Upload arbitrary data via Apple's Find My network.

Overview

Send My

Send My allows you to upload arbitrary data from devices without an internet connection by (ab)using Apple's Find My network. The data is broadcast via Bluetooth Low Energy and forwarded by nearby Apple devices.

Send my Overview

The application consists of two parts:

  • Firmware: An ESP32 firmware that turns the microcontroller into a serial (upload only) modem
  • DataFetcher: A macOS application used to retrieve, decode and display the uploaded data

Both are based on OpenHaystack, an open source implementation of the Find My Offline Finding protocol.

How it works

Summary: When sending, the data is encoded in the public keys that are broadcast by the microcontroller. Nearby Apple devices will pick up those broadcasts and forward the data to an Apple backend as part of their location reporting. Those reports can later be retrieved by any Mac device to decode the sent data.

Check https://positive.security/blog/send-my for details.
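
An added example (not the project's code) that simulates the scheme summarised above: one key-shaped broadcast per message bit, and a fetcher that probes both candidate keys for every bit position. The 28-byte key length, the field order, the SHA-256 lookup id and the in-memory report set are assumptions for illustration; the firmware's actual layout and its handling of key validity are described in the linked post.

```python
import hashlib

KEY_LEN = 28  # assumption: size in bytes of the advertised key

def candidate_key(modem_id: bytes, msg_id: int, bit_index: int, bit: int) -> bytes:
    """Key-shaped byte string standing for one bit of one message (assumed layout)."""
    if len(modem_id) != 4:
        raise ValueError("modem_id must be 4 bytes")
    head = bit_index.to_bytes(4, "big") + msg_id.to_bytes(4, "big") + modem_id
    return head + bytes(KEY_LEN - len(head) - 1) + bytes([bit])

def key_id(key: bytes) -> str:
    """Lookup identifier for a key (assumption: SHA-256 of the key bytes)."""
    return hashlib.sha256(key).hexdigest()

def broadcast(modem_id: bytes, msg_id: int, message: bytes):
    """Yield one key per message bit, most significant bit first."""
    for i in range(len(message) * 8):
        bit = (message[i // 8] >> (7 - i % 8)) & 1
        yield candidate_key(modem_id, msg_id, i, bit)

def fetch(reported_ids: set, modem_id: bytes, msg_id: int, n_bytes: int) -> str:
    """Probe both candidate keys per bit; a byte with an unresolved bit becomes '?'."""
    out = []
    for byte_no in range(n_bytes):
        value, complete = 0, True
        for i in range(byte_no * 8, byte_no * 8 + 8):
            seen = [key_id(candidate_key(modem_id, msg_id, i, b)) in reported_ids
                    for b in (0, 1)]
            if seen[0] == seen[1]:  # no report at all, or conflicting reports
                complete = False
                break
            value = (value << 1) | int(seen[1])
        out.append(chr(value) if complete else "?")
    return "".join(out)

def simulate(message: bytes, dropped_bits=()) -> str:
    """Constructed stand-in for the report store: ids of keys that a finder relayed."""
    modem_id, msg_id = bytes.fromhex("11223344"), 0  # constructed sample values
    reported = {key_id(k)
                for i, k in enumerate(broadcast(modem_id, msg_id, message))
                if i not in dropped_bits}
    return fetch(reported, modem_id, msg_id, len(message))

if __name__ == "__main__":
    print(simulate(b"hi"))                    # every broadcast was relayed
    print(simulate(b"hi", dropped_bits={9}))  # one broadcast never reported
```

In this simulation a single unreported broadcast turns the whole byte into `?`, so the decoded text degrades quickly when few reports come back.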

How to use

The Modem

  1. Change the modem_id (and if desired the data_to_send default message)
  2. Check the Firmware README.md for flashing instructions
  3. After boot, the ESP32 will immediately broadcast the default message in a loop until a new message is received via the serial interface. Messages can be sent to the modem e.g. using the Arduino IDE's Serial Monitor.

ESP32 modem serial output

The DataFetcher

  1. Install OpenHaystack including the AppleMail plugin as explained in https://github.com/seemoo-lab/openhaystack#installation
  2. Run OpenHaystack and ensure that the AppleMail plugin indicator is green
  3. Run the DataFetcher OFFetchReport application (either the Release version or build it yourself by opening DataFetcher/DataFetcher.xcodeproj in Xcode and running the OFFetchReport target)
  4. Insert the 4-byte modem_id previously set in the ESP firmware as hex digits
  5. Fetch uploaded messages

Data retrieval macOS app

License

Send My is licensed under the GNU Affero General Public License v3.0.

Comments
  • About the public key rolling

    Hi, in your article I noticed that the pairing procedure is: When pairing an AirTag with an Apple Device, an Elliptic Curve key pair is generated and the public key is pushed to the AirTag (and a shared secret to generate rolling public keys)

    I’m confused about whether the private key will be stored in the airtag, because from the paper https://arxiv.org/pdf/2103.02282.pdf section 6.1, it seems that if you don’t know the d_i then you can’t calculate the next p_i?

    Would be appreciated if you can clarify this 🤣 thanks!

    opened by itewqq 3
  • OS X 10.11.6 Compatibility

    Is it possible to compile the app with greater compatibility for older versions? I'm running 10.11.6 on an old iMac and when I run the OFFetchReports app it says "The application requires OS X 10.15 or later."

    Thanks.

    opened by rawdr 2
  • Problem Flashing with ESP32 (ESPRESSIF)

    I can't flash on my MacBook, it's the same error as https://github.com/seemoo-lab/openhaystack/issues/66

     [email protected] ~/D/s/F/ESP32 (main) [1]> ./flash_esp32.sh -p /dev/cu.usbmodem14101
     esptool.py v3.1
     Found 2 serial ports
     Serial port /dev/cu.usbmodem14101
     Connecting......
     Detecting chip type... ESP32
     Chip is ESP32-D0WDQ6 (revision 1)
     Features: WiFi, BT, Dual Core, 240MHz, VRef calibration in efuse, Coding Scheme None
     Crystal is 40MHz
     MAC: 3c:61:05:12:48:2c
     Uploading stub...

     A fatal error occurred: Failed to write to target RAM (result was 01070000)
     [email protected] ~/D/s/F/ESP32 (main) [2]>

    opened by KatzeMau 1
  • Fixed compilation error

    Fix error during build:

     send-my/Firmware/ESP32/main/openhaystack_main.c:227:77: error: 'portTICK_RATE_MS' undeclared (first use in this function); did you mean 'portTICK_PERIOD_MS'?
            227 |         size = uart_read_bytes(UART_PORT_NUM, (unsigned char *)ptr, 1, 20 / portTICK_RATE_MS);
                |                                                                             ^~~~~~~~~~~~~~~~
                |                                                                             portTICK_PERIOD_MS
    
    opened by alex-bellon 0
  • That's awesome!

    Hi,

    going beyond starring your repo, to tell you: that's just a really amazing example of pwning / abusing Apple protocols :)

    You are doing a great job! That's also in general about Positive Security!

    Best regards, Peter

    opened by ink-splatters 0
  • Reliability of reception of the data

    I recently ported your ESP32 Send My firmware to Zephyr and I'm running it on an nRF52832-based RuuviTag, sending the temperature values of the built-in BME280 to the Find My network (see the send-my-sensor project I just published). I'm barely able to receive messages in the DataFetcher, most of the shown characters are ?, with an occasional character coming through completely. I verified that the BLE packet capture is identical to the one sent by the ESP32 firmware for a test message. But my household is very low on Apple devices, just one Mac Mini M1. Does this only work with multiple Apple devices in the neighbourhood?

    opened by koenvervloesem 0
Releases(v0.1)
Owner
Positive Security
Holistic IT security research & consulting