A discarded disposable vape pen, with its 24 MHz microcontroller and a few kilobytes of memory, now runs a live web server—and the hack is far more than a clever stunt. Engineer Bogdan Ionescu’s project, published online as BogdanTheGeek, slices through the disposable electronics debate like a hot soldering iron: if millions of such devices end up in landfills each week while still packing usable compute and rechargeable batteries, what does that tell us about design, waste, and hidden potential?

Ionescu disassembled a common single-use vape, identified the onboard PUYA/PY32 chip as a Cortex-M0+ part with approximately 24 KB of flash and 3 KB of SRAM, and turned its USB port into a SLIP-based network interface. On top, he layered the ancient but resource-savvy uIP 0.9 TCP/IP stack to serve a simple HTTP page—all from the chip’s own flash storage. The result is a bare-metal web server that, after optimization, can serve a page in around 160 milliseconds.

This article unpacks the technical wizardry, the sobering environmental backdrop, and the broader implications for security, policy, and the maker community.

The Hardware: What’s Inside a Throwaway Vape?

Modern disposable e-cigarettes are not mere heating elements; they are compact embedded systems. To regulate power, count puffs, show battery status, and handle USB charging, manufacturers pack in 32-bit microcontrollers. Ionescu’s tear-down revealed a chip marked PUYA C642F15, which cross-references to the PY32F002B series—an ARM Cortex-M0+ core running at up to 24 MHz.

The specs are minuscule by today’s standards, but they match exactly what the PY32 family datasheets promise: 24 KB of flash storage, about 3 KB of SRAM, and a UART, SPI, I²C, and USB interface. That USB interface proved crucial: the vape’s charge port doubles as a serial communication channel, providing a toehold for reprogramming without expensive tools.

Inside the plastic shell, Ionescu also found a lithium-ion battery that, according to research from the University of Oxford and the Faraday Institution, can often withstand more than 450 full charge-discharge cycles. Despite being sold as “single-use,” the energy cell inside is drastically underutilized. This waste of both compute and energy forms the core of the environmental argument.

Building the Network Stack: SLIP, uIP, and Sheer Ingenuity

Most low-end microcontrollers lack Ethernet or Wi-Fi, so Ionescu employed the Serial Line Internet Protocol (SLIP). Dating back to the early internet, SLIP wraps IP packets over a serial byte stream. By routing the MCU’s UART through the USB-to-serial converter already present on the vape board, the device presented itself as a network interface to a host computer.

On the host side, standard Linux tools like slattach and socat bound the serial link to a network interface, assigning an IP address and enabling TCP/IP traffic to flow. The result is essentially a 56K modem link—slow, but entirely functional for low-throughput services.

For the software side, Ionescu turned to uIP 0.9, an ultra-compact TCP/IP stack designed for memory-constrained embedded systems. uIP uses a minimal event loop and requires only a few kilobytes of RAM. Its HTTP server example provided a starting point; Ionescu adapted the code to store a static web page in the chip’s remaining flash and serve it upon request.

The initial performance, however, was abysmal. Pings took around 1.5 seconds with 50% packet loss, and a simple page load exceeded 20 seconds. The culprit? Naïve, byte-by-byte serial I/O that choked the tiny CPU with per-character overhead. By introducing a ring buffer and batching writes, Ionescu slashed overhead dramatically. Post-optimization, ping round-trip times dropped to around 20 milliseconds, and the page loaded in roughly 160 ms under light load. The device still cannot handle multiple concurrent requests—the single-threaded event loop and tiny memory see to that—but it works capably as a demonstration.

Ionescu published the full source code, inviting anyone with a discarded vape and some microcontroller experience to replicate the build. A live instance of the server, though throttled by its inherent limits, remains accessible for curious visitors.

Environmental Tsunami: The Scale of Disposable Vape Waste

The hack lands in the middle of a surging policy debate. A widely cited 2023 study estimated that 1.3 million disposable vapes are chucked away each week in the United Kingdom alone. Extrapolate that globally, and the numbers become staggering. Each discarded unit contains a lithium-ion cell, a programmable microcontroller, a display, wiring, and a plastic casing—most of which ends up in landfills or incinerators.

Lithium cells from these devices pose dual risks: they can leach toxic metals into soil and water, and if crushed in waste-processing machinery, they can ignite and cause landfill fires. Even when sent through formal recycling streams, the extraction of these small, soldered cells is labour-intensive and rarely profitable. The result is an accelerating e-waste stream that existing infrastructure is ill-equipped to handle.

Yet, as Ionescu’s work demonstrates, the components inside are far from dead. The batteries retain most of their capacity; the microcontrollers are still programmable. Reuse, even at a hobbyist scale, offers a tiny corrective—extracting additional value before final disposal.

Security and Safety: Not a Trivial Hack

Anyone inspired to crack open a used vape should approach with caution. The safety warnings are real, and they go beyond software.

Physical hazards: Residual e-liquid is sticky, corrosive, and potentially toxic. Batteries can short-circuit if handled carelessly, leading to fires or chemical burns. Proper personal protective equipment, a clean work area, and knowledge of lithium-ion handling are prerequisites. Dented or corroded cells should never be reused.

Network security: A device with a bare-bones TCP/IP stack should never be exposed directly to the open internet. The uIP stack, while robust for its age, was not built to withstand modern adversarial traffic. Buffer overruns, packet injection, or simple denial-of-service attacks could crash the server or, in a worst-case scenario, be leveraged to pivot into an attached network. Ionescu advises development on isolated networks, using host-side tools to carefully bridge traffic.

Firmware risks: Reflashing unknown silicon with code downloaded from the internet carries its own dangers. Without proper verification, a precompiled binary could contain malicious payloads. Developers should audit any third-party code before flashing, and consider enabling lock bits to prevent accidental overwrites.

Ethical dimensions: Some discarded vapes may contain traces of controlled substances, raising legal and ethical questions. Also, promoting reuse should not inadvertently normalize scavenging as a substitute for producer responsibility. The goal is to highlight the absurdity of disposable electronics, not to excuse the industry’s throwaway business model.

What This Means for Industry and Policy

Ionescu’s project is a potent illustration of the principle that “waste” is a design choice. If manufacturers exposed standardized programming headers, used removable, rechargeable batteries, and labelled chips more transparently, the repurposing potential would skyrocket. Current designs, optimized for cost and one-time use, deliberately obscure the very hackability that could extend product life.

Regulatory winds are shifting. The European Union is advancing right-to-repair legislation and battery recycling mandates. Some jurisdictions, including Scotland and parts of Australia, are moving to ban single-use vapes altogether. These measures aim to curb the influx at the source, forcing manufacturers to adopt more sustainable designs or face market exclusion. Maker tinkering, while admirable, cannot substitute for systemic policy intervention—but it can supply the vivid narratives that drive public awareness.

For the Curious Maker: A Getting-Started Guide

If the vape-to-server idea has you reaching for a discarded device, here is a condensed, safety-first pathway:

  1. Source safely: Collect a used vape from a known source, wearing gloves. Discharge the battery fully if possible, and check for leaks or swelling.
  2. Disassemble gently: Most casings snap apart. Identify the chip and USB test points. Document everything.
  3. Establish communication: Use a USB-to-serial adapter to connect to the chip’s UART lines. Tools like OpenOCD and an SWD interface may be needed for flashing, depending on the part.
  4. Port uIP and SLIP: Adapt existing uIP examples to your specific MCU. Implement a ring buffer for serial sends to avoid the initial performance cliff.
  5. Attach the network: On a Linux host, use slattach to bring up a sl0 interface, and configure IP forwarding if you want the device reachable from your LAN—but keep it off the public internet.
  6. Serve a page: Store a minimal HTML file in flash, map a URL handler in uIP’s HTTP server callback, and test locally.
  7. Iterate: Monitor stability, adjust buffer sizes, and consider adding a simple watchdog timer.

Ionescu’s public repository includes build instructions and the tweaks that made the difference between a laughably slow proof-of-concept and a usable, if fragile, web server.

Broader Lessons for the Embedded World

This hack is a masterclass in constrained computing, echoing lessons from the early internet era. It proves that with disciplined software engineering—event-driven loops, tight buffer management, and protocol economy—even the humblest silicon can participate in modern networks. SLIP and uIP, technologies from the 1980s and 1990s, are still relevant teaching tools for IoT developers who must often squeeze functionality into kilobyte-scale footprints.

For the cybersecurity community, the demonstration is a double-edged sword. It shows how easily a tiny, covert network endpoint can be hidden inside a piece of everyday trash. The same techniques that power a playful vape server could be repurposed to build stealthy embedded implants for espionage or sabotage. Defenders must consider that throwaway consumer devices might become vectors if reprogrammable chips are not properly secured.

The Big Picture

The vape web server is more than a weekend curiosity. It is a sharp critique of today’s throwaway culture, delivered in code and silicon. Ionescu’s work throws into relief the disjoint between the sophisticated engineering inside a $5 disposable and its designated lifespan of a few hundred puffs. While hobbyist reuse provides a glimmer of redemption, it cannot match the scale of the problem. True progress demands that manufacturers design for repair, reuse, and recycling from the outset—and that governments enforce those standards.

In the meantime, every reflashed vape that serves an HTTP page instead of gathering rust in a landfill is a small, defiant act of technical creativity. It’s a reminder that the most compelling environmental messages sometimes arrive not in white papers, but through a blinking LED and a serial terminal prompt.