Weirdest NFC device I've seen

Today I got a new toothbrush. I’ve always had issues with oral health (runs in the family), so I decided to spring for a nice one. I ended up with the Philips Sonicare 9300 DiamondClean Smart. It was one of the best ones Best Buy had, and I needed one tonight. My old one died.

I noticed that the brush handle could recognize which brushhead was put on top. I watched a promotional video, where they stated it was NFC. Surprisingly, a quick scan revealed that it’s 13.56MHz ISO 14443a.

So…

I give you the NFC tools scan results of one of the brushheads.

Surprisingly, it also contained an NDEF record, as seen in image 2 here:

That led me to decide to try something else, and god I’m glad I did…

Yep, that’s my toothbrush activating my xSIID.

The future is weird.

13 Likes

Now you can program your brush head, or clone it to your hand.

2 Likes

Haha, I had kind of wondered about that, until it fully kicked in that it would serve absolutely no purpose.

Interestingly, it appears to just be using a few bytes in user memory to store the brushhead type, if I’m not mistaken. Here’s two TagInfo dumps from two different brushheads, if anyone is interested.
image
image

The NDEF record is interesting too. 2/3 of my heads link to philips.com, while the third links to that
philips.com/nfcbrushheadtap page.

I’m actually genuinely a bit curious if something like a flexM1 or a flexNT would bother it while you’re brushing. If it loses coupling with the brushhead tag, it would think you just pulled it off completely. It couples pretty close when the brushhead is on though, so I don’t think it could accidentally read an implant instead.

i wonder if it updates the tag in the head with data… like maybe use count or minutes used or something like that… would be fun to track over time.

Hmm, it does have a use counter in the app (to push you to buy new heads). I had assumed it was purely software, a counter in the app, but now I’m curious. I’ll keep an eye on things for the next few uses, see if I see an incrementing counter anywhere in the tag dump.

the tag has a built in counter as well… might be using that… maybe … dunno… anyway it’s interesting… i wonder if they are using it to somehow block knockoff heads… can you copy the data and then alter it to see if the brush will work with altered data? how expensive are the heads? can you sniff it with the proxmark3? how big are your pinky fingers? is god dead? what does the moon taste like?

10 Likes

The heads are ~$15 each, lasting for 3 months or 179 brushes. As far as I know it doesn’t block counterfeit heads, as it’ll still turn on and run without a head on it at all. I think it changes brush speed and such based on the head type though, so that functionality would need a genuine head (or one with a “fake” tag).

I’ll play around with it a little. I don’t want to risk bricking one of the pricy brush heads, but I’ll try cloning it to a card and see if I can get reads from the brush handle. From there I’ll see if I can modify it a bit, along with attempting modifications.

I’ll also try a sniff with the PM3.

You’re much more experienced with reading tag dumps, can you tell if either of them have the lock bit set for the user memory? I’d normally just attempt a write, but again, don’t want to brick it. I’m curious, if it is using user memory to increment, if you could “reset” a head to 0 uses.

EDIT: Can’t believe I forgot…

image

probably by now

i’d guess like moon

4 Likes

ah yeah they are fully locked

oh-my

6 Likes

As far as I understand it’s meant to be used to help determine the lifespan of the heads and alert you to when they need replacing.