Question: Mi Band 3 NFC to open doors?

prixes

#61
Don't even try with this mod... I already wrote that it just disconnects you from their services, so it will just get stuck when you click on the NFC menu.
Make an account with the region set to China... and you will reach the ID verification process. From there on we need some reverse engineering :)
I tried scanning cards on my screen and even using a Chinese VPN (not sure if I successfully redirected the connection through the proxy), but it didn't work.
Someone said that he succeeded with a printed picture... But I don't have a printer, so no such option for me.
I am sure that there is some toggle/boolean field in the app that tells whether the account is verified. If someone finds it, we will crack it down.
 

bobleponge

#62
Can someone with working NFC capture the Bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band, and also when "learning" an NFC tag and when "saving" the tag to the band?

I've tried to decompile the MiFit app, but it's a real mess around the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
 

rendal

#63
Can someone with working NFC capture the Bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band, and also when "learning" an NFC tag and when "saving" the tag to the band?

I've tried to decompile the MiFit app, but it's a real mess around the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
There is another way. All you have to do is create a "blank card". The "blank card" can only be changed (overwritten) through NFC. All that is needed is a modified firmware with hard-defined "blank cards".
 

bobleponge

#64
Not sure I'm getting what you are saying.

I want to reverse engineer the Bluetooth protocol used to:
1. Enable the NFC feature on the Band
2. Tell it to learn a new tag (basically, run an EnlistTag command to get the NFC tag's UID)
3. Tell the band to associate this UID with some name (so it can be selected on the band when emulating)

The NFC blank card emulation would only work for one card (because once the blank card is programmed by your own system, it'll/should not change to work with your system). Also, I'm not sure if the band is able to store 5 complete Mifare Classic cards in its own memory or if it's only storing the UIDs of the tags and replaying them.
 

Safb

#65
Can someone with working NFC capture the Bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band, and also when "learning" an NFC tag and when "saving" the tag to the band?

I've tried to decompile the MiFit app, but it's a real mess around the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
You can try decompiling the Amazfit application; it has the same features that MiFit has, only a different design and less obfuscated code.
 

bobleponge

#66
You're right. The code is less obfuscated. Yet, they are abstracting away the NFC code via an abstract interface and inject at runtime the methods for this interface depending on the currently selected band/watch. So unless someone with a working NFC band can capture the Bluetooth packets, I'm not able to tell what to put in the Bluetooth packets to enable NFC and work with the band's NFC tag capture.

Also, the authentication happens remotely (as in this code):

public final void faceNetworkAuthorization(final @NotNull Context context) {
    Intrinsics.checkParameterIsNotNull((Object)context, "appContext");
    // Runs on the IO scheduler: the "verified" decision is a license fetched from the network,
    // not something computed locally from the band.
    this.f = Observable.just("").subscribeOn(Schedulers.io()).map(new Function<String, Boolean>() {

        public Boolean apply(@NotNull String it) {
            Intrinsics.checkParameterIsNotNull(it, "it");
            Manager manager = new Manager(context);
            // The decompiler reused the String parameter for this object; it is its own local here.
            IDCardQualityLicenseManager licenseManager = new IDCardQualityLicenseManager(context);
            manager.registerLicenseManager((ILicenseManager)licenseManager);
            // License request keyed on a per-device UUID
            manager.takeLicenseFromNetwork(Util.getUUIDString(context));
            // Success simply means a cached license is now present
            return licenseManager.checkCachedLicense() > 0L;
        }
    });
}
 
Joined Nov 5, 2019, 4 messages
#67
Can someone with working NFC capture the Bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band, and also when "learning" an NFC tag and when "saving" the tag to the band?

I've tried to decompile the MiFit app, but it's a real mess around the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
I found a chat on Telegram about NFC - "Mtool". One guy helped me get his Bluetooth packets from a Mi Band 3; bad news, he told me that it looks encrypted, he didn't see the card UID in the packets.


I had to rename it to .txt to put it here; the file was in .cfa format.
I guess he used Frame Display to read it.
 


Joined Dec 9, 2019, 1 message
#68
I've been trying to unlock NFC for a while too. Tried with a Chinese account, but couldn't pass verification. Tried with MiFit Mod+ 4.07 but couldn't either; tried looking at the decompiled APK but no luck either. Didn't think about Amazfit, might try it out later.

Maybe we could also try with older versions of MiFit or Amazfit; maybe there is less obfuscation in old APKs?
 
Joined Dec 2, 2019, 4 messages
#69
As far as I understand the code (it's complex), they are querying some license from the network based on the information of your band and probably your phone too. So unless we can capture this communication, we'll not be able to figure out the encryption keys by only capturing Bluetooth packets.

Yet, we can capture the packet that starts the NFC (Bluetooth) service on the band (I doubt it's encrypted), and we *might* be able to reproduce the communication to Xiaomi or Huami servers that's done in that software to get the license's keys. That's kind of like the auth key (and it's probably derived from it).
 
Joined Nov 5, 2019, 4 messages
#70
I found a chat on Telegram about NFC - "Mtool". One guy helped me get his Bluetooth packets from a Mi Band 3; bad news, he told me that it looks encrypted, he didn't see the card UID in the packets.


I had to rename it to .txt to put it here; the file was in .cfa format.
I guess he used Frame Display to read it.
I noticed that the file I attached is not shown in the message.
Here is a link: hci_snoop_2019_12_07_17_28_55.cfa
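The capture request in #62 and the "looks encrypted, no UID in the packets" finding in #67/#70 come down to one check: walk the HCI log, pull out what the app writes to the band over GATT, and see whether the card UID ever crosses the link in the clear. The script below is an added example for this thread, not code from MiFit, Amazfit, Mtool or any poster. It assumes the capture is in btsnoop format with H4 framing (what Android's "Bluetooth HCI snoop log" developer option writes; the .cfa file linked above is a Frontline format and would first have to be converted to btsnoop, which is assumed possible), and that phone-to-band data travels as ATT Write Request/Command PDUs on L2CAP channel 4. It lists ATT writes and notifications with their handles and searches their values for a given UID in both byte orders. The embedded capture, UID and attribute handles are constructed for the example and are not from a real band.

```python
"""List ATT traffic in a btsnoop HCI log and search it for a card UID.

Added example for this thread; not code from MiFit, Amazfit, Mtool or any
poster. Assumes btsnoop v1 with H4 framing (what Android's "Bluetooth HCI
snoop log" writes) and that the app talks to the band over GATT, so app data
rides in ATT Write Request/Command PDUs. SAMPLE_LOG below is constructed.
"""
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002          # btsnoop datalink value for HCI UART (H4)
H4_ACL = 0x02               # H4 packet type byte for ACL data
ATT_CID = 0x0004            # L2CAP fixed channel for ATT
ATT_WRITE_REQ = 0x12
ATT_WRITE_CMD = 0x52
ATT_HANDLE_VALUE_NTF = 0x1B
HANDLE_OPCODES = (ATT_WRITE_REQ, ATT_WRITE_CMD, ATT_HANDLE_VALUE_NTF)


def iter_records(blob):
    """Yield (flags, timestamp_us, packet) for each btsnoop record."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError("unsupported btsnoop version/datalink %d/%d" % (version, datalink))
    off = 16
    while off + 24 <= len(blob):
        # record header: orig_len, incl_len, flags, cumulative drops, timestamp (us)
        _orig, incl, flags, _drops, ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        yield flags, ts, blob[off:off + incl]
        off += incl


def att_pdus(blob):
    """Yield (direction, handle, opcode, value) for ATT PDUs carried in ACL packets.

    direction is 'out' (phone -> band) or 'in' (band -> phone), from btsnoop
    flag bit 0. Only the first fragment of an L2CAP frame is decoded;
    continuation fragments (PB flag 01) carry no L2CAP header and are skipped.
    """
    for flags, _ts, pkt in iter_records(blob):
        if len(pkt) < 9 or pkt[0] != H4_ACL:
            continue
        acl_hdr, _acl_len = struct.unpack("<HH", pkt[1:5])
        if (acl_hdr >> 12) & 0x3 == 0x1:
            continue
        l2_len, cid = struct.unpack("<HH", pkt[5:9])
        if cid != ATT_CID or l2_len == 0:
            continue
        att = pkt[9:9 + l2_len]
        direction = "in" if flags & 0x1 else "out"
        opcode = att[0]
        if opcode in HANDLE_OPCODES and len(att) >= 3:
            handle = struct.unpack("<H", att[1:3])[0]
            yield direction, handle, opcode, att[3:]
        else:
            yield direction, None, opcode, att[1:]


def find_uid(blob, uid):
    """Return (direction, handle, opcode) for every PDU whose value contains uid
    in either byte order. No hit for a UID you know was enrolled during the
    capture is consistent with the payload being encrypted (or with the band
    never receiving the raw UID at all)."""
    rev = bytes(reversed(uid))
    return [(d, h, op) for d, h, op, val in att_pdus(blob) if uid in val or rev in val]


# --- constructed sample capture (fake UID, fake handles, fake payloads) -------
def _record(flags, pkt):
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, 0) + pkt


def _acl_att(opcode, handle, value, conn_handle=0x0040):
    att = bytes([opcode]) + struct.pack("<H", handle) + value
    l2 = struct.pack("<HH", len(att), ATT_CID) + att
    return bytes([H4_ACL]) + struct.pack("<HH", conn_handle, len(l2)) + l2


SAMPLE_UID = bytes.fromhex("04a2b3c4")   # constructed, not a real card
SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
    + _record(0x0, _acl_att(ATT_WRITE_CMD, 0x0041, b"\x01\x00" + SAMPLE_UID))           # UID in clear
    + _record(0x0, _acl_att(ATT_WRITE_CMD, 0x0045, bytes.fromhex("9f3b7e11d02c8a54")))  # opaque blob
    + _record(0x1, _acl_att(ATT_HANDLE_VALUE_NTF, 0x0041, b"\x10\x01\x01"))             # band reply
)

if __name__ == "__main__":
    for d, h, op, val in att_pdus(SAMPLE_LOG):
        print("%-3s handle=%s opcode=0x%02x value=%s" % (d, h, op, val.hex()))
    print("UID hits:", find_uid(SAMPLE_LOG, SAMPLE_UID))
```

Run it against a real btsnoop file by reading the file into `blob` and calling `find_uid(blob, uid)` with the UID of a card you enrolled during the capture. A hit tells you which handle carries the UID and in which order; no hit on any handle, while writes with high-entropy values do appear, matches the thread's observation and means the interesting key material has to come from the app side (the license exchange in #66/#69) rather than from the radio.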