Following the trend of stuffing more electronics in everyday devices, the new Philips Sonicare electric toothbrush that [Cyrill Künzi] purchased ended up having a ‘brush head replacement reminder’ feature that wasn’t simply a timer in the handle or base of the unit, but ended up involving an NFC chip embedded in every single brush head containing the usage timer for that particular head. Naturally, this asked for it to be solidly reverse-engineered and hacked.
The NFC chip inside the brush head turned out to be an NXP NTAG213, with the head happily communicating with the NFC reader in a smartphone and the NFC Tools app. This also revealed the memory layout and a few sections that had write access protected by a password, one of which was likely to be the counter. This turned out to be address 0x24, with a few experiments showing the 32-bit value at this address counting the seconds the brush head had been used.
Naturally, with this memory address password protected, the next step was to sniff the password using an SDR sniffer setup. After passing the resulting raw data with a gnuradio script through a lowpass filter, the resulting WAV file was decoded with the NFC-laboratory tool, allowing the traffic to be analyzed for clues. What this revealed was that the password is being passed as plaintext in the NFC data stream, making it a snap to use it to reset the counter to zero or any other desired value.
During this process, [Cyrill] came across a few gotchas, including that you only get three attempts to guess the password before the NFC chip permanently refuses new authentication attempts, and the password is unique with each brush head as it’s generated from the NFC chip’s 7-byte UID, per the NXP datasheet. Fortunately, it appears that this system is only being used as a complex reminder system, and you can still use an ‘expired’ head, but it does turn spent brush heads into e-waste, which is less ideal.