Xiaomi Air Purifier 3H Reverse Engineering Part 3: ESP32 DUMP

Stealing Your password

Yesterday I received a mail from a user named tuxuser. I thought I was alone in the world of Xiaomi Air Purifier poking…

Since more people are getting involved, I decided to put some more information on the web!

I dumped the ESP flash contents using: Link (look closely and you will see that I used the air purifier to generate that content)

Warning: don't use this firmware to recover your device if it's bricked. I made some manual changes to it to remove private info.

I will make a virgin dump that can be used for recovery purposes.

Let's do a visual analysis of the data:

Upload the binary to https://binvis.io/ and scroll through the data. The first thing I saw was:

Small data Island in ESP Flash

Let's see:

Oh no….. they did not..

I was flabbergasted to see this… All my network information (SSID, location, passwords) in plain text.


Furthermore, they save the network data and passwords of previous networks as well. Don't forget to wipe your ESP when you sell this thing secondhand…
More interesting: the PSM tokens of the device (which can be used for integration with something like Home Assistant) are located here as well.
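As an added example (not the author's code or tooling), here is the binvis "data island" check done programmatically: scan a flash dump block by block for low Shannon entropy, then pull printable strings out of the flagged blocks, so you can audit your own dump for leftover credentials before passing a device on. The dump below is constructed; the 256-byte block size and the 5.0 bits/byte threshold are assumptions to tune for a real image (ESP32 flash is organised in 4 KiB sectors).

```python
import math
import random
import re

BLOCK = 256          # constructed sample, so blocks are small; use 4096 on a real ESP32 dump
LOW_ENTROPY = 5.0    # bits/byte; compressed or encrypted code sits near 8, plaintext and erased flash well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def low_entropy_blocks(dump: bytes, block: int = BLOCK, threshold: float = LOW_ENTROPY):
    """Return (offset, entropy) for every block that looks like a data island rather than code."""
    hits = []
    for off in range(0, len(dump), block):
        e = shannon_entropy(dump[off:off + block])
        if e < threshold:
            hits.append((off, round(e, 2)))
    return hits


def printable_strings(dump: bytes, hits, block: int = BLOCK, min_len: int = 6):
    """`strings`-style extraction of printable ASCII runs, restricted to the flagged blocks."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    found = []
    for off, _ in hits:
        found += [m.group().decode("ascii") for m in re.finditer(pattern, dump[off:off + block])]
    return found


def build_sample_dump() -> bytes:
    """Constructed stand-in for a flash dump: random 'firmware' with one plaintext island at 0x400."""
    rng = random.Random(1)

    def noise() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(BLOCK))

    island = (b"\x00" * 16 + b"wifi.ssid=HomeNet-Constructed\x00"
              + b"wifi.psk=example-password-do-not-use\x00" + b"old.ssid=CoffeeShopGuest\x00")
    island += b"\xff" * (BLOCK - len(island))   # unused flash reads back as 0xff
    return b"".join(noise() for _ in range(4)) + island + b"".join(noise() for _ in range(3))


if __name__ == "__main__":
    dump = build_sample_dump()
    hits = low_entropy_blocks(dump)
    for off, e in hits:
        print(f"low-entropy block at 0x{off:06x} ({e} bits/byte):", printable_strings(dump, [(off, e)]))
```

On a real dump, any SSID or passphrase that shows up in the flagged blocks is what a secondhand buyer would find too.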

From now on when I need someone’s WIFI password:

me.

The following IP addresses and URL are hard-coded in the device:

110.43.0.85
110.43.0.83
http://dlg.io.mi.com

By blocking these addresses, the air purifier won't be able to call home.

Parts in this series:
Part 1 header information
Part 2 Fremont EEPROM dump
