{"id":18292134,"url":"https://github.com/seemoo-lab/airtag","last_synced_at":"2025-04-05T04:11:34.452Z","repository":{"id":94400721,"uuid":"421432289","full_name":"seemoo-lab/airtag","owner":"seemoo-lab","description":"AirTag instrumentation including AirTechno and firmware downgrades.","archived":false,"fork":false,"pushed_at":"2025-01-14T20:15:32.000Z","size":8462,"stargazers_count":166,"open_issues_count":1,"forks_count":14,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-03-29T03:07:27.004Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/seemoo-lab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-10-26T13:17:34.000Z","updated_at":"2025-03-11T11:39:32.000Z","dependencies_parsed_at":"2023-04-10T05:30:59.662Z","dependency_job_id":null,"html_url":"https://github.com/seemoo-lab/airtag","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seemoo-lab%2Fairtag","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seemoo-lab%2Fairtag/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seemoo-lab%2Fairtag/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seemoo-lab%2Fairtag/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seemoo-lab","download_url":"https://codeload.github.com/seemoo-lab/airtag/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247284950,"owners_count":20913704,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-05T14:16:50.013Z","updated_at":"2025-04-05T04:11:34.434Z","avatar_url":"https://github.com/seemoo-lab.png","language":"JavaScript","readme":"# AirTag Scripts \u0026 Resources\n\n\n## FЯIDA Script Overview\n\n![AirTag: Play custom sound, UWB, firmware version, downgrade](assets/airtag_frida.png)\n\n\n### Prerequisites\n\nThe scripts require a jailbroken iPhone, paired with an AirTag, and a host system, running\n[FЯIDA](https://frida.re).\n\nAirTag support was introduced as of iOS 14.5. So far, we tested the scripts provided here on various\niOS versions (14.6, 14.7, 14.8) on [checkm8](https://checkra.in)-supported devices.\nThe scripts might run on Fugu14 as well, but we didn't test that yet.\n\n### Run custom tasks, enumerate commands\n\nUse [hook_durian.js](scripts/hook_durian.js) to\nplay custom sounds aka [AirTechno](https://www.youtube.com/watch?v=z1DJ7z_LaUM),\nand also run and decode all other L2CAP commands. Commands are described by opcodes,\nand opcodes can be enumerated to list their meanings.\n\n\nIt's possible to run raw commands. However, some commands require a mutex or special\nstate. Thus, ideally, create a task, which will take care of creating a command,\nincluding mutex handling. Objective-C allows to extract a full command list, included\nin the comments of `hook_durian.js`, so that you don't need to enumerate them.\nFor example, `unpairTask`, `stopSoundTask`, etc.\n\n```JavaScript\n// run a predefined task\nd.performTaskByName('stopSoundTask');\n\n// run a task with custom opcode 0x01 and payload 0x02030405\nd.performTaskWithCommand([1, 2, 3, 4, 5]);\n```\n\nSome tasks require parameters. These aren't fully reverse engineered yet.\nDepending on the command, you might need to add a custom function.\nFor example, you can play custom sounds:\n\n```JavaScript\n// play sound sequence id 1, twice, with 0 offset, and 0 pause\nd.playSoundSequence[1, 2, 0, 0];\n```\n\nTo set the `DurianService` etc. to call task, manually play a sound \nvia the Find My app on the AirTag once.\n\n\n### Hook the firmware update process for downgrades\n\nA detailed description of the downgrade process including script\nexplanations is available on [YouTube](https://www.youtube.com/watch?v=C4JyI_WUNJ8).\n\n#### 1. Download the firmware version you want\n\n[The iPhone Wiki](https://www.theiphonewiki.com/wiki/OTA_Updates/AirTag) hosts an\nup-to-date list of all firmware updates released for the AirTag. Note that the very first\nstock version (1.0.225) was never released as OTA, so you cannot use the method here to\ndowngrade to the very first version that did not have any anti-stalking protections.\n\n#### 2. Extract the U1 firmware (aka Rose) from the super binary (optional)\n\nIf you want to downgrade the U1 firmware as well, you can extract it using\n[DurianFirmware_extract.py](scripts/DurianFirmware_extract.py).\n\n```bash\nmkdir airtag_firmware_1A276d\ncd airtag_firmware_1A276d\nwget https://updates.cdn-apple.com/2021/patches/071-45785/4132D4FE-1C5A-498E-8A6D-678A026679AF/com_apple_MobileAsset_MobileAccessoryUpdate_DurianFirmware/ae34f4b8aec8a4d4562227109be101728b7bef20.zip\npython3 DurianFirmware_extract.py AssetData/DurianFirmware.acsw/DurianFirmwareMobileAsset.bin\n```\n\nThis will extract the following files, with `ftab` being the U1 firmware.\n\n```buildoutcfg\ntag : blap    offset : 0x9c       size : 0x38340\ntag : sftd    offset : 0x383dc    size : 0x1b400\ntag : bldr    offset : 0x537dc    size : 0x5f9c\ntag : basg    offset : 0x59778    size : 0x47\ntag : sdsg    offset : 0x597c0    size : 0x48\ntag : blsg    offset : 0x59808    size : 0x47\ntag : ftab    offset : 0x59850    size : 0x924c5\n```\n\n\n#### 3. Overwrite the U1 firmware while the downgrade is running (optional)\n\nReplace the `sha384sum` of `rkos` and `dsp1` in the [hook_durian_update_fud.js](scripts/update/hook_durian_update_fud.js) script\nwith the matching ones. For this, you also have to split the `ftab` using the external [ftab_split.py](https://gist.github.com/matteyeux/c1018765a51bcac838e26f8e49c6e9ce) script.\n\n```bash\nftab_split.py ftab.bin \nsha384sum rkos \n    1fcb05b377eb405eeffc5ad60efce6aeed3b83d834e0403bd88a142d84c6082ea6c649ebf14ae05b1a87d159e9dc167c  rkos\nsha384sum sbd1 \n    928a226b85b52c75f07fb3cd89f1c38a783bb9834de647407b935a952359d36b243a58fa43a172d1e39c3d432d1a3030  sbd1\n```\n\nNow we can use the TOCTOU to overwrite the firmware. Double-check which firmware is being used for the update,\nthe folder might differ. The following is running on the iPhone:\n\n```\niPhone:/private/var/MobileAsset/AssetsV2/com_apple_MobileAsset_MobileAccessoryUpdate_DurianFirmware/[your_version].asset/AssetData/DurianFirmware.acsw root#\n   while true; do cp /var/root/ftab_rose_airtag_old.bin ftab.bin; sleep 1; done\n```\n\n#### 4. Run the downgrade\n\nIf you're not downgrading Rose and only the nRF parts, you might need to adapt [overwrite_firmware.py](scripts/update/overwrite_firmware.py).\nOtherwise, simply run:\n\n```bash\npython3 overwrite_firmware.py\n```\n\nNow, remove your AirTag from your account and pair it again. The update should start within 5 minutes.\nIf this wasn't the case, check your `idevicesyslog`. Possible reasons:\n\n* Concurrent interaction with the AirTag that delayed the update process by 2h 30min. Just pair again.\n* The current AirTag firmware version has a `deploymentLimit`. Can probably fixed by overwriting the `xml` file\n  in the same folder as the asset location on the iPhone.\n\n\n### L2CAP command opcodes\n\nThe full list of L2CAP opcodes, since they might also be useful for reverse engineering and building\nclients independent of iOS. Note that Durian opcodes are for AirTags, and Hawkeye opcodes are likely\nfor third-party Find My devices.\n\n\n```buildoutcfg\nDurian opcode list: \n[d] 0: Acknowledge\n[d] 1: Rose Init\n[d] 2: Rose Ready\n[d] 3: Rose Start Ranging\n[d] 4: Rose Ranging Complete\n[d] 6: Rose Stop\n[d] 7: Get Firmware Version\n[d] 8: Stop Sound\n[d] 10: Leashing\n[d] 11: Set Max Connections\n[d] 12: Get Multi Status\n[d] 13: Set Obfuscated Identifier\n[d] 14: Set Mutex\n[d] 15: Set Near Owner Timeout\n[d] 18: Get Firmware Version (Deprecated)\n[d] 19: Unpair\n[d] 21: Rose Set Paramaters\n[d] 22: Rose Stop Ranging\n[d] 24: Get User Stats\n[d] 32: Abort FWDL\n[d] 34: Rose Error\n[d] 36: Rose P2P Timestamp\n[d] 37: Rose Debug P2P Timestamp\n[d] 38: Set Tag Type\n[d] 39: Get Battery Status\n[d] 40: Play Sound Sequence\n[d] 42: Set Wild Mode Configuration\n[d] 43: Roll Wild Key\n[d] 45: Set Absolute Wild Mode Configuration\n[d] 174: Fetch Current Key Index\n[d] 175: Play Unauthorized Sound\n[d] 177: Set Key Rotation Timeout\n[d] 180: Dump Logs\n[d] 181: Check Crashes\n[d] 185: Induce Crash\n[d] 195: Enable/Disable UT PlaySound Rate Limit\n[d] 197: Set Central Reference Time\n[d] 199: Set Accelerometeter Slope Mode Configuration\n[d] 200: Set Accelerometer Orientation Mode Configuration\n[d] 201: Get Accelerometer Slope Mode Configuration\n[d] 202: Get Accelerometer Orientation Mode Configuration\n[d] 203: Get Accelerometer Mode\n[d] 209: Fetch ProductData AIS\n[d] 210: Fetch ManufacturerName AIS\n[d] 211: Fetch ModelName AIS\n[d] 212: Fetch ModelColorCode AIS\n[d] 213: Fetch AccessoryCategory AIS\n[d] 214: Fetch AccessoryCapabilities AIS\n[d] 215: Fetch FirmwareVersion AIS\n[d] 216: Fetch FindMyVersion AIS\n[d] 217: Fetch BatteryTyp AIS\n[d] 218: Fetch BatteryLevel AIS\n[d] 219: Send UARP message to accessory\n[d] 220: Stop Unauthorized Sound\n\nHawkeye opcode list: \n[h] 512: Sound Start\n[h] 513: Sound Stop\n[h] 514: Persistent Connection Status\n[h] 515: Nearby Timeout\n[h] 516: Unpair\n[h] 517: Configure Separated State\n[h] 518: Latch Separated Key\n[h] 519: Set Max Connections\n[h] 520: Set UTC\n[h] 521: Get Multi Status\n[h] 523: Command Response\n[h] 524: Multi Status Response\n[h] 525: Sound Complete\n[h] 768: Non-Owner Sound Start\n[h] 769: Non-Owner Sound Stop\n[h] 770: Non-Owner Command Response\n[h] 771: Non-Owner Sound Complete\n[h] 1024: Get Current Primary Key\n[h] 1025: Get iCloud Identifier\n[h] 1026: Get Current Primary Key Response\n[h] 1027: Get iCloud Identifier Response\n[h] 1028: Get Serial Number\n[h] 1029: Get Serial Number Response\n[h] 1280: Key Rotation\n[h] 1281: Retrieve Logs\n[h] 1282: Log Response\n[h] 1283: Debug Command Response\n[h] 1284: Reset\n[h] 1285: UT Motion Config\n```\n\n\n","funding_links":[],"categories":["Operating Systems"],"sub_categories":["macOS/iOS"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseemoo-lab%2Fairtag","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fseemoo-lab%2Fairtag","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseemoo-lab%2Fairtag/lists"}