Well it’s been a long time since I’ve posted something new… But today I’ve got something big:

Sometime last year I received an email from Doegox, a Belgian hacker (I know him for his work on the ICE-man repo of the Proxmark readers/writers).
We exchanged some information and this is what I received from him:
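
    import sys
    import hashlib

    # Usage: pwd.py 04A03CAA1E7080

    def getpwd(uid):
        # uid: the tag UID as a hex string
        uid = bytearray.fromhex(uid)
        # 20-byte SHA-1 digest of the UID
        h = bytearray.fromhex(hashlib.sha1(uid).hexdigest())
        # The first digest byte selects which four digest bytes form the password
        pwd = ""
        pwd += "%02X" % h[h[0] % 20]
        pwd += "%02X" % h[(h[0]+5) % 20]
        pwd += "%02X" % h[(h[0]+13) % 20]
        pwd += "%02X" % h[(h[0]+17) % 20]
        return pwd

    # Self-check against two known UID/password pairs
    assert getpwd("04A03CAA1E7080") == "CD91AFCC"
    assert getpwd("04112233445566") == "EC9805C8"

    # Exit with a usage message instead of an IndexError when no UID is given
    if len(sys.argv) != 2:
        sys.exit("Usage: pwd.py <UID as hex>")
    print("PWD:", getpwd(sys.argv[1]))
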
To most of you this might look like some random code, but it is actually very special: Xiaomi relies on a password for communication between the filter and the air purifier. More information can be found on the reverse engineering GitHub: Click
The NFC tags that are used are NTAG213 tags (by NXP). How they created the password was a secret until now!
They use the UID (duh, it's unique for each filter): the password is four bytes taken from the SHA-1 hash of the UID, at positions chosen by the first byte of that hash. If we run the above code with a filter UID of 04A03CAA1E7080, we get the password CD91AFCC.
As seen in my GitHub filter snoop: Click
That means we can make our own filters now!
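Why knowing the algorithm is enough: the derivation above uses no secret, only the UID that every tag reports. The following is an added example, not code from Doegox or Xiaomi; it puts the page's derivation next to a hypothetical keyed variant (`keyed_pwd`, `VENDOR_KEY` and `WRONG_GUESS` are assumptions made up for illustration) to show what changes when a secret key is part of the input.

```python
import hashlib
import hmac


def _uid_bytes(uid_hex: str) -> bytes:
    uid = bytes.fromhex(uid_hex)
    if len(uid) != 7:  # NTAG213 tags carry a 7-byte UID
        raise ValueError("expected a 7-byte UID as 14 hex digits")
    return uid


def unkeyed_pwd(uid_hex: str) -> str:
    """Derivation from this page: 4 bytes of SHA-1(UID), picked via h[0]."""
    h = hashlib.sha1(_uid_bytes(uid_hex)).digest()
    return "".join("%02X" % h[(h[0] + off) % 20] for off in (0, 5, 13, 17))


def keyed_pwd(master_key: bytes, uid_hex: str) -> str:
    """Hypothetical hardened variant (assumption, not Xiaomi's scheme):
    HMAC-SHA256 over the UID under a secret key, truncated to 4 bytes."""
    mac = hmac.new(master_key, _uid_bytes(uid_hex), hashlib.sha256).digest()
    return mac[:4].hex().upper()


# Constructed sample values for the comparison.
VENDOR_KEY = bytes(range(32))   # stands in for a secret only the vendor holds
WRONG_GUESS = bytes(32)         # what someone without the key might try
UIDS = ["04A03CAA1E7080", "04112233445566"]  # UIDs from the page's asserts


def compare(uids):
    """For each UID: the unkeyed password (computable by anyone) and whether
    a keyed password can be reproduced without knowing VENDOR_KEY."""
    rows = []
    for uid in uids:
        rows.append({
            "uid": uid,
            "unkeyed": unkeyed_pwd(uid),
            "keyed_matches_without_key":
                keyed_pwd(WRONG_GUESS, uid) == keyed_pwd(VENDOR_KEY, uid),
        })
    return rows


if __name__ == "__main__":
    for row in compare(UIDS):
        print(row)
```

A keyed derivation only prevents computing the password from the UID; the NTAG213 password is still just 32 bits and is sent to the tag unencrypted during authentication, so it remains observable on the air interface.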

This will significantly decrease the waste footprint from a whole filter.. to just a sticker 😀
If you want to support me, buy an NFC sticker pack (yes, they act as a new filter in a Xiaomi Air Purifier).
Special thanks to Doegox and an incredible programmer friend.

Brilliant! Thank you so much! I always thought they whitelisted the data they wrote to the tags and it annoyed me that they always started to complain way too early about replacement. Thank you so much!
I got a PC NFC writer and stickers but I am not sure what to do 😀 and to be honest how…
Is there a “how to” available?
The easiest way:
Clone an original NFC filter sticker (dump the contents), then place the copy in the air purifier and let it run for a couple of days. Check what numbers changed. Change those numbers back to the original value. Hey presto, you have a full filter again.