Upload arbitrary data via Apple's Find My network.

Last update: Jan 2, 2023

Overview

Send My

Send My allows you to to upload abritrary data from devices without an internet connection by (ab)using Apple's Find My network. The data is broadcasted via Bluetooth Low Energy and forwarded by nearby Apple devices.

The application consists of two parts:

Firmware: An ESP32 firmware that turns the microcontroller into a serial (upload only) modem
DataFetcher: A macOS application used to retrieve, decode and display the uploaded data

Both are based on OpenHaystack, an open source implementation of the Find My Offline Finding protocol.

How it works

Summary: When sending, the data is encoded in the public keys that are broadcasted by the microcontroller. Nearby Apple devices will pick up those broadcasts and forward the data to an Apple backend as part of their location reporting. Those reports can later be retrieved by any Mac device to decode the sent data.

Check https://positive.security/blog/send-my for details.

How to use

The Modem

Change the modem_id (and if desired the data_to_send default message)
Check the Firmware README.md for flashing instructions
After boot, the ESP32 will immediately broadcast the default message in a loop until a new message is received via the serial interface. Messages can be sent to the modem e.g. using the Arduino IDE's Serial Monitor.

The DataFetcher

Install OpenHaystack including the AppleMail plugin as explained in https://github.com/seemoo-lab/openhaystack#installation
Run OpenHaystack and ensure that the AppleMail plugin indicator is green
Run the DataFetcher OFFetchReport application (either the Release version or build it yourself by opening DataFetcher/DataFetcher.xcodeproj in XCode and running the OFFetchReport target)
Insert the 4 byte modem_id previously set in the ESP firmware as hex digits
Fetch uploaded messages

References

Blog Post: https://positive.security/blog/send-my
OpenHaystack: https://github.com/seemoo-lab/openhaystack
Alexander Heinrich, Milan Stute, Tim Kornhuber, Matthias Hollick. Who Can Find My Devices? Security and Privacy of Apple's Crowd-Sourced Bluetooth Location Tracking System. Proceedings on Privacy Enhancing Technologies (PoPETs), 2021.

License

Send My is licensed under the GNU Affero General Public License v3.0.

Comments

About the public key rolling

Hi, in your article I noticed that the pairing procedure is: When paring an AirTag with an Apple Device, an Elliptic Curve key pair is generated and the public key is pushed to the AirTag (and a shared secret to generate rolling public keys)

I’m confused about whether the private key will be stored in the airtag, because from the paper https://arxiv.org/pdf/2103.02282.pdf section 6.1, it seems that if you don’t know the d_i then you can’t calculate the next p_i?

Would be appreciated if you can clarify this 🤣 thanks!

opened by itewqq 3
OS X 10.11.6 Compatibility

Is it possible to compile the app with greater compatibility for older versions? I'm running 10.11.6 on an old iMac and when I run the OFFetchReports app it says "The application requires OS X 10.15 or later."

Thanks.

opened by rawdr 2
Problem Flashing with ESP32 (ESPRESSIF)

I cant flash on my macbook, its the same error as https://github.com/seemoo-lab/openhaystack/issues/66

[email protected] ~/D/s/F/ESP32 (main) [1]> ./flash_esp32.sh -p /dev/cu.usbmodem14101 esptool.py v3.1 Found 2 serial ports Serial port /dev/cu.usbmodem14101 Connecting...... Detecting chip type... ESP32 Chip is ESP32-D0WDQ6 (revision 1) Features: WiFi, BT, Dual Core, 240MHz, VRef calibration in efuse, Coding Scheme None Crystal is 40MHz MAC: 3c:61:05:12:48:2c Uploading stub...

A fatal error occurred: Failed to write to target RAM (result was 01070000) [email protected] ~/D/s/F/ESP32 (main) [2]>

opened by KatzeMau 1

Fixed compilation error

Fix error during build:

 send-my/Firmware/ESP32/main/openhaystack_main.c:227:77: error: 'portTICK_RATE_MS' undeclared (first use in this function); did you mean 'portTICK_PERIOD_MS'?
        227 |         size = uart_read_bytes(UART_PORT_NUM, (unsigned char *)ptr, 1, 20 / portTICK_RATE_MS);
            |                                                                             ^~~~~~~~~~~~~~~~
            |                                                                             portTICK_PERIOD_MS

opened by alex-bellon 0

That's awesome!

Hi,

going beyond starring your repo, to tell you: that's just really amazing example of pwning / abusing Apple protocols :)

You are doing great job! That's also in general about Positive Security !

Best regards, Peter

opened by ink-splatters 0
Reliability of reception of the data

I recently ported your ESP32 Send My firmware to Zephyr and I'm running it on an nRF52832-based RuuviTag, sending the temperature values of the built-in BME280 to the Find My network (see the send-my-sensor project I just published). I'm barely able to receive messages in the DataFetcher, most of the shown characters are ?, with an occasional character coming through completely. I verified that the BLE packet capture is identical to the one sent by the ESP32 firmware for a test message. But my household is very low on Apple devices, just one Mac Mini M1. Does this only work with multiple Apple devices in the neighbourhood?

opened by koenvervloesem 0

Releases(v0.1)

v0.1(May 12, 2021)

Initial release with basic functionality to choose a modem and retrieve messages.

Note: The uploaded data is neither encrypted nor authenticated.
Source code(tar.gz)
Source code(zip)
DataFetcher.zip(3.87 MB)

Owner

Positive Security

Holistic IT security research & consulting

GitHub

A modern C++ network library for developing high performance network services in TCP/UDP/HTTP protocols.

evpp Introduction 中文说明 evpp is a modern C++ network library for developing high performance network services using TCP/UDP/HTTP protocols. evpp provid

3.2k Jan 5, 2023

XMap is a fast network scanner designed for performing Internet-wide IPv6 & IPv4 network research scanning.

XMap is reimplemented and improved thoroughly from ZMap and is fully compatible with ZMap, armed with the "5 minutes" probing speed and novel scanning techniques. XMap is capable of scanning the 32-bits address space in under 45 minutes.

190 Dec 24, 2022

Header-only C++14 library for getting network addresses associated with network interface without name lookups on Windows, macOS, Linux, and FreeBSD

NetIF Get addresses associated with network interfaces on a system without using name lookups. Header-only, requires C++14. Usage Add the header file

9 Oct 17, 2022

Netif - Header-only C++14 library for getting network addresses associated with network interface without name lookups on Windows, macOS, Linux, and FreeBSD

NetIF Get addresses associated with network interfaces on a system without using name lookups. Header-only, requires C++14. Usage Add the header file

9 Oct 17, 2022

WiFi scanner with visual persistence, intended to find the idlest channel e.g. to assign to a ZigBee device

WiFiChanViz Motivation This tool was initially coded to help find the idlest 2.4GHz channel in order to connect a ZigBee device to HomeAssistant in id

15 Oct 27, 2022

Wifi MQTT Data Logging via an esp8266 for the Ikea VINDRIKTNING PM2.5 air quality sensor

MQTT connectivity for the Ikea VINDRIKTNING This repository contains an ESP8266 firmware, which adds MQTT to the Ikea VINDRIKTNING PM2.5 air quality s

943 Dec 31, 2022

Realtime Client/Server app for Linux allowing joystick (and other HID) data to be transferred over a local network

netstick What is it? Netstick enables HID devices to be remotely connected between a "client" and "server" over a network connection. It allows the ke

33 Nov 6, 2022

A software C library designed to extract data attributes from network packets, server logs, and from structured events in general, in order to make them available for analysis

MMT-DPI A software C library desinged to extract data attributes from network packets, server logs, and from structured events in general, in odrder t

3 Nov 9, 2022

Alternative Shellcode Execution Via Callbacks

Alternative Code Execution This is gaining more popularity than expected, so I just wanted to give a shoutout to alfarom256 for informing me about cal

949 Jan 1, 2023

Control Hörmann doors drives directly via MQTT from Home Assistant

hoermann_door Control Hörmann doors drives directly via MQTT from Home Assistant

66 Nov 23, 2022

Bring Ethernet to the Pi Pico via SPI

Uses lwIP in combination with the ENC28J60 SPI ethernet module to bring a TCP/IP stack to the Pi Pico!

38 Nov 16, 2022

xpload is a C++ library to communicate with a calibration database via libcurl

BNL Nuclear and Particle Physics Software Group

1 Jan 10, 2022

RPI Pico WIFI via ESP-01S, LWESP, FreeRTOS, and MQTT example

RPIPicoRTOSMQTT RPI Pico WIFI via ESP-01S, LWESP, FreeRTOS, and MQTT example Demo code for RPI Pico using ESP-01S for wifi connection over uart. With

2 Dec 2, 2021

Warp speed Data Transfer (WDT) is an embeddedable library (and command line tool) aiming to transfer data between 2 systems as fast as possible over multiple TCP paths.

WDT Warp speed Data Transfer Design philosophy/Overview Goal: Lowest possible total transfer time - to be only hardware limited (disc or network bandw

2.7k Dec 31, 2022

Event-driven network library for multi-threaded Linux server in C++11

12.4k Jan 1, 2023

PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use. It provides C++ wrappers for the most popular packet processing engines such as libpcap, WinPcap, DPDK and PF_RING.

PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy

2.1k Jan 6, 2023

Good Game, Peace Out Rollback Network SDK

(日本語ドキュメントはこちら) What's GGPO? Traditional techniques account for network transmission time by adding delay to a players input, resulting in a sluggish,

2.7k Dec 29, 2022

A network library for client/server games written in C++

yojimbo yojimbo is a network library for client/server games written in C++. It's designed around the networking requirements of competitive multiplay

2.2k Jan 1, 2023

An easy-to-learn, high performance network io library written in modern cpp (c++11), It borrows concepts from Netty, and with well defined internal modules, It enables you to write rpc, http/https,websocket application with just few lines。

A new beginning of network programming What is Netplus Netplus is a network programming library written in c++11. It's highly extensible, and with def

60 Dec 15, 2022