The Alpitronic HYC50 Hardware Teardown for Pwn2Own Automotive 2026

As we ramp up to the premier automotive and charging station hacking competition, Pwn2Own Automotive 2026 in Tokyo, the Trend Micro Zero Day Initiative (ZDI) is providing a preliminary look at one of the main targets: the Alpitronic HYC50 High-Power Charger. The HYC50 series represents the leading edge of fast-charging infrastructure, blending complex high-voltage power electronics with a robust, networked digital control system. For Pwn2Own contestants, the digital attack surface is often the most accessible path to a top-tier bounty. This post serves as a hardware identification primer, guiding researchers through the core components that make up the device’s control and low-voltage sections.

Participants in Pwn2Own Automotive 2026 will be provided with a modified hardware setup to simplify the research process. This setup isolates the low-voltage control and digital boards from the high-voltage power stack, allowing for safer and more focused analysis. This case contains the primary application processor, communication interfaces (Ethernet, CAN), and critical memory components that govern the charger’s operation, payment, and network connectivity. Additionally, you will find the touchscreen and NFC interfaces readily accessible on the front of the case.

The central brain of the Alpitronic HYC50 is the main digital control board. This PCB is responsible for managing the charger’s state machine, handling OCPP (Open Charge Point Protocol) communication, managing user authentication, and orchestrating the power modules. The main application processor and its memories reside on a customized System On a Module (SOM) that attaches to the main board via a 200 pin SO-DIMM header. The DCB features several key components of interest to security researchers: Two PLC units provide communication to the vehicle. The RED Beet E 1.1 devices are utilized for this purpose. These are alternately known as SECC (Supply Equipment Communication Controllers). Two RJ45 Ethernet interfaces reside on the board. As these are located near a maintenance access hatch on the enclosure, the interfaces are intended to be used by installers and technicians to access the management interface of the charger. An STM32G0B1 is utilized on the DCB, likely for real-time control of the charging process. The high-density connectors near the SOM interface the other boards of the system. This includes the touch screen LCD and the SIM card communications board. There is a 4-pin unpopulated header on the DCB near the SOM socket. Silkscreen reads “CON_SOM_UART”, suggesting a console port. Its operational status is unknown.

The main processing components of the charger reside on a 208-pin module that is plugged into the DCB. The module is custom, however it is heavily based on the VAR-SOM-6UL design produced by Variscite. It is a variant that contains an eMMC device but appears to be lacking the Wi-Fi devices that a standard VAR-SOM-6UL is advertised with. The custom SOM features several key components of interest to security researchers: The primary processor, an i.MX6 (MCIMX6G2AVM07 AB). This runs the operating system (likely embedded Linux or a RTOS) and the core application code. Soldered DDR memory adjacent to the i.MX6 on the top side. Part number reads K4B4G1646E-BMMA, which translates to a 512MB DDR3L device. A surface-mounted eMMC Flash chip sits on the back side.

To read the complete article see: thezdi.com :link: