July 6, 2026
I Spent a Weekend Digging Into the BAT-BMS E-Rickshaw Hack – Here’s the Raw Technical Breakdown
---
By GovindPratapSingh
3 min read
If you've been on the internet this past week, you've definitely seen those crazy videos—an e-rickshaw just dying in the middle of the road while some guy laughs holding a smartphone. At first, I thought it was fake or just some weird relay attack. But the more I dug into it, the more I realized this wasn't some elite hacking. It was actually shockingly simple, and honestly, that's what makes it terrifying.
So, I rolled up my sleeves, went down the rabbit hole, and did my own technical research on how the BAT-BMS app actually pulls this off. Here is the no-BS technical breakdown of exactly what is happening under the hood.
The Moment: It's All About the Battery's Brain
My first thought was, "How is a random app talking to a moving vehicle?"
Turns out, we aren't hacking the motor or the ECU (Engine Control Unit) directly. We are talking directly to the Battery Management System (BMS).
Think of the BMS as the strict bodyguard of a lithium-ion battery pack. Its main job isn't even speed or acceleration—it's safety. It constantly watches the voltage, current, and temperature. If things get too hot or the voltage drops too low, the BMS has the ultimate authority to physically cut the power to save the battery from catching fire.
Here is the kicker: Manufacturers decided to put a Bluetooth chip inside this BMS so mechanics and owners could check battery health via an app without opening the physical casing. Convenient, right? Well, convenient for us, and very convenient for the pranksters.
My Personal Research Deep-Dive on the Exploit
To understand how the shutdown happens, I traced the connectivity and the command structure. Here's the sequence I pieced together:
- The Open Bluetooth Door (No Password Required) I checked the datasheets of a few popular Chinese BMS modules that are heavily imported into India. To my shock, most of them ship with Bluetooth Low Energy (BLE) broadcasting set to 'Open'. There is no PIN, no pairing request pop-up on the driver's phone—nothing.
The BAT-BMS app doesn't "hack" the battery. It literally just scans the nearby BLE signals, finds the BMS, and says, "Hey, let me connect." And the BMS replies, "Sure, come on in."
- The 'Discharge' Toggle is the Trigger Once I downloaded the APK just to see the UI layout (without a battery nearby, obviously), I spotted the culprit immediately. It's a simple on/off toggle labeled "Discharge".
Here is the terrifyingly simple logic:
· When Discharge = ON, the BMS closes the internal relay/contactor, allowing high-voltage current to flow from the battery cells to the motor controller. The rickshaw moves. · When the attacker toggles Discharge = OFF via the app, the BMS instantly opens that relay.
- The Instant Cut-Off This is the part that blew my mind. There is no "safe shutdown" grace period. It's not like slowly releasing the accelerator. The BMS physically snaps the circuit open. The motor loses all high-voltage supply in milliseconds.
Since e-rickshaws don't have mechanical gearboxes to hold them in place, the vehicle just goes dead—usually right in the middle of traffic. The display might still be on (because the 12V DC-DC converter might still have juice), but the traction is completely gone.
Why This Works (And Why It's So Easy)
I kept asking myself: Why didn't the manufacturer lock this feature?
The answer is cost and debugging. When these BMS units are made in factories in China, engineers use these open Bluetooth connections to test battery packs on the assembly line. They need quick access to toggle the relays without opening the casing. Instead of setting unique passwords for every unit (which costs money and logistics), they just leave the authentication blank.
Because the BMS doesn't have a "whitelist" feature, any phone running the BAT-BMS app within a 10–15 meter range can act as the master controller.
My Personal Take on the Cyber-Physical Risk
Doing this research gave me chills for two reasons:
- It's not a hack; it's a feature being abused. This means there is no complex code to patch on the app side. The app is doing exactly what it was designed to do.
- The liability is huge. We are talking about a vehicle that carries families, school kids, and groceries. If this happens at 40 km/h and the auto swerves, it's a major physical accident waiting to happen—not just a "digital prank."
What I Concluded Needs to Happen
Based on my research, blaming the BAT-BMS app developers is useless—they just made a diagnostic tool. The fix has to come from the hardware side:
· Mandatory Pairing Authentication: BMS units must require a physical button press on the battery itself to authorize a new Bluetooth connection. If you can't press the button, you can't toggle the discharge. · Firmware Update (if possible): If the BMS supports OTA updates, manufacturers need to push a patch that locks the discharge toggle behind a simple 4-digit pin set during installation.
Until then, this isn't going to stop. It's a classic case of the EV industry prioritizing convenience and low-cost production over basic security hygiene.