Private keys of regular devices #37
Comments
This is technically possible, but quite hard to implement. After you've got the actual private key you cannot just use its public key to publish this one and have your device appear in FindMy. For this you would need to adapt the firmware that is currently available to send rotating keys as mentioned in our paper (see Section 6.1). We are currently working on a firmware with rotating keys, but we do not have an ETA yet.
Thank you for your input! I understand that you can't use the public key directly, but I don't think you need to implement the whole rotating keys thing. I guess that if you generate the first key and the device sends that first key continuously, that should work. Also I tried to check those keys on my keychain but they are not present on any of my Macs. I'm still running macOS Mojave so maybe that's the cause since offline finding appeared on macOS Catalina, but my iPhone is running iOS 14 so I thought at least its key should be there... but maybe it is not synced since I'm not on Catalina/Big Sur? BTW, I may be able to help with the new firmware if you need it. I'm trying to port the firmware to Go (using TinyGo) although it seems that the crypto packages are not available for nrf51822 so maybe that's not possible. I'm not sure if this is the right communication channel or whether you have Slack or something where we can discuss these technical things in a faster way.
This is definitely the best communication channel for the moment. I think generating the first key does not work, because from our reverse engineering we know that the devices are only checking for current keys (for the last 7 days). You could probably generate one current key and deploy it to one of your devices. This could work for about 7 days. The reason why you cannot find the keys is definitely macOS Mojave. You would need Catalina for Offline Finding and even Big Sur for OpenHaystack. I'll keep this issue open for further discussions.
@Sn0wfreezeDev how do you get the BeaconStore key? When I run
I find it in
The content might be any raw data that cannot be represented as text. Probably because they randomly generate those passwords. You can probably access the data with Swift and Apple's Security framework.
I did also try accessing it from Swift and saw no data stored under that keychain item. When arbitrary data is stored as the value, the Keychain app does not allow checking the "Show Password" box. Also, can you share any information or example code that you used to retrieve the key and decrypt the .record files? Thanks!
Sorry, I don't have any source code available for this. The last time I decrypted my private keys was with macOS Catalina. Apple has changed a lot there after we submitted a security vulnerability.
Yay, I was finally able to decrypt these .record files. For anybody else trying to do this:
I had been stumped by the fact that there was no proper data associated with the keychain item in step (3), along with trying to use
Did any of you get any further with this?
Hey @robinkruyt, congrats! That's exactly what you need to generate the keys.
Hello everyone, I have a question that might be related. Feel free to delete or move my post if it's not.
Hi @leokeba, yes that would be possible. If you have access to the private key, you can start generating public keys that will match the ones sent out by your AirTag.
Thanks @Sn0wfreezeDev for the quick answer. From what I gather, the public key and BLE address are rotated every 24 hours. So in theory, if I'm able to match the public key with the address, I could still be able to identify the AirTag using the address alone until it rotates again, right?
Yes, you are right, the AirTag changes its key pair (public and private key) every 24 hours. The iPhone and the AirTag often synchronize with each other to update the current state of the key.
@Sn0wfreezeDev is there a way for Apple to lock out/identify OpenHaystack users in the future? As I understand it, OpenHaystack hijacks the API so it can query arbitrary public keys which don't depend on rotation/counter.
That command yields nothing. But without the
Is there a way to actually do this without installing development tools?
Did anyone get any further with this? I'm trying to do the same thing as @leokeba, track AirTags that I own using standard BLE scanners. I understand from the discussion above that to do so I need to extract the private key for the AirTag from my iCloud keychain (by using the technique posted by @llama above) and then generate a public key from that private key (or maybe generate a set of possible public keys?) and then compare those to the public key being broadcast by the AirTag, which is split across the BLE address and the BLE manufacturer data.... but it might be enough to just compare the appropriate bits from the generated public keys to the bits in the BLE address. Does all that sound about right?
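An added example (not code from this thread or from the OpenHaystack project) of the matching described above: it assumes the advertisement layout used by the OpenHaystack firmware (BLE address = first 6 key bytes with the top two bits set; manufacturer data = state byte, the remaining 22 key bytes, the two masked-off bits, hint byte) and substitutes constructed SHA-256 values for the per-day public keys, since the real derivation from the private key is not given here.

```python
import hashlib

KEY_LEN = 28  # Offline Finding advertises the 28-byte x-coordinate of a P-224 public key
APPLE_OF_HEADER = bytes([0x4C, 0x00, 0x12, 0x19])  # Apple company ID, Offline Finding type, length 25


def make_advertisement(pubkey: bytes):
    """Split a 28-byte public key the way the OpenHaystack firmware does (assumed layout).
    Returns (ble_address, manufacturer_data): the address is the first 6 key bytes with the
    top two bits forced to 11 (random static address); the manufacturer data (the bytes after
    the 0xFF AD-type byte) carries a state byte, the remaining 22 key bytes, the two bits the
    address could not carry, and a hint byte."""
    assert len(pubkey) == KEY_LEN
    addr = bytearray(pubkey[:6])
    addr[0] |= 0xC0
    mfg = APPLE_OF_HEADER + b"\x00" + pubkey[6:] + bytes([pubkey[0] >> 6, 0x00])
    return bytes(addr), mfg


def pubkey_from_advertisement(addr: bytes, mfg: bytes):
    """Rebuild the full 28-byte key from a scanned address + manufacturer data,
    or return None if the payload is not an Offline Finding advertisement."""
    if len(mfg) != 29 or mfg[:4] != APPLE_OF_HEADER:
        return None
    first = (addr[0] & 0x3F) | ((mfg[27] & 0x03) << 6)  # restore the two masked bits of byte 0
    return bytes([first]) + addr[1:6] + mfg[5:27]


def address_matches(addr: bytes, pubkey: bytes) -> bool:
    """Cheap pre-filter: compare only the 46 key bits the address carries."""
    return (addr[0] & 0x3F) == (pubkey[0] & 0x3F) and addr[1:6] == pubkey[1:6]


def match_scan(addr: bytes, mfg: bytes, candidates: dict):
    """Return the label of the owner's candidate key (one per rotation period) that a scan
    belongs to, or None. Address pre-filter first, full 28-byte comparison second."""
    full = pubkey_from_advertisement(addr, mfg)
    for label, key in candidates.items():
        if address_matches(addr, key) and full == key:
            return label
    return None


def demo_candidates(days: int = 7) -> dict:
    """Constructed stand-ins for the public keys an owner would derive for the last
    `days` rotation periods; NOT the real Apple derivation."""
    return {f"day{i}": hashlib.sha256(b"constructed-demo-key-%d" % i).digest()[:KEY_LEN]
            for i in range(days)}


if __name__ == "__main__":
    keys = demo_candidates()
    print(match_scan(*make_advertisement(keys["day3"]), keys))  # day3
```

Scanner output from a real tag would be fed in as the raw address bytes and the manufacturer-specific AD payload; everything else stays the same.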
Thanks to everyone solving those mysteries so far. @YeapGuy's script made retrieving the key pair a breeze, after my Mac lost track of all its tracked items (still not sure why things broke that badly, but any iOS device linked to my account is no longer able to query Apple's server on found AirTags or add new ones, let alone see those already deployed - devices, no problem, it's just the items that are lost),
I have created this: Given the
On macOS 15 running
From experimenting, it seems that Apple may have moved the BeaconStore into the iCloud/Local Items keychain as part of macOS 15, which (as far as I can tell) cannot be accessed from the
Yes, the BeaconStore is indeed now in the iCloud keychain. I also recently found that Apple might have changed the key rotation algorithm on official AirTags: malmeloo/FindMy.py#90 So maybe this is part of their attempt to strengthen the security of official accessories. Unfortunately, that means I can't use official AirTags anymore for my own purpose.
Here's another plausible explanation of this: MartinPham/FindMySync#25 (comment). Basically, I'm stuck at fetching the password to decode the plists because of this.
I'm trying to use a public key from one of the devices currently registered in the Find My app. This way I could create a tag that should appear as one of my Macs. According to the docs the private key should be in the iCloud Keychain but I'm unable to find it.
Does anybody know where it is and how I can export it?
Thanks!