WheelchairDriver

[stephenc1]

10 years of R-Net reverse engineering, fully open sourced.

After a decade of research since our DEFCON 24 talk, we've released everything we know about the R-Net protocol in a new repository: open-rnet

What's in it:

Complete R-Net protocol specification — every frame, every handshake, fully documented
590+ CAN frames mapped with a searchable frame dictionary
Serial authentication algorithm cracked — XOR-based challenge/response, fully reversed
R-Net Programmer dongle protocol reversed — read/write device config memory without a $1,500 dongle
Firmware analysis — HCS08 microcontroller reverse engineering, encryption keys, memory maps
25 real-world .R-net config files parsed from 10 different chairs (V6, C500, M300, Alltrack, Pulse 6, F3, M3)
Python tools — self-programming, OBP mode, config parser, protocol utilities
27+ packet captures for your own analysis
3 confirmed control methods — FollowJSM, JSMerror, EmulateJSM

No more locked-out configs. No more begging a dealer to change your own wheelchair's speed setting.

https://github.com/redragonx/open-rnet


youtu.be/_RvVlD1TO6U

[snaker]

This is a great project. Thanks stephenc1 for sharing.

[snaker]

@stephenc1: Is it possible to use an usb-can adapter to connect a PC/laptop to a rnet power module for programming?

[snaker]

Or this industrial usb-can adapter?
https://mlab.com.vn/industrial-grade-ca ... rface-card

[Superchunk]

I've just ported this to esp32, you can just shove it in the chair with the rnet connector block and power + can from the same rnet cable with this module: https://www.waveshare.com/ESP32-S3-RS485-CAN.htm everything done over BT.

[Burgerman]

Thats great. I think its beyond me but I have a dongle and oem access already.
I will move it to the permanant anouncement bit at the top...

[stephenc1]

Thats great. I think its beyond me but I have a dongle and oem access already.
I will move it to the permanant anouncement bit at the top...

Thank you very much for this.

[stephenc1]

Or this industrial usb-can adapter?
https://mlab.com.vn/industrial-grade-ca ... rface-card

usbcan2.jpg

Certain ones might have to properly terminated with a resistor, the docs should mention this somewhere.

[Raro]

Thank you so much for sharing, stephenc1. I wouldn't know how to use it, but I'm sure some of the users here would.

[martin007]

Excellent news!

[slomobile]

I've just ported this to esp32, you can just shove it in the chair with the rnet connector block and power + can from the same rnet cable with this module: https://www.waveshare.com/ESP32-S3-RS485-CAN.htm everything done over BT.

That was fast. Ordered one. Where can I find your port?

For non coders, a "port" is when you take software written for one type of processor and compile it for a different processor.

[acid_coke]

That's really cool I hope this is real. But that suspiciously looks like it's AI generated. I won't be exited until someone actually shows that the programming etc. works.

[snaker]

No sign of any AI here. Just writing the documentation in details, stephenc1 might have spent a lot time.

[emilevirus]

No sign of any AI here. Just writing the documentation in details, stephenc1 might have spent a lot time.

The commit literally says Claude. The research isn't AI obviously but the utility scripts are.

[snaker]

That claude just helps typing faster or generating some sample code at best.

[stephenc1]

No sign of any AI here. Just writing the documentation in details, stephenc1 might have spent a lot time.

The commit literally says Claude. The research isn't AI obviously but the utility scripts are.

Yes, used AI to make the dirty scripts faster, I am more about the research.

[snaker]

@stephenc1: Does open r-net support changing the "motor output voltage" and "motor compensation" parameters?

[TheRocMachine]

10 years of R-Net reverse engineering, fully open sourced.

After a decade of research since our DEFCON 24 talk, we've released everything we know about the R-Net protocol in a new repository: open-rnet

What's in it:

Complete R-Net protocol specification — every frame, every handshake, fully documented
590+ CAN frames mapped with a searchable frame dictionary
Serial authentication algorithm cracked — XOR-based challenge/response, fully reversed
R-Net Programmer dongle protocol reversed — read/write device config memory without a $1,500 dongle
Firmware analysis — HCS08 microcontroller reverse engineering, encryption keys, memory maps
25 real-world .R-net config files parsed from 10 different chairs (V6, C500, M300, Alltrack, Pulse 6, F3, M3)
Python tools — self-programming, OBP mode, config parser, protocol utilities
27+ packet captures for your own analysis
3 confirmed control methods — FollowJSM, JSMerror, EmulateJSM

No more locked-out configs. No more begging a dealer to change your own wheelchair's speed setting.

https://github.com/redragonx/open-rnet


youtu.be/_RvVlD1TO6U

I recently got a Q200R and the speed settings are utter trash. Years ago i programmed my old chair with the great settings Burgerman recommends and i simply cannot go back to any other settings. Id like to program my new chair but im not much for computer programming. The last time i did it i received a dongle and a program i could download and then i simply had to program the chair. Would i be able to do this if i lack programming knowledge? Thank you.

[Burgerman]

Well it all looks a bit beyond me. So you probably need a dongle. (£330 approx full retail). The OEM PC software software is the easy part. PM me.

I recently got a Q200R and the speed settings are utter trash.

Its not your new char, its every single chair on the market. All chairs are like this. All can be fixed with the exception of front drive chairs. IF you have access to an OEM programmer for it. That rules out many brands in 2026.

Years ago i programmed my old chair with the great settings Burgerman recommends and i simply cannot go back to any other settings.

Because those are the ONLY ones that will ever give accurate, real time, linear proportional control. So it steers by exactly how much you tell it, exactly when you tell it, and it stops turning precisely when told too. No other settings can do that. Its like steering a car or a computer mouse.

As for the settings that I tell everyone to use, that you cant manage without, I completely agree. Only those that have never experienced this ever disagree. If I cant do that same configuration, to EVERY chair I use, then its simply no use to me. Basically dangerous.
Once tried and tested theres just no going back. Hovercraft style stock steering is frustrating and dangerous. You normally need OEM access to do this. To remove walls etc, that even allow it. With R-net you can do this with DEALER level however if you know how.