Here is the full Philips Sonicare Head NFC Password Calculation 🥳
How I got there you can find in this Thread.
1/N
Since the RF sniffing of the NFC password was recently blogged by Cyrill Künzi (kuenzi.dev/toothbrush/), I could not stop thinking about how to crack it.
So this afternoon I bought the cheapest available toothbrush with the NFC feature (40 €) and opened it up.
Quite simple to open!
Inside this version we can find an
NXP NFC reader MFRC630
and a MindMotion MM32F001 Cortex-M0 SoC
with 16 KB flash and 2 KB RAM
Plus nicely labeled Debug Pins...
OK, how much do you bet that it will be locked... but let's see...
Very unusual: after hitting connect, I was greeted by a happily connected SWD flasher which was able to read the full flash without problems 🥳
Wonder who slept there at Philips...
After an exciting reverse engineering session in IDA everything came together and the NFC password calculation was found.
And as shown already, it's a very simple CRC calculation over the NFC tag UID and the manufacturing string that is stored in the NFC tag and also printed on the brush head.
That's all 🙂
Finally that thought is satisfied!
You can find this story on YouTube as well:
And of course the example code here:
gist.github.com/atc1441/41af75…