by roundandround 1115 days ago
I'm curious to see, but I don't think the algorithm for calculating the password from the identifier would be very sophisticated. Assuming they didn't want to add costs to prevent easy retrieval of any secret key from the device, a complex algorithm would be kind of a waste.

I mean, even something as simple as `md5("very-long-secret-only-phillips-knows" + uid)[:4]` would be effectively unguessable. Not hard if you have the code for the firmware, but nigh-impossible otherwise.
If one person has access once and publishes it, the work of setting up a proper md5 was a waste compared to an xor.
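The derivation sketched in the comments above, as an added Python example (not the commenter's code and not anything taken from Sonicare firmware; the secret and UIDs are constructed), put beside the per-device alternative that the follow-up point about a single leak argues for:

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a vendor-wide secret baked into firmware (hypothetical value).
GLOBAL_SECRET = b"very-long-secret-only-the-vendor-knows"


def derive_password(global_secret: bytes, uid: str) -> str:
    """Scheme from the thread: md5(secret + uid) truncated to 4 hex chars."""
    return hashlib.md5(global_secret + uid.encode()).hexdigest()[:4]


def truncated_keyspace(hex_chars: int = 4) -> int:
    """Number of distinct values a truncation to `hex_chars` hex digits can take.
    4 hex characters is 16 bits, i.e. 65536 candidates, regardless of how
    strong the hash or the secret behind it is."""
    return 16 ** hex_chars


def passwords_from_one_leak(global_secret: bytes, uids: list[str]) -> dict[str, str]:
    """Consequence of a shared secret: once it is known from any one firmware
    image, the password of every device with a known UID follows at no cost."""
    return {uid: derive_password(global_secret, uid) for uid in uids}


def provision_device_secret() -> bytes:
    """Alternative at manufacture time: an independent random secret per device
    (constructed here with os-level randomness). Learning one device's secret
    says nothing about any other device's."""
    return secrets.token_bytes(16)


def per_device_password(device_secret: bytes, uid: str) -> str:
    """Keyed derivation with the per-device secret; HMAC-SHA256 instead of a
    bare hash over concatenated input, truncated the same way for comparison."""
    return hmac.new(device_secret, uid.encode(), hashlib.sha256).hexdigest()[:4]


if __name__ == "__main__":
    uids = ["0001", "0002", "0003"]
    print("shared-secret passwords:", passwords_from_one_leak(GLOBAL_SECRET, uids))
    dev = provision_device_secret()
    print("per-device password for 0001:", per_device_password(dev, "0001"))
    print("candidates for a 4-hex-char password:", truncated_keyspace())
```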
The Sonicare app lets you download the latest firmware blob. So all you'd do is intercept it and find the function responsible for generating the password.
The app has the firmware embedded in it (resources/assets/firmware); not sure if it actually downloads a newer one or if it updates with the app. It does seem to be encrypted or compressed somehow though.
It does seem to be for the more expensive DiamondClean series, though I guess the brush checking would be similar. Didn't find any decryption in the APK; it just transfers it as is. Must be hidden inside the firmware as well. I don't think there's any way to get the firmware except dump it from the chip :/