This is how they do it!

Well it’s been a long time since I’ve posted something new… But today I’ve got something big:

Sometime last year I received an email from Doegox. A Belgium Hacker (I know him for his work on the ICE-man repo of the proxmark readers/writers).

We exchanged some information and this is what I received from him:

import sys
import hashlib

# Usage: pwd.py 04A03CAA1E7080
def getpwd(uid):
    uid = bytearray.fromhex(uid)
    h = bytearray.fromhex(hashlib.sha1(uid).hexdigest())
    pwd = ""
    pwd += "%02X" % h[h[0] % 20]
    pwd += "%02X" % h[(h[0]+5) % 20]
    pwd += "%02X" % h[(h[0]+13) % 20]
    pwd += "%02X" % h[(h[0]+17) % 20]
    return pwd

assert getpwd("04A03CAA1E7080") == "CD91AFCC"
assert getpwd("04112233445566") == "EC9805C8"
print("PWD:", getpwd(sys.argv[1]))

To most of you this might look like some random code.. But this is actually very special… Xiaomi relies on a password for communication between filter and air purifier. More information can be found on the reverse engineering Github: Click

The type of NFC tags that are used are the NTAG213 tags (by NXP) How they created the password was a secret until now!

They use the UUID (duhh its, unique for each filter) If we use the above code and and insert a filter with UUID : 04A03CAA1E7080 we get the password CD91AFCC.

As seen as in my Github filter snoop: Click

That means we can make our own filters now!

This will significantly decrease the waste footprint from a whole filter.. to just a sticker 😀

if you want to support me, buy a NFC sticker pack (yes they act as an new filter in a Xiaomi Air Purifier)

Special thanks to Doegox and an incredible programmer friend.