Fail of the week: Subscription EV charger briefly becomes autonomous
aecifo


At this point in the tech dystopia cycle, it’s no surprise that the initial purchase price of a piece of technology is unlikely to be the last payment you’ll make. These days, almost everything requires an ongoing subscription to do what you paid for in the first place. It’s ridiculous, especially when all you want to do is recharge your electric motorcycle with electricity you already pay for; why on earth would you need a subscription for that?

That was (Maarten’s) question when he picked up a second-hand EVBox wall charger, which refused to charge his bike without signing up for a subscription. Granted, the subscription gave access to all kinds of cool features, none of which were needed to recharge the bike’s battery. A teardown revealed a well-built device with separate modules for AC power and battery charging, as well as a communications module with a cellular modem, obviously the part that phones home and prevents the charger from working without a subscription.

After some time spent on dead ends and a futile search for documentation, (Maarten) decided to snoop on the conversation between the charging module and the communications module, reasonably assuming that if he knew what they were saying to each other, he would be able to imitate the commands that operate the charger. He managed to do just that, reverse engineering the protocol enough to perform a simple replay attack using a Raspberry Pi. This allowed him to use the charger. Problem solved, right?

Not so fast – it’s “Fail of the week,” after all. This is where (Maarten) should have ended his day, but he decided to keep pushing just enough to snatch defeat from the jaws of victory. He discovered that the charging module’s firmware performed only limited validation of messages coming from the communications module, and since he had found only fourteen commands in the protocol, he figured he would take advantage of the firmware’s openness to explore all 256 possible commands. However, going through all the commands proved fatal for the charger, bricking the poor thing right after he had figured it all out. Ouch!
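
The weakness described above, a charging module that accepts replayed frames and applies only limited validation to incoming commands, is what default-deny validation on the receiving side guards against. The following is an added example, not code from (Maarten) or EVBox; the frame layout, command IDs and the `validate_frame` name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical frame: [cmd][seq_hi][seq_lo][len][payload...][xor checksum].
 * The layout and command IDs are constructed, not EVBox's real protocol. */
enum verdict { ACCEPT, ERR_SHORT, ERR_LENGTH, ERR_CHECKSUM,
               ERR_UNKNOWN_CMD, ERR_REPLAY };

struct cmd_spec { uint8_t id; uint8_t payload_len; };

/* Default-deny allowlist: only known commands, each with one legal length.
 * Every other byte value is rejected instead of reaching a handler. */
static const struct cmd_spec ALLOWED[] = {
    {0x01, 0},  /* constructed: status query */
    {0x02, 1},  /* constructed: start/stop charging */
    {0x03, 2},  /* constructed: set current limit */
};

static uint16_t last_seq;  /* highest sequence number accepted so far */

enum verdict validate_frame(const uint8_t *f, size_t n)
{
    if (n < 5) return ERR_SHORT;
    if ((size_t)f[3] + 5 != n) return ERR_LENGTH;  /* len must match frame size */

    uint8_t x = 0;
    for (size_t i = 0; i + 1 < n; i++) x ^= f[i];
    if (x != f[n - 1]) return ERR_CHECKSUM;

    const struct cmd_spec *spec = NULL;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (ALLOWED[i].id == f[0]) spec = &ALLOWED[i];
    if (!spec) return ERR_UNKNOWN_CMD;
    if (spec->payload_len != f[3]) return ERR_LENGTH;

    /* Freshness: a replayed capture carries an already-used sequence number.
     * This only resists a sender who can forge frames if the frame is also
     * authenticated with a keyed MAC, which is outside this example. */
    uint16_t seq = (uint16_t)((f[1] << 8) | f[2]);
    if (seq <= last_seq) return ERR_REPLAY;
    last_seq = seq;
    return ACCEPT;
}
```

The sequence number is updated only after every other check passes, so a rejected frame cannot advance the counter.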

To his credit, (Maarten) was only trying to be thorough in his exploration of the protocol, and his intention to make it easier for the next hacker is extremely commendable. That he went a byte too far is regrettable, but that is the price we sometimes pay for progress. Everything he’s done is carefully documented, so if you own one of these chargers, you have all the tools you need to make it a standalone charger. Just make sure you know when to stop.