Weirdest NFC device I've seen

Today I got a new toothbrush. I’ve always had issues with oral health (runs in the family), so I decided to spring for a nice one. I ended up with the Philips Sonicare 9300 DiamondClean Smart. It was one of the best ones Best Buy had, and I needed one tonight. My old one died.

I noticed that the brush handle could recognize which brushhead was put on top. I watched a promotional video, where they stated it was NFC. Surprisingly, a quick scan revealed that it’s 13.56 MHz ISO 14443A.

So…

I give you the NFC tools scan results of one of the brushheads.

Surprisingly, it also contained an NDEF record, as seen in image 2 here:

That led me to decide to try something else, and god I’m glad I did…

Yep, that’s my toothbrush activating my xSIID.

The future is weird.

15 Likes

Now you can program your brush head, or clone it to your hand.

2 Likes

Haha, I had kind of wondered about that, until it fully kicked in that it would serve absolutely no purpose.

Interestingly, it appears to just be using a few bytes in user memory to store the brushhead type, if I’m not mistaken. Here’s two TagInfo dumps from two different brushheads, if anyone is interested.

The NDEF record is interesting too. 2/3 of my heads link to philips.com, while the third links to that philips.com/nfcbrushheadtap page.

I’m actually genuinely a bit curious if something like a flexM1 or a flexNT would bother it while you’re brushing. If it loses coupling with the brushhead tag, it would think you just pulled it off completely. It couples pretty close when the brushhead is on though, so I don’t think it could accidentally read an implant instead.

i wonder if it updates the tag in the head with data… like maybe use count or minutes used or something like that… would be fun to track over time.

Hmm, it does have a use counter in the app (to push you to buy new heads). I had assumed it was purely software, a counter in the app, but now I’m curious. I’ll keep an eye on things for the next few uses, see if I see an incrementing counter anywhere in the tag dump.

the tag has a built in counter as well… might be using that… maybe … dunno… anyway it’s interesting… i wonder if they are using it to somehow block knockoff heads… can you copy the data and then alter it to see if the brush will work with altered data? how expensive are the heads? can you sniff it with the proxmark3? how big are your pinky fingers? is god dead? what does the moon taste like?

10 Likes

The heads are ~$15 each, lasting for 3 months or 179 brushes. As far as I know it doesn’t block counterfeit heads, as it’ll still turn on and run without a head on it at all. I think it changes brush speed and such based on the head type though, so that functionality would need a genuine head (or one with a “fake” tag).

I’ll play around with it a little. I don’t want to risk bricking one of the pricy brush heads, but I’ll try cloning it to a card and see if I can get reads from the brush handle. From there I’ll see if I can modify it a bit, along with attempting modifications.

I’ll also try a sniff with the PM3.

You’re much more experienced with reading tag dumps, can you tell if either of them have the lock bit set for the user memory? I’d normally just attempt a write, but again, don’t want to brick it. I’m curious, if it is using user memory to increment, if you could “reset” a head to 0 uses.

EDIT: Can’t believe I forgot…


probably by now

i’d guess like moon

4 Likes

ah yeah they are fully locked

oh-my

6 Likes
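The lock-bit question from the posts above, worked as an added example that is not part of the original thread: reading the static and dynamic lock bytes out of a tag dump to see which user pages are still writable before attempting a write. It assumes the NTAG213 page layout (the thread does not name the chip), and the function names and sample dumps are constructed for illustration.

```python
# Added example: decode lock bits from an NFC Type 2 tag dump (read-only analysis).
# ASSUMPTION: NTAG213 layout (45 pages of 4 bytes); the thread never names the chip.
# Password protection (AUTH0/PWD config pages) is a separate mechanism, not covered.
USER_FIRST, USER_LAST = 4, 39   # NTAG213 user memory pages
DYN_LOCK_PAGE = 0x28            # dynamic lock bytes on NTAG213

def locked_pages(pages):
    """Return the set of page numbers (3..39) whose lock bit is set."""
    if len(pages) <= DYN_LOCK_PAGE or any(len(p) != 4 for p in pages):
        raise ValueError("need 4-byte pages up to and including page 0x28")
    locked = set()
    # Static lock bytes are page 2, bytes 2-3. Read as a 16-bit little-endian
    # value, bit N locks page N for N = 3..15 (bits 0..2 are block-lock bits).
    static = pages[2][2] | (pages[2][3] << 8)
    for page in range(3, 16):
        if static & (1 << page):
            locked.add(page)
    # Dynamic lock bytes 0-1: each of the 12 bits locks two pages, from page 16.
    dyn = pages[DYN_LOCK_PAGE][0] | (pages[DYN_LOCK_PAGE][1] << 8)
    for bit in range(12):
        if dyn & (1 << bit):
            locked.update((16 + 2 * bit, 17 + 2 * bit))
    return locked

def user_memory_state(pages):
    """Summarise whether user memory can still be written."""
    user = set(range(USER_FIRST, USER_LAST + 1))
    locked = locked_pages(pages) & user
    if locked == user:
        return "fully locked"
    return "partially locked" if locked else "writable"

def sample_dump(static=(0x00, 0x00), dynamic=(0x00, 0x00, 0x00)):
    """Constructed 45-page dump; not data from the brush heads in the thread."""
    pages = [bytes(4) for _ in range(45)]
    pages[2] = bytes([0x00, 0x48, *static])        # internal byte + static lock bytes
    pages[3] = bytes([0xE1, 0x10, 0x12, 0x00])     # capability container
    pages[DYN_LOCK_PAGE] = bytes([*dynamic, 0x00])
    return pages

if __name__ == "__main__":
    for name, dump in [("blank tag", sample_dump()),
                       ("one page locked", sample_dump((0x10, 0x00))),
                       ("all lock bits set", sample_dump((0xFF, 0xFF), (0xFF, 0x0F, 0x00)))]:
        print(f"{name}: {user_memory_state(dump)}, locked={sorted(locked_pages(dump))}")
```

Lock bits on these tags are one-time programmable, so a page reported as locked here stays read-only.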

As far as I understand it’s meant to be used to help determine the lifespan of the heads and alert you to when they need replacing.

Not sure if this is the same model, but I saw this a while ago:

2 Likes