Sniffing Passwords, Rickrolling Toothbrushes

If you could dump the flash from your smart toothbrush and reverse engineer it, enabling you to play whatever you wanted on the vibrating motor, what would you do? Of course there’s no question: you’d never give up, or let down. Or at least that’s what [Aaron Christophel] did. (Videos, embedded below.)

But that’s just the victory lap. The race began with previous work by [Cyrill Künzi], who figured out that the NFC chip inside was used for a run-time counter, and managed to reset it by sniffing the password with an SDR as it was being transmitted. A great hack to be sure, but it only works for people with their own SDR setup.

With the goal of popularizing toothbrush-head-NFC-hacking, [Aaron] busted open the toothbrush itself, found the debug pins, dumped the flash, and got to reverse engineering. A pass through Ghidra got him to the point where the toothbrush reads the NFC tag ID from the toothbrush head. But how does it get from the ID to the password? It turns out that the firmware computes one CRC over the device UID of the NFC tag itself and another over a manufacturer’s string found in the NFC memory, then scramble-combines the two CRC values.

Sounds complicated, but the NFC UID can be read with a cellphone app, and the manufacturer’s string is also printed right on the toothbrush head itself for your convenience. Armed with these two numbers, you can calculate the password, and convince your toothbrush head that it’s brand new, all from the comfort of your smartphone! Isn’t technology grand?

We’re left guessing a little bit about the Rickroll hack, but we’d guess that once [Aaron] had the debug pins on the toothbrush’s microcontroller, he just couldn’t resist writing and flashing in a custom firmware. Talk about dedication.

[Aaron] has been doing extensive work on e-paper displays, but his recent work on the Sumup payment terminal is a sweet look at hacking into higher security devices with acupuncture needles.

14 thoughts on “Sniffing Passwords, Rickrolling Toothbrushes”

  1. Being employed by P&G I would say that is not a toothbrush I would put in my mouth.

    And the ion brushes have IPS LED displays among other things and are way more fun to hack and play around with.

      1. P&G make cheap copies of this brush, which isn’t so much overpriced as the replaceable brushes are _insanely_ overpriced. You can get a knockoff with 3 heads for the price of one replacement head.

        I doubt they sell many anymore. The Chinese knockoffs are even cheaper and just as good.

      2. I think it’s because P&G owns Oral B, the other electric toothbrush manufacturer, so he wouldn’t recommend a Philips model.
        I used both (Oral B and Philips) and I stick to the Dutch.

        1. I have used Oral B toothbrushes for at least 20 years and I’m pretty satisfied: no failures, and the battery lasts, I would say, about 5/6 years. I believe that not leaving the recharging base powered 24h/day but only recharging about once a week, when only 1 charge light is remaining, probably extends the lifetime of the battery.
          Besides that, I decided to try the Philips HC3806 cordless Power Flosser 3000 and bought one 6 months ago. I was pretty satisfied with it… until it suddenly stopped working: the motor turns on for half a second and stops with all LEDs blinking. This failure is not described in the manual. And when trying to connect the charger, the LEDs blink quite erratically, so I believe this is something related to the power circuitry. Some other people on the Internet are complaining about the same problem.
          So for a first experience with Philips, it is rather deceptive!

          1. I had something similar with my beard trimmer. Wouldn’t turn on, weird flashing lights. I thought it was broken and contacted the manufacturer, turns out it has a travel mode so it doesn’t accidentally turn on in your bag or luggage. Felt like an idiot, I had never heard of such a thing.

          2. I have an Oral B that is about 10 years old and is now on its third (or fourth – I forget) battery. It is pretty simple to swap them out and the rest of the device is very durable. I think what will finally kill it is actually the rubber on the handle wearing off.

    1. Or half sarcasm tags, because I was torn between how cool it is to be able to flash custom songs into toothbrushes, and how dystopic it is that the toothbrush heads have NFC in ’em.

      I think this state of limbo is where Hackaday resides. :)

      But I had so much fun writing “toothbrush”, “NFC”, and “Ghidra” in the same paragraph that I just had to comment on it.

  2. I worked on this toothbrush. Sonicare is located in Bothell, Washington for the curious. For a going away present for one of our co-workers, I recorded everyone on our team saying “goodbye”, and played it through the motor with some custom firmware.
