openhaystack

Android beacon app

Open luke-jr opened this issue 3 years ago • 20 comments

It would be nice if there was a simple app to broadcast beacons from an Android device (eg, in place of a microcontroller).

luke-jr avatar Sep 13 '22 13:09 luke-jr

To the best of my knowledge it requires root rights to change the Bluetooth MAC on Android; please correct me if I'm wrong, because I would like this too.

biemster avatar Sep 15 '22 17:09 biemster

I don't know. Root would be acceptable for many use cases (just think of all the 3G-only phones that are no longer useful...).

luke-jr avatar Sep 15 '22 19:09 luke-jr

You can simply do this from the Android nRF app: set the MAC header and payload according to /firmware and the pubkey. I cloned a genuine AirTag this way.

mrx23dot avatar Oct 28 '22 14:10 mrx23dot

For me the first bytes of the pubkey are shown as XX:XX:XX in the cloned advertisement, is there an option I'm missing?

biemster avatar Oct 28 '22 14:10 biemster

MAC is 6 bytes, payload is 7 for a not-stolen device, 30 for an iPhone and possibly a stolen one. Devices have to be disconnected from BT and WiFi for some time to be "stolen".

On iPhone you cannot change the MAC, but on old Androids you can.

mrx23dot avatar Oct 28 '22 14:10 mrx23dot
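To make the "6-byte MAC plus 30-byte payload" split concrete, here is an added example (not code from the openhaystack project or from anyone in this thread) that encodes a key into the address/payload layout the OpenHaystack firmware uses and decodes a scanned advertisement back into the key, which is what you need to recognise such beacons in a scan and match them against your own keys. The 28-byte key below is constructed for the example.

```python
# Added example: Offline Finding advertisement layout as used by the
# OpenHaystack firmware (separated-device, 30-byte form only).
# The sample key is constructed, not a real tracker key.

KEY_LEN = 28  # compressed P-224 public key without the 0x02 prefix byte
MFG_HEADER = bytes([0x4C, 0x00, 0x12, 0x19])  # Apple company ID, type 0x12, len 0x19

def address_from_key(key: bytes) -> bytes:
    """First 6 key bytes become the BLE address; the two top bits of the
    first byte are forced to 1 so it is a valid random static address."""
    assert len(key) == KEY_LEN
    return bytes([key[0] | 0xC0]) + key[1:6]

def payload_from_key(key: bytes) -> bytes:
    """29-byte manufacturer-specific data: header, status byte, key bytes
    6..27, the two key bits displaced by the address, and a hint byte."""
    assert len(key) == KEY_LEN
    return MFG_HEADER + bytes([0x00]) + key[6:] + bytes([key[0] >> 6, 0x00])

def key_from_advertisement(address: bytes, mfg_data: bytes):
    """Inverse of the two functions above, for a scan/detection loop:
    return the 28-byte key if the advertisement fits the layout, else None."""
    if len(address) != 6 or len(mfg_data) != 29:
        return None
    if mfg_data[:4] != MFG_HEADER or (address[0] & 0xC0) != 0xC0:
        return None
    first = (address[0] & 0x3F) | ((mfg_data[27] & 0x03) << 6)
    return bytes([first]) + address[1:6] + mfg_data[5:27]

def round_trip(key: bytes) -> bool:
    """Encode a key and check that decoding the result gives it back."""
    return key_from_advertisement(address_from_key(key), payload_from_key(key)) == key

if __name__ == "__main__":
    sample_key = bytes([0xA5]) + bytes(range(1, 28))  # constructed sample
    print("address:", address_from_key(sample_key).hex(":"))
    print("round trip ok:", round_trip(sample_key))
```

Only the 30-byte separated form is handled here; the 7-byte nearby form mentioned above carries no key bytes and is not decoded.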

> You can simply do this from the Android nRF app: set the MAC header and payload according to /firmware and the pubkey. I cloned a genuine AirTag this way.

How have you done this? Can you please share it with us? Thanks

Furtivo360 avatar Oct 28 '22 14:10 Furtivo360

Just make your tag/phone believe it's stolen (see above), find the broadcast msg with a 2 sec period in nRF on Android, based on the strongest signal, then try to replay it with the same app or an MCU; on a 3rd phone you could compare whether they are the same. It should be valid for a few days.

mrx23dot avatar Oct 28 '22 15:10 mrx23dot

> You can simply do this from the Android nRF app: set the MAC header and payload according to /firmware and the pubkey.

I mean an app that does it automatically, without a user constantly involved...

> Just make your tag/phone believe it's stolen (see above),

You didn't explain above. And by "stolen", I assume you mean away from their iOS device? Shouldn't need to actually be lost/stolen...

luke-jr avatar Oct 29 '22 01:10 luke-jr

Broadcasting constantly from Android is not reliable; the OS will kill it eventually.

It considers itself stolen/away when disconnected from BLE/WiFi for ~30 mins (e.g. left in the park).

mrx23dot avatar Oct 29 '22 10:10 mrx23dot

> Broadcasting constantly from Android is not reliable; the OS will kill it eventually.

Plenty of apps broadcast constantly without issues.

> It considers itself stolen/away when disconnected from BLE/WiFi for ~30 mins (e.g. left in the park).

Away, yes (but just BLE - AirTags don't support WiFi...). Stolen/lost can only be manually triggered, and prevents it from being re-registered to another user.

luke-jr avatar Oct 29 '22 18:10 luke-jr

Up

Hitmanreis avatar Mar 17 '24 09:03 Hitmanreis