Air Filter DRM? Hacker Opts Out With NFC Sticker

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”, especially since the purifier seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.

Every Xiaomi filter contains an NTAG213 NFC tag with a unique ID and uses a unique password for communications, but how this password was generated (and therefore how to generate new ones) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password for communication between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.
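The article says each filter's NTAG213 carries a unique UID and a unique password, and comment 3 below reads the published script as deriving that password from a SHA-1 hash of the UID. The Python below is an added example, not code from the original article, from [Flamingo-tech]'s repository, or from Xiaomi: it models the two sides of the NTAG213 PWD_AUTH exchange and contrasts a hypothetical unkeyed derivation (the actual byte mashup Xiaomi uses is not on this page and is not reproduced here) with a keyed one, where the password cannot be recomputed from the freely readable UID alone. SAMPLE_UID, DEVICE_MASTER_KEY, the HMAC label and all function and class names are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values (not from any real filter tag or purifier firmware).
SAMPLE_UID = bytes.fromhex("04a3b2c1d4e5f6")                             # 7-byte NTAG213 UID
DEVICE_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical key


def unkeyed_password(uid: bytes) -> bytes:
    """Hypothetical unkeyed scheme: PWD = first 4 bytes of SHA-1(UID).

    Stand-in for "a mashup of the bytes of a SHA-1 hash of the UID" (comment 3);
    the real byte ordering is not on this page. The weakness is structural: the UID
    is readable by any NFC reader, so the derivation function is the only secret,
    and once it is known the password of every tag follows from a free read.
    """
    return hashlib.sha1(uid).digest()[:4]


def keyed_credentials(uid: bytes, master_key: bytes) -> Tuple[bytes, bytes]:
    """Keyed diversification: (PWD, PACK) = HMAC-SHA256(master_key, label || UID)[:6].

    NTAG213 PWD is 4 bytes and PACK (the tag's acknowledgement) is 2 bytes. With a
    keyed scheme the UID and the algorithm are no longer enough to program a matching
    tag; the master key is also needed. That key still has to live in the reader's
    firmware, so this raises the bar to firmware extraction rather than removing it.
    """
    if len(uid) != 7:
        raise ValueError("NTAG213 UID is 7 bytes")
    mac = hmac.new(master_key, b"ntag213-pwd-auth:" + uid, hashlib.sha256).digest()
    return mac[:4], mac[4:6]


@dataclass
class SimulatedTag:
    """Minimal model of the tag side of NTAG213 PWD_AUTH."""
    uid: bytes
    pwd: bytes
    pack: bytes

    def pwd_auth(self, presented_pwd: bytes) -> Optional[bytes]:
        # A real tag compares against its stored PWD and answers with PACK or a NAK.
        if hmac.compare_digest(self.pwd, presented_pwd):
            return self.pack
        return None


def provision_tag(uid: bytes, master_key: bytes) -> SimulatedTag:
    """What a manufacturer would write into PWD/PACK of a genuine tag at production."""
    pwd, pack = keyed_credentials(uid, master_key)
    return SimulatedTag(uid, pwd, pack)


def reader_accepts(tag: SimulatedTag, master_key: bytes) -> bool:
    """Reader side: read UID, derive expected PWD/PACK, run PWD_AUTH, check the PACK."""
    expected_pwd, expected_pack = keyed_credentials(tag.uid, master_key)
    response = tag.pwd_auth(expected_pwd)
    return response is not None and hmac.compare_digest(response, expected_pack)


if __name__ == "__main__":
    genuine = provision_tag(SAMPLE_UID, DEVICE_MASTER_KEY)
    # A tag programmed from the UID alone (no master key) fails the keyed PWD_AUTH.
    uid_only = SimulatedTag(SAMPLE_UID, unkeyed_password(SAMPLE_UID), b"\x00\x00")
    print("genuine tag accepted:", reader_accepts(genuine, DEVICE_MASTER_KEY))
    print("uid-only tag accepted:", reader_accepts(uid_only, DEVICE_MASTER_KEY))
```

The design point is that a per-tag secret derived only from public data is no secret once the derivation leaks, whereas a keyed derivation moves the secret into the reader, which is harder but not impossible to extract. Neither scheme stops a blank tag being programmed by whoever holds the key; a scheme where the tag carries a signature the reader can verify with a public key would remove the key from the reader entirely.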

55 thoughts on “Air Filter DRM? Hacker Opts Out With NFC Sticker”

  1. There’s little point investing time for better DRM in devices like this. You may hack it, but 100,000 Karens will rush to buy a new filter as soon as some stupid red light comes on. It’s like the joke where Tech Enthusiasts say: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is Bluetooth enabled and I can give it voice commands via Alexa! I love the future! Meanwhile, Programmers and Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise.

  2. slash-me being clueless (as usual) and TL;DR the links, but wouldn’t it be possible to emulate the NFC sticker thingy? So a one-time solution instead of adding 2,40 € each time?

  3. Darn. When I read “[Flamingo-tech] has shared the discovery of how Xiaomi generates the password”, I was kind of hoping to find a description of how they discovered how Xiaomi generates the password.

    Instead we find it’s a Deus ex machina where [Flamingo-tech] received an email with some magic numbers in code from hacker [Doegox], with no explanation of how they were discovered.

    He then turned that code into a product he sells.

    Nothing to learn here. But it will be interesting to see how Xiaomi reacts to this effective piracy. (I’m absolutely not defending their decision to DRM an air filter, but this is a direct attack on their business, and they are not a small company in a law-abiding democracy…)

    1. The reason I can’t disclose the source or the how-to is because it’s a gray area (legally).
      By posting the script online anyone can work with it, sell it, build an app, whatever. By reading out the UID of an original filter and running the Python script you can rewrite the original filters if you feel like it. (Requires NFC tools, or an NFC-enabled phone.)

      If you are really interested in how it all started you can send me an email :)

      I don’t know if Xiaomi or any party that is related to Xiaomi is responsible for this, but ever since posting it online I get hit with some serious DDoS attacks. 150GB of traffic… I think it’s interesting that you call it piracy… If I buy food at the store I’m allowed to eat it if it’s past its due date… Why am I hindered when I want to do this with electronic devices?
      Somehow we seem to think that when I own a product that has a limited lifetime/span (rightfully or for no reason) we should accept that and just throw it away. I think we should seriously reconsider how we use/treat materials.

    2. Which may be why he received the “magic” code, as there is a big difference between receiving material and publishing it vs. admitting and showing how you produced the item yourself. Not that I believe the WikiLeaks narrative, since I know who the actor playing Assange is, BUT publishing stolen CIA files is a whole lot different than admitting that you stole them yourself. That is sort of what the fourth estate was supposed to be built upon.

    3. My reading of the posted Python code is that the password is just a mashup of the bytes of a SHA-1 hash of the UID. So the ‘how the password is generated’ is indeed revealed in the posted code…

        1. I’d not say defeatist for them, just realist.

          We can’t all afford to spend time with the internet research needed to avoid DRM’d products, or cracking it, or building a better version of a product…

          If you buy a product and it’s got or gets DRM there isn’t a great deal you can do, they already got your money, and often there isn’t a lot of alternative choice either – when every company is jumping on the DRM lockdown bandwagon but you need/want that product…

  4. I have yet to hear a compelling reason why there needs to be an electronic controller running a simple fan motor.
    I would simply use my skills as an electrician to completely bypass the controls if I owned one of these abominations. Problem solved. I could even set up a circuit with a simple triac if I decided that I needed the fan to have variable speed.

      1. A brushless motor seems overkill when a cheap fractional horsepower shaded pole motor would do, but from time to time I disassemble a device from China, Inc. and find more technology than expected.

        1. It’s easier to run a BLDC motor with variable speed than plain old ordinary motors, which in fans typically have three speeds. Not enough, almost enough, and too loud.

  5. “[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier sure seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.”

    Sounds like an argument for a HaD reader to come up with a better filter sensor.

    1. Measuring dust in the long run is almost impossible in a private, “I don’t want to spend extra time with that!” setting.

      Take the Ikea VINDRIKTNING: after some time the sensor will be filled with the dust it sucks in and then it is definitely sucking (*1). Been there, had it. Went from “always green” through all the stages in between to “always red” in less than a year.

      So the solution is: clean it. But when and how? Is there any data about the saturation speed for this actual room? Filter data? For the extra sheets added? And does the cleaning method really clean? What about the case?

      So with this air filter it might end up as a virus spreader and make the situation worse.

      (*1): https://www.youtube.com/watch?v=duUOXmlWk80

      1. Here’s a solution… measure delta P. The differential pressure across a dirty filter is always higher than the delta across a clean one.

        The definition of a “good” or “clean” filter becomes delta p < x.

        Except in the most heavily-polluted atmospheres, pressure sensors are immune to accumulated FOD.

        Now that I think of it, a simple paddle switch might be enough. When the filter is soiled to the point that the fan can't move enough air through the unit to deflect the paddle, the spring-loaded switch closes.

        Both these techniques, by the way, are used to monitor and assure proper airflow in power load banks, so their utility is not theoretical.

        1. I don’t know if they are still available, but there used to be home furnace filters with a whistle which would kick in when there was too much pressure drop across the filter. I can see it backfiring when the whistle starts at 11:00 PM on a Sunday night, so the angry homeowner simply removes the filter and subsequently forgets to buy a new filter.

        2. Use the simple vane switch that is common in RV gas furnaces. If the blower doesn’t start and move the vane that trips the switch, the gas valve doesn’t open. If it has electronic ignition instead of a pilot light, then that doesn’t go off.

          If the filter is too clogged for the fan to move enough air to close the vane switch, then it’s time to change or clean the filter.

        3. “The differential pressure across a dirty filter is always higher than the delta across a clean one.”

          That only applies to mechanical particulate filters where the mesh size is what ‘catches’ particles. For HEPA filters, where different mechanisms capture particles, the flow rate of a ‘clogged’ (ineffective) filter and a fresh one will be effectively identical.

          This is why life timers are used for HEPA filter replacement: unless you have an accurate particle counter plus a source of particles (to produce a known test particle density) you do not have a simple method to determine current filter effectiveness. The particle source is needed because otherwise you will only find out your filter has failed after it has started blowing particulates around.

  6. What we need now is a smart NFC sticker.
    One that can modify itself. Perhaps, in this case, periodically incrementing its ID number. Effectively creating a set-it-and-forget-it solution.

  7. It is possible to reset the filter to factory settings so it forgets the list of used filters. The old filter becomes new again.
    Sure, it is annoying to set up the filter again, but it costs nothing.

  8. “And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.”

    10 for $29.95 + $4 Shipping = $33.95, $3.40 each.

    So we’ve gone from paying too much for DRM’d filters to paying too much for NFC DRM stickers. Such is life on a planet where it is becoming impossible to actually own anything.

  9. It’s an air filter. I mean, come on, what does that really require? A motor and a switch ought to suffice.

    Pure DRM overreach, consumer abuse, crappy “as a service” mentality at its finest.

    Honestly people, don’t buy DRM infected crap.

  10. It’s an air filter. I imagine it would be within the capabilities of many to rip the logic board out of the unit, and replace it with a suitable toggle switch.

    As for what to do with the logic board? A visit with Mr Tesla Coil should set that stuff right.

  11. Xiaomi Air Purifier 2 has several buttons, how to operate and what functions do they have?
    The Xiaomi Air Purifier 2 has only two buttons in total, a “switch/operation mode” button and a “light switch/filter reset” button. In the off state, press the “Switch/Operation Mode” button to turn on the purifier, press and hold for 2 seconds to turn off. In the power-on state, each time you press the “Switch/Run Mode” button, you can switch the running mode. The gears are: Auto, Sleep Mode, and Favorite. In the power-on state, single press the “light switch/filter reset” button to adjust all the lights of the host. The gears are: bright light, low light, and off. Filter reset: Press and hold the “Light switch/filter reset” button for about 6 seconds, and the filter is reset successfully after you hear the “Di Di Di” sound. WiFi reset: Press the “Switch/Operation Mode” key and the “Light ON/OFF key/filter reset” key at the same time for about 5 seconds, after hearing the “Di Di Di Di Di Di Di” sound, the WiFi reset is successful.

    1. “Filter reset: Press and hold the “Light switch/filter reset” button for about 6 seconds, and the filter is reset successfully after you hear the “Di Di Di” sound.”

      Haha, definitely worth updating the article with the RTFM solution! No need for any NFC tags at all.

  12. I think some of you are too harsh on Flamingo. At the end of the day, he started this as a personal project and after a lot of hours he managed to discover a way to convert a normal virgin NFC tag into basically a new filter by writing a unique ID and password, and this for sure deserves some reward. If you don’t want to pay $33 for 10 filters, then you’re free to pay $60 for a new filter. And at the end of the day, Flamingo made a very complete and informative post, and gave a lot of hints. He didn’t post his script, but why would he?

  13. Before you try to hack a filter replacement reminder, keep in mind why you are even using an air purifier. More expensive devices have sensors to detect when the filter needs to be replaced to still maintain the promised CADR. They also have routine disinfection mechanisms to keep the filter from becoming a refuge for spores and bacteria. Such a cheap consumer device can’t have that, so you NEED to regularly replace the filter in order for it to do any good. There are other devices using electrostatic precipitators instead of HEPA filters, those just need to be regularly washed out.

  14. Or you could go the other route like I did. I built a box on wheels with a four inch thick high quality air filter and pre-filter and stuffed an 800cfm inline duct fan inside of it. It’s loud, but it will cycle the air in any given room about once every 1-3 minutes depending on how much furniture and which room. For a 12×12 room with dressers it takes a minute or less to filter the entire room once. The best part is, it uses standard 4 inch HVAC filters so I can choose whatever is cheapest or whatever works the best. It also doubles as a small night stand on wheels. If I were to buy a fan for it rather than use one I had lying around, I would get one with adjustable speed. At some point I plan on figuring out how to put a muffler on this one so it’s quieter. Right now it just directly connects to a hole on the exhaust which I put a standard screen on, like you’d use for a window.
    Anyway, the filter lasts forever because it’s huge, and I can suck anything out of an entire room in a matter of minutes. The filter I stuffed into it is good enough to filter out dog farts, so I’m happy about that. :-D

  15. Even though we manage to read the serial number of the tag (UID) and are able to get the password with the Python code at hand..

    And have a blank nfc tag sticker next to me..

    I have no idea how to proceed and create one, because from the many NFC reader apps on the phone,
    it either can’t read the tag under the filter entirely (let alone clone it) or just shows some basic info on the tag type, technologies available, serial number (UID), ATQA, SAK and memory information (180 bytes: 45 pages (4 bytes each))..

    Most NFC tool programs allow you to write just basic tasks to a tag (open an app, turn on WiFi etc.) but nothing where you can export the whole content or import your own.

    Any help?
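Comment 15 above reports that phone apps show only the tag type, UID, ATQA, SAK and “180 bytes: 45 pages (4 bytes each)”. The Python below is an added example, not code from the original thread or from [Flamingo-tech]: it parses a 45-page NTAG213 memory dump using the page layout from the NXP NTAG213 datasheet, verifies the UID check bytes BCC0/BCC1, and reports which pages the tag’s own configuration protects with PWD_AUTH, which is what decides whether an app can read the filter tag at all. The dump it parses is constructed inline; SAMPLE_UID and the zeroed RFUI filler bytes are assumed values, and the function and class names are my own.

```python
from dataclasses import dataclass
from typing import Optional

PAGE_SIZE = 4
NTAG213_PAGES = 45                       # 180 bytes, as the phone app in comment 15 reports
CASCADE_TAG = 0x88                       # ISO/IEC 14443-3 cascade tag, folded into BCC0
NTAG213_CC = bytes.fromhex("e1101200")   # capability container of a blank NTAG213 (page 3)

# Constructed sample UID for this illustration; not read from a real filter.
SAMPLE_UID = bytes.fromhex("04a3b2c1d4e5f6")


@dataclass
class Ntag213Layout:
    uid: bytes
    bcc_ok: bool
    static_lock: bytes
    cc: bytes
    user_memory: bytes      # pages 4..39, 144 bytes
    dynamic_lock: bytes     # page 40, first 3 bytes
    auth0: int              # CFG0 (page 41) byte 3: first page that requires PWD_AUTH
    access: int             # CFG1 (page 42) byte 0: PROT, CFGLCK, AUTHLIM bits

    @property
    def protected_from_page(self) -> Optional[int]:
        # AUTH0 pointing beyond the last page means password protection is effectively off.
        return self.auth0 if self.auth0 < NTAG213_PAGES else None

    @property
    def read_protected(self) -> bool:
        return bool(self.access & 0x80)   # PROT=1: reads and writes from AUTH0 need auth

    @property
    def config_locked(self) -> bool:
        return bool(self.access & 0x40)   # CFGLCK=1: configuration pages are frozen


def parse_ntag213(dump: bytes) -> Ntag213Layout:
    """Split a raw 180-byte dump into its fields and validate the UID check bytes."""
    if len(dump) != NTAG213_PAGES * PAGE_SIZE:
        raise ValueError(f"expected {NTAG213_PAGES * PAGE_SIZE} bytes, got {len(dump)}")
    p = [dump[i * PAGE_SIZE:(i + 1) * PAGE_SIZE] for i in range(NTAG213_PAGES)]
    uid = p[0][:3] + p[1]                       # UID0..2 in page 0, UID3..6 in page 1
    bcc0 = CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    # Pages 43 (PWD) and 44 (PACK) always read back as zero on a real tag, so a dump
    # never contains the password; that is why the UID-to-password derivation matters.
    return Ntag213Layout(
        uid=uid,
        bcc_ok=(p[0][3] == bcc0 and p[2][0] == bcc1),
        static_lock=p[2][2:4],
        cc=p[3],
        user_memory=b"".join(p[4:40]),
        dynamic_lock=p[40][:3],
        auth0=p[41][3],
        access=p[42][0],
    )


def build_sample_dump(uid: bytes = SAMPLE_UID, auth0: int = 0x04, access: int = 0x80) -> bytes:
    """Constructed dump in the real page order, with correct BCC bytes (RFUI bytes zeroed)."""
    bcc0 = CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    pages = [
        uid[:3] + bytes([bcc0]),              # page 0: UID0..2, BCC0
        uid[3:],                              # page 1: UID3..6
        bytes([bcc1, 0x48, 0x00, 0x00]),      # page 2: BCC1, internal, static lock bytes
        NTAG213_CC,                           # page 3: capability container
    ]
    pages += [b"\x00" * 4] * 36               # pages 4..39: user memory (empty here)
    pages += [
        b"\x00" * 4,                          # page 40: dynamic lock bytes + RFUI
        bytes([0x00, 0x00, 0x00, auth0]),     # page 41: CFG0 (MIRROR, RFUI, MIRROR_PAGE, AUTH0)
        bytes([access, 0x00, 0x00, 0x00]),    # page 42: CFG1 (ACCESS, RFUI)
        b"\x00" * 4,                          # page 43: PWD (reads back as zero)
        b"\x00" * 4,                          # page 44: PACK + RFUI (reads back as zero)
    ]
    return b"".join(pages)


if __name__ == "__main__":
    layout = parse_ntag213(build_sample_dump())
    print("UID:", layout.uid.hex(), "BCC ok:", layout.bcc_ok)
    print("password required from page:", layout.protected_from_page,
          "read-protected:", layout.read_protected)
```

On a filter tag, a low AUTH0 combined with PROT set explains the behaviour in comment 15: the app can complete anticollision (UID, ATQA, SAK come from the ISO 14443 layer, not from memory) but every READ from AUTH0 onward is refused until PWD_AUTH succeeds, so a generic app shows only the header information.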

  16. My understanding is that the filter life displayed percentage is based on hours of use and not actual filthiness/clogging. For myself, I wrap my filter in 3M Filtrete PM2.5 cloth to prolong the filter life and capture more crud. I change the 3M cloth every few weeks during smoky season here in northern Thailand. It’s disgusting dark gray. The cloth is very inexpensive when bought in rolls and a perfect height size to cut.
