Well it’s been a long time since I’ve posted something new… But today I’ve got something big:
Sometime last year I received an email from Doegox. A Belgium Hacker (I know him for his work on the ICE-man repo of the proxmark readers/writers).
We exchanged some information and this is what I received from him:
import sys
import hashlib
# Usage: pwd.py 04A03CAA1E7080
def getpwd(uid):
uid = bytearray.fromhex(uid)
h = bytearray.fromhex(hashlib.sha1(uid).hexdigest())
pwd = ""
pwd += "%02X" % h[h[0] % 20]
pwd += "%02X" % h[(h[0]+5) % 20]
pwd += "%02X" % h[(h[0]+13) % 20]
pwd += "%02X" % h[(h[0]+17) % 20]
return pwd
assert getpwd("04A03CAA1E7080") == "CD91AFCC"
assert getpwd("04112233445566") == "EC9805C8"
print("PWD:", getpwd(sys.argv[1]))
To most of you this might look like some random code.. But this is actually very special… Xiaomi relies on a password for communication between filter and air purifier. More information can be found on the reverse engineering Github: Click
The type of NFC tags that are used are the NTAG213 tags (by NXP) How they created the password was a secret until now!
They use the UUID (duhh its, unique for each filter) If we use the above code and and insert a filter with UUID : 04A03CAA1E7080 we get the password CD91AFCC.
As seen as in my Github filter snoop: Click
That means we can make our own filters now!
This will significantly decrease the waste footprint from a whole filter.. to just a sticker 😀
if you want to support me, buy a NFC sticker pack (yes they act as an new filter in a Xiaomi Air Purifier)
Special thanks to Doegox and an incredible programmer friend.
Brilliant! Thank you so much! I always thought they whitelisted the data they wrote to the tags and it annoyed me that they always started to complain way too early about replacement. Thank you so much!
I got a PC NFC writer and stickers but i am not sure what to do 😀 and to be honest how…
Is there a “how to” available?
The easiest way:
Clone an original NFC filter sticker. (dump the contents) then place the copy in the air purifier let it run for a couple of days. Check what numbers changed.. Change those numbers back to the original value. Hey Presto you have a full filter again.
This procedure is for exiting NFC on a filter? But how to create a new TAG? I did some try without success, except getting the Password. With PM3 I dump the original brand new with 100% remaining like this:
hf mfu dump -k 12345678
Then on a new NCF 213 Tag I restore with:
hf mfu restore -f myfile -k AABBCCDD
But got error durring the process and the tag didn’t work.
Thank for your help
Hi, ACR122U NFC reader and Writer.
Do I need specific software to write and clone it? Thank you for show us tips.
Hey Mia,
Sorry I don’t use that reader. I cannot help you!
Thank you Admin,
Can you help me clear my understand with this question?
Why do we need password for the unique UUID? I have my UUID of the current filter what I have to do with it to make filter tag? I am trying to extend my filter life. Hope you can help a newbie like me learn something.
Thank you
I able to modify the tag to 100%.
Using ACR122U and ACR122U made easy software v2.9 on ebay.
It a great software for normal student, people. No need to be developer.
The password can be obtained by python.
Hi Mia Glen,
can you post how you did it with the reader/writer?
thank you 🙂
Hello. Can You help me with this ?
Hi Mia, I have ACR122U also can you help me with it how you do it. I have downloaded .bin files from GitHub but NFC tools only read json files. Please help me how you do that thanks.
Hi I have a GoJO soap Dispenser RFID and I search its response at frequency around 13.56 Mhz but my proxmark could not identify the tag. If you interest in this project please let me know
Hey Ayaka,
Please see the mail I’ve send you 😉