Unethical Info Fights Back Against Forced Filter Replacement with a Xiaomi Air Purifier DRM Guide

Xiaomi's RFID-based filter management system gets a workaround, allowing you to replace the filter on your own schedule.

Gareth Halfacree
6 months ago | Security / HW101 / Sustainability

Pseudonymous tinkerer "Unethical Info," hereafter simply "Info," has written a guide to breaking the digital rights management (DRM) on a Xiaomi 4 Pro air purifier — after the system decided the filter had reached end-of-life long before it should have required replacement.

"I searched the web for a deal on a decent air purifier and the Xiaomi 4 Pro seemed to meet all my requirements. The filter size, scheduler and air volume ticked all the boxes," Info explains. "I set it up and thought nothing of it until last week my room was lit with the ‘0% remaining’ replace filter warning. I had set my unit up to disable the LCD so this was an unwelcome surprise. I dismissed the warning by clicking the user button to dismiss the error and 15 minutes later it lit up my room again…"

Where many air purifiers rely on the user's honesty and allow the filter to be marked as replaced with nothing more than a simple push of a button, the Xiaomi 4 Pro opted for an approach which will be familiar to anyone with a modern inkjet printer: a chip attached to the bottom of the consumable filter, communicating with a Radio-Frequency Identification (RFID) reader in the air purifier itself.

Finding that a fellow tinkerer, Flamingo Tech, had already figured out the format of the tag, and learning that the password to unlock the tag had already been discovered by Proxmark users, Info had an idea of what needed to be done to bypass the DRM on the filter. "Flamingo Tech published a script written by Doegox outlining how the password crack works. Despite the title 'This is how they do it!'," Info notes, "he fails to explain the code within the post and uses the blog as a call to action to sell his own tags."

Taking that information as a base, Info has fully detailed how the password generator works and extended it to allow the RFID tags to be reset from any Near Field Communication (NFC)-capable smartphone or tablet, simply by copying the tag's serial number into a web page and receiving the required filter reset command with the click of a single button.

The full project write-up, and the password generation tool, can be found on Unethical Info's website; the tool should be compatible with the Xiaomi 4, 4 Lite, and 4 Pro, MI PRO, MI PRO H, PRO H, PRO, and 3H, though not all models have been tested.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.