Here is the full Philips Sonicare Head NFC Password Calculation 🥳
How I got there you can find in this Thread. 1/N
Since the RF sniffing of the NFC Password was recently blogged by Cyrill Künzi kuenzi.dev/toothbrush/, I could not stop thinking about how to crack it.
So this afternoon I bought the cheapest available Toothbrush with the NFC feature (40€) and opened it up.
Quite simple to open!
Inside of this version we can find an
NXP NFC Reader MFRC630
and a MindMotion MM32F001 Cortex M0 SoC
16Kb Flash and 2Kb RAM
Plus nicely labeled Debug Pins...
Ok, how much on the bet that it will be locked... but let's see...
Very unusual: after hitting connect, I was greeted by a happily connected SWD flasher which was able to read the full flash without problems 🥳
Wonder who slept there at Philips...
After an exciting reverse engineering session in IDA everything came together and the NFC Password calculation was found.
And as shown already, it's a very simple CRC Calculation over the NFC Tag UID and the Manufacturing String that is in the NFC Tag and also printed on the Brush Head
That's all 🙂
Finally that thought is satisfied!
You can find this story on YouTube as well:
Another Payment Terminal from @SumUp, this time way more expensive at 100€ new but also more advanced overall, with included 3G SIM card, Printer, WiFi, and Touchscreen Display.
Let's do a teardown... 1/x
The main device has 2 torx screws in the back.
Loosening them directly triggers the tamper detection, which puts the device into a soft lock state.
So let's continue
The internals reveal a big 1200mAh LiPo and a Quectel EG91-EX LTE Module
Also the tamper detection is visible
After removing 6 screws we find the interesting parts
More Tamper detection
- ESP8266 WiFi Module
- nRF52832 BLE Module
- NXP CLRC663 NFC Chip
- MAX32552 ARM M3 Secure SOC
Quite similar internals to the BLE Terminal from last week, understandable decision
How I Hacked 2.5 million IP Cameras in just 3 nights
DISCLAIMER: This story may or may not be true for legal reasons.
About 2 years ago a friend of mine bought himself an IP Camera for his garage.
Just to test how far I could get, I asked only for the App this Cam uses... 1/x
After decompiling and looking into the app with "Show Java" (Android App), it turned out that there are Assets with too much info in them, like App Keys and Email credentials for their Support function 😖 first fail!
2/x
Unfortunately the Email credentials were real and still active
There were a lot of Support requests; every email contained the App database from the phone sending the mail (paperclip symbol)
These databases did include the login data and password in plain text 😖 Next fail! 3/x