Hacking An Actual WiFi Toothbrush With An ESP32-C3

Following on the heels of a fortunately not real DDoS botnet composed of electric toothbrushes, [Aaron Christophel] got his hands on a sort-of-electric toothbrush which could totally be exploited for this purpose.

Evowera Planck Mini will never gonna give you up, never let you down. (Credit: Aaron Christophel)

The Evowera Planck Mini which he got is the smaller, children-oriented version of the Planck O1 (a more regular electric toothbrush). Both have a 0.96″ color LC display, but the O1 only has Bluetooth and requires a smartphone app. Meanwhile the Mini uses a pressure sensor for the brush along with motion sensors to keep track of the child’s teeth brushing efforts and to provide incentives.

The WiFi feature of the Mini appears to be for both firmware updates as well as to allow parents to monitor the brushing reports of their offspring in the associated smartphone app. With this feature provided by the ESP32-C3 SoC inside the device, the question was how secure it is.

As it turns out, not very secure, with [Aaron] covering the exploit in a Twitter thread. As exploits go, it’s pretty straightforward: the toothbrush tries to connect to a default WiFi network (SSID evowera, pass 12345678), tries to acquire new firmware, and flashes this when found without any fuss. [Aaron] made sure to figure out the pin-out on the PCB inside the device as well, opening up new avenues for future hacking.

We’re great fans of [Aaron] and his efforts to breathe new life into gadgets through firmware hacking. His replacement firmware for the Xiaomi LYWSD03MMC Bluetooth thermometer is one of the best we’ve seen.


This Week In Security: Broken Shims, LassPass, And Toothbrushes?

Linux has a shim problem. Which naturally leads to a reasonable question: What’s a shim, and why do we need it? The answer: Making Linux work with Secure Boot, and an unintended quirk of the GPLv3.

Secure Boot is the verification scheme in modern machines that guarantees that only a trusted OS can boot. When Secure Boot was first introduced, many Linux fans suggested it was little more than an attempt to keep Linux distros off of consumers’ machines. That fear seems to have been unwarranted, as Microsoft has dutifully kept the Linux Shim signed, so we can all run Linux distros on our Secure Boot machines.

So the shim. It’s essentially a first-stage bootloader that can boot a signed GRUB2 or other target. You might ask, why can’t we just ask Microsoft to sign GRUB2 directly? And that’s where the GPLv3 comes in. That license has an “anti-tivoization” section, which specifies “Installation Information” as part of what must be provided as part of GPLv3 compliance. And Microsoft’s legal team understands that requirement to apply to even this signing process. And it would totally defeat the point of Secure Boot to release the keys, so no GPLv3 code gets signed. Instead, we get the shim.

Now that we understand the shim, let’s cover how it’s broken. The most serious vulnerability is a buffer overflow in the HTTP file transfer code. The buffer is allocated based on the size in the HTTP header, but a malicious HTTP server can set that value incorrectly, and the shim code would happily write the real HTTP contents past the end of that buffer, leading to arbitrary code execution. You might ask, why in the world does the shim have HTTP code in it at all? The simple answer is to support UEFI HTTP Boot, a replacement for PXE boot.
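The bug class described above, shown as an added C example that is not shim's code: a receive loop whose buffer is sized from the header's claimed length and whose writes are bounded by that same length. The names `struct response`, `receive_body` and the status values are hypothetical, and the network receive is simulated with an in-memory body delivered in chunks.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an HTTP response (not shim's data structures). */
struct response {
    size_t claimed_len;   /* size announced in the HTTP header */
    const uint8_t *body;  /* bytes the server really sends */
    size_t body_len;
    size_t chunk;         /* bytes delivered per receive call */
};

enum recv_status { RECV_OK = 0, RECV_TOO_LONG = -1, RECV_SHORT = -2, RECV_NOMEM = -3 };

/* Buffer is sized from the header, so every write must be bounded by it. */
enum recv_status receive_body(const struct response *r, uint8_t **out, size_t *out_len)
{
    size_t written = 0, off = 0;
    size_t step = r->chunk ? r->chunk : r->body_len;
    uint8_t *buf = malloc(r->claimed_len ? r->claimed_len : 1);
    *out = NULL; *out_len = 0;
    if (!buf) return RECV_NOMEM;
    while (off < r->body_len) {
        size_t n = r->body_len - off;
        if (n > step) n = step;
        /* The flawed pattern copies n bytes here without this check. */
        if (n > r->claimed_len - written) {
            free(buf);
            return RECV_TOO_LONG;
        }
        memcpy(buf + written, r->body + off, n);
        written += n; off += n;
    }
    if (written != r->claimed_len) {  /* server sent less than announced */
        free(buf);
        return RECV_SHORT;
    }
    *out = buf; *out_len = written;
    return RECV_OK;
}

int main(void)
{
    static const uint8_t data[16] = {0};  /* constructed sample body */
    struct response lying = { 8, data, sizeof data, 5 };  /* header says 8, sends 16 */
    uint8_t *out; size_t len;
    return receive_body(&lying, &out, &len) == RECV_TOO_LONG ? 0 : 1;
}
```

Rejecting the transfer as soon as the received total would exceed the allocation keeps the header value from ever being trusted as a write bound.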

The good news is that this vulnerability can only be triggered when using HTTP boot, and only by connecting to a malicious server or via a man-in-the-middle attack. With this in mind, it’s odd that this vulnerability is rated a 9.8. Specifically, it seems incorrect that this bug is rated low complexity, or a general network attack vector. In Red Hat’s own write-up of the vulnerability, they argue that the exploitation is high complexity, and is only possible from an adjacent network. There were a handful of lesser vulnerabilities found, and these were all fixed with shim 15.8.

It’s A Sander! No, It’s A Toothbrush! Relax, Relax, It’s Both

We always enjoy a project that transforms some common object into something useful for us. [Modelkitsdeluxe] fits the bill by modifying a power toothbrush into a miniature sander. If you want to practice your Spanish, you can watch the video below. Or you can try the automatically translated captions.

As you can guess from the user name, he is mainly interested in working with small models, but it struck us that this might also be useful for general 3D printing. Honestly, once you have the idea, there isn’t much to it. You mutilate a brush head that fits the toothbrush to accept a small sanding disk.

There are probably a dozen ways to attach your sandpaper or emery cloth to the head. [Modelkitsdeluxe] used double-sided tape and Velcro. While we applaud the upcycling, we’ll probably stick with a hobby tool. Our toothbrush makes an annoying buzz every 30 seconds or so to remind you to move to another part of your mouth. That doesn’t seem like a great feature when doing precision sanding. On the other hand, you could probably yank the controller out of the toothbrush and use it for the motor, drive, and batteries to avoid that.

If you want to tackle that, here’s something to get you started. If sanding doesn’t turn your crank, maybe you can try turning your deadbolt.


Sniffing Passwords, Rickrolling Toothbrushes

If you could dump the flash from your smart toothbrush and reverse engineer it, enabling you to play whatever you wanted on the vibrating motor, what would you do? Of course there’s no question: you’d never give up, or let down. Or at least that’s what [Aaron Christophel] did. (Videos, embedded below.)

But that’s just the victory lap. The race began with previous work by [Cyrill Künzi], who figured out that the NFC chip inside was used for a run-time counter, and managed to reset it by sniffing the password with an SDR as it was being transmitted. A great hack to be sure, but it only works for people with their own SDR setup.

With the goal of popularizing toothbrush-head-NFC-hacking, [Aaron] busted open the toothbrush itself, found the debug pins, dumped the flash, and got to reverse engineering. A pass through Ghidra got him to where the toothbrush reads the NFC tag ID from the toothbrush head. But how does it get from the ID to the password? It turns out that it runs a CRC on a device UID from the NFC tag itself and also a manufacturer’s string found in the NFC memory, and scramble-combines the two CRC values.

Sounds complicated, but the NFC UID can be read with a cellphone app, and the manufacturer’s string is also printed right on the toothbrush head itself for your convenience. Armed with these two numbers, you can calculate the password, and convince your toothbrush head that it’s brand new, all from the comfort of your smartphone! Isn’t technology grand?

We’re left guessing a little bit about the Rickroll hack, but we’d guess that once [Aaron] had the debug pins on the toothbrush’s microcontroller, he just couldn’t resist writing and flashing in a custom firmware. Talk about dedication.

[Aaron] has been doing extensive work on e-paper displays, but his recent work on the Sumup payment terminal is a sweet look at hacking into higher security devices with acupuncture needles.


Toothbrush Speed Controller Secrets Revealed

Typically, when we want to build something with a DC motor, we might grab a bunch of AAs, or a single lithium cell at the very least. Electric toothbrushes often run on more humble power sources, like a single NiMH battery. They’re designed to get useful motion out of just 1.2V, and [Marian Hryntsiv] has taken a look at what makes them tick.

The article focuses on an electric toothbrush built around the Low Voltage GreenPAK™ SLG47513 chip. It’s designed to work at voltages from just 1 to 1.65 V. To make the most of the limited power available, the toothbrush stays in sleep mode most of the time when it’s not working in oral health.

[Marian] steps through the various parts of the circuit, and also explains the unique functionality baked into the brush. Of particular interest are the timer routines that guide the user through brushing each section of the mouth in turn, before a notification that tells them that 2 minutes of brushing time has elapsed. There’s also a useful explanation of the inductive charging method used.

Electric toothbrushes may be mundane home items today, but they’re an example of a product that has largely already been optimized to the nth degree. Until laser-based plaque removal or enamel regeneration technology gets off the ground, this is as good as it gets. We can dream, though!

Making A Toothbrush From Scratch, Right Down To The Bristles

Most of us probably get by with a toothbrush costing a couple dollars at most, made of injection-moulded plastic for delicate, tender mouths. Maybe if you’re a real cleantooth, you have a fancy buzzy electric one. We’d wager few are machining their own bespoke toothbrushes from scratch, but if you want some inspiration, [W&M Levsha] is doing just that.

Much of the work will be familiar to die-hard machining enthusiasts. There’s careful crafting of the wood handle, involving a stackup of multiple stained and varnished woods – in this case, hornbeam being the paler of the two, and amaranth providing that rich red color. The stem is a stylish stainless steel piece, elegantly bent to a tasteful curve. Finally, the assembly of the brush head alone is worth the watch. It’s custom made – with a steel backing plate and fishing wire bristles custom cut with an automated jig using stepper motors. We suspect fishing wire is not rated for dental use, but the nylon strands are at least in the ballpark of what regular toothbrushes use.

While we probably wouldn’t slide this one betwixt our lips without consulting a dental professional first, it’s a great video for learning about what it takes to make beautiful bespoke objects in the workshop. We’ve seen elegant work from [W&M Levsha] before, too – in the form of a delightfully eclectic cap gun lighter. Video after the break.


[Joe Grand’s] Toothbrush Plays Music That Doesn’t Suck

It’s not too exciting that [Joe Grand] has a toothbrush that plays music inside your head. That’s actually a trick that the manufacturer pulled off. It’s that [Joe] gave his toothbrush an SD card slot for music that doesn’t suck.

The victim donor hardware for this project is a toothbrush meant for kids called Tooth Tunes. They’ve been around for years, but unless you’re a kid (or a parent of one) you’ve never heard of them. That’s because they generally play the saccharine sounds of Hannah Montana and the Jonas Brothers which make adults choose cavities over dental health. However, we’re inclined to brush the enamel right off of our teeth if we can listen to The Amp Hour, Embedded FM, or the Spark Gap while doing so. Yes, we’re advocating for a bone-conducting, podcasting toothbrush.

[Joe’s] hack starts by cracking open the neck of the brush to cut the wires going to a transducer behind the brushes (his first attempt is ugly but the final process is clean and minimal). This allows him to pull out the guts from the sealed battery compartment in the handle. In true [Grand] fashion he rolled a replacement PCB that fits in the original footprint, adding an SD card and replacing the original microcontroller with an ATtiny85. He goes the extra mile of making this hack a polished work by also designing in an On/Off controller (MAX16054) which delivers the tiny standby current needed to prevent the batteries from going flat in the medicine cabinet.

Check out his video showcasing the hack below. You don’t get an audio demo because you have to press the thing against the bones in your skull to hear it. The OEM meant for this to press against your teeth, but now we want to play with them for our own hacks. Baseball cap headphones via bone conduction? Maybe.

Update: [Joe] wrote in to tell us he published a demonstration of the audio. It uses a metal box as a sounding chamber in place of the bones in our head.
