Foreign netizens reverse-engineered the Xiaomi air purifier to extend the use time of the filter element

Xiaomi’s products are of high quality and low price, and the company has many Mi fans abroad as well. Recently, a foreign netizen studied the Xiaomi air purifier and, through reverse engineering, uncovered how the purifier communicates with its air filter.

As we all know, an air filter, like the filter in a water purifier, has to be replaced with a new one after a period of use to keep the filtration quality up. Usually the machine shows what percentage of the filter’s life remains; when that figure gets close to 0, it is time to buy a new filter to replace the old one. However, this foreign netizen found that the purifier verifies the filter it is using by the UID of an NFC tag. He found this secret in code obtained by reverse engineering the purifier:

```python
import sys
import hashlib

# Usage: 04A03CAA1E7080
def getpwd(uid):
    # The tag UID is given as a hex string
    uid = bytearray.fromhex(uid)
    # SHA-1 of the UID yields 20 bytes; four of them become the password
    h = bytearray.fromhex(hashlib.sha1(uid).hexdigest())
    pwd = ""
    # The first digest byte selects which four digest bytes are used
    pwd += "%02X" % h[h[0] % 20]
    pwd += "%02X" % h[(h[0]+5) % 20]
    pwd += "%02X" % h[(h[0]+13) % 20]
    pwd += "%02X" % h[(h[0]+17) % 20]
    return pwd

assert getpwd("04A03CAA1E7080") == "CD91AFCC"
assert getpwd("04112233445566") == "EC9805C8"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("Usage: getpwd.py <UID hex>")
    print("PWD:", getpwd(sys.argv[1]))
```

You can find this reverse engineering on GitHub.

To most people this reverse-engineered code may look like a string of random characters, but it is the crux of the matter. A password is used to confirm the pairing between the purifier and the filter. The NFC tag used is an NTAG213 (by NXP), and the process that generates the password is not openly explained. Each filter’s NFC UID is unique. Using the password produced by the code above (CD91AFCC) on an NFC tag with the UID 04A03CAA1E7080, one can simulate a new filter and fool the purifier.

The filter information that netizens have collected on GitHub can also be consulted for the crack.

Once the purifier has talked to the fake NFC tag, it recognizes it as a new filter, which extends the usable life of an expired filter.
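The weakness the netizen exploited is that the filter password is computed from public data alone: the tag UID, which anyone can read. The following is an added example, not code from the article or the GitHub project, that puts the page’s keyless derivation next to a hypothetical keyed one (HMAC-SHA256 under a constructed demo key) so the difference is visible in code; the keyed function name and key are assumptions for illustration.

```python
# Added example: the page's keyless UID -> password derivation beside a
# keyed alternative. Neither function is from the article or the project.
import hashlib
import hmac


def getpwd(uid_hex: str) -> str:
    """Page's scheme: four bytes of SHA-1(UID), chosen by offsets that depend
    on the first digest byte. The only input is the publicly readable UID."""
    h = hashlib.sha1(bytes.fromhex(uid_hex)).digest()  # 20 bytes
    offsets = (0, 5, 13, 17)
    return "".join("%02X" % h[(h[0] + o) % 20] for o in offsets)


def getpwd_keyed(uid_hex: str, key: bytes) -> str:
    """Hypothetical keyed variant (assumption, not Xiaomi's scheme):
    HMAC-SHA256 over the UID, truncated to the 32-bit PWD field an NTAG213
    holds. Without `key` the password cannot be recomputed from the UID, so
    the key itself becomes the thing that must be kept out of reach."""
    mac = hmac.new(key, bytes.fromhex(uid_hex), hashlib.sha256).digest()
    return mac[:4].hex().upper()


def password_is_uid_function(uid_hex: str) -> bool:
    """Defender's check: every password byte is literally a byte of
    SHA-1(UID), confirming the derivation mixes in no secret at all."""
    h = hashlib.sha1(bytes.fromhex(uid_hex)).digest()
    return all(b in h for b in bytes.fromhex(getpwd(uid_hex)))


if __name__ == "__main__":
    # Constructed sample UIDs (the two test vectors the page's code carries)
    demo_key = b"constructed-demo-key"  # placeholder, not a real device key
    for uid in ("04A03CAA1E7080", "04112233445566"):
        print(uid, getpwd(uid), getpwd_keyed(uid, demo_key),
              password_is_uid_function(uid))
```

Note that a keyed derivation only helps if the key is not recoverable from the purifier’s firmware; the page’s scheme fails even without that, since the whole algorithm is a function of the UID.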


Reference: This is how they do it!


This article is reprinted from
This site is for inclusion only, and the copyright belongs to the original author.
