{"guid":"4435af8f-b96a-5593-be42-47a04ba5f47e","title":"Pwn2Roll: Who Needs a 595€ Remote When You Have wheelchair.py?","subtitle":null,"slug":"39c3-pwn2roll-who-needs-a-599-remote-when-you-have-wheelchair-py","link":"https://events.ccc.de/congress/2025/hub/event/detail/pwn2roll-who-needs-a-599-remote-when-you-have-wheelchair-py","description":"A 595€ wheelchair remote that sends a handful of Bluetooth commands. A 99.99€ app feature that does exactly what the 595€ hardware does. A speed upgrade from 6 to 8.5 km/h locked behind a 99.99€ paywall - because apparently catching the bus is a premium feature.\n\nWelcome to the wonderful world of DRM in assistive devices, where already expensive basic mobility costs extra and comes with in-app purchases! And because hackers gonna hack, this just could not be left alone.\n\nThis talk depicts the reverse engineering of a popular electric wheelchair drive system - the Alber e-motion M25: a several thousand euro assistive device that treats mobility like a SaaS subscription. Through Android app reverse engineering, proprietary Bluetooth protocol analysis, hours of staring at hex dumps (instead of the void), and good old-fashioned packet sniffing, we'll expose how manufacturers artificially limit essential features and monetize basic human mobility.\n\nWhat you'll learn:\n\n- how a 22-character QR code sticker, labeled as \"Cyber Security Key\", becomes AES encryption\n- why your 6000€ wheelchair drive includes an app with Google Play Billing integration for features the hardware already supports\n- the internals, possibilities and features of electronics worth 30€ cosplaying as a 595€ medical device\n- the technical implementation of the \"pay 99.99€ or stay slow\" speed limiter (6 km/h vs 8.5 km/h)\n- how nearly 2000€ in hardware and app features can be replaced by a few hundred lines of Python\n- why the 8000€ even more premium (self-driving) variant is literally identical hardware with a different Boolean flag and firmware plus another (pricier) remote\n\nWe'll cover the complete methodology: from initial reconnaissance, sniffing and decrypting packets to reverse-engineer the proprietary communication protocol, to PoCs of Python replacements, tools, techniques, and ethical considerations of reverse engineering medical devices.\n\nThis is a story about artificial scarcity, exploitative DRM, ethics and industry power, and how hacker-minded creatures should react and act to this.\n\nThis talk will be simultaneously interpretated into German sign language (Deutsche Gebärdensprache aka. DGS).\n\nLicensed to the public under http://creativecommons.org/licenses/by/4.0","original_language":"eng","persons":["elfy"],"tags":["2188","2025","39c3","Hardware","Zero","39c3-eng","Day 1"],"view_count":30062,"promoted":false,"date":"2025-12-27T17:15:00.000+01:00","release_date":"2025-12-29T00:00:00.000+01:00","updated_at":"2026-04-09T23:45:06.185+02:00","length":3405,"duration":3405,"thumb_url":"https://static.media.ccc.de/media/congress/2025/2188-4435af8f-b96a-5593-be42-47a04ba5f47e.jpg","poster_url":"https://static.media.ccc.de/media/congress/2025/2188-4435af8f-b96a-5593-be42-47a04ba5f47e_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2025/2188-4435af8f-b96a-5593-be42-47a04ba5f47e.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2025/2188-4435af8f-b96a-5593-be42-47a04ba5f47e.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/39c3-pwn2roll-who-needs-a-599-remote-when-you-have-wheelchair-py","url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_title":"39C3: Power Cycles","conference_url":"https://api.media.ccc.de/public/conferences/39c3","related":[],"recordings":[{"size":565,"length":3405,"mime_type":"video/webm;codecs=av01","language":"eng","filename":"39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_av1-hd.webm","state":"new","folder":"av1-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-29T14:59:53.021+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/av1-hd/39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_av1-hd.webm","url":"https://api.media.ccc.de/public/recordings/94729","event_url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":null,"length":null,"mime_type":"text/vtt","language":"eng","filename":"2188-4435af8f-b96a-5593-be42-47a04ba5f47e-eng.vtt","state":"auto","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2025-12-30T03:11:39.563+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/2188-4435af8f-b96a-5593-be42-47a04ba5f47e-eng.vtt","url":"https://api.media.ccc.de/public/recordings/95378","event_url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":51,"length":3405,"mime_type":"audio/mpeg","language":"eng","filename":"39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-29T15:00:35.112+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/mp3/39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/94734","event_url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":35,"length":3405,"mime_type":"audio/opus","language":"eng","filename":"39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-29T15:00:30.569+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/opus/39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_opus.opus","url":"https://api.media.ccc.de/public/recordings/94733","event_url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":168,"length":3405,"mime_type":"video/webm","language":"eng","filename":"39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-12-29T15:00:26.374+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/webm-sd/39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/94732","event_url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":201,"length":3405,"mime_type":"video/mp4","language":"eng","filename":"39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-12-29T15:00:19.794+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-sd/39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_sd.mp4","url":"https://api.media.ccc.de/public/recordings/94731","event_url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":784,"length":3405,"mime_type":"video/webm","language":"eng","filename":"39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-29T15:00:12.352+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/webm-hd/39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/94730","event_url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":1172,"length":3405,"mime_type":"video/mp4","language":"eng","filename":"39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-29T13:51:58.007+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-hd/39c3-2188-eng-Pwn2Roll_Who_Needs_a_595_Remote_When_You_Have_wheelchairpy_hd.mp4","url":"https://api.media.ccc.de/public/recordings/94709","event_url":"https://api.media.ccc.de/public/events/4435af8f-b96a-5593-be42-47a04ba5f47e","conference_url":"https://api.media.ccc.de/public/conferences/39c3"}]}