Hacking A Xiaomi Air Purifier’s Filter DRM To Extend Its Lifespan

January 26, 2024 by Maya Posch 10 Comments

When [Unethical Info] was looking at air purifiers a while back, their eye fell on a Xiaomi 4 Pro, with a purchase quickly made. Fast-forward a while and suddenly the LCD on top of the device was showing a threatening ‘0% filter life remaining’ error message. This was traced back to an NFC (NTAG213) tag stuck to the filter inside the air purifier that had been keeping track of usage and was now apparently the reason why a still rather clean filter was forcibly being rejected. Rather than give into this demand, instead the NFC tag and its contents were explored for a way to convince it otherwise, inkjet cartridge DRM-style.

While in the process of reverse-engineering the system and doing some online research, a lucky break was caught in the form of earlier research by [Flamingo Tech] on the Xiaomi Air Purifier 3, who had obtained the password-generating algorithm used with the (password-locked) NFC tag, along with the target area of the filter’s NFC tag to change. Using the UID of the NFC tag, the password to unlock the NFC tag for writing was generated, which requires nothing more than installing e.g. ‘NFC Tools’ on an NFC-capable Android/iOS smartphone to obtain the tag’s UID and reset the usage count on the filter.

A password generating tool is provided with the [Unethical Info] article, and this approach works across a range of Xiaomi air purifiers, making it an easy fix for anyone who owns such a device but isn’t quite ready yet to shell out the big bucks for a fresh DRM-ed filter. This approach also saves one from buying more NFC tags, which was the case with the previous solution.

Mobile phone reading an NFC tag with information on a garden plant

NFC Puts A Stake In The Ground

August 15, 2023 by Michael Shaub 21 Comments

Sometimes we have a new part or piece of tech that we want to use, and it feels like a solution looking for a problem. Upon first encountering NFC Tags, [nalanj] was looking for an application and thought they might make a great update to old-fashioned plant markers in a garden. Those are usually small and, being outside 24/7, the elements tend to wear away at what little information they hold.

[nalanj] used a freeform data structuring service called Cardinal to set up text information fields for each plant and even photos. Once a template has been created, every entry gets a unique URL that’s perfect for writing to an NFC tag. See the blog post on Cardinal’s site for the whole process, the thought behind the physical design of the NFC tag holder, and a great application of a pause in the 3D print to encapsulate the tags.

NFC tags are super hackable, though, so you don’t have to limit yourself to lookups in a plant database. Heck, you could throw away your door keys.

Air Filter DRM? Hacker Opts Out With NFC Sticker

August 13, 2022 by Donald Papp 55 Comments

[Flamingo-tech]’s Xiaomi air purifier has a neat safety feature: it will refuse to run if a filter needs replacement. Of course, by “neat” we mean “annoying”. Especially when the purifier sure seems to judge a filter to be useless much earlier than it should. Is your environment relatively clean, and the filter still has legs? Are you using a secondary pre-filter to extend the actual filter’s life? Tough! Time’s up. Not only is this inefficient, but it’s wasteful.

Every Xiaomi filter contains an NTAG213 NFC tag with a unique ID and uses a unique password for communications, but how this password was generated (and therefore how to generate new ones) was not known. This meant that compatible tags recognized by the purifier could not be created. Until now, that is. [Flamingo-tech] has shared the discovery of how Xiaomi generates the password for communication between filter and purifier.

A small NFC sticker is now all it takes to have the purifier recognize a filter as new.

[Flamingo-tech] has long been a proponent of fooling Xiaomi purifiers into acting differently. In the past, this meant installing a modchip to hijack the DRM process. That’s a classic method of getting around nonsense DRM on things like label printers and dishwashers, but in this case, reverse-engineering efforts paid off.

It’s now possible to create simple NFC stickers that play by all the right rules. Is a filter’s time up according to the NFC sticker, but it’s clearly still good? Just peel that NFC sticker off and slap on a new one, and as far as the purifier is concerned, it’s a new filter!

If you’re interested in the reverse-engineering journey, there’s a GitHub repository with all the data. And for those interested in purchasing compatible NFC stickers, [Flamingo-tech] has some available for sale.

Cracking The MiFare Classic Could Get You Free Snacks

July 13, 2022 by Lewin Day 23 Comments

[Guillermo] started a new job a while back. That job came with an NFC access card, which was used for booking rooms and building access. The card also served as a wallet for using the vending machines. He set about hacking the card to see what he could uncover.

Initial scans with NFC Tools revealed the card was an Infineon MIFARE Classic Card 1k. These cards are considered fairly old and insecure by now. There’s plenty of guides online on how to crack the private keys that are supposed to make the card secure. Conveniently, [Guillermo] had a reader/writer on hand for these very cards.

[Guillermo] was able to use a tool called mfoc to dump the keys and data off the card. From there, he was able to determine that the credit for the vending machines was stored on the card itself, rather than on a remote server.

This means that it’s simple to change the values on the card in order to get free credit, and thus free snacks. However, [Guillermo] wisely resisted the urge to cash in on candy and sodas. When totals from the machine and credit system were reconciled, there’d be a clear discrepancy, and a short investigation would quickly point to his own card.

He also managed to successfully clone a card onto a “Magic Mifare” from Amazon. In testing, the card performed flawlessly on all systems he tried it on.

It goes to show just how vulnerable some NFC-based access control systems really are. RFID tags are often not as safe as you’d hope, either!

NFC Performance: It’s All In The Antenna

November 10, 2021 by Jenny List 15 Comments

NFC tags are a frequent target for experimentation, whether simply by using an app on a mobile phone to interrogate or write to tags, by incorporating them in projects by means of an off-the-shelf module, or by designing a project using them from scratch. Yet they’re not always easy to get right, and can often give disappointing results. This article will attempt to demystify what is probably the most likely avenue for an NFC project to have poor performance, the pickup coil antenna in the reader itself.

The tags contain chips that are energised through the RF field that provides enough power for them to start up, at which point they can communicate with a host computer for whatever their purpose is.

“NFC” stands for “Near Field Communication”, in which data can be exchanged between physically proximate devices without their being physically connected. Both reader and tag achieve this through an antenna, which takes the form of a flat coil and a capacitor that together make a resonant tuned circuit. The reader sends out pulses of RF which is maintained once an answer is received from a card, and thus communication can be established until the card is out of the reader’s range. Continue reading “NFC Performance: It’s All In The Antenna” →

NFC Tags Add Old-School Functionality To New Phone

December 14, 2015 by Bryan Cockfield 27 Comments

Back in the day, we had smartphones with physical buttons. Not just power, volume, and maybe another button on the front. Whole, slide-out QWERTY keyboards right on the underside of the phone. It was a lawless wasteland, but for those who yearn for the wild-west days of the late 2000s, [Liviu] has recreated the shortcut buttons that used to exist on the tops of these keyboards for modern-day smartphones.

There were lots of phones that had shortcut keys on their keyboards, but [Liviu] enjoyed using the ones that allowed him to switch between applications (or “apps” as the kids are saying these days) such as the calendar, the browser, or the mail client. To recreate this, he went with a few NFC tags. These devices are easily programmed via a number of apps from your app store of choice, and can be placed essentially anywhere. In order to make them visible to the phone at any time, though, he placed the tags inside a clear plastic case for his phone and can now use them anytime.

If you’ve never used or programmed an NFC tag, this would be a great project to get yourself acquainted with how they operate. Plus, you could easily upgrade this project to allow the tags to do any number of other things. You can take projects like this as far as you want.

Continue reading “NFC Tags Add Old-School Functionality To New Phone” →

Toddler Jukebox Requires No Quarters Or Button Mashing

October 9, 2014 by Kristina Panos 18 Comments

Ahh, toddlers. They’re as ham-fisted as they are curious. It’s difficult to have to say no when they want to touch and engage with the things that we love and want them to play with. [Shawn] feels this way about his son’s interest in the family Sonos system and engineered an elegant solution he calls Song Blocks.

The Sonos sits on a dresser that hides a RasPi B+. Using bare walnut blocks numbered 1-12, his son can use the Sonos without actually touching it. Each block has a magnet and an NFC tag. When his son sticks a block on the face of the right drawer containing embedded magnets and an NFC controller board, the B+ reads the tag and plays the song. It also tweets the song selection and artist.

The blocks themselves are quite beautiful. [Shawn] numbered them with what look like Courier New stamps and then burned the numbers in with a soldering iron. His Python script is on the git, and he has links to the libraries used on his build page. The Song Blocks demo video is waiting for you after the jump.

Continue reading “Toddler Jukebox Requires No Quarters Or Button Mashing” →