Following the trend of stuffing more electronics into everyday devices, the new Philips Sonicare electric toothbrush that [Cyrill Künzi] purchased has a ‘brush head replacement reminder’ feature that isn’t simply a timer in the handle or base of the unit. Instead, every single brush head has an embedded NFC chip that holds the usage timer for that particular head. Naturally, this asked for it to be solidly reverse-engineered and hacked.
The NFC chip inside the brush head turned out to be an NXP NTAG213, with the head happily communicating with the NFC reader in a smartphone and the NFC Tools app. This also revealed the memory layout and a few sections that had write access protected by a password, one of which was likely to be the counter. The counter turned out to be at address 0x24, with a few experiments showing that the 32-bit value at this address counts the seconds the brush head has been used.
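The following added example, which is not from the original write-up, reads the NTAG213 configuration bytes (AUTH0 and ACCESS, laid out as in the NXP datasheet) from a raw 45-page dump and reports whether a page such as 0x24 needs the password for reads or writes. The dump contents, including the AUTH0 value, are constructed for illustration, and the function names are hypothetical.

```python
# Added example: interpret NTAG213 password-protection settings from a page dump.
# Layout per the NXP NTAG213 datasheet: 45 pages of 4 bytes (0x00-0x2C).
PAGE_SIZE = 4
LAST_PAGE = 0x2C
CFG0_PAGE = 0x29   # byte 3 = AUTH0: first page that requires the password
CFG1_PAGE = 0x2A   # byte 0 = ACCESS: PROT, CFGLCK and AUTHLIM bits


def read_page(dump: bytes, page_no: int) -> bytes:
    if len(dump) != (LAST_PAGE + 1) * PAGE_SIZE:
        raise ValueError("expected a full 180-byte NTAG213 dump")
    if not 0 <= page_no <= LAST_PAGE:
        raise ValueError("page number out of range")
    return dump[page_no * PAGE_SIZE:(page_no + 1) * PAGE_SIZE]


def protection_settings(dump: bytes) -> dict:
    auth0 = read_page(dump, CFG0_PAGE)[3]
    access = read_page(dump, CFG1_PAGE)[0]
    return {
        "auth0": auth0,
        "enabled": auth0 <= LAST_PAGE,          # AUTH0 past the last page disables protection
        "read_protected": bool(access & 0x80),  # PROT: 0 = writes only, 1 = reads and writes
        "config_locked": bool(access & 0x40),   # CFGLCK: configuration pages frozen
        "authlim": access & 0x07,               # 0 = no limit on failed password attempts
    }


def needs_password(dump: bytes, page_no: int, op: str) -> bool:
    if op not in ("read", "write"):
        raise ValueError("op must be 'read' or 'write'")
    cfg = protection_settings(dump)
    if not cfg["enabled"] or page_no < cfg["auth0"]:
        return False
    return op == "write" or cfg["read_protected"]


def constructed_dump(auth0: int = 0x21, access: int = 0x00) -> bytes:
    """Constructed sample, not read from a real brush head."""
    dump = bytearray((LAST_PAGE + 1) * PAGE_SIZE)
    dump[CFG0_PAGE * PAGE_SIZE + 3] = auth0   # constructed AUTH0 value
    dump[CFG1_PAGE * PAGE_SIZE] = access      # constructed ACCESS value
    return bytes(dump)


if __name__ == "__main__":
    d = constructed_dump()
    print(protection_settings(d))
    for op in ("read", "write"):
        print(f"page 0x24 {op}: password needed = {needs_password(d, 0x24, op)}")
```

With the constructed values, page 0x24 can be read freely but needs the password to be written, which matches the behaviour described above; an AUTHLIM of 0 means the tag never locks out after wrong password attempts.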
Decoding the NFC data stream from a toothbrush using NFC-laboratory. (Credit: Cyrill Künzi)
Naturally, with this memory address password protected, the next step was to sniff the password using an SDR sniffer setup. After passing the resulting raw data with a gnuradio script through a lowpass filter, the resulting WAV file was decoded with the NFC-laboratory tool, allowing ..