This is how they do it!

Well, it’s been a long time since I’ve posted something new… But today I’ve got something big:

NFC Stickers act like new filters!!

Sometime last year I received an email from Doegox, a Belgian hacker (I know him from his work on the Iceman repository for the Proxmark readers/writers).

We exchanged some information and this is what I received from him:

```python
import sys
import hashlib

# Usage: pwd.py 04A03CAA1E7080
def getpwd(uid):
    # The UID is given as 7 bytes in hex; the password is built from the
    # SHA-1 hash (20 bytes) of those raw bytes.
    uid = bytearray.fromhex(uid)
    h = bytearray.fromhex(hashlib.sha1(uid).hexdigest())
    # Four hash bytes are picked; their positions are chosen by the first
    # hash byte, modulo the 20-byte digest length.
    pwd = ""
    pwd += "%02X" % h[h[0] % 20]
    pwd += "%02X" % h[(h[0]+5) % 20]
    pwd += "%02X" % h[(h[0]+13) % 20]
    pwd += "%02X" % h[(h[0]+17) % 20]
    return pwd

# Known test vectors
assert getpwd("04A03CAA1E7080") == "CD91AFCC"
assert getpwd("04112233445566") == "EC9805C8"

if len(sys.argv) != 2:
    sys.exit("Usage: pwd.py <UID as 14 hex digits>")
print("PWD:", getpwd(sys.argv[1]))
```

To most of you this might look like some random code… but it is actually very special. Xiaomi relies on a password for the communication between filter and air purifier. More information can be found in the reverse-engineering GitHub repo: Click

The NFC tags used are NTAG213 tags (by NXP). How the password was created was a secret until now!

They use the tag’s UID (which is, of course, unique for each filter). If we run the code above on a filter with UID 04A03CAA1E7080, we get the password CD91AFCC.
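To make the security-relevant point concrete, here is an added example (not code from the original post or from Xiaomi). It re-implements the derivation described above, adds a check that tells you whether a given tag password is simply a function of its UID, and contrasts that with a hypothetical keyed derivation in which the 32-bit NTAG21x password is computed with HMAC-SHA256 under a master key that only the reader holds. The keyed variant, the `b"ntag-pwd|"` label and the demo master key are assumptions for illustration only; the two UIDs and passwords are the post’s own test vectors.

```python
import hashlib
import hmac

# Scheme as reverse engineered on this page: four bytes of SHA-1(UID),
# selected by the first hash byte modulo 20. No secret enters the
# computation, so the password is a public function of the readable UID.
def unkeyed_pwd(uid_hex: str) -> str:
    uid = bytes.fromhex(uid_hex)
    h = hashlib.sha1(uid).digest()  # 20 bytes, hence the "% 20"
    positions = [h[0] % 20, (h[0] + 5) % 20, (h[0] + 13) % 20, (h[0] + 17) % 20]
    return "".join("%02X" % h[i] for i in positions)

# Check a tag: does its password match the unkeyed scheme? True means the
# password is recoverable by anyone who can read the UID.
def is_uid_derived(uid_hex: str, pwd_hex: str) -> bool:
    return hmac.compare_digest(unkeyed_pwd(uid_hex), pwd_hex.upper())

# Hypothetical keyed alternative (an assumption for illustration, not what
# the vendor does): derive the 32-bit password from the UID with HMAC-SHA256
# under a master key kept on the reader side. Without that key, the UID
# alone does not yield the password.
def keyed_pwd(uid_hex: str, master_key: bytes) -> str:
    uid = bytes.fromhex(uid_hex)
    mac = hmac.new(master_key, b"ntag-pwd|" + uid, hashlib.sha256).digest()
    return mac[:4].hex().upper()

if __name__ == "__main__":
    uid = "04A03CAA1E7080"                # UID from the post
    key = b"constructed-demo-master-key"  # constructed for this example
    print("unkeyed:", unkeyed_pwd(uid))
    print("keyed:  ", keyed_pwd(uid, key))
    print("derived from UID alone?", is_uid_derived(uid, "CD91AFCC"))
```

The difference between the two functions is the whole story: `unkeyed_pwd` needs nothing but the UID, which the tag hands out to any reader, while `keyed_pwd` cannot be evaluated without the master key, so dumping a tag no longer tells you how to mint a matching one.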

As seen in my GitHub filter-snoop repo: Click

That means we can make our own filters now!

Party hard.

This will significantly decrease the waste footprint, from a whole filter to just a sticker 😀

If you want to support me, buy an NFC sticker pack (yes, they act as a new filter in a Xiaomi Air Purifier).

I sell on Tindie

Special thanks to Doegox and an incredible programmer friend.


23 comments

  1. Brilliant! Thank you so much! I always thought they whitelisted the data they wrote to the tags and it annoyed me that they always started to complain way too early about replacement. Thank you so much!

  2. I got a PC NFC writer and stickers, but I am not sure what to do 😀 and, to be honest, how…
    Is there a “how to” available?

    1. The easiest way:
      Clone an original NFC filter sticker (dump the contents), then place the copy in the air purifier and let it run for a couple of days. Check which numbers changed, and change those numbers back to the original value. Hey presto, you have a full filter again.

  3. Hi, I have an ACR122U NFC reader and writer.
    Do I need specific software to write and clone it? Thank you for showing us these tips.

      1. Thank you, Admin.
        Can you help me clear up my understanding with this question?
        Why do we need a password for the unique UUID? I have the UUID of my current filter; what do I have to do with it to make a filter tag? I am trying to extend my filter’s life. Hope you can help a newbie like me learn something.

  4. Thank you.
    I was able to modify the tag to 100%.
    Using an ACR122U and the “ACR122U made easy” software v2.9 from eBay.
    It is great software for normal students and people. No need to be a developer.
    The password can be obtained with the Python script.

  5. Hi, I have a GOJO soap dispenser with an RFID tag. I searched for its response at a frequency around 13.56 MHz, but my Proxmark could not identify the tag. If you are interested in this project, please let me know.
