IoT Air Purifier Makes A Great Case Study In Reverse Engineering

Here at Hackaday, about the only thing we like more than writing up tales of reverse engineering heroics is writing up tales of reverse engineering heroics that succeed in jailbreaking expensive widgets from their needless IoT dependency. It’s got a real “stick it to the man” vibe that’s hard to resist.

The thing is, we rarely see a reverse engineering write-up as thorough as the one [James Warner] did while integrating an IoT air purifier into Home Assistant, so we just had to make sure we called this one out. Buckle up; it’s a long, detailed post that really gets down into the weeds, but not unnecessarily so. [James] doesn’t cloud-shame the appliance manufacturer, so we can’t be sure who built this, but it’s someone who thought it’d be a swell idea to make the thing completely dependent on their servers for remote control via smartphone. The reverse engineering effort started with a quick look at the phone app, but when that didn’t pay off in any useful way, [James] started snooping on what the device was talking about using Wireshark.

One thing led to another: wires were soldered to the serial pins of the ESP32 on the purifier’s main board, and with a Flipper Zero serving as a UART bridge, the firmware was soon in hand. That gave [James] clues about the filesystem, which led to a whole Ghidra side quest into learning how the firmware is flashed. [James] then dug into the meat of the problem: working out the packet structure used to talk to the server, and recovering the private key used to encrypt those packets from the firmware. With the key in hand, a classic man-in-the-middle setup revealed the contents of each packet, and eventually an MQTT bridge let Home Assistant control the purifier. It is the perennial lesson: a key that ships inside the firmware is a key the device’s owner can read, so it protects the vendor’s protocol from nobody who holds the hardware.

If it sounds like we glossed over a lot, we know — this article is like a master class on reverse engineering. [James] pulled a lot of tools out of his kit for this, and the write-up is clear and concise. You may not have the same mystery fan to work with, but this would be a great place to start reverse engineering just about anything.

Thanks to [ThoriumBR] for the tip.

Hacking A Xiaomi Air Purifier’s Filter DRM To Extend Its Lifespan

When [Unethical Info] was shopping for air purifiers a while back, their eye fell on a Xiaomi 4 Pro, and a purchase was quickly made. Fast-forward a while, and suddenly the LCD on top of the device was showing a threatening ‘0% filter life remaining’ message. This was traced back to an NFC tag (an NTAG213) stuck to the filter inside the purifier: it had been keeping track of usage and was now the reason a still rather clean filter was being rejected. Rather than give in to this demand, [Unethical Info] instead explored the NFC tag and its contents for a way to convince the purifier otherwise, inkjet-cartridge-DRM style.

While reverse-engineering the system and doing some online research, [Unethical Info] caught a lucky break in the form of earlier work by [Flamingo Tech] on the Xiaomi Air Purifier 3, who had obtained both the algorithm that generates the password for the (password-locked) NFC tag and the area of the filter tag that needs changing. The password that unlocks the tag for writing is generated from the tag’s UID, so resetting the filter’s usage count requires nothing more than an NFC-capable Android/iOS smartphone with an app such as ‘NFC Tools’ to read the UID, compute the password, and write the tag. Since the UID is readable by any NFC reader, the password “lock” only ever deterred people who did not know the derivation.

A password-generating tool is provided with the [Unethical Info] article, and the approach works across a range of Xiaomi air purifiers, making it an easy fix for anyone who owns such a device but isn’t quite ready to shell out the big bucks for a fresh DRM-ed filter. It also saves buying more NFC tags, which the previous solution required.

A Practical Open Source Air Purifier

In the years since the start of the coronavirus pandemic, it’s fair to say we’ve all become a lot more aware of the air quality surrounding us. Many of us have added a CO2 monitor to our collection of tools, and quite a few will have an air filtration system too. There are plenty of devices on the market that fulfill this niche at varying qualities and prices, but shouldn’t a decent filter be something to make for yourself? [Naomi Wu] thinks so, and she’s put up the design for her Nukit open air purifier online under the GPLv3.

The principle of the unit is simple enough: it’s a box with an HVAC filter on the front and a set of computer fans on its side to draw air through. But it’s more than just a box, as there are three separate versions for wall-mount, hanging mount or a freestanding tower, and each one comes as a DXF file with all parts ready for laser cutting. It’s about as straightforward a way to get your hands on a well-designed and high quality air purifier as could be imagined.

[Naomi] has been quiet for a while in her familiar role as YouTube maker and guide to the nooks and crannies of her native Shenzhen, so it’s very positive to see her still active and producing projects after being warned off social media by the authorities. If you’d like to see another recent project of hers, look no further than her update to [Bunnie Huang]’s Shenzhen guide.

Air Filter DRM? Hacker Opts Out With NFC Sticker

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier sure seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.

Every Xiaomi filter carries an NTAG213 NFC tag with a unique ID, and the purifier authenticates to each tag with a per-tag password, but how that password was generated (and therefore how to generate new ones) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password used between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!
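As an added example (not code from either Hackaday post, and not [Flamingo-tech]’s or [Unethical Info]’s repository), the block below walks through the mechanics that both write-ups rely on: pulling the 7-byte UID out of an NTAG213 memory dump and checking the datasheet’s BCC bytes, deriving a 4-byte password from that UID, and building the PWD_AUTH frame with its ISO 14443-A CRC that a reader sends to unlock the tag for writing. The `derive_password` function is a deliberately hypothetical placeholder: the page does not give Xiaomi’s algorithm, and this one only models the property that matters, that the password is a pure function of a UID anyone can read. The sample dump is constructed for the example.

```python
import hashlib

NTAG213_PWD_AUTH = 0x1B  # PWD_AUTH command byte (NTAG213 datasheet)

# Constructed sample: pages 0-3 (16 bytes) of an NTAG213 dump. The UID bytes
# are made up; BCC0 and BCC1 are the datasheet check bytes computed from them.
SAMPLE_DUMP = bytes([
    0x04, 0xA1, 0xB2, 0x9F,  # page 0: UID0 UID1 UID2 BCC0
    0xC3, 0xD4, 0xE5, 0xF6,  # page 1: UID3 UID4 UID5 UID6
    0x04, 0x48, 0x00, 0x00,  # page 2: BCC1 INTERNAL LOCK0 LOCK1
    0xE1, 0x10, 0x12, 0x00,  # page 3: capability container
])


def extract_uid(dump: bytes) -> bytes:
    """Return the 7-byte UID from a tag dump, verifying BCC0 and BCC1."""
    if len(dump) < 9:
        raise ValueError("dump too short to contain pages 0-2")
    uid = dump[0:3] + dump[4:8]
    bcc0 = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]  # cascade tag 0x88 is part of BCC0
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    if dump[3] != bcc0 or dump[8] != bcc1:
        raise ValueError("BCC mismatch: corrupted or mis-read dump")
    return uid


def crc_a(data: bytes) -> bytes:
    """ISO 14443-A CRC_A: poly 0x8408 (reflected 0x1021), init 0x6363, LSB first."""
    crc = 0x6363
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return bytes([crc & 0xFF, crc >> 8])


def derive_password(uid: bytes) -> bytes:
    """HYPOTHETICAL placeholder KDF, not Xiaomi's real algorithm (the page does
    not give it). It models only the relevant property: the 4-byte password is
    a deterministic function of the public UID, so anyone who can read the UID
    can compute it."""
    return hashlib.sha256(b"example-kdf:" + uid).digest()[:4]


def build_pwd_auth(password: bytes) -> bytes:
    """PWD_AUTH frame as sent over the air: 0x1B, 4 password bytes, CRC_A."""
    if len(password) != 4:
        raise ValueError("NTAG213 passwords are exactly 4 bytes")
    body = bytes([NTAG213_PWD_AUTH]) + password
    return body + crc_a(body)


def parse_pack(response: bytes) -> bytes:
    """Validate a PWD_AUTH reply (2-byte PACK + CRC_A) and return the PACK.
    A bare NAK instead of this 4-byte reply means the password was rejected."""
    if len(response) != 4 or crc_a(response[:2]) != response[2:]:
        raise ValueError("not a valid PACK response (NAK or CRC error)")
    return response[:2]


if __name__ == "__main__":
    uid = extract_uid(SAMPLE_DUMP)
    frame = build_pwd_auth(derive_password(uid))
    print("UID:", uid.hex(), "PWD_AUTH frame:", frame.hex())
```

The CRC routine is checked against the well-known MIFARE/NTAG READ frame `30 00 02 A8`; the rest of the flow is exactly what an app such as ‘NFC Tools’ performs once it has the password, and it is why a UID-derived password is an inventory scheme rather than an access control.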

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.

ESP32 Brings Air Purifier Online With Home Assistant

A lot of hackers are rightfully concerned about the privacy issues that surround many of today’s “smart” gadgets, but it’s hard to argue that the ability to remotely control devices around your home isn’t convenient. Enter self-hosted, open source projects like Home Assistant. It provides the framework for building out a home automation system without having your personal information sold, but as you might expect, you’re going to have to put some effort in to get the most out of it.

For example, take a look at this Philips AC4014 air purifier that [Anton] connected to Home Assistant by way of an ESP32. Rather than getting bogged down in reverse engineering the purifier’s surprisingly complex internal electronics, he took the easy way out and wired a couple of relays across the power and fan speed buttons; this lets the microcontroller “press” them, without affecting the original front panel controls.

But since those front panel controls still work, [Anton] needed a way for the ESP32 to detect the device’s status and report it to Home Assistant so everything stayed in sync. So he looked around on the PCB for a trace that goes high when the air purifier is running, and connected it to a pin of the microcontroller through a transistor. This lets the firmware determine whether the machine is running simply by checking whether that pin has gone high.

Speaking of the firmware, [Anton] decided to use ESPHome rather than trying to write his own code from scratch. This project allows you to rapidly add new devices to Home Assistant by providing the firmware with a relatively simple YAML configuration file, which he’s provided as an example. In fact, he’s provided quite a lot of examples with this project, down to an annotated image of the PCB that shows where to tap your wires into. He’s done quite a service for anyone who’s got this same model of air purifier.

This unit doesn’t appear to have any capability of actually checking the quality of the air in the room, but we’ve recently seen a low-cost IKEA product that can do exactly that. Even better, it can be easily modified to report its findings over the network using the ESP8266.


Clearing The Air About Proprietary Consumables With A Xiaomi Filter DRM Resetter

The “razor and blades model” probably set a lot of young hackers on their current trajectory. If we buy a widget, we want to pick our widget refills instead of going back to the manufacturer for their name-brand option. [Flamingo-Tech] was having none of it when they needed a new filter for their Xiaomi air purifier so they set out to fool it into thinking there was a genuine replacement fresh from the box. Unlike a razor handle, the air purifier can refuse to work if it is not happy, so the best option was to make a “mod-chip.”

The manufacturer’s filters carry a Near-Field Communication (NFC) chip and antenna which talk to the purifier. The purifier’s controller receives the filter data over I2C from its NFC front end; the mod-chip takes that front end’s place on the bus and reassures the controller that everything is peachy in filter town. On top of the obvious hack here, [Flamingo-Tech] shows us how to extend filter life with inexpensive wraps, so that’s a twofer. You can build your own mod-chip from the open-source files or grab one from [Flamingo-Tech’s] Tindie store.

We usually hear about mod-chips in relation to games, but we are happy to extend that honor to 3D printers. Have you ever fooled a “razor?”
