Question Mi Band 3 NFC to open doors?

prixes

New member
Joined
Aug 8, 2019
Messages
7
Likes
0
Points
1
#61
dont even try with this mod ... i already wrote it that it just disconnects you from their services so it will just stuck when you click on the NFC menu....
Make account with region set to China ... and you will reach the ID verification process from there on we need some reverse engineering :)
I tried scanning cards on my screen and using even chinese VPN(not sure if i successfully redirected the connection through the proxy), but it didn't work
Some one said that he succeed with printed picture ... But i dont have printer so no such option for me.
I am sure that there is some toggle/boolean field in the app that is telling if account is verified if some one found it we will crack it down
 

bobleponge

New member
Joined
Dec 2, 2019
Messages
4
Likes
0
Points
1
#62
Can someone with the working NFC capture the bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band and also when "learning" a NFC tag and when "saving" the tag to the band ?

I've tried to decompile MiFit app, but it's a real mess with the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
 

rendal

Well-known member
Contributor
Joined
Aug 29, 2018
Messages
913
Likes
764
Points
103
#63
Can someone with the working NFC capture the bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band and also when "learning" a NFC tag and when "saving" the tag to the band ?

I've tried to decompile MiFit app, but it's a real mess with the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
There is another way. All you have to do is create an "blank card". The "blank card" can only be changed (overwritten) through NFC. All that is needed is a modified firmware with hard defined “blank cards”.
 
Last edited:

bobleponge

New member
Joined
Dec 2, 2019
Messages
4
Likes
0
Points
1
#64
Not sure I'm getting what you are saying.

I want to reverse engineer the Bluetooth protocol used to:
1. Enable the NFC feature on the Band
2. Tell it to learn a new tag (basically, run a EnlistTag command to get NFC tag's UID)
3. Tell the band to associate this UID with some name (so it can be selected on the band when emulating)

The NFC blank card emulation would only work for one card (because once the blank card is programmed by your own system, it'll/should not change to work with your system). Also, I'm not sure if the band is able to store 5 complete Mifare Classic card on its own memory or if it's only storing the UID of the tags and replaying them.
 

Safb

New member
Joined
Nov 5, 2019
Messages
5
Likes
0
Points
1
#65
Can someone with the working NFC capture the bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band and also when "learning" a NFC tag and when "saving" the tag to the band ?

I've tried to decompile MiFit app, but it's a real mess with the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
You can try decompile the Amazfit application, it has same features that MiFit have, only different design and less obfuscation code
 

bobleponge

New member
Joined
Dec 2, 2019
Messages
4
Likes
0
Points
1
#66
You're right. The code is less obfuscated. Yet, they are abstracting away the NFC code via an abstract interface and they inject in runtime the methods for this interface depending on the current selected band/watch. So unless one with a working NFC band can capture the Bluetooth packets, I'm not able to tell what to put in bluetooth packet's to enable NFC and work with the band's NFC tag capture.

Also, the authentication happens remotely (as in this code:
public final void faceNetworkAuthorization(final @NotNull Context context) {
Intrinsics.checkParameterIsNotNull((Object)context, "appContext");
this.f = Observable.just("").subscribeOn(Schedulers.io()).map(new Function<T, R>(){


public final boolean a(@NotNull String object) {
Intrinsics.checkParameterIsNotNull(object, "it");
Manager manager = new Manager(context);
object = new IDCardQualityLicenseManager(context);
manager.registerLicenseManager((ILicenseManager)object);
manager.takeLicenseFromNetwork(Util.getUUIDString(context));
boolean bl2 = ((IDCardQualityLicenseManager)object).checkCachedLicense() > 0L;
return bl2;
}
 
Last edited:

Safb

New member
Joined
Nov 5, 2019
Messages
5
Likes
0
Points
1
#67
Can someone with the working NFC capture the bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band and also when "learning" a NFC tag and when "saving" the tag to the band ?

I've tried to decompile MiFit app, but it's a real mess with the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
I found chat in telegram about NFC - "Mtool". One guy help me to get his Bluetooth packets from mi band 3, bad news he told me that it look like encrypted, he didn't see the card uid in packages.


I had to rename it to txt, to put it here, file was cfa format.
I guess he use FraME DISPLAY to read it.
 

Attachments

lemaki

New member
Joined
Dec 9, 2019
Messages
1
Likes
0
Points
1
#68
I've been trying to unlock nfc for a while too. Tried whith a chinese account, but couldn't pass verification. Tried with Mifit Mod+ 4.07 but coundn't either, tried looking at the decompiled apk but no luck either. Didn't think about Amazfit, might try it out later.

Maybe we could also try with older versions of Mifit or Amazfit, maybe there is less obfuscation with old apks ?
 
Joined
Dec 2, 2019
Messages
4
Likes
0
Points
1
#69
As far as I understand the code (it's complex), they are querying some license from the network based on the information of your band and probably your phone too. So unless we can capture this communication, we'll not be able to figure out the encryption keys by only capturing Bluetooth packets.

Yet, we can capture the packet that's starting the NFC (Bluetooth) service on the band (I doubt it's encrypted), and we *might* be able to reproduce the communication to Xiaomi or Huami servers that's done in those software to get the license's keys. That's kindly like the auth key (and it probably derived from it).
 

Safb

New member
Joined
Nov 5, 2019
Messages
5
Likes
0
Points
1
#70
I found chat in telegram about NFC - "Mtool". One guy help me to get his Bluetooth packets from mi band 3, bad news he told me that it look like encrypted, he didn't see the card uid in packages.


I had to rename it to txt, to put it here, file was cfa format.
I guess he use FraME DISPLAY to read it.
I notice that file I attached not shown in message.
Here a link: hci_snoop_2019_12_07_17_28_55.cfa
 
Joined
Aug 13, 2019
Messages
12
Likes
0
Points
1
#71
same situation, NFC donesn't work :(

Mi band 4 with China account, but I cannot pass control of ID card.
I have print a lot of fake ID card from google and from "myfakeinfo" but mi band show only "just a sec..".

has anyone really cheated the app?
 
Joined
Aug 13, 2019
Messages
12
Likes
0
Points
1
#73
I use official MI band app v. 4.0.14, I see "just a sec" for 20/30sec, after that I don' t receive any message and phone stay at step with front/back image of ID.
Did you able to pass the check? Can you share your fake ID?
 

Safb

New member
Joined
Nov 5, 2019
Messages
5
Likes
0
Points
1
#76
After last officially update of MiFit, mi band 4 with nfc (china account) stopped ask for my ID card. Maybe they removed it?? I successfully added empty card and copy nfc door card ?
 

rendal

Well-known member
Contributor
Joined
Aug 29, 2018
Messages
913
Likes
764
Points
103
#77
After last officially update of MiFit, mi band 4 with nfc (china account) stopped ask for my ID card. Maybe they removed it?? I successfully added empty card and copy nfc door card ?
Yes, I confirm. NFC cards are also freely available on Mi Band 3, without authentication via a Chinese personal identification card. Excellent ?
 

Juaniyo

New member
Joined
Aug 9, 2019
Messages
11
Likes
2
Points
3
#78
After last officially update of MiFit, mi band 4 with nfc (china account) stopped ask for my ID card. Maybe they removed it?? I successfully added empty card and copy nfc door card ?
I stopped updating MiFit in 4.0.17. After this version NFC cards stored in Mi Band 4 are deleted when unpairing the band from the phone (needed to change from fake Chinese account used to create NFC cards).

So this new update also mean to remain in the Chinese account otherwise the cards will be also deleted? Does anyone check this out?
 

Trusted Store

Members online

No members online now.

Our Telegram Channel

Which color of official strap would you like to buy for your Mi Band 3?

  • Black

    Votes: 2,156 52.8%
  • Deep Blue

    Votes: 1,197 29.3%
  • Redish Orange

    Votes: 729 17.9%

Forum statistics

Threads
2,450
Messages
40,615
Members
211,963
Latest member
mcioclu
Top