Unethical Info


Breaking Free from DRM: The Story of Hacking My Air Purifier

I searched the web for a deal on a decent air purifier and the Xiaomi 4 Pro seemed to meet all my requirements: the filter size, scheduler and air volume ticked all the boxes. I set it up and thought nothing of it until last week, when my room was lit up by the ‘0% remaining’ replace-filter warning. I had set my unit up to disable the LCD, so this was an unwelcome surprise. I dismissed the warning with the user button and 15 minutes later it lit up my room again…

There was nowhere in the app I could disable the warning, and having cleaned the filter several times throughout the year I was sure it had at least another 12 months of life left in it. I decided to investigate the nightmare DRM RFID chip that was stuck to the bottom of my filter.

Grifters and Gatekeepers:

As I reached for my Proxmark I realized that surely someone had already done the heavy lifting; I was partially correct. Enter Flamingo Tech, who had spent some time reverse engineering these filters and publishing his work.

In his repo he outlines the important blocks from the tag:

  • Block 8 back to 00000000, it’s back to 100%
  • Other block info:
    • Block4 is rfid-factory-id
    • Block5 is rfid-product-id (xx:xx:xx:xx Regular Filter)
    • Block6: rfid-time
    • Block7: rfid-serial-num

Unfortunately the NfcA tag is still locked and we can’t edit the tag without the password. Thankfully the Proxmark community had already tackled this. You can review their process of discovering the password key gen here.

Flamingo Tech published a script written by Doegox outlining how the password crack works. Despite the title “This is how they do it!” he fails to explain the code within the post and uses the blog as a call to action to sell his own tags. Normally this sort of thing doesn’t bother me, but the comment “This will significantly decrease the waste footprint from a whole filter.. to just a sticker 😀” rubbed me the wrong way. If he really cared about the carbon footprint he would have explained how to update the tag already on the filter you own. However, if you want to support his work you can still grab his stickers here.

I decided to explain the code here but if you want to skip to the actual filter reset scroll down to “Hacking the tag”.

Password Key Gen:

The script contains two examples, the first example is based on the tag UID “04A03CAA1E7080” resulting in the password “CD91AFCC”.

First we take the UID and convert it to a byte array, so 04A03CAA1E7080 becomes the seven bytes [04, A0, 3C, AA, 1E, 70, 80].
Next the SHA-1 hash function is applied to this byte array, giving bcaf806333ccf720cd441a167f914fbe6ea4a513. This too is treated as a byte array, since we only need 4 of its 20 bytes to form the password.

Using the first byte of the hash, “BC”, we convert it to decimal to get 188 and use that number to compute where each of the four password bytes sits within the 20-byte hash (hence the modulo 20 below).
The calculated indices are:

188 % 20 = 8
(188 + 5) % 20 = 13
(188 + 13) % 20 = 1
(188 + 17) % 20 = 5

Now back to that hash we generated earlier – bcaf806333ccf720cd441a167f914fbe6ea4a513

Grabbing the bytes at those indices (counting from 0, so index 8 is the ninth byte) in the order they were calculated we get:

index 8: CD
index 13: 91
index 1: AF
index 5: CC

Concatenating these forms the password:
CD91AFCC

Now that we know how it works we can modify/reset our own filters. Not everyone has access to a ~$350 Proxmark so I’ve created instructions for updating your tag with any NFC enabled mobile phone.

Hacking the tag:

Step 1:

Install NFC Tools on your NFC-enabled Android phone or iPhone.

Step 2:

Scan the NFC tag on the bottom of your filter with the read function of the free app.

Step 3:

Copy the retrieved ‘Serial Number/UID’ (14 character hex value) down somewhere.

Step 4:

Generate your reset command by entering the 14 characters below. If the UID is 12345678901234 the password will be 011853E8 and the command to reset the filter will be: 1B011853E8,3008,A20800000000

UID to Password Converter
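The derivation explained under “Password Key Gen” and the command assembled in Step 4, as an added Python example (not the post’s converter or Doegox’s script): SHA-1 over the 7 UID bytes, then the bytes at offsets 0, 5, 13 and 17 from the first digest byte, modulo 20. The point it makes visible is that a tag password derived from the freely readable UID with an unkeyed hash protects nothing once the rule is known; a keyed derivation or a real challenge-response would have been needed. The function names and the separator handling in `uid_to_bytes` are my own choices.

```python
import hashlib

DIGEST_LEN = 20            # SHA-1 produces 20 bytes, hence the "% 20" in the post
OFFSETS = (0, 5, 13, 17)   # added to the first digest byte to locate the 4 password bytes


def uid_to_bytes(uid_hex: str) -> bytes:
    """Parse the 7-byte UID as shown by the NFC app (14 hex chars; ':', '-' and spaces ignored)."""
    clean = "".join(c for c in uid_hex if c not in ":- ")
    if len(clean) != 14:
        raise ValueError(f"expected a 14-character hex UID, got {uid_hex!r}")
    return bytes.fromhex(clean)


def password_indices(first_byte: int) -> list:
    """Position of each password byte inside the digest; 0xBC (188) gives [8, 13, 1, 5]."""
    return [(first_byte + off) % DIGEST_LEN for off in OFFSETS]


def select_password(digest: bytes) -> str:
    """Pick the four bytes out of a 20-byte SHA-1 digest and return them as upper-case hex."""
    if len(digest) != DIGEST_LEN:
        raise ValueError("SHA-1 digest must be 20 bytes")
    return bytes(digest[i] for i in password_indices(digest[0])).hex().upper()


def derive_password(uid_hex: str) -> str:
    """UID -> SHA-1 -> 4 selected bytes, the steps the post walks through for 04A03CAA1E7080."""
    return select_password(hashlib.sha1(uid_to_bytes(uid_hex)).digest())


def reset_command(password: str, page: int = 8) -> str:
    """Step 4's command string: PWD_AUTH (1B) + password, READ (30) the page, WRITE (A2) zeros to it."""
    return f"1B{password},30{page:02X},A2{page:02X}00000000"


if __name__ == "__main__":
    # Constructed demo using the two UIDs the post quotes.
    for uid in ("04A03CAA1E7080", "12345678901234"):
        digest = hashlib.sha1(uid_to_bytes(uid)).digest()
        pwd = select_password(digest)
        print(f"{uid}: first digest byte {digest[0]}, indices {password_indices(digest[0])}, password {pwd}")
        print(f"  NFC Tools command: {reset_command(pwd)}")
```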

Step 5:

In the main menu of the app click ‘Other’ -> ‘Advanced NFC commands’ and accept the disclaimer. Then paste the command above into the data box. (NOTE: Android users will have to select the I/O class which will be “NfcA (ISO 14443-3A)” from the drop down menu)

Step 6:

Ensure the top of the phone is sitting over the tag and click ‘Send Command’

Voila! You’ve successfully reset your filter. Repeat as needed for continuous, hassle-free air purification.

Compatible Device List:

Xiaomi Air Purifier:  Compatible: Tested:
4 Pro ✓
4 Lite ✓
4 ✓
MI PRO ✓
MI PRO H ✓
PRO H ✓
PRO ✓
3H ✓

If you get the time to test this mod against older models, please comment below and I’ll update my list. All models tested working!


Responses

  1. Anonymous Coward

    Worked on my 3H, thanks!

    1. admin

      Thanks! Updating the compatibility matrix.

    2. VadimAA

      Worked on my 3H too, thanks!

  2. Interested Observer

    Admirable work and your succinct description is well done.

  3. David

    Sweet, works well on my Mi Air Purifier Pro and Mi Air Purifier 2S

  4. Unnamed Nomard

    Also works on the Mi Air Purifier MAX. Thanks!

  5. Stan Angeloff

    Tested on Xiaomi MI Air Purifier 3H with HEPA filter, works as advertised ☺

  6. Jan

    You cannot just hold a button for 6 seconds to reset filter state like on the old models?

    1. admin

      Unfortunately the 4 Pro doesn’t have this functionality. I tried a few combinations of the capacitive button on the front and the physical button on the back to no benefit. Happy to test any suggestions you have for that model.

  7. Z

    Very decent job!

  8. Isabella

    Impressed with your technical knowledge on air purifier.

    Any recommendation for great tech hand hoover?

    Tried 3 already which turned out to have poor battery and poor suction too (tech issues 🙂 even though customer reviews were 5 stars)

    Thanks a million 🙂

  9. Parhelia

    Confirmed working on the Purifier Pro

  10. Stephan

    Thanks, my filter (Xiaomi 3H) is now at 100%
    Procedure is easy and well documented, nice!
    🙂

  11. Patryk

    I replace filters in mine more or less according to reported usage (before winter and after a few weeks of having 0% in summer). Is the advertised lifespan a lie and they last much longer than indicated?
    I’m curious but couldn’t find any good info on these HEPA filters.

  12. lamalasx

    You can very likely reset the filter with the device itself.
    Turn it on, hold one of the front buttons while opening the filter door. Can’t remember which one of the buttons you need to hold, or what order (holding the button first then opening the door or the other way).
    It works on the Pro H for which every source said it can’t reset the filter like the previous versions (3, 3c, ..). Yet I managed to bring up the service menu by accident and reset the filter.

  13. The Flamingo

    Hey!

    Great work man! I’m glad that you did this ^^! Back when I was working on the Xiaomi filter stuff I was afraid of Xiaomi! I got strange views on LinkedIn, my website was DDoSed… So I posted the bare minimum and hoped the internet would do the rest!

    Great post and work! Keep up the good work!

    Ps thanks for keeping the flamingo alive!

    The Flamingo

  14. Ja

    Tested with Pro H – works like expected.
    Thx

  15. The Flamingo

    Ps I don’t know how to reach you but here you go: https://www.flamingo-tech.nl/2024/01/27/this-is-how-they-do-it-part-2/

    Thanks man!

    1. admin

      I sent you an email! Thanks for your hard work.

  16. KaO

    It worked on my Mi Air Purifier 2S

  17. mark

    I don’t even have one of these purifiers, but I applaud what you’ve done. Terrific work! Thanks for reducing the level of enshittification in the world.

  18. Rouf

    Worked on my 4 pro but did not work on the 4 lite. I couldn’t find any NFC tag on the 4 lite’s filter?

  19. Nadya

    It worked on my Mi Air Purifier 3H. My filter was at 0% for the last few months, but now it’s at 100%! I have never used the NFC on my phone until now. With your great instructions I reset the filter relatively fast and it was fun! Thank you! 🙂

  20. Andrei

    Thank you so much! Worked on my Xiaomi Air Purifier 2S

  21. Aaron

    Xiaomi Air Purifier 4 confirmed working. You are an absolute legend 👍

  22. Gaijin

    Works like a charm!
    You rock

  23. Breaking Free from DRM: The Story of Hacking My Air Purifier #ReverseEngineering #Hacking @InfoUnethical « Adafruit Industries – Makers, hackers, artists, designers and engineers!

    […] A matrix of air purifiers tested is included. Read more here. […]

  24. TheCoNaX

    Xiaomi Smart Mi Air Purifier 2S
    Works great, thanks!!!

  25. Przemysław

    Amazing, thanks! I confirm what the commenter before me said – worked on Mi Air Purifier 2S

  26. A.J. Vera

    You are a steely-eyed missile person!

    Don’t own one of these purifiers, but was impressed by the clarity, brevity
    and effectiveness of your hack. Your writeup of the process is a model
    for technical explanations.

    You rock.

  27. Milan

    That is the slickest hack ever. Thanks a bunch!
    “Mi Air Purifier Pro H” by the way.

  28. Milan

    I’m sticking a link to this page on the back of my unit
    https://i.imgur.com/PEpSvF5.jpg

  29. Air Hacker

    Pro H – works!

  30. Kyron6868

    You are GREAT!

  31. DoubleD

    Hello! It didn’t work on my 3H. Could it be because I have the purooe filter?

    1. admin

      Hey there, try following this guide for your filter https://www.youtube.com/watch?v=jW3ZeZ6fL9Y
      Some filters don’t have NFC tags but they removed this method for the 4 onward.

      Basically hold the front and back button for 15 seconds (or 4 sets of beeps) and it’ll open the settings menu on the filter and reset the internal memory (resetting the filter counter)

  32. Chris

    This worked, but it stops the percentage being reported in the app, at least for my 3H

  33. Cene

    Thanks, worked on my 3H, easy steps, thanks one more time 🙂

  34. Max

    Awesome!
    Thank you so much for your work!
    This is really cool and useful.
    I checked it on my cleaners.

    XIAOMI Smart Air Purifier 4 Pro
    XIAOMI Smart Air Purifier 4

    Everything works perfectly!
    You can add checkmarks to the table)

    1. admin

      Glad it worked!
      Table updated.

  35. Josef

    Wow! Thank you very much for your work! It worked perfectly for my two Mi Air Purifier H3!

  36. Yuliya

    Hi!
    Mijia Smart Leafless Purification Fan: does not work. The UID is 8 characters.

  37. Ilnur

    Worked on Smartmi Air Purifier 1 (KQJHQ01ZM), filter zmfl-1-fla

  38. LeslieLee

    Is it possible to back up the original card information first so that it can be restored in case the modification fails?

  39. Ernesto

    Mi Air Purifier Pro, model AC-M3-CA. It works strangely: it reads the NFC tag, records the password, shows 100%, but the screen where you see the temperature still indicates the original percentage. Maybe because it doesn’t work with a used filter at 35% remaining.

  40. gbhall

    Legend! This worked for me!

  41. Shadow

    Tested with Xiaomi Smart Air Purifier Elite, works well. Thanks for the excellent work!

    It’s worth mentioning that the NFC tag of this model was hidden on the top side of the filter (inside the plastic, I suppose, in the center of the “Please refer to the reminder on the display to replace the filter” label), opposite to other models where it was stored on the bottom and was not tagged at all.

    If anyone like me was curious about the command, I figured out what the commands mean with the NTAG213/215/216 cheatsheet (first PDF result in Google):

    The command is `1B011853E8,3008,A20800000000`:

    – `1B` – PWD_AUTH (password authentication)
    – `011853E8` – password itself
    – `30` – READ
    – `08` – block address
    – `A2` – WRITE
    – `08` – block address
    – `00000000` – data to write (here I don’t fully understand why zeroing works, but it does)

    We only need the read command for debug purposes, so we can omit it or also use it for verification that our blocks were rewritten successfully.

    ## Using Flipper (June 2024)

    I also tested with my Flipper. Unfortunately, the send-data mode is only supported in the CLI and only available on old firmwares, because it was removed by the devs during refactoring.

    To do it with Flipper:

    1. Flash with old firmware where NFC APDU was available (before Dec 2023, e.g., unlshd-066 and others)
    2. Connect to the computer and run CLI
    3. Put the Flipper on the NFC tag (and do not touch it until you have finished)
    4. Run `nfc detect`:

    ```
    >: nfc detect
    Detecting nfc…
    Press Ctrl+C to abort
    Found: NFC-A UID length: 7, UID:12345678901234
    ```

    5. Obtain the password from the site or with the Flipper NFC app’s functionality
    6. Run `nfc apdu` (use only caps hex and do not use “,” as delimiters here):

    ```
    nfc apdu 1B011853E8 3008 A20800000000 3008
    detecting tag
    Sending APDU:1B011853E8 to Tag
    Response: 0000
    Sending APDU:3008 to Tag
    Response: 362AD001000000000000000000000000
    Sending APDU:A20800000000 to Tag
    No response
    Sending APDU:3008 to Tag
    Response: 00000000000000000000000000000000
    ```

    We see that the write was successful!

    7. If you want to revert to the original state, use bytes from the first response of the previous command. In our example, the command will be:

    ```
    nfc apdu 1B011853E8 3008 A208362AD001 3008
    detecting tag
    Sending APDU:1B011853E8 to Tag
    Response: 0000
    Sending APDU:3008 to Tag
    Response: 00000000000000000000000000000000
    Sending APDU:A208362AD001 to Tag
    No response
    Sending APDU:3008 to Tag
    Response: 362AD001000000000000000000000000
    ```

    1. Marcin

      Zeroing works because the data there is a work time counter (I don’t remember if the unit is in seconds, minutes or something else) which is constantly being updated by the air purifier during operation. Writing zeros basically resets filters “mileage” 🙂

  42. jnk

    thanks so much! worked like a charm for my 3H <3

  43. Maria

    Thank you so much! Worked great for my 4 Pro. Awesome!

  44. Flens

    Thanks a lot! It worked perfectly for my 4 Pro. Amazing!

  45. Buddz008

    This totally works for me. Don’t forget to physically clean your filter as well before installing back into your unit.

    Happy resetting to 100% Filter Life over and over again…

    Thanks buddy 😉
