Xiaomi Air Purifier 3H Reverse Engineering Part 3: ESP32 DUMP

Stealing Your password

Yesterday, I received a mail! By a user named : tuxuser. I thought I was alone in the world of Xiaomi Air purifier poking…

Since more people are getting involved I decided to update some more information on the web!

I dumped the ESP Flash contents using : Link (look closely and you will see that I used the air purifier to generate that content)

warning: don’t use this firmware to recover your devices if its bricked. I made some manual changes to it to remove some private info.

I will make a virgin dump that can be used for recovery purposes.

Lest do a visual analysis of the data:

Upload the Binary to https://binvis.io/
scroll through the data.. the first thing I saw was:

Small data Island in ESP Flash

Lets see:

Owno….. they did not..

I was flabbergasted to see this… All my network information (SSID and location, passwords) in plain text..

Facepalm Really GIF - Facepalm Really Stressed GIFs
Facepalm

Furthermore they save all the network data and password of previous networks as well.. don’t forget to wipe your ESP when you sell this thing secondhand…
more interesting: the PSM tokens of the device (these can be used with integration in something like Home assistant.) are located here as well.

From now on when I need someone’s WIFI password:

me.

The following IP Addresses are hard coded in the device:

110.43.0.85
110.43.0.83
http://dlg.io.mi.com

By Blocking these IP addresses the Air purifier wont be able to call home.

Parts in this series:
Part 1 header information
Part 2 Fremont EEPROM dump

6 comments

  1. You did a great job. I think I’ll give your mod a try.

    “All my network information (SSID and location, passwords) in plain text.. ”
    “From now on when I need someone’s WIFI password:”
    Yes. But information is already “stolen” by Xiaomi if a device is registered. All the information is sent to the cloud.

    Therefore I didn’t register mine so far. Did you make some progress on ESP32 ?

    My aim is to never register my 3H but be able to connect it to my smarthome to steer it and to gather sensor informations.

    Regards Markus

    1. Hi Markus and anyone else reading,

      For the exact same reason I started working on replacing the stock ESP32 firmware with my own build of ESPHome. This allows me to monitor and control the purifier from Home Assistant without ever having to connect it to the internet or download weird apps. The only disadvantage is, that you have to take the purifier apart to access the header for flashing. Also you have to tie GPIO0 and GPIO2 to GND for the ESP to enter download mode.

      I hope someone can benefit from my work.

      Regards,
      Jaro

  2. Guys, I really need your help. I got a NTAG213 tag which i need to clone. I think it’s encrypted or password protected. Can anyone be able to clone it?

Leave a comment

Your email address will not be published. Required fields are marked *