Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-05-05 19:11:59

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Xiaomi Air Purifier

Didn't found topic for Xiaomi Air Purifier filters.

There is a tag at bottom of filter, that counts work hours.
It has an NTAG 213 144bytes (NT2H1311G0DU) format.

You can read password by sniffing Purifier's requests.
Get your tag id by using "hf search", than simulate your empty tag (hf 14a sim t 2 u <UID>), put your proxmark inside purifier, push "closed  door sesor" button and power it on (you will see 100% filter remain message).

Use "hf list" to get your password.
Make backup dump ("hf mfu dump k <password>")
Than you can write zero's to 8 sector to get 100% remain.

"hf mfu wrbl b 8 d 00000000 k <PASSWORD>"

Purifier read blocks 4,5,6,7,8 from a tag.
Block 5 is "filter rfid product id" (mine is "00003033" -> 0:0:30:33).
Block 8 is work time/remain time.
Other blocks content is unknown for me.

p.s. calculator didn't calculate right password for this tag (My tag id 04A81D12DE5F80, pwd: dae55796; "hf mfu pwdgen" calcs for ev1(?): E14146FC)

Last edited by Monster1024 (2020-05-05 19:22:01)

Offline

#2 2020-05-06 06:51:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

Thats neat little hack of yours.
Its the first time I heard of this,  so I am curious and I would need some more info for documentation.

In order to collect some more data from these kinds of tag. Would you mind running these command and share?

hf mfu info k dae55796
hf mfu dump k dae55796

hf 14a sim t 2 u 04A81D12DE5F80
trace save f Xiaomi_04A81D12DE5F80.trace

The keygen algo is unknown,  so don't the output from pwdgen to generate a correct one for you.

Offline

#3 2020-05-06 10:10:08

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Xiaomi Air Purifier

For this moment I have following params readed by purifier:
filter hours used: 31
filter life remaining: 99%
filter rfid product id: 00:00:30:33
filter rfid tag: 80:5f:de:12:1d:a8:4
filter type: regular

Here is tag info and traces:

[usb] pm3 --> hf mfu info k dae55796
          
[=] --- Tag Information --------------------------          
[=] -------------------------------------------------------------          
[+]       TYPE: NTAG 213 144bytes (NT2H1311G0DU)          
[+]        UID: 04 A8 1D 12 DE 5F 80           
[+]     UID[0]: 04, NXP Semiconductors Germany          
[+]       BCC0: 39 (ok)          
[+]       BCC1: 13 (ok)          
[+]   Internal: 48 (default)          
[+]       Lock: 00 00  - 00          
[+] OneTimePad: E1 10 3E 00  - 2160

[=] --- NDEF Message          
[+] Capability Container: E1 10 3E 00           
[+]   E1: NDEF Magic Number          
[+]   10: version 0.1 supported by tag          
[+]        : Read access granted without any security / Write access granted without any security          
[+]   3E: Physical Memory Size: 496 bytes          
[+]   3E: NDEF Memory Size: 496 bytes          
[+]   Additional feature information          
[+]   00          
[+]   00000000          
[+]   xxx      - 00: RFU (ok)          
[+]      x     - 00: don't support special frame          
[+]       x    - 00: don't support lock block          
[+]        xx  - 00: RFU (ok)          
[+]          x - 00: IC don't support multiple block reads          
          
[=] --- Tag Signature          
[=]  IC signature public key name: NXP NTAG21x (2013)          
[=] IC signature public key value: 04494E1A386D3D3CFE3DC10E5DE68A499B1C202DB5B132393E89ED19FE5BE8BC61          
[=]     Elliptic curve parameters: NID_secp128r1          
[=]              TAG IC Signature: 84A3053C856ADEAC9C0608BCDEB8554A460EB6ED684121E3EA10D58B02F818C8          
[+]            Signature verified: successful          
          
[=] --- Tag Version          
[=]        Raw bytes: 00 04 04 02 01 00 0F 03           
[=]        Vendor ID: 04, NXP Semiconductors Germany          
[=]     Product type: 04, NTAG          
[=]  Product subtype: 02, 50pF          
[=]    Major version: 01          
[=]    Minor version: 00          
[=]             Size: 0F, (256 <-> 128 bytes)          
[=]    Protocol type: 03, ISO14443-3 Compliant          
          
[=] --- Tag Configuration          
[=]   cfg0 [41/0x29]: 04 00 00 04           
[=]                     - strong modulation mode disabled          
[=]                     - page 4 and above need authentication          
[=]   cfg1 [42/0x2A]: C0 05 00 00           
[=]                     - Unlimited password attempts          
[=]                     - NFC counter disabled          
[=]                     - NFC counter password protection enabled          
[=]                     - user configuration permanently locked          
[=]                     - read and write access is protected with password          
[=]                     - 05, Virtual Card Type Identifier is default          
[=]   PWD  [43/0x2B]: DA E5 57 96 - (cannot be read)          
[=]   PACK [44/0x2C]: 00 00       - (cannot be read)          
[=]   RFU  [44/0x2C]:       00 00 - (cannot be read)          
[usb] pm3 --> hf mfu dump k dae55796
[+] TYPE: NTAG 213 144bytes (NT2H1311G0DU)          
[+] Reading tag memory...          

*special* data
          

DataType  | Data                    | Ascii          
----------+-------------------------+---------          
Version   | 00 04 04 02 01 00 0F 03 | ........          
TBD       | 00 00                   | ..          
TBD       | 00                      | .          
Signature1| 84 A3 05 3C 85 6A DE AC 9C 06 08 BC DE B8 55 4A | ...<.j........UJ          
Signature2| 46 0E B6 ED 68 41 21 E3 EA 10 D5 8B 02 F8 18 C8 | F...hA!.........          
Counter0  | 00 00 00                | ...          
Tearing0  | 00                      | .          
Counter1  | 00 00 00                | ...          
Tearing1  | 00                      | .          
Counter2  | 00 00 00                | ...          
Tearing2  | 00                      | .          
-------------------------------------------------------------          

Block#   | Data        |lck| Ascii          
---------+-------------+---+------          
  0/0x00 | 04 A8 1D 39 |   | ...9          
  1/0x01 | 12 DE 5F 80 |   | .._.          
  2/0x02 | 13 48 00 00 |   | .H..          
  3/0x03 | E1 10 3E 00 | 0 | ..>.          
  4/0x04 | 00 00 4A 44 | 0 | ..JD          
  5/0x05 | 00 00 30 33 | 0 | ..03          
  6/0x06 | 00 18 12 18 | 0 | ....          
  7/0x07 | 00 00 76 09 | 0 | ..v.          
  8/0x08 | 94 BB 01 00 | 0 | ....          
  9/0x09 | 00 00 00 00 | 0 | ....          
 10/0x0A | 00 00 00 00 | 0 | ....          
 11/0x0B | 00 00 00 00 | 0 | ....          
 12/0x0C | 00 00 00 00 | 0 | ....          
 13/0x0D | 00 00 00 00 | 0 | ....          
 14/0x0E | 00 00 00 00 | 0 | ....          
 15/0x0F | 00 00 00 00 | 0 | ....          
 16/0x10 | 00 00 00 00 | 0 | ....          
 17/0x11 | 00 00 00 00 | 0 | ....          
 18/0x12 | 00 00 00 00 | 0 | ....          
 19/0x13 | 00 00 00 00 | 0 | ....          
 20/0x14 | 00 00 00 00 | 0 | ....          
 21/0x15 | 00 00 00 00 | 0 | ....          
 22/0x16 | 00 00 00 00 | 0 | ....          
 23/0x17 | 00 00 00 00 | 0 | ....          
 24/0x18 | 00 00 00 00 | 0 | ....          
 25/0x19 | 00 00 00 00 | 0 | ....          
 26/0x1A | 00 00 00 00 | 0 | ....          
 27/0x1B | 00 00 00 00 | 0 | ....          
 28/0x1C | 00 00 00 00 | 0 | ....          
 29/0x1D | 00 00 00 00 | 0 | ....          
 30/0x1E | 00 00 00 00 | 0 | ....          
 31/0x1F | 00 00 00 00 | 0 | ....          
 32/0x20 | 00 00 00 00 | 0 | ....          
 33/0x21 | 00 00 00 00 | 0 | ....          
 34/0x22 | 00 00 00 00 | 0 | ....          
 35/0x23 | 00 00 00 00 | 0 | ....          
 36/0x24 | 00 00 00 00 | 0 | ....          
 37/0x25 | 00 00 00 00 | 0 | ....          
 38/0x26 | 00 00 00 00 | 0 | ....          
 39/0x27 | 00 00 00 00 | 0 | ....          
 40/0x28 | 00 00 00 BD | 0 | ....          
 41/0x29 | 04 00 00 04 | 0 | ....          
 42/0x2A | C0 05 00 00 | 0 | ....          
 43/0x2B | DA E5 57 96 | 0 | ..W.          
 44/0x2C | 00 00 00 00 | 0 | ....          
---------------------------------          
[=] Using UID as filename          
[+] saved 236 bytes to binary file hf-mfu-04A81D12DE5F80-dump.bin          
[+] saved to json file hf-mfu-04A81D12DE5F80-dump.json          
[usb] pm3 --> hf list
[+] Recorded activity (trace len = 372 bytes)          
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)          
          
      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation          
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------          
          0 |       1056 | Rdr |26                                                                       |     | REQA          
       2228 |       4596 | Tag |44  00                                                                   |     |           
     419818 |     422282 | Rdr |93  20                                                                   |     | ANTICOLL          
     423454 |     429278 | Tag |88  04  a8  1d  39                                                       |     |           
     839624 |     850152 | Rdr |93  70  88  04  a8  1d  39  bb  3b                                       |  ok | SELECT_UID          
     851324 |     854844 | Tag |04  da  17                                                               |     |           
    1286526 |    1288990 | Rdr |95  20                                                                   |     | ANTICOLL-2          
    1290162 |    1296050 | Tag |12  de  5f  80  13                                                       |     |           
    1706296 |    1716760 | Rdr |95  70  12  de  5f  80  13  51  12                                       |  ok | SELECT_UID-2          
    1717996 |    1721580 | Tag |00  fe  51                                                               |     |           
    2112566 |    2120726 | Rdr |1b  da  e5  57  96  70  88                                               |  ok | PWD-AUTH KEY: 0xdae55796          
    2123114 |    2127850 | Tag |ab  da  20  2c                                                           |     |           
    2518840 |    2523544 | Rdr |30  04  26  ee                                                           |  ok | READBLOCK(4)          
    2527084 |    2547948 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |           
    2938678 |    2943382 | Rdr |30  05  af  ff                                                           |  ok | READBLOCK(5)          
    2946922 |    2967786 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |           
    3358548 |    3363316 | Rdr |30  06  34  cd                                                           |  ok | READBLOCK(6)          
    3366600 |    3387464 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |           
    3778338 |    3783106 | Rdr |30  07  bd  dc                                                           |  ok | READBLOCK(7)          
    3786582 |    3807446 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |           
    4198106 |    4202810 | Rdr |30  08  4a  24                                                           |  ok | READBLOCK(8)          
    4206350 |    4227214 | Tag |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |

Here is dumps and trace file:
https://github.com/monster1025/fileshar … .trace.bin
https://github.com/monster1025/fileshar … 0-dump.bin
https://github.com/monster1025/fileshar … -dump.json

Last edited by Monster1024 (2020-05-06 10:26:11)

Offline

#4 2020-05-06 10:34:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

Cool, it also has a NDEF container.    But the data doesn't look like it has.  Nevertheless,  try the following.

hf mfu ndef

And do you have more that one tag?

for the keygen algo,   we would need you to simulate specific UIDs'  and collect their pwds.

UID pattern:

00 00 00 00 00 00 00
00 00 00 00 00 00 01
00 00 00 00 00 00 02
00 00 00 00 00 00 04
00 00 00 00 00 00 08
00 00 00 00 00 00 10
00 00 00 00 00 00 20
00 00 00 00 00 00 30
00 00 00 00 00 00 40
....
FF FF FF FF FF FF FF

Offline

#5 2020-05-06 10:41:34

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Xiaomi Air Purifier

Hmm.. It didn't answer or can't read/parse ndef:

[usb] pm3 --> hf mfu ndef -k dae55796
          
[=] --- NDEF Message          
[+] Capability Container: E1 10 3E 00           
[+]   E1: NDEF Magic Number          
[+]   10: version 0.1 supported by tag          
[+]        : Read access granted without any security / Write access granted without any security          
[+]   3E: Physical Memory Size: 496 bytes          
[+]   3E: NDEF Memory Size: 496 bytes          
[+]   Additional feature information          
[+]   00          
[+]   00000000          
[+]   xxx      - 00: RFU (ok)          
[+]      x     - 00: don't support special frame          
[+]       x    - 00: don't support lock block          
[+]        xx  - 00: RFU (ok)          
[+]          x - 00: IC don't support multiple block reads          
[=] Tag reported size vs NDEF reported size mismatch. Using smallest value          
[=]           
[=] NDEF parsing          
[=] -----------------------------------------------------          
[+] -- NDEF NULL block.          
[=] -----------------------------------------------------          
[!!] ? unknown tag 0x4a          

[usb] pm3 --> hf mfu ndef
          
[=] --- NDEF Message          
[+] Capability Container: E1 10 3E 00           
[+]   E1: NDEF Magic Number          
[+]   10: version 0.1 supported by tag          
[+]        : Read access granted without any security / Write access granted without any security          
[+]   3E: Physical Memory Size: 496 bytes          
[+]   3E: NDEF Memory Size: 496 bytes          
[+]   Additional feature information          
[+]   00          
[+]   00000000          
[+]   xxx      - 00: RFU (ok)          
[+]      x     - 00: don't support special frame          
[+]       x    - 00: don't support lock block          
[+]        xx  - 00: RFU (ok)          
[+]          x - 00: IC don't support multiple block reads          
[=] Tag reported size vs NDEF reported size mismatch. Using smallest value          
[!!] ? Error: tag didn't answer to READ          

>And do you have more that one tag?
No, I have only one - but I can simulate multiple ids with proxmark and get passwords from purifier.
How many do you need?
Special ids or random?

Last edited by Monster1024 (2020-05-06 10:45:04)

Offline

#6 2020-05-06 11:37:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

See my previous post for uid patterns

Offline

#7 2020-05-06 12:36:52

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Xiaomi Air Purifier

made some readings.
When 1 byte is not specified - algo get "default" password (0x90de545e).

00000000000000 - 0x90de545e - ab  90  7e  c1
00000000000001 - 0x90de545e - ab  90  7e  c1
00000000000004 - 0x90de545e - ab  90  7e  c1
000000000000F8 - 0x90de545e - ab  90  7e  c1
000000000011F8 - 0x90de545e - ab  90  7e  c1
000000000111F8 - 0x90de545e - ab  90  7e  c1
000000001111F8 - 0x90de545e - ab  90  7e  c1
000000011111F8 - 0x90de545e - ab  90  7e  c1
000000111111F8 - 0x90de545e - ab  90  7e  c1
000001111111F8 - 0x90de545e - ab  90  7e  c1
000011111111F8 - 0x90de545e - ab  90  7e  c1
011011111111F8 - 0xe0311bd1 - ab  e0  f9  b2 
000111111111F8 - 0x90de545e - ab  90  7e  c1
001111111111F8 - 0x90de545e - ab  90  7e  c1
011111111111F8 - 0x1a7a788f - ab  1a  2c  ea
021111111111F8 - 0x65496bd6 - ab  65  5c  61                                                           
041111111111F8 - 0xd26e63cf - ab  d2  68  a0                                                           
141111111111F8 - 0xced4b30f - ab  ce  85  7a                                                           
141111111112F8 - 0x05a05603 - ab  05  5a  02                                                           
010000000000F4 - 0xe640b665 - ab  e6  cf  d7                                                           
01000000000114 - 0xcb07a949 - ab  cb  28  2d                                                           
020000000001F8 - 0xe1927aa3 - ab  e1  70  a3 
22222222222222 - 0x7041057d - ab  70  70  26
----
10000000000000 - 0x32b7a568 - ab  32  66  47
20000000000000 - 0x1d1155aa - ab  1d  93  9e 
40000000000000 - 0x90de545e - ab  90  7e  c1 
80000000000000 - 0x90de545e - ab  90  7e  c1
01000000000000 - 0x042aabc9 - ab  04  d3  13
02000000000000 - 0x9e89bab3 - 30  04  26  ee
04000000000000 - 0xc78ba898 - ab  c7  44  e7
08000000000000 - 0x7b0e246e - ab  7b  a3  98
00100000000000 - 0x90de545e - ab  90  7e  c1
00200000000000 - 0x90de545e - ab  90  7e  c1
00400000000000 - 0x90de545e - ab  90  7e  c1
00800000000000 - 0x90de545e - ab  90  7e  c1
00010000000000 - 0x90de545e - ab  90  7e  c1
01010000000000 - 0xc6dc60f7 - ab  c6  cd  f6
01020000000000 - 0xf17bae8d - ab  f1  f1  b3
01040000000000 - 0x4a6f1dc2 - ab  4a  a9  b8
01080000000000 - 0x7bfc436d - ab  7b  a3  98
01001000000000 - 0x2d09ce89 - ab  2d  10  af
01002000000000 - 0x9693521b - ab  96  48  a4
01004000000000 - 0xd6fe7dda - ab  d6  4c  e6
01008000000000 - 0x70dded0f - ab  70  70  26
01000100000000 - 0xfdb1bc02 - ab  fd  9d  79 
01000200000000 - 0x8d40e753 - ab  8d  1a  0a
01000400000000 - 0x9827d18a - ab  98  36  4d 
01000800000000 - 0x5781ea66 - ab  57  cd  73
01000010000000 - 0x03bec653 - ab  03  6c  67 
01000020000000 - 0x33873f21 - ab  33  ef  56
01000040000000 - 0x4db37b43 - ab  4d  16  cc
01000080000000 - 0x65e5834c - ab  65  5c  61
01000001000000 - 0x9b98576d - ab  9b  ad  7f
01000002000000 - 0x8dab78dc - ab  8d  1a  0a 
01000004000000 - 0x11d6ed66 - ab  11  ff  54
01000008000000 - 0x5402a296 - ab  54  56  41
01000000100000 - 0x84e3e24b - ab  84  db  97
01000000200000 - 0x8b3556ce - ab  8b  2c  6f
01000000400000 - 0xfb8ea7db - ab  fb  ab  1c
01000000800000 - 0x3c87fd31 - ab  3c  18  ae
01000000010000 - 0xa1abe04f - ab  a1  74  e1
01000000020000 - 0x0b1a0349 - ab  0b  24  eb
01000000040000 - 0x3ae5e3a3 - ab  3a  2e  cb
01000000080000 - 0xb4feb020 - ab  b4  58  a6
01000000001000 - 0xe029abee - ab  e0  f9  b2
01000000002000 - 0xfb3e913e - ab  fb  ab  1c 
01000000004000 - 0x1daf31d7 - ab  1d  93  9e
01000000008000 - 0x9d0e4388 - ab  9d  9b  1a
01000000000100 - 0x972ae659 - ab  97  c1  b5
01000000000200 - 0xa51f93a9 - ab  a5  50  a7
01000000000400 - 0x7f124803 - ab  7f  87  de
01000000000800 - 0xef6d2f43 - ab  ef  0e  4a
01000000000010 - 0xf6cba95a - ab  f6  4e  c7
01000000000020 - 0x160e2786 - ab  16  40  20
01000000000040 - 0xc45f47c2 - ab  c4  df  d5
01000000000080 - 0x25415f9c - ab  25  58  23
01000000000001 - 0x71949360 - ab  71  f9  37
01000000000002 - 0x6663ef3b - ab  66  c7  53
01000000000004 - 0x73dce7af - ab  73  eb  14
01000000000008 - 0x7687b546 - ab  76  46  43

Last edited by Monster1024 (2020-05-07 09:53:16)

Offline

#8 2020-05-06 13:58:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

lets go through the need basic pattern first.

hf 14a sim t 2 u  %s
---------------------------------
0000000000000001
0000000000000002
0000000000000004
0000000000000008

0000000000000010
0000000000000020
0000000000000040
0000000000000080
0000000000000100
0000000000000200
0000000000000400
0000000000000800

0000000000001000
0000000000002000
0000000000004000
0000000000008000

0000000000010000
0000000000020000
0000000000040000
0000000000080000

0000000000100000
0000000000200000
0000000000400000
0000000000800000

0000000001000000
0000000002000000
0000000004000000
0000000008000000

0000000010000000
0000000020000000
0000000040000000
0000000080000000

0000000100000000
0000000200000000
0000000400000000
0000000800000000

0000001000000000
0000002000000000
0000004000000000
0000008000000000

0000010000000000
0000020000000000
0000040000000000
0000080000000000

0000100000000000
0000200000000000
0000400000000000
0000800000000000

0001000000000000
0002000000000000
0004000000000000
0008000000000000

0010000000000000
0020000000000000
0040000000000000
0080000000000000

0100000000000000
0200000000000000
0400000000000000
0800000000000000

1000000000000000
2000000000000000
4000000000000000
8000000000000000

Offline

#9 2020-05-06 15:00:18

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Xiaomi Air Purifier

When first 2 "chars" are 00 - password is always 90de545e.

Example:

Variants from
0000000000000001
0000000000000002
...
to
0080000000000000
will always returns password "90de545e"

First "meaningful" id is 0100000000000000, that's why I started to check with "01" in first two chars.

Will post all results little bit later.

Offline

#10 2020-05-06 15:58:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

I see.

The drastic changes from 1bit changes is an indicator that some kind of hash/crypto is being used behind.
So lets continue with what you started,  collect the uid pattern from above but with 0x01.

01 xx xx xx xx xx xx

Offline

#11 2020-05-06 21:04:05

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Xiaomi Air Purifier

Done. Updated post #7.

Last edited by Monster1024 (2020-05-06 21:47:43)

Offline

#12 2020-05-07 09:22:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

Great, 

Would you mind collecting the PACK aswell?   To see if its static of dynamic aswell.

2112566 |    2120726 | Rdr |1b  da  e5  57  96  70  88                                               |  ok | PWD-AUTH KEY: 0xdae55796          
    2123114 |    2127850 | Tag |ab  da  20  2c         -->>  PACK 0xAB DA

[edit]  ...if you have more than one original filter.  I know that when we simulate, we don't use the right PACK. 

Does the air purifier continue and read the whole simulated tag?  Or does it stop when it gets the wrong PACK?

Offline

#13 2020-05-07 10:00:14

Monster1024
Contributor
Registered: 2020-05-05
Posts: 33

Re: Xiaomi Air Purifier

Collected PACKS from logfiles aswell (great that we have a logfiles by default in client application smile).

But as you mentioned above - it is proxmark 'calculated/simulated' pack value.

I have only one original filter and I cannot 'sniff' traffic between purifier and filter, because proxmark physically not fit when filter installed;
so I don't know how to get filter's original pack value (maybe interact as a reader for filter's tag?).

>Does the air purifier continue and read the whole simulated tag?  Or does it stop when it gets the wrong PACK?
Yes, it continue reading data for simulated tags (and continue read blocks data for 'wrong/calculated' PACK).

Also, it didn't stop reading when got zeroes in all readed blocks (empty/clean tag).

Last edited by Monster1024 (2020-05-07 10:15:41)

Offline

#14 2020-05-07 10:19:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

Cool,   this is still a good basis for a lua-script.   Reading a filter,  presenting the data, reset the data etc.

Offline

#15 2020-05-17 17:13:17

hayabusa
Contributor
From: Australia
Registered: 2019-08-27
Posts: 12

Re: Xiaomi Air Purifier

Hi

I also tried and can get 100% from 0% of filter

my UID is 04 5D 81 72 62 60 80
and
my pwd is 0xbe26be3f

Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation         
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------         
          0 |       1056 | Rdr |26                                                                       |     | REQA         
       2228 |       4596 | Tag |44  00                                                                   |     |           
     419202 |     421666 | Rdr |93  20                                                                   |     | ANTICOLL         
     422838 |     428662 | Tag |88  04  5d  81  50                                                       |     |           
     838422 |     848886 | Rdr |93  70  88  04  5d  81  50  08  c0                                       |  ok | SELECT_UID         
     850122 |     853642 | Tag |04  da  17                                                               |     |           
    1284736 |    1287200 | Rdr |95  20                                                                   |     | ANTICOLL-2         
    1288372 |    1294196 | Tag |72  62  60  80  f0                                                       |     |           
    1703936 |    1714400 | Rdr |95  70  72  62  60  80  f0  b6  5c                                       |  ok | SELECT_UID-2         
    1715636 |    1719220 | Tag |00  fe  51                                                               |     |           
    2109626 |    2117850 | Rdr |1b  be  26  be  3f  cc  80                                               |  ok | PWD-AUTH KEY: 0xbe26be3f         
    2120046 |    2124718 | Tag |ab  be  02  09                                                           |     |           
    3488990 |    3490046 | Rdr |26                                                                       |     | REQA         
    3491218 |    3493586 | Tag |44  00                                                                   |     |           
    3908190 |    3910654 | Rdr |93  20                                                                   |     | ANTICOLL         
    3911826 |    3917650 | Tag |88  04  5d  81  50                                                       |     |           
    4327390 |    4337854 | Rdr |93  70  88  04  5d  81  50  08  c0                                       |  ok | SELECT_UID         
    4339090 |    4342610 | Tag |04  da  17                                                               |     |           
    4773704 |    4776168 | Rdr |95  20                                                                   |     | ANTICOLL-2         
    4777340 |    4783164 | Tag |72  62  60  80  f0                                                       |     |           
    5192924 |    5203388 | Rdr |95  70  72  62  60  80  f0  b6  5c                                       |  ok | SELECT_UID-2         
    5204624 |    5208208 | Tag |00  fe  51                                                               |     |           
    5598678 |    5606902 | Rdr |1b  be  26  be  3f  cc  80                                               |  ok | PWD-AUTH KEY: 0xbe26be3f         
    5609034 |    5613706 | Tag |ab  be  02  09                                                           |     |

Offline

#16 2020-05-17 17:22:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

Great!

So far it looks like a simple PACK algo.
PACK =  0xAB PWD[0]

 UID                  | PWD         | PACK 
----------------------+-------------+-----------
 04 A8 1D 12 DE 5F 80 | da e5 57 96 | ab da
 04 5D 81 72 62 60 80 | be 26 be 3f | ab be

Offline

#17 2021-11-04 18:59:15

mistalowalowa
Contributor
Registered: 2021-11-03
Posts: 2

Re: Xiaomi Air Purifier

Hey guys, my UID is 04:CA:B2:2A:33:70:80
Could anyone generate my tag password? Would be super nice, I don't have my proxmark yet, trying to unlock the tag with my android phone.

Thanks!

Offline

#18 2022-01-23 14:33:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

Ok,   since the pwdgen algo was identified by Doegox,   it has already been implemented into the pm3 client.

hf mfu pwdgen --uid 04CAB22A337080

gives

8345CF3D

Offline

#19 2023-09-11 16:05:46

Vitaliy86
Contributor
Registered: 2021-04-11
Posts: 5

Re: Xiaomi Air Purifier

Del

Last edited by Vitaliy86 (2023-09-11 21:59:28)

Offline

#20 2023-09-11 16:34:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

see if you can collect UID/PWD samples.

Offline

#21 2023-09-11 17:02:47

Vitaliy86
Contributor
Registered: 2021-04-11
Posts: 5

Re: Xiaomi Air Purifier

Xiaomi Mi Air Purifier A1 (MJXFJ-150-A1)

Last edited by Vitaliy86 (2023-09-23 06:09:55)

Offline

#22 2023-09-11 17:04:11

Vitaliy86
Contributor
Registered: 2021-04-11
Posts: 5

Re: Xiaomi Air Purifier

..

Last edited by Vitaliy86 (2023-09-23 06:10:19)

Offline

#23 2023-09-17 02:10:46

Vitaliy86
Contributor
Registered: 2021-04-11
Posts: 5

Re: Xiaomi Air Purifier

iceman wrote:

see if you can collect UID/PWD samples.

Need more samples?

Offline

#24 2023-09-17 10:08:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Xiaomi Air Purifier

yes,
need to collect all UID / PWD / PACK.

simulate with a uid of all zeros.   then make a one bit change across the uid and collect all pwd/pack.

Offline

#25 2024-02-14 15:46:56

sarange
Contributor
Registered: 2024-02-10
Posts: 2

Re: Xiaomi Air Purifier

Hey guys,

If you are still interested about the PACK that the real tag gives, I think I got it. I can only read either the reader or the tag at any given time because I can't put the proxmark in between.

TAG:

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       2368 | Tag |44  00                                                                   |     | 
     154208 |     160096 | Tag |88  04  84  5a  52                                                       |     | 
     341696 |     345216 | Tag |04  da  17                                                               |     | 
     487776 |     493600 | Tag |52  a1  70  80  03                                                       |     | 
     667136 |     670720 | Tag |00  fe  51                                                               |     | 
     872496 |     877168 | Tag |00  00  a0  1e                                                           |     | 
    1007600 |    1028400 | Tag |00  00  41  50  00  00  31  31  00  21  03  27  00  31  73  66  2b  fa   |     | 
    1270160 |    1291024 | Tag |00  00  31  31  00  21  03  27  00  31  73  66  56  80  4f  01  4e  2f   |     | 
    1432512 |    1453312 | Tag |00  21  03  27  00  31  73  66  56  80  4f  01  00  00  00  00  ce  db   |     | 
    1595216 |    1616016 | Tag |00  31  73  66  56  80  4f  01  00  00  00  00  00  00  00  00  32  f0   |     | 
    1757920 |    1778784 | Tag |56  80  4f  01  00  00  00  00  00  00  00  00  00  00  00  00  bd  a4   |     | 

Reader:

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       1056 | Rdr |26                                                                       |     | 
     151280 |     153744 | Rdr |93  20                                                                   |     | 
     318656 |     329120 | Rdr |93  70  88  04  84  5a  52  98  4b                                       |     | 
     471488 |     473952 | Rdr |95  20                                                                   |     | 
     644096 |     654624 | Rdr |95  70  52  a1  70  80  03  b2  62                                       |     | 
     851712 |     859936 | Rdr |1b  8a  7f  5f  60  1c  fb                                               |     | 
     990320 |     995024 | Rdr |30  04  26  ee                                                           |     | 
    1252544 |    1257248 | Rdr |30  05  af  ff                                                           |     | 
    1415248 |    1420016 | Rdr |30  06  34  cd                                                           |     | 
    1577936 |    1582704 | Rdr |30  07  bd  dc                                                           |     | 
    1740640 |    1745344 | Rdr |30  08  4a  24                                                           |     | 

So the PACK is most likely 0000a01e here. The UID of the tag is 04845A52A17080 and the password is 8a7f5f60.

As for simulating the UIDs and getting the trace, I am not sure if it's feasible becasue the reader initiates a connection only once. After that, you need to "simulate" the back cover being opened, then closed and the power button needs to be pressed again.

If anyone wants to collect the above info for their tag:

  • Tag: put the proxmark inside the filter and fit it inside the purfier.

  • Reader: put the filter beneath the purifier with the tag pointed up, and the proxmark inside the purifier.

Also, block 6 for me is 00210327, so I speculate that maybe it's the production date in the form "00YYMMDD".

Offline

Board footer

Powered by FluxBB