Question: Mi Band 3 NFC to open doors?

prixes (New member, joined Aug 8, 2019) #61
Don't even try with this mod... I already wrote that it just disconnects you from their services, so it will just get stuck when you click on the NFC menu...
Make an account with the region set to China... and you will reach the ID verification process; from there on we need some reverse engineering :)
I tried scanning cards on my screen and even using a Chinese VPN (not sure if I successfully redirected the connection through the proxy), but it didn't work.
Someone said that he succeeded with a printed picture... But I don't have a printer, so no such option for me.
I am sure that there is some toggle/boolean field in the app that tells whether the account is verified; if someone finds it, we will crack it.
 

bobleponge (New member, joined Dec 2, 2019) #62
Can someone with working NFC capture the Bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band, and also when "learning" an NFC tag and when "saving" the tag to the band?

I've tried to decompile the MiFit app, but it's a real mess with the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...
 

rendal (Well-known member, Contributor, joined Aug 29, 2018) #63
> Can someone with working NFC capture the Bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band, and also when "learning" an NFC tag and when "saving" the tag to the band?
>
> I've tried to decompile the MiFit app, but it's a real mess with the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...

There is another way. All you have to do is create a "blank card". The "blank card" can only be changed (overwritten) through NFC. All that is needed is a modified firmware with hard-defined "blank cards".
 

bobleponge (New member, joined Dec 2, 2019) #64
Not sure I'm getting what you are saying.

I want to reverse engineer the Bluetooth protocol used to:
1. Enable the NFC feature on the band
2. Tell it to learn a new tag (basically, run an EnlistTag command to get the NFC tag's UID)
3. Tell the band to associate this UID with some name (so it can be selected on the band when emulating)

The NFC blank card emulation would only work for one card (because once the blank card is programmed by your own system, it'll/should not change to work with your system). Also, I'm not sure if the band is able to store 5 complete Mifare Classic cards in its own memory or if it's only storing the UIDs of the tags and replaying them.
 

Safb (New member, joined Nov 5, 2019) #65
> Can someone with working NFC capture the Bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band, and also when "learning" an NFC tag and when "saving" the tag to the band?
>
> I've tried to decompile the MiFit app, but it's a real mess with the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...

You can try decompiling the Amazfit application; it has the same features that MiFit has, only a different design and less obfuscated code.
 

bobleponge (New member, joined Dec 2, 2019) #66
You're right. The code is less obfuscated. Yet, they are abstracting away the NFC code via an abstract interface, and they inject at runtime the methods for this interface depending on the currently selected band/watch. So unless someone with a working NFC band can capture the Bluetooth packets, I'm not able to tell what to put in the Bluetooth packets to enable NFC and work with the band's NFC tag capture.

Also, the authentication happens remotely (as in this code):

    public final void faceNetworkAuthorization(final @NotNull Context context) {
        Intrinsics.checkParameterIsNotNull((Object)context, "appContext");
        // The license check runs on the IO scheduler; the subscription is kept in field f.
        this.f = Observable.just("").subscribeOn(Schedulers.io()).map(new Function<T, R>() {

            public final boolean a(@NotNull String it) {
                Intrinsics.checkParameterIsNotNull(it, "it");
                Manager manager = new Manager(context);
                IDCardQualityLicenseManager licenseManager = new IDCardQualityLicenseManager(context);
                manager.registerLicenseManager((ILicenseManager)licenseManager);
                // Fetches the ID-card-quality license from the network, keyed by a device UUID.
                manager.takeLicenseFromNetwork(Util.getUUIDString(context));
                // Authorized only if a license is now cached locally.
                boolean bl2 = licenseManager.checkCachedLicense() > 0L;
                return bl2;
            }
        }); // the rest of the operator chain was not included in the post
    }
 

Safb (New member, joined Nov 5, 2019) #67
> Can someone with working NFC capture the Bluetooth packets (Bluetooth sniffing on Android) while enabling the NFC feature on the band, and also when "learning" an NFC tag and when "saving" the tag to the band?
>
> I've tried to decompile the MiFit app, but it's a real mess with the NFC feature. I think it'll be much easier to start from scratch and send the appropriate commands to the band...

I found a chat in Telegram about NFC, "Mtool". One guy helped me to get his Bluetooth packets from a Mi Band 3; bad news, he told me that it looks encrypted, he didn't see the card UID in the packets.

I had to rename it to txt to put it here; the file was cfa format.
I guess he used Frame Display to read it.
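The capture requested in #62 (an Android HCI snoop log taken while NFC is enabled and a tag is learned) and the "looks encrypted, no UID visible" observation above can both be checked offline with a small parser. The following is an added example, not code from the thread or from Xiaomi/Huami: it reads the btsnoop format Android writes (version 1, datalink 1002 = HCI H4), keeps only the ATT PDUs that carry an attribute handle (writes, notifications, indications), and searches their values for a card UID you already know, in both byte orders. The embedded sample log, its connection and attribute handles, and the UID DE AD BE EF are constructed for the demonstration.

```python
"""List ATT writes/notifications from an Android btsnoop_hci.log and look for a known UID.

Added example (not from the thread). Assumes btsnoop version 1, datalink 1002 (HCI H4)
and plain ATT over L2CAP CID 0x0004; fragmented L2CAP SDUs are not reassembled.
"""
import struct
from collections import namedtuple

BTSNOOP_MAGIC = b"btsnoop\x00"
BTSNOOP_EPOCH_OFFSET_US = 0x00DCDDB30F2F8000  # microseconds from 0000-01-01 to 1970-01-01
H4_ACL_DATA = 0x02
L2CAP_CID_ATT = 0x0004
# ATT opcodes whose PDU starts with a 16-bit attribute handle
ATT_HANDLE_OPCODES = {0x12: "WriteReq", 0x52: "WriteCmd", 0x1B: "Notify", 0x1D: "Indicate"}

AttPdu = namedtuple("AttPdu", "unix_ts direction opcode handle value")


def btsnoop_ts_to_unix(ts_us):
    """btsnoop timestamps count microseconds since year 0; convert to UNIX seconds."""
    return (ts_us - BTSNOOP_EPOCH_OFFSET_US) / 1e6


def iter_btsnoop_records(data):
    """Yield (timestamp_us, flags, packet_bytes) for every record in a btsnoop blob."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != 1002:
        raise ValueError("unsupported btsnoop version/datalink: %d/%d" % (version, datalink))
    off = 16
    while off + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, ts_us = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        yield ts_us, flags, data[off:off + incl_len]
        off += incl_len


def extract_att_pdus(data):
    """Return the ATT PDUs that carry an attribute handle (writes, notifications, indications)."""
    pdus = []
    for ts_us, flags, pkt in iter_btsnoop_records(data):
        if len(pkt) < 10 or pkt[0] != H4_ACL_DATA:
            continue  # HCI commands/events never carry ATT; shorter ACL frames cannot hold a PDU
        handle_flags, _acl_len = struct.unpack("<HH", pkt[1:5])
        if (handle_flags >> 12) & 0x3 == 0x1:
            continue  # continuation fragment of a longer L2CAP SDU; not reassembled here
        l2cap_len, cid = struct.unpack("<HH", pkt[5:9])
        if cid != L2CAP_CID_ATT:
            continue
        att = pkt[9:9 + l2cap_len]
        if len(att) < 3 or att[0] not in ATT_HANDLE_OPCODES:
            continue
        (attr_handle,) = struct.unpack("<H", att[1:3])
        direction = "host->band" if flags & 0x1 == 0 else "band->host"  # flags bit 0: 0 sent, 1 received
        pdus.append(AttPdu(btsnoop_ts_to_unix(ts_us), direction,
                           ATT_HANDLE_OPCODES[att[0]], attr_handle, att[3:]))
    return pdus


def find_uid(pdus, uid_hex):
    """Indices of PDUs whose value contains the UID, as written or byte-reversed."""
    uid = bytes.fromhex(uid_hex)
    needles = (uid, uid[::-1])
    return [i for i, p in enumerate(pdus) if any(n in p.value for n in needles)]


def _record(flags, pkt, ts_us=BTSNOOP_EPOCH_OFFSET_US + 1_575_738_535_000_000):
    """Build one btsnoop record around an H4 packet (constructed sample data)."""
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, ts_us) + pkt


def _acl_att(conn_handle, att):
    """Wrap an ATT PDU in L2CAP (CID 4) and an HCI ACL header with PB flag 'first packet'."""
    l2cap = struct.pack("<HH", len(att), L2CAP_CID_ATT) + att
    return bytes([H4_ACL_DATA]) + struct.pack("<HH", conn_handle | (0x2 << 12), len(l2cap)) + l2cap


# Constructed sample capture (not from the thread): an HCI_Reset command, a write command,
# a notification carrying the made-up UID DE AD BE EF in little-endian order, and a write
# request that does not contain it.
SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
    + _record(2, b"\x01\x03\x0c\x00")                                         # HCI_Reset, sent
    + _record(0, _acl_att(0x0040, b"\x52\x20\x00\x01\x00"))                   # WriteCmd, handle 0x0020
    + _record(1, _acl_att(0x0040, b"\x1b\x21\x00\x10\xef\xbe\xad\xde\x00"))   # Notify, handle 0x0021
    + _record(0, _acl_att(0x0040, b"\x12\x20\x00\x02\x00"))                   # WriteReq, handle 0x0020
)

if __name__ == "__main__":
    pdus = extract_att_pdus(SAMPLE_LOG)
    for p in pdus:
        print("%.6f %-10s %-8s 0x%04x %s" % (p.unix_ts, p.direction, p.opcode, p.handle, p.value.hex()))
    print("PDUs containing the known UID:", find_uid(pdus, "deadbeef"))
```

Against a real btsnoop_hci.log, replace SAMPLE_LOG with the file's bytes; if the UID of a card you own never shows up in any value while the band clearly learned it, the payload is at least encoded, which is the situation described in the post. A .cfa capture would first need exporting to btsnoop or pcap from the tool that produced it.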
 


lemaki (New member, joined Dec 9, 2019) #68
I've been trying to unlock NFC for a while too. Tried with a Chinese account, but couldn't pass verification. Tried with MiFit Mod+ 4.07 but couldn't either; tried looking at the decompiled APK but no luck either. Didn't think about Amazfit, might try it out later.

Maybe we could also try with older versions of MiFit or Amazfit; maybe there is less obfuscation with old APKs?
 
(joined Dec 2, 2019) #69
As far as I understand the code (it's complex), they are querying some license from the network based on the information of your band and probably your phone too. So unless we can capture this communication, we'll not be able to figure out the encryption keys by only capturing Bluetooth packets.

Yet, we can capture the packet that starts the NFC (Bluetooth) service on the band (I doubt it's encrypted), and we *might* be able to reproduce the communication to Xiaomi or Huami servers that is done in that software to get the license's keys. That's kind of like the auth key (and it's probably derived from it).
 

Safb (New member, joined Nov 5, 2019) #70
> I found a chat in Telegram about NFC, "Mtool". One guy helped me to get his Bluetooth packets from a Mi Band 3; bad news, he told me that it looks encrypted, he didn't see the card UID in the packets.
>
> I had to rename it to txt to put it here; the file was cfa format.
> I guess he used Frame Display to read it.

I noticed that the file I attached is not shown in the message.
Here is a link: hci_snoop_2019_12_07_17_28_55.cfa
 
(joined Aug 13, 2019) #71
Same situation, NFC doesn't work :(

Mi Band 4 with a China account, but I cannot pass the ID card check.
I have printed a lot of fake ID cards from Google and from "myfakeinfo", but the Mi Band shows only "just a sec..".

Has anyone really cheated the app?
 
(joined Aug 13, 2019) #73
I use the official Mi Band app v. 4.0.14; I see "just a sec" for 20/30 sec, after that I don't receive any message and the phone stays at the step with the front/back image of the ID.
Were you able to pass the check? Can you share your fake ID?
 

Safb (New member, joined Nov 5, 2019) #76
After the last official update of MiFit, Mi Band 4 with NFC (China account) stopped asking for my ID card. Maybe they removed it?? I successfully added an empty card and copied my NFC door card.
 

rendal (Well-known member, Contributor, joined Aug 29, 2018) #77
> After the last official update of MiFit, Mi Band 4 with NFC (China account) stopped asking for my ID card. Maybe they removed it?? I successfully added an empty card and copied my NFC door card.

Yes, I confirm. NFC cards are also freely available on Mi Band 3, without authentication via a Chinese personal identification card. Excellent.
 

Juaniyo (New member, joined Aug 9, 2019) #78
> After the last official update of MiFit, Mi Band 4 with NFC (China account) stopped asking for my ID card. Maybe they removed it?? I successfully added an empty card and copied my NFC door card.

I stopped updating MiFit at 4.0.17. After this version, NFC cards stored in the Mi Band 4 are deleted when unpairing the band from the phone (needed to change from the fake Chinese account used to create NFC cards).

So does this new update also mean staying on the Chinese account, otherwise the cards will also be deleted? Has anyone checked this out?
 
