Hacking my “smart” toothbrush – The Twenty Percent

2023-05-30 13:30:31

After buying a new Philips Sonicare toothbrush I was surprised to see that it reacts to the insertion of a brush head by blinking an LED.
A quick online search reveals that the head communicates with the toothbrush handle to remind you when it’s time to buy a new one.

From the Philips product page: seems to be REALLY smart!

Reverse Engineering

Looking at the base of the head reveals that it contains an antenna and a tiny black box that is presumably an IC.
The next hint can be found in the manual, where it says: “Radio Equipment in this product operates at 13.56 MHz”, which would indicate that it’s an NFC tag.
And indeed, when holding the brush head to my phone it opens a link to a product page:

Brush head


Using the NFC Tools app we can learn a lot about this tag:

  • It’s an NTAG213
  • It uses NfcA
  • It’s password protected
  • We can see the link to the Philips webpage

Also using NFC Tools, the memory and the memory access conditions can be read:

Address  Data         Type                    Access
0x00     04:EC:FC:9C  UID0-UID2/BCC0          Read-Only
0x01     A2:94:10:90  UID3-UID6               Read-Only
0x02     B6:48:FF:FF  BCC1/INT./LOCK0-LOCK1   Read-Only
0x03     E1:10:12:00  OTP0-OTP3               Read-Only
0x04     03:20:D1:01  DATA                    Read-Only
0x05     1C:55:02:70  DATA                    Read-Only
0x06     68:69:6C:69  DATA                    Read-Only
0x07     70:73:2E:63  DATA                    Read-Only
0x08     6F:6D:2F:6E  DATA                    Read-Only
0x09     66:63:62:72  DATA                    Read-Only
0x0A     75:73:68:68  DATA                    Read-Only
0x0B     65:61:64:74  DATA                    Read-Only
0x0C     61:70:FE:00  DATA                    Read-Only
0x0D…    00:00:00:00  DATA                    Read-Only
0x1F     00:01:07:00  DATA                    Readable, write protected by PW
0x20     00:00:00:02  DATA                    Read-Only
0x21     60:54:32:32  DATA                    Read-Only
0x22     31:32:31:34  DATA                    Read-Only
0x23     20:31:32:4B  DATA                    Read-Only
0x24     B3:02:02:00  DATA                    Readable, write protected by PW
0x25     00:00:00:00  DATA                    Readable, write protected by PW
0x26     00:00:00:00  DATA                    Readable, write protected by PW
0x27     00:00:00:01  DATA                    Readable, write protected by PW
0x28     00:03:30:BD  LOCK2-LOCK4             Readable, write protected by PW
0x29     04:00:00:10  CFG 0                   Read-Only
0x2A     43:00:00:00  CFG 1                   Read-Only
0x2B     00:00:00:00  PWD0-PWD3               Write-Only
0x2C     00:00:00:00  PACK0-PACK1             Write-Only

I repeated this process for one black and two white W DiamondClean brush heads and found the following:

  • Address 0x00-0x02 contains a unique ID and its checksum
  • Address 0x04-0x0C contains the link to the Philips store
  • Address 0x22 is 31:32:31:34 for black and 31:31:31:31 for white heads respectively
  • Address 0x24 contains the total brush time
  • All other readable data is identical between all heads

Decoding the stored time

Let’s do an experiment to see what changes happen to the tag when using the toothbrush:

  1. Read the tag
    • When reading a new brush head that has never been in contact with the handle, the data at addr. 0x24 is 00:00:02:00.
    • Simply attaching it to the handle (without brushing) changes nothing
  2. Brush for a while
    • In this case, I let the toothbrush run for 5s
  3. Read the tag again
    • The data at addr. 0x24 is now 05:00:02:00
  4. Note the difference
    • Looks like addr. 0x24 stores the number of seconds that the brush head was in use

When the brush is used for more than 255s, this counter rolls over into the second byte (02:01:02:00 -> 258s), i.e. it is a little-endian 16-bit value.
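To make the memory layout findings and the timer encoding concrete, here is an added example (not code from the original post) that decodes the NTAG213 dump shown in the Reverse Engineering section: it checks the two ISO 14443-3 block check bytes (BCC0 is 0x88 XOR UID0..UID2, BCC1 is UID3 XOR ... XOR UID6, per the NTAG213 datasheet), reassembles the 7-byte UID, walks the NDEF TLV to recover the Philips URL, and reads the little-endian counter at page 0x24. The NDEF URI prefix table comes from the NFC Forum URI record type and is not part of the post.

```python
# Added example: decode the NTAG213 memory dump printed in the post.
# Page contents are constructed from that table (4 bytes per page);
# pages not listed default to 00:00:00:00.
DUMP_HEX = {
    0x00: "04:EC:FC:9C", 0x01: "A2:94:10:90", 0x02: "B6:48:FF:FF", 0x03: "E1:10:12:00",
    0x04: "03:20:D1:01", 0x05: "1C:55:02:70", 0x06: "68:69:6C:69", 0x07: "70:73:2E:63",
    0x08: "6F:6D:2F:6E", 0x09: "66:63:62:72", 0x0A: "75:73:68:68", 0x0B: "65:61:64:74",
    0x0C: "61:70:FE:00", 0x24: "B3:02:02:00",
}
PAGES = {p: bytes.fromhex(v.replace(":", "")) for p, v in DUMP_HEX.items()}

# NDEF URI record prefix codes (NFC Forum URI RTD); only the common ones.
URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
              0x03: "http://", 0x04: "https://"}

def page(n):
    return PAGES.get(n, b"\x00\x00\x00\x00")

def uid_and_checks():
    """7-byte UID plus whether both block check bytes (BCC0/BCC1) are consistent."""
    p0, p1, p2 = page(0x00), page(0x01), page(0x02)
    uid = p0[:3] + p1                                    # UID0-UID2, then UID3-UID6
    bcc0_ok = (0x88 ^ p0[0] ^ p0[1] ^ p0[2]) == p0[3]   # 0x88 = cascade tag byte
    bcc1_ok = (p1[0] ^ p1[1] ^ p1[2] ^ p1[3]) == p2[0]
    return uid, bcc0_ok and bcc1_ok

def ndef_url():
    """Walk the TLV starting at page 0x04: 03 <len> <NDEF record> ... FE."""
    data = b"".join(page(n) for n in range(0x04, 0x10))
    if data[0] != 0x03:
        raise ValueError("no NDEF message TLV at page 0x04")
    record = data[2:2 + data[1]]          # D1 01 <payload len> 55 <prefix> <uri chars>
    if record[3] != 0x55:
        raise ValueError("not a URI record")
    payload = record[4:4 + record[2]]
    return URI_PREFIX[payload[0]] + payload[1:].decode("ascii")

def brush_seconds(page_24):
    """Only the first two bytes of page 0x24 count, little-endian (02:01 -> 258 s)."""
    return int.from_bytes(page_24[:2], "little")

def summary():
    uid, ok = uid_and_checks()
    return {"uid": ":".join(f"{b:02X}" for b in uid), "checksums_ok": ok,
            "url": ndef_url(), "seconds_used": brush_seconds(page(0x24))}

if __name__ == "__main__":
    print(summary())
```

For this dump the UID comes out as 04:EC:FC:A2:94:10:90, which is the second head in the UID/password table at the end of the post, and the counter reads 691 seconds.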

Trying to overwrite the stored time is unfortunately unsuccessful, as this memory address is password protected.

Sniffing the password

Luckily it turns out that the required password is sent in plain text! So all I need to do is sniff the communication between the toothbrush and the head.
After digging out my HackRF software defined radio and some trial and error, I came up with the following workflow.

Record RF signal

When opening gqrx and tuning it to 13.736 MHz while holding the toothbrush close to the antenna, it is visible that the head gets polled several times a second. It’s a welcome surprise that my simple monopole antenna picks up a signal that is strong enough for this purpose. You can download the related gqrx configuration file here.

While brushing, the NFC polling takes a short pause and the first burst of packets that follows updates the time counter.
With the ability of gqrx to make I/Q recordings, we can capture the RF signals carrying the password like this:

  1. Turn on the toothbrush
  2. Start recording
  3. Turn off the toothbrush
  4. Stop the recording

The first packets in the file should now contain the password in plain text.

Convert recording

Before this raw I/Q file can be decoded it needs to be converted into a slightly different format that the decoding program can read.
I created a small gnuradio companion script that applies a lowpass filter and converts the data into a WAV file with two channels that contain the real and imaginary parts of the complex signal.
Make sure to substitute the correct paths in the source/sink blocks and check the sampling frequency (I used 2MHz).
You can download the script here.
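The same conversion the flowgraph performs, as an added example that is not the post’s script: it reads a raw gqrx I/Q capture (interleaved little-endian float32 I/Q pairs, which is what gqrx writes), applies a lowpass, and writes a 2-channel 16-bit WAV with the real part on channel 0 and the imaginary part on channel 1. The moving-average filter and the peak-based int16 scaling are assumptions standing in for the flowgraph’s filter and type-conversion blocks; demo() builds a constructed on/off-keyed burst so it runs offline.

```python
# Added example (not the post's gnuradio flowgraph): raw gqrx I/Q -> stereo WAV
# (channel 0 = real, channel 1 = imaginary) with a crude moving-average lowpass.
import array, os, tempfile, wave

SAMPLE_RATE = 2_000_000  # the post recorded at 2 MHz

def read_iq(path):
    """Return the recording as a list of complex samples (float32 I,Q,I,Q,...)."""
    with open(path, "rb") as f:
        floats = array.array("f", f.read())
    return [complex(floats[i], floats[i + 1]) for i in range(0, len(floats) - 1, 2)]

def boxcar_lowpass(samples, taps):
    """Moving average over `taps` samples: a simple FIR lowpass (assumption)."""
    out, window, acc = [], [], 0j
    for s in samples:
        window.append(s)
        acc += s
        if len(window) > taps:
            acc -= window.pop(0)
        out.append(acc / len(window))
    return out

def write_stereo_wav(path, samples, rate=SAMPLE_RATE):
    """Scale by the peak so the loudest sample maps to +/-32767 in either channel."""
    peak = max((max(abs(s.real), abs(s.imag)) for s in samples), default=1.0) or 1.0
    frames = array.array("h")
    for s in samples:
        frames.append(int(round(32767 * s.real / peak)))
        frames.append(int(round(32767 * s.imag / peak)))
    with wave.open(path, "wb") as w:
        w.setparams((2, 2, rate, 0, "NONE", "NONE"))  # 2 channels, 16-bit, PCM
        w.writeframes(frames.tobytes())

def convert(src, dst, taps=8):
    """Convert src (raw I/Q) to dst (WAV); return (channels, rate, frames) written."""
    write_stereo_wav(dst, boxcar_lowpass(read_iq(src), taps))
    with wave.open(dst, "rb") as w:
        return w.getnchannels(), w.getframerate(), w.getnframes()

def demo(n_samples=4000):
    raw = array.array("f")
    for i in range(n_samples):   # constructed input: keyed carrier burst in silence
        on = 1000 <= i < 3000 and (i // 50) % 2 == 0
        raw.extend([1.0 if on else 0.0, 0.5 if on else 0.0])
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "gqrx.raw"), os.path.join(d, "out.wav")
        with open(src, "wb") as f:
            f.write(raw.tobytes())
        return convert(src, dst)
```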

Decode recording

Decoded traffic

I found the right tool for this task, called NFC-laboratory.
After opening the newly created WAV file, it should look something like the picture above. In this case, the recording is only good enough to see the communication that goes from host to tag (green arrow). But to sniff the password this is sufficient.
When looking at the datasheet for the NTAG213, we can see what is happening:

  • Line #0-#6: communication is established with the tag’s unique ID
  • Line #7: The toothbrush sends the password (command 0x1B = PWD_AUTH)
  • Line #9: The time counter is updated to the new value (command 0xA2 = WRITE)
  • All lines below are repeated polling without password authentication or writing anything

So the password for this brush head is 67:B3:8B:98 (underlined in the picture).

Writing to the brush

With the password successfully obtained, it is now possible to set the counter on the brush head to anything we want by sending the relevant bytes over NFC.
NFC Tools comes to the rescue again:


  1. Go to Other -> Advanced NFC commands
  2. Set the I/O Class to NfcA
  3. Set the data to 1B:67:B3:8B:98,A2:24:00:00:02:00
  4. Enjoy a factory-new brush head (at least as far as the time counter is concerned)

Here is the breakdown of the command in step 3:

Command      Explanation
67:B3:8B:98  The password
,            Package delimiter
24           To address 0x24
00:00:02:00  Timer set to 0s

Below you can see the memory of the brush head before and after the custom NFC commands:

Note how the timer at address 0x24 changes

With this, the toothbrush is now successfully hacked and we can play around with the timer as we like.

Here are some interesting observations:

  • Only the first two bytes at address 0x24 are used for timekeeping. Once the counter reaches FF:FF:02:00 it stops going up (18 hours of continuous brushing).
  • When the stored time is greater than 0x5460 the toothbrush blinks the LED to tell you to change heads. This corresponds to 21’600s -> 180 x 2min -> 3 months of brushing twice a day, which is exactly in line with Philips’ recommendation to change heads every 3 months.

Password verification protection

You might have noticed the colour of the brush head changing throughout this post. This is because I had to run out and buy a new one after getting locked out of the first one.
When having a close look at the contents of address 0x2A, which is 43:00:00:00, together with page 18 of the datasheet, we can see that the tag is configured to permanently disable all write access after three wrong password attempts (which I promptly exceeded when playing around). This means that not even the toothbrush handle itself can write to this head again.
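An added example (not the post’s code) that decodes the two configuration pages from the dump and models the lockout described above. Bit positions follow the NTAG213 datasheet: CFG0 byte 3 is AUTH0 (first page the password applies to), CFG1 byte 0 is ACCESS with bit 7 PROT, bit 6 CFGLCK and bits 2..0 AUTHLIM. PasswordGate is a model of the tag’s behaviour, not tag firmware, and assumes the failed-attempt counter resets on a successful verification.

```python
# Added example: decode NTAG213 CFG0/CFG1 from the post's dump and model AUTHLIM.
CFG0 = bytes.fromhex("04000010")   # page 0x29 as printed in the post
CFG1 = bytes.fromhex("43000000")   # page 0x2A as printed in the post

def decode_config(cfg0=CFG0, cfg1=CFG1):
    access = cfg1[0]
    return {
        "first_protected_page": cfg0[3],                      # AUTH0
        "protection": "read+write" if access & 0x80 else "write only",   # PROT
        "config_locked": bool(access & 0x40),                 # CFGLCK
        "authlim": access & 0x07,   # 0 = unlimited, 1..7 = wrong attempts before lockout
    }

class PasswordGate:
    """Model of PWD_AUTH handling: wrong attempts count up, a correct one resets
    the counter, and once the counter reaches AUTHLIM every attempt fails for good."""

    def __init__(self, password, authlim):
        self._password, self._limit, self._failures = password, authlim, 0
        self.locked = False

    def authenticate(self, candidate):
        if self.locked:
            return False
        if candidate == self._password:
            self._failures = 0
            return True
        self._failures += 1
        if self._limit and self._failures >= self._limit:
            self.locked = True                # permanent: the handle is locked out too
        return False

def replay_lockout(attempts, password=bytes.fromhex("67B38B98")):
    """Feed a sequence of PWD_AUTH attempts to the gate; return (results, locked)."""
    gate = PasswordGate(password, decode_config()["authlim"])
    return [gate.authenticate(a) for a in attempts], gate.locked
```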

Password generation

Unfortunately, the password of every brush head is unique, and this method of extracting it with an SDR is quite involved and requires special hardware.
At the bottom of page 30 in the datasheet, NXP recommends generating the password from the 7-byte UID. Below are all the UID – password pairs I obtained from my 3 heads:

UID                   Password
04:79:CF:7A:89:10:90  FF:34:CE:4C
04:EC:FC:A2:94:10:90  61:F0:A5:0F
04:D7:29:0A:94:10:90  67:B3:8B:98

All my tries to guess the one-way function for generating the passwords failed. Depending on the care that the Philips engineers took, guessing this function could be practically impossible.
But if you manage to solve this puzzle, feel free to hit me up with an E-mail.
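To illustrate why a well-designed UID-derived password is not guessable, here is an added example (not Philips’ scheme, which the post could not recover) of the keyed diversification NXP’s recommendation points at: PWD and PACK are taken from HMAC-SHA256 over the UID under a manufacturer master key. The key, the label string and the HMAC construction are assumptions; without the key, knowing the UID (which the tag hands out freely) gives no way to recompute the password.

```python
# Added example: keyed, UID-diversified PWD/PACK derivation (not Philips' actual scheme).
import hashlib
import hmac

MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed placeholder

def derive_pwd_pack(uid, master_key=MASTER_KEY):
    """Return (PWD, PACK): 4 bytes for page 0x2B and 2 bytes for page 0x2C."""
    if len(uid) != 7:
        raise ValueError("NTAG21x UID is 7 bytes")
    mac = hmac.new(master_key, b"NTAG21x-PWD" + uid, hashlib.sha256).digest()
    return mac[:4], mac[4:6]

def parse_uid(text):
    """'04:79:CF:7A:89:10:90' -> 7 bytes."""
    return bytes.fromhex(text.replace(":", ""))

# The three UIDs observed in the post; this constructed key does not reproduce
# their real passwords, it only shows the shape of a per-tag derivation.
OBSERVED_UIDS = ["04:79:CF:7A:89:10:90", "04:EC:FC:A2:94:10:90", "04:D7:29:0A:94:10:90"]

def provision_table(uids=OBSERVED_UIDS, master_key=MASTER_KEY):
    """Map each UID to the PWD it would be provisioned with under this derivation."""
    return {u: derive_pwd_pack(parse_uid(u), master_key)[0].hex().upper() for u in uids}
```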
