‘cheapest MCU’ articles. The target vape has a Puya PY32F002B MCU, which comes with a Cortex-M0+ core at 24 MHz, 3 kB SRAM and 24 kB of Flash. All of which now counts as ‘disposable’ in 2025, it would appear.

Even with a fairly perky MCU, running a webserver with these specs would seem to be a fool’s errand. Getting around the limited hardware involved using the uIP TCP/IP stack, and using SLIP (Serial Line Internet Protocol), along with semihosting to create a serial device that the OS can use like one would a modem and create a visible IP address with the webserver.

The URL to the vapeserver is contained in the article and on the GitHub project page, but out of respect for not melting it down with an unintended DDoS, it isn’t linked here. You are of course totally free to replicate the effort on a disposable adult pacifier of your choice, or other compatible MCU.

Using An MCU’s Own Debug Peripheral To Defeat Bootrom Protection

September 10, 2025 by 2 Comments

The patient hooked up for some reverse-engineering. (Credit: Caralynx, Twitter)
The patient hooked up for some reverse-engineering. (Credit: Caralynx, Twitter)

Released in July of 2025, the Tamagotchi Paradise may look somewhat like the late 90s toy that terrorized parents and teachers alike for years, but it’s significantly more complex and powerful hardware-wise. This has led many to dig into its ARM Cortex-M3-powered guts, including [Yukai Li] who recently tripped over a hidden section in the bootrom of the dual-core Sonix SNC73410 MCU that makes up most of the smarts inside this new Tamagotchi toy.

Interestingly, [Yukai] did see that the visible part of the bootrom image calls into the addresses that make up the hidden part right in the reset handler, which suggests that after reset this hidden bootrom section is accessible, just not when trying to read it via e.g. SWD as the hiding occurs before the SWD interface becomes active. This led [Yukai] to look at a way to make this ROM section not hidden by using the Cortex-M3’s standard Flash Patch and Breakpoint (FPB) unit. This approach is covered in the project’s source file.

With this code running, the FPB successfully unset the responsible ROM hide bit in the OSC_CTRL register, allowing the full bootrom to be dumped via SWD and thus defeating this copy protection with relatively little effort.

Heading image: PCB and other components of a torn-down Tamagotchi Paradise. (Credit: Tamagotchi Center)