BrushOS is an exploration of a Philips Sonicare toothbrush and attempt at custom firmware with amazing and new features.

Status

Trying to dump firmware through SWD is currently failing on all available hardware.

Summary

Even though I started this myself, I quickly found out about another hacker starting research in May 2023: Cyrill Künzi: Hacking my “smart” toothbrush.

Luckily he didn’t crack the toothbrush side and I set out to solve that problem.

All my tries to guess to one-way function for generating the passwords failed. Depending on the care that the Philips engineers took, guessing this function could be almost impossible. But if you manage to solve this puzzle, feel free to hit me up with an E-mail.

Unfortunately this created some traction on Hacker News and Hackaday and Aaron Christophel did it in an afternoon while I was already working on it.

Update (August 16, 2023)

After publishing this article, I was pleasantly surprised to see it picked up by some big news sites such as Hacker News and Hackaday. The resulting discussions and comments proved to be both enlightening and entertaining. Thanks to everyone who dropped positive comments and messages! A special shoutout has to go to Aaron Christophel who got inspired by this post to:

  • Dump and reverse engineer the Philips Sonicare firmware to extract the password generation algorithm: Video
  • Wrote a password generator: GitHub
  • And just for fun, he made the toothbrush bust out a Rick Roll Please go check his content if you are interested in the solution to the puzzle.

Looking at Aaron’s research, he got lucky that his model of the toothbrush (Philips Sonicare 3100) had a different chip from ours and that wasn’t locked, so he could easily dump the flash.