Well it’s been a long time since I’ve posted something new… But today I’ve got something big:
Sometime last year I received an email from Doegox, a Belgian hacker (I know him from his work on the Iceman repo for the Proxmark readers/writers).
We exchanged some information and this is what I received from him:
import sys
import hashlib

# Usage: pwd.py 04A03CAA1E7080
def getpwd(uid):
    # uid is the 7-byte tag UID as a hex string; the password is pulled out of its SHA-1
    uid = bytearray.fromhex(uid)
    h = bytearray.fromhex(hashlib.sha1(uid).hexdigest())
    # the first digest byte selects a start offset into the 20-byte digest;
    # the 4 password bytes are taken at offsets +0, +5, +13 and +17 (mod 20)
    pwd = ""
    pwd += "%02X" % h[h[0] % 20]
    pwd += "%02X" % h[(h[0]+5) % 20]
    pwd += "%02X" % h[(h[0]+13) % 20]
    pwd += "%02X" % h[(h[0]+17) % 20]
    return pwd

assert getpwd("04A03CAA1E7080") == "CD91AFCC"
assert getpwd("04112233445566") == "EC9805C8"
print("PWD:", getpwd(sys.argv[1]))
To most of you this might look like some random code, but it is actually very special: Xiaomi relies on a password for the communication between the filter's NFC tag and the air purifier. More information can be found on the reverse engineering GitHub: Click
The NFC tags used in the filters are NTAG213 tags (by NXP), which support a 4-byte password. How Xiaomi derives that password was a secret until now!
They use the tag's 7-byte UID (which is, of course, unique for each filter). If we run the above code on a filter with UID 04A03CAA1E7080, we get the password CD91AFCC.
As seen in my GitHub filter snoop: Click
That means we can make our own filters now!
This will significantly reduce the waste footprint, from a whole filter to just a sticker 😀
If you want to support me, buy an NFC sticker pack (yes, they act as a new filter in a Xiaomi Air Purifier).
Special thanks to Doegox and an incredible programmer friend.