Upload arbitrary data via Apple's Find My network.

Overview

Send My

Send My allows you to to upload abritrary data from devices without an internet connection by (ab)using Apple's Find My network. The data is broadcasted via Bluetooth Low Energy and forwarded by nearby Apple devices.

Send my Overview

The application consists of two parts:

  • Firmware: An ESP32 firmware that turns the microcontroller into a serial (upload only) modem
  • DataFetcher: A macOS application used to retrieve, decode and display the uploaded data

Both are based on OpenHaystack, an open source implementation of the Find My Offline Finding protocol.

How it works

Summary: When sending, the data is encoded in the public keys that are broadcasted by the microcontroller. Nearby Apple devices will pick up those broadcasts and forward the data to an Apple backend as part of their location reporting. Those reports can later be retrieved by any Mac device to decode the sent data.

Check https://positive.security/blog/send-my for details.

How to use

The Modem

  1. Change the modem_id (and if desired the data_to_send default message)
  2. Check the Firmware README.md for flashing instructions
  3. After boot, the ESP32 will immediately broadcast the default message in a loop until a new message is received via the serial interface. Messages can be sent to the modem e.g. using the Arduino IDE's Serial Monitor.

ESP32 modem serial output

The DataFetcher

  1. Install OpenHaystack including the AppleMail plugin as explained in https://github.com/seemoo-lab/openhaystack#installation
  2. Run OpenHaystack and ensure that the AppleMail plugin indicator is green
  3. Run the DataFetcher OFFetchReport application (either the Release version or build it yourself by opening DataFetcher/DataFetcher.xcodeproj in XCode and running the OFFetchReport target)
  4. Insert the 4 byte modem_id previously set in the ESP firmware as hex digits
  5. Fetch uploaded messages

Data retrieval macOS app

References

License

Send My is licensed under the GNU Affero General Public License v3.0.

Comments
  • About the public key rolling

    About the public key rolling

    Hi, in your article I noticed that the pairing procedure is: When paring an AirTag with an Apple Device, an Elliptic Curve key pair is generated and the public key is pushed to the AirTag (and a shared secret to generate rolling public keys)

    I’m confused about whether the private key will be stored in the airtag, because from the paper https://arxiv.org/pdf/2103.02282.pdf section 6.1, it seems that if you don’t know the d_i then you can’t calculate the next p_i?

    Would be appreciated if you can clarify this 🤣 thanks!

    opened by itewqq 3
  • OS X 10.11.6 Compatibility

    OS X 10.11.6 Compatibility

    Is it possible to compile the app with greater compatibility for older versions? I'm running 10.11.6 on an old iMac and when I run the OFFetchReports app it says "The application requires OS X 10.15 or later."

    Thanks.

    opened by rawdr 2
  • Problem Flashing with ESP32 (ESPRESSIF)

    Problem Flashing with ESP32 (ESPRESSIF)

    I cant flash on my macbook, its the same error as https://github.com/seemoo-lab/openhaystack/issues/66

    [email protected] ~/D/s/F/ESP32 (main) [1]> ./flash_esp32.sh -p /dev/cu.usbmodem14101 esptool.py v3.1 Found 2 serial ports Serial port /dev/cu.usbmodem14101 Connecting...... Detecting chip type... ESP32 Chip is ESP32-D0WDQ6 (revision 1) Features: WiFi, BT, Dual Core, 240MHz, VRef calibration in efuse, Coding Scheme None Crystal is 40MHz MAC: 3c:61:05:12:48:2c Uploading stub...

    A fatal error occurred: Failed to write to target RAM (result was 01070000) [email protected] ~/D/s/F/ESP32 (main) [2]>

    opened by KatzeMau 1
  • Fixed compilation error

    Fixed compilation error

    Fix error during build:

     send-my/Firmware/ESP32/main/openhaystack_main.c:227:77: error: 'portTICK_RATE_MS' undeclared (first use in this function); did you mean 'portTICK_PERIOD_MS'?
            227 |         size = uart_read_bytes(UART_PORT_NUM, (unsigned char *)ptr, 1, 20 / portTICK_RATE_MS);
                |                                                                             ^~~~~~~~~~~~~~~~
                |                                                                             portTICK_PERIOD_MS
    
    opened by alex-bellon 0
  • That's awesome!

    That's awesome!

    Hi,

    going beyond starring your repo, to tell you: that's just really amazing example of pwning / abusing Apple protocols :)

    You are doing great job! That's also in general about Positive Security !

    Best regards, Peter

    opened by ink-splatters 0
  • Reliability of reception of the data

    Reliability of reception of the data

    I recently ported your ESP32 Send My firmware to Zephyr and I'm running it on an nRF52832-based RuuviTag, sending the temperature values of the built-in BME280 to the Find My network (see the send-my-sensor project I just published). I'm barely able to receive messages in the DataFetcher, most of the shown characters are ?, with an occasional character coming through completely. I verified that the BLE packet capture is identical to the one sent by the ESP32 firmware for a test message. But my household is very low on Apple devices, just one Mac Mini M1. Does this only work with multiple Apple devices in the neighbourhood?

    opened by koenvervloesem 0
Releases(v0.1)
Owner
Positive Security
Holistic IT security research & consulting
Positive Security
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 150 Sep 27, 2022
Serial Data Monitor is a multiplatform (Windows, Linux, Mac, ...) tool to interactively receive/edit/monitor data and send commands to an embedded system via the serial bus

See wiki for full documentation Serial Data Monitor Description Serial Data Monitor is a multiplatform (Windows, Linux, Mac, ...) tool to interactivel

monnoliv 4 Oct 29, 2021
This was the first ever Computer Science project that I made back in Class XII (2016). I thought I should upload it on GitHub so that it does not get lost. :)

First Ever Project This was the first ever Computer Science project that I made back in Class XII (2016). I thought I should upload it on github so th

Kshitiz Srivastava 3 Jun 7, 2021
An ESP32 system that can perform a Directory, Upload, Download, Delete, Rename and Stream Files in SPIFFS

ESP-File-Server An ESP32 system that can perform a Directory, Upload, Download, Delete, Rename and Stream Files in SPIFFS Using an ESP32 to handle fil

G6EJD 27 Oct 2, 2022
THIS REPO IS PART OF WHAT ORCA TOLD ME TO UPLOAD

artifact64 THIS REPO IS PART OF WHAT ORCA TOLD ME TO UPLOAD Generate x64 arch undetactable executables directly from cobalt strike . USAGE : compile u

null 72 Oct 4, 2022
NightDriverStrip is a source code package for building a flash program that you upload to the ESP32 microcontroller.

NightDriverStrip is a source code package for building a flash program that you upload to the ESP32 microcontroller.

Plummer's Software LLC 576 Sep 27, 2022
Signs IPAs on Windows with arbitrary .p12/.mobileprovision files

DumbSigner A mutilated version of Riley Testut's AltServer for Windows to sign IPAs with arbitrary p12 and mobileprovision files on Windows. It works

Raymonf 5 Jun 27, 2022
Resize, crop, and convert images on Upload.

Upload Image Plugin Resize, crop, and convert images on Upload. To use this plugin use the following settings in a "Transformation Step" in the Upload

Upload.js 20 Mar 31, 2022
Arkku's Arbitrary Keyboard

AAKBD AAKBD is a USB keyboard implementation for AVR (e.g., ATMEGA32U4, ATMEGA32U2) devices. One of the A's probably stands for Arbitrary, since it is

Kimmo Kulovesi 6 Sep 6, 2022
Upload codes in any language in this repository

HacktoberFest21 Hello Hackers! HacktoberFest has begun again for year 2021, and everyone's excited to get started! What is Hacktoberfest? Hacktoberfes

SUDIP MONDAL 56 Jan 1, 2022
THIS REPO IS PART OF WHAT ORCA TOLD ME TO UPLOAD

ACHLYSv2 How it works: First ACHLYS detects the environment of the machine its being in, by checking sandboxes and debuggers presents. second when the

null 27 Feb 1, 2022
Arbitrary Precision provides C++ long integer types that behave as basic integer types. This library aims to be intuitive and versatile in usage, rather than fast.

Arbitrary Precision (AP) Cross-platform and cross-standard header-only arbitrary precision arithmetic library. Currently it offers integer types that

null 16 Aug 3, 2022
THIS REPO IS PART OF WHAT ORCA TOLD ME TO UPLOAD

ACHLYSv1 How it works: First ACHLYS detects the environment of the machine its being in, by checking sandboxes and debuggers presents. second when the

null 16 Nov 29, 2021
THIS REPO IS PART OF WHAT ORCA TOLD ME TO UPLOAD

How Does 0x41 work: 1- checks the environment [detect sandboxes / debuggers / virtual machines] 2- download the [encrypted] shellcode file [.bin] if t

null 38 Jan 12, 2022
THIS REPO IS PART OF WHAT ORCA TOLD ME TO UPLOAD

WHALE : A AES CRYPTOR USAGE: All u have to do is to build "builder" project and run it according to ur arguments. the builder.exe will then build and

null 40 Sep 9, 2022
Openmind - Deduction framework with arbitrary mathematical system solver.

openmind Compilation: Debian/Ubuntu: sudo apt install cmake g++ git libboost-all-dev libxss-dev libx11-dev libxcb-screensaver0-dev ocl-icd-opencl-dev

Sergei Krivonos 10 Apr 3, 2022
Unofficial upload of ChinesePython, a translation of the Python programming language in Chinese [Provided by UrduPython engineers]

# Downloaded from SourceForge: https://sourceforge.net/projects/chinesepython/ # (Uploaded as is) ---------------------------------------------------

Saad A. Bazaz 3 Feb 12, 2022
find likely coding segments in DNA using composition-normalised hexamer tables

hextable makes files of statistics that hexamer uses to scan for likely coding regions

Richard Durbin 14 Jan 21, 2022
Two programs to find the LCM of two positive integers.

LCM-finders LCM-finders? LCM-finders is the repo for my LCM finder projects. I made this program in two similar languages. ?? Note: Two languages mean

Chandula Janith 1 Apr 15, 2022