Unethical Info

Breaking Free from DRM: The Story of Hacking My Air Purifier

I searched the web for a deal on a decent air purifier and the Xiaomi 4 Pro seemed to meet all my requirements. The filter size, scheduler and air volume ticked all the boxes. I set it up and thought nothing of it until last week my room was lit with the ‘0% remaining’ replace filter warning. I had set my unit up to disable the LCD so this was an unwelcome surprise. I dismissed the warning by clicking the user button to dismiss the error and 15 minutes later it lit up my room again…  

There was nowhere in the app I could disable the warning, having cleaned the filter several times throughout the year I was sure it had at least another 12 months of life left in it. I decided to investigate the nightmare DRM RFID chip that was stuck to the bottom of my filter.

Grifters and Gatekeepers:

As I reached for my proxmark I realized that surely someone had already done the heavy lifting, I was partially correct. Introducing Flamingo Tech he had spent some time reverse engineering these filters and publishing his work.

In his repo he outlines the important blocks from the tag:

  • Block 8 back to 00000000, it’s back to 100%
  • Other block info:
    • Block4 is rfid-factory-id
    • Block5 is rfid-product-id (xx:xx:xx:xx Regular Filter)
    • Block6: rfid-time
    • Block7: rfid-serial-num

Unfortunately the NfcA tag is still locked and we can’t edit the tag without the password. Thankfully the proxmark community had already tackled this. You can review their process in discovering their password key gen here.

Flamingo Tech published a script written by Doegox outlining how the password crack works. Despite the title “This is how they do it!” he fails to explain the code within the post and uses the blog as a call to action to sell his own tags. Normally this sort of thing doesn’t bother me but the comment “This will significantly decrease the waste footprint from a whole filter.. to just a sticker 😀” rubbed me the wrong way. If he really cared about the carbon footprint he would have explained how to update the tag already on the filter you own. However if you want to support his work you can still grab his stickers here.

I decided to explain the code here but if you want to skip to the actual filter reset scroll down to “Hacking the tag”.

Password Key Gen:

The script contains two examples, the first example is based on the tag UID “04A03CAA1E7080” resulting in the password “CD91AFCC”.

First we take the UID and convert it to a byte array. So 04A03CAA1E7080 becomes a sequence of bytes [04, A0, 3C, AA, 1E, 70, 80].
Next the SHA-1 hash function is applied to this byte array which gives us bcaf806333ccf720cd441a167f914fbe6ea4a513 which is converted to a byte array as we need only 4 bytes from this string to form the password.

Using the first byte in the array “BC” we convert it to decimal to get 188 and use that byte to determine where each byte is within the hash.
The calculated indices are:

188 % 20 = 8
(188 + 5) % 20 = 13
(188 + 13) % 20 = 1
(188 + 17) % 20 = 5

Now back to that hash we generated earlier – bcaf806333ccf720cd441a167f914fbe6ea4a513

Grabbing the bytes in the correct order we get:

8th byte: CD
13th byte: 91
1st byte: AF
5th byte: CC

Concatenating these forms the password:
CD91AFCC

Now that we know how it works we can modify/reset our own filters. Not everyone has access to a ~$350 Proxmark so I’ve created instructions for updating your tag with any NFC enabled mobile phone.

Hacking the tag:

Step 1:

Install NFC tools for your NFC enabled Android or iPhone.

Step 2:

Scan the NFC tag on the bottom of your filter with the read function of the free app.

Step 3:

Copy the retrieved ‘Serial Number/UID’ (14 character hex value) down somewhere.

Step 4:

Generate your reset command by entering the 14 characters below. If the UID is 12345678901234 the password will be 011853E8 and the command to reset the filter will be: 1B011853E8,3008,A20800000000

UID to Password Converter

Step 5:

In the main menu of the app click ‘Other’ -> ‘Advanced NFC commands’ and accept the disclaimer. Then paste the command above into the data box. (NOTE: Android users will have to select the I/O class which will be “NfcA (ISO 14443-3A)” from the drop down menu)

Step 6:

Ensure the top of the phone is sitting over the tag and click ‘Send Command’

Voila! You’ve successfully reset your filter. Repeat as needed for continuous, hassle-free air purification.

Compatible Device List:

Xiaomi Air Purifier:  Compatible: Tested:
4 Pro ✓
4 Lite ✓
4 ✓
MI PRO ✓
MI PRO H ✓
PRO H ✓
PRO ✓
3H ✓

If you get the time to test this mod against older models please comment below and I’ll update my list. All models tested working!

Published by

admin

Responses

  1. Anonymous Coward Avatar
    Anonymous Coward

    Worked on my 3H, thanks!

    Reply
    1. admin Avatar
      admin

      Thanks! Updating the compatibility matrix.

      Reply
    2. VadimAA Avatar
      VadimAA

      Worked on my 3H too, thanks!

      Reply
  2. Interested Observer Avatar
    Interested Observer

    Admirable work and your succinct description is well done.

    Reply
  3. David Avatar
    David

    Sweet works well on my Mi Air Purifier Pro and Mi Air Purifier 2S

    Reply
  4. Unnamed Nomard Avatar
    Unnamed Nomard

    Also works on the Mi Air Purifier MAX. Thanks!

    Reply
  5. Stan Angeloff Avatar
    Stan Angeloff

    Tested on Xiaomi MI Air Purifier 3H with HEPA filter, works as advertised ☺

    Reply
  6. Jan Avatar
    Jan

    You cannot just hold a button for 6 seconds to reset filter state like on the old models?

    Reply
    1. admin Avatar
      admin

      Unfortunately the 4 Pro doesn’t have this functionality. I tried a few combinations of the capacitive button on the front and the physical button on the back to no benefit. Happy to test any suggestions you have for that model.

      Reply
  7. Z Avatar
    Z

    Very decent job!

    Reply
  8. Isabella Avatar
    Isabella

    Impressed with your technical knowledge on air purifier.

    Any recommendation for great tech hand hoover?

    Tried 3 already which turned poor battery and poor suction too (tech issues 🙂 even though customer reviews were 5 stars)

    Thanks a million 🙂

    Reply
  9. Parhelia Avatar
    Parhelia

    Confirmed working the Purifier Pro

    Reply
  10. Stephan Avatar
    Stephan

    Thanks, my filter (Xiaomi 3H) is now at 100%
    Procedure is easy and well documented, nice!
    🙂

    Reply
  11. Patryk Avatar
    Patryk

    I replace filters in mine more or less according to reported usage (before winter and after few weeks of having 0% in summer), is the advertised lifespan a lie and they last much longer then indicated?
    I’m curious but couldn’t find any good info on these HEPA filters.

    Reply
  12. lamalasx Avatar
    lamalasx

    You can highly likely reset the filter with the device itself.
    Turn it on, hold one of the front buttons while opening the filter door. Can’t remember which one of the buttons you need to hold, or what order (holding the button first then opening the door or the other way).
    It works on the Pro H for which every source said it can’t reset the filter like the previous versions (3, 3c, ..). Yet I managed to bring up the service menu by accident and reset the filter.

    Reply
  13. The Flamingo Avatar
    The Flamingo

    Hey!

    Great work man! I’m glad that you did this ^^! Back when I was working on the Xiaomi filter stuff I was afraid of Xiaomi! I got strange views on LinkedIn, my website was ddossed… So I posted the bare minimum and hoped the internet would do the rest!

    Great post and work! Keep up the good work!

    Ps thanks for keeping the flamingo alive!

    The Flamingo

    Reply
  14. Ja Avatar
    Ja

    Tested with Pro H – works like expected.
    Thx

    Reply
  15. The Flamingo Avatar
    The Flamingo

    Ps I don’t know how to reach you but here you go: https://www.flamingo-tech.nl/2024/01/27/this-is-how-they-do-it-part-2/

    Thanks man!

    Reply
    1. admin Avatar
      admin

      I sent you an email! Thanks for your hard work.

      Reply
  16. KaO Avatar
    KaO

    It worked on my Mi Air Purifier 2S

    Reply
  17. mark Avatar
    mark

    I don’t even have one of these purifiers, but I applaud what you’ve done. Terrificd work! Thanks for reducing the level of enshittification in the world.

    Reply
  18. Rouf Avatar
    Rouf

    Worked on my 4 pro but did not work on the 4 lite. I couldn’t find any NFC tag on the 4 lite’s filter?

    Reply
  19. Nadya Avatar
    Nadya

    It worked on my Mi Air Purifier 3H. My filter was at 0% for the last few months, but now it’s at 100%! I have never used the NFC on my phone until now. With your great instructions I reset the filter relatively fast and it was fun! Thank you! 🙂

    Reply
  20. Andrei Avatar
    Andrei

    Thank you so much! Worked on my Xiaomi Air Purifier 2S

    Reply
  21. Aaron Avatar
    Aaron

    Xiaomi Air Purifier 4 confirmed working. You are an absolute legend 👍

    Reply
  22. Gaijin Avatar
    Gaijin

    Works like a charm !
    You roc

    Reply
  23. Breaking Free from DRM: The Story of Hacking My Air Purifier #ReverseEngineering #Hacking @InfoUnethical « Adafruit Industries – Makers, hackers, artists, designers and engineers!

    […] A matrix of air purifiers tested is included. Read more here. […]

    Reply
  24. TheCoNaX Avatar
    TheCoNaX

    Xiaomi Smart Mi Air Purifier 2S
    Work’s great, thanks!!!

    Reply
  25. Przemysław Avatar
    Przemysław

    Amazing, thanks! I confirm what the commenter before me said – worked on Mi Air Purifier 2S

    Reply
  26. A.J. Vera Avatar
    A.J. Vera

    You are a steely-eyed missile person!

    Don’t own one of these purifiers, but was impressed by the clarity, brevity
    and effectiveness of your hack. Your writeup of the process is a model
    for technical explanations.

    You rock.

    Reply
  27. Milan Avatar
    Milan

    That is the slickest hack ever. Thanks a bunch!
    “Mi Air Purifier Pro H” by the way.

    Reply
  28. Milan Avatar
    Milan

    i’m sticking a link to this page on the back of my unit
    https://i.imgur.com/PEpSvF5.jpg

    Reply
  29. Air Hacker Avatar
    Air Hacker

    Pro H – works!

    Reply
  30. Kyron6868 Avatar
    Kyron6868

    You are GREAT!

    Reply
  31. DoubleD Avatar
    DoubleD

    Hello! It didn’t work on my 3H. Could it be because I have the purooe filter?

    Reply
    1. admin Avatar
      admin

      Hey there, try following this guide for your filter https://www.youtube.com/watch?v=jW3ZeZ6fL9Y
      Some filters don’t have NFC tags but they removed this method for the 4 onward.

      Basically hold the front and back button for 15 seconds (or 4 sets of beeps) and it’ll open the settings menu on the filter and resets the internal memory (resetting the filter counter)

      Reply
  32. Chris Avatar
    Chris

    This worked but it stops the percentage being reported in the app at least for my 3H

    Reply
  33. Cene Avatar
    Cene

    tnx , worked on my 3h easy steps , tnx one more time 🙂

    Reply
  34. Max Avatar
    Max

    Awesome!
    Thank you so much for your work!
    This is really cool and useful.
    I checked it on my cleaners.

    XIAOMI Smart Air Purifier 4 Pro
    XIAOMI Smart Air Purifier 4

    Everything works perfectly!
    You can add checkmarks to the table)

    Reply
    1. admin Avatar
      admin

      Glad it worked!
      Table updated.

      Reply
  35. Josef Avatar
    Josef

    Wau! Thank you very much for your work! It worked perfectly for my two Mi Air Purifier H3!

    Reply
  36. Yuliya Avatar
    Yuliya

    Hi!
    Mijia Smart Leafless Purification Fan Not work. Uid 8 characters

    Reply
  37. Ilnur Avatar
    Ilnur

    Worked on Smartmi Air Purifier 1 (KQJHQ01ZM), filter zmfl-1-fla

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *