shihaam/thijooree
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 8 Wiki Activity
Files
256f216da4fe2f13e7e4333aad8e07705a41939e
thijooree/docs/mibapi
History
Shihaam Abdul Rahman 256f216da4
All checks were successful
Auto Tag on Version Change / check-version (push) Successful in 4s
Details
update docs
2026-05-23 23:46:00 +05:00
..
01-encryption.md
update docs
2026-05-23 23:46:00 +05:00
02-login.md
update docs
2026-05-23 23:46:00 +05:00
03-accounts.md
update docs
2026-05-23 23:46:00 +05:00
04-history.md
update docs
2026-05-23 23:46:00 +05:00
05-cards.md
update docs
2026-05-23 23:46:00 +05:00
06-financing.md
update docs
2026-05-23 23:46:00 +05:00
07-profile.md
update docs
2026-05-23 23:46:00 +05:00
08-transfer.md
update docs
2026-05-23 23:46:00 +05:00
09-contacts.md
update docs
2026-05-23 23:46:00 +05:00
decrypt.py
working mib login and list accounts
2026-05-14 05:24:11 +05:00
README.md
update docs
2026-05-23 23:46:00 +05:00

README.md

MIB Faisanet API

Reverse-engineered from mv.com.mib.faisamobilex (Faisanet Mobile Banking, React Native / Hermes bytecode v96).

Play Store

Architecture

MIB uses two completely separate backends:

Backend Base URL Auth Used for
Encrypted API https://faisanet.mib.com.mv/faisamobilex_smvc/ Blowfish + DH session key Login, key exchange
WebView host https://faisamobilex-wv.mib.com.mv Session cookies Accounts, history, transfers, contacts, cards, financing

Encrypted API

All calls to the encrypted API are POST / with Content-Type: application/x-www-form-urlencoded; charset=utf-8 and form body:

sfunc=<function_code>&data=<url_encoded_base64_blowfish_ciphertext>

The request JSON is encrypted with Blowfish (ECB, PKCS5) before sending. The response body is also base64-encoded Blowfish ciphertext.

Two keys are used:

Phase Key
sfunc=r (initial key exchange) DEFAULT_KEY (hardcoded in app)
All subsequent requests DH-derived session key

See 01-encryption.md for full details.

WebView Session Auth

After login, all data endpoints use cookie-based auth on faisamobilex-wv.mib.com.mv:

Cookie: mbmodel=IOS-1.0; xxid=<session_xxid>; IBSID=<session_xxid>; mbnonce=<nonceGenerator>; time-tracker=597

These values come from the login flow — xxid and nonceGenerator from the DH key exchange response.

WebView AJAX Headers

All AJAX POST calls also require:

X-Requested-With: XMLHttpRequest
Accept: */*
Origin: https://faisamobilex-wv.mib.com.mv
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

The Referer value varies per endpoint (documented per endpoint).

WebView User-Agent

Mozilla/5.0 (Linux; Android {version}; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/129.0.6668.70 Mobile Safari/537.36

Documents

# File Description
1 01-encryption.md Blowfish encryption, DH key exchange, nonce computation
2 02-login.md Device registration and regular login flows
3 03-accounts.md Select profile, account balances
4 04-history.md Transaction history
5 05-cards.md Debit card list
6 06-financing.md Financing deals
7 07-profile.md Personal profile (HTML scrape)
8 08-transfer.md Account lookup and fund transfer
9 09-contacts.md Beneficiary management

Start here → 01-encryption.md

Reference in New Issue View Git Blame Copy Permalink