Converting Bluetooth Sensors To Zigbee

November 29, 2023 by Bryan Cockfield 19 Comments

With the increase in popularity of Internet of Things (IoT) devices and their need to communicate wirelessly, there’s been a corresponding explosion of wireless protocols to chose from. Of course there’s Wi-Fi and Bluetooth, but for more specialized applications there are some other options like Z-Wave, LoRa, Sigfox, and Thread. There’s a decent amount of overlap in their capabilities too, so when [SHS] was investigating some low-cost Xiaomi sensors it was discovered that it is possible to convert them from their general purpose Bluetooth protocol over to the more IoT-specialized Zigbee protocol instead.

These combination temperature and humidity sensors have already been explored by [Aaron Christophel] who found that it’s possible to flash these devices with custom firmware. With that background, converting them from Bluetooth to Zigbee is not a huge leap. All that’s needed is the Zigbee firmware from [Ivan Belokobylskiy] aka [devbis] and to follow the steps put together by [SHS] which include a process for flashing the firmware using an over-the-air update and another using UART if the wireless updates go awry. Then it’s just a short process to pair the new Zigbee device to the network and the sensor is back up and running.

Converting from one wireless protocol to another might not seem that necessary, but using Bluetooth as an IoT network often requires proxy nodes as support devices, whereas Zigbee can communicate directly from the sensor to a hub like Home Assistant. Other Zigbee devices themselves can also act as a mesh network of sorts without needing proxy nodes. The only downside of this upgrade is that once the Bluetooth firmware has been replaced, the devices no longer has any Bluetooth functionality.

Thanks to [RoganDawes] for the tip!

A Xiaomi 3 Lite dashboard with the panel taken off and the PCB visible, four wires connected to the SWD header.

Xiaomi Scooter Firmware Hacking Gets Hands-On

April 4, 2023 by Arya Voronova 16 Comments

Scooter hacking is wonderful – you get to create a better scooter from a pre-made scooter platform, and sometimes you can do that purely through firmware modifications. Typically, hackers have been uploading firmware using Bluetooth OTA methods, and at some point, we’ve seen the always-popular Xiaomi scooters starting to get locked down. Today, we see [Daljeet Nandha] from [RoboCoffee] continue the research of the new Xiaomi scooter realities, where he finds that SWD flashing is way more of a viable avenue that we might’ve expected. Continue reading “Xiaomi Scooter Firmware Hacking Gets Hands-On” →

Air Filter DRM? Hacker Opts Out With NFC Sticker

August 13, 2022 by Donald Papp 55 Comments

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier sure seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.

Every Xiaomi filter contains an NTAG213 NFC tag with a unique ID and uses a unique password for communications, but how this password was generated (and therefore how to generate new ones) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password for communication between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.

100% display from filter screen and the responsible mod chip

Clearing The Air About Proprietary Consumables With A Xiaomi Filter DRM Resetter

August 28, 2021 by Brian McEvoy 16 Comments

The “razor and blades model” probably set a lot of young hackers on their current trajectory. If we buy a widget, we want to pick our widget refills instead of going back to the manufacturer for their name-brand option. [Flamingo-Tech] was having none of it when they needed a new filter for their Xiaomi air purifier so they set out to fool it into thinking there was a genuine replacement fresh from the box. Unlike a razor handle, the air purifier can refuse to work if it is not happy, so the best option was to make a “mod-chip.”

The manufacturer’s filters have a Near-Field Communication (NFC) chip and antenna which talk to the base station. The controller receives the filter data via I₂C, but the mod-chip replaces that transmitter and reassures the controller that everything is peachy in filter town. On top of the obvious hack here, [Flamingo-Tech] shows us how to extend filter life with inexpensive wraps, so that’s a twofer. You can create your own mod-chip from the open-source files or grab one from [Flamingo-Tech’s] Tindie store.

We usually hear about mod-chips in relation to games, but we are happy to extend that honor to 3D printers. Have you ever fooled a “razor?”

Continue reading “Clearing The Air About Proprietary Consumables With A Xiaomi Filter DRM Resetter” →

19 Coils Make Charging Wireless

June 20, 2021 by Al Williams 57 Comments

Wireless charging is conceptually simple. Two coils form an ad hoc transformer with the primary in the charger and the secondary in the charging device. However, if you’ve ever had a wireless charging device, you know that reality can be a bit more challenging since the device must be positioned just so on the charger. Xiaomi has a multi-coil charger that can charge multiple devices and is tolerant of their positioning on the charger. How does it work? [Charger Lab] tears one apart and finds 19 coils and a lot of heat management crammed into the device.

The first part of the post is a terse consumer review of the device, looking at its dimensions and features. But the second part is when the cover comes off. The graphite heat shield looks decidedly like an accidental spill of something, but we’re sure that’s just how it appears. The coils are packed in tight in three layers. We have to wonder about their mutual interactions, and we assume that only some of them are active at any given time. The teardown shows a lot of the components and even pulls datasheets on many components, but doesn’t really go into the theory of operation.

Still, this is an unusual device to see from the inside. It is impressive to see so much power and thermal management in such a tiny package. We wonder that we don’t see more wireless charging in do-it-yourself projects. We do see some, of course. Not to mention grafting a charging receiver to an existing cell phone.

Exploring Custom Firmware On Xiaomi Thermometers

December 8, 2020 by Tom Nardi 55 Comments

If we’ve learned anything over the years, it’s that hackers love to know what the temperature is. Seriously. A stroll through the archives here at Hackaday uncovers an overwhelming number of bespoke gadgets for recording, displaying, and transmitting the current conditions. From outdoor weather stations to an ESP8266 with a DHT11 soldered on, there’s no shortage of prior art should you want to start collecting your own environmental data.

Now obviously we’re big fans of DIY it here, that’s sort of the point of the whole website. But there’s no denying that it can be hard to compete with the economies of scale, especially when dealing with imported goods. Even the most experienced hardware hacker would have trouble building something like the Xiaomi LYWSD03MMC. For as little as $4 USD each, you’ve got a slick energy efficient sensor with an integrated LCD that broadcasts the current temperature and humidity over Bluetooth Low Energy.

You could probably build your own…but why?

It’s pretty much the ideal platform for setting up a whole-house environmental monitoring system except for one detail: it’s designed to work as part of Xiaomi’s home automation system, and not necessarily the hacked-together setups that folks like us have going on at home. But that was before Aaron Christophel got on the case.

We first brought news of his ambitious project to create an open source firmware for these low-cost sensors last month, and unsurprisingly it generated quite a bit of interest. After all, folks taking existing pieces of hardware, making them better, and sharing how they did it with the world is a core tenet of this community.

Believing that such a well crafted projected deserved a second look, and frankly because I wanted to start monitoring the conditions in my own home on the cheap, I decided to order a pack of Xiaomi thermometers and dive in.

Continue reading “Exploring Custom Firmware On Xiaomi Thermometers” →

Shhh… Robot Vacuum Lidar Is Listening

November 27, 2020 by Inderpreet Singh 5 Comments

There are millions of IoT devices out there in the wild and though not conventional computers, they can be hacked by alternative methods. From firmware hacks to social engineering, there are tons of ways to break into these little devices. Now, four researchers at the National University of Singapore and one from the University of Maryland have published a new hack to allow audio capture using lidar reflective measurements.

The hack revolves around the fact that audio waves or mechanical waves in a room cause objects inside a room to vibrate slightly. When a lidar device impacts a beam off an object, the accuracy of the receiving system allows for measurement of the slight vibrations cause by the sound in the room. The experiment used human voice transmitted from a simple speaker as well as a sound bar and the surface for reflections were common household items such as a trash can, cardboard box, takeout container, and polypropylene bags. Robot vacuum cleaners will usually be facing such objects on a day to day basis.

The bigger issue is writing the filtering algorithm that is able to extract the relevant information and separate the noise, and this is where the bulk of the research paper is focused (PDF). Current developments in Deep Learning assist in making the hack easier to implement. Commercial lidar is designed for mapping, and therefore optimized for reflecting off of non-reflective surface. This is the opposite of what you want for laser microphone which usually targets a reflective surface like a window to pick up latent vibrations from sound inside of a room.

Deep Learning algorithms are employed to get around this shortfall, identifying speech as well as audio sequences despite the sensor itself being less than ideal, and the team reports achieving an accuracy of 90%. This lidar based spying is even possible when the robot in question is docked since the system can be configured to turn on specific sensors, but the exploit depends on the ability to alter the firmware, something the team accomplished using the Dustcloud exploit which was presented at DEF CON in 2018.

You don’t need to tear down your robot vacuum cleaner for this experiment since there are a lot of lidar-based rovers out there. We’ve even seen open source lidar sensors that are even better for experimental purposes.

Thanks for the tip [Qes]