This is how they do it!

For a very thorough write-up on how this all works, please visit: https://unethical.info/2024/01/24/hacking-my-air-purifier/

Well, it’s been a long time since I’ve posted something new… But today I’ve got something big:

NFC Stickers act like new filters!!

Sometime last year I received an email from Doegox, a Belgian hacker (I know him from his work on the Iceman fork of the Proxmark3 firmware for the Proxmark readers/writers).

We exchanged some information and this is what I received from him:

import sys
import hashlib

# Usage: pwd.py 04A03CAA1E7080
#
# Derives the NTAG213 password from the tag's 7-byte UID: the SHA-1 digest
# of the raw UID bytes is computed, and four of its 20 bytes are picked at
# offsets that depend on the first digest byte (all indices taken modulo 20,
# the digest length). The result is the 32-bit PWD the purifier sends to the
# filter tag.
def getpwd(uid):
    uid = bytes.fromhex(uid)              # hex string -> 7 raw UID bytes
    h = hashlib.sha1(uid).digest()        # 20-byte digest
    pwd = ""
    pwd += "%02X" % h[h[0] % 20]
    pwd += "%02X" % h[(h[0] + 5) % 20]
    pwd += "%02X" % h[(h[0] + 13) % 20]
    pwd += "%02X" % h[(h[0] + 17) % 20]
    return pwd

# Known-good test vectors
assert getpwd("04A03CAA1E7080") == "CD91AFCC"
assert getpwd("04112233445566") == "EC9805C8"

if __name__ == "__main__":
    print("PWD:", getpwd(sys.argv[1]))

To most of you this might look like random code, but it is actually very special: Xiaomi relies on a password for the communication between the filter and the air purifier. More information can be found on the reverse-engineering GitHub: Click

The filters carry NTAG213 tags (by NXP). These tags support a 32-bit password (PWD_AUTH) that protects the pages above AUTH0, and how Xiaomi derived that password was a secret until now.

They derive it from the tag's 7-byte UID (which is unique to each tag, and therefore to each filter). Running the code above on a filter with UID 04A03CAA1E7080 gives the password CD91AFCC.

As seen in my GitHub filter snoop: Click
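The derivation above, worked end-to-end on a tag dump, as an added example (this is not code from the original post or from Doegox): it extracts the 7-byte UID from the first NTAG213 pages, verifies both BCC check bytes, derives the password with the same SHA-1 selection, builds the PWD_AUTH payload a reader would send, and diffs two dumps to find the pages the purifier rewrote. The two dumps are constructed for the example; the page that changes between them (0x10) and its contents were chosen arbitrarily and say nothing about what Xiaomi actually stores on the filter.

```python
import hashlib

PAGE_SIZE = 4
NTAG213_PAGES = 45       # pages 0x00..0x2C
PWD_AUTH_CMD = 0x1B      # NTAG21x PWD_AUTH command byte


def derive_pwd(uid: bytes) -> bytes:
    """Xiaomi's derivation as documented on this page: four SHA-1 digest bytes
    picked at offsets that depend on the first digest byte (indices mod 20)."""
    if len(uid) != 7:
        raise ValueError("NTAG213 UIDs are 7 bytes")
    h = hashlib.sha1(uid).digest()
    return bytes(h[(h[0] + k) % 20] for k in (0, 5, 13, 17))


def pwd_hex(uid_hex: str) -> str:
    return derive_pwd(bytes.fromhex(uid_hex)).hex().upper()


def uid_from_pages(page0: bytes, page1: bytes, page2: bytes) -> bytes:
    """Page 0 = UID0..UID2, BCC0; page 1 = UID3..UID6; page 2 = BCC1, INT, LOCK0, LOCK1.
    Both check bytes are verified so a corrupted or hand-edited dump is rejected."""
    uid = bytes(page0[:3]) + bytes(page1[:4])
    bcc0 = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    if page0[3] != bcc0 or page2[0] != bcc1:
        raise ValueError("BCC mismatch: dump does not contain a consistent UID")
    return uid


def dump_is_consistent(dump: bytes) -> bool:
    pages = [dump[i:i + PAGE_SIZE] for i in range(0, len(dump), PAGE_SIZE)]
    try:
        uid_from_pages(pages[0], pages[1], pages[2])
        return True
    except ValueError:
        return False


def pwd_from_dump(dump: bytes) -> str:
    """Derive the password from a raw page dump. Note that on a real NTAG21x the
    PWD (0x2B) and PACK (0x2C) pages read back as zeros, so the derived value
    can only be confirmed by actually authenticating, not by inspecting the dump."""
    pages = [dump[i:i + PAGE_SIZE] for i in range(0, len(dump), PAGE_SIZE)]
    return derive_pwd(uid_from_pages(pages[0], pages[1], pages[2])).hex().upper()


def pwd_auth_frame(pwd: bytes) -> bytes:
    """Payload of the PWD_AUTH command (the reader appends the CRC)."""
    return bytes([PWD_AUTH_CMD]) + pwd


def diff_dumps(before: bytes, after: bytes):
    """Return [(page_no, old, new)] for every page that differs between two dumps."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size")
    changed = []
    for off in range(0, len(before), PAGE_SIZE):
        old, new = before[off:off + PAGE_SIZE], after[off:off + PAGE_SIZE]
        if old != new:
            changed.append((off // PAGE_SIZE, old, new))
    return changed


def make_dump(uid: bytes, user_pages: dict) -> bytes:
    """Build a constructed NTAG213 dump: real UID/BCC layout and capability
    container, everything else zero except the user pages passed in."""
    pages = [bytearray(PAGE_SIZE) for _ in range(NTAG213_PAGES)]
    pages[0][:3] = uid[:3]
    pages[0][3] = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]
    pages[1][:] = uid[3:7]
    pages[2][0] = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]   # INT/LOCK bytes left zero
    pages[3][:] = bytes.fromhex("E1101200")            # NTAG213 capability container
    for no, data in user_pages.items():
        pages[no][:] = data
    return b"".join(bytes(p) for p in pages)


# Constructed samples: the UID is the one from this page, the user data is invented.
FILTER_UID = bytes.fromhex("04A03CAA1E7080")
DUMP_FRESH = make_dump(FILTER_UID, {0x10: bytes.fromhex("64000000")})
DUMP_USED = make_dump(FILTER_UID, {0x10: bytes.fromhex("3C000000")})

if __name__ == "__main__":
    print("PWD from dump:", pwd_from_dump(DUMP_FRESH))
    print("PWD_AUTH payload:", pwd_auth_frame(derive_pwd(FILTER_UID)).hex().upper())
    for page, old, new in diff_dumps(DUMP_FRESH, DUMP_USED):
        print(f"page {page:#04x}: {old.hex()} -> {new.hex()}")
```

The BCC check is there because a dump restored onto a blank tag must describe the tag it is written to: the UID of a stock NTAG213 is factory-programmed and read-only, so the password has to be derived from the new sticker's own UID, not copied from the original filter's dump.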

That means we can make our own filters now!

Party hard.

This will significantly decrease the waste footprint: from a whole filter to just a sticker 😀

If you want to support me, buy an NFC sticker pack (yes, they act as a new filter in a Xiaomi Air Purifier).

I sell on Tindie

Special thanks to Doegox and an incredible programmer friend.

Programming…..

37 comments

  1. Brilliant! Thank you so much! I always thought they whitelisted the data they wrote to the tags and it annoyed me that they always started to complain way too early about replacement. Thank you so much!

  2. I got a PC NFC writer and stickers but I am not sure what to do 😀 and, to be honest, how…
    Is there a “how to” available?

    1. The easiest way:
      Clone an original NFC filter sticker (dump the contents), then place the copy in the air purifier and let it run for a couple of days. Check what numbers changed, change those numbers back to the original value, and hey presto, you have a full filter again.

      1. This procedure is for the existing NFC on a filter? But how to create a new tag? I did some tries without success, except getting the password. With PM3 I dump the original brand new one with 100% remaining like this:
        hf mfu dump -k 12345678
        Then on a new NFC 213 tag I restore with:
        hf mfu restore -f myfile -k AABBCCDD
        But I got an error during the process and the tag didn’t work.
        Thanks for your help

  3. Hi, I have an ACR122U NFC reader and writer.
    Do I need specific software to write and clone it? Thank you for showing us tips.

      1. Thank you Admin,
        Can you help me clarify my understanding with this question?
        Why do we need a password for the unique UUID? I have the UUID of the current filter; what do I have to do with it to make a filter tag? I am trying to extend my filter life. Hope you can help a newbie like me learn something.

  4. Thank you
    I was able to modify the tag to 100%.
    Using an ACR122U and the ACR122U made easy software v2.9 from eBay.
    It’s great software for normal students and people. No need to be a developer.
    The password can be obtained with Python.

    1. Hi Mia, I have an ACR122U also; can you help me with how you did it? I have downloaded .bin files from GitHub but NFC Tools only reads JSON files. Please help me with how you did that, thanks.

    2. Hi. Did somebody try a tag/filter for the Xiaomi Purifier 4 Pro?
      I’m getting authentication failed with the calculated password.
      python pwd.py 040F018AEB7285
      PWD: F490FBCF

  5. Hi, I have a GoJo soap dispenser RFID tag and I searched for its response at a frequency around 13.56 MHz, but my Proxmark could not identify the tag. If you are interested in this project please let me know.

  6. Hi,
    I have a Flipper Zero and would like to test your hack out.
    Can you maybe explain the steps in a little more detail?
    Like, should I read the tag of an existing filter first and then write a new password somehow?
